SCIM Provisioning Runtime
Status
Runtime Implemented
Related Requirements
- Client response references: SCIM 2.0 is a Phase 1 user/group lifecycle requirement that cannot move to Phase 2.
- ADR references: docs/adr/ADR-0011-scim-provisioning-contracts.md
- Task board references: OP-034R.
What Was Implemented
- Tenant-scoped SCIM connection metadata with secret values stored only as non-secret references.
- Tenant admin APIs for connection create/list/read/update and role-mapping replacement.
- Service-account provisioning endpoints for users, groups, full group membership replacement, and explicit member removal.
- Deterministic group-to-role mapping for tenant_admin, operator, and auditor.
- Fail-closed deprovisioning by active=false or removal from all mapped groups.
- Identity lifecycle events and audit records for accepted, denied, failed, and conflict-driven mutations.
- Read-only SCIM status panel in the Settings page.
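As an added illustration of the mapping and fail-closed rules listed above (this is example code, not the project's scim_service.py; the group ids, user ids and the in-memory membership store are constructed assumptions):

```python
from dataclasses import dataclass

# Roles a group may map to on this page; any other mapping value is rejected.
ALLOWED_ROLES = frozenset({"tenant_admin", "operator", "auditor"})


@dataclass(frozen=True)
class Decision:
    deprovisioned: bool
    roles: tuple  # sorted, so identical inputs always yield identical output


def derive_roles(active, member_of, role_mappings):
    """Deterministically derive the effective roles for one SCIM user.

    role_mappings is {scim_group_id: role}, as replaced via the
    role-mappings endpoint. Fail-closed: active=false, or membership in
    no mapped group, yields no roles and a deprovisioned decision.
    """
    bad = {r for r in role_mappings.values() if r not in ALLOWED_ROLES}
    if bad:
        raise ValueError(f"unsupported roles in mapping: {sorted(bad)}")
    if not active:
        return Decision(True, ())
    roles = sorted({role_mappings[g] for g in member_of if g in role_mappings})
    if not roles:
        return Decision(True, ())
    return Decision(False, tuple(roles))


def replace_group_members(memberships, group_id, new_members):
    """Full membership replacement for one group (PUT .../groups/{id}).

    memberships is {scim_user_id: set(scim_group_id)} and is updated in
    place; the returned set holds every user whose membership changed so
    the caller can re-derive (and possibly deprovision) each of them.
    """
    current = {u for u, groups in memberships.items() if group_id in groups}
    new_members = set(new_members)
    for user in current - new_members:
        memberships[user].discard(group_id)
    for user in new_members - current:
        memberships.setdefault(user, set()).add(group_id)
    return current ^ new_members


# Constructed sample data (hypothetical ids, not taken from the project).
MAPPINGS = {"grp-admins": "tenant_admin", "grp-ops": "operator", "grp-audit": "auditor"}
MEMBERSHIPS = {"u1": {"grp-admins", "grp-ops"}, "u2": {"grp-audit"}, "u3": {"grp-unmapped"}}


def demo():
    """Replace grp-audit's members with {u1}: u1 gains auditor, u2 loses all mapped groups."""
    changed = replace_group_members(MEMBERSHIPS, "grp-audit", {"u1"})
    return {u: derive_roles(True, MEMBERSHIPS[u], MAPPINGS) for u in sorted(changed)}
```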
Components Involved
- Runtime: poc/ingest_api/scim_service.py
- Routes: poc/ingest_api/http_routes.py
- Storage: db/postgres/012_scim_provisioning_runtime.sql
- OpenAPI: specs/openapi.yaml
- Events: specs/events/identity.*.v1.schema.json
- UI: frontend/src/components/console-pages.tsx
- Tests: tests/test_scim_provisioning_runtime.py
APIs / Events / Schemas
- API: GET /api/v1/scim/connections
- API: POST /api/v1/scim/connections
- API: PATCH /api/v1/scim/connections/{connection_id}
- API: PUT /api/v1/scim/connections/{connection_id}/role-mappings
- API: POST /api/v1/scim/connections/{connection_id}/users
- API: PUT /api/v1/scim/connections/{connection_id}/users/{scim_user_id}
- API: POST /api/v1/scim/connections/{connection_id}/groups
- API: PUT /api/v1/scim/connections/{connection_id}/groups/{scim_group_id}
- API: DELETE /api/v1/scim/connections/{connection_id}/groups/{scim_group_id}/members/{scim_user_id}
- Event: identity.scim_connection.configured
- Event: identity.scim_role_mapping.changed
- Event: identity.user.provisioned
- Event: identity.user.updated
- Event: identity.user.deprovisioned
- Event: identity.group.provisioned
- Event: identity.group_membership.changed
- Event: identity.provisioning.failed
Security / Tenant Isolation
Every SCIM table, event, audit row, and API result is tenant-scoped. Provisioning mutations require a service-account actor, while tenant admins manage connections and role mappings. Bearer tokens, raw SCIM payloads, provider secrets, and unredacted email values are not rendered in the UI or audit output.
Validation Steps
make validate-contracts
make typecheck-python
make lint
make test-sqlite
npm --prefix frontend test -- --run
make docs-build
Known Limitations
- Entra ID, Okta, and generic SCIM pull/sync adapters are not implemented.
- Standards-shaped /scim/v2/Users and /scim/v2/Groups aliases are not implemented.
- Real provider secret provisioning is not implemented.
- Broad auth/session rewrite and runtime token revocation are not implemented.
- Writable SCIM admin UI remains future scoped work.