SCIM 2.0 — System for Cross-domain Identity Management.
Lets enterprise IdPs (Okta, Azure AD, Workday, Rippling) auto-provision
users into pylon-managed apps. The IdP POSTs to
/scim/v2/Users to create a user, GETs /scim/v2/Users/<id>
to read, PATCHes to update, DELETEs to deactivate. Same shape
for /scim/v2/Groups.
Status: library only — HTTP endpoints not yet wired.
ScimUser / ScimError / check_bearer ship today as primitives so
apps that want to roll their own SCIM endpoints can compose
them. The pylon-shipped /scim/v2/* routes (POST/GET/PATCH/
DELETE Users + Groups) are queued for the next wave.
Auth: SCIM endpoints accept a single static bearer token configured via
PYLON_SCIM_TOKEN. IdPs configure this once when they connect. The token is
a long-lived shared secret: generate it with enough entropy, serve the
endpoints only over TLS, and rotate it by updating the env var and the
IdP's connector together. If PYLON_SCIM_TOKEN is unset, every request is
rejected (fail closed).
Spec: https://datatracker.ietf.org/doc/html/rfc7644
Pylon’s SCIM mapping:
- SCIM userName → User row’s email
- SCIM name.formatted → User row’s displayName
- SCIM active=false → soft-delete (set deletedAt on the User row; the app decides whether to hard-delete)
The endpoint wiring is intended to live in routes/auth.rs (not yet landed;
see Status above). This module just provides the request/response type
definitions and the field-level mapping helpers.
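As an added illustration (not pylon's own code), the following std-only Rust sketch shows the two pieces this module is about: the field-level mapping (userName → email, name.formatted → displayName, active=false → deletedAt soft-delete) and a fail-closed bearer check with a constant-time compare against PYLON_SCIM_TOKEN. The type and function names (ScimUserSubset, UserRow, apply_scim_user, check_bearer_against, ct_eq) are assumptions for the example; the real ScimUser, JSON (de)serialization and the extra round-trip field are left out. It also handles a case the mapping list does not spell out: a repeated active=false keeps the original deletedAt, and active=true clears it (reactivation), which is an assumption about desired behaviour.

```rust
// Added example, not pylon's code. Names below are hypothetical.
use std::collections::HashMap;

/// Subset of the SCIM 2.0 User resource (RFC 7643 §4.1) modelled here.
#[derive(Debug, Clone, Default)]
pub struct ScimUserSubset {
    pub user_name: String,
    pub name_formatted: Option<String>,
    pub active: bool,
}

/// Hypothetical app-side User row the IdP provisions into.
#[derive(Debug, Clone, Default, PartialEq)]
pub struct UserRow {
    pub email: String,
    pub display_name: Option<String>,
    /// Unix seconds; Some(_) means soft-deleted. Hard delete is the app's call.
    pub deleted_at: Option<u64>,
}

/// Apply the mapping from the docs. `now` is injected (not read from the
/// clock) so the soft-delete timestamp is deterministic and testable.
pub fn apply_scim_user(row: &mut UserRow, scim: &ScimUserSubset, now: u64) {
    row.email = scim.user_name.clone();
    if let Some(n) = &scim.name_formatted {
        row.display_name = Some(n.clone());
    }
    if scim.active {
        // Assumption: active=true reactivates a soft-deleted row.
        row.deleted_at = None;
    } else {
        // Keep the first deletion time if the IdP re-sends active=false.
        row.deleted_at.get_or_insert(now);
    }
}

/// Constant-time byte equality: OR-accumulate XORs over the whole slice so
/// the loop never exits early on the first mismatching byte. A length
/// mismatch returns early, which only leaks the token length.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Parse an Authorization header and compare against the configured token.
/// Fails closed: no configured token (or an empty one) rejects everything.
/// The "Bearer" scheme name is matched case-insensitively (RFC 6750 §2.1).
pub fn check_bearer_against(auth_header: Option<&str>, configured: Option<&str>) -> bool {
    let configured = match configured {
        Some(t) if !t.is_empty() => t,
        _ => return false,
    };
    let presented = match auth_header.and_then(|h| h.trim().split_once(' ')) {
        Some((scheme, tok)) if scheme.eq_ignore_ascii_case("bearer") => tok.trim(),
        _ => return false,
    };
    ct_eq(presented.as_bytes(), configured.as_bytes())
}

/// Reads PYLON_SCIM_TOKEN as the module docs describe and delegates.
pub fn check_bearer(auth_header: Option<&str>) -> bool {
    let tok = std::env::var("PYLON_SCIM_TOKEN").ok();
    check_bearer_against(auth_header, tok.as_deref())
}

/// Example of how a handler would thread these together on a PATCH that
/// deactivates a user. The `users` map stands in for the database.
pub fn handle_patch(
    users: &mut HashMap<String, UserRow>,
    auth_header: Option<&str>,
    configured_token: Option<&str>,
    id: &str,
    patched: &ScimUserSubset,
    now: u64,
) -> Result<(), &'static str> {
    if !check_bearer_against(auth_header, configured_token) {
        return Err("401 unauthorized");
    }
    let row = users.get_mut(id).ok_or("404 not found")?;
    apply_scim_user(row, patched, now);
    Ok(())
}
```

The compare is written by hand to stay dependency-free; in a real handler prefer a vetted constant-time primitive (for example the subtle crate) and make sure the auth check runs before any lookup that could reveal whether the id exists.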
Structs§
- ScimEmail
- ScimError - SCIM error response shape (RFC 7644 §3.12).
- ScimListResponse - SCIM list response (RFC 7644 §3.4.2).
- ScimName
- ScimUser - SCIM User schema (subset). Most IdPs send a much fuller object; pylon does not model most of it. The extra field captures the unmodelled attributes so they round-trip on PATCH.
Functions§
- check_bearer - Validate a bearer token against PYLON_SCIM_TOKEN. Returns true only if the env var is set and the bearer matches via constant-time compare.