What is identity provisioning and how does it work?
Learn what identity provisioning is, how it works, its benefits, and the protocols that enable it.
As organizations grow and start using more SaaS apps — 473 on average for enterprise firms — managing access can quickly become a logistical nightmare.
Every new app means more accounts, permissions, and configurations — challenges that grow with employee turnover, role changes, and constant tool adoption. Identity provisioning solves this complexity by automating user management across apps.
In this article, we’ll cover:
- What identity provisioning is
- The benefits of automating provisioning
- A breakdown of the main provisioning protocols, including SCIM
- Practical tips for implementing provisioning
- How identity provisioning works in typical scenarios
Let’s start by explaining what provisioning means.
What is identity provisioning?
Identity provisioning, also called user provisioning, is the process of creating, managing, and deactivating user identities and access permissions across various systems and apps.
This process relies on standards such as SAML, SCIM, SPML, and LDAP, and on strategies such as just-in-time (JIT) provisioning (all discussed later), which let identity providers (where user data is managed) sync with service providers (like your SaaS apps). This way, any change, whether it’s adding a new user, updating permissions, or deactivating an account, is applied consistently across all connected systems.
How identity provisioning works
Identity provisioning starts with creating user accounts populated with identity attributes such as name, email, role, department, and other details that determine what access the user should have.
These access rights are assigned based on the principle of least privilege, meaning users get access only to the resources necessary to do their jobs. This is often managed with policies like Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC).
As employees change roles or leave, their access needs to change. For someone moving to a new position, their access rights get adjusted. For someone leaving, an admin revokes access, and their accounts are deactivated to prevent any loose ends.
Identity provisioning can be implemented manually or automatically.
In manual provisioning, admins create each user account and assign permissions one by one. While workable, this method is time-consuming and notoriously prone to errors: admins can overprovision or forget to revoke access, leaving openings an attacker can use.
To save time and reduce such security risks, many organizations use automated user provisioning tools.
These systems, often part of identity providers, integrate with directories or HR systems so that updates take effect immediately. So, when HR or an admin records a role change, the provisioning software updates the affected app permissions, adding or removing access as needed.
Provisioning protocols explained: SAML, SCIM, SPML, LDAP, and JIT
Managing user identities and access across applications requires reliable communication between systems. This is where standards like SAML, SCIM, SPML, and LDAP come in, along with JIT provisioning, which builds on them. Let’s break down each one, what it does, and when to use it.
SAML
Security Assertion Markup Language (SAML) is an XML-based protocol used to exchange identity data between an identity provider (IdP) and a service provider (SP) during the SSO process.
When a user logs in, the IdP sends a SAML assertion to the SP with identity data, such as the user's name, email address, and potentially other attributes like roles. SPs can use this information to make access control decisions, determining what resources or actions the user is allowed to perform within the app.
SAML is an authentication protocol rather than a provisioning protocol: it communicates identity data only at login, so it’s not commonly used on its own for provisioning, especially where access changes frequently. A user removed at the IdP can no longer sign in, but the app is never told to deactivate the account or adjust its permissions until that user’s next login, and nothing happens to the app-side account in the meantime.
SCIM
System for Cross-domain Identity Management (SCIM) is the de facto standard for user provisioning. The current version, SCIM 2.0, is defined in RFC 7643 (the resource schema) and RFC 7644 (the REST/JSON protocol).
With SCIM provisioning, a directory or identity provider creates, updates, deactivates, and deletes user identities in your app in a standardized way. And unlike SAML, it doesn’t wait for a login: the directory pushes each change to downstream apps as it happens (or on a short sync interval, depending on the provider), so a deactivation reaches your app without the user ever signing in again.
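To make the wire format concrete, here is an added example that is not part of the original article and not WorkOS code: a toy in-memory SCIM 2.0 /Users endpoint in Python. It handles the three requests a directory sends most often (POST to create, PATCH to update or deactivate, GET with a filter to look a user up), checks the bearer token in constant time, and keeps deactivated users as active=false rather than deleting them. The bearer token, the 00u-style externalId and the user data are constructed for the example; the handling of "Replace" with a capital R and of "False" sent as a string reflects variants seen from real identity providers and is an assumption about what your tenants will send.

```python
import re
import secrets
import uuid
from urllib.parse import unquote

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed bearer token; issue a distinct one per customer directory in practice.
TENANT_TOKEN = "scim_tok_example_0123456789"


def scim_error(status, detail, scim_type=None):
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUsers:
    """Toy SCIM 2.0 /Users resource backed by a dict; deactivation sets active=false."""

    def __init__(self):
        self.users = {}  # SCIM id -> user resource

    def handle(self, method, path, headers, body=None):
        """Route one request and return (HTTP status, JSON body)."""
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if not secrets.compare_digest(token, TENANT_TOKEN):   # constant-time compare
            return scim_error(401, "invalid bearer token")
        m = re.fullmatch(r"/Users(?:/([^/?]+))?(?:\?filter=(.+))?", path)
        if not m:
            return scim_error(404, "no such resource")
        user_id, flt = m.group(1), m.group(2)
        if method == "POST" and user_id is None:
            return self.create(body or {})
        if method == "PATCH" and user_id is not None:
            return self.patch(user_id, body or {})
        if method == "GET" and user_id is None:
            return self.list(flt)
        return scim_error(405, "method not supported for this path")

    def create(self, body):
        username = body.get("userName")
        if not username:
            return scim_error(400, "userName is required", "invalidValue")
        if any(u["userName"] == username for u in self.users.values()):
            return scim_error(409, "userName already exists", "uniqueness")
        user = {
            "schemas": [SCIM_USER],
            "id": str(uuid.uuid4()),                  # our id; the IdP stores it
            "externalId": body.get("externalId"),     # the IdP's id; stable across renames
            "userName": username,
            "name": dict(body.get("name", {})),
            "emails": list(body.get("emails", [])),
            "active": body.get("active", True),
        }
        self.users[user["id"]] = user
        return 201, user

    def patch(self, user_id, body):
        user = self.users.get(user_id)
        if user is None:
            return scim_error(404, "user not found")
        for op in body.get("Operations", []):
            name = str(op.get("op", "")).lower()      # IdPs send both "replace" and "Replace"
            if name not in ("add", "replace", "remove"):
                return scim_error(400, f"unsupported op {name!r}", "invalidValue")
            path = op.get("path")
            if path is None:                          # no path: value is a dict of attributes
                for attr, val in (op.get("value") or {}).items():
                    self._set(user, attr, val, remove=(name == "remove"))
            elif "[" in path:                         # filtered paths like emails[type eq "work"]
                return scim_error(400, f"unsupported path {path!r}", "invalidPath")
            else:
                self._set(user, path, op.get("value"), remove=(name == "remove"))
        return 200, user

    @staticmethod
    def _set(user, path, value, remove=False):
        target, key = user, path
        if "." in path:                               # e.g. name.givenName
            parent, key = path.split(".", 1)
            target = user.setdefault(parent, {})
        if remove:
            target.pop(key, None)
        elif key == "active" and isinstance(value, str):   # some IdPs send "False" as a string
            target[key] = value.strip().lower() == "true"
        elif isinstance(value, dict) and isinstance(target.get(key), dict):
            target[key].update(value)                 # replace named sub-attributes, keep the rest
        else:
            target[key] = value

    def list(self, flt):
        users = list(self.users.values())
        if flt:
            m = re.fullmatch(r'userName eq "([^"]*)"', unquote(flt).strip())
            if not m:
                return scim_error(400, "only userName eq filters are supported", "invalidFilter")
            users = [u for u in users if u["userName"] == m.group(1)]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(users),
                     "startIndex": 1, "itemsPerPage": len(users), "Resources": users}
```

A deactivation from the directory arrives as `PATCH /Users/{id}` with `{"op": "replace", "path": "active", "value": false}`; the endpoint flips the flag and keeps the record, so a later reactivation or audit still has something to refer to. A real implementation would also support `DELETE`, `PUT`, the `/Groups` resource and the `/ServiceProviderConfig` discovery document, and would scope every lookup to the tenant whose token authenticated the request.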
SPML
Service Provisioning Markup Language (SPML) is an XML-based framework for exchanging provisioning information, particularly useful for inter-organizational setups. Although it’s less commonly used today, SPML can handle requests for provisioning accounts, groups, and entitlements across different organizations.
SPML can support onboarding and offboarding across organizations but is largely considered legacy, with newer options like SCIM being more common.
LDAP
Lightweight Directory Access Protocol (LDAP) is used to access and maintain distributed directory information over an IP network. Organizations frequently use it to store and access user profile data, access control information, and group memberships.
LDAP is useful for on-premises environments where user profile data needs to be accessible to various applications. Note that LDAP is a directory access protocol, not a push-based provisioning protocol: applications query the directory (or authenticate against it) when they need data, rather than being notified when a user is added or removed.
JIT
Just-in-Time (JIT) provisioning means that user access is provided dynamically, on demand. Instead of provisioning access ahead of time based on a user's role, access is provisioned automatically when a user tries to access a resource.
Unlike the other entries in this list, JIT provisioning is not a standalone protocol but a provisioning strategy built on top of protocols like SAML. When a user tries to access your app, you use the SSO profile attributes to create or update their account in your system and give them access. The limitation is the flip side of its convenience: JIT creates and updates accounts but never removes them, so a user deprovisioned at the IdP simply stops logging in. Pair it with SCIM or another deprovisioning path for offboarding.
For more info on JIT see What is Just-In-Time Provisioning, and how do you use it?
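The JIT flow described above, as an added example that is not part of the original article and not WorkOS code: a Python provisioner that receives the attributes of a successful SSO login and creates or refreshes the local account. It assumes the SAML assertion has already been signature-checked and parsed into a plain dict (the `subject`, `email`, `name` and `groups` keys are this example's own convention). Two choices carry the security weight: accounts are keyed on the IdP's persistent subject identifier rather than on email, so an email change updates the same account and a reused email never collides with someone else's; and IdP groups map to local roles through a hypothetical allowlist, so an assertion cannot hand out roles the app never defined.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical allowlist mapping IdP group names to local roles.
GROUP_ROLES = {"eng-all": "engineer", "support-tier1": "support"}
DEFAULT_ROLE = "viewer"   # what a user gets when none of their groups is on the allowlist


@dataclass
class LocalUser:
    subject: str            # the IdP's persistent subject (SAML NameID), the only lookup key
    email: str
    display_name: str
    roles: set = field(default_factory=set)
    last_login: Optional[datetime] = None


class JitProvisioner:
    """Creates or updates the local account from the attributes of a successful SSO login."""

    def __init__(self):
        self.by_subject = {}

    def login(self, assertion: dict) -> LocalUser:
        """`assertion` stands in for the parsed, signature-verified SAML assertion (assumed)."""
        subject = assertion.get("subject")
        if not subject:
            raise ValueError("assertion carries no subject identifier; refusing to provision")
        email = assertion.get("email", "")
        name = assertion.get("name") or email
        # Map groups through the allowlist; unknown groups are dropped, never defaulted upward.
        roles = {GROUP_ROLES[g] for g in assertion.get("groups", []) if g in GROUP_ROLES}
        roles = roles or {DEFAULT_ROLE}
        user = self.by_subject.get(subject)
        if user is None:
            user = LocalUser(subject=subject, email=email, display_name=name)
            self.by_subject[subject] = user
        # Refresh on every login; roles are replaced, so a group removal takes effect at the next login.
        user.email, user.display_name, user.roles = email, name, roles
        user.last_login = datetime.now(timezone.utc)
        return user
```

Because roles are recomputed from the assertion at each login rather than merged, a user dropped from a group loses the matching role the next time they sign in; nothing here, however, can notice a user who never signs in again, which is exactly the gap a SCIM deprovisioning feed closes.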
Examples of identity provisioning in action
Common examples of identity provisioning include:
- Onboarding a new employee: When a new hire joins a company, an admin sets up a user profile with key details like their name, email, department, role, and the access permissions they’ll need. The provisioning tool then creates accounts for the new hire in all the essential apps they need on day one.
- Handling name changes: If an employee changes their name (maybe after marriage or for personal reasons), the admin updates their profile in the provisioning system. From there, the system automatically updates the employee's name across all apps, so everything stays consistent without the admin having to chase down each account individually.
- Offboarding employees: Offboarding is critical — when an employee leaves, the admin simply deactivates their account in the provisioning system. This automatically removes their access across all company apps and systems, preventing any risk of leftover permissions.
- Adjusting access for promotions: When employees move into new roles, their access needs typically change. For example, a promotion might mean access to new tools or restricted data. The admin updates their role and permissions in the system, and the provisioning tool syncs the changes across all connected apps.
- Reactivating accounts for rehires: When an employee is rehired, an admin reactivates their profile in the provisioning tool, which restores their access to all necessary apps. Permissions should follow the rehire’s current role rather than be copied blindly from the old profile; otherwise least privilege quietly erodes.
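The mechanics laid out under "How identity provisioning works" and the five scenarios just listed come down to one loop, shown here as an added example that is not part of the original article and not WorkOS code. The Python reconciler treats the HR feed as the source of truth, maps each role to its least-privilege entitlements (RBAC), and computes the create, update and deactivate actions that bring an app into line; accounts are keyed on a stable employee id rather than email, leavers are deactivated rather than deleted, a rehire gets the entitlements of their current role rather than their old ones, and an app account with no HR record is treated as an orphan and deactivated. The roles, entitlement names and sample employees are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical role-to-entitlement mapping: each role gets only what it needs.
ROLE_ENTITLEMENTS = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "support": {"tickets:read", "tickets:write"},
    "finance": {"ledger:read"},
}


@dataclass(frozen=True)
class HRRecord:
    employee_id: str      # stable key from HR; never match on email, which can change
    email: str
    display_name: str
    role: str
    active: bool


@dataclass
class AppAccount:
    employee_id: str
    email: str
    display_name: str
    entitlements: set[str] = field(default_factory=set)
    active: bool = True


def desired_entitlements(rec: HRRecord) -> set[str]:
    # Unknown roles and inactive people map to nothing, not to a default bundle.
    return set(ROLE_ENTITLEMENTS.get(rec.role, set())) if rec.active else set()


def reconcile(hr: list[HRRecord], app: dict[str, AppAccount]) -> list[tuple]:
    """Compute (op, employee_id, payload) actions that bring `app` in line with `hr`."""
    actions: list[tuple] = []
    known: set[str] = set()
    for rec in hr:
        known.add(rec.employee_id)
        want = desired_entitlements(rec)
        acct = app.get(rec.employee_id)
        if acct is None:
            if rec.active:   # new hire: create with exactly the role's entitlements
                actions.append(("create", rec.employee_id,
                                {"email": rec.email, "display_name": rec.display_name,
                                 "entitlements": want}))
            continue
        if not rec.active:   # leaver: deactivate rather than delete, keeping the audit trail
            if acct.active:
                actions.append(("deactivate", rec.employee_id, {}))
            continue
        changes: dict = {}
        if not acct.active:  # rehire: reactivate, but entitlements come from the current role
            changes["active"] = True
        if acct.email != rec.email:
            changes["email"] = rec.email
        if acct.display_name != rec.display_name:  # name change propagates like any attribute
            changes["display_name"] = rec.display_name
        if want - acct.entitlements:
            changes["grant"] = want - acct.entitlements
        if acct.entitlements - want:   # role change: revoke what the new role doesn't need
            changes["revoke"] = acct.entitlements - want
        if changes:
            actions.append(("update", rec.employee_id, changes))
    # Accounts with no HR record at all are orphans: deactivate them too.
    for emp_id, acct in app.items():
        if emp_id not in known and acct.active:
            actions.append(("deactivate", emp_id, {}))
    return actions


def apply_actions(actions: list[tuple], app: dict[str, AppAccount]) -> dict[str, AppAccount]:
    """Apply the actions to the in-memory app; a real connector would call the app's API here."""
    for op, emp_id, p in actions:
        if op == "create":
            app[emp_id] = AppAccount(emp_id, p["email"], p["display_name"], set(p["entitlements"]))
        elif op == "deactivate":
            app[emp_id].active = False
            app[emp_id].entitlements.clear()
        elif op == "update":
            acct = app[emp_id]
            acct.active = p.get("active", acct.active)
            acct.email = p.get("email", acct.email)
            acct.display_name = p.get("display_name", acct.display_name)
            acct.entitlements = (acct.entitlements | p.get("grant", set())) - p.get("revoke", set())
    return app


def sample_state() -> tuple[list[HRRecord], dict[str, AppAccount]]:
    """Constructed data: a new hire, a role change, a leaver, a rehire and an orphan account."""
    hr = [
        HRRecord("e100", "alice@example.com", "Alice Ng", "engineer", True),
        HRRecord("e101", "bob@example.com", "Bob Lee", "finance", True),     # moved from support
        HRRecord("e102", "carol@example.com", "Carol Ruiz", "support", False),
        HRRecord("e103", "dave@example.com", "Dave Kim", "engineer", True),  # rehired
    ]
    app = {
        "e101": AppAccount("e101", "bob@example.com", "Bob Lee", {"tickets:read", "tickets:write"}),
        "e102": AppAccount("e102", "carol@example.com", "Carol Ruiz", {"tickets:read", "tickets:write"}),
        "e103": AppAccount("e103", "dave@example.com", "Dave Kim", set(), active=False),
        "e999": AppAccount("e999", "eve@example.com", "Eve Stone", {"ledger:read"}),  # not in HR
    }
    return hr, app


if __name__ == "__main__":
    hr, app = sample_state()
    for action in reconcile(hr, app):
        print(action)
    apply_actions(reconcile(hr, app), app)
    print("second run:", reconcile(hr, app))  # a converged state yields no actions
```

Running the reconciler twice is the useful check: the first pass emits one action per scenario, and the second emits nothing, which is what makes a scheduled run safe to repeat after a partial failure. Replacing `apply_actions` with calls to the app's own API (or translating the actions into SCIM requests) turns this into a connector.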
Key benefits of automated identity provisioning
The benefits of identity provisioning for your customers are huge, especially when it is automated. They include:
- Increased efficiency: Manually setting up user accounts one by one across multiple systems is not only time-consuming; it’s a recipe for mistakes. Identity provisioning lets admins create one central user profile that syncs across all necessary apps. When automated, the process is even faster: any update to a user’s profile is applied across all connected apps without manual intervention.
- Improved security: Identity provisioning enforces standard access policies. When someone leaves the company, for example, their access is instantly removed across the board, reducing the risk of lingering access that could lead to a security breach.
- Cost savings: Employee provisioning takes the repetitive work off IT’s plate, freeing them up for more critical tasks. Plus, it reduces the risk of costly compliance issues or security breaches that could result from mismanaged access.
- Enhanced compliance: Provisioning tools follow standardized templates that keep your access management in line with company policies and regulations like HIPAA and GDPR. Additionally, built-in auditing and reporting features in provisioning tools provide visibility into all provisioning changes for compliance reviews.
And for you, as a service provider, supporting identity provisioning has big upsides:
- Improved security: Your customers’ identity providers become the source of truth for who may use your app, so access decisions and deprovisioning happen in one place that their IT team already controls. Stale accounts don’t linger in your service, and you don’t have to handle ad hoc access requests yourself.
- More closed deals: If your customers are already using user provisioning tools for other apps, they’ll be much more likely to use yours if you also support it.
Next steps
Supporting identity provisioning in your app can be a daunting task. You’d need to connect with all the directory providers your customers use and build complex logic to handle provisioning requests.
And sure, you could develop these integrations in-house, but that could take your engineering team weeks, maybe even months, time that could be spent building your core product instead.
For a fast, stress-free integration, use Directory Sync by WorkOS to integrate with all major identity providers, such as Okta, Microsoft Entra ID, and OneLogin, in minutes.
- Get started fast: With SDKs for every popular platform and Slack-based support, you can implement Directory Sync in minutes rather than weeks.
- Events-based processing: While webhooks are also supported, WorkOS’s Events API means every provisioning request is processed in order and in real time. You’ll never miss a provisioning request again.
- Avoid the back-and-forth: WorkOS’s Admin Portal takes the pain out of onboarding your customers’ IT teams and configuring your app to work with their identity provider.
- Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard — whether they’re syncing 10 or 10,000 users with your app.