# SCIM Server
[](https://crates.io/crates/scim-server)
[](https://docs.rs/scim-server)
[](https://crates.io/crates/scim-server)
[](https://opensource.org/licenses/MIT)
[](https://www.rust-lang.org)
A comprehensive **SCIM 2.0 server library** for Rust that makes identity provisioning simple, type-safe, and production-ready.
> **SCIM (System for Cross-domain Identity Management)** is the industry standard for automating user provisioning between identity providers and applications. Think automatic user onboarding/offboarding across your entire tech stack.
## ποΈ How It Works: Client β Server β Provider Architecture
The SCIM Server acts as an **intelligent middleware** that handles all provisioning complexity so your applications don't have to:
### **Multiple Ways to Connect**
Connect any type of client through standardized interfaces:
- **π Web Applications** - REST APIs for admin portals, user dashboards, and sync tools
- **π€ AI Assistants** - Natural language provisioning via Model Context Protocol (Claude, ChatGPT, custom bots)
- **β‘ Automation Tools** - CLI scripts for bulk imports, migrations, and DevOps pipelines
- **π§ Custom Integrations** - GraphQL, gRPC, message queues, webhooks, or any protocol you need
### **The Intelligence Layer**
The SCIM Server core provides enterprise-grade capabilities that would take months to build yourself:
- **π Dynamic Schema Management** - Define custom resource types with automatic validation
- **π‘οΈ Type-Safe Validation** - Comprehensive error checking with detailed reporting
- **βοΈ Standardized Operations** - Consistent CRUD, filtering, and bulk operations across all resources
- **π’ Multi-Tenant Architecture** - Built-in organization isolation and configuration management
- **π Automatic Capabilities** - Self-documenting API features and service provider configuration
### **Flexible Storage Backend**
Choose your data storage strategy without changing your application code:
- **π Development** - In-memory providers for testing and prototyping
- **π’ Production** - Database providers with full ACID compliance
- **βοΈ Cloud-Native** - Custom providers for S3, DynamoDB, or any storage system
- **π Multi-Tenant** - Automatic tenant isolation with shared or dedicated infrastructure
- **π·οΈ ETag Concurrency Control** - Built-in optimistic locking prevents lost updates
### π‘ **Value Proposition: Offload Complexity from Your SaaS**
Instead of building provisioning logic into every Rust application:
| β Custom validation in each app | β
**Centralized validation engine** |
| β Manual concurrency control | β
**Automatic ETag versioning with optimistic locking** |
| β Manual schema management | β
**Dynamic schema registry** |
| β Ad-hoc API endpoints | β
**Standardized SCIM protocol** |
| β Reinvent capability discovery | β
**Automatic capability construction** |
| β Build multi-tenancy from scratch | β
**Built-in tenant isolation** |
| β Custom error handling per resource | β
**Consistent error semantics with conflict resolution** |
| β Lost updates in concurrent scenarios | β
**Version conflict detection and prevention** |
**Result**: Your SaaS applications focus on business logic while the SCIM server handles all provisioning complexity with enterprise-grade reliability.
## β¨ Why Choose This Library?
- π‘οΈ **Type-Safe by Design** - Leverage Rust's type system to prevent runtime errors
- π’ **Multi-Tenant Ready** - Built-in support for multiple organizations/tenants
- π **Full SCIM 2.0 Compliance** - Comprehensive implementation of RFC 7643 and RFC 7644
- β‘ **High Performance** - Async-first with minimal overhead
- π **Framework Agnostic** - Works with any HTTP framework (Axum, Warp, Actix, etc.)
