Incidents

scim Package

Overview

Package scim provides a comprehensive SCIM 2.0 server implementation for automated user provisioning and identity management.

This package implements a complete SCIM (System for Cross-domain Identity Management) 2.0 server that enables automated user and group provisioning from external identity providers. It provides standards-compliant resource management, filtering, patching, and bulk operations while integrating with the incident management platform’s authentication and authorization systems.

SCIM 2.0 Protocol Compliance

The implementation provides full RFC 7643 and RFC 7644 compliance including:

  • Core User and Group resource schemas with enterprise extensions
  • Complete CRUD operations (Create, Read, Update, Delete) for all resource types
  • Advanced filtering with complex query expressions and logical operators
  • PATCH operations with JSON Patch-style field modifications
  • Bulk operations for efficient batch provisioning and updates
  • Service provider configuration and schema discovery endpoints
  • Bearer token authentication with service account management
  • Rate limiting, audit logging, and comprehensive error handling

Architecture Overview

The SCIM server follows a modular architecture with clear separation of concerns:

┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│ HTTP Handlers   │───▶│ Validation &     │───▶│ Database Store  │
│ (REST API)      │    │ Mapping Layer    │    │ (PostgreSQL)    │
└─────────────────┘    └──────────────────┘    └─────────────────┘
         │                        │                        │
┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│ Middleware      │    │ Filter Parser &  │    │ Auth Integration│
│ (Auth, Audit)   │    │ Query Engine     │    │ (Service Accounts)│
└─────────────────┘    └──────────────────┘    └─────────────────┘

Core Components

  • Server: Main SCIM server with route registration and dependency injection
  • Store: Database abstraction layer for SCIM resource persistence
  • Mapper: Bidirectional conversion between SCIM resources and internal models
  • Validator: Schema validation and compliance checking for all operations
  • Filter Parser: SCIM filter expression parsing and SQL query generation
  • Patch Handler: JSON Patch-style field modification processing
  • Middleware: Authentication, rate limiting, audit logging, and error handling

Supported Resources

The server supports standard SCIM resource types:

  • Users: Complete user profiles with names, emails, phone numbers, and enterprise extensions
  • Groups: Group management with dynamic membership and nested group support
  • Service Provider Config: Server capability advertisement and configuration discovery
  • Schemas: Resource type definitions and attribute specifications
  • Resource Types: Endpoint configuration and supported operations

Enterprise Integration

The SCIM server integrates with enterprise identity providers including:

  • Azure Active Directory with automatic user and group synchronization
  • Okta with real-time provisioning and deprovisioning
  • Google Workspace with group-based access control
  • LDAP and Active Directory through standard SCIM bridges
  • Custom identity providers via standard SCIM 2.0 protocol

Usage Examples

Basic server initialization and configuration:

// Create SCIM server with database connection
config := &scim.Config{
	BaseURL: "https://incidents.company.com",
	DB:      db,
}
server, err := scim.NewServer(config)
if err != nil {
	log.Fatal(err)
}

// Register SCIM routes on HTTP router
router := mux.NewRouter()
server.RegisterRoutes(router)

// Start SCIM server
http.ListenAndServe(":8080", router)

Creating users with enterprise attributes:

user := &scim.User{
	UserName:    "john.doe@company.com",
	DisplayName: "John Doe",
	Active:      true,
	Name: &scim.Name{
		GivenName:  "John",
		FamilyName: "Doe",
	},
	Emails: []scim.Email{
		{
			Value:   "john.doe@company.com",
			Type:    "work",
			Primary: true,
		},
	},
	Enterprise: &scim.EnterpriseUser{
		EmployeeNumber: "E12345",
		Department:     "Engineering",
		Manager: &scim.ManagerRef{
			Value:       "manager-id-123",
			DisplayName: "Jane Smith",
		},
	},
}

Advanced filtering and querying:

// Complex filter example
filter := `userName sw "john" and active eq true and emails[type eq "work"].value co "@company.com"`

// The filter parser converts this to SQL queries automatically
// Supports: eq, ne, co, sw, ew, gt, ge, lt, le, pr (present)
// Logical operators: and, or, not
// Grouping with parentheses: (condition1 or condition2) and condition3

Security and Compliance

The SCIM implementation provides enterprise-grade security features:

  • Bearer token authentication with service account isolation
  • Rate limiting with per-account quotas and burst protection
  • Comprehensive audit logging for compliance and security monitoring
  • Input validation and sanitization for all resource operations
  • SQL injection prevention with parameterized queries
  • HTTPS enforcement and secure header handling

Performance and Scalability

The server is designed for high-performance operation:

