Clean Up SCIM Users and Groups

Applies to: Alation Cloud Service instances of Alation and customer-managed instances of Alation

SCIM (System for Cross-domain Identity Management) provisioned users and groups are tied to the identity provider (IdP) that created them. When the IdP changes, the existing SCIM mappings become invalid and must be cleared before a new IdP can provision users and groups correctly.

When SCIM Cleanup Is Necessary

Perform a SCIM cleanup in these situations:

  • Switching identity providers — You are replacing the current IdP with a different one, for example, switching from Okta to Microsoft Entra ID.

  • Migrating to a different environment — The destination environment uses a different IdP, for example, when restoring a Production instance to a Development or Disaster Recovery environment that is connected to a different IdP.

  • Migrating to a new IdP tenant — You are moving to a new tenant within the same IdP vendor, for example, switching between two Okta organizations after a company rebrand or domain change. Even though the IdP vendor is the same, the SCIM external IDs and provisioning tokens are tied to the old tenant and must be cleared before the new tenant can provision users and groups correctly.

  • Resolving corrupted or duplicate SCIM state — Your Alation instance has duplicate users, ghost groups, or users mapped to incorrect external IDs, typically caused by running SCIM provisioning from two IdP applications simultaneously or after a failed provisioning run. A full cleanup resets SCIM to a clean state.
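The following Python script is an added example and is not part of Alation's product or this guide. It audits exported SCIM 2.0 ListResponse documents for the symptoms described above (duplicate users, users whose external ID belongs to a different IdP or is missing, and ghost groups) so you can confirm the state before requesting a cleanup. The sample JSON, the resource IDs, and the `okta|` external ID prefix convention are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: SCIM 2.0 ListResponse documents in the shape returned
# by standard /Users and /Groups endpoints. Not real Alation or IdP data.
USERS = json.loads("""{
 "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "Resources": [
  {"id": "1", "userName": "ana@example.com", "externalId": "okta|00u1"},
  {"id": "2", "userName": "Ana@example.com", "externalId": "entra|a1b2"},
  {"id": "3", "userName": "bo@example.com"},
  {"id": "4", "userName": "cy@example.com", "externalId": "okta|00u4"}
 ]}""")
GROUPS = json.loads("""{
 "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "Resources": [
  {"id": "g1", "displayName": "analysts", "members": [{"value": "1"}, {"value": "9"}]},
  {"id": "g2", "displayName": "legacy", "members": []}
 ]}""")


def audit_scim_state(users, groups, expected_prefix):
    """Report SCIM state that calls for a cleanup before re-provisioning.

    expected_prefix is the (assumed) externalId prefix used by the IdP that
    should own every user; anything else indicates a stale or foreign mapping.
    """
    resources = users["Resources"]
    by_name = defaultdict(list)
    for u in resources:
        # RFC 7643 defines userName as not case-exact, so compare case-folded.
        by_name[u["userName"].casefold()].append(u["id"])
    user_ids = {u["id"] for u in resources}
    return {
        # Same userName provisioned twice, e.g. by two IdP apps running at once.
        "duplicate_users": {n: ids for n, ids in by_name.items() if len(ids) > 1},
        # externalId missing or tied to an IdP other than the expected one.
        "unexpected_external_id": [u["id"] for u in resources
                                   if not u.get("externalId", "").startswith(expected_prefix)],
        # Groups with no members, or members that no longer resolve to a user.
        "ghost_groups": [g["id"] for g in groups["Resources"]
                         if not g.get("members")
                         or any(m["value"] not in user_ids for m in g["members"])],
    }


if __name__ == "__main__":
    print(json.dumps(audit_scim_state(USERS, GROUPS, "okta|"), indent=2))
```

Any non-empty finding indicates SCIM objects that Step 3 must reset; an empty report after the new IdP has provisioned confirms the mappings are consistent.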

Warning

The server-side cleanup in Step 3 suspends all SCIM-provisioned users and removes all SCIM-provisioned groups in Alation. Before you start, verify that at least one user account with the Server Admin role exists that was created using built-in (non-SAML) authentication. You need this account to access Alation while the cleanup is in progress.

Prerequisites

Before starting the cleanup, confirm all of the following:

  • You have a local built-in user account with the Server Admin role that doesn’t depend on SCIM provisioning.

  • You have administrator access to the current identity provider (IdP) application.

  • You have coordinated with your IdP administrator to perform the steps on the IdP side.

Step 1: Remove Users and Groups Assignment From the Identity Provider Application

In your IdP, remove the assignments of all SCIM-provisioned users and groups from the SCIM application. Refer to your IdP’s documentation for the specific steps.

Removing the assignments clears the provisioning link between the IdP and Alation, removes the external ID mapping, and enables you to reprovision users and groups from a new IdP application.

Step 2: Disable Provisioning on the Identity Provider Application

In your IdP, disable SCIM provisioning on the application to stop it from sending SCIM requests to Alation. Refer to your IdP’s documentation for the specific steps.

Note

Disabling provisioning does not automatically delete SCIM objects in Alation. It only stops the provisioning process. Re-enabling provisioning may not clear stored mappings unless you remove the SCIM objects first.

Step 3: Request Alation Server-Side Cleanup

Open a support case with Alation to request a full SCIM user and group cleanup on the server. Alation Support runs the server-side cleanup script to remove residual SCIM data and prepare the instance for a new SCIM integration.

Note

Alation Cloud Service customers can request server configuration changes through Alation Support.

After Cleanup

After the cleanup is complete, reconfigure SCIM integration with the new IdP. See Enable SCIM Integration for User and Group Management.