Deprovisioning-only use of SCIM

richard.barnett · December 3, 2019, 3:23am

Hi –

We have a SaaS application which can use customer identity providers for authentication (via the IdentityServer3 library) via WS-Federation or SAML2.

When a customer uses this feature their IdP (directory) is master, our application handles provisioning, and we store no user attributes which need to be stored in the IdP.

We’ve set this up for a customer that uses Okta as IdP. They would like us to take some action when they deprovision a user.

SCIM seems ideal for this, but I don’t understand:

Whether we have to implement the GET, POST and PUT methods listed in the beta docs when we only need PATCH?
- Perhaps these docs are old and superseded by “Required SCIM Server Capabilities” in Understanding SCIM?
How OAuth 2.0 would work on our endpoints; would our customer have to configure the Okta Lifecycle Management product with details of our authorization endpoint & credentials for a service account we’d create for this use?

The customer doesn’t need real-time deprovisioning, so a solution where we poll their directory via the Okta api would probably be acceptable; but I’d like to understand more about Okta’s support for SCIM.

Thanks

– Richard

dragos · December 9, 2019, 2:56am

Hi @richard.barnett

The best solution is to implement the endpoints and operations mentioned in the article available here. This article has been reviewed and published recently.

This depends on how the SCIM endpoints are checking the authorization header and which type of resources are they returning (eg. everything, resources per tenant, etc.).

If the application is published in Okta Integration Network with OAuth 2.0 capabilities, then the users can simply click a button such as “Authenticate with ” and the browser will do automatically the authorization code flow.

system · January 23, 2024, 7:37pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.