Skip to main content

SCIM - Overview

System for Cross-domain Identity Management (SCIM) is an Open Standard API specification designed to manage identities across cloud applications easily and scalably. The specification suite builds upon experience with existing schemas and deployments, emphasizing:

  • Simplicity of development and integration
  • Application of existing authentication, authorization, and privacy models

Its intent is to reduce the cost and complexity of user management operations by providing:

  • A common user schema
  • An extension model; e.g., Enterprise User
  • Binding documents to provide patterns for exchanging this schema using HTTP

SCIM Protocol: Key Components

SCIM is a HTTP based protocol and uses structured JSON payloads to exchange resource information between the SCIM client and service provider. To identify the SCIM protocol resources, the application/scim+json media type is used.

SCIM Service Provider

SCIM Service Provider is any business application that provisions users and groups by synchronizing the changes made in a SCIM Client, including creates, updates, and deletes. The synchronization enables end users to have seamless access to the business application for which they’re assigned, with up-to-date profiles and permissions.

Scalekit acts as the SCIM Service Provider on your behalf and integrates with your customer's Identity Providers or Directory Providers(e.g. Okta, Azure AD, Google Workspace, etc.) to provision users and groups.

SCIM Client

SCIM Client facilitates Provisioning, or managing user lifecycle events, through SCIM endpoints exposed by the SCIM Service Provider. Identity Providers and HRMS act as very popular SCIM Clients as they are treated as the source of truth for user identity data.

Some of the most common SCIM Clients are Okta, Microsoft Entra ID (aka Azure AD).

SCIM Endpoints

SCIM endpoints are the entry points to the SCIM API. They are the endpoints that the SCIM client will call to provision users and groups.

The following are the most popular SCIM endpoints that any SCIM Service Provider should support:

  • /Users
  • /Groups

SCIM Methods

As SCIM is built on top of REST, SCIM methods are the HTTP methods that are used to perform CRUD operations on the SCIM resources. The following are the most common SCIM methods:

  • GET
  • POST
  • PUT
  • PATCH
  • DELETE

SCIM Authentication

SCIM uses OAuth 2.0 Bearer Token Authentication to authenticate requests to the SCIM API. The token is a string that is used to authenticate the SCIM API requests to the SCIM service provider. The token is passed in the HTTP Authorization header using the Bearer scheme.

SCIM Resources

SCIM Resources are the core building blocks of the SCIM protocol. They represent entities such as users, groups, and organizational units. Each resource has a set of attributes that describe the entity.

While SCIM User Resource has the basic attributes of a user like email address, phone number, and name, it is extensible by defining new json schemas that a service provider can choose to implement. An Enterprise User is an example of an SCIM User extension resource. Enterprise User Resource has attributes such as employee number, department, and manager which are valuable for enterprise implementation of user management using SCIM v2.

Example SCIM User Representation
Loading...

SCIM Schema

SCIM schema is the core of the SCIM protocol. It is a JSON schema that defines the structure of the SCIM resources. The following are the most common SCIM schemas:

Putting Everything Together

Now that you have a high level understanding of the SCIM protocol and different components involved, let's put everything together to take a scenario of how SCIM protocol facilitates user provisioning from an Identity Provider to an SCIM Service Provider like Scalekit.

Scenario: New Employee Onboarding

  1. ACME Inc. hires a new employee, John Doe.
  2. ACME Inc. adds John Doe to their Okta Directory.
  3. Okta send a SCIM POST /Users request to a pre-registered SCIM Service Provider (Your B2B Application) with John Doe's information as per the SCIM protocol.
  4. You authenticate the request using the OAuth 2.0 Bearer Token Authentication & validate the request payload.
  5. You provision John Doe as a new user in your B2B application using the user payload.

Scenario: Employee Termination

  1. ACME Inc. terminates John Doe's employment.
  2. ACME Inc. removes John Doe from their Okta Directory.
  3. Okta send a SCIM DELETE /Users/john.doe request to a pre-registered SCIM Service Provider (Your B2B Application) as per the SCIM protocol.
  4. You authenticate the request using the OAuth 2.0 Bearer Token Authentication & validate the request payload.
  5. You deactivate John Doe as an existing user in your B2B application using the user payload.

Scenario: Employee Transfer

  1. ACME Inc. transfers John Doe to a different department.
  2. ACME Inc. updates John Doe's information in their Okta Directory.
  3. Okta send a SCIM PATCH /Users/john.doe request to a pre-registered SCIM Service Provider (Your B2B Application) as per the SCIM protocol.
  4. You authenticate the request using the OAuth 2.0 Bearer Token Authentication & validate the request payload.
  5. You update John Doe's information in your B2B application using the user payload.
SCIM Create User Request
POST /Users HTTP/1.1
Host: yourapp.scalekit.com/directory/dir_12442/scim/v2
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer YOUR_SCIM_API_TOKEN

{
    "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName":"bjensen",
    "externalId":"bjensen",
    "name":{
        "formatted":"Ms. Barbara J Jensen III",
        "familyName":"Jensen",
        "givenName":"Barbara"
    }
}

Scalekit's SCIM Implementation

Scalekit's SCIM implementation is built upon the principles of simplicity, security, and scalability. It provides a normalized implementation of the SCIM protocol across different Identity Providers & Directory Providers. This allows you to focus on integrating with Scalekit's API & leave the complexities of SCIM protocol implementation to us. While not all Directory Providers implement SCIM or support all SCIM features, Scalekit aims to abstract these complexities & provide a seamless experience for provisioning users and groups.

Webhooks

Scalekit supports webhooks as a mechanism to send real-time updates to your application about user provisioning and deprovisioning events to your application as and when there are changes detected in your customer's SCIM compliant Directory Providers.

We also normalize the webhook payloads across different Directory Providers to ensure that you can focus on building your application without having to worry about the nuances of each Directory Provider's SCIM implementations.

Refer to our Webhooks documentation to learn more on how you can use webhooks to listen for changes in the directory and update the user's roles in your application.

Is this page helpful? Yes No
Need help? Contact Support
Questions? Contact Us