
Unit 5: SCIM lifecycle — automatic provisioning and deprovisioning from IdP #50

@TeoSlayer

Description

Scope

SCIM 2.0 endpoint on the registry for push-based identity lifecycle management. When an employee is offboarded in the IdP, their agents are automatically deprovisioned.

Deliverables

  • SCIM 2.0 server endpoint on registry (/scim/v2/Users, /scim/v2/Groups)
  • User provisioning: create Pilot identity when IdP provisions user
  • User deprovisioning: remove from all networks, deregister, revoke certificates
  • Group sync: IdP group changes → Pilot network membership changes
  • Supported IdPs: Okta, Azure AD, OneLogin, Google Workspace (all support SCIM push)
  • Webhook event: scim.user_deprovisioned, scim.group_updated

Files

  • pkg/registry/scim.go — SCIM 2.0 server
  • tests/ — SCIM provisioning/deprovisioning tests

Priority: MEDIUM
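
One way to implement the deprovisioning half of the deliverables above, as an added example that is not code from the project or from the issue author. It assumes a hypothetical in-memory registry (`Registry`, `seedRegistry`, `scimToken`, `HandlePatch`, `wantsDeactivate` are all names chosen here, standing in for whatever pkg/registry/scim.go ends up exposing) and concentrates on the parts an IdP-facing SCIM endpoint has to get right: a constant-time check of the IdP's bearer token, accepting both the Okta-style and the Azure AD-style PATCH encodings of "active=false", and an idempotent offboarding that removes every network membership and revokes every agent certificate before queuing the `scim.user_deprovisioned` event. The HTTP routing, user creation and Group sync are left out.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Assumed for this illustration; pkg/registry's real types are not on the page.
const scimToken = "example-scim-bearer-token" // per-IdP secret, configured out of band

type Registry struct {
	active   map[string]bool            // userID -> SCIM "active" flag
	certs    map[string][]string        // userID -> cert serials issued to its agents
	networks map[string]map[string]bool // network name -> member userIDs
	Events   []string                   // webhook events queued for delivery
}

// Deprovision is the offboarding path: drop every network membership, revoke every
// cert, mark the user inactive, queue the webhook. Idempotent: an IdP retry neither
// fails nor fires a second event.
func (r *Registry) Deprovision(userID string) (revoked int, ok bool) {
	if _, ok = r.active[userID]; !ok {
		return 0, false
	}
	for _, members := range r.networks {
		delete(members, userID)
	}
	revoked, r.certs[userID] = len(r.certs[userID]), nil
	if r.active[userID] {
		r.active[userID] = false
		r.Events = append(r.Events, "scim.user_deprovisioned:"+userID)
	}
	return revoked, true
}

type patchOp struct {
	Op, Path string
	Value    json.RawMessage
}

// wantsDeactivate accepts both encodings IdPs use for "set active=false":
// {"op":"replace","value":{"active":false}} (Okta style) and
// {"op":"Replace","path":"active","value":"False"} (Azure AD style; a bare false works too).
func wantsDeactivate(ops []patchOp) bool {
	for _, op := range ops {
		if !strings.EqualFold(op.Op, "replace") {
			continue
		}
		var v struct{ Active *bool }
		json.Unmarshal(op.Value, &v) // only succeeds for the partial-resource form
		switch {
		case strings.EqualFold(op.Path, "active") && strings.EqualFold(strings.Trim(string(op.Value), `"`), "false"):
			return true
		case op.Path == "" && v.Active != nil && !*v.Active:
			return true
		}
	}
	return false
}

// HandlePatch is the core of PATCH /scim/v2/Users/{id}: authenticate the IdP, parse
// the PatchOp, deprovision if it deactivates the user; returns the HTTP status.
func (r *Registry) HandlePatch(authorization, userID string, body []byte) int {
	// Compare the bearer token in constant time so a probe cannot time-guess it.
	got := strings.TrimPrefix(authorization, "Bearer ")
	if subtle.ConstantTimeCompare([]byte(got), []byte(scimToken)) != 1 {
		return http.StatusUnauthorized
	}
	var p struct{ Operations []patchOp }
	if json.Unmarshal(body, &p) != nil {
		return http.StatusBadRequest
	}
	if _, known := r.active[userID]; !known {
		return http.StatusNotFound
	}
	if wantsDeactivate(p.Operations) {
		r.Deprovision(userID)
	}
	return http.StatusOK
}

// seedRegistry is constructed state: one user, two agent certs, two networks.
func seedRegistry() *Registry {
	return &Registry{
		active:   map[string]bool{"u1": true},
		certs:    map[string][]string{"u1": {"serial-a1", "serial-a2"}},
		networks: map[string]map[string]bool{"prod": {"u1": true}, "lab": {"u1": true}},
	}
}

func main() {
	r := seedRegistry()
	code := r.HandlePatch("Bearer "+scimToken, "u1", []byte(`{"Operations":[{"op":"replace","value":{"active":false}}]}`))
	fmt.Println(code, r.active["u1"], r.networks["prod"]["u1"], len(r.certs["u1"]), r.Events)
}
```

In a real server `HandlePatch` sits behind the `/scim/v2/Users/{id}` route with access to the registry serialised, and the webhook is delivered from the queued event rather than synchronously inside the request, so a slow webhook consumer cannot make the IdP retry (and the idempotent path is what makes that retry harmless). A DELETE on the same resource should run the same `Deprovision` before the record is removed, and Group sync follows the same PatchOp shape with `members` in place of `active`.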
