When using Push Groups, the following error is received:
Changes to the Group push mapping for the group <group> could not take effect due to error: Error while updating user group membership for group <group>: Read timed out
Please make sure all the listed Push Group troubleshooting steps have been tried to resolve the issue before continuing.
- Push Group
- SCIM Provisioning with any application (In this example, Workiva)
- Service Provider SCIM API
This assumes all the common Push Group troubleshooting steps have been attempted, and the issue persists.
Group Push/Update Group Membership/Read Time Out errors are normally thrown when Okta fails to complete the update group membership request API call within the allowed time for the push group mapping event.
Some common root causes are listed below:
- The linked target group does not exist or cannot be found in the Service Provider application platform.
- The linked target group was found, but some group membership updates cannot be completed due to an SP error or data restriction.
- The linked target group was found, but it took far too long to complete all the required group membership updates due to the large group membership count in the target/source group.
- The linked target group membership was modified manually after the group push mapping was configured, which is not allowed as Okta will be the source of truth once group push mapping is set up.
The error is thrown because Okta does not receive confirmation from the external application's remote API server that the group membership update request completed. To identify the actual root cause of the push group mapping failure, it is recommended to reach out to the Service Provider (SP)'s Application Support team. Ask them to pull the SP SCIM remote API server's audit log history for the time of the Okta push group membership update failure, matching on timestamp, to identify:
- Does the target linked group exist in the external SP application?
- Exactly which group membership update event (username/email, and whether it was an add or delete event) failed and caused the 'Read Time Out' on the Okta side?
- Once the problematic group membership update is identified via the SP product log check, consult the SP vendor team about what may be causing those group membership update errors. Then apply the fix as necessary so that, when the Okta Push Group Mapping is retried, all group membership updates complete successfully in the SP target group.
- NOTE: It's not uncommon for there to be multiple problematic group membership updates, so repeat this SP log check process until the push group mapping is confirmed to complete successfully without any error.
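One way to do the timestamp matching described above, as an added example that is not Okta's or any SP vendor's code. It assumes a SCIM 2.0 integration where membership changes arrive as PatchOp requests, and the JSON-lines log layout, field names and sample records are constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed SP-side SCIM request log (JSON lines); the field names are assumptions.
SP_LOG = """\
{"ts":"2024-05-01T10:00:05+00:00","method":"PATCH","path":"/scim/v2/Groups/g-100","status":204,"duration_ms":850,"body":{"Operations":[{"op":"add","path":"members","value":[{"value":"u-1","display":"alice@example.com"}]}]}}
{"ts":"2024-05-01T10:00:40+00:00","method":"PATCH","path":"/scim/v2/Groups/g-100","status":400,"duration_ms":120,"body":{"Operations":[{"op":"add","path":"members","value":[{"value":"u-2","display":"bob@example.com"}]}]}}
{"ts":"2024-05-01T10:01:10+00:00","method":"PATCH","path":"/scim/v2/Groups/g-100","status":204,"duration_ms":61000,"body":{"Operations":[{"op":"remove","path":"members[value eq \\"u-3\\"]"}]}}
{"ts":"2024-05-01T10:01:15+00:00","method":"GET","path":"/scim/v2/Groups/g-999","status":404,"duration_ms":30,"body":null}
{"ts":"2024-05-01T14:30:00+00:00","method":"PATCH","path":"/scim/v2/Groups/g-100","status":500,"duration_ms":90,"body":{"Operations":[{"op":"add","path":"members","value":[{"value":"u-4","display":"carol@example.com"}]}]}}
"""

GROUP_PATH = re.compile(r"/Groups/([^/?]+)")
FILTER_MEMBER = re.compile(r'members\[value eq "([^"]+)"\]')

def member_changes(body):
    """Yield (op, member) pairs from a SCIM PatchOp body (RFC 7644 section 3.5.2)."""
    for op in (body or {}).get("Operations", []):
        name = op.get("op", "").lower()
        match = FILTER_MEMBER.search(op.get("path", ""))
        if match:  # a remove expressed as a filter on the path
            yield name, match.group(1)
        for item in op.get("value") or []:
            yield name, item.get("display") or item.get("value")

def suspect_updates(log_text, okta_error_ts, window_s=120, slow_ms=30000):
    """Return failed or slow /Groups requests within window_s of the Okta error."""
    error_at = datetime.fromisoformat(okta_error_ts)
    window = timedelta(seconds=window_s)
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        group = GROUP_PATH.search(rec["path"])
        if not group or abs(datetime.fromisoformat(rec["ts"]) - error_at) > window:
            continue
        if rec["status"] < 400 and rec["duration_ms"] < slow_ms:
            continue  # completed normally and quickly, so not a suspect
        changes = list(member_changes(rec["body"])) or [(rec["method"], None)]
        for op, member in changes:
            hits.append((rec["ts"], group.group(1), op, member, rec["status"], rec["duration_ms"]))
    return hits

if __name__ == "__main__":
    # Timestamp as copied from the Okta System Log entry for the failed push (constructed here).
    for hit in suspect_updates(SP_LOG, "2024-05-01T10:01:30+00:00"):
        print(hit)
```

Each returned tuple answers the questions in the list above: a 404 on a `/Groups/<id>` lookup points to a missing target group, while a failed or slow PATCH names the member and whether the change was an add or a remove.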
