npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
SCIM (System for Cross-domain Identity Management) is an open standard protocol (RFC 7644) that automates the exchange of user identity information between identity providers like Okta and service providers. This skill covers building a SCIM 2.0-compliant API endpoint and integrating it with Okta for automated user lifecycle management including provisioning, deprovisioning, profile updates, and group management.
When to Use
- When deploying or configuring implementing scim provisioning with okta capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Okta tenant with admin access (Developer or Production)
- Application with REST API capable of user management
- TLS-secured endpoint (HTTPS required)
- Okta API token or OAuth 2.0 client credentials
- Python 3.9+ with Flask or FastAPI
Core Concepts
SCIM 2.0 Protocol
SCIM defines a standard schema for representing users and groups via JSON, with a RESTful API for CRUD operations:
| Operation | HTTP Method | Endpoint | Description |
|---|---|---|---|
| Create User | POST | /scim/v2/Users | Provisions a new user account |
| Read User | GET | /scim/v2/Users/{id} | Retrieves user details |
| Update User | PUT/PATCH | /scim/v2/Users/{id} | Modifies user attributes |
| Delete User | DELETE | /scim/v2/Users/{id} | Removes user account |
| List Users | GET | /scim/v2/Users | Lists users with filtering |
| Create Group | POST | /scim/v2/Groups | Creates a group |
| Manage Group | PATCH | /scim/v2/Groups/{id} | Add/remove group members |
Okta SCIM Integration Architecture
Okta (IdP) ──SCIM 2.0 over HTTPS──> SCIM Server ──> Application Database
│ │
├── User Assignment ├── Create/Update User
├── User Unassignment ├── Deactivate User
├── Profile Push ├── Sync Attributes
└── Group Push └── Manage GroupsRequired SCIM Endpoints
- ServiceProviderConfig (
/scim/v2/ServiceProviderConfig): Advertises SCIM capabilities - ResourceTypes (
/scim/v2/ResourceTypes): Describes supported resource types - Schemas (
/scim/v2/Schemas): Publishes the SCIM schema definitions - Users (
/scim/v2/Users): User lifecycle operations - Groups (
/scim/v2/Groups): Group management operations
Workflow
Step 1: Build SCIM 2.0 API Server
Create a Flask-based SCIM server that implements the core endpoints. The server must handle:
- User CRUD: Create, read, update, delete, and list users
- Filtering: Support
eqfilter onuserName(required by Okta) - Pagination: Return
startIndex,itemsPerPage, andtotalResults - Authentication: Bearer token validation on all endpoints
from flask import Flask, request, jsonify
import uuid
from datetime import datetime
app = Flask(__name__)
# Bearer token for Okta authentication
SCIM_BEARER_TOKEN = "your-secure-token-here"
def require_auth(f):
def wrapper(*args, **kwargs):
auth = request.headers.get("Authorization", "")
if not auth.startswith("Bearer ") or auth[7:] != SCIM_BEARER_TOKEN:
return jsonify({"detail": "Unauthorized"}), 401
return f(*args, **kwargs)
wrapper.__name__ = f.__name__
return wrapper
@app.route("/scim/v2/Users", methods=["POST"])
@require_auth
def create_user():
data = request.json
user_id = str(uuid.uuid4())
user = {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": user_id,
"userName": data.get("userName"),
"name": data.get("name", {}),
"emails": data.get("emails", []),
"active": True,
"meta": {
"resourceType": "User",
"created": datetime.utcnow().isoformat() + "Z",
"lastModified": datetime.utcnow().isoformat() + "Z",
"location": f"/scim/v2/Users/{user_id}"
}
}
# Persist user to database
return jsonify(user), 201
@app.route("/scim/v2/Users", methods=["GET"])
@require_auth
def list_users():
filter_param = request.args.get("filter", "")
start_index = int(request.args.get("startIndex", 1))
count = int(request.args.get("count", 100))
# Parse filter: userName eq "john@example.com"
# Query database with filter
return jsonify({
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 0,
"startIndex": start_index,
"itemsPerPage": count,
"Resources": []
})Step 2: Configure Okta Application
-
Create SCIM App Integration:
- Navigate to Okta Admin Console > Applications > Create App Integration
- Select SWA or SAML 2.0 as sign-on method
- In the General tab, select SCIM for Provisioning
-
Configure SCIM Connection:
- SCIM connector base URL:
https://your-app.com/scim/v2 - Unique identifier field:
userName - Supported provisioning actions: Push New Users, Push Profile Updates, Push Groups
- Authentication Mode: HTTP Header (Bearer Token)
- SCIM connector base URL:
-
Enable Provisioning Features:
- To App: Create Users, Update User Attributes, Deactivate Users
- Configure attribute mappings between Okta profile and SCIM schema
Step 3: Map Attributes
Map Okta user profile attributes to your SCIM schema:
| Okta Attribute | SCIM Attribute | Direction |
|---|---|---|
| login | userName | Okta -> App |
| firstName | name.givenName | Okta -> App |
| lastName | name.familyName | Okta -> App |
| emails[type eq "work"].value | Okta -> App | |
| department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | Okta -> App |
Step 4: Implement Error Handling
SCIM specifies standard error response format:
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
"detail": "User already exists",
"status": "409",
"scimType": "uniqueness"
}Common error codes: 400 (Bad Request), 401 (Unauthorized), 404 (Not Found), 409 (Conflict), 500 (Internal Server Error).
