What is SCIM and How it Automates User Provisioning

Published November 9, 2022
Summary

Using SCIM allows users to access resources within unrelated partner environments automatically without organizations needing to create and maintain external user accounts.

What is SCIM and Why is it Important?

System for Cross-domain Identity Management (SCIM) is an open standard designed to secure and manage user identity data. Developed in 2011, the goal of SCIM is to securely automate the exchange of user identity data between your company's cloud applications and any service providers, such as enterprise SaaS applications.

That is a good definition, but what does that really mean and why should you care? To answer that question, let's dive into some practical use cases.

How SCIM Provisioning Works - Use Cases

Imagine you have a web application and want to integrate it with another service to enhance functionality - for example, ServiceNow for service management or Salesforce for fulfillment. To provide a unified experience, you need to push user data to the integrated application. This is where SCIM provisioning comes into play.

How to Push User Data to Integrated Applications

Traditionally, pushing user data to integrated applications involved:

  1. APIs: If the target application exposes a web service, you need to write methods that push the data to it using its published APIs.
  2. Batch Jobs: Export files from your application and send them via batch jobs to the target application. More challenging, but, yes, this still happens.
  3. Private Protocols: Push data directly via insecure or private protocols (LDAP, JDBC, etc.) to internal systems.

Note: Yes, I specifically said private/internal here; you should never use these over the Internet unless you have some other compensating control or protection in place (e.g. a private VPN tunnel).

How SCIM Is a Better Way to Push User Data

SCIM addresses these challenges by providing a standardized way for application developers and identity consumers to define and exchange user and group data. This standardization significantly reduces the time and effort required to integrate multiple systems.

Benefits of SCIM for User Management

  1. Standardization: SCIM offers a common way to create users in target applications, simplifying integration processes.
  2. Security: SCIM can be secured for communication across the Internet, making it ideal for both Enterprise IAM (EIAM) and Customer IAM (CIAM) deployments.
  3. Automation: Many access management products (e.g., Ping, Okta, Microsoft) have provisioning capabilities built around SCIM standards, helping automate single sign-on and cross-domain authentication.
  4. Reduced Burden: Using a SCIM interface reduces the need for Identity Governance platforms to perform certain actions, as many have pre-built connectors based on SCIM.

How the SCIM Standard Saves Time

Given the above, if you need to push users to multiple integrations and targets, be prepared for this to take a lot of time and effort to complete. SCIM addresses this issue and gives application developers and identity consumers a common way of defining users and groups.

  • Unified API: For target applications, in the use case above, they define an API using the SCIM standard.
  • Library Support: For applications, when they need to push identity data to the target application, they now have a common way (and libraries) to create users in the target applications.
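As an added illustration (not code from the post or from IDMWORKS) of what that common contract looks like on both sides, here is a Python sketch of a SCIM 2.0 User resource as a source application would push it, the bearer-token request wrapper, and the validation a target application's /Users endpoint should apply before accepting it; the endpoint URL, token and user values are constructed placeholders.

```python
import json

# Schema URNs from the SCIM 2.0 core schema and protocol (RFC 7643 / RFC 7644).
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def build_scim_user(user_name, given, family, email, external_id):
    """Build the SCIM 2.0 User resource a source system sends in POST /Users."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": external_id,   # the source system's own key for this user
        "userName": user_name,       # required; unique at the service provider
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }

def build_deactivate_patch():
    """PATCH body that deprovisions a user (access off) without deleting the record."""
    return {"schemas": [SCIM_PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def prepare_request(base_url, token, method, path, body=None):
    """Return the request a SCIM client would send; assumes bearer-token auth over HTTPS."""
    if not base_url.startswith("https://"):
        raise ValueError("SCIM endpoints must be reached over HTTPS")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/scim+json",
               "Accept": "application/scim+json"}
    return {"method": method, "url": base_url.rstrip("/") + path,
            "headers": headers, "body": json.dumps(body) if body is not None else None}

def validate_incoming_user(raw):
    """Checks a target application's /Users endpoint runs on a POST body; returns errors."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    errors = []
    if SCIM_USER_SCHEMA not in doc.get("schemas", []):
        errors.append("missing core User schema URN")
    if not isinstance(doc.get("userName"), str) or not doc["userName"].strip():
        errors.append("userName is required")
    if not isinstance(doc.get("active", True), bool):
        errors.append("active must be a boolean")
    for entry in doc.get("emails", []):
        if not isinstance(entry, dict) or "value" not in entry:
            errors.append("each email needs a value")
    return errors
```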

Why SCIM is Critical for Modern IAM Systems

An effective IAM system needs to work securely and identify users across organizational borders. This involves two key steps:

  1. Publishing identity data (using SCIM)
  2. Using that data to authenticate (often via SAML) and authorize users

In a previous post, I talked about the differences between Consumer Identity Access Management (CIAM) and Workforce Identity / Enterprise Identity Access Management (EIAM).

In a Workforce (EIAM) deployment, SCIM helps accelerate integrations, but more importantly, in a CIAM deployment you are going to have to push identity data across the Internet. SCIM can be secured to allow this communication and is a standard way to communicate and define data between these endpoints.

If you look at a lot of access management products (e.g. Ping, Okta, Microsoft) they will generally have a provisioning capability built around SCIM standards to help automate single sign-on and cross-domain authentication.


Additionally, with a SCIM interface there are secure means of issuing tokens to authenticate the connections and capabilities between applications. Having this in place reduces the need for, and burden on, Identity Governance platforms to perform these actions. If you have an Identity Governance platform that does synchronization and provisioning, most of them have pre-built connectors built around SCIM.

Bringing this all together: to be effective, an IAM system needs to work securely and be able to securely identify users across organizational borders. This involves 1) publishing identity data (SCIM) and then 2) using that data to authenticate (SAML) and authorize users. Having SCIM in place sets the stage for allowing authentication later on in the user's journey.

SCIM and Identity Management

For an IAM system to be effective, it must securely identify users across organizational borders. This involves publishing identity data (SCIM) and using that data to authenticate (SAML) and authorize users. Implementing SCIM sets the stage for secure authentication later in the user journey.

Other options, like just-in-time provisioning or OAuth/OIDC flows, are becoming more prevalent. However, SCIM remains the most prevalent and supported mechanism for defining and updating identity data.

FAQs About SCIM

Q: What does SCIM stand for?

A: SCIM stands for System for Cross-domain Identity Management.

Q: How is SCIM different from SAML?

A: While SCIM focuses on user provisioning and management, SAML (Security Assertion Markup Language) is used for authentication and single sign-on. They often work together in comprehensive IAM solutions.

Q: What are the main use cases for SCIM?

A: SCIM is primarily used for automated user provisioning across multiple systems, cloud applications, and domains. It's particularly useful in scenarios involving SaaS applications, multi-cloud environments, and cross-organizational collaborations.

Evaluating SCIM For Your Organization

If you are starting out evaluating products to support your Customer or Workforce (CIAM and EIAM) initiatives, or looking at applications to enhance your digital transformation, a good starting point to help accelerate growth is checking their conformance and capabilities with SCIM. This will help you rapidly onboard and integrate these applications and provide a better user experience. As you start this process, reach out to us and we can help you evaluate and build these integrations.

Author, Nick Hunt, IDMWORKS, IAM Delivery Director