I’m seeing an issue with SCIM API calls for an app.
When I update a Group in Okta, I see multiple API calls duplicating effort.
E.g. let’s say I have group A with members 1, 2, and 3. If I add member 4, then the API calls look like this:
GET /scim/v2/Groups/[ID A]
(group with [1,2,3] returned)
GET /scim/v2/Groups/[ID A] (same request as before)
(group with [1,2,3] returned)
GET /scim/v2/Users?filter=userName%20eq%20%22[EMAIL 4]%22&startIndex=1&count=100
(inactive user returned)
PUT /v1/scim/v2/Groups/[ID A] (with member list [1,2,3])
(group with [1,2,3] returned)
GET /v1/scim/v2/Users/[ID 4]
(inactive user returned)
PUT /v1/scim/v2/Users/[ID 4] ("active": true)
(user set to active)
GET /scim/v2/Groups/[ID A]
(group with [1,2,3] returned)
GET /v1/scim/v2/Users/[ID 4]
(active user returned)
PUT /v1/scim/v2/Users/[ID 4] (with member list [1,2,3])
(group with [1,2,3] returned)
PUT /v1/scim/v2/Users/[ID 4] (displayName, externalId, empty groups array)
(active user returned)
GET /scim/v2/Groups/[ID A]
(group with [1,2,3] returned)
GET /scim/v2/Groups/[ID A] (same request as the previous)
(group with [1,2,3] returned)
PUT /scim/v2/Groups/[ID A] (with member list [1,2,3,4])
(group with [1,2,3,4] returned)
GET /scim/v2/Groups/[ID A]
(group with [1,2,3,4] returned)
PUT /scim/v2/Groups/[ID A] (with member list [4,1,2,3])
(group with [4,1,2,3] returned)
The problem is the last two PUT calls. The changing of the order is unusual, but sometimes, the contents of the member lists don’t even match, resulting in members being incorrectly removed from the group in the target server. When I run “Push now” on the group, I still get duplicate GETs and duplicate PUTs, with the member list slightly shuffled.
Does anybody know why this is happening or how to mitigate it?
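Added example, not part of the original post and not Okta's code: one way to check a SCIM server's request log for the pattern described above, by comparing each Group PUT with the previous PUT to the same group and separating reorder-only updates from ones that drop members. The log tuple format, group id A and the final mismatching PUT are constructed for illustration; the members/value body shape follows the SCIM Group schema.

```python
import json

# Constructed sample: (method, path, JSON body) tuples as a SCIM server might log them.
# Group id "A" and member ids "1".."4" are placeholders, not values from a real tenant.
def _body(ids):
    return json.dumps({"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
                       "displayName": "group A",
                       "members": [{"value": i} for i in ids]})

SAMPLE_LOG = [
    ("PUT", "/scim/v2/Groups/A", _body(["1", "2", "3"])),
    ("GET", "/scim/v2/Groups/A", ""),
    ("PUT", "/scim/v2/Groups/A", _body(["1", "2", "3", "4"])),
    ("PUT", "/scim/v2/Groups/A", _body(["4", "1", "2", "3"])),
    ("PUT", "/scim/v2/Groups/A", _body(["4", "1", "3"])),  # constructed mismatch case
]

def member_ids(body):
    """Return the member ids of a SCIM Group PUT body, in request order."""
    return [m["value"] for m in json.loads(body).get("members") or []]

def classify_group_puts(log):
    """Compare every Group PUT with the previous PUT for the same group.
    Returns (group_id, kind, removed, added) tuples, one per repeated PUT."""
    last_seen = {}
    findings = []
    for method, path, body in log:
        if method != "PUT" or "/Groups/" not in path:
            continue
        group_id = path.rsplit("/Groups/", 1)[1]
        current = member_ids(body)
        previous = last_seen.get(group_id)
        last_seen[group_id] = current
        if previous is None:
            continue  # first PUT seen for this group, nothing to compare against
        removed = sorted(set(previous) - set(current))
        added = sorted(set(current) - set(previous))
        if removed:
            kind = "members-removed"   # the case that drops users on the target
        elif added:
            kind = "members-added"
        elif previous != current:
            kind = "reorder-only"      # same set, different order
        else:
            kind = "duplicate"
        findings.append((group_id, kind, removed, added))
    return findings
```

Only the "members-removed" findings correspond to the incorrect removals described in the post; "reorder-only" and "duplicate" findings leave membership unchanged if the target treats the member list as a set.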