SCIM Connection Setup UI

OP-066g adds an API-backed SCIM administration path to the Settings console. Tenant admins and system admins can create SCIM connections, update connection status, and configure mappings from provider groups to OneProtect roles through the existing OP-034R runtime APIs.

Implemented:

  • Create SCIM connection form for Entra ID, Okta, and generic SCIM profiles.
  • Status control for draft, active, and disabled connection states.
  • Role mapping form for tenant_admin, operator, and auditor groups.
  • Sync status display for active/deprovisioned users, groups, last success, and failure count.
  • Same-origin handlers under /console-api/oneprotect/scim/connections/* that proxy to the existing tenant-admin SCIM API.
  • Role-aware rendering: tenant admins and system admins can mutate, auditors can inspect status only, and operators do not see the SCIM admin configuration at all.

Security boundaries:

  • Bearer tokens are accepted only in the create form and are never rendered back.
  • Raw SCIM payloads, provider secrets, provider PII, and unredacted user records are not displayed in the console.
  • Role mapping saves use the backend role_mapping_version optimistic version and fail closed through the SCIM runtime.
  • No standards-shaped /scim/v2 aliases, Entra/Okta adapter automation, secret sync, or auth/session rewrite was added.

Validation:

  • npm --prefix frontend run typecheck
  • npm --prefix frontend test -- --run
  • make docs-build