What is SCIM?

There were 1.4 million identity theft cases reported by the FTC in 2020. Is your identity protected from theft? Find out how SCIM can help protect your data and identity from theft.

SCIM stands for System for Cross-domain Identity Management and is the best system for managing identities in cloud-based applications and services.

Find out everything you need to know to help streamline the management of employee identities in your network. Employees rely on a lot of tools for day-to-day activities which means they need to constantly sign on to each platform they use. 

SCIM links systems together for the purpose of managing identities in applications and services that are cloud-based in a more streamlined way. The SCIM API facilitates all the management of both people, and groups of people, in cloud-based apps and services. 

This can create havoc for any IT department as employees might be using weak passwords which can open the door for many malicious actors and other issues such as identity theft and fraud.

In 2020, there were 4.8 million identity theft and fraud cases reported by the FTC, totaling over $56 billion. 

Another issue is cloud-based attacks. According to the State of Cloud Security 2021, 36% of organizations suffered a serious cloud security data leak or a breach in the past 12 months.

Some of the common causes were attributed to lack of policy awareness, negligence, and a lack of controls. SCIM can help minimize the risk of a data breach by syncing user information between multiple applications with high levels of security.

Looking to Implement SCIM?

How Does SCIM Work?

There are different functions within SCIM which can be divided into sections that relate to operations and discovery.

It is a REST and JSON-based protocol that specifies and defines the client and server roles. The client is normally an IdP (Identity Provider) which contains a large number of user IDs.

The SP (Service Provider) involved here is normally a SaaS application that requires a subset of information from those identities. 

When any changes occur in the IdP, SCIM integration takes place, as these changes automatically sync to the service provider according to the SCIM protocol.

The identity provider is also able to read IDs from the service provider which it can then add to its directory, and is also able to pick up any incorrect values in the service provider that could create vulnerabilities in security. 

As far as end users are concerned, they are able to have smooth and continuous access to apps that have been assigned to them, along with up-to-date profiles, as well as permissions.

This becomes extremely important when managing a bunch of apps simultaneously in the cloud and assigning permissions for each particular app or service. 

Over 90% of cloud identities only use less than 5% of the permissions they’ve been granted.

This becomes a serious problem and a nightmare for IT and security departments as any entrepreneurial hacker can easily exploit private employee accounts and gain access to confidential resources such as passwords and credit card details.

What Is a SCIM Rest API?

A SCIM Rest API contains a set of operations that support a wide range of functions for users to perform bulk updates or patching specific attributes. Admins can also create a complete User resource using the Response functions.  

REST determines exactly how the Application Programming Interface appears. REST stands for “Representational State Transfer.” It’s a set of rules followed by developers in the process of creating their API. 

An example of one of these rules is that you should be able to receive a resource (piece of data) upon linking to a specific URL. Every URL is referred to as a request, and the data sent back your way is referred to as a “response.”

SCIM provides three endpoints that support specific attribute details:

• GET /ServiceProviderConfig – Specification compliance, authentication schemes, data models.

• GET /ResourceTypes – An endpoint used to discover the types of resources available.

• GET /Schemas – Introspect resources and attribute extensions.

In a SCIM environment, changes to resources may be requested by multiple parties.

Looking to Implement SCIM?

What Is SCIM Provisioning?

SCIM user provisioning works with web model standards that already exist, and this makes implementation easy.

The SCIM provisioning specification operates with the usage of HTTP request methods, for example, DELETE, GET, POST, and so on, within a certain programming language, for the sole purpose of managing user data throughout the life cycle of the identity. 

Once a company’s SCIM endpoints (main identity resources, in other words, /Users and /Groups) have been built, admins will encode user ID data items, like username and address, etc.

These are SCIM objects operating within a common core schema which exchanges with cloud apps and domains. 

In such a SCIM environment, both IdPs and SPs are able to constantly communicate, even though such barriers exist, like organization-imposed firewalls, and this makes SCIM provisioning the absolute ideal protocol for integration that is seamless.

What Is a SCIM Protocol?

A SCIM protocol is an app-level protocol that is HTTP-based which provisions and manages ID data both on the web and in environments that are cross-domain like enterprise-to-cloud service providers or scenarios that are inter-cloud.

There are also several ways to authenticate and authorize users. 

