What Is SCIM Provisioning and How Does It Work?

System for Cross-domain Identity Management (SCIM) provisioning is a tool that helps simplify the management of user information across different systems. The information needed on multiple devices or systems will be the same, so instead of a user entering their information over and over again to access data, SCIM connects their identity with your organization’s various systems.

Keep reading to learn the ways SCIM provisioning can be used, how it works and its benefits.

What is SCIM provisioning used for?

With SCIM provisioning, you can provision users to create, maintain and update accounts and give them permission to access specific cloud-based applications. The more employees your organization hires, the more accounts need to be created for your cloud-based applications and systems. Through the automated process of SCIM provisioning, your IT administrators will no longer need to create and manage user accounts manually, which significantly reduces the time and complexity of this task.

SCIM is an open standard, HTTP-based protocol, which means that it uses HTTP request methods to manage user data. In simpler terms, SCIM’s standardized rules can assist different systems in communicating with each other through the internet. For example, if your organization uses several different tools and systems, each one needs to know who is an authorized user and their permissions. When your organization uses SCIM provisioning, your HR team can create a new employee’s account and share it with the appropriate tools or systems they will need access to. This allows multiple parts of your organization to work together and maintain consistent user information across many systems. If you have any accounts that need to access sensitive data, SCIM supports the Principle of Least Privilege (PoLP) by allowing you to define an employee’s permissions, automatically provision them based on their role and ensure that only authorized users have access to specific information.

How SCIM provisioning works

SCIM provisioning uses a schema, which defines what data can be stored and managed for certain users and resources. For example, a specific username and email address must be stored with the affiliated user. With SCIM provisioning, a user’s information can be organized and consistent across multiple systems, simplifying the management process.

In SCIM, there are two roles: the ‘client’ and the ‘service provider.’ The ‘client’ is typically an organization’s Identity and Access Management (IAM) system, and the ‘service provider’ is a Software-as-a-Service (SaaS) application. Because your IAM system manages identities and permissions that service providers require, SCIM can simplify the process of creating, changing or deleting accounts on all systems to keep all information current and in sync.

Using a Representational State Transfer Application Programming Interface (RESTful API), SCIM provisioning transforms common HTTP request methods into Create, Read, Update and Delete (CRUD) operations. SCIM creates a new user within a system when you hire an employee, sending a request with the user’s name and email address to make an account. Next, SCIM retrieves (reads) information about a specific user, which could be helpful when you need more details about an existing user, like their role. SCIM updates their existing information once you request modifications to a user’s role or details in the system, such as a new email address for an existing employee. Lastly, SCIM can delete users when you need to remove them from the system, such as when users are offboarded. This helps your organization ensure that user information is updated and organized across organizational systems.

The benefits of SCIM provisioning

There are several benefits of SCIM provisioning, including that it makes it easier to implement Single Sign-On (SSO), increases productivity, reduces human error and enhances overall security.

1. Supports Single Sign-On (SSO)

Single Sign-On (SSO) authenticates users on multiple applications using one login credential, so an employee does not have to keep logging in to various applications. SSO reduces the time wasted when trying to do a simple task and eliminates the need for employees to remember multiple passwords for their daily work. Employees can use SSO to access all necessary resources, and SCIM allows SSO to simplify a user’s experience logging in to more than one application. SCIM provisioning with SSO will benefit your organization because not only will your employees have an easier time logging in to multiple systems, but your user permissions will also be synchronized across those systems.

2. Increases productivity across the organization

Because SCIM’s automated processes eliminate the need for administrators to manually create and update each user’s details on multiple applications, your organization will become more productive by focusing on more important tasks. SCIM automation frees IT teams from having to create and manage integrations, with fewer requests to add users or update a user’s permissions on various applications.

3. Reduces human error

SCIM automation mitigates the risk of human error because your administrators no longer need to manually enter every new user’s details for multiple applications. This also helps eliminate outdated or ‘zombie’ accounts that may be lurking in the background of your systems if they’ve been forgotten, which a cybercriminal could use as a security vulnerability to infiltrate your systems. 

4. Enhances security levels and compliance

SCIM makes removing newly departed employees from all applications simple and accurate. When your organization enables SSO, you will enhance your compliance with security policies by reducing your attack surface and enforcing Multi-Factor Authentication (MFA). SCIM allows you more control over authorized user permissions, which strengthens your organization’s overall security.

Manage accounts easily with SCIM provisioning

Keeper SSO Connect® supports SCIM by automatically provisioning and deprovisioning users as they join or leave your organization. Included with Keeper Enterprise, Keeper SSO Connect ensures that users have least-privilege access based on their specific roles and permissions.

Request a demo to see how Keeper^® can protect your organization’s login credentials with a zero-knowledge security architecture and enhance your overall security with SCIM-supported tools.