FreeSCIM

A secure and flexible SCIM 2.0 bridge for FreeIPA and Okta

FreeSCIM simplifies user and group provisioning between identity systems. Designed for sysadmins, by sysadmins.

About FreeSCIM

FreeSCIM is a Python-based SCIM 2.0 middleware designed to bridge the gap between modern identity management systems. It serves as a secure connector between Okta and FreeIPA, enabling seamless user lifecycle management across hybrid identity environments.

The middleware allows Okta to provision users, update attributes, and synchronize group memberships into FreeIPA securely and efficiently. Built with enterprise reliability in mind, FreeSCIM handles the mapping between the SCIM 2.0 protocol and the LDAP operations that FreeIPA understands.

  • Python 3: core runtime environment
  • Flask: lightweight web framework
  • LDAP3: LDAP client library
  • FastAPI: optional high-performance API

FreeSCIM supports multiple deployment options including systemd services, WSGI applications, and containerized environments. It's released under the MIT License, making it freely available for both open-source and commercial use.

Problems It Solves

Modern identity management often involves complex integrations between cloud-based and on-premises systems. FreeSCIM addresses several critical challenges:

  • Native SCIM Gap: FreeIPA does not natively support SCIM 2.0, making it difficult to integrate with modern identity providers like Okta
  • Manual User Management: Without automated provisioning, organizations must manually maintain user identities across systems, leading to errors and security gaps
  • Brittle Scripts: Custom integration scripts often break with system updates and lack proper error handling and logging
  • Security Concerns: Ad-hoc solutions may not follow security best practices for credential management and audit logging
  • Scalability Issues: Manual processes don't scale with growing organizations and changing user populations

Common Use Cases

FreeSCIM is particularly valuable in environments where organizations need to bridge cloud and on-premises identity systems:

🏫 Educational Institutions

Universities with FreeIPA-based lab and workstation access who want centralized Okta user management for students, faculty, and staff.

🏢 Hybrid Enterprises

Organizations using FreeIPA on-premises but Okta in the cloud, needing seamless user synchronization across both environments.

⚡ Just-in-Time Provisioning

Admins requiring automatic user creation based on SCIM payloads, ensuring users have access exactly when they need it.

🎯 Fine-Grained Control

Organizations needing precise group control and attribute mapping between SCIM data and LDAP directory structures.

How It Works

FreeSCIM operates as a middleware service that translates SCIM 2.0 requests into FreeIPA-compatible LDAP operations:

Request Processing

The service accepts SCIM requests over HTTPS and authenticates each one by its bearer token. It then validates the request format and extracts the user or group information from the SCIM payload.

POST /scim/v2/Users
Authorization: Bearer your-scim-token
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "john.doe",
  "emails": [{"value": "[email protected]", "primary": true}],
  "groups": [{"value": "developers"}]
}

Data Mapping

FreeSCIM parses the SCIM payload and maps its fields to the LDAP attributes FreeIPA expects. For example, userName maps to uid, and group memberships are translated into modifications of the corresponding LDAP group entries. One caveat when reading the request above: RFC 7643 defines the groups attribute of a User as read-only, so membership changes from an identity provider such as Okta normally arrive as operations on the Group resource (for example, PATCH /Groups/{id}) rather than only inside the User payload.

LDAP Operations

Binding to the directory as Directory Manager (the 389 Directory Server superuser, so this credential warrants the same protection as root), the service performs LDAP operations such as user creation, attribute updates, and group membership modifications. All operations are logged with timestamps and status information.

# Example LDAP DN for user creation
uid=john.doe,cn=users,cn=accounts,dc=company,dc=com

# Group membership addition
cn=developers,cn=groups,cn=accounts,dc=company,dc=com
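The request-processing, data-mapping and LDAP-operation steps above, carried through in Python as an added example. This is illustrative code written for this page, not FreeSCIM's implementation. It assumes the base DN dc=company,dc=com from the DNs above, a deliberately narrow uid policy, the inetOrgPerson object class, and an operation shape modelled on the arguments of ldap3's add() and modify(); nothing is sent to a directory, and the sample payload is constructed.

```python
"""Added example: SCIM User payload -> validated LDAP add + group modifies.

Not FreeSCIM's own code. Assumed: BASE_DN, UID_RE policy, object class,
and the returned operation shapes (ldap3-style). No connection is opened.
"""
import hmac
import re

BASE_DN = "dc=company,dc=com"                       # assumed, from the page's DNs
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Narrow uid policy (assumed): anything outside it is refused before a DN
# is ever built, which rules out DN injection through the user entry.
UID_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")


def check_bearer(authorization_header, expected_token):
    """Constant-time comparison of the presented bearer token."""
    scheme, _, presented = (authorization_header or "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def scim_user_to_ldap(payload):
    """Validate a SCIM User; return (user_dn, add_attributes, group_modifies).

    Raises ValueError for anything that is not a well-formed SCIM User.
    """
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    schemas = payload.get("schemas")
    if not isinstance(schemas, list) or SCIM_USER_SCHEMA not in schemas:
        raise ValueError("missing core User schema")
    uid = payload.get("userName")
    if not isinstance(uid, str) or not UID_RE.fullmatch(uid):
        raise ValueError("userName missing or not an acceptable uid")

    name = payload.get("name") or {}
    sn = name.get("familyName") or uid        # sn is mandatory for inetOrgPerson
    cn = payload.get("displayName") or " ".join(
        v for v in (name.get("givenName"), name.get("familyName")) if v) or uid
    # Object class is assumed; a real FreeIPA user carries more classes
    # and POSIX attributes than this minimal add shows.
    attrs = {"objectClass": ["inetOrgPerson"], "uid": uid, "cn": cn, "sn": sn}
    if name.get("givenName"):
        attrs["givenName"] = name["givenName"]
    primary = [e["value"] for e in (payload.get("emails") or [])
               if isinstance(e, dict) and e.get("primary")
               and isinstance(e.get("value"), str)]
    if primary:
        attrs["mail"] = primary[0]
    user_dn = f"uid={escape_dn_value(uid)},cn=users,cn=accounts,{BASE_DN}"

    group_modifies = []
    for entry in payload.get("groups") or []:
        group = entry.get("value") if isinstance(entry, dict) else None
        if not isinstance(group, str) or not group:
            raise ValueError("group entry without a value")
        group_dn = f"cn={escape_dn_value(group)},cn=groups,cn=accounts,{BASE_DN}"
        # ldap3 form: conn.modify(group_dn, {"member": [(MODIFY_ADD, [user_dn])]})
        group_modifies.append((group_dn, {"member": [("MODIFY_ADD", [user_dn])]}))
    return user_dn, attrs, group_modifies


def is_rejected(payload):
    """True if scim_user_to_ldap refuses the payload."""
    try:
        scim_user_to_ldap(payload)
    except ValueError:
        return True
    return False


# Constructed sample request, not captured from a real Okta tenant.
SAMPLE_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "john.doe",
    "emails": [{"value": "john.doe@example.com", "primary": True}],
    "groups": [{"value": "developers"}],
}

if __name__ == "__main__":
    print(check_bearer("Bearer your-scim-token", "your-scim-token"))
    dn, attrs, mods = scim_user_to_ldap(SAMPLE_USER)
    print(dn, attrs, mods, sep="\n")
    print(is_rejected(dict(SAMPLE_USER, userName="john.doe,cn=admins")))
```

The uid regex means the user DN is only ever built from a value that has already been constrained, so RFC 4514 escaping is a second line of defence there; it does real work for the group cn, which this example takes from the payload as sent.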

System Integration

FreeSCIM integrates with systemd for reliable service management, automatic restarts, and centralized logging. This ensures the service remains available and provides proper audit trails for compliance requirements.

Security Model

Security is a fundamental consideration in FreeSCIM's design, with multiple layers of protection:

Authentication & Authorization

  • SCIM Bearer Token: Requires a unique, securely generated bearer token for all SCIM requests
  • LDAP Credentials: the Directory Manager password is not written to the configuration file in plaintext; it is read from an environment variable or an encrypted keyring. An environment variable is still readable by anyone who can inspect the process, so the keyring option is the stronger of the two
  • HTTPS Only: All communications are encrypted in transit

Input Validation & Sanitization

  • Input validation rejects malformed requests before anything reaches the directory, in particular values that would alter an LDAP DN or search filter (DN and filter injection)
  • Attribute sanitization ensures only valid LDAP data is processed
  • SCIM payload validation against the RFC 7643 schema
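The filter-injection case from the validation bullets above, as an added example: an identity provider looks users up with a SCIM filter such as GET /Users?filter=userName eq "john.doe", and that filter has to become an LDAP search filter. The code is written for this page, not FreeSCIM's own; the attribute allowlist and the set of supported operators are assumptions, and the naive version is included only to show the hole a quick script leaves open.

```python
"""Added example: SCIM filter -> LDAP filter with RFC 4515 escaping.

Not FreeSCIM's code. Assumed: the attribute allowlist and the eq/sw/co
subset of SCIM operators.
"""
import re

# Allowlist (assumed): unknown SCIM attributes are refused, never passed through.
SCIM_TO_LDAP_ATTR = {"userName": "uid", "emails.value": "mail", "displayName": "cn"}

# attrPath operator "value": the comparison shape IdPs send for lookups.
FILTER_RE = re.compile(
    r'^\s*([A-Za-z][A-Za-z0-9.]*)\s+(eq|sw|co)\s+"((?:[^"\\]|\\.)*)"\s*$')


def escape_filter_value(value):
    """RFC 4515: '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join(f"\\{ord(ch):02x}" if ch in '*()\\\x00' else ch
                   for ch in value)


def scim_filter_to_ldap(scim_filter):
    """Translate one SCIM comparison filter into a safe LDAP filter."""
    m = FILTER_RE.match(scim_filter or "")
    if not m:
        raise ValueError("unsupported or malformed SCIM filter")
    attr, op, raw = m.groups()
    if attr not in SCIM_TO_LDAP_ATTR:
        raise ValueError(f"filtering on {attr!r} is not allowed")
    value = re.sub(r"\\(.)", r"\1", raw)    # undo the SCIM string escapes (\" and \\)
    escaped = escape_filter_value(value)    # then apply LDAP escaping
    ldap_attr = SCIM_TO_LDAP_ATTR[attr]
    if op == "eq":
        return f"({ldap_attr}={escaped})"
    if op == "sw":
        return f"({ldap_attr}={escaped}*)"
    return f"({ldap_attr}=*{escaped}*)"     # co


def naive_filter(scim_filter):
    """The brittle-script version: plain interpolation. Here only for contrast."""
    attr, _op, raw = FILTER_RE.match(scim_filter).groups()
    return f"({SCIM_TO_LDAP_ATTR.get(attr, attr)}={raw})"


def rejects_filter(scim_filter):
    """True if scim_filter_to_ldap refuses the filter."""
    try:
        scim_filter_to_ldap(scim_filter)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal lookup and a wildcard that would enumerate every user.
    print(scim_filter_to_ldap('userName eq "john.doe"'))   # (uid=john.doe)
    print(naive_filter('userName eq "*"'))                 # (uid=*)   matches everyone
    print(scim_filter_to_ldap('userName eq "*"'))          # (uid=\2a) matches a literal '*'
```

With the escaped form, a value like x)(uid=* can no longer close the current filter and open another; it is searched for as the literal string it is.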

Audit & Logging

  • All requests are logged with timestamps, source IPs, and operation status
  • Audit-friendly metadata for compliance requirements
  • Structured logging for easy integration with SIEM systems
  • Error logging with appropriate detail levels
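The audit bullets above, as an added example of what one structured record per request can look like: a JSON object per line with a UTC timestamp, source IP and operation status, and any bearer token scrubbed before the line is written. This is code written for this page, not FreeSCIM's own logging; the field names and the request metadata are assumptions, and the sample values are constructed.

```python
"""Added example: JSON audit lines with bearer-token redaction.

Not FreeSCIM's code. Assumed: the audit field set and the logger name.
"""
import json
import logging
import re
import sys
from datetime import datetime, timezone

# Anything that looks like a bearer token is masked wherever it appears in a message.
TOKEN_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/=-]+")
AUDIT_FIELDS = ("src_ip", "method", "path", "op", "status", "dn")  # assumed field set


class JsonFormatter(logging.Formatter):
    """One JSON object per line with a UTC timestamp: easy for a SIEM to ingest."""

    def format(self, record):
        doc = {
            "ts": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "level": record.levelname,
            "msg": TOKEN_RE.sub(r"\1[REDACTED]", record.getMessage()),
        }
        for key in AUDIT_FIELDS:        # fields attached through extra={...}
            if hasattr(record, key):
                doc[key] = getattr(record, key)
        return json.dumps(doc, sort_keys=True)


def audit_logger(stream=sys.stderr):
    """Logger whose only handler writes JsonFormatter lines to `stream`."""
    logger = logging.getLogger("freescim.audit")
    logger.handlers.clear()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


def audit_line(src_ip, method, path, op, status, dn=None, detail=""):
    """Render the record for one request directly, without a handler."""
    record = logging.LogRecord("freescim.audit", logging.INFO, "", 0,
                               detail or f"{op} {status}", (), None)
    for key, val in zip(AUDIT_FIELDS, (src_ip, method, path, op, status, dn)):
        setattr(record, key, val)
    return JsonFormatter().format(record)


if __name__ == "__main__":
    log = audit_logger()
    # Constructed request metadata, not captured from a real deployment.
    log.info("created user", extra={
        "src_ip": "203.0.113.7", "method": "POST", "path": "/scim/v2/Users",
        "op": "create_user", "status": 201,
        "dn": "uid=john.doe,cn=users,cn=accounts,dc=company,dc=com"})
    log.warning("rejected request, header was Authorization: Bearer s3cr3t-token",
                extra={"src_ip": "198.51.100.9", "method": "POST",
                       "path": "/scim/v2/Users", "op": "auth", "status": 401})
```

The redaction runs on the rendered message rather than on the caller's arguments, so a token that reaches the log through an error string or an exception message is masked as well.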

Operational Security

  • Least-privilege principle for LDAP operations; note that binding as Directory Manager grants far more than the bridge needs, so a dedicated service account holding only the user and group permissions it uses is the stronger choice
  • Secure credential management practices
  • Regular security updates and dependency management
  • Configurable rate limiting and request validation