Azure SCIM configuration quarantined due to exceeding max threshold value
Article ID: 389788

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet sites via Cloud SWG using the WSS Agent access method.

Users authenticate to the Microsoft Entra Identity Provider using the SAML protocol.

To be able to define policies per user and group, SCIM integration with Entra is enabled.

When checking the expected user and group count in the Cloud SWG Portal, the number of entries was below what was expected.

When checking the provisioning status, the Entra admin sees that provisioning has been quarantined, as shown below:

Environment

Microsoft Entra.

Cloud SWG.

SCIM.

Cause

The Manager attribute sent with the SCIM user updates included values that could not be validated on the backend: instead of a logical name, it contained a numeric ID with separators that were not handled correctly.

Resolution

The Cloud SWG SCIM backend was updated to address this issue in the February 2025 Cloud SWG update.

Additional Information

When looking at the Azure provisioning logs, there were many messages that included the following text:

"We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client."

These log entries also included the resource returned by the SCIM endpoint (attribute values redacted here), which could be used to reproduce the issue. The log message reads "Here is the resource we received from your SCIM endpoint:"

    {
      "totalResults": 1,
      "itemsPerPage": 100,
      "startIndex": 1,
      "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
      "Resources": [
        {
          "id": "####",
          "externalId": "#####",
          "meta": {
            "created": "2024-07-31T11:19:55.372Z",
            "lastModified": "2024-07-31T15:14:27.554Z",
            "resourceType": "User"
          },
          "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User",
            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
          ],
          "userName": "######",
          "name": {"formatted": "####", "familyName": "######", "givenName": "#####"},
          "displayName": "######",
          "preferredLanguage": "##",
          "active": true,
          "emails": [{"value": "######", "primary": true, "type": "work"}],
          "addresses": [
            {"streetAddress": "#####", "locality": "#####", "country": "######", "type": "work", "primary": false}
          ],
          "groups": [{"value": "######", "display": "#####"}],
          "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
            "department": "#####",
            "employeeNumber": "######",
            "manager": "xxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"
          }
        }
      ]
    }

Updating the Cloud SWG SCIM backend to handle these manager IDs fixed the issue.
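The following check is an added example, not part of this article or of the Cloud SWG product: it parses a SCIM ListResponse of the shape quoted above and reports enterprise-extension "manager" values that deviate from RFC 7643, which defines manager as a complex attribute carrying a "value" sub-attribute rather than a bare string. The sample body, the `with_manager` helper and the finding texts are constructed for this example; the article does not state which manager format the backend expected, so treat a finding as something to verify against the provisioning logs, not as proof of the fault.

```python
import json
from typing import Any, List

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample modelled on the ListResponse quoted in the article,
# with the enterprise "manager" attribute sent as a bare string.
SAMPLE = json.dumps({
    "totalResults": 1, "itemsPerPage": 100, "startIndex": 1,
    "schemas": [LIST_RESPONSE],
    "Resources": [{
        "id": "user-1", "userName": "user1@example.invalid", "active": True,
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
        ENTERPRISE: {"department": "IT", "manager": "xxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"},
    }],
})

def with_manager(body: str, manager: Any) -> str:
    """Return a copy of the ListResponse with every resource's manager replaced (test helper)."""
    doc = json.loads(body)
    for res in doc.get("Resources", []):
        res.setdefault(ENTERPRISE, {})["manager"] = manager
    return json.dumps(doc)

def check_list_response(body: str) -> List[str]:
    """Return human-readable findings about manager attributes a SCIM client may reject."""
    findings: List[str] = []
    doc = json.loads(body)
    if LIST_RESPONSE not in doc.get("schemas", []):
        findings.append("response does not declare the ListResponse schema URN")
    for res in doc.get("Resources", []):
        rid = res.get("id", "<no id>")
        ext = res.get(ENTERPRISE)
        if ext is None:
            continue
        if ENTERPRISE not in res.get("schemas", []):
            findings.append(f"{rid}: enterprise extension present but not declared in schemas")
        mgr = ext.get("manager")
        if mgr is None:
            continue
        # RFC 7643 section 4.3: manager is a complex attribute with "value"
        # (the manager's SCIM id) plus optional "$ref" and "displayName".
        if not isinstance(mgr, dict):
            findings.append(f"{rid}: manager is a bare {type(mgr).__name__} {mgr!r}, expected an object with a 'value' sub-attribute")
        elif "value" not in mgr:
            findings.append(f"{rid}: manager object has no 'value' sub-attribute")
        elif not isinstance(mgr["value"], str) or not mgr["value"]:
            findings.append(f"{rid}: manager.value must be a non-empty string")
    return findings
```

Run `check_list_response` over a captured ListResponse body (for example the one Entra echoes in its provisioning log) to list the resources whose manager attribute would need attention.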