
Pulumi Cloud SCIM FAQ

    This page contains information on how to resolve issues that may occur when configuring SCIM provisioning.

    A failure occurred when attempting to provision a user.

    This failure occurs when there is a conflict with an existing user account in the Pulumi Cloud application. In that case our service returns a 409 HTTP response code, indicating a conflict, which you should be able to see in your identity provider’s (e.g. Okta, Azure AD) console logs. The conflict is with an existing account that already contains either that user’s username or email. These attributes must be unique for each user in our system, which is why the provisioning failed. The steps below describe how to resolve the conflict.

    Resolving an email conflict - This occurs when the user being provisioned has already created a Pulumi account with the same email address. The conflict must be resolved by changing the email associated with their Pulumi account and releasing it from our system or connecting the existing account to the new account being provisioned. If you encounter this issue, please contact our customer support for assistance.

    Resolving a username conflict - This occurs when the user being provisioned has the same username as an existing account in the Pulumi Cloud. This does not guarantee that the usernames in conflict both belong to the same individual, since a username is not guaranteed to be unique across multiple applications. Therefore, connecting to the existing account is not an option in this case, since we do not know for sure that both are owned by the same individual. The suggested way to resolve this conflict is to update the username attribute in your identity provider’s console, if your identity provider allows it. This action must be done by an admin on the identity provider side (e.g. Okta).

    1. Navigate to the user’s profile settings in your identity provider’s console.
    2. Change the username attribute to a different value.
    3. Retry provisioning that user. This should succeed if the username is now unique in the Pulumi Cloud.

    If your identity provider doesn’t allow you to control the username attribute’s value, please contact our customer support for assistance.

    Can I manage Pulumi-local teams if using SCIM?

    Yes. In addition to the SCIM-managed teams, one can also configure and manage Pulumi-local teams in the Pulumi Cloud. See Teams for how to configure teams in the Pulumi Cloud.

    A failure occurred when attempting to provision group members.

    The creation (POST), update (PATCH) or replacement (PUT) of a group performs member validation prior to running the operation. If any of the members provided are not provisioned into your Pulumi organization or are not active, the request will fail with the following response:

    Status: 400 BAD REQUEST
    Bad Request: invalid member ids: [comma separated list of invalid member ids]
    

    The suggested way to resolve this conflict is to synchronize all the group members, so that every member is successfully provisioned, and to update the user’s status. This action must be done by an admin on the identity provider side (e.g. Okta).
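
As an added example (not Pulumi's code), this Python sorts failed provisioning responses copied from an identity provider's log into the two failure cases this FAQ describes and collects the member ids named in the 400 message. The `(status, body)` records, the ids and the function names are constructed for illustration, and accepting the id list with or without literal brackets is an assumption.

```python
import re

# Message shape taken from the 400 response shown above. Whether the list is
# wrapped in literal brackets is an assumption, so both forms are accepted.
_INVALID_MEMBERS = re.compile(
    r"invalid member ids:\s*\[?([^\]\r\n]*)\]?", re.IGNORECASE)


def triage(status, body):
    """Classify one failed SCIM response into the cases this FAQ covers."""
    if status == 409:
        # 409: the username or email already belongs to an existing account.
        return {"case": "user_conflict", "member_ids": [],
                "action": "change the username in the IdP; "
                          "contact support for an email conflict"}
    match = _INVALID_MEMBERS.search(body or "")
    if status == 400 and match:
        ids = [m.strip() for m in match.group(1).split(",") if m.strip()]
        return {"case": "invalid_group_members", "member_ids": ids,
                "action": "provision or reactivate these members, "
                          "then retry the group sync"}
    return {"case": "other", "member_ids": [], "action": "not covered here"}


def members_to_fix(failures):
    """Member ids named in any 400, de-duplicated, in first-seen order."""
    seen = {}
    for status, body in failures:
        for member_id in triage(status, body)["member_ids"]:
            seen.setdefault(member_id, None)
    return list(seen)


# Constructed sample failures (status, body); the ids are made up.
SAMPLE_FAILURES = [
    (409, "Conflict"),
    (400, "Bad Request: invalid member ids: [u-1001, u-1002]"),
    (400, "Bad Request: invalid member ids: u-1002,u-1003"),
    (500, "Internal Server Error"),
]

if __name__ == "__main__":
    for status, body in SAMPLE_FAILURES:
        print(status, triage(status, body)["case"])
    print("members to re-sync:", members_to_fix(SAMPLE_FAILURES))
```
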
