1 files changed, 18 insertions, 4 deletions

diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md
index cc154b96ed0..04aa99e08af 100644
--- a/doc/user/group/saml_sso/scim_setup.md
+++ b/doc/user/group/saml_sso/scim_setup.md
@@ -71,8 +71,10 @@ Follow [Azure documentation to configure the attribute mapping](https://docs.mic
 
 The following table below provides an attribute mapping known to work with GitLab. If
 your SAML configuration differs from [the recommended SAML settings](index.md#azure-setup-notes),
-modify the corresponding `customappsso` settings accordingly. If a mapping is not listed in the
-table, use the Azure defaults. For a list of required attributes, refer to the [SCIM API documentation](../../../api/scim.md).
+modify the corresponding `customappsso` settings accordingly. In particular, the `externalId` must
+match the [SAML NameID](index.md#nameid).
+If a mapping is not listed in the table, use the Azure defaults.
+For a list of required attributes, refer to the [SCIM API documentation](../../../api/scim.md).
 
 | Azure Active Directory Attribute | `customappsso` Attribute       | Matching precedence |
 | -------------------------------- | ------------------------------ | ------------------- |
@@ -169,7 +171,7 @@ If [Group SAML](index.md) has been configured and you have an existing GitLab.co
 
 We recommend users do this prior to turning on sync, because while synchronization is active, there may be provisioning errors for existing users.
 
-New users and existing users on subsequent visits can access the group through the identify provider's dashboard or by visiting links directly.
+New users and existing users on subsequent visits can access the group through the identity provider's dashboard or by visiting links directly.
 
 [In GitLab 14.0 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/325712), GitLab users created by [SAML SSO](index.md#user-access-and-management) or SCIM provisioning display with an **Enterprise** badge in the **Members** view.
 
@@ -257,7 +259,19 @@ Changing the SAML or SCIM configuration or provider can cause the following prob
 | Problem                                                                   | Solution                                                                                                                                                                                                                                                                                                                                                                                                                                                |
 | ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | SAML and SCIM identity mismatch.                                          | First [verify that the user's SAML NameId matches the SCIM externalId](#how-do-i-verify-users-saml-nameid-matches-the-scim-externalid) and then [update or fix the mismatched SCIM externalId and SAML NameId](#update-or-fix-mismatched-scim-externalid-and-saml-nameid).                                                                                                                                                                              |
-| SCIM identity mismatch between GitLab and the Identify Provider SCIM app. | You can confirm whether you're hitting the error because of your SCIM identity mismatch between your SCIM app and GitLab.com by using [SCIM API](../../../api/scim.md#update-a-single-scim-provisioned-user) which shows up in the `id` key and compares it with the user `externalId` in the SCIM app. You can use the same [SCIM API](../../../api/scim.md#update-a-single-scim-provisioned-user) to update the SCIM `id` for the user on GitLab.com. |
+| SCIM identity mismatch between GitLab and the identity provider SCIM app. | You can confirm whether you're hitting the error because of your SCIM identity mismatch between your SCIM app and GitLab.com by using [SCIM API](../../../api/scim.md#update-a-single-scim-provisioned-user) which shows up in the `id` key and compares it with the user `externalId` in the SCIM app. You can use the same [SCIM API](../../../api/scim.md#update-a-single-scim-provisioned-user) to update the SCIM `id` for the user on GitLab.com. |
+
+### Search Rails logs for SCIM requests
+
+GitLab.com administrators can search for SCIM requests in the `api_json.log` using the `pubsub-rails-inf-gprd-*` index in [Kibana](https://about.gitlab.com/handbook/support/workflows/kibana.html#using-kibana). Use the following filters based on the [SCIM API](../../../api/scim.md):
+
+- `json.path`: `/scim/v2/groups/<group-path>`
+- `json.params.value`: `<externalId>`
+
+In a relevant log entry, the `json.params.value` shows the values of SCIM parameters GitLab receives. These values can be used to verify if SCIM parameters configured in an
+identity provider's SCIM app are communicated to GitLab as intended. For example, we can use these values as a definitive source on why an account was provisioned with a certain
+set of details. This information can help where an account was SCIM provisioned with details that appear to be incongruent with what might have been configured within an identity
+provider's SCIM app.
 
 ### Azure