Users getting tagged to "Individual Assignment" for SCIM application upon removal

Users of my client application are tagged to an OIDC Client application & SCIM Application. When users are removed from the Client Application, the following happens as per Okta logs:

  1. User is removed from Client Application. Under User, Client application is not seen anymore.
  2. User is removed from SCIM application. Under user, SCIM application is still seen.
  3. Okta does “Individual” assignment for the SCIM application. An application.user_membership.update event is fired, which adds individual assignment for the user.
  4. This further triggers the SCIM flow, but the SCIM flow fails due to application logic written in the SCIM connector.

The question is: why does #3 happen? How can we avoid #3 and hence remove the reference to the SCIM application after #1 is done? Do we have to do some configuration in the tenant, or is it some issue with the SCIM connector configuration?
Any leads on this will be helpful.

Hello,
When a user is removed from the SCIM application, does their account immediately get added back?

Does the SCIM application provisioning have ‘Deactivate Users’ enabled? If not, and provisioning has scheduled imports, the user account could be added back during the next import.

Is this Native SCIM or the on-premises SCIM agent?

Hi Erik,

Below are the responses to your queries:

  1. When a user is removed from the SCIM app, the account immediately gets added back. An application.user_membership.update event is fired, which adds individual assignment for the user.
  2. The SCIM application does not have ‘Deactivate Users’. Provisioning does not have imports.
  3. We are using the on-premise SCIM agent.

I recommend that you also try posting this question on the other support forum. It may be that someone on this forum will know the answer; however, the Okta team members that watch this forum support the SCIM server, but not the on-premise agent. The other forum will be monitored by the group that supports the agent.