a20kq (a20kq) asked a question.
Hoping someone can help.
I have Okta integrated with SalesForce. I can assign groups to the SalesForce app in Okta. For each group, I can customize the SalesForce Profile, Role and Permission sets.
I can export the application group and permission sets by using the apps api e.g.
GET /api/v1/apps/${aid}/groups/${gid}
The resulting object will show me the profile e.g.
role :
salesforceGroups : {PermSet1, PermSet2, PermSet3}
city :
profile :Web Team
postalCode :
companyName :
featureLicenses :
division :
Is_Call_Center_User__c :
street :
NVMConnect__IsActiveOnDialler__c :
state :
department :
publicGroups :
NVMContactWorld__NVM_Agent_Id__c :
What I want to be able to do is update the profile, licenses etc. using an API call. Has anyone done something similar and could help me with the right API call?
I've looked at the Groups API. I don't think this will work In part because they're syncrhonized from Active Directory. But also I want to modify the app profile.
Any help appreciated.
Thanks
I've tried doing a PUT using the Assign Group To Application endpointhttps://developer.okta.com/docs/reference/api/apps/#assign-group-to-application.
In the body I specified the Application Group Object (https://developer.okta.com/docs/reference/api/apps/#application-group-object) with the profile configured to the desired state.
The group is assigned to the application, but the profile is not updated.
Hi @a20kq (a20kq) , Thank you for reaching out to the Okta Community!
Just ran a test in my environment with an Okta Group assigned to my Salesforce sandbox and it worked.
I've switched the role from "CEO" to "COO" and back successfully.
You'll need to confirm that the attributes that you are trying to change are editable and (depending on the attribute) that the new values match exactly what is expected.
In the example I've given above, for the role attribute I could only use values from a predefined list.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope it helps!
One thing to note: If you are checking to confirm the changes took place by visual confirmation in the Okta Admin Dashboard, make sure to give it a few seconds and refresh the page, then check.
Thanks for testing it out. I still can't get it to work in my environment. I'm trying to script it using Powershell which may be a factor.
If I set the role manually via the dashboard, then run a GET request against the app group. I can see the profile.
Any ideas?
@Mihai N. (Okta, Inc.) Apologies, didn't tag you in my response.
This is resolved. Posting the solution for anyone it might help.
I tried with Postman and was able to update the profile successfully.
I went back to my Powershell script and tried again.
It seems that the cmdlet I was using was not properly converting the PSOjbect into JSON (maybe I was wrong to think it would). Once I formatted it as JSON first then sent it as the body, I was able to change the object in Okta.
Instead of sending the body as $body, I first converted it to a JSON string.
$body = $body | convertto-JSON
$result = Invoke-RestMethod $requestUrl -Headers $headers -Method Put -Body $body
I'm sure I tried this before but initially I got a 400 error so thought it was improperly formatted. Turns out the 400 related to an attribute that was not present in this SF instance in Okta. This was highlighted using Postman. Once I removed the attributes, I got a 200 status and the object was updated successfully.
Happy days.
Sorry for the late reply! I was out of the office last week.
Happy to "hear" that it was sorted! 👍