fleet/docs/Contributing/guides/integrations/scim-integration.md

# SCIM (System for Cross-domain Identity Management) integration

## Reference docs

- [scim.cloud](https://scim.cloud/)
- [SCIM: Core Schema (RFC7643)](https://datatracker.ietf.org/doc/html/rfc7643)
- [SCIM: Protocol (RFC7644)](https://datatracker.ietf.org/doc/html/rfc7644)
- [scim Go library](https://github.com/elimity-com/scim)

## Okta integration

- https://developer.okta.com/docs/guides/scim-provisioning-integration-prepare/main/

Sample provisioning settings that work. Capabilities can be disabled and attributes can be removed as needed.

![Okta to Fleet provisioning](../../assets/SCIM-Okta-provisioning.png)

From our testing with Okta, we see the following behavior that is worth noting:
- Okta does not use PATCH endpoint
- Okta does not DELETE users; if a new user needs to be created with the same username as a "deleted" user, then it overwrites the old user

### Automated test for Okta integration

First, create at least one SCIM user:

```
POST https://localhost:8080/api/latest/fleet/scim/Users
Authorization: Bearer <API key>
{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "test.user@okta.local",
    "name": {
        "givenName": "Test",
        "familyName": "User"
    },
    "emails": [{
        "primary": true,
        "value": "test.user@okta.local",
        "type": "work"
    }],
    "active": true
}
```

Run test using [Runscope](https://www.runscope.com/). See [instructions](https://developer.okta.com/docs/guides/scim-provisioning-integration-prepare/main/#test-your-scim-api).

## Entra ID integration

- [SCIM guide](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups)
- [SCIM validator](https://scimvalidator.microsoft.com/)
  - Note: only test attributes implemented by Fleet

By default, Entra ID SCIM client is not fully SCIM 2.0 compliant. [See details](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility). Fleet server does not support Entra ID's non-SCIM compliant client. To use the SCIM compliant Entra ID client, you must append the following URL parameter to the Fleet server's path: `aadOptscim062020`. This parameter is processed by Entra ID, not by Fleet. So, the Fleet URL should look like this:

```
https://<server_url>/api/v1/fleet/scim?aadOptscim062020
```

### Testing Entra ID integration

Use [scimvalidator.microsoft.com](https://scimvalidator.microsoft.com/). Only test the attributes that we have implemented.

We support the `emails` attribute, even though it is not called out in our customer-facing guide.

![SCIM-Entra-ID-Validator-User-attributes.png](../../assets/SCIM-Entra-ID-Validator-User-attributes.png)
![SCIM-Entra-ID-Validator-Group-attributes.png](../../assets/SCIM-Entra-ID-Validator-Group-attributes.png)

To see our supported attributes, check the schema:
```
GET https://localhost:8080/api/latest/fleet/scim/Schemas
```

Results (2025/05/06)

![SCIM-Entra-ID-Validator-results.png](../../assets/SCIM-Entra-ID-Validator-results.png)

## Authentication

We use same authentication as API. HTTP header: `Authorization: Bearer xyz`

## Diagrams

```mermaid
---
title: Initial DB schema (not kept up to date)
---
erDiagram
    HOST_SCIM_USER {
        host_id uint PK
        scim_user_id uint PK "FK"
    }
    SCIM_USERS {
        id uint PK
        external_id *string "Index"
        user_name string "Unique"
        given_name *string
        family_name *string
        active *bool
    }
    SCIM_USER_EMAILS {
        id uint PK
        scim_user_id uint FK
        type *string "Index"
        email string "Index"
        primary *bool
    }
    SCIM_USER_GROUP {
        scim_user_id string PK "FK"
        group_id uint PK "FK"
    }
    SCIM_GROUPS {
        id uint PK
        external_id *string "Index"
        display_name string "Index"
    }
    HOST_SCIM_USER }o--|| SCIM_USERS : "multiple hosts can have the same SCIM user"
    SCIM_USERS ||--o{ SCIM_USER_GROUP: "zero-to-many"
    SCIM_USER_GROUP }o--|| SCIM_GROUPS: "zero-to-many"
    SCIM_USERS ||--o{ SCIM_USER_EMAILS: "zero-to-many"
    COMMENT {
        _ _ "created_at and updated_at columns not shown"
    }
```

