Accounts don't get deactivated over SCIM
Hello, after upgrading the SCIM Bridge to 2.3 and changing away from the provisioning manager, user accounts that are disabled in AzureAD are still active in 1Password, and even after removing the user from the Sync the account is still active.
I can't even deactivate the user manually in 1Password.
What can I do to get a working sync again?
Regards,
Oliver
Comments
-
Hi @aixxo.
Sorry for the delay. My name is De Ville and I am part of the provisioning team.
... changing away from the provisioning manager.
I wanted to confirm that you upgraded the SCIM bridge to 2.3 and transitioned to using an automated provisioning service account over the legacy Provisioning Manager user. Is this correct?
This process would mean that you have created new SCIM bridge credentials that needed to be updated on your SCIM bridge (scimsession) and your identity provider (bearer token).
User accounts that are disabled in AzureAD are still active in 1Password and even after removing the user from the Sync the account is still active.
Can you confirm that the identity provider (Azure AD) has access to the SCIM bridge? You should be able to test the connection between Azure and the SCIM bridge.
Secondly, do you see any errors in the SCIM bridge logs? You can access the logs by navigating to the URL where your SCIM bridge is deployed and entering the bearer token.
I can't even deactivate the user manually in 1Password.
Managing users directly is disabled when automated provisioning is enabled for the account. You should be able to manually suspend the user account when you disable automated user provisioning by switching off provisioning via the integration details page.
0 -
Hi @DeVille_1P ,
thanks for the answer!
Yes I made the transition away from the provisioning manager user.
The bridge adds new users from AzureAD!
The SCIM Bridge version is 2.3.0
There are no errors. This is the message I get from AzureAD when provisioning the User:
User 'XXXX@YYYYY.XZ' was evaluated to be soft deleted in source system and the provisioning service should disable the target entry. However, User 'XXXX@YYYYY.XZ' was not managed through the provisioning service previously. The soft delete operation will be skipped
But, as mentioned before, it is not editable in 1Password, because it is provisioned...
Seems like a deadlock ...
0 -
Hi @aixxo. Thanks for the additional information.
From the warning message it seems that Azure AD is not sending the suspend or delete request to the SCIM bridge because it believes that the user was not managed through the provisioning service previously.
Did you perform a full user sync recently?
Azure AD usually tries to suspend the user via an update request when a "soft" delete is required. A delete request is sent via SCIM when a "hard" delete is required.
I think there is a bit of a disconnect between the user in your Azure AD and 1Password account.
Can you perform a full user sync and let us know if any errors are reported in the Azure AD portal or SCIM bridge logs?
As mentioned, you can temporarily disable provisioning in 1Password to allow you to suspend the user immediately. This is a workaround while we continue to investigate and fix the issue with automated provisioning.
0
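The two request shapes described in the last reply (a "soft" delete arriving as an update that sets the user inactive, a "hard" delete arriving as a SCIM DELETE), as an added example that is not part of the thread and not 1Password's or Microsoft's code: a small classifier for auditing which deprovisioning requests an identity provider actually sent. It assumes the update is a SCIM PATCH as defined in RFC 7644; the function names, sample requests, user ids and the tolerance for string booleans and mixed-case op values are assumptions.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _as_bool(value):
    # Accept JSON booleans and string forms like "False" (assumed client quirk).
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return None

def classify(method, path, body=None):
    """Map one SCIM request to (action, user_id).
    action is 'suspend', 'reactivate', 'hard_delete' or 'other'."""
    parts = [p for p in path.split("?")[0].split("/") if p]
    if len(parts) < 2 or parts[-2] != "Users":
        return ("other", None)
    user_id, method = parts[-1], method.upper()
    if method == "DELETE":                      # "hard" delete
        return ("hard_delete", user_id)
    if method != "PATCH" or not body:
        return ("other", user_id)
    doc, active = json.loads(body), None
    if PATCH_SCHEMA not in doc.get("schemas", []):
        return ("other", user_id)
    for op in doc.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        value = op.get("value")
        if str(op.get("path", "")).lower() == "active":
            found = _as_bool(value)                # {"path": "active", "value": false}
        elif "path" not in op and isinstance(value, dict):
            found = _as_bool(value.get("active"))  # path-less form
        else:
            found = None
        active = found if found is not None else active
    if active is None:
        return ("other", user_id)               # PATCH that does not touch "active"
    return ("reactivate" if active else "suspend", user_id)

# Constructed sample requests (paths and ids are placeholders, not from the thread).
SAMPLES = [
    ("PATCH", "/Users/abc123", json.dumps({"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})),
    ("PATCH", "/Users/abc123", json.dumps({"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"displayName": "X"}}]})),
    ("DELETE", "/Users/abc123", None),
]
```

If a disabled user never produces a `suspend` or `hard_delete` result in the captured traffic, the request was not sent at all, which matches the "soft delete operation will be skipped" message quoted above.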