SCIM
What is SCIM?
SCIM (System for Cross-domain Identity Management) is an open standard protocol that automates how user accounts are created, updated, and removed across multiple cloud applications. Defined by the IETF in RFC 7644, it lets an identity provider push user lifecycle changes to every connected application through a RESTful API and a common JSON schema.
SCIM 2.0 was published in 2015 with a fully RESTful design and mandatory JSON formatting, and is the recommended standard for all new integrations.
SCIM does not handle authentication or store identities. That responsibility belongs to SAML, OpenID Connect, or directories like LDAP. SCIM carries provisioning instructions from your identity source to downstream applications.
Key Takeaways
- Open Standard Protocol: SCIM is an IETF standard (RFCs 7642-7644) using a REST API and JSON schema for identity management.
- Client-Server Architecture: A SCIM client (your identity provider) sends requests to a SCIM server (the target application) that processes them.
- Full Account Lifecycle: SCIM handles user creation, attribute updates, group membership changes, and deactivation across connected applications.
- Complements SSO: SCIM works alongside SAML and OIDC; those protocols decide who signs in, while SCIM decides whether the account exists in the first place.
Why SCIM Matters
Without SCIM, every SaaS application uses its own proprietary way of managing users, creating onboarding delays, security gaps, and compliance exposure at scale.
- Faster Onboarding: New hires get access to every connected app on day one, instead of waiting for manual IT provisioning.
- Cleaner Offboarding: Terminated employees lose access immediately across SCIM-connected systems, closing the orphaned-account risk that tops OWASP's identity list.
- Reduced Privilege Creep: Role changes revoke outdated access automatically when group memberships update, preventing permission accumulation over time.
- Audit Readiness: SCIM produces consistent, timestamped records of every provisioning event, supporting SOX, HIPAA, and GDPR access-control requirements.
SCIM in Action
A new engineer joins on Monday. Without SCIM, IT manually provisions accounts across Google Workspace, Slack, GitHub, Jira, and Zoom, a process that takes over an hour and still leaves gaps by Tuesday afternoon. With SCIM, HR flags the hire as active in the HRIS, the identity provider sends POST /Users requests to every connected app, and accounts exist before the Monday kickoff. When the engineer later leaves, setting active to false revokes access across every system in minutes, matching Microsoft's one-hour target for cloud auto-revocation.
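The two lifecycle calls in that scenario, the POST /Users on hire and the PATCH that flips active to false on departure, as an added example: a minimal in-memory SCIM 2.0 server handler written for this page (hypothetical, not Siit's or any IdP's code) that validates the RFC 7643/7644 schema URNs, rejects duplicate userNames, and records a timestamped audit entry for every provisioning event.

```python
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimUserStore:
    """Hypothetical in-memory SCIM 2.0 /Users resource used for illustration."""

    def __init__(self):
        self.users = {}   # id -> SCIM User resource
        self.audit = []   # (timestamp, event, id): the provisioning audit trail

    def _error(self, status, detail):
        return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

    def create_user(self, body):
        """POST /Users: the IdP pushes a new account when HR marks the hire active."""
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return self._error(400, "invalidValue")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return self._error(409, "uniqueness")  # userName must be unique
        uid, now = str(uuid.uuid4()), datetime.now(timezone.utc).isoformat()
        user = {"schemas": [USER_SCHEMA], "id": uid, "userName": body["userName"],
                "active": bool(body.get("active", True)),
                "meta": {"resourceType": "User", "created": now, "lastModified": now}}
        self.users[uid] = user
        self.audit.append((now, "create", uid))
        return 201, user

    def patch_user(self, uid, body):
        """PATCH /Users/{id}: only 'replace' on the 'active' attribute is handled here."""
        if uid not in self.users:
            return self._error(404, "User not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return self._error(400, "invalidSyntax")
        user = self.users[uid]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace" or op.get("path") != "active":
                return self._error(400, "invalidPath")
            # Some IdPs send the boolean as the string "False"; normalise before storing.
            user["active"] = str(op.get("value")).lower() == "true"
            now = datetime.now(timezone.utc).isoformat()
            user["meta"]["lastModified"] = now
            self.audit.append((now, "activate" if user["active"] else "deactivate", uid))
        return 200, user
```

A real server would additionally revoke live sessions and tokens on deactivation; SCIM only tells the application the account is no longer active.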
How Siit Supports SCIM
Siit natively supports SCIM 2.0 and extends it with the workflow layer that provisioning alone cannot handle.
- Native SCIM 2.0 Provisioning: Admin accounts are provisioned, updated, and deactivated through native identity connectors for Okta and JumpCloud, with IdP groups mapped to Siit roles.
- 360° Employee Profile: Siit aggregates identity data from IAM, HRIS, and device tools, giving approvers full context before access is granted.
- AI-Powered Workflows: Requests for apps outside SCIM's reach are routed intelligently, approved in context, and executed as actions in your IAM platform.
- Analytics and Role-Based Controls: Reporting tracks request volumes and approval times, while RBAC keeps sensitive identity data visible only to authorized teams.
Together, SCIM handles automated execution and Siit layers on the governance, coordination, and visibility that SCIM alone was never designed to provide.
Want to turn SCIM-based provisioning into fully orchestrated identity workflows with approvals, audit trails, and cross-team coordination built in? Book a demo to see Siit in action.