The Okta and Workspace ONE Access SCIM integration currently has the following known issues.

Known Issue: When you push groups from Okta to Workspace ONE using the Push now command, you might get an error.

The Push now command's description is "Push this group's memberships to VMware Workspace ONE."

Solution: Click the Retry All Groups button.

Known Issue: When you delete a user in Okta, the user is deactivated in Workspace ONE Access. However, if you then recreate the user in Okta with the same attributes, the old user in Workspace ONE Access is updated instead of a new user being created.

Solution: If you delete a user from Okta, also delete the user from Workspace ONE Access using the SCIM API and from Workspace ONE UEM using the administration console.

To delete the user in Workspace ONE Access, use the following API:

DELETE /SAAS/jersey/manager/api/scim/Users/userID
Host: WorkspaceONEAccessTenantFQDN
Authorization: Bearer token

WorkspaceONEAccessTenantFQDN is your Workspace ONE Access tenant's fully qualified domain name, such as example.vmwareidentity.com, and userID is the user ID that you want to delete.

For example:

DELETE https://myaccess.example.com/SAAS/jersey/manager/api/scim/Users/123456

Known Issue: User groups created from Okta are associated with the System domain in Workspace ONE Access instead of the actual domain, and they are not associated with the directory that you created for Okta.

Solution: First, create the group with the correct domain name in Workspace ONE Access manually using the SCIM API, then link the group to the VMware Workspace ONE application in the Okta Admin console.

  1. Open a new tab in Postman.
  2. Add the authorization header.
  3. For the HTTP method, select POST.
  4. For the URL, enter:
    https://tenantURL/SAAS/jersey/manager/api/scim/Groups

    tenantURL is your Workspace ONE Access URL.

  5. Under Headers, set the Content-Type to:
    application/json
  6. Click the Body tab.
  7. For each group that you want to create, use the following as a sample and click Send.
    {
      "schemas": [
        "urn:scim:schemas:core:1.0",
        "urn:scim:schemas:extension:workspace:1.0"
      ],
      "displayName": "groupName",
      "urn:scim:schemas:extension:workspace:1.0": {
        "Domain": "domainName"
      }
    }

    groupName is the name of the group in Okta. domainName is the same domain that you used in Create a Directory of Type Other in Workspace ONE Access and that you set in Okta.

    The group is created in Workspace ONE Access and associated with the correct directory.

  8. In the Okta Admin console, verify that the group exists before continuing with the next steps.
  9. In the Okta Admin console, navigate to the VMware Workspace ONE application, and click Push Groups.
  10. Click Refresh App Groups to ensure Okta has a complete list of groups in Workspace ONE Access.
  11. Select Push Groups > Find Groups by Name.
  12. Enter the name of the group.
  13. Ensure that a match is found in Workspace ONE Access with the option to Link Group.
  14. Click Save.
  15. Verify that the group linking was successful.

The group can now sync with Workspace ONE Access.
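
The two SCIM calls on this page (the user DELETE and the group POST from steps 1 to 7) can also be prepared in a script instead of Postman. The following is an added example, not code from VMware or Okta: the function names are hypothetical, the tenant, token, group and domain values are constructed placeholders, and the bearer token is assumed to have been obtained separately.

```python
import json
import urllib.request
from urllib.parse import quote

SCIM_BASE = "/SAAS/jersey/manager/api/scim"  # path prefix shown on this page
CORE = "urn:scim:schemas:core:1.0"
WS_EXT = "urn:scim:schemas:extension:workspace:1.0"


def _request(tenant_fqdn, token, method, path, body=None):
    # Accept only a bare host name so the bearer token goes to the intended tenant over HTTPS.
    if not tenant_fqdn or any(c in tenant_fqdn for c in "/\\@?#: \r\n"):
        raise ValueError("tenant must be a bare FQDN")
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(f"https://{tenant_fqdn}{SCIM_BASE}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def build_group_create(tenant_fqdn, token, group_name, domain_name):
    """POST from step 7: create the group under the domain of the Okta directory."""
    body = {
        "schemas": [CORE, WS_EXT],
        "displayName": group_name,
        WS_EXT: {"Domain": domain_name},
    }
    return _request(tenant_fqdn, token, "POST", "/Groups", body)


def build_user_delete(tenant_fqdn, token, user_id):
    """DELETE for a user removed from Okta; the ID is encoded so it stays one path segment."""
    user_id = str(user_id)
    if user_id in ("", ".", ".."):
        raise ValueError("user_id is required")
    return _request(tenant_fqdn, token, "DELETE", "/Users/" + quote(user_id, safe=""))


def send(req, timeout=30):
    """Send a prepared request and return the HTTP status code."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed values: placeholder tenant, token, group and domain.
    r = build_group_create("myaccess.example.com", "TOKEN", "Engineering", "example.com")
    print(r.get_method(), r.full_url, r.data.decode())
```

Building the body with json.dumps avoids hand-edited JSON errors such as a trailing comma, and nothing is sent until send() is called on a prepared request.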