If you are not familiar with navigating Okta System Logs, please loop in your Okta admin.
When SCIM is enabled and users and Groups are synced with Guru, management of users and Groups is handled through your chosen identity provider (IDP). While not all issues will be covered here, you can use the information in this article to help troubleshoot common issues that might be impacting your user and Group provisioning.
Confirming SCIM provisioning configuration
Below are the steps to ensure SCIM provisioning is enabled correctly.
1. Navigate to Guru's SSO/SCIM tab within Apps and Integrations under Team Settings and verify Authorize SCIM Provisioning is enabled.
2. Navigate to your Guru Application in Okta.
3. Click on the Provisioning tab.
4. Confirm that Create Users, Update User Attributes, and Deactivate Users are all enabled and that the default username is set to Email.
5. Scroll down the page to the Guru Attribute Mappings section.
6. Ensure the following Okta attributes are mapped as:
Okta System Logs
Okta's System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and diagnose problems.
This should be the first place you look to begin troubleshooting issues related to SCIM events in your Guru app within Okta. Below we've outlined two event types that will be helpful in confirming user addition and removal in the Guru web app.
Event Types are a primary method of categorization within the Okta platform that groups system occurrences. This is not an exhaustive list of events.
Confirming user addition to external applications in Okta logs
1. Navigate to your Guru app in Okta
2. Click on View logs
3. Search for the specific user by appending the following to the existing search query: and target.AlternateId eq "email_address"
4. Look for a Successfully pushed new user account to app message under the Event Info column.
5. Click on the caret to the right of the timestamp for this event and expand the Event and second Target attributes.
6. You want to ensure that the Event Type is shown as app.user_management.push_new_user_success, the event was successful, the target is the primary email of the user, and the AppInstance is the name of your Guru application in Okta.
Ensure the event type is app.user_management.push_new_user_success and not another Event Type. For example, application.user_membership.add simply adds the user to your application in Okta and does not impact your Guru instance.
Confirming user deletions in external applications within Okta logs
1. Navigate to your Guru app in Okta
2. Click on View logs and Search for the specific user
3. Look for a Push user deactivation to external application message under the Event Info column
4. Click on the caret to the right of the timestamp for this event and expand the Target attribute.
5. You want to ensure that the Event Type is shown as application.provision.user.deactivate, the event was successful, the target is the primary email of the user, and the AppInstance is the name of your Guru application in Okta.
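The two checks above (user addition and user deactivation) can also be run over exported log events. The following is an added example, not part of the original article and not Guru's or Okta's own code. It assumes the events are exported as JSON with the System Log field names eventType, outcome.result, published and target[].type / alternateId / displayName, and that the app is labelled "Guru"; the state names and sample events are constructed for illustration.

```python
# Event types named in this article.
PUSH_OK = "app.user_management.push_new_user_success"
DEACTIVATE = "application.provision.user.deactivate"
MEMBERSHIP_ADD = "application.user_membership.add"  # Okta-side assignment only

def _matches(event, email, app_name):
    """True if the event targets this user's email and this app instance."""
    targets = event.get("target") or []
    user_hit = any(t.get("type") in ("User", "AppUser")
                   and (t.get("alternateId") or "").lower() == email.lower()
                   for t in targets)
    app_hit = any(t.get("type") == "AppInstance"
                  and app_name in (t.get("alternateId"), t.get("displayName"))
                  for t in targets)
    return user_hit and app_hit

def provisioning_state(events, email, app_name):
    """Replay a user's events in time order and return the resulting state."""
    state = "no_events"
    relevant = [e for e in events if _matches(e, email, app_name)]
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for e in sorted(relevant, key=lambda e: e["published"]):
        ok = (e.get("outcome") or {}).get("result") == "SUCCESS"
        kind = e.get("eventType")
        if kind == PUSH_OK and ok:
            state = "pushed"
        elif kind == DEACTIVATE:
            # A failed deactivation means the account may still be live in the app.
            state = "deactivated" if ok else "deactivate_failed"
        elif kind == MEMBERSHIP_ADD and state == "no_events":
            state = "assigned_not_pushed"  # assigned in Okta, never pushed
    return state

def _ev(ts, kind, email, result="SUCCESS", app="Guru"):
    """Build one constructed sample event (not real log data)."""
    return {"published": ts, "eventType": kind, "outcome": {"result": result},
            "target": [{"type": "AppUser", "alternateId": email},
                       {"type": "AppInstance", "alternateId": app, "displayName": app}]}

SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00.000Z", MEMBERSHIP_ADD, "alice@example.com"),
    _ev("2024-01-01T10:00:05.000Z", PUSH_OK, "alice@example.com"),
    _ev("2024-01-01T11:00:00.000Z", MEMBERSHIP_ADD, "bob@example.com"),
    _ev("2024-01-02T09:00:00.000Z", PUSH_OK, "carol@example.com"),
    _ev("2024-01-03T09:00:00.000Z", DEACTIVATE, "carol@example.com"),
    _ev("2024-01-02T09:00:00.000Z", PUSH_OK, "dave@example.com"),
    _ev("2024-01-03T09:00:00.000Z", DEACTIVATE, "dave@example.com", "FAILURE"),
]
```

A result of assigned_not_pushed or deactivate_failed is the one worth following up: the first means the user exists only on the Okta side, the second means an offboarded user may still have access in the external application.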
Now that we've covered how to read the Okta logs for the purposes of troubleshooting, let's take a look at some common issues that can arise and their solutions below.
Scenario #1 User is added to Group in Okta but is not added to the Group in Guru
1. Confirm SCIM is enabled for the team on the SSO/SCIM page within Guru.
2. Take a look at your Push Groups tab within the Guru app in Okta to validate the Group is shown here.
3. If the Group exists here navigate to the Group page on the left-hand panel within Okta, click on the Group name, and validate the user is shown in the People tab.
4. Click on Applications and confirm that Guru is displayed under Applications. If the Guru app has not been assigned to the Group, this is the likely reason the user is not appearing within the Group in Guru.
5. The solution here is to add the Guru app to the Group.
The assigned users and Group will now appear in Guru and the Group will be synced.
Scenario #2 I enabled SCIM and now my users can’t sign into Guru
You've enabled SCIM but had previously enabled SSO and now users are encountering issues logging into Guru. The root cause of this issue appears to be that users are not automatically provisioned downstream within Okta once SCIM is enabled in the source application.
1. Verify that the user in question appears in the System Log within Okta with the events “sync user in external application” followed by a “Successfully pushed new user account to app”. If you're not seeing these events, it means the user was never pushed to Guru once SCIM was enabled.
2. As a next step check the Assignments tab of your Guru app in Okta and search for the user in question. You're looking to see if there is a red exclamation mark indicating an issue.
3. If you hover over the exclamation mark it will give more context about the error.
4. In this instance, the user needs to be provisioned in Guru by clicking on the Provision User button.
Scenario #3 I removed my Group assignment from the Guru app in Okta but I still see the synced Group in Guru
This occurs when the Group has been disassociated from the Guru app via the applications page within the Group in Okta but has yet to be unlinked via Push Groups.
Below you'll find images outlining this scenario.
1. Group is to be disassociated from the Guru app in Okta.
2. The Guru app was removed from the list of applications associated with the Group.
3. However, the Group still exists in Guru and is synced. This is because the Group has yet to be unlinked from Guru in the Push Groups tab of the Guru app in Okta.
4. Check if the Group still appears in the Push Groups tab and has a status of Active under the Push Status column.
5. If the status is Active, this is why the Group still exists in Guru; it must be unlinked. Click on Active and then Unlink pushed group > Delete the group in the target app.
The Group is successfully deleted from Guru.
If interested, the System Log will show the removal of the Group as two events: Group Push - deleting AppGroup(Mapping:alphanumeric_value) and Group Push group [Group_name] Group removed from app.
☎️ Contact us
If you have any issues with this, please reach out to our Support team at email@example.com, or by clicking your avatar in Guru and selecting Help and resources > Contact Guru Support.