Overview
This article explains why some user attributes may be lost after login for a System for Cross-domain Identity Management (SCIM) enabled enterprise connection and provides steps to prevent this issue from occurring.
Applies To
- SCIM enabled enterprise connections
Cause
During the login process, the upstream Identity Provider (IdP) sends claims for the user. If the Sync user profile attributes at login option is enabled, user attributes may be lost. This occurs because of discrepancies between the claims sent during the login flow and the user attributes sent via the SCIM integration.
Solution
One of the following solutions can address this issue:
- Disable the Sync user profile attributes at login option.
- Update the upstream IdP configuration to send the missing claims in the login flow. The specific steps to update the configuration will vary depending on the IdP, so it is necessary to consult their documentation.
- For example, in an environment with a SCIM integration between Okta and an Auth0 Security Assertion Markup Language (SAML) integration, where Okta is the IdP provisioning users to Auth0, the family_name and given_name claims for users might be lost after login. To implement the second solution in this scenario:
  - Update the Okta setup to send the firstName and lastName claims, following the Okta article How to Define and Configure a Custom SAML Attribute Statement.
  - Map these claims on the Auth0 side using the SAML mapping feature explained in the Auth0 article Mapping the ‘name’ SAML Attribute.
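The discrepancy described under Cause can be checked before users are affected. The following is an added example, not code from the original article or from Auth0 or Okta: it lists the profile attributes that SCIM provisions but that have no matching claim in the login assertion. The SCIM resource, the SAML fragment, and both attribute mappings are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SCIM user resource, as the IdP might provision it.
SCIM_USER = {
    "userName": "jane@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
}

# Constructed login assertion fragment: carries email only, no name attributes.
SAML_ATTRIBUTES = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email">
    <saml:AttributeValue>jane@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Assumed mappings (hypothetical): profile attribute -> SCIM path / SAML attribute name.
SCIM_MAP = {"email": "userName", "given_name": "name.givenName", "family_name": "name.familyName"}
SAML_MAP = {"email": "email", "given_name": "firstName", "family_name": "lastName"}

def scim_value(resource, path):
    """Resolve a dotted SCIM path such as name.givenName; None if absent."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def saml_claims(xml_text):
    """Return {attribute name: first non-empty value} from an AttributeStatement."""
    claims = {}
    for attr in ET.fromstring(xml_text).iter("{%s}Attribute" % SAML_NS["saml"]):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and (value.text or "").strip():
            claims[attr.get("Name")] = value.text.strip()
    return claims

def attributes_at_risk(scim_user, xml_text):
    """Profile attributes SCIM provisions but the login claims do not carry."""
    claims = saml_claims(xml_text)
    return sorted(
        attr for attr, path in SCIM_MAP.items()
        if scim_value(scim_user, path) is not None and SAML_MAP.get(attr) not in claims
    )

if __name__ == "__main__":
    print(attributes_at_risk(SCIM_USER, SAML_ATTRIBUTES))
```

An empty result means every SCIM-provisioned attribute in the mapping also arrives as a login claim, which is the state the second solution aims for.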