Who Gives a S#!% About SCIM?

2 years ago
Written by
Fouad Matin
@fouadmatin

System for Cross-domain Identity Management (SCIM) is a standard protocol for provisioning and managing identity data across multiple identity providers (IdPs) and service providers (SPs).

SCIM was originally designed to simplify the provisioning and management of user accounts in cloud-based applications and services. However, SCIM can be used to provision and manage any type of identity data, including but not limited to:

  • User accounts
  • Groups
  • Devices
  • Applications

The SCIM standard is maintained by the SCIM working group of the Internet Engineering Task Force (IETF). The latest version of the SCIM protocol is SCIM 2.0, which was published in July of 2015.

The SCIM protocol is based on the principle of schema-on-read, which means that identity data is not required to conform to a specific schema in order to be provisioned or managed. This allows for a high degree of flexibility when provisioning and managing identity data.

SCIM uses the HTTP protocol for all communication between IdPs, SPs, and SCIM servers. SCIM servers are responsible for translating SCIM requests and responses into the appropriate format for the IdP or SP.

The SCIM protocol defines a number of different operations that can be performed on identity data, including:

  • Create
  • Read
  • Update
  • Delete
  • Search

Each of these operations is performed using an HTTP verb (e.g., POST for create, GET for read, etc.). In addition, the SCIM protocol defines a number of different resources that can be managed, including:

  • Users
  • Groups
  • Devices
  • Applications

The SCIM protocol also defines a number of different attributes that can be associated with each resource, including:

  • Name
  • Description
  • Email address
  • Phone number

The SCIM protocol is designed to be extensible, which means that new resources and attributes can be added as needed. You can think of it as a spec that companies implement to enable interoperability between their system and third party identity providers.
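To make the protocol description above concrete, here is an added illustration (not code from this post or from Indent) of a minimal in-memory SCIM 2.0 `/Users` endpoint that maps the five operations onto HTTP verbs. The schema URNs are the ones defined by SCIM 2.0 (RFC 7643 / RFC 7644); the `ScimUserStore` class, `parse_filter` function and sample user are my own. The filter parser deliberately accepts only `attr eq "value"` terms joined by `and`, a small subset of the SCIM filter grammar, and rejects everything else rather than silently matching every user.

```python
import re
import uuid
from typing import Optional

# Schema URNs as defined by SCIM 2.0 (RFC 7643 / RFC 7644).
SCHEMA_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCHEMA_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
SCHEMA_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCHEMA_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Filter subset handled here: one or more `attr eq "value"` terms joined by `and`.
# The rest of the SCIM grammar (co, sw, pr, or, not, parentheses, ...) is not covered.
_TERM = r'(\w+)\s+eq\s+"((?:[^"\\]|\\.)*)"'
_FILTER = re.compile(rf"^\s*{_TERM}(?:\s+and\s+{_TERM})*\s*$")


def parse_filter(expr: str) -> list[tuple[str, str]]:
    """Return the (attribute, value) equality terms of a filter; all must hold.

    Anything outside the supported subset raises ValueError, so a malformed or
    unsupported filter is rejected instead of matching every user.
    """
    if not _FILTER.match(expr):
        raise ValueError(f"unsupported filter: {expr!r}")
    return [(m.group(1), m.group(2).replace('\\"', '"')) for m in re.finditer(_TERM, expr)]


class ScimUserStore:
    """In-memory /Users resource (hypothetical): maps SCIM operations onto HTTP verbs."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def handle(self, method: str, path: str, body: Optional[dict] = None,
               query: Optional[str] = None) -> tuple[int, dict]:
        """Dispatch one request; returns (HTTP status, JSON-serialisable body)."""
        user_id = path.removeprefix("/Users").strip("/") or None
        if method == "POST" and user_id is None:            # Create
            return self._create(body or {})
        if method == "GET" and user_id is None:             # Search (?filter=...)
            return self._search(query)
        if method == "GET" and user_id in self._users:      # Read
            return 200, self._users[user_id]
        if method == "PATCH" and user_id in self._users:    # Update
            return self._patch(user_id, body or {})
        if method == "DELETE" and user_id in self._users:   # Delete
            del self._users[user_id]
            return 204, {}
        return self._error(404, "no such resource or unsupported operation")

    def _create(self, body: dict) -> tuple[int, dict]:
        if SCHEMA_USER not in body.get("schemas", []) or not body.get("userName"):
            return self._error(400, "schemas must include the User schema; userName is required")
        # userName is unique on the server (RFC 7643): refuse duplicates with 409.
        if any(u["userName"] == body["userName"] for u in self._users.values()):
            return self._error(409, "uniqueness")
        user = {**body, "id": str(uuid.uuid4()), "active": bool(body.get("active", True))}
        self._users[user["id"]] = user
        return 201, user

    def _patch(self, user_id: str, body: dict) -> tuple[int, dict]:
        if SCHEMA_PATCH not in body.get("schemas", []):
            return self._error(400, "invalidSyntax")
        user = self._users[user_id]
        for op in body.get("Operations", []):
            # Only `replace` of a top-level attribute is implemented here.
            if str(op.get("op", "")).lower() != "replace" or not op.get("path"):
                return self._error(400, "only 'replace' with a simple path is supported")
            user[op["path"]] = op.get("value")
        return 200, user

    def _search(self, query: Optional[str]) -> tuple[int, dict]:
        try:
            terms = parse_filter(query) if query else []
        except ValueError as exc:
            return self._error(400, str(exc))
        # Equality is evaluated on string attributes only in this subset.
        hits = [u for u in self._users.values() if all(u.get(a) == v for a, v in terms)]
        return 200, {"schemas": [SCHEMA_LIST], "totalResults": len(hits), "Resources": hits}

    @staticmethod
    def _error(status: int, detail: str) -> tuple[int, dict]:
        return status, {"schemas": [SCHEMA_ERROR], "status": str(status), "detail": detail}


if __name__ == "__main__":
    store = ScimUserStore()
    # Constructed sample user, as an IdP would POST it.
    status, alice = store.handle("POST", "/Users",
                                 {"schemas": [SCHEMA_USER], "userName": "alice@example.com"})
    print(status, alice["id"])
    print(store.handle("GET", "/Users", query='userName eq "alice@example.com"'))
```

The point worth noticing is how little the verbs carry on their own: Create and Update are only as safe as the server-side checks around them (schema present, `userName` unique, PATCH operations restricted to what you actually implement), and a search filter is an input from the IdP that must be parsed and validated, not interpolated into a backend query.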

Watered Down SCIM

SCIM is like skim (or skimmed) milk: it's great in theory. But as with all great ideas, there are a few things that are not quite as good as they should be.

First, it requires a high level of integration between different IT systems. This can be difficult to achieve, especially in larger organizations with complex IT architectures.

Second, SCIM is designed to work with enterprise-level identity management solutions, which can be expensive and difficult to implement. A lot of software vendors will charge an extra fee for SCIM / single sign-on support — commonly known as the SSO Tax. This means as a customer you have to pay extra for your users to be able to sign in using your chosen identity provider.

Finally, SCIM is designed to be used by a single identity provider. This means that you can only use SCIM to provision and manage data for one identity provider.

Software vendors will sometimes support only the create and update operations of SCIM but not delete / deactivate, which means your usage can only grow: you can't deprovision users automatically from your identity provider.
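The deprovisioning gap just described is the one that matters most from a security standpoint, because an employee who has left the company keeps a live account at the vendor. The following added example (my own code, not the post's or Indent's) models a vendor whose SCIM endpoint honours only create/update, tries the strongest removal it does support, and then reconciles the vendor's view against the IdP to surface orphaned accounts. The `VendorCapabilities` flags, `VendorDirectory` store and user lists are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class VendorCapabilities:
    """What a vendor's SCIM endpoint actually honours for removal (assumed known,
    e.g. from the vendor's documentation or from a test against a sandbox tenant)."""
    delete_supported: bool        # DELETE /Users/{id} removes the account
    deactivate_supported: bool    # PATCH replace active=false is honoured


@dataclass
class VendorDirectory:
    """Constructed stand-in for a vendor's SCIM user store, keyed by userName."""
    caps: VendorCapabilities
    users: dict[str, dict] = field(default_factory=dict)

    def deprovision(self, user_name: str) -> str:
        """Apply the strongest removal the vendor supports and report which one."""
        if user_name not in self.users:
            return "absent"
        if self.caps.delete_supported:            # DELETE /Users/{id}
            del self.users[user_name]
            return "deleted"
        if self.caps.deactivate_supported:        # PATCH replace active=false
            self.users[user_name]["active"] = False
            return "deactivated"
        return "unsupported"                      # account stays live at the vendor


def reconcile(idp_active: set[str], vendor: VendorDirectory) -> dict[str, list[str]]:
    """Compare the IdP (source of truth) with the vendor's view.

    orphaned: still active at the vendor although no longer active in the IdP
    missing:  active in the IdP but not active at the vendor
    """
    vendor_active = {name for name, u in vendor.users.items() if u.get("active", True)}
    return {"orphaned": sorted(vendor_active - idp_active),
            "missing": sorted(idp_active - vendor_active)}


def offboard(departed: set[str], idp_active: set[str], vendor: VendorDirectory) -> dict:
    """Deprovision departed users, then audit what the vendor still considers active."""
    outcomes = {name: vendor.deprovision(name) for name in sorted(departed)}
    return {"outcomes": outcomes, **reconcile(idp_active, vendor)}


if __name__ == "__main__":
    # Constructed sample data: a vendor that supports create/update but not removal.
    vendor = VendorDirectory(
        VendorCapabilities(delete_supported=False, deactivate_supported=False),
        {"alice": {"active": True}, "bob": {"active": True}},
    )
    print(offboard({"bob"}, {"alice"}, vendor))
    # -> {'outcomes': {'bob': 'unsupported'}, 'orphaned': ['bob'], 'missing': []}
```

Run the reconciliation on a schedule regardless of what the vendor claims to support: an `orphaned` entry is an account that needs a manual ticket (or a break-glass API call) today, and a non-empty `missing` list tells you provisioning itself has drifted.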

SCIM in the Real World

SCIM is used by Identity Providers (IdPs) to provision and manage user accounts in cloud-based applications. When a user authenticates to an application, the IdP uses SCIM to create or update the user's account in the application. This allows the application to have an up-to-date view of the user's identity, which is essential for security and compliance.

By supporting SCIM, an application can be used with any IdP that also supports SCIM. This makes it easy to switch IdPs, or to use multiple IdPs for different users.

SCIM is an important part of the identity management landscape, and is poised to become even more important as cloud-based applications become more prevalent.

Have questions about SCIM and how it could fit into your organization?

Feel free to reach out to our team and we're happy to help you figure it out. You can either schedule a demo or contact us.