- 𧩠**Provider Flexibility** - In-memory, database, or custom backends
- π€ **AI-Ready with MCP** - Built-in Model Context Protocol for AI tool integration
- π― **Beyond Users & Groups** - Extensible schema system for any resource type
- π **ETag Concurrency Control** - Optimistic locking prevents lost updates in multi-client scenarios
- 𧡠**Thread-Safe Operations** - Concurrent access safety with atomic version checking
- π **Production Ready** - Extensive testing (827 tests), logging, and error handling
## π Quick Start
Add to your `Cargo.toml`:
```toml
[dependencies]
scim-server = "0.2.1"
tokio = { version = "1.0", features = ["full"] }
serde_json = "1.0"
```
### Minimal Example
```rust
use scim_server::{ScimServer, providers::InMemoryProvider, resource::RequestContext};
use serde_json::json;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
// Create a SCIM server with in-memory storage
let provider = InMemoryProvider::new();
let server = ScimServer::new(provider)?;
// Create a user with automatic ETag versioning
let context = RequestContext::with_generated_id();
let user_data = json!({
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "john.doe@example.com",
"active": true
});
let versioned_user = server.provider()
.create_versioned_resource("User", user_data, &context)
.await?;
println!("Created user with ETag: {}", versioned_user.version().to_http_header());
Ok(())
}
```
### Complete HTTP Server Example
```rust
use scim_server::{ScimServer, InMemoryProvider, ScimUser};
use serde_json::json;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let provider = InMemoryProvider::new();
let server = ScimServer::new(provider);
// Create a user
let user_data = json!({
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "alice@example.com",
"name": {
"givenName": "Alice",
"familyName": "Smith"
},
"emails": [{
"value": "alice@example.com",
"primary": true
}]
});
let user = server.create_user("tenant-1", user_data).await?;
println!("Created user: {}", user.id);
// Server integrates with your HTTP framework of choice
// See examples/ for Axum, Warp, and Actix integrations
Ok(())
}
```
## π― Key Features
### Core SCIM 2.0 Support
- β
**Users & Groups** - Full lifecycle management (CRUD operations)
- β
**Schema Validation** - Automatic validation against SCIM schemas
- β
**Filtering & Pagination** - Efficient queries with SCIM filter syntax
- β
**Bulk Operations** - Handle multiple operations in a single request
- β
**Patch Operations** - Granular updates with RFC 6902 JSON Patch
### Advanced Capabilities
- ποΈ **Multi-Tenant Architecture** - Isolate data between organizations
- π **Automatic Discovery** - Service provider configuration and schema endpoints
- ποΈ **Provider Capabilities** - Automatic feature detection and advertisement
- π **Comprehensive Logging** - Structured logging with multiple backends
- π§ **Value Objects** - Type-safe domain modeling with compile-time validation
### π ETag Concurrency Control
**Production-Grade Optimistic Locking** - Prevent lost updates in multi-client environments:
```rust
use scim_server::{ScimServer, providers::InMemoryProvider, resource::RequestContext};
use serde_json::json;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let provider = InMemoryProvider::new();
let server = ScimServer::new(provider)?;
let context = RequestContext::with_generated_id();
// Create user with automatic versioning
let user_data = json!({
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "alice@example.com",
"active": true
});
let versioned_user = server.provider()
.create_versioned_resource("User", user_data, &context)
.await?;
println!("User ETag: {}", versioned_user.version().to_http_header());
// Output: User ETag: W/"abc123def456"
// Conditional update - only succeeds if version matches
let update_data = json!({"active": false});
let current_version = versioned_user.version();
match server.provider()
.conditional_update("User", "123", update_data, current_version, &context)
.await?
{
ConditionalResult::Success(updated) => {
println!("Update successful! New ETag: {}", updated.version().to_http_header());
},
ConditionalResult::VersionMismatch(conflict) => {
println!("Version conflict detected!");
println!("Expected: {}, Current: {}", conflict.expected, conflict.current);
// Handle conflict: refresh, merge, or retry
},
ConditionalResult::NotFound => {
println!("Resource no longer exists");
}
}
Ok(())
}
```
**ETag Features:**
- π **Weak ETags** - Semantic equivalence versioning (`W/"version"`)
- β‘ **Atomic Operations** - Thread-safe version checking and updates
- π€ **AI Agent Safe** - MCP integration with conflict resolution workflows
- π’ **Multi-Tenant** - Version isolation across tenant boundaries
- π **Conflict Resolution** - Structured error responses with resolution guidance
