SCIM Error "Failed to match an entry in the source and target systems"

Overview

When attempting to provision a user through the Azure admin UI (portal.azure.com), the following error is seen:

Failed to match an entry in the source and target systems

We are not able to deserialize the resource received from your SCIM endpoint because your SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Here is the resource we received from your SCIM endpoint

Applies To

  • SCIM
  • Azure AD via SAML

Cause

This can be caused by a change to the attribute used for the user ID, so the unique identifiers used are no longer consistent between Auth0 and Azure.

For example, by default userPrincipalName is sent to Auth0 as “userName.” If this mapping is changed to another attribute, e.g., objectID, errors can start to occur for users who were previously provisioned into Auth0 with userPrincipalName as their “userName”: they can still be found by email, but their userNames no longer align.

The standard setup for Azure via SAML SCIM attribute mapping:


Configuration instructions:

Solution

If the attribute used to uniquely identify users is changed (for example, the userName in the Azure attribute mapping configuration), the existing users on the Auth0 side must be deleted so that provisioning on demand can resume.

  • Otherwise conflicts may occur due to previously existing users using a different value for their IDs.
  • For example, a user could be found by their email, but the returned userName (ID) would not match in Azure or vice versa.

Matching attributes need to be unique: Matching users in the source and target systems
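
As an added example (not Auth0 or Microsoft code), the following pre-flight check lists the already-provisioned users that would hit this mismatch after a userName mapping change. The source field names, the sample records and the helper names are constructed for illustration; the target records follow the SCIM core User schema, and matching emails case-insensitively is an assumption.

```python
"""Pre-flight check for a SCIM userName mapping change (constructed sample data)."""

# Constructed source-directory records; these field names are assumptions.
SOURCE_USERS = [
    {"userPrincipalName": "alice@example.com", "objectId": "11111111-aaaa", "mail": "alice@example.com"},
    {"userPrincipalName": "bob@example.com", "objectId": "22222222-bbbb", "mail": "bob@example.com"},
    {"userPrincipalName": "carol@example.com", "objectId": "33333333-cccc", "mail": "carol@example.com"},
]

# Constructed SCIM core User resources already on the target side, provisioned
# while userName was mapped from userPrincipalName. carol was never provisioned.
TARGET_RESOURCES = [
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "t-1",
     "userName": "alice@example.com", "emails": [{"value": "alice@example.com", "primary": True}]},
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "t-2",
     "userName": "Bob@Example.com", "emails": [{"value": "Bob@Example.com", "primary": True}]},
]


def primary_email(resource):
    """Return the lower-cased primary email of a SCIM User, or the first one listed."""
    emails = resource.get("emails") or []
    for entry in emails:
        if entry.get("primary"):
            return (entry.get("value") or "").lower()
    return (emails[0].get("value") or "").lower() if emails else ""


def find_mismatches(source_users, target_resources, username_attr):
    """List target users found by email whose userName differs from the mapped value."""
    by_email = {primary_email(r): r for r in target_resources if primary_email(r)}
    conflicts = []
    for user in source_users:
        existing = by_email.get(user["mail"].lower())
        if existing is None:
            continue  # not on the target side yet, so nothing to conflict with
        expected = user[username_attr]
        # userName is case-insensitive in the SCIM core schema (RFC 7643).
        if (existing.get("userName") or "").lower() != expected.lower():
            conflicts.append({"id": existing["id"], "email": user["mail"],
                              "target_userName": existing.get("userName"),
                              "expected_userName": expected})
    return conflicts


if __name__ == "__main__":
    for attr in ("userPrincipalName", "objectId"):
        print(attr, "->", find_mismatches(SOURCE_USERS, TARGET_RESOURCES, attr))
```

The users reported for the new mapping are the ones that would need to be deleted on the target side before provisioning resumes.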