SCIM Integration Unique ID "chicken and the egg"


I think I am missing a piece of the fundamental understanding for how unique IDs work with existing Okta applications that want to add SCIM provisioning.

When you go to assign an Okta user to a SAML enabled application, the ‘User Name’ text field is pre-populated with an attribute of that user. For example, the user’s email may be pre-populated there. I believe the pre-populated value is based on either the value you chose for the ‘Name ID format’ field or the value you chose for the ‘Application username’ field when you first configure the SAML settings for that application in Okta.

Then, when you go to enable SCIM provisioning for that application, the ‘Provisioning’ tab is unlocked. In the ‘Provisioning’ tab, part of the configuration is to specify a value for a field called ‘Unique identifier field for users’.

I am confused on which one of these fields controls what value is used as the unique ID for a given user entity and a large part of my confusion stems from the fact that this Okta documentation states that unique identifiers are “assigned a value by the service provider (your application) for each SCIM resource” and are “always issued by the service provider (your application) and not specified by the client (Okta)”.

If both of those statements are true, how would Okta know what to supply with a brand new user that only exists in Okta and therefore would not have the unique ID given to them by the service provider yet. The fields I mentioned above seem to imply that the unique ID should be known in advance, but if Okta isn’t creating the unique IDs, then that seems impossible. So, I need some clarification on how to handle and configure unique IDs for SCIM provisioning. The documentation says the service provider should be creating them, but the configuration in Okta seems to demand it be part of the initial payload.

Thank you for your time and for any and all help!

Put userName in this field and Okta will send application login field for SCIM calls. I think your confusion is coming from unique ID vs external ID paradigm. Unique ID (Okta attribute unique to each of your application users) is required, so that Okta does not confuse SCIM by sending the same ID for 2 different app users.

External ID is returned back by SCIM as you stated

1 Like