SCIM User Deprovisioning

We are providing customers the ability to provision/deprovision users via SCIM. While testing I noticed my SCIM API is called, the user is set to active: false, but when an import kicks off in the service provider tenant, the user is removed from the import app but is never deactivated. It is our understanding that this is possible, it is a big reason why we wanted SCIM, but I cannot figure out how to do it. To summarize, we want active: false users to get deactivated in our Okta tenant.
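As an added illustration of the SCIM side of this exchange (not code from the thread or from Okta): a minimal service-provider handler for the SCIM 2.0 PatchOp that a deprovisioning call carries (RFC 7644 §3.5.2), using a constructed in-memory user store. It accepts both the `path` form and the value-object form of `replace`, and keeps the deactivated user in the `/Users` listing with `active: false` so an importer can tell "deactivated" apart from "deleted".

```python
"""Minimal SCIM 2.0 PatchOp handling for user deactivation (RFC 7644 3.5.2).

Constructed example; the dict below stands in for the service provider's
user database.
"""
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample store: SCIM user id -> user resource
USERS = {
    "u-1001": {"id": "u-1001", "userName": "alice@example.com", "active": True},
}


def apply_patch(store, user_id, body):
    """Apply a SCIM PatchOp body to one user and return the updated resource.

    Handles both shapes an IdP may send for a deactivation:
      {"op": "replace", "path": "active", "value": false}
      {"op": "replace", "value": {"active": false}}
    """
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp request")
    if user_id not in store:
        raise KeyError(user_id)
    user = copy.deepcopy(store[user_id])
    for op in body.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            raise ValueError(f"unsupported op: {op.get('op')}")
        path, value = op.get("path"), op.get("value")
        if path:
            user[path] = value          # simple top-level attribute only
        elif isinstance(value, dict):
            user.update(value)          # value-object form
        else:
            raise ValueError("replace needs a path or a value object")
    store[user_id] = user  # user is kept; only its attributes change
    return user


def list_users(store):
    """What GET /Users returns to an import: deactivated users are still
    listed with active=false rather than dropped from the response."""
    return [dict(u) for u in store.values()]


def deactivation_request():
    """Constructed PatchOp body in the value-object form for a deactivation."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": False}}]}
```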

Hi @quantumew

Do you have the following option enabled under Provisioning >> To Okta?


@dragos Thanks for the quick response. That looks like what I need. I do not see that option but that is perhaps because I am using a SAML app with SCIM provisioning turned on. The reason for using that over the test app is it uses refresh tokens. I don’t have to hard code a JWT and switch it out whenever it expires. Is there any way to do the same thing with a SCIM/SAML app?

Hi @quantumew

Can you add scope=offline_access as a query parameter in the Authorization endpoint URI, like the following:

[screenshot omitted]

In this way, the access token should be refreshed using the refresh token retrieved from the authorization server.

@dragos That is what I have configured in my custom SCIM/SAML app. It works like a charm, but I have no deprovisioning option under the provisioning tab. The Test SCIM 2.0 app does have the deprovisioning option but does not support the OAuth flow; it requires me to hardcode a token. Is there a way to support both?

Hi @quantumew

You can submit a request on oinmanager.okta.com from an Okta preview tenant and request a SCIM 2.0 template application to be integrated using your authorization server and, in the end, assigned only to your tenant.


Got it. Thanks for clarifying @dragos. Super helpful.