3

Can anybody please tell me what exactly is meant by SCIM provisioning and how it works?

What is the difference between a SCIM endpoint and a SCIM client?

Thanks in advance.

techsu

2 Answers

8

Imagine you are the IT admin in a Fortune 500 company. Typically, your employees might be using hundreds of cloud-based SaaS applications such as Salesforce, Zendesk, GitHub, Trello, etc.

When a new employee is onboarded, he/she must be added to certain SaaS applications depending on his job role. For example, a sales agent might need to be added to Salesforce, developers to GitHub, etc.

Obviously, it is not possible for you as the IT admin to manually log in to each application and add the new employee, and also remove them when they are terminated.

This is where SCIM comes into play. SaaS vendors will implement REST endpoints as described in the SCIM protocol for provisioning and de-provisioning users and groups. This process can be called SCIM provisioning.

Organizations will then use another SaaS vendor who consumes the SCIM endpoints implemented by the SaaS apps to provision/de-provision users/groups. These are companies like Azure AD, OneLogin, Okta. You can think of these providers as SCIM clients, although you will find them addressed by various other names such as Identity Providers (IdPs).

PradGar
7

If you imagine a SCIM server as an LDAP repository but in the cloud, you need to find a way to manage users and groups (CRUD operations) with a protocol which is HTTPS based, as LDAPS is not recommended over the Internet.

SPML (https://en.wikipedia.org/wiki/Service_Provisioning_Markup_Language) was created in the past to solve this. But it is SOAP/XML oriented, so complex and heavy.

Modern standards are more oriented towards JSON and API/REST protocols. Therefore SCIM was created.

A SCIM client is then an external agent (an application - web, native, fat -, a CLI console, etc.) that may want to manage users/groups on behalf of an authorized user (SCIM is OIDC compliant). The SCIM endpoint is where the client will connect to, authenticate to and be authorized for those CRUD operations.

Please see: http://www.simplecloud.info/

Currently an extension to SCIM is planned. SCIM-PAM will allow managing policies for privileged access (à la sudo).

Jeff

Jeff LOMBARDO
  • Thanks for your reply. If I want to do some practice examples of SCIM from scratch, where can I find them? How can I build my own application that connects to a SCIM endpoint and does the CRUD functions? Thanks again. – techsu Nov 28 '17 at 15:36
  • You can install a pre-configured SCIM endpoint (most major IAM products support it now). I recommend you start with ForgeRock OpenDJ, an LDAP directory with a SCIM interface. WSO2 IS is pretty straightforward too. Then practice yourself with Postman to learn how to call it. Then create your SPA with Node.js. Then do your real stuff. Jeff – Jeff LOMBARDO Nov 28 '17 at 15:40
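As an added example (not code from the question, either answer, or any product named above), here is the onboarding/deprovisioning lifecycle the first answer describes and the CRUD calls the comments ask about, in Python: a constructed in-memory stand-in for a SaaS vendor's SCIM 2.0 `/Users` endpoint next to the request bodies an IdP-side SCIM client sends. The `ScimEndpoint`, `onboard` and `offboard` names are assumptions made for this example; the schema URIs and `scimType` values are the ones RFC 7643/7644 define, and there is no HTTP layer, so it runs offline.

```python
import uuid
# SCIM 2.0 schema URIs from RFC 7643 / RFC 7644 (these are the real identifiers).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
def scim_error(status, scim_type=None):  # error body shape from RFC 7644 section 3.12
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "scimType": scim_type}
    return status, {k: v for k, v in body.items() if v is not None}
class ScimEndpoint:  # stand-in for a SaaS vendor's /Users resource (constructed, in-memory, no HTTP)
    def __init__(self): self.users = {}

    def post_user(self, body):  # POST /Users
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "invalidValue")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return scim_error(409, "uniqueness")  # userName must be unique per tenant
        user = {**body, "id": str(uuid.uuid4()), "active": body.get("active", True)}
        self.users[user["id"]] = user
        return 201, user  # the server assigns the id; the client must store it

    def get_user(self, user_id):  # GET /Users/{id}
        user = self.users.get(user_id)
        return (200, user) if user else scim_error(404)

    def patch_user(self, user_id, body):  # PATCH /Users/{id}
        if user_id not in self.users:
            return scim_error(404)
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "invalidSyntax")
        for op in body.get("Operations", []):  # only 'replace active' is modelled here
            if op.get("op", "").lower() != "replace" or op.get("path") != "active":
                return scim_error(400, "invalidPath")
            self.users[user_id]["active"] = bool(op.get("value"))
        return 200, self.users[user_id]

    def delete_user(self, user_id):  # DELETE /Users/{id}
        return (204, None) if self.users.pop(user_id, None) else scim_error(404)

def onboard(endpoint, user_name, given, family):  # IdP-side client: new hire -> POST /Users
    body = {"schemas": [USER_SCHEMA], "userName": user_name,
            "name": {"givenName": given, "familyName": family}}
    status, resp = endpoint.post_user(body)
    if status != 201:
        raise RuntimeError(f"provisioning failed: {status} {resp.get('scimType')}")
    return resp["id"]

def offboard(endpoint, user_id):  # IdP-side client: termination -> PATCH active=false, record kept
    body = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "path": "active", "value": False}]}
    status, resp = endpoint.patch_user(user_id, body)
    return status == 200 and resp["active"] is False
```

Disabling with `active=false` rather than deleting keeps the account's history for audit while blocking sign-in; a hard `DELETE` is shown as well for completeness.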