Step 5: Test with Runscope/Okta SCIM Validator
Okta provides an automated SCIM test suite (via Runscope/BlazeMeter) that validates your SCIM implementation against all required operations:
- Import the Okta SCIM 2.0 test suite from the OIN submission portal
- Configure the base URL and authentication token
- Run the full test suite covering user CRUD, filtering, and pagination
- Fix any failing tests before submitting to OIN
Validation Checklist
- SCIM server accessible over HTTPS with valid TLS certificate
- Bearer token authentication enforced on all endpoints
- User creation returns 201 with full user representation
- User search by
userName eq "..."filter works correctly - Pagination parameters (
startIndex,count) handled properly - User deactivation sets
active: false(not hard delete) - PATCH operations support
add,replace,removeops - Group push creates and manages group memberships
- Okta SCIM validator test suite passes all tests
- Error responses conform to SCIM error schema
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md4.6 KB
API Reference: Okta SCIM 2.0 Provisioning
Libraries Used
| Library | Purpose |
|---|---|
requests |
HTTP client for SCIM 2.0 and Okta Management API |
json |
Parse SCIM user and group payloads |
os |
Read OKTA_DOMAIN, OKTA_API_TOKEN, SCIM_BASE_URL |
Installation
pip install requestsAuthentication
Okta Management API
import requests
import os
OKTA_DOMAIN = os.environ["OKTA_DOMAIN"] # e.g., "dev-12345.okta.com"
OKTA_TOKEN = os.environ["OKTA_API_TOKEN"]
headers = {
"Authorization": f"SSWS {OKTA_TOKEN}",
"Content-Type": "application/json",
"Accept": "application/json",
}SCIM 2.0 Endpoint (Bearer Token)
SCIM_URL = os.environ["SCIM_BASE_URL"] # e.g., "https://app.example.com/scim/v2"
scim_headers = {
"Authorization": f"Bearer {os.environ['SCIM_TOKEN']}",
"Content-Type": "application/scim+json",
}SCIM 2.0 Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /scim/v2/Users |
List users with filtering |
| GET | /scim/v2/Users/{id} |
Get a specific user |
| POST | /scim/v2/Users |
Create a new user |
| PUT | /scim/v2/Users/{id} |
Replace a user (full update) |
| PATCH | /scim/v2/Users/{id} |
Partial user update (activate/deactivate) |
| DELETE | /scim/v2/Users/{id} |
Delete a user |
| GET | /scim/v2/Groups |
List groups |
| GET | /scim/v2/Groups/{id} |
Get a specific group |
| POST | /scim/v2/Groups |
Create a group |
| PATCH | /scim/v2/Groups/{id} |
Update group membership |
| GET | /scim/v2/ServiceProviderConfig |
SCIM service capabilities |
| GET | /scim/v2/Schemas |
Supported SCIM schemas |
| GET | /scim/v2/ResourceTypes |
Available resource types |
Core Operations
List SCIM Users with Filtering
resp = requests.get(
f"{SCIM_URL}/Users",
headers=scim_headers,
params={
"filter": 'userName eq "alice@example.com"',
"startIndex": 1,
"count": 100,
},
timeout=30,
)
users = resp.json()
for user in users.get("Resources", []):
print(f"{user['userName']} — active: {user.get('active', True)}")Create a User
new_user = {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "bob@example.com",
"name": {"givenName": "Bob", "familyName": "Smith"},
"emails": [
{"value": "bob@example.com", "type": "work", "primary": True}
],
"active": True,
}
resp = requests.post(
f"{SCIM_URL}/Users",
headers=scim_headers,
json=new_user,
timeout=30,
)
created = resp.json()
user_id = created["id"]Deactivate a User (PATCH)
deactivate_payload = {
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{"op": "Replace", "path": "active", "value": False}
],
}
resp = requests.patch(
f"{SCIM_URL}/Users/{user_id}",
headers=scim_headers,
json=deactivate_payload,
timeout=30,
)Manage Group Membership
add_member = {
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "Add",
"path": "members",
"value": [{"value": user_id, "display": "bob@example.com"}],
}
],
}
resp = requests.patch(
f"{SCIM_URL}/Groups/{group_id}",
headers=scim_headers,
json=add_member,
