I would like to receive the externalId of a group in my custom app integration with SCIM. When I am trying to add this id to the group attributes I get the following error: Property name externalId is reserved for use by external directory groups.
I have added the group via Directory → Groups → Add Group.
While debugging I do get some information like the displayName and description when pushing the groups. However I do not get the externalId.
Am I using the wrong group or what actions should I take to get this to work?
Which externalId are you trying to receive and where/how: the external Id for the group on the SCIM server, or an external Id for a group from the directory it was imported from (e.g. AD, Workday, Google, etc)?
The ID for the group on the SCIM server will be used by Okta to make update requests, but if Okta doesn’t know the group id on the SCIM side yet, we’ll attempt to create one.
In the body we expect to receive the externalId of the group but while debugging the request, this externalId is not present:
“{“schemas”:[“urn:ietf:params:scim:schemas:core:2.0:Group”],“displayName”:“Test group”,“members”:[{“value":“12345678-0000-0000-0000-000000000000”,“display”:"myemail@email.com”}]}”
In Azure externalId gets mapped by default to “objectid” and can even be changed:
While the externalId is send with a new user it’s not send with a new group in the request body.
At last, should we have import groups action enabled for this to work on the SCIM connection tab in our scim app integration?
When trying to check the “Import Groups” checkbox and saving, we get a “Bad request” error. I can not find any helpful information in the logs apart from the following:
Changes to the Group push mapping for the group Test group could not take effect due to error: Error while creating user group Test group: Bad Request.
Even when having no groups we are not able to save the “Import groups” setting.
I am faced with the same problem. The request from okta to create a group on my scim server does not contain an external id of the group. I solved it the following way: On my scim server I create a group with self-generated external id, which I return to okta in the response. This seems to work. Because when new users are added to the group in okta, the users are transferred to my scim server with the external group id originally generated by myself. Unfortunately, I do not know if this is the desired approach for implementation, but it works. Is my solution correct?
In comparison to Azure: The scim request from Azure to create a group on scim server contains external id of group.
Though this is an old thread, I am also facing the same issue.
Can you please confirm if the solution suggested by @raschp can be applied for this situation?
