Challenges with SCIM delete implementation with Just in Time

Hi Okta team,

We have a federation set up with our customer Okta IdPs and have enabled provisioning of users through Just in Time. We are in the process of enabling only deprovisioning through SCIM. However, we are observing the following issue with Just in Time and SCIM delete:

This outlines the issue for users who exist in the customer's Azure IdP but not in our Auth server before SCIM is enabled.

  1. Upon enabling SCIM in the customer's Okta IdP, it sends a GET request for each existing user to check for them in our Auth server.
  2. For the users that have not yet been provisioned in our Auth server through JIT, our SCIM service returns a response as per the SCIM standard.
  3. Later, this user logs in and has their profile created in our Auth server through Just in Time.
  4. Consequently, when the user is deleted from the customer's Okta IdP, SCIM deactivation events are not sent.
  5. The user's shadow account in our Auth server continues to exist even after the user is removed from the customer's IdP.

Ongoing Issue with New Users

This outlines the issue for users added after SCIM is enabled.

  1. When a new user is assigned to the SAML application in the customer's Okta IdP, the customer's Okta IdP sends a GET request to our system to fetch the user's profile.
  2. Our application returns a response as per the SCIM standard.
  3. When the new user logs in, their shadow account gets created in our Auth server by Just in Time.
  4. When the user is deleted from the customer's Okta IdP, it does not trigger the SCIM deactivation event.
  5. The user's shadow account in our Auth server continues to exist even after the user is removed from the customer's IdP.

Can you help us understand how to resolve this issue?

Hi, can you help with the above query? Thanks.

Hi, can you help us with your recommendation?

We are in process of enabling only deprovisioning through SCIM.

In order for Okta to be able to deprovision users via SCIM, they must first be provisioned via SCIM.

Do you ever see any GETs or POSTs to your SCIM server's Users endpoint looking for these users?
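To illustrate the point made in the reply above, here is an added, constructed simulation of the SCIM /Users flow; it is not code from the thread, from Okta, or from the poster's service. It models an in-memory account table shared by the SCIM handlers and the JIT (SAML login) hook, and runs the two scenarios side by side: a server that answers the initial GET but has no create (POST) support, so the account is later created by JIT and no deactivation ever reaches it, and a server that also implements POST, so Okta holds a SCIM id for the account and a later PATCH with active=false lands on the same record that JIT reuses. The userName, externalId and the 501 response for an unimplemented create are constructed assumptions for the example; the ListResponse and PatchOp shapes follow the SCIM 2.0 RFCs.

```python
"""Constructed simulation of the SCIM /Users flow discussed in the thread.
Not Okta's or the poster's code; an in-memory stand-in for an HTTP server."""
import re
import uuid

SCHEMA_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCHEMA_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCHEMA_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCHEMA_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# One account table shared by the SCIM handlers and the JIT hook, keyed by the
# SCIM "id" the server hands out. userName is unique within the table.
accounts = {}

def reset():
    accounts.clear()

def _by_username(user_name):
    return next((u for u in accounts.values() if u["userName"] == user_name), None)

def _resource(u):
    return {"schemas": [SCHEMA_USER], "id": u["id"], "userName": u["userName"],
            "active": u["active"], "externalId": u.get("externalId")}

def _error(status, detail):
    return status, {"schemas": [SCHEMA_ERROR], "status": str(status), "detail": detail}

def parse_username_filter(expr):
    """Okta probes for an existing user with GET /Users?filter=userName eq "...".
    Returns the quoted value, or None for any other filter expression."""
    m = re.fullmatch(r'\s*userName\s+eq\s+"([^"]*)"\s*', expr or "")
    return m.group(1) if m else None

def scim_get_users(filter_expr):
    """GET /Users?filter=... -> (status, ListResponse or Error)."""
    user_name = parse_username_filter(filter_expr)
    if user_name is None:
        return _error(400, "only userName eq filters are supported")
    hits = [_resource(u) for u in accounts.values() if u["userName"] == user_name]
    return 200, {"schemas": [SCHEMA_LIST], "totalResults": len(hits),
                 "startIndex": 1, "itemsPerPage": len(hits), "Resources": hits}

def scim_post_user(body, implemented=True):
    """POST /Users -> (status, resource). implemented=False models a server
    that only built the lookup and deprovisioning side (constructed 501)."""
    if not implemented:
        return _error(501, "create not implemented")
    if _by_username(body["userName"]):
        return _error(409, "userName already exists")
    u = {"id": str(uuid.uuid4()), "userName": body["userName"],
         "externalId": body.get("externalId"), "active": body.get("active", True),
         "source": "scim"}
    accounts[u["id"]] = u
    return 201, _resource(u)

def scim_patch_user(user_id, body):
    """PATCH /Users/{id} handling both PatchOp forms Okta-style clients send:
    {"op":"replace","value":{"active":false}} and {"op":"replace","path":"active","value":false}."""
    u = accounts.get(user_id)
    if u is None:
        return _error(404, "no such user")
    for op in body.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            continue
        if op.get("path") == "active":
            u["active"] = bool(op["value"])
        elif isinstance(op.get("value"), dict) and "active" in op["value"]:
            u["active"] = bool(op["value"]["active"])
    return 200, _resource(u)

def jit_login(user_name):
    """SAML login: JIT creates a shadow account only if none exists for userName."""
    u = _by_username(user_name)
    if u is None:
        u = {"id": str(uuid.uuid4()), "userName": user_name, "externalId": None,
             "active": True, "source": "jit"}
        accounts[u["id"]] = u
    return u

def scenario(create_implemented):
    """Okta assigns the user (GET, then POST if absent), the user logs in once,
    and Okta later deactivates. Returns (account_source, account_active)."""
    reset()
    name = "alice@example.com"  # constructed sample user
    status, listing = scim_get_users(f'userName eq "{name}"')
    scim_id = listing["Resources"][0]["id"] if listing["totalResults"] else None
    if scim_id is None:
        status, created = scim_post_user({"schemas": [SCHEMA_USER], "userName": name,
                                          "externalId": "00u-constructed"},
                                         implemented=create_implemented)
        scim_id = created["id"] if status == 201 else None
    jit_login(name)
    if scim_id is not None:  # the IdP only deactivates accounts it holds a SCIM id for
        scim_patch_user(scim_id, {"schemas": [SCHEMA_PATCH],
                                  "Operations": [{"op": "replace", "value": {"active": False}}]})
    u = _by_username(name)
    return u["source"], u["active"]

if __name__ == "__main__":
    print("GET only  :", scenario(create_implemented=False))  # ('jit', True)
    print("GET + POST:", scenario(create_implemented=True))   # ('scim', False)
```

The useful detail is the shared table: once POST is implemented, a JIT login finds the SCIM-created record instead of minting a second shadow account, so the PATCH that follows a removal at the IdP deactivates the same row the user actually signs in with.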

Yes. Does that mean we have to implement the entire SCIM functionality in one shot? Is there no way to break down SCIM development into different functionalities?
