Start with the identity provider’s provisioning log and correlate failures with AuthOS organization and token activity. Do not expose a SCIM bearer token in logs, screenshots, or support messages.
Monitoring and Troubleshooting
Common Issues
Issue: “Invalid SCIM token” Error
Symptoms: IdP reports authentication failure
Solutions:
- Verify token was copied completely (including
scim_live_prefix) - Check token hasn’t expired
- Ensure token belongs to the correct organization
- Verify HTTPS is used (HTTP will fail authentication)
Issue: Users Not Provisioning
Symptoms: Users assigned in IdP but not appearing in AuthOS
Solutions:
- Check IdP provisioning logs for errors
- Verify users are assigned to the application
- Confirm SCIM base URL is correct
- Check network connectivity from IdP to AuthOS
- Review firewall rules allowing IdP IP ranges
Issue: “User already exists” (409 Conflict)
Symptoms: IdP reports conflict when creating users
Solutions:
- User exists in AuthOS (possibly manually created)
- Delete existing user or configure IdP to update instead of create
- Use IdP’s user matching features to link existing accounts
Issue: Slow Synchronization
Symptoms: Changes take hours to sync
Understanding Sync Cycles:
- Okta: Real-time for explicit provisioning, 40 minutes for automatic sync
- Azure AD: Initial sync 20-40 minutes, incremental every 40 minutes
- OneLogin: Configurable, default 1 hour
Workarounds:
- Force manual sync in IdP admin console
- Reduce sync interval if supported by IdP
- Use webhooks for real-time updates (if available)
Debugging Tips
Enable Verbose Logging in IdP
- Okta: Navigate to Reports → System Log and filter by application
- Azure AD: Use Provisioning logs under the application’s Provisioning section
- OneLogin: Check Activity → Events for provisioning events
Validate after a fix
Use direct endpoint checks and repeat create, update, deactivation, and group-membership scenarios.