Open
Labels
enhancement, env - production, scim, user groups, user management
Description
References
- Source comment: SCIM Provisioning does not remember previous users #17628 (comment)
- Related issue: SCIM Provisioning does not remember previous users #17628
Problem
Currently, when SCIM is disabled, any users that were provisioned via SCIM remain in the system, and there is no clear way to remove or convert them.
As shown in the video attached here, disabling SCIM does not affect already-provisioned users in any way. There is also no UI or workflow to manage their lifecycle after SCIM is turned off.
As a result, once SCIM is enabled at least once, SCIM-provisioned users appear to be effectively permanent.
Expected behavior
When an admin disables SCIM, the system should explicitly handle the fate of SCIM-provisioned users.
At minimum, the admin should be offered one of the following options:
- Convert SCIM-provisioned users into regular users
  - Users remain in the system.
  - They are no longer synced with the IdP.
  - SCIM metadata is cleared or marked inactive.
  - Re-enabling SCIM later must be handled carefully (re-link vs re-provision).
- Remove SCIM-provisioned users
  - All users that were created via SCIM are deleted (or soft-deleted).
  - Clear warning should be shown before confirming this action.
Current behavior
- SCIM-provisioned users remain after SCIM is disabled.
- No conversion or removal mechanism exists.
- No indication is given to the admin about what happens to these users.
- Users appear to be “stuck” indefinitely once SCIM has been enabled.
Acceptance criteria
- Disabling SCIM triggers an explicit decision about SCIM-provisioned users
- Admin can choose between converting users or removing them
- The chosen behavior is applied consistently
- Re-enabling SCIM does not lead to duplicated or orphaned users
- Behavior is clearly communicated in the UI
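The lifecycle requested above, sketched as an added example that is not part of the original issue or the project's code. The `Directory` and `User` classes, their field names, and the choice to re-link by SCIM `externalId` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    username: str
    external_id: Optional[str] = None  # SCIM externalId from the IdP (hypothetical field)
    scim_managed: bool = False         # True while the IdP is syncing this user
    deleted: bool = False              # soft-delete flag

class Directory:
    def __init__(self):
        self.users = []
        self.scim_enabled = True

    def provision(self, username, external_id):
        """SCIM create: re-link a known externalId instead of duplicating it."""
        if not self.scim_enabled:
            raise RuntimeError("SCIM is disabled")
        for u in self.users:
            if u.external_id == external_id and not u.deleted:
                u.scim_managed = True  # converted user is re-linked, not re-created
                return u
        u = User(username, external_id, scim_managed=True)
        self.users.append(u)
        return u

    def disable_scim(self, policy):
        """Disabling forces an explicit decision: 'convert' or 'remove'."""
        if policy not in ("convert", "remove"):
            raise ValueError("choose 'convert' or 'remove'")
        affected = [u for u in self.users if u.scim_managed and not u.deleted]
        for u in affected:
            u.scim_managed = False     # metadata marked inactive, externalId kept
            if policy == "remove":
                u.deleted = True       # soft-delete instead of hard delete
        self.scim_enabled = False
        return len(affected)           # count to show in the confirmation UI

    def enable_scim(self):
        self.scim_enabled = True

    def active(self):
        return [u for u in self.users if not u.deleted]
```

Keeping the `externalId` on converted users is what lets a later re-enable re-link accounts; clearing it instead would require matching on another attribute such as username or email.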