SCIM Provider not processing user and group deletions #20646

@ElBeenMachine

Describe the bug

I'm facing an issue on a couple of authentik deployments which I initially thought was down to my configuration on the app side, but after a couple of days of investigation, I feel the issue may be with authentik, or at least the way I have configured it.

I have an application (in this example I'll use Cloudflare) with a SAML provider and a SCIM backchannel provider. It successfully evaluates which users and groups should be synced TO Cloudflare, and I can confirm that the users and groups have been synced over, as well as any changes made to the respective entities.

The issue I am facing is that when a user or group is deleted in authentik, or just falls out of scope of the application, I would expect it to be deleted in the destination via SCIM. However, I am not seeing this behaviour at all. I have confirmed that this is not solely an issue with Cloudflare, and I cannot see any logs on authentik's side to suggest that any delete requests had been sent.

How to reproduce

  1. Create an application with a SCIM backchannel provider
  2. Sync a user or group
  3. Update the user or group and manually sync to confirm the user or group has been changed in the destination
  4. Remove the user or group from the scope of the application
  5. Manually sync again. The user will remain in the destination.

Expected behavior

When the user or group is deleted in the source (authentik), or removed from the scope of the application, I would expect it to also be removed from the destination. However, this is not seen at all, requiring me to manually delete these managed users or groups from the destination application.

Screenshots

No response

Additional context

On one of the applications where I would have expected the SCIM deletion request to be made, I could only see PATCH and PUT requests for the provisioning and updating of users. The users that fell out of scope were not creating any DELETE requests.

GET /v1/scim/v2/ServiceProviderConfig 200 326.897 ms - 556
PUT /v1/scim/v2/Users/8a95d1d0-1422-47da-9850-7aa1813bdebe 200 93.734 ms - 554
PUT /v1/scim/v2/Users/9d19b41e-12c9-48cd-9ff4-a214d44bc8f5 200 11.794 ms - 550
PUT /v1/scim/v2/Users/7d816329-87ef-41df-90c6-5720e5767d16 200 11.293 ms - 578
PUT /v1/scim/v2/Groups/bc3d024f-c7bb-410b-836f-049d44659501 200 78.853 ms - 528
GET /v1/scim/v2/Groups/bc3d024f-c7bb-410b-836f-049d44659501 200 11.416 ms - 528

Deployment Method

Kubernetes

Version

2026.0.2

Relevant log output

I do not know which logs would be helpful in this case, unfortunately. But I would be happy to provide them if someone could help point me in the right direction.
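An added example, not part of the original report and not authentik's code: one way to audit a destination's SCIM access log (in the format quoted under "Additional context") for accounts that were provisioned but never deprovisioned. The sample log, the resource IDs and the `in_scope` set are constructed for illustration; in practice the in-scope set would come from the identity provider's current assignment list.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the access log quoted in the issue
# (method, path, status, response time, size). All IDs are made up.
SAMPLE_LOG = """\
GET /v1/scim/v2/ServiceProviderConfig 200 12.100 ms - 556
PUT /v1/scim/v2/Users/00000000-0000-4000-8000-000000000001 200 93.734 ms - 554
PUT /v1/scim/v2/Users/00000000-0000-4000-8000-000000000002 200 11.794 ms - 550
PATCH /v1/scim/v2/Groups/00000000-0000-4000-8000-0000000000a1 200 9.100 ms - 528
DELETE /v1/scim/v2/Users/00000000-0000-4000-8000-000000000003 204 8.300 ms - -
DELETE /v1/scim/v2/Users/00000000-0000-4000-8000-000000000004 500 8.300 ms - 120
"""

# Matches only per-resource calls (Users/<id>, Groups/<id>), not discovery endpoints.
LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) \S*/scim/v2/(?P<kind>Users|Groups)/(?P<id>[^/\s?]+) (?P<status>\d{3})\b"
)

def summarize(log_text):
    """Return {(kind, id): {method: [status, ...]}} for per-resource SCIM calls."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[(m["kind"], m["id"])][m["method"]].append(int(m["status"]))
    return seen

def stale_resources(log_text, in_scope):
    """Resources seen in the log that are no longer in scope and for which
    no successful (2xx) DELETE was logged, i.e. candidates for orphaned access."""
    stale = []
    for key, methods in summarize(log_text).items():
        # A DELETE that returned an error does not count as deprovisioned.
        deleted = any(200 <= s < 300 for s in methods.get("DELETE", []))
        if key not in in_scope and not deleted:
            stale.append(key)
    return sorted(stale)

if __name__ == "__main__":
    scope = {("Users", "00000000-0000-4000-8000-000000000001"),
             ("Groups", "00000000-0000-4000-8000-0000000000a1")}
    for kind, rid in stale_resources(SAMPLE_LOG, scope):
        print(f"still present in destination, no successful DELETE: {kind}/{rid}")
```

Anything this reports is an account or group that still holds access in the destination after the identity provider stopped managing it, and needs manual removal until deletions are propagated.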

Labels: bug, triage
