Support SCIM group membership updates for groups of users assigned to apps

blunceford · August 30, 2021, 10:14pm

Currently, when you set up an application to support SCIM provisioning (described in this documentation: Connect your SCIM API service to Okta | Okta Developer) , you will only get group membership updates for users that are 1. assigned to the SCIM app directly and 2. are members of groups that are pushed in the SCIM app.

Can these operations (described in this documentation: SCIM 2.0 Protocol Reference | Okta Developer) also be supported when users are assigned to apps via groups?

Is this a bug that these operations aren’t being sent currently?

Steps to replicate the issue:

Create a SCIM app in Okta and connect it to an application to receive SCIM update events.
Create a group in Okta and assign a user to that group.
Assign the group you created to the SCIM app in Okta, and push that group as well.
In Okta, remove the user from the group.
No remove SCIM operation is sent, which is what I would expect.

For the above steps, if you assign the user directly to the SCIM app, instead of via the group, the remove SCIM operation is sent.

blunceford · September 16, 2021, 9:30pm

Bump on this - any thoughts?

This is the kind of remove operation we’re looking for, but is not sent when the removed user is assigned to the SCIM app via group:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "remove",
            "path": "members[value eq \"directory_user_01FFR215H3C9X6V5C8AJFKZ823\"]"
        }
    ]
}

One potential workaround is to manually push the groups from Okta, which sends a replace operation to re-set the group membership.

Is this expected behavior or is this a bug? Requiring assignment of thousands of users individually and not through groups is a blocker in some cases. However, we’re not receiving the correct group removal events if the users are assigned to the SCIM app via groups.

blunceford · September 16, 2021, 9:45pm

Posted in Stack Overflow as well: scim - Does Okta send group membership removal when user is assigned to app via a group? - Stack Overflow

Lasse · October 25, 2021, 10:41am

This reply might explain the behavior you’re seeing: Scim remove user from group - #3 by bogdan.andrisan

Post		Replies	Views
SCIM 1.1 Group Update docs don't match real life behavior SCIM api	1	2752	February 12, 2024
OIN SCIM integration and removal of users from groups SCIM	4	26	October 25, 2024
SCIM Deactivation via Group Membership SCIM	3	4720	January 23, 2024
SCIM provisioning issue SCIM	2	2887	February 8, 2024
SCIM 2.0 PUT/PATCH User not sent on User Removal SCIM	4	3707	January 26, 2024

Support SCIM group membership updates for groups of users assigned to apps

Related Topics