Hello Okta Developer Community,
We are in the process of implementing a SCIM 2.0 service for our application. Our customers will use their Okta IdP to send us SCIM requests to create and deactivate users, which will keep our systems synchronized for all future lifecycle events.
Our Core Challenge:
While SCIM will effectively handle users who are deactivated after the integration is enabled, we have a significant number of stale user accounts in our system. These are users who were created via a previous JIT federation model and were later deactivated or deleted from the customer’s Okta IdP long before our SCIM service was connected.
Since these deactivations happened in the past, the customer’s Okta IdP will not send us a SCIM delete or deactivation event for these users. This leaves us with a large number of orphaned accounts that pose a security risk and a data integrity problem.
Our Question:
What is the recommended best practice or guidance from Okta for identifying and cleaning up these stale user accounts at the time of SCIM integration? How can we perform an initial reconciliation to align our user base with the customer’s source of truth in Okta?
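One way to run the initial reconciliation asked about above, as an added example that is not part of the original post and not Okta tooling: it assumes the customer can export their users as a paged SCIM 2.0 ListResponse and that our side can list its own accounts, then works out which local accounts have no active counterpart in Okta so they can be deactivated (not deleted) and which ones can be linked to their SCIM id before SCIM goes live.

```python
import json

# Constructed sample: a paged SCIM 2.0 ListResponse, as an export of the
# customer's Okta users would look (assumption: the customer can export users
# in this form; only id, userName and active are used here).
IDP_PAGES = [
    json.dumps({"totalResults": 3, "startIndex": 1, "itemsPerPage": 2, "Resources": [
        {"id": "00u1", "userName": "Alice@Example.com", "active": True},
        {"id": "00u2", "userName": "bob@example.com", "active": False}]}),
    json.dumps({"totalResults": 3, "startIndex": 3, "itemsPerPage": 1, "Resources": [
        {"id": "00u3", "userName": "carol@example.com", "active": True}]}),
]

# Constructed sample of our own user table: (local_id, login, active).
LOCAL_USERS = [
    ("L1", "alice@example.com", True),   # still active in Okta: link to 00u1
    ("L2", "bob@example.com", True),     # deactivated in Okta pre-SCIM: orphan
    ("L3", "dave@example.com", True),    # deleted from Okta pre-SCIM: orphan
    ("L4", "erin@example.com", False),   # already inactive locally: no action
]

def load_idp_active_logins(pages):
    """Return {login: scim_id} for active IdP users across all pages.
    Logins are compared case-insensitively, and the number of resources seen
    is checked against totalResults: a truncated export must fail loudly,
    because treating it as complete would orphan every user it omits."""
    seen, total, active = 0, None, {}
    for raw in pages:
        page = json.loads(raw)
        total = page["totalResults"]
        for user in page["Resources"]:
            seen += 1
            if user.get("active", True):
                active[user["userName"].lower()] = user["id"]
    if total is None or seen != total:
        raise ValueError(f"export incomplete: saw {seen} of {total} resources")
    return active

def reconcile(local_users, idp_active):
    """Return (to_deactivate, to_link): local ids of active accounts with no
    active IdP counterpart, and {local_id: scim_id} for accounts that match.
    Orphans are deactivated, not deleted, so a wrong match can be reversed."""
    to_deactivate, to_link = [], {}
    for local_id, login, is_active in local_users:
        scim_id = idp_active.get(login.lower())
        if scim_id:
            to_link[local_id] = scim_id
        elif is_active:
            to_deactivate.append(local_id)
    return to_deactivate, to_link
```

Running `reconcile(LOCAL_USERS, load_idp_active_logins(IDP_PAGES))` on the sample yields `["L2", "L3"]` to deactivate and `{"L1": "00u1"}` to link; the export check raises if only the first page is supplied.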