What Is System for Cross-Domain Identity Management (SCIM)?


Managing user identities in enterprise environments is complex. The average employee uses 36 cloud-based services in a day and the average enterprise uses almost 1300 cloud services. It’s the responsibility of IT teams to ensure that users can access these apps and all the intended functionalities within them. With organizations’ digital footprints ballooning day by day, reliable syncing of user identity information across apps is important.

That’s where SCIM comes in. In this article, we will explore the role of SCIM in user identity management, its benefits, and how it contributes to a more secure and efficient user experience.

What is SCIM and how does it work?

System for Cross-Domain Identity Management (SCIM) is an HTTP-based protocol that allows for seamless integration and management of user identity data across identity providers and cloud-based service providers. The goal of implementing this protocol is to manage the exchange of user identity information between a company’s cloud-based applications and their service providers (e.g. enterprise SaaS apps).

SCIM is a set of JSON- and REST-based specifications developed to simplify user identity management across multiple domains. It provides a consistent schema for representing users and groups, as well as a standardized API for managing these identities. By using SCIM, organizations can streamline the process of creating, reading, updating, and deleting (i.e. CRUD actions) user accounts and group memberships across different platforms.

For example, a company may use Microsoft Azure as its identity provider (IdP), which would then contain a directory of user identities. The company may also use SaaS apps like Slack or Dropbox for its employees, and these apps would need a subset of user identity information. Rather than manually syncing, updating and deleting these identity details on all apps, IT teams and developers can use SCIM to automate and simplify the entire process.

As the diagram below illustrates, a company that provides SCIM also provides different endpoints from which applications can make and deliver requests.

[Diagram: SCIM endpoints]

The core components of SCIM are usually defined as follows:

  1. Schema: This defines the structure and attributes of resources, like users and tenants.

  2. Protocol: This describes the API operations that can be performed on the users or other resources, like Create, Update, Delete, and Search.

  3. Endpoints: These are the RESTful API endpoints that are used for managing resources like users and tenants, as defined in the protocol.

These core components are then used to create a centralized user management system across different applications. The protocol was originally published as an IETF specification.

Common SCIM use cases

To enable SCIM-based identity management, both the Identity Provider (IdP) and the Service Provider (SP) must support the protocol. An IdP is a service that stores and verifies user identity; it is responsible for managing the user accounts and their associated attributes. An SP is the application or service that requires user access.

These are some of the most common use cases for SCIM with an IdP:

  • User provisioning: When a new user is created or updated in the IdP, it sends a request to the SCIM endpoint to create or update the corresponding user account. This process keeps the user data synchronized between the IdP and the application, ensuring that the user always has the appropriate access to protected resources.

  • User deprovisioning: When a user's access needs to be revoked, such as when an employee leaves a company, the IdP will send an HTTP request to the SCIM endpoint to remove the user account or disable access. This ensures that the user no longer has access to the SP's resources.

  • Filtering and pagination: SCIM supports filtering and pagination, enabling the IdP to search for specific users or tenants based on certain attributes or conditions. This feature is useful for large organizations that have to manage a voluminous set of user accounts.
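The three use cases above, seen from the service provider's side, as an added example (not code from this article or from any vendor): a toy in-memory `/Users` endpoint that is provisioned, deprovisioned and searched. The class and method names are hypothetical and error bodies are simplified; the schema URNs are the standard SCIM 2.0 ones.

```python
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimServiceProvider:
    """Hypothetical in-memory SP; each method returns (HTTP status, JSON body)."""
    def __init__(self):
        self.users = {}  # SCIM id -> User resource

    def create_user(self, body):  # POST /Users (provisioning)
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return 400, {"detail": "invalid User resource"}
        # userName is compared case-insensitively; duplicates are a conflict.
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return 409, {"detail": "userName already exists"}
        user = {**body, "id": str(uuid.uuid4()), "active": body.get("active", True)}
        self.users[user["id"]] = user
        return 201, user

    def patch_user(self, user_id, body):  # PATCH /Users/{id} (deprovisioning)
        user = self.users.get(user_id)
        ops = body.get("Operations", [])
        if user is None:
            return 404, {"detail": "no such user"}
        # Reject the whole request before changing anything if any op is unsupported.
        if PATCH_SCHEMA not in body.get("schemas", []) or any(
                o.get("op", "").lower() != "replace" or o.get("path") != "active" for o in ops):
            return 400, {"detail": "unsupported PatchOp"}
        for op in ops:
            # Accept JSON booleans and "True"/"False" strings; bool("False") would be True.
            user["active"] = str(op.get("value")).lower() == "true"
        return 200, user

    def list_users(self, scim_filter=None, start_index=1, count=100):  # GET /Users
        matches = sorted(self.users.values(), key=lambda u: u["userName"])
        if scim_filter is not None:  # only `userName eq "<value>"` is supported here
            m = re.fullmatch(r'userName eq "([^"]*)"', scim_filter)
            if m is None:
                return 400, {"detail": "unsupported filter"}
            matches = [u for u in matches if u["userName"].lower() == m.group(1).lower()]
        start = max(start_index, 1)  # SCIM pagination is 1-based
        page = matches[start - 1:start - 1 + max(count, 0)]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches),
                     "startIndex": start, "itemsPerPage": len(page), "Resources": page}

if __name__ == "__main__":
    sp = ScimServiceProvider()  # constructed sample user below
    print(sp.create_user({"schemas": [USER_SCHEMA], "userName": "alice@example.com"}))
```

After a deprovisioning PATCH, the SP should also check `active` wherever it grants access (login, API tokens, existing sessions); the flag alone does not end a session that is already open.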

How SCIM relates to authentication

Authentication is the process of validating the identity of a user, device, or system. Authentication plays a vital role in ensuring that only intended users have access to specific protected resources. Utilizing SCIM allows applications to manage their user identities across multiple systems, creating an easy environment for maintaining accurate and up-to-date authentication information.

SCIM vs SAML vs SSO

SCIM vs SAML

Security Assertion Markup Language (SAML) is an open XML-based standard that helps identity providers and service providers exchange authentication and authorization information. While SAML and SCIM are both protocols used in the IAM realm, they fulfill different purposes.

SAML is meant for authentication and authorization, while SCIM is meant for automating user provisioning and deprovisioning across different apps. With SAML, users can access multiple apps with a single set of credentials. With SCIM, the IT team can easily synchronize user information across multiple apps to account for new users being created, updated, or removed.

SCIM vs SSO

One of the most significant advantages of SCIM is its ability to support Single Sign-On (SSO). SSO allows users to access multiple applications and services with a single set of credentials. This reduces the need for multiple usernames and passwords, simplifying the user experience and improving security by reducing the risk of password-related breaches.

SCIM and SSO work closely together but are meant to serve different goals. SCIM’s main purpose is to facilitate identity information sharing to apps across multiple domains. On the other hand, SSO is meant to authenticate users with a single set of credentials across apps. 

By integrating SCIM with an SSO solution, user accounts can be centrally managed, ensuring that authentication information is consistent across all applications and services. 

Benefits of SCIM

Adopting SCIM provisioning helps enterprise organizations in many ways:

  • Simplified identity management: SCIM makes it easier to manage identities across different platforms by providing a consistent schema for user and group representation, reducing the complexity of managing multiple different systems.

  • Enhanced security: SCIM helps maintain up-to-date authentication information, reducing the risk of unauthorized access due to outdated or inaccurate user data. Implementation of SCIM with SSO also eliminates the need for password-sharing and the security vulnerabilities those practices can bring.

  • Improved user experience: The integration of SCIM with SSO allows users to access multiple applications and services using a single set of credentials, simplifying the authentication process and reducing the likelihood of credential-related security breaches.

  • Scalability: SCIM was designed with scalability in mind and supports large-scale identity management in organizations of any size. It eliminates the need for developers to grapple with custom APIs to integrate different systems, instead relying on standardized schemas that save time and effort.

Conclusion

SCIM provisioning and deprovisioning play a crucial role in modern identity management systems, providing a standardized framework for syncing user identities across multiple platforms.

B2B applications serving enterprise customers are expected to support SCIM, but it can be complicated to implement and maintain in-house. Descope helps organizations get enterprise-ready with single sign-on, fine-grained authorization, and SCIM provisioning. Check out our docs and demo videos with Okta and Microsoft Azure.

To get started with Descope, sign up for a Free Forever account and join the AuthTown community for any questions or feedback. Have an authentication project and need help? Book time with our auth experts.