Start with Identity
Standard · stable

SCIM 2.0

RFC 7643 & RFC 7644 · IETF · RFCs finalized 2015; widely implemented · Official spec ↗

What it is

SCIM, the System for Cross-domain Identity Management, is the open standard for automating the user lifecycle across applications. When HR hires someone or an admin grants access to an app, SCIM pushes that change so accounts are created, updated, and, most importantly, removed without manual work. It is defined by RFC 7643 (the schema) and RFC 7644 (the protocol).

How it works

SCIM defines a standard JSON representation of users and groups and a REST API to manage them. An identity provider acts as the client and pushes changes to any application that exposes a SCIM endpoint.

  • Standard schema: common attributes for users and groups, extensible per app.
  • REST operations: create, read, update, delete, and search over /Users and /Groups.
  • Real-time or scheduled: good implementations deprovision promptly when access is revoked.

Status

The SCIM 2.0 RFCs were finalized in 2015 and are widely implemented across identity providers and SaaS applications. For B2B SaaS vendors, offering SCIM to enterprise customers is frequently a procurement requirement.

Why it matters

The biggest identity risk is stale access. Accounts that linger after someone leaves become orphaned accounts and attacker targets. SCIM closes that gap by automating deprovisioning as part of the joiner-mover-leaver lifecycle.
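The JSON representation and REST operations described under "How it works", applied to the stale-access problem above, as an added example that is not part of the original page: it audits a SCIM ListResponse against an HR leaver list and builds the PATCH requests that deactivate accounts still active. The sample users, ids and function names are constructed for illustration, and it assumes the app honours `active: false` as its deprovisioning signal (some apps expect DELETE instead).

```python
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: the kind of body GET /Users returns from an app's SCIM endpoint.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_SCHEMA],
    "totalResults": 3,
    "Resources": [
        {"schemas": [USER_SCHEMA], "id": "a1", "userName": "alice@example.com", "active": True},
        {"schemas": [USER_SCHEMA], "id": "b2", "userName": "Bob@Example.com", "active": True},
        {"schemas": [USER_SCHEMA], "id": "c3", "userName": "carol@example.com", "active": False},
    ],
})

def find_stale_accounts(list_response_json, leavers):
    """Return SCIM users that are still active although HR lists them as leavers."""
    body = json.loads(list_response_json)
    if LIST_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    users = body.get("Resources", [])
    if body.get("totalResults", 0) > len(users):
        raise ValueError("paginated response: fetch remaining pages before auditing")
    # userName is not case-exact in RFC 7643, so compare case-folded.
    gone = {name.casefold() for name in leavers}
    # A missing "active" attribute is treated as active, so it is flagged, not skipped.
    return [u for u in users
            if u.get("userName", "").casefold() in gone
            and u.get("active", True)]

def deactivate_request(user):
    """Build the PATCH /Users/{id} request that sets active to false."""
    patch = {"schemas": [PATCH_SCHEMA],
             "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return {"method": "PATCH", "path": f"/Users/{user['id']}", "body": patch}

def plan_deprovisioning(list_response_json, leavers):
    """One deactivation request per leaver whose account is still active."""
    return [deactivate_request(u) for u in find_stale_accounts(list_response_json, leavers)]

if __name__ == "__main__":
    for req in plan_deprovisioning(SAMPLE_LIST_RESPONSE, ["bob@example.com", "carol@example.com"]):
        print(req["method"], req["path"], json.dumps(req["body"]))
```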

Pitfalls

  • Coverage varies: confirm which attributes and group operations an app's SCIM endpoint actually supports.
  • Confirm whether deprovisioning is real-time or batched; the gap matters for offboarding.

Related

Guide: what is SCIM, SCIM provisioning implementation. Glossary: SCIM, provisioning. Vendors: IGA.

Independent, community-driven reference. Always confirm details against the official specification linked above.