Deprovisioning-only use of SCIM

Hi –

We have a SaaS application which can use customer identity providers for authentication (via the IdentityServer3 library) via WS-Federation or SAML2.

When a customer uses this feature their IdP (directory) is master, our application handles provisioning, and we store no user attributes which need to be stored in the IdP.

We’ve set this up for a customer that uses Okta as IdP. They would like us to take some action when they deprovision a user.

SCIM seems ideal for this, but I don’t understand:

  1. Whether we have to implement the GET, POST and PUT methods listed in the beta docs when we only need PATCH?
  2. How OAuth 2.0 would work on our endpoints; would our customer have to configure the Okta Lifecycle Management product with details of our authorization endpoint & credentials for a service account we’d create for this use?

The customer doesn’t need real-time deprovisioning, so a solution where we poll their directory via the Okta api would probably be acceptable; but I’d like to understand more about Okta’s support for SCIM.


– Richard