Hi standards fans! We are super lucky today to hear from (talk to?) one of the folks who is actively making a difference in Microsoft's expanded support for the System for Cross-domain Identity Management (SCIM) 2.0 specification, Arvind Harinder. If you want to learn more about how SCIM works and why it is important, look no further!
As the number of applications used in modern organizations continues to grow, IT admins are tasked with access management at scale. Standards such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) let admins quickly set up single sign-on (SSO), but access also requires users to be provisioned into the app. To many admins, provisioning means manually creating every user account or uploading CSV files each week, and these processes are time consuming, expensive, and error prone. SAML just-in-time (JIT) provisioning has been adopted to automate account creation at first sign-in, but it only ever creates accounts: enterprises also need a way to deprovision users when they leave the organization or no longer require access to certain apps after a role change, otherwise orphaned accounts accumulate in every app.
To help automate provisioning and deprovisioning, apps expose proprietary user and group APIs. However, anyone who has tried to manage users in more than one app will tell you that every app performs the same simple actions, such as creating or updating users, adding users to groups, or deprovisioning users. Yet each app implements these simple actions just a little bit differently, with different endpoint paths, different ways of specifying user information, and a different schema for each element of that information.
To address these challenges, the SCIM specification provides a common user schema to help users move into, out of, and around apps. SCIM is becoming the de facto standard for provisioning and, when used in conjunction with federation standards like SAML or OpenID Connect, provides administrators an end-to-end standards-based solution for access management.
At its core, SCIM standardizes two resource endpoints, /Users and /Groups (the specification also defines discovery endpoints such as /ServiceProviderConfig, /ResourceTypes and /Schemas). Using the common REST verbs (POST, GET, PUT, PATCH, DELETE) to create, read, update, and delete objects, and a pre-defined schema for common attributes such as displayName for a group and userName, name.givenName, name.familyName and emails for a user, apps that offer a SCIM 2.0 REST API can reduce or eliminate the pain of working with a proprietary user management API. For example, any compliant SCIM client knows how to make an HTTP POST of a JSON object to the /Users endpoint to create a new user entry, and to expect a 201 Created response carrying the server-assigned id. This means that, instead of every app creating a slightly different API that does the same basic thing but requires proprietary code to call, apps can conform to the SCIM standard and instantly take advantage of pre-existing clients, tools and code.
The standard user object schema and REST API defined in SCIM 2.0 (RFC 7642, 7643, 7644) allow identity providers and apps to integrate with each other more easily. Application developers who build a SCIM endpoint can integrate with any SCIM-compliant client without custom work. In the example below, you can see a sample SCIM request and response between the Azure Active Directory (Azure AD) SCIM client and a service provider. The same request could be made to applications such as Zscaler, Slack, Smartsheet, and Workplace by Facebook; the only thing that changes is the base URI of the service provider.
Microsoft is all-in on SCIM. If an app supports SCIM 2.0, it can integrate with Azure AD in two ways:
Developing a SCIM-compliant app
While the SCIM standard is quite expansive, getting started is easy. Implementing the core of the specification, CRUD operations on the User resource with the core User schema, covers most of the use cases you are likely to have. You can always add support for further parts of the specification, such as groups, additional filters, or bulk operations, as the requirements come up.
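Here is what that core looks like in practice, as an added example that is not code from the original post, from Microsoft, or from any of the apps named above: a small in-memory SCIM 2.0 service provider in Python that handles the /Users resource, driven by the request sequence a provisioning client such as the Azure AD SCIM client issues over one user's lifecycle. It also stands in for the sample request and response referred to earlier. Requests are dispatched as Python values rather than over HTTP so the module runs offline; the bearer token, the store, and the sample user are all constructed for the example. It goes slightly beyond bare CRUD, because a provisioning client needs a little more than that: a filter lookup (userName eq "...") before creating, a 409 uniqueness error when a create is replayed, a PATCH of active to false for soft deprovisioning, and a bearer-token check on every call.

```python
"""In-memory SCIM 2.0 /Users service provider (an added example; requests are Python values, not HTTP)."""
import hmac
import re
import uuid

API_TOKEN = "s3cret-provisioning-token"  # hypothetical shared bearer secret (an assumption)
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
FILTER_RE = re.compile(r'^userName\s+eq\s+"([^"]*)"$', re.IGNORECASE)  # the only filter form handled here


def scim_error(status, detail, scim_type=None):
    """RFC 7644 section 3.12 error body; note that status travels as a string in SCIM."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    return status, (dict(body, scimType=scim_type) if scim_type else body)


class UserStore:
    def __init__(self):
        self._users = {}  # server-assigned id -> User resource

    def _by_user_name(self, name):  # userName is caseExact=false in the core schema
        return next((u for u in self._users.values() if u["userName"].lower() == name.lower()), None)

    def handle(self, method, path, headers, query=None, body=None):
        """Dispatch one request and return (http_status, json_body_or_None)."""
        auth = headers.get("Authorization", "")
        # Every call must present the bearer token; constant-time compare avoids timing leaks
        if not (auth.startswith("Bearer ") and hmac.compare_digest(auth[7:].encode(), API_TOKEN.encode())):
            return scim_error(401, "Unauthorized")
        m = re.fullmatch(r"/Users(?:/([^/]+))?", path)
        if not m:
            return scim_error(404, "Unknown resource")
        user_id = m.group(1)
        if user_id is None:  # collection URL: list (optionally filtered) or create
            if method == "GET":
                return self._list(query or {})
            return self._create(body) if method == "POST" else scim_error(405, "Method not allowed")
        user = self._users.get(user_id)
        if user is None:
            return scim_error(404, "Resource %s not found" % user_id)
        if method == "GET":
            return 200, user
        if method == "PATCH":
            return self._patch(user, body)
        if method == "DELETE":
            del self._users[user_id]
            return 204, None
        return scim_error(405, "Method not allowed")

    def _list(self, query):
        matches = list(self._users.values())
        if "filter" in query:
            fm = FILTER_RE.match(query["filter"])
            if not fm:
                return scim_error(400, "Unsupported filter", "invalidFilter")
            matches = [u for u in [self._by_user_name(fm.group(1))] if u]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches),
                     "startIndex": 1, "itemsPerPage": len(matches), "Resources": matches}

    def _create(self, body):
        if not body or USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "core User schema and userName are required", "invalidValue")
        if self._by_user_name(body["userName"]):
            return scim_error(409, "userName already exists", "uniqueness")
        user_id = str(uuid.uuid4())
        user = {k: v for k, v in body.items() if k != "id"}  # id is readOnly: the server assigns it
        user.update({"id": user_id, "active": body.get("active", True), "meta": {"resourceType": "User"}})
        self._users[user_id] = user
        return 201, user

    def _patch(self, user, body):
        if not body or PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema required", "invalidSyntax")
        for op in body.get("Operations", []):
            kind, path, val = op.get("op", "").lower(), op.get("path"), op.get("value")
            if path in (None, "id", "meta"):  # readOnly attributes; path-less operations not handled here
                return scim_error(400, "Unsupported or readOnly path", "mutability")
            if kind not in ("replace", "add"):
                return scim_error(400, "Unsupported op " + kind, "invalidSyntax")
            if path == "active" and isinstance(val, str):
                val = val.lower() == "true"  # tolerate the "True"/"False" strings some clients send
            user[path] = val
        return 200, user


def provisioning_cycle(store=None):
    """Replay the requests an IdP client issues over one user's lifecycle; returns the status codes seen."""
    store, codes = store or UserStore(), []
    hdr = {"Authorization": "Bearer " + API_TOKEN}
    new_user = {"schemas": [USER_SCHEMA], "userName": "alice@contoso.example", "active": True,  # constructed
                "name": {"givenName": "Alice", "familyName": "Liddell"}, "emails": [{"value": "alice@contoso.example"}]}
    disable = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}

    def call(*args, **kw):
        status, resp = store.handle(*args, **kw)
        codes.append(status)
        return resp

    call("GET", "/Users", hdr, {"filter": 'userName eq "alice@contoso.example"'})  # 200, totalResults 0
    created = call("POST", "/Users", hdr, body=new_user)          # 201; response carries the assigned id
    call("POST", "/Users", hdr, body=new_user)                    # 409 uniqueness: replayed create rejected
    call("PATCH", "/Users/" + created["id"], hdr, body=disable)   # 200: soft deprovision, active=false
    call("DELETE", "/Users/" + created["id"], hdr)                # 204: hard delete
    call("GET", "/Users/" + created["id"], hdr)                   # 404: gone
    call("GET", "/Users", {})                                     # 401: without the token nothing is served
    return codes  # [200, 201, 409, 200, 204, 404, 401]
```

Two points carry over to a real endpoint. The client keys on the HTTP status and the scimType value, so answering 200 with an error in the body, or 400 where the spec says 409, breaks the client's reconciliation logic. And a SCIM endpoint is a write path into your user store that is reachable from the identity provider over the internet, so the token check on every verb, including GET, is part of the minimum, not a later hardening step.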
Deploying a SCIM-compliant app
The resources above should help you familiarize yourself with the SCIM standard. Look out for our next blog, where we will dive deeper into how to develop a SCIM endpoint and make getting started a breeze.
We always love to hear your feedback and suggestions. Let us know what you think in the comments below. You can also post questions about developing your SCIM endpoint on StackOverflow, and requests for new features and capabilities on the Azure AD UserVoice feedback forum.