### π Compile-Time Authentication (NEW in 0.2.1)
**Zero-Cost Security Enforcement** - Catch authentication bugs at compile time, not runtime:
```rust
use scim_server::auth::{
AuthenticationState, Unauthenticated, Authenticated,
LinearCredentials, AuthenticationWitness, TenantAuthority
};
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
// Start with unauthenticated state - compile-time enforced
let mut credentials: LinearCredentials<Unauthenticated> =
LinearCredentials::new("user123", "tenant456");
// Authentication consumes credentials (can only happen once)
let auth_witness: AuthenticationWitness<Authenticated> =
credentials.authenticate("valid_token").await?;
// Tenant authority proves compile-time tenant access rights
let tenant_authority: TenantAuthority =
auth_witness.verify_tenant_access("tenant456")?;
// Operations require authentication witness - impossible to bypass
let protected_data = server
.get_protected_resource(&auth_witness, &tenant_authority)
.await?;
// β This would be a compile error:
// let data = server.get_protected_resource(); // Missing auth witness
Ok(())
}
```
**Authentication Features:**
- π‘οΈ **Compile-Time Security** - Authentication bugs caught during compilation
- π **Linear Credentials** - Can only be used once, preventing replay attacks
- π’ **Tenant Isolation** - Type-safe multi-tenant access control
- β‘ **Zero Runtime Cost** - All checks happen at compile time
- π― **RBAC Support** - Role-based access control with type safety
### Framework Integration
- π **HTTP Framework Agnostic** - Bring your own web framework
- π **Operation Handler Foundation** - Clean abstraction for SCIM operations
- π€ **MCP Integration** - Model Context Protocol support for AI tools
### π€ AI-Powered Identity Management
**Built-in MCP (Model Context Protocol) Support** - Connect AI assistants directly to your identity data:
```rust
use scim_server::{McpServer, ScimServer, InMemoryProvider};
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let provider = InMemoryProvider::new();
let scim_server = ScimServer::new(provider);
// Enable MCP for AI tool integration
let mcp_server = McpServer::new(scim_server);
mcp_server.start("stdio").await?;
// Now AI assistants can:
// - Query users: "Find all users in the engineering department"
// - Manage groups: "Add Alice to the admin group"
// - Audit access: "Who has access to the finance system?"
// - Automate onboarding: "Create accounts for new hire John Doe"
Ok(())
}
```
**AI Use Cases Enabled:**
- π **Intelligent Queries** - Natural language user/group searches
- β‘ **Automated Provisioning** - AI-driven user onboarding/offboarding
- π‘οΈ **Security Auditing** - AI-powered access reviews and compliance checks
- π **Identity Analytics** - Smart insights into user patterns and group dynamics
- π€ **Conversational Admin** - Chat-based identity management operations
**MCP Tools Provided:**
- `list_users` - Query users with natural language filters
- `create_user` - Provision new users with AI validation
- `manage_groups` - Intelligent group membership management
- `audit_access` - Security and compliance reporting
- `bulk_operations` - AI-optimized batch processing
Perfect for building AI-enhanced admin dashboards, chatbots, and automated identity workflows!
### π― Beyond Identity: Custom Resource Management
**SCIM isn't just for users and groups** - it's a powerful foundation for managing ANY structured resource:
```rust
use scim_server::{ScimServer, CustomSchema, ResourceType};
use serde_json::json;
// Define custom schemas for your domain
let device_schema = CustomSchema::builder()
.id("urn:example:schemas:Device")
.add_attribute("serialNumber", AttributeType::String, true)
.add_attribute("manufacturer", AttributeType::String, false)
.add_attribute("location", AttributeType::Complex, false)
.add_sub_attribute("location", "building", AttributeType::String)
.add_sub_attribute("location", "room", AttributeType::String)
.build();
let mut server = ScimServer::new(provider);
server.register_schema(device_schema)?;
// Now manage devices with full SCIM capabilities
let device = server.create_resource("devices", json!({
"schemas": ["urn:example:schemas:Device"],
"serialNumber": "DEV-001",
"manufacturer": "Acme Corp",
"location": {
"building": "HQ",
"room": "Server Room A"
}
})).await?;
```
**Real-World Custom Schema Use Cases:**
| π₯οΈ **IT Asset Management** | Devices, Software Licenses, Certificates | Automated asset lifecycle, compliance tracking |
| π’ **Facility Management** | Rooms, Equipment, Access Cards | Smart building automation, space optimization |
| π **Learning Management** | Courses, Certifications, Learning Paths | Skill tracking, compliance training automation |
| π **Access Control** | Permissions, Roles, Entitlements | Fine-grained authorization, audit trails |
| πΌ **Business Resources** | Projects, Budgets, Approvals | Workflow automation, resource allocation |
