Pulumi Cloud SCIM FAQ
This page contains information on how to resolve issues that may occur when configuring SCIM provisioning.
A failure occurred when attempting to provision a user.
These errors can occur when attempting to create (POST), replace (PUT), or update (PATCH) a user. If you encounter difficulties resolving these issues, please contact our customer support for assistance.
Email already in use
{
  "status": 409,
  "response": {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
    "status": 409,
    "scimType": "uniqueness",
    "detail": "Email {email} already in use by another Pulumi account."
  }
}
Cause: The user being provisioned has already created a Pulumi account with the same email address. The email needs to be released from our system before it can be used to provision a new user, or the existing account needs to be connected to the new account being provisioned.
Suggested Resolution: There are three possible solutions. The user can do one of the following:
- Delete their existing Pulumi account
- Change the email associated with their existing Pulumi account
- Connect their SAML credentials to their existing Pulumi account by navigating to Account Settings > Connect SAML SSO.
UserName already exists
{
  "status": 409,
  "response": {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
    "status": 409,
    "scimType": "uniqueness",
    "detail": "User with userName {userName} already exists."
  }
}
Cause: The user being provisioned has the same username as an existing account in the Pulumi Cloud.
Suggested Resolution: Update the username attribute in your identity provider’s console, if your identity provider allows it, then try reprovisioning the user. This action must be done by an admin on the identity provider side (e.g. Okta).
UserName is immutable
{
  "status": 400,
  "response": {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
    "status": 400,
    "scimType": "immutability",
    "detail": "Attribute 'userName' is immutable."
  }
}
Cause: Pulumi usernames are immutable and cannot be updated.
Suggested Resolution: Update the attribute mapping in the identity provider so that userName is updated only during creation, not creation and update. This action must be done by an admin on the identity provider side (e.g. Okta).
Unknown path
{
  "status": 400,
  "response": {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
    "status": 400,
    "scimType": "invalidPath",
    "detail": "Unknown path: {path}."
  }
}
Cause: Pulumi only supports adding or updating the following user attributes:
- userName
- displayName
- givenName
- familyName
- active
Provisioning jobs that try to add or update any other attribute will fail.
Suggested Resolution: Update the attribute mappings in the identity provider and delete all unsupported attributes. This action must be done by an admin on the identity provider side (e.g. Okta).
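A pre-flight check for the "UserName is immutable" and "Unknown path" cases above, run against a SCIM PatchOp body captured from the identity provider before it is sent. This is an added example, not Pulumi's code; the names `preflight` and `_leaf_names` are hypothetical, and comparing only the last segment of each path (so `name.givenName` is read as `givenName`) is an assumption about how the supported attribute names map to SCIM paths.

```python
# The five attributes this page lists as supported for add/update.
SUPPORTED = {"userName", "displayName", "givenName", "familyName", "active"}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _leaf_names(op):
    """Yield the attribute leaf names that one PatchOp operation touches."""
    path, value = op.get("path"), op.get("value")
    if path:
        # Assumption: drop any schema URN prefix, then keep the last segment,
        # so "name.givenName" is compared as "givenName".
        yield path.split(":")[-1].split(".")[-1]
    elif isinstance(value, dict):
        # Path-less operation: the value object carries the attributes.
        for key, sub in value.items():
            if key == "name" and isinstance(sub, dict):
                yield from sub
            else:
                yield key


def preflight(patch_body):
    """Return (scimType, attribute) pairs matching the errors documented above."""
    if PATCH_SCHEMA not in patch_body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    findings = []
    for op in patch_body.get("Operations", []):
        for attr in _leaf_names(op):
            if attr == "userName":  # conservative: any userName in an update
                findings.append(("immutability", attr))
            elif attr not in SUPPORTED:
                findings.append(("invalidPath", attr))
    return findings


# Constructed sample: an IdP mapping that pushes userName and title on update.
SAMPLE = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "replace", "path": "displayName", "value": "Ada L."},
        {"op": "replace", "path": "userName", "value": "ada2"},
        {"op": "replace", "value": {"title": "SRE", "name": {"givenName": "Ada"}, "active": True}},
    ],
}

if __name__ == "__main__":
    for scim_type, attr in preflight(SAMPLE):
        print(f"{scim_type}: {attr}")
```

Each finding names the attribute mapping to remove or restrict to creation in the identity provider.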
A failure occurred when attempting to provision group members.
The creation (POST), update (PATCH) or replacement (PUT) of a group performs member validation prior to running the operation. If any of the members provided is not provisioned into your Pulumi organization or is not active, the request will fail with the following response:
Status: 400 BAD REQUEST
Bad Request: Cannot add invalid members to team. Invalid member ids: [comma separated list of invalid member ids]
The suggested way to resolve this conflict is to synchronize all the group members, so that every member is successfully provisioned, and to update the user’s status. This action must be done by an admin on the identity provider side (e.g. Okta).
Can I manage Pulumi-local teams if using SCIM?
Yes. In addition to the SCIM-managed teams, one can also configure and manage Pulumi-local teams in the Pulumi Cloud. See Teams for how to configure teams in the Pulumi Cloud.