Issue with Okta Sending Deactivated Users in Group PUT Call to SCIM Server

darshan.deshmane · June 30, 2025, 4:37am

We are encountering an issue with Okta’s SCIM integration related to group synchronization. Here’s the scenario:

When a user is deactivated in Okta, it correctly sends a SCIM PUT request to our SCIM server with “active”: false.
Our SCIM implementation handles this by removing the user’s group memberships and deactivating their access.
However, in subsequent PUT requests for group updates, Okta continues to include this deactivated (and effectively deleted) user in the group membership list.
Since the user ID no longer exists in our system (as it was removed on deactivation), our SCIM service returns a 400 Bad Request, causing the group sync to fail.

Question:

Is this the expected behavior from Okta—to continue sending deactivated users in group membership during group PUT calls? If so, how should SCIM services handle such cases where the user referenced in the group no longer exists in the system? Is there a recommended approach to prevent group sync failures in this scenario?

Thanks

darshan.deshmane · July 2, 2025, 8:55am

Hello, can I get any update on this please?

andrea · July 7, 2025, 8:32pm

Can you check to see if you are using the same group for user assignment as you do for Group Push? If so, you will want to modify this per the documentation here: Troubleshooting Group Push | Okta Identity Engine

Post		Replies	Views
SCIM group push includes disabled users SCIM	6	145	May 1, 2025
OIN SCIM integration and removal of users from groups SCIM	5	327	November 24, 2024
SCIM Deactivation via Group Membership SCIM	3	4806	January 23, 2024
SCIM doesn't remove user from the last group SCIM	2	32	July 5, 2025
SCIM provisioning issue SCIM	2	2924	February 8, 2024

Issue with Okta Sending Deactivated Users in Group PUT Call to SCIM Server

Related topics