Okta
Note
This script is provided as an example of how XML can be generated from different sources for use with Interacts profile sources. This is not supported by Interact, therefore, you should feel free to use this as a starting point and tweak as necessary.
Using PowerShell it's possible to use a script to gather user data from your Okta account, using their API. This can then be used to generate an XML file and send this file to interact for purposes of synchronising with general profile sources. The script provided will also synchronise Okta groups into Interact to become Interact security groups, allowing you to manage group membership for permissions purposes in Okta, and have that flow through to Interact.
The script
Let's start by looking at the script before breaking it down into more detail...
# OKTA variables
$uri = "[FQDN FOR OKTA (e.g. https://dev-620014.oktapreview.com)]"
$apiKey = "[API KEY FOR OKTA (e.g. 00i1po7guY9wFDDoeAXLI7SzA_ZEKyznWKxSMx38El)]"
#Interact variables
$interactUrl = "[URL TO INTERACT UPLOAD (e.g. https://inkconsultants.interactgo.com/api/umi/1001/upload)]"
$authtoken = "[AUTH KEY ENTERED INTO INTERACT - (e.g. 629ehxPT30hZyfi09tE8GX1Uk42zne1r)]"
$domain = "[NAME OF PROFILE SOURCE ADDED TO INTERACT]"
$ldapId = "[ID OF PROFILE SOURCE IN INTERACT]"
$xmlPath = "[FILENAME AND PATH OF XML FILE TO BE PRODUCED]"
### Functions
function Write-SyncOption([System.Xml.XmlElement] $element, [string] $optionName, [string] $optionValue){
# Write a syncoption element using the passed values
$ele = $xmlWriter.CreateElement("", "option", "")
$ele.SetAttribute("name", $optionName) > $null
$ele.InnerText = $optionValue
$element.AppendChild($ele) > $null
}
function Write-DocumentBase(){
# Write the document root element
$syncdata = $xmlWriter.CreateElement("", "syncdata", "")
$syncdata.SetAttribute("version", "1") > $null
# Write the syncoptions element
$syncoptions = $xmlWriter.CreateElement("", "syncoptions", "")
$syncoptions.SetAttribute("domain", $domain) > $null
$syncoptions.SetAttribute("ldapid", $ldapid) > $null
Write-SyncOption $syncoptions 'syncCompanies' 'true'
Write-SyncOption $syncoptions 'syncLocations' 'true'
Write-SyncOption $syncoptions 'syncDepartments' 'true'
Write-SyncOption $syncoptions 'syncManagers' 'true'
Write-SyncOption $syncoptions 'actionDisabledUsers' 'd'
Write-SyncOption $syncoptions 'actionMissingDeletedUsers' 'd'
Write-SyncOption $syncoptions 'loginType' '0'
Write-SyncOption $syncoptions 'defaultCulture' '1'
Write-SyncOption $syncoptions 'newUserPasswordBehaviour' 'random'
$syncdata.AppendChild($syncoptions) > $null
$xmlWriter.AppendChild($syncdata) > $null
}
function Write-Detail([System.Xml.XmlElement] $element, [string] $optionName, [string] $optionValue){
# Write a syncoption element using the passed values
$ele = $xmlWriter.CreateElement("", $optionName, "")
if($optionValue -ne "") {
$ele.InnerText = $optionValue
}
$element.AppendChild($ele) > $null
}
function Write-PersonElement([System.Xml.XmlElement] $users, [System.Object] $user){
$xmluser = $xmlWriter.CreateElement('', 'user', '')
$xmluser.setAttribute('uid', $user.id)
$xmluser.setAttribute('dn', $user.id)
$xmluser.setAttribute('username', $user.profile.login)
$xmluser.setAttribute('email', $user.profile.mail)
# Call the function to write person specific elements
$xmlperson = $xmlWriter.CreateElement("", "person", "")
