Payload when unassigning a user from a group

We’re implementing SCIM APIs in our platform and I noticed one thing which I’d like to get more clarity on.

Context: I created a user group with only 1 member, let’s say user X, and neither one is assigned to our app. Now when I assign this group to my app, I do get information related to the user in the PUT /Groups call and I am able to add that user in my platform. But when I unassign that user from that group, I should receive one PUT /Groups call without that user in the member list; instead I am receiving two calls:

  1. PUT /Users - active = false
  2. PUT /Groups - that removed user still in the list of members.

Could anyone please clarify how exactly this works?

This is working as designed; some face it differently based on app assignments (link to old posts: https://devforum.okta.com/t/scim-group-push-includes-disabled-users/31389/2?u=krishnad). You may require a feature flag to be enabled on your tenant (chances are low that this can be changed) if you want to change this behaviour, and this is upstream in Okta, as it’s the default hard-coded behaviour based on what we know.

The fix is on your side, which is recommended.

Make sure to remove the user from the group first and then proceed with deactivation → Do this always.

Handle stale membership defensively: cross-check active on PUT /Users against any group membership state in PUT /Groups. (Don’t trust PUT + deactivations; gather more signals beforehand.)

Let us know how it goes?
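One way to implement the defensive cross-check suggested in the answer above, as an added example that is not part of the original posts and not Okta's code. The `ScimStore` class, its method names and the ids `u-x` and `g-1` are hypothetical; only the `active` and `members[].value` attributes come from the SCIM core schema.

```python
class ScimStore:
    """In-memory stand-in for the app's user and group tables (hypothetical)."""

    def __init__(self):
        self.active = {}    # user id -> bool, last value seen on PUT /Users
        self.asserted = {}  # group id -> member ids exactly as last sent by the IdP

    def put_user(self, user_id, body):
        # Fail closed: only a literal JSON true counts as active. Treating a
        # missing "active" attribute as true is an assumption of this sketch.
        self.active[user_id] = body.get("active", True) is True
        return self.active[user_id]

    def put_group(self, group_id, body):
        # PUT replaces the whole resource, so the stored member list is replaced.
        members = body.get("members") or []
        self.asserted[group_id] = {m["value"] for m in members if "value" in m}
        return self.stale_members(group_id)

    def effective_members(self, group_id):
        # Grant group access only to members that are known and active.
        return {u for u in self.asserted.get(group_id, set())
                if self.active.get(u, False)}

    def stale_members(self, group_id):
        # Listed by the IdP but deactivated or unknown locally: log these.
        return self.asserted.get(group_id, set()) - self.effective_members(group_id)


def replay_thread_sequence():
    """Replays the two calls from the question using constructed payloads."""
    store = ScimStore()
    group = {"displayName": "demo", "members": [{"value": "u-x"}]}
    store.put_user("u-x", {"userName": "x@example.com", "active": True})
    store.put_group("g-1", group)
    before = store.effective_members("g-1")
    # 1. PUT /Users - active = false
    store.put_user("u-x", {"userName": "x@example.com", "active": False})
    # 2. PUT /Groups - removed user still in the list of members
    stale = store.put_group("g-1", group)
    return before, store.effective_members("g-1"), stale


if __name__ == "__main__":
    print(replay_thread_sequence())
```

Keeping the IdP's asserted list separate from the effective membership means a stale PUT /Groups never re-grants access to a deactivated user, while a later corrected PUT /Groups simply overwrites the asserted list.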

Okay, so I went through the documentation and understood how group member/user provisioning works, and now I think all the pieces are in place, but there is still one strange thing happening which I can’t seem to figure out.

When I add a user in a pushed group:

I am receiving two PUT calls for that group and both of them have the updated member list.

But when I remove a user from a group:

I am receiving two PUT calls, and the first one does not have any updated list; only the second PUT call has the updated list. So ultimately, logic-wise, changes are being reflected correctly, but I am not able to understand why this behaviour is happening.

And no, I am not using this group for assignment; this is a separate, different group with a different name that I have pushed in the app.