SCIM Password Sync Bug

Hi, I have been investigating an issue with user provisioning with our app, and I have noticed some weird behavior with the password sync for SCIM. I have read through the documentation for this, and it says that the auto-generated password should be 16 characters long. In practice, the passwords being sent from Okta on user provisioning are less than 16 characters. This has caused issues with our SCIM endpoints, as in some cases we have requirements that include a 16-character minimum. I have reproduced this across two different developer accounts, and we have reports of our customers running into this issue. I have also run across another bug where, when disabling the "Sync Password" setting, Okta will still send a password on the user POST request. Are these known issues?

Thank you in advance

What is the minimum length requirement within your password policies? If my memory serves, the auto-generated password Okta includes in the user push to a SCIM server is based on these complexity requirements, so if your SCIM server requires passwords of a certain length, so too would your Okta org.

Hi, that is helpful information. I guess there is still the issue that when password sync is turned off there are still passwords being sent over.

That's expected behavior: the passwords that are sent will conform to the password requirements as per policy, but are not actual user passwords. This was done in part to support SCIM servers that required this to be sent during User creation.

There is an Okta Idea you can vote on regarding this behavior to request that there be an option to disable sending this dummy password: Idea #193882
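As an added illustration (not code from this thread or from Okta), here is a minimal SCIM /Users POST handler in Python that enforces the server's own minimum length only when password sync is on, and otherwise discards the placeholder value the IdP pushes instead of failing provisioning. The sample request body, the 16-character minimum and the PBKDF2 credential storage are assumptions made for this example.

```python
import hashlib
import json
import os
import uuid

MIN_PASSWORD_LENGTH = 16  # the SCIM server's own policy minimum, as in the question

def make_user_post(password):
    """Build a SCIM 2.0 /Users POST body like the one an IdP pushes (constructed sample)."""
    return json.dumps({
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "jdoe@example.com",
        "name": {"givenName": "Jane", "familyName": "Doe"},
        "password": password,
        "active": True,
    })

def scim_error(status, detail, scim_type):
    """SCIM 2.0 error response (RFC 7644 section 3.12); nothing is persisted."""
    body = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
            "status": str(status), "scimType": scim_type, "detail": detail}
    return status, body, None

def hash_password(password):
    """Salted PBKDF2 (assumed here; a real server would use its existing credential store)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + digest.hex()

def handle_user_post(raw_body, password_sync_enabled, min_length=MIN_PASSWORD_LENGTH):
    """Handle a SCIM /Users POST; returns (http_status, response_body, stored_record).

    The password attribute is honoured only when the integration is configured
    for password sync. Otherwise it is the IdP's placeholder value and is
    dropped without failing provisioning.
    """
    user = json.loads(raw_body)
    if "userName" not in user:
        return scim_error(400, "userName is required", "invalidValue")
    password = user.pop("password", None)  # never echoed back or stored as-is
    credential = None
    if password_sync_enabled and password is not None:
        if len(password) < min_length:
            return scim_error(400, f"password must be at least {min_length} characters", "invalidValue")
        credential = hash_password(password)
    record = {"id": str(uuid.uuid4()), "userName": user["userName"],
              "active": user.get("active", True), "credential": credential}
    # Per RFC 7643 the password attribute is write-only, so the response never carries it.
    response = {k: v for k, v in record.items() if k != "credential"}
    response["schemas"] = ["urn:ietf:params:scim:schemas:core:2.0:User"]
    return 201, response, record
```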
