Skip to content

Identity term · last reviewed 2026-07-07

SCIM

Also known as: System for Cross-domain Identity Management

SCIM (System for Cross-domain Identity Management) is a REST API standard for automating user provisioning and deprovisioning between an identity provider and an application, keeping the account lifecycle in sync.

How it works

SCIM (System for Cross-domain Identity Management) 2.0 is a standard REST API for automating user provisioning and deprovisioning between an identity provider and an application. The IdP (Okta, Entra, and peers) calls your SCIM endpoints to create, update, and deactivate users and groups using a defined JSON schema for Users and Groups. Where SAML or OIDC authenticate a user at login, SCIM keeps the account lifecycle in sync proactively, so a user disabled in the IdP is disabled in your app without waiting for their next login attempt. The core spec is RFC 7643 (schema) and RFC 7644 (protocol).

When it matters

SCIM matters at enterprise scale, once manual user management or just-in-time provisioning at login is no longer enough. Enterprises want automated onboarding and, critically, automated offboarding as a security control: when someone leaves, their access should vanish everywhere immediately. If a customer asks for "automated provisioning" or "directory sync," they mean SCIM. Ship SSO first, then add SCIM when a customer requires it. See Add SSO to Your B2B SaaS.

Common misconceptions

  • "SSO and SCIM are the same." SSO authenticates a user at login; SCIM provisions and deprovisions accounts. You usually want both, in that order.
  • "SCIM is one integration." Each IdP has schema quirks, so expect ongoing per-provider maintenance.
  • "Provisioning is the point." Deprovisioning is the security win; automated offboarding is why enterprises demand SCIM.
← All terms