What Is SCIM & How It Works
Share
Managing user identities in enterprise environments is complex. The average employee uses 36 cloud-based services in a day and the average enterprise uses almost 1,300 cloud services. It’s the responsibility of IT teams to ensure that users can access these apps and all the intended functionalities within them. With organizations’ digital footprints ballooning daily, reliable syncing of user identity information across apps is important.
That’s where SCIM comes in. In this article, we will explore the role of SCIM in user identity management, its benefits, and how it contributes to a more secure and efficient user experience.
What is SCIM?
SCIM stands for System for Cross-Domain Identity Management. It is an HTTP-based open standard built for user provisioning between Identity Providers (IdP) and cloud-based Service Providers (SP).
SCIM is a set of JSON and REST-based specifications developed to simplify user identity management across multiple domains. It provides a consistent schema for representing users and groups, as well as a standardized API for managing these identities. By using SCIM, organizations can streamline the process of creating, reading, updating, and deleting (CRUD actions) user accounts and group memberships across different platforms.
For example, a company may use Microsoft Azure as the IdP, which would thus contain a directory of user identities. The company may also use SaaS apps like Slack or Dropbox for their employees – these apps would need a subset of user identity information. Rather than manually syncing, updating and deleting these identity details on all apps, IT teams and developers can use SCIM to automate and simplify the entire process.
How SCIM relates to authentication
Authentication is the process of validating the identity of a user, device, or system. Authentication plays a vital role in ensuring that only intended users have access to specific protected resources. Utilizing SCIM allows applications to manage their user identities across multiple systems, creating an easy environment for maintaining accurate and up-to-date authentication information.
How SCIM works
As mentioned before, SCIM works by providing a standard schema and protocol for automating the exchange of user identity information between IdPs or SPs. Here's an overview:
The core components of SCIM are usually defined as such:
Schema: This defines the structure and attributes of resources, like users and tenants. This standardization ensures consistency in the way user identities are described across different systems, facilitating easier data integration and mapping.
Protocol: Uses RESTful APIs to enable communication between systems for user identity management tasks. The protocol supports common operations such as Create, Read, Update, and Delete (CRUD) for managing user and group objects in a standardized way.
Endpoints: URLs at which API operations can be accessed to perform actions on resources such as users, groups, or other entities defined within the SCIM protocol.
As the diagram below illustrates, a company that provides SCIM also provides different endpoints from which applications can make and deliver requests.
A typical SCIM flow would look like this:
Provisioning (Onboarding): When a new user is added to a source system (e.g., an HR system or IdP), a SCIM create operation can be triggered to automatically create a corresponding user account in target systems (e.g., email, collaboration tools, SaaS applications).
Synchronization: User attributes (such as job title, department, or email address) can be kept synchronized across systems. If a user's details change in the source system, SCIM update operations can propagate these changes to target systems, ensuring information consistency.
Deprovisioning (Offboarding): When a user leaves the organization or no longer requires access to certain systems, a SCIM delete operation can remove or disable the user accounts and access rights in target systems.
To implement SCIM, both the source and target systems must support the SCIM standard. The source system acts as a SCIM client, while the target systems act as SCIM servers or SPs, responding to RESTful API calls from the client to perform the necessary user identity management operations.
Common SCIM use cases
SCIM can be used in various scenarios to streamline and automate the management of user identities across different systems, platforms, and applications. These are some of the most common use cases for SCIM with an IdP:
User provisioning: When a new user is created or updated in the IdP, it sends a request to the SCIM endpoint to create or update the corresponding user account. This process keeps the user data synchronized between the IdP and the application, ensuring that the user always has the appropriate access to protected resources.
User deprovisioning: When a user's access needs to be revoked, such as when an employee leaves a company, the IdP will send an HTTP request to the SCIM endpoint to remove the user account or disable access. This ensures that the user no longer has access to the SP's resources.
