SCIM
SCIM (System for Cross-domain Identity Management 2.0, IETF RFC 7643/7644) is a REST/JSON protocol that standardizes how identity providers create, update and deactivate users and groups in downstream applications. It replaces brittle custom connectors with one vendor-neutral schema, making automated joiner-mover-leaver provisioning portable across SaaS.
Definition
System for Cross-domain Identity Management 2.0 (IETF RFC 7643/7644) — REST/JSON protocol for cross-vendor identity provisioning. Standardized schema for user/group lifecycle operations (Create/Read/Update/Delete/Search). Vendor-neutral alternative to custom connectors.
- Synonyms: SCIM
- Application: Major IdPs (Okta, Microsoft Entra, Ping, ForgeRock) act as SCIM clients; major SaaS apps (Workday, Slack, Zoom, Box, GitHub) act as SCIM endpoints. Best practice: SCIM-first provisioning, custom connectors only for legacy systems.
- Standards & regulations:
  - RFC 7642 «The System for Cross-domain Identity Management (SCIM) specification is designed to manage user identity in cloud-based applications and services in a standardized way to enable interoperability, secu»
  - RFC 7643 «This document provides a platform-neutral schema and extension model for representing users and groups and other resource types in JSON format.»
  - RFC 7644 «The System for Cross-domain Identity Management (SCIM) specification is an HTTP-based protocol that makes managing identities in multi-domain scenarios easier.»
  - RFC 9967 «This document defines a profile of the System for Cross-domain Identity Management (SCIM) protocol and schemas for use with Security Event Tokens (SETs).»
- Sources:
  - SCIM 2.0 Core Schema — RFC 7643 primary source
  - SCIM 2.0 Protocol — RFC 7644 primary source
Related terms
- Target System (TS): System that receives provisioning actions from IGA platform — receives create/update/disable account commands and entitl …
- Active Directory (AD): Microsoft's enterprise directory service (since Windows 2000 Server) — central repository for user accounts, computer ac …
- Application Programming Interface (API): Defined interface allowing software components to interact — increasingly the primary integration mechanism for cloud-na …
- AuthZEN: OpenID Foundation working group standardising a uniform API for authorization decisions across heterogeneous Policy Deci …
- DPoP (Demonstration of Proof of Possession): Demonstration of Proof-of-Possession — IETF RFC 9449, OAuth 2.0 mechanism binding an access token to a private key held …
- FAPI 2.0 (Financial-grade API): OpenID Foundation Financial-grade API Security Profile 2.0 — high-security authorization profile for financial APIs (ope …
Frequently asked questions
What is SCIM?
SCIM is an open IETF standard (RFC 7643/7644) for automated user provisioning. An identity provider pushes create/update/deactivate operations over REST/JSON to any SCIM-compliant application, using a common user and group schema.
Why use SCIM instead of custom connectors?
Custom connectors are per-application and break on API changes. SCIM gives one standard schema and protocol, so onboarding a new SaaS is configuration rather than engineering — and deprovisioning, the security-critical part, happens automatically when someone leaves.
Does SCIM handle deprovisioning?
Yes — SCIM deactivate/delete operations are how leaver events propagate. Reliable SCIM deprovisioning is what closes the orphaned-account gap that manual offboarding leaves open.
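The deprovisioning flow described above, as an added example that is not part of the original glossary entry: it reconciles a list of leavers against a SCIM ListResponse from an application and builds the RFC 7644 PATCH that deactivates each account still active. The sample users, ids and the `LEAVERS` list are constructed, and treating a missing `active` attribute as active is an assumption chosen so that doubtful accounts are flagged rather than skipped.

```python
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def deactivate_request(user_id):
    """Return (method, path, body) for a SCIM PATCH that sets active=false.
    The body is sent as JSON with Content-Type application/scim+json."""
    body = {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return "PATCH", f"/Users/{user_id}", body

def orphaned_accounts(list_response, leavers):
    """Ids of accounts the application still reports as active for leavers."""
    if LIST_RESPONSE not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = list_response.get("Resources", [])
    # A partial page would hide orphans; require the full result set.
    if list_response.get("totalResults", len(resources)) > len(resources):
        raise ValueError("paged result: fetch remaining pages before reconciling")
    # userName is caseExact=false in the RFC 7643 User schema.
    gone = {name.casefold() for name in leavers}
    return [
        r["id"] for r in resources
        if r.get("userName", "").casefold() in gone
        and r.get("active", True)  # assumption: missing 'active' counts as active
    ]

def remediation_plan(list_response, leavers):
    """One deactivate request per orphaned account."""
    return [deactivate_request(uid) for uid in orphaned_accounts(list_response, leavers)]

# Constructed sample data (not from a real tenant).
SAMPLE = {
    "schemas": [LIST_RESPONSE],
    "totalResults": 3,
    "Resources": [
        {"id": "a1", "userName": "alice@example.com", "active": True},
        {"id": "b2", "userName": "Bob@Example.com", "active": True},
        {"id": "c3", "userName": "carol@example.com", "active": False},
    ],
}
LEAVERS = ["bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    for method, path, body in remediation_plan(SAMPLE, LEAVERS):
        print(method, path, body)
```

Run periodically against each SCIM endpoint, a non-empty plan indicates that a leaver event did not propagate to that application.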