We’re integrating OneLogin as our IdP with Auth0 for provisioning over SCIM, and we’re hitting an error during deprovisioning.
Setup
- IdP: OneLogin, using the SCIM Provisioner with SAML (SCIM v2 Enterprise) connector
- Auth0: SAML enterprise connection with Sync user profiles using SCIM = On
- Mapping → “SCIM attribute containing the user ID” = userName (mapped to email)
What works
- CREATE (user.created) succeeds — the user is created in Auth0 and a 201 is returned.
What fails
- Deprovisioning (DELETE) — and updates (PATCH) — fail. OneLogin reports:
Provisioning failed due to an invalid URI:
“/Users/samlp|astra-onelogin-staging|adam.west@staging.com”
- It looks like Auth0’s CREATE response returns the resource id as the internal user_id samlp||. OneLogin stores that id and reuses it as DELETE /Users/{id}, but the | pipe characters are illegal in a URI path (RFC 3986), so the request never forms a valid URI.
Questions
- Is there a supported way to have Auth0 return a URL-safe SCIM id (e.g. the userName/email) in the CREATE response, or to URL-encode the user_id in meta.location?
- Has anyone gotten OneLogin → Auth0 (SAML connection) SCIM to deprovision/update successfully — and if so, what config made it work?
- For SAML connections, is the pipe-delimited id expected to break SCIM clients that key off id for PATCH/DELETE, and is a fix planned?
Any guidance on getting the full lifecycle (create → update → deprovision) working with OneLogin would be much appreciated.
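
The URI problem described in the post, as an added example that is not part of the original post and is not Auth0 or OneLogin code: it checks the id from the error message against the RFC 3986 path-segment grammar, percent-encodes it for use in `/Users/{id}`, and decodes it back. The function names are hypothetical, and the post does not establish whether either product accepts the encoded form.

```python
import re
from urllib.parse import quote, unquote

# RFC 3986 section 3.3: segment = *pchar
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = r"!$&'()*+,;="
_PCHAR_RAW = re.compile(rf"[{_UNRESERVED}{_SUB_DELIMS}:@]")
_SEGMENT = re.compile(rf"(?:[{_UNRESERVED}{_SUB_DELIMS}:@]|%[0-9A-Fa-f]{{2}})*")

# Id taken from the OneLogin error message quoted in the post.
RAW_ID = "samlp|astra-onelogin-staging|adam.west@staging.com"


def illegal_segment_chars(resource_id: str) -> list[str]:
    """Characters that may not appear unencoded in a single path segment."""
    return sorted({c for c in resource_id if not _PCHAR_RAW.fullmatch(c)})


def is_valid_segment(segment: str) -> bool:
    """True if the string is a well-formed RFC 3986 path segment."""
    return _SEGMENT.fullmatch(segment) is not None


def scim_user_path(resource_id: str) -> str:
    """Build /Users/{id} with the id percent-encoded.

    safe="" encodes everything except unreserved characters, so "|" becomes
    %7C and a "/" inside an id cannot split the path. "@" is legal in a
    segment but is encoded too; a conforming server decodes it to the same id.
    """
    return "/Users/" + quote(resource_id, safe="")


def id_from_path(path: str) -> str:
    """Server-side view: recover the original id from the request path."""
    prefix = "/Users/"
    if not path.startswith(prefix):
        raise ValueError("not a /Users/{id} path")
    return unquote(path[len(prefix):])


if __name__ == "__main__":
    print("illegal raw characters:", illegal_segment_chars(RAW_ID))
    print("encoded path:", scim_user_path(RAW_ID))
    print("round-trips:", id_from_path(scim_user_path(RAW_ID)) == RAW_ID)
```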