OIN SCIM integration and removal of users from groups

Seldaek · October 23, 2024, 12:43pm

We are developing a SCIM / Okta integration and encountered issues while checking our integration’s compatibility with Okta’s.

It seems like the way Okta handles the removal of a user from a group has two possible code paths:

if the user still has at least another group membership, Okta sends a PATCH to the group endpoint to remove the user from the group it was removed from. That is what we would always expect and that works well.
if the user is removed from all groups, Okta sends a a PATCH to the user endpoint to mark the user as active: false. This is not logical from our perspective as the group membership is still present, the user is merely disabled/unable to login. This resulted in validation issues from your side saying that when listing the group, that user is still in the list of members, but that is for us an incorrect expectation as it was never removed from the group members.

It would be much better from a SCIM compliance point of view if Okta would send a PATCH to the group endpoint as well to remove the user like in the first code path above, and then would issue a DELETE /scim/v2/Users/[user-id] request to disable/delete the user, or PATCH to set active:false, same same, but the group removal should be done first.

Looking forward to hearing your thoughts on this.

ram.gandhi · October 23, 2024, 2:59pm

This is a known limitation and documented in this link.

The following are the known Group Push limitations:

Okta doesn’t support using the same group for app assignment and Group Push. To maintain consistent group membership between Okta and the downstream app, you must create a separate group that’s configured to push to the target app. See App assignments and Group Push.

Seldaek · October 23, 2024, 3:02pm

Sorry I am not sure how that is related to my query. When a user gets unassigned from all groups they get their access removed, ok that makes sense and I have no problem with that limitation. But the way the Okta SCIM client communicates this to the SCIM server could still be improved I would say.

ram.gandhi · October 23, 2024, 3:27pm

This limitation is why you would want a group not part of push group so that you can first remove memberships and then deactivate the user.

As far as changing how SCIM client is implemented, we definitely value your feedback. We would appreciate adding your suggestion in Okta Ideas portal - Okta Help Center (Lightning)

Seldaek · October 25, 2024, 7:48pm

Sorry to be blunt but this is a bug in your SCIM implementation, not some idea I should throw in your wish-bucket to be forgotten…

P.S.: I tried to log in to the Okta Ideas portal anyway but it seems to not respond right now…the page just won’t load.

Post		Replies	Views
SCIM Group Removal SCIM	5	4252	February 18, 2020
SCIM Deactivation via Group Membership SCIM	3	4720	January 23, 2024
SCIM 1.1 Group Update docs don't match real life behavior SCIM api	1	2752	February 12, 2024
Support SCIM group membership updates for groups of users assigned to apps SCIM	4	3788	February 8, 2024
Reassign removed user to group not able to update flag Active to SCIM APP SCIM	5	2885	February 12, 2024

OIN SCIM integration and removal of users from groups

Related Topics