<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z0000AIHzmCCQTOkta Classic EngineIntegrationsAnswered2024-12-19T18:21:13.000Z2024-12-17T08:48:07.000Z2024-12-19T18:21:13.000Z

User17343537811392381699 (Auzmor) asked a question.

December 17, 2024 at 8:48 AM
SCIM Update User's manager attributes values not reflected in the PUT request payload

I have integrated and enabled SCIM User Provisioning for my LMS application through Okta. The integration works as expected for creating, updating, and deactivating users in my LMS when corresponding actions are performed in the Okta SCIM app.

However, I am facing an issue with the manager attribute. When assigning a user in the Okta SCIM app, I manually set the manager value and the manager display name. Initially, this sends the expected POST request payload to create the user in my LMS with the correct manager details.

The issue arises when I try to update the manager attribute with new values. Instead of sending the updated values in the PUT request payload, the request does not include the updated manager attribute values. As a result, my LMS app is unable to update the manager details.

Can you help me understand why this behaviour occurs and how to resolve it?

  • 5 answers
  • 459 views

  • MatthewH.10249 (State of Iowa)

    I looked at your devforum post. You mentioned "The GET response before the update includes the following response when no manager exists...". Keep in mind that Okta is making all the SCIM calls to the LMS so manager value in the GET response would be what the LMS is returning. If you are looking to update values from your LMS into Okta then you should look at the Profile Editor mapping via the first (left) tab "... to Okta User" and make sure that is set up correctly. We typically don't allow apps to update attributes our Okta.

     

    I myself have never written an SCIM API endpoint but have configured many apps in Okta that leverage them and have set and updated manager attributes with no issues. The steps I provide previously is all that is needed from an Okta perspective. The only time we have run into any sort of SCIM attribute missing issue is when we had issues with our profile editor mappings when we used some expressions that we had to adjust to deal with records that had null values. It does not sound like you are using expressions so you can rule that out I guess.

     

    That all said and keeping in mind that GET and PUT endpoints you mentioned in your devforum post are configured on the service provider (SP) side not the identity provider (IDP) side, have you reached out to your LMS support to make sure they are following the SCIM 1.1 or 2.0 protocol and that matches the supported SCIM version app you created in Okta?

    https://developer.okta.com/docs/guides/scim-provisioning-integration-connect/main/

    https://developer.okta.com/docs/api/openapi/okta-scim/guides/scim-11/

    https://developer.okta.com/docs/api/openapi/okta-scim/guides/scim-20/

     

    If what I've provided does not help and you don't get feedback from your devforum post then consider opening an Okta Support request. I'm sure a quick screen share session with them would allow you to quickly know if you have SCIM set up in Okta fine. If everything looks fine on the Okta side then you'll need to work with the LMS support team. Best of luck!

    Expand Post
    Selected as Best

  • Mihai N. (Okta, Inc.)

    Hi @User17343537811392381699 (Auzmor)​ , Thank you for reaching out to the Okta Community! 

     

    The first thing that comes to mind might be the "update user attributes" option.  

    Secondly, I would recommend checking the attribute mapping configuration

    Based on your description, I don't think the following applies but I'm adding it to cover as many bases as possible - another thing to keep in mind would be to look for is if you perhaps leverage the Okta Expression language to populate the manager values as certain functions do not trigger updates. 

    All that being said, the customer SCIM app implementation is the purview of our Developer colleagues. My advice would be to reach out via devforum.okta.com to take advantage of their expertise.

    While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-custom/developer work). 

     

     

     

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Expand Post

  • User17343537811392381699 (Auzmor)

    @Mihai N. (Okta, Inc.)​ Thank you for your response. I followed your steps.

    There are no problem in my  "update user attributes",  attribute mapping configuration options. Every other attributes updates works fine and mapping of manager is also fine.

    Moreover, I haven't use Okta Expression language  as well.

     

    I posted the issue in more details at devforum.okta.com 

    Here is the respective link: Okta SCIM manager updates fail to send updated values in the PUT request payload . Please do have a look and respond back.

     

    Thank you.

     

    Expand Post

  • MatthewH.10249 (State of Iowa)

    Double check a couple things. 1. Make sure "Update User Attributes" is checked which is found on the "Provisioning to App" section of the Provisioning tab view. 2. On the same tab/page as #1 scroll down to the "Attribute Mappings" and press the "Go to Profile Editor" button. Then press the "Mappings" button. Then select the right most tab on the top of the mapping page making sure it is the "Okta User to ..." view. On that view look at your manager values and make sure the arrow is green not yellow. If it is yellow then it will only set the values on create not update.

    Expand Post

  • User17343537811392381699 (Auzmor)

    @MatthewH.10249 (State of Iowa)​ Thank you for your response. I have ensured all the steps you mentioned. They are fine as expected. I observed this issue is due to the difference in my GET request response. I have explained the issue deeper in this respective link Okta SCIM manager updates fail to send updated values in the PUT request payload. Please do have a look and let me know if you'd be able to assist me with it.

     

    Thank you

    Expand Post

    • MatthewH.10249 (State of Iowa)

      I looked at your devforum post. You mentioned "The GET response before the update includes the following response when no manager exists...". Keep in mind that Okta is making all the SCIM calls to the LMS so manager value in the GET response would be what the LMS is returning. If you are looking to update values from your LMS into Okta then you should look at the Profile Editor mapping via the first (left) tab "... to Okta User" and make sure that is set up correctly. We typically don't allow apps to update attributes our Okta.

       

      I myself have never written an SCIM API endpoint but have configured many apps in Okta that leverage them and have set and updated manager attributes with no issues. The steps I provide previously is all that is needed from an Okta perspective. The only time we have run into any sort of SCIM attribute missing issue is when we had issues with our profile editor mappings when we used some expressions that we had to adjust to deal with records that had null values. It does not sound like you are using expressions so you can rule that out I guess.

       

      That all said and keeping in mind that GET and PUT endpoints you mentioned in your devforum post are configured on the service provider (SP) side not the identity provider (IDP) side, have you reached out to your LMS support to make sure they are following the SCIM 1.1 or 2.0 protocol and that matches the supported SCIM version app you created in Okta?

      https://developer.okta.com/docs/guides/scim-provisioning-integration-connect/main/

      https://developer.okta.com/docs/api/openapi/okta-scim/guides/scim-11/

      https://developer.okta.com/docs/api/openapi/okta-scim/guides/scim-20/

       

      If what I've provided does not help and you don't get feedback from your devforum post then consider opening an Okta Support request. I'm sure a quick screen share session with them would allow you to quickly know if you have SCIM set up in Okta fine. If everything looks fine on the Okta side then you'll need to work with the LMS support team. Best of luck!

      Expand Post
      Selected as Best
This question is closed.
Loading
SCIM Update User's manager attributes values not reflected in the PUT request payload