Dynamic IdP Groups for Okta

Using the Dynamic IdP groups functionality reduces the time spent creating groups and manually adding or removing members in two places. You can now work with the groups that have already been created within Okta and use them for workflows and assignments within Vanta!

 

What are Groups?

  • Multiple users with similar responsibilities, tasks, or job descriptions can be grouped.
  • Groups can then be used to assign Checklists to multiple users, making it easier to manage which tasks are assigned to specific people.

Importing Groups from Okta

  • Select Import Groups in the top right-hand corner of the People -> Groups page

  • From here, you will be asked to select which groups you would like brought into Vanta.
    • Select the check box next to each group name that should be imported

  • Once you have made your selections, click Next in the lower right-hand corner.
  • Choose a checklist from the drop-down to be assigned to each group

  • Click Next
  • If you would like to make changes, select Back. If you are ready to import into Vanta, select Import Groups
  • The newly imported groups will now appear in your Groups list as Created by Okta
  • Checklists for an identity provider imported group can be updated similarly to any other list or group

 

Updating Groups in Okta

  • When you add or remove users from groups within Okta, the change is automatically reflected in Vanta.
  • If you don't see the changes reflected immediately, select Refresh data to force the update.

 

 

Reassigning Groups 

  • Once a user is assigned to a group through Okta, they can only be reassigned to other Okta groups they are a member of. This is done in the Edit details section of the People page drawer
  • To control the user's group through Vanta, remove the user from the Okta-created group or delete the imported group in Vanta
  • To rename a group imported from Okta, make the name change within Okta. Once saved, the name change will also be reflected in Vanta.

Removing Imported Groups

  • To remove an Okta group import, delete the imported group.
    • To delete a group, open the Groups page and select the Okta-imported group you would like to remove
    • Select the options menu (...), and select Delete Group

  • When this happens, all existing identity provider group users are reassigned to their prior Vanta groups, and the identity provider group is removed from Vanta. The group can always be re-imported if the admin changes their mind.

Please keep in mind that:

  • We do not support IdP groups with more than 8,000 employees. Groups with more than 8,000 employees will not show up in the UI when importing groups.
  • We only support fetching at most 10,000 groups for our Okta IdP group integration due to rate limiting imposed by Okta. If a user has 10,000+ groups, only the first 10,000 will be available for import.
  • Changes from identity providers are only reflected when resources are refreshed on a two-hour cadence. Customers can also trigger these refreshes from the group's drawer on the Groups page.
  • If a user is in multiple groups in their identity provider and those groups are imported into Vanta, the first time we detect that a user is in multiple groups, we ask you to select a preferred group for all future conflicts.
  • It is best practice for admins to import only groups whose memberships do not overlap. Vanta only supports one group per user and resolves conflicts by assigning users the last imported group.
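
A pre-import check for the limits listed above, as an added example (not Vanta or Okta code). It assumes group membership has already been exported from Okta into a mapping of group name to member emails; the function name, report keys and sample data are hypothetical.

```python
from collections import defaultdict

MAX_MEMBERS = 8000   # page: groups above this size are not shown for import
MAX_GROUPS = 10000   # page: at most this many groups are fetched from Okta

# Constructed sample export: group name -> member emails (not real data).
SAMPLE_GROUPS = {
    "Engineering": {"ana@example.com", "bo@example.com"},
    "Security": {"bo@example.com", "cy@example.com"},
    "Contractors": {"di@example.com"},
    "All Staff": {"ana@example.com", "bo@example.com",
                  "cy@example.com", "di@example.com"},
}

def preflight(groups, selected, max_members=MAX_MEMBERS, max_groups=MAX_GROUPS):
    """Check a planned import against the limits listed on this page."""
    report = {
        "group_cap_exceeded": len(groups) > max_groups,
        "unknown": [], "too_large": [], "importable": [], "overlaps": {},
    }
    for name in selected:
        if name not in groups:
            report["unknown"].append(name)       # not present in the export
        elif len(groups[name]) > max_members:
            report["too_large"].append(name)     # will not appear in the UI
        else:
            report["importable"].append(name)
    # One group per user: list every user who sits in 2+ importable groups.
    membership = defaultdict(list)
    for name in report["importable"]:
        for user in groups[name]:
            membership[user].append(name)
    report["overlaps"] = {u: g for u, g in sorted(membership.items())
                          if len(g) > 1}
    return report

if __name__ == "__main__":
    # Limits lowered so the small constructed sample trips each check.
    plan = ["Engineering", "Security", "All Staff", "Finance"]
    for key, value in preflight(SAMPLE_GROUPS, plan, max_members=3).items():
        print(f"{key}: {value}")
```

An empty `overlaps` entry means no user in the planned import belongs to more than one selected group, so no group conflict needs resolving after import.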