SCIM PATCH/DELETE fails on SAML enterprise connections — non-URL-safe id in CREATE response

Issue

We have SCIM provisioning enabled on a SAML enterprise connection. SCIM CREATE operations succeed, but all subsequent PATCH and DELETE operations fail because Auth0’s SCIM endpoint returns a non-URL-safe id in the CREATE response.

What’s happening

When a user is created via SCIM, Auth0 returns the internal composite user_id as the SCIM id:

"id": "samlp|my-saml-connection|username"

This id contains pipe characters (|) which are illegal in URI paths per RFC 3986. When the upstream SCIM client (Okta, using Apache-HttpClient) stores this id and attempts PATCH or DELETE, it tries to construct a URL like:

PATCH https://<tenant>.us.auth0.com/scim/v2/connections/<connection_id>/Users/samlp|my-saml-connection|username

This fails with:

java.lang.IllegalArgumentException: Illegal character in path at index 94

The error occurs on the client side before the request is even sent. As a result:

  • PATCH and DELETE requests never reach Auth0
  • No error logs appear on the Auth0 tenant
  • User lifecycle management (updates, deprovisioning) via SCIM is completely broken

Expected behavior

Per RFC 7643 Section 3.1, the SCIM id field must be usable in URL paths since it’s used to construct resource endpoints. Auth0 should either:

  1. URL-encode the id value (e.g., samlp%7Cmy-saml-connection%7Cusername)
  2. Use the internal UUID instead of the composite user_id

Steps to reproduce

  1. Create a SAML enterprise connection with SCIM provisioning enabled
  2. Have the upstream IdP (e.g., Okta) create a user via SCIM POST
  3. Observe that Auth0 returns a pipe-delimited id in the response
  4. Attempt a SCIM PATCH or DELETE on that user — fails with illegal character error

Environment

  • Auth0 tenant: Development
  • Connection type: SAML (Enterprise)
  • SCIM client: Okta (Apache-HttpClient 4.5.10)
  • Auth0 tenant log event type for successful create: sscim

Impact

This blocks all SCIM user provisioning beyond initial creation for SAML enterprise connections. We cannot update or deprovision users via SCIM, which is a critical gap for enterprise customer onboarding.

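The following is an added example, not code from the post above and not Auth0's or Okta's code. It shows the RFC 3986 path-segment rule the post appeals to (the `pchar` grammar from section 3.3, under which `|` is never allowed raw), how a strict client-side URI check trips on the composite id before any request is sent, and the first of the two fixes the post proposes: percent-encoding the id so `samlp|my-saml-connection|username` becomes `samlp%7Cmy-saml-connection%7Cusername`, with the server-side decode that recovers the original id. The tenant host `example-tenant.us.auth0.com`, the connection id `con_PLACEHOLDER`, and all function names are assumptions for illustration only.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import quote, unquote

# RFC 3986 section 3.3: a path segment is *pchar, where
#   pchar      = unreserved / pct-encoded / sub-delims / ":" / "@"
#   unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
#   sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
# "|" is in none of these sets, so it may not appear raw in a path.
_PCHAR_RAW = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~!$&'()*+,;=:@"
)
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def illegal_path_chars(segment: str) -> List[Tuple[int, str]]:
    """(index, char) for every character in `segment` that RFC 3986 does
    not allow raw in a path segment. Well-formed %XX escapes are accepted;
    a bare or malformed "%" is reported."""
    bad = []
    i = 0
    while i < len(segment):
        ch = segment[i]
        if ch == "%" and _PCT.match(segment, i):
            i += 3
            continue
        if ch not in _PCHAR_RAW:
            bad.append((i, ch))
        i += 1
    return bad


def encode_scim_id(scim_id: str) -> str:
    """Percent-encode a SCIM id into a single valid path segment.
    safe="" leaves only unreserved characters untouched, so "|" -> "%7C"
    and "/" (which would otherwise split the segment) -> "%2F"."""
    return quote(scim_id, safe="")


def decode_scim_id(segment: str) -> str:
    """Server-side inverse: recover the composite user_id from the segment."""
    return unquote(segment)


def build_user_url(base: str, scim_id: str, encode: bool = True) -> str:
    """Build {base}/Users/{id}. encode=False reproduces what a client that
    stores the CREATE response id verbatim would try to request."""
    seg = encode_scim_id(scim_id) if encode else scim_id
    return f"{base.rstrip('/')}/Users/{seg}"


def check_url(url: str) -> Optional[int]:
    """Index into `url` of the first character that is illegal in its path,
    or None if the path is clean. Mimics a strict URI parser rejecting the
    request before it is sent (assumes no query string or fragment)."""
    scheme_end = url.find("://")
    path_start = url.find("/", scheme_end + 3)
    if path_start < 0:
        return None
    offset = path_start
    for seg in url[path_start:].split("/"):
        bad = illegal_path_chars(seg)
        if bad:
            return offset + bad[0][0]
        offset += len(seg) + 1  # segment plus its "/" separator
    return None


# Constructed sample input: the id shape from the post under a placeholder
# tenant and connection id (assumptions, not real values).
SAMPLE_ID = "samlp|my-saml-connection|username"
BASE = "https://example-tenant.us.auth0.com/scim/v2/connections/con_PLACEHOLDER"

if __name__ == "__main__":
    raw = build_user_url(BASE, SAMPLE_ID, encode=False)
    print("raw    :", raw, "-> illegal char at index", check_url(raw))
    enc = build_user_url(BASE, SAMPLE_ID)
    print("encoded:", enc, "-> illegal char at index", check_url(enc))
    print("server decodes back to:", decode_scim_id(enc.rsplit("/", 1)[1]))
```

Running the block shows the raw URL rejected at the first `|` and the encoded URL passing, with the original composite id recovered on the receiving side. The check is client-side only, which is why, exactly as the post describes, nothing reaches the tenant and no log entry is produced; the same helper can be pointed at any id a SCIM CREATE response returns to confirm whether it is safe to store verbatim.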