
[Feat]: SCIM Client support (Outbound provisioning) #1009

Open

polarathene opened this issue Jul 8, 2024 · 3 comments

Labels: enhancement (New feature or request)

Comments


polarathene commented Jul 8, 2024

🚀 Feature

Feb 2024 blog post: https://supertokens.com/blog/what-is-scim-provisioning

A SCIM client is probably more effort to support. I don't use SuperTokens myself, so perhaps wait until enough user interest is expressed with 👍 reactions.

Implementation details

For reference:

  • SCIM Server (exposes the SCIM API endpoints, like the standard /Users and /Groups)
    • A SCIM client connects to the SCIM Server via the endpoints to provision users and groups.
    • SCIM servers may also be referred to as "inbound provisioning", or a "Service Provider" (usually SaaS / cloud apps, but could also be an IdP).
    • Note, it can be quite common for an SP to have varying limitations in their SCIM spec support / implementation. Examples: AWS IAM Identity Center (additionally: 1, 2), Casdoor, Gitlab, Okta, Sentry, Slack.
  • SCIM Client (source of truth for users/groups for SCIM servers to be provisioned/deprovisioned with)
    • SCIM clients may be referred to as "outbound provisioning".
    • In this scenario, a client like SuperTokens ensures downstream apps are provisioned with users/groups, along with any updates being synced to those downstreams (aka "Service Providers" / SPs).
    • A SCIM Client supports attribute mapping, to map its internal equivalent attributes to those of the SCIM endpoint.

There are also services that map a SCIM endpoint to an alternative API of a service which lacks support for SCIM. These vary in naming too as SCIM bridges / connectors / facades / gateways.
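The attribute mapping and downstream sync described above, as an added Python example that is not part of the issue or of SuperTokens; the function names, the mapping table and the `sp_supports_patch` flag are assumptions made for illustration:

```python
# Added example (not from the issue or SuperTokens): the SCIM client side,
# mapping an internal user record to a SCIM 2.0 User and deriving the update
# to push to a Service Provider (SP). Function names are hypothetical.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Attribute mapping: SCIM attribute path -> key in the client's own record.
MAPPING = {
    "userName": "email",
    "name.givenName": "first_name",
    "name.familyName": "last_name",
    "active": "enabled",
}

def _get(d, path):
    """Read a dotted SCIM path such as 'name.givenName'; None if absent."""
    for part in path.split("."):
        if not isinstance(d, dict) or part not in d:
            return None
        d = d[part]
    return d

def _put(d, path, value):
    """Write a dotted SCIM path, creating nested complex attributes."""
    *parents, leaf = path.split(".")
    for p in parents:
        d = d.setdefault(p, {})
    d[leaf] = value

def build_scim_user(internal, mapping=MAPPING):
    """Body the client POSTs to the SP's /Users endpoint when provisioning."""
    user = {"schemas": [USER_SCHEMA]}
    for scim_path, key in mapping.items():
        if key in internal:
            _put(user, scim_path, internal[key])
    if "email" in internal:  # emails is a multi-valued attribute in SCIM
        user["emails"] = [{"value": internal["email"], "primary": True}]
    return user

def diff_to_patch(current, desired, mapping=MAPPING):
    """PatchOp: one 'replace' per mapped attribute the SP holds differently."""
    ops = [{"op": "replace", "path": p, "value": _get(desired, p)}
           for p in mapping if _get(current, p) != _get(desired, p)]
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}

def plan_sync(current, desired, sp_supports_patch):
    """SPs differ in spec coverage: fall back to a full PUT when no PATCH."""
    patch = diff_to_patch(current, desired)
    if not patch["Operations"]:
        return ("NOOP", None)
    return ("PATCH", patch) if sp_supports_patch else ("PUT", desired)
```

Deprovisioning is just the `active` attribute flipping to `False` in the desired record, which the diff turns into a single `replace` operation.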

polarathene added the enhancement label Jul 8, 2024

rishabhpoddar (Contributor) commented

We have an example app that shows how SCIM can be added: https://github.com/supertokens/jackson-supertokens-express

polarathene (Author) commented Jul 8, 2024

I'm aware, but that is for supporting SuperTokens as a Service Provider (SCIM server, provides the API endpoints to provision users/groups to SuperTokens, aka inbound provisioning):

> Once created, you will see a URL at the bottom of the screen: http://localhost:5225/api/scim/oauth/authorize?directoryId=
> You need to navigate to that on your browser and login as the admin of your Google workspaces account.
> This will generate an access and refresh token which can then be used by BoxyHQ to sync users from Google Workspaces.

SCIM Client support (outbound provisioning) is different.

If you were to provision users from SuperTokens (now acting as a SCIM Client) into an SP (services with SCIM server support like Okta, Sentry, Slack, AWS IAM Identity Center), that would all be the other way around (SuperTokens calls those services' SCIM API, mapping its internal representation of equivalent SCIM attributes).

rishabhpoddar (Contributor) commented

Right. Makes sense. Thanks for opening this issue.
