Until recently, no standard existed to securely propagate user directory information across organizational boundaries. For this reason, managing user identities in cloud-based applications has been a resource-intensive undertaking.
Accounts must be synchronized across organizations to enable single sign-on. Currently, this is accomplished in one of three ways: manual account creation, just-in-time provisioning at first login, or a proprietary connector per application. In each case, on- and off-boarding users is time-consuming, fragile and error-prone, and off-boarding in particular is easy to miss, leaving orphaned accounts that still grant access.
A new standard, the System for Cross-domain Identity Management (SCIM), reduces the complexity of user management by providing a standard, REST-based protocol for cross-domain identity management operations. SCIM 2.0 is specified in RFC 7643 (core schema) and RFC 7644 (protocol). SCIM enables provisioning and deprovisioning between identity providers and service providers, which keeps users in sync and reduces the administrative burden.
How it Works
The SCIM model is based upon the experience of existing schemas and SaaS deployments, with specific emphasis on (1) simplifying development and integration, and (2) applying existing authentication, authorization and privacy mechanisms wherever possible.
The identity provider runs the SCIM client. It connects to the authoritative user directory, monitors it for changes (a new hire, a changed attribute, a departure), and pushes each change as an HTTP request to the target service providers as required. On the service provider side, a SCIM server (the specification calls this side the service provider) exposes /Users and /Groups endpoints, authenticates the client, typically with a bearer token over TLS, and applies the requested change to its own user store. Note that the client is the side that originates requests and the server is the side that receives them, regardless of which organization runs the directory.
SCIM has four main technical benefits:
- It leverages REST and JSON, not SOAP and XML, focusing on essential operations: Create, Read, Update and Delete, also referred to as ‘CRUD’, mapped onto HTTP POST, GET, PUT or PATCH, and DELETE.
- Unlike Service Provisioning Markup Language (SPML), it does not leave the data model to each target application: every SCIM service provider exposes the same endpoints and resource format.
- It offers an improvement over SPML by defining a comprehensive core user and group schema, which can be extended (for example, the enterprise user extension) without breaking interoperability.
- It is supported by major cloud applications like Google and Salesforce.
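The exchange described above, as an added example that is not part of the original article and does not represent any vendor's implementation. It simulates both sides in one Python process so that it runs offline: the identity provider's SCIM client builds the requests for create, read (a filtered search) and update (a PATCH that sets active to false), and a minimal in-memory service provider validates the bearer token, enforces userName uniqueness and applies an allow-list to the attributes a PATCH may change. The endpoint paths, schema URNs, PatchOp message and filter syntax follow RFC 7643 and RFC 7644; the token value, the user records, the in-memory store and the class and function names are constructed for the example. The hard-delete operation (DELETE /Users/{id}) is left out to keep the example short.

```python
"""Minimal SCIM 2.0 provisioning exchange, simulated in memory. Added example, not the
article's code: paths, schema URNs, PatchOp and filter syntax follow RFC 7643/7644; the
bearer token, user data and the in-memory store are constructed stand-ins."""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
VALID_TOKEN = "constructed-provisioning-token"  # a real SP issues and validates this


def scim_error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimServiceProvider:
    """Service-provider side: exposes /Users, checks the bearer token, stores users."""
    def __init__(self):
        self.users = {}

    def handle(self, method, path, headers, body=None):
        if headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
            return scim_error(401, "invalid or missing bearer token")
        path, _, query = path.partition("?")
        one = re.fullmatch(r"/Users/([^/]+)", path)
        if method == "POST" and path == "/Users":
            return self._create(body)
        if method == "GET" and path == "/Users":
            return self._list(query)
        if method == "PATCH" and one and one.group(1) in self.users:
            return self._patch(self.users[one.group(1)], body)
        return scim_error(404, "not found")

    def _create(self, body):
        if USER_SCHEMA not in body.get("schemas", []) or "userName" not in body:
            return scim_error(400, "core User schema and userName are required")
        # userName is unique per SP and matched case-insensitively (RFC 7643 section 4.1.1)
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return scim_error(409, "userName already exists")
        user = dict(body, id=str(uuid.uuid4()))
        self.users[user["id"]] = user
        return 201, user

    def _list(self, query):
        # Only the filter  userName eq "value"  is implemented; a real SP parses RFC 7644 filters
        m = re.fullmatch(r'filter=userName eq "([^"]*)"', query)
        hits = [u for u in self.users.values()
                if m is None or u["userName"].lower() == m.group(1).lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def _patch(self, user, body):
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "PatchOp message required")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace" or op.get("path") not in ("active", "name", "emails"):
                return scim_error(400, "unsupported operation")  # allow-list what the SP will change
            user[op["path"]] = op["value"]
        return 200, user


class ScimClient:
    """Identity-provider side: the CRUD calls that keep the service provider in sync."""
    def __init__(self, sp, token):
        self.sp, self.token = sp, token

    def _call(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/scim+json"}
        return self.sp.handle(method, path, headers, body)

    def provision(self, user_name, given, family, email):
        return self._call("POST", "/Users", {
            "schemas": [USER_SCHEMA], "userName": user_name, "active": True,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}]})

    def find(self, user_name):
        if '"' in user_name or "\\" in user_name:  # never interpolate unescaped input into a filter
            raise ValueError("unsafe filter value")
        return self._call("GET", f'/Users?filter=userName eq "{user_name}"')

    def deprovision(self, user_id):
        # Off-boarding as active=false keeps the record and its history instead of deleting it
        return self._call("PATCH", f"/Users/{user_id}", {"schemas": [PATCH_SCHEMA],
                          "Operations": [{"op": "replace", "path": "active", "value": False}]})


def run_lifecycle():
    """On-board, look up and off-board one constructed user; return what each step yielded."""
    sp, results = ScimServiceProvider(), {}
    idp = ScimClient(sp, VALID_TOKEN)
    results["create"], user = idp.provision("bjensen@example.com", "Barbara", "Jensen", "bjensen@example.com")
    results["duplicate"], _ = idp.provision("BJENSEN@example.com", "Bee", "Jensen", "bee@example.com")
    results["found_total"] = idp.find("bjensen@example.com")[1]["totalResults"]
    results["active_after_offboard"] = idp.deprovision(user["id"])[1]["active"]
    results["unauthenticated"], _ = ScimClient(sp, "wrong-token").find("bjensen@example.com")
    return results
```

Three details carry the security weight here. The service provider rejects any request without the expected bearer token before it touches the store, so a leaked endpoint URL alone grants nothing; in production the token is issued by the service provider, sent only over TLS, and rotated like any other credential. Off-boarding is done by setting active to false rather than deleting, which revokes access while preserving the record for audit, which is how many identity providers deprovision by default; a hard delete via DELETE /Users/{id} is also defined by the protocol. Finally, SCIM filters are a small query language, so a client must validate or escape any directory value it interpolates into one, as find does, or an attacker who controls a userName can widen a search.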