Support SCIM group membership updates for groups of users assigned to apps

Currently, when you set up an application to support SCIM provisioning (described in this documentation: Connect your SCIM API service to Okta | Okta Developer), you will only get group membership updates for users that are 1. assigned to the SCIM app directly and 2. are members of groups that are pushed in the SCIM app.

Can these operations (described in this documentation: SCIM 2.0 Protocol Reference | Okta Developer) also be supported when users are assigned to apps via groups?

Is this a bug that these operations aren’t being sent currently?

Steps to replicate the issue:

  1. Create a SCIM app in Okta and connect it to an application to receive SCIM update events.
  2. Create a group in Okta and assign a user to that group.
  3. Assign the group you created to the SCIM app in Okta, and push that group as well.
  4. In Okta, remove the user from the group.
  5. No remove SCIM operation is sent, which is what I would expect.

For the above steps, if you assign the user directly to the SCIM app, instead of via the group, the remove SCIM operation is sent.

Bump on this - any thoughts?

This is the kind of remove operation we’re looking for, but is not sent when the removed user is assigned to the SCIM app via group:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "remove",
            "path": "members[value eq \"directory_user_01FFR215H3C9X6V5C8AJFKZ823\"]"
        }
    ]
}

One potential workaround is to manually push the groups from Okta, which sends a replace operation to re-set the group membership.

Is this expected behavior or is this a bug? Requiring assignment of thousands of users individually and not through groups is a blocker in some cases. However, we’re not receiving the correct group removal events if the users are assigned to the SCIM app via groups.

Posted in Stack Overflow as well: scim - Does Okta send group membership removal when user is assigned to app via a group? - Stack Overflow
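For anyone building the receiving side, here is an added example (not Okta's code or the poster's) of a SCIM server applying the two PatchOp shapes this thread talks about: the per-user `remove` with a `members[value eq "..."]` filter path, and the `replace` of the whole members list that a manual group push sends. The group resource and the second member id are constructed sample data; only the quoted PatchOp comes from the post.

```python
import re

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Matches the filter path used for per-user removals, e.g.
#   members[value eq "directory_user_01FFR215H3C9X6V5C8AJFKZ823"]
_MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def apply_group_patch(group, patch):
    """Apply a SCIM 2.0 PatchOp to a group resource (a dict) in place.

    Returns the sorted list of member ids after the patch. Handles 'remove'
    with a members filter path and 'add'/'replace' of the members list.
    """
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM 2.0 PatchOp message")
    members = {m["value"]: m for m in group.get("members", [])}
    for operation in patch["Operations"]:
        op = operation["op"].lower()
        path = operation.get("path")
        if op == "remove":
            match = _MEMBER_FILTER.match(path or "")
            if not match:
                raise ValueError(f"unsupported remove path: {path!r}")
            # Removing a user who is already absent is a no-op, so a replayed
            # or duplicated webhook delivery cannot corrupt the membership.
            members.pop(match.group(1), None)
        elif op in ("add", "replace"):
            value = operation["value"]
            if path == "members":
                new_members = value            # value is the list itself
            elif path is None and "members" in value:
                new_members = value["members"]  # value is a dict of attributes
            else:
                continue  # touches attributes other than members; nothing to do
            if op == "replace":
                members = {}  # replace re-sets the whole membership
            for member in new_members:
                members[member["value"]] = member
        else:
            raise ValueError(f"unsupported op: {op!r}")
    group["members"] = list(members.values())
    return sorted(members)


if __name__ == "__main__":
    # Constructed sample group; the PatchOp is the one quoted above.
    group = {"id": "g1", "displayName": "Engineering", "members": [
        {"value": "directory_user_01FFR215H3C9X6V5C8AJFKZ823"},
        {"value": "directory_user_sample_second_member"}]}
    remove = {"schemas": [PATCH_OP_SCHEMA], "Operations": [{"op": "remove",
        "path": 'members[value eq "directory_user_01FFR215H3C9X6V5C8AJFKZ823"]'}]}
    print(apply_group_patch(group, remove))
```

Because a full-list `replace` is authoritative, processing one after a missed `remove` leaves the group in the correct state, which is why the manual push works as a workaround.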

This reply might explain the behavior you’re seeing: Scim remove user from group - #3 by bogdan.andrisan