SCIM provisioning never executes in trial org (no application.provision.* events despite valid SCIM config)

Hi all,

I’m troubleshooting SCIM provisioning for a Zscaler OIDC app in an Okta trial org, using the pre-made Zscaler app found in the Okta App Catalog (for ZIdentity integration), and I am trying to determine whether this is an Okta entitlement limitation or an integration issue with ZIdentity. Previously, SCIM integration worked when using SAML, but the following behaviors now apply when trying to do with SAML as well. So these behaviors are affecting both SAML and OIDC integration attempts.

Current behavior for OIDC attempts:

• SCIM Base URL and bearer token configured correctly

• “Test API Credentials” succeeds

• Provisioning → To App (Create / Update / Deactivate Users) enabled

• Group Push mappings exist and run

• Direct user assignment to the app succeeds

Observed issue:

• In Okta logs, no application.provision.* events are ever generated

• No outbound /scim/v2/Users or /scim/v2/Groups calls appear in Okta System Log

• All Group Push events terminate at Okta internal /api/v1/groups/... endpoints

• No AppUser provisioning state or “Provision user / Push profile” actions appear anywhere

• This behavior is identical for both OIDC and SAML app integrations, suggesting the issue is org-level for my Okta trial tenant rather than app-specific. To clarify… OIDC attempts are using the pre-built Zscaler app in the app catalog; but SAML is using a custom app (since SAML is no longer the preferred integration approach). Neither approach works at this point in time for pushing users/groups to ZIdentity/Zscaler.

This suggests the Lifecycle Management execution engine is never invoked, even though provisioning UI is present and SCIM API tests succeed. No evidence in the Okta logs indicates SCIM calls are ever attempted. So while there are never call failures, SCIM integration does not work. Settings have been reviewed with Zscaler support to ensure correct configuration of the Okta app, and Support agrees the application is configured correctly, which is why I am investigating the Okta side.

Question:
In Okta trial or developer orgs, is SCIM/Lifecycle Management execution intentionally disabled, even though provisioning configuration is visible? It once worked for me, for my trial tenant, so I curious about any recent changes.
If not, is there a specific entitlement or org flag required to allow provisioning jobs to run?

Any guidance or confirmation would be appreciated.

Hey @ptracy

I checked our logs and it looks like there is an issue with your org. I’ve reached out to our engineering team to get assistance with this and will let you know when you can re-test this (should be a quick fix!)

Hey @andrea Is this issue resolved? I am also facing the same issue for my integrator/trial account.

@ptracy We’ve made a fix in your org. Can you test this again?

@manishr I’m requesting the same fix for your org, I’ll let you know once its completed and you can re-test.

@manishr fix has been applied to your org as well. Please test again.

Thank you @andrea! Yes, I will run a test today and post the results this afternoon/evening.

Thank you for your support with this.

Phil

@andrea, confirmed that everything works as expected now with SCIM. Thank you for your support.

@andrea I believe I’m running into the same issue with my integrator/trial account, any chance you can check/apply the same fix if so?

@isabel done! Let me know if its working for you as well

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.