Druva Documentation

Users not getting provisioned via SCIM from your IDP to Druva inSync Cloud


Problem description

  • You have set up a SCIM integration between Druva and your IDP (for example, Okta or Azure).
  • The user import from your IDP to Druva had been working fine, and then provisioning suddenly stopped.
  • As a result, no new users are getting provisioned from your IDP to Druva inSync.

Cause

  1. Users are not assigned to the SCIM App in your IDP.
  2. SCIM API URL is modified or entered incorrectly in your IDP’s SCIM App.
  3. The inSync’s SCIM Token has expired.
  4. Incorrect configuration of the SCIM Mappings within the inSync Admin Console.
  5. The threshold for the maximum number of users in an inSync profile has been reached.
  6. Users with the same email IDs already exist in the Druva cloud.
  7. Druva inSync Storage assigned to your inSync instance might be down or unhealthy.

Resolution

  • Users are not assigned to the SCIM App in your IDP.
    • When you create new users in your IDP, make sure to assign them to the SCIM App; otherwise inSync will not be able to provision them through SCIM.
    • Make sure the SCIM provisioning app is assigned to the users that you create in your IDP.
  • SCIM API URL is modified or entered incorrectly in your IDP’s SCIM App.
  • The inSync’s SCIM Token has expired.
    1. SCIM token has a default expiration of 365 days from the generation time.
    2. This time is visible in the inSync Admin Console -> click on Users -> Deployment -> Settings page as shown below: 
    3. If the SCIM token has expired, simply click on the “New Token” button under the same section in the above screenshot -> copy the token -> log in to your IDP’s SCIM App settings -> supply the new token.

Note: Below are the screenshots from the SCIM Apps in OKTA and Azure AD. If you are using any other IDP that supports SCIM provisioning, then similar settings should be available within your IDP.

OKTA: Druva 2.0-SCIM app

OKTA: Custom App for SCIM:


Azure AD:

  • Incorrect configuration of the SCIM Mappings within the inSync Admin Console.
    • Such a scenario will usually generate an error message in your IDP’s SCIM App stating something like “None of the SCIM Mapping matched to create user”. The log may contain different words but will be referencing the SCIM Mapping’s incorrect configuration.
    • Refer to this article to troubleshoot SCIM Mapping configuration.
  • The threshold for the maximum number of users in an inSync profile has been reached.
    1. SCIM Mappings in inSync Console are mapped to a specific inSync profile as shown below: 
    2. If the maximum number of users per inSync profile has been reached for this profile, then new users will no longer get imported to Druva inSync. This limit can be found under inSync Admin Console -> Profile -> click on the Profile -> General tab -> Max. #users
    3. Increase this number or set this value to 0 for unlimited.

 

  • Users with the same email IDs already exist in the Druva cloud.
    1. This is a rare but possible scenario. If an email ID for a user is already present within Druva inSync Cloud, then the users will not get imported from your IDP to inSync.
    2. Across all our customer instances, the user email IDs need to be unique.
    3. You may first check within your inSync Admin Console -> Users -> search for the user if it is already present in inSync.
    4. It is possible that the user was previously backing up under a different inSync instance with the same email address. To verify this, please submit a support ticket with Druva inSync Support for further investigation along these lines.
  • Druva inSync Storage assigned to your inSync instance might be down or unhealthy.
    1. This again is an extremely rare scenario. SCIM Mappings created with inSync Admin Console are also linked to the storage region.
    2. If the inSync Storage Region assigned to your inSync instance is down or unhealthy, then users will not get provisioned from your IDP to Druva inSync.
    3. You may check the status of the storage region under inSync Admin Console -> settings -> Storage: 
    4. If the storage region is unhealthy, then please reach out to Druva Support by creating a support ticket for further investigation.
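
The following Python example is added here and is not Druva's code. It tracks the 365-day SCIM token lifetime and sorts failed SCIM create responses from an IDP provisioning log into the causes listed above. The status-code mapping (401 for a rejected token, 404 for a wrong URL, 5xx for an unhealthy backend) is an assumption based on standard HTTP and SCIM (RFC 7644) behaviour, and the function names and sample responses are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(days=365)  # default SCIM token lifetime stated above

def token_days_left(generated_at, now):
    """Days until the SCIM token expires; negative means it already has."""
    return (generated_at + TOKEN_LIFETIME - now).days

def triage(status, body):
    """Map one failed SCIM create response to a cause from the list above."""
    try:
        err = json.loads(body)
    except (TypeError, ValueError):
        err = None  # non-JSON body, e.g. an HTML page served by a wrong URL
    if not isinstance(err, dict):
        err = {}
    detail = str(err.get("detail", "")).lower()
    if status == 401:
        return "token"      # assumption: an expired or wrong token is rejected with 401
    if status == 404:
        return "url"        # assumption: a wrong SCIM API URL answers 404
    if "scim mapping" in detail:
        return "mapping"    # error text quoted on this page
    if status == 409 or err.get("scimType") == "uniqueness":
        return "duplicate"  # RFC 7644 uniqueness conflict: email already exists
    if status >= 500:
        return "service"    # assumption: backend or storage region unhealthy
    return "other"          # check app assignment and the profile's Max. #users

# Constructed sample responses, as an IDP provisioning log might record them.
SAMPLE = [
    (401, '{"status": "401", "detail": "Unauthorized"}'),
    (404, "<html>Not Found</html>"),
    (400, '{"status": "400", "detail": "None of the SCIM Mapping matched to create user"}'),
    (409, '{"status": "409", "scimType": "uniqueness", "detail": "User already exists"}'),
]

def summarize(entries):
    """Return the likely cause for each (status, body) pair, in order."""
    return [triage(status, body) for status, body in entries]

if __name__ == "__main__":
    generated = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed generation time
    print("token days left:", token_days_left(generated, datetime.now(timezone.utc)))
    print(summarize(SAMPLE))
```

Alerting when `token_days_left` drops below a rotation window lets you replace the token before provisioning stops.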