  • Efficient SQL query generation with proper indexing
  • Connection pooling and transaction management
  • Streaming JSON parsing for large bulk operations
  • Concurrent request handling with proper resource locking
  • Configurable pagination for large result sets
  • ETags for optimistic concurrency control

Integration with Incident Management

The SCIM server integrates closely with the incident management platform:

  • Automatic role assignment based on group memberships
  • Team-based access control with dynamic group synchronization
  • User deactivation triggering incident reassignment workflows
  • Enterprise attribute mapping for escalation and notification routing
  • Single sign-on integration with platform authentication systems

Import Path: github.com/systmms/incidents/internal/scim

Constants

contextKeyServiceAccount (and others) 

const contextKeyServiceAccount const contextKeyCorrelationID const contextKeyStartTime const headerAuthorization const headerContentType const headerAccept const headerETag const headerIfMatch const headerIfNoneMatch const headerLocation const contentTypeSCIM const contentTypeJSON

UserResourceType (and others)

SCIM 2.0 resource type constants for resource identification and routing.

These constants define the standard SCIM resource types supported by the server. They are used in resource metadata, endpoint routing, and schema validation to ensure proper SCIM protocol compliance and type safety.

const UserResourceType const GroupResourceType

UserSchemaURI (and others)

SCIM 2.0 schema URI constants defining standard resource and message schemas.

These URIs follow the IETF SCIM 2.0 specification and provide unique identification for different schema types. They are used in resource schemas fields, content type negotiation, and schema discovery endpoints to ensure protocol compliance.

const UserSchemaURI const GroupSchemaURI const EnterpriseUserURI const ErrorSchemaURI const ListResponseURI const BulkRequestURI const BulkResponseURI const PatchOpURI

Types

Address

Address represents a physical mailing address

{<nil> 99264 type 0 [0x1400049fd40] 0}

Attribute

Attribute represents a schema attribute

{<nil> 105790 type 0 [0x140004306c0] 0}

AttributeExpression

AttributeExpression represents an attribute comparison

{<nil> 1017 type 0 [0x1400013d040] 0}

AuditLogEntry

AuditLogEntry represents a SCIM audit log entry

{<nil> 109107 type 0 [0x1400045a940] 0}

AuthenticationScheme

AuthenticationScheme represents an authentication scheme

{<nil> 104468 type 0 [0x14000591cc0] 0}

BulkOperation

BulkOperation represents a single operation in a bulk request

{<nil> 101871 type 0 [0x14000590d80] 0}

BulkOperationResponse

BulkOperationResponse represents a single operation response in a bulk response

{<nil> 102425 type 0 [0x14000591200] 0}

BulkRequest

BulkRequest represents a SCIM bulk operations request

{<nil> 101618 type 0 [0x14000590c40] 0}

BulkResponse

BulkResponse represents a SCIM bulk operations response

{<nil> 102203 type 0 [0x14000591040] 0}

BulkSupported

BulkSupported represents bulk operation support

{<nil> 104097 type 0 [0x14000591a80] 0}

Config

Config holds comprehensive SCIM server configuration including database connectivity and service endpoints.

This configuration structure supports enterprise deployment scenarios with customizable base URLs for multi-tenant environments and flexible database connectivity for various deployment architectures including containerized, cloud-native, and traditional deployments.

{<nil> 127050 type 0 [0x14000208040] 0}

ETag

ETag represents an ETag for a resource

{<nil> 109900 type 0 [0x1400045b000] 0}

Email

Email represents an email address

{<nil> 98364 type 0 [0x1400049f540] 0}

EnterpriseUser

EnterpriseUser represents the enterprise user extension

{<nil> 100234 type 0 [0x14000590380] 0}

Error

Error represents a SCIM error response

{<nil> 101375 type 0 [0x14000590ac0] 0}

FilterNode

FilterNode represents a node in the filter expression tree

{<nil> 865 type 0 [0x1400013ce40] 0}

FilterOperator

FilterOperator represents SCIM filter operators

{<nil> 118 type 0 [0x1400013cbc0] 0}

Constants 

const OpEq const OpNe const OpCo const OpSw const OpEw const OpPr const OpGt const OpGe const OpLt const OpLe

FilterParser

FilterParser parses SCIM filter expressions

{<nil> 1558 type 0 [0x1400013d440] 0}

Methods

NewFilterParser

NewFilterParser creates a new filter parser

{<nil> <nil> NewFilterParser 0x1400015ca00 <nil>}

FilterSupported

FilterSupported represents filter support

{<nil> 104302 type 0 [0x14000591bc0] 0}

Group

Group represents a SCIM 2.0 Group resource

{<nil> 100874 type 0 [0x14000590780] 0}

GroupExpression

GroupExpression represents a parenthesized expression

{<nil> 1455 type 0 [0x1400013d380] 0}

GroupMemberModel

GroupMemberModel represents group membership in the database

{<nil> 107069 type 0 [0x14000431880] 0}

GroupModel

GroupModel represents a group in the database

{<nil> 106532 type 0 [0x14000430a80] 0}

IM

IM represents an instant messaging address

{<nil> 98817 type 0 [0x1400049f980] 0}

ListFilter

ListFilter represents comprehensive parameters for SCIM list operations with advanced filtering and pagination.

