
I have a case where we would like to update the identity provider data (like Azure AD etc.), for example to add/delete certain groups to accounts. A standard like SCIM would be desired, to gain support for several identity providers, I assume.

The SCIM specification looks promising to me, but practically, are those scenarios supported by identity providers out there?

For example:

Does/can the identity provider also implement the services (like /groups) as a way to update the group assignments for example?

Or could an identity-provider-initiated search call receive this information and update their database?

Dev_Karl
  • The page http://www.simplecloud.info/#Implementations2 suggests Azure and some other IdPs can act both as client and server. What is the use case when an IdP is a server? – Dev_Karl Apr 14 '20 at 20:12
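To make the "/Groups as a way to update group assignments" idea concrete, here is an added example (not code from the question or from any IdP) of the server-side logic a SCIM 2.0 endpoint needs to apply an RFC 7644 PatchOp to a Group resource. The group record, user ids and patch messages are constructed sample data; the schema URNs are the ones defined by the SCIM RFCs.

```python
"""Minimal SCIM 2.0 (RFC 7644) PATCH handling for a /Groups resource.

Added example, not code from the original post: shows what a SCIM
server (an IdP or a target application) has to do to honour
group-membership changes sent through the standard /Groups endpoint.
The group record and the PatchOp bodies are constructed sample data.
"""
import copy
import re

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed sample group with two members, referenced by SCIM user id.
SAMPLE_GROUP = {
    "schemas": [GROUP_SCHEMA],
    "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
    "displayName": "security-training-complete",
    "members": [
        {"value": "2819c223-7f76-453a-919d-413861904646"},
        {"value": "902c246b-6245-4190-8e05-00816be7344a"},
    ],
}

# Path filter used by clients to remove one member: members[value eq "<id>"]
_MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def apply_group_patch(group, patch):
    """Return a new group with the PatchOp applied, or raise ValueError.

    Supports the two operations provisioning clients use for membership:
      add    path="members"                   value=[{"value": userId}, ...]
      remove path='members[value eq "<id>"]'
    Any other operation is rejected, so unexpected writes cannot slip in.
    """
    if patch.get("schemas") != [PATCH_OP_SCHEMA]:
        raise ValueError("not a SCIM PatchOp message")
    result = copy.deepcopy(group)  # never mutate the stored record in place
    members = result.setdefault("members", [])
    for op in patch.get("Operations", []):
        # op names compared case-insensitively: some clients send "Add"
        kind, path = op.get("op", "").lower(), op.get("path", "")
        if kind == "add" and path == "members":
            present = {m["value"] for m in members}
            for m in op.get("value", []):
                if m["value"] not in present:  # idempotent: no duplicates
                    members.append({"value": m["value"]})
                    present.add(m["value"])
        elif kind == "remove" and (match := _MEMBER_FILTER.match(path)):
            members[:] = [m for m in members if m["value"] != match.group(1)]
        else:
            raise ValueError(f"unsupported operation: {kind} {path!r}")
    return result
```

Whether a real IdP exposes this endpoint for inbound writes is exactly the question above; where it does, the same authorisation and audit rules that protect the IdP's own admin UI must apply to every PATCH.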

1 Answer


The whole purpose here is to have a single source of truth for identity management. If another application wants to modify the leading system's state, then it has to play by its rules. And in the IAM case that means running through sophisticated Access Request workflows. An IdP might have that built in, or just serve the bare dictionary.

Even in the latter case, where group assignments might be changeable, it is totally up to the provisioning configuration whether the IdP-specific groups are sent to the target at all. Often only the user account is provisioned and group assignment happens in the target completely independently.

Maybe your use case actually starts with modification of group assignments in the source system that feeds the IdP?

andekande
  • Thanks Andekande. My use case is simply that an employee completes different kinds of security training and they should get some groups assigned after that. I'm pretty new to this thinking, but an approval flow where the training is just one step could be a way forward. Thanks again – Dev_Karl Jan 19 '21 at 10:08