0D54z00009LgO5NCAV | Okta Classic Engine | Administration | Answered | 2024-04-16T11:01:40.000Z | 2023-06-19T14:32:38.000Z | 2023-06-21T00:25:31.000Z

ah9zt (ah9zt) asked a question.

SCIM question - Can't push users from Okta to downstream service

Hi all,

 

My SCIM service passes the RunScope test suite, and I can successfully Import Users. But when I assign an Okta user to my SAML app, I get the following error indicator in the list of assigned users ...

 

"Automatic provisioning of user XXXXXX to app Sample SCIM App failed: Error while verifying if user xxx@xxx.com exists: Property id was not found in schema"

 

I xxx'd out the name + email but you get the idea. I get this error for any user I try and assign to the app. Also, it does not appear that my SCIM app is being accessed -- it doesn't look like Okta is hitting any of the endpoints. I'm guessing there's a configuration/admin detail that I have missed in setting up the app but I'm stuck figuring out what that might be. Any thoughts?

 

Thanks!


  • Paul S. (Okta, Inc.)

    Hello @ah9zt (ah9zt), thank you for reaching out to our Community!

     

    If the import is working, that means that the SCIM configuration partially works. The problem might be that the might not be mapped to be sent through SCIM.

    I would also recommend reviewing the System log, which might have additional information on why the provisioning failed.

    Please also see:

    https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SCIM.htm

     

    • ah9zt (ah9zt)

      Hi Paul,

       

      Thanks very much for your response. Your suggestion, i.e. "the problem might be that the might not be mapped to be sent through SCIM", sounds roughly like what I suspect the problem is. Unfortunately I'm not sure of specifically what that means, how I'd check if I am missing a mapping, or how I would remedy the situation. (Also it appears your sentence might be missing a word, so I'm afraid I'm even further unsure what it means.)

       

      Re your suggestion to check out the Logs, I meant to include this excerpt from the log in my initial question.

       

      ```

      ```

       

      I don't see any corresponding activity in my Web app, so I suspect Okta's failing before it hits the Web app.

       

      Having checked the logs, and looked in the Admin console for mapping issue cues to no avail, do you have any specific ideas on next steps?

       

      Thanks!

      Chris

      • Paul S. (Okta, Inc.)

        From that log it seems we check to see if the user exists, which we are unable to do. Make sure the username assigned in Okta matches the one in the application.

        Also make sure that Create and Update user options are enabled on the Provisioning side.

        I also found this question that may provide some additional info:

        https://support.okta.com/help/s/question/0D54z00007rF3Y8CAK/error-while-verifying-if-user-exists-property-id-was-not-found-in-schema?language=en_US

      • ah9zt (ah9zt)

        This is on an attempt to add a new Okta user to the application, so I would not expect the user to be in the application. Also, Okta is not attempting to hit the SCIM app at all.

         

        This is very different from, for example, an attempt to modify an existing user, who was successfully imported into Okta via the SCIM app. When I modify that user, I do indeed see a `GET /Users/:id` request made by Okta, followed by a `PUT /Users/:id` request with JSON payload of modified user info. That appears to be working fine as well.

         

        The problem really looks like an issue in my Okta setup, that has nothing to do with my SCIM app. But I can't find any further information on how to troubleshoot this.

         

        Do you have any recommendations on next steps?

         

        (Also, thank you for the link to the other user's question ... unfortunately I had already read that, and the response to the poster did not contain any useful information I'm afraid.)

         

        Thank you,

        Chris

      • Paul S. (Okta, Inc.)

        A closer review of the setup needs to be done; I would recommend opening a case with Support and doing additional troubleshooting.

      • ah9zt (ah9zt)

        Sounds good. By the way I think I am now very close. If I select my Application in the Okta Admin console, and I go to Provisioning | Integration, the value I'd set for "Unique identifier field for users" was "id". This was perfectly valid, as it's part of the SCIM spec. But as a wild guess, I changed it from "id" to "email", and now suddenly Okta is successfully hitting my endpoint with the JSON payload for the new user.

         

        I'm not 100% comfortable with the wild guess of switching from 'id' to 'email' -- I'd feel better knowing why this worked. If you happen to know, that'd be great, and if it's better to open a case with Support, I can give that a try.

         

        Thanks for all your help thus far!

         

        C

        Selected as Best
This question is closed.
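
The existence check mentioned in the thread and the create that follows it, seen from the SCIM server's side, as an added example (not code from the thread or from Okta). It assumes the check arrives as a `GET /Users?filter=<field> eq "<value>"` query ahead of `POST /Users`; the function names, the in-memory store and the flat `email` attribute are hypothetical.

```python
import re
import uuid

LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
# Attributes accepted as a lookup key (an assumption of this sketch).
FILTERABLE = {"id", "userName", "email"}
# Accept only the single form: <attribute> eq "<value>"
FILTER_RE = re.compile(r'^\s*(\w+)\s+eq\s+"([^"\\]*)"\s*$', re.IGNORECASE)


def scim_error(status, detail, scim_type):
    return status, {"schemas": [ERROR], "status": str(status),
                    "scimType": scim_type, "detail": detail}


def matches(store, attr, value):
    # Case-insensitive comparison on a flat attribute.
    return [u for u in store.values()
            if str(u.get(attr, "")).lower() == value.lower()]


def find_users(store, filter_expr):
    """GET /Users?filter=... : the existence check made before a create."""
    m = FILTER_RE.match(filter_expr or "")
    if not m or m.group(1) not in FILTERABLE:
        # Reject anything unparsed instead of falling back to "return all".
        return scim_error(400, "unsupported filter", "invalidFilter")
    hits = matches(store, m.group(1), m.group(2))
    return 200, {"schemas": [LIST], "totalResults": len(hits),
                 "startIndex": 1, "itemsPerPage": len(hits), "Resources": hits}


def create_user(store, payload):
    """POST /Users : the server assigns id; the client never supplies it."""
    name = payload.get("userName")
    if not isinstance(name, str) or not name:
        return scim_error(400, "userName is required", "invalidValue")
    if matches(store, "userName", name):
        return scim_error(409, "userName already exists", "uniqueness")
    user = {**payload, "id": uuid.uuid4().hex}
    store[user["id"]] = user
    return 201, user


if __name__ == "__main__":
    store = {}  # constructed in-memory store
    print(find_users(store, 'userName eq "new.user@example.com"'))
    print(create_user(store, {"userName": "new.user@example.com"}))
```

A lookup for a user that has not been created yet returns an empty ListResponse with status 200, and any `id` sent by the client is overwritten with the server-generated one.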