Difference Between JIT and SCIM Provisioning

Written by Cassa Niedringhaus on February 8, 2020

Share This Article

Web application provisioning has changed dramatically in the last two decades, and new protocols have cropped up to help IT admins better manage enterprise app access. In the modern enterprise, streamlining these processes helps time-strapped IT admins onboard users more quickly. First we’ll cover app provisioning as it was historically, and then we’ll compare two protocols that are newer to the scene: Just-in-Time (JIT) and System for Cross-domain Identity Management (SCIM) provisioning. 

History of Web Application Provisioning

Software-as-a Service (SaaS) applications (think: Salesforce®) sent shockwaves through the IT industry in the 1990s. They changed the way software was delivered to companies and challenged the traditional Active Directory® domain because AD didn’t extend natively to them.

These apps required manual access management because AD was built for on-prem domains — not cloud services. Eventually, a new protocol, SAML (Security Assertion Markup Language), and various third-party vendors emerged to federate AD identities to these apps.

As the use of SaaS apps has continued to increase since then, admins now search for solutions that not only allow them to use authoritative identities in these apps but that also allow them to streamline the process of account management. Several protocols exist to make the process of user lifecycle management in web apps easier — though they differ in key ways.

JIT Provisioning

One such protocol is Just-in-Time provisioning, which extends the SAML protocol to pass user attributes from the central identity provider to apps like Salesforce.

From the central directory, an IT admin can create new users and authorize their app access — rather than creating a new user in the central directory, authorizing their app access, and then creating a corresponding account for that user in the app(s).

Instead, users trigger the creation of those accounts automatically the first time they log in to an app. Before JIT, this kind of automation was not possible, and each account required manual creation by an IT admin or manager. SCIM provisioning, by comparison, takes automation to the next level.

SCIM Provisioning

SCIM is an API-driven identity management protocol that uses HTTP verbs to standardize identities among identity and service providers.  

With SCIM, admins create new users in the central directory, and they can automate both onboarding and offboarding of those users in their authorized apps through an ongoing sync. They can also sync updates like passwords and attribute information. If a user leaves the organization, for example, deleting them from the central directory will automatically propagate to the apps they accessed and delete their accounts without requiring manual configuration.

JIT vs. SCIM Provisioning

JIT provisioning automates account creation, while SCIM provisioning automates provisioning, deprovisioning, and management. In either case, it’s important to note that the service provider must support the particular protocol for it to be possible. Currently, more apps support JIT than SCIM. 

Regardless, any steps an organization can take to automate onboarding and/or offboarding of users streamlines day-to-day IT operations, increases accuracy, and improves security — particularly in the case of large or scaling organizations that are adding users quickly.

You can achieve automation from a cloud directory service, which also enables you to provision users seamlessly to their other resources, including systems, networks, and file servers. Learn more about app provisioning from a cloud directory service

Continue Learning with our Newsletter