Fix SCIM bridge PUT loop and excluded user names overwrite #1080
Merged
SachaProbo merged 1 commit into main from Apr 21, 2026
Two bugs caused SCIM sync failures:

1. buildUserPayload conditionally omitted empty fields. When a field was cleared in the identity provider, the PUT payload didn't include it, so the SCIM handler never cleared the stored value. The bridge kept detecting a mismatch every sync cycle, causing a perpetual PUT loop. Fix: always include all fields unconditionally.

2. ListUsers ignored the startIndex parameter — the cursor always started from nil, so every page returned the same first N users. Organizations with more than 100 SCIM-managed users never got a full listing; users beyond the first page appeared missing, causing CreateUser calls that failed with 409 (uniqueness conflict) and eventually disabled the bridge. Fix: replace cursor-based pagination with OFFSET/LIMIT to honor SCIM's 1-based startIndex.

Signed-off-by: Sacha Al Himdani <sacha@getprobo.com>
Two issues:

1. buildUserPayload conditionally omitted fields when empty (externalId, userType, preferredLanguage, all enterprise fields). When a field was cleared in Google, the PUT payload didn't include it, so the SCIM handler never cleared the stored value. The comparison kept detecting a mismatch, causing a PUT on every sync cycle. Always include all fields so cleared values propagate correctly.
2. The bridge runner wrote all columns (including excluded_user_names) back on sync completion, overwriting changes made via the UI during the sync window. Add UpdateSyncState that only writes sync-related columns.
Summary by cubic
Fixes the SCIM bridge PUT loop on cleared fields, prevents excluded_user_names overwrites during sync, and makes SCIM pagination honor startIndex. Cleared values now persist, UI changes stick, and user listings page correctly.

- pkg/iam/scim/bridge/client, buildUserPayload now unconditionally sets core and enterprise fields (including empty) so cleared values propagate and stop repeated PUTs.
- UpdateSyncState in pkg/coredata/scim_bridge and updated pkg/iam/scim/bridge_runner_state to write only sync-related columns, preventing excluded_user_names overwrites.
- pkg/iam/scim/service, ListUsers replaces cursor paging with SCIM startIndex/count and uses pkg/coredata/membership_profile.LoadAllByOrganizationID to build pages, fixing repeated first pages and missing users.

Written for commit a622c61. Summary will update on new commits.
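
The pagination failure described in the commit message above, as an added Go example that is not code from this pull request: a listing that ignores `startIndex` is walked by a client next to one that maps the 1-based `startIndex` to an OFFSET. The names `listUsers` and `unseenAfterWalk`, and the integer ids standing in for user resources, are assumptions made for illustration.

```go
package main

import "fmt"

// listUsers serves one page of a stably ordered store and returns it with
// totalResults. honorStartIndex=false models the bug: every page starts at
// the first user. count is assumed to be non-negative.
func listUsers(store []int, startIndex, count int, honorStartIndex bool) ([]int, int) {
	if startIndex < 1 { // RFC 7644: a startIndex below 1 is interpreted as 1
		startIndex = 1
	}
	offset := startIndex - 1 // 1-based startIndex -> 0-based OFFSET
	if !honorStartIndex {
		offset = 0
	}
	if offset > len(store) {
		offset = len(store)
	}
	end := offset + count // LIMIT
	if end > len(store) {
		end = len(store)
	}
	return store[offset:end], len(store)
}

// unseenAfterWalk pages through the listing the way a SCIM client would and
// returns how many stored users never appeared in any page.
func unseenAfterWalk(store []int, count int, honorStartIndex bool) int {
	seen := map[int]bool{}
	for start := 1; ; {
		page, total := listUsers(store, start, count, honorStartIndex)
		for _, id := range page {
			seen[id] = true
		}
		start += len(page)
		if len(page) == 0 || start > total {
			break
		}
	}
	return len(store) - len(seen)
}

func main() {
	store := make([]int, 250) // constructed sample: user ids 1..250
	for i := range store {
		store[i] = i + 1
	}
	fmt.Println("unseen, startIndex ignored:", unseenAfterWalk(store, 100, false))
	fmt.Println("unseen, startIndex honored:", unseenAfterWalk(store, 100, true))
}
```

OFFSET/LIMIT paging returns each user exactly once only when the underlying query has a stable ORDER BY; the slice order plays that role here.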