
SCIM

What is SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard for automatically managing user accounts in cloud applications and services. With the help of a SCIM interface, systems can exchange, synchronise and manage account information such as a person’s name, email address, phone numbers and other user details.

Origins of SCIM

The need for this SCIM standard arose with the increasingly complex account management in cloud environments. Organisations often have hundreds or even thousands of users who use an increasing number of different applications and data shares. This makes management more complicated. You need an advanced Identity and Access Management system (IAM) that keeps track of which account and access rights each user needs to do their job.

For example, if Amy starts as a sales manager in the sales department, you want the IAM system to automatically ensure that, in addition to a basic Microsoft 365 account, she also gets an account for the CRM, the quotation applications and the planning software during onboarding. You also want to give her access to her specific customers’ data. If she gets other customers or another role in the company over time, you want her account settings and access rights to be automatically adjusted. An IAM platform takes care of that.

This means that such an IAM platform must have connections with all the so-called target systems to create accounts, set access rights and adjust this information as needed. The SCIM standard exists to avoid developing a separate connection for each target system. With the SCIM standard, you have a provisioning API for your account data. This allows you to easily connect target systems to an IAM platform and automatically exchange all relevant identity information.

The first versions of the SCIM standard were developed around 2010-2011, resulting in SCIM version 1.0. From that version, SCIM was further developed to SCIM 2.0 in 2015, which is the version used today.

Advantages of SCIM

Thanks to the SCIM standard, you have numerous benefits when implementing your identity management:

  • Automation: You can easily connect IT systems to a central IAM platform via a SCIM interface, and automate the provisioning and synchronisation of accounts from there. This reduces the need for manual actions and limits the chance of errors.
  • Consistent management: Thanks to automated management, you ensure that user data is provided and managed consistently.
  • Information security: By providing user accounts and access rights from one platform, management becomes more transparent. This prevents unnecessary accounts and rights from being issued and improves information security.
  • Efficiency: In addition, you prevent too many licences from being issued. Automation not only saves on manual work but also on licensing costs.
  • Scalability: Thanks to automation, you can effortlessly manage more and more user accounts and connect more and more target systems, all from one platform. Your identity management is no longer a bottleneck for scaling your organisation.

Note that the benefits mentioned come mainly from centralising your account and rights management on an advanced IAM platform; the specific advantage of a SCIM API is that you do not need to develop and maintain a separate connection for each target system. At the same time, the standard SCIM interface also has some disadvantages, which we discuss further down this page.

How does SCIM work from a technical perspective?

The SCIM protocol supports identity management in SaaS and other cloud applications. SCIM defines RESTful APIs for creating, updating and deleting user accounts and groups, which makes integrating IAM systems with target systems easier. Predefined schemas and resource types (such as User and Group) describe identity data such as a person’s name, email address, phone number and other user details. The data is exchanged in JSON format, which makes SCIM a lightweight and easy-to-process protocol.
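The following is an added example (not HelloID or Tools4ever code) that shows what these RESTful exchanges look like in practice, using the message shapes from RFC 7643 and RFC 7644: a User resource as sent with POST /Users, a PatchOp message as sent with PATCH /Users/{id}, and a ListResponse as returned by a filtered GET /Users. It walks through the joiner, mover and leaver steps of the Amy example above entirely in memory; no HTTP is sent. The person, the example.com domain, the department names and the assigned id are constructed values, and the path handling in apply_patch covers only simple attribute paths, not the filter expressions the protocol also allows.

```python
"""SCIM 2.0 message shapes for a joiner / mover / leaver flow.

Added example, not HelloID or Tools4ever code. Models in memory what an IAM
platform exchanges with a target system over SCIM (RFC 7643 / RFC 7644).
No HTTP is sent; 'Amy', example.com and the department names are constructed.
"""
import copy

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_user(user_name, given, family, email, department, title):
    """Request body the IAM platform sends as POST /Users when a person joins."""
    return {
        "schemas": [CORE_USER, ENTERPRISE_USER],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "type": "work", "primary": True}],
        "title": title,
        "active": True,
        # The enterprise extension carries a single department per user.
        ENTERPRISE_USER: {"department": department},
    }


def validate_user(resource):
    """Checks a target system makes before accepting a User; [] means acceptable."""
    problems = []
    schemas = resource.get("schemas", [])
    if CORE_USER not in schemas:
        problems.append("missing core User schema URN")
    if not resource.get("userName"):
        problems.append("userName is required")
    for ext in schemas:
        if ext != CORE_USER and ext not in resource:
            problems.append(f"declared extension {ext} has no attributes")
    return problems


def create_user(store, body):
    """Service-provider side of POST /Users: validates, assigns an id, stores."""
    problems = validate_user(body)
    if problems:
        raise ValueError("; ".join(problems))
    if any(u["userName"] == body["userName"] for u in store.values()):
        raise ValueError("userName already exists")  # a SCIM server answers 409
    resource = copy.deepcopy(body)
    resource["id"] = str(len(store) + 1)  # constructed id; real servers use opaque ids
    resource["meta"] = {"resourceType": "User"}
    store[resource["id"]] = resource
    return resource


def patch_op(operations):
    """Body of a PATCH /Users/{id} request."""
    return {"schemas": [PATCH_OP], "Operations": operations}


def _locate(resource, path):
    """Resolves a simple path (no filters) to (container, key).
    Extension attributes are addressed as '<extension URN>:<attribute>'."""
    for schema in resource.get("schemas", []):
        if schema != CORE_USER and path.startswith(schema + ":"):
            return resource.setdefault(schema, {}), path[len(schema) + 1:]
    node, parts = resource, path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    return node, parts[-1]


def apply_patch(resource, patch):
    """Applies add/replace/remove operations with simple paths; returns a copy."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("not a PatchOp message")
    result = copy.deepcopy(resource)
    for op in patch["Operations"]:
        kind = op["op"].lower()
        container, key = _locate(result, op["path"])
        if kind in ("add", "replace"):
            container[key] = op["value"]
        elif kind == "remove":
            container.pop(key, None)
        else:
            raise ValueError(f"unsupported op {op['op']}")
    return result


def find_by_user_name(store, user_name):
    """Response to GET /Users?filter=userName eq "<value>" (exact match only)."""
    matches = [u for u in store.values() if u["userName"] == user_name]
    return {"schemas": [LIST_RESPONSE], "totalResults": len(matches), "Resources": matches}


def lifecycle_demo():
    """Runs the joiner, mover and leaver steps for one constructed user."""
    store = {}
    joiner = build_user("amy@example.com", "Amy", "Example", "amy@example.com",
                        "Sales", "Sales Manager")
    uid = create_user(store, joiner)["id"]
    # Mover: only the changed attributes travel in the PATCH.
    mover = patch_op([
        {"op": "replace", "path": "title", "value": "Account Director"},
        {"op": "replace", "path": ENTERPRISE_USER + ":department", "value": "Key Accounts"},
    ])
    store[uid] = apply_patch(store[uid], mover)
    # Leaver: deactivate instead of DELETE so the record remains for audit.
    leaver = patch_op([{"op": "replace", "path": "active", "value": False}])
    store[uid] = apply_patch(store[uid], leaver)
    return store[uid]


if __name__ == "__main__":
    import json
    print(json.dumps(lifecycle_demo(), indent=2))
```

Running the file prints the final state of the user after all three steps. The leaver step deliberately sets active to false instead of issuing DELETE /Users/{id}: the target system keeps the record, so a later audit can still see which accounts existed and when they were switched off, while the user can no longer sign in.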


Applying SCIM with HelloID

HelloID is a modern cloud-based IAM solution. With the Provisioning and Service Automation module, customers can ensure that users receive exactly the accounts and access rights they need for their roles and tasks at all times. At the same time, you prevent unnecessary accumulation of access rights and ensure that redundant rights and accounts are cleaned up in time. For this, HelloID must be connected to source systems – often HR systems – and target systems such as Microsoft 365, a CRM system or an Electronic Patient Record.

HelloID offers an extensive connector catalogue that allows hundreds of common applications to be connected easily. If a connector is not yet available, Tools4ever can easily develop it. Every customer also has the option to develop connectors themselves. This can be done based on a wide variety of technologies. HelloID supports the SCIM standard, but many application connections have also been developed using other technologies such as REST/JSON, SOAP/XML, ODBC, SQL, CSV, XML, etc.

Many application providers offer their own API that is not based on the SCIM standard. In that case, we use that API for the HelloID connector. For many applications and providers, however, the SCIM standard is actually too limited. HelloID’s provisioning functionality offers a superset of the existing SCIM capabilities. For example, the SCIM data model allows one department and one role per user. In simple organisations this may suffice, but sometimes you want to register multiple employment relationships for one user, each with its own accounts and access rights. HelloID supports such extended staffing models through business rules, but SCIM provisioning is too limited for this.

Therefore, in such cases, Tools4ever opts for a different type of connection to the source and target systems. Internally, within the platform, we do not use the SCIM definition, but we do support the SCIM connector for applications where it is relevant and desired. You can learn more about our provisioning functionality here.

SCIM 1.0 was the first version, developed in 2011 under the Open Web Foundation’s banner. The IETF took over the management and published SCIM 2.0 in 2015. This is the current version.

The IETF publishes and maintains the SCIM standard. Information about SCIM v2.0 can be found in IETF RFC 7643 (Core Schema) and RFC 7644 (Protocol). RFC 7642 contains a use-case document.

SCIM (System for Cross-domain Identity Management) and SAML (Security Assertion Markup Language) can both be applied in Identity and Access Management. However, their roles differ. SAML focuses on exchanging authentication and authorisation data, for example, during login and Single Sign-On. SCIM is a protocol for exchanging account data during account and access management.