#$xmlperson.setAttribute('uid', $user.id)
Write-Detail $xmlperson 'firstname' $user.profile.firstName
Write-Detail $xmlperson 'surname' $user.profile.lastName
Write-Detail $xmlperson 'title' ''
Write-Detail $xmlperson 'initials' ''
Write-Detail $xmlperson 'jobtitle' $user.profile.title
Write-Detail $xmlperson 'phone' $user.profile.primaryPhone
Write-Detail $xmlperson 'mobile' $user.profile.mobilePhone
Write-Detail $xmlperson 'fax' ''
Write-Detail $xmlperson 'extension' ''
Write-Detail $xmlperson 'address' ($user.profile.streetAddress + "`r`n" + $user.profile.city + "`r`n" + $user.profile.state + "`r`n" + $user.profile.zipCode + "`r`n" + $user.profile.countryCode)
$xmluser.AppendChild($xmlperson)
# Create user specific elements
Write-Detail $xmluser 'statusenabled' 'true'
Write-Detail $xmluser 'password' $defaultUserPassword
Write-Detail $xmluser 'culture' '1'
$lang = $xmlWriter.CreateElement("", "language", "")
$lang.setAttribute('id', '1')
$xmluser.appendChild($lang)
# Create additional fields
$addfields = $xmlWriter.CreateElement("", "additionalfields", "")
$xmluser.appendchild($addfields)
# Call the function to write the manager element
Write-ManagerElement $xmluser $user
# Call the function to write the organisations element
Write-OrganisationsElement $xmluser $user
# Write a person child element for a user
$users.AppendChild($xmluser)
}
function Write-AdditionalField([System.Xml.XmlElement] $fields, [string] $fieldName, [string] $fieldValue){
# Write an additional field element using the passed values
$field = $xmlwriter.CreateElement("", "field", "")
$field.setAttribute('name', $fieldName)
$field.InnerText = $fieldValue
$fields.AppendChild($field)
}
function Write-ManagerElement([System.Xml.XmlElement] $xmluser, [System.Object] $user){
# Write the manager element for a user
$xmlManager = $xmlWriter.CreateElement("", "manager", "")
$xmlManager.setAttribute("uid", $user.profile.managerId)
$xmlManager.SetAttribute("dn", $user.profile.managerId)
$xmluser.AppendChild($xmlManager)
}
function Write-PrimaryOrganisationElement([System.Xml.XmlElement] $xmlorg, [string] $organisationType, [string] $organisationValue){
# Write an organisation element using the passed values
$org = $xmlWriter.CreateElement("", 'organisation', "")
$org.SetAttribute('type', $organisationType)
$org.SetAttribute('primary', 'true')
$org.InnerText = $organisationValue
$xmlorg.AppendChild($org)
}
function Write-OrganisationsElement([System.Xml.XmlElement] $xmluser, [System.Object] $user){
# Write the organisations element for a user
$xmlorg = $xmlWriter.CreateElement("", "organisations", "")
if (![string]::IsNullOrWhiteSpace($user.profile.department)) {
Write-PrimaryOrganisationElement $xmlorg 'department' $user.profile.department
}
if (![string]::IsNullOrWhiteSpace($user.profile.company)) {
Write-PrimaryOrganisationElement $xmlorg 'company' $user.profile.company
}
if (![string]::IsNullOrWhiteSpace($user.profile.physicalDeliveryOfficeName)) {
Write-PrimaryOrganisationElement $xmlorg 'location' $user.profile.physicalDeliveryOfficeName
}
$xmluser.AppendChild($xmlorg)
}
function Write-UsersAndGroups(){
# Write the groups element of the document
$groups = $xmlWriter.CreateElement("", "groups", "")
$users = $xmlWriter.CreateElement("", "users", "")
$grpcnt = 0
$usercnt = 0
$oktagroups = getOktaData("/api/v1/groups")
foreach ($group in $oktagroups)
