production-readiness-scim
Scalekit SCIM Production Readiness
Work through each section in order — earlier sections are blockers for later ones.
Quick checks (run first)
- Production environment URL, client ID, and client secret are set (not dev/staging values)
- HTTPS enforced on all endpoints
- API credentials stored in environment variables — never committed to code
- Webhook secret stored in environment variables — never committed to code
SCIM provisioning
- Configure webhook endpoints to receive SCIM events → IT admin setup guides per IdP: https://docs.scalekit.com/guides/integrations/scim-integrations/
- Verify webhook security with signature validation on every request
- Test user provisioning (automatic creation from IdP)
- Test user deprovisioning (deactivation/deletion when removed in IdP)
- Test user profile updates (name, email, attributes synced correctly)
- Test role changes propagated via group membership
- Set up group-based role assignment and sync
- Test error cases: duplicate users, invalid data, missing required fields
- Verify idempotent handling — duplicate events must not create duplicate records
- Deactivation preferred over hard deletion for `user_deleted` events
Webhook reliability:
- Webhook endpoint returns 2xx quickly — offload heavy processing to a queue if needed
- Scalekit retries on non-2xx with exponential backoff (up to 8 attempts over ~10 hours)
- Tested webhook delivery end-to-end with a real IdP or Scalekit's test tool
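The signature check, idempotent handling, fast 2xx with queued processing, and deactivate-instead-of-delete items above, combined in one receiver. This is an added illustration, not Scalekit's own code: the signing layout (HMAC-SHA256 over `<id>.<timestamp>.<body>`), the header names, and the event payload shape are assumptions; confirm the real format in the Scalekit docs or SDK before relying on it.

```python
import hashlib
import hmac
import json
import time
from collections import deque

# Constructed example. The signing layout (HMAC-SHA256 over "<id>.<timestamp>.<body>",
# hex digest) and the header names are assumptions; confirm them in the Scalekit docs/SDK.
WEBHOOK_SECRET = b"constructed-secret-loaded-from-env"
TOLERANCE_SECONDS = 300

seen_event_ids = set()  # idempotency store; use a DB/cache in production
work_queue = deque()    # heavy processing is deferred here, not done in the request
users = {}              # stand-in for the app's user table

def sign(secret, event_id, timestamp, body):
    msg = f"{event_id}.{timestamp}.{body}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(headers, body, now=None):
    now = time.time() if now is None else now
    try:
        timestamp = int(headers["webhook-timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or replayed delivery
    expected = sign(WEBHOOK_SECRET, headers.get("webhook-id", ""), timestamp, body)
    return hmac.compare_digest(expected, headers.get("webhook-signature", ""))

def handle_webhook(headers, body, now=None):
    if not verify(headers, body, now):
        return 401
    event_id = headers["webhook-id"]
    if event_id in seen_event_ids:
        return 200  # retried delivery of an event already accepted: ack, do nothing
    seen_event_ids.add(event_id)
    work_queue.append(json.loads(body))
    return 202  # returned quickly; the worker below does the real work

def process_queue():
    """Worker side: apply SCIM events; deactivate rather than hard delete."""
    while work_queue:
        event = work_queue.popleft()
        uid = event["user_id"]
        if event["type"] == "user_created":
            users.setdefault(uid, {"email": event["email"], "active": True})
        elif event["type"] == "user_deleted" and uid in users:
            users[uid]["active"] = False  # keeps history; easy to roll back
    return users
```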
User and organization management
- Test organization creation and domain assignment
- Test adding and removing users from organizations
- Set allowed email domains for org provisioning (if applicable)
- Set default roles for auto-provisioned users
- Test user deletion flow
RBAC (if implemented):
- Define roles and permissions that map to IdP groups
- Test role assignment via group membership sync
- Verify permission enforcement at API endpoints
- Test access control across all role levels
Network and firewall
Enterprise customers behind VPN or corporate firewall must whitelist:
| Domain | Purpose |
|---|---|
| `<your-env>.scalekit.com` | Directory API + webhook delivery |
| `cdn.scalekit.com` | Static assets |
- Customer firewalls allow Scalekit domains
- SCIM provisioning tested from customer's network environment
Monitoring and incident readiness
- Webhook event monitoring and logging active
- Error tracking configured for provisioning failures
- Alerts configured for failed webhook deliveries
- Log retention policies configured
- Webhook delivery and retry mechanism tested
- Incident response runbook written (who to contact, how to roll back)
- Rollback plan ready (disable SCIM sync without breaking existing users)
Key metrics:
- Webhook delivery success rate
- User provisioning/deprovisioning latency
- Failed sync events (by type and error)
- Group-to-role mapping accuracy