SCIM re-activate and re-assign sends wrong active field

Hi Okta,

I’m building a custom app integration that I plan on submitting to the OIN. I was running the SCIM CRUD tests (https://developer.okta.com/standards/SCIM/SCIMFiles/Okta-SCIM-20-CRUD-Test.json) on Runscope and I discovered a bug when a user is deactivated, then reactivated and reassigned to an app integration.

It only happens when the app has the SCIM provisioning option “Push Profile Updates” enabled.

When a user is re-activated and quickly re-assigned to an Okta app, Okta pushes a reactivation event and a profile update event to the SCIM server. The first event contains “active: true” but the second event contains “active: false” even though the user was reassigned to the app.

I believe there is a database replication issue because if I wait a while before reassigning the user to the app after reactivating them, the profile update event will have “active: true”.

This is problematic because the profile update event is fired after the reactivation event, so the end state of the user in the SCIM app is deactivated even though they are reactivated in Okta.
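As an added illustration of the event ordering described in the post above (not code from the thread or from Okta): a small replay of the two provisioning requests against an in-memory store, showing the end state and flagging a profile update that carries `active: false` shortly after an activation. The request shapes follow SCIM 2.0 (RFC 7644) and are assumed, since the thread does not show the actual requests; the user id, timestamps, and the 30-second window are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample: the two requests from the post, in arrival order.
# Payload shapes are assumed SCIM 2.0 PATCH/PUT bodies, not captured traffic.
EVENTS = [
    {"ts": "2024-01-01T12:00:00", "method": "PATCH", "user": "u1",
     "body": {"Operations": [{"op": "replace", "value": {"active": True}}]}},
    {"ts": "2024-01-01T12:00:02", "method": "PUT", "user": "u1",
     "body": {"userName": "kim@example.com", "active": False}},
]

WINDOW = timedelta(seconds=30)  # hypothetical reconciliation threshold


def active_in(event):
    """Return the 'active' value a request carries, or None if it has none."""
    body = event["body"]
    if event["method"] == "PUT":
        return body.get("active")
    for op in body.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            continue
        value = op.get("value")
        if isinstance(value, dict) and "active" in value:
            return value["active"]
        if op.get("path") == "active":
            return value
    return None


def replay(events):
    """Apply events in time order; return (final state, flagged updates)."""
    store, last_activation, flagged = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        active = active_in(ev)
        if active is None:
            continue
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if active:
            last_activation[user] = ts
        elif (ev["method"] == "PUT" and user in last_activation
              and ts - last_activation[user] <= WINDOW):
            # Profile update contradicts a very recent activation:
            # record it so the account can be reconciled against the IdP.
            flagged.append((user, ev["ts"]))
        store[user] = active  # last write wins, as on a plain SCIM server
    return store, flagged
```

With the constructed events, the store ends with the user inactive and the second request is flagged.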

Hi @kevin.yang! To submit to our OIN you would need to use our SCIM Template App - please confirm this is how you have your SCIM integration configured.

Hi @sigama

I am using the SCIM 2.0 Header Authentication template with “Create new users”, “Update user attributes”, and “Deactivate users” checked.

Thanks for confirming, @kevin.yang. Where do you have “Push Profile Updates” set?

Hi @sigama

I have “Push New Users” and “Push Profile Updates” checked in my custom app integration. I have SCIM 2.0 Header Authentication enabled for this custom app too.

The purpose of this bug report is that I believe the profile update event that is triggered after reassignment sends stale data to the SCIM server.

@kevin.yang Sorry for the confusion. I want to make sure you create the correct app for submission. I believe you are using the SCIM custom app integration through our App Integration Wizard but instead you should create a SCIM app using the template app provided in our Browse App Catalog - Connect your SCIM service with a new Okta integration | Okta Developer. Steps are as follows:

  1. In the Admin Console, go to Applications > Applications.
  2. Click Browse App Catalog.
  3. Search for “SCIM 2.0” or “SCIM 1.1” (your choice depends on which version your SCIM server supports). You’ll see three different SCIM template applications, one for each of the three authentication methods that you can use to connect to your SCIM implementation (Basic Auth, Header Auth, or OAuth Bearer Token).

Please make sure you are using the correct app, retest, and let me know if you still get the same result.

Hi @sigama

If I am understanding you correctly, I only need to provide a passing Runscope test for the template SCIM app and not my custom app integration when submitting my custom app integration to the OIN for review?

Yes, correct, there is a separate SCIM template for submission and that must pass the Runscope test. If you have a SAML app integration as well you can request to merge this during the submission process - Is publishing to the OIN required for SCIM provisioning? - #2 by dragos.

Hi @sigama

Wonderful. My Runscope tests passed using the SCIM Template App.
