Description
Today, when a fleet admin sets up a new silo, the two IDP modes available are JIT-SAML and local user auth. SCIM-SAML will soon be available as another option the user can choose.
- JIT and SCIM modes are mutually exclusive.
- The silo IDP mode will remain immutable, i.e., a silo can't be changed from JIT to SCIM and vice versa.
- The SCIM attributes to be provided by the fleet admin at setup time are:
  - IDP system (in our initial implementation, only Okta is supported)
  - Attribute mapping (username, maybe email + other attributes - it'll be a short list since we don't use/track most of them)
- An initial bearer token will be generated during silo setup, which the fleet admin will specify on the IDP side to authorize SCIM API requests.
Here is an example of SCIM setup in Duo for some ideas of what the config looks like: https://duo.com/docs/oktasync.
@jmpesp @papertigers - Please update the above as needed.
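As an added illustration of the three pieces this issue describes (an immutable per-silo IDP mode, a short attribute map, and a setup-time bearer token used to authorize SCIM requests), the following Python sketch shows how the server side might validate and project an incoming SCIM "create user" request. It is example code written for this note, not code from the project or its authors; the class names, the `idp_mode` values, the `attribute_map` path syntax and the sample Okta-style payload are all hypothetical/constructed.

```python
"""Added example (not the project's code): SCIM request authorization and
attribute mapping for a silo whose IDP mode was fixed at setup time."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample: a SCIM 2.0 core User resource shaped like what an IdP
# such as Okta would POST to the /Users endpoint.
SAMPLE_SCIM_USER = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.com",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [
        {"value": "alice@example.com", "primary": True},
        {"value": "alice.alt@example.com", "primary": False},
    ],
    "title": "Engineer",   # not in our map, so it is deliberately dropped
    "active": True,
})

# Hypothetical attribute map captured at silo setup: silo field -> SCIM path.
# Kept short on purpose; anything not listed is ignored rather than stored.
DEFAULT_ATTRIBUTE_MAP = {
    "username": "userName",
    "email": "emails[primary].value",
}

SUPPORTED_IDP_SYSTEMS = {"okta"}          # initial implementation: Okta only
IDP_MODES = {"jit_saml", "scim_saml", "local"}


def generate_bearer_token() -> str:
    """Initial token minted at silo setup and shown once to the fleet admin."""
    return secrets.token_urlsafe(32)


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def _lookup(user: dict, path: str):
    """Resolve the two path forms the map uses: 'attr' or 'attr[primary].sub'."""
    if "[primary]." in path:
        attr, _, sub = path.partition("[primary].")
        for entry in user.get(attr, []):
            if isinstance(entry, dict) and entry.get("primary"):
                return entry.get(sub)
        return None
    return user.get(path)


class ScimSiloConfig:
    """SCIM settings provided by the fleet admin at silo setup (hypothetical)."""

    def __init__(self, idp_system: str, attribute_map: dict, initial_token: str):
        if idp_system not in SUPPORTED_IDP_SYSTEMS:
            raise ValueError(f"unsupported IDP system: {idp_system}")
        self.idp_system = idp_system
        self.attribute_map = dict(attribute_map)
        # Persist only a digest so a database leak does not leak the token.
        self._token_digest = _digest(initial_token)

    def authorize(self, authorization_header: Optional[str]) -> bool:
        """Check 'Authorization: Bearer <token>' with a constant-time compare."""
        if not authorization_header:
            return False
        scheme, _, presented = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not presented:
            return False
        return hmac.compare_digest(self._token_digest, _digest(presented))

    def map_user(self, scim_body: str) -> dict:
        """Project an incoming SCIM User onto the silo's short attribute list."""
        user = json.loads(scim_body)
        mapped = {}
        for local_field, scim_path in self.attribute_map.items():
            value = _lookup(user, scim_path)
            if value is None:
                raise ValueError(f"required SCIM attribute missing: {scim_path}")
            mapped[local_field] = value
        mapped["active"] = bool(user.get("active", True))
        return mapped


class Silo:
    """The IDP mode is chosen once and exposed read-only: no JIT <-> SCIM flips."""

    def __init__(self, name: str, idp_mode: str, scim: Optional[ScimSiloConfig] = None):
        if idp_mode not in IDP_MODES:
            raise ValueError(f"unknown IDP mode: {idp_mode}")
        if (idp_mode == "scim_saml") != (scim is not None):
            raise ValueError("SCIM config is required exactly when mode is scim_saml")
        self.name = name
        self._idp_mode = idp_mode
        self.scim = scim

    @property
    def idp_mode(self) -> str:      # no setter: assignment raises AttributeError
        return self._idp_mode


def handle_scim_create(silo: Silo, auth_header: Optional[str], body: str):
    """Minimal request handler: 401 before parsing, 400 on a bad payload, else 201."""
    if silo.idp_mode != "scim_saml" or not silo.scim.authorize(auth_header):
        return 401, {"detail": "invalid bearer token or silo not in SCIM mode"}
    try:
        return 201, silo.scim.map_user(body)
    except (ValueError, json.JSONDecodeError) as exc:
        return 400, {"detail": str(exc)}
```

Two design choices worth noting: the token is compared through a SHA-256 digest with `hmac.compare_digest`, so neither the stored value nor the comparison time reveals the secret; and authorization is checked before the body is parsed, so an unauthenticated caller cannot drive the JSON parser or learn which attributes the silo expects.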