SCIM
SCIM (System for Cross-Domain Identity Management) is a protocol that standardizes how identity information is synchronized between systems. It provides a common API for provisioning and deprovisioning users, groups, and other identity data across multiple applications.
# WHAT TEAMS RUN INTO
- SCIM implementations vary widely. Some applications implement it fully, others implement subsets of the specification, and some implement extensions that don't exist in the standard, making interoperability difficult.
- SCIM doesn't handle complex provisioning logic. It can create and update users, but it cannot express 'create this user only if they belong to this group' or 'grant this app permission only if the user role matches this pattern.'
- SCIM sync failures are silent and cumulative. If SCIM fails to provision a user to one application, the user doesn't get created there, nobody notices, and the failure is discovered weeks later when the user complains they cannot access the system.
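As an added example (not code from the original page), a reconciliation check that surfaces the silent failures described above: it parses a SCIM 2.0 ListResponse as returned by the target application's `/Users` endpoint and compares it with what the identity provider expects, reporting users that were never created, users deactivated in the IdP but still active downstream, and users that exist downstream without the IdP knowing. The user names and both data sets are constructed.

```python
import json

# Constructed sample of identity-provider state (userName -> active); not real tenant data.
IDP_EXPECTED = {
    "alice@example.com": True,
    "bob@example.com": False,      # deactivated in the IdP; SCIM should have set active=false
    "carol@example.com": True,     # never provisioned downstream (a silent create failure)
}

# Constructed SCIM 2.0 ListResponse, the shape GET /Users on the target app returns
# (RFC 7644: schemas, totalResults, Resources[]).
SCIM_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "startIndex": 1,
    "itemsPerPage": 3,
    "Resources": [
        {"id": "1", "userName": "alice@example.com", "active": True},
        {"id": "2", "userName": "bob@example.com", "active": True},
        {"id": "3", "userName": "dave@example.com", "active": True},
    ],
})

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def parse_scim_users(body: str) -> dict:
    """Parse a SCIM ListResponse into {userName: active}; reject unexpected shapes."""
    doc = json.loads(body)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = doc.get("Resources", [])
    if doc.get("totalResults", 0) > len(resources):
        # Paginated result: reconciling a single page would silently miss users.
        raise ValueError("incomplete page: fetch remaining pages before reconciling")
    # 'active' is optional in the SCIM core user schema; absence is treated as active.
    return {r["userName"]: bool(r.get("active", True)) for r in resources}

def reconcile(expected: dict, body: str) -> dict:
    """Compare IdP state with the target app's SCIM view and report drift."""
    actual = parse_scim_users(body)
    return {
        # Should be active downstream, but the SCIM create never landed.
        "missing": sorted(u for u, a in expected.items() if a and u not in actual),
        # Deactivated in the IdP but still active downstream: the deprovision failed.
        "stale_active": sorted(u for u, a in expected.items() if not a and actual.get(u)),
        # Present downstream but unknown to the IdP: created out of band.
        "unmanaged": sorted(u for u in actual if u not in expected),
    }
```

Running `reconcile` on a schedule per SCIM-connected application and alerting on any non-empty `stale_active` list turns the weeks-later complaint into a same-day finding.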
# WHY IT MATTERS
SCIM makes it possible to treat identity provisioning as a data synchronization problem instead of a manual process. When SCIM works, users get created, updated, and deprovisioned consistently across systems. But SCIM is only a transport mechanism — it doesn't solve the harder problem of deciding what access a user should have. SCIM moves provisioning from a human task to an automated task, which is progress only if the automation is designed correctly.