SCIM

System for Cross-domain Identity Management

SCIM is a protocol that standardizes how identity information is exchanged between one entity and another. It’s an open standard and is widely used to simplify the process of granting people or groups access to cloud-based applications.

The key to understanding the purpose of SCIM is in its name:

• System—SCIM creates a common format for how identity data is exchanged.

• Cross-domain—SCIM securely communicates identity data across platforms.

• Identity Management—SCIM automates the flow of information between an identity provider or identity and access management (IAM) system and cloud-based applications.

In an enterprise work scenario, using SCIM reduces the effort it takes to create, modify, and synchronize employee accounts and govern the resources employees have access to. It has the added benefit of reducing IT friction for employees because it works in tandem with other technologies that simplify how users sign in to apps.

Understanding SCIM provisioning

SCIM was created to make it easier for IT admins to provision users—that is, to create, maintain, and update people’s accounts and give them permission to access all of the cloud-based applications they need to do their job.

Without SCIM, provisioning can be a lengthy and tedious manual process. The identifying information apps require to determine whether a person has permission to access them is fairly standard, such as employee names, emails, job titles, and departments. However, the formats apps use to represent each element of that information, and how the apps perform simple actions, can often be just a little bit different.

Having to manually add users to each app in a slightly different way every time might not be too problematic for businesses with just a few employees and cloud-based apps or services. But for organizations with a large number of employees and hundreds of cloud applications, manual provisioning can be costly, frustrating, and counterproductive.

SCIM solves this problem by providing a standard for seamlessly and securely exchanging information between identity providers and cloud apps. That standardization makes automating the provisioning process feasible and safe.

Some efficiencies that SCIM enables are:

• Automatic provisioning of new accounts—new employees are efficiently given access to the right systems when they join your team or organization.

• Automatic deprovisioning—when people leave the organization, there’s a centralized way to deactivate their account and app privileges.

• Synchronizing data between systems—when changes are made to accounts, it’s automatically updated everywhere.

• Group provisioning—whole groups of employees can be given access to the apps that they need.

• Governing access—SCIM makes it easier to monitor and audit privileges.

How SCIM works

In addition to providing a predefined schema for common identity attributes like group name, username, first name, last name, and email, SCIM provides a standardized definition of client and service provider roles. A client is usually an identity provider or IAM system, such as Microsoft Entra ID (formerly known as Microsoft Azure AD). A service provider is typically a software-as-a-service app. The client manages core identity information that apps need to grant or refuse access.

SCIM uses JavaScript Open Notation (JSON), an open-standard file and data exchange format, to support seamless interoperability across domains. It also uses a representational state transfer (REST) API to perform the actions needed to manage identity lifecycles. The database operation acronym CRUD describes the basic REST actions SCIM provisioning uses:

• Create—add new users in applications.

• Read—retrieve or search for information from existing identities and groups.

• Update—synchronize updated identity information between the client and apps.

• Delete—deprovision identities.

Application developers can use SCIM provisioning standards to ensure their apps integrate seamlessly with enterprise systems. It avoids the problem of having slightly different APIs to perform the same basic actions. Developers that create apps conforming to the SCIM standard can instantly take advantage of pre-existing clients, tools, and code.

Why is SCIM important?

SCIM is important because it gives organizations the scalability and agility they need to grow. Automating user provisioning with SCIM streamlines the effort and cost it takes to manage user lifecycles. It also improves security by giving organizations robust control over the identities that have access to their resources. With that access control, IT admins can ensure that each user has just the right permissions they need to succeed in their role and can quickly eliminate defunct identities when people leave the organization.

SCIM ensures that there’s a single source of truth, rather than multiple versions of the truth, for each identity and group. With a consistent way of storing and exchanging user data, it’s easier to enforce the security and compliance policies your business depends on to operate.

 The Benefits of SCIM provisioning

SCIM has a variety of benefits that have a positive impact on users, IT teams, budgets, and security. It helps you to:

• Boost productivity Automated SCIM provisioning frees admins from having to manually create and update identities in multiple apps, giving them time to focus on more valuable tasks. Automation also eliminates the need for IT and development teams to develop and manage custom integrations and decreases the number of requests to add users, remove users, change permissions, or reset passwords.

