SCIM Connector Platform

Status

In Development

Maturity

Production-oriented lab

Evidence

Architecture documented · Screenshots pending · Repo pending

Add live demo endpoint

Problem

Enterprises using Okta, Entra ID, or Auth0 need reliable automated provisioning to downstream SaaS and internal platforms. Manual provisioning creates stale accounts, audit gaps, and inconsistent access states across systems.

What Was Built

A multi-tenant SCIM v2 connector platform. Customers self-service create tenants and connectors. Each connector receives a unique Bearer token used by the IdP to authenticate SCIM requests. Tokens are bcrypt-hashed at rest and displayed only once at creation.

Architecture Overview

Identity Providers

OktaMicrosoft Entra IDAuth0Any SCIM-compatible IdP

↓ HTTPS · Bearer Token · TLS 1.2+

SCIM Connector Platform

Tenant RouterSCIM v2 HandlerToken ValidatorEvent BusRequest Logger

↓↓

Data & Operations

Tenant Store
Audit Log
Metrics Collector

Admin & Ops

Admin Console
Operator Dashboard
Customer Portal

↓

Target Applications

Internal APIsSaaS PlatformsUser Directories

Request Flow

1IdP sends SCIM request: Authorization: Bearer <token> header
2Token Validator computes hash, looks up tenant store — plaintext never stored
3Tenant Router directs request to correct tenant namespace
4SCIM v2 Handler processes operation (create / update / delete / patch)
5Audit event written: actor=connector_id, resource=user|group, action, outcome, timestamp
6HTTP 200/201/204 returned to IdP; failures return RFC 7644-compliant error body

SCIM Endpoints Implemented

Method	Endpoint	Operation
GET	/scim/v2/Users	List users (supports filter)
POST	/scim/v2/Users	Create user
GET	/scim/v2/Users/{id}	Get user by ID
PUT	/scim/v2/Users/{id}	Replace user
PATCH	/scim/v2/Users/{id}	Partial update
DELETE	/scim/v2/Users/{id}	Deprovision user
GET	/scim/v2/Groups	List groups
POST	/scim/v2/Groups	Create group
GET	/scim/v2/Groups/{id}	Get group
PATCH	/scim/v2/Groups/{id}	Update group membership
DELETE	/scim/v2/Groups/{id}	Remove group
GET	/scim/v2/ServiceProviderConfig	Advertise capabilities
GET	/scim/v2/Schemas	Schema discovery
GET	/scim/v2/ResourceTypes	Resource type discovery

Security Controls

▸Bearer token per connector, bcrypt-hashed at rest
▸Plaintext never stored — display-once at creation
▸Tenant isolation: token scoped to exactly one tenant namespace
▸Admin MFA enforced on dashboard
▸Rate limiting per connector

Operational Controls

▸GET /health — liveness
▸GET /ready — readiness (DB + downstream deps)
▸GET /metrics — Prometheus-compatible counters
▸Structured JSON audit log per event
▸Admin/operator dashboard: tenant list, connector status, recent events

Failure Handling

▸Token not found → 401 Unauthorized + failed_auth audit event
▸User already exists → 409 Conflict (RFC 7644)
▸Malformed payload → 400 Bad Request with detail
▸Downstream unavailable → 503 with retry guidance
▸All failures logged with request ID

Design Trade-offs

1.Stateless token validation chosen over session auth for IdP compatibility
2.DB-level tenant namespacing rather than separate DB per tenant — cost vs isolation trade-off
3.Display-once token pattern prioritises security over operator convenience

Employer Value

Risk reduced

Orphaned accounts, access drift, provisioning audit gaps

Operational value

Automated lifecycle management across IdP and SaaS fleet

IAM domain

SCIM v2, identity lifecycle, multi-tenant SaaS architecture

Seniority signal

End-to-end platform design — not just SCIM client usage

Evidence

Architecture Diagram

[ Pending — will be added ]

Admin Dashboard Screenshot

[ Screenshot pending ]

GitHub Repository

[ Repo pending ]

Live Demo Endpoint

[ Demo pending ]