SCIM deprovisioning not sent to integration

How does a SAML/SCIM integration need to be set up so deprovisioning (when deactivating a user in Okta) occurs?

Currently provisioning is working as expected.

This is the integration config in the Provisioning tab:

[image]

Integration was created as SAML, and SCIM enabled.

Hello,

Okta does not make use of the DELETE method on a SCIM server, see here.

Okta doesn’t perform DELETE operations on User objects in your SCIM application.
If a user is deactivated or removed from your integration inside Okta, then Okta sends a request to your SCIM application to set the active attribute to false. There is no deprovisioning event sent for users that are suspended inside Okta.

Thank You,

I know, I’m talking about the update request, to set a user as inactive. That request is not happening.

It is sent in my test integration I have set up.

Can you provide your Org name, test account name, and the timestamp of when you deleted the test account but the SCIM server did not receive the activate equals false?

If you don’t want to provide those details over the forum you will either need to open a case with support or message the information to me to check.

dev-04531479 / Test 3 14dPmkNb

Timestamp: 2022-12-05T19:04:41.087Z

Thanks!

It looks like the following happened:

  • Dec 05 18:12:57 - user was activated
  • Dec 05 18:13:06 - pushed user to Forkable
  • Dec 05 18:13:07 - Verify user in external app (Forkable) by doing a GET to SCIM
  • Dec 05 18:13:07 - Push marked as failed because the SCIM server was still returning active=false
  • Dec 05 19:04:41 - Deactivate user. Okta does not send active=false since when the user was activated at 18:12:57, the SCIM server was returning false for active instead of true. So internally Okta already has this user marked as inactive in the SCIM server.

When Okta changes a user state it does an immediate GET to verify that change took place. SCIM requests should be synchronous in nature because of this. The SCIM server shouldn’t reply until the message sent from Okta is fully processed.

You can verify the transactions by going to the Okta System log and for 12/5 search only for “00u3rp3snewdH4HnB5d7”

Thank You,
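
The deactivate-then-verify sequence described in the reply above, as an added example that is not part of the original thread or Okta's code: a minimal in-memory SCIM user store that commits an `active` change before it responds, so the immediate follow-up GET sees the new state. The class and function names and the PatchOp request body (RFC 7644 form) are constructed for illustration.

```python
# Added example: minimal in-memory SCIM 2.0 user store (hypothetical names).
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimUserStore:
    """Applies writes synchronously: state is committed before the response is built."""

    def __init__(self):
        self._users = {}

    def create(self, user_id, user_name):
        self._users[user_id] = {"id": user_id, "userName": user_name, "active": True}
        return 201, copy.deepcopy(self._users[user_id])

    def get(self, user_id):
        user = self._users.get(user_id)
        return (200, copy.deepcopy(user)) if user else (404, None)

    def patch(self, user_id, body):
        user = self._users.get(user_id)
        if user is None:
            return 404, None
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, None
        updated = copy.deepcopy(user)
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return 400, None  # this sketch only supports "replace"
            value = op.get("value")
            if op.get("path") == "active":
                value = {"active": value}  # path form: {"path": "active", "value": false}
            if not isinstance(value, dict):
                return 400, None
            updated.update(value)
        # Commit first, then answer: do not queue the change and reply early.
        self._users[user_id] = updated
        return 200, copy.deepcopy(updated)


def deactivate_and_verify(store, user_id):
    """Replays the sequence from the thread: set active=false, then GET to verify."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": False}}]}
    status, _ = store.patch(user_id, body)
    _, user = store.get(user_id)
    return status, (user or {}).get("active")
```

If the store applied the change in a background job and replied before it finished, the verifying GET would still return the old `active` value, which is the failed-push condition described in the timeline above.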

Thanks, tried again. It’s not working, check event Y49TcWpUqWuSQbGBlZ0EVwAAA20.

This time I made sure the integration is returning the SCIM user as active when assigning. Then I removed assignment and nothing happened as far as the SCIM integration receiving any requests.

I then tried again by assigning the user to the integration, that worked, and integration returned user as active. Then I deactivated the user in Okta, but integration did not receive any requests at all.

Just to verify, you do have deactivate users enabled for this SCIM integration in your SAML app?

That was it :man_facepalming:

Those options didn’t appear initially though. Not sure what change made them appear, but I think you have to enable Profile Updates and/or Push Profile Updates.

Thanks!