timeout=30,
)Okta Management API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/apps |
List applications |
| GET | /api/v1/apps/{appId}/users |
List users assigned to an app |
| POST | /api/v1/apps/{appId}/users |
Assign user to app |
| GET | /api/v1/users |
List Okta users |
| POST | /api/v1/users/{userId}/lifecycle/deactivate |
Deactivate user |
List Okta Applications with SCIM Provisioning
resp = requests.get(
f"https://{OKTA_DOMAIN}/api/v1/apps",
headers=headers,
params={"filter": 'status eq "ACTIVE"', "limit": 50},
timeout=30,
)
for app in resp.json():
features = app.get("features", [])
if "PUSH_NEW_USERS" in features or "PUSH_PROFILE_UPDATES" in features:
print(f"SCIM-enabled: {app['label']} — features: {features}")Output Format
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 42,
"startIndex": 1,
"itemsPerPage": 100,
"Resources": [
{
"id": "2819c223-7f76-453a-919d-ab1234567890",
"userName": "alice@example.com",
"name": {"givenName": "Alice", "familyName": "Johnson"},
"active": true,
"emails": [{"value": "alice@example.com", "type": "work", "primary": true}]
}
]
}standards.md2.3 KB
SCIM Provisioning Standards Reference
Protocol Standards
RFC 7644 - SCIM Protocol
- Defines the RESTful API for managing identity resources
- Specifies HTTP methods, headers, and response formats
- Mandates JSON as the data interchange format
- Requires TLS for all communications
RFC 7643 - SCIM Core Schema
- Defines User, Group, and EnterpriseUser schemas
- Specifies attribute types: string, boolean, decimal, integer, dateTime, reference, complex, binary
- Defines mutability: readOnly, readWrite, immutable, writeOnly
- Specifies attribute uniqueness: none, server, global
RFC 7642 - SCIM Definitions, Overview, Concepts, and Requirements
- Provides context for the SCIM specification
- Defines terminology and use cases
- Outlines design requirements for cross-domain provisioning
Okta SCIM Requirements
Mandatory Endpoints
| Endpoint | Methods | Purpose |
|---|---|---|
| /Users | GET, POST | User listing and creation |
| /Users/{id} | GET, PUT, PATCH, DELETE | Individual user operations |
| /Groups | GET, POST | Group listing and creation |
| /Groups/{id} | GET, PATCH, DELETE | Individual group operations |
Required Filter Support
userName eq "value"- Exact match on userNameid eq "value"- Exact match on user IDdisplayName eq "value"- Exact match for groups
Pagination Requirements
- Support
startIndexandcountquery parameters - Return
totalResultsin ListResponse - Default
startIndexis 1 (1-based indexing) - Maximum
countshould be configurable
Compliance Standards
SOC 2 Type II
- Automated provisioning demonstrates access control effectiveness
- Deprovisioning within defined SLA shows timely access removal
- Audit logs of SCIM operations provide evidence for access reviews
ISO 27001 - A.9.2 User Access Management
- A.9.2.1: User registration and deregistration (automated via SCIM)
- A.9.2.2: User access provisioning (role-based assignment)
- A.9.2.5: Review of user access rights (SCIM audit logs)
- A.9.2.6: Removal of access rights (automated deprovisioning)
NIST SP 800-53 - AC (Access Control)
- AC-2: Account Management (automated lifecycle)
- AC-2(1): Automated System Account Management
- AC-2(4): Automated Audit Actions
- AC-6: Least Privilege (role-based provisioning)
workflows.md2.8 KB
SCIM Provisioning Workflows
User Provisioning Workflow
1. Admin assigns user to Okta application
│
2. Okta checks if user exists (GET /Users?filter=userName eq "user@domain.com")
│
├── User NOT found → Okta sends POST /Users with user attributes
│ │
│ └── SCIM server creates user → Returns 201 Created
│
└── User found → Okta sends PUT /Users/{id} to update attributes
│
└── SCIM server updates user → Returns 200 OKUser Deprovisioning Workflow
1. Admin unassigns user from Okta application (or user deactivated in Okta)
│
2. Okta sends PATCH /Users/{id}
