Troubleshoot SCIM Provisioning

Diagnose AuthOS SCIM authentication, provisioning, conflict, and synchronization failures

AuthOS release 0.8.2 TypeScript SDK 0.8.0 Latest-only documentation
Updated Jul 15, 2026 Edit this page
On this page

Start with the identity provider’s provisioning log and correlate failures with AuthOS organization and token activity. Do not expose a SCIM bearer token in logs, screenshots, or support messages.

Monitoring and Troubleshooting

Common Issues

Issue: “Invalid SCIM token” Error

Symptoms: IdP reports authentication failure

Solutions:

  • Verify token was copied completely (including scim_live_ prefix)
  • Check token hasn’t expired
  • Ensure token belongs to the correct organization
  • Verify HTTPS is used (HTTP will fail authentication)

Issue: Users Not Provisioning

Symptoms: Users assigned in IdP but not appearing in AuthOS

Solutions:

  1. Check IdP provisioning logs for errors
  2. Verify users are assigned to the application
  3. Confirm SCIM base URL is correct
  4. Check network connectivity from IdP to AuthOS
  5. Review firewall rules allowing IdP IP ranges

Issue: “User already exists” (409 Conflict)

Symptoms: IdP reports conflict when creating users

Solutions:

  • User exists in AuthOS (possibly manually created)
  • Delete existing user or configure IdP to update instead of create
  • Use IdP’s user matching features to link existing accounts

Issue: Slow Synchronization

Symptoms: Changes take hours to sync

Understanding Sync Cycles:

  • Okta: Real-time for explicit provisioning, 40 minutes for automatic sync
  • Azure AD: Initial sync 20-40 minutes, incremental every 40 minutes
  • OneLogin: Configurable, default 1 hour

Workarounds:

  • Force manual sync in IdP admin console
  • Reduce sync interval if supported by IdP
  • Use webhooks for real-time updates (if available)

Debugging Tips

Enable Verbose Logging in IdP

  • Okta: Navigate to ReportsSystem Log and filter by application
  • Azure AD: Use Provisioning logs under the application’s Provisioning section
  • OneLogin: Check ActivityEvents for provisioning events

Validate after a fix

Use direct endpoint checks and repeat create, update, deactivation, and group-membership scenarios.