User Provisioning With SCIM

System for Cross-domain Identity Management (SCIM) is a REST-based protocol that provides a straightforward approach to resource management using the JSON data format. Even though technically, any resource could be represented using SCIM, it's mainly used for user management in cloud-based applications and services. User management with SCIM is what this article will focus on below.

SCIM applies a standardized data model across multiple user data sources and allows for a fast, cheap, and easy way to perform operations on user identities between different identity systems.

Why SCIM?

SCIM is an open standard that simplifies the process of centrally managing user identities. Compared to integrating directly with LDAP/AD, SQL, or other protocols, SCIM is a more modern and lightweight approach. From a developer standpoint, SCIM is much easier to work with.

Given that SCIM is a REST-based protocol, it has benefits over LDAP/SQL from a communication perspective too. Communication channels between domains are more trivial to establish over HTTP/REST rather than LDAP/SQL. The latter would probably require additional configurations of firewalls, proxies, and networks to be allowed. These configurations must be maintained, and depending on the system, they could pose significant security concerns.

SCIM also helps streamline disparate identity stores, such as during a company acquisition. The same is true for employee provisioning or de-provisioning — SCIM acts as a single source of truth for user identities, removing the hurdles of adding or removing users to many applications within an organization. Taking it one step further, SCIM can enable self-service and self-registration to alleviate the IT department's burden.

Cross-Domain User Provisioning

As the name implies, SCIM handles identity management across domains. Here, "domains" refers to identity domains or separate IT systems. Historically, IT systems were hosted internally within an organization, managed separately, and had very little cross-domain communication. There could naturally have been some cross-domain or system communication, but with systems fully managed internally within the organization, managing identities across these systems was simpler (although not necessarily easy).

Nowadays, many services and IT systems are SaaS-based and very specialized in what they do. However, there's still a need to connect these separate SaaS applications across multiple domains. With that comes the management of identities across these different systems. SCIM is standardized, making it easy for all IT systems to integrate and quickly enable the management of identities across these hosted SaaS applications. Or, in other words, manage the user identities across the different identity domains.

Federation (e.g., using "Just in Time" or JIT provisioning) can handle some aspects of this. However, it's often not enough or doesn't fit the use case. For example, particular applications within an organization's ecosystem may not be federated. There could also be regulatory or liability concerns that prohibit federation for certain applications or organizations.

SCIM Server and Client

A SCIM client is essentially the consumer of the SCIM server. The client is the application that needs to perform the CRUD actions on a user object. It is the IT system, or Domain mentioned earlier in the article. This is the system that would need to know if a user has been de-provisioned (centrally) and thus would probably deny the user access.

A SCIM server is the component that communicates with one or more data sources that hold user information. This server exposes the standardized CRUD capabilities to the clients and, with the incoming requests, performs those actions in the native "language" of the data source holding the information. The server simplifies the complexity of managing several data sources. It also removes the need to connect to the data source in its native communication protocol, which can be cumbersome and time-consuming to implement in modern applications. The server exposes open, standardized SCIM interfaces for SCIM clients (applications) to consume.

As an example, the Curity Identity Server is both a SCIM server and a client. It exposes a SCIM 2.0 compliant server for user management. However, one of the sources that can be connected on the backend is also a SCIM server. In that scenario, the Curity Identity Server operates as a SCIM 1.1 and/or SCIM 2.0 client.

Conclusion

SCIM is a standardized REST-based protocol for cross-domain user management, making it easier and faster to centralize user management. SCIM enables developers to integrate and use CRUD capabilities for user management quickly and seamlessly across many different types of data sources without using several different protocols.

References

• System for Cross-domain Identity Management: Core Schema
• System for Cross-domain Identity Management: Protocol
• System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements