Rollout Approved · 106 Tests Passing

Enterprise Identity
Provisioning at Scale

A production-ready SCIM 2.0 server built for multi-tenant identity synchronization — with full RFC 7643/7644 compliance, worker automation, and deep observability.

SCIM 2.0 · RFC 7643 / 7644
106 · Tests Passing
Multi-tenant · Full Isolation
0 · Test Failures

Everything you need for enterprise provisioning

Built on the SCIM 2.0 standard with production-grade reliability, security, and operational tooling.


SCIM 2.0 Compliant

Full RFC 7643/7644 implementation. Users, Groups, filtering, pagination, sorting, ServiceProviderConfig, Schemas, and ResourceTypes endpoints.


Multi-Tenant Architecture

Complete tenant isolation with per-tenant SCIM clients, credentials, and data segregation. Manage hundreds of tenants from a single control plane.


Hardened Authentication

Bearer token auth per tenant, admin session management with lease heartbeats, credential rotation, and per-client access controls.

Automated Worker Fleet

Background workers for consistency checks and reconciliation previews. Distributed lease management prevents duplicate execution across worker instances.


Deep Observability

Prometheus metrics, structured audit logs, pre-built Alertmanager rules for lease loss, stale leases, and timeout recovery events.


Audit Trail

Immutable audit log for every admin and SCIM operation. Filter by tenant, operation type, actor, and timestamp range via the control plane API.

Runtime Configuration

Adjust rate limits, worker polling intervals, session TTLs, and feature flags at runtime without service restarts.


Admin Control Plane

Full REST API for tenant provisioning, credential lifecycle, job management, and configuration — plus a built-in admin dashboard UI.


Rollout-Ready

Ships with ROLLOUT_CHECKLIST.md, OPERATOR_RUNBOOKS.md, smoke tests, and early-life monitoring guidance for safe production deployments.

Full RFC 7643 / 7644 support

Every standard SCIM operation for Users and Groups, plus discovery endpoints for schema-driven integrations.

User Operations

GET     /scim/v2/Users         List & filter
POST    /scim/v2/Users         Create user
GET     /scim/v2/Users/{id}    Get by ID
PUT     /scim/v2/Users/{id}    Full replace
PATCH   /scim/v2/Users/{id}    Partial update
DELETE  /scim/v2/Users/{id}    Deprovision

Group Operations

GET     /scim/v2/Groups        List & filter
POST    /scim/v2/Groups        Create group
GET     /scim/v2/Groups/{id}   Get by ID
PUT     /scim/v2/Groups/{id}   Full replace
PATCH   /scim/v2/Groups/{id}   Partial update
DELETE  /scim/v2/Groups/{id}   Remove group

Discovery & Metadata

GET     /scim/v2/ServiceProviderConfig   SP config
GET     /scim/v2/Schemas                 All schemas
GET     /scim/v2/Schemas/{id}            Schema by ID
GET     /scim/v2/ResourceTypes           Resource types

Query Capabilities

GET  ?filter=               SCIM filter
GET  ?startIndex=           Pagination
GET  ?count=                Page size
GET  ?sortBy=               Sorting
GET  ?attributes=           Attribute select
GET  ?excludedAttributes=   Attribute exclude

PATCH Operations

add       PatchOp: add       Add values
replace   PatchOp: replace   Replace values
remove    PatchOp: remove    Remove values
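The three PatchOp operations above are the part of RFC 7644 that integrators get wrong most often (add appends to a multi-valued attribute instead of overwriting it, remove may carry a filter, and the whole request must be atomic). The following is an added worked example, not code from this product: a minimal PatchOp applier for a User resource. The sample user and PATCH body are constructed for the example; only the simplest filter form (`attr[sub eq "value"]`) is handled, and the error strings carry the scimType a server would return with HTTP 400.

```python
import re
from copy import deepcopy

# Simplest multi-valued filter path, e.g. emails[type eq "work"]; the full SCIM
# filter grammar (and/or/co/sw, nested paths) is out of scope for this example.
_FILTER_RE = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')


def _container(resource, path, create):
    """Walk a dotted path like name.givenName and return (parent, attr)."""
    parts = path.split(".")
    node = resource
    for part in parts[:-1]:
        if part not in node:
            if not create:
                raise ValueError("noTarget: " + path)
            node[part] = {}  # complex attribute created on add/replace only
        node = node[part]
        if not isinstance(node, dict):
            raise ValueError("invalidPath: " + path)
    return node, parts[-1]

def _add(resource, path, value):
    if path is None:  # value is an object; each member is added in turn
        if not isinstance(value, dict):
            raise ValueError("invalidValue: add without path needs an object")
        for attr, val in value.items():
            _add(resource, attr, val)
        return
    node, attr = _container(resource, path, create=True)
    if isinstance(node.get(attr), list):  # multi-valued: append, don't replace
        node[attr].extend(value if isinstance(value, list) else [value])
    else:
        node[attr] = value

def _replace(resource, path, value):
    if path is None:
        if not isinstance(value, dict):
            raise ValueError("invalidValue: replace without path needs an object")
        resource.update(value)
        return
    node, attr = _container(resource, path, create=True)
    node[attr] = value

def _remove(resource, path):
    if path is None:
        raise ValueError("noTarget: remove requires a path")
    m = _FILTER_RE.match(path)
    if m:  # drop only the members that match the filter
        attr, sub, wanted = m.groups()
        members = resource.get(attr, [])
        keep = [x for x in members if x.get(sub) != wanted]
        if len(keep) == len(members):
            raise ValueError("noTarget: " + path)
        resource[attr] = keep
        return
    node, attr = _container(resource, path, create=False)
    if attr not in node:
        raise ValueError("noTarget: " + path)
    del node[attr]

def apply_patch(resource, patch):
    """Apply a PatchOp body (RFC 7644 section 3.5.2) and return a new resource.

    The input is deep-copied first, so a failing operation leaves nothing
    half-applied (the RFC requires the PATCH to be atomic). The ValueError text
    starts with the scimType a server would return in its 400 response.
    """
    if "urn:ietf:params:scim:api:messages:2.0:PatchOp" not in patch.get("schemas", []):
        raise ValueError("invalidSyntax: missing PatchOp schema")
    result = deepcopy(resource)
    for op in patch.get("Operations", []):
        kind = str(op.get("op", "")).lower()
        if kind == "add":
            _add(result, op.get("path"), op.get("value"))
        elif kind == "replace":
            _replace(result, op.get("path"), op.get("value"))
        elif kind == "remove":
            _remove(result, op.get("path"))
        else:
            raise ValueError("invalidValue: unknown op " + repr(op.get("op")))
    return result

# Constructed sample data (not from the page): a user and a deprovisioning PATCH.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "user-0001",
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jdoe@example.com", "type": "work", "primary": True}],
    "active": True,
}
SAMPLE_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "replace", "path": "active", "value": False},
        {"op": "add", "path": "emails", "value": {"value": "jane@home.example", "type": "home"}},
        {"op": "remove", "path": 'emails[type eq "work"]'},
        {"op": "replace", "path": "name.givenName", "value": "J."},
    ],
}
```

Call `apply_patch(SAMPLE_USER, SAMPLE_PATCH)` to see the four operations applied in order: `active` flips to false, the home address is appended to `emails`, the work address is removed by filter, and the nested `name.givenName` is replaced. Working on a copy is what makes the "reject before any write" behaviour described later on this page cheap to get right: validate and apply in memory, persist only if every operation succeeded.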

Control Plane & Admin API

Full REST control plane for managing tenants, credentials, jobs, audit logs, and runtime configuration.

Method  Path                            Description                               Auth
GET     /admin/v1/tenants               List all tenants                          session
POST    /admin/v1/tenants               Create tenant                             session
GET     /admin/v1/tenants/{id}          Get tenant details                        session
PUT     /admin/v1/tenants/{id}          Update tenant                             session
DELETE  /admin/v1/tenants/{id}          Remove tenant                             session
GET     /admin/v1/scim_clients          List SCIM clients                         session
POST    /admin/v1/scim_clients          Create client credential                  session
GET     /admin/v1/scim_clients/{id}     Get client details                        session
PUT     /admin/v1/scim_clients/{id}     Rotate / update credential                session
DELETE  /admin/v1/scim_clients/{id}     Revoke credential                         session
GET     /admin/v1/jobs                  List worker jobs                          session
POST    /admin/v1/jobs                  Create job                                session
GET     /admin/v1/jobs/{id}             Get job status & result                   session
GET     /admin/v1/audit                 Query audit events (filterable)           session
GET     /admin/v1/audit/{id}            Get specific audit event                  session
GET     /admin/v1/config                Get runtime configuration                 session
PUT     /admin/v1/config                Update runtime configuration              session
POST    /admin/v1/login                 Admin login — returns session token       public
POST    /admin/v1/logout                Invalidate session                        session
POST    /admin/v1/session/heartbeat     Refresh session lease                     session
GET     /metrics                        Prometheus metrics endpoint               internal
GET     /health                         Health check                              public

# Example: Create a user via SCIM

curl -X POST https://your-scim-host/scim/v2/Users \
  -H "Authorization: Bearer <tenant-token>" \
  -H "Content-Type: application/scim+json" \
  -d '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"jdoe@example.com","name":{"givenName":"Jane","familyName":"Doe"},"active":true}'

Background job processing

Distributed worker fleet with lease management ensuring exactly-once execution across all worker instances.

tenant.reconcile.preview

Reconciliation Preview

Dry-run reconciliation for a specific tenant. Shows exactly what changes would be applied without persisting anything. Requires tenantId at creation time — rejected with 422 if missing.

Dry-run only · No mutations
Lease Management
Distributed leases prevent duplicate job execution across worker replicas
Stale Detection
Automatic detection of stale leases from crashed workers; recovery is logged and alerted
Timeout Recovery
Jobs that exceed timeout thresholds are recovered gracefully with full audit trail
Horizontal Scale
Run multiple worker replicas — lease contention is handled automatically
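The four properties above (one holder per job, stale detection, timeout recovery, safe contention between replicas) all come from the same lease protocol. The following is an added illustration, not the product's own worker code: an in-memory lease table whose methods stand in for single atomic compare-and-set statements against a database, plus a scripted run in which two replicas contend for a job, the winner crashes, and the survivor recovers it. The `epoch` fencing token is an assumption of this example; it is what stops a worker that was declared dead from resuming work on a job someone else now holds.

```python
from dataclasses import dataclass


@dataclass
class Lease:
    job_id: str
    holder: str
    epoch: int         # fencing token: incremented on every (re)acquire
    expires_at: float  # seconds; the holder must heartbeat before this


class LeaseTable:
    """In-memory stand-in for a leases table.

    Each method plays the role of one atomic compare-and-set statement
    (UPDATE ... WHERE holder/epoch match), which is what stops two replicas
    from both winning the same job. Timestamps are passed in explicitly so the
    behaviour is deterministic and testable.
    """

    def __init__(self, ttl):
        self.ttl = ttl
        self._leases = {}   # job_id -> Lease
        self._epochs = {}   # job_id -> last epoch handed out
        self.events = []    # (event, job_id, worker): what an audit log would record

    def acquire(self, job_id, worker, now):
        """Take the lease if it is free or stale; return None if a live worker holds it."""
        current = self._leases.get(job_id)
        if current is not None and current.expires_at > now:
            return None
        if current is not None:  # expired: the previous holder stopped heartbeating
            self.events.append(("stale_lease_recovered", job_id, current.holder))
        epoch = self._epochs.get(job_id, 0) + 1
        self._epochs[job_id] = epoch
        lease = Lease(job_id, worker, epoch, now + self.ttl)
        self._leases[job_id] = lease
        self.events.append(("lease_acquired", job_id, worker))
        return lease

    def heartbeat(self, lease, now):
        """Extend the lease. Fails if it expired or was re-acquired by another worker."""
        current = self._leases.get(lease.job_id)
        if current is None or current.epoch != lease.epoch or current.expires_at <= now:
            self.events.append(("lease_lost", lease.job_id, lease.holder))
            return False
        current.expires_at = now + self.ttl
        return True

    def release(self, lease):
        """Release only if this lease is still the current one (epoch check)."""
        current = self._leases.get(lease.job_id)
        if current is None or current.epoch != lease.epoch:
            return False
        del self._leases[lease.job_id]
        self.events.append(("lease_released", lease.job_id, lease.holder))
        return True

    def stale(self, now):
        """Job ids whose lease expired without release: what a stale-lease alert counts."""
        return [l.job_id for l in self._leases.values() if l.expires_at <= now]


def simulate_crash_and_recovery(ttl=30.0):
    """Two replicas contend for one job; the winner crashes; the loser recovers it."""
    table = LeaseTable(ttl)
    first = table.acquire("job-1", "worker-a", now=0.0)
    contended = table.acquire("job-1", "worker-b", now=1.0)   # None: lease is live
    table.heartbeat(first, now=10.0)                           # worker-a still healthy
    # worker-a crashes after t=10 and never heartbeats again; lease expires at t=40.
    stale_at_50 = table.stale(now=50.0)
    recovered = table.acquire("job-1", "worker-b", now=50.0)   # takes over, epoch 2
    zombie_ok = table.heartbeat(first, now=55.0)               # fenced out: epoch 1 != 2
    released = table.release(recovered)
    return {
        "contended": contended,
        "first_epoch": first.epoch,
        "stale_at_50": stale_at_50,
        "recovered_epoch": recovered.epoch,
        "zombie_heartbeat_accepted": zombie_ok,
        "released": released,
        "events": table.events,
    }
```

The `events` list produced by `simulate_crash_and_recovery()` is the sequence a stale-lease counter and a lease-lost alert would be fed from: one `stale_lease_recovered` when the survivor takes over, and one `lease_lost` when the crashed worker's heartbeat is refused. A worker that gets `False` from `heartbeat` must stop touching the job immediately; that refusal, not the expiry itself, is what makes recovery safe.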

Production-grade monitoring

Prometheus metrics, structured audit logs, and pre-built alert rules for the most operationally critical events.

scim_admin_failure_total
Counter of admin API operation failures by endpoint and error type
scim_auth_failure_total
SCIM authentication failures — track failed bearer token validations per tenant
scim_job_stale_lease_total
Stale lease detections — spikes indicate crashed workers or networking issues
scim_request_duration_seconds
Histogram of SCIM API request latencies by method and resource type

Pre-built Alertmanager Rules

CRITICAL

SCIMWorkerLeaseLost

Fires when a worker loses its lease unexpectedly. Indicates a crashed worker or network partition. Check worker pod health and database connectivity immediately.

WARNING

SCIMStaleLeaseDetected

A stale lease was detected and recovered. Occasional occurrences are normal. Sustained spikes suggest worker instability or high load.

INFO

SCIMTimeoutRecoveryActivity

Elevated timeout-recovery events. Monitor alongside job latency metrics. May indicate database or downstream slowness affecting job completion times.

Built with security first

Authentication hardening, credential lifecycle management, and audit-everything approach.


Bearer Token Auth

Per-tenant SCIM client credentials. Tokens are hashed at rest. Full lifecycle: create, rotate, revoke.
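"Hashed at rest" with a create/rotate/revoke lifecycle is easy to state and easy to get subtly wrong (storing the raw token, comparing with `==`, or rotating with no overlap so provisioning breaks mid-swap). The following is an added example, not this product's implementation: a credential store that keeps only a SHA-256 digest of each bearer token, compares in constant time, honours a rotation grace window, and maps a valid token back to its tenant. The `<client_id>.<secret>` token layout, the `GRACE_SECONDS` value and the sample tenant and client names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

GRACE_SECONDS = 600.0  # assumed: how long the previous token stays valid after rotation


def _digest(secret):
    """SHA-256 of the secret half of a token. A slow password hash is not needed:
    the secret carries 256 bits of entropy, so it cannot be brute-forced offline."""
    return hashlib.sha256(secret.encode()).hexdigest()


class ClientCredentialStore:
    """Per-tenant SCIM client credentials with only token digests kept at rest.

    Token layout (an assumption for this example): "<client_id>.<secret>". The
    client_id part locates the record; the secret part is never stored, only its
    digest, so a leaked database or backup does not yield usable bearer tokens.
    """

    def __init__(self):
        self._clients = {}  # client_id -> record

    def create(self, tenant_id, client_id):
        secret = secrets.token_urlsafe(32)
        self._clients[client_id] = {
            "tenant_id": tenant_id, "hash": _digest(secret),
            "previous_hash": None, "previous_valid_until": 0.0, "revoked": False,
        }
        return client_id + "." + secret  # shown once; not recoverable later

    def rotate(self, client_id, now):
        """Issue a new secret; the old one keeps working for GRACE_SECONDS so the
        identity provider can swap tokens without a provisioning outage."""
        rec = self._clients[client_id]
        secret = secrets.token_urlsafe(32)
        rec["previous_hash"], rec["previous_valid_until"] = rec["hash"], now + GRACE_SECONDS
        rec["hash"] = _digest(secret)
        return client_id + "." + secret

    def revoke(self, client_id):
        self._clients[client_id]["revoked"] = True  # current and previous both stop working

    def authenticate(self, bearer, now):
        """Return the tenant_id for a valid bearer token, otherwise None."""
        client_id, sep, secret = bearer.partition(".")
        presented = _digest(secret)  # hash even on a miss so timing stays uniform
        rec = self._clients.get(client_id)
        if not sep or rec is None or rec["revoked"]:
            return None
        if hmac.compare_digest(presented, rec["hash"]):
            return rec["tenant_id"]
        prev = rec["previous_hash"]
        if prev is not None and now < rec["previous_valid_until"]:
            if hmac.compare_digest(presented, prev):
                return rec["tenant_id"]
        return None


def demo_lifecycle():
    """Create, use, rotate with grace, then revoke; returns each step's outcome."""
    store = ClientCredentialStore()
    t0 = 1_700_000_000.0  # constructed epoch timestamp
    old = store.create("tenant-acme", "client-idp-1")
    results = {"old_valid": store.authenticate(old, t0)}
    new = store.rotate("client-idp-1", now=t0)
    results["new_valid"] = store.authenticate(new, t0)
    results["old_in_grace"] = store.authenticate(old, t0 + 300)
    results["old_after_grace"] = store.authenticate(old, t0 + 601)
    results["tampered"] = store.authenticate(new + "x", t0)
    results["unknown_client"] = store.authenticate("nobody.secret", t0)
    store.revoke("client-idp-1")
    results["after_revoke"] = store.authenticate(new, t0)
    return results
```

`demo_lifecycle()` walks the whole lifecycle: the original token authenticates, the rotated one replaces it, the original still works inside the grace window and fails after it, a tampered token and an unknown client both fail, and revocation kills everything at once. The tenant id returned by `authenticate` is the value every subsequent SCIM query should be scoped by; resolving it from the credential rather than from anything in the request body is what backs the tenant-isolation claim below.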


Session Leases

Admin sessions require periodic heartbeats. Expired or dropped sessions are automatically invalidated — no dangling sessions.


Tenant Isolation

All SCIM resources are tenant-scoped at the data layer. Cross-tenant access is impossible by design, not just by convention.


Immutable Audit Log

Every create, update, delete, and authentication event is recorded with actor, timestamp, and full context. Non-repudiable.

Input Validation

Strict schema validation at creation time. Invalid jobs rejected with 422 before any database write.

Runtime Config Guards

Configuration changes are validated, versioned, and audit-logged. No silent config mutations.

Rollout approved

The SCIM connector has passed full rollout-readiness gates and is approved for production deployment.

GO — Approved for Production Rollout

106 tests passing · 0 failures · Full rollout checklist complete · Operator runbooks ready

106 Tests ✓ · RFC 7644 ✓ · Audit Ready ✓ · Runbooks ✓

Everything you need to deploy

Full operational documentation ships with the connector — from rollout checklists to per-alert runbooks.

Rollout Checklist

Pre-rollout, deployment, smoke test, and rollback checklists with early-life monitoring windows.

docs/ROLLOUT_CHECKLIST.md


Operator Runbooks

Step-by-step operator procedures for every alert, including lease-loss, stale lease, and timeout recovery.

docs/OPERATOR_RUNBOOKS.md


Platform Status

Current capabilities, known limitations, and worker scope — kept in sync with the actual implementation.

docs/PLATFORM_STATUS.md


Monitoring Guide

All Prometheus metrics, alert rules, and Grafana dashboard guidance for production visibility.

docs/monitoring.md

Jobs Reference

Complete reference for worker job types, payloads, validation rules, and result schemas.

docs/JOBS.md


Worker Fleet Design

Architecture documentation: lease protocol, worker lifecycle, multi-instance coordination.

docs/WORKER_FLEET_DESIGN.md

Plans

Start free. Scale when you're ready.

30-day free trial, no credit card required. Up to 50 users during trial.

Free Trial
$0/30 days
  • Up to 50 users provisioned
  • Full SCIM 2.0 RFC 7643/7644
  • 1 SCIM connector
  • Audit log access
  • Email support
Start Free Trial →
© LabsNinja · Enterprise Identity Provisioning