## Notes

- Okta and Entra ID do not support nested groups
Add SCIM Users (#27551) For #27287 Video explaining the PR: https://www.youtube.com/watch?v=ZHgFUAvrPEI This PR adds SCIM Users support for Okta. The goal is to first add Users/Groups support so that the remaining backend SCIM work can be done in parallel. This PR does not include the following, which will be added in later PRs - Changes file - Groups support for Okta - Full support for Entra ID - Integration tests # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-04-01 16:02:24 +00:00			`# SCIM (System for Cross-domain Identity Management) integration`

			`## Reference docs`

			`- [scim.cloud](https://scim.cloud/)`
			`- [SCIM: Core Schema (RFC7643)](https://datatracker.ietf.org/doc/html/rfc7643)`
			`- [SCIM: Protocol (RFC7644)](https://datatracker.ietf.org/doc/html/rfc7644)`
			`- [scim Go library](https://github.com/elimity-com/scim)`

			`## Okta integration`

			`- https://developer.okta.com/docs/guides/scim-provisioning-integration-prepare/main/`

SCIM integration tests (#27750) For #27287 This PR adds integration tests for SCIM API endpoints as well as some bug fixes found by these tests. # Checklist for submitter - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality 2025-04-04 16:00:46 +00:00			`Sample provisioning settings that work. Capabilities can be disabled and attributes can be removed as needed.`

Fixed/updated SCIM contributor guide. (#29257) 2025-05-19 16:29:36 +00:00			`![Okta to Fleet provisioning](../../assets/SCIM-Okta-provisioning.png)`
SCIM integration tests (#27750) For #27287 This PR adds integration tests for SCIM API endpoints as well as some bug fixes found by these tests. # Checklist for submitter - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality 2025-04-04 16:00:46 +00:00
SCIM + host integration (#27880) For #27284 This PR: - Adds SCIM as a fallback for username during macOS end user authentication during setup experience - Adds SCIM/endUsers details to host details # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-04-08 14:35:06 +00:00			`From our testing with Okta, we see the following behavior that is worth noting:`
			`- Okta does not use PATCH endpoint`
			`- Okta does not DELETE users; if a new user needs to be created with the same username as a "deleted" user, then it overwrites the old user`

			`### Automated test for Okta integration`
Add SCIM Users (#27551) For #27287 Video explaining the PR: https://www.youtube.com/watch?v=ZHgFUAvrPEI This PR adds SCIM Users support for Okta. The goal is to first add Users/Groups support so that the remaining backend SCIM work can be done in parallel. This PR does not include the following, which will be added in later PRs - Changes file - Groups support for Okta - Full support for Entra ID - Integration tests # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-04-01 16:02:24 +00:00
			`First, create at least one SCIM user:`

			```
			`POST https://localhost:8080/api/latest/fleet/scim/Users`
SCIM + host integration (#27880) For #27284 This PR: - Adds SCIM as a fallback for username during macOS end user authentication during setup experience - Adds SCIM/endUsers details to host details # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-04-08 14:35:06 +00:00			`Authorization: Bearer <API key>`
Add SCIM Users (#27551) For #27287 Video explaining the PR: https://www.youtube.com/watch?v=ZHgFUAvrPEI This PR adds SCIM Users support for Okta. The goal is to first add Users/Groups support so that the remaining backend SCIM work can be done in parallel. This PR does not include the following, which will be added in later PRs - Changes file - Groups support for Okta - Full support for Entra ID - Integration tests # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-04-01 16:02:24 +00:00			`{`
			`"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],`
			`"userName": "test.user@okta.local",`
			`"name": {`
			`"givenName": "Test",`
			`"familyName": "User"`
			`},`
			`"emails": [{`
			`"primary": true,`
			`"value": "test.user@okta.local",`
			`"type": "work"`
			`}],`
			`"active": true`
			`}`
			```

