Scim deprovision bug

satanshiro · December 18, 2025, 12:19pm

Hi everyone,

We’ve been developing a SCIM integration for our organization. Since most of our customers use Okta, we’re starting by ensuring our provisioning support works well with Okta first.

At this stage, we only want to support user deprovisioning (not user creation). We’ve implemented:

GET /Users with filtering (for matching)
PUT, PATCH and DELETE (for updates/deactivation)

We can successfully deprovision users when they were originally created on our side, but we’re seeing a specific flow where deprovisioning fails:

Repro steps

Ensure the user does not exist in our app.
Create the Okta SSO + SCIM integration, but do not import users.
Assign a user to the app in Okta.
The user shows a red warning icon in Okta with the message:

“Automatic provisioning of user ‘username’ to app ‘app name’ failed: Matching user not found”

(expected, since we did not implement POST /Users).
Log in to our app using Okta SSO — this creates the user in our app (JIT on login).
Back in Okta, the assignment screen still shows the user with the red warning icon.
If we enable Import, we can see the user with the red icon gets a valid externalId.
- However, the red warning icon does not disappear, even after the externalId is present.
When we remove the user assignment in Okta, the user is not deprovisioned on our side.

Workaround

The only way we’ve found to make deprovisioning work is:

Unassign the user, then reassign them after they’ve been created in our app.

Question

Is this expected behavior in Okta when POST /Users is not implemented, even if the user later appears in the target app (via SSO login) and an externalId is assigned through import?

If there’s a recommended approach for supporting deprovisioning-only SCIM integrations (especially with SSO/JIT user creation), we’d love guidance on the correct flow.

To us this seems like a bug so I posted here

Thanks and have a nice day!

erik · December 22, 2025, 8:14pm

Hi Satanshiro,

After the user signs in and the app creates the user, instead of doing an import can you navigate to Dashboard > Tasks > (‘Profile push updates encountered errors’ or ‘Application assignments encountered errors’). There should be a failed task for that user.

Can you select that user and do a re-try task. I believe this will kickoff of the provisioning for the user except now SCIM will return the user during GET /Users

satanshiro · December 23, 2025, 9:52am

Hi you are probably correct, but this requires manual tinkering and does not provide an automatic provisioning scenario. We have implemented POST as a solution. but I think JIT on login user creation flow should be supported, or atleast made more clear what and when okta uses which endpoint, it seems there is no sync cycle like azure has and is more event based. so once a user is added to an app on okta side and it isn’t able to POST user or GET user it will not poll again

system · January 22, 2026, 9:53am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Post		Replies	Views
SCIM Deprovisioning Issue SCIM	4	65	August 31, 2025
User deletion SCIM integration issue SCIM	2	2237	February 15, 2024
Challenges with SCIM delete implementation with Just in Time SCIM	5	73	August 27, 2025
SCIM deprovisioning not sent to integration SCIM	9	3676	December 6, 2022
Enable SCIM provisioning after assigning users to the application SCIM	3	3291	February 8, 2024

Scim deprovision bug

Repro steps

Workaround

Question

Related topics