SCIM
An open standard (RFC 7643/7644) for automating user provisioning, deprovisioning, and attribute synchronization.
What is SCIM?
SCIM (System for Cross-domain Identity Management) is an open standard (RFC 7643/7644) for automating user provisioning and deprovisioning between identity providers and service providers.
SCIM defines:
- Core Schema (RFC 7643): Standard user/group attributes (userName, emails, name, etc.)
- Protocol (RFC 7644): REST API endpoints for CRUD operations on users/groups
SCIM enables automated lifecycle management:
- Provisioning: Automatically create user accounts when employees are hired
- Deprovisioning: Automatically disable/delete accounts when employees leave
- Synchronization: Keep user attributes (department, manager) in sync across systems
SCIM is widely used in B2B IAM and Enterprise SSO scenarios.
Analogy
Think of SCIM as an automatic HR system. When a new employee is hired, HR adds them to the system once, and they automatically get access to all the tools they need (Slack, Salesforce, Workday). When they leave, one click removes access everywhere.
Types and Use Cases
- Enterprise SSO: Automatically provision/deprovision employees to Salesforce, Slack, Workday
- B2B Federation: Sync partner users between Okta/Azure AD and vendor portals
- CIAM: Automatically provision customers from CRM/ERP to CIAM platform
- HR Integration: Connect Workday/BambooHR to identity systems via SCIM
How it Works
// SCIM User Creation (POST /scim/v2/Users)
// "department" is not a core User attribute; it belongs to the Enterprise User extension
POST /scim/v2/Users
Content-Type: application/scim+json
Authorization: Bearer <admin_access_token>

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "john.doe@company.com",
  "name": {
    "givenName": "John",
    "familyName": "Doe"
  },
  "emails": [{
    "value": "john.doe@company.com",
    "type": "work",
    "primary": true
  }],
  "active": true,
  "externalId": "emp12345",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "Engineering"
  }
}

// Response: 201 Created (the server assigns the id)
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "7d6d8f7a-5b5b-4b5c-8b5d-5b5b5b5b5b5b",
  "userName": "john.doe@company.com",
  "active": true
}

SCIM vs Manual Provisioning

SCIM                                              | Manual Provisioning
SCIM is automated (real-time sync)                | Manual provisioning is human-driven (error-prone, slow)
SCIM ensures consistent access across all systems | Manual often leads to orphaned accounts
SCIM requires initial setup (API integration)     | Manual requires ongoing effort (IT tickets)
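To carry the lifecycle described above (provision, synchronize attributes, deprovision) end to end, here is a minimal in-memory SCIM 2.0 server core in Python. It is an added example, not LoginRadius code: the class and function names are the example's own and the user data is constructed. It exercises the check that the single POST in How it Works does not show, namely that a repeated POST for the same userName (an IdP retry, for instance) is answered with 409 and scimType "uniqueness" instead of creating a second account, and it deprovisions by setting active to false before any hard delete.

```python
"""Minimal in-memory SCIM 2.0 server core: provisioning, sync, deprovisioning.
Added example, not LoginRadius code. Error bodies follow RFC 7644 section 3.12."""
import uuid
from datetime import datetime, timezone

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_error(status, detail, scim_type=None):
    """Build an (HTTP status, SCIM error body) pair."""
    body = {"schemas": [ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUserStore:
    """Users keyed by server-generated id; userName is unique, case-insensitive."""

    def __init__(self):
        self.users = {}

    def _by_username(self, user_name):
        for user in self.users.values():
            if user["userName"].lower() == user_name.lower():
                return user
        return None

    def create(self, body):
        """POST /Users -> (201, resource) or (400 / 409, error body)."""
        if CORE_USER not in body.get("schemas", []):
            return scim_error(400, "core User schema required", "invalidValue")
        if not body.get("userName"):
            return scim_error(400, "userName is required", "invalidValue")
        if self._by_username(body["userName"]):
            # Duplicate POST (e.g. an IdP retry) must not create a second account
            return scim_error(409, "userName already exists", "uniqueness")
        now = datetime.now(timezone.utc).isoformat()
        user = dict(body)
        user["id"] = str(uuid.uuid4())
        user.setdefault("active", True)
        user["meta"] = {"resourceType": "User", "created": now, "lastModified": now}
        self.users[user["id"]] = user
        return 201, user

    def patch(self, user_id, body):
        """PATCH /Users/{id}: replace operations only (RFC 7644 section 3.5.2)."""
        user = self.users.get(user_id)
        if user is None:
            return scim_error(404, "user not found")
        if PATCH_OP not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema required", "invalidSyntax")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return scim_error(400, "only replace is implemented here", "invalidValue")
            path = op.get("path")
            if path is None:                      # whole-object replace, e.g. {"active": false}
                user.update(op["value"])
            elif path.startswith(ENTERPRISE_USER + ":"):
                user.setdefault(ENTERPRISE_USER, {})[path.rsplit(":", 1)[1]] = op["value"]
            else:
                user[path] = op["value"]
        user["meta"]["lastModified"] = datetime.now(timezone.utc).isoformat()
        return 200, user

    def delete(self, user_id):
        """DELETE /Users/{id} -> 204, or 404 if unknown."""
        if user_id not in self.users:
            return scim_error(404, "user not found")
        del self.users[user_id]
        return 204, None


def run_lifecycle(store):
    """Hire -> duplicate POST -> HR attribute sync -> offboard; returns what each step produced."""
    status, user = store.create({           # constructed sample user
        "schemas": [CORE_USER, ENTERPRISE_USER],
        "userName": "john.doe@company.com",
        "externalId": "emp12345",
        "name": {"givenName": "John", "familyName": "Doe"},
        ENTERPRISE_USER: {"department": "Engineering"},
    })
    dup_status, _ = store.create({"schemas": [CORE_USER], "userName": "John.Doe@company.com"})
    store.patch(user["id"], {"schemas": [PATCH_OP], "Operations": [
        {"op": "replace", "path": ENTERPRISE_USER + ":department", "value": "Security"}]})
    # Deprovision by deactivating first; the record stays for audit, DELETE can follow later
    _, offboarded = store.patch(user["id"], {"schemas": [PATCH_OP], "Operations": [
        {"op": "replace", "value": {"active": False}}]})
    return {"created": status, "duplicate": dup_status,
            "department": offboarded[ENTERPRISE_USER]["department"], "active": offboarded["active"]}


if __name__ == "__main__":
    print(run_lifecycle(ScimUserStore()))
```

The case-insensitive userName comparison matters in practice: RFC 7643 defines userName as case-insensitive, so "John.Doe@company.com" and "john.doe@company.com" must resolve to one account, otherwise a second login path survives deprovisioning of the first.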
Best Practices for SCIM
- Monitor SCIM operations: Log all provisioning/deprovisioning events for audit trails
- Test in sandbox: Validate SCIM flows in test environment before production
- Handle errors gracefully: Implement retry logic for failed SCIM operations
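The last two practices above (audit logging and retry logic) are easier to get right together than separately, because a retry that is not logged is invisible to an investigation and a retry that treats every error the same will hammer a server over a request it can never accept. The following Python wrapper for a SCIM client's create call is an added example, not LoginRadius code; the send(method, path, body) callable stands in for whatever HTTP client you use, and the scripted responses are constructed so the example runs offline. Transient statuses are retried with exponential backoff, a 409 uniqueness conflict is resolved by looking the user up rather than reported as a failure, and every attempt is appended to an audit list.

```python
"""Retry and audit wrapper for a SCIM client's provisioning call.
Added example, not LoginRadius code. `send(method, path, body) -> (status, body)` is
whatever HTTP client you use; a scripted fake stands in so this runs offline."""
import time

RETRYABLE = {429, 500, 502, 503, 504}   # transient: worth another attempt


def provision_with_retry(send, user, audit, max_attempts=4, sleep=time.sleep):
    """POST one user. Transient errors are retried with exponential backoff; a 409
    uniqueness conflict is resolved by looking the user up instead of failing; every
    attempt is appended to `audit` so the run can be reconstructed later."""
    delay = 0.5
    for attempt in range(1, max_attempts + 1):
        status, body = send("POST", "/scim/v2/Users", user)
        audit.append({"op": "create", "userName": user["userName"],
                      "attempt": attempt, "status": status})
        if status == 201:
            return "created", body["id"]
        if status == 409:
            # Already provisioned (earlier retry, or another integration): fetch it
            lookup = '/scim/v2/Users?filter=userName eq "%s"' % user["userName"]
            lookup_status, found = send("GET", lookup, None)
            audit.append({"op": "lookup", "userName": user["userName"], "status": lookup_status})
            if lookup_status == 200 and found.get("totalResults") == 1:
                return "already-present", found["Resources"][0]["id"]
            return "conflict-unresolved", None
        if status in RETRYABLE:
            sleep(delay)
            delay *= 2
            continue
        return "failed", None        # other 4xx: malformed request, retrying will not help
    return "gave-up", None


def scripted_transport(script):
    """Constructed test double: replays (status, body) pairs in order."""
    responses = list(script)

    def send(method, path, body):
        return responses.pop(0)
    return send


def demo():
    """Two transient failures, then the server says the user already exists."""
    audit = []
    send = scripted_transport([
        (503, None),
        (429, None),
        (409, {"scimType": "uniqueness"}),
        (200, {"totalResults": 1, "Resources": [{"id": "u-1"}]}),
    ])
    outcome = provision_with_retry(send, {"userName": "jane.doe@company.com"}, audit,
                                   sleep=lambda _: None)
    return outcome, audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

In a real deployment the audit list would be written to the same log store as the server-side SCIM operation logs, so that a provisioning event can be traced from the IdP's attempt to the account that resulted; keeping the attempt number and status in each entry is what makes a later "why does this user exist twice / not at all" question answerable.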
How LoginRadius Powers SCIM
LoginRadius CIAM platform provides comprehensive SCIM 2.0 support. As a SCIM server, we accept provisioning requests from Okta, Azure AD, and other IdPs to automate user lifecycle management. As a SCIM client, LoginRadius can provision users to third-party SaaS applications. Our platform supports user CRUD operations, group management, attribute mapping, and detailed SCIM operation logs for audit and troubleshooting.
FAQs
What is the difference between SCIM and SAML?
SCIM is for user lifecycle management (create, update, delete users) between systems. SAML is for authentication (SSO: logging users in). SCIM is like HR adding you to the payroll system; SAML is like using your badge to enter the building. They are complementary: use both together for full identity management.
Does LoginRadius support SCIM?
Yes, LoginRadius supports SCIM 2.0 in both roles: (1) as a SCIM client, provisioning and deprovisioning users from LoginRadius to third-party SaaS apps, and (2) as a SCIM server, allowing your HR system or corporate IdP (Okta, Azure AD) to provision users into LoginRadius. We support user create, read, update, delete, and group management via SCIM endpoints.
How do I set up SCIM with LoginRadius?
Steps to set up SCIM: (1) Generate a SCIM token in the LoginRadius admin console, (2) Configure Okta/Azure AD: add LoginRadius as a SCIM application, (3) Map attributes: define how Okta attributes map to LoginRadius fields, (4) Set provisioning rules: which users/groups get provisioned, (5) Test: create a test user and verify it syncs to LoginRadius.