List Okta usernames assigned to app via postman - postman

Is there a way, via Postman, to list the usernames assigned to an application? I am not looking for the Okta username, rather the username being passed to the SP. If yes, is there a way to limit the response to only that value as opposed to all values that get returned when you list a user?

Great question.
What you want to get is what is sent in the SAML Assertion, right?
I was able to get it using something like this:
oktaorg../api/v1/apps/0oa1775fsuhaO5wKD1d8/users/00uy74c0h7NGTLBSXQOC
Here is what it returned
{
  "id": "00uy74c0h7NGTLBSXQOC",
  "externalId": null,
  "created": "2017-03-10T19:17:05.000Z",
  "lastUpdated": "2017-03-10T19:17:05.000Z",
  "scope": "GROUP",
  "status": "ACTIVE",
  "statusChanged": "2017-03-10T19:17:05.000Z",
  "passwordChanged": null,
  "syncState": "DISABLED",
  "lastSync": null,
  "credentials": {
    "userName": "oktaadmin2@okta.com" /* this is what you want I think */
  },
  "profile": {},
  "_links": {
    "app": {
      "href": "https://companyx.okta.com/api/v1/apps/0oa1775fsuhaO5wKD1d8"
    },
    "group": {
      "name": "Everyone",
      "href": "https://companyx.okta.com/api/v1/groups/00gy74c0gzOSVLSLVYIG"
    },
    "user": {
      "href": "https://companyx.okta.com/api/v1/users/00uy74c0h7NGTLBSXQOC"
    }
  }
}
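The answer above fetches one assignment at a time; the question asked for every username assigned to the app, reduced to just the value that goes to the SP. The script below is an added example (not from the answer above and not Okta's own code): it walks the app-users endpoint page by page, following the rel="next" URL in Okta's Link header, and keeps only credentials.userName per assignment. The org URL, app id and token are placeholders you supply; the two sample pages in the block are constructed so the logic runs offline, and the fetch function is injectable so the same code works against a live org with the default urllib fetcher.

```python
import json
import re
import urllib.request

# Added example, not code from the original answer or from Okta.
# Assumed inputs: an Okta org URL, an SSWS API token allowed to read
# application assignments, and an app id (placeholders below).

NEXT_LINK_RE = re.compile(r'<([^>]+)>;\s*rel="next"')


def next_link(link_header):
    """Return the rel="next" URL from an Okta Link header, or None on the last page."""
    if not link_header:
        return None
    match = NEXT_LINK_RE.search(link_header)
    return match.group(1) if match else None


def http_get_json(url, token):
    """Default fetcher: GET url with an SSWS token; returns (parsed body, Link header)."""
    req = urllib.request.Request(url, headers={
        "Authorization": "SSWS " + token,
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode()), resp.headers.get("Link")


def sp_usernames(org_url, app_id, token, fetch=http_get_json, limit=200):
    """Collect credentials.userName for every user assigned to app_id, across all pages.

    Result is {okta_user_id: sp_username}; the value is None for assignments
    that carry no userName (apps that do not pass a username to the SP).
    """
    url = f"{org_url}/api/v1/apps/{app_id}/users?limit={limit}"
    names = {}
    while url:
        page, link = fetch(url, token)
        for assignment in page:
            creds = assignment.get("credentials") or {}
            names[assignment["id"]] = creds.get("userName")
        url = next_link(link)
    return names


# Constructed sample: two pages as an Okta org would return them (ids are made up).
_BASE = "https://example.okta.com/api/v1/apps/APPID/users"
SAMPLE_PAGES = {
    f"{_BASE}?limit=2": (
        [{"id": "u1", "credentials": {"userName": "a@example.com"}},
         {"id": "u2", "credentials": {"userName": "b@example.com"}}],
        f'<{_BASE}?limit=2>; rel="self", <{_BASE}?after=u2&limit=2>; rel="next"',
    ),
    f"{_BASE}?after=u2&limit=2": (
        [{"id": "u3", "credentials": {}}],
        f'<{_BASE}?after=u2&limit=2>; rel="self"',
    ),
}


def sample_fetch(url, token):
    """Offline stand-in for http_get_json, serving the constructed pages above."""
    return SAMPLE_PAGES[url]


def demo():
    """Run the paging logic against the constructed sample; returns the username map."""
    return sp_usernames("https://example.okta.com", "APPID", "placeholder-token",
                        fetch=sample_fetch, limit=2)


if __name__ == "__main__":
    for user_id, username in demo().items():
        print(user_id, username)
```

To run it against a real org, call sp_usernames with your org URL, app id and token and leave fetch at its default. The token should be scoped to read-only app assignment access, since the output is a list of identities mapped to the SP.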

Related

Callback url value in email for verifying account

This is an extension of Unable to validate account confirmation in WSO2 version 6.0 issue.
I have the same regex pattern in my self-registration section. But when I'm creating users using the REST API, the link which I get in the email is
https://localhost:9443/accountrecoveryendpoint/confirmregistration.do?confirmation=ce790759-1086-4870-a673-35b5927351d8&userstoredomain=PRIMARY&username=samyu&tenantdomain=carbon.super&callback={{callback}}
and when I created the user manually the link which I got is
https://localhost:9443/accountrecoveryendpoint/confirmregistration.do?confirmation=dff024e7-d7e7-48ef-bb60-1c1c4d6f3b1c&userstoredomain=PRIMARY&username=sam&tenantdomain=carbon.super&callback=https%3A%2F%2Flocalhost%3A9443%2Fmyaccount.
So, the difference between these two links is the callback. What configuration should I make in order to get the callback value?
When you are trying this from the recovery portal, the callback value is set automatically. If you are trying with the REST API you need to include that in the request. The following is a sample JSON payload.
{
  "user": {
    "username": "kim",
    "realm": "PRIMARY",
    "password": "Password12!",
    "claims": [
      {
        "uri": "http://wso2.org/claims/givenname",
        "value": "kim"
      },
      {
        "uri": "http://wso2.org/claims/emailaddress",
        "value": "kimAndie@gmail.com"
      },
      {
        "uri": "http://wso2.org/claims/lastname",
        "value": "Anderson"
      },
      {
        "uri": "http://wso2.org/claims/mobile",
        "value": "+947729465558"
      }
    ]
  },
  "properties": [
    {
      "key": "callback",
      "value": "https://localhost:9443/myaccount"
    }
  ]
}
Notice how you need to send the callback when using the REST API.

posixAccounts API information missing

I'm not seeing my posixAccounts information from the following link:
https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/get
{
  "kind": "admin#directory#user",
  "id": "8675309",
  "etag": "\"UUID\"",
  "primaryEmail": "email@example.com",
  "name": {
    "givenName": "Email",
    "familyName": "Account",
    "fullName": "Email Account"
  },
  "isAdmin": true,
  "isDelegatedAdmin": false,
  "lastLoginTime": "2021-08-04T21:11:17.000Z",
  "creationTime": "2021-06-16T14:32:35.000Z",
  "agreedToTerms": true,
  "suspended": false,
  "archived": false,
  "changePasswordAtNextLogin": false,
  "ipWhitelisted": false,
  "emails": [
    {
      "address": "email@example.com",
      "primary": true
    },
    {
      "address": "email@example.com.test-google-a.com"
    }
  ],
  "phones": [
    {
      "value": "123-456-7890",
      "type": "work"
    }
  ],
  "nonEditableAliases": [
    "email@example.com.test-google-a.com"
  ],
  "customerId": "id12345",
  "orgUnitPath": "/path/to/org",
  "isMailboxSetup": true,
  "isEnrolledIn2Sv": false,
  "isEnforcedIn2Sv": false,
  "includeInGlobalAddressList": true
}
As you can see from the above output, there's no posixAccount information. I can open the ldap information in Apache Directory studio, so I know it's there, but I can't see it from the above output. Since I can see it though, I tried to update this using the update function in the API.
https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update
I used this for the payload as I'm just testing updating the gid information. I used the documentation below to get the entry details needed. At least as far as I could tell.
{
  "posixAccounts": [
    {
      "gid": "12345"
    }
  ]
}
https://developers.google.com/admin-sdk/directory/reference/rest/v1/users
I'm getting a 200 response, but nothing is actually changing for the user when doing a PUT to update.
I tried a similar update method from another user on here, but to no avail: Google Admin SDK - Create posix attributes on existing user
I was able to get this resolved by supplying additional details in my PUT request:
{
  "posixAccounts": [
    {
      "username": "email (excluding @domain.com)",
      "uid": "1234",
      "gid": "12345",
      "operatingSystemType": "unspecified",
      "shell": "/bin/bash",
      "gecos": "Firstname Lastname",
      "systemId": ""
    }
  ]
}
The above wouldn't reflect in LDAP until I put "systemId" in there. So that part is required.
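The failure mode in this thread is that a partial posixAccounts entry is accepted with a 200 but never reaches LDAP. The helper below is an added example (not from the answer above and not Google's Admin SDK client): it builds the PUT body with every field the answer found necessary, derives the POSIX username from the local part of the primary email as the answer describes, and offers a check that reports which required keys a body is missing before you send it. The field list, the email and the ids are taken from or modelled on the answer; nothing here is a documented Google requirement beyond what the answer states.

```python
import re

# Added example; not from the Admin SDK docs or the original answer.
# REQUIRED mirrors the keys the answer above found necessary for the
# change to reach LDAP, including an explicit (possibly empty) systemId.
REQUIRED = ("username", "uid", "gid", "operatingSystemType",
            "shell", "gecos", "systemId")


def posix_username(primary_email):
    """Local part of the primary email, which the answer uses as the POSIX username."""
    local, sep, domain = primary_email.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {primary_email!r}")
    return local


def build_posix_update(primary_email, uid, gid, gecos, shell="/bin/bash",
                       operating_system_type="unspecified", system_id=""):
    """Return the JSON-serialisable body for PUT .../users/{userKey}."""
    for name, value in (("uid", uid), ("gid", gid)):
        # The API carries uid/gid as strings; insist on decimal digits so a
        # typo like "12345," is caught here rather than silently ignored.
        if not re.fullmatch(r"\d+", str(value)):
            raise ValueError(f"{name} must be a decimal id, got {value!r}")
    entry = {
        "username": posix_username(primary_email),
        "uid": str(uid),
        "gid": str(gid),
        "operatingSystemType": operating_system_type,
        "shell": shell,
        "gecos": gecos,
        "systemId": system_id,  # must be present, even if empty (see answer above)
    }
    return {"posixAccounts": [entry]}


def check_posix_body(body):
    """List (entry_index, key) for every required key missing from each entry.

    An empty list means the body carries everything the answer found necessary;
    the partial body from the question yields six missing keys.
    """
    problems = []
    for index, entry in enumerate(body.get("posixAccounts", [])):
        for key in REQUIRED:
            if key not in entry:
                problems.append((index, key))
    return problems


if __name__ == "__main__":
    import json
    # Constructed sample values, as in the answer above.
    print(json.dumps(build_posix_update("email@example.com", 1234, 12345,
                                        "Firstname Lastname"), indent=2))
    print(check_posix_body({"posixAccounts": [{"gid": "12345"}]}))
```

Run check_posix_body on whatever you are about to PUT; a 200 from the API is not a signal that the entry was complete.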

List users as non admin with custom fields

As per the documentation, I should be able to get a list of users with a custom schema as long as the field in the schema has a value of ALL_DOMAIN_USERS in the readAccessType property. That is the exact setup I have in the admin console. Moreover, when I perform a GET request to the schema get endpoint for the schema in question, I get confirmation that the schema fields are set to ALL_DOMAIN_USERS in the readAccessType property.
The problem is when I perform a users list request, I don't get the custom schema in the response. The request is the following:
GET /admin/directory/v1/users?customer=my_customer&projection=full&query=franc&viewType=domain_public HTTP/1.1
Host: www.googleapis.com
Content-length: 0
Authorization: Bearer fakeTokena0AfH6SMD6jF2DwJbgiDZ
The response I get back is the following:
{
  "nextPageToken": "tokenData",
  "kind": "admin#directory#users",
  "etag": "etagData",
  "users": [
    {
      "externalIds": [
        {
          "type": "organization",
          "value": "value"
        }
      ],
      "organizations": [
        {
          "department": "department",
          "customType": "",
          "name": "Name",
          "title": "Title"
        }
      ],
      "kind": "admin#directory#user",
      "name": {
        "fullName": "Full Name",
        "givenName": "Full",
        "familyName": "Name"
      },
      "phones": [
        {
          "type": "work",
          "value": "(999)999-9999"
        }
      ],
      "thumbnailPhotoUrl": "https://photolinkurl",
      "primaryEmail": "user@domain.com",
      "relations": [
        {
          "type": "manager",
          "value": "user@domain.com"
        }
      ],
      "emails": [
        {
          "primary": true,
          "address": "user@domain.com"
        }
      ],
      "etag": "etagData",
      "thumbnailPhotoEtag": "photoEtagData",
      "id": "xxxxxxxxxxxxxxxxxx",
      "addresses": [
        {
          "locality": "Locality",
          "region": "XX",
          "formatted": "999 Some St Some State 99999",
          "primary": true,
          "streetAddress": "999 Some St",
          "postalCode": "99999",
          "type": "work"
        }
      ]
    }
  ]
}
However, if I perform the same request with a super admin user, I get an extra property in the response:
"customSchemas": {
  "Dir": {
    "fieldOne": false,
    "fieldTwo": "value",
    "fieldThree": "value"
  }
}
My understanding is that I should get the custom schema with a non-admin user as long as the custom schema fields are set to be visible by all domain users. This is not happening. I opened a support ticket with G Suite but the guy that provided "support" sent me in this direction. I believe this is a bug or maybe I overlooked something.
I contacted G Suite support and in fact, this issue is a domain specific problem.
It took several weeks for the issue to be addressed by the support engineers at Google but it was finally resolved. The behaviour is the intended one now.
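When a domain-specific problem like this lands with support, it helps to hand over exactly which fields should have been visible and for which users they were absent. The code below is an added example (not from the question, the answer, or Google's client libraries): it reads the schemas.get response for the custom schema, keeps the fields whose readAccessType is ALL_DOMAIN_USERS, and compares that against the users.list response obtained with the non-admin token (projection=full and viewType=domain_public, as in the request above). Both inputs are constructed samples shaped like the responses on this page; "Dir" and the field names are the question's, the second user is invented.

```python
# Added example; not from Google or the original poster. Reads a schemas.get
# response and a users.list response and reports the per-user gap between
# the fields the schema says every domain user may read and what came back.

ALL_DOMAIN_USERS = "ALL_DOMAIN_USERS"

# Constructed sample: schemas.get for the "Dir" schema from the question.
SAMPLE_SCHEMA = {
    "kind": "admin#directory#schema",
    "schemaName": "Dir",
    "fields": [
        {"fieldName": "fieldOne", "fieldType": "BOOL",
         "readAccessType": ALL_DOMAIN_USERS},
        {"fieldName": "fieldTwo", "fieldType": "STRING",
         "readAccessType": ALL_DOMAIN_USERS},
        {"fieldName": "fieldThree", "fieldType": "STRING",
         "readAccessType": "ADMINS_AND_SELF"},   # not expected for non-admins
    ],
}

# Constructed sample: users.list as seen with a non-admin token. The first
# user mirrors the question (no customSchemas at all); the second is invented
# and is missing only one of the two public fields.
SAMPLE_USERS = {
    "kind": "admin#directory#users",
    "users": [
        {"id": "1", "primaryEmail": "user@domain.com"},
        {"id": "2", "primaryEmail": "other@domain.com",
         "customSchemas": {"Dir": {"fieldOne": False}}},
    ],
}


def domain_visible_fields(schema):
    """Names of the schema's fields every domain user is allowed to read."""
    return {f["fieldName"] for f in schema.get("fields", [])
            if f.get("readAccessType") == ALL_DOMAIN_USERS}


def missing_visible_fields(schema, users_response):
    """Map primaryEmail -> sorted list of public fields absent from that user's record.

    Users that carry every expected field are left out, so an empty dict means
    the list response matches the schema's visibility settings.
    """
    expected = domain_visible_fields(schema)
    schema_name = schema["schemaName"]
    report = {}
    for user in users_response.get("users", []):
        custom = user.get("customSchemas") or {}
        present = set(custom.get(schema_name, {}))
        gap = expected - present
        if gap:
            report[user["primaryEmail"]] = sorted(gap)
    return report


if __name__ == "__main__":
    for email, fields in missing_visible_fields(SAMPLE_SCHEMA, SAMPLE_USERS).items():
        print(f"{email}: missing {', '.join(fields)}")
```

Running the same comparison with a super-admin token should give an empty report; a non-empty report for the non-admin token but an empty one for the admin is the precise symptom the question describes, and is the evidence worth attaching to the ticket.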

Google People API detect merged contacts with syncToken - previousResourceNames not included

I am using the People API to allow users to create entities in my system from their Google contacts, and am storing the resourceName (i.e. 'people/c7760106965272617307') to keep track of the Google contact the entity was created from.
I want to be able to periodically update the entities to match what is in Google, i.e. if the contact updates the phone number the entity gets the updated phone number. So I am calling the list API passing the sync token to get the contacts that have changed since the last call. This works for updates, edits and deletes, but I can't find a way to detect when two contacts have been merged in Google Contacts.
The docs state:
https://developers.google.com/people/api/rest/v1/people#Person.PersonMetadata
previousResourceNames[]: Any former resource names this person has had. Populated only for connections.list requests that include a sync token.
So if I:
- Call the list API requesting a sync token
- Create Contact A and Contact B
- Call the list API passing the sync token, then I get just the two created contacts and a new sync token:
[
  {
    "resourceName": "people/c1465347538402693914",
    "etag": "%EgcBAj0JPjcuGgQBAgUHIgxab0lZTFBvUU43bz0=",
    "metadata": {
      "sources": [
        {
          "type": "CONTACT",
          "id": "1455f5d28afc531a",
          "etag": "#ZoIYLPoQN7o=",
          "updateTime": "2020-02-26T15:35:34.021Z"
        }
      ],
      "objectType": "PERSON"
    },
    "names": [
      {
        "metadata": {
          "primary": true,
          "source": {
            "type": "CONTACT",
            "id": "1455f5d28afc531a"
          }
        },
        "displayName": "Contact A",
        "familyName": "A",
        "givenName": "Contact",
        "displayNameLastFirst": "A, Contact"
      }
    ]
  },
  {
    "resourceName": "people/c4555919836853785218",
    "etag": "%EgcBAj0JPjcuGgQBAgUHIgx2WmJHUUtjNTcxQT0=",
    "metadata": {
      "sources": [
        {
          "type": "CONTACT",
          "id": "3f39e0f40cd35282",
          "etag": "#vZbGQKc571A=",
          "updateTime": "2020-02-26T15:35:44.056Z"
        }
      ],
      "objectType": "PERSON"
    },
    "names": [
      {
        "metadata": {
          "primary": true,
          "source": {
            "type": "CONTACT",
            "id": "3f39e0f40cd35282"
          }
        },
        "displayName": "Contact B",
        "familyName": "B",
        "givenName": "Contact",
        "displayNameLastFirst": "B, Contact"
      }
    ]
  }
]
If I then merge the two contacts, and then call the API passing the new sync token i get:
{
  "resourceName": "people/c4555919836853785218",
  "etag": "%EgcBAj0JPjcuGgQBAgUHIgxqNlFVYnIwaU9vVT0=",
  "metadata": {
    "sources": [
      {
        "type": "CONTACT",
        "id": "3f39e0f40cd35282"
      }
    ],
    "deleted": true,
    "objectType": "PERSON"
  }
}
So TL;DR: I can find out that one of the contacts was deleted, but not that it was merged into another contact.
It seems like the previousResourceNames[] field would do exactly what I want, but I can't seem to make it return in the data, either using the "Try this API" function on the docs:
https://developers.google.com/people/api/rest/v1/people.connections/list
or using the below Node.js code:
const {google} = require('googleapis');

// authClient: an authorised OAuth2 client; syncToken: the token returned by the previous call
async function listChangedConnections(authClient, syncToken) {
  const service = google.people({version: 'v1', auth: authClient});
  const result = await service.people.connections.list({
    resourceName: 'people/me',
    personFields: 'names,emailAddresses,phoneNumbers,metadata',
    //requestSyncToken: true
    syncToken: syncToken // "insert token here"
  });
  console.info("Google Returned", JSON.stringify(result.data, null, 4));
  return result.data;
}
I wonder if I need to grant extra scopes, or something else in the requested person fields.
Scopes Requested:
'https://www.googleapis.com/auth/contacts',
'https://www.googleapis.com/auth/userinfo.email',
'https://www.googleapis.com/auth/userinfo.profile'
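Whatever causes previousResourceNames to be absent here, the consuming side still has to decide what to do with each record in a sync page. The code below is an added example (not from the question and not Google's client library) of that consumer: it applies one connections.list page to a local map of resourceName to entity, treating metadata.deleted as a delete unless some surviving record in the same page lists the deleted name under previousResourceNames, in which case the entity is recorded as merged into the survivor. Two constructed pages are included: one shaped like the response in the question (only the deleted record, so it can only be classified as a delete) and one assuming previousResourceNames is populated as the docs describe. Field names are the API's; the entity shape and the people names are invented.

```python
import copy

# Added example; not from the People API docs or the poster's application.
# Local store shape (assumed): {resourceName: {"displayName": str, "merged_from": [...]}}


def apply_sync_page(entities, people):
    """Apply one connections.list page (with a sync token) to `entities` in place.

    Returns {"updated": [...], "deleted": [...], "merged": {old_name: survivor_name}}.
    """
    result = {"updated": [], "deleted": [], "merged": {}}

    # Pass 1: index former names of surviving records, so a merge is recognised
    # even when the deleted record appears before its survivor in the page.
    former = {}
    for person in people:
        meta = person.get("metadata", {})
        if not meta.get("deleted"):
            for old_name in meta.get("previousResourceNames", []):
                former[old_name] = person["resourceName"]

    # Pass 2: apply deletes, merges and updates.
    for person in people:
        name = person["resourceName"]
        meta = person.get("metadata", {})
        if meta.get("deleted"):
            entities.pop(name, None)
            if name in former:
                survivor = entities.setdefault(former[name], {})
                survivor.setdefault("merged_from", []).append(name)
                result["merged"][name] = former[name]
            else:
                # Without previousResourceNames this is indistinguishable from a
                # plain delete, which is exactly the situation described above.
                result["deleted"].append(name)
            continue
        names = person.get("names") or [{}]
        entity = entities.setdefault(name, {})
        entity["displayName"] = names[0].get("displayName")
        result["updated"].append(name)
    return result


# Constructed local state after the first sync: two entities, as in the question.
INITIAL_ENTITIES = {
    "people/c1465347538402693914": {"displayName": "Contact A"},
    "people/c4555919836853785218": {"displayName": "Contact B"},
}

# Constructed page shaped like what the question reports after the merge.
PAGE_WITHOUT_HISTORY = [
    {"resourceName": "people/c4555919836853785218",
     "metadata": {"deleted": True, "objectType": "PERSON"}},
]

# Constructed page assuming the docs' behaviour: the survivor is returned too
# and carries the deleted contact's name in previousResourceNames.
PAGE_WITH_HISTORY = [
    {"resourceName": "people/c4555919836853785218",
     "metadata": {"deleted": True, "objectType": "PERSON"}},
    {"resourceName": "people/c1465347538402693914",
     "metadata": {"objectType": "PERSON",
                  "previousResourceNames": ["people/c4555919836853785218"]},
     "names": [{"displayName": "Contact A"}]},
]


def demo(page):
    """Apply `page` to a fresh copy of the initial state; returns (result, entities)."""
    entities = copy.deepcopy(INITIAL_ENTITIES)
    return apply_sync_page(entities, page), entities


if __name__ == "__main__":
    for label, page in (("no history", PAGE_WITHOUT_HISTORY), ("with history", PAGE_WITH_HISTORY)):
        result, entities = demo(page)
        print(label, result, entities)
```

The design choice worth noting is the two-pass structure: the API gives no ordering guarantee between the deleted record and its survivor within a page, so former names must be collected before any delete is classified. If previousResourceNames stays empty in your tenant, the fallback is to keep deleted entities tombstoned rather than removed, so a later match can still be reconciled.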

Google People API does not return an emailAddress for people/me

I'm using the Google API Console tool, and when I do the query
resourceName: people/me
personFields: emailAddresses
I get the following response:
{
  "resourceName": "people/102381120202845324999",
  "etag": "%EgUBCT43LhoMAQIDBAUGBwgJCgsMIgw0eHhmblFCa0Qybz0="
}
As you can see, no email address is included. This only happens with one of my gmail accounts. Using another account I would get a response like:
{
  "resourceName": "people/104150119553351608999",
  "etag": "%EgUBCT43LhoMAQIDBAUGBwgJCgsMIgxIc2JBaWZXWldGQT0=",
  "emailAddresses": [
    {
      "metadata": {
        "primary": true,
        "verified": true,
        "source": {
          "type": "DOMAIN_PROFILE",
          "id": "104150119553351608710"
        }
      },
      "value": "xx@example.com"
    }
  ]
}
Any idea what the cause could be?
I think this is related to G Suite.