Authority before automation
FreeSCIM treats each identity system as an authority with a specific job: Okta and other SSO providers express lifecycle intent, SCIM carries the contract, FreeIPA/LDAP owns Linux directory enforcement, Kerberos and SSSD prove runtime access, and ITSM records the human follow-up whenever the system should not proceed silently.
Execution gates
- Observe-only states collect evidence without writing to the downstream authority.
- Dry-run states show the intended mutation before execution is allowed.
- Blocked states remain visible when FreeIPA, Linux validation, rollback safety, or identity provenance is not trusted enough to proceed.
Identity provenance
The canonical identity model keeps identifiers honest instead of flattening them. A person can have one login, another contact email, a SCIM username, a FreeIPA uid, and a Kerberos principal; FreeSCIM exposes those relationships so operators can see which value is driving each decision.
Recovery as product behavior
The platform is designed to answer four operational questions: what happened, why it was allowed, under whose authority, and how to recover. That is why mutation audit, rollback candidates, runtime survivability, route inventory, and ticket context belong in the product surface.
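As an added illustration (not FreeSCIM's own code), a small Python model of the execution gates and the audit record they leave behind, using the identifier fields and trust conditions named above; the `Mode` enum, `evaluate` function and `apply` callback are assumed names, and the recovery path (rollback when safe, otherwise an ITSM ticket) is a constructed simplification:

```python
from dataclasses import dataclass, asdict
from enum import Enum

class Mode(Enum):
    OBSERVE = "observe"  # collect evidence, never write downstream
    DRY_RUN = "dry_run"  # render the intended mutation, still no write
    EXECUTE = "execute"  # write only when no gate is blocked

@dataclass(frozen=True)
class Identity:  # related identifiers kept distinct, never flattened
    login: str
    contact_email: str
    scim_username: str
    freeipa_uid: str
    kerberos_principal: str

@dataclass(frozen=True)
class Mutation:
    action: str         # lifecycle intent from upstream, e.g. "disable"
    authority: str      # which system expressed it, e.g. "okta"
    identity: Identity
    driving_field: str  # which Identity field selects the FreeIPA entry

@dataclass(frozen=True)
class TrustChecks:
    freeipa_reachable: bool
    linux_validation_ok: bool
    rollback_safe: bool
    provenance_trusted: bool

    def blockers(self) -> list[str]:
        return [name for name, ok in asdict(self).items() if not ok]

def evaluate(m: Mutation, mode: Mode, checks: TrustChecks, apply) -> dict:
    """Gate one mutation and return the audit record: what, why allowed,
    under whose authority, how to recover. `apply` performs the real write."""
    target = getattr(m.identity, m.driving_field)
    record = {"what": f"{m.action} {m.driving_field}={target}",
              "authority": m.authority, "blockers": checks.blockers(),
              "recover": "rollback" if checks.rollback_safe else "itsm_ticket"}
    if mode is Mode.OBSERVE:
        record["state"] = "observed"   # evidence only
    elif mode is Mode.DRY_RUN:
        record["state"] = "dry_run"    # intent shown, nothing written
    elif record["blockers"]:
        record["state"] = "blocked"    # stays visible instead of failing silently
    else:
        apply(m.action, target)        # the only branch that writes downstream
        record["state"] = "executed"
    return record
```

Only the execute path with an empty blocker list ever calls `apply`; observe and dry-run records still carry the blockers so an operator can see why execution would have stopped.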