Currently, when you set up an application to support SCIM provisioning (described in this documentation: Connect your SCIM API service to Okta | Okta Developer) , you will only get group membership updates for users that are 1. assigned to the SCIM app directly and 2. are members of groups that are pushed in the SCIM app.
Can these operations (described in this documentation: SCIM 2.0 Protocol Reference | Okta Developer) also be supported when users are assigned to apps via groups?
Is this a bug that these operations aren’t being sent currently?
Steps to replicate the issue:
- Create a SCIM app in Okta and connect it to an application to receive SCIM update events.
- Create a group in Okta and assign a user to that group.
- Assign the group you created to the SCIM app in Okta, and push that group as well.
- In Okta, remove the user from the group.
- No remove SCIM operation is sent, which is what I would expect.
For the above steps, if you assign the user directly to the SCIM app, instead of via the group, the remove SCIM operation is sent.