
SCIM provisioning overview

System for Cross-domain Identity Management (SCIM) is an open standard that manages user identity information between identity domains. The goal of SCIM is to make managing the exchange of user identities between cloud applications and services easier. Once configured, user profiles that are added, edited, or deleted in the SecureAuth® Identity Platform are automatically updated in supported applications.

The following workflow is an example of a user logging into a SCIM-integrated application for the first time with new or updated credentials:

  1. The user accesses a SCIM-integrated third-party application, which redirects to the Identity Platform.

  2. The user authenticates and the Identity Platform verifies their credentials with the associated data store.

  3. The Identity Platform recognizes that the verified user is accessing the third-party application for the first time or with newly updated credentials. It sends this information to the Service Provider to create or update the verified user's profile.

  4. The user is granted access to the application and their profile is automatically created or updated with the Service Provider with no other steps needed.

Refer to the diagram below for a visual of how SCIM provisioning works:

[Diagram: SCIM provisioning workflow (scim_diagram.png)]

Currently, the Identity Platform supports SCIM provisioning with the following Service Providers:

  • GitHub

  • AWS

  • Salesforce

The following authentication methods are supported:

  • Basic

  • OAuth 2.0

  • Access Token

Supported SCIM provisioning functionality

The following matrix details the supported SCIM provisioning in the Identity Platform release 22.12-1 or later.

Definitions
  • SCIM provisioning – SCIM provisioning automates provisioning, deprovisioning, and management of users through the service provider.

  • Supported – Supports the automation of SCIM provisioning and deprovisioning.

  • Not supported – Does not support the automation of SCIM provisioning and deprovisioning. However, as an admin, you can go into the directory of the service provider and make this adjustment.

| Service provider | SCIM provisioning: User | SCIM provisioning: Group / Team synchronization | SCIM management: User profile update | SCIM deprovisioning: User deactivation | SCIM deprovisioning: Group |
|---|---|---|---|---|---|
| AWS | Supported | Supported (create group; assign user to group) | Supported | Supported | Not supported (cannot delete group; cannot remove user from group) |
| GitHub | Supported | Not supported | Not supported | Supported | Not supported |
| Salesforce | Supported | Not supported | Limited support | Supported | Not supported |
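Because group deprovisioning is not automated for any provider in the matrix above, group memberships may need manual review after a user is deactivated. The following is an added example (not SecureAuth or service provider code) that flags memberships to review. It assumes the provider's users and groups are available as SCIM 2.0 ListResponse JSON (RFC 7643/7644); the sample data and function names are constructed for illustration.

```python
import json

# Constructed sample data in SCIM 2.0 ListResponse shape; not real provider output.
USERS_JSON = """
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 3,
 "Resources": [
  {"id": "u1", "userName": "alice@example.com", "active": true},
  {"id": "u2", "userName": "bob@example.com", "active": false},
  {"id": "u3", "userName": "carol@example.com", "active": true}]}
"""
GROUPS_JSON = """
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 2,
 "Resources": [
  {"id": "g1", "displayName": "Admins",
   "members": [{"value": "u1"}, {"value": "u2"}]},
  {"id": "g2", "displayName": "Developers",
   "members": [{"value": "u3"}, {"value": "u9"},
               {"value": "g1", "type": "Group"}]}]}
"""

def stale_memberships(users_response, groups_response):
    """Return sorted (group, member, reason) tuples that need manual cleanup."""
    users = {u["id"]: u for u in users_response.get("Resources", [])}
    findings = []
    for group in groups_response.get("Resources", []):
        for member in group.get("members") or []:
            if member.get("type") == "Group":
                continue  # nested group, not a user membership
            uid = member.get("value")
            user = users.get(uid)
            if user is None:
                # Member id with no matching user record (deleted or never synced).
                findings.append((group["displayName"], uid, "unknown user id"))
            elif user.get("active") is not True:
                # Assumption: a missing "active" attribute is treated as inactive.
                findings.append((group["displayName"], user["userName"], "deactivated user"))
    return sorted(findings)

def audit_sample():
    """Run the audit over the constructed sample data above."""
    return stale_memberships(json.loads(USERS_JSON), json.loads(GROUPS_JSON))

if __name__ == "__main__":
    for group, member, reason in audit_sample():
        print(f"{group}: {member} ({reason})")
```

Each finding is a membership an admin would remove by hand in the service provider's directory.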

Next steps

Follow the configuration steps to enable SCIM with any of the supported service providers.