SCIM-based automated user provisioning for cloud applications

With the world transitioning to the cloud, companies are subscribing to hundreds of SaaS applications for enhanced productivity and scalability. The System for Cross-domain Identity Management (SCIM) is a lightweight REST- and JSON-based standard that was developed to manage identities effectively and securely across multiple platforms. User life cycle management is simpler and more efficient with SCIM-based automated user provisioning across all applications.

Life before SCIM provisioning, and its challenges

In the early stages of user management, IT admins had to manually create user accounts in each application assigned to a user. This was impractical at scale, very error-prone, and time-consuming. Then came bulk provisioning: using a CSV file, admins were able to upload the necessary details and provision accounts in less time; however, this too was error-prone. Admins also carried out user provisioning using custom APIs, but this consumed a lot of resources and was expensive.

Just-in-time (JIT) provisioning based on the Security Assertion Markup Language (SAML) creates a user account the first time a user accesses an application. Say an admin added a user to an email application; that user wouldn't receive emails until they accessed the application so the provisioning could take place. Likewise, changes made in the Identity Provider (IdP) reach the Service Provider (SP) only the next time the user accesses the application.

How SCIM stands out from the rest

  • Widely adopted by cloud service providers because it's easy to implement; its user schema builds on existing standards such as LDAP directory services.
  • Doesn't require additional training or knowledge because it uses the familiar JSON format over HTTP.
  • Decreases the load on IT admins in provisioning and maintaining user accounts, reducing costs and complexity.
  • Supports real-time, automated user provisioning, which reduces the risk of error.
  • Fortifies security by deprovisioning a user from all applications assigned to them once they’re removed from the IdP. This helps avoid unauthorized access, one of the major causes of insider threats and data breaches.

How Identity360 can help your business with SCIM provisioning

Identity360 supports real-time, automated user provisioning and deprovisioning using SCIM. It can automatically provision users in an application once it’s assigned to them. For example, when users from Azure Active Directory are added to Identity360 and Pingboard is assigned to them, their user accounts are automatically created in Pingboard.

Identity360's user management features include:

  • Creating users: A new user account will be automatically created in a cloud application when assigned to the user in Identity360. If there is an existing account for that user but it’s disabled, the account will be re-enabled.
  • Deleting users: When a user is deleted or the application is unassigned from the user in Identity360, their user account is deleted or disabled in the application as well.
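The create / re-enable / disable / delete cycle described in the two list items above, and the deprovisioning benefit noted earlier, map onto a small set of SCIM 2.0 calls (POST /Users, GET /Users?filter=..., PATCH /Users/{id}, DELETE /Users/{id}). The following added example is not Identity360's code or any vendor's API: it simulates a service provider's /Users endpoint in memory (the class and function names InMemoryScimProvider, provision_user and deprovision_user are this example's own) and drives it the way an IdP would. It also escapes the userName before embedding it in the SCIM filter, so a user-controlled value cannot alter the filter expression.

```python
import re
import uuid

# SCIM 2.0 schema URNs from RFC 7643 / RFC 7644
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# The only filter form this toy provider understands: userName eq "value"
_FILTER_RE = re.compile(r'^userName eq "((?:[^"\\]|\\.)*)"$')


def quote_filter_value(value: str) -> str:
    """Escape backslashes and double quotes (RFC 7644 section 3.4.2.2) so a
    userName chosen by a user cannot break out of the filter expression."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


class InMemoryScimProvider:
    """Constructed stand-in for a SaaS application's SCIM 2.0 /Users endpoint.
    A real provider sits behind HTTPS and requires a bearer token."""

    def __init__(self):
        self.users = {}  # id -> SCIM User resource

    def create_user(self, resource):
        """POST /Users: validate the schema and reject duplicates (409 uniqueness)."""
        if resource.get("schemas") != [USER_SCHEMA] or not resource.get("userName"):
            raise ValueError("400 invalidValue")
        if self.list_users(f'userName eq "{quote_filter_value(resource["userName"])}"'):
            raise ValueError("409 uniqueness")
        user = dict(resource, id=str(uuid.uuid4()))
        user.setdefault("active", True)
        self.users[user["id"]] = user
        return user

    def list_users(self, filter_expr):
        """GET /Users?filter=...: anything other than a single userName eq clause is rejected."""
        m = _FILTER_RE.match(filter_expr)
        if not m:
            raise ValueError("400 invalidFilter")
        wanted = re.sub(r"\\(.)", r"\1", m.group(1)).lower()  # undo the escaping
        return [u for u in self.users.values() if u["userName"].lower() == wanted]

    def patch_user(self, user_id, patch):
        """PATCH /Users/{id}: supports 'replace' on simple top-level attributes."""
        if patch.get("schemas") != [PATCH_SCHEMA]:
            raise ValueError("400 invalidSyntax")
        user = self.users.get(user_id)
        if user is None:
            raise KeyError("404 not found")
        for op in patch["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError("400 invalidValue")
            user[op["path"]] = op["value"]
        return user

    def delete_user(self, user_id):
        """DELETE /Users/{id}"""
        if self.users.pop(user_id, None) is None:
            raise KeyError("404 not found")


def provision_user(sp, user_name, given_name, family_name):
    """IdP side of 'Creating users': create the account, or re-enable it when an
    account with that userName already exists but is disabled."""
    existing = sp.list_users(f'userName eq "{quote_filter_value(user_name)}"')
    if existing:
        user = existing[0]
        if user["active"]:
            return user, "unchanged"
        patch = {"schemas": [PATCH_SCHEMA],
                 "Operations": [{"op": "replace", "path": "active", "value": True}]}
        return sp.patch_user(user["id"], patch), "re-enabled"
    resource = {"schemas": [USER_SCHEMA], "userName": user_name,
                "name": {"givenName": given_name, "familyName": family_name},
                "active": True}
    return sp.create_user(resource), "created"


def deprovision_user(sp, user_name, hard_delete=False):
    """IdP side of 'Deleting users': disable (default) or delete the account.
    Disabling keeps the record for audit and lets provision_user re-enable it."""
    existing = sp.list_users(f'userName eq "{quote_filter_value(user_name)}"')
    if not existing:
        return "not-found"
    user = existing[0]
    if hard_delete:
        sp.delete_user(user["id"])
        return "deleted"
    patch = {"schemas": [PATCH_SCHEMA],
             "Operations": [{"op": "replace", "path": "active", "value": False}]}
    sp.patch_user(user["id"], patch)
    return "disabled"


def lifecycle_demo():
    """Join, leave, rejoin and final removal of one constructed user."""
    sp = InMemoryScimProvider()
    _, first = provision_user(sp, "jdoe@example.com", "Jane", "Doe")
    left = deprovision_user(sp, "jdoe@example.com")                   # removed from IdP
    _, back = provision_user(sp, "jdoe@example.com", "Jane", "Doe")   # app reassigned
    gone = deprovision_user(sp, "jdoe@example.com", hard_delete=True)
    return [first, left, back, gone, len(sp.users)]


if __name__ == "__main__":
    print(lifecycle_demo())  # ['created', 'disabled', 're-enabled', 'deleted', 0]
```

Disabling rather than deleting on the first deprovision is what makes the re-enable path in "Creating users" possible: the SP keeps the record with active set to false, and a later assignment flips it back instead of creating a second account with the same userName, which the provider would reject with a 409.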