VN-06 · SCIM Provisioning
Status: Delivered (runtime-lite). Live Entra ID / Okta adapters and
standards-shaped /scim/v2 aliases are deferred.
Roles needed: Tenant admin (or system admin), operator/auditor (read-only)
What the client asked for
"SCIM 2.0 is a Phase 1 requirement for user/group lifecycle provisioning, deprovisioning, tenant role mapping, and IdP integration."
What this proves
A tenant admin can set up a SCIM connection, map identity-provider groups to
OneProtect roles (tenant_admin, operator, auditor), and rely on
fail-closed deprovisioning — all tenant-scoped, with provider secrets never
shown back.
How it works (at a glance)
Validate via Swagger (Try it out)
Open /api/docs, click Authorize, paste a tenant-admin token. Use the
request schema shown in Swagger for each body. (A portal form also exists under
Settings → SCIM connections.)
| # | Action | What you should see |
|---|---|---|
| 1 | POST /api/v1/scim/connections (name, provider, base URL, bearer token) | 200; connection created — the bearer token is not echoed back |
| 2 | POST /api/v1/scim/connections/{connection_id}/role-mappings mapping IdP groups → tenant_admin/operator/auditor | Mappings saved |
| 3 | POST /api/v1/scim/connections/{connection_id}/users to provision a user | User provisioned with the mapped role |
| 4 | GET /api/v1/scim/provisioned-users | The user appears, tenant-scoped |
| 5 | DELETE /api/v1/scim/connections/{connection_id}/users/{scim_user_id} | Deprovisioned fail-closed; only source='scim' roles are removed (manual roles survive) |
Contract & tests: /api/v1/scim/* in the OpenAPI deliverable;
tests/test_scim_provisioning_runtime.py. Live Entra/Okta adapter sync and
standards-shaped /scim/v2 aliases are Phase 2.
Where to look in the portal
Settings → SCIM connections, and Audit.
Validation walkthrough
Exact labels match the portal. Substitute your real IdP SCIM base URL and bearer token where indicated.
| # | Action | What you should see |
|---|---|---|
| 1 | Sign in as tenant admin. Open Settings and find the SCIM connections section. | A SCIM connection create form (Name, Provider, Base URL, Bearer token, …). |
| 2 | Set Name = ACME Entra ID, Provider = Entra ID, Base URL = your IdP SCIM base (e.g. https://idp.example.com/scim), Bearer token = your IdP token. Click Create connection. | The connection is created and listed with a status; the bearer token is not re-displayed (shown redacted). The request returns success rather than the earlier Postgres error "is of type boolean but expression is of type smallint". |
| 3 | Configure group-to-role mappings for tenant_admin, operator, auditor, then Save role mappings. | Mappings are saved and shown. |
| 4 | Change the connection status and save. | The change is accepted and reflected. |
| 5 | Open Audit. | SCIM connection and mapping changes are recorded for your tenant. |
| 6 | Sign in as an operator; open Settings. | The SCIM admin configuration is hidden. |
| 7 | Sign in as an auditor; open Settings. | SCIM connection status is visible read-only; no create/save controls. |
| 8 | As tenant/system admin, grant a user an admin role outside SCIM, then re-sync a SCIM group for that same user. | The manually-granted role survives the recompute — SCIM only replaces source='scim' roles. |
Pass / fail checklist
- Tenant admin creates a SCIM connection (returns success on Postgres — boolean bug fixed)
- Group-to-role mapping covers tenant_admin / operator / auditor and saves
- Provider secrets/tokens are never re-displayed after creation
- Connection and mapping changes appear in Audit
- Operators cannot see SCIM admin configuration; auditors are read-only
- SCIM connections are scoped to the owning tenant
- Manually-granted roles survive a SCIM role recompute (SCIM only replaces SCIM-sourced roles)
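The two rules checked in walkthrough step 8 and in the last checklist item (SCIM replaces only source='scim' roles; deprovisioning is fail-closed) and the redaction rule (the bearer token is never echoed back) are small enough to state as code. The block below is an added illustration written for this note, not OneProtect's implementation: the `RoleAssignment`/`ScimConnection` shapes, the source label `manual`, the status value `active`, and the group names are constructed for the example, and the fail-closed reading (an unmapped group, an unknown role in the mapping, or a non-active connection grants nothing) is an assumption about how the page's phrase is realized.

```python
"""Constructed model of the SCIM role-recompute and deprovisioning semantics
described in VN-06. Example code only; shapes and labels are assumptions."""
from dataclasses import dataclass, field

# The three OneProtect tenant roles named on the page.
TENANT_ROLES = ("tenant_admin", "operator", "auditor")


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    source: str  # 'scim' (from the page) or 'manual' (assumed label for admin grants)


@dataclass
class ScimConnection:
    name: str
    provider: str
    base_url: str
    bearer_token: str = field(repr=False)  # keep the secret out of repr()/logs
    status: str = "active"                 # assumed status value
    # IdP group display name -> OneProtect role (constructed mapping shape)
    role_mappings: dict = field(default_factory=dict)

    def to_public(self) -> dict:
        """Serialize for API/portal responses: the token is redacted, never echoed."""
        return {
            "name": self.name,
            "provider": self.provider,
            "base_url": self.base_url,
            "status": self.status,
            "bearer_token": "[redacted]",
            "role_mappings": dict(self.role_mappings),
        }


def recompute_roles(current: set, idp_groups: list, conn: ScimConnection) -> set:
    """Return the user's assignment set after a SCIM group sync.

    Manual grants are carried over untouched; every SCIM-sourced assignment is
    rebuilt from the current group membership. Fail-closed: an unmapped group,
    a mapping to an unknown role, or a non-active connection grants nothing,
    so stale SCIM roles disappear instead of lingering."""
    manual = {a for a in current if a.source != "scim"}
    if conn.status != "active":
        return manual
    scim = set()
    for group in idp_groups:
        role = conn.role_mappings.get(group)
        if role in TENANT_ROLES:
            scim.add(RoleAssignment(role, "scim"))
    return manual | scim


def deprovision(current: set) -> set:
    """SCIM deprovisioning: drop every source='scim' role, keep manual ones."""
    return {a for a in current if a.source != "scim"}


if __name__ == "__main__":
    conn = ScimConnection(
        name="ACME Entra ID", provider="Entra ID",
        base_url="https://idp.example.com/scim", bearer_token="constructed-token",
        role_mappings={"OP-Admins": "tenant_admin", "OP-Ops": "operator"},
    )
    print("public view:", conn.to_public())          # token shows as [redacted]
    user = {RoleAssignment("tenant_admin", "manual"), RoleAssignment("operator", "scim")}
    print("after sync :", recompute_roles(user, ["OP-Ops", "Unmapped-Group"], conn))
    print("deprovision:", deprovision(user))          # only the manual grant remains
```

Running the module prints the three states a validator compares against the portal: the redacted connection, the post-sync role set with the manual grant intact, and the post-deprovision set holding only the manual grant.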
Intentionally not in Phase 1
- Live, automated Entra ID / Okta adapter sync and real provider secret round-trips. Phase 1 delivers tenant-scoped connection management, role mapping, fail-closed deprovisioning semantics, and redacted provider metadata.
- Standards-shaped public /scim/v2 endpoint aliases.
Evidence to capture
- Screenshot of the SCIM connection and its group-to-role mappings.
- Screenshot showing the secret is not re-displayed.
- Screenshot of the SCIM audit entries and the operator's hidden-config view.