Account don't get deactivated over SCIM

aixxoaixxo
Community Member

Hello, after upgrading the SCIM Bridge to 2.3 and changing away from the provisioning manager.
User accounts that are disabled in AzureAD are still active in 1Password and even after removing the user from the Sync the account is still active.
I can't even deactivate the user manually in 1Password.

What can I do to get a working sync again?

Regards,
Oliver


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • DeVille_1PDeVille_1P

    Team Member

    Hi @aixxo.

    Sorry for the delay. My name is De Ville and I am part of the provisioning team.

    ... changing away from the provisioning manager.

    I wanted to confirm that you upgraded the SCIM bridge to 2.3 and transitioned to using an automated provisioning service account over the legacy Provisioning Manager user, is this correct?

    This process would mean that you have created new SCIM bridge credentials that needed to be updated on your SCIM bridge (scimsession) and your identity provider (bearer token).

    User accounts that are disabled in AzureAD are still active in 1Password and even after removing the user from the Sync the account is still active.

    Can you confirm that the identity provider (Azure AD) has access to the SCIM bridge. You should be able to test the connection between Azure and the SCIM bridge.

    Secondly, do you see any errors in the SCIM bridge logs? You can access the logs by navigating the the URL where your SCIM bridge is deployed and entering the bearer token.

    I can't even deactivate the user manually in 1Password.

    Managing users directly is disabled when automated provisioning is enabled for the account. You should be able to manually suspend the user account when you disable automated user provisioning by switching off provisioning via the integration details page.

  • aixxoaixxo
    Community Member

    Hi @DeVille_1P ,
    thanks for the answer!
    Yes I made the transition away from the provisioning manager user.
    The bridge adds new users from AzureAD!

    The SCIM Bridge version is 2.3.0

    There are no errors. This is the message I get from AzureAD when provisioning the User:

    User '[email protected]' was evaluated to be soft deleted in source system and the provisioning service should disable the target entry. However, User '[email protected]' was not managed through the provisioning service previously. The soft delete operation will be skipped

    But, as mentioned before ist is not editable in 1Password, because it is provisioned...

    Seems like a deadlock ...

  • DeVille_1PDeVille_1P

    Team Member

    Hi @aixxo. Thanks for the additional information.

    From the warning message it seems that Azure AD is not sending the suspend or delete request to the SCIM bridge because it believes that the user was not managed through the provisioning service previously.

    Did you perform a full user sync recently?

    Azure AD usually tries to suspend the user via an update request when a "soft" delete is required. A delete request is sent via SCIM when a "hard" delete is required.

    I think there is a bit of a disconnect between the user in your Azure AD and 1Password account.

    Can you perform a full user sync and let us know if any errors are reported in the Azure AD portal or SCIM bridge logs?

    As mentioned, you can temporarily disable provisioning in 1Password to allow you to suspend the user immediately. This is a workaround while we continue to investigate and fix the issue with automated provisioning.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file