
Support Okta SCIM minimum requirements

Open mooreds opened this issue 2 years ago • 0 comments


Problem

I want to provision my users from Okta into FusionAuth.

Solution

Support the required features for Okta to be able to provision users into FusionAuth using SCIM.

Alternatives/workarounds

N/A

Additional context

Here's the FusionAuth SCIM API doc: https://fusionauth.io/docs/v1/tech/apis/scim/

Here's the Okta SCIM API doc: https://developer.okta.com/docs/reference/scim/scim-20/

From the SCIM documentation, here's a list of features that are not present in FusionAuth's SCIM support (in 1.36) that are required to integrate with Okta. This should be tested against an Okta installation.

  • Filter users on userName. Relevant section of the Okta documentation:
    Okta checks that the User object exists on the SCIM server through a GET method request with the filter=userName parameter (or any other filter parameter that was configured with the SCIM integration). This check is performed using the eq (equal) operator and is the only one necessary to successfully provision users with Okta.
  • Update a user via PATCH. This is only for certain operations. From the Okta docs:
    For new OIN app integrations, the following operations update a User object through a PATCH method request:
    - Activating a user
    - Deactivating a user
    - Syncing the user password
    All other updates to User objects are handled through a PUT method request.
  • PATCH for groups, to update a specific Group name and update specific Group membership. From the Okta docs:
    For all new OIN app integrations, this request to update a Group object is sent through a PATCH method request.
  • Authorization: Okta does not support the client credentials grant, but rather one of the following: the authorization code grant, a static API key, or basic auth: https://developer.okta.com/docs/guides/scim-provisioning-integration-prepare/main/#api-endpoints
  • The content type must be application/scim+json, not application/json as currently used (which is allowed by the spec). This is per feedback from a customer.
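As an added illustration (not part of this issue or of FusionAuth's code), a minimal Python sketch of the server-side pieces the list above asks for: the userName eq filter, the three PATCH operations Okta sends, and the application/scim+json content type on every response. The in-memory store, user ids and error scimType values are constructed for the example.

```python
import re

SCIM_CONTENT_TYPE = "application/scim+json"  # Okta requires this, not application/json
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Constructed in-memory user store for the example (id -> SCIM resource).
USERS = {"u-1": {"id": "u-1", "userName": "alice@example.com", "active": True}}
# Only the filter shape Okta relies on: attribute eq "value" (escaped quotes allowed).
_EQ_FILTER = re.compile(r'^(\w+)\s+eq\s+"((?:[^"\\]|\\.)*)"$', re.IGNORECASE)

def scim_error(status, scim_type):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "scimType": scim_type}
    return status, SCIM_CONTENT_TYPE, body

def public_view(user):
    # Per SCIM, the password attribute is write-only and must never be returned.
    return {k: v for k, v in user.items() if k != "password"}

def list_users(filter_expr):
    """GET /Users?filter=userName eq "..." as Okta issues it during provisioning."""
    m = _EQ_FILTER.match((filter_expr or "").strip())
    if not m or m.group(1).lower() != "username":
        return scim_error(400, "invalidFilter")  # anything other than userName eq is rejected
    wanted = m.group(2).replace('\\"', '"')
    matches = [public_view(u) for u in USERS.values() if u["userName"] == wanted]
    body = {"schemas": [LIST_SCHEMA], "totalResults": len(matches), "Resources": matches}
    return 200, SCIM_CONTENT_TYPE, body

def patch_user(user_id, patch_body):
    """PATCH /Users/{id} for the operations Okta sends: activate, deactivate, sync password."""
    if PATCH_SCHEMA not in patch_body.get("schemas", []):
        return scim_error(400, "invalidSyntax")
    user = USERS.get(user_id)
    if user is None:
        return scim_error(404, "noTarget")
    for op in patch_body.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            return scim_error(400, "invalidValue")  # replace is all Okta needs here
        # Okta sends {"value": {"active": false}}; the "path" form is accepted as well.
        changes = {op["path"]: op["value"]} if "path" in op else dict(op.get("value", {}))
        for attr, val in changes.items():
            if attr == "active":
                user["active"] = bool(val)
            elif attr == "password":
                user["password"] = val  # a real server hands this to its password hasher
            else:
                return scim_error(400, "invalidPath")
    return 200, SCIM_CONTENT_TYPE, public_view(user)
```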

Similar to https://github.com/FusionAuth/fusionauth-issues/issues/1761

Related

  • https://github.com/FusionAuth/fusionauth-issues/issues/1761

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

mooreds, Jul 16 '22 02:07