Troubleshooting Common Issues with SCIM
When troubleshooting SCIM provisioning issues, make sure your Identity Provider (IdP) and Files.com stay synchronized, especially after changes to user attributes such as email addresses or usernames. Using on-demand provisioning helps update user information promptly.
Modifying the Email Address or User Name
If you modify a user's email address, user principal name (UPN), or username after provisioning the user with SCIM, the update may not be synchronized with Files.com immediately. As a result, the user may experience login difficulties until your Identity Provider (IdP) pushes the change according to its synchronization interval. To mitigate this issue, we suggest using the on-demand provisioning capabilities of your IdP to provision and propagate these changes promptly.
Issues with Duplicate User Names or Missing User Names
If you are using Entra ID or another IdP with Create User On First Login enabled and do not have SCIM configured, you may encounter an issue where duplicate user records are created. This occurs because the system interprets the updated UPN or email address as a new user entry. On the other hand, if Create User On First Login is disabled and SCIM is not configured, you may see an error when attempting to change the UPN or primary email/username. This error occurs because the system does not recognize the new user entry that is being referenced. To avoid such cases, we recommend using SCIM and on-demand provisioning to properly synchronize user name or email address changes between your IdP and Files.com.
Issues with Deleting Users in Files.com
When an SSO-provisioned user is manually deleted from Files.com, the IdP or SCIM integration can fall out of sync: the IdP shows that the users or groups were successfully provisioned/pushed, but they are not actually provisioned in Files.com. If this happens, the only way to restore an out-of-sync user in Files.com is to deactivate and then reactivate the user within the IdP, which triggers user update requests to Files.com. Group provisioning tools within the IdP have not been effective in restoring users in this scenario.
Missing Groups or Group Memberships
Group provisioning and membership syncing via SCIM is intended to be seamless and automatic, assuming the identity provider (IdP) includes all required data in its provisioning payloads. During the initial sync, most IdPs send all users and groups that are within scope, along with their group memberships. After that, many IdPs, such as Entra ID, switch to a change-based (incremental) provisioning model in which only recently modified users or groups are included in future syncs.
As a result, users may be created without all of their expected group memberships if those groups have not been updated recently. Similarly, some groups may not appear at all if the IdP does not include them in the SCIM request. This can happen due to unsupported group types, scoping rules, or metadata issues. In rare cases, a group that previously existed in Files.com and was deleted might not be recreated unless the IdP sends it again in a future provisioning cycle.
Files.com processes all valid SCIM data it receives. To ensure data is synced as expected, you can update the group or user in your IdP, use any available on-demand provisioning feature, or apply changes through the IdP's API. Each of these approaches prompts the IdP to include the object in the next sync cycle, which triggers reprocessing. If the identity provider does not offer scalable or automated ways to trigger re-evaluation, manual updates may be the only available workaround.
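Because incremental syncs can leave users, groups, or memberships silently missing, it helps to compare what the IdP intends with what was actually provisioned. The following is an added example, not Files.com or IdP code: it diffs an IdP export against SCIM User and Group resources read back from the target and reports missing users, unpropagated username changes, missing groups, and missing memberships. It assumes users are matched on the SCIM `externalId` attribute and groups on `displayName`; the input shapes and all sample values are constructed for illustration.

```python
def find_drift(expected, actual_users, actual_groups):
    """Compare IdP intent with SCIM resources read back from the target."""
    # Assumption: externalId is the IdP's stable key; userName may change.
    by_ext = {u["externalId"]: u for u in actual_users if u.get("externalId")}
    # SCIM group members reference the target's own user "id".
    id_to_ext = {u["id"]: ext for ext, u in by_ext.items()}
    groups = {g["displayName"]: g for g in actual_groups}
    drift = {"missing_users": [], "stale_usernames": [],
             "missing_groups": [], "missing_memberships": []}
    for user in expected["users"]:
        found = by_ext.get(user["externalId"])
        if found is None:
            drift["missing_users"].append(user["externalId"])
        elif found["userName"].lower() != user["userName"].lower():
            # Rename in the IdP has not reached the target yet.
            drift["stale_usernames"].append(
                (user["externalId"], found["userName"], user["userName"]))
    for group in expected["groups"]:
        found = groups.get(group["displayName"])
        if found is None:
            drift["missing_groups"].append(group["displayName"])
            continue
        present = {id_to_ext.get(m["value"]) for m in found.get("members") or []}
        for ext in group["members"]:
            if ext not in present:
                drift["missing_memberships"].append((group["displayName"], ext))
    return drift

# Constructed sample data: IdP export (intent) and target state (actual).
EXPECTED = {
    "users": [
        {"externalId": "u-1", "userName": "alice.new@example.com"},
        {"externalId": "u-2", "userName": "bob@example.com"},
        {"externalId": "u-3", "userName": "carol@example.com"},
    ],
    "groups": [
        {"displayName": "Finance", "members": ["u-1", "u-2"]},
        {"displayName": "Auditors", "members": ["u-2"]},
    ],
}
ACTUAL_USERS = [
    {"id": "101", "externalId": "u-1", "userName": "alice@example.com"},
    {"id": "102", "externalId": "u-2", "userName": "bob@example.com"},
]
ACTUAL_GROUPS = [{"id": "9", "displayName": "Finance", "members": [{"value": "101"}]}]

if __name__ == "__main__":
    for kind, items in find_drift(EXPECTED, ACTUAL_USERS, ACTUAL_GROUPS).items():
        print(kind, items)
```

Each reported item is an object to update in the IdP or push with on-demand provisioning so that it is included in the next sync cycle.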
Other Factors That Can Impact SCIM Provisioning
SCIM provisioning with Files.com is intended to be seamless and automatic, assuming the IdP includes all required data in its provisioning payloads. However, several other factors outside of configuration can also interfere with this process and lead to missing or incomplete provisioning.
These issues include throttling or rate limits imposed by the IdP, which may silently delay or skip provisioning actions during high-volume synchronization. Incomplete SCIM payloads, such as those missing required attributes or identifiers, can result in provisioning failures. Scope filters or inclusion rules may unintentionally exclude certain users or objects. Misconfigured attribute mappings, outdated records, and deleted entries that are no longer reprocessed can also lead to unexpected behavior. If your IdP does not support on-demand provisioning, resolving such issues may require manual updates or restarting the synchronization cycle.