Why SCIM challenges the exchange of user identities?

The System for Cross-domain Identity Management (SCIM) standard was originally developed to simplify the management and synchronization of user identities between systems. A sensible goal at first glance – but a closer look reveals that SCIM often encounters problems in practice that result from outdated assumptions and architectural decisions. Particularly in modern and dynamic scenarios such as customer management or B2B environments, it becomes clear that SCIM is not always the best choice.

SCIM and the assumptions about user data

SCIM is based on a fixed schema for user and group data. This poses a significant challenge, as many systems use individual data models that do not match SCIM’s standard attributes.

OIDC as a better approach

A look at the OpenID Connect (OIDC) standard shows that a more flexible and modern approach is possible. OIDC also defines attributes for user profiles, but these are

  • Broadly established: OIDC is not only older than SCIM, but is also used by a large number of modern applications.
  • More flexible: OIDC allows you to define your own, application-specific claims, which enables better adaptation to individual data models.

The problem: data often has to be “translated” between SCIM and OIDC in order to make the systems compatible. This leads to bidirectional mapping processes that are not only error-prone, but also complex to implement and maintain.
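What such a bidirectional mapping looks like in practice, as an added example that is not code from the original article: a SCIM 2.0 User (core schema plus the enterprise extension, attribute names as in RFC 7643) is translated to OpenID Connect standard claims and back, and the round trip is checked for what it loses. The custom-claim namespace, the sample user and the choice of which attributes get an application-specific claim are assumptions made for this example.

```python
"""Translate a SCIM 2.0 User to OIDC claims and back, and measure what the
round trip loses. Added example, not code from the article."""

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Constructed namespace: OIDC lets an application define its own claims, but
# their names are not standardized, so both sides of the mapping must agree.
CUSTOM_NS = "https://example.com/claims/"

# Constructed sample user with two e-mail addresses and a phone number.
SAMPLE_USER = {
    "schemas": [CORE, ENTERPRISE],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "ada.example",
    "name": {"givenName": "Ada", "familyName": "Example"},
    "emails": [
        {"value": "ada@corp.example", "type": "work", "primary": True},
        {"value": "ada@home.example", "type": "home"},
    ],
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}],
    "active": True,
    ENTERPRISE: {"department": "Security Engineering", "employeeNumber": "E-0042"},
}


def scim_to_oidc(user: dict) -> dict:
    """Map a SCIM User to a claims dict. Multi-valued SCIM attributes collapse
    to one standard claim (the primary e-mail wins) and attributes without a
    defined claim (phoneNumbers here) are dropped."""
    claims = {"sub": user["id"], "preferred_username": user["userName"]}
    name = user.get("name", {})
    if "givenName" in name:
        claims["given_name"] = name["givenName"]
    if "familyName" in name:
        claims["family_name"] = name["familyName"]
    emails = user.get("emails", [])
    primary = next((e for e in emails if e.get("primary")), emails[0] if emails else None)
    if primary:
        claims["email"] = primary["value"]
    if "active" in user:
        claims[CUSTOM_NS + "active"] = user["active"]
    for attr in ("department", "employeeNumber"):
        if attr in user.get(ENTERPRISE, {}):
            claims[CUSTOM_NS + attr] = user[ENTERPRISE][attr]
    return claims


def oidc_to_scim(claims: dict) -> dict:
    """Reverse mapping. Only what survived the forward mapping can be rebuilt."""
    user = {"schemas": [CORE], "id": claims["sub"], "userName": claims["preferred_username"]}
    name = {k: claims[c] for k, c in (("givenName", "given_name"), ("familyName", "family_name"))
            if c in claims}
    if name:
        user["name"] = name
    if "email" in claims:
        user["emails"] = [{"value": claims["email"], "primary": True}]
    if CUSTOM_NS + "active" in claims:
        user["active"] = claims[CUSTOM_NS + "active"]
    ext = {attr: claims[CUSTOM_NS + attr] for attr in ("department", "employeeNumber")
           if CUSTOM_NS + attr in claims}
    if ext:
        user["schemas"].append(ENTERPRISE)
        user[ENTERPRISE] = ext
    return user


def round_trip_loss(user: dict) -> list:
    """Top-level SCIM attributes that come back different or missing after
    SCIM -> OIDC -> SCIM."""
    back = oidc_to_scim(scim_to_oidc(user))
    return sorted(k for k in user if back.get(k) != user[k])


if __name__ == "__main__":
    print(scim_to_oidc(SAMPLE_USER))
    print("lost in round trip:", round_trip_loss(SAMPLE_USER))
```

Every attribute that either side adds later has to be wired into both functions, and `round_trip_loss` is the regression check that tells you which attributes the translation silently drops or flattens.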

The outdated concept of user groups

SCIM adopts the classic model of user groups from the world of LDAP and older IAM systems. This model is based on the assumption that:

  • groups can reference all members in a single object.
  • groups may recursively contain other groups.

The reality of modern systems

These assumptions are often impractical in modern scenarios:

  • Scaling problems: In customer environments or B2B platforms, there are often groups with hundreds of thousands or even millions of members. Complete referencing of these users in a group object is inefficient and puts a strain on both the system and API performance.
  • Need for recursive groups: It is implied that groups can contain other groups – but in many scenarios this is neither necessary nor useful. Complex group structures often lead to performance problems and make administration more difficult.

Old concepts from the LDAP world

Another key problem is that SCIM has taken many of its basic concepts from the world of LDAP servers and traditional IAM systems. These systems were originally designed for the management of employees in companies, not for the flexible and scalable requirements of modern platforms.

Why this no longer works today

  • Employee environment: Even in corporate environments, where SCIM is primarily used, the standard is already reaching its limits. More flexible data models and the need for real-time synchronization are only insufficiently supported by SCIM.
  • Customer and supplier environment: In B2C, B2B and supplier environments, the requirements for user administration are even more diverse. Different systems, attributes and relationships make rigid standardization such as SCIM hardly practicable.

Modern integration platforms as an alternative

In practice, the synchronization of users is often much more complex and versatile than SCIM originally intended. With modern integration platforms such as cnips, such challenges can be solved precisely – and not only batch-oriented, but also event-based. This enables prompt synchronization with minimal overhead.

A quick example:

Let’s imagine that not only the personal data of a user is to be synchronized, but also a user license is to be assigned in the SaaS software – let’s say an “E3 plan” in a collaboration platform.

With cnips this is a trivial matter, since:

  • The appropriate APIs of the SaaS software can be used.
  • The operations are carried out in the correct order.
  • Flexible adaptations to the specific requirements of the platform are possible.

Due to its rigid, data-centered structure, such a workflow could hardly be implemented with SCIM, or only with considerable additional effort.
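As an added example of the kind of workflow described above (not cnips code and not any vendor's real API), the following handler processes identity events against a hypothetical in-memory SaaS admin API: on `user.created` it first creates the account and only then assigns the plan, on `user.deactivated` it revokes licenses before disabling the account, and redelivering the same event performs no duplicate operations. The event shape, the `SaaSApi` class and the plan name come from this example; the "E3 plan" is the article's own illustration.

```python
"""Ordered, idempotent provisioning driven by identity events.
Added example with a hypothetical in-memory SaaS API."""


class SaaSApi:
    """Hypothetical SaaS admin API: a license can only be attached to an
    existing account, which is why operation order matters."""

    def __init__(self):
        self.accounts = {}   # user id -> {"email": ..., "enabled": bool}
        self.licenses = {}   # user id -> set of plan names
        self.calls = []      # audit trail of every API call, in order

    def create_account(self, uid: str, email: str) -> None:
        self.calls.append(("create_account", uid))
        if uid in self.accounts:
            raise ValueError(f"account {uid} already exists")
        self.accounts[uid] = {"email": email, "enabled": True}

    def assign_license(self, uid: str, plan: str) -> None:
        self.calls.append(("assign_license", uid, plan))
        if uid not in self.accounts:
            raise KeyError(f"no account for {uid}")
        self.licenses.setdefault(uid, set()).add(plan)

    def revoke_license(self, uid: str, plan: str) -> None:
        self.calls.append(("revoke_license", uid, plan))
        self.licenses.get(uid, set()).discard(plan)

    def disable_account(self, uid: str) -> None:
        self.calls.append(("disable_account", uid))
        self.accounts[uid]["enabled"] = False


def handle_event(event: dict, api: SaaSApi) -> list:
    """Process one event and return the steps actually performed. Each step
    checks current state first, so a redelivered event is a no-op."""
    user, done = event["user"], []
    uid = user["id"]
    if event["type"] == "user.created":
        if uid not in api.accounts:
            api.create_account(uid, user["email"])
            done.append("create_account")
        plan = user.get("plan")
        if plan and plan not in api.licenses.get(uid, set()):
            api.assign_license(uid, plan)          # only after the account exists
            done.append(f"assign_license:{plan}")
    elif event["type"] == "user.deactivated":
        for plan in sorted(api.licenses.get(uid, set())):
            api.revoke_license(uid, plan)           # free the seat first
            done.append(f"revoke_license:{plan}")
        if api.accounts.get(uid, {}).get("enabled"):
            api.disable_account(uid)
            done.append("disable_account")
    return done


# Constructed sample events.
CREATED = {"type": "user.created",
           "user": {"id": "u-42", "email": "ada@corp.example", "plan": "E3"}}
DEACTIVATED = {"type": "user.deactivated", "user": {"id": "u-42"}}


def run_sample() -> dict:
    """Deliver the create event twice, then deactivate; return what happened."""
    api = SaaSApi()
    return {
        "first": handle_event(CREATED, api),
        "redelivery": handle_event(CREATED, api),
        "deactivate": handle_event(DEACTIVATED, api),
        "calls": api.calls,
        "enabled": api.accounts["u-42"]["enabled"],
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, v)
```

The point of the state checks is that event delivery is at-least-once in practice; an integration that re-creates accounts or double-assigns seats on a retried event is the first thing a license audit turns up.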

SCIM: A data-centric approach from the past

SCIM is too focused on data and fixed schemas and ignores many issues of modern identity management scenarios. In dynamic environments such as customer management or B2B platforms, this approach quickly reaches its limits. Especially when it comes to more than just pure data synchronization – such as the automation of license assignments or other complex processes – it becomes clear that SCIM is no longer up to date.

SCIM may enable unified identity management in theory, but in practice it is clear that the standard is characterized by outdated assumptions. SCIM is not always the best choice for modern, scalable systems in the customer, supplier or B2B environment. The future lies in more flexible approaches that are based on proven standards such as OIDC and efficiently address the requirements of today’s systems and workflows with event-based integration platforms such as cnips.
