Role of Okta

Okta is the identity provider and assignment source for SAML access and SCIM lifecycle events.

Authority model

Okta owns human identity intent; FreeIPA / LDAP owns Linux directory enforcement; FreeSCIM owns mapping, guardrails, audit evidence, and recoverability.

Supported operations

Authentication model

SAML protects operator access. SCIM endpoints should use scoped integration tokens with rotation, revocation, and redacted event logging.

Rollout guidance

  1. Validate metadata, ACS URL, certificate fingerprint, and group claims.
  2. Run read-only or dry-run reconciliation.
  3. Enable low-risk assignment groups first.
  4. Add approval gates for privileged groups and deprovisioning.
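Step 1 worked through as an added example (not FreeSCIM or Okta code): parse an IdP metadata document and compare its entity ID, HTTP-Redirect SSO URL and SHA-256 signing-certificate fingerprint against pinned values, reporting every mismatch instead of accepting the first one. The sample metadata, entity ID, URL and certificate bytes are constructed placeholders, and the redirect binding is assumed to be the one in use.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the entity ID, SSO URL and certificate bytes are
# placeholders, not values from any real Okta tenant.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="http://www.okta.com/EXAMPLE-ENTITY"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1jZXJ0</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_cert):
    """SHA-256 over the DER certificate bytes, as colon-separated uppercase hex."""
    der = base64.b64decode("".join(b64_cert.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def validate_idp_metadata(xml_text, entity_id, sso_url, fingerprint):
    """Return (ok, problems). Every pinned value must match exactly; anything
    missing or different is listed rather than silently accepted."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("entityID") != entity_id:
        problems.append(f"entityID mismatch: {root.get('entityID')!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return False, problems + ["no IDPSSODescriptor in metadata"]
    sso = idp.find(f"md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    if sso is None or sso.get("Location") != sso_url:
        problems.append("SSO redirect endpoint missing or not the pinned URL")
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                        "ds:X509Data/ds:X509Certificate", NS)
    if len(certs) != 1:
        problems.append(f"expected exactly one signing certificate, found {len(certs)}")
    elif cert_fingerprint(certs[0].text) != fingerprint:
        problems.append("signing certificate fingerprint mismatch")
    return not problems, problems
```

Group claims and the ACS URL are checked on the assertion and the SP side respectively, so they are outside this metadata check.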

Known limits

Do not claim Okta owns downstream Linux enforcement. FreeIPA, SSSD, Kerberos, HBAC, and sudo policy remain separate operational boundaries.