FreeSCIM control planeSLU deployment context18-chapter handoff packRHEL 9 production shape

More than an API: an operator system with accountable boundaries.

FreeSCIM is the control tower between cloud identity, directory authority, and physical infrastructure. The important engineering decision is separation: SAML logs people in, SCIM provisions accounts, SSWS provides Okta intelligence, FreeIPA defines Linux authorization shape, and classroom actions require their own evidence.

Architecture

Designed across trust boundaries, not just application layers.

Python 3.12 and Flask blueprints provide the application surface. Gunicorn serves the process under systemd. nginx terminates TLS. PostgreSQL carries logs, mappings, snapshots, classroom state, and evidence. A bounded FreeIPA agent and classroom relays keep privileged operations outside casual browser behavior.

FlaskGunicornsystemdnginxPostgreSQLRHEL 9SELinux
Trust paths separating SAML browser login, SCIM provisioning, SSWS snapshots, and FreeIPA agent access
Three Okta-related channels remain distinct so operators fix the correct trust.

What was built

A platform surface for real jobs.

01

Identity access

Okta SAML login, role mapping, session establishment, logout, diagnostics, and a clear distinction between the browser trust and provisioning trust.

02

Directory control

FreeIPA command center with agent health, circuit-breaker posture, users, groups, HBAC, host groups, probes, and evidence capture.

03

Reconciliation

Okta and FreeIPA snapshots meet in a compare-first workflow with drift review, mapping validation, execution preview, and gated apply.

04

Classroom operations

Per-seat WoL, reboot, and power-off paths with relay and SSH boundaries, mandatory reasons, multi-signal status, and bulk wake disabled by policy.

05

Evidence operations

OPS, logs, database health, Reality Current, production-readiness views, correlation IDs, redaction, and an incident path that starts with evidence.

06

Transferable ownership

An 18-chapter handoff system with role paths, quick reference, FAQ, troubleshooting, worked scenarios, checklists, diagrams, and doc-gap discipline.

Interactive proof

Explore the lifecycle contract without touching a real system.

This front-end lab uses redacted example payloads and simulates the operator feedback loop. It sends no network request and never accepts a real token.

Sandbox modeNo credentials ยท no external calls
FreeSCIM Provisioning LabSCIM 2.0
POST/scim/v2/Usersready
Response200 OK
requestmappingauditresult

Operational proof

Safety is visible in the product, the runtime, and the documentation.

Evidence before action. Operators start at health, OPS, logs, and the domain-specific runbook before mutating identity or power.

Policy as UX. Sync Password, broad sync, and classroom bulk wake remain visibly disabled or gated instead of appearing broken.

Recovery as a feature. Every important failure has a decision path, a request or correlation ID, and a clear next owner.

Handoff as an engineering deliverable. The system can be transferred using documented role paths instead of undocumented tribal knowledge.

Operator workflows

Worked scenarios turn architecture into muscle memory.

01First login

Okta MFA, group-to-role mapping, session verification, and repeatable logout/login.

02FreeIPA unreachable

Badge, test connection, wizard, diagnostic script, and the distinction between agent and LDAP failure.

03Directory comparison

Capture snapshots, compare one identity, decide disable versus provision, and stop before blind sync.

04Classroom seat power

Read multi-signal evidence, require a reason, power one seat, refresh, and document the result.

05SCIM complaint

Separate login from provisioning, verify bearer/base URL, inspect compliance/logs, mappings, and agent health.

06Morning health sweep

Refresh posture, open OPS, review error spikes, and check classroom state without guessing.

Engineering signal

This project demonstrates senior infrastructure judgment across the whole delivery path.

Identity architecture, secure authentication, Linux runtime operations, production deployment, database-backed evidence, networked hardware control, safety policy, UX composition, troubleshooting, and knowledge transfer all meet in one FreeSCIM system.