SCIM sync is completely stopped due to restricted domain at a user email #19794
Description
Describe the bug
When I add a user with an invalid e-mail for a SCIM integration, the whole SCIM sync operation gets blocked. At the logs I can see the error like this:
{"domain_url": null, "event": "Stopping sync", "exc": "StopSync(1 validation error for User\nemails.0.value\n value is not a valid email address: The part after the @-sign is a special-use or reserved name that cannot be used with email. [type=value_error, input_value='username@testipa.local', input_type=str], <User: username>)", "level": "warning", "logger": "authentik.lib.sync.outgoing.tasks", "object_type": "authentik.core.models.User", "pid": 105, "provider_pk": 3, "provider_type": "authentik.providers.scim.models.SCIMProvider", "schema_name": "public", "timestamp": "2026-01-27T11:09:31.612892"}
Our company has quite a big LDAP domain with thousands of users. Some of them have inconsistent e-mails, for some of them it's a valid case.
I can see that this restriction comes from email_validator python package.
How to reproduce
- Create a user with e-mail that has zone
localortestat domain. For example: michael@domain.local - Create SCIM integration with any provider
- Run full SCIM sync operation
Expected behavior
SCIM synchronisation shouldn't be stopped.
This case may be managed in one of two ways:
- Disable this e-mail validation completely. For example, Okta synchronises such users with no restrictions.
- If there're objective reasons against of p1, such users should be skipped with an error message. But shouldn't stop the whole SCIM synchronization.
Screenshots
No response
Additional context
No response
Deployment Method
Docker
Version
2025.12.1
Relevant log output
Metadata
Metadata
Assignees
Type
Projects
Status