
SCIM Provisioning Troubleshooting

Use this guide when Catalog users or teams are missing, out of date, or fail to sync from your identity provider after you have started SCIM setup. It complements the provider-specific walkthroughs with shared checks and common failure patterns.

Catalog SCIM Scope

SCIM in this section provisions Catalog accounts and team membership. It does not replace just-in-time SSO for the Coalesce Transform app. If your question is about Transform login or SSO buttons, start with Troubleshooting Common SSO Errors.

Before You Start

Confirm the following so you are not debugging the wrong surface:

  • You completed the integration and token step with Catalog ops using support@coalesce.io or your Coalesce representative, as described in SCIM Setup for Okta or SCIM Setup for Microsoft Entra ID.
  • You know whether your Catalog tenant uses app.castordoc.com or app.us.castordoc.com so you can validate the regional base URL.
  • You can open provisioning settings and logs for the Catalog app in Okta or the Entra Enterprise application.

How Issues Show Up

You might notice one or more of the following:

  • New hires in your identity provider never appear in Catalog, even when assignments look correct.
  • Updates to names or team membership in the provider do not show in Catalog after a reasonable wait.
  • Deactivated users in the provider still have Catalog access because provisioning did not deactivate them in Catalog.
  • Provisioning jobs fail in the provider with connection, authorization, or attribute errors in the log.
  • Catalog users are created but names look empty or wrong even though email is present.

These symptoms usually trace to one of five causes: the integration is not enabled, the URL or token is wrong, the person is outside the assignment scope, the attribute mapping is incorrect, or the sync has not run yet.

Verify the Integration and Connection

  1. Open your Catalog SCIM application in Okta or Entra ID.
  2. Go to the provisioning or API integration screen your provider uses for outbound SCIM.
  3. Confirm provisioning is enabled or on, not paused.
  4. Run Test Connection or the equivalent health check and fix reported errors before chasing data issues.

If the connection test fails, fix URL and token first. Attribute mapping will not matter until authentication to the SCIM endpoint succeeds.

Check Base URL and Token

The SCIM base URL must match your Catalog region. Use exactly one of:

Catalog app host        SCIM base URL
app.castordoc.com       https://api.castordoc.com/auth/scim
app.us.castordoc.com    https://api.us.castordoc.com/auth/scim

Token issues often look like auth failures or intermittent 401 responses in provider logs. If a token was exposed or rotated outside Coalesce, ask Coalesce to issue a new token by writing to support@coalesce.io. Do not paste old tokens in tickets.
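The region check above as a small validator you can run against the value entered in the provider. This is an added example, not Coalesce code: the function name `check_scim_base_url` and its messages are hypothetical, and the only URLs used are the two in the table.

```python
from urllib.parse import urlsplit

# Region table taken from this page: Catalog app host -> SCIM base URL.
SCIM_BASE_URLS = {
    "app.castordoc.com": "https://api.castordoc.com/auth/scim",
    "app.us.castordoc.com": "https://api.us.castordoc.com/auth/scim",
}

def check_scim_base_url(app_host: str, configured: str) -> list[str]:
    """Return the problems found in the base URL entered in the provider.

    An empty list means the value is exactly the one listed for the region.
    """
    expected = SCIM_BASE_URLS.get(app_host.strip().lower())
    if expected is None:
        return [f"unknown Catalog app host: {app_host!r}"]
    if configured == expected:
        return []

    problems = []
    if configured != configured.strip():
        problems.append("leading or trailing whitespace in the pasted URL")
    got, want = urlsplit(configured.strip()), urlsplit(expected)
    host = (got.hostname or "").lower()
    if got.scheme != "https":
        problems.append("scheme must be https so the token is not sent in clear text")
    if host in SCIM_BASE_URLS:
        problems.append("this is the Catalog app host, not the API host")
    elif host != want.hostname:
        # Hosts of the other regions in the table, to tell a region mix-up from a typo.
        other = {urlsplit(u).hostname for u in SCIM_BASE_URLS.values()} - {want.hostname}
        if host in other:
            problems.append(f"wrong region: tenant is on {app_host}, URL points at {host}")
        else:
            problems.append(f"unexpected host {host!r}, expected {want.hostname}")
    if got.path != want.path:
        problems.append(f"path is {got.path!r}, expected {want.path!r}")
    if got.query or got.fragment:
        problems.append("remove the query string or fragment")
    return problems or ["value differs from the listed URL"]
```

A region mismatch matters beyond the failed test: the provider sends the bearer token to whichever host is configured, so correct the URL before retrying.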

Verify Attribute Mapping

Incorrect mapping usually produces users with email but missing first and last name, or failed creates when required fields are empty.

  • Okta: Follow SCIM Setup for Okta for To App actions and profile mapping. Ensure givenName and familyName in Okta are populated for affected people.
  • Microsoft Entra ID: Follow SCIM Setup for Microsoft Entra ID so users keep userName, active, name.givenName, and name.familyName, and externalId maps to objectId as documented. Remove extra attributes the walkthrough says to delete.

Provider-Specific Steps

Keep the setup doc open while you compare mappings. Small differences, such as an extra attribute or a wrong externalId source, are a frequent root cause.
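To compare what the provider actually sends with the attributes listed above, the following added example audits one SCIM User payload (it is not part of the setup guides or Coalesce code). It assumes you can obtain the JSON body your provider sends; `audit_user` and the sample user are constructed for illustration, and anything reported as extra should be checked against the walkthrough rather than deleted automatically.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema
# Attributes this page says the mapping keeps.
KEPT = ("userName", "active", "name.givenName", "name.familyName", "externalId")
# Protocol-level members that are not mapped attributes.
ENVELOPE = {"schemas", "id", "meta"}

def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf in a SCIM resource."""
    for key, val in obj.items():
        path = f"{prefix}{key}"
        if isinstance(val, dict):
            yield from flatten(val, path + ".")
        else:
            yield path, val

def audit_user(payload: dict) -> dict:
    """Report missing, empty and unexpected attributes in one SCIM User payload."""
    leaves = {p: v for p, v in flatten(payload) if p.split(".")[0] not in ENVELOPE}
    return {
        "schema_ok": CORE_USER in payload.get("schemas", []),
        "missing": [a for a in KEPT if a not in leaves],
        # active=False is a valid value, so only "" and null count as empty.
        "empty": [a for a in KEPT if a in leaves and leaves[a] in ("", None)],
        "extra": sorted(set(leaves) - set(KEPT)),
    }

# Constructed sample: a user whose provider profile has no first name.
SAMPLE = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "dana@example.com",
  "active": true,
  "externalId": "00000000-0000-0000-0000-000000000000",
  "name": {"givenName": "", "familyName": "Reyes"},
  "displayName": "Dana Reyes"
}""")

if __name__ == "__main__":
    print(json.dumps(audit_user(SAMPLE), indent=2))
```

An entry under `empty` points at the provider profile (the name fields are not populated for that person), while an entry under `missing` points at the mapping itself.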

Confirm Assignments and Group Scope

SCIM only processes identities your provider sends to this application.

  • Okta: Under the Catalog SCIM app, check Assignments so people or groups that should get Catalog are actually assigned.
  • Microsoft Entra ID: Under the Enterprise application, check Users and groups so the right users and groups are assigned. Remember that group-based assignment drives who is in scope for provisioning when you use groups.

If someone is missing from assignments, they will not reach Catalog through SCIM.

Sync Timing and Logs

Entra ID provisioning commonly runs on an interval, and Okta may take time between runs depending on configuration and backlog.

  1. After fixing configuration, allow at least one full sync cycle.
  2. If your provider supports it, restart or re-save provisioning to queue a fresh run.
  3. Read provisioning logs or provisioning summary in the provider and note error codes or failing step names. Those strings help Coalesce support match the failure to API behavior.

Manual Catalog Users Versus SCIM

You can have manually created Catalog access while you roll out SCIM. Once SCIM is healthy, prefer a single source of truth in your identity provider so you do not keep duplicate or stale records. Align email and lifecycle with your IT standards so just-in-time SSO or SCIM does not fork identities for the same person.

When To Contact Support

Contact support@coalesce.io when:

  • Connection tests keep failing after URL and token checks.
  • Token reset or rotation is required.
  • Provider logs show repeated errors you cannot map to configuration steps in the setup guides.
  • You need help interpreting SCIM responses alongside your provider logs.

Include your Catalog host region, identity provider, approximate time of failures, and redacted screenshots or log excerpts where your policy allows.
