How to Access Manager's Okta User ID in Expression Language for SCIM Provisioning?

Questions SCIM
1

Context

I’m building a SCIM provisioning integration and need to map the manager’s Okta user ID to a downstream application. My users come from two sources:

  • Active Directory (with AD manager relationships via the manager attribute)

  • Native Okta users (with Linked Object manager relationships)

Issue

I can successfully access manager attributes like email and firstName, but cannot access the id property:

:white_check_mark: Works:

getManagerUser("active_directory").email
getManagerUser("active_directory").firstName
user.getLinkedObject("manager").email
user.getLinkedObject("manager").firstName

:cross_mark: Fails with “Invalid property id”:

javascript

getManagerUser("active_directory").id
user.getLinkedObject("manager").id

What I’ve Tried

Expression attempt:

getManagerUser("active_directory") != null ? getManagerUser("active_directory").id : user.getLinkedObject("manager") != null ? user.getLinkedObject("manager").id : null

Other attempts:

  • .managerID - Invalid property

  • .userId - Invalid property

  • .externalId - Invalid property

Note: For the current user, user.getInternalProperty("id") works, but this doesn’t apply to objects returned by getManagerUser() or getLinkedObject().

:cross_mark: user.getLinkedObject("manager").getInternalProperty("id") fails

:cross_mark: getManagerUser("active_directory").getInternalProperty("id") fails

Documentation Referenced

The docs show examples with .email and .firstName but don’t document accessing the id property or list all available properties on returned objects.

Questions

  1. What is the correct property name to access a manager’s Okta user ID?

  2. What properties are available on objects returned by getManagerUser() and user.getLinkedObject()?

  3. Is there comprehensive documentation listing all accessible properties for these functions?

  4. If .id is not supported, what’s the recommended approach for provisioning stable manager identifiers?

Why I Need the ID

The target SCIM application requires stable user identifiers. Email addresses can change, so we need to use the Okta user ID as the canonical reference.

Has anyone successfully provisioned manager IDs (not emails) to SCIM apps? Any insights would be greatly appreciated!