Open marcomenoni opened 6 years ago
A SCIM service provider can work in both ways, but the RFC does not mandate how to accomplish that. IMHO, we do not need full auth features in the first release.
API consumers can already implement identity authentication by filtering for username/password (a secure connection must be used, i.e. HTTPS, because of the clear-text password).
Should features like credential validation, password recovery and account locking be included in scimd? Or should these be handled by another module with direct access to the identity store?