What is SCIM?

SCIM, or System for Cross-domain Identity Management, is an open standard that automates user provisioning. It was created in 2011 as it became clear that the technology of the future would be cloud-based. SCIM communicates user identity data between identity providers (such as companies with multiple individual users) and service providers that require user identity information (such as enterprise SaaS apps).

Why use SCIM?

In short, SCIM makes user data more secure and simplifies the user experience by automating the user identity lifecycle management process.

As companies grow, innovate, and experience employee turnover, their number of user accounts increases exponentially. Employees use them for everything from customer relationship management to team collaboration. Requests to add and delete users, change permissions, and add new types of accounts all take up valuable IT department time.

With SCIM, user identities can be created either directly in a tool like Okta, or imported from external systems like HR software or Active Directory. Because SCIM is a standard, user data is stored in a consistent format and can be communicated in that format across different apps. This enables IT departments to automate the provisioning/deprovisioning process while also having a single system in which to manage permissions and groups. Since the data is transferred automatically, the risk of manual error is also reduced.

IT departments no longer need to develop and constantly update custom integrations that connect company directories to various external tools and apps. Employees outside of IT can take advantage of single sign-on (SSO) to streamline their own workflows and reduce the need to pester IT for password resets by up to 50%.

At the same time, many of the security risks companies face are reduced by adopting SCIM. When employees no longer need to sign on to each of their accounts individually, companies can ensure security policy compliance. This also mitigates the risks associated with employees reusing the same password across different tools and apps. As teams develop new workflows and adopt new apps, companies can keep on top of these changes without fear of losing track of accounts.

How it works

SCIM is a REST and JSON-based protocol that defines client and server roles. The client is usually an identity provider (IdP), like Okta, that holds a robust directory of user identities. The service provider (SP) is usually a SaaS app, like Box or Slack, that needs a subset of the information in those identities. When identities are created, updated, or deleted in the IdP, the changes are automatically synced to the SP according to the SCIM protocol. The IdP can also read identities from the SP to add to its directory and to detect incorrect values in the SP that could create security vulnerabilities. For end users, this means seamless access to the applications to which they're assigned, with up-to-date profiles and permissions.
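As an added example (not code from Okta, nor a reference implementation of the SCIM specification), the following Python models the exchange described above in memory: a hypothetical service provider's /Users endpoint that accepts SCIM 2.0 create, read, list, patch and delete requests, and an identity-provider-side client that pushes directory changes to it and then reads the accounts back to flag state that disagrees with the IdP. The schema URNs are the ones defined in RFC 7643 and RFC 7644; the class and function names, the two-user sample directory and the stale "ghost" account are constructed for illustration. Network transport is omitted, so each server method returns the HTTP status code and JSON body a real server would send.

```python
import re
import uuid
from copy import deepcopy

# SCIM 2.0 schema URNs as defined in RFC 7643 (resources) and RFC 7644 (protocol).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Only the simplest SCIM filter form is supported in this toy:  userName eq "value"
_FILTER_RE = re.compile(r'^userName eq "([^"]*)"$')


def _error(status, detail):
    """Build the (status, body) pair for a SCIM error response."""
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUserServer:
    """Hypothetical in-memory stand-in for a service provider's /Users endpoint."""

    def __init__(self):
        self._users = {}  # id -> User resource

    def find(self, user_name):
        """Look up a user by userName; SCIM treats userName as unique, case-insensitively."""
        return next((u for u in self._users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    def create(self, body):
        """POST /Users"""
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return _error(400, "core User schema and userName are required")
        if self.find(body["userName"]) is not None:
            return _error(409, "userName is already in use")  # uniqueness conflict
        uid = str(uuid.uuid4())
        user = {"schemas": [USER_SCHEMA], "id": uid, "userName": body["userName"],
                "active": bool(body.get("active", True)),
                "emails": deepcopy(body.get("emails", [])),
                "meta": {"resourceType": "User", "location": f"/Users/{uid}"}}
        self._users[uid] = user
        return 201, deepcopy(user)

    def get(self, uid):
        """GET /Users/{id}"""
        user = self._users.get(uid)
        return (200, deepcopy(user)) if user else _error(404, f"User {uid} not found")

    def list(self, filter_expr=None):
        """GET /Users?filter=..."""
        users = list(self._users.values())
        if filter_expr is not None:
            m = _FILTER_RE.match(filter_expr)
            if not m:
                return _error(400, "unsupported filter")
            users = [u for u in users if u["userName"].lower() == m.group(1).lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(users),
                     "Resources": deepcopy(users)}

    def patch(self, uid, body):
        """PATCH /Users/{id}; only 'replace' on 'active' and 'emails' is supported here."""
        if uid not in self._users:
            return _error(404, f"User {uid} not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return _error(400, "PatchOp schema is required")
        user = self._users[uid]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace" or op.get("path") not in ("active", "emails"):
                return _error(400, f"unsupported operation: {op}")
            user[op["path"]] = bool(op["value"]) if op["path"] == "active" else deepcopy(op["value"])
        return 200, deepcopy(user)

    def delete(self, uid):
        """DELETE /Users/{id}"""
        if self._users.pop(uid, None) is None:
            return _error(404, f"User {uid} not found")
        return 204, None


def sync_directory(server, idp_users):
    """IdP-side push: mirror the directory {userName: {active, emails}} into the SP."""
    counts = {"created": 0, "updated": 0, "deactivated": 0}
    for name, attrs in idp_users.items():
        active, emails = attrs.get("active", True), attrs.get("emails", [])
        existing = server.find(name)
        if existing is None:
            server.create({"schemas": [USER_SCHEMA], "userName": name,
                           "active": active, "emails": emails})
            counts["created"] += 1
        elif existing["active"] != active or existing["emails"] != emails:
            server.patch(existing["id"], {"schemas": [PATCH_SCHEMA], "Operations": [
                {"op": "replace", "path": "active", "value": active},
                {"op": "replace", "path": "emails", "value": emails}]})
            counts["updated"] += 1
    # Accounts the IdP no longer knows are deactivated, not deleted, so audit history survives.
    for sp_user in server.list()[1]["Resources"]:
        if sp_user["userName"] not in idp_users and sp_user["active"]:
            server.patch(sp_user["id"], {"schemas": [PATCH_SCHEMA], "Operations": [
                {"op": "replace", "path": "active", "value": False}]})
            counts["deactivated"] += 1
    return counts


def detect_drift(server, idp_users):
    """IdP-side read-back: report SP accounts whose state disagrees with the IdP."""
    findings = []
    for sp_user in server.list()[1]["Resources"]:
        expected = idp_users.get(sp_user["userName"])
        if expected is None and sp_user["active"]:
            findings.append((sp_user["userName"], "active account unknown to IdP"))
        elif expected is not None and sp_user["active"] != expected.get("active", True):
            findings.append((sp_user["userName"], "active flag differs from IdP"))
    return findings


def demo():
    """Constructed walk-through: onboard two users, offboard one, then catch a ghost account."""
    server = ScimUserServer()
    directory = {  # constructed sample directory, not real data
        "alice@example.com": {"active": True,
                              "emails": [{"value": "alice@example.com", "primary": True}]},
        "bob@example.com": {"active": True, "emails": []},
    }
    first = sync_directory(server, directory)        # both users created via POST
    directory["bob@example.com"]["active"] = False   # Bob leaves the company
    second = sync_directory(server, directory)       # Bob deactivated via PATCH
    # A local account created in the SP behind the IdP's back is exactly the kind of
    # "incorrect value" a read-back sync is meant to surface.
    server.create({"schemas": [USER_SCHEMA], "userName": "mallory@example.com"})
    return first, second, detect_drift(server, directory)


if __name__ == "__main__":
    print(demo())
```

Two design choices are worth noting. Offboarded accounts are deactivated with a PATCH on `active` rather than removed with DELETE, which is the usual practice so that the account's history stays auditable; DELETE is still implemented for SPs that require it. The `detect_drift` pass is the read-back the text describes: an SP account that is active but absent from the IdP is the signature of a manually created or orphaned login that SSO-only policies would otherwise never see.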

How to adopt SCIM for your business

Okta includes provisioning integrations, including SCIM-based ones, with over 80 top apps, and supports SSO with over 5,000 apps. Okta has API integrations with thousands of industry-leading applications to communicate your user data quickly and securely. Try Okta for free for 30 days to see how it can help you streamline your user identity management.

If you are a developer looking to integrate your app into Okta, you can do so by joining our SCIM Provisioning Developer Program.