
sources/scim: add managed_objects_only option for stricter provisioning #22536

Open

sreelim wants to merge 1 commit into goauthentik:main from sreelim:feature/scim-managed-objects-only

Conversation


@sreelim sreelim commented May 21, 2026

Summary

Follow-up to GHSA-9m7q-6qg6-888h and maintainer feedback that tenant-wide SCIM correlation is intentional but undocumented.

Adds an opt-in managed_objects_only setting on SCIM sources (default false to preserve existing behavior). When enabled:

  • Users/groups are not correlated to existing tenant objects by name on create
  • Group membership is limited to users managed by the same SCIM source
  • SCIM DELETE removes only the SCIM link; underlying User/Group rows are retained

Also documents the SCIM trust model and this option in the SCIM source docs (supersedes/overlaps with #22535 — happy to rebase once that lands).

Test plan

  • Added test_managed_objects_only.py covering conflict on existing names, membership restriction, escalation path blocked, and unlink-only DELETE
  • CI (could not run pytest locally — missing pg_config)

Related

Made with Cursor

Add an opt-in SCIM source setting that disables tenant-wide user/group
correlation, restricts group membership to source-managed users, and
unlinks objects on DELETE instead of deleting underlying User/Group rows.

Includes admin UI toggle, API/schema updates, documentation, and tests
covering the reported admin-group escalation path when enabled.

Co-authored-by: Cursor <cursoragent@cursor.com>
@sreelim sreelim requested review from a team as code owners May 21, 2026 14:22
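The three behaviours the PR description lists (no correlation by name on create, membership restricted to source-managed users, unlink-only DELETE) acted out against a small in-memory tenant. This is an added example written for this page, not authentik's code: the classes, the SCIMConflict error, the sample tenant with a pre-existing superuser group and the "mallory" / "alice" / "bob" objects are all constructed here, and authentik's real SCIM source and models are assumed to differ. The default branch shows why a same-named group is the escalation path the PR's tests refer to.

```python
"""Toy model of a SCIM source with an opt-in managed_objects_only flag.

Added illustration, not authentik's code: every class and the sample
tenant below are constructed for this page (assumed names throughout).
"""
from dataclasses import dataclass, field


class SCIMConflict(Exception):
    """Raised where a strict source would answer the SCIM request with 409."""


@dataclass
class User:
    username: str


@dataclass
class Group:
    name: str
    is_superuser: bool = False
    members: set = field(default_factory=set)  # usernames


@dataclass
class Tenant:
    users: dict = field(default_factory=dict)   # username -> User
    groups: dict = field(default_factory=dict)  # name -> Group

    def is_admin(self, username):
        return any(g.is_superuser and username in g.members
                   for g in self.groups.values())


@dataclass
class SCIMSource:
    tenant: Tenant
    managed_objects_only: bool = False
    user_links: dict = field(default_factory=dict)   # scim id -> username
    group_links: dict = field(default_factory=dict)  # scim id -> group name

    def _adopt_or_create(self, table, links, scim_id, name, factory):
        existing = table.get(name)
        if existing is not None:
            if self.managed_objects_only:
                # strict: a pre-existing, unmanaged object is a conflict, not a match
                raise SCIMConflict(f"{name!r} exists and is not managed by this source")
            # default: tenant-wide correlation, the SCIM object adopts the local one
            links[scim_id] = name
            return existing
        obj = factory(name)
        table[name] = obj
        links[scim_id] = name
        return obj

    def create_user(self, scim_id, username):
        return self._adopt_or_create(self.tenant.users, self.user_links,
                                     scim_id, username, User)

    def create_group(self, scim_id, name):
        return self._adopt_or_create(self.tenant.groups, self.group_links,
                                     scim_id, name, Group)

    def add_member(self, group_scim_id, username):
        group = self.tenant.groups[self.group_links[group_scim_id]]
        if self.managed_objects_only and username not in self.user_links.values():
            # strict: only users this source provisioned may be placed in its groups
            raise SCIMConflict(f"{username!r} is not managed by this source")
        group.members.add(username)

    def delete_user(self, scim_id):
        username = self.user_links.pop(scim_id)
        if not self.managed_objects_only:
            # default: the tenant row disappears together with the SCIM object
            self.tenant.users.pop(username, None)
            for g in self.tenant.groups.values():
                g.members.discard(username)
        return username  # strict: only the link is removed, the row is retained


def provision(strict):
    """Replay the admin-group scenario against a fresh tenant; return the outcomes."""
    tenant = Tenant()
    tenant.users["alice"] = User("alice")  # local user, never SCIM-managed
    tenant.groups["authentik Admins"] = Group("authentik Admins", is_superuser=True)
    src = SCIMSource(tenant, managed_objects_only=strict)
    out = {}
    try:
        src.create_group("g1", "authentik Admins")  # same displayName as the admin group
        src.create_user("u1", "mallory")
        src.add_member("g1", "mallory")
        out["escalated"] = tenant.is_admin("mallory")
    except SCIMConflict:
        out["escalated"] = False
    src.create_group("g2", "scim-team")
    try:
        src.add_member("g2", "alice")  # alice was never provisioned by this source
        out["unmanaged_member_added"] = True
    except SCIMConflict:
        out["unmanaged_member_added"] = False
    src.create_user("u2", "bob")
    src.delete_user("u2")
    out["row_retained_after_delete"] = "bob" in tenant.users
    return out
```

With the flag off, provision(False) shows the SCIM-created "mallory" ending up in the superuser group purely because the upstream sent a group with the same displayName; with the flag on, the same request sequence gets a conflict on the group, cannot place a local user in a SCIM group, and leaves the "bob" row in place after DELETE.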
netlify Bot commented May 21, 2026

Deploy Preview for authentik-integrations ready!

Latest commit: b3ea59d
Latest deploy log: https://app.netlify.com/projects/authentik-integrations/deploys/6a0f150b3889dd0008ef43ed
Deploy Preview: https://deploy-preview-22536--authentik-integrations.netlify.app

netlify Bot commented May 21, 2026

Deploy Preview for authentik-storybook ready!

Latest commit: b3ea59d
Latest deploy log: https://app.netlify.com/projects/authentik-storybook/deploys/6a0f150b1f04840008e9b656
Deploy Preview: https://deploy-preview-22536--authentik-storybook.netlify.app

netlify Bot commented May 21, 2026

Deploy Preview for authentik-docs ready!

Latest commit: b3ea59d
Latest deploy log: https://app.netlify.com/projects/authentik-docs/deploys/6a0f150b808d500008d1b0f3
Deploy Preview: https://deploy-preview-22536--authentik-docs.netlify.app


1 participant