Okta Classic Engine | Lifecycle Management | Answered | 2024-01-24T18:19:06.000Z | 2019-09-11T18:25:36.000Z | 2019-09-24T21:05:24.000Z

AndrewG.46093 (Customer) asked a question.

Automatic Deprovisioning Of SSO Users

What is the easiest way to support automated user deprovisioning as a service provider? For instance, Acme Company SSO's with SAML into our application, they add John Smith, the account is provisioned, they subsequently remove John Smith's access, and we want to be able to auto-deprovision this user in our Okta tenant. What is the easiest way to accomplish this? We currently use JIT provisioning, but that appears not to support this. I looked into SCIM, but that seems like overkill for this ostensibly simple feature.


  • brandon.wendorf1.5402508460323345E12 (AMER Customer Success - Enterprise NYC)

    Hi Andrew!

     

    Per the following documentation:

     

    https://help.okta.com/en/prod/Content/Topics/Apps/Provisioning_Deprovisioning_Overview.htm

     

    There are multiple apps that support deprovisioning, from the app to Okta, such that if a user is removed or deactivated on the app side, then the user will get deactivated on the Okta side.

     

    Please let me know if this information helps, or if you have any questions.

     

    Thank you,

    Brandon Wendorf

    Technical Support Engineer

    Selected as Best
  • AndrewG.46093 (Customer)

    Thanks for your answer, Brandon. I was not specific enough, so just to clarify for future readers: it looks like Okta does not support auto-deprovisioning with SCIM across IdPs. They do, however, support imports, so in our situation our customer would deprovision the user in question, then run an import, which would hit our SCIM server. I also figured out that SCIM is the only way to get this sort of cross-IdP user integration.

     

    Here is the example SCIM server I forked and set up with a provisioning agent and Docker, for anyone interested in firing up a quick PoC: https://github.com/quantumew/sample-node-scim-server

  • BhaskarM.18336 (Customer)

    Hi Andrew - Trying to understand your concept from an implementation perspective:

    Let's say,

    I have integrated Ping (IdP) with Okta (SP) via SAML inbound fed, leveraging JIT to create Ping users on the fly in Okta (SP) for app access.

     

    Now,

    What would be my next step(s) to ensure my SP is in sync with the IdP when Ping deactivates the users...

     

     

     

    Thank you in advance.

This question is closed.
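
The SCIM side of the flow discussed in this thread, as an added example (not code from any poster or from the linked sample-node-scim-server repository): the core of a service provider's handler for a SCIM deactivation, plus the user list an import run would read. Message shapes follow RFC 7644; the function names, the in-memory stores and the session-revocation step are assumptions made for illustration.

```javascript
// Added example; applyPatch, deprovision and listResponse are hypothetical names.
const PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp";
const LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse";

// Some clients send booleans as strings; accept both.
const toBool = (v) => (typeof v === "string" ? v.toLowerCase() === "true" : Boolean(v));

// Apply the subset of RFC 7644 PatchOp needed for (de)activation.
function applyPatch(user, body) {
  if (!body || !Array.isArray(body.schemas) || !body.schemas.includes(PATCH_SCHEMA) ||
      !Array.isArray(body.Operations)) {
    throw new Error("invalidSyntax");
  }
  const next = { ...user };
  for (const op of body.Operations) {
    if (String(op.op).toLowerCase() !== "replace") continue; // only "replace" is handled here
    if (op.path === "active") next.active = toBool(op.value);
    else if (!op.path && op.value && typeof op.value === "object" && "active" in op.value) {
      next.active = toBool(op.value.active);
    }
  }
  return next;
}

// Core of PATCH /Users/:id: persist the change and, on active true -> false,
// drop every live session so an existing login cannot outlast the IdP's decision.
function deprovision(users, sessions, id, body) {
  const current = users.get(id);
  if (!current) return { status: 404 };
  const updated = applyPatch(current, body);
  users.set(id, updated);
  let revoked = 0;
  if (current.active && !updated.active) {
    for (const [token, userId] of sessions) {
      if (userId === id) { sessions.delete(token); revoked++; }
    }
  }
  return { status: 200, user: updated, revoked };
}

// Body of GET /Users: what an import run reads to reconcile account state.
function listResponse(users) {
  const Resources = [...users.values()].map(({ id, userName, active }) => ({ id, userName, active }));
  return { schemas: [LIST_SCHEMA], totalResults: Resources.length, Resources };
}

// Constructed sample data: one active user with two live sessions.
const users = new Map([["u1", { id: "u1", userName: "john.smith@acme.example", active: true }]]);
const sessions = new Map([["tok-a", "u1"], ["tok-b", "u1"], ["tok-c", "u2"]]);
const result = deprovision(users, sessions, "u1",
  { schemas: [PATCH_SCHEMA], Operations: [{ op: "replace", value: { active: false } }] });
console.log(result.revoked, sessions.size, listResponse(users).Resources[0].active);
```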