SCIM is a powerful tool for managing user identity information across various applications and services. It offers a uniform method to automate user provisioning and de-provisioning, ensuring consistent user data across all platforms. Frontegg supports user provisioning from external IdPs in accordance with SCIM standards and protocol. How user attributes and data synchronization are implemented varies between providers, which sometimes leads to errors during the synchronization process.
Provisioning users
The main user identifier in Frontegg is the user's email. When users are provisioned, either through automatic cycles or via on-demand provisioning, errors may occur due to user attribute validation on Frontegg's side, resulting in a Bad request error message. Errors reported by remote servers typically indicate that a user attribute’s data type differs from what is expected by Frontegg. For example, pushing a user with a timezone attribute from an external IdP may trigger an error. These errors will soon be reflected in Frontegg's monitoring logs to provide greater clarity.
Provisioning groups & users
User groups and group assignments are transmitted between the IdP and Frontegg using Add or Replace requests. Occasionally, an IdP may send a Replace request instead of an Add, which can cause issues such as users not syncing to Frontegg or not appearing in the correct user group synced from the IdP.
In such cases, when a user's group membership is not reflected in Frontegg after a provisioning cycle, it is recommended to check the monitoring logs for Group creation or Group updation requests. This will help identify the type of request that was sent from the IdP to Frontegg and determine why synced group members may be missing on Frontegg.
If a request to sync additional users to a group is sent as a Replace instead of an Add request, contact [email protected] to request that a flag accommodating this behavior be enabled. This flag will allow Frontegg to treat requests for adding group members as an addition rather than a replacement. This issue frequently occurs with Microsoft Entra; for more information, please refer to the relevant documentation here.
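The following added example (not Frontegg's code) shows why members go missing: it reads a SCIM 2.0 PatchOp body of the kind that appears in request logs, reports which operations target group members, and compares the resulting membership under standard replace semantics with the add-style handling described above. The sample payload, the member ids and the `replace_as_add` switch are constructed for illustration.

```python
import json

# Constructed sample: a SCIM 2.0 PatchOp body (RFC 7644) of the kind an IdP
# sends to add one user to a group, but using "Replace" instead of "Add".
SAMPLE_PATCH = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {"op": "Replace", "path": "members", "value": [{"value": "user-3"}]}
  ]
}
""")


def member_ops(patch):
    """Return (op, [member ids]) for every operation that targets members."""
    found = []
    for operation in patch.get("Operations", []):
        op = str(operation.get("op", "")).lower()  # IdPs vary in casing
        path = operation.get("path")
        value = operation.get("value")
        if path is None and isinstance(value, dict):
            value = value.get("members")  # path-less form: {"members": [...]}
        elif path != "members":
            continue
        if isinstance(value, list):
            found.append((op, [m["value"] for m in value if "value" in m]))
    return found


def apply_member_ops(current, patch, replace_as_add=False):
    """Apply add/replace member operations to a set of member ids.

    replace_as_add is a hypothetical switch modelling the behaviour the
    page describes: handle a member "replace" as an addition.
    """
    members = set(current)
    for op, ids in member_ops(patch):
        if op == "add" or (op == "replace" and replace_as_add):
            members |= set(ids)
        elif op == "replace":
            members = set(ids)  # standard semantics: existing members dropped
    return members


if __name__ == "__main__":
    before = {"user-1", "user-2"}
    print("standard:", sorted(apply_member_ops(before, SAMPLE_PATCH)))
    print("as add  :", sorted(apply_member_ops(before, SAMPLE_PATCH, True)))
```

Running `member_ops` over the body of a logged group update shows at a glance whether the IdP sent a replace where an add was intended.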
Troubleshooting Common SCIM Issues
Below are errors you may see in your IdP when provisioning is not successful:
Issue | Cause | Solution |
---|---|---|
User Already Exists (429 Conflict Error) | The user already exists on an external (Frontegg) account. | The user may have been provisioned before and first needs to be deleted from Frontegg. |
Bad Request Errors | Errors reported by the remote server during user profile push. | Check for data validation issues and ensure that required fields like "Email", "Primary email type" exist on the user and refer to Frontegg monitoring logs. |
Provisioning Quarantined (404 Not Found) | Incorrect tenant URL or non-compliance with SCIM protocol. | Verify the tenant URL and ensure it conforms to the SCIM protocol specifications. |
Updated 24 days ago