Body: {"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations":[{"op":"replace","value":{"active":false}}]}
│
3. SCIM server deactivates user (sets active=false, revokes sessions)
│
4. Returns 200 OK with updated user objectGroup Push Workflow
1. Admin enables Group Push for Okta group
│
2. Okta sends POST /Groups with group name and initial members
│
3. When group membership changes in Okta:
│
├── Member added → PATCH /Groups/{id}
│ Op: add, path: members, value: [{value: userId}]
│
└── Member removed → PATCH /Groups/{id}
Op: remove, path: members[value eq "userId"]Profile Sync Workflow
1. User profile updated in Okta (e.g., department change)
│
2. Okta sends PUT /Users/{id} or PATCH /Users/{id}
Body includes updated attributes
│
3. SCIM server updates user attributes in local database
│
4. Returns 200 OK with full updated user representationError Recovery Workflow
1. SCIM operation fails (network timeout, server error)
│
2. Okta logs failed task in Provisioning > Tasks
│
3. Admin can retry individual failed tasks
│
4. For persistent failures:
├── Check SCIM server logs for error details
├── Verify network connectivity and TLS certificate
├── Validate bearer token has not expired
└── Review attribute mapping for data format issuesImplementation Testing Workflow
1. Deploy SCIM server to staging environment
│
2. Configure Okta SCIM integration with staging URL
│
3. Run Okta SCIM validator test suite
│
4. Test manual operations:
├── Assign test user → verify account created
├── Update user profile → verify attributes synced
├── Unassign user → verify account deactivated
└── Push group → verify group and members created
│
5. Review provisioning logs in Okta Admin Console
│
6. Promote to production with production SCIM URLScripts 2
agent.py9.0 KB
#!/usr/bin/env python3
"""Okta SCIM provisioning audit agent.
Audits Okta SCIM provisioning configuration by querying the Okta API
for provisioned applications, user assignments, group memberships, and
deprovisioning status. Identifies orphaned accounts, mismatched
assignments, and provisioning failures.
"""
import argparse
import json
import os
import sys
from datetime import datetime, timezone
try:
import requests
except ImportError:
print("[!] 'requests' required: pip install requests", file=sys.stderr)
sys.exit(1)
def get_okta_config():
"""Return Okta org URL and API token."""
org_url = os.environ.get("OKTA_ORG_URL", "").rstrip("/")
api_token = os.environ.get("OKTA_API_TOKEN", "")
if not org_url or not api_token:
print("[!] Set OKTA_ORG_URL and OKTA_API_TOKEN env vars", file=sys.stderr)
sys.exit(1)
return org_url, api_token
def okta_api(org_url, token, endpoint, params=None):
"""Make authenticated Okta API call with pagination."""
url = f"{org_url}/api/v1{endpoint}"
headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
all_results = []
while url:
resp = requests.get(url, headers=headers, params=params, timeout=30)
resp.raise_for_status()
all_results.extend(resp.json())
links = resp.links
url = links.get("next", {}).get("url")
params = None # Pagination URL includes params
return all_results
def list_provisioning_apps(org_url, token):
"""List applications with SCIM provisioning enabled."""
print("[*] Fetching provisioning-enabled applications...")
apps = okta_api(org_url, token, "/apps", params={"limit": 200})
scim_apps = []
for app in apps:
features = app.get("features", [])
if any(f in features for f in [
"PUSH_NEW_USERS", "PUSH_USER_DEACTIVATION",
"IMPORT_NEW_USERS", "PUSH_PROFILE_UPDATES"
]):
scim_apps.append({
"id": app.get("id"),
"name": app.get("name", ""),
"label": app.get("label", ""),
"status": app.get("status", ""),
"features": features,
"sign_on_mode": app.get("signOnMode", ""),
"created": app.get("created", ""),
})
print(f"[+] Found {len(scim_apps)} SCIM-enabled apps")
return scim_apps
def audit_app_assignments(org_url, token, app_id, app_label):
"""Audit user assignments for a provisioning app."""
