Lorena Racic

Cannot create a user in downstream app using SCIM provisioning

Hi there,
I am building a custom App to which I would like to provision users from Okta using SCIM 2.0. The idea would be to create a new user in my App when a user gets provisioned, so I enabled user creation on my App's provisioning page.

A weird thing happens when I try to provision a user - it appears to go through successfully, but when I navigate to a user the application is not assigned. The user indeed gets created on the App side and Okta receives a matching SCIM user model and a 201 (resource created) status (as mentioned, the operation goes through successfully), but no visible link to it actually exists.

Based on the logging on the App side I've narrowed down the problem to the Entitlements mapping issue.

My App does not have a mapping set for the Entitlements field, as it currently isn't mapped to anything in the App, so the model returned to Okta when a user is created is an empty array. Example of the JSON response returned to Okta:

{
  "Schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "UserName": "username@email",
  "Name": {
    "Formatted": null,
    "FamilyName": "Family Name",
    "GivenName": "Given Name",
    "MiddleName": null,
    "HonorificPrefix": null,
    "HonorificSuffix": null
  },
  "DisplayName": null,
  "NickName": null,
  "ProfileUrl": null,
  "Title": null,
  "UserType": null,
  "PreferredLanguage": null,
  "Locale": null,
  "Timezone": null,
  "Active": false,
  "Password": null,
  "Emails": [
    {
      "Type": null,
      "Primary": false,
      "Value": "username@email",
      "Display": null,
      "$ref": null
    }
  ],
  "Photos": [],
  "Entitlements": [],
  "Groups": [
    {
      "Type": null,
      "Primary": false,
      "Value": null,
      "Display": "General",
      "$ref": null
    }
  ],
  "Roles": [],
  "Id": "32",
  "ExternalId": null,
  "Meta": {
    "ResourceType": "User",
    "Created": "2017-12-20T00:10:27Z",
    "LastModified": null,
    "Location": null,
    "Version": null
  }
}

If I change the Entitlements to return null rather than an empty array [], I get an error in provisioning:
Error setting property, appUser=0uadc2mjspgzjD2oP0h7 property=entitlements error=[Error in object 'appUser': codes [InvalidValueTypeForProperty.appUser,InvalidValueTypeForProperty]; arguments [entitlements]: default message [Invalid value data type]

Can anybody see what I am doing wrong, or has anybody encountered a similar error?

Thank you.

Lorena Racic
The very same happens if I remove the entitlements attribute from the App's profile editor: the user is created in the App but does not get assigned to the App in Okta.
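
Added example, not part of the thread and not the poster's or Okta's code: a small Python linter that checks a SCIM User response body against the attribute names and multi-valued types in RFC 7643 before it is returned to the provisioning client. It does not establish the cause of the missing assignment; `lint_scim_user` is a hypothetical name and the sample body is constructed, modelled on the response in the post with Entitlements set to null.

```python
import json

# Top-level User attribute names as spelled in RFC 7643 (sections 3.1 and 4.1).
SINGLE = {"schemas", "id", "externalId", "meta", "userName", "name",
          "displayName", "nickName", "profileUrl", "title", "userType",
          "preferredLanguage", "locale", "timezone", "active", "password"}
MULTI = {"emails", "phoneNumbers", "ims", "photos", "addresses", "groups",
         "entitlements", "roles", "x509Certificates"}
CANONICAL = {n.lower(): n for n in SINGLE | MULTI}


def lint_scim_user(body):
    """Return a list of findings for one SCIM User response body."""
    findings = []
    for key, value in body.items():
        name = CANONICAL.get(key.lower())
        if name is None:
            continue  # extension or unknown attribute: not checked here
        if key != name:
            # RFC 7643 calls names case-insensitive; that a given client
            # matches them strictly is an assumption to verify.
            findings.append(f"{key}: RFC 7643 spells this '{name}'")
        if name not in MULTI:
            continue
        if not isinstance(value, list):
            findings.append(f"{key}: multi-valued attribute is "
                            f"{type(value).__name__}, not an array")
            continue
        for i, item in enumerate(value):
            sub = ({k.lower(): v for k, v in item.items()}
                   if isinstance(item, dict) else {})
            if sub.get("value") is None:
                findings.append(f"{key}[{i}]: entry has no 'value'")
    return findings


# Constructed sample, trimmed from the shape of the response in the post.
SAMPLE = json.loads("""{
  "Schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "UserName": "username@email",
  "Emails": [{"Primary": false, "Value": "username@email"}],
  "Entitlements": null,
  "Groups": [{"Value": null, "Display": "General"}],
  "Id": "32"
}""")

if __name__ == "__main__":
    print("\n".join(lint_scim_user(SAMPLE)))
```

Running it on the sample reports the null Entitlements value, the Groups entry without a value, and each attribute name whose casing differs from the RFC spelling.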