Docs/SCIM Provisioning/Troubleshooting

SCIM Troubleshooting

Common issues and solutions for SCIM provisioning problems.

Common Issues

Token Authentication Failed

CauseInvalid or expired SCIM token
SolutionRegenerate the token in SecureCodingHub and update it in your identity provider
NoteTokens don't expire automatically, but can be revoked by an admin

User Already Exists (409 Conflict)

CauseUser with the same email already exists (created manually or via JIT provisioning)
SolutionIf the existing user is inactive (previously deactivated via SCIM), SCIM reactivates them in place and returns 200. If the existing user is active, SCIM returns 409 and does not auto-link — the IdP needs to PATCH or PUT the matching user instead of creating a duplicate.

Seat Limit Reached (403 Forbidden)

CauseOrganization has reached its maxSeats limit
SolutionRemove inactive users or upgrade your plan to increase the seat limit

Group Sync Not Working

CausePush Groups not enabled, or the group is not assigned to the application
SolutionEnable Push Groups in your IdP and verify the group is assigned to the SecureCodingHub app

User Not Deactivated After Removal

CauseIdP sends PATCH with active=false, not DELETE
SolutionThis is expected behavior — SCIM deactivation sets the user to inactive without deleting their data

Checking SCIM Logs

When troubleshooting, check the provisioning logs in your identity provider:

Identity ProviderWhere to Find Logs
OktaApplications → your app → Provisioning → Integration → View Logs
Azure ADEnterprise Applications → your app → Provisioning → Provisioning Logs

SCIM Endpoints Reference

All endpoints are relative to the base URL: https://api.limeplate.com/api/sch/scim/v2

EndpointMethodDescription
/UsersGETList users (with filter support)
/UsersPOSTCreate user
/Users/{id}GETGet user
/Users/{id}PUTReplace user
/Users/{id}PATCHUpdate user attributes
/Users/{id}DELETESoft-delete user (sets active=false, preserves the record)
/GroupsGETList groups (with filter support)
/GroupsPOSTCreate group
/Groups/{id}GETGet group
/Groups/{id}PUTReplace group
/Groups/{id}PATCHUpdate group members
/Groups/{id}DELETEDelete group
/ServiceProviderConfigGETDiscovery — capabilities the server supports.
/SchemasGETDiscovery — the SCIM schemas served by this tenant.
/ResourceTypesGETDiscovery — the resource types (User, Group) this tenant exposes.
Still having issues? Contact support@securecodinghub.com with your organization name and the error details.