Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/docs/Contributing/MDM-SCIM-integration.md

103 lines
2.7 KiB
Markdown
Raw Normal View History

Add SCIM Users (#27551) For #27287 Video explaining the PR: https://www.youtube.com/watch?v=ZHgFUAvrPEI This PR adds SCIM Users support for Okta. The goal is to first add Users/Groups support so that the remaining backend SCIM work can be done in parallel. This PR does not include the following, which will be added in later PRs - Changes file - Groups support for Okta - Full support for Entra ID - Integration tests # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality
2025-04-01 16:02:24 +00:00
# SCIM (System for Cross-domain Identity Management) integration
## Reference docs
- [scim.cloud](https://scim.cloud/)
- [SCIM: Core Schema (RFC7643)](https://datatracker.ietf.org/doc/html/rfc7643)
- [SCIM: Protocol (RFC7644)](https://datatracker.ietf.org/doc/html/rfc7644)
- [scim Go library](https://github.com/elimity-com/scim)
## Okta integration
- https://developer.okta.com/docs/guides/scim-provisioning-integration-prepare/main/
### Testing Okta integration
First, create at least one SCIM user:
```
POST https://localhost:8080/api/latest/fleet/scim/Users
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "test.user@okta.local",
"name": {
"givenName": "Test",
"familyName": "User"
},
"emails": [{
"primary": true,
"value": "test.user@okta.local",
"type": "work"
}],
"active": true
}
```
Run test using [Runscope](https://www.runscope.com/). See [instructions](https://developer.okta.com/docs/guides/scim-provisioning-integration-prepare/main/#test-your-scim-api).
## Entra ID integration
- [SCIM guide](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups)
- [SCIM validator](https://scimvalidator.microsoft.com/)
- Only test attributes that we implemented
### Testing Entra ID integration
Use [scimvalidator.microsoft.com](https://scimvalidator.microsoft.com/). Only test the attributes that we have implemented. To see our supported attributes, check the schema:
```
GET https://localhost:8080/api/latest/fleet/scim/Schemas
```
## Authentication
We use same authentication as API. HTTP header: `Authorization: Bearer xyz`
## Diagrams
```mermaid
---
title: Initial DB schema (not kept up to date)
---
erDiagram
HOST_SCIM_USER {
host_id uint PK
scim_user_id uint PK "FK"
}
SCIM_USERS {
id uint PK
external_id *string "Index"
user_name string "Unique"
given_name *string
family_name *string
active *bool
}
SCIM_USER_EMAILS {
id uint PK
scim_user_id uint FK
type *string "Index"
email string "Index"
primary *bool
}
SCIM_USER_GROUP {
scim_user_id string PK "FK"
group_id uint PK "FK"
}
SCIM_GROUPS {
id uint PK
external_id *string "Index"
display_name string "Index"
}
HOST_SCIM_USER }o--|| SCIM_USERS : "multiple hosts can have the same SCIM user"
SCIM_USERS ||--o{ SCIM_USER_GROUP: "zero-to-many"
SCIM_USER_GROUP }o--|| SCIM_GROUPS: "zero-to-many"
SCIM_USERS ||--o{ SCIM_USER_EMAILS: "zero-to-many"
COMMENT {
_ _ "created_at and updated_at columns not shown"
}
```
## Notes
- Okta and Entra ID do not support nested groups
Reference in a new issue Copy permalink