Cross-Domain Identity Management

Sharing is caring!

The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier. It is an open standard protocol for automating the exchange of user identity information between identity domains and IT systems. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, together with binding documents that describe how to exchange that schema over standard protocols (HTTP and JSON in SCIM 2.0). In essence: make it fast, cheap, and easy to move users into, out of, and around the cloud.

Components of a SCIM (System for Cross-Domain Identity Management) provisioning flow

  • HCM system – Applications and technologies that enable Human Capital Management processes and practices, supporting and automating HR processes throughout the employee lifecycle. In this flow it is the source of truth for who has joined, moved, or left.
  • Azure AD Provisioning Service – Uses the SCIM 2.0 protocol for automatic provisioning. The service connects to the application's SCIM endpoint and uses the SCIM user object schema and REST APIs to automate the provisioning and de-provisioning of users and groups.
  • Azure AD – User repository used to manage the lifecycle of identities and their entitlements.
  • Target system – Application or system that exposes a SCIM endpoint and works with the Azure AD provisioning service to enable automatic provisioning of users and groups.

The key is keeping your identity systems in sync. If a user who is terminated in the HR system is automatically deprovisioned from Azure AD, and from there from every connected application, the window in which an orphaned account could be used after the person has left is closed, and you have far less to worry about from that class of breach.
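To make the protocol concrete, the following is an added example (not Azure AD's code or any product's SCIM implementation): a minimal in-memory SCIM 2.0 /Users resource standing in for the target system, plus a simulated offboarding run standing in for the provisioning service reacting to an HR termination. It uses the standard SCIM schema URNs from RFC 7643/7644; the `ScimUsers` class, the `offboard` function, the sample user `alice@example.com`, and the disable-then-delete order are assumptions made for illustration.

```python
"""Minimal in-memory SCIM 2.0 /Users resource plus a simulated offboarding run.

Added example: this is not Azure AD's or any product's code. The class plays the
target system; ``offboard`` plays the provisioning service reacting to an HR event.
"""
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def _error(status, detail):
    """SCIM error response shape (RFC 7644 section 3.12)."""
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUsers:
    """The target system's side of the protocol; the provisioning client calls these."""

    def __init__(self):
        self._users = {}  # SCIM id -> user resource

    def create(self, body):
        """POST /Users: 201 with the stored resource, or a SCIM error."""
        if USER_SCHEMA not in body.get("schemas", []):
            return _error(400, "missing core User schema")
        user_name = body.get("userName")
        if not user_name:
            return _error(400, "userName is required")
        # userName must be unique; a duplicate is a 409, never a silent overwrite.
        if any(u["userName"] == user_name for u in self._users.values()):
            return _error(409, "userName already exists")
        now = datetime.now(timezone.utc).isoformat()
        user = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),  # server-assigned, never taken from the client
            "userName": user_name,
            "active": bool(body.get("active", True)),
            "meta": {"resourceType": "User", "created": now, "lastModified": now},
        }
        self._users[user["id"]] = user
        return 201, user

    def find_by_username(self, user_name):
        """GET /Users?filter=userName eq "...": the lookup a client does before create/update."""
        matches = [u for u in self._users.values() if u["userName"] == user_name]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches), "Resources": matches}

    def patch(self, uid, body):
        """PATCH /Users/{id}: only 'replace' of 'active' is handled, which is the disable case."""
        if uid not in self._users:
            return _error(404, "user not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return _error(400, "missing PatchOp schema")
        user = self._users[uid]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace" or op.get("path") != "active":
                return _error(400, "this example only supports replace of active")
            value = op.get("value")
            # Assumption: tolerate the string form of the boolean as well as a real bool,
            # since not every client serializes it identically; anything else is rejected.
            if isinstance(value, str) and value.lower() in ("true", "false"):
                value = value.lower() == "true"
            if not isinstance(value, bool):
                return _error(400, "active must be boolean")
            user["active"] = value
        user["meta"]["lastModified"] = datetime.now(timezone.utc).isoformat()
        return 200, user

    def delete(self, uid):
        """DELETE /Users/{id}: 204 on success, 404 if unknown."""
        if self._users.pop(uid, None) is None:
            return _error(404, "user not found")
        return 204, None


def offboard(service, user_name):
    """Constructed provisioning-service reaction to an HR termination:
    look the user up, disable first so new logins stop, then delete the record."""
    _, listing = service.find_by_username(user_name)
    if listing["totalResults"] == 0:
        return {"found": False}
    uid = listing["Resources"][0]["id"]
    disable = {"schemas": [PATCH_SCHEMA],
               "Operations": [{"op": "Replace", "path": "active", "value": False}]}
    patch_status, patched = service.patch(uid, disable)
    delete_status, _ = service.delete(uid)
    return {"found": True, "disabled": patched.get("active") is False,
            "patch_status": patch_status, "delete_status": delete_status}


if __name__ == "__main__":
    svc = ScimUsers()
    status, alice = svc.create({"schemas": [USER_SCHEMA], "userName": "alice@example.com"})
    print(status, alice["id"], alice["active"])
    print(offboard(svc, "alice@example.com"))
```

Two details matter in practice: the target assigns the `id` itself and rejects duplicate `userName` values, so a replayed or mis-sequenced create cannot overwrite an existing account, and the disable step is applied before the delete so that a failed delete still leaves the account unusable rather than live.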