What is SCIM and How it Automates User Provisioning

SCIM System for Cross-domain Identity Management

Using SCIM allows users to access resources within unrelated partner environments automatically without organizations needing to create and maintain external user accounts.

What is SCIM and Why is it Important?

SCIM, or System for Cross-domain Identity Management, is an open standard designed to secure and manage user identity data.

Developed in 2011, SCIM aims to securely automate the exchange of user identity data between your company’s cloud applications and any service providers, such as enterprise SaaS applications. This is the SCIM model.

That is a good definition, but what does that really mean and why should you care?

To answer that question, let’s talk use cases first. Let’s say you have a web application and you want to integrate it with another service to enhance the application’s functionality, e.g. ServiceNow for service management or Salesforce for fulfillment. To do this you need to push user data to the integrated application so that you can provide a unified experience across that application.

How to Push User Data to Integrated Applications

The most common ways of doing this include:

  1. If that application has a web service, you are going to need to write methods to push the data there using their published APIs.
  2. Export files from your application and send them via batch jobs to that application. More challenging, but, yes, this still happens.
  3. Push data directly via insecure / private protocols (LDAP, JDBC, etc.) to internal systems.

Note: Yes, I specifically said private / internal here; you should never use these over the Internet unless you have some other compensating control / protection (e.g. a private VPN tunnel).

How the SCIM Standard Saves Time

Given the above, if you need to push users to multiple integrations and targets you must be prepared that this can take a lot of time and effort to complete.

SCIM addresses this issue and gives application developers and identity consumers a common way for defining users and groups.

  • For the target application(s) in the use case above, they define an API using the SCIM standard.
  • For applications, when they need to push identity data to the target application, they now have a common way (and libraries) to create users in the target applications.
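To make the "common way of defining users" concrete, here is an added example (not code from the original post) of what a SCIM 2.0 User resource looks like on the wire: a function that maps a constructed internal record to the core User schema, a provider-side validation of an inbound User, and the PatchOp an identity provider sends to deactivate a user on offboarding. The internal record fields (`id`, `login`, `first`, `last`, `email`, `enabled`) are assumptions for illustration.

```python
import json
import re

# Schema URNs defined by the SCIM core schema and protocol specs (RFC 7643 / RFC 7644).
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def to_scim_user(record: dict) -> dict:
    """Map an internal user record (constructed field names) to a SCIM core User resource."""
    return {
        "schemas": [SCIM_USER],
        "externalId": record["id"],  # the caller's own identifier for the user
        "userName": record["login"],
        "name": {"givenName": record["first"], "familyName": record["last"]},
        "emails": [{"value": record["email"], "type": "work", "primary": True}],
        "active": record.get("enabled", True),
    }

def validate_scim_user(payload: dict) -> list:
    """Provider-side checks on an inbound User; returns a list of problems (empty if OK)."""
    problems = []
    if SCIM_USER not in payload.get("schemas", []):
        problems.append("missing core User schema URN")
    if not isinstance(payload.get("userName"), str) or not payload["userName"].strip():
        problems.append("userName is required and must be a non-empty string")
    if not isinstance(payload.get("active", True), bool):
        problems.append("active must be a boolean")
    for e in payload.get("emails", []):
        if not isinstance(e, dict) or not re.fullmatch(r"[^@\s]+@[^@\s]+", str(e.get("value", ""))):
            problems.append(f"malformed email entry: {e!r}")
    # "id" and "meta" are server-assigned, read-only attributes; never trust client-supplied values.
    if "id" in payload or "meta" in payload:
        problems.append("client-supplied id/meta must be ignored or rejected")
    return problems

def deactivate_patch() -> dict:
    """PatchOp that sets active=false: the deprovisioning call sent when a user is offboarded."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

if __name__ == "__main__":
    # Constructed sample record, not real user data.
    user = to_scim_user({"id": "emp-1042", "login": "jdoe", "first": "Jane",
                         "last": "Doe", "email": "jdoe@example.com"})
    print(json.dumps(user, indent=2))
    print("problems:", validate_scim_user(user))
```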

Why is this important?

In a previous post, I talked about the differences between Consumer Identity Access Management (CIAM) and Enterprise Identity Access Management (EIAM).

In an EIAM deployment, SCIM helps accelerate integrations, but more importantly in a CIAM deployment you are going to have to push identity data across the Internet. SCIM can be secured to allow this communication and is a standard way to communicate and define data between these endpoints.

If you look at a lot of access management products (e.g. Ping, Okta, Microsoft) they will generally have a provisioning capability built around SCIM standards to help automate single sign-on and cross-domain authentication.

Additionally, a SCIM interface provides secure means of issuing tokens to authenticate the connections and capabilities between applications. Having this in place reduces the need for, and burden on, Identity Governance platforms to perform these actions. If you have an Identity Governance platform that does synchronization and provisioning, most of them have pre-built connectors built around SCIM.

This is important to bring it all together because, to be effective, an IAM system needs to work securely and be able to securely identify users across organizational borders. This involves 1) publishing identity data (SCIM) and then 2) using that data to authenticate (SAML) and authorize users. Having SCIM in place sets the stage for authentication later on in the user’s journey.

There are other options that are becoming more prevalent, e.g. just-in-time provisioning or OAuth / OIDC flows. However, to define and keep this data updated, SCIM is still the most prevalent and widely supported mechanism.

If you are starting out evaluating products to support your CIAM and EIAM initiatives or looking at applications to enhance your digital transformation, a good starting point to help accelerate growth is checking their conformance and capabilities with SCIM. This will help you rapidly onboard and integrate these applications and help provide a better user experience. As you start this process, reach out to us and we can help you evaluate and build these integrations.

Author, Nick Hunt, IDMWORKS, IAM Delivery Director