Okta Classic Engine | Directories | Answered | 2026-02-27T17:53:23.000Z | 2026-02-04T01:04:39.000Z
SCIM provisioning fails when custom attribute 'roles' is mapped

Hello

 

I am currently testing SCIM 2.0 user provisioning using a custom SCIM Test App (Header Auth), and I encountered an issue related to a custom attribute mapping.

 

Summary of the issue

 

When I add and map a custom attribute named roles, user provisioning fails during the Create User operation with the following error:

 

'Automatic provisioning of user okta 02 to app SCIM 2.0 Test App (Header Auth) failed: Error while creating user okta02@monit.com: Bad Request. Errors reported by remote server: The request body message structure was invalid or did not conform to the request schema.'

 

Test results

I tested the following scenarios in order:

1. Default user provisioning (no custom attributes) → ✅ User created successfully
2. Add and map custom attribute roles, then input a value (e.g. ADMIN) → ❌ User creation fails with the error above
3. Add or modify an existing mapped attribute (e.g. userType) → ✅ User created successfully

 

This suggests that the failure is specific to the roles attribute.

 

Current configuration

Custom attribute name: roles
Data type: string / string array
External name: roles
External namespace: urn:ietf:params:scim:schemas:core:2.0:User
Attribute mapped from Okta user profile (appuser.roles → roles)

 

Observation

 

The SCIM server correctly handles all other attributes, and no server-side schema changes were made except for adding support for the roles field.

However, provisioning fails only when this attribute is present.

 

Based on SCIM 2.0 specifications, roles is already defined as a core multi-valued complex attribute. I suspect that defining a custom attribute with the same name may cause Okta to generate a request payload that does not conform to the expected SCIM schema.

 

Questions

1. Is it supported to define and map a custom attribute named roles under the SCIM core User namespace?
2. Does Okta treat roles as a reserved SCIM core attribute and enforce a specific structure?
3. If so, is the recommended approach to use a different attribute name (e.g. customRoles) or a custom SCIM extension namespace?

 

Any clarification or best practice guidance would be greatly appreciated.

 

Thank you.


  • Mihai N. (Okta, Inc.)

    Hi @MyounghunP.12250 (Customer), thank you for reaching out to the Okta Community!

     

    I'm not seeing "roles" as being reserved in the list.

    Does the SCIM integration have the "roles" attribute configured under Okta Admin Dashboard > Applications > "SCIM app name" > Provisioning > To App?

    If not, you may need to add it there.

     

     

    Regards.

    --

    Selected as Best
  • RohitU.50441 (Trevonix)

    Custom attributes are supported in SCIM 2.0, but under the right schema. As long as the schema mentioned while creating custom attributes is entertained by the SCIM server, it should work.

     

    If you are building SCIM, you have full control over how to handle received data. Print the data received and see how it looks and whether you need to add an additional snippet to handle it.

     

    If it is an enterprise SCIM with no access to the codebase, you have to make sure the custom attribute's variable and schema match exactly what the SCIM server would expect.
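
Following the suggestion above to inspect what the SCIM server receives, here is an added example (not code from Okta or from either poster) that checks the `roles` attribute of an incoming Create User body against the core shape in RFC 7643 section 4.1.2: a list of objects with the sub-attributes `value`, `display`, `type` and `primary`. The function names and the request bodies are constructed for illustration and do not show what Okta actually sends; the example assumes a server that validates the core schema strictly.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Sub-attributes RFC 7643 section 4.1.2 lists for the core "roles" attribute.
ROLE_SUBATTRS = {"value": str, "display": str, "type": str, "primary": bool}

def describe(value):
    """Short type description for log output, e.g. 'list[str]'."""
    if isinstance(value, list):
        inner = sorted({type(v).__name__ for v in value}) or ["empty"]
        return "list[" + "|".join(inner) + "]"
    return type(value).__name__

def check_core_roles(body):
    """Problems with core 'roles' in a SCIM User JSON body; [] means it conforms."""
    user = json.loads(body)
    problems = []
    if CORE_USER not in user.get("schemas", []):
        problems.append("schemas does not list " + CORE_USER)
    if "roles" not in user:
        return problems
    roles = user["roles"]
    if not isinstance(roles, list):
        return problems + ["roles is " + describe(roles) + ", expected list of objects"]
    for i, role in enumerate(roles):
        if not isinstance(role, dict):
            problems.append(f"roles[{i}] is {describe(role)}, expected object")
            continue
        for key, val in role.items():
            expected = ROLE_SUBATTRS.get(key)
            if expected is None:
                problems.append(f"roles[{i}].{key} is not a defined sub-attribute")
            elif not isinstance(val, expected):
                problems.append(f"roles[{i}].{key} is {describe(val)}, expected {expected.__name__}")
    if sum(1 for r in roles if isinstance(r, dict) and r.get("primary") is True) > 1:
        problems.append("more than one role has primary=true")
    return problems

# Constructed request bodies (not captured from Okta).
BASE = {"schemas": [CORE_USER], "userName": "okta02@monit.com"}
SAMPLES = {
    "string": dict(BASE, roles="ADMIN"),
    "string array": dict(BASE, roles=["ADMIN"]),
    "complex": dict(BASE, roles=[{"value": "ADMIN", "primary": True}]),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", check_core_roles(json.dumps(sample)) or "conforms")
```

Logging this result next to the raw body on the server's POST /Users handler shows whether a 400 comes from the shape of `roles` or from something else in the request.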

     
