
SCIM Connectors and Authenticating Load Balancers

Problem

We have an authenticating load balancer in front of our instance, preventing connection to the SCIM connector.


Solution

To ensure the SCIM connector works correctly, your identity provider must be able to communicate directly with the SCIM endpoints provided by User Sync.

This means the authenticating load balancer must not require authentication for the identity provider's connections to your instance. Otherwise, the load balancer redirects the identity provider's SCIM request to the identity provider's login page instead of passing it to User Sync.

Additionally, this implies that there must be an unauthenticated path to your instance for the SCIM connection to function correctly.


To make a SCIM connector work in this scenario, you must:

  1. Find the connector id of the connector.

  2. Create a second load balancer rule that does not require authentication when the identity provider connects to the instance's SCIM endpoints.

  3. Place this rule above the authenticating rule so that the authentication is not triggered for these requests.


See the following example for an AWS authenticating load balancer. Please note that this might look different for your authenticating load balancer:


[Screenshot: listener rules of the AWS authenticating load balancer, with the unauthenticated SCIM rule above the authenticating rule]


We created a second rule that forwards to the instance without authentication when the Path Pattern is:

  /rest/samlsso-admin/1.0/usersync/connector/<connector-id>/*


This ensures that all SCIM endpoints provided by User Sync are accessible from external sources.

Instead of using a wildcard (*), you can create OR-based rules for specific endpoints defined by the SCIM standard.

For details on excluding a path from authentication, refer to your load balancer documentation.
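As an added example (not part of this article and not User Sync or AWS code), the following Python script checks the listener rules returned by aws elbv2 describe-rules for the two mistakes discussed above: the unauthenticated SCIM rule sitting below the authenticating rule, and a bypass pattern broader than the connector path. The connector id, the /Users suffix below the connector path and the rule data are constructed assumptions.

```python
import re

# Path from the article; the connector id is a placeholder, not a real value.
SCIM_PREFIX = "/rest/samlsso-admin/1.0/usersync/connector/"
CONNECTOR_ID = "CONNECTOR-ID-PLACEHOLDER"
AUTH_ACTIONS = {"authenticate-oidc", "authenticate-cognito"}

# Constructed sample in the shape of `aws elbv2 describe-rules` output, trimmed to the fields used.
SAMPLE_RULES = [
    {"Priority": "10", "IsDefault": False,
     "Conditions": [{"Field": "path-pattern", "Values": [f"{SCIM_PREFIX}{CONNECTOR_ID}/*"]}],
     "Actions": [{"Type": "forward"}]},
    {"Priority": "20", "IsDefault": False,
     "Conditions": [{"Field": "path-pattern", "Values": ["/*"]}],
     "Actions": [{"Type": "authenticate-oidc"}, {"Type": "forward"}]},
    {"Priority": "default", "IsDefault": True, "Conditions": [], "Actions": [{"Type": "forward"}]},
]

def _pattern_matches(pattern, path):
    """ALB path-pattern semantics: '*' matches zero or more characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, path) is not None

def first_matching_rule(rules, path):
    """Return the rule with the lowest priority number whose path-pattern conditions match `path`.
    Simplification: conditions of other types (host-header, ...) are assumed to match."""
    for rule in sorted((r for r in rules if not r["IsDefault"]), key=lambda r: int(r["Priority"])):
        path_conds = [c for c in rule["Conditions"] if c["Field"] == "path-pattern"]
        if all(any(_pattern_matches(v, path) for v in c["Values"]) for c in path_conds):
            return rule
    return next(r for r in rules if r["IsDefault"])

def check_scim_bypass(rules, connector_id=CONNECTOR_ID):
    """Return findings; an empty list means the IdP's SCIM request reaches the instance without
    being sent to the login page, and the bypass is scoped to the connector path only."""
    findings = []
    probe = f"{SCIM_PREFIX}{connector_id}/Users"  # assumed SCIM endpoint the IdP will call
    rule = first_matching_rule(rules, probe)
    if any(a["Type"] in AUTH_ACTIONS for a in rule["Actions"]):
        findings.append(f"rule {rule['Priority']}: SCIM request to {probe} would be sent to the IdP "
                        "login page; place the unauthenticated SCIM rule above it")
        return findings
    if rule["IsDefault"]:
        findings.append("no listener rule matches the SCIM path; the default action applies")
    for cond in rule["Conditions"]:
        for value in cond["Values"]:
            if not value.startswith(f"{SCIM_PREFIX}{connector_id}/"):
                findings.append(f"rule {rule['Priority']}: pattern {value!r} bypasses authentication "
                                "for paths outside the SCIM connector path")
    return findings
```

Feed it the Rules array from your own describe-rules output to verify the ordering after every listener change.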


To find the connector id (and/or the URL), go to User Sync and click Edit → Connector id and Directory:

[Screenshot: User Sync connector edit dialog showing the Connector id and Directory]