mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-14 06:54:57 +03:00
mukul975
97 lines
2.8 KiB
Markdown
97 lines
2.8 KiB
Markdown
# SCIM Provisioning Workflows
|
|
|
|
## User Provisioning Workflow
|
|
|
|
```
|
|
1. Admin assigns user to Okta application
|
|
│
|
|
2. Okta checks if user exists (GET /Users?filter=userName eq "user@domain.com")
|
|
│
|
|
├── User NOT found → Okta sends POST /Users with user attributes
|
|
│ │
|
|
│ └── SCIM server creates user → Returns 201 Created
|
|
│
|
|
└── User found → Okta sends PUT /Users/{id} to update attributes
|
|
│
|
|
└── SCIM server updates user → Returns 200 OK
|
|
```
|
|
|
|
## User Deprovisioning Workflow
|
|
|
|
```
|
|
1. Admin unassigns user from Okta application (or user deactivated in Okta)
|
|
│
|
|
2. Okta sends PATCH /Users/{id}
|
|
Body: {"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
|
|
"Operations":[{"op":"replace","value":{"active":false}}]}
|
|
│
|
|
3. SCIM server deactivates user (sets active=false, revokes sessions)
|
|
│
|
|
4. Returns 200 OK with updated user object
|
|
```
|
|
|
|
## Group Push Workflow
|
|
|
|
```
|
|
1. Admin enables Group Push for Okta group
|
|
│
|
|
2. Okta sends POST /Groups with group name and initial members
|
|
│
|
|
3. When group membership changes in Okta:
|
|
│
|
|
├── Member added → PATCH /Groups/{id}
|
|
│ Op: add, path: members, value: [{value: userId}]
|
|
│
|
|
└── Member removed → PATCH /Groups/{id}
|
|
Op: remove, path: members[value eq "userId"]
|
|
```
|
|
|
|
## Profile Sync Workflow
|
|
|
|
```
|
|
1. User profile updated in Okta (e.g., department change)
|
|
│
|
|
2. Okta sends PUT /Users/{id} or PATCH /Users/{id}
|
|
Body includes updated attributes
|
|
│
|
|
3. SCIM server updates user attributes in local database
|
|
│
|
|
4. Returns 200 OK with full updated user representation
|
|
```
|
|
|
|
## Error Recovery Workflow
|
|
|
|
```
|
|
1. SCIM operation fails (network timeout, server error)
|
|
│
|
|
2. Okta logs failed task in Provisioning > Tasks
|
|
│
|
|
3. Admin can retry individual failed tasks
|
|
│
|
|
4. For persistent failures:
|
|
├── Check SCIM server logs for error details
|
|
├── Verify network connectivity and TLS certificate
|
|
├── Validate bearer token has not expired
|
|
└── Review attribute mapping for data format issues
|
|
```
|
|
|
|
## Implementation Testing Workflow
|
|
|
|
```
|
|
1. Deploy SCIM server to staging environment
|
|
│
|
|
2. Configure Okta SCIM integration with staging URL
|
|
│
|
|
3. Run Okta SCIM validator test suite
|
|
│
|
|
4. Test manual operations:
|
|
├── Assign test user → verify account created
|
|
├── Update user profile → verify attributes synced
|
|
├── Unassign user → verify account deactivated
|
|
└── Push group → verify group and members created
|
|
│
|
|
5. Review provisioning logs in Okta Admin Console
|
|
│
|
|
6. Promote to production with production SCIM URL
|
|
```
|