I’m trying to set up an Okta SCIM integration with SAML, which, as I understand, requires Okta to update my SCIM server via PUT requests. This was pretty straightforward for users, but I’m seeing request logs from Okta to my SCIM server that I don’t understand.
When Okta updates a group assignment via PUT, the members collection parameter looks something like this:
{
  "members": [
    {
      "value": 1234,
      "display": "myuser@email.com"
    },
    {
      "value": 3294,
      "display": null
    },
    {
      "value": 5483,
      "display": null
    }
  ]
}
where the first one or two items in the collection correspond to actual group members, followed by items that have a value but not a display. What makes this even more confusing is that adding a user to one group usually causes Okta to fire multiple PUT requests to the individual group endpoint (i.e. /api/v2/scim/Groups/:id) on the SCIM server, and each of those requests has a different set of items for the members collection. To make matters worse, the members collection often doesn’t accurately reflect the state of a given group’s memberships, which makes it hard to use in a PUT request where I expect an accurate list of group members. If I have four members in a linked Okta SCIM group, I expect to see four members in the members collection in the PUT request params.
Why does Okta send these “empty” members in the membership collection? Is there something wrong with my app configuration? How do I ensure that Okta is sending correct collections of members to my SCIM server? Thanks in advance.
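An added example, not part of the original post and not Okta's or any project's own code: a dry-run that compares each incoming PUT body with the stored membership, keyed on value only, so the effect of every request in a burst can be logged and reviewed before group membership (and whatever access it grants) is changed. The function name and the storage inputs current_ids and known_user_ids are hypothetical; the sample body is constructed from the values shown in the post.

```python
import json

# Constructed sample: a body shaped like the one in the post.
PUT_BODY = json.loads("""
{"members": [
  {"value": 1234, "display": "myuser@email.com"},
  {"value": 3294, "display": null},
  {"value": 5483, "display": null}
]}
""")


def plan_group_replace(current_ids, known_user_ids, body):
    """Dry-run a SCIM PUT (full replace) of a group's members.

    current_ids: member ids stored for the group now (hypothetical storage).
    known_user_ids: every user id this SCIM server has provisioned.
    Nothing is written; the caller logs the plan and decides what to apply.
    """
    current = {str(i) for i in current_ids}
    known = {str(i) for i in known_user_ids}
    requested, no_display, malformed = [], [], []
    for member in body.get("members") or []:
        value = member.get("value") if isinstance(member, dict) else None
        if value is None or isinstance(value, (dict, list, bool)):
            malformed.append(member)  # no usable identifier at all
            continue
        key = str(value)  # ids arrive as numbers in the post; compare as strings
        if key not in requested:
            requested.append(key)
        if not member.get("display"):
            no_display.append(key)  # display is informational, never the key
    req = set(requested)
    return {
        "add": sorted((req & known) - current),
        "remove": sorted(current - req),
        "unknown": sorted(req - known),  # ids this server never provisioned
        "no_display": no_display,
        "malformed": malformed,
    }


if __name__ == "__main__":
    # Constructed state: group holds 1234 and 7777; 5483 was never provisioned.
    print(plan_group_replace([1234, 7777], [1234, 3294, 7777], PUT_BODY))
```

Logging this plan for each PUT in a burst, next to the request timestamp, shows whether the requests converge on one membership set and whether the entries without a display map to users the server actually knows.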