Flow baseline
Incoming identity events progress through decode, validation, mapping, policy checks, connector execution, and final audit emission. SCIM provisioning events and SAML access events follow separate ingress paths but converge in operator-visible evidence.
Flow phases
Inbound plane
Okta SAML -> ACS -> Signature/Claim Checks -> Session + Role MappingTransformation plane
SCIM Bearer Token -> Schema/Filter Validation -> Attribute Mapper -> FreeIPA ConnectorOperational invariants
- No stage may mutate source intent silently; Okta, SCIM, FreeIPA, and Linux enforcement ownership must stay visible.
- SCIM filters and PATCH paths are accepted only where the implementation supports them.
- Group replacement and deletion stay outside the SCIM contract until governed FreeIPA workflows are added.
- All side effects should emit redacted telemetry with stable correlation keys.
Failure branching
Retries follow explicit classification: transport failures can retry after health recovers, validation failures should not replay without operator correction, and mapping failures should create a remediation task with input diff and no secret material.
Flow visibility
SAML / SCIM -> Validator -> Attribute Mapper -> Connector Adapter -> Lifecycle Telemetry -> Audit SinkFiltering and pagination edge behavior
Replay-safe flow pattern
Request -> Supported filter check -> startIndex/count bounds -> Deterministic list response- Support user filters for
userName,email,emails.value, andactiveequality. - Support group filtering for
displayName eq "value". - Use
startIndexandcountfor bounded responses and avoid documenting pagination modes outside the current contract.