More than an API: an operator system with accountable boundaries.
FreeSCIM is the control tower between cloud identity, directory authority, and physical infrastructure. The important engineering decision is separation: SAML logs people in, SCIM provisions accounts, SSWS provides Okta intelligence, FreeIPA defines Linux authorization shape, and classroom actions require their own evidence.
Architecture
Designed across trust boundaries, not just application layers.
Python 3.12 and Flask blueprints provide the application surface. Gunicorn serves the process under systemd. nginx terminates TLS. PostgreSQL carries logs, mappings, snapshots, classroom state, and evidence. A bounded FreeIPA agent and classroom relays keep privileged operations outside casual browser behavior.
What was built
A platform surface for real jobs.
Identity access
Okta SAML login, role mapping, session establishment, logout, diagnostics, and a clear distinction between the browser trust and provisioning trust.
Directory control
FreeIPA command center with agent health, circuit-breaker posture, users, groups, HBAC, host groups, probes, and evidence capture.
Reconciliation
Okta and FreeIPA snapshots meet in a compare-first workflow with drift review, mapping validation, execution preview, and gated apply.
Classroom operations
Per-seat WoL, reboot, and power-off paths with relay and SSH boundaries, mandatory reasons, multi-signal status, and bulk wake disabled by policy.
Evidence operations
OPS, logs, database health, Reality Current, production-readiness views, correlation IDs, redaction, and an incident path that starts with evidence.
Transferable ownership
An 18-chapter handoff system with role paths, quick reference, FAQ, troubleshooting, worked scenarios, checklists, diagrams, and doc-gap discipline.
Interactive proof
Explore the lifecycle contract without touching a real system.
This front-end lab uses redacted example payloads and simulates the operator feedback loop. It sends no network request and never accepts a real token.
SCIM 2.0/scim/v2/Usersready
Operational proof
Safety is visible in the product, the runtime, and the documentation.
Evidence before action. Operators start at health, OPS, logs, and the domain-specific runbook before mutating identity or power.
Policy as UX. Sync Password, broad sync, and classroom bulk wake remain visibly disabled or gated instead of appearing broken.
Recovery as a feature. Every important failure has a decision path, a request or correlation ID, and a clear next owner.
Handoff as an engineering deliverable. The system can be transferred using documented role paths instead of undocumented tribal knowledge.
Operator workflows
Worked scenarios turn architecture into muscle memory.
Okta MFA, group-to-role mapping, session verification, and repeatable logout/login.
Badge, test connection, wizard, diagnostic script, and the distinction between agent and LDAP failure.
Capture snapshots, compare one identity, decide disable versus provision, and stop before blind sync.
Read multi-signal evidence, require a reason, power one seat, refresh, and document the result.
Separate login from provisioning, verify bearer/base URL, inspect compliance/logs, mappings, and agent health.
Refresh posture, open OPS, review error spikes, and check classroom state without guessing.
Engineering signal
This project demonstrates senior infrastructure judgment across the whole delivery path.
Identity architecture, secure authentication, Linux runtime operations, production deployment, database-backed evidence, networked hardware control, safety policy, UX composition, troubleshooting, and knowledge transfer all meet in one FreeSCIM system.