This structure supports RFC 7644 List/Query Resources specification with full filtering, pagination, sorting, and attribute selection capabilities. It enables efficient bulk operations and optimized bandwidth usage for large-scale identity provider integrations.

Filter capabilities:

  • SCIM filter expressions with complex attribute-based queries
  • Pagination with 1-based indexing per SCIM specification
  • Sorting support with configurable field and direction
  • Attribute selection for bandwidth optimization and privacy
  • Performance optimizations for large result sets

Example filter expressions:

  • userName eq "jdoe@company.com" (exact match)
  • emails.value co "@engineering.company.com" (domain filtering)
  • active eq true and department eq "Engineering" (boolean and string)
  • meta.created gt "2023-01-01T00:00:00Z" (date range)
  • manager.displayName pr (presence check)

Pagination and performance:

  • StartIndex: 1-based pagination start (SCIM standard)
  • Count: Maximum results per page (with configurable limits)
  • Efficient database queries with proper offset/limit handling
  • Total count calculation for accurate pagination metadata

Attribute selection:

  • Attributes: Include only specified fields (bandwidth optimization)
  • ExcludedAttributes: Exclude sensitive fields (privacy protection)
  • Supports nested attribute paths (name.givenName, emails.value)

Example usage:

filter := &ListFilter{
	Filter:             `userName co "@company.com" and active eq true`,
	StartIndex:         1,
	Count:              50,
	SortBy:            "meta.created",
	SortOrder:         "descending",
	Attributes:        []string{"userName", "emails", "active"},
	ExcludedAttributes: []string{"phoneNumbers", "addresses"},
}

{<nil> 177191 type 0 [0x14000246580] 0}

ListResponse

ListResponse represents a SCIM list response

{<nil> 101053 type 0 [0x140005908c0] 0}

LogicalExpression

LogicalExpression represents a logical combination of expressions

{<nil> 1202 type 0 [0x1400013d180] 0}

LogicalOperator

LogicalOperator represents logical operators

{<nil> 656 type 0 [0x1400013cd40] 0}

Constants 

const LogicalAnd const LogicalOr const LogicalNot

ManagerRef

ManagerRef represents a reference to a user’s manager

{<nil> 100667 type 0 [0x140005905c0] 0}

Mapper

Mapper handles conversion between SCIM resources and internal models

{<nil> 54779 type 0 [0x14000635000] 0}

Methods

NewMapper

NewMapper creates a new SCIM mapper

{<nil> <nil> NewMapper 0x14000637400 <nil>}

MemberRef

MemberRef represents a reference to a group member or user group

{<nil> 99994 type 0 [0x14000590200] 0}

Meta

Meta contains common SCIM resource metadata attributes required by the SCIM 2.0 specification.

This structure provides essential resource lifecycle information including creation timestamps, modification tracking, versioning, and resource location URIs. It is embedded in all SCIM resources to ensure consistent metadata handling and protocol compliance.

The Meta attributes support:

  • Resource type identification for proper endpoint routing
  • Temporal tracking with creation and modification timestamps
  • Optimistic concurrency control through version management
  • Resource location URIs for RESTful API navigation
  • Client-side caching and synchronization support
{<nil> 89954 type 0 [0x1400049e3c0] 0}

