Deployment philosophy

Deployment is treated as a standing engineering control, not a one-time action: every environment must be reproducible from declared configuration, protected secrets, migration checks, and explicit runbooks for Okta, SAML, FreeIPA/LDAP, SCIM, and database operations.

Deployment topology

Production baseline

LB/TLS -> Reverse Proxy -> Gunicorn/Flask -> PostgreSQL + Connectors -> Okta / FreeIPA
Keep TLS, proxy headers, worker health, database readiness, and connector status visible before traffic cutover. Forwarded headers (scheme, host, client IP) should be trusted only from the proxy hop, because the Okta/SAML public base URL the application advertises is derived from them.

Observability chain

/health -> /health/db -> /health/ipa -> /health/okta -> /readyz -> metrics
Probe output should classify data, policy, transport, database, and connector failures without exposing secrets.
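The probe chain above as working code, added here as an example and not the project's own implementation: a stdlib-only registry that runs one check per dependency, buckets any failure into the five classes named above (data, policy, transport, database, connector), scrubs credential material out of the detail string before it can reach a response body or log line, and exposes cumulative failure counts for the metrics hop. The probe names follow the chain; the check callables, the exception-to-class mapping, the redaction patterns and the sample DSN and client secret are constructed assumptions.

```python
"""Probe aggregator for the /health -> /health/db -> /health/ipa -> /health/okta
-> /readyz -> metrics chain.

Added example for this page, not the project's own code. Probe names follow
the chain; the check callables, the exception-to-class mapping, the redaction
patterns and the sample credential strings are assumptions.
"""
import re
import socket
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List, Tuple

# Credential shapes that must never reach a response body, log line or label.
_KV_SECRET = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)=([^\s&;]+)")
_URL_CRED = re.compile(r"://([^:/\s@]+):([^@\s]+)@")   # user:pass@host inside a DSN or URL
_BEARER = re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]+")


def redact(text: str) -> str:
    """Scrub credential material out of free text such as exception messages."""
    text = _KV_SECRET.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    text = _URL_CRED.sub(r"://\1:[REDACTED]@", text)
    return _BEARER.sub("Bearer [REDACTED]", text)


def classify(exc: BaseException, kind: str) -> str:
    """Bucket a failure as data, policy, transport, database or connector."""
    if isinstance(exc, ValueError):
        return "data"        # malformed payload, schema mismatch, unparsable reply
    if isinstance(exc, PermissionError):
        return "policy"      # reached the service but was denied: scopes, bind rights
    if isinstance(exc, (TimeoutError, socket.timeout, ConnectionError, socket.gaierror)):
        return "transport"   # DNS, TCP, TLS handshake, timeouts
    return kind              # anything else is blamed on the component itself


@dataclass
class Probe:
    name: str                  # "db", "ipa", "okta"
    kind: str                  # "database" or "connector"
    check: Callable[[], None]  # raises on failure, returns when healthy


@dataclass
class ProbeResult:
    probe: str
    ok: bool
    category: str = ""
    detail: str = ""


class HealthRegistry:
    def __init__(self, probes: List[Probe]) -> None:
        self.probes = {p.name: p for p in probes}
        self.failures: Dict[Tuple[str, str], int] = {}  # feeds the metrics hop

    def health(self) -> ProbeResult:
        """/health: liveness only; answering at all is the signal."""
        return ProbeResult("app", True)

    def run(self, name: str) -> ProbeResult:
        """/health/<name>: one dependency, classified and redacted."""
        probe = self.probes[name]
        try:
            probe.check()
            return ProbeResult(name, True)
        except Exception as exc:  # any exception is a failed probe
            category = classify(exc, probe.kind)
            self.failures[(name, category)] = self.failures.get((name, category), 0) + 1
            return ProbeResult(name, False, category, redact(f"{type(exc).__name__}: {exc}"))

    def readyz(self) -> dict:
        """/readyz: ready only when every dependency passes; serve 503 otherwise."""
        results = [self.run(name) for name in self.probes]
        return {"ready": all(r.ok for r in results), "checks": [asdict(r) for r in results]}

    def metrics(self) -> str:
        """Prometheus-style exposition of cumulative failures per probe and class."""
        lines = [f'probe_failures_total{{probe="{p}",category="{c}"}} {n}'
                 for (p, c), n in sorted(self.failures.items())]
        return "\n".join(lines) + ("\n" if lines else "")


def demo_registry() -> HealthRegistry:
    """Constructed probes: healthy DB, FreeIPA LDAPS timeout, Okta denial leaking secrets."""
    dsn = "postgresql://svc_app:hunter2@db.internal:5432/app"  # constructed; must never leak

    def db_ok() -> None:
        return None  # stands in for SELECT 1 plus a migration-head comparison

    def ipa_timeout() -> None:
        raise TimeoutError("ldaps://ipa.internal:636 connect timed out after 2.0s")

    def okta_denied() -> None:
        raise PermissionError(f"Okta returned 401 with client_secret=abc123 while dsn={dsn}")

    return HealthRegistry([Probe("db", "database", db_ok),
                           Probe("ipa", "connector", ipa_timeout),
                           Probe("okta", "connector", okta_denied)])
```

Wire readyz() behind /readyz and return HTTP 503 whenever "ready" is false, and put run() behind each /health/<name> route. The redaction runs on the exception text on purpose: connector and database client libraries routinely echo the DSN or the failing token back in their error messages, which is exactly what a probe body must not repeat.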

Readiness sequence

  1. Validate Python runtime, PostgreSQL connectivity, migrations, service account permissions, SELinux context, and network reachability.
  2. Deploy the systemd service, Gunicorn configuration, protected environment file, TLS or reverse proxy path, and Okta/SAML public base URL.
  3. Run endpoint smoke checks for SCIM discovery, SAML metadata/login initiation, health, readiness, and database diagnostics.
  4. Harden logs, metrics, alerts, and rollback commands before enabling provisioning writes.
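The four steps above run as one gated sequence, added here as an example and not the project's own tooling: stdlib checks for some of the step 1 items (runtime version, protected environment file permissions, SELinux mode), the step 3 smoke checks as status-only HTTP probes, and a runner that finishes the first failing phase, skips everything after it, and leaves provisioning writes disabled unless every step passed. The environment-file path, SELinux sysfs path, base URL and endpoint paths are assumptions (the SCIM discovery path is the one RFC 7644 defines; the SAML metadata path is a guess), and the offline fetcher that stands in for urlopen is constructed.

```python
"""Ordered launch gate for the four-step readiness sequence above.

Added example for this page, not the project's own code. Checks are stdlib
stand-ins for items in steps 1-4; the env-file path, SELinux sysfs path and
smoke-check URL paths are assumptions (SCIM discovery follows RFC 7644, the
SAML metadata path is a guess).
"""
import os
import stat
import sys
import tempfile
from contextlib import nullcontext
from types import SimpleNamespace
from urllib.parse import urlsplit
from urllib.request import urlopen


def check_python(min_version=(3, 8)):
    if sys.version_info[:2] < min_version:
        raise RuntimeError(f"python {sys.version_info[:2]} is older than {min_version}")


def check_env_file(path):
    """Protected environment file: a regular file with no group/other permission bits."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise RuntimeError(f"{path}: not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path}: mode {oct(mode)} exposes secrets to group/other")


def check_selinux_enforcing(sysfs="/sys/fs/selinux/enforce"):
    with open(sysfs) as fh:
        if fh.read().strip() != "1":
            raise RuntimeError("SELinux is not in enforcing mode")


def check_http(url, expect=200, fetch=urlopen):
    """Smoke check on status only; bodies are not logged, metadata may carry internal detail."""
    with fetch(url, timeout=5) as resp:
        if resp.status != expect:
            raise RuntimeError(f"{url}: HTTP {resp.status}, expected {expect}")


def smoke_steps(base_url, fetch=urlopen):
    """Step 3 endpoints; every path except SCIM discovery (RFC 7644) is assumed."""
    paths = {"scim discovery": "/scim/v2/ServiceProviderConfig",
             "saml metadata": "/saml/metadata",
             "health": "/health",
             "db diagnostics": "/health/db",
             "readiness": "/readyz"}
    return [("smoke", name, lambda p=path: check_http(base_url + p, fetch=fetch))
            for name, path in paths.items()]


def run_gate(steps):
    """steps: (phase, name, callable) in readiness order. Every step of the first
    failing phase still runs so the operator sees that phase's problems at once;
    later phases are skipped and provisioning writes stay disabled."""
    results, failed_phase = [], None
    for phase, name, fn in steps:
        if failed_phase is not None and phase != failed_phase:
            results.append({"phase": phase, "step": name, "status": "skipped"})
            continue
        try:
            fn()
            results.append({"phase": phase, "step": name, "status": "pass"})
        except Exception as exc:  # any failure blocks the gate
            failed_phase = phase
            results.append({"phase": phase, "step": name, "status": "fail",
                            "detail": f"{type(exc).__name__}: {exc}"})
    return {"provisioning_writes": failed_phase is None and bool(results), "steps": results}


def fake_fetch(status_by_path):
    """Constructed urlopen stand-in for offline runs: URL path -> HTTP status, default 200."""
    return lambda url, timeout=None: nullcontext(
        SimpleNamespace(status=status_by_path.get(urlsplit(url).path, 200)))


def demo():
    """Env file deliberately left at 0644: the gate must stop after 'validate'."""
    fd, env_path = tempfile.mkstemp(prefix="app.env.")
    os.close(fd)
    os.chmod(env_path, 0o644)
    steps = [("validate", "python runtime", check_python),
             ("validate", "env file permissions", lambda: check_env_file(env_path)),
             ("deploy", "systemd unit present", lambda: None)]
    steps += smoke_steps("https://sso.example.internal", fetch=fake_fetch({}))
    steps += [("harden", "rollback command recorded", lambda: None)]
    try:
        return run_gate(steps)
    finally:
        os.unlink(env_path)
```

The gate reports every failure inside the phase that broke rather than stopping at the first one, so a validate-phase run surfaces a bad environment-file mode and an unreachable database together; nothing in a later phase executes, and the boolean that enables provisioning writes is derived from the run rather than set by hand.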

Deployment entry points

Launch readiness controls