mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00

Victor Lyuboslavsky 2198fd8d65

For #27287

Video explaining the PR: https://www.youtube.com/watch?v=ZHgFUAvrPEI

This PR adds SCIM Users support for Okta. The goal is to first add
Users/Groups support so that the remaining backend SCIM work can be done
in parallel.

This PR does not include the following, which will be added in later PRs
- Changes file
- Groups support for Okta
- Full support for Entra ID
- Integration tests

# Checklist for submitter

- [x] If database migrations are included, checked table schema to
confirm autoupdate
- For database migrations:
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [x] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [x] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
- [x] Added/updated automated tests
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [x] Manual QA for all new/changed functionality

2025-04-01 11:02:24 -05:00

2.7 KiB

Raw Blame History

SCIM (System for Cross-domain Identity Management) integration

Reference docs

Okta integration

https://developer.okta.com/docs/guides/scim-provisioning-integration-prepare/main/

Testing Okta integration

First, create at least one SCIM user:

POST https://localhost:8080/api/latest/fleet/scim/Users

{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "test.user@okta.local",
    "name": {
        "givenName": "Test",
        "familyName": "User"
    },
    "emails": [{
        "primary": true,
        "value": "test.user@okta.local",
        "type": "work"
    }],
    "active": true
}

Run test using Runscope. See instructions.

Entra ID integration

SCIM guide
SCIM validator
- Only test attributes that we implemented

Testing Entra ID integration

Use scimvalidator.microsoft.com. Only test the attributes that we have implemented. To see our supported attributes, check the schema:

GET https://localhost:8080/api/latest/fleet/scim/Schemas

Authentication

We use same authentication as API. HTTP header: Authorization: Bearer xyz

Diagrams

---
title: Initial DB schema (not kept up to date)
---
erDiagram
    HOST_SCIM_USER {
        host_id uint PK
        scim_user_id uint PK "FK"
    }
    SCIM_USERS {
        id uint PK
        external_id *string "Index"
        user_name string "Unique"
        given_name *string
        family_name *string
        active *bool
    }
    SCIM_USER_EMAILS {
        id uint PK
        scim_user_id uint FK
        type *string "Index"
        email string "Index"
        primary *bool
    }
    SCIM_USER_GROUP {
        scim_user_id string PK "FK"
        group_id uint PK "FK"
    }
    SCIM_GROUPS {
        id uint PK
        external_id *string "Index"
        display_name string "Index"
    }
    HOST_SCIM_USER }o--|| SCIM_USERS : "multiple hosts can have the same SCIM user"
    SCIM_USERS ||--o{ SCIM_USER_GROUP: "zero-to-many"
    SCIM_USER_GROUP }o--|| SCIM_GROUPS: "zero-to-many"
    SCIM_USERS ||--o{ SCIM_USER_EMAILS: "zero-to-many"
    COMMENT {
        _ _ "created_at and updated_at columns not shown"
    }

Notes

Okta and Entra ID do not support nested groups

2.7 KiB Raw Blame History