These methods include: 

• Bearer Tokens – Bearer Tokens are the main type of access token used with OAuth 2.0. Bearer Tokens may be used to permit one-time requests such as an anonymous registration.
• HOBA Authentication – HOBA or HTTP Origin-Bound Authentication is a variation on TLS client authentication. Its sole purpose is to prevent passwords from leaking. It is basically a password-less means of authentication. 
• PoP Tokens – PoP stands for proof-of-possession and is associated with a key known to the client. PoP tokens rely on strong cryptography in the event of Security Tokens being compromised. 
• TLS Client Authentication – The TLS method involves a client using a certificate to authenticate itself during the TLS handshake which is the process of two communicating sides exchanging messages to acknowledge and verify each other (e.g. browser and web server). 

SCIM also depends on the use of Transport Layer Security (TLS) which is the successor of the Secure Sockets Layer (SSL). TLS helps encrypt data sent over the internet and allows for more secure communication between parties.

Benefits of SCIM

SCIM provides a wide range of benefits which makes cross-domain identity management much easier to implement. These benefits include the following:

Automating IT Tasks

SCIM automates the IT tasks of provisioning accounts for each system and its connection which is unique. With this, every account, group, and permission or entitlement is automatically synchronized to every unique system straight from the organization’s database, ready to be used by employees.

Manage Identities in Cloud-Based Apps Easier   

As organizations turn to more and more cloud-based apps and services each day, there needs to be a way of managing identities in a streamlined way, and that is what SCIM provides.

Simple to Deploy

The deployment of SCIM is easy. One just needs to implement RESTful SCIM APIs for the app that is being used. The following are calls your API should be able to get from SCIM provisioning:

• Get User with “User Name” filter
• Create User
• Get User by ID
• Update User
• Get Groups
• Create Group
• Patch Group
• Delete User
• Get Users

Reduce Time-Consuming Data Inconsistencies

Since all user ID is automatically updated, time-consuming data inconsistencies do not occur. Data inconsistencies can lead to loss of information and have an adverse effect on your database.

They can also lead to human error which accounted for 88% of data breaches in 2020. SCIM also helps maintain strong data integrity and minimizes the possibility of human error or data redundancy.

Provides a Standard Method to Link Your Systems Together

SCIM provides a standard method of linking your systems together so that no matter how many cloud-based applications and services your company utilizes, all user ID data can be updated, or deleted in an automatic way.

Whether you’re using cloud services such as AWS, Salesforce, or Dropbox, your apps are protected from cloud-based attacks.

SCIM Okta Integration

Okta is the world’s number one identity platform trusted by thousands across the world to secure all interactions that take place digitally. Perimeter 81’s Okta integration provides a more secure login and policy-based access no matter where employees are from across the world. 

The Perimeter 81 Okta integration enables companies to improve and tighten their authentication methods, ensuring the organizational workforce remains safe and secure, no matter where in the world they may be working from.

SCIM vs SAML: What Are The Differences

SAML (Security Markup Language) was created in 2001, and in 2005, version 2.0 came out. SAML is an open standard, often used to provide single sign-on to web-based applications. The protocol can be utilized for both authentication and authorization.

SAML is an open federation standard allowing IdPs (Identity Providers) to authenticate users and then give authentication tokens to other applications known as SPs (Service Providers). 

Some advantages of SAML include: 

• Loose coupling of directories – SAML doesn’t require user information to be maintained and synchronized between directories.
• Reduced costs for service providers – Another benefit of SAML is that you don’t have to maintain account information across multiple services as the identity provider takes this burden out of your hands. 
• Improved user experience – Users only need to sign in once via SSO for authentication to access multiple service providers. This process eliminates the friction and creates a great user experience.    
• Increased level of security – SAML transfers identity information to the service providers, ensuring that all details are sent to the IdP directly as opposed to multiple providers and risk the possibility of credentials being stolen.  

SCIM connects systems and manages identities in cloud-based applications and services. SCIM and SAML work in tandem where SCIM often utilizes SAML SSO, however in reverse, SAML SSO does not necessarily need the use of SCIM. 

Perimeter 81 allows users to authenticate against an external IdP using the SAML protocol with integrations to Okta, Auth0, OneLogin, and more.

