SCIM Overview
What is SCIM?
SCIM, or System for Cross-domain Identity Management, is a standardized protocol designed to automate the management of user identities across different systems. Developed in 2011, SCIM addresses the need for a unified approach to handle user data as businesses increasingly adopt cloud-based technologies.
For more information, visit the SCIM website.
Purpose of SCIM
SCIM streamlines and secures user account management by automating tasks such as adding, updating, and removing users. This reduces the burden on IT departments and improves the user experience.
Benefits of SCIM
- Efficiency: Manages increasing numbers of user accounts efficiently and handles provisioning and permissions without manual intervention.
- Consistency: Standardizes how user data is stored and communicated, ensuring information remains consistent across applications.
- Error Reduction: Minimizes the risk of mistakes from manual data entry or custom integrations.
- Security: Reduces risks by ensuring users don’t need multiple passwords and keeps data synchronized, aiding in policy enforcement.
How SCIM Works
SCIM is a REST API that exchanges JSON documents between two roles:
- Identity Providers (IdPs): Systems like Okta that maintain comprehensive directories of user identities.
- Service Providers (SPs): Applications such as Slack or Box that require user data from IdPs.
When changes occur in the IdP (e.g., user profiles created or updated), these changes are automatically synced to the SP, keeping user information up-to-date and providing seamless access to applications and resources.
Multi-Tenant Support (Opt-In)
Permit's SCIM server supports routing provisioned users and groups into a specific Permit tenant. This is opt-in: existing integrations continue to work unchanged, and tenant-aware behavior is only activated when you use the new URL format.
URL formats:
- Legacy (default behavior, unchanged):
  /scim/v2/{PROJ_ID}/{ENV_ID}/Users
  /scim/v2/{PROJ_ID}/{ENV_ID}/Groups
  Existing customer traffic. Users and groups are synced into Permit's default tenant.
- Opt-in, default tenant:
  /scim/v2/{PROJ_ID}/{ENV_ID}/v2/Users
  /scim/v2/{PROJ_ID}/{ENV_ID}/v2/Groups
  Activates the new tenant-aware code path while still targeting the default tenant.
- Opt-in, explicit tenant:
  /scim/v2/{PROJ_ID}/{ENV_ID}/v2/{TENANT_ID}/Users
  /scim/v2/{PROJ_ID}/{ENV_ID}/v2/{TENANT_ID}/Groups
  Routes provisioned users and group memberships into the Permit tenant identified by {TENANT_ID}.
How to opt in: in your IdP's SCIM configuration, set the SCIM Base URL to the /v2/... form above. No other changes are required — authentication, payloads, and SCIM semantics are identical to the legacy endpoint.
Example: to provision into a tenant called acme, use a base URL like:
https://<your-scim-host>/scim/v2/{PROJ_ID}/{ENV_ID}/v2/acme
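As an added example (not Permit's own server code), the following Python sketch builds the opt-in base URL and classifies an incoming request path into the three formats above. The tenant-key character rule and the handling of a trailing resource id are assumptions, not stated on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Resource collections named on the page; anything else is rejected.
RESOURCES = ("Users", "Groups")

# Assumed tenant-key rule (not from the page): a URL-safe slug, so a stray
# "/" or ".." pasted into an IdP's base-URL field can never be read as a tenant.
TENANT_KEY = re.compile(r"^[A-Za-z0-9_-]+$")


@dataclass(frozen=True)
class ScimRoute:
    project_id: str
    env_id: str
    resource: str                 # "Users" or "Groups"
    resource_id: Optional[str]    # trailing /{id}, if the request names one
    tenant_aware: bool            # True only for the opt-in /v2/ forms
    tenant_id: Optional[str]      # None means Permit's default tenant


def build_base_url(host: str, project_id: str, env_id: str,
                   tenant_id: Optional[str] = None) -> str:
    """Opt-in base URL to paste into the IdP's SCIM configuration."""
    if tenant_id is not None and not TENANT_KEY.match(tenant_id):
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    base = f"https://{host}/scim/v2/{project_id}/{env_id}/v2"
    return base if tenant_id is None else f"{base}/{tenant_id}"


def parse_scim_path(path: str) -> ScimRoute:
    """Classify a request path as legacy, opt-in default or opt-in tenant."""
    parts = [p for p in urlparse(path).path.split("/") if p]  # drop empties
    if len(parts) < 5 or parts[:2] != ["scim", "v2"]:
        raise ValueError(f"not a SCIM path: {path!r}")
    if parts[-1] in RESOURCES:                      # .../Users
        ridx, resource_id = len(parts) - 1, None
    elif len(parts) >= 6 and parts[-2] in RESOURCES:  # .../Users/{id}
        ridx, resource_id = len(parts) - 2, parts[-1]
    else:
        raise ValueError(f"no Users/Groups segment in: {path!r}")
    prefix = parts[4:ridx]          # segments between {ENV_ID} and the resource
    common = (parts[2], parts[3], parts[ridx], resource_id)
    if prefix == []:                # legacy: /{PROJ_ID}/{ENV_ID}/Users
        return ScimRoute(*common, False, None)
    if prefix == ["v2"]:            # opt-in, default tenant
        return ScimRoute(*common, True, None)
    if len(prefix) == 2 and prefix[0] == "v2" and TENANT_KEY.match(prefix[1]):
        return ScimRoute(*common, True, prefix[1])
    raise ValueError(f"unrecognised SCIM path shape: {path!r}")
```

A path whose tenant segment fails the slug rule (for example `..`) is rejected rather than silently routed to the default tenant.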