This article discusses the role of the external ID for System for Cross-domain Identity Management (SCIM)-capable applications.
- External ID
- Provisioning
Please refer to the Service Provider (SP) documentation regarding CRUD (Create, Read, Update, and Deactivation) for their API.
Some things to be aware of:
- Provisioning must have been enabled before the end users were assigned to the Okta application for them to receive an External ID.
- If there is no External ID in the end user profile for the app instance (for example, the Office 365 app instance), Admins will not be able to provision downstream, even if they check or uncheck the provisioning options.
- Users need to have an External ID in the end user profile for the app instance for provisioning to work downstream. Every app that has provisioning enabled will have a unique External ID once the end user is added to the app instance.
The external ID might differ if the provisioning flow was done multiple times for the same user, to the same app, with the same username. Possible reasons why the external ID might be different for the same user are listed below:
- If the previous user account was completely deleted on the application side.
- The application provisioning API always uses a new external ID during provisioning. By design, it cannot use the previous external ID.
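
The points above can be checked against exported assignment data. The following is an added example, not Okta's or any Service Provider's code: it compares two snapshots of one app instance's user assignments and reports users with no External ID (who cannot be provisioned downstream), users whose External ID changed between snapshots, and External IDs shared by more than one user. The record layout and the field names `userName` and `externalId` are assumptions, and the sample data is constructed.

```python
def audit_external_ids(previous, current):
    """Compare two snapshots of app-user assignments for one app instance.

    Each record is a dict with the assumed keys "userName" and "externalId".
    Returns:
      missing   - assigned users with no External ID (no downstream provisioning)
      changed   - (user, old_id, new_id) where the External ID differs from before
      duplicate - External IDs that appear on more than one user
    """
    prev_ids = {u["userName"].lower(): u.get("externalId") for u in previous}
    missing, changed, seen = [], [], {}
    for user in current:
        name = user["userName"].lower()
        ext = (user.get("externalId") or "").strip()
        if not ext:
            # Typical cause per the article: assigned before provisioning was enabled.
            missing.append(name)
            continue
        seen.setdefault(ext, []).append(name)
        old = prev_ids.get(name)
        if old and old != ext:
            # Typical causes per the article: the account was deleted on the app
            # side, or the app's API issues a new ID on every provisioning run.
            changed.append((name, old, ext))
    duplicate = {e: sorted(n) for e, n in seen.items() if len(n) > 1}
    return {"missing": sorted(missing), "changed": sorted(changed),
            "duplicate": duplicate}


# Constructed sample snapshots (not real users or real External IDs).
PREVIOUS = [
    {"userName": "alice@example.com", "externalId": "ext-1001"},
    {"userName": "bob@example.com", "externalId": "ext-1002"},
]
CURRENT = [
    {"userName": "alice@example.com", "externalId": "ext-1001"},
    {"userName": "bob@example.com", "externalId": "ext-2077"},   # re-provisioned
    {"userName": "carol@example.com", "externalId": None},       # never provisioned
    {"userName": "dave@example.com", "externalId": ""},
]

if __name__ == "__main__":
    report = audit_external_ids(PREVIOUS, CURRENT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A changed External ID is worth following up on the application side, since the account that held the previous ID may still exist there and no longer be tied to the assignment.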
