System for Cross-Domain Identity Managementfleeting
- External reference: https://datatracker.ietf.org/doc/html/rfc7644
- External reference: https://datatracker.ietf.org/doc/html/rfc7643
- External reference: https://www.okta.com/blog/2017/01/what-is-scim/
It’s a simple JSON schema of what users and groups could look like. Defining a standard help interoperability.
It also defines a protocol (rfc7644) that defines how to construct a web API to manipulate users data.
Strangely enough, even though this protocol appears to be widely accepted and is quite old (2015), keycloak does not implement it out of the box. Fortunately, an apparently maintained plugin appears to provide such a feature.
SCIM communicates user identity data between identity providers (such as companies with multiple individual users) and service providers requiring user identity information (such as enterprise SaaS apps).
Since it is a standard, user data is stored in a consistent way and can be communicated as such across different apps.
SCIM is a REST and JSON-based protocol that defines a client and server role
client is usually an identity provider (IDP
service provider (SP) is usually a SaaS app, like Box or Slack
needs a subset of information from those identities
automatically synced to the SP according to the SCIM protocol
For end users, this means that they have seamless access to applications for which they’re assigned, with up-to-date profiles and permissions
Service Provider An HTTP web application that provides identity information via the SCIM protocol.
Client A website or application that uses the SCIM protocol to manage identity data maintained by the service provider
groups A list of groups to which the user belongs, either through direct membership, through nested groups, or dynamically calculated
values are meant to enable expression of common group-based or role-based access control models, although no explicit authorization model is defined
entitlements A list of entitlements for the user that represent a thing the user has. An entitlement may be an additional right to a thing, object, or service.
No vocabulary or syntax is specified; service providers and clients are expected to encode sufficient information in the value so as to accurately and without ambiguity determine what the user has access to
roles A list of roles for the user that collectively represent who the user is, e.g., “Student”, “Faculty”. No vocabulary or syntax is specified, although it is expected that a role value is a String or label representing a collection of entitlements
SCIM provides a schema for representing groups, identified using the following schema URI: “urn:ietf:params:scim:schemas:core:2.0:Group
“Group” resources are meant to enable expression of common group-based or role-based access control models, although no explicit authorization model is defined