Common problems with user provisioning

This article answers the most common issues related to automatic user provisioning (SCIM). Unless otherwise noted, all items below apply to all Identity Providers (Entra ID, Okta, etc.).

-----

Names cannot contain brackets <>(){}[]

For security reasons, a user's first name and last name cannot contain any bracket characters. If at all possible, avoid using bracket characters in first name and last name data in Azure AD.

-----

A user's department was first provisioned as "dept123" but was recently changed to "Dept123". However, the update doesn't show up in Hoxhunt. What's going on?

SCIM provisioning doesn't distinguish between lowercase and uppercase letters. In the example above, SCIM considers the user's department data unchanged, so it doesn't send a change request to Hoxhunt.

Using provision-on-demand or restarting the provisioning doesn't help. Please contact Hoxhunt Support to have the data updated.

-----

After setting up SCIM, we have been seeing duplicate user accounts. What's going on?

This can occur if UserPrincipalName (UPN) and primary email address are not identical for your employees.

The duplicate user accounts may be created when:

  • You have a mismatch between SSO claims and SCIM user attribute mapping values
  • You have provisioned users with their UPN, but when users click the Hoxhunt button, they are always identified by their primary email address

Please make sure you are using mail / user.mail in both the SSO and SCIM configuration. This ensures your employees are identified and provisioned with their primary email address, which matches how they are identified when they click the Hoxhunt button.

In order to resolve existing user accounts in Hoxhunt, please contact Hoxhunt Support.


Figure 1. Correct SSO claim value.


Figure 2. Correct SCIM attribute mapping.

IMPORTANT: As of February 2024, Hoxhunt requires the use of user.mail as the main source attribute for Hoxhunt users instead of userPrincipalName. This is especially important for customers who use non-identical values for userPrincipalName and user.mail.

Read more: (2024-03) Hoxhunt no longer authenticates end users based on userPrincipalName
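
As an added example (not Hoxhunt's code or tooling), the following Python script audits a directory export for the issues described in this article: bracket characters in names, UPN and mail mismatches, and case-only department changes. The CSV layout, the hypothetical provisionedDepartment column (the value last sent to Hoxhunt) and the case-insensitive address comparison are assumptions.

```python
import csv
import io

# Bracket characters the article says are rejected in first and last names.
BRACKETS = set("<>(){}[]")

# Constructed sample export; column names follow Entra ID attribute names and
# are an assumption. provisionedDepartment is a hypothetical column.
SAMPLE_EXPORT = """\
givenName,surname,userPrincipalName,mail,department,provisionedDepartment
Ada,Lovelace,ada@example.com,ada@example.com,Dept123,dept123
Grace,Hopper (Contractor),grace@example.com,grace@example.com,Ops,Ops
Alan,Turing,aturing@corp.example.com,alan.turing@example.com,R&D,R&D
Edsger,Dijkstra,edsger@example.com,,IT,IT
"""

def audit_users(rows):
    """Return (user, issue) tuples for rows that will hit the problems above."""
    findings = []
    for row in rows:
        upn = row["userPrincipalName"].strip()
        mail = row["mail"].strip()
        for field in ("givenName", "surname"):
            bad = sorted(BRACKETS & set(row[field]))
            if bad:
                findings.append((upn, f"{field} contains bracket characters: {''.join(bad)}"))
        if not mail:
            findings.append((upn, "mail is empty"))
        elif upn.casefold() != mail.casefold():
            # Assumption: addresses are compared case-insensitively.
            findings.append((upn, f"UPN differs from mail ({mail}); duplicate account risk"))
        cur, prev = row["department"], row["provisionedDepartment"]
        if cur != prev and cur.casefold() == prev.casefold():
            findings.append((upn, f"department change {prev!r} -> {cur!r} is case-only; SCIM will not send it"))
    return findings

def audit_csv(text):
    """Parse a CSV export and audit every row."""
    return audit_users(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    for user, issue in audit_csv(SAMPLE_EXPORT):
        print(f"{user}: {issue}")
```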

-----

We are unable to provision manager information from Okta to Hoxhunt.

Hoxhunt currently requires that a user's manager information is provisioned to Hoxhunt with the manager's Hoxhunt User ID. It's currently not possible to provision manager information by the manager's email address. Hoxhunt is working to support the email address format.

In addition, Okta's native provisioning approach for manager information is to use AD as its data source.