Difference Between SAML Auto Provisioning and SCIM Provisioning

SCIM provisioning, also known as AUM (automated user management), enables organizations to use their IdP service to automate the way in which their employees are added to, as well as updated. SCIM provisioning needs the use of SAML SSO (Single Sign-On), however, SAML SSO does not need SCIM.

SAML auto-provisioning can be enabled to allow a service to automatically retrieve any sort of information related to users, groups, as well as departments from the SAML response, and immediately add those details to the database.

It is also able to automatically update a user’s group membership, all based upon the data retrieved from the SAML response.

DocuSign SCIM

DocuSign automates the preparation, signatures, and management of agreements. DocuSign has the DocuSign Agreement Cloud offering eSignature, which is a top-rated method of signing electronically on most devices from any place around the world.

There is both DocuSign SCIM and SAML integration via different cloud applications and services. The DocuSign CLM (Contract Lifecycle Management) application offers SCIM configuration to automate workflows and prevent errors. If you have a DocuSign account, you will find the Okta SCIM and SAML Integration very resourceful.

Looking to Implement SCIM?

SCIM vs SSO

SSO stands for Single Sign-On which allows users to utilize one set of login credentials in order to access many apps. A set of such credentials may be a name and password.

Single Sign-On eases the management of many different usernames and passwords. SCIM requires the use of SSO. 

The benefits of using SSO include: 

• Stronger passwords – There are 258,837 stolen passwords per day. Needless to say, it is absolutely crucial to choose strong passwords in preventing brute force attacks. It is highly recommended to choose passwords that are lengthy (over 8 characters with numbers, upper case letters, and special characters such as $, #, or !).
• Different passwords – Hackers love it when their job is easy. A hacker can try 2.18 trillion password/username combinations in less than 22 seconds. Employees rely on a set of tools and platforms to perform and manage everyday tasks. That means remembering a lot of passwords, also known as password fatigue which can ultimately lead to human error. It is important to have different passwords for each login to prevent an attacker from gaining access to employee credentials. 
• Multi-factor authentication – Multi-factor authentication or MFA requires multiple methods of user verification in order to gain access into an account. An example of an MFA is when you forgot your Gmail password. The first step is to create a new password. Once that is established, the second step will be to receive a push notification via SMS to your smartphone for verification. Multi-factor authentication provides an added security layer when signing into any cloud-based account. 

Save time on password recovery – Employees forget their passwords all the time. IT must then issue new passwords after a ticket has been opened. This causes a loss in productivity for both the IT department and employees. Having an SSO can save IT the headache and wasted time in resetting passwords.

AWS SSO SCIM

SCIM maintains all AWS SSO identities in sync with identities from the IdP. It includes all provisioning, updates, as well as deprovisioning of users between the IdP and AWS SSO. More detail can be found in the AWS SCIM profile and SAML 2.0 implementation documentation here.

Azure SSO SCIM

Azure SSO SCIM must be used when you want to automatically provision user data from an HCM (Human Capital Management) system to Azure AD, as well as Windows Server Active Directory, and if necessary, to target systems as well. 

Perimeter 81 provides secure Microsoft Azure access, and Azure Active Directory has an SSO which integrates with Perimeter 81 which allows for:

• The management of accounts in a central location – the Azure portal
• Control in Azure Active Directory with regards to the access of Perimeter 81
• The enablement of users to be automatically signed-in to Perimeter 81 with their Azure Active Directory accounts.

SCIM for Cloud-Based Applications

For simple cloud identity management, SCIM is the perfect solution with its ability to manage identities in cloud-based applications and services so seamlessly.

Azure AD SCIM

When Azure AD SCIM integration occurs, all employees added to the HCM (Human Capital Management) automatically obtain accounts created in the Azure AD or Windows Server Active Directory.

All the user attributes, as well as the profiles, synchronize between both systems, updating and/or removing users depending on their status or change in roles.

Application developers are able to use the SCIM user management API for the automatic provisioning of both users and groups between the app and Azure AD.

An Azure AD SCIM endpoint can be built and integrated with the Azure Active Directory provisioning service. 

GitHub SCIM Azure AD can easily be configured for automatic user provisioning of GitHub Enterprise Cloud organization membership. It is recommended that you assign a single Azure AD user to GitHub to test the provisioning configuration.

Can Google Users Be Provisioned Via SCIM from Azure AD?

