System for Cross-domain Identity Management
System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, or IT systems.
One example might be that as a company onboards new employees and separates from existing employees, they are added and removed from the company's electronic employee directory. SCIM could be used to automatically add/delete (or, provision/de-provision) accounts for those users in external systems such as G Suite, Office 365, or Salesforce.com. Then, a new user account would exist in the external systems for each new employee, and the user accounts for former employees might no longer exist in those systems.
In addition to simple user-record management (creating & deleting), SCIM can also be used to share information about user attributes, attribute schema, and group membership. Attributes could range from user contact information to group membership. Group membership or other attribute values are generally used to manage user permissions. Attribute values and group assignments can change, adding to the challenge of maintaining the relevant data across multiple identity domains.[1]
The SCIM standard has grown in popularity and importance, as organizations use more SaaS tools.[2][3] A large organization can have hundreds or thousands of hosted applications (internal and external) and related servers, databases and file shares that require user provisioning. Without a standard connection method, companies must write custom software connectors to join these systems and their IdM system.[4]
SCIM uses a standardised API through REST with data formatted in JSON or XML.[1]
History
The first version, SCIM 1.0, was released in 2011 by a SCIM standard working group organized under the Open Web Foundation.[5] In 2011, it was transferred to the IETF, and the current standard, SCIM 2.0 was released as IETF RFC in 2015.[2][6]
SCIM 2.0 was completed in September 2015 and is published as IETF RFCs 7643[7] and 7644.[8] A use-case document is also available as RFC 7642.[9]
The standard has been implemented in various IdM software.[10]
The standard was initially called Simple Cloud Identity Management (and is still called this in some places), but the name was officially changed to System for Cross-domain Identity Management (SCIM) when the IETF adopted it.[11]
Interoperability was demonstrated in October, 2011, at the Cloud Identity Summit, an IAM industry conference. There, user accounts were provisioned and de-provisioned across separate systems using SCIM standards, by a collection of IdM software vendors: Okta, Ping Identity, SailPoint, Technology Nexus and UnboundID.[3] In March 2012, at IETF 83 in Paris, Interoperability tests continued by the same vendors, joined by Salesforce.com, BCPSoft, WSO2, Gluu, and Courion (now SecureAuth) - nine companies in total.[12]
SCIM is the second standard for exchanging user data, but it builds on prior standards (e.g. SPML, PortableContacts, vCards, and LDAP directory services) in an attempt to be a simpler and more widely adopted solution for cloud services providers.[13][14]
The SCIM standard is growing in popularity and has been adopted by numerous identity providers (e.g. Azure Active Directory) as well as applications (e.g. Dynamic Signal, Zscaler, and Dropbox). As adoption of the standard grows, so do the number of tools available to you. You can leverage a number of open source libraries to jump start your development and testing frameworks to ensure that your endpoint is SCIM compliant.
References
- Internet Engineering Task Force, Network Working Group (May 11, 2015). System for Cross-Domain Identity Management: Core Schema. Draft 19. Retrieved 2015-05-17.
- Wilson, Neil (June 22, 2011). "SCIMming along..." UnboundID blog. (link: neil-wilson). Retrieved May 11, 2015.
- "Identity Management Companies To Demonstrate Simple Cloud Identity Management (SCIM) Specification at Internet Identity Workshop (IIW)" (Press release). SailPoint. October 18, 2011. Archived from the original on 2016-03-04. Retrieved May 11, 2015.
- Grizzle, Kelly (March 10, 2014). "SCIM: Provisioning users, killing connectors". SecureID News. SecureID. Retrieved May 17, 2015.
- "SCIM Overview". SimpleCloud.info. Simple Cloud Identity Management. Retrieved May 17, 2015.
- Internet Engineering Task Force, Network Working Group (August 2, 2012). System for Cross-Domain Identity Management: Core Schema 1.1. Version 1.1. Retrieved 2015-05-11.
- "RFC 7643: System for Cross-domain Identity Management: Core Schema". ietf.org. Internet Engineering Task Force. September 2015.
- "RFC 7644: System for Cross-domain Identity Management: Protocol". ietf.org. Internet Engineering Task Force. September 2015.
- "RFC 7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements". ietf.org. Internet Engineering Task Force. September 2015.
- "Known SCIM implementations". SimpleCloud.info. Simple Cloud Identity Management.
- Hunt, Phil (February 27, 2014). "Standards Corner: SCIM and the Shifting Enterprise Identity Center of Gravity". Oracle Fusion Middleware (blog). Oracle. Retrieved May 17, 2015.
- "Logistics and attendee info for the March 2012 SCIM interop event". SCIM, Simple Cloud Identity Management. April 26, 2012. Retrieved May 11, 2015.
- "SCIM: How It Works" (Article). PingIdentity.com. Retrieved July 28, 2020.
- Internet Engineering Task Force, Network Working Group (May 11, 2015). "Section 1, Introduction". System for Cross-Domain Identity Management: Core Schema. Draft 19. Retrieved 2015-05-11.
External links
- Scim Status Pages - The working group in IETF for defining the standard
- SCIM: System for Cross-domain Identity Management - A site dedicated to the standard, with explanations and details about how to implement the standard
- SCIM Implementations - The initial working group's collaboration site, with a list of SCIM implementations as of February 2012
- Events | Identity Commons Internet Identity Workshop #13 October 18–20 in Mountain View, August 19, 2011
- [4] Understand why SCIM helps simplify provisioning