findings = []
print(f"[*] Auditing assignments for: {app_label}")
users = okta_api(org_url, token, f"/apps/{app_id}/users", params={"limit": 200})
status_counts = {}
for user in users:
status = user.get("status", "unknown")
status_counts[status] = status_counts.get(status, 0) + 1
scope = user.get("scope", "")
sync_state = user.get("syncState", "")
if status == "PROVISIONED" and sync_state == "ERROR":
findings.append({
"app": app_label,
"user": user.get("credentials", {}).get("userName", "unknown"),
"check": "Provisioning sync error",
"severity": "HIGH",
"detail": f"User sync state: ERROR (status: {status})",
})
if status == "DEPROVISIONED":
findings.append({
"app": app_label,
"user": user.get("credentials", {}).get("userName", "unknown"),
"check": "Deprovisioned user still assigned",
"severity": "MEDIUM",
"detail": "User is deprovisioned but assignment exists",
})
findings.append({
"app": app_label,
"check": "Assignment summary",
"severity": "INFO",
"detail": f"Total: {len(users)}, Status: {json.dumps(status_counts)}",
})
return findings, users
def audit_group_assignments(org_url, token, app_id, app_label):
"""Audit group-based provisioning assignments."""
findings = []
groups = okta_api(org_url, token, f"/apps/{app_id}/groups", params={"limit": 200})
if not groups:
findings.append({
"app": app_label,
"check": "Group assignments",
"severity": "MEDIUM",
"detail": "No group assignments found (user-level only)",
})
else:
for group in groups:
group_id = group.get("id", "")
priority = group.get("priority", 0)
findings.append({
"app": app_label,
"check": f"Group assignment: {group_id}",
"severity": "INFO",
"detail": f"Priority: {priority}",
})
return findings
def check_deprovisioning(org_url, token):
"""Check for deactivated Okta users that still have active app assignments."""
findings = []
print("[*] Checking for orphaned provisioning assignments...")
deactivated = okta_api(org_url, token, "/users",
params={"filter": 'status eq "DEPROVISIONED"', "limit": 200})
for user in deactivated[:50]: # Check first 50
user_id = user.get("id")
login = user.get("profile", {}).get("login", "unknown")
try:
apps = okta_api(org_url, token, f"/users/{user_id}/appLinks")
if apps:
findings.append({
"check": "Orphaned app assignment",
"user": login,
"severity": "HIGH",
"detail": f"Deactivated user has {len(apps)} active app link(s)",
"apps": [a.get("appName", "") for a in apps[:5]],
})
except requests.RequestException:
pass
if not findings:
findings.append({
"check": "Deprovisioning audit",
"severity": "INFO",
"detail": f"No orphaned assignments found ({len(deactivated)} deactivated users checked)",
})
return findings
def format_summary(scim_apps, all_findings):
"""Print audit summary."""
print(f"\n{'='*60}")
print(f" Okta SCIM Provisioning Audit Report")
print(f"{'='*60}")
print(f" SCIM Apps : {len(scim_apps)}")
print(f" Findings : {len(all_findings)}")
severity_counts = {}
for f in all_findings:
sev = f.get("severity", "INFO")
severity_counts[sev] = severity_counts.get(sev, 0) + 1
print(f"\n By Severity:")
for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]:
count = severity_counts.get(sev, 0)
if count:
print(f" {sev:10s}: {count}")
if scim_apps:
print(f"\n Provisioning-Enabled Apps:")
for app in scim_apps:
print(f" {app['label']:30s} | {app['status']:10s} | "
f"Features: {', '.join(app['features'][:3])}")
issues = [f for f in all_findings if f["severity"] in ("CRITICAL", "HIGH")]
if issues:
print(f"\n Issues Requiring Attention:")
for f in issues[:15]:
print(f" [{f['severity']:8s}] {f['check']}: {f.get('detail', '')[:50]}")
return severity_counts
def main():
parser = argparse.ArgumentParser(description="Okta SCIM provisioning audit agent")
parser.add_argument("--org-url", help="Okta org URL (or OKTA_ORG_URL env)")
parser.add_argument("--token", help="API token (or OKTA_API_TOKEN env)")
parser.add_argument("--app-id", help="Audit a specific app ID")
parser.add_argument("--skip-deprovisioning", action="store_true")
parser.add_argument("--output", "-o", help="Output JSON report")
parser.add_argument("--verbose", "-v", action="store_true")
args = parser.parse_args()
if args.org_url:
os.environ["OKTA_ORG_URL"] = args.org_url
if args.token:
os.environ["OKTA_API_TOKEN"] = args.token
org_url, token = get_okta_config()
all_findings = []
scim_apps = list_provisioning_apps(org_url, token)
for app in scim_apps:
if args.app_id and app["id"] != args.app_id:
continue
findings, _ = audit_app_assignments(org_url, token, app["id"], app["label"])
all_findings.extend(findings)
group_findings = audit_group_assignments(org_url, token, app["id"], app["label"])
all_findings.extend(group_findings)
if not args.skip_deprovisioning:
all_findings.extend(check_deprovisioning(org_url, token))
severity_counts = format_summary(scim_apps, all_findings)
report = {
"timestamp": datetime.now(timezone.utc).isoformat(),
"tool": "Okta SCIM Audit",
"scim_apps": scim_apps,
"findings": all_findings,
"severity_counts": severity_counts,
"risk_level": (
"CRITICAL" if severity_counts.get("CRITICAL", 0) > 0
else "HIGH" if severity_counts.get("HIGH", 0) > 0
else "MEDIUM" if severity_counts.get("MEDIUM", 0) > 0
else "LOW"
),
}
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
print(f"\n[+] Report saved to {args.output}")
elif args.verbose:
print(json.dumps(report, indent=2))
if __name__ == "__main__":
main()
process.py15.3 KB
#!/usr/bin/env python3
"""
SCIM 2.0 Provisioning Server for Okta Integration
A production-ready SCIM 2.0 server implementation that handles user and group
lifecycle management from Okta. Supports user CRUD, group push, filtering,
pagination, and PATCH operations per RFC 7644.
