Troubleshooting Common Issues with SCIM

SCIM provisioning depends on synchronization between your Identity Provider (IdP) and Files.com. After changes to user attributes like email addresses or usernames, on-demand provisioning is the fastest way to push the update through.

Modifying the Email Address or User Name

When you change a user's email address, user principal name (UPN), or username after provisioning the user with SCIM, the update may not synchronize with Files.com immediately. Users can experience login difficulties until the IdP pushes the change on its synchronization interval. On-demand provisioning in your IdP propagates the change right away.

Issues with Duplicate User Names or Missing User Names

When you use Entra ID or another IdP with Create User On First Login enabled and do not have SCIM configured, you may see duplicate user records. The system interprets the updated UPN or email address as a new user.

When Create User On First Login is disabled and SCIM is not configured, attempting to change the UPN or primary email/username produces an error. The system does not recognize the new user entry being referenced.

SCIM with on-demand provisioning synchronizes username or email address changes between your IdP and Files.com cleanly and avoids both cases.

Issues with Deleting Users in Files.com

When an SSO-provisioned user is manually deleted from Files.com, the IdP or SCIM integration can fall out of sync. The IdP shows the users or groups as successfully provisioned, but they are not actually provisioned in Files.com. The way to restore an out-of-sync user is to deactivate and then reactivate the user within the IdP, which triggers user update requests to Files.com. Group provisioning tools within the IdP have not been effective in restoring users in this scenario.

Missing Groups or Group Memberships

Group provisioning and membership syncing via SCIM is automatic when the identity provider includes all required data in its provisioning payloads. During the initial sync, most IdPs send all users and groups that are within scope, along with their group memberships. After that, many IdPs such as Entra ID switch to a change-based or incremental provisioning approach where only recently modified users or groups appear in future syncs.

As a result, users may be created without all of their expected group memberships when those groups have not been updated recently. Some groups may not appear at all when the IdP does not include them in the SCIM request. This can happen due to unsupported group types, scoping rules, or metadata issues. In rare cases, a group that previously existed in Files.com and was deleted is not recreated unless the IdP sends it again in a future provisioning cycle.

Files.com processes all valid SCIM data it receives. To force a sync, update the group or user in your IdP, use any available on-demand provisioning feature, or apply changes through the IdP's API. Each of these prompts the IdP to include the object in its next sync cycle, where it is reprocessed. When the identity provider does not offer scalable or automated ways to trigger re-evaluation, manual updates may be the only available workaround.
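
A drift audit for the situations described above (users deleted in Files.com while the IdP still shows them as provisioned, and groups or memberships that never arrived), as an added example that is not Files.com code. The record shapes, the sample data, and the names `audit` and `norm` are assumptions; real exports from your IdP and from Files.com would need mapping into this shape.

```python
# Added example: drift audit between IdP intent and the target's actual state.
# Record shapes are assumptions (SCIM attribute names, not a Files.com export format).

def norm(value):
    # SCIM userName is case-insensitive (RFC 7643), so compare case-folded.
    # Applying the same rule to group names and members is an assumption.
    return value.strip().casefold()

def audit(idp_users, idp_groups, target_users, target_groups):
    expected = {norm(u["userName"]) for u in idp_users}
    present = {norm(u["userName"]) for u in target_users}
    actual = {norm(g["displayName"]): {norm(m) for m in g.get("members", [])}
              for g in target_groups}
    report = {
        # IdP says provisioned, target has no record (e.g. manual deletion).
        "missing_users": sorted(expected - present),
        # Target record the IdP no longer names (e.g. stale pre-rename username).
        "unexpected_users": sorted(present - expected),
        "missing_groups": [],
        "missing_memberships": [],
    }
    for group in idp_groups:
        members = actual.get(norm(group["displayName"]))
        if members is None:
            report["missing_groups"].append(group["displayName"])
            continue
        for member in sorted(norm(m) for m in group.get("members", [])):
            if member not in members:
                report["missing_memberships"].append((group["displayName"], member))
    return report

# Constructed sample data, not taken from any real tenant.
IDP_USERS = [{"userName": n} for n in (
    "alice@example.com", "bob@example.com", "carol.new@example.com", "erin@example.com")]
IDP_GROUPS = [
    {"displayName": "Finance", "members": ["alice@example.com", "bob@example.com"]},
    {"displayName": "Legal", "members": ["carol.new@example.com", "erin@example.com"]},
]
TARGET_USERS = [{"userName": n} for n in (
    "Alice@example.com", "bob@example.com", "carol@example.com")]
TARGET_GROUPS = [{"displayName": "Finance", "members": ["alice@example.com"]}]

if __name__ == "__main__":
    for finding, items in audit(IDP_USERS, IDP_GROUPS, TARGET_USERS, TARGET_GROUPS).items():
        print(f"{finding}: {items}")
```

Each finding maps to a fix named on this page: deactivate and reactivate a missing user in the IdP, or update the group or user so the IdP includes it in the next sync.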

Other Factors That Can Impact SCIM Provisioning

Several factors outside configuration can interfere with SCIM provisioning and lead to missing or incomplete results.

Throttling or rate limits imposed by the IdP may silently delay or skip provisioning actions during high-volume synchronization. Incomplete SCIM payloads, such as missing required attributes or identifiers, can cause provisioning failures. Scope filters or inclusion rules may unintentionally exclude certain users or objects. Misconfigured attribute mappings, outdated records, and deleted entries that are no longer reprocessed can also lead to unexpected behavior. When your IdP does not support on-demand provisioning, resolving such issues may require manual updates or restarting the synchronization cycle.