With the explosion of Software as a service applications, organizations are juggling a lot – from rollout out hybrid/remote work policies; supporting employee, contractor and vendor hiring and off-boarding; managing various identities, and ensuring only authorized users have access to what their job requires. This work has become critical to ensuring smooth processes, preventing account take over (ATO) attacks and reducing costs.

System for Cross-domain Identity Management (SCIM) is transforming Identity and Access Management in SaaS platforms, workflow, and Identity lifecycle management. SCIM is an open standard protocol designed to simplify the management of identities in cloud-based applications and services. SCIM provides predefined schema for users and groups, and a RESTful API, for automatic user provisioning and deprovisioning, making it easier for systems and applications to communicate identity-related data.

The key benefits for using SCIM based provisioning are preventing account takeover, mitigate the risk of dormant accounts, and achieve cost savings through permission rightsizing and streamlined onboarding & offboarding processes.

User Provisioning & De-provisioning

For an organization that uses multiple SaaS applications like O365, Salesforce, Slack, WorkDay, Webex, and Dropbox amongst others, manually creating and managing user access for these applications is time consuming and carries high security risks. For example when a new employee joins the organization, an IT administrator would have to individually create access across all these applications, a process that can take hours, if not days. Similarly, when an employee leaves or changes roles within the organization, it is critical to swiftly revoke all access to prevent potential misuse. Implementing SCIM can streamline and automate this process. For instance, when integrated with an Identity Provider (IdP) like Entrust IDaaS, any change in the user status gets automatically updated across all the SaaS applications connected with IDaaS. So, a new user added to Entrust IDaaS gets automatically provisioned in Salesforce, Slack, Workday, Webex, and Dropbox, while an employee leaving the organization gets deactivated immediately, thus preventing unauthorized access.

Streamlining Workflow Management

Each application has it’s own user management, making it challenging to maintain data consistency. For example, if an employee moves from one department to another, their access rights need to be updated in each application – which can lead to inconsistencies if done manually. However, with SCIM, changes made in the central identity management system like Entrust IDaaS is automatically propagated through all connected applications, ensuring up-to-date and consistent access privileges, which enhances workflow management and overall efficiency.

Identity Lifecycle Management

For a rapidly growing tech startup, frequent identity lifecycle events include onboarding new employees, assigning them to projects, updating their roles, and offboarding them when leaving the organization. Each ‘identity lifecycle event’ must be accurately reflected in the organization’s systems and applications to prevent dormant or under / over privileged accounts that could cause potential security threats.

Automating user provisioning and deprovisioning process across different platforms through SCIM will ensure that the update is mirrored across all integrated systems and applications. Direct integration with HR Systems like Workday can kickstart the entire Identity Lifecycle Management of the new, moving or departing employee. Such automated governance with least privilege access helps organizations deploy zero trust framework / architecture (ZTA) that leads to sustained high levels of security.


In addition to strengthening security and lifecycle management, deploying SCIM can also yield cost savings through automation, reducing the manual effort involved in identity management. For example, if an IT administrator typically spends 20 minutes managing each user’s access rights across five different applications, then an organization with 1000 employees will need to invest more than 330 hours just for a single round of access updates. With SCIM, this effort can be cut down, saving substantial labor costs while also minimizing the possibility of human errors that could lead to even more costly security incidents.

SCIM is not only a protocol for managing digital identities; it is an essential tool that can enhance an organization’s security posture through a Zero Trust framework, streamlined workflows, and yield cost savings. By automating and standardizing identity management, SCIM alleviates the risks associated with account takeover, reduces the potential security threats posed by dormant and over privileged accounts, and introduces significant efficiency into identity lifecycle management processes.

Entrust IDaaS provides out of box SCIM capabilities to organizations of all sizes.

Learn more about IDaaS: https://www.entrust.com/digital-security/identity-and-access-management/products/identity-as-a-service