System for Cross-domain Identity Management (SCIM) is a set of application-level protocols that use JSON, REST, and several different authentication methods to automate the task of data provisioning. When implemented, SCIM allows a wide variety of user accounts to be created, updated, or deactivated with minimal effort. It transfers just enough information from the identity provider to the application for the application to identify the user, so that users can sign in and out easily across the applications they need.
Without SCIM, IT administrators would have to manually add identifying information needed by the application about users who are allowed to use the application. This manual process takes longer and has a higher margin for error. Using SCIM as a standard protocol for cloud-based applications and services solves this problem and streamlines the management of users, groups, and devices.
Explained another way, SCIM offers standards-based provisioning, automates the exchange of user ID data from one entity to the other (across domains), and maintains these accounts across platforms. It makes data available in an orderly and secure way to applications that users need and/or have permission to use. It helps govern the rights and permissions that have been established for each individual user for each of the organization’s secure resources.
Most enterprises today have a complex matrix of technology users to manage and need to simplify the sign-in and permissions process. In addition, employees, partners, and contractors are using their own smart devices (smartphones and tablets) for work-related tasks, and they need to access cloud-based applications and services onsite and offsite with single sign-on (SSO). Unfortunately, SSO cannot be used without user provisioning. SCIM solves this problem by sharing identity information across organizations in a standardized way. It removes the need for proprietary APIs, handling the provisioning task in much the same way that federation standards solve the SSO problem. With SCIM, IT administrators can set up permissions to apps ahead of time so the user is provisioned immediately when they log on.
Provisioning allows organizations to ensure that users can access only resources that they are authorized to use, which protects systems and applications from unauthorized use and ensures that accounts are deactivated immediately.
SCIM provides a standard schema and definitions for users and exposes them through the standard CRUD operations (create, read, update, delete). For identity providers, a SCIM client such as PingOne or PingFederate connects to the user directory and monitors it for changes. The changes are then pushed to the target directories or to service provider SCIM endpoints as users are added, modified, or deleted.
On the service provider side, PingFederate functions as a SCIM server to receive requests for user management and then modifies the target directory as required. PingFederate includes built-in support for Microsoft Active Directory as well as an SDK for integrating with custom directories or databases.
Automated lifecycle management eliminates the borrowing or sharing of passwords between employees to gain access to applications they may not have permission to use. It also prevents accidental access when a user’s status changes. When users leave a company, identity providers can delete or close their accounts across applications, which improves security within the organization. Automatic deprovisioning can eliminate accidental licensing costs, reduce the chances of a data breach, and stop unauthorized users from logging into applications they should no longer have access to. It also eliminates the potential for errors in the manual entry of user data that needs to be shared between organizations.
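The CRUD lifecycle and the deprovisioning step described above, as an added illustration that is not code from Ping Identity's products or documentation: a minimal in-memory SCIM service-provider handler in Python that creates a user, closes the account by setting the `active` attribute to false (so the record and its audit trail survive while sign-in is blocked), and finally deletes it. The store class, its method names and the `deprovision` helper are assumptions made for this example; the schema URIs are the ones defined in RFC 7643 and RFC 7644.

```python
import copy
import uuid

# Schema URIs defined by RFC 7643 (core User resource) and RFC 7644 (PATCH message).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimUserStore:
    """Stand-in for the service provider's directory (constructed for this example)."""

    def __init__(self):
        self.users = {}  # server-assigned id -> user resource

    def create(self, body):
        """POST /Users: validate the resource, assign an id, default to active."""
        if USER_SCHEMA not in body.get("schemas", []):
            raise ValueError("400 invalidSyntax: missing core User schema")
        if not body.get("userName"):
            raise ValueError("400 invalidValue: userName is required")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            raise ValueError("409 uniqueness: userName already exists")
        user = copy.deepcopy(body)
        user["id"] = str(uuid.uuid4())
        user.setdefault("active", True)
        self.users[user["id"]] = user
        return user

    def read(self, user_id):
        """GET /Users/{id}: None stands in for a 404 response."""
        return self.users.get(user_id)

    def patch(self, user_id, body):
        """PATCH /Users/{id}: only 'replace' on a top-level attribute is supported here."""
        if PATCH_OP_SCHEMA not in body.get("schemas", []):
            raise ValueError("400 invalidSyntax: not a PatchOp message")
        user = self.users[user_id]
        for op in body["Operations"]:
            path = op.get("path", "")
            if op["op"].lower() != "replace" or not path or "." in path:
                raise ValueError("400 invalidPath: unsupported operation")
            user[path] = op["value"]
        return user

    def delete(self, user_id):
        """DELETE /Users/{id}: True if the record existed, False otherwise."""
        return self.users.pop(user_id, None) is not None


def deprovision(store, user_id):
    """Close the account: block sign-in while keeping the record for audit."""
    msg = {"schemas": [PATCH_OP_SCHEMA],
           "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return store.patch(user_id, msg)
```

Applications consuming the resource should treat `active: false` exactly like a missing account at login time, which is what makes the close action effective immediately.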
EXAMPLE
ABC Electronics engages an identity service that uses SCIM to provision user data to the apps that each ABC Electronics employee needs. When an employee leaves ABC Electronics, the identity provider deletes or closes their account, which means they will no longer be able to access any of the apps.
The adoption of SCIM allows easier, more powerful, and more standardized communication between identity data stores. This avoids the need to develop one-off integrations and allows organizations to leverage commercial solutions like PingOne or PingFederate, offering built-in support for both inbound and outbound SCIM provisioning.