Integration architecture
For FreeIPA deployments, FreeSCIM consumes directory state through a bounded trust path and exposes it through SCIM without pretending that Okta or the web tier owns Linux enforcement. The expected pattern is:
- Read LDAP/IPA attributes through direct LDAPS or a controlled FreeIPA agent path.
- Normalize identity fields to SCIM canonical types in a deterministic mapper.
- Emit user lifecycle events and group visibility with idempotency keys and correlation context.
- Persist audit events for every connector write and reconcile response.
Attribute contract and mapping risk
The most common integration failure is inconsistent attribute projection between directory schema and SCIM extension fields.
- Map uid and krbPrincipalName explicitly with a documented fallback path.
- Normalize group names and Distinguished Name values before reconciliation or write operations.
- Store mapping rules in code-reviewable configuration with explicit versioning.
Linux validation surface
The strongest FreeIPA value is not only directory mapping; it is evidence that identity state reaches the Linux estate correctly.
- Validate Kerberos, SSSD, IPA enrollment posture, HBAC, sudo visibility, automount, and offline/cache behavior.
- Keep probes evidence-oriented so validation does not silently enroll hosts or bypass policy.
- Use snapshot comparison to find Okta/FreeIPA drift before changing enforcement state.
Trust and hardening controls
Okta SAML + SCIM intent --(governed boundary)--> FreeSCIM --(LDAPS / agent)--> FreeIPA --(SSSD / Kerberos / HBAC)--> Linux
Treat connector authentication, TLS policy, and audit sink as mandatory controls before high-impact writes.
Operational caveat
Do not mirror FreeIPA administrative groups into FreeSCIM managed groups unless there is an explicit change control owner. FreeSCIM should not auto-enroll hosts, bypass HBAC, or push password policy changes without an approved operational gate.
Deployment and validation checklist
- Verify service account scope and lock it to least privilege for write APIs.
- Run synthetic tests for user rename behavior, active-state changes, and FreeIPA-safe username normalization.
- Confirm that stale LDAP values fail closed with actionable error categories.
FreeIPA mapping edge checks
- Validate uid/krbPrincipalName mapping before write operations.
- Normalize DN and group path collisions before sync batching.
- Attach source mapping revision in each audit record.
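The deterministic mapper described under "Attribute contract and mapping risk" and the edge checks above, as an added illustration that is not FreeSCIM's own code: it projects one FreeIPA LDAP entry (constructed sample in the test) to a SCIM core User, falls back from krbPrincipalName to uid@REALM, normalizes DNs, fails closed with a named error category, and stamps the audit record with the mapping revision. The uid pattern, the revision string and the audit record shape are assumptions for this example.

```python
import re
from typing import Any

# Revision of the mapping rules; constructed here, comes from versioned config in practice.
MAPPING_REVISION = "freeipa-scim-map/example-rev-1"
# Conservative uid pattern assumed for this example (lowercase, must not start with '-').
_UID_RE = re.compile(r"^[a-z0-9_.][a-z0-9_.-]*$")


class MappingError(ValueError):
    """Fail-closed mapping error carrying an actionable category."""
    def __init__(self, category: str, detail: str) -> None:
        super().__init__(f"{category}: {detail}")
        self.category = category


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN: lowercase attribute types, strip RDN whitespace."""
    if "\\" in dn:  # escaped RDN values are not handled here; fail closed instead of guessing
        raise MappingError("unsupported_dn_escape", dn)
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise MappingError("malformed_dn", dn)
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def map_user(entry: dict[str, Any], realm: str) -> tuple[dict[str, Any], dict[str, Any]]:
    """Project one FreeIPA LDAP entry to a SCIM core User plus an audit record."""
    uid = str(entry.get("uid") or "").strip().lower()  # FreeIPA-safe lowercase form
    if not _UID_RE.match(uid):
        raise MappingError("invalid_uid", repr(entry.get("uid")))
    principal = entry.get("krbPrincipalName")
    fallback = not principal  # documented fallback path: uid@REALM
    if fallback:
        principal = f"{uid}@{realm}"
    name, _, prealm = principal.partition("@")
    if prealm.upper() != realm.upper():
        raise MappingError("foreign_realm", principal)
    if name.lower() != uid:
        raise MappingError("uid_principal_mismatch", f"{uid} vs {principal}")
    groups = sorted({normalize_dn(g) for g in entry.get("memberOf", [])})
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": uid,
        "externalId": principal,
        "active": str(entry.get("nsAccountLock", "FALSE")).upper() != "TRUE",
        "groups": [{"value": g} for g in groups],
    }
    audit = {"mappingRevision": MAPPING_REVISION, "principalFallback": fallback, "sourceDn": entry.get("dn")}
    return user, audit
```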