{
Write-Host ""
Write-Host "Processing group " $group.id $group.profile.name
# Create group element with attributes
$grp = $xmlWriter.CreateElement("", "group", "")
$grp.SetAttribute("uid", $group.id)
$grp.SetAttribute("dn", $group.id)
$grp.SetAttribute("name", $group.profile.name)
$groupusers = $xmlWriter.CreateElement("", "users", "")
# get users in the group
$grpUsers = getOktaData($group._links.users.href)
$grpUsercount = 0
foreach ($grpUser in $grpUsers)
{
Write-Host "Processing member " $grpUser.id $grpUser.profile.login
if($grpUser.status -eq "ACTIVE"){
if(!$processedusers.ContainsKey($grpuser.id)){
$processedusers.Add($grpuser.id, $grpuser.id)
Write-PersonElement $users $grpUser
$usercnt+=1
}
$xmlgrpuser = $xmlWriter.CreateElement("", "user", "")
$xmlgrpuser.SetAttribute('uid', $grpUser.id)
$xmlgrpuser.SetAttribute('dn', $grpUser.id)
$xmlgrpuser.SetAttribute('username', $grpUser.profile.login)
$xmlgrpuser.SetAttribute('email', $grpUser.profile.email)
$groupusers.AppendChild($xmlgrpuser)
$grpUsercount+=1
}
}
if($grpUsercount -ne 0){
$grp.SetAttribute("UserCount", $grpUsercount)
$grp.AppendChild($groupusers)
$groups.AppendChild($grp)
$grpcnt += 1
}
}
$users.SetAttribute("TotalUsers", $usercnt)
$groups.SetAttribute("TotalUsers", $usercnt)
$groups.SetAttribute("TotalGroups", $grpcnt)
$xmlWriter.DocumentElement.AppendChild($users)
$xmlWriter.DocumentElement.AppendChild($groups)
}
function getOktaData([string] $apiPath){
$url = ($uri + $apiPath)
if($apiPath.Contains("http")){
$url = $apiPath
}
$response = Invoke-WebRequest -Uri $url -Method GET -Headers @{Authorization= 'SSWS ' + $apiKey}
$response = ConvertFrom-Json $response
return $response
}
###########################################
#
# The main execution sequence of the script
#
$processedusers = @{}
Write-Host "Starting..."
Write-Host "Setting up XML document..."
# Set up the XML document
$xmlWriter = New-Object System.Xml.XmlDocument
$xmlDeclaration = $xmlWriter.CreateXmlDeclaration("1.0", "UTF-8", $null)
$root = $xmlWriter.DocumentElement
$xmlWriter.InsertBefore($xmlDeclaration, $root) > $null
# Call the major work functions to build the document
Write-DocumentBase
Write-Host "Processing groups..."
Write-UsersAndGroups
# Final tidy up actions
$xmlWriter.Save($xmlpath)
Write-Host "Complete"
# Deliver file to API endpoint
Invoke-RestMethod -Uri $interactUrl -Method Post -InFile $xmlPath -ContentType "multipart/form-data" -Headers @{'X-ApiKey'=$authtoken; }
Script walkthrough
Let's look at the script in a little more detail...
Set up
First, we set up some variables that relate to your particular instance on Interact and the information needed to connect to the Okta API to get user and group information
# OKTA variables
$uri = "[FQDN FOR OKTA (e.g. https://inkconsultants.oktapreview.com)]"
$apiKey = "[API KEY FOR OKTA (e.g. ad0c98bSSMx38El)]"
#Interact variables
$interactUrl = "[URL TO INTERACT UPLOAD (e.g. https://inkconsultants.interactgo.com/api/umi/1001/upload)]"
$authtoken = "[AUTH KEY ENTERED INTO INTERACT - (e.g. 1234567890asdawnc)]"
$domain = "[NAME OF PROFILE SOURCE ADDED TO INTERACT]"
$ldapId = "[ID OF PROFILE SOURCE IN INTERACT]"
$xmlPath = "[FILENAME AND PATH OF XML FILE TO BE PRODUCED]"
Then, a series of functions are defined that generate the XML for a user within Okta and the various synchronization options from within profile sources.
