SCIM provisioning fails due to incorrect search filter

Hi everyone,

I’m currently trying to debug an issue that occurs for one of our customers who’s using our SCIM Integration with Okta.

Basically, they created a custom SCIM Integration via the AIW, and they set the right settings so that it correctly points to our SCIM endpoints running in our cloud. This part works fine.

However, under obscure circumstances, Okta sends this sequence of requests to our SCIM endpoints:

(the following requests occur approximately within the same 3 seconds…)

  1. GET /scim/Users?filter=userName eq “”&startIndex=1&count=100 <<< returns 1 result

  2. GET /scim/Users/{id}

  3. PUT /scim/Users/{id} with payload {‘active’: True, …}

  4. GET /scim/Users/{id}

  5. PUT /scim/Users/{id} with payload {‘active’: True, …}.

(and 2 minutes later, the following requests are sent within the same second…)

  1. GET /scim/Users/{id}

  2. PUT /scim/Users/{id} with payload {‘active’: False, …}.

  3. GET /scim/Users?filter=userName eq “”&startIndex=1&count=100 <<< returns 0 result

  4. POST /scim/Users <<< returns an HTTP 409 Conflict because the user already exists

My understanding is that:

  • For requests *1-5, the user was assigned (or re-assigned) to the app.
  • In requests *6-7, the user was probably unassigned from the app (because of {‘active’: False, …}).
  • But for some reason, in requests *8-9, the user appears to be immediately re-assigned to the app, but the wrong search filter is used in request *8 (it should be using “”, and not “”).

Do you know what may be the cause of this last sequence of requests? And why would an incorrect search filter be used?


Hi @bbernard,

It looks like your customer is experiencing issues with assignments. This document is something you can refer to Manage app integration assignments | Okta

You can also open a support case with us by emailing us here at, and we may be able to assist you and your customer better via the case.

Thank you!