• Reduce errors SCIM reduces much of the manual entry that would otherwise go into provisioning, dramatically cutting down on inevitable human errors. It also helps admins prune away outdated and forgotten “zombie” accounts that may be cluttering up your system and giving malicious actors extra avenues to exploit.

• Implement single sign-on (SSO)

  SCIM makes it easier to implement SSO, which allows users to use a single set of credentials to access all their apps. With SSO, employees can go through the authentication process once and work seamlessly with all their resources. There’s no need to memorize multiple passwords—and no temptation to reuse them.
• Mitigate security risks

  By enabling SSO, SCIM helps organizations to reduce their attack surfaces and increase compliance with security policies such as two-factor authentication and multifactor authentication. Having more granular control over identities and permissions strengthens general security. There’s little risk of losing track of accounts.
• Reduce IT costs

  Streamlining cloud identity management lifecycles can potentially give organizations the ability to reduce surplus and redundant software licenses. Having a single source of truth for identities makes it clear how many licenses are needed, and automated deprovisioning ensures you aren’t paying for licenses that are no longer used. SCIM also eliminates the need for costly custom integrations, which can take considerable employee time to develop and maintain.

• Quickly add users and apps

  SCIM provisioning makes it faster to onboard employees and immediately give them access to the right resources using preset rules and group permissions. And as your organization grows and innovates, SCIM simplifies the process of adopting new apps and workflows.

SCIM vs. SAML

Security Assertion Markup Language (SAML) and SCIM are both open-standard protocols that streamline the exchange of identity data. SAML is commonly used to provide SSO for enterprise applications and to extend SSO across security domains. Similar to SCIM, it plays a role in enabling people to use the same credentials to access multiple services. SCIM lays the foundation for SAML to work by creating, updating, or deleting user profiles in the target system with the necessary information for the user to sign in to an app.

SAML is based on Extensible Markup Language (XML) and uses it to make security assertions, which are statements that service providers use to decide whether to grant access to a resource. When SAML authenticates that your identity can have access to a resource, it gives you an access token for a single session in your browser. Both SCIM and SAML are underlying technologies commonly used in enterprise IAM solutions.

SCIM vs. SSO

SCIM and SSO are two different technologies that play slightly different roles in managing identities and access. SCIM is for provisioning identities across multiple applications, and SSO is for authenticating users in multiple applications with a single set of credentials.

SCIM supports SSO and works together with it. SSO requires user provisioning to function. Enterprise IAM systems tend to use a complex mix of technology to make the user experience seamless, and SCIM, SSO, and SAML are all technologies that help achieve that aim.

SCIM provisioning use cases

Automatic provisioning with SCIM can improve your organization’s productivity by simplifying processes that would otherwise be time-consuming. Here are just six examples of how to improve your internal processes with SCIM:

1. Lay the foundations for SSO. Implement SCIM-enabled technology as a complement to SSO—a time-saver that will be beneficial for everyone in your organization.

2. Manage user onboarding in a time of growth. Give new employees immediate access to all of the downstream applications they’ll need to get them up and running quickly.

3. Facilitate large migrations. Easily import a large number of users into a new application or system, saving time and cost.

4. Synchronize changes in real time. Automatically adjust permissions as people change roles within the organization and quickly deprovision the accounts of people who leave.

5. Increase control over access privileges. Get the granular visibility you need to facilitate privileged access management best practices. Protect your organization against cyberthreats by monitoring access to your most critical resources.
6. Keep your organizational directory up to date. SCIM keeps user information like telephone numbers, email addresses, and HR information up to date. This information might be used in turn by another system to provide access or facilitate a workflow. For example, SCIM can be used to keep the manager information up to date for an employee, which will allow an expense approval system to know who will approve the expense. Having an up-to-date system reduces errors and time to complete workflows.

SCIM integration for business

To ensure that you get a good return on your investment from a SCIM provisioning system, choose a solution that integrates with a vast number of apps and a provider at the forefront of cybersecurity and automation technology. Microsoft Entra ID (formerly known as Azure AD) uses SCIM for provisioning, automating your identity lifecycle, and synchronizing identities across trusted systems. Microsoft Entra ID integrates with thousands of applications—all the resources your employees need to stay productive and innovative well into the future.