Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/docs/Contributing/guides/integrations/scim-integration.md
Rachael Shaw 0d8c099cf9
Docs v4.71.0 (#31200) 
Documentation changes for 4.71.0

---------

Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
2025-07-23 16:02:13 -06:00

4.2 KiB
Raw Blame History

SCIM (System for Cross-domain Identity Management) integration

Reference docs

Okta integration

Sample provisioning settings that work. Capabilities can be disabled and attributes can be removed as needed.

Okta to Fleet provisioning

From our testing with Okta, we see the following behavior that is worth noting:

  • Okta does not use PATCH endpoint
  • Okta does not DELETE users; if a new user needs to be created with the same username as a "deleted" user, then it overwrites the old user

Automated test for Okta integration

First, create at least one SCIM user:

POST https://localhost:8080/api/latest/fleet/scim/Users
Authorization: Bearer <API key>
{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "test.user@okta.local",
    "name": {
        "givenName": "Test",
        "familyName": "User"
    },
    "emails": [{
        "primary": true,
        "value": "test.user@okta.local",
        "type": "work"
    }],
    "active": true
}

Run test using Runscope. See instructions.

Entra ID integration

By default, Entra ID SCIM client is not fully SCIM 2.0 compliant. See details. Fleet server does not support Entra ID's non-SCIM compliant client. To use the SCIM compliant Entra ID client, you must append the following URL parameter to the Fleet server's path: aadOptscim062020. This parameter is processed by Entra ID, not by Fleet. So, the Fleet URL should look like this:

https://<server_url>/api/v1/fleet/scim?aadOptscim062020

Testing Entra ID integration

Use scimvalidator.microsoft.com. Only test the attributes that we have implemented.

We support the emails attribute, even though it is not called out in our customer-facing guide.

SCIM-Entra-ID-Validator-User-attributes.png SCIM-Entra-ID-Validator-Group-attributes.png

To see our supported attributes, check the schema:

GET https://localhost:8080/api/latest/fleet/scim/Schemas

Results (2025/05/06)

SCIM-Entra-ID-Validator-results.png

Authentication

We use same authentication as API. HTTP header: Authorization: Bearer xyz

Diagrams

---
title: Initial DB schema (not kept up to date)
---
erDiagram
    HOST_SCIM_USER {
        host_id uint PK
        scim_user_id uint PK "FK"
    }
    SCIM_USERS {
        id uint PK
        external_id *string "Index"
        user_name string "Unique"
        given_name *string
        family_name *string
        active *bool
    }
    SCIM_USER_EMAILS {
        id uint PK
        scim_user_id uint FK
        type *string "Index"
        email string "Index"
        primary *bool
    }
    SCIM_USER_GROUP {
        scim_user_id string PK "FK"
        group_id uint PK "FK"
    }
    SCIM_GROUPS {
        id uint PK
        external_id *string "Index"
        display_name string "Index"
    }
    HOST_SCIM_USER }o--|| SCIM_USERS : "multiple hosts can have the same SCIM user"
    SCIM_USERS ||--o{ SCIM_USER_GROUP: "zero-to-many"
    SCIM_USER_GROUP }o--|| SCIM_GROUPS: "zero-to-many"
    SCIM_USERS ||--o{ SCIM_USER_EMAILS: "zero-to-many"
    COMMENT {
        _ _ "created_at and updated_at columns not shown"
    }

Notes

  • Okta and Entra ID do not support nested groups