Okta Identity Engine | Workflows | Answered | 2024-05-05T08:00:04.000Z | 2022-03-02T23:03:02.000Z | 2022-03-06T21:47:48.000Z

RichardY.18612 (Customer) asked a question.

Okta Workflow / Atlassian Admin - Unable to search for groups

Hi

 

I am creating my first Okta workflow, and have come stuck using the Atlassian Admin "Search Groups" card.

 

If I perform a test of this card, and enter something such as jira-users or confluence-users, it doesn't return anything.

But if I specify a group I have created in Okta, and pushed to Atlassian, it will return the group ID and Display Name of the group correctly.

 

Is this expected behaviour? As I would have thought it should be able to find ANY group that is within our Atlassian account.

 

Thanks


  • LuP.74999 (Customer)

    Hi Richard,

     

    Ran into the same issue. Based on my testing, the Atlassian Admin connector can only search for groups created by Okta/IDPs; it cannot find local/default Atlassian groups such as jira-users.

     

    A workaround for this is to use API connector cards and use Jira's API calls to add users to jira-users or confluence-users groups.

    • RichardY.18612 (Customer)

      Thanks for that Luca!

       

      Least it's sanity checking I've not done something wrong.

      I'll look into the API connector card for it.

  • TimL.58332 (Workflows)

    @RichardY.18612 (Customer)​ 

     

    I would not expect the results to be limited by Okta groups.

     

    Unfortunately, I do not have Atlassian set up to perform iterative testing against their API. However, I would suggest trying a couple of things:

     

    1) Attempt to Search Groups with no inputs. For many APIs (and possibly this one) this will return all groups.

     

    2) Same idea on Get Groups. But you would need to leverage a "Custom API Action". I would again do a search with no filters. (Note: Custom API Action requires a relative URL.)

     

    https://developer.atlassian.com/cloud/admin/user-provisioning/rest/api-group-groups/#api-scim-directory-directoryid-groups-get

     

     

    • RichardY.18612 (Customer)

      Yeah, when I run a test with Search Groups with no input, it returns 4 groups. All of which are pushed from Okta.

       

      Thanks for the input, I'll be looking into the API action later today.

       

       

      Community forums seem more responsive and knowledgeable than Okta tech support, so I appreciate folks' input.

  • RichardY.18612 (Customer)

    Hi all. Just a follow-up on this, the response from Okta support I got was:

     

    I've done some more research on this and it seems that Atlassian no longer supports functionality to allow IdPs to perform Group operations.

     

    Based on their documentation, they are pretty restrictive with their mastered groups: https://support.atlassian.com/provisioning-users/docs/understand-user-provisioning/#Userprovisioning-Userprovisioningfeatures

     

    Groups created manually and by default (e.g. confluence-users, site-admins) in your Atlassian organization can't be managed via SCIM integration. You can only manage groups synced from your identity provider directory via SCIM.

     

    Since the workflows card shows Okta mastered groups, and does not throw any errors, I think it would be best to reach out to Atlassian Support to get a confirmation on what actions are supported.

     

     

    Now this in my mind, basically makes the "Add User To Group" in the Atlassian Admin connector completely useless then, because if you're gonna add them into a group, you'd do it on the Okta side.

     

    I actually think that this isn't working correctly as the Okta connector (based off the Okta doco I've seen) talks about using the same API Token as used for the SCIM integration. And I suspect using a full Atlassian API token (likely in the Custom API action as others have mentioned) will work fine.

     

    But I'm not spending any more time on getting something working that should just work by default. Especially when I've just found out that Bettercloud can do this task with no issues, and is a lot easier to set up than Okta workflows.

This question is closed.