SCIM – Redefining identity and access management in the cloud

Bhanu Pratap Singh July 8 2021

“Worldwide end-user spending on public cloud services is forecast to grow 18.4% in 2021 to total $304.9 billion, up from $257.5 billion in 2020.” Gartner

Though indispensable for modern businesses, cloud and SaaS applications have multiplied the complexity of user lifecycle management. User provisioning and de-provisioning, and keeping track of user IDs and logins across dozens of services, have emerged as new pain points for IT as organizations innovate and migrate to the cloud. In this changing business landscape, automated provisioning has emerged as a viable option for identity and user management.

Resolving identity and access concerns

Identity and access management (IAM) is the way organizations define users' rights to access and use organization-wide resources. There have been several developments over the last couple of decades aimed at resolving identity and access concerns in the cloud.

The Security Assertion Markup Language (SAML) protocol lets an IT admin set up single sign-on (SSO) for resources such as email, JIRA or a CRM, typically backed by a directory like Active Directory (AD), so that a user logs in once and uses the same set of credentials to reach other services. App provisioning, the process of automatically creating user identities and roles in cloud applications, remained a concern, however. Even today, many IT teams register users manually, which is time-consuming, expensive and error-prone, exactly when the actual need is for speed. Just-in-Time (JIT) provisioning and the System for Cross-domain Identity Management (SCIM) protocol usher in a new paradigm for identity management by regulating the way organizations create and delete identities. In this blog, we highlight how JIT and SCIM have redefined identity and access management (IAM). We also look at cloud directory services and how they reimagine the future of IAM.

  1. Just-in-Time (JIT) provisioning

There are many methodologies for managing user lifecycles in web apps; one of them is Just-in-Time (JIT) provisioning. In simple terms, JIT provisioning creates a user's account and grants their access at the moment they first need it, so that only the intended user (human or non-human) can enter the system, reach resources and perform specific tasks, with policies governing the kind of access they are entitled to.

How it works    

JIT provisioning automates the creation of user accounts in cloud applications. It builds on the SAML protocol: the assertion issued at login carries user attributes (name, email, groups) from a central identity provider to the application (for example, Salesforce or JIRA). Rather than creating the user inside each application and approving their app access there, an IT admin creates the user and authorizes their app access once in the central directory. When the user logs in to an app for the first time, the account is created automatically in that federated application from the attributes in the assertion. Before JIT, each account had to be created manually by an IT administrator or manager.
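What the service-provider side of JIT provisioning looks like, as an added example (not code from the original post or from any SAML library). It assumes the SP's SAML library has already verified the assertion's signature, issuer, audience and validity window and hands over the subject (NameID) and attributes as a dict; the attribute names, the `JitProvisioner` class and the sample assertion are constructed for the example. Two points it shows that the description above does not: accounts must be keyed on the stable IdP subject identifier rather than on email, and JIT creates accounts but never removes them.

```python
# Added example (not code from the original post): Just-in-Time provisioning
# as a service provider (SP) would do it on receipt of a SAML assertion.
# Assumptions: the SP's SAML library has already verified the assertion's
# signature, issuer, audience and validity window, and hands us the subject
# (NameID) plus attributes as a dict.  The attribute names are assumptions too.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Account:
    subject_id: str                 # stable IdP identifier, never the email
    email: str
    display_name: str
    groups: List[str] = field(default_factory=list)


class JitProvisioner:
    """Creates or refreshes the local account the moment a federated user logs in."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}     # keyed by subject_id

    def on_saml_login(self, assertion: dict) -> Account:
        subject = assertion["NameID"]
        attrs = assertion["Attributes"]
        # Refuse to bind one email to two different IdP subjects: keying JIT
        # on email alone is the classic account-takeover path when addresses
        # get reassigned.
        for other in self.accounts.values():
            if other.email == attrs["email"] and other.subject_id != subject:
                raise ValueError("email already bound to another subject")
        acct = self.accounts.get(subject)
        if acct is None:
            # First login: JIT-create the account from the asserted attributes.
            acct = Account(subject, attrs["email"], attrs["displayName"],
                           list(attrs.get("groups", [])))
            self.accounts[subject] = acct
        else:
            # Later logins: refresh the attributes the IdP is authoritative for.
            acct.email = attrs["email"]
            acct.display_name = attrs["displayName"]
            acct.groups = list(attrs.get("groups", []))
        return acct

    def stale_accounts(self, subjects_still_at_idp: Set[str]) -> List[Account]:
        """What JIT never does for you: accounts whose subject the IdP has
        since removed stay behind until something else cleans them up."""
        return [a for a in self.accounts.values()
                if a.subject_id not in subjects_still_at_idp]


# Constructed sample assertion (already validated, by assumption).
ALICE_ASSERTION = {
    "NameID": "urn:example:idp:subject:1001",
    "Attributes": {"email": "alice@example.com", "displayName": "Alice Example",
                   "groups": ["engineering"]},
}


def demo() -> int:
    """Two logins create one account; after Alice leaves the IdP, her SP
    account is still there.  Returns the number of stale accounts."""
    sp = JitProvisioner()
    sp.on_saml_login(ALICE_ASSERTION)
    sp.on_saml_login(ALICE_ASSERTION)            # no duplicate on repeat login
    return len(sp.stale_accounts(set()))        # IdP no longer lists Alice -> 1


if __name__ == "__main__":
    print(demo())
```

The `stale_accounts` check is the gap JIT leaves open: once the IdP stops issuing assertions for a subject, the SP simply never hears about it, so the account, its data and its entitlements stay in place until an admin or a separate sync removes them.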

  2. System for Cross-domain Identity Management (SCIM)

SCIM is the standard protocol for cross-domain identity management. With IT today expected to perform like a magician, juggling several balls in the air and ensuring that none falls, SCIM has become exceedingly important because it simplifies IAM.

SCIM defines both a protocol and a schema for IAM. The protocol defines how user data is relayed across systems, while the schema (the identity profile) defines the entity being managed, which can be human or non-human. An API-driven identity management protocol, SCIM standardizes the exchange of identity data between identity providers and service providers using HTTP verbs (GET, POST, PUT, PATCH, DELETE) on JSON resources such as Users and Groups.

Evolution of SCIM

The first version of SCIM (then "Simple Cloud Identity Management") was released in 2011 by an industry working group. The protocol was then taken up by the Internet Engineering Task Force (IETF), with contributions from Salesforce, Google and others, and SCIM 2.0 was published as RFCs 7642, 7643 and 7644 in 2015. SCIM transformed the way enterprises build and manage user accounts in web and business applications: the specification defines a "common user schema" so that users can be added to and removed from apps in a uniform way.

Why SCIM? 

Next level of automation: SCIM's relevance to user life cycle management for B2B SaaS applications is enormous.

Frees IT from the shackles of tedious and repetitive work: Admins create new users once, in the central directory, and SCIM pushes them out to the apps. Through ongoing sync, both onboarding and offboarding of users/employees in apps are automated, which frees the IT team from processing repetitive user requests. Attribute changes, and where the application supports it passwords, are synced as well.

Consider the scenario where an employee decides to leave the organization, or a contractor's contract expires. With SCIM, deleting or deactivating the account in the central directory is propagated to the connected apps, which delete or deactivate the corresponding identities. This level of automation was not possible with JIT alone; with SCIM, organizations achieve the next level of automation.
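To make the protocol and schema described above and this leaver scenario concrete, here is an added example (not code from the original post or from any IdP vendor's SDK) of the core of a SCIM 2.0 /Users endpoint on the service-provider side. It leaves the HTTP layer out and returns (status, body) pairs directly; the in-memory store, the request bodies and the limited filter and PATCH subset are assumptions for the example, while the schema URNs, status codes and response shapes are those of RFC 7643 and RFC 7644.

```python
# Added example (not code from the original post or any vendor SDK): the core of
# a SCIM 2.0 /Users endpoint as a service provider implements it, reduced to
# plain Python calls returning (HTTP status, JSON body).  The schema URNs and
# response shapes follow RFC 7643/7644; the store, the request bodies and the
# supported filter/patch subset are constructed for this example.
import re
import uuid
from typing import Dict, Optional, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

Response = Tuple[int, Optional[dict]]


def scim_error(status: int, detail: str, scim_type: str = "") -> Response:
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUsers:
    """In-memory Users resource.  A real SP puts a bearer-token check in front
    of every call and persists the store; that plumbing is omitted here."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def _by_username(self, username: str) -> Optional[dict]:
        # userName is caseExact=false in the core schema: compare case-insensitively
        return next((u for u in self.users.values()
                     if u["userName"].lower() == username.lower()), None)

    def create(self, body: dict) -> Response:          # POST /Users
        if USER_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "core User schema missing", "invalidValue")
        if not body.get("userName"):
            return scim_error(400, "userName is required", "invalidValue")
        if self._by_username(body["userName"]):
            return scim_error(409, "userName already exists", "uniqueness")
        user = {k: v for k, v in body.items() if k != "password"}  # write-only, never echoed
        user["id"] = str(uuid.uuid4())                 # server-assigned, immutable
        user.setdefault("active", True)
        user["meta"] = {"resourceType": "User", "location": f"/Users/{user['id']}"}
        self.users[user["id"]] = user
        return 201, user

    def search(self, filter_expr: str) -> Response:    # GET /Users?filter=...
        m = re.fullmatch(r'\s*userName\s+eq\s+"([^"]*)"\s*', filter_expr)
        if not m:
            return scim_error(400, "only userName eq is supported here", "invalidFilter")
        hit = self._by_username(m.group(1))
        resources = [hit] if hit else []
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(resources),
                     "startIndex": 1, "itemsPerPage": len(resources),
                     "Resources": resources}

    def patch(self, user_id: str, body: dict) -> Response:   # PATCH /Users/{id}
        user = self.users.get(user_id)
        if user is None:
            return scim_error(404, "User not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema missing", "invalidValue")
        for op in body.get("Operations", []):
            # Deactivation (active=false) is how IdPs offboard without destroying
            # the user's data; only that and displayName are handled here.
            if op.get("op", "").lower() != "replace" or op.get("path") not in ("active", "displayName"):
                return scim_error(400, f"unsupported operation: {op}", "invalidPath")
            user[op["path"]] = op["value"]
        return 200, user

    def delete(self, user_id: str) -> Response:        # DELETE /Users/{id}
        if self.users.pop(user_id, None) is None:
            return scim_error(404, "User not found")
        return 204, None


def leaver_walkthrough() -> list:
    """Status codes for: create, duplicate create, lookup, deactivate, delete,
    then the totalResults of a lookup after deletion."""
    svc = ScimUsers()
    alice = {"schemas": [USER_SCHEMA], "userName": "alice@example.com",
             "name": {"givenName": "Alice", "familyName": "Example"},
             "emails": [{"value": "alice@example.com", "primary": True}]}
    st1, created = svc.create(alice)
    st2, _ = svc.create(alice)                          # IdP retries: 409, not a duplicate
    st3, _ = svc.search('userName eq "alice@example.com"')
    off = {"schemas": [PATCH_SCHEMA],
           "Operations": [{"op": "replace", "path": "active", "value": False}]}
    st4, _ = svc.patch(created["id"], off)              # contract ended: deactivate
    st5, _ = svc.delete(created["id"])                  # retention over: remove
    st6, listing = svc.search('userName eq "alice@example.com"')
    return [st1, st2, st3, st4, st5, listing["totalResults"]]


if __name__ == "__main__":
    print(leaver_walkthrough())
```

Two details matter in practice. The 409 response with `scimType: "uniqueness"` lets the IdP's retry logic recognise an account that already exists instead of creating a second one, and `PATCH` with `active: false` is the form of offboarding IdPs send on deactivation, with `DELETE` following only when the tenant's retention policy allows it. Every call also has to sit behind a bearer-token check in a real deployment; that is deliberately not shown.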

  3. Cloud Directory Services

Cloud directory service is another category of IAM solution that has gained a fair amount of traction recently. Earlier, most organizations were on-prem, and Microsoft Active Directory fulfilled their IAM needs. The IT environment has changed dramatically in the last decade: users are more mobile, security is a significant concern, and web applications are the de facto standard. The shift from AD to directory-as-a-service is therefore a natural progression in tune with the changing requirements, and a viable choice for organizations. Platform-agnostic, hosted in the cloud, and supporting a wide variety of protocols such as SAML and SCIM, it serves the purpose of modern organizations. These directories store information about devices, users and groups, and IT administrators use them to simplify their workload and extend access to information and resources.

Platform-agnostic schema: As an HTTP-based protocol that handles identities in multi-domain scenarios, SCIM defines the future of IAM. Organizations are not required to replace existing user management systems, because SCIM acts as a standard interface on top of them. SCIM specifies a platform-agnostic schema and extension model for users, groups and other resource types in JSON format (defined in RFC 7643).

Ideal for SaaS: SCIM suits SaaS-based apps because it lets administrators work from authoritative identities, streamlining account management.

Organizations using internal applications and external SaaS applications are keen to reduce onboarding/offboarding effort and cost. A cloud directory service simplifies these processes while allowing organizations to provision users to other resources such as applications, networks and file servers.

Cloud directory service vendors such as Okta, JumpCloud, OneLogin and Azure AD have good reason to support SCIM. Once they speak the protocol, identities and the associated resources, privileges and applications of SCIM-enabled apps integrate with little custom work, and they can manage the user life cycle for their customers through SCIM-supporting applications or SCIM-interfaced IdPs (Identity Providers).

How JIT and SCIM differ

As explained earlier, SCIM is the next level of automation. SCIM automates provisioning, de-provisioning and ongoing management, while JIT only automates account creation. Organizations need to deprovision users when they leave or move to a different role, and JIT does not provide that facility: when the user is disabled at the identity provider their login stops working, but the account in the application is not deprovisioned and lingers with its data and entitlements. With SCIM, app access is removed automatically.

Though JIT is more common and more organizations are still going forward with JIT implementations, SCIM is gaining ground. Several cloud directory service providers, realizing the tremendous potential of SCIM, have adopted the protocol. SCIM, they recognize, is the future of IAM.

Benefits of SCIM Provisioning

  1. Standardization of provisioning

SCIM is not tied to any one client environment. It is supported by platforms and services such as Windows and Azure AD, AWS, G Suite, Office 365 and a wide range of web apps, and through cloud directory services it extends to Mac and Linux endpoints as well. Whether on-premise or in the cloud, SCIM is ideal for organizations desiring seamless integration of applications and identities.

  2. Centralization of identity

An enterprise can have a single source of truth, a common IdP (identity provider), that communicates with the organization's own applications and with vendor applications over the SCIM protocol to manage access.

  3. Automation of onboarding and offboarding

Admins no longer need to create and delete user accounts in different applications manually, which saves time and reduces human error.

  4. Ease of compliance

With less manual intervention, compliance standards are higher. Enterprises control user access themselves without depending on SaaS providers. Employee onboarding and turnover can be a massive effort if handled manually, and when employees onboard or offboard frequently, the corresponding risk of a data breach through orphaned accounts is high. An employee's profile also changes during their tenure, and compliance is at risk if that access is not managed correctly. With SCIM, all of the scenarios above are handled transparently in one place.

  5. More comprehensive SSO management

SCIM complements existing SSO protocols like SAML. SAML takes care of user authentication, authorization and application launch from a single point. JIT user provisioning with SAML helps with provisioning, but it does not cover the complete user life cycle. Combining SCIM with SAML, SSO and user management across domains can be managed together with ease.

SCIM is hard to ignore

Modern enterprises cannot deny the importance of the SCIM protocol. In the words of the SCIM Request for Comments published by the Internet Engineering Task Force (IETF): "SCIM intends to reduce the cost and complexity of user management operations by providing a common user schema, an extension model, and a service protocol defined by this document." Beyond simplifying IAM and letting users move in and out of the cloud without causing the IT admin needless worry, SCIM-compliant apps can reuse existing code, libraries and tools.

At Magic FinServ, we believe the most significant benefit SCIM brings to clients is that it lets them own their data and identities. It helps IT prioritize essential functions instead of getting lost in the mire of tracking identities and user access. Magic FinServ is committed to ensuring that our clients keep pace with the latest developments in technology. Visit our cloud transformation section to know more.


Bhanu Pratap Singh

Managing Consultant
