What FreeSCIM is
FreeSCIM is a SCIM lifecycle control plane for environments where one system may express identity intent while another system owns Linux enforcement. It keeps the SCIM contract visible, maps authority boundaries explicitly, and gives operators evidence before high-impact writes.
Who it is for
When to use it
- Okta, Entra, or another identity authority needs to drive user and group lifecycle events into Linux-aware infrastructure.
- FreeIPA or LDAP remains a real enforcement layer, not a passive sync target.
- Provisioning changes require dry-run review, approval, reconciliation, and rollback evidence.
- Operators need SCIM 2.0 compatibility without losing auditability or directory-specific constraints.
When not to use it
Do not use FreeSCIM as a hidden password sync tool, a bypass around FreeIPA policy, an unmanaged write bridge into privileged groups, or a replacement for identity governance decisions that require an explicit owner.
Lifecycle control model
Each lifecycle action is treated as a state transition with a source, target, authority owner, risk level, evidence artifact, and recovery path.
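An added illustration of the transition model described above, not FreeSCIM code: a dry run reconciles a SCIM 2.0 group PatchOp against current directory membership, records the diff and its inverse, and gates the write on risk. `Transition`, `plan_group_patch`, `may_write`, the privileged-group list and the sample data are hypothetical names and constructed values.

```python
from dataclasses import dataclass

PRIVILEGED_GROUPS = {"admins", "sudoers"}  # assumption: site-defined list

# Constructed sample: SCIM 2.0 PatchOp (RFC 7644) adding two group members.
SAMPLE_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "Add", "path": "members",
                    "value": [{"value": "u-1001"}, {"value": "u-1002"}]}],
}

@dataclass(frozen=True)
class Transition:
    source: str           # system expressing identity intent
    target: str           # directory object the change lands on
    authority_owner: str  # system that owns enforcement
    risk: str             # "none", "low" or "high"
    evidence: dict        # dry-run diff, recorded before any write
    recovery: dict        # inverse diff, kept as the rollback candidate

def plan_group_patch(group, patch, current, source="idp", owner="freeipa"):
    """Dry run: reconcile a PatchOp against directory state; writes nothing."""
    current, intended = set(current), set(current)
    for op in patch.get("Operations", []):
        kind = str(op.get("op", "")).lower()  # tolerate "Add" as well as "add"
        ids = {m["value"] for m in op.get("value") or []}
        if op.get("path") != "members" or kind not in ("add", "remove") or not ids:
            raise ValueError(f"unsupported operation, refusing to guess: {op!r}")
        intended = intended | ids if kind == "add" else intended - ids
    add, remove = sorted(intended - current), sorted(current - intended)
    if not add and not remove:
        risk = "none"
    else:
        risk = "high" if group in PRIVILEGED_GROUPS else "low"
    return Transition(source, f"group:{group}", owner, risk,
                      evidence={"add": add, "remove": remove},
                      recovery={"add": remove, "remove": add})

def may_write(t, approved_by=None):
    """Gate: no-op plans never write; high-risk plans need a named approver."""
    if t.risk == "none":
        return False
    return t.risk != "high" or bool(approved_by)

if __name__ == "__main__":
    plan = plan_group_patch("admins", SAMPLE_PATCH, current=["u-1001"])
    print(plan.evidence, plan.risk, may_write(plan), may_write(plan, "alice"))
```

Only the member not already present in the directory appears in the diff, so the evidence shows the effective change rather than the raw request.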
Evidence and recoverability
| Artifact | Purpose | Status |
|---|---|---|
| SCIM request and response records | Explain what the client asked for and how FreeSCIM responded. | Verified |
| Directory reconciliation view | Compare intended state with FreeIPA or LDAP state before writes. | Supported |
| Rollback candidates | Preserve the recovery path for high-impact lifecycle changes. | Supported |
| ITSM handoff context | Carry evidence into review or escalation workflows. | Integration-ready |