NiviM.71991 (Customer) asked a question.
I have a SCIM APP that pushes and syncs users from OKTA to our own application. There was an issue and the SCIM APP got disconnected from the APP so some user attributes that were added later on weren't synced to the application.
We reconnected the app but since there was no change to the OKTA user attributes, no sync took place. I tried Force Sync but that didn't work either because according to the docs on Force Sync:
https://support.okta.com/help/s/article/How-To-Use-The-Force-Sync-Option?language=en_US
Force Sync from the To App section is not a request for all assigned users' profiles to be pushed via System for Cross-domain Identity Management (SCIM)/API to the external service. While this often may indeed result in AppUser profile provisioning push events, only a detected change in the AppUser profile from the last successful provisioning event will prompt a new push attempt to the external service.
The OKTA user profile itself is synced from another system so we can't change the user attributes directly in the OKTA user profile.
Is there a way to force the SCIM App to just push all users to our application regardless of detected changes?
There seems to be a workaround, though not sure it applies to this case. It's possible to do a mock update to the user App Scim Profile. It requires making an API call.
This is what I did:
First, create an OKTA API token.
Then, get the list of users in the app. You need the App Id which you can get from the URL:
https://OKTA_DOMAIN/admin/app/apono/instance/APP_ID/
curl -H "Authorization: SSWS OKTA_API_TOKEN" \
"https://OKTA_DOMAIN/api/v1/apps/APP_ID/users"
Find the any user ID and use it to do a mock update. In my case I used MiddleName set to NULL:
curl -X PUT -H "Authorization: SSWS OKTA_API_TOKEN" -H "Content-Type: application/json" \
-d '{"profile": {"middleName":""}}' \
"https://OKTA_DOMAIN/api/v1/apps/APP_ID/users/USER_ID"
Even though the value is null, it triggers an update.
For example, to update the managerValue, you can run an API call to update the AppUser profile with a mock value '{"profile": {"managerValue":"manager@company.com"}}'
And then run the same command but put '{"profile": {"managerValue":null}}' which will reset the value to take it from the OKTA user profile.
Hello @NiviM.71991 (Customer) Thank you for posting on our Community page!
If there was a disconnect in the app, it may lead to profiles to be somehow disconnected from the Okta SCIM application. One thing that comes to mind would be to remove and re-add the users to the SCIM app, before doing this you will need to disable the "Disable user in app" option to avoid de-provisioning of users.
Also if you have the option to test this in a test environment that would be optimal to see if this will indeed fix your issue.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Thanks Paul,
We thought about this option but it's currently not possible to do so due to some technical limitations. Otherwise we would have done it already. But thanks for the suggestion, if all else fails we might go down that path.
I would try updating an attribute in your users account in Okta, like Middle name. It doesn't have to be an attribute that is being mapped to your app, any change in the attribute will force the sync