SCIM and CIAM
Heya,
I ran across this SCIM playground a while ago and that reminded me I wanted to write more about this standard. For the basics of the System for Cross-domain Identity Management (SCIM), I will point you to what I've written previously for my employer, an article entitled “What Is SCIM”.
Let's dig into some of the less obvious aspects of SCIM.
SCIM Quirks
First off, I find SCIM nomenclature a bit weird. A SCIM server receives the user data and stores it. A SCIM client, on the other hand, sends user data. It's kinda like HTTP in that way.
Each SCIM client is the system of record for its user data. SCIM allows provisioning those users into other systems. It is an example of direct user creation. SCIM is most useful in a B2B scenario, where the users being provisioned are managed by a directory controlled by the business. B2C users typically don't exist in such an external directory.
With SCIM, the clients are pushing user data into the server. Then, when a user tries to log in, they are authenticated against the server using the data provided by the client.
One eyebrow-raising aspect of SCIM is that it allows user passwords to be pushed from client to server. The spec does make recommendations around securing those passwords, including suggesting hashing them on the SCIM server and always using TLS.
Common SCIM clients differ in their ability to push passwords. Okta allows it. Entra ID, formerly Azure AD, does not.
SCIM vs Federation
The main alternative to SCIM for provisioning is federation, using OIDC. Both are standardized. Both deliver user data to a CIAM system but don't require the CIAM system to be the source of truth.
SCIM has benefits when compared to federation.
SCIM offers direct user provisioning in a standards-based manner, rather than being just-in-time as federation is. All users exist in the SCIM server as soon as the SCIM push succeeds.
The user experience of a user logging directly into a CIAM server is better than when federating to the external data store. The process is faster and there is no redirect to any other application.
SCIM syncs more user data than methods like federation, including groups and other metadata.
With SCIM, account deletion is immediate or near real-time. If the CIAM server is configured correctly, it can invalidate all active sessions. With federation, the user is blocked at next login, but may retain application access until re-authentication is required.
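As an added example that is not from the original post, here is a hypothetical, minimal SCIM server-side store in Python showing the two points raised above: a pushed password is hashed (salted PBKDF2 here, my choice; the spec only recommends hashing) before anything is stored, and a SCIM delete revokes every live session immediately rather than waiting for the next login. The schema URN is the standard one; the record layout, session store, iteration count and sample resource are constructed for this example.

```python
import hashlib
import hmac
import os
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PBKDF2_ROUNDS = 600_000  # assumption: tune the work factor to your hardware
SAMPLE_USER = {  # constructed sample of the JSON a SCIM client would POST to /Users
    "schemas": [SCIM_USER_SCHEMA], "userName": "alice@example.com", "active": True,
    "password": "correct horse battery staple", "groups": [{"display": "Engineering"}],
}
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class ScimUserStore:
    def __init__(self):
        self.users = {}     # userName -> record; never holds the cleartext password
        self.sessions = {}  # session token -> userName

    def create_user(self, resource):
        # POST /Users: reject resources that do not declare the core User schema
        if SCIM_USER_SCHEMA not in resource.get("schemas", []):
            raise ValueError("resource does not declare the SCIM core User schema")
        record = {"userName": resource["userName"],
                  "active": resource.get("active", True),
                  "groups": [g["display"] for g in resource.get("groups", [])]}
        if "password" in resource:  # hash the pushed password before storing anything
            record["pw_salt"] = os.urandom(16)
            record["pw_hash"] = _hash_password(resource["password"], record["pw_salt"])
        self.users[record["userName"]] = record
        return record["userName"]

    def authenticate(self, user_name, password):
        # Local login against the pushed data; returns a session token or None
        record = self.users.get(user_name)
        if record is None or not record["active"] or "pw_hash" not in record:
            return None
        if not hmac.compare_digest(_hash_password(password, record["pw_salt"]), record["pw_hash"]):
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = user_name
        return token

    def delete_user(self, user_name):
        # DELETE /Users/{id}: drop the record and revoke every live session at once
        self.users.pop(user_name, None)
        revoked = [t for t, u in self.sessions.items() if u == user_name]
        for token in revoked:
            del self.sessions[token]
        return len(revoked)
    def session_valid(self, token):
        return token in self.sessions
```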
Summing Up
SCIM is one alternative for user provisioning that you should consider if your customers are businesses with employees or other people managed by a directory. If that directory is a SCIM client, it can push user data into your CIAM system in ways that are often superior to the just-in-time provisioning offered by OIDC federation.
Cheers,
Dan