Can I assign specific event hooks to specific Okta applications?
I created a user is unassigned event hook but I'm receiving the event hook request when the user is unassigned from all Okta applications.
I would like to send out specific unassignment event hooks to different URLs depending on which application the user was unassigned from. So I would like to attach specific event hooks to specific applications so that the external applications can handle deprovisioning on their side.
Is this possible?
Looking through the documentation, it does not appear that is possible.
https://developer.okta.com/docs/concepts/event-hooks/
Okta has open beta in progress for "conditional hooks" where you can filter events to be delivered to the hook endpoint. It might be something you can use to configure multiple hooks of the same type but different URLs for different applications based on the filter expression.
Check your Settings -> Features -> Open Betas to see if you have it.
Related
In Okta, I can unassign a user from an application but then the application will not know that the user has been unassigned and will still show the user in the application.
What is the best way to "alert" the application that the user has been unassigned so that the application can remove the user appropriately?
I looked at event hooks but event hooks send out a user unassigned event hook when the user is unassigned from any apps. I want to send a specific event hook out to the external application specifically for that application so that application can remove the user accordingly from their side.
https://help.okta.com/en-us/Content/Topics/automation-hooks/event-hooks-main.htm?cshid=ext-event-hooks
I see I can also download reports (recent unassignments) but that is a very manual process.
Is there an API endpoint I can hit from the external app to compare the users?
What do you suggest?
The best option is to use the SCIM provisioning mechanism, where only events related to a particular application will be sent out to your configured endpoint on the application side.
Please check out the Okta SCIM documentation.
I am using Okta for SSO and I want to receive an event webhook when a user is assigned to, deleted from, or removed from an application.
The Okta documentation says there are 2 types of hooks (asynchronous and synchronous).
I think synchronous, inline hooks are better because if my backend app doesn't process the event correctly, then I do not want the user to be removed on the Okta side.
Which inline event hook type should I use to know when a user is removed/unassigned from an application?
Documentation I have looked at so far:
https://developer.okta.com/blog/2020/07/20/easy-user-sync-hooks
https://developer.okta.com/docs/reference/api/event-types/#catalog
https://developer.okta.com/docs/concepts/event-hooks/#sample-event-delivery-payload
https://developer.okta.com/docs/concepts/inline-hooks/
https://developer.okta.com/docs/reference/hooks/#get-started
Sync hooks exist only for certain events, so you can't just choose for any given event which hook you want to use. If I'm correct, application unassignment is not one of those covered by inline hooks, so you are left with only the async one.
You can read more about inline ones in the Okta documentation.
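The three Okta questions above all come down to one asynchronous event hook that fires for every application. The following is an added example, not code from any of the posts or from Okta: a receiver that answers Okta's one-time verification challenge, checks the shared secret, and routes each `application.user_membership.remove` event to a per-application endpoint by the `AppInstance` target id. The app ids, URLs, sample events and the use of an `Authorization` header secret are constructed assumptions.

```javascript
const crypto = require("node:crypto");

// Constructed placeholders: Okta app instance id -> that app's deprovisioning endpoint.
const ROUTES = new Map([
  ["0oaEXAMPLEcrm0001", "https://crm.example.com/deprovision"],
  ["0oaEXAMPLEwiki002", "https://wiki.example.com/deprovision"],
]);

// One-time endpoint verification: echo the challenge header back as JSON.
function verificationResponse(headers) {
  const challenge = headers["x-okta-verification-challenge"];
  return challenge ? { verification: challenge } : null;
}

// Check the Authorization header; hashing gives timingSafeEqual equal-length inputs.
function isAuthentic(headers, secret) {
  if (!secret) return false;
  const digest = (v) => crypto.createHash("sha256").update(String(v ?? "")).digest();
  return crypto.timingSafeEqual(digest(headers.authorization), digest(secret));
}

// Turn one delivery into per-application jobs; `seen` drops repeated event uuids.
function routeDelivery(body, seen = new Set()) {
  const jobs = [];
  const skipped = [];
  for (const ev of body?.data?.events ?? []) {
    if (ev.eventType !== "application.user_membership.remove") continue;
    if (seen.has(ev.uuid)) continue;
    seen.add(ev.uuid);
    const targets = Array.isArray(ev.target) ? ev.target : [];
    const app = targets.find((t) => t.type === "AppInstance");
    const user = targets.find((t) => t.type === "User");
    const url = app && ROUTES.get(app.id);
    if (!url || !user) { skipped.push(ev.uuid); continue; } // other app or malformed
    jobs.push({ url, appId: app.id, userId: user.id, login: user.alternateId });
  }
  return { jobs, skipped };
}

// Constructed sample delivery, trimmed to the fields used above.
const mk = (uuid, eventType, appId) => ({ uuid, eventType, target: [
  { type: "User", id: "00uEXAMPLEuser01", alternateId: "jane@example.com" },
  { type: "AppInstance", id: appId } ] });
const SAMPLE = { data: { events: [
  mk("evt-1", "application.user_membership.remove", "0oaEXAMPLEcrm0001"),
  mk("evt-2", "application.user_membership.remove", "0oaEXAMPLEother03"),
  mk("evt-3", "application.user_membership.add", "0oaEXAMPLEwiki002"),
  mk("evt-1", "application.user_membership.remove", "0oaEXAMPLEcrm0001"),
] } };
```

Because the hook is asynchronous, a failed downstream call does not undo the unassignment in Okta, so each job should be queued and retried by the receiver.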
I'm integrating ACS video call into my service (NodeJs backend, React front).
I want to allow ACS video call session only for a scheduled time period, then force to end it if it is over.
However, I cannot find a way to implement the following (or a REST API for it):
list current call sessions
list participants of each session.
force to stop/end a session by group id or any call ID
webhooks/callback being called when the session closes and when the participant leaves session.
Could you please give me some hint or advice?
Much appreciated.
Jin
You can use the Call Automation to join or create a new call. Your app can join either as a participant of the call or act out of the call. Each option offers different capabilities described here.
The good news is that both options offer the capability to add and remove participants to/from the call:
Call Connections - Remove Participant
Server Calls - Remove Participant
If you decide to use the In-Call (App-Participant) APIs, you can specify the callbackUri in the CreateCallOptions or JoinCallOptions. On this URI, you can listen to events (webhooks) such as Participants updated and deserialize the information about them. There is a comprehensive quickstart app available on GitHub showcasing the concept of callback URIs on the call recording capabilities (see the CallRecordingController.cs and Utils.ts in the public-preview branch).
If you decide to use the Out-of-Call APIs, then you need to keep track of the participant IDs yourself.
Currently, the CallingServer SDKs are available only for .NET and Java so you'll have to use the REST API.
I want to use Dialogflow fulfillment to connect to an external webservice / API. One way of doing that is to use the custom webhook feature (not the inline web hook). However, when using the custom web hook it seems that you are limited to creating just one even though you may have many intents and you may want to call many endpoints. Is there a way to link to more custom webhooks (API endpoints)?
If you can only set up one web hook then your webservice will always receive a POST request from Dialogflow and will then need to interpret the body of the request, i.e. based on the intent parameter. Just wondering, is there a better way to work with REST webservices with Dialogflow?
The other potential option is to use the inline web hook and then put logic in there to call specific endpoints, however, that might get a bit messy.
You can only set up one fulfillment that will handle the processing for all the Intents you've enabled. This can be either the built-in one through the fulfillment editor or at a webhook URL you specify.
That webhook is expected to delegate the actual processing to an Intent Handler of some sort. The Dialogflow node.js fulfillment library has a way to register what handler you want for each Intent name, or you can switch on the Intent name, the Action name, or any other field provided to you in your code.
In the library, you'll typically make the REST calls from an appropriate Intent handler which will take the parameters provided and craft the call. If you are using JavaScript, make sure you are handling the call asynchronously and return a Promise.
I recommend a webhook because it gives you more control than the inline editor does. The inline editor is really just a webhook under the covers using Firebase Cloud Functions. Even putting it yourself in a Cloud Function gives you better control over it.
There may be costs depending where you host it, however Firebase has a free tier that is sufficient for testing and light operation. Once your Action is published, you are also eligible for a monthly cloud credit from Google.
Consider the following situation: We're currently in a migration phase where the majority of our users should still be forwarded to the existing application A. Other users that fulfil certain criteria (let's call them beta-testers) should instead be forwarded to the new application B.
Users reach our AD FS with a POST request that contains the SAMLResponse and the RelayState. The RelayState-parameter tells our AD FS the desired target-application. Up to now it always contains "site A" since the users don't know about site B yet ;-)
I'm wondering if there's a way to dynamically change how our AD FS determines the target application based on the value of the RelayState-parameter?
So what I'm looking for is a way to somehow modify the RelayState based on a certain claim the user provides. E.g. if the user has a "beta-tester" entry in her role-claim, then our ADFS should forward her to site B instead of site A.
Is there a way to hook into the AD FS processing pipeline? The only thing I found so far is this article describing how to "inject" a custom authentication method. But that's obviously not what I'm looking for.
So could anybody tell me if there are any other extension points I could utilize to achieve what I described above?
Sorry, no - there is no way to dynamically change RelayState.
ADFS is locked down (as it is a security system) and doesn't have extension points.
Could you have two RP during the transition?
One approach is to set up a proxy site where you can apply custom logic as necessary for scenarios like this. My experience is there are numerous times when it's handy to have a point of entry into the federation process, i.e. a pseudo-extension point, where you can apply custom logic. So, everyone from the IdP may go to https://proxy.mysite.com and then that site would make determinations based on claims and maybe querystring, posted variables or header attributes, as to where to send (redirect) the user to next, https://a.mysite.com or https://b.mysite.com.
DNS can also be folded in, to do things like direct https://a.mysite.com to the proxy site and the proxy site can then look at the hostname of the request and know that the user intended to go to a.mysite.com, but you can determine if a beta tester and direct to b.mysite.com or the actual A site.
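The routing decision such a proxy site makes, as an added example that is not part of the answer above: it picks site A or B from the `beta-tester` role claim and only ever redirects to a fixed allow-list, so a request for an unknown hostname is refused rather than forwarded. The function names and the shape of `claims.role` are hypothetical, and the claims are assumed to come from an assertion the proxy has already validated.

```javascript
// Allow-list built from the hostnames in the answer above: the only
// destinations this proxy ever redirects to.
const SITES = { A: "https://a.mysite.com/", B: "https://b.mysite.com/" };

// Hostnames the proxy answers for (DNS for a.mysite.com may point at the proxy).
const KNOWN_HOSTS = new Set(["proxy.mysite.com", "a.mysite.com", "b.mysite.com"]);

// Lowercase, drop any :port and a trailing dot so lookups are exact matches.
function normalizeHost(host) {
  return String(host ?? "").trim().toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// A role claim may arrive as a single string or as an array of strings.
function hasRole(claims, role) {
  const raw = claims?.role;
  const roles = Array.isArray(raw) ? raw : raw == null ? [] : [raw];
  return roles.some((r) => String(r).toLowerCase() === role);
}

// Returns the redirect URL, or null when the request names no known site.
// The destination is chosen from SITES, never taken from the request itself.
function chooseTarget(host, claims) {
  if (!KNOWN_HOSTS.has(normalizeHost(host))) return null;
  return hasRole(claims, "beta-tester") ? SITES.B : SITES.A;
}
```

With this policy a user without the role who asks for b.mysite.com is still sent to site A.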