SCIM bridge doesn't deprovision OneLogin users

jchafin
jchafin
Community Member

With the 1Password SCIM bridge v.2.3.1, deployed in GCP and using OneLogin as the IDP, we're seeing that new users are provisioned successfully but when users are suspended in OneLogin, this does not carry over to 1Password. The SCIM bridge status page is all green, and looking at the debug logs it seems like it sees the suspended user and attempts to delete but this doesn't actually happen. The 401 at the beginning of this snippet might also be relevant but I could use some help diagnosing what's going on. Thank you!

{"level":"debug","version":"2.3.1","build":"203011","application":"op-scim","component":"CertificateManager","domain":"x.x.x.x","time":"2022-05-10T19:05:14Z","message":"certificate manager obtained certificate"}
{"level":"debug","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","error":"failed to touch session: failed to DoEncrypted: Authorization: (401) (Unauthorized), You aren't authorized to perform this action.","time":"2022-05-10T19:05:15Z","message":"failed to verify session"}
{"level":"debug","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","idp":"OneLogin","time":"2022-05-10T19:05:15Z","message":"connected to IDP"}
{"level":"info","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","time":"2022-05-10T19:05:15Z","message":"generating new session"}
{"level":"info","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","time":"2022-05-10T19:05:15Z","message":"generated new session"}
{"level":"info","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","user":"MANQGK6LCZADLFFVWZD7YJKXAU","time":"2022-05-10T19:05:15Z","message":"suspended user"}
{"level":"info","version":"2.3.1","build":"203011","application":"op-scim","component":"SCIMServer","request_id":"c9tbeqo6bdcnjevblq60","remote_addr":"10.150.0.30","status":200,"duration":512.087624,"size":0,"method":"DELETE","path":"/Users/MANQGK6LCZADLFFVWZD7YJKXAU","time":"2022-05-10T19:05:15Z","message":"HTTP request"}

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Hi @jchafin, apologies for the delay in response.

    The 401 log line is a known red-herring. It does not affect the operation of the bridge, as you can see that bridge successfully generated new session a few lines later. That means the bridge successfully re-established a connection to our backend. We're looking to de-emphasize that unnecessarily-worrying warning message in a future release.

    Beyond that, according to our logs and the user state in backend for that UUID, the user was indeed suspended by Automated User Provisioning at the exact timestamp listed in the logs you provided.

    Could you elaborate on what you're seeing that doesn't line up with your expectations?

This discussion has been closed.