Middleware

Middleware provides SCIM-specific HTTP middleware

{<nil> 67648 type 0 [0x14000707900] 0}

Methods

NewMiddleware

NewMiddleware creates a new SCIM middleware

{<nil> <nil> NewMiddleware 0x140004b6600 <nil>}

MultiValued

MultiValued represents a multi-valued attribute

{<nil> 99740 type 0 [0x14000590080] 0}

Name

Name represents a user’s name components

{<nil> 97973 type 0 [0x1400049f280] 0}

NotExpression

NotExpression represents a negation

{<nil> 1344 type 0 [0x1400013d2c0] 0}

PatchHandler

PatchHandler handles SCIM PATCH operations

{<nil> 110244 type 0 [0x1400045b340] 0}

Methods

NewPatchHandler

NewPatchHandler creates a new PATCH handler

{<nil> <nil> NewPatchHandler 0x1400040e9c0 <nil>}

PatchOperation

PatchOperation represents a single PATCH operation

{<nil> 102988 type 0 [0x14000591540] 0}

PatchRequest

PatchRequest represents a SCIM PATCH request

{<nil> 102809 type 0 [0x14000591440] 0}

PhoneNumber

PhoneNumber represents a phone number

{<nil> 98585 type 0 [0x1400049f800] 0}

Photo

Photo represents a photo or image URL

{<nil> 99035 type 0 [0x1400049fbc0] 0}

Resource

Resource provides the base structure for all SCIM 2.0 resources with common attributes.

This base type implements the fundamental SCIM resource pattern with universal attributes that apply to all resource types. It ensures consistent resource identification, schema declaration, and metadata handling across the entire SCIM implementation.

Key features:

  • Unique resource identification with internal and external ID support
  • Schema URI declarations for proper resource type identification
  • Embedded metadata for lifecycle and versioning information
  • Extensible design supporting custom resource types and attributes
{<nil> 91523 type 0 [0x1400049e7c0] 0}

ResourceType

ResourceType represents a SCIM resource type

{<nil> 104843 type 0 [0x14000591f00] 0}

Schema

Schema represents a SCIM schema

{<nil> 105497 type 0 [0x14000430400] 0}

SchemaExtension

SchemaExtension represents a schema extension

{<nil> 105361 type 0 [0x14000430300] 0}

Server

Server implements a comprehensive SCIM 2.0 server for automated user provisioning and identity management.

This server provides full RFC 7643 and RFC 7644 compliance with support for User and Group resources, advanced filtering, PATCH operations, bulk operations, and enterprise extensions. It integrates with the incident management platform’s authentication system to provide seamless user provisioning from external identity providers like Azure AD, Okta, and Google Workspace.

Core SCIM 2.0 capabilities:

  • Complete User resource management with enterprise extensions (employeeNumber, department, manager)
  • Group resource management with dynamic membership and nested group support
  • Advanced filtering with complex query expressions (eq, ne, co, sw, ew, gt, ge, lt, le, pr)
  • PATCH operations with JSON Patch-style field modifications and conflict resolution
  • Bulk operations for efficient batch provisioning with configurable operation limits
  • Service provider configuration and schema discovery endpoints for client integration
  • Bearer token authentication with service account isolation and rate limiting

Enterprise integration features:

  • Automatic role assignment based on group memberships and enterprise attributes
  • Team-based access control with dynamic synchronization from external identity providers
  • Manager relationship mapping for approval workflows and escalation chains
  • Department and cost center tracking for organizational reporting and access controls
  • Comprehensive audit logging for compliance and security monitoring requirements

Architecture and performance:

  • Modular design with clear separation between routing, validation, mapping, and storage
  • Database-backed persistence with transaction support and optimistic concurrency control
  • Memory-efficient request processing with streaming support for large operations
  • Concurrent request handling with proper resource locking and conflict detection
  • Configurable pagination and filtering for optimal performance with large datasets
{<nil> 125995 type 0 [0x140001e2b00] 0}

Methods

NewServer

NewServer creates a new SCIM server

{<nil> <nil> NewServer 0x14000259ce0 <nil>}

ServiceAccount

ServiceAccount represents a SCIM service account

{<nil> 108430 type 0 [0x1400045a240] 0}

ServiceProviderConfig

ServiceProviderConfig represents the SCIM service provider configuration

{<nil> 103226 type 0 [0x14000591680] 0}

Store

Store provides comprehensive database abstraction for SCIM 2.0 resource persistence and querying.

This store implements high-performance, transactional database operations for SCIM User and Group resources with full support for enterprise extensions, group memberships, and audit logging. It provides optimized queries for large-scale identity management systems with proper indexing, pagination, filtering, and concurrent access patterns.

