Multi tenant

README.md

@@ -2,35 +2,8 @@
 The Aserto SCIM service uses the SCIM 2.0 protocol to import data into the Aserto Directory. While not all features have been implemented yet, it supports the basic operations in order to manage users and groups using the SCIM core schemas.
 
 ### sample config.yaml
-```yaml
----
-logging:
-  prod: true
-  log_level: info
-server:
-  listen_address: ":8080"
-  auth:
-    basic:
-      enabled: true
-      username: "scim"
-      password: "scim"
-    bearer:
-      enabled: true
-      token: "scim"
-directory:
-  address: "directory.prod.aserto.com:8443"
-  tenant_id: "your_tenant_id"
-  api_key: "your_directory_rw_api_key"
-scim:
-  create_email_identities: true
-  create_role_groups: true
-  group_mappings:
-    - subject_id: app-admin
-      object_type: system
-      object_id: administrators
-      relation: member
-      subject_relation: member
-```
+
+See [Config docs](./docs/config.md)
 
 ### start service
 ```

docs/config.md

@@ -0,0 +1,81 @@
+# Configuring the scim service
+
+## Single tenant setup
+In a single tenant setup, scim syncs users to just one tenant, that has been configured. For this, the tenant id and directory read-write API Key need to be configured.
+
+```
+logging:
+  prod: true
+  log_level: info
+server:
+  listen_address: ":8080"
+  auth:
+    basic:
+      enabled: true
+      username: "scim"
+      password: "scim"
+    bearer:
+      enabled: true
+      token: "scim"
+directory:
+  address: "directory.prod.aserto.com:8443"
+  tenant_id: "your_tenant_id"
+  api_key: "your_directory_rw_api_key"
+```
+
+To let the directory handle auth, set the `passthrough` flag to `true`.
+
+```
+      auth:
+        basic:
+          enabled: true
+          passthrough: true
+        bearer:
+          enabled: true
+          passthrough: true
+```
+The bearer token used should be set as base64 encoded `<tenant-id>:<api-key>`
+
+## Multi-tenant setup
+
+For a multitenant setup, the directory config should not contain the tenant-id and api-key. These will be passed using the authorization header.
+
+```
+logging:
+  prod: true
+  log_level: info
+server:
+  listen_address: ":8080"
+  auth:
+    basic:
+      enabled: true
+      passthrough: true
+    bearer:
+      enabled: true
+      passthrough: true
+directory:
+  address: "directory.prod.aserto.com:8443"
+```
+
+## Transform config
+
+The transform config is being read from the tenant the users are being synced to. For this, a object type `scim_config` with id `scim_config` is being read. This config can be used to override the default values for the transformation templat, aswell as the transformation template used when syncing data.
+
+Sample `scim_config` and default values:
+```
+{
+  "group_mappings": [],
+  "group_member_relation": "member",
+  "group_object_type": "group",
+  "identity_object_type": "identity",
+  "identity_relation": "identifier",
+  "manager_relation": "manager",
+  "role_object_type": "group",
+  "role_relation": "member",
+  "source_group_type": "scim.2.0.group",
+  "source_user_type": "scim.2.0.user",
+  "template": "users-groups-roles-v1",
+  "user_mappings": [],
+  "user_object_type": "user"
+}
+```

docs/entra-id.md

@@ -0,0 +1,32 @@
+# Sync users from Entra ID (AzureAD)
+
+## Create the SCIM application
+To setup SCIM provisoning from Entra ID to Aserto, you need to create a new application in Entra ID. Please follow instructions on how to setup a new application:  https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#getting-started
+
+When creating the application, set Tenant URL to https://scim.prod.aserto.com/?aadOptscim062020. The `aadOptscim062020` feature flag is required for SCIM 2.0 compliance (see https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior)
+
+For the secret token, you need your Tenant ID and your Directory read/write API Key. You can grab those from the Aserto Console. The secret token needs to be a base64 encoded string in the format `<tenant-id>:<api-key>`. 
+You can use the base64 command: `echo "tenantid:apikey" | base64`
+![Provisioning credentials](./img/credentials.png)
+
+## Provisioning users and groups
+Once the application was created, users and groups can be assigned to this application. Once a user/group was assigned, it becomes available for provisioning.
+To test the provisioning works, go to your SCIM app => Manage => Provisioning => Provision on demand, search for your user/group and click `Provision`
+Please note that automatic provisioning might take some time to trigger, see https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user#how-long-will-it-take-to-provision-users