Synchronization options
The functions for generating the XML for users and groups should be fairly self-explanatory so let's look at the various options
function Write-DocumentBase([System.Xml.XmlTextWriter] $writer){
# Write the document root element
# Write the syncoptions element
$xmlWriter.WriteStartElement('syncdata')
$xmlWriter.WriteAttributeString('version', '1')
$xmlWriter.WriteStartElement('syncoptions')
$xmlWriter.WriteAttributeString('domain', $domain)
$xmlWriter.WriteAttributeString('ldapid', $ldapId)
Write-SyncOption $xmlWriter 'syncCompanies' 'true'
Write-SyncOption $xmlWriter 'syncLocations' 'true'
Write-SyncOption $xmlWriter 'syncDepartments' 'true'
Write-SyncOption $xmlWriter 'syncManagers' 'true'
Write-SyncOption $xmlWriter 'actionDisabledUsers' 'x'
Write-SyncOption $xmlWriter 'actionMissingDeletedUsers' 'x'
Write-SyncOption $xmlWriter 'loginType' '0'
Write-SyncOption $xmlWriter 'defaultCulture' '1'
Write-SyncOption $xmlWriter 'newUserPasswordBehaviour' 'strict'
$xmlWriter.WriteEndElement()
}
When using profile sources, Interact takes the options from the XML source itself rather than from the screens within Interact. Each option above is described a little below
-
syncCompanies - this tells Interact whether or not to synchronize user companies. If a company does not exist in Interact it will be automatically created and the user assigned to that company.
-
syncLocations - this tells Interact whether or not to synchronize user Locations. Again, if a location does not already exist in Interact it will be automatically created and the user assigned to that location.
-
syncDepartments - this tells Interact whether or not to synchronize user departments. As above, if a department does not already exist in Interact it will be automatically created and the user assigned to that location.
-
actionDisabledUsers - this tells Interact what to do with users that are marked in the XML as disabled. Options here are:
- x - do nothing - do not update the interact status of those users
- d - deactive those users within Interact
- a - deactivate and archive users within Interact
-
actionMissingDeletedUsers - this tells Interact what to do with users that have either been previously created in Interact with this profile source, or are not assigned to any groups within the XML. Options for this are the same as above.
-
loginType - this needs to be present and set to the appropriate authentication method - please see the schema documentation for more information
-
defaultCulture - this needs to be present and set to the appropriate culture - please see the schema documentation for more information
-
newUserPasswordBehaviour - this tells Interact how to create passwords for new users. Options here are
- strict - Use the password that is specified in the user part of the XML
- random - Create a random password for each user
The main part of the script
The main part of the script is found at the bottom which actually handles the generation of the XML file and sending the data to Interact
###########################################
#
# The main execution sequence of the script
#
$processedusers = @{}
Write-Host "Starting..."
Write-Host "Setting up XML document..."
# Set up the XML document
$xmlWriter = New-Object System.Xml.XmlDocument
$xmlDeclaration = $xmlWriter.CreateXmlDeclaration("1.0", "UTF-8", $null)
$root = $xmlWriter.DocumentElement
$xmlWriter.InsertBefore($xmlDeclaration, $root) > $null
# Call the major work functions to build the document
Write-DocumentBase
Write-Host "Processing groups..."
Write-UsersAndGroups
# Final tidy up actions
$xmlWriter.Save($xmlpath)
Write-Host "Complete"
# Deliver file to API endpoint
Invoke-RestMethod -Uri $interactUrl -Method Post -InFile $xmlPath -ContentType "multipart/form-data" -Headers @{'X-ApiKey'=$authtoken; }
This part of the script sets up the XML writer to generate the file, builds the and XML elements by calling the relevant functions (Write-UsersAndGroups), and finally sends the file to Interact as a POST request with the appropriate headers set.
Troubleshooting
Powershell is surprisingly good at reporting errors from the script itself, and Interact returns useful error messages if the XML is invalid so troubleshooting should be fairly straightforward - take a look at Troubleshooting XML data for more information.
Updated about 1 year ago