Issue with Okta Sending Deactivated Users in Group PUT Call to SCIM Server

darshan.deshmane · June 30, 2025, 4:37am

We are encountering an issue with Okta’s SCIM integration related to group synchronization. Here’s the scenario:

When a user is deactivated in Okta, it correctly sends a SCIM PUT request to our SCIM server with “active”: false.
Our SCIM implementation handles this by removing the user’s group memberships and deactivating their access.
However, in subsequent PUT requests for group updates, Okta continues to include this deactivated (and effectively deleted) user in the group membership list.
Since the user ID no longer exists in our system (as it was removed on deactivation), our SCIM service returns a 400 Bad Request, causing the group sync to fail.

Question:

Is this the expected behavior from Okta—to continue sending deactivated users in group membership during group PUT calls? If so, how should SCIM services handle such cases where the user referenced in the group no longer exists in the system? Is there a recommended approach to prevent group sync failures in this scenario?

Thanks

darshan.deshmane · July 2, 2025, 8:55am

Hello, can I get any update on this please?

andrea · July 7, 2025, 8:32pm

Can you check to see if you are using the same group for user assignment as you do for Group Push? If so, you will want to modify this per the documentation here: Troubleshooting Group Push | Okta Identity Engine

Post		Replies	Views
OIN SCIM integration and removal of users from groups SCIM	5	315	November 24, 2024
User deletion SCIM integration issue SCIM	2	2194	February 15, 2024
SCIM Group Removal SCIM	5	4334	February 18, 2020
SCIM Deactivation via Group Membership SCIM	3	4804	January 23, 2024
SCIM group push includes disabled users SCIM	6	134	May 1, 2025

Issue with Okta Sending Deactivated Users in Group PUT Call to SCIM Server

Related topics