
User16932634548646103204 (Customer) asked a question.
I'm currently implementing SCIM provisioning on a SAML app and having issues de-provisioning groups managed via Terraform.
(UPDATE: issue seems related to volume of changes around the group deletion, rather than specific to Terraform. Terraform just lets us make enough changes to trigger the behaviour. See update below.)
TLDR:
Instead of issuing a SCIM DELETE request for the de-provisioned group, Okta is issuing a bunch of GET/PUT requests on the target group as the group members are deleted, but never actually issues the SCIM DELETE request on that group. It also leaves behind an APP_GROUP that I can't delete in the Okta UI.
Deleting the group via the Okta Console or groups REST API behaves as expected.
Detail:
- The App is an Okta SAML app with SCIM provisioning enabled
- Push New Users, Push Profile Updates & Push Groups are all enabled
- Groups are created via Terraform with the name group-nr-x, where x is an index number
- Groups are added to the App's PushGroups via a rule (i.e. anything starting with group-nr-)
- Group members are added via Terraform provider okta_group_memberships resources
- None of the group-nr-x groups are used to assign the app to users
When I apply a terraform change that deletes a group I see:
- Terraform explicitly deleting each member from the group via the REST API
- Each deleted membership is reflected in the Okta log by a pair of events showing a successful group.user_membership.remove and subsequent successful application.provision.group_push.push_memberships targeting the appropriate apps
- A flurry of SCIM GET/PUT requests on the downstream group. The PUT requests remove members from the downstream list, but they never seem to get all the way to 0. All of the downstream reconciliation succeeds, and the internal state of the downstream application matches the Group resource supplied by the PUT request.
- The Group resource returned by the downstream SCIM service to both the PUT and subsequent GET requests is identical to the PUT request body until the next PUT (Note: the member list ordering may be different, but the list content is the same).
- I don't see any SCIM PATCH requests at all.
- Once Terraform has issued requests to delete all of the group members, it explicitly deletes the target Okta group
- The target group deletion is reflected in the Okta log with successful application.provision.group_push.delete_appgroup, group.lifecycle.delete and application.provision.group_push.updated events
- No SCIM DELETE request is ever issued on the downstream app
- Because no DELETE request is ever issued, the downstream application is left in an invalid state.
A non-editable group with the same name as the target group is also left behind in the Okta UI. I cannot edit or delete it through the UI and have had to use the REST API to delete it. This group's ID appears nowhere that I can see in the Okta log as an event target, and shows up as an APP_GROUP when queried through the Okta Groups REST API. NOTE THAT the ID of this leftover group is not the same as the AppGroup mentioned in any of the log events.
As stated before, when I delete a group via the Okta console or via the REST API (i.e. with a DELETE group, without any of the membership preamble), this all works as expected.
Does anyone have any idea about what I'm doing wrong here?
cheers,
Trent

Update: We've been able to replicate this behaviour without Terraform involved by rapidly adding members to and removing members from groups via the console before deleting the group, so whatever is happening appears related to the rate and number of changes happening around the time of the group deletion.
It seems that Terraform merely allowed us to make enough changes rapidly to trigger the behaviour, rather than being a Terraform provider issue in itself.
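The sequence above (membership PUTs that never reach zero members, GETs that echo the last PUT body, and no DELETE for the group) is something the owner of the downstream SCIM service can check for from their own request log. The following is an added example, not code from the original post or from Okta: it parses a constructed JSON-lines request log (the log format, the `/scim/v2/Groups/<id>` paths, the `g-nr-*` group IDs and the `u*` member IDs are all assumptions for illustration), compares PUT bodies with subsequent GET responses as member sets so that ordering differences are ignored, and reports groups that never received a SCIM DELETE even though the corresponding Okta group no longer exists.

```python
"""Audit a downstream SCIM server's request log for groups that were
de-provisioned in Okta without a SCIM DELETE ever reaching the server.

Added example, not part of the original post. The log format, paths,
group IDs and member IDs below are constructed; adapt parse_log() to
whatever your SCIM service actually records.
"""
import json
from collections import defaultdict

# Constructed sample log: one JSON object per line. "body" holds the
# request body for PUT and the response body for GET.
SCIM_LOG = r"""
{"method": "PUT", "path": "/scim/v2/Groups/g-nr-1", "body": {"displayName": "group-nr-1", "members": [{"value": "u1"}, {"value": "u2"}, {"value": "u3"}]}}
{"method": "GET", "path": "/scim/v2/Groups/g-nr-1", "body": {"displayName": "group-nr-1", "members": [{"value": "u3"}, {"value": "u1"}, {"value": "u2"}]}}
{"method": "PUT", "path": "/scim/v2/Groups/g-nr-1", "body": {"displayName": "group-nr-1", "members": [{"value": "u2"}]}}
{"method": "GET", "path": "/scim/v2/Groups/g-nr-1", "body": {"displayName": "group-nr-1", "members": [{"value": "u2"}]}}
{"method": "PUT", "path": "/scim/v2/Groups/g-nr-2", "body": {"displayName": "group-nr-2", "members": []}}
{"method": "DELETE", "path": "/scim/v2/Groups/g-nr-2", "body": null}
"""


def parse_log(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def member_ids(body):
    """Member list as a frozenset of 'value' ids, so that a SCIM server
    returning members in a different order does not count as a change."""
    if not body:
        return frozenset()
    return frozenset(m["value"] for m in body.get("members", []))


def group_id_from_path(path):
    """Last path segment of /scim/v2/Groups/<id>."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def audit(events):
    """Per-group summary: last PUT member set, number of PUTs, whether a
    GET ever disagreed with the preceding PUT, and whether a DELETE was seen."""
    state = defaultdict(lambda: {"display_name": None, "last_put": None,
                                 "put_count": 0, "get_mismatch": False,
                                 "deleted": False})
    for ev in events:
        if "/Groups/" not in ev["path"]:
            continue  # user resources are out of scope for this audit
        s = state[group_id_from_path(ev["path"])]
        method = ev["method"].upper()
        if method == "PUT":
            s["last_put"] = member_ids(ev["body"])
            s["display_name"] = ev["body"].get("displayName", s["display_name"])
            s["put_count"] += 1
        elif method == "GET":
            # Server state should mirror the last PUT exactly (ignoring order).
            if s["last_put"] is not None and member_ids(ev["body"]) != s["last_put"]:
                s["get_mismatch"] = True
        elif method == "DELETE":
            s["deleted"] = True
    return dict(state)


def orphaned_groups(events, live_okta_group_names):
    """Group IDs still present on the SCIM side (no DELETE seen) whose
    display name no longer matches any live Okta group."""
    return sorted(
        gid for gid, s in audit(events).items()
        if not s["deleted"] and s["display_name"] not in live_okta_group_names
    )


if __name__ == "__main__":
    events = parse_log(SCIM_LOG)
    # Constructed: the set of group names that still exist in Okta.
    live_in_okta = {"group-nr-3"}
    for gid, s in audit(events).items():
        print(gid, s["display_name"], "puts=%d" % s["put_count"],
              "remaining=%d" % len(s["last_put"] or ()),
              "deleted=%s" % s["deleted"], "get_mismatch=%s" % s["get_mismatch"])
    print("orphaned on SCIM side:", orphaned_groups(events, live_in_okta))
```

The live Okta group names would in practice come from a listing of the Okta groups your push rule covers; here they are a constructed set. A group that the audit reports as orphaned, with a non-zero `remaining` count and no DELETE, is exactly the invalid downstream state described above and is the one to clean up by hand on the SCIM side.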
Hi, @User16932634548646103204 (Customer)
Thank you for posting on our Community page!
Here is a previously answered question that could shed some light on your case:
https://support.okta.com/help/s/question/0D54z00009VTCGjCAP/scim-group-put-requests?language=en_US
My advice would be to leverage the Okta Developer forums for this type of question and take advantage of their expertise.
https://devforum.okta.com/
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Hi @User16594883467582706479 (Customer Support Online Experience)
The linked issue, as described at:
https://support.okta.com/help/s/question/0D54z00009VTCGjCAP/scim-group-put-requests?language=en_US
appears not to be entirely relevant. The attached issue details behavior when the PUT request contains an empty membership, but the issue discussed in this thread is significantly different.
Additionally, regarding the linked thread:
> The behavior described does not seem correct. After reviewing our documentation, I could not find specific information related to this. However, I managed to identify a few documents that might assist you in troubleshooting this issue:
https://developer.harness.io/docs/platform/user-management/provision-users-with-okta-scim/#option-assign-groups
Unfortunately, the linked documentation appears to be inaccessible, as clicking the link results in a "Page Not Found" error.
--
Marek
Hi @User16594883467582706479 (Customer Support Online Experience) ,
I believe @MarekS.48183 (Customer) has also replicated this with a third-party SCIM server, so we're reasonably sure it's an issue on the Okta side. I'll try posting in the dev forum and see if anyone has some pointers there.
cheers,
Trent