![Logo (Black Text)-1.svg]](https://support.haystackteam.com/hubfs/Logo%20(Black%20Text)-1.svg){kind=small}
SCIM Troubleshooting 🛠️
Running into issues with your SCIM? We're here to help! 🦸♀️
📌 We have included a form for you to fill out. We realize you may not have all of the details but we do appreciate you being as thorough as possible. As soon as you submit the form, the information will be forwarded to our team and we'll help you as quickly as possible. Click here to submit your responses.
1. What's Happening? Provide an Affected User Example
A specific example is worth a thousand general descriptions! Giving us the details of one affected user allows us to trace the issue directly in our logs.
What we need:
-
The Name and/or Email Address of a single user experiencing the issue.
-
A clear description of what they have in your Identity Provider (IdP) (like Okta or Microsoft Entra ID).
-
A clear description of what they currently have on our platform (the desired state, or the particular problem they are experiencing).
| Example Problem | IdP Status | Platform Status (The Problem) |
| User not logging in: | Active, email: jdoe@example.com |
Account not found on platform. |
| Incorrect attribute: | startDate: 2025-01-15 |
startDate shows 2024-06-01 on platform. |
| De-provisioning failed: | Deactivated (Suspended) | Still Active on platform. |
2. Share Your Attribute Mapping Details
Attribute mappings tell your IdP exactly how to translate user data into a format our platform can understand. When a sync fails, the mappings are one of the first things we need to check.
While a summary screenshot of all your mappings is nice, the most crucial piece of information is the SCIM Property Path for the affected attribute. This is the technical name our system uses.
What we need:
A screenshot or a copy/paste of the full, technical SCIM property path for the attribute in question.
-
Look for values that look like this:
urn:ietf:params:scim:schemas:extension:haystack:2.0:User:startDate -
In some IdPs, this path may be split into two lines:
-
Object Path (e.g.,
urn:ietf:params:scim:schemas:extension:haystack:2.0:User) -
Property Name (e.g.,
startDateorfirstName)
-
A detailed view of the mapping settings will ensure we can confirm your settings are correctly configured for our SCIM endpoint.
3. Help Us Pinpoint the Timing
Knowing when an issue started—or when things were last working correctly—is incredibly important. This allows us to zero in on the relevant activity in our system logs and filter out days or weeks of irrelevant data.
What we need:
-
When (if ever) did things seem OK?
-
When did things change?
-
If your IdP provides sync logs, timestamps for when recent sync attempts occurred are ideal.
Even rough timing is a huge help!
| Rough Timing | Detailed Timing |
| "Sometime yesterday." | "Around 1:30 PM MDT yesterday." |
| "A few weeks ago." | "The first week of September." |
| "It never worked." | "The first sync attempt was about 3 hours ago." |
4. Let's Talk Priority (and Workarounds)
When submitting a ticket, your priority designation helps us understand the immediate impact on your business. To make sure we're on the same page, please clearly communicate the impact and any workarounds you might have in place.
Priority Guidelines:
| Priority | Definition | Impact & Examples |
| 0: Critical System Failure | TOTAL Outage. Essential functionality is completely down for all or a major segment of users, and there is no operational workaround. | Core SCIM functionality is halted. Examples: All provisioning (create/update/deactivate) has stopped for all users; no new hires can be created; all deactivations are failing across the board. |
| 1: High / Business-Halting | Major business impact. Essential functionality is impaired, severely affecting a large number of users, and any existing workaround is unacceptable or causes extreme friction. | System is blocked. Examples: New user provisioning is failing, requiring extensive and error-prone manual steps for every new hire; a critical attribute (like email address) is consistently incorrect for all users. |
| 2: Significant Issue | Significant business impact. Core functionality is impacted, but a temporary, operational workaround exists, even if it is cumbersome. | Cumbersome Workaround. Examples: Updates to a critical attribute (like startDate or role) are failing, but users can still log in and use the application; a specific, large group of users is experiencing provisioning failures. |
| 3: Moderate Issue | Moderate business impact. Functionality is partially affected, limited to a smaller number of users, or non-essential features, and an acceptable workaround is in place. | Tolerable Workaround. Examples: Provisioning is failing only for a handful of individual users; updates to non-critical attributes (like department or phone number) are failing; a group membership sync is delayed but eventually resolves itself. |
| 4: Minor Concern | Minimal impact. The issue affects a single user or a non-essential feature, and there is a simple, easy-to-use workaround that causes minimal friction. | Simple Fix Available. Examples: A very specific, non-mandatory attribute is not syncing; the IdP logs show intermittent soft errors that don't seem to stop the overall sync process. |
| 5: Minor Inconvenience / Question | No business impact. This is typically a question about intended behavior, an intermittent visual glitch, or a request for clarification. | Request for Clarification. Examples: Questions about log file format; a request to confirm SCIM property path syntax; a visual display issue in the IdP console that doesn't impact provisioning. |
Keywords: SCIM provisioning , attribute mapping, 401 unathorized, 409 conflict, user sync failure, IdP logs, SCIM endpoint URP, ADP token, deprovisioning, schema extension