Requirements:
pip install flask sqlalchemy
"""
import uuid
import re
from datetime import datetime, timezone
from functools import wraps
from flask import Flask, request, jsonify, g
from sqlalchemy import create_engine, Column, String, Boolean, DateTime, Table, ForeignKey
from sqlalchemy.orm import declarative_base, sessionmaker, relationship
app = Flask(__name__)
DATABASE_URL = "sqlite:///scim_users.db"
SCIM_BEARER_TOKEN = "replace-with-secure-token"
SCIM_BASE_URL = "https://your-app.example.com/scim/v2"
engine = create_engine(DATABASE_URL)
SessionLocal = sessionmaker(bind=engine)
Base = declarative_base()
# Association table for user-group membership
user_group = Table(
"user_group", Base.metadata,
Column("user_id", String, ForeignKey("users.id"), primary_key=True),
Column("group_id", String, ForeignKey("groups.id"), primary_key=True),
)
class User(Base):
__tablename__ = "users"
id = Column(String, primary_key=True, default=lambda: str(uuid.uuid4()))
userName = Column(String, unique=True, nullable=False)
givenName = Column(String, default="")
familyName = Column(String, default="")
email = Column(String, default="")
displayName = Column(String, default="")
active = Column(Boolean, default=True)
department = Column(String, default="")
title = Column(String, default="")
created = Column(DateTime, default=lambda: datetime.now(timezone.utc))
lastModified = Column(DateTime, default=lambda: datetime.now(timezone.utc),
onupdate=lambda: datetime.now(timezone.utc))
groups = relationship("Group", secondary=user_group, back_populates="members")
def to_scim(self):
return {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
"id": self.id,
"userName": self.userName,
"name": {
"givenName": self.givenName or "",
"familyName": self.familyName or "",
"formatted": f"{self.givenName or ''} {self.familyName or ''}".strip()
},
"displayName": self.displayName or f"{self.givenName or ''} {self.familyName or ''}".strip(),
"emails": [{"value": self.email, "type": "work", "primary": True}] if self.email else [],
"active": self.active,
"title": self.title or "",
"groups": [{"value": g.id, "display": g.displayName} for g in self.groups],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"department": self.department or ""
},
"meta": {
"resourceType": "User",
"created": self.created.isoformat() + "Z" if self.created else "",
"lastModified": self.lastModified.isoformat() + "Z" if self.lastModified else "",
"location": f"{SCIM_BASE_URL}/Users/{self.id}"
}
}
class Group(Base):
__tablename__ = "groups"
id = Column(String, primary_key=True, default=lambda: str(uuid.uuid4()))
displayName = Column(String, unique=True, nullable=False)
created = Column(DateTime, default=lambda: datetime.now(timezone.utc))
lastModified = Column(DateTime, default=lambda: datetime.now(timezone.utc),
onupdate=lambda: datetime.now(timezone.utc))
members = relationship("User", secondary=user_group, back_populates="groups")
def to_scim(self):
return {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
"id": self.id,
"displayName": self.displayName,
"members": [{"value": m.id, "display": m.displayName or m.userName} for m in self.members],
"meta": {
"resourceType": "Group",
"created": self.created.isoformat() + "Z" if self.created else "",
"lastModified": self.lastModified.isoformat() + "Z" if self.lastModified else "",
"location": f"{SCIM_BASE_URL}/Groups/{self.id}"
}
}
Base.metadata.create_all(engine)
def get_db():
if "db" not in g:
g.db = SessionLocal()
return g.db
@app.teardown_appcontext
def close_db(exception):
db = g.pop("db", None)
if db is not None:
db.close()
def scim_error(detail, status, scim_type=None):
body = {
"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
"detail": detail,
"status": str(status)
}
if scim_type:
body["scimType"] = scim_type
return jsonify(body), status
def require_auth(f):
@wraps(f)
def wrapper(*args, **kwargs):
auth = request.headers.get("Authorization", "")
if not auth.startswith("Bearer ") or auth[7:] != SCIM_BEARER_TOKEN:
return scim_error("Authentication required", 401)
return f(*args, **kwargs)
return wrapper
def parse_scim_filter(filter_str):
"""Parse simple SCIM filter expressions like: userName eq 'value'"""
match = re.match(r'(\w+)\s+eq\s+"([^"]*)"', filter_str)
