SCIM Provisioner

Known issues and limitations

The following are known issues or limitations with the SCIM Provisioner.

Known issues

There are no known issues.

Known limitations

Service provider (SP) connections:

  • The Unique User Identifier cannot be changed in an SP connection configuration. To change to a different Unique User Identifier, delete the existing connection, restart PingFederate, and then create a connection with the new Unique User Identifier.

  • All SP connections with the same target must use the same Unique User Identifier. If multiple SP connections are created for the same target, every subsequent connection will use the Unique User Identifier configured in the first connection that was created.

Attributes:

  • The connector has a limit of one value per type (home, work, other, and so on) for multi-value attributes (email, phone, address).

  • If the SaaS does not specify type or primary information on multi-value attributes (email, phone, address), unexpected behavior can occur. During an update, existing attributes on the SaaS may not be removed, and the desired value may not be correctly set as primary.

  • The connector cannot clear a user attribute once it has been set.

  • If the target application supports two email attributes and one attribute is empty, the connector populates both attributes with the email address and sets both as "primary". This can produce unexpected effects in some target applications.
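
An added example (not Ping Identity code) that audits a SCIM user resource, as read back from a target application, for the multi-value attribute conditions listed above: more than one value per type, missing type or primary information, and more than one value marked primary. The sample user and the finding labels are constructed for illustration.

```python
import json
from collections import Counter

# Multi-valued attributes named in the limitations (SCIM core User schema).
MULTI_VALUED = ("emails", "phoneNumbers", "addresses")

# Constructed sample: a user resource as a target application might return it.
SAMPLE_USER = json.loads("""
{
  "userName": "jdoe@example.com",
  "emails": [
    {"value": "jdoe@example.com", "type": "work", "primary": true},
    {"value": "jdoe@corp.example.com", "type": "work"},
    {"value": "jdoe@example.com", "type": "home", "primary": true}
  ],
  "phoneNumbers": [{"value": "+1-555-0100"}],
  "addresses": [{"type": "work", "primary": true, "locality": "Denver"}]
}
""")

def audit_user(user):
    """Return (attribute, finding) tuples for one SCIM user resource."""
    findings = []
    for attr in MULTI_VALUED:
        entries = user.get(attr) or []
        # The connector keeps one value per type, so count values per type.
        types = Counter(e.get("type") for e in entries)
        for type_name, count in types.items():
            if type_name is None:
                findings.append((attr, "missing-type"))
            elif count > 1:
                findings.append((attr, f"duplicate-type:{type_name}"))
        # Exactly one entry should be primary; zero or several is ambiguous.
        primaries = sum(1 for e in entries if e.get("primary") is True)
        if entries and primaries == 0:
            findings.append((attr, "no-primary"))
        elif primaries > 1:
            findings.append((attr, "multiple-primary"))
    return findings

if __name__ == "__main__":
    for attr, finding in audit_user(SAMPLE_USER):
        print(f"{attr}: {finding}")
```

Running the audit against accounts after a provisioning cycle shows which users need manual cleanup in the target, since the connector cannot clear an attribute once it has been set.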

Group provisioning:

  • When provisioning groups, only required attributes, such as displayName and members, are supported. Common attributes, such as id and externalID, are not supported because they’re optional attributes.

Other:

  • This connector does not support PATCH updates to SCIM-enabled target applications.

  • When an LDAP user is deleted in a targeted group distinguished name (DN), the provisioning connector doesn’t propagate the deletion until a new user is added to the group. This limitation is compounded when the User Create provisioning option is disabled. You can find solutions in "SaaS provisioner does not remove the user" in the Knowledge Base.

  • SCIM-compliant service providers can implement or interpret the SCIM standards differently, which could result in behavior that’s not consistent with the SCIM Provisioner's intended use.