			`Run test using [Runscope](https://www.runscope.com/). See [instructions](https://developer.okta.com/docs/guides/scim-provisioning-integration-prepare/main/#test-your-scim-api).`

			`## Entra ID integration`
Docs v4.71.0 (#31200) Documentation changes for 4.71.0 --------- Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com> Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Ian Littman <iansltx@gmail.com> 2025-07-23 22:02:13 +00:00
Add SCIM Users (#27551) For #27287 Video explaining the PR: https://www.youtube.com/watch?v=ZHgFUAvrPEI This PR adds SCIM Users support for Okta. The goal is to first add Users/Groups support so that the remaining backend SCIM work can be done in parallel. This PR does not include the following, which will be added in later PRs - Changes file - Groups support for Okta - Full support for Entra ID - Integration tests # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-04-01 16:02:24 +00:00			`- [SCIM guide](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups)`
			`- [SCIM validator](https://scimvalidator.microsoft.com/)`
Fixed/updated SCIM contributor guide. (#29257) 2025-05-19 16:29:36 +00:00			`- Note: only test attributes implemented by Fleet`

			By default, Entra ID SCIM client is not fully SCIM 2.0 compliant. [See details](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility). Fleet server does not support Entra ID's non-SCIM compliant client. To use the SCIM compliant Entra ID client, you must append the following URL parameter to the Fleet server's path: `aadOptscim062020`. This parameter is processed by Entra ID, not by Fleet. So, the Fleet URL should look like this:

			```
			`https://<server_url>/api/v1/fleet/scim?aadOptscim062020`
			```
Add SCIM Users (#27551) For #27287 Video explaining the PR: https://www.youtube.com/watch?v=ZHgFUAvrPEI This PR adds SCIM Users support for Okta. The goal is to first add Users/Groups support so that the remaining backend SCIM work can be done in parallel. This PR does not include the following, which will be added in later PRs - Changes file - Groups support for Okta - Full support for Entra ID - Integration tests # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-04-01 16:02:24 +00:00
			`### Testing Entra ID integration`

SCIM Entra ID support (#28832) For #28196 This PR adds full patching for SCIM Users and Groups, and adds the ability to filter Groups by displayName. The changes have been tested with [Entra ID SCIM Validator](https://github.com/fleetdm/fleet/blob/67dfd91c0cfb1546177ad533d02ee94eb199c3eb/docs/Contributing/SCIM-integration.md#entra-id-integration) and Okta SCIM 2.0 SPEC Test (to make sure we didn't break Okta). # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-05-08 18:02:49 +00:00			`Use [scimvalidator.microsoft.com](https://scimvalidator.microsoft.com/). Only test the attributes that we have implemented.`
Add SCIM Users (#27551) For #27287 Video explaining the PR: https://www.youtube.com/watch?v=ZHgFUAvrPEI This PR adds SCIM Users support for Okta. The goal is to first add Users/Groups support so that the remaining backend SCIM work can be done in parallel. This PR does not include the following, which will be added in later PRs - Changes file - Groups support for Okta - Full support for Entra ID - Integration tests # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-04-01 16:02:24 +00:00
Fixed/updated SCIM contributor guide. (#29257) 2025-05-19 16:29:36 +00:00			We support the `emails` attribute, even though it is not called out in our customer-facing guide.

