I’m new in the world of user provisioning and we recently setup a simple SCIM service. I’m working out the finer details in a technical design of how we want to implement our service.
We will be using 1 service for all our customers, which can each have multiple applications that have to be fed by OKTA. I can solve this by doing one of the following:
1: I create a user/group table which will get updated by OKTA and I merge all changes from these tables to our applications. If a new application gets added I can just tell it to query our SCIM database to get all the user data. This would work well enough, however we like to prevent having to store the user data in yet another database. In a perfect world, all applications would get it’s data from one source, but that is sadly not how our applications are designed, and it will take too much work to change that now.
2: We do not store any user/group data in our SCIM service and only the mutations send by OKTA. These will be picked up by a queue and send to all applications that have not received this mutation. This would great for existing applications. However if we add another application for the organization, OKTA would not know that “that” application is missing all the user data.
- In that case is it possible for us to request a full synchronization from OKTA, or is it a one way street?
- Also, how does OKTA sync it’s data exactly. Do you only send mutation request for users that changed on your end. Or do you query all users periodically to check if they exist?
If there are other solutions i’m not thinking of, those would be welcome also of course. If i’m going about this in the wrong way please feel free to enlighten me:slight_smile: