Okta <-> SCIM Bridge attribute mapping details

Hi All,

I recently implemented a SCIM Bridge for integrating Okta & 1Pass, and while the docs got me most of the way there, there is missing info that's vital to know, specifically around attribute mapping.

Based on the 1Pass Docs (https://support.1password.com/scim-okta/), there are some details about the attribute mapping towards the bottom regarding default values in the Okta 1Pass SCIM integration that comes as a built-in integration in Okta. While this info is helpful, at the end of the day there is missing info in this Doc that will prevent a SCIM bridge from working successfully. I also did a quick search here in the community but did not find anything related to what we were seeing.

So I followed the Docs: Set up a GCP container, deployed 1Pass app, configured Okta integration. All went well, except when we went to actually assign a user to 1Pass in Okta, we would get '400 Bad Request' with the specific error 'displayName cannot be empty without first or last names'. Now, one would think that with the default attributes set up as the doc described (firstName & lastName), the SCIM would just combine these values if 'displayName' is not directly provided by the Okta API call; however, this is not true.

To fix this issue we had to create a custom attribute mapping in the app for 'displayName' to be pushed from Okta to 1P. After manually doing this the SCIM worked perfectly.

1Password: Please update your docs!! It appears that 1Pass docs around attribute mapping are non-existent as a whole. A simple paragraph would have saved lots of troubleshooting and time on my end. Don't be that guy, 1Password. Take 5 minutes and update your docs.



Comments

  • Hey @charlesmlambdalcom 👋

    Thanks for reaching out. I have a few questions about your setup because the mappings defined in the documentation you linked are all that are needed to get working.

    First though, you can continue to use the displayName mapping you've defined, that will continue to work. 👌

    I'm looking at the validation code in the SCIM bridge and it goes something like: if either the givenName or familyName values are empty, it will check the displayName, and if that is empty it will produce the error you've found.

    Is it at all possible that the user.firstName or user.lastName fields in Okta are empty? Can you double-check that the mappings are accurate?

    If we can get to the bottom of where things went wrong, we can update the docs to be a little more clear. 🙏

  • charlesmlambdalcom
    Community Member

    Interesting, yes, the error seems to denote that displayName is required if last and first attribs are not received; however, I double- and triple-checked this. When we map a user with user.firstName & user.lastName default mappings populated and confirm that the attributes are being pushed from Okta's end, the 1Pass SCIM will always send back a 400 bad request and throw the displayName error from above. And yes, we can confirm manually that the user last name and first name are for sure populated and not empty.

    It immediately started working after adding displayName attribute even though lastname and firstname are already mapped and populated.

  • Thanks for the information. If you're up for it, let's connect with our support folks who may be able to dig deeper into the problem with you. Email us using support+forum@1password.com. Be sure to use the email address tied to the account in question.

    Include the following:

    1. Your user name here in the forum: charlesmlambdalcom
    2. A link to this discussion: https://1password.community/discussion/148433/okta-scim-bridge-attribute-mapping-details

    This should help our support team link the support request to this forum discussion. 👍
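
The validation rule described in the first reply (check `givenName` and `familyName`, then fall back to `displayName`), written as a pre-flight check over SCIM User payloads. This is an added example, not part of the thread and not the SCIM bridge's own code; the function names, the treatment of null and whitespace-only values as empty, and the sample payloads are assumptions.

```python
"""Pre-flight check for SCIM User payloads (added example, not 1Password code)."""
from typing import Any

# Error text as quoted in the thread.
ERROR = "displayName cannot be empty without first or last names"


def _text(value: Any) -> str:
    # Assumption: null, non-string and whitespace-only values count as empty.
    return value.strip() if isinstance(value, str) else ""


def check_user(resource: dict) -> list[str]:
    """Apply the rule as described in the reply: names first, then displayName."""
    name = resource.get("name")
    if not isinstance(name, dict):  # "name" omitted or sent as null
        name = {}
    empty = [k for k in ("givenName", "familyName") if not _text(name.get(k))]
    if not empty or _text(resource.get("displayName")):
        return []
    paths = ", ".join(f"name.{k}" for k in empty)
    return [f"{ERROR} (empty: {paths}, displayName)"]


def preflight(resources: list[dict]) -> dict[str, list[str]]:
    """Map userName -> problems for every payload that would be rejected."""
    report = {}
    for res in resources:
        problems = check_user(res)
        if problems:
            report[res.get("userName", "<no userName>")] = problems
    return report


# Constructed sample payloads (RFC 7643 core User attributes only).
SAMPLES = [
    {"userName": "a@example.com", "name": {"givenName": "Ada", "familyName": "Li"}},
    {"userName": "b@example.com", "name": {"givenName": "", "familyName": "Ng"},
     "displayName": "Bo Ng"},
    {"userName": "c@example.com", "name": None},
    {"userName": "d@example.com", "name": {"givenName": "  ", "familyName": "Oz"}},
]

if __name__ == "__main__":
    for user, problems in preflight(SAMPLES).items():
        print(user, "->", "; ".join(problems))
```

A payload that passes this check but is still rejected with the same error points at a difference between what Okta sends and what the bridge reads, which is the detail to include in the support request.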