Cloud SWG admin enabled SAML authentication with SCIM.

SCIM token successfully generated and added to Microsoft Entra setup.

32k Azure users and 8 Azure groups are assigned to the Cloud SWG Enterprise Application defined in Entra.

After enabling Entra provisioning for Cloud SWG, and after confirming that the sync initially launched, Cloud SWG Portal reports 1194 users and 5 groups.

Forcing a resync shows up same issue again.

Microsoft Entra.

Cloud SWG.

SCIM with SAML authentication enabled.

Unsure.

Remove the Cloud SWG enterprise application on Entra, and re-add it.

The initial provisioning did not appear to have completed successfully (see below) and a restart addressed this as we did not try to keep re-synchronising object IDs that did not exist on the Cloud SWG side.

When the issue occured, the Azure AD Provisioning logs showed large number of service failures such as th following (404 accounted for most of the errors):

• A request timed out.  The request was to https://scim.wss.symantec.com/wss:##########.  The timeout was 60,000.00 milliseconds. This operation was retried 0 times. It will be retried again after this date: 2024-07-25T08:12:53.1561294Z UTC"
• Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.
  Web Response:
  {""status"":""404"",""detail"":""Resource with ID '#####-#####-#####-####-#####' not found"",""schemas"":[""urn:ietf:params:scim:api:messages:2.0:Error""]}

The 404 typically references a user or group object and the 404 indicated the object did not exist. This would indicate that the provisioning did not complete successfully, and was the reason to retry it.