System for Cross-domain Identity Management
SCIM.
A REST-and-JSON standard for automated user provisioning and deprovisioning between identity providers and applications, defined by RFC 7644.
SCIM addresses the deprovisioning problem that JIT provisioning does not, when an employee leaves the customer's organization, SCIM removes them from the SaaS without requiring the customer's admin to log into every SaaS individually. The CIAM that ship SCIM cleanly in 2026: WorkOS, Frontegg, Auth0 Enterprise, MojoAuth, SSOJet. Most other CIAM either don't support SCIM or ship rough implementations.
Go deeper: SCIM's role in modern identity management walks through the full provisioning and deprovisioning lifecycle.
Common questions
Do I need SCIM at launch for B2B SaaS?
Usually not at launch. SCIM matters once you sell to enterprises with 100+ seats per account, where manual deprovisioning becomes a security and compliance liability. Below that, just-in-time provisioning at first SSO login is enough. Add SCIM when a prospect's security review asks for it, which is typically your first mid-market or enterprise deal.
What's the difference between SCIM provisioning and JIT?
JIT creates a user record the first time someone logs in via SSO, so it only ever adds users, and only when they show up. SCIM syncs the full lifecycle from the customer's directory: it can create users before they ever log in and, critically, deprovision them the moment IT removes them. JIT solves onboarding; SCIM also solves offboarding.
Which CIAM platforms support SCIM cleanly?
In 2026 the cleanest SCIM implementations are WorkOS, Frontegg, Auth0 Enterprise, MojoAuth, and SSOJet. Many other platforms either lack SCIM or ship partial implementations that handle create but stumble on update and delete, which is exactly the part enterprises care about.
Related terms
In the guides
B2B SaaS Identity: Organizations, SSO, SCIM, and the Enterprise Sales Checklist
How to design B2B SaaS identity: Organizations, Enterprise SSO with SAML and OIDC, SCIM provisioning, audit logs, and the IT-admin features that close enterprise deals.
Enterprise SSO: SAML vs OIDC, and How to Pick
SAML and OIDC are the two protocols that dominate enterprise SSO. A practical comparison, when each is the right answer, and the IdP-side considerations that determine the choice.