SCIM only okta (#41125)

* Changes required for implementing a standalone (i.e. without Okta Sync compatibility) SCIM service in teleport.e.

Includes:

 * `tctl plugins delete` and `tctl plugins create scim` tooling
 * Moving some constants from teleport.e to OSS
 * Protobuf message types for standalone SCIM settings
 * UI updates for rendering SCIM users

Changelog: Added plugin management tooling to tctl

* Adds validation to SCIM settigs

* Linter fixup

* linter appeasement

Author: tcsc

api/proto/teleport/legacy/types/types.proto

@@ -5791,6 +5791,8 @@ message PluginSpecV1 {
     PluginGitlabSettings gitlab = 12;
     // Settings for the Entra ID plugin
     PluginEntraIDSettings entra_id = 13;
+    // Settings for the SCIM plugin
+    PluginSCIMSettings scim = 14;
   }
 
   // generation contains a unique ID that should:
@@ -5992,6 +5994,19 @@ message PluginEntraIDSyncSettings {
   repeated string default_owners = 1;
 }
 
+// PluginSCIMSettings defines the settings for a SCIM integration plugin
+message PluginSCIMSettings {
+  option (gogoproto.equal) = true;
+
+  // SamlConnectorName is the name of the SAML Connector that users provisioned
+  // by this SCIM plugin will use to log in to Teleport.
+  string saml_connector_name = 1;
+
+  // DefaultRole is the default role assigned to users provisioned by this
+  // plugin.
+  string default_role = 2;
+}
+
 message PluginBootstrapCredentialsV1 {
   oneof credentials {
     PluginOAuth2AuthorizationCodeCredentials oauth2_authorization_code = 1;

api/types/common/constants.go

@@ -54,6 +54,10 @@ const (
 	// created from the Okta service.
 	OriginOkta = "okta"
 
+	// OriginSCIM is an Origin value indicating that a resource was provisioned
+	// via a SCIM service
+	OriginSCIM = "scim"
+
 	// OriginIntegrationAWSOIDC is an origin value indicating that the resource was
 	// created from the AWS OIDC Integration.
 	OriginIntegrationAWSOIDC = "integration_awsoidc"
@@ -75,6 +79,7 @@ var OriginValues = []string{
 	OriginCloud,
 	OriginKubernetes,
 	OriginOkta,
+	OriginSCIM,
 	OriginDiscoveryKubernetes,
 	OriginEntraID,
 }

api/types/constants.go

@@ -1232,3 +1232,17 @@ const (
 	// ApplicationProtocolTCP is the TCP apps protocol.
 	ApplicationProtocolTCP = "TCP"
 )
+
+const (
+	// HostedPluginLabel defines the name for the hosted plugin label.
+	// When this label is set to "true" on a Plugin resource,
+	// it indicates that the Plugin should be run by the Cloud service,
+	// rather than self-hosted plugin services.
+	HostedPluginLabel = TeleportNamespace + "/hosted-plugin"
+)
+
+const (
+	// SCIMBaseURLLabel defines a label indicating the base URL for
+	// interacting with a plugin via SCIM. Useful for diagnostic display.
+	SCIMBaseURLLabel = TeleportNamespace + "/scim-base-url"
+)

api/types/plugin.go

@@ -40,6 +40,7 @@ var AllPluginTypes = []PluginType{
 	PluginTypeMattermost,
 	PluginTypeDiscord,
 	PluginTypeEntraID,
+	PluginTypeSCIM,
 }
 
 const (
@@ -69,6 +70,8 @@ const (
 	PluginTypeGitlab = "gitlab"
 	// PluginTypeEntraID indicates the Entra ID sync plugin
 	PluginTypeEntraID = "entra-id"
+	// PluginTypeSCIM indicates a generic SCIM integration
+	PluginTypeSCIM = "scim"
 )
 
 // PluginSubkind represents the type of the plugin, e.g., access request, MDM etc.
@@ -83,6 +86,9 @@ const (
 	PluginSubkindAccess = "access"
 	// PluginSubkindAccessGraph represents access graph plugins collectively
 	PluginSubkindAccessGraph = "accessgraph"
+	// PluginSubkindProvisioning represents plugins that create and manage
+	// Teleport users and/or other resources from an external source
+	PluginSubkindProvisioning = "provisioning"
 )
 
 // Plugin represents a plugin instance
@@ -304,6 +310,13 @@ func (p *PluginV1) CheckAndSetDefaults() error {
 		if err := settings.EntraId.Validate(); err != nil {
 			return trace.Wrap(err)
 		}
+	case *PluginSpecV1_Scim:
+		if settings.Scim == nil {
+			return trace.BadParameter("Must be used with SCIM settings")
+		}
+		if err := settings.Scim.CheckAndSetDefaults(); err != nil {
+			return trace.Wrap(err)
+		}
 	default:
 		return trace.BadParameter("settings are not set or have an unknown type")
 	}
@@ -471,6 +484,9 @@ func (p *PluginV1) GetType() PluginType {
 		return PluginTypeGitlab
 	case *PluginSpecV1_EntraId:
 		return PluginTypeEntraID
+	case *PluginSpecV1_Scim:
+		return PluginTypeSCIM
+
 	default:
 		return PluginTypeUnknown
 	}
@@ -632,6 +648,18 @@ func (c *PluginEntraIDSettings) Validate() error {
 	return nil
 }
 
+func (c *PluginSCIMSettings) CheckAndSetDefaults() error {
+	if c.DefaultRole == "" {
+		return trace.BadParameter("default_role must be set")
+	}
+
+	if c.SamlConnectorName == "" {
+		return trace.BadParameter("saml_connector_name must be set")
+	}
+
+	return nil
+}
+
 // GetCode returns the status code
 func (c PluginStatusV1) GetCode() PluginStatusCode {
 	return c.Code