SCIM Bridge: /Groups returns inflated total Results

── Environment ──

- 1Password account: skedulo.1password.com

- SCIM Bridge: self-hosted on AWS (us-west-2), v2.9.14, domain 1pass.itops.skl.io

- Identity provider: Okta (Group Push)

- Bridge Status page: all components "Connected"

── Primary issue: GET /Groups pagination is broken (ongoing) ──

The bridge appears to return a hugely inflated totalResults on GET /Groups, so Okta

paginates into absurd offsets continuously. From the bridge's own logs:

- 2026-06-22: 32,172 GET /Groups requests, paginating startIndex=1 → 999,901

(27,478 requests beyond startIndex 100,000).

- 2026-06-23 (first ~7 hours): 11,638 GET /Groups requests, again paginating

startIndex=1 → 999,901 (10,250 beyond 100,000).

We have only a small number of groups, so the totalResults being reported is clearly wrong.

On deep pages the backend errors out:

- 2026-06-22T06:07:08Z — GET /Groups?startIndex=465001 → HTTP 500

upstream: "GetAllSCIMGroupsFiltered failed to Account.GetProvisioningAccountDetails,

Unknown: (502), An unknown error occurred."

- 2026-06-22T22:55:03Z — GET /Groups?startIndex=733201 → 499 (Okta timed out).

This looks related to the Redis cursor/pagination area (cf. PROV-796 referenced in the

2.9.14 notes). A restart did not help — the behaviour persisted across an instance

restart on 2026-06-22T02:43Z, so it appears to be backend/data state, not in-memory.

── Resulting symptom: one user won't sync into one group ──

A user could not be added to a 1Password group via Okta Group Push. The bridge returned

HTTP 500 on the membership write, so the user never lands in the group although Okta

reports success. We strongly suspect this is downstream of the broken group enumeration

above (reconciliation can't reliably read the group's membership).

- Affected user : Jia Dong ([email protected])

- Affected group: "CUST - Quatt"

- Error (Okta system log), 2026-06-22T01:52:48.319Z:

"Error while updating user group membership for group CUST - Quatt: Internal Server

Error. Errors reported by remote server: failed to update group: An application error

has occurred."

- Okta event UUID : 120c45df-6ddd-11f1-a880-e9f9f5f82d52

- GroupPushMapping ID : gPmuk5eeaqpISz27K697

- Okta UserGroup id : 00guk5eeanVRGPKyB697

- AppInstance id : 0oa3i93cagGKHQcXT697 (alternateId "1Password SCIM")

The user is active/managed in 1Password and syncs correctly into other pushed groups; other users added to "CUST - Quatt" the same day synced in fine.

── Ask ──

Please investigate why GET /Groups reports an inflated totalResults and why the backend(Account.GetProvisioningAccountDetails) 502s on deep pages, and correct the underlying group count / cursor state. 

Attached: a trimmed evidence excerpt from the bridge logs (scim_pagination_evidence.txt).

Full SCIM bridge logs (2026-06-22, 2026-06-23) and the pre-restart instance logs are available on request.

https://drive.google.com/drive/folders/1HoMu7vP3cD2iSRGIkvECQGNSWXVMpY8p?usp=drive_link