How can I get all groups a user belongs to using Okta's API? - active-directory

I'm trying to sync users/groups that sit behind Okta in Active Directory. Specifically, I'd like to get all groups a user belongs to, upon login to a third party application.
Looking at the Okta API documentation (http://developer.okta.com/docs/api/resources/groups.html) I see that I could accomplish this by performing the following operations (in pseudo-code):
FETCH ALL GROUPS (using List Groups operation)
FOR EACH GROUP
    FETCH A LIST OF USERS (using List Group Members operation)
For my purposes this seems very inefficient, but I can't find a better way of doing this by looking at the documentation.
Ideally, what I would like to do is:
FETCH ALL GROUPS FOR A GIVEN USER ID
Is there any way I could accomplish this?
Any help is appreciated. Thanks.

I found the answer: the Get Member Groups API call does this exact thing. It's under Related Resources here: http://developer.okta.com/docs/api/resources/users.html

https://developer.okta.com/docs/reference/api/users/#get-user-s-groups how about that?
[GET] /api/v1/users/$userid/groups
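Added here as an example, not code from the question, the answers or Okta: a small client for the endpoint above that follows Okta's Link-header pagination instead of stopping at the first page. The org URL, the user and group ids, and the two response pages are constructed placeholders; the transport is injected so the block runs offline.

```python
# Added example (not code from the post or from Okta): list one user's groups via
# GET /api/v1/users/{userId}/groups, following Okta's Link-header pagination.
import json
import re
import urllib.request
from urllib.parse import quote

def user_groups_url(org, user_id, limit=200):
    # Encode the id; Okta also accepts a login such as jane@example.com here
    return f"{org}/api/v1/users/{quote(user_id, safe='')}/groups?limit={limit}"

def next_link(link_header):
    """URL tagged rel="next" in a Link header, or None on the last page."""
    m = re.search(r'<([^>]+)>\s*;\s*rel="next"', link_header or "")
    return m.group(1) if m else None

def okta_fetch(url, api_token):
    """Real transport: GET with the SSWS API token; returns (headers, body)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {api_token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {"Link": ", ".join(resp.headers.get_all("Link") or [])}, json.load(resp)

def list_user_groups(org, user_id, fetch, limit=200):
    """Walk every page; fetch(url) -> (headers, body). Returns the group names."""
    url, names, seen = user_groups_url(org, user_id, limit), [], set()
    while url and url not in seen:
        seen.add(url)  # stop if a server ever points "next" at an earlier page
        headers, page = fetch(url)
        names.extend(g["profile"]["name"] for g in page)
        url = next_link(headers.get("Link"))
    return names

# Constructed stand-in for two pages from a placeholder org (limit=2 per page)
ORG = "https://example.okta.com"
BASE = f"{ORG}/api/v1/users/00u1/groups"
FAKE_PAGES = {
    f"{BASE}?limit=2": (
        {"Link": f'<{BASE}?limit=2>; rel="self", <{BASE}?after=00g2&limit=2>; rel="next"'},
        [{"id": "00g1", "profile": {"name": "Everyone"}},
         {"id": "00g2", "profile": {"name": "Engineering"}}]),
    f"{BASE}?after=00g2&limit=2": (
        {"Link": f'<{BASE}?after=00g2&limit=2>; rel="self"'},
        [{"id": "00g3", "profile": {"name": "VPN-Users"}}]),
}

def fake_fetch(url):
    return FAKE_PAGES[url]
# Live use: list_user_groups(ORG, "00u1", lambda u: okta_fetch(u, API_TOKEN))
```

The fake pages exist only so the block runs offline; in real use the API token belongs in a secret store, not in source.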

It's also possible to get this list when the user logs in to an app via SAML.
Add a Group Attribute Statement with the filter "Matches regex" and the value ".*".
You will get the user's groups as part of the XML.

Related

AAD hosted Blazor Webassembly - How to get subset of user's AD groups when user is member of large number of groups

I have asked this question on ASP.Net Core github repo, but I do not think my query was sufficiently answered, so posting the question here.
I followed the instructions here to get a user's AD groups as claims. However, the user is a member of a large number of groups, and I just see a single claim, "hasGroups".
My question is: what is the suggested best practice/pattern to follow in such cases, as I am interested in retrieving only a few of the user's groups that match a string pattern? Where would I even write the code to perform this filter?
I know how to code the Graph API query, but where/when exactly to make this call is unclear. And once I retrieve the groups from the Graph API, how do I reflect the group information in the token claims, so the client app can use the regular authorization mechanism without knowing the details of how the user's groups were populated?
I'm not sure if this is the recommended way of doing it, but the docs here talk about adding groups and roles to the user object claims for Blazor: https://learn.microsoft.com/en-us/aspnet/core/security/blazor/webassembly/azure-active-directory-groups-and-roles?view=aspnetcore-3.1
I'm not sure if it's even possible, but in the CustomUserFactory I would try to replace the
foreach (var group in account.Groups)
{
    userIdentity.AddClaim(new Claim("group", group));
}
with some code that calls the Graph API (somehow getting the token to call the API with; that's the part I'm not sure on), parses the groups and adds them to the user claims,
then follow the rest of the example for how to incorporate that into the [Authorize] mechanism.
Again, I'm not super familiar with Blazor WASM yet, and I couldn't find any docs other than this on adding groups/roles into the authorization mechanism.
If anyone else has a better method of doing it, or a reason why this wouldn't work, feel free to chime in, but I hope that this can at least give you some ideas and is slightly useful.

Microsoft Graph AD Users or people API to search all users?

I'm trying to build functionality into my app for 'admins' to assign users from their AD group to certain groups that are further assigned to app-specific roles. Basically a simple management component.
Adding the user with the oid to a group is easy, the problem I'm facing is finding the actual user.
Currently, the only option I'm seeing is making multiple API requests to v1.0/users (999 items max), grouping them all in memory and then providing a simple search function to narrow it down.
I have also used the v1.0/me/people endpoint to search for users, but this does not reveal all users from the AD group, just relevant users they deal with, so it's not too useful.
Is there any other API endpoint I could tap into to do a search ONLY on members of the same Active Directory?
Using the startsWith filter on multiple properties is probably the closest we can get to user search in MS Graph at the moment:
https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'sarah') or startswith(givenName,'sarah') or startswith(surname,'sarah') or startswith(mail,'sarah') or startswith(userPrincipalName,'sarah')
Ended up switching to the old AD Graph API and implementing a query on the endpoint as follows:
https://graph.windows.net/{ tenant ID }/users?api-version=1.6&$select=mail,displayName,objectId,givenName,surname&$filter=startswith(givenName,'SEARCH TERM') or startswith(surname,'SEARCH TERM')
If a function receives a single param, it will search for that parameter in both givenName and surname, but you could configure this to search across any other supported fields.
You could also ditch the $select= completely to get the whole data. I didn't want the clutter though, and those keys are enough for me.
Instead of going with startswith, you may get a better experience using the search keyword:
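The two answers above interpolate the search term straight into an OData $filter. Added here as an example (not from the answers or from Microsoft's SDKs): a builder for that multi-property startswith filter that quotes the term as an OData string literal, so a name like O'Brien cannot close the literal and alter the query; the same doubling of single quotes applies to the graph.windows.net query in the other answer. The property and $select lists are assumptions chosen for illustration.

```python
# Added example (not from the answers or Microsoft's SDKs): build the
# multi-property startswith $filter from the answers above so that a search
# term containing a quote cannot break out of the OData string literal.
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
SEARCH_PROPS = ("displayName", "givenName", "surname", "mail", "userPrincipalName")
SELECT = ("id", "displayName", "givenName", "surname", "mail", "userPrincipalName")

def odata_string(value):
    """Quote a value as an OData string literal; an embedded ' becomes ''."""
    return "'" + value.replace("'", "''") + "'"

def startswith_filter(term, properties=SEARCH_PROPS):
    """startswith(p1,'term') or startswith(p2,'term') ... over the properties."""
    term = term.strip()
    if not term:
        raise ValueError("an empty term would match every user in the tenant")
    lit = odata_string(term)
    return " or ".join(f"startswith({p},{lit})" for p in properties)

def user_search_url(term, properties=SEARCH_PROPS, select=SELECT, top=50,
                    base=GRAPH_USERS):
    """Complete request URL: OData syntax characters stay unencoded, the rest
    (spaces, '@', non-ASCII) is percent-encoded; $top caps the page size."""
    flt = quote(startswith_filter(term, properties), safe="(),'")
    return f"{base}?$select={','.join(select)}&$filter={flt}&$top={top}"

# Constructed inputs: a plain term and one that would otherwise end the literal
if __name__ == "__main__":
    print(user_search_url("sarah"))
    print(user_search_url("O'Brien", properties=("surname",)))
```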
https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http#example-6-use-search-to-get-users-with-display-names-that-contain-the-letters-wa-including-a-count-of-returned-objects

How can I do role based access for the pages using AngularJS?

I want to do role-based access for the pages in AngularJS.
Based on the role, pages should be shown to the user.
Can anyone give me an example? Which would be the best solution?
Accessing the page based on the role is very easy.
Suppose the web/dashboard has three roles like admin, support, employee.
Assign the field userrole to the users.
Now assign the roles for those pages as ng-if="userrole=='admin'" or vice versa.
Now, based on the roles, the pages are accessible.
I'd suggest you take a look at (in the following steps):
Decide on an approach for accessing the current users role.
Look into ui-router, specifically its Resolve method.
Run some third function inside the Resolve method to see if the user is of the correct role, and handle your cases in whatever way you will.
Something I worked on a while back had an Authenticate method running in the Resolve method; you may want to have a look at that for reference. This was not role-based, however, but it may give you a nudge in the right direction.
Routes:
https://github.com/kasperlewau/metalmarket/blob/master/app/assets/javascripts/config/routes.js
Auth Service: https://github.com/kasperlewau/metalmarket/blob/master/app/assets/javascripts/app/services/auth.js
If anyone has a better idea for role based / logged-in based authentication, I'm all ears.

Can we get member list from a created google group using AdminSDK without super user's right

As mentioned in the title, does anybody know how to get the member list belonging to a created Google group using the AdminSDK without superuser rights? I tried on GAE but always received the following error:
「Not Authorized to access this resource/api」
Thank you!
You don't need superuser rights; that's just one way.
If the user is an owner/manager of the group, she can see membership.
It also might work if you make group membership visible to all, but I haven't tried it.

Sync google contacts by group to a limited number of users

I am trying to build open-source Python code hosted at GAE to sync contacts by group to a limited number of users. In a web interface users will be able to pick their group and whom it will be synced with.
I understand there are a lot of applications on the marketplace with the same functionality, but my organization is concerned about those providers selling contacts to 3rd parties. We are a non-profit organization, so the code could be hosted at Google Project or GitHub for community contribution.
(sorry for the long intro)
What is the best way to start? Is there a tutorial available with similar functionality that I can expand?
What is the best way to compare two Contact kind elements, to see if they need to be synced?
Is there a last update on the Contact kind elements, in case I want to implement last update wins?
thanks!
I don't know of any tutorials for syncing and comparing contacts specifically, but there is a getting started guide for the Google Contacts API at https://developers.google.com/google-apps/contacts/v3/.
The contacts are sent as XML blobs, so you could compare two contacts by parsing them and looking at the individual elements within them. I don't think there's a better way to do this but there are libraries to handle it for you.
There is a last updated field sent as part of the contacts when retrieving them with the API. It is an XML element labeled <updated>.
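Added here as an example, not code from the answer, the question or the gdata library: comparing two copies of one contact entry the way the answer describes, field by field for "needs sync" and by the Atom updated element for "last update wins". The two entries are constructed Atom XML in the Contacts API v3 shape, with a later edit on the second copy.

```python
# Added example (not from the answers or the gdata library): compare two
# copies of one Google contact entry and apply "last update wins" using the
# Atom <updated> element the answer mentions. The entries are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"atom": "http://www.w3.org/2005/Atom", "gd": "http://schemas.google.com/g/2005"}

LOCAL_COPY = """<entry xmlns="http://www.w3.org/2005/Atom" xmlns:gd="http://schemas.google.com/g/2005">
  <id>http://www.google.com/m8/feeds/contacts/user%40example.com/base/c1</id>
  <updated>2012-03-01T10:00:00.000Z</updated>
  <title>Jane Doe</title>
  <gd:email rel="http://schemas.google.com/g/2005#work" address="jane@example.com" primary="true"/>
</entry>"""
REMOTE_COPY = """<entry xmlns="http://www.w3.org/2005/Atom" xmlns:gd="http://schemas.google.com/g/2005">
  <id>http://www.google.com/m8/feeds/contacts/user%40example.com/base/c1</id>
  <updated>2012-03-02T08:30:00.000Z</updated>
  <title>Jane Doe</title>
  <gd:email rel="http://schemas.google.com/g/2005#work" address="jane@example.com" primary="true"/>
  <gd:phoneNumber rel="http://schemas.google.com/g/2005#mobile">+1 555 0100</gd:phoneNumber>
</entry>"""

def parse_entry(xml_text):
    """Return (id, updated, fields) for one contact entry.
    The feed comes from Google over HTTPS; XML from less trusted sources
    should be parsed with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(xml_text)
    updated = datetime.strptime(root.findtext("atom:updated", namespaces=NS),
                                "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    fields = {
        "title": root.findtext("atom:title", namespaces=NS),
        "emails": sorted(e.get("address") for e in root.findall("gd:email", NS)),
        "phones": sorted(p.text.strip() for p in root.findall("gd:phoneNumber", NS)),
    }
    return root.findtext("atom:id", namespaces=NS), updated, fields

def needs_sync(a_xml, b_xml):
    """True when the two copies describe the same contact but differ."""
    a_id, _, a_fields = parse_entry(a_xml)
    b_id, _, b_fields = parse_entry(b_xml)
    if a_id != b_id:
        raise ValueError("entries are different contacts")
    return a_fields != b_fields

def newest(a_xml, b_xml):
    """Last update wins: return the copy with the later <updated> stamp."""
    _, a_updated, _ = parse_entry(a_xml)
    _, b_updated, _ = parse_entry(b_xml)
    return b_xml if b_updated > a_updated else a_xml
```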
How are you getting different users' contacts feeds? I tried to save the tokens in the datastore when the users grant access, but when I get the tokens back from the datastore for 2 users at a time, after an hour when the token expires, all tokens start working like the current user's token and I can only get the current user's contacts.
token = Get_Shared_User_Token(user_email)  # token previously stored for this user
contact_client = gdata.contacts.client.ContactsClient(source=USER_AGENT)
authorized_client = token.authorize(contact_client)  # attach the token to the client
contacts_feed = authorized_client.GetContacts(q=query)
Can you please tell how one can get any user's contacts?
