PingOne

SCIM provisioning known limitations

The following are known issues or limitations with System for Cross-domain Identity Management (SCIM) user provisioning.

Service provider (SP) connections

  • The Unique User Identifier cannot be changed in an SP connection configuration.

    To change to a different Unique User Identifier, delete the existing connection and then create a connection with the new Unique User Identifier.

  • All SP connections with the same target must use the same Unique User Identifier.

    If multiple SP connections are created for the same target, every subsequent connection will use the Unique User Identifier configured in the first connection that was created.

Attributes

  • The connector has a limit of one value per type (for example, home, work, and other) for multi-value attributes (for example, email, phone, and address).

  • If the application does not specify type or primary information on multi-value attributes, unexpected behavior can occur.

    During an update, existing attributes on the application cannot be removed, and the desired value cannot be correctly set as primary.

  • The provisioner cannot clear a user attribute after it is set.

  • PingOne does not support multi-value attributes, so the first attribute value will be used.

  • If the target application supports two email attributes and one attribute is empty, the provisioner populates both attributes with the email address and sets both as primary.

    This can produce unexpected effects in some target applications.

Other

  • SCIM-compliant SPs might implement or interpret the SCIM standards differently, which can result in behavior that is not consistent with the intended use of the SCIM provisioner.

  • When syncing groups and group memberships to AWS Identity Center, you can encounter a 400 invalid filter error when a group’s name has a special character in a different language.

  • When syncing groups and group memberships to Atlassian Cloud, renaming a group is not supported. Updating the Group Name causes a UI mismatch on the group’s Sync Status (Healthy - for overwrite / Sync Failure - for merge). Adding and removing members continues to work.

  • When provisioning users and groups to AWS Identity Center, you might encounter an error such as The resource could not be modified. [prov_exception_msg] [SCIM004,]. The SCIM Provisioner responds with the message Request is unparsable, syntactically incorrect, or violates schema.

    For AWS, every user must have a First name, Last name, Username, and Display name value specified. If any of these values are missing from a user, that user is not provisioned.

    Learn more about special characters that you must not use in attributes synchronized with SCIM in Limitations and ListUsers in the AWS documentation. The <>;:% SCIM filter expression is in the correct format as defined by AWS.

  • When provisioning users and groups to Atlassian Cloud, the SCIM filter is username eq "%s". If given an invalid SCIM filter, you might encounter an error such as The resource could not be modified. [prov_exception_msg] [SCIM004]. The SCIM Provisioner responds with the message Resource [USER] invalid filter.
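
A pre-flight check for the AWS and Atlassian Cloud items above, as an added example that is not PingOne code: it flags users missing any of the four attributes AWS requires or carrying one of the characters <>;:% (assumed here to be the set AWS rejects), and usernames that would not fit the username eq "%s" filter. The record field names and the sample users are hypothetical.

```python
# Keys are hypothetical field names for an exported user record;
# labels are the attribute names the page lists as required for AWS.
AWS_REQUIRED = {
    "first_name": "First name",
    "last_name": "Last name",
    "username": "Username",
    "display_name": "Display name",
}
# Assumption: the characters shown on the page are rejected in synced attributes.
AWS_REJECTED_CHARS = set("<>;:%")
ATLASSIAN_FILTER = 'username eq "%s"'  # filter template quoted on the page


def aws_problems(user):
    """Reasons this user would likely fail provisioning to AWS."""
    problems = []
    for key, label in AWS_REQUIRED.items():
        value = user.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing required attribute: {label}")
    for key, value in user.items():
        if isinstance(value, str):
            bad = "".join(sorted(AWS_REJECTED_CHARS & set(value)))
            if bad:
                problems.append(f"{key} contains rejected character(s): {bad}")
    return problems


def atlassian_problems(user):
    """A quote or backslash changes the filter's structure once substituted."""
    name = user.get("username") or ""
    if '"' in name or "\\" in name:
        return ["username would break the filter " + ATLASSIAN_FILTER]
    return []


def preflight(users, target):
    """Map the index of each failing user to its list of problems."""
    check = {"aws": aws_problems, "atlassian": atlassian_problems}[target]
    return {i: p for i, u in enumerate(users) if (p := check(u))}


# Constructed sample records, not real directory data.
SAMPLE_USERS = [
    {"first_name": "Ana", "last_name": "Lima", "username": "alima", "display_name": "Ana Lima"},
    {"first_name": "Bo", "last_name": "", "username": "bo", "display_name": "Bo"},
    {"first_name": "Cy", "last_name": "Ng", "username": "cy:ng", "display_name": "Cy <Ng>"},
    {"first_name": "Di", "last_name": "Oz", "username": 'di"oz', "display_name": "Di Oz"},
]

if __name__ == "__main__":
    for target in ("aws", "atlassian"):
        print(target, preflight(SAMPLE_USERS, target))
```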