if not match:
match = re.match(r"(\w+)\s+eq\s+'([^']*)'", filter_str)
if match:
return match.group(1), match.group(2)
return None, None
def list_response(resources, total, start_index, count):
return jsonify({
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": total,
"startIndex": start_index,
"itemsPerPage": count,
"Resources": resources
})
# ---- User Endpoints ----
@app.route("/scim/v2/Users", methods=["POST"])
@require_auth
def create_user():
data = request.json
db = get_db()
username = data.get("userName")
if not username:
return scim_error("userName is required", 400)
existing = db.query(User).filter(User.userName == username).first()
if existing:
return scim_error(f"User with userName '{username}' already exists", 409, "uniqueness")
name = data.get("name", {})
emails = data.get("emails", [])
enterprise = data.get("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", {})
user = User(
userName=username,
givenName=name.get("givenName", ""),
familyName=name.get("familyName", ""),
displayName=data.get("displayName", ""),
email=emails[0].get("value", "") if emails else "",
active=data.get("active", True),
department=enterprise.get("department", ""),
title=data.get("title", ""),
)
db.add(user)
db.commit()
db.refresh(user)
return jsonify(user.to_scim()), 201
@app.route("/scim/v2/Users", methods=["GET"])
@require_auth
def list_users():
db = get_db()
start_index = int(request.args.get("startIndex", 1))
count = int(request.args.get("count", 100))
filter_str = request.args.get("filter", "")
query = db.query(User)
if filter_str:
attr, value = parse_scim_filter(filter_str)
if attr == "userName":
query = query.filter(User.userName == value)
elif attr == "id":
query = query.filter(User.id == value)
total = query.count()
users = query.offset(start_index - 1).limit(count).all()
return list_response([u.to_scim() for u in users], total, start_index, count)
@app.route("/scim/v2/Users/<user_id>", methods=["GET"])
@require_auth
def get_user(user_id):
db = get_db()
user = db.query(User).filter(User.id == user_id).first()
if not user:
return scim_error("User not found", 404)
return jsonify(user.to_scim())
@app.route("/scim/v2/Users/<user_id>", methods=["PUT"])
@require_auth
def replace_user(user_id):
db = get_db()
user = db.query(User).filter(User.id == user_id).first()
if not user:
return scim_error("User not found", 404)
data = request.json
name = data.get("name", {})
emails = data.get("emails", [])
enterprise = data.get("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", {})
user.userName = data.get("userName", user.userName)
user.givenName = name.get("givenName", user.givenName)
user.familyName = name.get("familyName", user.familyName)
user.displayName = data.get("displayName", user.displayName)
user.email = emails[0].get("value", user.email) if emails else user.email
user.active = data.get("active", user.active)
user.department = enterprise.get("department", user.department)
user.title = data.get("title", user.title)
user.lastModified = datetime.now(timezone.utc)
db.commit()
db.refresh(user)
return jsonify(user.to_scim())
@app.route("/scim/v2/Users/<user_id>", methods=["PATCH"])
@require_auth
def patch_user(user_id):
db = get_db()
user = db.query(User).filter(User.id == user_id).first()
if not user:
return scim_error("User not found", 404)
data = request.json
operations = data.get("Operations", [])
for op in operations:
operation = op.get("op", "").lower()
path = op.get("path", "")
value = op.get("value", {})
if operation == "replace":
if isinstance(value, dict):
if "active" in value:
user.active = value["active"]
if "userName" in value:
user.userName = value["userName"]
if "name" in value:
user.givenName = value["name"].get("givenName", user.givenName)
user.familyName = value["name"].get("familyName", user.familyName)
elif path == "active":
user.active = value
elif path == "userName":
user.userName = value
user.lastModified = datetime.now(timezone.utc)
db.commit()
db.refresh(user)
return jsonify(user.to_scim())
@app.route("/scim/v2/Users/<user_id>", methods=["DELETE"])
@require_auth
def delete_user(user_id):
db = get_db()
user = db.query(User).filter(User.id == user_id).first()
if not user:
return scim_error("User not found", 404)
db.delete(user)
db.commit()
