What is SCIM, and what is it for?
by Alexandre Dedourges, DevSec
SSO enables employees to save a significant amount of time by simplifying the authentication process. If you wish to know more about SSO, you can read our article on the topic here. However, in order to guarantee optimal security and identity integrity, SSO needs to be paired with SCIM.
SCIM (System for Cross-domain Identity Management) is a standard for automating the exchange of user identity information between IT systems. It is particularly useful if you are using, or considering using, SSO.
Small reminder about SSO
Single Sign-On is a method that allows a user to log in with a single identity to any of several software systems. It connects a user to all the applications they need for their work. SSO is particularly handy when a company uses several SaaS products as part of its activity. Thanks to SSO, identity management is simplified. However, changes to these identities still have to be propagated in order to guarantee the integrity and security of the system. That is what the SCIM protocol enables, by simplifying the update of identity data.
SCIM for up-to-date identities
As your company grows and expands, the number of employees increases accordingly. The number of identities to be handled therefore keeps growing, and the work of IT teams gets more and more complex. When a new employee arrives or when someone changes their name, identities need to be created or updated. Making these changes by hand would be a long and tedious job for your IT teams, especially during a period of rapid growth for your company.

That is where SCIM comes in. SCIM is a protocol created in 2011 to anticipate the influx of SSOs. It lets you stop worrying about updating identities: once it is set up with your SSO, each identity change on the identity provider's side is taken into account and propagated to all the services that use this SSO. The security of your system is thus preserved. For instance, an employee who left your company will no longer be able to access the services they used to log in to. Similarly, someone who changed their name after getting married will have their profile updated on all their services. To sum up, SCIM enables you to keep identity data up to date and so avoid these problems.

The stakes are real. According to a study conducted by Beyond Identity, 83% of employees have kept access to a former company's systems after leaving it. What's more, 56% of them have tried to harm their former employers by using their previous login information. Lastly, 74% of employers claim to have been negatively impacted by an employee who kept their access. That is why keeping identity information up to date is crucial for companies. This is known as identity lifecycle management.
SCIM: advantages of a protocol that became a standard for data exchange
As the use of SSOs has increased, the SCIM protocol has gradually become a standard. It is used by a great number of companies that have set up SSOs, which is one of the reasons it is so solid. With SCIM, user data is communicated everywhere in the same way, which makes it much easier to work with: data is transferred in the same manner between the various services and applications. Thanks to this standardization, the provisioning and deprovisioning process can be automated, and roles, groups and permissions can be managed in a single location. With data being transmitted automatically, teams no longer need to change every piece of information on every single platform.
Resources, schemas and extension models
SCIM is primarily based on a common user schema, a group schema and an extension model. These are exchanged over HTTP, which we'll expand on in the next section. SCIM is also built on an object model in which the resource is the common denominator: all SCIM objects derive from it. To be considered a resource, an object must have the id, externalId and meta attributes. These 3 attributes form the basis of a resource. Other elements then extend this resource, such as a User, an EnterpriseUser or a Group.
A standard that uses a REST API
The SCIM operating model is based on JSON (JavaScript Object Notation) and REST (REpresentational State Transfer). The REST API allows users to be updated through CRUD operations (Create, Read, Update, Delete) on all the systems and applications concerned. In order to create, update or delete a user, API requests are used.
Let's say a new employee joins Cryptr. A "User" object will have to be created. This object is made of different attributes, such as "Name", "First name", "Age"... The information then has to be propagated to all the SaaS tools and applications so that the new employee can access every tool necessary for their work.
The JSON structure we could have to transmit looks like this:
In order to handle these structures, a list of basic Endpoints is available directly through the SCIM protocol:
We now have to send requests in order to transmit this data to all our applications. Several HTTP methods exist for this:
We'll use the POST method, since, as shown by the table above, POST is the method that creates a resource, as opposed to the other methods.
User creation via HTTP POST request appears under the following format:
Which, with the aforementioned example, would yield:
Here, we work with version 2 of the API and we want to create a new user, so we work on the "Users" resource. Once our POST request is completed, the user is created from the parameters provided in JSON. If the request goes through, a JSON response is returned and can take the following form:
We can see that an ID has been created, which will allow us to identify our user more easily in the future.
For the other methods, the request is virtually the same, with one exception: the ID is added to the URL (and, of course, the correct method has to be used):
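The create / read / delete lifecycle described above, written out as an added example (not code from the article or from Cryptr). It stands in for a service provider's SCIM 2.0 /Users endpoint in memory, with constructed user values and a made-up base URL, and shows the deprovisioning case the article insists on: after the DELETE, the account no longer resolves.

```python
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimUsers:
    """In-memory stand-in for a service provider's /Users endpoint (SCIM 2.0)."""

    def __init__(self, base_url="https://app.example.com/scim/v2"):  # constructed URL
        self.base_url = base_url
        self.store = {}  # id -> User resource

    def post(self, body):
        # Server-side validation: the core User schema requires userName.
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return 400, {"schemas": [ERROR_SCHEMA], "status": "400",
                         "scimType": "invalidValue"}
        uid = str(uuid.uuid4())  # the server, not the client, assigns the id
        now = datetime.now(timezone.utc).isoformat()
        resource = dict(body, id=uid, meta={
            "resourceType": "User", "created": now, "lastModified": now,
            "location": f"{self.base_url}/Users/{uid}"})
        self.store[uid] = resource
        return 201, resource

    def get(self, uid):
        if uid not in self.store:
            return 404, {"schemas": [ERROR_SCHEMA], "status": "404"}
        return 200, self.store[uid]

    def delete(self, uid):
        if uid not in self.store:
            return 404, {"schemas": [ERROR_SCHEMA], "status": "404"}
        del self.store[uid]
        return 204, None  # No Content


def offboard_flow():
    """Joiner/leaver lifecycle: provision a user, deprovision them, confirm they are gone."""
    sp = ScimUsers()
    status, created = sp.post({
        "schemas": [USER_SCHEMA],
        "externalId": "hr-0042",            # constructed: the identity provider's own key
        "userName": "jane.doe@example.com",  # constructed sample user
        "name": {"givenName": "Jane", "familyName": "Doe"},
        "active": True})
    uid = created["id"]                      # id comes back in the 201 response
    status_del, _ = sp.delete(uid)           # DELETE /Users/{id}
    status_after, _ = sp.get(uid)            # GET /Users/{id} must now fail
    return status, status_del, status_after  # -> (201, 204, 404)
```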
SCIM: a tool combining security, productivity and user experience
In a nutshell, the SCIM protocol allows for better identity management. By combining security, productivity and user experience, it has become a "must-have" for any company using an SSO. Besides, a service provider's ability to be "SSO-friendly" is becoming more and more important, even a necessity. One of the objectives for SaaS vendors is therefore to become "SSO ready", i.e. able to connect to the various types of SSO and identity providers they may encounter through their clients or prospects. Meeting this requirement is both a matter of security and of business when it comes to growing your market and contracting with clients who have such expectations. With just a few lines of code, Cryptr can make your authentication compatible with all types of SSO (SAML, ADFS, OIDC) and identity providers (Okta, Ping Identity, Auth0, OneLogin, Google, ...) that you might encounter. Of course, the SCIM protocol we've just addressed in this article is also covered, allowing you to adopt SSOs with ease.
So, are you prepared to learn more about SCIM and SSOs? Find out more on Cryptr!
To chat with our teams, you can book the slot of your choice here: Meet Cryptr