This message was deleted.

it at least works with okta. we use it to pull okta groups into rancher. after adding okta integration, our okta groups were available from the drop-down on the "Cluster Member: Add" page of the rancher ui. we did this a few years ago, and iirc, there was some wonkiness like the user adding the cluster member had to be part of the okta group he/she wanted to add for rancher to be able to query okta for that group. hopefully, the process has been improved since then.

I find myself in a this situation, where the user who is adding a cluster member is also a member of the group that I want to add

ah. no i don't think we have that ability. your use case may be different from ours, but we just add entire okta groups as cluster members then assign them to namespaces, etc. when a user on one of the allowed groups logs into rancher, they login as themselves and rancher and okta figure out what group they belong to and if that group is a cluster member. if so, they can log into the console.

Based on previous information shared, it seems that Rancher may only import the groups from the external identity provider that corresponds to the user who made the integration. This means that any new groups that are created within the external identity provider and not associated with the user who made the integration may not be visible in Rancher

interesting. that's not the case from our experience. i wasn't the one who initially set up the okta integartion, but i'm fairly certain he wasn't a member of all the groups we've added to rancher at the time or any of the new groups we've added that didn't exist at the time. in the handful of instances i had to add new groups to rancher myself, i would first have to add myself to the okta group (until i added the group to rancher). i did have to make sure to log out of rancher and log back in so rancher could re-query okta and see my new group membership.