SCIM provisioning is an emerging concept in the world of identity and access management, and it has the potential to redefine the way we create and manage user accounts in web applications.
One report noted that the average company spent 78% more on Software-as-a-Service in 2018 than the year prior, and the trend is continuing upward. With the explosion of SaaS and web apps, it’s important to understand how to streamline user management across those resources and what new tools can play a role.
Here, we’ll explore what SCIM provisioning is, how it came about, and the benefits it can provide.
SCIM Provisioning Defined
SCIM (System for Cross-domain Identity Management) is an API-driven identity management protocol for managing user identities in web applications. It uses HTTP verbs, including GET, POST, PUT, PATCH, and DELETE.
SCIM eases the friction admins have in provisioning and managing user accounts in web applications. Using SCIM, admins can automate the processes of account creation and deletion, as well as maintain synchronization between their core directory and web apps.
History of SCIM
SCIM was first known as “Simple Cloud Identity Management” — and it was born out of developers’ desire to standardize web application identity management.
In the early 2010s, standards existed to authenticate and authorize online users, but a standard didn’t exist to create users in various online services, SCIM co-creator Kelly Grizzle told an audience at the Austin API Summit in 2018. He and other co-creators set out to address what they saw as a gap in the industry and to centralize identities used to access web apps.
“Identity is really the center of almost every service or product out there,” Grizzle said. “They all have to have it.”
SCIM is now recognized by the Internet Engineering Task Force (IETF), and its creators have, since its earliest draft schema, made clear what its purpose is: “In essence, make it fast, cheap, and easy to move identity in to, out of, and around the cloud.”
Benefits of SCIM Provisioning
There are various benefits of SCIM provisioning, including:
- Standardization of provisioning
- Centralization of identity
- Automation of onboarding and offboarding
- More comprehensive SSO management
With SCIM, admins no longer need to manually create and delete user accounts in web apps — which saves them valuable time and reduces the chance for errors in the authorization levels granted to users.
It’s important to note that SCIM provisioning differs in both its implementation and output from another type of web app provisioning, Just-in-Time.
What is the difference between SCIM and JIT?
Just-in-Time provisioning is an extension of the SAML protocol and automates user provisioning. In this configuration, a user account is created the first time the user tries to log in to an application; the SAML assertion sent at login passes the attributes required for account creation.
SCIM, on the other hand, does not use SAML. Instead, it standardizes the way objects are represented among web applications. Beyond that, it automates not only user provisioning but also the modification and deletion of user accounts through an ongoing sync between the identity provider and linked service providers.
For example, if an employee quits, an admin can deprovision them in the identity provider, and that change will propagate to SCIM-enabled web applications and automatically delete the accounts there, too. JIT provisioning does not provide these capabilities.
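The ongoing sync described above, as an added example (not code from the original article or from any vendor): one reconciliation pass compares the directory with a SCIM-enabled app and issues the POST, PATCH, and DELETE requests needed to close the gap. `FakeServiceProvider`, `plan_sync`, and `sync` are hypothetical names and the users are constructed sample data; the schema URNs are those of SCIM 2.0 (RFC 7643 and RFC 7644).

```python
import json
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"      # RFC 7643
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644

class FakeServiceProvider:
    """In-memory stand-in for a SCIM-enabled web app (hypothetical, for the demo)."""
    def __init__(self):
        self.users = {}  # SCIM id -> user resource

    def handle(self, method, path, body=None):
        if method == "POST" and path == "/Users":
            user = dict(json.loads(body), id=uuid.uuid4().hex)
            self.users[user["id"]] = user
            return 201
        user_id = path.rsplit("/", 1)[-1]
        if user_id not in self.users:
            return 404
        if method == "PATCH":
            for op in json.loads(body)["Operations"]:
                if op["op"] == "replace":
                    self.users[user_id].update(op["value"])
            return 200
        if method == "DELETE":
            del self.users[user_id]
            return 204
        return 405

def plan_sync(directory, app_users):
    """Return the SCIM requests that bring the app in line with the directory."""
    by_name = {u["userName"]: u for u in app_users.values()}
    requests = []
    for name, attrs in directory.items():
        current = by_name.pop(name, None)
        if current is None:  # new hire: create the account
            body = {"schemas": [USER_SCHEMA], "userName": name, **attrs}
            requests.append(("POST", "/Users", json.dumps(body)))
        elif any(current.get(k) != v for k, v in attrs.items()):  # attribute drift
            op = {"schemas": [PATCH_SCHEMA],
                  "Operations": [{"op": "replace", "value": attrs}]}
            requests.append(("PATCH", f"/Users/{current['id']}", json.dumps(op)))
    for leftover in by_name.values():  # no longer in the directory: deprovision
        requests.append(("DELETE", f"/Users/{leftover['id']}", None))
    return requests

def sync(directory, app):
    """Apply one sync pass and return (method, status) for each request sent."""
    return [(m, app.handle(m, p, b)) for m, p, b in plan_sync(directory, app.users)]
```

The DELETE branch is the part JIT provisioning has no equivalent for: an account that exists in the app but not in the directory is found and removed on the next pass, rather than lingering as an orphaned login.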
Both JIT and SCIM can be implemented through a web application single sign-on (SSO) solution. At this point, SAML JIT provisioning is far more widely adopted than SCIM provisioning, but we anticipate the adoption of SCIM will continue to grow because of the benefits it provides to organizations.
If you’re looking to implement SSO, including SCIM, in your organization, our SSO buying guide is a good place to start. You can also try the JumpCloud® SSO offering, now including SCIM for Slack, absolutely free.
Simply sign up for a JumpCloud account and start leveraging SSO with SCIM today.