What is the system for cross-domain identity management (SCIM)?

Managing user identities across multiple applications and services can be a daunting task for organizations. Each system often has its own way of representing and storing user information, leading to data silos, inconsistencies, and manual overhead. This is where the system for cross-domain identity management (SCIM) comes in. 

How does SCIM work?

SCIM defines a standardized way to represent and manage user identities. It specifies a schema for common user attributes, like names, email addresses, and roles, as well as a RESTful API for performing CRUD (create, read, update, delete) operations on these identities.

The SCIM protocol uses a REST architecture, typically with data formatted as JSON, although XML is also supported. Here's a comprehensive view of how SCIM enables user management across systems:

1. An identity provider (IdP) or a central user store acts as the source of truth for user identities.
2. A client application (often the IdP) sends an HTTP request to a SCIM service provider endpoint to create, retrieve, modify, or delete user identity data.
3. A SCIM client application (often the IdP) sends an HTTP request to a SCIM endpoint on a SCIM server to create, retrieve, modify, or delete user data.
4. The request includes a JSON representation of the user identity, adhering to the SCIM schema.
5. When a new user is created or an existing user is updated in the IdP, it sends a SCIM request to the target applications.
6. The service provider provisions or updates the user account according to the provided attributes.
7. The service provider returns an HTTP response indicating the status of the operation, along with a JSON representation of the resulting user state.
8. If a user is deactivated or deleted in the IdP, a SCIM request is sent to the target applications to disable or remove the corresponding user accounts.

This process, known as SCIM provisioning, automates the lifecycle management of user accounts across various apps. It involves a SCIM client (usually the IdP or a dedicated provisioning service) sending requests to SCIM endpoints on SCIM servers (the target applications or identity stores).

SCIM's schema allows for modeling users, groups, roles, and entitlements. This enables interoperability by providing a shared understanding of identity data across different systems and applications. The current version, SCIM 2.0, has been widely adopted by major identity providers such as Microsoft Azure AD and Okta. These platforms leverage SCIM to offer robust, federated identity management solutions that can automatically provision and deprovision user accounts across a wide range of applications.

Total control over identity & access across apps

See Rippling IAM

What are the key components of SCIM?

SCIM consists of several key components that work together to enable interoperable identity management:

• Core schema: Defines a common set of attributes for representing users and groups. This schema ensures that systems have a shared understanding of user identity data.
• Extension model: Allows for extending the core schema with custom, application-specific attributes. This flexibility enables SCIM to accommodate diverse use cases and requirements.
• Protocol: Specifies how clients interact with SCIM-compliant APIs using RESTful HTTP methods (POST, GET, PUT, PATCH, DELETE) and JSON payloads.
• API endpoints: Define the paths for accessing and manipulating SCIM resources, such as /Users for managing user identities and /Groups for managing group memberships.
• Authentication and authorization: SCIM leverages industry-standard security protocols, like OAuth and OpenID Connect, to secure API interactions and ensure that only authorized clients can access identity data.

What are the benefits of implementing SCIM?

Adopting SCIM offers numerous benefits for organizations, irrespective of their size or industry:

• Increased efficiency: SCIM automates user provisioning and deprovisioning processes, reducing manual efforts and saving time for IT teams. 
• Improved security: With SCIM, organizations can enforce consistent access policies across multiple systems, ensuring that users have the right permissions based on their roles and attributes. 
• Enhanced user experience: SCIM enables faster onboarding and seamless access to applications, as user accounts are automatically provisioned with the necessary permissions. 
• Simplified compliance: By providing a centralized view of user identities and access rights, SCIM makes it easier for organizations to audit user activities and demonstrate compliance with regulations like GDPR, HIPAA, and SOC 2.
• Reduced costs: Automating user management processes with SCIM can significantly reduce operational costs associated with manual provisioning, helpdesk support, and access management.

Automate user provisioning across your SaaS apps

See Rippling IAM

Common SCIM use cases

To better understand the practical applications of SCIM, let's explore some common use cases and real-world examples.

Streamlining employee onboarding

Imagine a large enterprise that uses multiple cloud-based applications, such as Office 365, Salesforce, and Slack. When a new employee joins the company, traditionally, IT administrators would need to manually create user accounts in each of these systems, a time-consuming and error-prone process.

With SCIM, the company can automate this process. When a new employee is added to the company's HR system, SCIM automatically creates the necessary user accounts in all connected applications, based on the employee's role and department. This not only saves time but also ensures that the employee has access to the right resources from day one.

Ensuring consistent access control

Another challenge organizations face is maintaining consistent access control policies across multiple systems. For example, when an employee changes roles or leaves the company, their access rights need to be updated or revoked in a timely manner.

SCIM enables organizations to define and enforce access control policies centrally. When a user's attributes change in the identity provider, SCIM automatically propagates these changes to all connected applications. This helps maintain security and compliance by ensuring that users only have access to the resources they need.

Enabling seamless collaboration

In today's interconnected business environment, organizations often need to collaborate with external partners, customers, or contractors. Managing identities and access for these external users can be complex, especially when multiple systems are involved.

SCIM simplifies this process by enabling organizations to provision and manage external user identities across applications. For instance, a company can use SCIM to grant a contractor access to specific resources in their project management and file-sharing systems, without having to create separate accounts in each system.

Frequently asked questions

How is SCIM different from single sign-on (SSO)?

While SCIM and SSO both relate to identity management, they serve different purposes:

• SCIM focuses on user provisioning and synchronization of identity data across applications. It ensures consistent user management.
• SSO enables users to authenticate once and access multiple applications without logging in again. It improves the user experience and productivity.

SCIM and SSO are complementary standards that are often used together for comprehensive identity and access management.

Does SCIM replace existing identity and access management (IAM) systems?

No, SCIM is not meant to replace existing IAM systems. Rather, it provides a standardized interface for IAM systems to interoperate with each other and with applications. SCIM allows organizations to keep their existing identity stores, such as Active Directory or LDAP, while providing a consistent way to expose identity data to cloud services and applications. 

Is SCIM the same as SAML?

No, SCIM and Security Assertion Markup Language (SAML) are different standards serving different purposes in identity management:

• SCIM is focused on user provisioning and synchronization of identity data between applications. It defines how user identities are created, updated, and deleted across systems.
• SAML is an authentication protocol that enables SSO by allowing users to log in once and access multiple applications without re-entering credentials.

Streamline user access management across HR & IT

See Rippling