Okta Classic Engine · Integrations · Answered · Posted 2022-02-11, last updated 2022-02-12
I have an issue with SCIM provisioning in OKTA

We have a SCIM integration setup for provisioning users and groups from OKTA.

Scenario:

  1. User ‘user1’ is a member of group ‘group1’
  2. ‘user1’ isn’t a member of any other groups
  3. I have provisioned the group ‘group1’ through SCIM.
  4. If I remove the user ‘user1’ from group ‘group1’, Okta sends a PATCH call to the /Users endpoint to make the user ‘user1’ inactive
  5. But Okta does not send a PATCH call to the /Groups endpoint to update the membership details.


To give more context about why this might be an issue.

If I go one more step and

  1. ‘group2’ is added to the SCIM app.
  2. Add ‘user1’ to another group ‘group2’
  3. Okta sends a call to make user ‘user1’ active [/Users endpoint]
  4. Okta sends a call to add ‘user1’ to ‘group2’ [/Groups endpoint]
  5. Okta sees that the SCIM server has both ‘group1’ and ‘group2’ listed as groups for ‘user1’
  6. Okta sends a call to update ‘user1’ groups using a PUT call to the /Users endpoint
  7. The 6th step is a violation of the SCIM RFC: a change to the groups attribute should be done only via the /Groups endpoint. So the SCIM server discards the groups change sent from the /Users endpoint.
  8. [RFC 7643 - System for Cross-domain Identity Management: Core Schema - check the groups attribute description]
  9. This leads to bad data as ‘user1’ has both ‘group1’ and ‘group2’ in its groups attribute


Any reasoning behind this mechanism, as it may create discrepancies in the data in the SCIM server in future?


  • Hello,

    Thanks for posting.

    PATCH /Groups/$groupID

    PUT /Groups/$groupID

    To add or remove users inside a specific pushed Group object on the SCIM server, Okta requires the following:

    • The user must be a member of the group in Okta.
    • The user has been added under the Assignments tab of the SCIM integration inside the Okta Admin Console.
    • The group is pushed under the Push Groups tab of the SCIM integration inside the Okta Admin Console.

    If these three requirements are met, Okta sends a request to add the specified users to the Group object on the SCIM server.

    • For all new OIN app integrations, this request to update a Group object is sent through a PATCH method request.
    • For custom app integrations created using the AIW, this request to update a Group object is sent through a PUT request.

    https://developer.okta.com/docs/reference/scim/scim-20/#update-specific-group-membership

    Please review if these settings are correct on your configuration. If the issue keeps happening, I suggest you open a support case with our team using the information in the link below: https://help.okta.com/en/prod/Content/Topics/Directory/get-support.htm

    Let us know if this helps you.

    Daniela Chavarria.

    Okta Inc.
  • Hi Daniela,


    I have gone through the documents and the settings are as expected.

    Your answer points to user addition to a pushed group.


    My concern is about the user removal from a pushed group.

    1. The user is a member of the group in Okta.
    2. The user has been added under the Assignments tab of the SCIM integration inside the Okta Admin Console.
    3. The group is pushed under the Push Groups tab of the SCIM integration inside the Okta Admin Console.
    4. Now, I am removing the user from the pushed group in OKTA.


    My expectation:

    1. PATCH on group to update membership [PATCH /Groups/GroupID]


    Actual:

    1. PATCH on user to make him inactive [PATCH /Users/UserID]
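As an added illustration (not code from this thread, from Okta, or from any real SCIM server), the call sequence described in the question replayed against a minimal SCIM 2.0 server model: the User `groups` attribute is derived from Group membership and ignored on PUT /Users (RFC 7643 marks it readOnly), membership changes are applied only through PATCH /Groups (RFC 7644 PatchOp), and a small audit reports deactivated users that are still group members. The user and group ids (`u1`, `g1`, `g2`) are constructed.

```python
class ScimStore:
    def __init__(self):
        self.users = {}   # id -> {"userName": ..., "active": ...}
        self.groups = {}  # id -> {"displayName": ..., "members": [user ids]}

    def put_user(self, uid, body):
        # RFC 7643: User.groups is readOnly, so a PUT /Users must not change it.
        self.users[uid].update({k: v for k, v in body.items() if k != "groups"})

    def patch_user(self, uid, ops):
        # RFC 7644 PatchOp; only "replace" of top-level attributes is modelled.
        for op in ops:
            if op["op"] == "replace":
                self.users[uid].update(op["value"])

    def patch_group(self, gid, ops):
        # RFC 7644 PatchOp on /Groups: add members, or remove via a filter path.
        members = self.groups[gid]["members"]
        for op in ops:
            if op["op"] == "add" and op.get("path") == "members":
                for m in op["value"]:
                    if m["value"] not in members:
                        members.append(m["value"])
            elif op["op"] == "remove" and op["path"].startswith("members["):
                target = op["path"].split('"')[1]   # e.g. members[value eq "u1"]
                if target in members:
                    members.remove(target)

    def groups_of(self, uid):
        # User.groups is derived from Group.members, never stored on the user.
        return sorted(g for g, grp in self.groups.items() if uid in grp["members"])

    def stale_memberships(self):
        # Audit: deactivated users that are still members of some group.
        return {u: self.groups_of(u) for u, usr in self.users.items()
                if not usr["active"] and self.groups_of(u)}

def replay_question_scenario():
    s = ScimStore()
    s.users["u1"] = {"userName": "user1", "active": True}          # constructed ids
    s.groups["g1"] = {"displayName": "group1", "members": ["u1"]}
    # Step 4 of the question: Okta deactivates the user but never PATCHes group1.
    s.patch_user("u1", [{"op": "replace", "value": {"active": False}}])
    stale = s.stale_memberships()                                     # {'u1': ['g1']}
    # Second scenario: group2 pushed, user1 added and reactivated, then a PUT /Users
    # carrying a groups list that the server must ignore (readOnly).
    s.groups["g2"] = {"displayName": "group2", "members": []}
    s.patch_user("u1", [{"op": "replace", "value": {"active": True}}])
    s.patch_group("g2", [{"op": "add", "path": "members", "value": [{"value": "u1"}]}])
    s.put_user("u1", {"userName": "user1", "active": True, "groups": [{"value": "g2"}]})
    return stale, s.groups_of("u1")
```

Running `stale_memberships()` periodically against your own SCIM store is one way to catch the drift the question describes before it spreads, since the group1 membership is only cleaned up if something issues the missing PATCH /Groups remove.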
This question is closed.