SCIM vs SAML: Provisioning vs Authentication, and Why You Need Both
Updated 2026-05-15 · 8 min read · By @guptadeepak
Key takeaways
- SAML authenticates a user at the moment of login. SCIM provisions and deprovisions user accounts in the background, without the user being involved.
- Both are required for enterprise B2B SaaS: SAML handles 'can this person log in?'; SCIM handles 'should this account still exist after their employment ended?'.
- The procurement question 'do you support SCIM?' is the lifecycle question — the customer wants automated offboarding, not authentication.
- JIT (just-in-time) provisioning from SAML attributes is the cheap-and-cheerful lifecycle. SCIM Directory Sync is the production answer for accounts and groups at scale.
The split
The two protocols solve different halves of the enterprise integration:
| SAML | SCIM | |
|---|---|---|
| What it does | Authenticates a user at login | Provisions and deprovisions user accounts |
| When it runs | Synchronous, at every login | Asynchronous, on directory changes |
| Who initiates | The user (clicks 'sign in') | The IdP (pushes changes to the app) |
| Format | XML signed assertions | JSON over REST |
| Standard year | 2005 (OASIS) | 2015 (RFC 7642-7644) |
| B2B procurement weight | Heavy (the security questionnaire) | Heavy (the lifecycle / offboarding section) |
A typical enterprise B2B SaaS deployment uses SAML or OIDC for the authentication flow at login and SCIM for the lifecycle of accounts in the background. The customer's IT admin configures both, often in the same self-service IdP setup screen.
What SCIM actually does
SCIM is a REST API specification. The IdP makes HTTP calls to the application's SCIM endpoint to manage the application's users:
POST /Users— create a new user account (the IdP added someone to the group that grants access to this app).PUT /Users/{id}— update an existing user's attributes (email changed, name changed, manager changed).PATCH /Users/{id}withactive: false— deactivate the user (the most operationally important operation; this is offboarding).DELETE /Users/{id}— delete the user (used less commonly; most apps deactivate rather than delete for audit reasons).POST /Groups,PUT /Groups/{id}, etc. — manage group memberships (used for role assignment in many apps).
The application implements the SCIM endpoint; the IdP (Okta, Microsoft Entra, Google Workspace, OneLogin, JumpCloud) drives the requests. The protocol is straightforward — the engineering work is in attribute mapping, idempotency, conflict resolution, and matching the application's user model to SCIM's schema.
Why SAML alone leaves the deprovisioning gap
A SAML-only deployment works like this:
- Employee Alice joins the customer; admin grants her access to your app via the IdP.
- Alice logs into your app via SAML; you JIT-provision her account on first login.
- Alice uses the app for two years.
- Alice leaves the company; admin revokes her access in the IdP.
- Alice's account in your app... still exists.
Without SCIM, the application has no way of knowing Alice left. She can no longer log in via SAML (the IdP won't authenticate her), but her account, her data, her permissions, and any active session cookies persist in your app indefinitely. The customer's IT compliance posture says "all access revoked on offboarding"; your app silently failed that requirement.
SCIM Directory Sync fixes this: when the admin revokes Alice's access in the IdP, the IdP fires a SCIM PATCH /Users/alice-id with active: false to your app, and your app deactivates the account, terminates sessions, and (per policy) archives or deletes the data.
For enterprise customers with hundreds of SaaS apps, SCIM is the only mechanism that scales offboarding. Manual deprovisioning is a compliance failure waiting to happen.
JIT provisioning: the lightweight alternative for the create side
Just-in-time (JIT) provisioning creates the user account on first SAML login by reading the assertion's attributes (email, first name, last name, groups). It's the cheap-and-cheerful lifecycle:
- ✅ Solves first-login onboarding cleanly without SCIM infrastructure.
- ✅ Works for any IdP that emits standard attributes.
- ❌ Doesn't handle deprovisioning at all.
- ❌ Doesn't handle attribute updates after first login (Alice's department changed, but JIT only runs once).
- ❌ Doesn't handle pre-provisioning (admin wants to add an account before the user's first login).
JIT plus SCIM is the production pattern. JIT covers the convenience of first login; SCIM covers the ongoing lifecycle. Many CIAM platforms ship both as out-of-the-box capabilities.
The procurement question, explicitly
When an enterprise customer's security questionnaire asks "do you support SCIM?", the question is about:
- Automated provisioning: can the customer's IdP push user records to your app without anyone clicking in your admin UI?