return "", 204
# ---- Group Endpoints ----
@app.route("/scim/v2/Groups", methods=["POST"])
@require_auth
def create_group():
data = request.json
db = get_db()
display_name = data.get("displayName")
if not display_name:
return scim_error("displayName is required", 400)
existing = db.query(Group).filter(Group.displayName == display_name).first()
if existing:
return scim_error(f"Group '{display_name}' already exists", 409, "uniqueness")
group = Group(displayName=display_name)
for member_data in data.get("members", []):
user = db.query(User).filter(User.id == member_data.get("value")).first()
if user:
group.members.append(user)
db.add(group)
db.commit()
db.refresh(group)
return jsonify(group.to_scim()), 201
@app.route("/scim/v2/Groups", methods=["GET"])
@require_auth
def list_groups():
db = get_db()
start_index = int(request.args.get("startIndex", 1))
count = int(request.args.get("count", 100))
filter_str = request.args.get("filter", "")
query = db.query(Group)
if filter_str:
attr, value = parse_scim_filter(filter_str)
if attr == "displayName":
query = query.filter(Group.displayName == value)
total = query.count()
groups = query.offset(start_index - 1).limit(count).all()
return list_response([g.to_scim() for g in groups], total, start_index, count)
@app.route("/scim/v2/Groups/<group_id>", methods=["GET"])
@require_auth
def get_group(group_id):
db = get_db()
group = db.query(Group).filter(Group.id == group_id).first()
if not group:
return scim_error("Group not found", 404)
return jsonify(group.to_scim())
@app.route("/scim/v2/Groups/<group_id>", methods=["PATCH"])
@require_auth
def patch_group(group_id):
db = get_db()
group = db.query(Group).filter(Group.id == group_id).first()
if not group:
return scim_error("Group not found", 404)
data = request.json
for op in data.get("Operations", []):
operation = op.get("op", "").lower()
path = op.get("path", "")
value = op.get("value", [])
if operation == "add" and "members" in path:
members_to_add = value if isinstance(value, list) else [value]
for member_data in members_to_add:
user = db.query(User).filter(User.id == member_data.get("value")).first()
if user and user not in group.members:
group.members.append(user)
elif operation == "remove" and "members" in path:
member_filter = re.search(r'members\[value eq "([^"]+)"\]', path)
if member_filter:
uid = member_filter.group(1)
user = db.query(User).filter(User.id == uid).first()
if user and user in group.members:
group.members.remove(user)
elif operation == "replace" and path == "displayName":
group.displayName = value
group.lastModified = datetime.now(timezone.utc)
db.commit()
db.refresh(group)
return jsonify(group.to_scim())
@app.route("/scim/v2/Groups/<group_id>", methods=["DELETE"])
@require_auth
def delete_group(group_id):
db = get_db()
group = db.query(Group).filter(Group.id == group_id).first()
if not group:
return scim_error("Group not found", 404)
db.delete(group)
db.commit()
return "", 204
# ---- Service Provider Config ----
@app.route("/scim/v2/ServiceProviderConfig", methods=["GET"])
def service_provider_config():
return jsonify({
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
"documentationUri": "https://developer.okta.com/docs/concepts/scim/",
"patch": {"supported": True},
"bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0},
"filter": {"supported": True, "maxResults": 200},
"changePassword": {"supported": False},
"sort": {"supported": False},
"etag": {"supported": False},
"authenticationSchemes": [{
"type": "oauthbearertoken",
"name": "OAuth Bearer Token",
"description": "Authentication scheme using the OAuth Bearer Token Standard",
"specUri": "https://www.rfc-editor.org/info/rfc6750"
}]
})
@app.route("/scim/v2/ResourceTypes", methods=["GET"])
def resource_types():
return jsonify({
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 2,
"Resources": [
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
"id": "User",
"name": "User",
"endpoint": "/Users",
"schema": "urn:ietf:params:scim:schemas:core:2.0:User"
},
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
"id": "Group",
"name": "Group",
"endpoint": "/Groups",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Group"
}
]
})
if __name__ == "__main__":
app.run(host="0.0.0.0", port=8080, debug=True)