Strategic scope
The architecture is documented as a chain of authority, control, and data-movement points. Every edge in the identity fabric has an owner, an invariant it must preserve, and a failure mode that operators can reason about.
Trust boundaries
- Ingress boundary: SCIM request authentication, provider identity, and rate limiting.
- Policy boundary: validation, entitlement checks, lifecycle state, and transformation rules.
- Authority boundary: connector operations for LDAP, FreeIPA, Okta, and mixed estates with audit logging.
Recommended decision order
- Define protocol mapping and allowed attribute transforms.
- Validate idempotent behavior across repeated SCIM operations.
- Attach rollback checkpoints for each boundary stage.
Architecture entry points
Architectural guardrails
- Each stage in the graph must provide a deterministic output before the next stage starts.
- Connector outputs are immutable audit events tied to a request correlation ID.
- Policy decisions must fail closed when the runtime policy set is incomplete.
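The following is an added example, not code from this page or its project, showing the policy and connector stages as a small Python pipeline: the policy stage fails closed when the runtime policy set is missing a required rule, repeated SCIM operations on the same resource are idempotent at the connector, and every stage outcome is recorded as an append-only audit event tied to the request correlation ID. The SCIM user, the rule names in REQUIRED_RULES, and the Pipeline class are all constructed assumptions for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed SCIM-style user resource used as sample input (not from the page).
SAMPLE_SCIM_USER = {"userName": "jdoe", "active": True, "displayName": "J. Doe"}

# Hypothetical rule names: a complete runtime policy set must define all of them.
# Any missing rule makes the policy boundary fail closed.
REQUIRED_RULES = ("allowed_attributes", "entitlement", "lifecycle")


class PolicyIncomplete(Exception):
    """Raised when the runtime policy set lacks a required rule (fail closed)."""


@dataclass
class Pipeline:
    policy: dict
    audit: list = field(default_factory=list)    # append-only audit events
    applied: dict = field(default_factory=dict)  # connector state keyed by userName

    def _audit(self, stage, correlation_id, outcome):
        # Each stage outcome is an immutable event tied to the request correlation ID.
        self.audit.append({"stage": stage, "correlation_id": correlation_id, "outcome": outcome})

    def policy_stage(self, resource):
        missing = [r for r in REQUIRED_RULES if r not in self.policy]
        if missing:
            raise PolicyIncomplete(f"policy set incomplete: {missing}")
        allowed = self.policy["allowed_attributes"]
        # Deterministic transform: keep only allowed attributes in a stable key order.
        return {k: resource[k] for k in sorted(resource) if k in allowed}

    def apply(self, resource, correlation_id):
        try:
            shaped = self.policy_stage(resource)
        except PolicyIncomplete as exc:
            self._audit("policy", correlation_id, f"denied: {exc}")
            raise
        # Content digest of the shaped resource decides whether the connector must act.
        digest = hashlib.sha256(json.dumps(shaped, sort_keys=True).encode()).hexdigest()
        key = shaped["userName"]
        if self.applied.get(key) == digest:
            self._audit("connector", correlation_id, "noop")  # idempotent replay
            return "noop"
        self.applied[key] = digest
        self._audit("connector", correlation_id, "applied")
        return "applied"
```

Replaying the same SCIM operation yields "noop" with its own audit event, so the audit trail records every request even when the connector has nothing to change.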