IdP Integration
Arrakis applies tool policy by group. Devs can use one set of Skills, MCPs, and plugins; Business users a different set; Quarantined users none. Group membership is the source of truth, and the source of truth is the customer’s IdP. This page covers how Arrakis ingests user and group membership via SCIM 2.0 so the Arrakis admin UI can offer a per-group policy editor.
Why SCIM 2.0 (push model)
- The customer’s IdP pushes user lifecycle and group membership changes to Arrakis as they happen.
- Arrakis exposes a SCIM 2.0 Service Provider endpoint; the customer’s IdP is the SCIM client.
- Read-only from Arrakis’s side. Arrakis never makes outbound calls to the customer IdP. There is no IdP credential stored on Arrakis. Arrakis cannot mutate the customer directory.
- This is the property that lets customer security teams approve the integration quickly: failure modes on Arrakis cannot corrupt the customer directory.
Cite: RFC 7644 — SCIM Protocol.
What Arrakis exposes (SCIM Service Provider)
| Endpoint | Purpose | Required |
|---|---|---|
| `/v2/Users` | User CRUD | Yes |
| `/v2/Groups` | Group CRUD + membership | Yes |
| `/v2/ServiceProviderConfig` | Advertises supported features | Yes |
| `/v2/ResourceTypes` | Lists supported resource types | Yes |
| `/v2/Schemas` | Lists supported schemas | Yes |
| `/v2/Bulk` | Batched operations | Optional |
HTTP methods Arrakis accepts: POST, GET, PUT, PATCH, DELETE on Users and Groups. PATCH operations follow the SCIM PatchOp message format (RFC 7644 §3.5.2).
Authentication: bearer token (recommended default; universally supported by IdPs) or OAuth 2.0 `client_credentials` grant (RFC 6749 §4.4) for IdPs that prefer rotating credentials.
Customer-side configuration steps (vendor-agnostic)
Customers will recognize these steps in any major IdP.
- Create a generic SCIM 2.0 application in your IdP, pointing at the Arrakis SCIM endpoint URL (provided in the Arrakis platform under Settings → Integrations → IdP).
- Paste the Arrakis-issued SCIM bearer token into the IdP application’s secret/token field.
- Map IdP user attributes to SCIM core User attributes:
  - IdP `mail` → SCIM `userName` and `emails[primary].value`
  - IdP `givenName` → SCIM `name.givenName`
  - IdP `surname`/`sn` → SCIM `name.familyName`
  - IdP stable id (e.g., `objectGUID`, `id`) → SCIM `externalId` (this is the join key — never `displayName`)
  - IdP `accountEnabled` → SCIM `active`
- Map IdP security groups to SCIM groups. Select the subset of groups in scope for Arrakis (typically scoped via an “assigned to app” filter). Examples: `eng-developers`, `data-scientists`, `business-ops`, `quarantine`.
- Enable provisioning lifecycles: create, update (attribute and group membership), deactivate. Confirm soft-delete behavior (PATCH `active: false`) vs. hard `DELETE`.
- Test the connection from the IdP’s “Provisioning” → “Test Connection” button (or equivalent). Arrakis returns the SCIM ServiceProviderConfig.
- Run a manual provisioning sync in the IdP to push the initial set of users and groups.
- Verify in Arrakis under Settings → Identity → Groups that the expected groups appear with member counts matching the IdP.
- Set up automatic provisioning so subsequent changes flow continuously (most IdPs poll every 20–60 minutes).
Group → policy mapping in Arrakis
- Each SCIM-pushed group appears in Settings → Identity → Groups.
- Per-group policy editor lets the admin allow/deny:
- Specific Claude Skills
- Specific MCP servers
- Specific Cursor / Codex plugins
- Specific Anthropic / OpenAI models
- Mandatory hooks (e.g., DLP scanning hook for the Business group)
- Groups also drive Quarantine: a `quarantine` SCIM group with the right policy bound is the cleanest way to suspend access without deleting the user from the IdP. Membership added → policy auto-applied; membership removed → user restored.
Multi-group precedence. Arrakis applies the most-restrictive intersection of all bound policies for the user’s groups. A single user in `eng-developers` AND `quarantine` ends up under the Quarantine policy.
A Default policy applies to users not bound to any group.
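To make the precedence rule and the PatchOp handling concrete, here is an added Python example (not Arrakis code): an in-memory stand-in for the SCIM Service Provider that accepts the User, Group and PatchOp messages of the shape shown in the sample payloads section and resolves a user's effective policy as the most-restrictive intersection of the policies bound to their direct groups, with the Default policy for unbound users and nothing for deactivated ones. The group-to-policy bindings, the skill/MCP names, and the treatment of mandatory hooks as accumulating across groups are assumptions for illustration.

```python
import re
from dataclasses import dataclass
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')  # path IdPs use to remove one member
@dataclass(frozen=True)
class Policy:
    skills: frozenset                # allowed Claude Skills
    mcps: frozenset                  # allowed MCP servers
    hooks: frozenset = frozenset()   # mandatory hooks
NO_ACCESS = Policy(frozenset(), frozenset())
POLICIES = {  # hypothetical group -> policy bindings; the quarantine group allows nothing
    "Default": Policy(frozenset({"web-search"}), frozenset()),
    "eng-developers": Policy(frozenset({"web-search", "code-exec"}), frozenset({"github-mcp"})),
    "business-ops": Policy(frozenset({"web-search"}), frozenset(), frozenset({"dlp-scan"})),
    "quarantine": NO_ACCESS,
}

class ScimStore:  # in-memory stand-in for the Arrakis SCIM service provider
    def __init__(self):
        self.tables = {"Users": {}, "Groups": {}}
    def create(self, kind, payload):  # POST /v2/Users or /v2/Groups
        table = self.tables[kind]
        if any(r["externalId"] == payload["externalId"] for r in table.values()):
            raise ValueError("409 uniqueness: externalId already provisioned")  # join key, never displayName
        rid = f"{kind[0]}-{len(table) + 1}"
        table[rid] = dict(payload, id=rid)
        return rid
    def patch(self, kind, rid, payload):  # PATCH /v2/{Users,Groups}/{id}; PatchOp shapes from this page
        if payload.get("schemas") != [PATCH_OP]:
            raise ValueError("400 invalidSyntax: not a PatchOp message")
        res = self.tables[kind][rid]
        for op in payload["Operations"]:
            if op["op"] == "add" and op.get("path") == "members":
                res.setdefault("members", []).extend(op["value"])
            elif op["op"] == "remove" and (m := MEMBER_FILTER.fullmatch(op.get("path", ""))):
                res["members"] = [x for x in res.get("members", []) if x["value"] != m.group(1)]
            elif op["op"] == "replace" and op.get("path") == "active":
                res["active"] = bool(op["value"])            # soft delete (or reactivation)
            else:
                raise ValueError(f"501 unsupported operation: {op}")
    def effective_policy(self, uid):  # most-restrictive intersection over the user's direct groups
        if not self.tables["Users"][uid].get("active", True):
            return NO_ACCESS                                 # deprovisioned: nothing allowed
        bound = [POLICIES[g["displayName"]] for g in self.tables["Groups"].values()
                 if g["displayName"] in POLICIES and any(m["value"] == uid for m in g.get("members", []))]
        if not bound:
            return POLICIES["Default"]                       # user bound to no group
        return Policy(frozenset.intersection(*(p.skills for p in bound)),
                      frozenset.intersection(*(p.mcps for p in bound)),
                      frozenset.union(*(p.hooks for p in bound)))  # mandatory hooks accumulate
```

Feeding the store the page's own sequence (create user, create group, add member, deactivate) shows the user moving from Default, to the group policy, to nothing once `active` is set to false.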
Sample SCIM payloads
Create user (`POST /v2/Users`):

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "externalId": "a1b2c3d4-idp-guid",
  "userName": "alice@customer.example",
  "name": { "givenName": "Alice", "familyName": "Nguyen" },
  "emails": [
    { "value": "alice@customer.example", "type": "work", "primary": true }
  ],
  "active": true
}
```

Create group (`POST /v2/Groups`):

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "externalId": "grp-engineering-7f3a",
  "displayName": "Engineering",
  "members": [
    { "value": "9c1e...arrakis-user-id", "type": "User" }
  ]
}
```

Add a member to a group (`PATCH /v2/Groups/{id}`):

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "add",
      "path": "members",
      "value": [{ "value": "9c1e...arrakis-user-id", "type": "User" }]
    }
  ]
}
```

Deprovision (soft delete) (`PATCH /v2/Users/{id}`):

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    { "op": "replace", "path": "active", "value": false }
  ]
}
```

Limitations and edge cases
- Polling lag. Most IdPs poll the SCIM endpoint on a schedule (commonly 20–40 minutes). For instant deprovisioning, pair SCIM with the Arrakis Quarantine flow (which also requires the MDM block — see Quarantine).
- Nested groups. SCIM 2.0 supports groups-as-members but most IdPs flatten before pushing. Arrakis evaluates only direct membership; configure the IdP to flatten nested groups.
- JIT provisioning. Arrakis does NOT auto-create users from SAML or any other login flow. SCIM is authoritative. If a user signs in via SSO before SCIM has provisioned them, Arrakis rejects the sign-in by default.
- Token rotation. Bearer tokens have no built-in rotation; rotate manually via Arrakis admin UI on a 90-day cadence.
- Audit log export. SCIM/SAML do not cover this; if customers need SIEM export of group-policy decisions, that is a separate Arrakis feature — see Multi-sending OTel.
SAML SSO (optional, for sign-in to Arrakis platform)
Customers who use SAML SSO to sign in to the Arrakis admin UI itself can also configure that here — but it is separate from the SCIM ingestion of group membership for policy. SAML governs admin login; SCIM governs end-user policy. Do not conflate them.
Arrakis is a SAML 2.0 SP and accepts standard SP-initiated and IdP-initiated flows (OASIS SAML 2.0). NameID format: `emailAddress`.
Where Arrakis-side configuration lives
The Arrakis SCIM endpoint URL, bearer token, and ServiceProviderConfig are provisioned per-tenant in the Arrakis platform under Settings → Integrations → IdP. Group → policy bindings live under Settings → Identity → Groups.
Cross-references
- Quarantine — using a SCIM group to drive instant suspension
- MDM Sync & Change Management — group-aware policy push
- Offboarding — full tenant disconnect