
User Provisioning With SCIM
System for Cross-domain Identity Management (SCIM) is a REST-based protocol that provides a straightforward approach to resource management using the JSON data format. While SCIM is technically flexible enough to represent various types of resources, its most common application today is in managing user accounts, user attributes, and groups—and for synchronizing identities across identity and access management systems.
In OAuth architectures, SCIM allows organizations to design their own user account storage in the authorization server. In SCIM, data storage uses the SCIM Core Schema, which supports standard ways to store built-in attributes and also supports the storage of any custom user attributes. You then gain REST-based API access to all user attributes using the SCIM protocol.
Why SCIM?
SCIM is an open standard that simplifies the process of centrally managing user identities. Compared to integrating directly with LDAP, Active Directory, or SQL, SCIM is a more modern and lightweight alternative. It offers a REST-based API, making it easier to implement.
From a developer's standpoint, using SCIM's REST API is significantly easier than integrating with legacy systems. Communication channels between domains are more secure and manageable over HTTP/REST, whereas protocols like LDAP often require additional configuration, such as firewalls, proxies, or VPN tunnels, which increases complexity. These configurations must be maintained and, depending on the system, can pose significant security concerns.
Cross-Domain User Provisioning
As the name implies, SCIM handles identity management across domains. Here, "domains" refers to identity domains or separate IT systems. Traditionally, these systems were internal and managed independently, making cross-domain identity management relatively straightforward but still resource-intensive.
Nowadays, many services and IT systems are SaaS-based and very specialized in what they do. However, there's still a need to connect these separate SaaS applications across multiple domains. With that comes the management of identities across these different systems.
SCIM is standardized, making it easy for all IT systems to integrate and quickly enable the management of identities across these hosted SaaS applications. In other words, it manages user identities across the different identity domains.
While federated identity mechanisms like Single Sign-On (SSO) or Just-in-Time (JIT) provisioning solve part of the challenge, they don't fully address the need for centralized provisioning, especially when some systems don't support federation or must meet strict compliance requirements. In these cases, SCIM becomes vital for provisioning processes that span across internal apps and external services.
SCIM Server and Client Roles
A SCIM client is essentially the consumer of the SCIM server. The client is the application that needs to perform the CRUD actions on a user object. It is the IT system, or domain, mentioned earlier in the article. This is the system that would need to know if a user has been de-provisioned (centrally) and thus would probably deny the user access.
The SCIM server is the component that interfaces with one or more backend systems containing user and group data. This server exposes the standardized CRUD capabilities to the clients and, with the incoming requests, performs those actions in the native "language" of the data source holding the information.
The server simplifies the complexity of managing several data sources. It also removes the need to connect to the data source in its native communication protocol, which can be cumbersome and time-consuming to implement in modern applications. The server exposes open, standardized SCIM interfaces for SCIM clients (applications) to consume.
As an example, the Curity Identity Server is both a SCIM server and a client. It exposes a SCIM 2.0-compliant server for user management. However, one of the sources that can be connected on the backend is also a SCIM server. In that scenario, the Curity Identity Server operates as a SCIM 1.1 and/or SCIM 2.0 client.
SCIM Authorization
Requests to SCIM servers should support authorization so that different clients can operate on resources with distinct levels of privilege. It should be possible to configure authorization policies so that clients can operate on a subset of user accounts and also to limit attributes within each user account. In the Curity Identity Server, you can use an Attribute Authorization Manager to control each client's level of access.
Typically, a SCIM server requires a compliant access token before it grants any access to resources. The SCIM server requires the access token to have a particular scope from the authorization policy, such as 'accounts', to restrict the clients that have SCIM access. Next, the SCIM server can require the access token to have particular claim values, like tenant ID or groups, to filter access to user accounts.
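As an added example (not the Curity Identity Server's own code), the following Python sketch applies the authorization rules just described to a single SCIM User resource: a scope check, tenant-claim filtering, and attribute-level restriction, plus the self-service case in which an end user may read only their own account. The claim names, the custom tenant schema URN, the readable-attribute set and the sample user are constructed assumptions for illustration; the access token is assumed to have been validated already.

```python
"""Added example: a minimal SCIM authorization check, assuming the access
token has already been validated and its claims decoded. Claim names
(scope, tenant_id, sub) and the custom tenant extension are assumptions."""
from __future__ import annotations

REQUIRED_SCOPE = "accounts"
# Custom schema URN holding the tenant attribute (constructed for this example)
TENANT_SCHEMA = "urn:example:scim:schemas:extension:tenant:2.0:User"
# Attributes a client may read; everything else is stripped from responses
READABLE = {"id", "userName", "name", "emails", "active", "schemas"}

# Constructed sample SCIM User resource (Core Schema plus the custom extension)
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", TENANT_SCHEMA],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "name": {"givenName": "Barbara", "familyName": "Jensen"},
    "emails": [{"value": "bjensen@example.com", "primary": True}],
    "active": True,
    "password": "not-for-clients",
    TENANT_SCHEMA: {"tenantId": "acme"},
}


def authorize(claims: dict, resource: dict) -> dict | None:
    """Return the attributes the caller may see, or None if access is denied.

    Checks, in order: (1) the token carries the SCIM scope; (2) a token with a
    tenant claim may only touch users of that tenant; (3) a token without a
    tenant claim is treated as an end user who may only read their own account
    (subject must equal the resource id).
    """
    scopes = set(claims.get("scope", "").split())
    if REQUIRED_SCOPE not in scopes:
        return None  # no SCIM access at all
    tenant = claims.get("tenant_id")
    resource_tenant = resource.get(TENANT_SCHEMA, {}).get("tenantId")
    if tenant is not None:
        if tenant != resource_tenant:
            return None  # tenant clients never see other tenants' users
    elif claims.get("sub") != resource.get("id"):
        return None  # end users are limited to their own account
    # Attribute-level authorization: return only the readable subset
    return {k: v for k, v in resource.items() if k in READABLE}
```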
Real World Use Cases
User Profile Management in Customer Apps
Customer-facing applications can use SCIM to allow users to edit their profiles if authorization can restrict each user to their own account. In some cases, the SCIM server might provide a self-service portal where the user can update their personal details. If that does not meet the needs of an application, it can use custom screens that call SCIM endpoints.
Managing Partner Users in B2B2C Applications
Tenant administrator applications can potentially call SCIM endpoints of the provider in B2B2C use cases if authorization can restrict each business partner to its own user accounts. For example, if a partner does not have a workforce identity system, they may prefer to use SCIM to onboard employees into B2B2C applications.
User Migrations
SCIM is often used to migrate users from an existing data source to a new identity system. For example, an organization may upgrade to a CIAM system with improved security features. SCIM enables a straightforward ETL (Extract, Transform, Load) process from the old system to the new system. Updates should maintain the values of essential user attributes, like user identities and other claims issued to access tokens, to prevent any adverse effects for APIs and clients.
During a business acquisition, multiple identity domains must often be merged, which affects APIs, applications, and user accounts. The new organization can import new user accounts or update users that exist in both identity domains. When required, SCIM can store multiple custom user identities against user accounts.
Contractor and Temporary Staff Management
Organizations that rely on external contractors can use SCIM to enforce time-limited access. SCIM can automatically disable accounts after a contract ends, ensuring compliance and improving the security of sensitive systems by removing users who no longer need access.
Employee Onboarding and Offboarding
SCIM is commonly used in workforce identity systems to automatically provision user accounts for permanent employees or contractors. For example, SCIM provisioning might create an account for a developer employee in Entra ID or for a client-facing employee in Salesforce. Once a user is created in that system, the user gains access to many applications.
When required, employees can be authorized to use their workforce identity to authenticate and gain access to customer applications that use a CIAM system. To do so, the workforce system acts as an external identity provider.
Security and Compliance Benefits
In addition to simplifying identity integration, SCIM plays a significant role in improving an organization’s overall security posture and ensuring compliance with internal policies and external regulations. By automating identity provisioning and de-provisioning, SCIM eliminates many of the manual, error-prone tasks that can lead to access creep or orphaned accounts.
Centralized Access Control
SCIM ensures user access is governed from a single identity source. Whether it's a workforce identity system or a CIAM system, organizations can apply a change in one place and propagate it automatically. This reduces the risk of users retaining access to systems they no longer need.
In OAuth architectures, SCIM enables sensitive user data like Personally Identifiable Information (PII) to be managed in a central place and returned to applications in tokens. Doing so prevents this information from being scattered across multiple systems and can make it easier to meet privacy regulations like GDPR.
Consistent De-Provisioning
When an employee user leaves an organization, or a customer user unregisters, SCIM allows connected applications to immediately revoke access. This minimizes the attack surface by ensuring that removing users is instant and synchronized across all systems—not reliant on manual cleanup by IT admins.
Audit and Compliance Reporting
SCIM's structured and predictable workflows make it easier to generate audit trails. Lifecycle events such as provisioning, attribute updates, and account deletions can be logged centrally. This supports compliance with frameworks like:
- ISO 27001
- SOC 2
- HIPAA
- GDPR
Reduced Human Error
Manual account provisioning introduces inconsistencies, especially in environments with many SaaS tools. SCIM enforces schema alignment and eliminates hand-configured user roles, improving overall identity and access management hygiene and reducing administrative overhead.
Conclusion
SCIM is a standardized REST-based protocol for cross-domain user management, making it easier and faster to centralize user management. SCIM enables developers to integrate and use CRUD capabilities for user management quickly and seamlessly across many different types of data sources without using several different protocols.

Jonas Iggbom
Director of Sales Engineering at Curity