Filtering and pagination: SCIM supports filtering and pagination, enabling the IdP to search for specific users or tenants based on certain attributes or conditions. This feature is useful for large organizations that have to manage a voluminous set of user accounts.
Benefits of SCIM
Adopting SCIM provisioning helps enterprise organizations in different ways:
Simplified identity management: SCIM makes it easier for IT teams to manage identities across different platforms by providing a consistent schema for user and group representation, reducing the complexity of managing multiple systems. This is critical in large, distributed environments where keeping user information synchronized manually can be prone to errors.
Enhanced security: SCIM helps maintain up-to-date authentication information, reducing the risk of unauthorized access due to outdated or inaccurate user data. Implementing SCIM with SSO also eliminates the need for password sharing and the security vulnerabilities those practices can bring. For example, timely de-provisioning of user accounts when employees leave the organization helps prevent unauthorized access. Additionally, SCIM supports fine-grained access control, enabling precise management of user permissions in line with the principle of least privilege.
Improved user experience: The integration of SCIM with SSO allows users to access multiple applications and services using a single set of credentials, simplifying the authentication process and reducing the likelihood of credential-related security breaches. Moreover, it reduces the reliance on IT support for routine account management tasks.
Scalability: SCIM was designed with scalability in mind and supports large-scale identity management in organizations of any size. It eliminates the need for developers to grapple with custom APIs to integrate different systems, instead relying on standardized schemas that save time and effort.
SCIM vs SAML vs SSO
SCIM, SAML, and SSO are all important standards and methods used for identity and access management (IAM), but they serve different purposes and operate in distinct ways:
SCIM | SAML | SSO | |
|---|---|---|---|
Purpose | Automates management of user identities across systems | Exchanges authentication and authorization data | Allows access to multiple applications with one login |
Main Use Cases | User provisioning and deprovisioning | Single Sign-On (SSO), Federated Identity Management | Streamlining user access to multiple services |
How It Works | Uses RESTful APIs to manage create, read, update, delete operations on identities | Uses XML-based assertions for exchanging auth data between IdP and SP | Provides seamless access via a single authentication process using protocols like SAML, OAuth |
SCIM vs SAML
Security Assertion Markup Language (SAML) is an open XML-based standard that helps IdPs and SPs exchange authentication and authorization information. While SAML and SCIM are both protocols used for IAM, they fulfill different purposes.
SAML is meant for authentication and authorization, while SCIM is meant for automating user provisioning and de-provisioning across different apps. With SAML, users can access multiple apps with a single set of credentials. With SCIM, the IT team can easily synchronize user information across multiple apps to account for new users being created, updated, or removed.
SCIM vs SSO
One of the most significant advantages of a SCIM specification is its ability to support SSO, which allows users to access multiple applications and services with a single set of credentials. This reduces the need for multiple usernames and passwords, simplifying the user experience and improving security by reducing the risk of password-related breaches.
SCIM and SSO work closely together but are meant to serve different goals. SCIM’s main purpose is to facilitate identity information sharing to apps across multiple domains. On the other hand, SSO is meant to authenticate users with a single set of credentials across apps. By integrating SCIM with an SSO solution, user accounts can be centrally managed, ensuring that authentication information is consistent across all applications and services.
Seamless SCIM provisioning with Descope
SCIM provisioning and deprovisioning are fundamental components of modern identity management systems, providing a standardized framework for syncing user identities across multiple platforms.
Nowadays, B2B applications are expected to incorporate SCIM, which is not just a luxury but a necessity for efficiently serving enterprise clientele. However, it can be complicated to implement and maintain it in-house. Descope’s drag-and-drop CIAM platform helps organizations get enterprise-ready with capabilities such as single sign-on, fine-grained authorization, and SCIM provisioning.
Check out our SCIM management docs and demo videos with Okta and Microsoft Azure.
To get started with Descope, sign up for a Free Forever account. Have questions about deploying SCIM? Book time with our experts.
