fleet/ee/server/scim
Nico 5196521586
Delete Fleet users when deleted from IdP: Server changes for SCIM handling of deletion (#38321)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #38087 

More context:
https://fleetdm.slack.com/archives/C084F4MKYSJ/p1768336339026999 and
https://fleetdm.slack.com/archives/C084F4MKYSJ/p1768512354275959.

## Testing

- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)

- [x] QA'd all new/changed functionality manually

### Okta

NOTE: Okta does not send `DELETE` requests when deleting a user.
Therefore, we decided to perform Fleet user deletion when the
deactivation happens (`PUT` request).
There's an edge case where a `deactivated` user in Okta is `activated`
back again: Okta sends a `POST` request as if a new user was created --
due to this I added an extra check on the `UserHandler Create` function
so that we don't attempt to create a duplicate SCIM user and instead
replace the existing record (basically, the only change should be
`active=0` -> `active=1`).

What I tested:

- [x] Deactivating user in Okta switches `scim_users` record to `active
= 0` and deletes matching `users` records.
- [x] Activating a deactivated user in Okta switches `scim_users` record
to `active = 1`. Note that a `users` record is not created
automatically. For this, there are two alternatives that we'll mention
in the documentation:

1. Manually create a user from the **Users page**.
2. Log in to Fleet using SSO (must have SSO and the **Create user and
sync permissions on login** setting enabled). Note that an activation
email is sent and the user must provide a new password, or an admin in
the Okta dashboard can set up a one-time password and share it with the
user.


https://github.com/user-attachments/assets/5262a581-41f0-4a88-aa73-40768064f8f5
2026-01-19 11:35:42 -03:00
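The Okta lifecycle described in the commit message (deactivation arrives as a `PUT` with `active=false`, reactivation as a fresh `POST` for the same `userName`, and a Fleet account is never recreated automatically) can be sketched as a small handler model. This is an added example written for this page, not code from the Fleet repository; the in-memory `Store`, the `UserRequest` shape, the case-insensitive `userName` key and the "absent `active` means active" default are all assumptions of the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// UserRequest is the subset of a SCIM core User body this example reads.
// Active is a pointer so an absent attribute can be told apart from false;
// absent is treated as active here (an assumption, not a spec guarantee).
type UserRequest struct {
	UserName string `json:"userName"`
	Active   *bool  `json:"active"`
}

func (r UserRequest) isActive() bool { return r.Active == nil || *r.Active }

// ScimUser is an illustrative record, not Fleet's scim_users schema.
type ScimUser struct {
	ID       string
	UserName string
	Active   bool
}

// Store is an in-memory stand-in for the database: SCIM identities and the
// Fleet accounts linked to them, both keyed by lower-cased userName.
type Store struct {
	nextID     int
	scimUsers  map[string]*ScimUser
	fleetUsers map[string]bool
}

var ErrNotFound = errors.New("scim user not found")

func NewStore() *Store {
	return &Store{scimUsers: map[string]*ScimUser{}, fleetUsers: map[string]bool{}}
}

// ParseUserRequest decodes a SCIM POST/PUT body.
func ParseUserRequest(body []byte) (UserRequest, error) {
	var req UserRequest
	err := json.Unmarshal(body, &req)
	return req, err
}

// CreateUser models POST /Users. Okta re-POSTs a previously deactivated user
// when it is reactivated, so an existing record with the same userName is
// updated in place (effectively active=false -> active=true) rather than
// duplicated. The second return value reports whether a record was reused.
func (s *Store) CreateUser(req UserRequest) (*ScimUser, bool) {
	key := strings.ToLower(req.UserName)
	if existing, ok := s.scimUsers[key]; ok {
		existing.Active = req.isActive()
		return existing, true
	}
	s.nextID++
	u := &ScimUser{ID: fmt.Sprintf("scim-%d", s.nextID), UserName: req.UserName, Active: req.isActive()}
	s.scimUsers[key] = u
	return u, false
}

// ReplaceUser models PUT /Users/{id}. Since Okta never sends DELETE, a PUT
// that flips active from true to false is the deletion signal: the SCIM
// record is kept with Active=false and the linked Fleet account is removed.
// Only the active flag is applied here; a userName change is out of scope.
func (s *Store) ReplaceUser(id string, req UserRequest) (*ScimUser, error) {
	for key, u := range s.scimUsers {
		if u.ID != id {
			continue
		}
		wasActive := u.Active
		u.Active = req.isActive()
		if wasActive && !u.Active {
			delete(s.fleetUsers, key) // the Fleet user goes away with the deactivation
		}
		return u, nil
	}
	return nil, ErrNotFound
}

// LinkFleetUser stands in for the manual "Users page" or SSO-login creation
// step; reactivation via SCIM deliberately does not call it.
func (s *Store) LinkFleetUser(userName string) { s.fleetUsers[strings.ToLower(userName)] = true }

func (s *Store) HasFleetUser(userName string) bool { return s.fleetUsers[strings.ToLower(userName)] }

func (s *Store) CountScimUsers() int { return len(s.scimUsers) }

func main() {
	s := NewStore()
	create, _ := ParseUserRequest([]byte(`{"userName":"alice@example.com","active":true}`)) // constructed body
	u, _ := s.CreateUser(create)
	s.LinkFleetUser(u.UserName)
	deact, _ := ParseUserRequest([]byte(`{"userName":"alice@example.com","active":false}`)) // constructed body
	s.ReplaceUser(u.ID, deact)
	again, reused := s.CreateUser(create)
	fmt.Printf("records=%d reused=%v active=%v fleetUser=%v\n",
		s.CountScimUsers(), reused, again.Active, s.HasFleetUser(again.UserName))
}
```

The check worth keeping from this sketch is the pair of invariants at the end of `main`: exactly one SCIM record survives a deactivate/reactivate round trip, and the Fleet account is absent until an admin or an SSO login recreates it.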
groups.go Update PATCH /fleet/scim/Groups/<group name> endpoint to handle duplicate entries (#30533) 2025-07-07 09:33:17 -05:00
path_test.go SCIM Entra ID support -- PATCH User with op:replace (#28167) 2025-04-15 10:14:20 -05:00
scim.go Delete Fleet users when deleted from IdP: Server changes for SCIM handling of deletion (#38321) 2026-01-19 11:35:42 -03:00
scim_otel_test.go Added missing OpenTelemetry instrumentation to several API endpoints. (#32960) 2025-09-16 11:10:33 -05:00
users.go Delete Fleet users when deleted from IdP: Server changes for SCIM handling of deletion (#38321) 2026-01-19 11:35:42 -03:00
users_test.go Delete Fleet users when deleted from IdP: Server changes for SCIM handling of deletion (#38321) 2026-01-19 11:35:42 -03:00