Overview

Frontegg Documentation

What is SCIM?

System for Cross-domain Identity Management (SCIM) is a standard protocol designed to simplify user identity management in cloud-based applications and services. SCIM automates the provisioning and de-provisioning of user accounts, ensuring that user information is consistently managed across multiple platforms. This standardization is crucial for organizations using various cloud services, as it streamlines the processes of adding, updating, and removing users. SCIM provides a common language for identity data exchange, making it easier to synchronize user identities and their attributes efficiently.


Security Aspects of SCIM

1. Reduced Risk of Human Error: Automating user provisioning minimizes the risk of mistakes such as incorrect permissions or failing to deactivate accounts, which can lead to unauthorized access.
2. Consistent Application of Security Policies: SCIM ensures that security policies are uniformly applied across all applications. Changes in user roles or permissions in the primary identity system are automatically updated in connected systems, maintaining consistent access controls.
3. Improved Compliance: SCIM facilitates compliance with regulatory requirements by providing an automated, auditable process for managing user access, which is crucial for standards like GDPR and HIPAA.
The Need for Real-Time Visibility of User and Group Changes
Real-time visibility into changes in user status, roles, and group memberships is essential for security and operational efficiency. With SCIM, organizations can instantly track and respond to user and group changes, allowing for:

  • Instant Threat Response: Immediate deprovisioning of users flagged for suspicious activity helps prevent data breaches.
  • Accurate Access Management: Ensuring that changes in user roles are reflected immediately prevents unauthorized access.
  • Efficient Onboarding and Offboarding: New users are quickly given the necessary access, and departing users have their access revoked promptly, enhancing security and productivity.
  • Effective Auditing: Real-time tracking of user changes supports robust auditing, helping to identify unauthorized access and ensure compliance.

SCIM enhances security by automating user provisioning. It also ensures consistent application of security policies across all connected applications by automatically updating changes in user roles or permissions in the primary identity system. This uniformity is crucial for maintaining access controls and compliance with regulatory requirements like GDPR and HIPAA. Additionally, SCIM provides real-time visibility into user and group changes, enabling instant threat response, accurate access management, efficient onboarding and offboarding, and effective auditing, which collectively bolster security and operational efficiency.

How SCIM is different from SSO

While SCIM and Single Sign-On (SSO) are both key to identity management, they serve different purposes:

  • SCIM focuses on managing the lifecycle of user identities. It automates user provisioning, updating, and deprovisioning across multiple platforms, ensuring consistency in user data and permissions.
  • SSO is concerned with authentication, allowing users to log in once and access multiple applications without needing to re-enter credentials. SSO enhances user experience by reducing password fatigue and streamlining access to multiple services.
    Complementary Technologies: SCIM and SSO work together to improve identity and access management. SCIM manages user accounts and access rights, while SSO provides seamless authentication. This combination ensures that only authorized users access the appropriate resources, enhancing security and efficiency.

SSO and SCIM in Frontegg

Single sign-on (SSO) and SCIM are two related topics, yet they are separate in Frontegg.

When users are given certain roles when signing in via SSO, they should be synchronized with the categories used on the IdP's end, so that if you use b, This means that when you configure SSO on Frontegg's end and configure groups with roles associated with them (see Roles). Users created on SCIM's end and login to Frontegg for the first time will get a default role (if configured) or no role.

Roles are not updated when they're changed, e.g., on Azure's end. The update of roles is done only upon login, so if you wish to ensure the roles are updated, you are advised to shorten the Session Tokens timeframe.


👍

JIT Provisioning

When configuring SSO through Frontegg, it integrates seamlessly with various identity providers (IDPs) such as Okta or Azure AD.
It can be leveraged in conjunction with JIT(Just in Time) provisioning to ensure that new users are assigned appropriate roles automatically upon their first login. Note that when a user logs in via SSO for the first time they will be created in Frontegg as well— No need to pre-create the user.

Capabilities Supported by Frontegg

🚧

When Updating User Email on IdP side

When provisioning users via SCIM, note that if you update a user's email on your IdP's side, It will create a new user in Frontegg (i.e., the user's new email won't be synced with the original user ID).

The following SCIM capabilities are supported by apps built with Frontegg:

  • Provisioning of Users
  • Updating User Details
  • De-provisioning of Users
  • Provisioning of Groups
  • De-provisioning of Groups
  • Updating Group Details
  • Assigning Users to Groups
  • Un-assigning Users from Groups