SCIM Provisioning Contracts

SCIM 2.0 provisioning is contract-designed in ADR-0011. OP-034R implements the first tenant-scoped runtime path for connections, role mappings, user/group provisioning, fail-closed deprovisioning, audit, and events. OP-066g adds the API-backed Settings UI for tenant-admin connection setup, status changes, and role mapping configuration.

Current status:

  • SCIM connection metadata, role mappings, user/group provisioning endpoints, status UI, and tenant-admin setup controls are implemented.
  • Entra ID/Okta adapters are not implemented.
  • Auth/session behavior is not rewritten.
  • Standards-shaped /scim/v2 compatibility aliases are not implemented.
  • Admin/status/provisioning API contracts, event contracts, and validation examples exist.

The contract freezes:

  • tenant-scoped SCIM connection metadata;
  • group-to-role mapping into tenant_admin, operator, and auditor;
  • fail-closed deprovisioning behavior;
  • audited user, group, membership, role mapping, and failure events;
  • redacted auditor-safe status/read assumptions.
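As an added illustration (not the project's poc/ingest_api/scim_service.py, whose code is not shown on this page), the Python below sketches how the frozen contract points above combine in practice: tenant-scoped group-to-role mappings onto the three roles named, fail-closed resolution where a deprovisioned user or an unmapped group yields no access, an audit record for each decision, and an auditor-safe status view that reports whether a connection secret is configured without exposing it. The data classes, function names, event names, and the sample tenant/group identifiers are assumptions constructed for this example, not identifiers from the project's specs.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Roles the contract maps groups into; any other target role is refused.
ALLOWED_ROLES: FrozenSet[str] = frozenset({"tenant_admin", "operator", "auditor"})


@dataclass(frozen=True)
class RoleMapping:
    """A tenant-scoped group-to-role mapping (assumed shape, not the project's)."""
    tenant_id: str
    group_external_id: str
    role: str


@dataclass(frozen=True)
class ScimUser:
    """Minimal provisioned-user view (assumed shape). 'active' mirrors SCIM 'active'."""
    tenant_id: str
    external_id: str
    active: bool
    group_external_ids: FrozenSet[str]


def validate_mappings(mappings: Iterable[RoleMapping], audit: List[Dict]) -> List[RoleMapping]:
    """Accept only mappings onto known roles; audit and drop the rest (fail closed)."""
    accepted: List[RoleMapping] = []
    for m in mappings:
        if m.role in ALLOWED_ROLES:
            accepted.append(m)
        else:
            # Event name is illustrative, not one of the project's identity.* schemas.
            audit.append({"event": "identity.role_mapping.rejected",
                          "tenant_id": m.tenant_id,
                          "group_external_id": m.group_external_id,
                          "reason": "unknown_role"})
    return accepted


def effective_roles(user: ScimUser, mappings: Iterable[RoleMapping],
                    audit: List[Dict]) -> FrozenSet[str]:
    """Resolve roles fail-closed: an inactive user gets nothing, an unmapped group
    contributes nothing, and mappings belonging to other tenants are never consulted."""
    if not user.active:
        audit.append({"event": "identity.user.deprovisioned",
                      "tenant_id": user.tenant_id,
                      "user_external_id": user.external_id,
                      "roles_revoked": True})
        return frozenset()
    roles = frozenset(
        m.role for m in mappings
        if m.tenant_id == user.tenant_id
        and m.group_external_id in user.group_external_ids
    )
    audit.append({"event": "identity.user.roles_resolved",
                  "tenant_id": user.tenant_id,
                  "user_external_id": user.external_id,
                  "roles": sorted(roles)})
    return roles


def auditor_safe_status(connection: Dict) -> Dict:
    """Status view for auditors: says whether a secret is configured, never its value."""
    return {
        "tenant_id": connection["tenant_id"],
        "status": connection["status"],
        "bearer_token_configured": bool(connection.get("bearer_token")),
    }


def demo() -> Dict:
    """Run the example on constructed sample data and return the observable results."""
    audit: List[Dict] = []
    mappings = validate_mappings([
        RoleMapping("tenant-a", "grp-admins", "tenant_admin"),
        RoleMapping("tenant-a", "grp-ops", "operator"),
        RoleMapping("tenant-a", "grp-bad", "superuser"),   # not a contract role: rejected
        RoleMapping("tenant-b", "grp-admins", "auditor"),  # same group name, other tenant
    ], audit)
    active = ScimUser("tenant-a", "user-1", True,
                      frozenset({"grp-admins", "grp-ops", "grp-unmapped"}))
    other_tenant = ScimUser("tenant-c", "user-2", True, frozenset({"grp-admins"}))
    deprovisioned = ScimUser("tenant-a", "user-3", False, frozenset({"grp-admins"}))
    return {
        "accepted_mappings": len(mappings),
        "active_roles": effective_roles(active, mappings, audit),
        "other_tenant_roles": effective_roles(other_tenant, mappings, audit),
        "deprovisioned_roles": effective_roles(deprovisioned, mappings, audit),
        "status": auditor_safe_status({"tenant_id": "tenant-a", "status": "active",
                                       "bearer_token": "constructed-secret"}),
        "audit_events": [e["event"] for e in audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take from the run is the absence of any default: a user whose groups match no mapping in their own tenant, or whose SCIM record is inactive, ends with an empty role set, and every such decision leaves an audit record that an auditor can read without seeing the connection secret.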

Source docs:

  • docs/adr/ADR-0011-scim-provisioning-contracts.md
  • docs/architecture/scim-provisioning-contracts.md
  • specs/openapi.yaml
  • specs/asyncapi.yaml
  • specs/events/identity.*.v1.schema.json
  • poc/ingest_api/scim_service.py
  • tests/test_scim_provisioning_runtime.py