- Automated deprovisioning: when an employee leaves, will their account in your app be deactivated automatically, within hours not days?
- Group sync: can role assignments in the IdP propagate to permissions in your app?
- Attribute updates: when an employee changes departments, does the change reflect in your app?
The answer they want: yes, via standard SCIM 2.0 (RFC 7644), with attribute mapping documented, with deactivation propagating within minutes, with group / role sync supported. Anything less is a finding on the customer side and, often, a deal-blocker.
Implementation guidance
- Ship SAML or OIDC for authentication and SCIM for lifecycle, both per-Organization. Either alone is insufficient for enterprise B2B.
- Use a CIAM that handles SCIM as a primitive. Building a compliant SCIM endpoint is real engineering work; the major B2B-focused CIAMs (WorkOS, Auth0, Frontegg, Okta, MojoAuth) ship it as a feature.
- Default to JIT + SCIM: JIT for first-login onboarding convenience, SCIM for the ongoing lifecycle.
- Test against the major IdPs: Okta, Microsoft Entra, Google Workspace, OneLogin, JumpCloud. Each has SCIM client quirks; testing once per major IdP catches the integration-edge bugs.
- Document your SCIM support explicitly in customer-facing materials: which version (2.0), which attributes are mapped, what the deactivation latency is. The detail wins B2B security reviews.
- Log everything on the SCIM endpoint — provisioning events are audit-relevant for the customer.
Related vendors
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
Frontegg
Frontegg is the strongest B2B SaaS CIAM in 2026 by Admin Portal and self-service end-customer experience, the buyer is a SaaS engineering team that needs to ship enterprise-grade IT admin features without building them, and Frontegg delivers more of that out of the box than Auth0 or WorkOS. The trade-off is narrower B2C feature coverage and a smaller ecosystem than Auth0; for B2B-first SaaS the Admin Portal alone often justifies the choice.
WorkOS
WorkOS is the strongest B2B-first CIAM in 2026 by deliberate scope choice, every product surface assumes the buyer is selling to enterprise IT, not to consumers. AuthKit's 1M MAU free tier makes it a credible Auth0 alternative for B2B SaaS that doesn't need adaptive risk or B2C consumer flows. For pure B2B SSO, SCIM, and audit logs, WorkOS is hard to beat at any price point.
FAQ
- What is the difference between SCIM and SAML?
- SAML (Security Assertion Markup Language) is an authentication protocol — at login, the user is redirected to the customer's identity provider, which sends back a signed assertion that the application uses to create a session. SCIM (System for Cross-domain Identity Management) is a provisioning protocol — the customer's IdP pushes user records, group memberships, and lifecycle events (create, update, deactivate) to the application's API in the background, without the user being involved.
- Do I need both SAML and SCIM for enterprise B2B SaaS?
- Yes, almost always. SAML handles 'this person can log in'; SCIM handles 'this person should no longer have an account after their employment ended'. Enterprise procurement teams ask about both — SAML for the security questionnaire's authentication section, SCIM for the lifecycle / offboarding section. Shipping only one means losing deals where the customer needs the other.
- Can JIT provisioning replace SCIM?
- Partially. Just-in-time provisioning creates a user account on first SAML login from the assertion's attributes — solves the onboarding side cleanly without SCIM infrastructure. But JIT doesn't handle the deprovisioning side: when an employee leaves and stops logging in, the account sits orphaned in your app forever. Production B2B SaaS uses JIT for first login plus SCIM for ongoing lifecycle, especially deactivation when employees leave.
- Is SCIM only used with SAML?
- No. SCIM is protocol-agnostic for authentication — it works alongside SAML, OIDC, or any other authentication mechanism the application uses. The pattern is the same: identity provider pushes user records to the application's SCIM endpoint independently of how authentication happens at login.
- Why do customers care about SCIM more than I expect?
- Because they have an IT compliance requirement to deprovision access when employees leave, and they cannot satisfy it without automated deprovisioning across every SaaS app. Manual offboarding doesn't scale past a handful of apps. SCIM is what makes 'employee leaves on Friday, all their access is gone by Saturday' actually happen. For larger enterprises, SCIM support is a hard gate in B2B procurement.
Sources
- RFC 7642 — SCIM 2.0 Definitions, Overview, Concepts, and Requirements
- RFC 7643 — SCIM Core Schema
- RFC 7644 — SCIM Protocol
- OASIS SAML 2.0 Core (2005)