
fcvtg (fcvtg) asked a question.
I'm using some array attributes set to "combine values across groups" in an app profile, so we can use Okta group membership to define what access people get in the app (Lacework). The array values are set in each group's assignment to the app, and the users are pushed to Lacework with SAML JIT. This usually results in the values that I expect, but when I change a user's group memberships, their individual app assignment doesn't always update to reflect the new union of values, which means their access is out of sync.
When is the union of a combined group attribute calculated? How can I force an updated union to be pushed to the app?

Hi @fcvtg (fcvtg), thank you for reaching out to the Okta Community!
If those Group membership changes happen in a third-party source like Active Directory, you have to take into account the fact that JIT ("Real-time" sync) only happens on a user login to Okta event.
You'll need to ensure that the affected users log out of Okta and then log back in to trigger the event and subsequent downstream updates.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope it helps!
Hi Mihai,
The group membership changes don't come from a third-party source. We're changing them directly in Okta.
I don't see this mentioned anywhere, but if you are leveraging Provisioning features, you should be able to go to Applications → "app name" → Provisioning → Settings/To app → Force Sync. See if that works.
If you are using some other kind of implementation type, you might need to investigate the issue via support ticket.
Hm, okay. We are using provisioning here, but I've torn down my test groups (as I finished the project I was part of). I'll keep this in mind to try the next time this comes up. Thanks!
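
One way to spot the out-of-sync state described in this thread, as an added example that is not from any poster or from Okta: it recomputes the union of a combined array attribute from each user's current groups and compares it to the value stored on the user's app assignment. The attribute name `lwRoles`, the group and user names, and the record shapes are constructed for illustration; in practice the three inputs would come from exported group assignments, group memberships and app-user profiles.

```python
# Constructed sample data, shaped loosely like app-assignment records.
# "lwRoles" is a hypothetical array attribute set to combine values across groups.
ATTR = "lwRoles"

group_assignments = {          # group id -> profile on the group's app assignment
    "grp-sec":  {ATTR: ["admin", "audit"]},
    "grp-dev":  {ATTR: ["read"]},
    "grp-data": {ATTR: ["audit", "reports"]},
}
user_groups = {                # user -> current group memberships
    "alice": ["grp-dev"],                 # was removed from grp-sec
    "bob":   ["grp-dev", "grp-data"],     # was just added to grp-data
    "carol": ["grp-sec"],
}
user_assignments = {           # user -> profile stored on the user's app assignment
    "alice": {ATTR: ["admin", "audit", "read"]},
    "bob":   {ATTR: ["read"]},
    "carol": {ATTR: ["audit", "admin"]},
}

def expected_union(groups, assignments, attr=ATTR):
    """Union of the attribute across every assigned group the user is in."""
    values = set()
    for gid in groups:
        values.update(assignments.get(gid, {}).get(attr) or [])
    return values

def find_drift(user_groups, group_assignments, user_assignments, attr=ATTR):
    """Return {user: {"stale_extra": [...], "missing": [...]}} for out-of-sync users."""
    drift = {}
    for user, groups in user_groups.items():
        expected = expected_union(groups, group_assignments, attr)
        actual = set(user_assignments.get(user, {}).get(attr) or [])
        if expected != actual:
            drift[user] = {
                "stale_extra": sorted(actual - expected),  # access that should be gone
                "missing": sorted(expected - actual),      # access not yet granted
            }
    return drift

if __name__ == "__main__":
    for user, d in find_drift(user_groups, group_assignments, user_assignments).items():
        print(user, d)
```

Users reported with `stale_extra` values are the ones to prioritize, since they still carry access from a group they no longer belong to.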