Troubleshooting the SCIM Connector

This page describes how to investigate and resolve issues with the SCIM Connector.

Monitoring and Logging

Use your IAM/IGA provider's logs to trace SCIM requests, especially around provisioning and sync errors.

In the Delinea Platform, review SCIM connector logs and API diagnostics in Datadog or Azure Storage.

Monitor logs for common SCIM error codes such as:

  • 400: Bad Request (missing attributes, unsupported filters)
  • 401/403: Authentication/Authorization failures
  • 404: Resource not found
  • 409: Conflict (e.g., duplicate usernames)
  • 500: Internal Server Error

Maintain log retention for post-incident forensics.

Error Handling and Limitations

  • If SCIM Cloud is instructed to delete a user who has already been removed, or if you attempt to retrieve a previously deleted user by ID, the SCIM Connector logs a 404 error.
  • When creating a container or making a GET call to privileged data, if Secret Server is unreachable or temporarily down, SCIM Cloud cannot communicate with it. In this case, the SCIM Connector logs a 503 error.
  • The Delinea Platform prevents the creation of privileged data and privileged data permissions, as these actions are not supported by the SCIM Cloud Connector.
  • Retrieving a container, container permissions, privileged data, or privileged data permissions requires the service user to have Owner-level permissions. If the user lacks these permissions, the SCIM Connector logs a 403 error.
  • When deleting users via a SCIM call, the Delinea Platform permanently removes them. Deleted users are also removed from containers, privileged data, and groups.
  • Using an unsupported filter string in a query results in an error logged as Filter string '{0}' is not supported by Delinea. The {0} placeholder represents the unsupported filter. Update the query to use only supported filters.
  • The SCIM Cloud Connector does not support SCIM 2.0 Bulk Operations (the /Bulk endpoint per RFC 7644, Section 3.7). All user and group provisioning must be performed through individual SCIM operations. For guidance on large-scale onboarding, see SCIM Connector Best Practices in the Best Practices topic.

Common Error Messages from SCIM Cloud

Below are some typical error responses returned by the SCIM Cloud API:

Error Code | Error Message | Description
500 | Internal Server Error. | The SCIM Cloud server encountered an unexpected condition that prevents it from fulfilling the request. It indicates a problem within the SCIM Cloud service, not the request itself.
503 | Secret Server service unavailable. | Secret Server is unreachable or temporarily down, preventing SCIM Connector communication. Causes include network issues, service outages, or an incorrect base URL configuration.
404 | Resource '{0}' not found. | The requested resource (user, group, or container) does not exist in the system.
400 | Attribute '{0}' is required. | The SCIM request body does not contain the required attribute. Check the schema for the entity and provide all necessary attributes.
400 | The '{0}' attribute was invalid. | The attribute value does not meet the expected format, type, or validation rules.
400 | Attribute '{0}' is immutable and cannot be changed. | An attempt was made to modify a read-only attribute after creation. Such attributes can only be set during initial creation.
400 | Filter string '{0}' is not in proper format. | The filter expression is not correctly formatted. Check operators, attribute names, and value formatting.
400 | Filter string '{0}' is not supported by Delinea. | An unsupported filter string was used. Update the query to use only supported filters.
400 | Specified attribute and filter comparison combination is not supported. | The filter provided is invalid. Check the valid syntax and resend.
400 | A required value was missing, or the value specified was not compatible with the operation or attribute type, or resource schema. | The SCIM request body is not compatible with the resource schema, or required fields are missing.
400 | You are not authorized to perform this operation. Please contact your IT helpdesk. No additional diagnostic information is available. | An attempt was made to update the display name, email, or name of a federated or Active Directory user. Such updates are not permitted; the edit option is also disabled in the platform UI.
409 | Attribute '{0}' MUST be unique. | An attribute that requires uniqueness was duplicated. Provide a unique value.
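The following is an added example (not part of the Delinea documentation or product) showing how the status codes from the Monitoring section and the message templates from the table above can be turned into a triage routine for connector log lines. The JSON log format, the sample lines and the category names are constructed assumptions for illustration.

```python
import json
import re
from collections import Counter

# (message template from the error table, category, safe to retry unchanged?)
# Categories and retry flags are our own labels, not product-defined values.
TEMPLATES = [
    ("Secret Server service unavailable.", "upstream_down", True),
    ("Internal Server Error.", "server_error", True),
    ("Resource '{0}' not found.", "not_found", False),
    ("Attribute '{0}' is required.", "schema", False),
    ("The '{0}' attribute was invalid.", "schema", False),
    ("Attribute '{0}' is immutable and cannot be changed.", "schema", False),
    ("Filter string '{0}' is not in proper format.", "filter", False),
    ("Filter string '{0}' is not supported by Delinea.", "filter", False),
    ("Specified attribute and filter comparison combination is not supported.", "filter", False),
    ("Attribute '{0}' MUST be unique.", "conflict", False),
    ("You are not authorized to perform this operation. Please contact your IT helpdesk. "
     "No additional diagnostic information is available.", "federated_user_update", False),
]

def _to_regex(template):
    # '{0}' in the table is a placeholder; capture whatever the connector substituted.
    return re.compile("^" + "(.+?)".join(re.escape(p) for p in template.split("{0}")) + "$")

COMPILED = [(_to_regex(t), cat, retry) for t, cat, retry in TEMPLATES]

def triage(line):
    """Classify one JSON log line carrying a SCIM error body (status, detail)."""
    body = json.loads(line)
    status = int(body["status"])
    detail = body.get("detail", "")
    for rx, category, retry in COMPILED:
        m = rx.match(detail)
        if m:
            return {"status": status, "category": category, "retry": retry,
                    "placeholder": m.group(1) if m.groups() else None}
    # Unknown message text: fall back to the status-code classes from the Monitoring section.
    fallback = {401: "auth", 403: "permissions"}.get(status, "unclassified")
    return {"status": status, "category": fallback, "retry": status >= 500, "placeholder": None}

def summarize(lines):
    """Count categories across a batch of log lines, e.g. one sync run."""
    return Counter(triage(line)["category"] for line in lines)

SAMPLE_LOG = [  # constructed sample lines, not real connector output
    '{"status": "503", "detail": "Secret Server service unavailable."}',
    '{"status": "404", "detail": "Resource \'jdoe@example.com\' not found."}',
    '{"status": "409", "detail": "Attribute \'userName\' MUST be unique."}',
    '{"status": "400", "detail": "Filter string \'nickName pr\' is not supported by Delinea."}',
    '{"status": "403", "detail": "Forbidden"}',
]
```

A 404 on a delete is expected when the user was already removed (see Error Handling and Limitations), so callers can treat "not_found" as success for that operation while still alerting on it for GET requests.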