SCIM Troubleshooting & FAQ
SCIM is currently in beta for Passbolt Pro. It will be available for Passbolt Cloud once it exits beta.
Common issues with SCIM user provisioning and frequently asked questions.
Connection Issues
SCIM Endpoint Not Accessible
Symptoms:
- Connection test fails in identity provider
- Timeout errors when testing SCIM configuration
- 404 or connection refused errors
Solutions:
- Verify SCIM endpoint URL format: `https://your-passbolt-instance.com/scim/v2/<settings_id>`
- Ensure HTTPS is properly configured
- Check firewall settings allow port 443
- Verify Passbolt server is running
Authentication Token Issues
Symptoms:
- "Unauthorized" or "401" errors
- "Invalid token" messages
- Connection test fails with authentication error
Solutions:
- Verify token format: `pb_[A-Za-z0-9]{43}`
- Ensure the "Bearer " prefix is included in the Authorization header
- Regenerate the token in Passbolt if needed:
  - Go to Administration → SCIM Settings
  - Disable SCIM temporarily
  - Re-enable SCIM to generate a new token
  - Update the identity provider configuration
Provisioning Issues
Users Not Being Created
Symptoms:
- Users assigned in identity provider but not appearing in Passbolt
- Provisioning logs show "skipped" or "error" status
Solutions:
- Check required attribute mapping:
  - `userName` (must be a unique email address)
  - `name.givenName`
  - `name.familyName`
  - `emails[0].value`
- Ensure source users have valid email addresses
- Review identity provider provisioning logs for specific errors
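An added example, not part of Passbolt or this page's original content: a Python checker for the SCIM User payload an identity provider sends, covering the required attributes listed above and, going slightly beyond this section, the email-immutability rule stated in the FAQ below. The sample resource and the case-insensitive uniqueness comparison are assumptions.

```python
import re

# Attributes Passbolt requires on a SCIM User, per the mapping list above.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def primary_email(user: dict):
    """Return emails[0].value, or None when the list or the value is absent."""
    emails = user.get("emails") or []
    return emails[0].get("value") if emails and isinstance(emails[0], dict) else None


def check_user_resource(user: dict, existing_usernames=()) -> list[str]:
    """Findings for a SCIM User create request; empty means required attributes are present."""
    findings = []
    username = user.get("userName")
    if not username:
        findings.append("userName missing")
    elif not EMAIL_RE.match(username):
        findings.append(f"userName {username!r} must be an email address")
    elif username.lower() in {u.lower() for u in existing_usernames}:  # case-insensitive: assumption
        findings.append(f"userName {username!r} already exists (must be unique)")
    name = user.get("name") or {}
    for attr in ("givenName", "familyName"):
        if not name.get(attr):
            findings.append(f"name.{attr} missing")
    email = primary_email(user)
    if not email:
        findings.append("emails[0].value missing")
    elif not EMAIL_RE.match(email):
        findings.append(f"emails[0].value {email!r} is not a valid email address")
    return findings


def check_user_update(current: dict, updated: dict) -> list[str]:
    """Flag an email change: Passbolt rejects it because email is part of the user's identity."""
    findings = []
    if updated.get("userName") != current.get("userName"):
        findings.append("userName change rejected: email cannot be updated through SCIM")
    if primary_email(updated) != primary_email(current):
        findings.append("emails[0].value change rejected: email cannot be updated through SCIM")
    return findings


# Constructed sample resource in the shape an identity provider sends it.
SAMPLE_USER = {
    "userName": "ada@example.com",
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "emails": [{"value": "ada@example.com", "primary": True}],
    "active": True,
}
```

Running `check_user_resource` on a user the provider reports as "skipped" or "error" shows which of the four required attributes the mapping failed to populate.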
Users Created but Not Activated
Symptoms:
- Users appear in Passbolt but remain in "invitation pending" status
- Users cannot log in despite being provisioned
Solutions:
- Check Passbolt email configuration
- Verify email delivery (check spam folders)
- Send welcome email manually from Passbolt if needed
Users Not Being Updated
Symptoms:
- Changes in identity provider not reflected in Passbolt
- User information remains outdated
Solutions:
- Verify "Update User Attributes" is enabled in identity provider
- Check attribute mapping for update operations
- Review provisioning logs for update attempts
Identity Provider Specific Issues
Microsoft Entra ID
Provisioning Delays:
- Azure runs provisioning cycles every 40 minutes
- Use "Provision on demand" for immediate testing
Connection Issues:
- Verify SCIM endpoint URL includes settings_id
- Check authentication token format
Okta
API Connection Issues:
- Verify Base URL format includes settings_id
- Check Bearer token format
Provisioning Not Starting:
- Verify application is activated
- Check that users are assigned to the application
Frequently Asked Questions
General Questions
Which identity providers are supported?
- Microsoft Entra ID (Azure AD)
- Okta
What version of Passbolt do I need?
Passbolt Pro Edition version 5.5 or later.
How is SCIM different from LDAP directory sync?
| Feature | LDAP Directory Sync | SCIM User Provisioning |
|---|---|---|
| Target Systems | On-premises directories (AD, OpenLDAP) | Cloud identity providers (Azure AD, Okta) |
| Protocol | LDAP | HTTP/HTTPS REST API |
| Real-time Updates | Scheduled synchronisation | Near real-time provisioning |
| User Management | Full user sync | User provisioning only |
| Setup | More complex configuration | Simpler setup process |
Configuration Questions
What information do I need from Passbolt?
- SCIM Endpoint URL: `https://your-passbolt-instance.com/scim/v2/<settings_id>`
- Authentication Token: generated by Passbolt (format: `pb_[A-Za-z0-9]{43}`)
How do I find the SCIM endpoint URL?
- Go to Administration → SCIM Settings
- Enable SCIM if not already enabled
- The endpoint URL is displayed in the configuration
What if I lose my authentication token?
- Go to Administration → SCIM Settings
- Temporarily disable SCIM
- Re-enable SCIM to generate a new token
- Update your identity provider configuration
User Management Questions
What user information is synchronised?
- Username (must be unique email address)
- First Name
- Last Name
- Email Address
- Active Status (enabled/disabled)
Can I change a user's email address through SCIM?
No. Passbolt uses email as part of the user's cryptographic identity. Email update requests are rejected.
What happens when I delete a user in my identity provider?
SCIM follows a two-phase process:
- Phase 1 - Disable: User is disabled in Passbolt (soft delete)
- Phase 2 - Delete: After 30 days, user is permanently deleted
If the user cannot be deleted (sole owner of shared resources), the user remains disabled and administrators receive an email notification.
Can I manually create users when using SCIM?
Yes, but this may cause conflicts if the same user is later provisioned via SCIM.
Why can't I sync groups through SCIM?
Group synchronisation is not supported in the initial SCIM release.
How often does user synchronisation occur?
- Microsoft Entra ID: Every 40 minutes by default
- Okta: Near real-time updates
- On-demand sync: Available in both providers for immediate testing
Troubleshooting Questions
Why is my connection test failing?
Common causes:
- Incorrect SCIM endpoint URL (must include settings_id)
- Wrong authentication token format
- HTTPS not properly configured
- Firewall blocking access
- Passbolt server not running
Users are not being created - what should I check?
- Verify users are assigned to the application in your identity provider
- Check that required attributes (first name, last name, email) are populated
- Ensure attribute mapping is correct
- Review provisioning logs for specific error messages
Why are users created but not activated?
This is normal behaviour. Users created via SCIM:
- Are created in "invitation pending" status
- Receive a welcome email to complete account setup
- Must complete the account setup process to activate their account
How do I troubleshoot provisioning delays?
- Microsoft Entra ID: Use "Provision on demand" for immediate testing
- Okta: Check system logs for any processing delays
- Both: Verify network connectivity and server performance
Getting Help
When contacting support, provide:
- Passbolt version and edition
- Identity provider and version
- Error messages from logs
- Steps to reproduce the issue
- Configuration details (without sensitive information)