SCIM provisioning issue

We have a SCIM integration set up for provisioning users and groups from Okta.


  1. User ‘user1’ is a member of group ‘group1’
  2. ‘user1’ isn’t a member of any other groups
  3. I have provisioned the group ‘group1’ through SCIM.
  4. If I remove the user ‘user1’ from group ‘group1’, Okta sends a PATCH call to the /Users endpoint to make the user ‘user1’ inactive
  5. But Okta does not send a PATCH call to /Groups endpoint to update the membership details.

Is there any reasoning behind this mechanism? It may create discrepancies in the data on the SCIM server in the future.

Hi, I am still waiting for an update on this question.

To give more context about why this might be an issue, if I go one more step:

  1. ‘group2’ is added to the SCIM app.
  2. Add ‘user1’ to another group ‘group2’
  3. Okta sends a call to make user ‘user1’ active [/Users endpoint]
  4. Okta sends a call to add ‘user1’ to ‘group2’ [/Groups endpoint]
  5. Okta sees that the SCIM server has both ‘group1’ and ‘group2’ listed as groups for ‘user1’
  6. Okta sends a call to update ‘user1’ groups using a PUT call to the /Users endpoint
  7. The 6th step is a violation of the SCIM RFC: changes to the groups attribute should be made only via the /Groups endpoint. So the SCIM server discards the groups change sent from the /Users endpoint.
    [RFC 7643 - System for Cross-domain Identity Management: Core Schema - check groups attribute description]
  8. This leads to bad data, as ‘user1’ has both ‘group1’ and ‘group2’ in its groups attribute
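
Added example, not part of the original thread and not Okta's or any SCIM product's code: a minimal in-memory model of a SCIM server replaying the sequence from both posts, where a user's groups are derived from Group membership, a groups value sent to /Users is ignored, and a reconciliation check flags the inactive user still listed in ‘group1’. The class and function names are hypothetical, and the request bodies are constructed sample data.

```python
# Added example: minimal in-memory SCIM store (hypothetical names throughout).
from dataclasses import dataclass, field

@dataclass
class ScimStore:
    users: dict = field(default_factory=dict)    # user id -> {"active": bool, ...}
    groups: dict = field(default_factory=dict)   # group id -> set of member user ids

    def user_groups(self, uid):
        # RFC 7643 marks User.groups readOnly: derive it from Group.members
        return sorted(g for g, members in self.groups.items() if uid in members)

    def put_user(self, uid, body):
        # Full replace of a User; any client-supplied "groups" is dropped
        ignored = "groups" in body
        self.users[uid] = {k: v for k, v in body.items() if k != "groups"}
        return {**self.users[uid], "groups": self.user_groups(uid)}, ignored

    def patch_user_active(self, uid, active):
        # PATCH /Users/{id} replacing "active"; membership is left untouched
        self.users[uid]["active"] = active

    def patch_group_members(self, gid, add=(), remove=()):
        # PATCH /Groups/{id}: the only path that changes membership
        members = self.groups.setdefault(gid, set())
        members |= set(add)
        members -= set(remove)

    def inactive_members(self):
        # Reconciliation check: inactive users still listed in a group
        return sorted((g, u) for g, members in self.groups.items()
                      for u in members if not self.users.get(u, {}).get("active", False))

def replay_thread_sequence():
    s = ScimStore()
    s.put_user("user1", {"userName": "user1", "active": True})
    s.patch_group_members("group1", add=["user1"])
    s.patch_user_active("user1", False)              # first post, step 4; no /Groups call
    stale = s.inactive_members()
    s.patch_user_active("user1", True)               # second post, step 3
    s.patch_group_members("group2", add=["user1"])   # second post, step 4
    view, ignored = s.put_user("user1", {"userName": "user1", "active": True,
                                          "groups": [{"value": "group2"}]})  # step 6
    return stale, view["groups"], ignored

if __name__ == "__main__":
    print(replay_thread_sequence())
```

Running `inactive_members()` on a schedule, or on every deactivation, surfaces the leftover membership before the user is reactivated and regains access through it.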