Google users can be provisioned via SCIM from Azure AD, however, SCIM provisioning (on G Suite) needs to be enabled first.

Salesforce SCIM Provisioning

All Salesforce user IDs across systems can be provisioned with SCIM. The Salesforce SCIM implementation offers extensions to the SCIM 2.0 specification in order to both edit and manage Salesforce user properties with the use of Salesforce SCIM API REST operations. 

The following topics help navigate the SCIM Salesforce implementation. Admins can manage Salesforce user objects with SCIM and REST API Reference Sheet. 

In order to manage Salesforce user objects using SCIM, REST API “create,” “read,” “update,” and “disable” (CRUD) operations can be sent to SCIM endpoints. To carry out these operations, an OAuth 2.0 access token must be supplied. 

Access tokens are what apps use to make API requests on behalf of a user. Access tokens have to be kept confidential at all times. Only the app itself, and the authorization and resource server should ever see them. The app must make sure the access token’s storage isn’t accessible to apps on the same device. 

These tokens are only able to be utilized over HTTPS connections. The reason for this is that passing it over a channel that is non-encrypted would make it trivial for the interception of third parties.

Applications make requests to gain access tokens for users from the token endpoint. The following are token requests:

• Authorization Code
• Password Grant
• Client Credentials
• Access Token Response
• Self-Encoded Access Tokens
• Access Token Lifetime
• Refreshing Access Tokens

OAuth authorization offers a client app restricted access to resources that are protected on a resource server. In order to begin an authorization flow, a client application requests access to a resource that is protected.

After this request, an authorizing server gives access tokens to the client application. A resource server goes ahead and validates these access tokens and allows access to the resource that is protected. 

As an example, when opening the Salesforce mobile application in order to access Salesforce data, an OAuth 2.0 authorization flow is initiated.

What Is a SCIM API?

SCIM is an API (Application Programming Interface) specification created to facilitate the seamless managing of people, as well as groups of people in cloud-based apps and services.

Azure SCIM API

Azure SCIM integration occurs as Azure AD Provisioning Service uses the SCIM 2.0 protocol for automatic provisioning. It connects to the SCIM endpoint for the app and utilizes the SCIM user object schema, as well as REST APIs in order to automate both provisioning, as well as deprovisioning of users and groups of people.

GitHub SCIM API

The SCIM API is utilized by SCIM-enabled IdPs for the automatic provisioning of GitHub organization membership. The GitHub SCIM endpoint that should be used by an IdP is: https://api.github.com/scim/v2/organizations/{org}/

Why Organizations Should Use SCIM

It is a tiresome process to manually update user identities and constantly keep on top of changing roles. With the automatic provisioning that SCIM offers, there is less of a security risk, especially when employees no longer work for organizations. Worse, is if the employee left on bad terms with the company. 

Disgruntled employees have been known to steal confidential trade secrets, shut down company servers, and violate compliance policies. These malicious activities can wind up costing organizations approximately $4.24 million on average per data breach as of 2021.    

SCIM also helps protect against identity theft. Cybercriminals can easily get a hold of Personally identifiable information (PII) such as a social security number or bank account and can cause major financial repercussions to a company.

Under the Fair and Accurate Credit Transactions Act, employers may be liable for any actions leading to worker identity theft. Needless to say, you do not want this burden hanging over you. 

As businesses continue to grow, and more work takes place in conjunction with cloud-based apps and services, SCIM is needed more and more to manage identities in such places.

SCIM helps resolve Identity and access management (IAM) issues and keeps cloud-based applications secure from outside threats and unauthorized access.

How Perimeter 81’s Zero Trust Approach Works Together to Improve SCIM Security

Managing cloud-based resources and authorization can be a daunting task for any IT. Perimeter 81 takes the hassle out of managing cloud-based applications and managing user identities with a Zero Trust approach.

Users’ SCIM cloud identity remains secure from external threats as IT grants limited access to employees, partners, and third-party service providers. 

Perimeter 81’s Zero Trust Application Access (ZTAA) is identity-centric and syncs with cloud-based access management platforms such as Okta and OneLogin.

With automated user recognition, your IT team can create custom resource access and traffic policies based on the devices, locations, and roles of users, no matter where they are. Keep your cloud safe with Perimeter 81’s Zero Trust Application Access.