Background of System for Cross-domain Identity Management
Keeping user identities synchronized across multiple disparate data stores has always been a challenge for organizations. Even with identity federation and single sign-on, it’s often imperative to have user records established across IAM systems so that applications can store and retrieve user information from a local repository. For SaaS applications, this is even more critical because the data stores are in different security domains, and streamlining user onboarding and offboarding is increasingly a requirement for customers.
Service Provisioning Markup Language (SPML) was an XML-based framework that was approved in 2003 to solve this problem, but the implementation and usage of the protocol was cumbersome, leading to low adoption of the standard. So, the System for Cross-domain Identity Management (SCIM) was developed in 2011 using modern protocols like REST and JSON in order to reduce complexity and provide a more straightforward approach to user management.
The release of SCIM 1.1 in July of 2012 clarified issues that were discovered during interop testing, and the protocol is now successfully being used by a number of enterprises and SaaS providers, including Salesforce. While many SaaS providers support proprietary interfaces as well as mechanisms like just-in-time provisioning, the adoption of SCIM allows easier, more powerful and standardized communication between identity data stores. This avoids the need to develop one-off integrations and allows organizations to leverage commercial solutions like PingFederate, which has built-in support for both inbound and outbound SCIM provisioning.
How SCIM works
For identity providers, a SCIM client like PingFederate connects to the user directory and monitors it for changes. The changes are then pushed to the target directories or to service provider SCIM endpoints as users are added, modified or deleted.
On the service provider side, PingFederate functions as a SCIM server to receive requests for user management and then modifies the target directory as required. PingFederate includes built-in support for LDAP as well as an SDK for integrating with custom directories or databases.
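As an added illustration (not PingFederate's code and not from the original article), the following minimal in-memory SCIM 1.1 /Users handler shows the server-side shape of the add/modify/delete flow described above: requests arrive as JSON, the core User schema URN and userName uniqueness are checked before the directory is touched, and failures are returned in the SCIM 1.1 "Errors" envelope. Paths are assumed relative to the SCIM base URL, and the ScimUserStore class and scim_error helper are names chosen here, not part of any real implementation.

```python
import uuid

SCIM_USER_SCHEMA = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core User schema URN


def scim_error(status, detail):
    # SCIM 1.1 error envelope: an "Errors" list carrying description and code.
    return status, {"Errors": [{"description": detail, "code": str(status)}]}


class ScimUserStore:
    """In-memory stand-in for the directory behind a SCIM server's /Users endpoint."""

    def __init__(self):
        self.users = {}  # SCIM resource id -> User resource (dict)

    def _upsert(self, body, user_id=None):
        # Reject payloads that do not declare the core User schema or lack a userName.
        if not isinstance(body, dict) or SCIM_USER_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "missing core User schema")
        user_name = body.get("userName")
        if not user_name:
            return scim_error(400, "userName is required")
        # userName must be unique at the service provider: 409 Conflict otherwise.
        if any(u["userName"] == user_name and uid != user_id for uid, u in self.users.items()):
            return scim_error(409, "userName already in use")
        new_id = user_id or str(uuid.uuid4())
        user = dict(body, id=new_id, active=bool(body.get("active", True)))
        self.users[new_id] = user
        return (200 if user_id else 201), user

    def handle(self, method, path, body=None):
        """Dispatch one SCIM /Users request; returns (http_status, response_body)."""
        parts = [p for p in path.strip("/").split("/") if p]
        if not parts or parts[0] != "Users" or len(parts) > 2:
            return scim_error(404, "unknown resource")
        user_id = parts[1] if len(parts) == 2 else None
        if method == "POST" and user_id is None:   # add: POST /Users
            return self._upsert(body)
        if user_id is None or user_id not in self.users:
            return scim_error(404, "user not found")
        if method == "GET":                        # read: GET /Users/{id}
            return 200, self.users[user_id]
        if method == "PUT":                        # modify: PUT /Users/{id}
            return self._upsert(body, user_id)
        if method == "DELETE":                     # deprovision: DELETE /Users/{id}
            del self.users[user_id]
            return 200, {}
        return scim_error(405, "method not allowed")
```

A SCIM client such as the one described above would drive this with a POST when a user appears in the source directory, a PUT when attributes change (including active=false to disable), and a DELETE when the user is removed.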