It only happens when the app has the SCIM provisioning option “Push Profile Updates” enabled.
When a user is re-activated and quickly re-assigned to an Okta app, Okta pushes a reactivation event and a profile update event to the SCIM server. The first event contains “active: true” but the second event contains “active: false” even though the user was reassigned to the app.
I believe there is a database replication issue because if I wait a while before reassigning the user to the app after reactivating them, the profile update event will have “active: true”.
This is problematic because the profile update event is fired after the reactivation event, so the end state of the user in the SCIM app is deactivated even though they are reactivated in Okta.
Hi @kevin.yang! To submit to our OIN you would need to use our SCIM Template App - please confirm this is how you have your SCIM integration configured.
I have “Push New Users” and “Push Profile Updates” checked in my custom app integration. I have SCIM 2.0 Header Authentication enabled for this custom app too.
The purpose of this bug report is that I believe the profile update event that is triggered after reassignment sends stale data to the SCIM server.
@kevin.yang Sorry for the confusion. I want to make sure you create the correct app for submission. I believe you are using the SCIM custom app integration through our App Integration Wizard but instead you should create a SCIM app using the template app provided in our Browse App Catalog - Connect your SCIM service with a new Okta integration | Okta Developer. Steps are as follows:
In the Admin Console, go to Applications > Applications.
Click Browse App Catalog.
Search for “SCIM 2.0” or “SCIM 1.1” (your choice depends on which version your SCIM server supports). You’ll see three different SCIM template applications, one for each of the three authentication methods that you can use to connect to your SCIM implementation (Basic Auth, Header Auth, or OAuth Bearer Token).
If I am understanding you correctly, I only need to provide a passing Runscope test for the template SCIM app and not my custom app integration when submitting my custom app integration to the OIN for review?