What is SCIM Provisioning? Overview of Benefits, How it Works and More

In the ever-evolving landscape of Information Technology, efficiency and automation have become paramount. One powerful tool that has emerged to streamline user provisioning and management is SCIM (System for Cross-domain Identity Management). Pairing SCIM with robust IT asset management tools like Reftab can revolutionize the way organizations handle user onboarding, offboarding, and overall system management.

In this guide, we’ll cover:

  1. What is SCIM user provisioning
  2. Real-world example of SCIM provisioning
  3. Video example, showcasing SCIM provisioning handling employee life-cycle management
  4. Why everyone in IT should be using SCIM provisioning
  5. How does SCIM work?
  6. Difference between SCIM and SSO (Single Sign-On)
  7. How to set up SCIM provisioning for FREE

What is SCIM User Provisioning?

SCIM, or System for Cross-domain Identity Management, is an open standard protocol designed to automate the exchange of user identity information between different systems. Essentially, it allows for seamless integration between identity management systems and service providers, facilitating the automatic provisioning and de-provisioning of user accounts.

For example, in Reftab you can set up SCIM so that when a new user joins your company or school, that user is added to Reftab automatically. SCIM also keeps that user’s information up-to-date, such as their email address, contact information, location and department.

Once you have user information flowing to your critical systems, then you can start running workflows. Workflow automations enable you to automate so much of your IT management tasks that would otherwise be cumbersome, repetitive and error prone.

Real-world Example Use-Case

Here’s an example of a powerful, yet simple workflow in an IT asset tracking system that SCIM facilitates:

SCIM Example Flow

If it wasn’t for SCIM provisioning, the work shown above would have to be done manually. That means a human would need to manually update the details of every employee and make sure the system remains up-to-date. This is not an ideal use of time for IT admins as there are much more important tasks to be done at an organization.

Video on SCIM Provisioning

Check out this video from Reftab that shows how SCIM facilitates the automation of user life cycle management:

Why Everyone Should be Using SCIM in an IT Setting

  1. Automation Reduces Manual Work: One of the most compelling reasons to adopt SCIM is the reduction of manual, duplicate work involved in user provisioning and deprovisioning. With SCIM, IT administrators can automate the process of adding, updating, and removing user accounts across various systems, eliminating the need for tedious manual interventions.
  2. Keeping Users Up-to-Date: SCIM ensures that user information remains accurate and up-to-date across all systems. When integrated with IT asset management tools like Reftab, changes in user status (such as employment termination) trigger automatic updates across all relevant systems, maintaining data integrity and reducing the risk of security breaches.
  3. Efficient Onboarding and Offboarding: By leveraging SCIM alongside an IT asset management system, organizations can streamline user onboarding and offboarding processes. New employees can be provisioned with the necessary access and resources automatically, while departing employees’ access rights can be promptly revoked, ensuring data security and compliance.
  4. Integration with Existing Infrastructure: SCIM integrates seamlessly with popular identity management platforms such as Okta or Microsoft Entra ID. This means organizations can leverage their existing investments in identity management infrastructure, maximizing efficiency and reducing implementation costs.
  5. Centralized Management and Compliance: With SCIM, organizations can achieve centralized management of user identities and access rights. When users are added to groups in directory systems, SCIM ensures that corresponding access to software and resources is granted automatically. This not only enhances security but also simplifies compliance efforts by providing a comprehensive overview of user access across all systems.
  6. Automated License Management: Integrating SCIM with IT asset management systems like Reftab enables automated license tracking and management. IT administrators can easily monitor software licenses and ensure compliance by correlating user access to licensed software with inventory data, simplifying audit processes and cost optimization efforts.

How Does SCIM Work?

The below will give you a technical understanding of how SCIM works.

SCIM defines a schema for representing user and group identities and a REST API that operates on that schema. The API uses standard HTTP methods (e.g., POST, GET, PATCH, DELETE) for CRUD operations. In other words, it is a standard way to create, read, update and delete identity records.

In SCIM, the “client” refers to your company’s Identity and Access Management (IAM) system, or SCIM Identity Provider (IdP); the most common are Microsoft Entra ID and Okta. The “service provider” typically denotes a SaaS application like Reftab or Zoom.

The client (Okta, Microsoft Entra ID, etc.) manages identities and permissions required by service providers. Any changes made on the client side trigger automatic updates on the service provider side through SCIM, ensuring synchronization across all systems.

Here’s an example of a user represented via SCIM schema:

In short, SCIM represents a user as a set of attributes and values that describe that user. For example, you can see the user’s displayName, their department, phone numbers, etc. This information is sent to the service provider at the moment an operation takes place on the user:

POST: New user is created -> user data sent to Reftab to be created as a new user

PUT (or PATCH): User is updated -> user is updated in Reftab.

DELETE: User is deleted -> user is deleted (or disabled) in Reftab.

Notice that this does not happen on a schedule, like a daily sync at midnight (that would be more akin to LDAP, which is outdated now that SCIM is more prevalent). SCIM updates users in all connected systems at the time the actual update is made in Entra or Okta.

Service provider systems may also let you build workflows (Reftab has a powerful workflow builder) that act on these attribute and value pairs. For example, an attribute is something like “department” and a value could be “sales”. You can then do something with this information, such as disable a user, move a user into an access role, or trigger an action when equipment is assigned to Sales personnel.

When this user is created or updated within Microsoft Entra ID or Okta, for example, this data is passed to the connected software systems via SCIM. Those systems are configured to understand SCIM and can therefore ingest and parse this information correctly, which ultimately removes the need for humans to do the work manually.
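To make the exchange above concrete, here is an added example (not Reftab’s or any IdP’s code) of a minimal in-memory SCIM 2.0 service provider. It accepts the three operations listed above (POST to create, PATCH to update, DELETE to deprovision) against a constructed sample user that carries the displayName, phone number and department attributes the article mentions, and it evaluates simple “attribute equals value” workflow rules like the department/sales case. The schema URNs are the real ones from RFC 7643 and RFC 7644; the bearer token, the sample user, the rule table and the action names are assumptions made for the example.

```python
import copy
import hmac
import uuid

# Real schema URNs from RFC 7643 (resource schemas) and RFC 7644 (protocol messages).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample of what an IdP would POST to /Users (not a real account).
SAMPLE_USER = {
    "schemas": [USER_SCHEMA, ENTERPRISE_EXT],
    "userName": "jdoe@example.com",
    "displayName": "Jane Doe",
    "active": True,
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}],
    ENTERPRISE_EXT: {"department": "Sales", "employeeNumber": "E1234"},
}

def get_attr(user, path):
    """Resolve a SCIM attribute path, incl. the extension-qualified 'urn:...:User:department' form."""
    if path.startswith(ENTERPRISE_EXT + ":"):
        return user.get(ENTERPRISE_EXT, {}).get(path[len(ENTERPRISE_EXT) + 1:])
    return user.get(path)

def set_attr(user, path, value):
    if path.startswith(ENTERPRISE_EXT + ":"):
        user.setdefault(ENTERPRISE_EXT, {})[path[len(ENTERPRISE_EXT) + 1:]] = value
    else:
        user[path] = value

# Constructed "attribute == value -> action" rules, like the department/sales case.
WORKFLOW_RULES = [
    (ENTERPRISE_EXT + ":department", "Sales", "assign-role:sales-equipment"),
    ("active", False, "revoke-access-and-reclaim-assets"),
]

def workflow_actions(user):
    """Actions whose rule matches the user's current attributes."""
    return [act for path, want, act in WORKFLOW_RULES if get_attr(user, path) == want]

def scim_error(status, detail):
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"], "status": str(status), "detail": detail}

class ScimServiceProvider:
    """Stand-in for the SaaS side: the IdP pushes changes and we apply them."""
    def __init__(self, bearer_token):
        self._token = bearer_token
        self.users = {}          # id -> live resource
        self.deprovisioned = {}  # id -> record retained for audit after DELETE
        self.events = []         # (event, id) audit trail

    def _authorized(self, headers):
        # The IdP presents a long-lived bearer token; compare it in constant time.
        auth = headers.get("Authorization", "")
        return auth.startswith("Bearer ") and hmac.compare_digest(auth[7:], self._token)

    def handle(self, method, path, headers, body=None):
        if not self._authorized(headers):
            return 401, scim_error(401, "invalid bearer token")
        if method == "POST" and path == "/Users":
            return self._create(body or {})
        uid = path[len("/Users/"):] if path.startswith("/Users/") else ""
        if uid not in self.users:
            return 404, scim_error(404, "Resource not found")
        if method == "GET":
            return 200, self.users[uid]
        if method == "PATCH":
            return self._patch(uid, body or {})
        if method == "DELETE":
            return self._delete(uid)
        return 405, scim_error(405, "method not allowed")

    def _create(self, body):
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return 400, scim_error(400, "core User schema and userName are required")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return 409, scim_error(409, "userName already exists")
        user = copy.deepcopy(body)          # never alias the caller's object
        user["id"] = str(uuid.uuid4())      # service-provider-assigned id
        self.users[user["id"]] = user
        self.events.append(("created", user["id"]))
        return 201, user

    def _patch(self, uid, body):
        if PATCH_OP not in body.get("schemas", []):
            return 400, scim_error(400, "PATCH body must use the PatchOp schema")
        user = self.users[uid]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace" or "path" not in op:
                return 400, scim_error(400, "only 'replace' with a path is supported here")
            set_attr(user, op["path"], op["value"])
        self.events.append(("disabled" if user.get("active") is False else "updated", uid))
        return 200, user

    def _delete(self, uid):
        # Soft-delete: the record leaves /Users (GET now 404s) but is kept for audit history.
        user = self.users.pop(uid)
        user["active"] = False
        self.deprovisioned[uid] = user
        self.events.append(("deprovisioned", uid))
        return 204, {}
```

Two design choices matter from a security standpoint: every request is checked against the bearer token in constant time before anything else happens, so a misconfigured or leaked integration cannot silently create accounts; and DELETE is a soft-delete that removes the user from the live collection while retaining the record, so offboarding revokes access immediately without losing the asset and audit history the article’s workflow depends on.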

Difference Between SCIM and SSO (Single Sign-On)

SCIM focuses on keeping user records synchronized across different systems automatically. On the other hand, Single Sign-On (SSO) primarily deals with authenticating users, allowing them to access multiple applications with just one set of credentials. While SCIM ensures user data consistency, SSO simplifies user authentication processes for enhanced convenience and security.

How to Setup SCIM Provisioning

If you’re looking to see first-hand how to set up SCIM provisioning, a good place to start is to set up an IT asset management system like Reftab. Using Reftab, you can set up SCIM for free so that you can learn this powerful protocol and actually interact with it.

The below steps can all be done using a Free Reftab account. But you will need admin access to your identity provider.

Step 1) Create a Free Reftab account here: https://www.reftab.com/sign-up

Step 2) Click “Settings” > “Integrations” > find SCIM User Provisioning and click “Configure”

Step 3) At the top, click on any of the how-to guides available for your identity provider:

Follow the instructions on the guides available and reach out to ‘[email protected]’ for any questions.

Conclusion

In conclusion, SCIM user provisioning, when coupled with IT asset management tools like Reftab, offers a powerful solution for modern organizations looking to streamline their IT operations. By automating user provisioning, maintaining up-to-date user information, and integrating with existing infrastructure, SCIM enables efficient onboarding and offboarding processes while ensuring compliance and security. Embracing SCIM represents a step towards centralized management, enhanced productivity, and cost-effective IT operations in today’s digital landscape.