| π **Cloud Resources** | VMs, Databases, Storage Buckets | Infrastructure as Code, cost management |
**Why SCIM for Custom Resources?**
- β
**Standardized API** - Consistent CRUD, filtering, and bulk operations
- β
**Schema Validation** - Type safety and data integrity out of the box
- β
**Multi-Tenant Ready** - Isolate resources by organization/tenant
- β
**Audit & Compliance** - Built-in change tracking and versioning
- β
**AI Integration** - Custom resources become AI-queryable via MCP
- β
**Enterprise Integration** - Standard protocol for system interoperability
**Transform any data model into a fully-featured API with enterprise-grade capabilities!**
## π Examples
| [`basic_server`](examples/basic_usage.rs) | Simple SCIM server setup |
| [`multi_tenant`](examples/multi_tenant_example.rs) | Multi-organization support |
| [`custom_provider`](examples/provider_modes.rs) | Custom storage backends |
| [`mcp_integration`](examples/mcp_server_example.rs) | AI assistant integration via MCP |
| [`compile_time_auth`](examples/compile_time_auth_example.rs) | Type-safe authentication at compile time |
| [`compile_time_rbac`](examples/compile_time_rbac_example.rs) | Role-based access control with type safety |
| [`etag_concurrency`](examples/etag_concurrency_example.rs) | ETag-based optimistic locking |
## ποΈ Architecture
```
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β HTTP Layer β β SCIM Server β β Provider β
β β β β β β
β β’ Axum βββββΆβ β’ Validation βββββΆβ β’ In-Memory β
β β’ Warp β β β’ Operations β β β’ Database β
β β’ Actix β β β’ Multi-tenant β β β’ Custom β
β β’ Custom β β β’ Type Safety β β β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
```
The library provides a clean separation between:
- **HTTP handling** (your choice of framework)
- **SCIM logic** (validation, operations, multi-tenancy)
- **Data storage** (pluggable providers)
## π Documentation
| [π API Documentation](https://docs.rs/scim-server) | Complete API reference with examples |
| [π Quick Start](docs/guides/quick-start.md) | Get running in 5 minutes |
| [πΊοΈ Roadmap](ROADMAP.md) | Feature roadmap and future releases |
| [π User Guide](docs/guides/user-guide.md) | Step-by-step tutorials |
| [ποΈ Architecture Guide](docs/guides/architecture.md) | Design decisions and patterns |
| [β
SCIM Compliance](docs/reference/scim-compliance.md) | RFC 7644 implementation details |
| [π’ Multi-Tenancy](docs/api/multi-tenancy.md) | Multi-tenant setup and usage |
| [π Compile-Time Authentication](docs/COMPILE_TIME_AUTHENTICATION.md) | Type-safe authentication system |
## π οΈ Development
```bash
# Clone the repository
git clone https://github.com/pukeko37/scim-server.git
cd scim-server
# Run tests
cargo test
# Run with logging
RUST_LOG=debug cargo run --example basic_usage
# Generate documentation
cargo doc --open
```
### Testing
- **100%** documentation test coverage
- **Comprehensive** integration test suite
- **Multi-tenant** validation scenarios
- **Performance** benchmarks included
## π€ Contributing
We welcome contributions! Here's how you can help:
1. π **Report bugs** via GitHub Issues
2. π‘ **Suggest features** or improvements
3. π **Improve documentation**
4. π§ **Submit pull requests**
See the repository's contributing guidelines for detailed information on how to contribute.
### Development Principles
- **Type safety first** - Leverage Rust's type system
- **YAGNI compliance** - Build only what's needed now
- **Functional patterns** - Immutable data and pure functions
- **Comprehensive testing** - Every feature thoroughly tested
## π Production Ready
This library is designed for production use with:
- β
**Extensive error handling** with detailed error types
- β
**Performance optimizations** and benchmarking
- β
**Memory safety** guaranteed by Rust
- β
**Concurrent access** patterns handled safely
- β
**Logging integration** for observability
- β
**Documentation** for all public APIs
## π SCIM 2.0 Compliance
| User Resources | β
Complete | RFC 7643 Β§4.1 |
| Group Resources | β
Complete | RFC 7643 Β§4.2 |
| Schema Discovery | β
Complete | RFC 7644 Β§4 |
| Resource CRUD | β
Complete | RFC 7644 Β§3.2-3.5 |
| Filtering | β
Complete | RFC 7644 Β§3.4.2.2 |
| Bulk Operations | β
Complete | RFC 7644 Β§3.7 |
| Patch Operations | β
Complete | RFC 7644 Β§3.5.2 |
**94% SCIM 2.0 Compliance** - See [compliance report](ReferenceNotes/SCIM_2_0_COMPLIANCE_SUMMARY.md) for details.
## π License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## π Acknowledgments
- [SCIM 2.0 Specification](https://tools.ietf.org/html/rfc7644) - The foundation this library implements
- [Rust Community](https://www.rust-lang.org/community) - For the amazing ecosystem and support
---
**Ready to get started?** Check out the [Quick Start Guide](docs/guides/quick-start.md) or browse the [examples](examples/).