Tags: okta, onelogin, scim

Is support for Groups required by the SCIM protocol, and how do you handle it if your application doesn't have the concept of groups?


I'm planning the work necessary to add SCIM support to an application.

I've read the documentation for Okta and OneLogin, as well as the RFCs, but it isn't clear to me if we have to implement the Groups resource. The application doesn't have a concept of groups at all at the moment, and we have no immediate plans to add them.

Do we have to implement the Groups resource? If not, is it sufficient to just not return Groups from the /ResourceTypes endpoint and exclude groups from the User schema, so that the identity provider then does the right thing?


Solution

  • To not list it on the /ResourceTypes sounds about right. The provisioning service itself might also be configurable to exclude groups independently.

    Keep in mind that Resource discovery is considered optional. So to be on the safe side, implement a dummy /Groups endpoint that returns 404:

       HTTP/1.1 404 Not Found
       {
         "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
         "detail":"Resource Type Groups not found",
         "status": "404"
       }

    However, sometimes the groups endpoint is used to represent the role assignments within an application. So if you want those to be manageable at the central identity provider, you might want to consider mapping groups to roles for your application.
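A minimal stand-alone SCIM stub that applies the answer above (an added example, not the answerer's code): it advertises only User under /ResourceTypes and answers every verb on /Groups with the SCIM 404 error body. The base URL, port and route layout are assumptions, and the server uses only the Python standard library.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def resource_types(base_url="https://example.invalid/scim/v2"):
    """Discovery document (RFC 7644 section 4): list only User, never Group."""
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
        "id": "User", "name": "User", "endpoint": "/Users", "schema": USER_SCHEMA,
        "meta": {"resourceType": "ResourceType",
                 "location": base_url + "/ResourceTypes/User"},  # base_url is assumed
    }
    return {"schemas": [SCIM_LIST], "totalResults": 1, "Resources": [user]}


def scim_error(status, detail):
    """SCIM 2.0 error body (RFC 7644 section 3.12); 'status' is a JSON string."""
    return status, {"schemas": [SCIM_ERROR], "detail": detail, "status": str(status)}


def route(method, path):
    """Map a request to (HTTP status, JSON body)."""
    path = path.split("?", 1)[0].rstrip("/")
    if path == "/ResourceTypes" and method == "GET":
        return 200, resource_types()
    if path == "/Groups" or path.startswith("/Groups/"):
        # Groups is unsupported: every verb, with or without an id, gets the SCIM 404
        return scim_error(404, "Resource Type Groups not found")
    return scim_error(404, f"Resource {path} not found")


class Handler(BaseHTTPRequestHandler):
    def _respond(self):
        status, body = route(self.command, self.path)
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/scim+json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _respond


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()  # port is assumed
```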