Okta Group Push Fails to Sync Memberships to Cisco Secure Access via Custom SCIM 2.0 Integration
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

When using a custom Security Assertion Markup Language (SAML) 2.0 + System for Cross-domain Identity Management (SCIM) 2.0 application created via the Okta App Integration Wizard (AIW), Group Push successfully creates the group in Cisco Secure Access, but fails to populate any user memberships.

  • The Okta System Logs report a "SUCCESS" result for the Group Push.
  • Cisco SCIM API returns a "200 OK", but the response shows "returned 0 members".
  • Users are already correctly provisioned/assigned to the application in Okta.
Applies To
  • Cisco Secure Access / Cisco Umbrella
  • Custom SCIM 2.0 (Header Auth) Integrations
  • Okta App Integration Wizard (AIW)
  • System for Cross-domain Identity Management (SCIM)
  • Group Push
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Cause

This issue is caused by a SCIM protocol mismatch for the Group Update method.

The custom SCIM connector generated by the Okta App Integration Wizard defaults to using the PUT method for Group Push operations. A PUT request attempts to replace the entire group object. However, Cisco Secure Access strictly requires the PATCH method (Add/Remove) to successfully process group membership updates.

Because the PUT request is syntactically correct, the Cisco API accepts the call (resulting in the "SUCCESS" log in Okta), but it silently ignores the membership array within the payload.

Solution

Since the general SCIM template in the App Integration Wizard does not provide a UI toggle to switch from PUT to PATCH, the integration must be moved to a template that supports PATCH: the "SCIM 2.0 Test App" template.

  1. In the Okta Admin Console, go to Applications > Applications > Browse App Catalog.
  2. Search for and add "SCIM 2.0 Test App (Header Auth)".
  3. In the Provisioning tab, enter the same SCIM Base URL and API Token used in the previous custom app.
  4. Navigate to the Push Groups tab and link the desired Okta groups.
  5. This template natively uses the PATCH method, so memberships sync as soon as the groups are linked.
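As an added illustration (not code from the article, Okta or Cisco), the following contrasts the full-replacement PUT body the AIW connector sends with an RFC 7644 PatchOp body, and adds a check for the symptom described above: a 200 OK whose group representation is missing the members Okta intended to push. It assumes a generic RFC 7644-compliant SCIM 2.0 target; the exact member-patch syntax Cisco Secure Access accepts is not stated on the page.

```python
import json

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


def build_member_put(group_id, display_name, member_ids):
    """Full-object replacement body (the shape a PUT-based group push sends).
    A target that only honours PATCH for membership may accept this and
    silently drop the 'members' array."""
    return {"schemas": [GROUP_SCHEMA], "id": group_id,
            "displayName": display_name,
            "members": [{"value": uid} for uid in member_ids]}


def build_member_patch(add_ids, remove_ids=()):
    """RFC 7644 PatchOp body that adds and/or removes group members.
    Hypothetical helper: shows the PATCH shape, not Okta's internal connector."""
    ops = []
    if add_ids:
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": uid} for uid in add_ids]})
    for uid in remove_ids:
        # RFC 7644 removes a single member via a filtered path expression
        ops.append({"op": "remove", "path": f'members[value eq "{uid}"]'})
    return {"schemas": [PATCH_OP_SCHEMA], "Operations": ops}


def missing_members(expected_ids, group_response):
    """Post-push verification: compare the members Okta meant to push with the
    group the SCIM target returns (e.g. from GET /Groups/{id}). A 200 OK that
    still leaves entries here is the silent-drop case, not a success."""
    got = {m.get("value") for m in group_response.get("members", [])}
    return sorted(set(expected_ids) - got)


# Constructed sample response: 200 OK, group exists, but zero members echoed back
SAMPLE_200_RESPONSE = {"schemas": [GROUP_SCHEMA], "id": "g-123",
                       "displayName": "Finance", "members": []}

if __name__ == "__main__":
    wanted = ["u-001", "u-002"]
    print(json.dumps(build_member_put("g-123", "Finance", wanted), indent=2))
    print(json.dumps(build_member_patch(wanted, ["u-009"]), indent=2))
    print("not synced:", missing_members(wanted, SAMPLE_200_RESPONSE))
```

Running `missing_members` against the real group fetched from the target after each push turns the misleading "SUCCESS" log into a concrete membership diff.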