Core capabilities:

  • Transactional CRUD operations for Users and Groups with ACID compliance
  • Advanced filtering and pagination for efficient bulk operations
  • Enterprise extension support with organizational hierarchy management
  • Group membership management with bidirectional relationships
  • ETag-based optimistic concurrency control for conflict prevention
  • Service account management with token-based authentication
  • Comprehensive audit logging for compliance and security monitoring

Database schema design:

  • Primary tables: users, groups, user_scim_metadata, group_members
  • Supporting tables: scim_etags, scim_service_accounts, scim_audit_log
  • Optimized indexes on frequently queried fields (userName, SCIM IDs, group memberships)
  • Foreign key constraints ensuring referential integrity
  • Soft delete support for data retention and audit compliance

Performance characteristics:

  • Efficient joins between users and metadata tables
  • Batch operations with transaction rollback on failures
  • Memory-efficient pagination with offset/limit optimization
  • Connection pooling and prepared statement reuse
  • Query optimization for common SCIM filter patterns

Integration with platform services:

  • Seamless integration with existing user authentication tables
  • Group-based access control (GBAC) with dynamic membership updates
  • Manager relationship support for approval workflows and escalation
  • Department and organizational mapping for enterprise reporting
{<nil> 133442 type 0 [0x14000253100] 0}

Methods

NewStore

NewStore creates a new SCIM store with database connectivity and transaction support.

This constructor initializes a store instance with the provided database connection, enabling comprehensive SCIM resource management with full transaction support and connection pooling. The store assumes the database schema is already initialized with proper tables, indexes, and constraints.

Parameters:

  • db: Active database connection with appropriate permissions for SCIM operations

The store requires the following database tables to be present:

  • users: Core user information and authentication data
  • user_scim_metadata: Extended SCIM-specific user attributes and enterprise extensions
  • groups: Group definitions and organizational structure
  • group_members: User-group membership relationships
  • scim_etags: Resource versioning for optimistic concurrency control
  • scim_service_accounts: API authentication and authorization
  • scim_audit_log: Comprehensive operation logging for compliance

Example usage:

db, err := sql.Open("sqlite3", "scim.db")
if err != nil {
	log.Fatal(err)
}

store := scim.NewStore(db)
// Store is ready for SCIM operations

{<nil> <nil> NewStore 0x140002b6b40 <nil>}

Supported

Supported represents a supported feature

{<nil> 103984 type 0 [0x140005919c0] 0}

User

User represents a comprehensive SCIM 2.0 User resource with full profile and enterprise attributes.

This structure implements the complete SCIM User schema including core attributes, multi-valued fields, and enterprise extensions. It supports rich user profiles with contact information, organizational data, and group memberships while maintaining full SCIM 2.0 protocol compliance.

Core User Features:

  • Complete identity information with names, emails, and phone numbers
  • Multi-valued attributes supporting multiple contact methods
  • Enterprise extensions for organizational hierarchy and employee data
  • Group membership tracking with automatic synchronization
  • Account status management with activation/deactivation support
  • Comprehensive profile attributes for rich user experiences

Enterprise Integration:

  • Employee numbers and organizational structure mapping
  • Manager relationships with hierarchical reporting chains
  • Department and division attributes for access control
  • Cost center tracking for resource allocation and reporting
  • Title and role information for authorization and UI customization

The User resource integrates with the incident management platform by:

  • Automatic role assignment based on enterprise attributes
  • Team membership synchronization through group associations
  • Contact information for escalation and notification routing
  • Manager relationships for approval workflows and escalation chains
{<nil> 93806 type 0 [0x1400049ea00] 0}

UserSCIMMetadata

UserSCIMMetadata represents SCIM metadata for a user

{<nil> 107332 type 0 [0x14000431a80] 0}

Validator

Validator provides SCIM resource validation

{<nil> 177980 type 0 [0x14000247040] 0}

Methods

NewValidator

NewValidator creates a new SCIM validator

{<nil> <nil> NewValidator 0x14000205dc0 <nil>}

contextKey

contextKey is a type for context keys

{<nil> 67002 type 0 [0x14000707780] 0}

responseWrapper

responseWrapper wraps http.ResponseWriter to capture status code and body

{<nil> 78380 type 0 [0x140003c4c00] 0}

Functions

ValidateJSON

ValidateJSON validates that a JSON payload can be unmarshaled to the expected type

{<nil> <nil> ValidateJSON 0x140001c8900 <nil>}

generateETag 

{<nil> <nil> generateETag 0x14000687b80 <nil>}

getClientIP 

{<nil> <nil> getClientIP 0x14000402440 <nil>}

hasEnterpriseData 

{<nil> <nil> hasEnterpriseData 0x1400064fe20 <nil>}

intPtr 

{<nil> <nil> intPtr 0x14000402860 <nil>}

nilIfEmpty 

{<nil> <nil> nilIfEmpty 0x140006879e0 <nil>}

sanitizeBody 

{<nil> <nil> sanitizeBody 0x14000402760 <nil>}

stringValue 

{<nil> <nil> stringValue 0x14000687840 <nil>}

Generated automatically from Go source code. Last updated: 2025-08-25T07:51:05-04:00

Edit this page on GitHub
Prev
redaction Package
Next
server Package