			`![SCIM-Entra-ID-Validator-User-attributes.png](../../assets/SCIM-Entra-ID-Validator-User-attributes.png)`
			`![SCIM-Entra-ID-Validator-Group-attributes.png](../../assets/SCIM-Entra-ID-Validator-Group-attributes.png)`
SCIM Entra ID support (#28832) For #28196 This PR adds full patching for SCIM Users and Groups, and adds the ability to filter Groups by displayName. The changes have been tested with [Entra ID SCIM Validator](https://github.com/fleetdm/fleet/blob/67dfd91c0cfb1546177ad533d02ee94eb199c3eb/docs/Contributing/SCIM-integration.md#entra-id-integration) and Okta SCIM 2.0 SPEC Test (to make sure we didn't break Okta). # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-05-08 18:02:49 +00:00
			`To see our supported attributes, check the schema:`
Add SCIM Users (#27551) For #27287 Video explaining the PR: https://www.youtube.com/watch?v=ZHgFUAvrPEI This PR adds SCIM Users support for Okta. The goal is to first add Users/Groups support so that the remaining backend SCIM work can be done in parallel. This PR does not include the following, which will be added in later PRs - Changes file - Groups support for Okta - Full support for Entra ID - Integration tests # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-04-01 16:02:24 +00:00			```
			`GET https://localhost:8080/api/latest/fleet/scim/Schemas`
			```

SCIM Entra ID support (#28832) For #28196 This PR adds full patching for SCIM Users and Groups, and adds the ability to filter Groups by displayName. The changes have been tested with [Entra ID SCIM Validator](https://github.com/fleetdm/fleet/blob/67dfd91c0cfb1546177ad533d02ee94eb199c3eb/docs/Contributing/SCIM-integration.md#entra-id-integration) and Okta SCIM 2.0 SPEC Test (to make sure we didn't break Okta). # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-05-08 18:02:49 +00:00			`Results (2025/05/06)`

Fixed/updated SCIM contributor guide. (#29257) 2025-05-19 16:29:36 +00:00			`![SCIM-Entra-ID-Validator-results.png](../../assets/SCIM-Entra-ID-Validator-results.png)`
SCIM Entra ID support (#28832) For #28196 This PR adds full patching for SCIM Users and Groups, and adds the ability to filter Groups by displayName. The changes have been tested with [Entra ID SCIM Validator](https://github.com/fleetdm/fleet/blob/67dfd91c0cfb1546177ad533d02ee94eb199c3eb/docs/Contributing/SCIM-integration.md#entra-id-integration) and Okta SCIM 2.0 SPEC Test (to make sure we didn't break Okta). # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-05-08 18:02:49 +00:00
Add SCIM Users (#27551) For #27287 Video explaining the PR: https://www.youtube.com/watch?v=ZHgFUAvrPEI This PR adds SCIM Users support for Okta. The goal is to first add Users/Groups support so that the remaining backend SCIM work can be done in parallel. This PR does not include the following, which will be added in later PRs - Changes file - Groups support for Okta - Full support for Entra ID - Integration tests # Checklist for submitter - [x] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [x] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [x] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [x] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality 2025-04-01 16:02:24 +00:00			`## Authentication`

			We use same authentication as API. HTTP header: `Authorization: Bearer xyz`

			`## Diagrams`

			```mermaid
			`---`
			`title: Initial DB schema (not kept up to date)`
			`---`
			`erDiagram`
			`HOST_SCIM_USER {`
			`host_id uint PK`
			`scim_user_id uint PK "FK"`
			`}`
			`SCIM_USERS {`
			`id uint PK`
			`external_id *string "Index"`
			`user_name string "Unique"`
			`given_name *string`
			`family_name *string`
			`active *bool`
			`}`
			`SCIM_USER_EMAILS {`
			`id uint PK`
			`scim_user_id uint FK`
			`type *string "Index"`
			`email string "Index"`
			`primary *bool`
			`}`
			`SCIM_USER_GROUP {`
			`scim_user_id string PK "FK"`
			`group_id uint PK "FK"`
			`}`
			`SCIM_GROUPS {`
			`id uint PK`
			`external_id *string "Index"`
			`display_name string "Index"`
			`}`
			`HOST_SCIM_USER }o--\|\| SCIM_USERS : "multiple hosts can have the same SCIM user"`
			`SCIM_USERS \|\|--o{ SCIM_USER_GROUP: "zero-to-many"`
			`SCIM_USER_GROUP }o--\|\| SCIM_GROUPS: "zero-to-many"`
			`SCIM_USERS \|\|--o{ SCIM_USER_EMAILS: "zero-to-many"`
			`COMMENT {`
			`_ _ "created_at and updated_at columns not shown"`
			`}`
			```

			`## Notes`

			`- Okta and Entra ID do not support nested groups`