Okta Classic Engine | Integrations | Answered | 2024-03-05T10:52:37.000Z | 2024-03-07T15:57:36.000Z
Disable Sync Password not working as expected in "SCIM 2.0 Test App (OAuth Bearer Token)" integration

Hello,

 

I am testing a SCIM provisioning from Okta to a SCIM API using a "SCIM 2.0 Test App (OAuth Bearer Token)" integration from the App Catalog. I have configured the authentication, mappings, etc, and the requests are being received by the API. The password sync is turned off in the provisioning settings:

[Image]

 

However, we have a validation in our API to prevent setting up users' passwords via SCIM, and I am getting errors in the provisioning because Okta sends a random password every time we retry the synchronization of the users. I have added some more details to the error thrown by the API to confirm this is the case.

 

First attempt:

 

[Image]

 

Second attempt, where the password generated is different:

[Image]

 

I have also tried overwriting the password mapping with a static null value and also trying to configure the password sync with the password set up in Okta instead of a random one (just for testing), without any luck in either of the options. Do you know if there is any additional step I am missing? It looks like the configuration is not being applied correctly. I expected that with the sync password option set to false, the password property shouldn't be sent at all, or if sent, it should be set as null or empty string.

 

Thanks in advance,

Alejandro.


  • Mihai N. (Okta, Inc.)

    Hi @User16603129806742895448 (Customer), thank you for reaching out to the Okta Community!

     

    I did some research and found similar reports in the past. It all boils down to the following: 

     

    https://developer.okta.com/docs/reference/scim/scim-20/

     

    Note: Okta sends the password parameter in a create user request, even if password sync isn't enabled. This parameter acts as a placeholder for legacy provisioning platforms and its value isn't relevant or sensitive in nature.

     

    Unfortunately, there is no way around this currently. It’s a product limitation.  

    There was a Feature Enhancement request for this a while back but it did not get enough traction to be implemented.  

    You can suggest this again, hopefully it gets more traction this time. On the Okta Community page, go to the Community Ideas tab. Features suggested in our community are reviewed and can be voted and commented on by other members. High popularity will increase the likelihood of it being picked up by the Product Team and it being implemented. 

    More details here.

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    Selected as Best
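
One way for the receiving SCIM API to cope with the behaviour quoted from the Okta documentation, as an added example that is not part of the original thread and not Okta's code: discard the placeholder `password` on create instead of rejecting the request, and keep refusing password changes on PATCH (the PATCH check goes beyond what the thread covers). The names `sanitize_create`, `check_patch` and `ScimError` are hypothetical, and the sample payload is constructed.

```python
import copy

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


class ScimError(Exception):
    """Carries the HTTP status and SCIM scimType for an error response."""
    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status, self.scim_type, self.detail = status, scim_type, detail


def _has_password(obj):
    # SCIM attribute names are case-insensitive (RFC 7643, section 2.1).
    return isinstance(obj, dict) and any(k.lower() == "password" for k in obj)


def sanitize_create(body):
    """POST /Users: drop the placeholder password instead of rejecting it."""
    if USER_SCHEMA not in body.get("schemas", []):
        raise ScimError(400, "invalidSyntax", "core User schema missing")
    user = copy.deepcopy(body)  # leave the caller's request body untouched
    dropped = [k for k in user if k.lower() == "password"]
    for key in dropped:
        del user[key]  # the value is never stored and never logged
    return user, bool(dropped)


def check_patch(body):
    """PATCH /Users/{id}: password changes outside of create stay refused."""
    for op in body.get("Operations", []):
        path = str(op.get("path", "")).lower()
        if path == "password" or _has_password(op.get("value")):
            raise ScimError(400, "mutability", "password cannot be set via SCIM")
    return body


# Constructed sample of a create request that carries a password attribute.
SAMPLE_CREATE = {
    "schemas": [USER_SCHEMA],
    "userName": "test.user@example.com",
    "name": {"givenName": "Test", "familyName": "User"},
    "emails": [{"primary": True, "value": "test.user@example.com", "type": "work"}],
    "password": "constructed-placeholder",
    "active": True,
}

if __name__ == "__main__":
    print(sanitize_create(SAMPLE_CREATE))
```
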
  • Thanks a lot for your reply Mihai, that explains perfectly why I couldn't get it to work.

    Regarding the case in the Ideas dashboard, I am getting a 403 when trying to go to that link. I have found this other one, from 4 years ago: Request | Feedback (okta.com), but I can't vote because it is already closed.

  • Mihai N. (Okta, Inc.)

    I took a look at the back-end settings for that request. You should now be able to access that page. Please try again.

This question is closed.