We have a SCIM integration set up for provisioning users and groups from Okta.
- User ‘user1’ is a member of group ‘group1’
- ‘user1’ isn’t a member of any other groups
- I have provisioned the group ‘group1’ through SCIM.
- If I remove the user ‘user1’ from group ‘group1’, Okta sends a PATCH call to the /Users endpoint to make the user ‘user1’ inactive
- But Okta does not send a PATCH call to the /Groups endpoint to update the membership details.
Is there any reasoning behind this mechanism? It may create discrepancies in the data in the SCIM server in future.

Hi, I am still waiting for an update on this question.
To give more context about why this might be an issue.
If I go one more step:
- ‘group2’ is added to the SCIM app.
- Add ‘user1’ to another group ‘group2’
- Okta sends a call to make user ‘user1’ active [/Users endpoint]
- Okta sends a call to add ‘user1’ to ‘group2’ [/Groups endpoint]
- Okta sees that the SCIM server has both ‘group1’ and ‘group2’ listed as groups for ‘user1’
- Okta sends a call to update ‘user1’ groups using a PUT call to the /Users endpoint
- The 6th step is a violation of the SCIM RFC: a change to the groups attribute should be done only via the /Groups endpoint. So the SCIM server discards the groups change sent from the /Users endpoint.
[RFC 7643 - System for Cross-domain Identity Management: Core Schema - check the groups attribute description]
- This leads to bad data as ‘user1’ has both ‘group1’ and ‘group2’ in its groups attribute
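As an added illustration of the server side of this thread (example code written here, not Okta's code or any real SCIM server), the hypothetical in-memory store below treats the User `groups` attribute as readOnly per RFC 7643, derives it from `/Groups` membership instead of storing it, drops any `/Users` operation that targets `groups` (the PUT in step 6 is modelled as a `replace` operation), and offers a reconciliation check that surfaces the exact state the post describes: a user deactivated via `/Users` whom a group still lists because no `/Groups` PATCH followed. The ids `u1`, `g1`, `g2` and the `members[value eq "..."]` filter form are assumptions for the example.

```python
import re
# Hypothetical in-memory SCIM service provider (added example, not Okta's code)
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')  # e.g. members[value eq "u1"]
class ScimStore:
    def __init__(self):
        self.users = {}   # user id -> {"userName": str, "active": bool}
        self.groups = {}  # group id -> {"displayName": str, "members": set}
    def create_user(self, uid, user_name):
        self.users[uid] = {"userName": user_name, "active": True}
    def create_group(self, gid, name, members=()):
        self.groups[gid] = {"displayName": name, "members": set(members)}
    def patch_user(self, uid, operations):
        """PATCH /Users/{id}. 'groups' is readOnly (RFC 7643): such ops are
        dropped and their paths returned so the server can log the violation."""
        dropped = []
        for op in operations:
            path = op.get("path", "")
            if path == "groups" or path.startswith("groups["):
                dropped.append(path)
            elif op["op"].lower() == "replace" and path == "active":
                self.users[uid]["active"] = bool(op["value"])
        return dropped

    def patch_group(self, gid, operations):
        """PATCH /Groups/{id}: the only endpoint that may change membership."""
        members = self.groups[gid]["members"]
        for op in operations:
            kind, path = op["op"].lower(), op.get("path", "")
            if kind == "add" and path == "members":
                members.update(m["value"] for m in op["value"])
            elif kind == "remove" and (m := MEMBER_FILTER.match(path)):
                members.discard(m.group(1))

    def get_user(self, uid):
        """GET /Users/{id}: 'groups' is derived from /Groups, never stored."""
        return dict(self.users[uid], groups=sorted(
            g for g, grp in self.groups.items() if uid in grp["members"]))

    def inactive_members(self):
        """Reconciliation: deactivated users that some group still lists."""
        return {u: self.get_user(u)["groups"] for u in self.users
                if not self.users[u]["active"] and self.get_user(u)["groups"]}

def replay_post_scenario():
    # Post's steps: user1 in group1, then deactivated via /Users with no /Groups PATCH
    store = ScimStore()
    store.create_user("u1", "user1")
    store.create_group("g1", "group1", members=["u1"])
    store.patch_user("u1", [{"op": "replace", "path": "active", "value": False}])
    return store
```

Running `replay_post_scenario().inactive_members()` reports `{"u1": ["g1"]}`, which is the discrepancy a periodic reconciliation job against the SCIM store would flag until a `/Groups` PATCH removes the member.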