The groups attribute on a user in the SCIM API is always empty. What is it for? Even if a user is added to a group in the Directory settings, the groups attribute is an empty list. I cannot find any documentation for that attribute and what it is supposed to contain.
Hi there, the SCIM specsheet defines the group attribute this way:
It is intended that the semantics of group membership and any behavior or authorization granted as a result of membership are defined by the service provider.
Ideally, you’d want to have a many-to-many relationship between your Groups table and Users table in your external application’s database. This relationship would populate your groups attribute for a user dynamically and avoid any potential security issues down the line with a hard-coded groups list that could grant outdated access. Does that make sense?
Maybe a bit. But the thing that I still don’t understand is this. When I update or create a user in Okta, there is a POST or PUT request sent to my application with that user and its attributes. Within those attributes there is a groups attribute which always has an empty list as value. I assumed that it would contain information about which groups the user belongs to in Okta, but it does not. I have not activated groups in the SCIM settings for the application though, not sure if it is needed for this. The application does not support the groups api for SCIM at the moment.
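Added example (not part of the thread and not Okta's code): a minimal sketch of the many-to-many approach described in the answer above, where a SCIM service provider derives a user's `groups` from a membership table and ignores any `groups` value in an incoming User POST/PUT, since RFC 7643 defines that attribute as read-only. The table names, function names and sample data are assumptions constructed for illustration.

```python
import sqlite3

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def make_store():
    """In-memory store with a users<->groups join table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE scim_users  (id TEXT PRIMARY KEY, user_name TEXT NOT NULL);
        CREATE TABLE scim_groups (id TEXT PRIMARY KEY, display_name TEXT NOT NULL);
        CREATE TABLE memberships (user_id TEXT NOT NULL, group_id TEXT NOT NULL,
                                  PRIMARY KEY (user_id, group_id));
    """)
    return db

def put_user(db, user_id, payload):
    """Handle a User POST/PUT. Only userName is stored; a 'groups' value in
    the payload is ignored because User.groups is readOnly (RFC 7643)."""
    db.execute("INSERT OR REPLACE INTO scim_users VALUES (?, ?)",
               (user_id, payload["userName"]))

def put_group(db, group_id, display_name, member_ids):
    """Handle a Group PUT: replace the group's member set in the join table."""
    db.execute("INSERT OR REPLACE INTO scim_groups VALUES (?, ?)",
               (group_id, display_name))
    db.execute("DELETE FROM memberships WHERE group_id = ?", (group_id,))
    db.executemany("INSERT INTO memberships VALUES (?, ?)",
                   [(uid, group_id) for uid in member_ids])

def render_user(db, user_id):
    """Build the User resource; 'groups' is computed from current memberships."""
    row = db.execute("SELECT user_name FROM scim_users WHERE id = ?",
                     (user_id,)).fetchone()
    if row is None:
        return None
    groups = db.execute(
        "SELECT g.id, g.display_name FROM memberships m "
        "JOIN scim_groups g ON g.id = m.group_id "
        "WHERE m.user_id = ? ORDER BY g.id", (user_id,)).fetchall()
    return {"schemas": [USER_SCHEMA], "id": user_id, "userName": row[0],
            "groups": [{"value": gid, "display": name, "type": "direct"}
                       for gid, name in groups]}

def demo():
    db = make_store()
    # Constructed payload: the client tries to assert membership directly.
    put_user(db, "u1", {"userName": "alice@example.com",
                        "groups": [{"value": "admins"}]})
    before = render_user(db, "u1")["groups"]   # no membership rows yet
    put_group(db, "g1", "Engineering", ["u1"])
    during = render_user(db, "u1")["groups"]   # derived from the join table
    put_group(db, "g1", "Engineering", [])     # membership revoked
    return before, during, render_user(db, "u1")["groups"]
```

Because membership lives only in the join table, removing a user from a group takes effect on the next read of the User resource, with no stored `groups` list left to go stale.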