SCIM Provisioning
SCIM (System for Cross-domain Identity Management) is a standard protocol that simplifies user identity management by automating provisioning and de-provisioning across cloud-based platforms. It ensures consistent user data synchronization, streamlining user updates and removals across multiple services.
Security aspects of SCIM
Reduced Risk of Human Error: Automating user provisioning minimizes mistakes like incorrect permissions or failure to deactivate accounts, reducing unauthorized access.
Consistent Security Policies: SCIM ensures uniform security policies across applications by automatically updating user roles and permissions from the primary identity system.
Improved Compliance: SCIM supports compliance with standards like GDPR and HIPAA through automated, auditable user access management.
Real-Time Visibility of User and Group Changes: SCIM provides instant tracking of user status, roles, and group changes, enabling:
- Immediate Threat Response: Quickly deprovision flagged users to prevent breaches.
- Accurate Access Management: Reflect role changes instantly to prevent unauthorized access.
- Efficient Onboarding and Offboarding: Grant and revoke access promptly, boosting security and productivity.
- Effective Auditing: Real-time tracking supports compliance and identifies unauthorized access.
SCIM provisioning and Single Sign-On
While SCIM and Single Sign-On (SSO) are both key to identity management, they serve different purposes:
SCIM manages the lifecycle of user identities, automating provisioning, updates, and deprovisioning to ensure consistent data and permissions.
SSO handles authentication, enabling users to log in once for access to multiple applications, reducing password fatigue. Together, SCIM and SSO streamline identity management, combining seamless authentication with secure access control.
Users that are provisioned through SCIM use single sign-on to log in to the application.
Authorization and access for SCIM users
Users that were created via SCIM provisioning get the default role(s) set for the entire environment. When they then log in to the application through their organization's SSO connection, they also get the default role set for that SSO connection and, in addition, any group-related roles, if group information is passed in their login SAMLResponse.
SCIM provisioning with Frontegg
The following SCIM capabilities are supported out of the box with Frontegg:
- Provisioning of users
- Updating user details
- De-provisioning of users
- Provisioning of groups
- De-provisioning of groups
- Updating group details
- Assigning users to groups
- Un-assigning users from groups
Update user's email
When provisioning users via SCIM, note that if you update a user's email on your IdP's side, it will create a new user in Frontegg (i.e., the new email is not synced to the original user ID; the original user record keeps its old email).
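To make the capability list above and the email caveat concrete, here is an added example (not Frontegg's code and not its SCIM endpoint): it builds the SCIM 2.0 request bodies an IdP sends for user and group lifecycle operations, replays them against a small in-memory stand-in for a SCIM service provider, and ends with a reconciliation check that flags the duplicate identity an IdP-side email change can leave behind. The schema URNs and the `members[value eq "..."]` path filter come from RFC 7643/7644; the `ScimStore` class, the `ext-001` externalId, the sample addresses, and the modelling of the email change as a second create request are constructed assumptions for this walkthrough.

```python
"""SCIM 2.0 lifecycle walkthrough (added example, not Frontegg code)."""
import copy
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# RFC 7644 path filter used to remove a single group member: members[value eq "id"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def user_create_body(email, external_id, given, family):
    """Body of POST /Users as an IdP would send it."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": email,
        "externalId": external_id,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def patch_body(operations):
    """Body of PATCH /Users/{id} or PATCH /Groups/{id}."""
    return {"schemas": [PATCH_SCHEMA], "Operations": operations}


class ScimStore:
    """Hypothetical in-memory SCIM service provider (not Frontegg's behaviour)."""

    def __init__(self):
        self.users = {}
        self.groups = {}

    def create_user(self, body):
        uid = str(uuid.uuid4())
        self.users[uid] = {"id": uid, **copy.deepcopy(body)}
        return uid

    def patch_user(self, uid, body):
        # Top-level 'replace' covers the user-update and deactivate cases on the page
        for op in body["Operations"]:
            if op["op"].lower() == "replace":
                self.users[uid][op["path"]] = op["value"]

    def create_group(self, display_name):
        gid = str(uuid.uuid4())
        self.groups[gid] = {"id": gid, "schemas": [GROUP_SCHEMA],
                            "displayName": display_name, "members": []}
        return gid

    def patch_group(self, gid, body):
        members = self.groups[gid]["members"]
        for op in body["Operations"]:
            kind = op["op"].lower()
            if kind == "add" and op["path"] == "members":
                for m in op["value"]:
                    if m["value"] not in members:
                        members.append(m["value"])
            elif kind == "remove":
                match = MEMBER_FILTER.match(op["path"])
                if match and match.group(1) in members:
                    members.remove(match.group(1))

    def delete_group(self, gid):
        del self.groups[gid]


def find_duplicate_identities(store):
    """Reconciliation check: externalIds that map to more than one SCIM user id.
    One externalId with two ids is the signature of the email-change caveat."""
    by_ext = {}
    for uid, user in store.users.items():
        by_ext.setdefault(user.get("externalId"), []).append(uid)
    return {ext: ids for ext, ids in by_ext.items() if len(ids) > 1}


def run_lifecycle():
    store = ScimStore()
    # Provision a user and a group (sample data is constructed)
    alice = store.create_user(user_create_body("alice@example.com", "ext-001", "Alice", "Doe"))
    admins = store.create_group("admins")
    # Assign the user to the group, then un-assign
    store.patch_group(admins, patch_body([{"op": "add", "path": "members",
                                           "value": [{"value": alice}]}]))
    members_after_add = list(store.groups[admins]["members"])
    store.patch_group(admins, patch_body([{"op": "remove",
                                           "path": f'members[value eq "{alice}"]'}]))
    members_after_remove = list(store.groups[admins]["members"])
    # De-provision: IdPs typically set active=false rather than issuing DELETE
    store.patch_user(alice, patch_body([{"op": "replace", "path": "active", "value": False}]))
    # Email changed at the IdP: modelled as a fresh create with the new address (assumption)
    store.create_user(user_create_body("alice.doe@example.com", "ext-001", "Alice", "Doe"))
    store.delete_group(admins)
    return {
        "members_after_add": members_after_add,
        "members_after_remove": members_after_remove,
        "alice_active": store.users[alice]["active"],
        "duplicates": find_duplicate_identities(store),
        "group_count": len(store.groups),
        "user_count": len(store.users),
    }


if __name__ == "__main__":
    print(run_lifecycle())
```

Running `run_lifecycle()` shows the original user deactivated, the group gone, and two user records sharing `ext-001`; a periodic `find_duplicate_identities` pass over your provisioned users is a cheap way to catch exactly the split identity the caveat describes before the stale record accumulates roles of its own.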