# IndieHosters' plan funded by NLnet

Our goal is to enable synchronous user and group provisioning through the SCIM 2.0 protocol (RFC 7642 / RFC 7643 / RFC 7644) among a collection of Free and Open Source Software. The chosen architecture is as follows: a SCIM Client colocated with the Identity Provider will reflect changes by calling all SCIM Service Providers colocated with each application.

Our focus is collaborative tooling. Thus, the information to provision is only:

- For users: username, email, first name, last name and display name.
- For groups: name and membership.

In this context only a subset of the SCIM protocol is required, and we expect all SCIM Service Providers to implement the following endpoints:

- /Users to retrieve, add, modify and remove users.
- /Groups to retrieve, add, modify and remove groups.
- /ServiceProvider to retrieve the service provider's configuration.
- /ResourceTypes to retrieve the supported resource types.
- /Schemas to retrieve one or more supported schemas.

Authentication should proxy to the targeted application and, if that is not possible, a static option must be present. Features like patch, bulk, filter, changePassword, sort and etag are not mandatory.

The end result of this project will be that the users and groups of each application (Rocket.Chat, Nextcloud, Matrix and Discourse) can be managed via any of Keycloak, the command line app or Stackspin.

## 1. Release the Keycloak Client extension.

This will enable Keycloak to provision users and groups on multiple SCIM Service Providers.

### Milestone(s)

- Release v0.1
  - Configuration through console UI.
  - Users/Groups propagation.
  - CI to generate release.
- Release v0.2
  - Reconcile existing resources.
  - Admin endpoints.
  - Comprehensive logging.
  - Pagination support.
  - Resolve the security flaws discovered during the audit.

## 2. Release the Rocket.Chat Service Provider app.

This installable app from the marketplace will add SCIM Service Provider capabilities to Rocket.Chat.

### Milestone(s)

- Release v0.1
  - Users CRUD endpoints.
  - Groups CRUD endpoints.
  - CI to generate release and publish to the marketplace.
  - Core endpoints.
  - Configurable group behavior (to teams, channels, or nothing).
  - Resource pagination.
  - Integrate compliance tests in the CI.
  - Fix compliance issues.
  - Resolve the security flaws discovered during the audit.

## 3. Release the Nextcloud Service Provider app.

This installable app from the marketplace will add SCIM Service Provider capabilities to Nextcloud.

### Milestone(s)

- Release v0.1
  - Users CRUD endpoints.
  - Groups CRUD endpoints.
  - CI to generate release and publish to the store.
  - Core endpoints.
  - Resource pagination.
  - Integrate compliance tests in the CI.
  - Fix compliance issues.
  - Resolve the security flaws discovered during the audit.

## 4. Release a Matrix Service Provider.

An implementation of a SCIM Service Provider in one of the official Matrix servers, either as a patch or as a sidecar program.

### Milestone(s)

- Submitted MSC proposal.
- Release implementation.
  - Users CRUD endpoints.
  - Groups CRUD endpoints.
  - Core endpoints.
  - Resource pagination.
  - CI to generate release or a pull request to upstream.
  - Run the test suite and resolve compliance issues.
  - Resolve the security flaws discovered during the audit.

## 5. Release a Discourse Service Provider.

An implementation of a SCIM Service Provider for Discourse, either as a patch or as a plugin.

### Milestone(s)

- Implementation.
  - Users CRUD endpoints.
  - Groups CRUD endpoints.
  - Core endpoints.
  - Resource pagination.
  - CI to generate release or a pull request to upstream.
  - Run the test suite and resolve compliance issues.
  - Resolve the security flaws discovered during the audit.

## 6. Documentation

We want to help our fellow system administrators to use SCIM.

### Milestone(s)

- Website.
  - CI/CD.
- Explanations of this SCIM topology.
  - Pretty schemas.
- Documentation of our work.
  - Keycloak Client.
  - Rocket.Chat SP.
  - Nextcloud SP.
  - Matrix SP.
  - Discourse SP.

## 7. Release a simple compliance test suite.

Easily testing a SCIM Service Provider's compliance will help developers and improve reliability. This will only test valid use cases in our context; testing the whole specification is out of scope.

### Milestone(s)

- Endpoints
  - Core.
  - Users CRUD.
  - Groups CRUD.
- Features
  - Authentication.
  - Pagination.

## 8. Release a SCIM Client CLI.

A SCIM Client multitool capable of managing the users and groups of one or multiple SCIM Service Providers, as well as other utilities to facilitate administration work. For example:

`scim user add alice --email alice@example.net --groups nlnet,admin`

### Milestone(s)

- Resources management.
  - Auth: Basic & Bearer.
  - Users CRUD.
  - Groups CRUD.
- Keycloak administration.
  - CRUD Ids mappings.
- Resolve the security flaws discovered during the audit.

## 9. Release Stackspin with a SCIM Client.

Allow the dashboard to perform basic SCIM operations against a fixed, statically configured SCIM Service Provider.

### Milestone(s)

- Refactor the dashboard source code to facilitate adding SCIM features.
- Extend the dashboard database to store app-internal user IDs (necessary for the SCIM protocol).
- Add settings for statically configuring a single SCIM Service Provider.
- Write a routine for calling SCIM user provisioning.
- Write a routine for calling SCIM user deprovisioning.
- Call these new routines on all pertinent events: user creation/deletion, app (un)installation, access right changes.
- Resolve the security flaws discovered during the audit.
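The following is an added example, not code from IndieHosters or any of the projects named above. It models the client/service-provider exchange the plan describes, restricted to the attribute subset listed at the top (username, email, first and last name, display name; group name and membership) and to /Users and /Groups with no filter, patch or etag support. Because filtering is optional, the client cannot look a user up by userName after the fact, so it keeps its own mapping from IdP ids to the ids the Service Provider assigned (the same reason the Stackspin milestones store app-internal user IDs). The `FakeServiceProvider` class, its static bearer token, the `request` transport signature and all sample values are constructed for this example; authentication is the plan's "static option", checked before any resource lookup so an unauthenticated caller learns nothing about existing ids.

```python
"""Added example: minimal SCIM 2.0 provisioning round trip for the plan's attribute subset.
Not IndieHosters' code. The service provider here is an in-memory stand-in (constructed)."""
import secrets
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def to_scim_user(username, email, first, last, display):
    """Map the IdP's user fields onto the SCIM User attributes the plan provisions."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": username,
        "name": {"givenName": first, "familyName": last},
        "displayName": display,
        "emails": [{"value": email, "primary": True}],
    }


def to_scim_group(name, member_scim_ids):
    """Groups carry only a name and membership; members are referenced by SP-assigned id."""
    return {
        "schemas": [GROUP_SCHEMA],
        "displayName": name,
        "members": [{"value": sid} for sid in member_scim_ids],
    }


class FakeServiceProvider:
    """Constructed stand-in for an application-side Service Provider: static bearer
    token, /Users and /Groups with POST/GET/PUT/DELETE only (no filter, patch or etag)."""

    def __init__(self, token):
        self.token = token
        self.store = {"Users": {}, "Groups": {}}

    def request(self, method, path, body=None, headers=None):
        # Authentication is checked first, so 401 is returned without touching the store.
        if (headers or {}).get("Authorization") != f"Bearer {self.token}":
            return 401, {"schemas": [ERROR_SCHEMA], "status": "401"}
        parts = path.strip("/").split("/")
        kind, rid = parts[0], (parts[1] if len(parts) > 1 else None)
        table = self.store[kind]
        if method == "POST":
            expected = USER_SCHEMA if kind == "Users" else GROUP_SCHEMA
            if expected not in body.get("schemas", []):
                return 400, {"schemas": [ERROR_SCHEMA], "status": "400", "scimType": "invalidValue"}
            new_id = str(uuid.uuid4())  # the SP, not the client, assigns ids
            table[new_id] = {**body, "id": new_id}
            return 201, table[new_id]
        if rid not in table:
            return 404, {"schemas": [ERROR_SCHEMA], "status": "404"}
        if method == "GET":
            return 200, table[rid]
        if method == "PUT":  # full replace; PATCH is not mandatory in this plan
            table[rid] = {**body, "id": rid}
            return 200, table[rid]
        if method == "DELETE":
            del table[rid]
            return 204, None
        return 405, {"schemas": [ERROR_SCHEMA], "status": "405"}


class ScimClient:
    """IdP-side client that reflects changes to one Service Provider and remembers the
    SP-assigned id for each IdP id, since there is no filter to find a user by userName."""

    def __init__(self, transport, token):
        self.transport = transport  # callable(method, path, body, headers) -> (status, body)
        self.headers = {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/scim+json"}
        self.ids = {}  # (kind, idp_id) -> SCIM id

    def _call(self, method, path, body=None):
        status, data = self.transport(method, path, body, self.headers)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status}")
        return data

    def reflect(self, kind, idp_id, resource):
        """Create the resource on first sight, replace it afterwards; returns the SCIM id."""
        key = (kind, idp_id)
        if key in self.ids:
            self._call("PUT", f"/{kind}/{self.ids[key]}", resource)
        else:
            self.ids[key] = self._call("POST", f"/{kind}", resource)["id"]
        return self.ids[key]

    def remove(self, kind, idp_id):
        """Deprovision and forget the mapping so a later re-creation gets a fresh id."""
        self._call("DELETE", f"/{kind}/{self.ids.pop((kind, idp_id))}")


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)  # constructed static credential for the example
    sp = FakeServiceProvider(token)
    client = ScimClient(sp.request, token)
    uid = client.reflect("Users", "idp-1", to_scim_user("alice", "alice@example.net", "Alice", "Smith", "Alice S."))
    gid = client.reflect("Groups", "idp-g1", to_scim_group("admin", [uid]))
    print(uid, gid, sp.store["Groups"][gid]["members"])
```

The `transport` callable is the only thing to swap for a real HTTP client; the mapping table it populates is exactly the state a client extension or dashboard has to persist between runs, and losing it means the Service Provider keeps orphaned resources that can only be found again if it implements the optional filter feature.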