+
+## Provisioning roles
+Only application specific roles can be provisioned. For this, the provisioning scope needs to be set to `Sync only assigned users and groups`
+![Sync only assigned users and groups](./img/image.png)
+
+By default, roles are not mapped to any SCIM property. To add the mapping:
+1. open your SCIM app, go to Manage => Provisioning => Mappings => open Provision Microsoft Entra ID Users => on the bottom, toggle Show advanced options => Edit attribute list for customappsso
+2. on the bottom, add a new attribute called `roles`, type `String` and make sure `Multi-Value` is checked
+3. back on the Attribute Mapping page, Add New Mapping:
+    - Mapping type: `Expression`
+    - Expression: `AssertiveAppRoleAssignmentsComplex([appRoleAssignments])`
+    - Target attribute: select the new created attribute `roles`
+    ![attribute mapping](./img/role-mapping.png)
+    - click OK
+4. Save attribute mappings
+
+For more info on mappings, see https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes#provisioning-a-role-to-a-scim-app

docs/okta.md

@@ -0,0 +1,34 @@
+# Sync users from Okta
+
+## Setup Okta SCIM application
+
+1. Login to your okta admin console, go to Applications => Browse App Catalog, search for `SCIM 2.0 Test App (Basic Auth)` => Add Integration
+2. On the General Settings tab, set application label and click Next
+3. On the Sign-On Options you can leave all default values, scroll down and click Done
+4. On the application page, go to the Provisioning tab => Configure API Integration => Enable API Integration
+    - Set the SCIM 2.0 Base Url to https://scim.prod.aserto.com/
+    - Set Username to your Tenant ID
+    - Set Password to your Directory Read/Write API Key
+    - Test API Credentials
+    - Save
+5. Back on the Provisioning tab, on the To App Settings, click Edit, enable Create Users, Update User Attributes and Deactivate Users and Save
+
+## Provision users
+
+For provitining users, a user needs to be assigned to the SCIM application.
+1. Go to the Assignments tab
+2. Click on Assign => Assign to People => Assign wanted users and click Done.
+Your user should show up in the Aserto Directory
+Any updates to a property that is mapped to a SCIM attribute, should trigger a user update in Aserto.
+
+## Provision groups
+
+For provitining groups, a group needs to be assigned to the SCIM application.
+1. Go to the Assignments tab
+2. Click on Assign => Assign to People => Assign your group and click Done.
+3. Go to Push Groups tab => Push Groups => Frind groups by name => search for your group and click Save
+
+Groups and group membership should be provisioned now.
+
+## Troubleshooting
+Please note that any errors on provisioning groups will pause the group provisioning. If a group was provisioned, Okta does keep a state for that provisioned group, so removing it from Aserto before attempting to unlink it from the Okta app can cause issues. If this happens, the group needs to be unlinked and reassigned to the app.

go.mod

@@ -1,13 +1,14 @@
 module github.com/aserto-dev/scim
 
-go 1.22.9
+go 1.23.2
 
-toolchain go1.23.2
+// replace github.com/aserto-dev/ds-load/sdk => ../ds-load/sdk
 
 require (
+	github.com/aserto-dev/ds-load/sdk v0.0.0-20241218115154-f2f2cd870aea
 	github.com/aserto-dev/errors v0.0.11
 	github.com/aserto-dev/go-aserto v0.33.4
-	github.com/aserto-dev/go-directory v0.33.1
+	github.com/aserto-dev/go-directory v0.33.2
 	github.com/aserto-dev/logger v0.0.6
 	github.com/elimity-com/scim v0.0.0-20240320110924-172bf2aee9c8
 	github.com/mitchellh/mapstructure v1.5.0
@@ -20,40 +21,51 @@ require (
 )
 
 require (
-	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.2-20240920164238-5a7b106cbb87.1 // indirect
+	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.35.2-20241127180247-a33202765966.1 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/aserto-dev/header v0.0.8 // indirect
 	github.com/di-wu/parser v0.3.0 // indirect
 	github.com/di-wu/xsd-datetime v1.0.0 // indirect
+	github.com/dongri/phonenumber v0.1.12 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/samber/lo v1.47.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
-	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
-	golang.org/x/net v0.31.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect
-	google.golang.org/grpc v1.68.0 // indirect
+	golang.org/x/crypto v0.30.0 // indirect
+	golang.org/x/exp v0.0.0-20241210194714-1829a127f884 // indirect
+	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/grpc v1.68.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )