<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D5KZ000011xhTh0AIOkta Classic EngineIntegrationsAnswered2025-07-02T08:09:35.000Z2025-06-27T11:28:07.000Z2025-07-02T08:09:35.000Z

DarshanD.83150 (Customer) asked a question.

June 27, 2025 at 11:28 AM
Issue with Okta Sending Deactivated Users in Group PUT Call to SCIM Server

We are encountering an issue with Okta's SCIM integration related to group synchronization. Here's the scenario:

 

  1. When a user is deactivated in Okta, it correctly sends a SCIM PUT request to our SCIM server with "active": false.
  2. Our SCIM implementation handles this by removing the user’s group memberships and deactivating their access.
  3. However, in subsequent PUT requests for group updates, Okta continues to include this deactivated (and effectively deleted) user in the group membership list.
  4. Since the user ID no longer exists in our system (as it was removed on deactivation), our SCIM service returns a 400 Bad Request, causing the group sync to fail.

 

Question:

 Is this the expected behavior from Okta—to continue sending deactivated users in group membership during group PUT calls? If so, how should SCIM services handle such cases where the user referenced in the group no longer exists in the system? Is there a recommended approach to prevent group sync failures in this scenario?

 

Thanks

  • 2 answers
  • 168 views
This question is closed.
Loading
Issue with Okta Sending Deactivated Users in Group PUT Call to SCIM Server