Skip to main content
Documentation

Troubleshooting Common Issues with SCIM

SCIM provisioning depends on synchronization between your Identity Provider (IdP) and Files.com. After changes to user attributes like email addresses or usernames, on-demand provisioning is the fastest way to push the update through.

Modifying the Email Address or User Name

When you change a user's email address, user principal name (UPN), or username after provisioning the user with SCIM, the update may not synchronize with Files.com immediately. Users can experience login difficulties until the IdP pushes the change on its synchronization interval. On-demand provisioning in your IdP propagates the change right away.

Issues with Duplicate User Names or Missing User Names

When you use Entra ID or another IdP with Create User On First Login enabled and do not have SCIM configured, you may see duplicate user records. The system interprets the updated UPN or email address as a new user.

When Create User On First Login is disabled and SCIM is not configured, attempting to change the UPN or primary email/username produces an error. The system does not recognize the new user entry being referenced.

SCIM with on-demand provisioning synchronizes username or email address changes between your IdP and Files.com cleanly and avoids both cases.

Issues with Deleting Users in Files.com

When an SSO-provisioned user is manually deleted from Files.com, the IdP or SCIM integration can fall out of sync. The IdP shows the users or groups as successfully provisioned, but they are not actually provisioned in Files.com. The way to restore an out-of-sync user is to deactivate and then reactivate the user within the IdP, which triggers user update requests to Files.com. Group provisioning tools within the IdP have not been effective in restoring users in this scenario.

Missing Groups or Group Memberships

Group and membership data can go missing when your IdP does not include it in SCIM provisioning payloads. The two most common causes are missing group memberships and missing groups.

For Entra ID, these issues are specific to SCIM provisioning. If consistent group membership sync is critical for your environment, use LDAP provisioning instead. LDAP provisioning reads group membership directly from your LDAP directory on a scheduled basis, independent of Entra's incremental sync behavior.

Missing Group Memberships

Missing group memberships occur when an IdP switches to incremental syncing after the initial provisioning cycle. Entra ID, for example, only processes recently modified objects after the initial sync. A user provisioned after that point may not be added to their assigned groups if those groups have not been recently updated, because the IdP skips unchanged objects.

Missing Groups

Missing groups occur when the IdP does not send the group at all. This happens when the group type is unsupported, including Microsoft 365 groups or mail-enabled distribution lists in Entra ID, when the group falls outside the provisioning scope, or when the group contains invalid metadata.

Resolving Missing Data

Files.com creates or updates any valid group and membership data it receives. When data is missing, the IdP did not send it. To trigger reprocessing, modify the group or user in your IdP, use any available on-demand provisioning feature, or apply changes through the IdP's API. When the IdP does not support scalable re-evaluation, manual updates may be the only workaround.

Other Factors That Can Impact SCIM Provisioning

Several factors outside configuration can interfere with SCIM provisioning and lead to missing or incomplete results.

Throttling or rate limits imposed by the IdP may silently delay or skip provisioning actions during high-volume synchronization. Incomplete SCIM payloads, such as missing required attributes or identifiers, can cause provisioning failures. Scope filters or inclusion rules may unintentionally exclude certain users or objects. Misconfigured attribute mappings, outdated records, and deleted entries that are no longer reprocessed can also lead to unexpected behavior. When your IdP does not support on-demand provisioning, resolving such issues may require manual updates or restarting the synchronization cycle.