<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z00007ZwTfPCAVOkta Classic EngineSingle Sign-OnAnswered2024-04-16T13:25:57.000Z2022-04-12T07:38:27.000Z2022-04-14T04:21:37.000Z

7dn1i (7dn1i) asked a question.

April 12, 2022 at 7:38 AM
Is this a bug or expected behaviour for import users function?!?

Hi all,

For background, we have an app that we configured for SSO, and assigned to All Users. We then configured provisioning, which produced errors against each user (this user was added before provisioning was configured, etc). This may or may not have affected anything, but mentioning it just in case.

 

Here's where things went really bad:

  1. Clicked on Import tab
  2. Saw there 0 imported users need review, X number of imported users confirmed
  3. Clicked on Import Now button
  4. Got a message saying "2X users affected, X users removed, X users updated" or similar (didn't take a copy of this)
  5. Saw in Assignments -> People that it was EMPTY!
  6. Saw in Assignments -> Groups that the Everyone group was still there
  7. Testing confirmed that users were NOT able to sign in to the application
  8. Confirmed that (thankfully) users were not deactivated in the app (even though we set "Deactivates a user's app account when it is unassigned in Okta")

 

How I had to resolve this (while trying to not screw everyone over):

  1. Turn off deactivation option in Provisioning
  2. Remove the Everyone group
  3. Re-add the Everyone group

 

This was obviously a serious outcome, especially since it was for an app everyone uses. Is the "import users" function removing all assigned users a bug? Or is it expected behaviour (and if so it should have a pretty massive warning in front of it)?

  • 2 answers
  • 597 views

  • flaviu.vrinceanu1.5628408972654734E12 (Customer Success Service Delivery)

    Hi @7dn1i (7dn1i)​,

     

    Thank you for posting on the Okta community page!

     

    Based on the details provided, this most probably happened because the users were assigned to the application before provisioning was enabled.

     

    To answer your inquiry, imports will remove users assigned to the app in Okta if the data brought is not aligning with the assignments, therefore this would be expected. In your case, this most probably happened because the users accounts did not have a complete sync between Okta and the app in question since they were assigned prior to provisioning being enabled. That is why, it is recommended to re-assign the accounts to the app in Okta after provisioning is turned on.

     

    I hope the above information is helpful!

     

    Expand Post

  • 7dn1i (7dn1i)

    Hi Flaviu, thanks for your response.

    Ideally, if disruptive outcomes are expected, there should be a warning to acknowledge this (similar to the warning that appears when you untick "don't import groups"). Can I request this anywhere?

    Apart from your response, is the recommendation to re-assign the accounts to the app documented somewhere?

    Expand Post
This question is closed.
Loading
Is this a bug or expected behaviour for import users function?!?