I would like to bring your attention to an issue I encountered during my SCIM integration tests. It appears that when attempting to assign an existing user to an app, if the PUT request fails, there is no corresponding request emitted to the SCIM API for user deletion or deactivation.
This poses a problem because the PUT request initially triggers a request to activate the user, followed by a second request to update the user’s profile data. In a scenario where the first request succeeds but the second one fails, the user will be activated but not deactivated if an immediate attempt is made to delete the user from the application.
Here are the steps to reproduce the issue:
- Assign a user with invalid profile data to an app (note that the user must already be added and exist in the app).
- Okta will send two requests: one for user activation and another for user profile update. However, the second request will fail due to the invalid profile data. Despite the failure, the user will still be activated in the app.
- Now, try to remove or deactivate the user from the app. You will notice that no request is sent to the SCIM API, resulting in an inconsistent state between the app and Okta.
I hope these clarifications help in understanding the issue more effectively. Please let me know if you have any questions or require further information.