
Okta Problem with SCIM for SAML users created before SCIM protocol was enabled #14481

Open
@jiwoc55

Description


Describe the bug

Hi,

We have a problem with the SCIM protocol.
We followed the documentation below: https://snipe-it.readme.io/docs/scim

IdP: Okta
Parameters:
Create Users enabled
Deactivate Users enabled

The SAML protocol was activated first, then we manually created each account on Snipe-IT.

When we set up SCIM, the connection between IdP and Snipe-IT is fully functional. However, when we assign the application from our IdP, this doesn't activate the account on Snipe-IT, so we have to check the "This user can login" box, otherwise we get the following error:

An error occurred while assigning this app.
Automatic provisioning of user to app failed: User XXXX provision to app failed due to delay in reactivating remote User. Rescheduling provision job.

We have the same problem for deactivating accounts with SCIM, so the functionality described in the documentation doesn't work "IF account when it is unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta."

The box "This user can login" remains activated even though the status change is clearly visible in the SCIM logs (active:true > active:false):

scim.log :
HTTP/1.0 200 OK
Cache-Control: no-cache, private
Content-Type: application/json
Date: Fri, 22 Mar 2024 16:44:44 GMT
Etag: "W/"e7e08e356cf07d88e79960cc61482801a5000917""

{"id":"341","meta":{"created":"2023-11-20T15:34:43+01:00","lastModified":"2024-03-22T17:43:49+01:00","location":"https://URL_To_Snipe-IT/scim/v2/Users/341","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":"XXX","department":"XXX","manager":{"value":500}},"userName":"XXX","name":{"formatted":"XXX","familyName":"XXX","givenName":"XXX"},"title":"XXX","preferredLanguage":"en-US","active":true,"emails":[{"value":"XXX","type":"work","primary":true}],"phoneNumbers":[{"value":"None","type":"work","primary":true}],"addresses":[{"type":"work","formatted":"n/a","streetAddress":"France","primary":true}]}
[2024-03-22 17:44:44] production.ERROR: =====================================================================================
Exception caught! Invalid data! of type: ArieTimmerman\Laravel\SCIMServer\Exceptions\SCIMException when executing:
PUT https://URL_To_Snipe-IT/scim/v2/Users/341

{"id":"341","meta":{"created":"2023-11-20T15:34:43+01:00","lastModified":"2024-03-22T17:43:49+01:00","location":"https://URL_To_Snipe-IT/scim/v2/Users/341","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":"XXX","department":"XXX","manager":{"value":500}},"userName":"XXX","name":{"formatted":"XXX","familyName":"XXX","givenName":"XXX"},"title":"XXX","preferredLanguage":"en-US","active":false,"emails":[{"value":"XXX","type":"work","primary":true}],"phoneNumbers":[{"value":"None","type":"work","primary":true}],"addresses":[{"type":"work","formatted":"n/a","streetAddress":"France","primary":true}]}

We don't encounter these problems with new accounts created and deactivated on Okta.

Regards,

Reproduction steps

  1. Enable SAML protocol between Okta and Snipe-IT
  2. Create accounts manually on Snipe-IT
  3. Enable SCIM protocol between Okta and Snipe-IT
  4. Assign the Snipe-IT application on Okta to users already created
  5. Bug: the user cannot log in until the "This user can login" checkbox is manually ticked on Snipe-IT (see the errors and log messages above)
  6. Unassign the application from Okta. Bug: the "This user can login" box remains checked (see the errors and log messages above)

Expected behavior

The SCIM protocol must enable / disable login and therefore the "this user can login" checkbox automatically as mentioned in the documentation.

Screenshots

No response

Snipe-IT Version

v6.3.3 build 12903 (g0f63fa23e)

Operating System

Ubuntu

Web Server

Nginx

PHP Version

8.1.2

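An added example, not part of this report or of Snipe-IT's own code: a script that scans a scim.log in the layout quoted above for deactivation requests (active:false) that ended in a SCIMException, so an administrator can list users whose "This user can login" flag may still be set after Okta unassigned them. The log lines, hostname and user names below are constructed; the real log would be read from the file.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the layout of the scim.log excerpt in the report:
# Laravel error line, SCIMException notice, the failing request, its body.
SAMPLE_LOG = """\
[2024-03-22 17:44:44] production.ERROR: ====
Exception caught! Invalid data! of type: ArieTimmerman\\Laravel\\SCIMServer\\Exceptions\\SCIMException when executing:
PUT https://snipe.example.test/scim/v2/Users/341

{"id":"341","userName":"alice","active":false}
[2024-03-22 17:50:01] production.ERROR: ====
Exception caught! Invalid data! of type: ArieTimmerman\\Laravel\\SCIMServer\\Exceptions\\SCIMException when executing:
PUT https://snipe.example.test/scim/v2/Users/342

{"id":"342","userName":"bob","active":true}
"""

# Request line following the exception notice: method, then /scim/v2/Users/<id>
REQUEST_RE = re.compile(r"^(PUT|PATCH) \S+/scim/v2/Users/(\d+)\s*$")


def failed_deprovisions(log_text: str) -> List[Dict[str, str]]:
    """Return SCIM user updates that raised a SCIMException while asking for
    active:false, i.e. deactivations the IdP sent but Snipe-IT rejected."""
    findings: List[Dict[str, str]] = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        if "SCIMException" in lines[i] and i + 1 < len(lines):
            m = REQUEST_RE.match(lines[i + 1].strip())
            if m:
                # The JSON body is the next non-empty line starting with "{"
                j = i + 2
                while j < len(lines) and not lines[j].lstrip().startswith("{"):
                    j += 1
                if j < len(lines):
                    try:
                        # rstrip removes stray trailing debris such as a backtick
                        body = json.loads(lines[j].strip().rstrip("` "))
                    except json.JSONDecodeError:
                        body = {}
                    if body.get("active") is False:
                        findings.append({"user_id": m.group(2),
                                         "userName": str(body.get("userName", "?")),
                                         "method": m.group(1)})
                i = j
        i += 1
    return findings
```

Each returned user_id should be checked in Snipe-IT's user edit screen: if "This user can login" is still ticked, the account kept access after Okta unassigned the app.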
