mirror of
https://github.com/pocket-id/pocket-id.git
synced 2025-12-06 09:13:19 +03:00
🚀 Feature: SCIM Provisioning #160
Originally created by @HeyITGuyFixIt on GitHub.
Feature description
Please add support for SCIM (System for Cross-domain Identity Management) provisioning. Specifically SCIM version 2.
Pitch
In my use case, Pocket ID users can access sites protected by Cloudflare's Zero Trust Access, via the Generic OIDC feature in Zero Trust. This feature supports SCIM version 2, which allows user and group changes made in the OIDC provider to synchronize with Zero Trust.
A couple of links to documentation:
@HeyITGuyFixIt commented on GitHub:
Yeah I think that's the gist of how it should work. Basically automate account management across compatible cloud services.
Currently, the availability of SCIM tends to be limited to enterprise plans (i.e. GitLab, Bitwarden). I would hope that if some of the open source, self hosted identity providers support SCIM, more service providers will also support it like many do with OIDC.
@kmendell commented on GitHub:
SCIM is a "whole different spec" in itself, and is kind of an enterprise based feature, but if @stonith404 sees some value, we could think about implementing it.
@HeyITGuyFixIt commented on GitHub:
I'm looking into additional potential use cases. SCIM support can be added to NextCloud with the SCIM Service Provider app.
@stonith404 commented on GitHub:
I’m not really sure I understand the full purpose of SCIM, but from what I understand, it allows user information to be updated in the background without requiring the user to sign in again.
For example, if a Pocket ID account is deleted, the current session would be invalidated automatically?
And if a user updates their name, that change would be reflected immediately, even if they haven’t signed out and back in?
@HeyITGuyFixIt commented on GitHub:
For what it's worth, it looks like Authentik already supports it. And there is a discussion on Authelia to add support for it. I've also seen a few extensions created that add SCIM support to Keycloak.
@bannmann commented on GitHub:
Another use case: Tailscale exclusively uses SCIM to pull group membership info.
So if I want to use groups for access rules in my tailnet, right now I would have to set up the groups and their members entirely inside the tailnet policy file.
If Pocket ID supported SCIM, I could define the groups centrally (or pull them via LDAP) and use them across Tailscale and other apps.
@derekschartung commented on GitHub:
Agreed. SCIM provisioning from various IdPs would be a welcome feature.
@kmendell commented on GitHub:
This is a big feature to implement, as it would require the full SCIM Server implementation. I'll look again at it once we get all caught up on PRs.
@ben-kuhn commented on GitHub:
@stonith404 That's exactly correct.
For me the biggest use case is "leavers" in an organization. Many apps and SaaS solutions will use very long sessions. If a user has signed in to the SmartSheet app on a personal device (using this as an example since I've seen it many times) and they leave the organization, they retain access to organization data until someone removes their account in SmartSheet even if their access from the IdP is immediately revoked. IMO SCIM is the nicest way to do this as it's a single step and doesn't require additional tooling other than the IdP.
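The two comments above (the question of whether deleting a Pocket ID account invalidates the session on the relying side, and the "leavers" case) describe the same SCIM 2.0 exchange: the IdP sends a PATCH setting `active` to `false`, and the service provider revokes the user's sessions at once instead of waiting for them to expire. The example below is added here to show both sides of that exchange in Go; it is not code from Pocket ID or from any product named in the thread. The in-memory `SessionStore`, the bearer token, the `/scim/v2/Users/{id}` route prefix and the user id `u-1001` are assumptions made for the example; the PatchOp message shape and the `active` attribute come from RFC 7644.

```go
package main

import (
	"bytes"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Bearer token the IdP presents on every SCIM call: a constructed placeholder,
// not a real credential (deployments use a long random per-integration secret).
const scimToken = "scim-bearer-token-placeholder"

// SessionStore stands in for the service provider's session table (an assumption
// of this example, not any real product's data model). A real store needs locking;
// this example serves the handler synchronously, so none is shown.
type SessionStore struct {
	sessions map[string][]string // SCIM user id -> live session ids
}

// LiveSessions reports how many sessions a user still holds.
func (s *SessionStore) LiveSessions(userID string) int {
	return len(s.sessions[userID])
}

// patchOp mirrors the SCIM 2.0 PatchOp message (RFC 7644, section 3.5.2).
type patchOp struct {
	Operations []struct {
		Op    string          `json:"op"`
		Path  string          `json:"path"`
		Value json.RawMessage `json:"value"`
	} `json:"Operations"`
}

// activeFromOp extracts "active" from one replace operation. IdPs send either
// path "active" with a bare boolean or no path with an object {"active": false}.
func activeFromOp(path string, value json.RawMessage) (active, ok bool) {
	if strings.EqualFold(path, "active") {
		err := json.Unmarshal(value, &active)
		return active, err == nil
	}
	var v struct {
		Active *bool `json:"active"`
	}
	if path != "" || json.Unmarshal(value, &v) != nil || v.Active == nil {
		return false, false
	}
	return *v.Active, true
}

// UsersHandler serves PATCH /scim/v2/Users/{id}. active=false is the "leaver"
// signal: every session of that user is revoked right away, not at next login.
func (s *SessionStore) UsersHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Authorization") != "Bearer "+scimToken {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	var op patchOp
	if r.Method != http.MethodPatch || json.NewDecoder(r.Body).Decode(&op) != nil {
		http.Error(w, "expected PATCH with a PatchOp body", http.StatusBadRequest)
		return
	}
	userID := strings.TrimPrefix(r.URL.Path, "/scim/v2/Users/")
	for _, o := range op.Operations {
		active, ok := activeFromOp(o.Path, o.Value)
		if strings.EqualFold(o.Op, "replace") && ok && !active {
			delete(s.sessions, userID) // revoke now; do not wait for token expiry
		}
	}
	w.WriteHeader(http.StatusNoContent) // RFC 7644 permits 204 for a PATCH
}

// Deprovision is the IdP side: the one PATCH an identity provider sends when an
// account is disabled or deleted. It returns the service provider's HTTP status.
func Deprovision(sp http.Handler, userID string) int {
	body, _ := json.Marshal(map[string]interface{}{
		"schemas":    []string{"urn:ietf:params:scim:api:messages:2.0:PatchOp"},
		"Operations": []map[string]interface{}{{"op": "replace", "path": "active", "value": false}},
	})
	req := httptest.NewRequest(http.MethodPatch, "/scim/v2/Users/"+userID, bytes.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+scimToken)
	req.Header.Set("Content-Type", "application/scim+json")
	rec := httptest.NewRecorder()
	sp.ServeHTTP(rec, req)
	return rec.Code
}

// LeaverDemo runs the exchange end to end: a user holding two long-lived sessions
// (constructed sample data) is deprovisioned and the session count drops to zero.
func LeaverDemo() (before, after, status int) {
	sp := &SessionStore{sessions: map[string][]string{"u-1001": {"sess-phone", "sess-laptop"}}}
	before = sp.LiveSessions("u-1001")
	status = Deprovision(http.HandlerFunc(sp.UsersHandler), "u-1001")
	return before, sp.LiveSessions("u-1001"), status
}
```

`LeaverDemo` returns `2, 0, 204`: two sessions before the PATCH, none after, and a 204 from the service provider. To run the same client against a remote service provider, build the request with `http.NewRequest` on the full URL and send it with an `http.Client` instead of `httptest.NewRecorder`; the message bytes are identical. The point the thread is making sits in `UsersHandler`: a service provider that only flips an `active` flag and leaves existing sessions alive has not solved the leaver problem, so deactivation must reach the session table. Because SCIM is a push from the IdP authenticated by a single bearer token, that token grants the power to disable any user and deserves the same handling as any other admin credential.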