User problem

Identity teams need Okta-driven user and group provisioning while FreeIPA, Kerberos, SSSD, HBAC, and sudo policy remain operationally real.

Mechanism

FreeSCIM receives SCIM 2.0 user and group lifecycle events, maps them into FreeIPA-safe identity operations, and records request, decision, result, and recovery evidence.

Boundary and risk

Evidence artifact

Okta assignment -> SCIM Users/Groups -> FreeSCIM dry-run -> FreeIPA write gate -> Linux validation -> audit record

Next action

Review the Okta integration, then verify FreeIPA / LDAP mapping before enabling writes.
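
The flow above (SCIM user -> dry-run -> write gate -> audit record), as an added example that is not FreeSCIM's own code. The login rule, the attribute mapping, the audit record fields, and the execute callback are assumptions; user_add and user_disable are the FreeIPA commands the mapping targets.

```python
import json
import re

# Assumed policy: logins allowed through to FreeIPA (hypothetical rule).
SAFE_UID = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")

# Constructed SCIM 2.0 User resource (RFC 7643 core schema), not captured traffic.
SAMPLE_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jdoe@example.com",
  "name": {"givenName": "Jane", "familyName": "Doe"},
  "emails": [{"value": "jdoe@example.com", "primary": true}],
  "active": true
}""")


def map_user(scim):
    """Map a SCIM User to a FreeIPA command name and arguments, or raise ValueError."""
    uid = str(scim.get("userName") or "").split("@", 1)[0].lower()
    if not SAFE_UID.match(uid):
        raise ValueError("userName does not map to a safe FreeIPA login")
    if scim.get("active") is False:
        return "user_disable", {"uid": uid}  # deactivation in the IdP disables, never deletes
    name = scim.get("name") or {}
    if not name.get("givenName") or not name.get("familyName"):
        raise ValueError("givenName and familyName are required")
    args = {"uid": uid, "givenname": name["givenName"], "sn": name["familyName"]}
    primary = next((e.get("value") for e in scim.get("emails") or [] if e.get("primary")), None)
    if primary:
        args["mail"] = primary
    return "user_add", args


def handle(scim, writes_enabled=False, execute=None):
    """Run request -> decision -> result and return the audit record."""
    record = {"request": scim.get("userName"), "decision": None, "result": None}
    try:
        command, args = map_user(scim)
    except ValueError as exc:
        record.update(decision="reject", result=str(exc))
        return record
    record["operation"] = {"command": command, "args": args}
    if not writes_enabled or execute is None:
        # Write gate closed: record what would have happened and stop.
        record.update(decision="dry-run", result="not applied")
        return record
    record.update(decision="write", result=execute(command, args))
    return record
```

With writes disabled, every record shows the exact FreeIPA operation that would run, which is the mapping to review before the gate is opened.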