Standard REST API for automated user provisioning across systems.
SCIM (System for Cross-domain Identity Management, RFC 7643-7644) is the standard REST API for automated user provisioning and lifecycle management across systems. It lets a central IdP (Okta, Azure AD, OneLogin) automatically provision users, groups, and attributes into hundreds of SaaS applications, eliminating manual CSV uploads and custom per-app scripts.
SCIM features:
(1) **Create user**: POST /Users → the app creates the user account.
(2) **Update user**: PATCH /Users/{id} → modifies attributes (email, name, role).
(3) **Disable user**: PATCH active=false (soft delete; the record and its audit trail are retained).
(4) **Delete user**: DELETE /Users/{id} (hard delete, rarely used).
(5) **Group management**: provisioning of groups and memberships.
(6) **Filtering**: `?filter=userName eq "alice"`.
(7) **Schema extensions**: custom attributes per organization.
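The four /Users operations and the filter form listed above, modelled as an added in-memory example (not code from the page or from any IdP or SaaS vendor): the PatchOp body follows RFC 7644, there is no HTTP layer, and the store, audit list and function names are assumptions for illustration. Note how the soft-disable keeps the resource findable while the hard delete leaves only the audit entry.

```python
"""Minimal in-memory model of SCIM 2.0 (RFC 7643/7644) /Users operations:
create, PATCH (including the active=false soft-disable), DELETE and the
`attr eq "value"` filter. Added illustration only; store and audit are constructed."""
import re
import uuid

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

USERS = {}   # id -> user resource (hypothetical in-memory store)
AUDIT = []   # (action, id) entries; survive soft-disable and hard delete

def create_user(user_name, email):
    """POST /Users: create the resource and return it with a server-assigned id."""
    uid = str(uuid.uuid4())
    USERS[uid] = {"schemas": [SCIM_USER_SCHEMA], "id": uid, "userName": user_name,
                  "active": True, "emails": [{"value": email, "primary": True}]}
    AUDIT.append(("create", uid))
    return USERS[uid]

def get_user(uid):
    """GET /Users/{id}: None once the resource has been hard-deleted."""
    return USERS.get(uid)

def patch_user(uid, patch):
    """PATCH /Users/{id} with an RFC 7644 PatchOp body (only 'replace' supported here)."""
    if patch.get("schemas") != [SCIM_PATCH_SCHEMA]:
        raise ValueError("not a SCIM PatchOp message")
    user = USERS[uid]
    for op in patch["Operations"]:
        if op["op"].lower() != "replace":
            raise ValueError(f"unsupported op {op['op']}")
        user[op["path"]] = op["value"]   # e.g. path "active", value False
    AUDIT.append(("patch", uid))
    return user

def disable_user(uid):
    """Soft delete on termination: active=false, record and audit trail retained."""
    body = {"schemas": [SCIM_PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return patch_user(uid, body)

def delete_user(uid):
    """DELETE /Users/{id}: hard delete; only the audit entry remains."""
    del USERS[uid]
    AUDIT.append(("delete", uid))

_FILTER = re.compile(r'^(\w+) eq "([^"]*)"$')   # the `attr eq "value"` form only

def filter_users(expr):
    """GET /Users?filter=...: returns matching resources, including disabled ones."""
    m = _FILTER.match(expr)
    if not m:
        raise ValueError("unsupported filter expression")
    attr, value = m.groups()
    return [u for u in USERS.values() if u.get(attr) == value]
```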
Typical enterprise workflow:
(1) HR system update (employee hired, terminated, role change) → triggers the Workday/BambooHR API.
(2) Workday → IdP (Okta, Azure AD) via SCIM.
(3) IdP fans out to all integrated apps via SCIM (Slack, GitHub, Salesforce, Zoom, Jira, etc.); "App Assignments" are configurable per group.
(4) New hire: access provisioned in minutes instead of days or weeks manually.
(5) Termination: access revoked everywhere simultaneously (compliance critical; prevents insider threat and data theft after exit).
Integration patterns: (1) **IdP-initiated** (push): Okta/Azure AD pushes changes to SaaS apps; (2) **App-initiated** (pull): the app polls the IdP for updates; (3) **JIT** (Just-In-Time) provisioning at first SSO login.
Vendor support: Okta, Azure AD/Entra ID, OneLogin, Google Workspace, JumpCloud support SCIM out of the box. SaaS apps with SCIM endpoints: Slack, GitHub Enterprise, Salesforce, Zoom, Atlassian, Box, Dropbox, Notion, ZenDesk, Workday, ServiceNow, etc. (catalog growing).
Versus historical alternatives: (1) **LDAP sync**: legacy, on-prem; (2) **Custom scripts** per app (manual maintenance); (3) **HR-driven CSV uploads** (slow, error-prone, no real-time).
Compliance value: (1) **SOC 2**: automated provisioning evidence; (2) **Audits**: clean trail of the access lifecycle; (3) **Insider threat prevention**: instant termination; (4) **Cost optimization**: automatic license deprovisioning. Skills: SC-300, AZ-500, CISSP.