
SCIM 101: Efficient Cross-Domain Identity Management

SCIM, or System for Cross-Domain Identity Management, is an open standard that simplifies the management of digital identities across different applications and platforms. SCIM 2.0 is specified in RFC 7643 (the core schema) and RFC 7644 (the protocol): a set of REST-style HTTP APIs that exchange JSON resources and enable automated provisioning and deprovisioning of accounts and synchronization of user attributes (and, where the target application supports it, passwords).

As our world becomes more reliant on cloud-based technologies, we need to create identities for various applications that exist across different public and private cloud platforms. However, manually managing all these identities, including creating and updating roles, assigning permissions and securing privileged users, can be a challenging and error-prone task.

Enter SCIM, which defines a standardized schema and API for exchanging identity data between identity providers and the applications they manage. With SCIM, new users created in an identity system are automatically provisioned inside different IT applications (both SaaS and on-premises), and later changes to their attributes are pushed to those applications as well.

SCIM also supports synchronizing identity data between different identity products. For example, if you have a legacy enterprise identity solution, you can integrate it with a cloud-based identity vendor over SCIM. This eliminates the need for administrators to define identity data across multiple applications and systems, reducing the risk of errors and misconfigurations.

What is SCIM

What is SCIM provisioning in cybersecurity?

SCIM provisioning is the process of automating the management of user accounts and the granting of access rights using the SCIM protocol. SCIM-enabled IT tools implement the service-provider side of the protocol and expose standard user management endpoints, most importantly /Users and /Groups.

SCIM-enabled identity products act as the SCIM client and use these endpoints to create, update and delete user accounts. For example, an identity provider creates a new user in the target application by sending an HTTP POST with a JSON user resource to the /Users endpoint; it updates the user with PATCH or PUT against /Users/{id}, and it deprovisions the user either by setting the active attribute to false or by sending DELETE to /Users/{id}.

SCIM provisioning reduces the manual effort needed to manage users and their permissions across different systems. It also boosts security by ensuring that user accounts are deprovisioned in a timely manner, reducing the risk of unauthorized access and data breaches.

How does the SCIM protocol work?

While implementations of the SCIM protocol vary between products, the following steps are typically involved:
  1. An administrator uses the identity application to create, modify or delete a user account
  2. The identity application hands the change to its SCIM client, which may be built into the identity provider or run as a separate provisioning agent, and which is responsible for generating and sending SCIM messages to target applications
  3. The SCIM client sends a JSON-formatted SCIM message over HTTPS to the target application's SCIM endpoint, authenticating with the credential (usually a bearer token) issued for that integration
  4. The target application, typically a SCIM-enabled SaaS tool that needs the latest identity data, authenticates the request, validates the message against the SCIM schema, updates its identity data accordingly and responds with an HTTP status code and either the resulting resource or a SCIM error document
  5. Lastly, the SCIM client reports the success or failure of the synchronization attempt back to the identity application, which logs it and retries or raises an alert on failure
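The five steps above, as an added example that is not code from this article or from OneLogin: a small Python script in which an identity-provider-side SCIM client builds the JSON messages and an in-memory service provider on the target side authenticates them with a bearer token, validates the schema, enforces userName uniqueness and answers with SCIM status codes. It goes slightly beyond the steps by also showing the two paths a practitioner cares about most: a request with a wrong token being refused, and deprovisioning done as PATCH active=false rather than DELETE. The token value, the user data and the in-memory store are constructed for illustration, and the HTTP transport is replaced by a direct method call; a real integration would send the same messages over HTTPS.

```python
import hmac
import json
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed shared secret the IdP presents as a bearer token (RFC 7644
# recommends OAuth 2.0 bearer tokens); issue one per integration and rotate it.
PROVISIONING_TOKEN = "example-token-rotate-me"


class ScimServiceProvider:
    """Target application side: authenticates, validates and stores users."""

    def __init__(self, token):
        self.token = token.encode()
        self.users = {}  # id -> SCIM User resource

    def _error(self, status, detail):
        return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}

    def handle(self, method, path, headers, body=None):
        # A leaked token grants create/disable rights on every account, so the
        # check runs on every call and uses a constant-time compare.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or not hmac.compare_digest(auth[7:].encode(), self.token):
            return self._error(401, "invalid bearer token")
        parts = path.strip("/").split("/")
        if parts[0] != "Users":
            return self._error(404, "unknown resource type")
        if method == "POST" and len(parts) == 1:
            return self._create(body)
        if len(parts) == 2 and parts[1] in self.users:
            if method == "PATCH":
                return self._patch(self.users[parts[1]], body)
            if method == "DELETE":
                del self.users[parts[1]]
                return 204, None
        return self._error(404, "resource not found")

    def _create(self, body):
        if SCIM_USER not in body.get("schemas", []):
            return self._error(400, "missing core User schema")
        if not body.get("userName"):
            return self._error(400, "userName is required")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return self._error(409, "userName already exists")
        user = dict(body, id=str(uuid.uuid4()), active=bool(body.get("active", True)))
        user["meta"] = {"resourceType": "User", "location": f"/Users/{user['id']}"}
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user, body):
        if SCIM_PATCH not in body.get("schemas", []):
            return self._error(400, "missing PatchOp schema")
        for op in body.get("Operations", []):
            # Only 'replace' on a simple top-level attribute is handled here.
            if op.get("op", "").lower() != "replace" or not op.get("path"):
                return self._error(400, "unsupported patch operation")
            user[op["path"]] = op["value"]
        return 200, user


class ScimClient:
    """Identity provider side: builds the JSON messages it sends over HTTPS."""

    def __init__(self, provider, token):
        self.provider = provider
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"}

    def create_user(self, user_name, given, family, email):
        body = {"schemas": [SCIM_USER], "userName": user_name, "active": True,
                "name": {"givenName": given, "familyName": family},
                "emails": [{"value": email, "primary": True}]}
        return self.provider.handle("POST", "/Users", self.headers, body)

    def deactivate_user(self, user_id):
        # Deprovisioning is normally PATCH active=false rather than DELETE, so the
        # target keeps its audit trail and the user's data.
        body = {"schemas": [SCIM_PATCH],
                "Operations": [{"op": "replace", "path": "active", "value": False}]}
        return self.provider.handle("PATCH", f"/Users/{user_id}", self.headers, body)


def run_lifecycle():
    """Constructed walkthrough: create, duplicate, bad token, deactivate, delete."""
    sp = ScimServiceProvider(PROVISIONING_TOKEN)
    idp = ScimClient(sp, PROVISIONING_TOKEN)
    create, user = idp.create_user("bjensen", "Barbara", "Jensen", "bjensen@example.com")
    duplicate, _ = idp.create_user("bjensen", "Barbara", "Jensen", "bjensen@example.com")
    bad_token, _ = sp.handle("DELETE", f"/Users/{user['id']}", {"Authorization": "Bearer wrong"})
    deactivate, patched = idp.deactivate_user(user["id"])
    delete, _ = sp.handle("DELETE", f"/Users/{user['id']}", idp.headers)
    return {"create": create, "duplicate": duplicate, "bad_token": bad_token,
            "deactivate": deactivate, "active_after_patch": patched["active"],
            "delete": delete, "remaining": len(sp.users)}


if __name__ == "__main__":
    print(json.dumps(run_lifecycle(), indent=2))
```

The status codes come back as 201, 409, 401, 200 and 204 in that order. The SCIM error document carries the status as a string plus a human-readable detail, which is exactly the shape an identity provider's provisioning log shows when an integration fails, so it is worth recognising.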

Where does SCIM fit in your cybersecurity strategy?

The diverse and complex nature of modern IT infrastructures can make it challenging to manage identities and govern access to sensitive resources. Administrators need to ensure that all applications, whether they’re located in the cloud or on-premises, are using up-to-date identity data. This is where SCIM proves to be an invaluable solution.

SCIM acts as a binding agent that bridges the gap between otherwise disparate components of an IT infrastructure. It delivers a seamless identity management process by automating the synchronization of data across identity systems and IT applications.

Therefore, it is important to choose identity providers and IT tools that offer SCIM support. If you have any legacy applications that do not support SCIM, consider writing a SCIM adapter service: a small service that exposes the standard SCIM endpoints on behalf of the legacy application and translates each SCIM request into the legacy application's own user-management API or database operations, so that it can integrate with the SCIM-enabled identity provider like any other target.
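As an added example of the adapter idea (not code from the article or from OneLogin), here is the translation layer such a service needs: mapping a SCIM User resource, including the enterprise extension and a multi-valued emails list, onto a flat legacy record and back, and answering the filtered lookup (GET /Users?filter=userName eq "...") that an identity provider performs before deciding whether to create or update a user. The legacy table, its column names and the sample rows are constructed; the HTTP layer is omitted, so the functions take and return what the request handlers would.

```python
import re

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed legacy user table: the old application only knows these columns.
LEGACY_USERS = [
    {"uid": 101, "login": "bjensen", "mail": "bjensen@example.com", "dept": "Tour Operations", "enabled": 1},
    {"uid": 102, "login": "jsmith", "mail": "jsmith@example.com", "dept": "Finance", "enabled": 0},
]


def scim_to_legacy(resource):
    """Keep only what the legacy app can store; unknown SCIM attributes are dropped."""
    emails = resource.get("emails", [])
    primary = next((e for e in emails if e.get("primary")), emails[0] if emails else {})
    ext = resource.get(SCIM_ENTERPRISE, {})
    return {"login": resource["userName"], "mail": primary.get("value", ""),
            "dept": ext.get("department", ""), "enabled": 1 if resource.get("active", True) else 0}


def legacy_to_scim(row):
    """Present a legacy row as a standard SCIM User so the IdP needs no special casing."""
    return {"schemas": [SCIM_USER, SCIM_ENTERPRISE], "id": str(row["uid"]),
            "userName": row["login"], "active": bool(row["enabled"]),
            "emails": [{"value": row["mail"], "primary": True}],
            SCIM_ENTERPRISE: {"department": row["dept"]},
            "meta": {"resourceType": "User", "location": f"/Users/{row['uid']}"}}


# The only filter shape an IdP lookup needs: <attr> eq "<value>". Anything else is
# rejected with invalidFilter instead of being forwarded to the legacy backend.
_EQ_FILTER = re.compile(r'^(userName|emails\.value)\s+eq\s+"([^"]*)"$', re.IGNORECASE)
_COLUMNS = {"username": "login", "emails.value": "mail"}


def list_users(filter_expr=None, table=LEGACY_USERS):
    """Answer GET /Users[?filter=...] with a SCIM ListResponse envelope."""
    rows = table
    if filter_expr:
        match = _EQ_FILTER.match(filter_expr.strip())
        if not match:
            return 400, {"schemas": [SCIM_ERROR], "status": "400", "scimType": "invalidFilter"}
        column, value = _COLUMNS[match.group(1).lower()], match.group(2)
        # userName and emails.value are not caseExact in the core schema, so the
        # comparison is case-insensitive; the value is compared, never interpolated.
        rows = [r for r in table if r[column].lower() == value.lower()]
    resources = [legacy_to_scim(r) for r in rows]
    return 200, {"schemas": [SCIM_LIST], "totalResults": len(resources),
                 "startIndex": 1, "itemsPerPage": len(resources), "Resources": resources}
```

Two design points matter for an adapter in production: the filter grammar you accept should be the narrow subset you have actually tested, because the identity provider will retry on 400 but will happily act on a wrong answer; and the mapping must be deterministic in both directions, otherwise the identity provider sees attribute drift and keeps issuing updates.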

SCIM vs. SSO

SCIM and SSO (Single Sign-On) are prevalent Identity and Access Management (IAM) techniques that serve different purposes. SCIM is a protocol that automates the exchange of identity data between different systems. Conversely, SSO is a login technique that allows users to authenticate once and gain access to multiple applications. SSO simplifies the user login experience and improves security by reducing the need for users to remember multiple usernames and passwords. The two are complementary: SSO authenticates the user at login, while SCIM makes sure the account exists with the right attributes before that first login and is disabled after the user leaves.

SCIM vs. SAML

SCIM and SAML (Security Assertion Markup Language) are both IAM protocols that cater to different use cases. SAML defines a standard for passing assertions, digitally signed XML documents containing information about the user's identity and attributes, from an identity provider to a service provider. Its main purpose is authentication at login time, typically SAML-based SSO, with the assertion's attributes often used to drive authorization decisions in the service provider. The primary purpose of SCIM, on the other hand, is to automatically synchronize identity data from an identity system to IT applications, independently of any login.

SCIM vs. JIT provisioning

SCIM and JIT (Just in Time) provisioning are related but different IAM concepts. JIT provisioning creates a user account on demand upon the user's first successful login, using the attributes carried in the SAML (or OpenID Connect) assertion. It streamlines user onboarding and reduces administrative overhead, but it only acts when a user logs in: it cannot update or disable an account for a user who never returns, so deprovisioning still has to happen somewhere else. SCIM, conversely, gives administrators a way to create, update and delete identities from a central place through REST APIs, whether or not the user ever logs in. The two are often combined: JIT for first-login creation, SCIM for ongoing updates and deprovisioning.

Pros and cons of SCIM

Here are a few ways your business can benefit from using SCIM:

  • Make the identity management process more streamlined, effective and resilient
  • Improve your security posture by providing all IT systems with the latest identity data
  • Enhance compliance and auditing through consistent application of security controls across all systems
  • Save costs related to administration by automating user provisioning, modification and deprovisioning
  • Ensure access is granted and revoked in a timely and consistent manner to reduce the risk of unauthorized access
  • Improve user experience by ensuring that updated access rights are immediately applied to the relevant target applications
  • Use a protocol that is designed to handle the management of thousands of users and resources, making it a good fit for enterprises

While SCIM offers many benefits, there are also some (potential) cons you should consider:

  • If your infrastructure has several legacy applications, incorporating SCIM will require a lot of time, effort and technical expertise
  • If SCIM REST APIs are not properly secured, they increase your attack surface. The SCIM endpoint accepts a provisioning credential (commonly a long-lived bearer token) that can create, modify and disable every account in the target application, so a leaked token, an endpoint exposed without TLS, or a breach of one system connected to SCIM can lead to unauthorized access to multiple systems. Treat provisioning tokens as privileged secrets: issue one per integration, rotate them, and log every SCIM request

Conclusion

SCIM is a protocol designed to integrate identity platforms with IT applications. It enables organizations to enforce the same security controls across legacy and cloud applications, from a central place. SCIM enablement is a must-have for security-first organizations with diverse infrastructures.
