MVP SCIM functionality

Amrit · July 28, 2025, 10:58am

Hello,

We are in the initial stages of building a custom SCIM 2.0 server to integrate with Okta as an Identity Provider.
Our goal is to understand if we can adopt an incremental, phased approach to building out our SCIM capabilities, or if the Okta SCIM client requires a fully functional server (supporting all core operations) from day one to work correctly.

For example, could we follow a development plan like this?

Phase 1 (Deprovisioning Focus): Initially, only implement GET /Users (for lookups) and PATCH /Users (specifically to support deactivation with active: false).
Phase 2 (Provisioning): Later, add support for POST /Users to handle user creation.
Phase 3 (Groups, etc.): Subsequently, add support for /Groups and other features.

Our Specific Questions Are:

Is an incremental approach viable? Or will the Okta provisioning service encounter critical, non-recoverable errors if, for instance, it attempts to create a user but the POST /Users endpoint is not yet implemented?
What is the minimum required set of endpoints for the Okta SCIM client to function without getting into a persistent error state? For example, must POST /Users be available before any users are assigned to the application?
What is the recommended best practice from Okta for developing a new SCIM integration? Is there a “minimum viable SCIM server” definition that we should aim for in our first release?

We want to ensure we can deliver value iteratively without causing downstream issues in our customers’ Okta tenants. Any guidance or insights from your experience would be greatly appreciated.

ramgan · July 28, 2025, 1:31pm

GET /users is the only mandatory method you need, you could technically release a version accepting GET and PATCH requests and progressively perform upgrades to your app. You might have to support SCIM compliant filtering in your endpoint even in your first version as Okta tries to locate existing users for any operation.

During submission you would select something like this

Here are couple of blogs about building a SCIM server

Amrit · July 28, 2025, 4:08pm

Hi Ram, thanks for your reply. We enabled SCIM only for deprovisioning and we are receiving PUT as well as POST request. We don’t see any PATCH request. Can you advise on how best to move ahead ?

ramgan · July 28, 2025, 4:56pm

What kind of app are you using? An app created using AIW via Create App Integration button or using template app (refer this)

What are the steps you are doing to get the PUT/POST requests?

What does your provisioning settings look like?

I see a PATCH request during deactivation on my side similar to what is mentioned here.

You can create a support ticket if you want to share your org specific details for our engineers to take a closer look.

system · August 27, 2025, 4:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Post		Replies	Views
Deprovisioning-only use of SCIM SCIM	2	4048	December 9, 2019
SCIM support for Okta endpoints /users /groups /apps SCIM	2	5292	December 9, 2017
SCIM APIs in Okta SCIM	3	3304	January 20, 2022
SCIM based user provisioning SCIM	7	5215	September 2, 2019
SCIM On-Prem Provisioning SCIM	3	4131	January 29, 2020

MVP SCIM functionality

Related topics