Harden enterprise SAML and SCIM GA path by Bobcatsfan33 · Pull Request #92 · Bobcatsfan33/TokenDNA

Bobcatsfan33 · 2026-05-23T17:42:04Z

Summary

move SAML/SCIM from alpha docs to production-gated local IdP integration flow
add durable SAML request/replay state and durable tenant-scoped SCIM users/groups
add SAML/SCIM preflight gates, runtime dependencies, Docker build support, and IdP GA validation harness

python3 -m pytest -q tests/test_saml_scim.py tests/test_preflight_prod.py
python3 -m pytest -q tests
python3 -m ruff check modules/auth/saml.py modules/auth/scim.py api.py scripts/preflight_prod.py scripts/idp_ga_validation.py tests/test_saml_scim.py tests/test_preflight_prod.py modules/storage/migrations.py alembic/versions/0001_baseline.py
docker build -t tokendna:idp-ga-check .
docker run --rm --entrypoint python tokendna:idp-ga-check -c "import onelogin.saml2.response, defusedxml; print('saml-runtime-ok')"

+    """
+    try:
+        raw = base64.b64decode(saml_response_b64, validate=True)
+        root = SafeElementTree.fromstring(raw)


Harden enterprise SAML and SCIM GA path

0829cfb

github-advanced-security AI found potential problems May 23, 2026

View reviewed changes

Comment thread modules/auth/saml.py

"""

try:

raw = base64.b64decode(saml_response_b64, validate=True)

root = SafeElementTree.fromstring(raw)

Bobcatsfan33 added 2 commits May 23, 2026 14:14

Support SCIM bearer API keys for IdPs

bab60d8

Document Okta SCIM bearer validation

b290cb9