"Unable to update Group Push mapping target" error when syncing Okta groups to workspace

You cannot SCIM sync users and groups directly to the workspace when identity federation is enabled.

Written by sivaprasad.cs

Last published at: May 5th, 2023

Problem

You enable identity federation (AWS | Azure) on your Databricks workspace.

You are trying to push Okta groups to your workspace via SCIM, but get an Unable to update Group Push mapping target error.

Failed on 07-13-2022 07:10:58PM UTC: Unable to update Group Push mapping target App group
databricks_prod_admins: Error while creating user group databricks_prod_admins: Bad Request. Errors
reported by remote server: Request is unparsable, syntactically incorrect, or violates schema.

Cause

When identity federation is enabled in your workspace, you cannot SCIM sync users and groups directly to the workspace. Users and groups should be centrally managed in the account-level SCIM application. 

Solution

You should disable workspace SCIM sync in the Okta application.

  1. Navigate to your per-workspace application in the Okta configuration settings.
  2. Click the workspace application name (for example, Databricks Workspace Level SCIM Application).
  3. Click Provisioning.
  4. In the Settings drop down menu, click Configure API Integration..
  5. Click Edit.
  6. Remove the check mark for Enable API Integration.
  7. Click Save.