Frequently Asked Questions About SCIM Connector

This page provides a list of frequently asked questions regarding the SCIM Connector.

Why is token retrieval required?

Token retrieval is required because it:

  • Confirms the service account and custom SCIM role are configured correctly.

  • Confirms the OAuth client is active and accepting credentials.

  • Confirms the correct scope (xpm.platform).

  • Confirms the tenant URL is correct.

  • Prevents authentication failures in SailPoint later.
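The checks above can be scripted so that a retrieved token is inspected before any SailPoint configuration is touched. The following is an added example, not code from Delinea or the page: it builds a client_credentials token request against the tenant URL and then decodes the returned JWT (without signature verification, which the Platform itself performs) to confirm the xpm.platform scope and that the token has not expired. The token endpoint path, the assumption that the token is a JWT carrying standard scope and exp claims, and the client_credentials grant are assumptions; substitute your tenant's real endpoint.

```python
"""Sanity-check an OAuth token retrieved for the SCIM connector before
configuring SailPoint. Added example, not part of Delinea's documentation.

Assumptions (not from the page): TOKEN_ENDPOINT_PATH is a placeholder, the
token is a JWT with standard 'scope' and 'exp' claims, and the OAuth client
uses the client_credentials grant."""
import base64
import json
import time
import urllib.parse
import urllib.request

REQUIRED_SCOPE = "xpm.platform"              # scope named in the FAQ
TOKEN_ENDPOINT_PATH = "/PLACEHOLDER/token"   # placeholder: use your tenant's real path


def build_token_request(tenant_url, client_id, client_secret, scope=REQUIRED_SCOPE):
    """Return (url, form-encoded body) for a client_credentials request.
    A wrong tenant URL shows up here as a failed or misrouted request."""
    url = tenant_url.rstrip("/") + TOKEN_ENDPOINT_PATH
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def fetch_token(tenant_url, client_id, client_secret):
    """POST the request and return the parsed JSON response (needs network).
    A 401/403 here points at the service account, role or client status."""
    url, body = build_token_request(tenant_url, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def decode_claims(jwt):
    """Payload claims of a JWT, read without verifying the signature.
    Inspection only: the Platform verifies signatures, this script does not."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(jwt, now=None):
    """Map the FAQ's scope and validity concerns to pass/fail flags."""
    now = time.time() if now is None else now
    claims = decode_claims(jwt)
    scopes = set(str(claims.get("scope", "")).split())
    exp = claims.get("exp")
    return {
        "has_required_scope": REQUIRED_SCOPE in scopes,
        "not_expired": exp is not None and exp > now,
        "extra_scopes": sorted(scopes - {REQUIRED_SCOPE}),
    }


def make_unsigned_jwt(claims):
    """Constructed test token (alg none, empty signature); not a Platform token."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    # Offline demonstration on a constructed token; swap in fetch_token(...)['access_token']
    # once the tenant URL and client credentials are known.
    sample = make_unsigned_jwt({"scope": "xpm.platform", "exp": int(time.time()) + 3600})
    print(check_token(sample))
```

If has_required_scope is False the OAuth client was issued a token for the wrong scope; if not_expired is False the clock or token lifetime is the problem. Either finding is cheaper to fix now than as a failed authentication inside SailPoint.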

What is the difference between the current SCIM Connector On-Prem and SCIM Cloud Connector?

The following table highlights the key differences between Delinea’s SCIM Cloud Connector and the On-Prem SCIM Connector, helping you understand when to use each solution based on deployment, performance, and operational requirements.

| Feature | SCIM Cloud Connector | On-Prem SCIM Connector | Notes / Recommendation |
|---|---|---|---|
| Deployment & Network | SaaS-based, fully hosted by Delinea. Integrates with cloud IAM/IGA providers without requiring firewall changes. | Installed on customer's private network. Requires public exposure for cloud IAM integrations, adding complexity and security concerns. | SCIM Cloud is simpler and more secure for cloud IAM. |
| Configuration & Log Storage | Uses cloud services (Datadog for monitoring/logging, Azure Storage for configuration). No local storage required. | Configuration and logs stored locally on the host machine. | SCIM Cloud centralizes and simplifies monitoring. |
| Installation & Updates | Multi-tenant, centrally managed by Delinea. Updates and patches are automatic. Tenant separation is enforced by Tenant IDs. | Each customer installs and manages independently. Updates must be applied manually. | SCIM Cloud reduces operational overhead. |
| Configuration Process | Streamlined: create a service account with least-privilege permissions, configure IAM with SCIM URL and credentials. No UI; all configuration is via API/IAM platform. | Requires multiple manual steps within the customer's environment. | SCIM Cloud is faster to configure. |
| Data Retrieval & Performance | Direct API calls to the Delinea Platform, improving efficiency and reducing latency. Limited subset of supported filters (only eq and co). | Retrieves data from Secret Server reports, stores it in an in-memory SQLite DB, then applies filters; less efficient. | SCIM Cloud is higher performing for supported use cases. |
| Source of Users & Groups | Managed through Platform Identity via SCIM Cloud. | Managed directly in Secret Server. | Choose based on whether the IAM integration targets Platform Identity or Secret Server. |
| Maintenance & Redundancy | Availability, scaling, and redundancy managed by Delinea. | High availability must be configured and managed by the customer. | SCIM Cloud recommended for reliability. |
| Security | Uses least-privilege SCIM service accounts; no local exposure. | Same principle, but exposed locally on customer network. | SCIM Cloud reduces attack surface. |

Recommendation: Use SCIM Cloud Connector whenever possible for cloud IAM/IGA integrations due to simplicity, security, and managed infrastructure. On-Prem SCIM Connector should only be used if a local installation is strictly required.

Why am I getting an Access Denied error when updating container permissions?

When performing a Container update request, adding or removing a secret’s Privileged Data is permitted only if the service user has Owner-level permission for that secret. If the user lacks Owner-level permission, the SCIM API returns an Access Denied error.

Accessing the Get All Containers and Get All Container Permissions APIs requires the user to have Owner-level permissions on the corresponding containers. If a service account has Owner-level permissions on only specific folders, the APIs will return only those folders. If the account has no permissions on any folders, no folders will be returned in SailPoint.

Accessing the Get All PrivilegedData APIs requires the user to have Owner-level permissions on the corresponding secret. If a service account has Owner-level permissions on only specific secrets, the APIs will return only those secrets. If the account has no permissions on any secrets, no Privileged Data will be returned in the IGA/IAM Provider.

What if I am missing a group in Secret Server after syncing with IGA/IAM Provider?

In certain scenarios, some groups may not appear in the Secret Server Groups section. This typically occurs when the groups are not yet synchronized with the Secret Server on the Platform. To address this, the Secret Server on the Delinea Platform provides a synchronization feature that allows administrators to sync all platform groups with Secret Server.

If any group is missing from the list, you can manually edit or add groups in the platform before initiating a sync.

Steps to edit or add missing groups

  1. Log in to the Platform using an administrator account.
  2. Navigate to Access > Groups.
  3. Review the existing groups to confirm if the group is already created but may need to be updated.
  4. Click on the desired group name from the grid to open its details, then select the Edit button to update the group’s Name or Description.
  5. After making the changes, click Save. Once saved, the updated group will automatically sync with Secret Server and your IAM/IGA Provider.
  6. To add a new group, click Add Group, provide the required details (Name, Description), then save.
  7. To manage group membership, open the newly created group, go to the Members tab, and add or remove members as needed.
  8. To add new members, click Assign Member, then select and add the desired members.
  9. To remove members from the group, select the members you want to remove, then click Unassign.

Steps to sync all Platform Groups with Secret Server

  1. Log in to the Platform using an administrator account.
  2. Navigate to Access > Groups.
  3. In the Secret Server section, click Platform Groups Sync.
  4. You will be redirected to the Platform Groups Sync page, where you can view all platform groups as well as any groups missing in the Secret Server.
  5. Click the Sync Now button.
  6. After syncing, all platform groups will be synchronized between the platform and Secret Server.

How does folder permission support work for users and groups?

Delinea SCIM Cloud supports assigning Users or Groups to folders with defined rights using the ContainerPermissions endpoint. While SCIM supports arrays of rights, the Delinea Platform only accepts the first right listed. Any additional rights in the array are ignored.
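Two of the caveats on this page are easy to trip over silently: a container update that is refused with Access Denied because the service account is not an Owner of the target (the "Access Denied" question above), and a ContainerPermissions payload whose second and later rights are dropped without error. The following is an added example, not Delinea's code, of a pre-flight check that covers both before a request is sent. It relies on one fact the page states: Get All Containers returns only the containers the service account has Owner-level permission on, so that response doubles as the set of containers the account may update. The `Resources` attribute is the standard SCIM ListResponse field; the `rights` attribute name, the member identifier, and the sample right names are constructed assumptions rather than the Platform's schema.

```python
"""Pre-flight checks for a ContainerPermissions assignment.
Added example, not Delinea's code. Assumptions: the attribute names
'container_id', 'member' and 'rights', and the right names used in the
sample data, are constructed, not the Platform's schema."""


def visible_container_ids(containers_response):
    """Container IDs from a Get All Containers (SCIM ListResponse) result.
    The API returns only containers the service account owns, so this set is
    also the set of containers the account can update without Access Denied."""
    return {c["id"] for c in containers_response.get("Resources", [])}


def effective_right(rights):
    """The Platform honours only the first right in the array."""
    if not rights:
        raise ValueError("rights array is empty; nothing would be assigned")
    return rights[0]


def plan_permission_update(container_id, member, rights, owned_ids):
    """Describe what a ContainerPermissions request would actually do."""
    return {
        "container_id": container_id,
        "member": member,
        "would_be_access_denied": container_id not in owned_ids,
        "effective_right": effective_right(rights),
        "ignored_rights": list(rights[1:]),   # silently dropped by the Platform
    }


def plan_batch(requests, containers_response):
    """Plan a list of (container_id, member, rights) tuples and collect the
    ones that would fail or lose rights, so they can be fixed up front."""
    owned = visible_container_ids(containers_response)
    plans = [plan_permission_update(c, m, r, owned) for c, m, r in requests]
    problems = [p for p in plans if p["would_be_access_denied"] or p["ignored_rights"]]
    return plans, problems


if __name__ == "__main__":
    # Constructed sample: the service account owns c-1 and c-2 only.
    sample_containers = {"Resources": [{"id": "c-1"}, {"id": "c-2"}]}
    sample_requests = [
        ("c-1", "group-42", ["View"]),            # fine
        ("c-2", "user-7", ["View", "Edit"]),      # "Edit" would be ignored
        ("c-3", "user-9", ["Owner"]),             # not owned: Access Denied
    ]
    _, issues = plan_batch(sample_requests, sample_containers)
    for p in issues:
        print(p)
```

The practical reading of the report: a request flagged would_be_access_denied needs the service account granted Owner on that container (or the request removed), and a request with a non-empty ignored_rights list should be reduced to the single right the integration actually intends, listed first.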

Will role support be available in the SCIM Cloud Connector?

Role support is planned for a future release and will be added once SCIM Cloud enters public preview. This will include support for:

  • Get Roles
  • Get Role by ID

These capabilities are part of the SCIM Roles and Entitlements Extension, but Delinea has not yet implemented these endpoints.

Can SCIM metadata be provisioned externally?

SCIM metadata (meta.created, meta.lastModified, meta.version, meta.location) cannot be provisioned externally. The Delinea SCIM Cloud automatically generates metadata values based on object creation and modification events within the Platform.

Any metadata provided by an external IGA/IAM system is ignored.