Implementing a SCIM 2.0 server with OAuth 2.0 and supporting multi-tenancy (with multiple possible IdPs)


I've implemented a test SCIM 2.0 server with OAuth 2.0 and managed to integrate it with Okta, mostly by modifying code from here https://github.com/andreihava-okta/sample-node-scim-server. As I understand, the integration would need an access token to access the IdP's API, so that an OAuth 2.0 bearer token can be created and sent when accessing the Service Provider's API. My current concern is that I need to support multi-tenancy in my actual application, and my tenants might have different IdPs. Here is how I'm planning to support multi-tenancy:

Scim endpoint:
<host>/<tenant>/scim

Tenant A might use Okta, and Tenant B might use Azure AD. When I receive a REST request, e.g. at /Users, how do I know whether the Bearer Token was one from Okta or Azure AD? Do I need to additionally add a configuration UI in my app to tie a tenant to its IdP?


Answer by hawk:

You could use the 'cid' claim (Client ID of the client that requested the access token) to find out who is passing the token.