You are viewing limited content. For full access, please sign in.

Question

Question

How do you delete a user managed by SCIM?

Laserfiche Cloud Administration Integrations
Updated two days ago
asked on February 11

I have configured SCIM with Okta in Laserfiche Cloud. A user has been created in Laserfiche Cloud, but I now cannot figure out how to delete it. If I deactivate the user in Okta, it marks the user in Laserfiche Cloud as Inactive. If then try to delete the user in Laserfiche Cloud I get the error message "Unable to modify objects managed by Identity Provider". Since the user is deactivated in Okta, it won't sync with Laserfiche Cloud when I delete it in Okta, so how do I delete the user in Laserfiche Cloud?

0 0

Answer

SELECTED ANSWER
replied on February 12 Show version history

Hi Blake,

Sorry for the confusion earlier. After further review, here is the correct information:

When a user is unassigned from the Okta application, the user will become disabled in Laserfiche Cloud. However, they will not be deleted, and Laserfiche Cloud currently does not support deleting SCIM‑managed users that originate from Okta.

Because of this, even after the user is disabled, they will remain in the system and cannot be removed through Laserfiche Cloud.

0 0
View 6 previous replies
replied on February 12

I just tried it again. The user itself is not assigned to the application in Okta. It is applied based on the Okta group. When I remove the user from the Okta group, the user in Laserfiche Cloud gets marked as Inactive, but isn't deleted.

0 0
replied on February 12

That is the expected behavior. When a user is unassigned from the group in the Okta application, the user will be automatically disabled in Laserfiche Cloud. At that point, the SCIM Managed column for that user will switch to “No.”
After that change occurs, you can manually delete the user if needed.

0 0
replied on February 12 Show version history

That's the problem though, the SCIM Managed column still says yes, and I am unable to delete the user.

0 0
replied on February 12 Show version history

I will also add that when this user is active, they never get a license assigned even though they are in the pushed group from Okta and that group is part of the configured licensing rules.

0 0
replied two days ago

I’ve updated the original reply. Sorry for the confusion earlier. 

Regarding the license assignment, was the synchronization status updated?

0 0
replied two days ago Show version history

Thank you for the clarification. That explains what I am seeing. Out of curiosity, is the issue with deleting SCIM managed users in LF Cloud only with Okta or does it apply to all idPs? And is this feature in the plans to be added?

Regarding the license management, yes, the synchronization status did update. When I add the user back to the group in Okta, the user in LF Cloud becomes Active again, is showing as assigned to the group in LF Cloud but is not assigned a license.

0 0
replied two days ago

For Entra ID, the user can be deleted in Laserfiche Cloud after they are permanently deleted from the user directory in Entra ID. Currently we only support these two idPs.

We are actually evaluating this feature, although it’s not on our current roadmap. If you’re able to share more about your use case, it would help us review and possibly reprioritize it.


 

0 0
replied two days ago Show version history

We’re currently evaluating whether a move to Laserfiche Cloud is feasible for our organization, and one major concern is how SCIM provisioning works with Okta. Because we rely on Okta and have a high volume of users cycling in and out, the inability to fully delete SCIM‑managed accounts would leave us with thousands of Inactive users in Laserfiche. That would create unnecessary clutter and complicates our access audits, since inactive accounts would still technically exist and could be viewed as a security risk.

 

I don't believe this is unique to us. Many of the education institutions I work with would face the same issue—only at a much larger scale. Student accounts turn over every semester or year, and without true deprovisioning, they’d accumulate an enormous number of stale accounts if they used SCIM with Okta.

 

Another reason I think it would be important to have this feature is the inconsistency between identity providers. Since Laserfiche supports full SCIM deprovisioning for Entra ID, but not for Okta, that discrepancy makes it difficult to set clear expectations and creates an uneven experience across environments. Ideally, SCIM behavior should be standardized across all supported IdPs so organizations can plan their identity lifecycle management with confidence.

0 0
replied two days ago

Thanks for sharing the detailed context. It’s really helpful. We understand the challenges you described, especially around lifecycle management and the differences between identity providers.

We’re going to look into this feature further, and we’ll be sure to share any updates as soon as we have them. Your feedback is greatly appreciated and will help guide our next steps.

1 0

Replies

You are not allowed to reply in this post.
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...