Okta Classic Engine | Administration | Answered | 2024-05-08T08:27:23Z | 2019-04-23T03:03:03Z | 2021-02-11T23:18:02Z

pidt.38921 (Customer) asked a question.

okta powershell to retrieve AWS group/roles info

I am trying to run the Okta API using the PowerShell module to retrieve all users assigned to AWS apps via groups, with their assigned AWS roles. I am able to retrieve the user list along with their SAML roles. However, I have some users who are members of multiple groups, and each group is mapped to a different AWS role. When I run this command I get the info of the first group a user is a member of, and it skips listing any other group and the corresponding SAML role.

It's showing me the result based on the role set by the first group in the group priority. If I change the user to individual assignment and map multiple roles, then I can retrieve all roles for the user. Any ideas how I can see all roles for the groups users are members of?

oktaGetUsersbyAppID -oorg prod1 -aid '<appid>' | select externalID -expandproperty profile | select firstname, lastname, externalID, @{expression={($_.samlroles) -join ";"}; label= 'SAML Role'}


  • Hello, this is Vasi from the support team.

    If you have PowerShell-related questions, feel free to direct them to GitHub by opening an issue on: https://github.com/mbegan/Okta-PSModule/issues

    Regarding your initial question: when a user is assigned to an app by group, the first group in the assignment order is the group that is used to assign the user to the app, and the user will receive the properties (roles in this case) defined for that group. If they are also a member of another group that is also used to assign that application, there isn't an additive element to the assignment.

    If you want to know more about the groups and the roles that are configured, you can perform a query with oktaGetAppGroups using the same appid; this will list the groups along with the profiles which contain the configured properties for the group assignment.

    For further clarification, or more insight on the Okta PowerShell API, I would recommend opening an issue on https://github.com/mbegan/Okta-PSModule/issues
    • pidt.38921 (Customer)

      I am looking to find out all "roles" assigned to a user for an AWS app from different groups. For example, a user is a member of 2 groups:

      Group 1 – EC2 Role
      Group 2 – S3 Role

      When I run the report using the Okta APIs it just shows me the user is assigned the EC2 Role, as this is coming from the first group in the assignment order. However, if the user is assigned multiple roles in the group, it works fine.

      Multiple groups lead to inaccurate reporting, as users' roles are just coming from the first group in the assignment order.

      OktaGetAppgroups will not give me any user-specific information, so this is ideally not a solution. Any other ideas?

      I am available to discuss this over a call as well 201-469-3511

      Thanks

      Ripul
      • hisft (hisft)

        I would also like this information. I'm trying to find a simple way to generate a report (or at least get the raw data) of Okta users and all the AWS Saml roles they have access to for compliance review purposes.

      • I don't have it working in PowerShell... but using the Rockstar Chrome extension > API Explorer > GET > /api/v1/apps I was then able to click through to my AWS app's id, and then to users & groups.

        If you can get to your app's ID, the URL will be <yourcompany.okta.com>/api/v1/apps/<app id>/groups and <app id>/users -- the column you want is profile.samlRoles
  • Duanec.95993 (Customer)

    This ended up really helping solve my problem. Here is what I'm using to map AD groups to AWS roles:

    ## GET the groups assigned to the AWS app (expand=group embeds each Okta group object)

    $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
    $headers.Add("Accept", "application/json")
    $headers.Add("Content-Type", "application/json")
    $headers.Add("Authorization", "SSWS APITOKEN")   # replace APITOKEN with your Okta API token
    # a session cookie is not required when authenticating with an SSWS API token
    $headers.Add("Cookie", "JSESSIONID=A2A3478367CFFD847804F0492342C68D")

    # limit=100 caps the response at 100 groups; follow the Link: rel="next" header if the app has more
    $oktaawsgroups = Invoke-RestMethod 'https://org.okta.com/api/v1/apps/APPID/groups?expand=group&limit=100' -Method 'GET' -Headers $headers
    $oktaawsgroups | ConvertTo-Json

    # okta ad entitlements (group names from the embedded group object)
    $oktaawsgroups._embedded.group.profile.name

    # okta samlroles (the AWS roles configured on each group's app profile)
    $oktaawsgroups.profile.samlroles

    # parse out okta data: one row per group, mapping AD group name -> AWS SAML roles
    foreach ($oktawsgroup in $oktaawsgroups) {
        $oktawsgroup | Select-Object @{Name = "ad_entitlement"; Expression = { $_._embedded.group.profile.name } },
                                     @{Name = "saml_roles"; Expression = { $_.profile.samlroles } }
    }

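Following on from the per-group mapping above and the /apps/<app id>/groups endpoint hisft points at, here is an added example (not code from the thread or from the Okta-PSModule project) that produces the per-user view the original question asks for: it walks every group assigned to the app, reads each group's profile.samlRoles, lists the active members of each group, and collects the union of roles per user. $OktaOrg, $ApiToken, $AppId and the output file name are placeholders you must fill in.

```powershell
# Added example, not from the thread or the Okta-PSModule project.
# Placeholders to replace: $OktaOrg, $ApiToken (read it from a secret store), $AppId.
$OktaOrg  = 'https://org.okta.com'
$ApiToken = 'APITOKEN'
$AppId    = 'APPID'
$headers  = @{ Accept = 'application/json'; Authorization = "SSWS $ApiToken" }

# Okta paginates list endpoints; keep following the Link: rel="next" header until it is absent.
function Get-OktaPaged {
    param([string]$Url)
    while ($Url) {
        $resp = Invoke-WebRequest -Uri $Url -Headers $headers -Method Get -UseBasicParsing
        foreach ($item in ($resp.Content | ConvertFrom-Json)) { $item }
        $Url = $null
        if ((@($resp.Headers['Link']) -join ',') -match '<([^>]+)>;\s*rel="next"') { $Url = $Matches[1] }
    }
}

$rolesByUser = @{}   # user id -> HashSet of role names granted by any of the user's app groups
$loginById   = @{}   # user id -> login
foreach ($g in Get-OktaPaged "$OktaOrg/api/v1/apps/$AppId/groups?limit=200") {
    # profile.samlRoles is the per-group attribute discussed in the thread; skip groups without it
    $groupRoles = @($g.profile.samlRoles | Where-Object { $_ })
    if ($groupRoles.Count -eq 0) { continue }
    foreach ($u in Get-OktaPaged "$OktaOrg/api/v1/groups/$($g.id)/users?limit=200") {
        if ($u.status -ne 'ACTIVE') { continue }   # deprovisioned or suspended users cannot use the role
        if (-not $rolesByUser.ContainsKey($u.id)) {
            $rolesByUser[$u.id] = New-Object 'System.Collections.Generic.HashSet[string]'
            $loginById[$u.id]   = $u.profile.login
        }
        foreach ($r in $groupRoles) { [void]$rolesByUser[$u.id].Add($r) }
    }
}

# One row per user with every role any of their assigned groups would grant
$report = foreach ($id in $rolesByUser.Keys) {
    [pscustomobject]@{
        login     = $loginById[$id]
        samlRoles = (@($rolesByUser[$id]) | Sort-Object) -join ';'
    }
}
$report | Sort-Object login | Export-Csv -Path 'aws-roles-by-user.csv' -NoTypeInformation
```

As Vasi explains above, Okta itself applies only the first assigned group's profile, so this report shows the roles reachable through every group the user is in; compare it with profile.samlRoles from /apps/<app id>/users to see which one is currently effective.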
This question is closed.