Security, Compliance, and Identity Blog

Provisioning with SCIM – getting started

Pamela Dingle
Oct 03, 2019

Hi standards fans! We are super lucky today to hear from (talk to?) one of the folks who is actively making a difference in Microsoft’s expanded support for the System for Cross-domain Identity Management (SCIM) 2.0 specification, Arvind Harinder. If you want to learn more about how SCIM works and why it is important, look no farther!

-Pam

-------

As the number of applications used in modern organizations continues to grow, IT admins are tasked with access management at scale. Standards such as Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) allow admins to quickly set up single sign-on (SSO), but access also requires users to be provisioned into the app. To many admins, provisioning means manually creating every user account or uploading CSV files each week, but these processes are time consuming, expensive, and error prone. Solutions such as SAML just-in-time (JIT) provisioning have been adopted to automate provisioning, but enterprises also need a way to deprovision users when they leave the organization or no longer require access to certain apps after a role change.
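The deprovisioning requirement is where SCIM earns its keep from a security standpoint: an account that stays active in an app after its owner has left is an orphaned credential. As an added example (not part of the post or of any Microsoft tooling), the following Python pages through an app's SCIM /Users listing using the RFC 7644 ListResponse fields (totalResults, startIndex, itemsPerPage, Resources) and reports accounts still active in the app whose owner is disabled or missing in the source directory. The directory snapshot, the user names and the SCIM pages are constructed test data, and fetch_page stands in for the HTTP GET a real client would issue.

```python
"""Audit the deprovisioning gap: page through an app's SCIM /Users listing and
report accounts still active in the app whose owner is disabled or gone in the
source directory. Added example; directory and SCIM pages are constructed data."""

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed source-of-truth snapshot (an HR feed or the identity provider):
# userName -> enabled flag. bob has left; carol is disabled but never got the app.
SOURCE_DIRECTORY = {
    "alice@contoso.example": True,
    "bob@contoso.example": False,
    "carol@contoso.example": False,
}

# Constructed ListResponse pages as the app would return them for
# GET /Users?filter=active eq true&startIndex=N&count=2 (RFC 7644 section 3.4.2).
SCIM_PAGES = [
    {"schemas": [LIST_RESPONSE], "totalResults": 3, "startIndex": 1, "itemsPerPage": 2,
     "Resources": [
         {"id": "u1", "userName": "alice@contoso.example", "active": True},
         {"id": "u2", "userName": "bob@contoso.example", "active": True},
     ]},
    {"schemas": [LIST_RESPONSE], "totalResults": 3, "startIndex": 3, "itemsPerPage": 1,
     "Resources": [
         {"id": "u3", "userName": "dave@contoso.example", "active": True},
     ]},
]


def fetch_page(start_index, count):
    """Stand-in for the HTTP GET; serves the constructed pages by startIndex.
    `count` is accepted to mirror the real query parameter but not needed here."""
    for page in SCIM_PAGES:
        if page["startIndex"] == start_index:
            return page
    return {"schemas": [LIST_RESPONSE], "totalResults": 3, "startIndex": start_index,
            "itemsPerPage": 0, "Resources": []}


def list_all_users(fetch, count=2, max_pages=1000):
    """Walk a SCIM ListResponse using startIndex/itemsPerPage/totalResults.
    Also stops on an empty page and after max_pages, so a provider that
    mis-reports totalResults cannot loop the client forever."""
    users, start = [], 1
    for _ in range(max_pages):
        page = fetch(start, count)
        if LIST_RESPONSE not in page.get("schemas", []):
            raise ValueError("not a SCIM ListResponse")
        resources = page.get("Resources", [])
        users.extend(resources)
        if not resources or start + len(resources) > page["totalResults"]:
            break
        start += len(resources)  # startIndex is 1-based
    return users


def find_orphans(app_users, directory):
    """Accounts active in the app whose owner is disabled or absent in the source."""
    orphans = []
    for user in app_users:
        if not user.get("active", True):
            continue
        name = user["userName"].lower()
        if not directory.get(name, False):
            reason = "disabled in source" if name in directory else "not in source"
            orphans.append((user["id"], user["userName"], reason))
    return sorted(orphans)


if __name__ == "__main__":
    for uid, name, reason in find_orphans(list_all_users(fetch_page), SOURCE_DIRECTORY):
        print(f"{uid}\t{name}\t{reason}")
```

In a real deployment fetch_page would call the app's /Users endpoint with the provisioning service's bearer token, and the orphan list would feed an alert or a follow-up PATCH setting active to false; the comparison logic stays the same.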

To help automate provisioning and deprovisioning, apps expose proprietary user and group APIs. However, anyone who’s tried to manage users in more than one app will tell you that every app tries to perform the same simple actions, such as creating or updating users, adding users to groups, or deprovisioning users. Yet, all these simple actions are implemented just a little bit differently, using different endpoint paths, different methods to specify user information, and a different schema to represent each element of information.

What is SCIM?

To address these challenges, the SCIM specification provides a common user schema to help users move into, out of, and around apps. SCIM is becoming the de facto standard for provisioning and, when used in conjunction with federation standards like SAML or OpenID Connect, provides administrators an end-to-end standards-based solution for access management.

SCIM is a standardized definition of two endpoints – a /Users endpoint and a /Groups endpoint. Using common REST verbs to create, update, and delete objects, and a pre-defined schema for common attributes like group name, username, first name, last name and email, apps that offer a SCIM 2.0 REST API can reduce or eliminate the pain of working with a proprietary user management API. For example, any compliant SCIM client knows how to make an HTTP POST of a JSON object to the /Users endpoint to create a new user entry. This means that, instead of every app creating a slightly different API that does the same basic thing but requires proprietary code to call, apps can conform to the SCIM standard and instantly take advantage of pre-existing clients, tools and code.

How does SCIM make provisioning easier?

The standard user object schema and REST APIs for management defined in SCIM 2.0 (RFC 7642, 7643, 7644) allow identity providers and apps to integrate with each other more easily. Application developers who build a SCIM endpoint can integrate with any SCIM-compliant client without doing custom work. In the example below, you can see a sample SCIM request and response between the Azure Active Directory (AD) SCIM client and a service provider. The same request could be made across applications such as Zscaler, Slack, Smartsheet, and Workplace by Facebook; the only thing that changes is the URI of the service provider.
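As an added illustration of the request and response shapes discussed here (example code, not the post's or Microsoft's own), the following Python implements a minimal in-memory SCIM 2.0 /Users service provider and plays a client exchange against it: a create (HTTP 201 with id and meta), a second create with the same userName (409 with scimType "uniqueness", as RFC 7644 specifies), a PATCH that deprovisions by replacing active with false, and a DELETE (204). It also covers the CRUD-on-a-user-resource profile that the getting-started section below recommends implementing first. The base URL, the user names and the externalId are constructed placeholders.

```python
"""Minimal in-memory SCIM 2.0 /Users service provider plus a client exchange
against it. Added example, not the post's or Microsoft's own code; request and
response shapes follow RFC 7643/7644, all user data and URLs are constructed."""
import copy
import uuid
from datetime import datetime, timezone

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail, scim_type=None):
    """Error response body per RFC 7644 section 3.12; scimType is optional."""
    body = {"schemas": [ERROR], "status": str(status), "detail": detail,
            **({"scimType": scim_type} if scim_type else {})}
    return status, body


def now_utc():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class UsersEndpoint:
    """Handles POST/GET/PATCH/DELETE on /Users; each method returns (status, body)."""

    def __init__(self, base_url="https://app.example/scim/v2"):  # constructed URL
        self.base_url = base_url
        self.users = {}  # id -> resource

    def create(self, body):
        # Validate schema and required attributes before touching the store.
        if CORE_USER not in body.get("schemas", []):
            return scim_error(400, "core User schema missing", "invalidValue")
        if not body.get("userName"):
            return scim_error(400, "userName is required", "invalidValue")
        # userName is unique (RFC 7643); a clash is 409 with scimType "uniqueness".
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return scim_error(409, "userName already exists", "uniqueness")
        uid = str(uuid.uuid4())
        resource = copy.deepcopy(body)
        resource["id"] = uid
        resource.setdefault("active", True)
        resource["meta"] = {"resourceType": "User", "created": now_utc(),
                            "lastModified": now_utc(),
                            "location": f"{self.base_url}/Users/{uid}"}
        self.users[uid] = resource
        return 201, copy.deepcopy(resource)

    def get(self, uid):
        if uid not in self.users:
            return scim_error(404, f"Resource {uid} not found")
        return 200, copy.deepcopy(self.users[uid])

    def patch(self, uid, body):
        """Supports 'replace' on a top-level attribute, which is how a client
        deprovisions a user by setting active to false."""
        if uid not in self.users:
            return scim_error(404, f"Resource {uid} not found")
        if PATCH_OP not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema missing", "invalidSyntax")
        resource = self.users[uid]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace" or "path" not in op:
                return scim_error(400, "only replace with a path is supported", "invalidPath")
            resource[op["path"]] = op["value"]
        resource["meta"]["lastModified"] = now_utc()
        return 200, copy.deepcopy(resource)

    def delete(self, uid):
        if uid not in self.users:
            return scim_error(404, f"Resource {uid} not found")
        del self.users[uid]
        return 204, None


def provisioning_exchange():
    """Client side of the exchange: create, retry the create, deprovision, delete.
    Returns the status codes and key fields so the outcome can be checked."""
    endpoint = UsersEndpoint()
    create_request = {  # constructed sample body for POST /Users
        "schemas": [CORE_USER],
        "externalId": "ext-0001",
        "userName": "alice@contoso.example",
        "name": {"givenName": "Alice", "familyName": "Example"},
        "emails": [{"value": "alice@contoso.example", "type": "work", "primary": True}],
        "active": True,
    }
    status_created, created = endpoint.create(create_request)
    status_dup, dup = endpoint.create(create_request)  # same userName again -> 409
    deprovision = {"schemas": [PATCH_OP],
                   "Operations": [{"op": "replace", "path": "active", "value": False}]}
    status_patched, patched = endpoint.patch(created["id"], deprovision)
    status_deleted, _ = endpoint.delete(created["id"])
    status_gone, _ = endpoint.get(created["id"])
    return {"create": status_created, "duplicate": status_dup,
            "duplicate_type": dup["scimType"], "patch": status_patched,
            "active_after_patch": patched["active"], "delete": status_deleted,
            "get_after_delete": status_gone, "location": created["meta"]["location"]}


if __name__ == "__main__":
    print(provisioning_exchange())
```

The checks at the top of create (schema present, userName present, userName unique) are the ones a SCIM client such as the Azure AD provisioning service relies on to tell a duplicate from a transient failure; returning the right status and scimType is what lets the client retry or skip correctly instead of creating duplicates.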

How does Microsoft support SCIM?

Microsoft is all-in on SCIM. If an app supports SCIM 2.0, it can integrate with AD in two ways:

  1. For multitenant apps such as Zscaler, SAP, and Oracle, Microsoft works with the app developer to test and integrate their app into our platform. This allows any organization to quickly provision users into these apps.
  2. For line-of-business apps used within an organization, Microsoft provides a generic SCIM client that can push users and groups from Azure AD into the target app. You can learn more here about integrating a custom app as well as the specific profile of the SCIM specification that Azure AD has implemented.

Provisioning to all your apps using Azure AD + SCIM

How to get started with SCIM?

Developing a SCIM-compliant app

While the SCIM standard is quite expansive, getting started is easy. Implementing core profiles of the SCIM specification such as supporting CRUD operations on a user resource will cover most of the use cases that you may have. You can always add support for additional SCIM profiles as the requirements come up.

  • Read the SCIM Overview specification (RFC 7642) first. This will give you the terminology and introduce the use cases that the specification is intended to address.
  • Learn more about how to integrate with the Azure AD SCIM client. We’ve created detailed guidance on the format of the request and response that you can expect when integrating with the Azure AD SCIM client.
  • Request that your SCIM compliant app be integrated with the Azure AD gallery through the application network portal.
  • Engage with the SCIM community on StackOverflow.
  • Learn more about the SCIM specification. We identified the core aspects of the SCIM spec and published a draft profile in June 2019.

Deploying a SCIM-compliant app

  • Learn more about our provisioning service.
  • Review the step-by-step integration tutorials provided for pre-integrated apps in our app gallery.

The resources above should help you familiarize yourself with the SCIM standard. Look out for our next blog, where we’ll dive deeper into how to develop a SCIM endpoint and make getting started a breeze.

We always love to hear your feedback and suggestions. Let us know what you think in the comments below. You can also post on StackOverflow with questions about developing your SCIM endpoint, and on the Azure AD UserVoice feedback forum for new features and capabilities.

For more on provisioning with SCIM, check out our next blog in the series for top resources to help you expedite your SCIM development.

Updated Jul 28, 2020
Version 23.0
  • Kamlesh Kumar

    hey Pamela Dingle, I'll wait for your next blog, where I need to understand how to develop a SCIM endpoint. Please keep us posted.

    Thanks for sharing this blog and this is very informative.

  • ghislaincote

    Thanks for the article Pamela Dingle! I am new to this topic. My first reaction was to compare SCIM with dynamic user provisioning based on authentication and roles (i.e. a user created in a SaaS provider after a successful OAuth2/OIDC login). I guess SCIM applies more when we NEED to create/maintain/destroy the whole or a sub-group of our users in ANOTHER system? Is that common nowadays? Or are most organisations able to wait for the person to log in once to the systems they need?

    (Just asking for a friend)

  • ghislaincote, this can be used in conjunction with the authentication-based provisioning that you're talking about. More and more apps support OAuth2/OIDC and also SCIM. The main customer benefit in that scenario is deprovisioning (ensuring that the account is removed when someone doesn't need access anymore). This often comes from security and governance requirements in an organization.