Hi standards fans! We are super lucky today to hear from (talk to?) one of the folks who is actively making a difference in Microsoft’s expanded support for the System for Cross-domain Identity Management (SCIM) 2.0 specification, Arvind Harinder. If you want to learn more about how SCIM works and why it is important, look no farther!
-Pam
-------
As the number of applications used in modern organizations continues to grow, IT admins are tasked with access management at scale. Standards such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) allow admins to quickly set up single sign-on (SSO), but access also requires users to be provisioned into the app. To many admins, provisioning means manually creating every user account or uploading CSV files each week, but these processes are time consuming, expensive, and error prone. Solutions such as SAML just-in-time (JIT) provisioning have been adopted to automate provisioning, but enterprises also need a way to deprovision users when they leave the organization or no longer require access to certain apps after a role change.
To help automate provisioning and deprovisioning, apps expose proprietary user and group APIs. However, anyone who’s tried to manage users in more than one app will tell you that every app tries to perform the same simple actions, such as creating or updating users, adding users to groups, or deprovisioning users. Yet, all these simple actions are implemented just a little bit differently, using different endpoint paths, different methods to specify user information, and a different schema to represent each element of information.
What is SCIM?
To address these challenges, the SCIM specification provides a common user schema to help users move into, out of, and around apps. SCIM is becoming the de facto standard for provisioning and, when used in conjunction with federation standards like SAML or OpenID Connect, provides administrators an end-to-end standards-based solution for access management.
SCIM is a standardized definition of two endpoints – a /Users endpoint and a /Groups endpoint. Using common REST verbs to create, update, and delete objects, and a pre-defined schema for common attributes like group name, username, first name, last name and email, apps that offer a SCIM 2.0 REST API can reduce or eliminate the pain of working with a proprietary user management API. For example, any compliant SCIM client knows how to make an HTTP POST of a JSON object to the /Users endpoint to create a new user entry. This means that, instead of every app creating a slightly different API that does the same basic thing but requires proprietary code to call, apps can conform to the SCIM standard and instantly take advantage of pre-existing clients, tools and code.
How does SCIM make provisioning easier?
The standard user object schema and REST APIs for management defined in SCIM 2.0 (RFCs 7642, 7643, and 7644) allow identity providers and apps to integrate with each other more easily. Application developers who build a SCIM endpoint can integrate with any SCIM-compliant client without custom work. In the example below, you can see a sample SCIM request and response between the Azure Active Directory (Azure AD) SCIM client and a service provider. The same request could be made to applications such as Zscaler, Slack, Smartsheet, and Workplace by Facebook; the only thing that changes is the URI of the service provider.
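The sample request and response referred to above are not reproduced here, so the following is an added example (not Azure AD's or any vendor's code) of the POST /Users exchange in Python: a client-side body built from the core User schema of RFC 7643, and a minimal service-provider handler that validates it and returns the RFC 7644 success or error response. The base URL and user values are constructed for the example.

```python
# Added illustration of the SCIM 2.0 POST /Users exchange (RFC 7643/7644).
# Constructed example, not Azure AD's or any vendor's code; values are made up.
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
CONTENT_TYPE = "application/scim+json"

def build_create_request(user_name, given, family, email, external_id):
    """Body a SCIM client POSTs to /Users. userName is the only required
    core attribute; externalId carries the client's own object identifier."""
    return {
        "schemas": [USER_SCHEMA],
        "externalId": external_id,
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "type": "work", "primary": True}],
        "active": True,
    }

class UsersEndpoint:
    """Service-provider side of POST /Users with an in-memory store."""
    def __init__(self, base_url):
        self.base_url = base_url
        self.users = {}  # id -> stored resource
    def _error(self, status, scim_type, detail):
        # RFC 7644 error response: status is a string, scimType names the cause.
        body = {"schemas": [ERROR_SCHEMA], "status": str(status),
                "scimType": scim_type, "detail": detail}
        return status, {"Content-Type": CONTENT_TYPE}, body
    def create(self, body):
        """Returns (status, headers, body) as the HTTP response would carry them."""
        if USER_SCHEMA not in body.get("schemas", []):
            return self._error(400, "invalidValue", "core User schema missing")
        user_name = body.get("userName")
        if not isinstance(user_name, str) or not user_name:
            return self._error(400, "invalidValue", "userName is required")
        # userName is unique per service provider: a repeat create is a 409.
        if any(u["userName"].lower() == user_name.lower() for u in self.users.values()):
            return self._error(409, "uniqueness", "userName already exists")
        now = datetime.now(timezone.utc).isoformat(timespec="seconds")
        uid = str(uuid.uuid4())  # server-assigned id, never the client's externalId
        location = f"{self.base_url}/Users/{uid}"
        resource = dict(body, id=uid, meta={"resourceType": "User", "created": now,
                                             "lastModified": now, "location": location})
        self.users[uid] = resource
        return 201, {"Content-Type": CONTENT_TYPE, "Location": location}, resource
```

A real client such as Azure AD's will normally query for an existing userName before creating, so the 409 path is the safety net rather than the common case.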
How does Microsoft support SCIM?
Microsoft is all-in on SCIM. If an app supports SCIM 2.0, it can integrate with Azure AD in two ways:
- For multitenant apps such as Zscaler, SAP, and Oracle, Microsoft works with the app developer to test and integrate their app into our platform. This allows any organization to quickly provision users into these apps.
- For line of business apps used within an organization, Microsoft provides a generic SCIM client that can push users and groups from Azure AD into the target app. You can learn more here about integrating a custom app as well as the specific profile of the SCIM specification that Azure AD has implemented.
How to get started with SCIM?
Developing a SCIM-compliant app
While the SCIM standard is quite expansive, getting started is easy. Implementing the core parts of the specification, such as CRUD operations on the User resource, will cover most of the use cases you are likely to have. You can always add support for additional SCIM profiles as the requirements come up.
- Read the SCIM Overview specification (RFC 7642) first. This will give you the terminology and introduce the use cases that the specification is intended to address.
- Learn more about how to integrate with the Azure AD SCIM client. We’ve created detailed guidance on the format of the request and response that you can expect when integrating with the Azure AD SCIM client.
- Request that your SCIM-compliant app be integrated with the Azure AD gallery through the application network portal.
- Engage with the SCIM community on StackOverflow.
- Learn more about the SCIM specification. We identified the core aspects of the SCIM spec and published a draft profile in June 2019.
Deploying a SCIM-compliant app
- Learn more about our provisioning service.
- Review the step-by-step integration tutorials provided for pre-integrated apps in our app gallery.
The resources above should help you familiarize yourself with the SCIM standard. Look out for our next blog, where we'll dive deeper into how to develop a SCIM endpoint and make getting started a breeze.
We always love to hear your feedback and suggestions. Let us know what you think in the comments below. You can also post on StackOverflow with questions about developing your SCIM endpoint, and on the Azure AD UserVoice feedback forum with requests for new features and capabilities.
For more on provisioning with SCIM, check out our next blog in the series for top resources to help you expedite your SCIM development.