Summary
This article addresses the case where an admin has deleted a user from the Beyond Identity Admin Console and can no longer get that user linked to the corresponding Okta user.
Symptoms
The user is active in Okta, and the byndidRegistered attribute may update correctly. Still, the user is not updated in the groups pushed via Okta's Beyond Identity User Console app.
Questions that lead to the diagnosis
Evaluate the user's profile in Okta. Are they a member of a group that is pushed via SCIM to Beyond Identity? Is the user active in Okta? Do they have the Beyond Identity User Console app assigned?
Evaluate the user in the Beyond Identity Admin Console. Does the user exist on the Beyond Identity side? Is the user source defined as SCIM, or does it say Beyond Identity? Did someone manually re-create the user on the Beyond Identity side?
Cause
This happens when the user was originally created in the Beyond Identity directory via SCIM, or was later synced from Okta to Beyond Identity, so that the Okta user ID is linked to the Beyond Identity user's external ID. If the user is then deleted in Beyond Identity, the SCIM calls that Okta sends refer to a user who is marked as deleted on the Beyond Identity side, so the user is not added to groups, for example.
Resolution
Find the user in Okta Admin and use admin override to unassign the Beyond Identity User Console app from them. Wait a minute or so, then re-assign the Beyond Identity User Console app to the user and remove the admin override.
This re-creates the user in Beyond Identity. The user is now active and will get a new enrollment email if email enrollment is used.
Finally, you can use the Beyond Identity User Console app from the Okta Admin side to push/sync the groups to ensure that the user is a member of the groups as desired.