SSO SCIM Error Messages – LaunchDarkly

Affected: Single sign-on, Okta

Overview

Reference this document when experiencing issues when signing on through SSO and you see SCIM assertion consumer errors.

Topics

Occurs during setup or provisioning?

Errors during setup: These errors occur upon initial configuration of SCIM.
Errors during provisioning: These errors occur when provisioning users through SCIM.

SCIM Errors

Error message

*Occurs during setup or provisioning

Cause

Steps to resolve

Multiple users found by userName. Expected 0 or 1 results but was 2

Provisioning

The team members were stuck in a deactivated members collection in our database.

Contact Technical Support to have the deactivated members fully removed.

Error (400) invalid_request: New Users must be provisioned through SCIM. Please ask your administrator to provision your account.

Provisioning

The team members username in Okta is incorrect.

Or

The team members role in Okta is not defined on their assignment.

Ensure the username and email in Okta are the same.

Or

Ensure the role in Okta is defined. If the role is not defined, it will treat it as an update to an existing member instead of creating a new member.

Okta Specific Errors

Error message	*Occurs during setup or provisioning	Cause	Steps to resolve
`You already have a SCIM client connected to your account. You must disable it before adding another.`	Setup	Occurs when you disable SSO on the LaunchDarkly side while SCIM is enabled on the Okta side and then try to re-enable SSO on the LaunchDarkly side while SCIM is still enabled on the Okta side.	Okta prevents the SSO connection until you disable SCIM on Okta. You'll need to log into Okta and disable the SCIM connection on the Okta side. Then you will be able to enable SSO on the LaunchDarkly side.
`Error while updating group membership for group {GROUP_NAME}: Internal Server Error. Error reported by remote server: internal error.`	Provisioning	Occurs when you try to push an Okta group while SCIM is enabled, and it fails to patch the group and assign a member to the group.	Contact Technical Support to troubleshoot further.
`Automatic provisioning of user {NAME} to app LaunchDarkly failed: Matching user not found.`	Setup or Provisioning	Occurs when Okta cannot find an existing user within LaunchDarkly to update.	If this is a new LaunchDarkly user, enable the Create Users settings under the Provisioning tab of the app within Okta. If this is an existing user, ensure the username attributes match the member's email on the LaunchDarkly side, and enable the Update User Attributes under the Provisioning tab for the app within Okta.
`Automatic provisioning of user {NAME} to app LaunchDarkly failed: Error while trying to push profile update for {EMAIL}: Internal Server Error. Errors reported by remote server: error updating account`	Provisioning	Occurs when SCIM was implemented after the member is already provisioned in LaunchDarkly. This results in the member not fully syncing between Okta and LaunchDarkly.	In Okta, unassign/reassign the affected member from the LaunchDarkly app while SCIM is enabled.
`Error while trying to push profile update for {username}: No user returned for user {externalID}`	Provisioning	Occurs when the LaunchDarkly application does not return any results for the user, meaning the user isn't a member of LaunchDarkly yet.	Ensure that the user has been correctly provisioned. If the member was previously removed from LaunchDarkly, unassign and then re-assign the user to the LaunchDarkly app in Okta.

Resources

SSO: SAML Error Messages