
What is Identity Provisioning?

Learn what identity provisioning is, how it works, its benefits, and the protocols that enable it.


On average, organizations with more than 1000 employees use 150+ SaaS applications, ranging from collaboration tools to CRM systems.

Using these apps introduces significant challenges in managing employee access. Each app requires individual attention to set up user accounts, permissions, and access levels, which can become a logistical nightmare for IT departments. This complexity is compounded by employee turnover, role changes, and the continuous adoption of new tools.

Identity provisioning solves this nightmare by automating the process of creating, managing, and disabling user identities and access permissions across multiple apps.

In this article, you'll learn more about what identity provisioning is, how it takes the grunt work out of managing users, and the various protocols used to implement it.

What is identity provisioning?

Identity provisioning is the process of creating, managing, and deactivating user identities and access permissions across various systems and apps.

Provisioning is implemented with protocols such as SCIM, SPML, and LDAP, and with patterns built on top of SSO protocols such as SAML (Just-in-Time provisioning, covered later, is one of these patterns rather than a protocol of its own). These standards let identity providers (IdPs), the systems that store and manage identities, talk to service providers (SPs) such as your SaaS app, so that user identities and access can be created, updated, or removed without manual work.

How identity provisioning works

Identity provisioning starts with setting up user accounts and authentication details. Each user profile stores attributes such as name, email, role, and department, plus anything else relevant to determining the user's access rights.

Access rights should be assigned according to the principle of least privilege, meaning users get access only to the resources they need to do their job. This assignment is usually governed by an access control model such as role-based (RBAC) or attribute-based (ABAC) access control.

As employees change roles or take on new responsibilities, their access needs change. For employees leaving the company, an admin revokes their access and their accounts are deactivated. For those moving to a different role, their access rights get adjusted accordingly.

Identity provisioning can be implemented manually or automatically.

Manual identity provisioning means creating user accounts and assigning permissions by hand, one app at a time. It works, but it is slow and notoriously error-prone: admins over-provision, forget to revoke access, or leave orphaned accounts behind, and every one of those is an account an attacker can use.

To save on time and reduce security risks, many organizations use identity provisioning software to automatically provision users.

Automatic provisioning systems are usually identity providers or platforms that integrate with directories or HR systems to automatically trigger account creation, deletion, or access updates in connected apps when an admin creates a new user account or updates user details.

Provisioning protocols explained: SAML, SCIM, SPML, LDAP, and JIT

Protocols like SAML, SCIM, SPML, and LDAP are used to communicate identity and access information between applications and directories. Here’s a breakdown of what each is and when to use it:

SAML

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).

During SSO, the IdP sends the SP a signed SAML assertion containing identity data such as the user's name, email address, and possibly other attributes like group memberships or roles. Before using any of it, the SP must verify the assertion's signature against the IdP's certificate and check its issuer, audience, and validity window; only then can it safely make access control decisions about what the user may see or do in the app.

SAML on its own is a poor fit for provisioning, especially where access changes often. It only carries identity data at the moment of login: if a user is disabled at the IdP or removed from a group, nothing tells your app until they next sign in, and any session they already have is unaffected.

SCIM

System for Cross-domain Identity Management (SCIM) is an open standard (RFC 7643 and RFC 7644) for automating the exchange of user identity information between systems. It defines a REST API with JSON representations of users and groups.

It lets a SCIM-enabled directory create, read, update, and deactivate user identities (and groups) in your app in a standardized, interoperable way, typically by calling /Users and /Groups endpoints that you expose and that are protected by a bearer token issued per customer.

Unlike SAML, SCIM is push-based and near real-time: the directory calls your SCIM endpoint as soon as a user is created, changed, or deactivated, so deprovisioning happens when the admin acts, not when the user next logs in.
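To make the SCIM side concrete, here is a minimal in-memory SCIM 2.0 /Users endpoint written for this article. It is an added example, not WorkOS code or any library's implementation. It assumes a hypothetical per-tenant bearer token (TENANT_TOKEN) and handles the three requests a directory actually sends to a service provider: create a user, PATCH to change attributes or deactivate, and DELETE. The requests exercised against it are constructed for illustration.

```python
import hmac
import re
import uuid

SCHEMA_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCHEMA_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCHEMA_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Hypothetical per-tenant bearer token. Real deployments generate one per connected
# directory and store it hashed, like any other credential.
TENANT_TOKEN = "scim-token-for-acme-corp"


def _to_bool(value):
    # Some directories send "True"/"False" strings for the active flag rather than JSON booleans.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


class ScimServer:
    """In-memory SCIM 2.0 /Users endpoint for one tenant (added example, not a library)."""
    def __init__(self, token=TENANT_TOKEN):
        self.token = token
        self.users = {}     # SCIM id -> user resource
        self.revoked = []   # ids whose live sessions were terminated on deactivation

    def _error(self, status, detail, scim_type=None):
        body = {"schemas": [SCHEMA_ERROR], "status": str(status), "detail": detail}
        if scim_type:
            body["scimType"] = scim_type
        return status, body

    def _authorized(self, headers):
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison so a wrong token cannot be narrowed down byte by byte.
        return scheme == "Bearer" and hmac.compare_digest(presented, self.token)

    def _find_by_username(self, user_name):
        # userName is caseExact=false in the SCIM core schema.
        return next((u for u in self.users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    def _set_active(self, user, active):
        if user["active"] and not active:
            # Deprovisioning is more than a flag: kill the sessions and tokens the user still holds.
            self.revoked.append(user["id"])
        user["active"] = active

    def handle(self, method, path, headers, body=None):
        """Dispatch one request and return (status, json_body_or_None)."""
        if not self._authorized(headers):
            return self._error(401, "invalid bearer token")
        if method == "POST" and path == "/Users":
            return self._create(body or {})
        m = re.fullmatch(r"/Users/([^/?]+)", path)
        if m and method == "PATCH":
            return self._patch(m.group(1), body or {})
        if m and method == "DELETE" and m.group(1) in self.users:
            # Keep the record for audit and rehire: deactivate instead of erasing the identity.
            self._set_active(self.users[m.group(1)], False)
            return 204, None
        return self._error(404, "no such resource")

    def _create(self, body):
        user_name = body.get("userName")
        if not user_name:
            return self._error(400, "userName is required", "invalidValue")
        if self._find_by_username(user_name):
            # Directories retry on timeouts; answer 409 rather than creating a duplicate identity.
            return self._error(409, "userName already exists", "uniqueness")
        user = {"schemas": [SCHEMA_USER], "id": str(uuid.uuid4()),
                "externalId": body.get("externalId"), "userName": user_name,
                "name": body.get("name", {}), "emails": body.get("emails", []),
                "active": _to_bool(body.get("active", True))}
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user_id, body):
        user = self.users.get(user_id)
        if not user:
            return self._error(404, "no such user")
        if SCHEMA_PATCH not in body.get("schemas", []):
            return self._error(400, "body must be a PatchOp", "invalidSyntax")
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() != "replace":
                return self._error(400, "only replace is supported here", "invalidValue")
            # Without "path", "value" is a partial resource naming the attributes to replace.
            changes = {op["path"]: op.get("value")} if op.get("path") else dict(op.get("value") or {})
            for attr, val in changes.items():
                if attr == "active":
                    self._set_active(user, _to_bool(val))
                elif attr in ("userName", "externalId", "name", "emails"):
                    user[attr] = val
                else:
                    return self._error(400, f"cannot modify {attr}", "invalidPath")
        return 200, user
```

Three details matter more than the routing: the token check uses a constant-time comparison, a duplicate create returns a 409 "uniqueness" error instead of a second identity (directories retry failed requests), and deactivation revokes live sessions rather than only flipping active to false. A production endpoint would also need GET /Users with a filter (directories look a user up by userName before creating them), the /Groups resource, and persistent storage; those are left out here.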

SPML

Service Provisioning Markup Language (SPML) is a little-used legacy XML framework for exchanging provisioning information between cooperating organizations.

It allows you to request the provisioning of accounts, groups, and entitlements across organizations. SPML can be used to onboard new employees, offboard exiting employees, and manage account changes.

LDAP

Lightweight Directory Access Protocol (LDAP) is a protocol used to access and maintain distributed directory information services over an IP network. It's often used by organizations to store and access user profile data, access control information, and group memberships.

LDAP allows applications to look up contact details, email addresses, and more based on a user's username. It’s often used to provision on-premises resources.

JIT

Just-in-Time (JIT) provisioning means that user access is provided dynamically, on demand. Instead of provisioning access ahead of time based on a user's role, access is provisioned automatically when a user tries to access a resource.

Unlike the protocols in this list, JIT provisioning is not a standalone protocol but a pattern built on top of others, most often SAML. When a user signs in to your app for the first time, you take the attributes in the SSO assertion (name, email, groups) and create their account and access on the spot. The catch is that JIT only ever adds or updates: it never removes access, so a user disabled at the IdP keeps their account and any active session in your app. Pair it with SCIM, or at least with short session lifetimes, so that offboarding actually happens.
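The following code ties the SAML and JIT sections together: it reads the identity data out of a SAML assertion and uses it to find or create the user on first login, re-syncing profile and role on every later login. It is an added example written for this article, not WorkOS code or any SAML library's API. The assertion is constructed and unsigned; the example assumes that the SP's SAML library has already verified the signature, issuer, audience, and validity window before this code runs, and the group-to-role mapping (ROLE_MAP) is hypothetical.

```python
import uuid
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion, unsigned, for illustration only. In production the SP's SAML
# library verifies the XML signature, Issuer, Audience and NotBefore/NotOnOrAfter window before
# any of these values are read; that step is assumed to have happened and is not shown here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8e1a" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.acme.example/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-7f3c</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@acme.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping from IdP group names to roles in our app; unmapped groups grant nothing.
ROLE_MAP = {"Admins": "admin", "Engineering": "member"}
DEFAULT_ROLE = "member"


def parse_assertion(xml_text):
    """Extract issuer, subject NameID and attribute values from an already-verified assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find(NS + "Subject/" + NS + "NameID")
    if name_id is None or name_id.get("Format") == TRANSIENT:
        # A transient NameID changes every session; keying accounts on it would create a new
        # user at each login, so refuse it and have the IdP send a persistent or email-format ID.
        raise ValueError("assertion needs a stable (non-transient) NameID")
    attributes = {}
    for attribute in root.iter(NS + "Attribute"):
        attributes[attribute.get("Name")] = [
            v.text for v in attribute.findall(NS + "AttributeValue")]
    return {"issuer": root.findtext(NS + "Issuer"), "name_id": name_id.text,
            "attributes": attributes}


def role_for(groups):
    # Highest privilege wins; a user in no mapped group gets the default role.
    roles = {ROLE_MAP[g] for g in groups if g in ROLE_MAP}
    return "admin" if "admin" in roles else DEFAULT_ROLE


def jit_provision(store, assertion):
    """Find or create the account for this login and sync profile and role from the assertion.

    Accounts are keyed by (issuer, NameID), never by email alone: with an email-only match, any
    IdP connected to the app could assert jane@acme.example and take over Acme's account.
    """
    key = (assertion["issuer"], assertion["name_id"])
    attrs = assertion["attributes"]

    def first(name):
        return (attrs.get(name) or [None])[0]

    user = store.get(key)
    created = user is None
    if created:
        user = {"id": str(uuid.uuid4()), "issuer": key[0], "name_id": key[1]}
        store[key] = user
    # Re-sync on every login so a group change at the IdP takes effect at the next sign-in.
    user.update(email=first("email"), first_name=first("firstName"),
                last_name=first("lastName"), role=role_for(attrs.get("groups", [])))
    return user, created


if __name__ == "__main__":
    users = {}
    user, created = jit_provision(users, parse_assertion(SAMPLE_ASSERTION))
    print("created" if created else "updated", user["email"], user["role"])
```

Two design choices carry the security weight. Accounts are keyed by the pair (issuer, NameID) so that two customers' IdPs cannot collide on, or claim, each other's users, and transient NameIDs are rejected because they are different on every login. Note also what the code cannot do: if Jane is deleted at the IdP, nothing here ever runs for her again, which is exactly why JIT needs SCIM or session expiry alongside it.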

Examples of identity provisioning in action

Common examples of identity provisioning include:

  • Creating new user accounts when an employee is onboarded: This is perhaps the most common example of identity provisioning. When a new employee joins, an admin adds a user profile with details like the new hire's name, email, and department to the provisioning tool, which creates accounts in all the necessary apps.
  • An employee changes their name: When an employee changes their name, for example after getting married, the admin updates the profile in the directory and the new name (and new email address, if it changes) is propagated to every connected app.
  • Offboarding employees by deactivating their accounts and revoking access: Offboarding is as critical as onboarding. When an employee leaves, an admin deactivates their account to deprovision them, so that their access to the company's resources is revoked everywhere at once.
  • Promoting an employee and updating their access to match their new role: Different roles require different access levels. When an employee changes roles, an admin updates their attributes, such as role and permissions, and these changes are propagated to the apps connected to the provisioning tool.
  • Reactivating accounts when an employee is rehired: When an employee is rehired, an admin can reactivate their old account in the directory and they are reprovisioned, i.e. their accounts are reactivated in all the connected SaaS apps and systems.

Key benefits of automated identity provisioning

The benefits of identity provisioning for your customers are huge, especially when it is automated. They include:

Increased efficiency

Manually setting up user accounts and access across all systems, one by one, is a tedious, time-consuming process that is extremely prone to human error. Identity provisioning streamlines this by centralizing identities, so that one directory identity drives all the accounts a user needs.

When automated, the process is even faster, because all the changes made to a user identity are automatically updated in all the apps they use.

Improved security

Identity provisioning enforces standard access policies and can disable accounts the moment a user leaves the organization, closing the window in which a departed employee's credentials could still be used. This reduces the risk of compromised accounts and data breaches.

Cost savings

Identity provisioning reduces the effort required to set up user accounts, allowing IT teams to focus on other tasks. It also minimizes costs from compliance failures or security incidents that may result from improperly granting users access.

Enhanced compliance

Automated provisioning uses standardized templates to configure user accounts and access. This helps ensure all provisioning actions adhere to corporate security policies and compliance regulations like HIPAA or GDPR.

Additionally, built-in auditing and reporting in provisioning tools provide visibility into all provisioning changes for compliance reviews.

For you as a service provider, supporting identity provisioning has benefits like:

Improved security

Your customers remain responsible for deciding what access their employees should have. Your job is to process the provisioning requests from their identity provider accurately and promptly, which keeps the authorization decisions, and the risk of getting them wrong, on their side rather than yours.

More closed deals

If your customers already use provisioning tools to grant their employees access to the hundreds of apps they use, they're more likely to buy yours if it supports identity provisioning too.

Next steps

Supporting identity provisioning in your app can be a daunting task. It involves connecting to all the directory providers your customers use and building logic to process all their provisioning requests.

And while you could build the integrations yourself, it’d take your engineering team weeks if not months — time that’d otherwise go to building your core product.

For a fast, stress-free integration, use Directory Sync by WorkOS to connect to all the major identity providers your customers use such as Okta, Microsoft Entra ID, and OneLogin within minutes.

  • Get started fast: With SDKs for every popular platform, and Slack-based support, you can implement Directory Sync in minutes rather than weeks.
  • Events-based processing: While webhooks are also supported, WorkOS’s Events API means every SCIM request is processed in order, and in real-time. You’ll never miss a provisioning request again.
  • Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard — whether they’re syncing 10 or 10,000 users with your app.

Explore Directory Sync by WorkOS.
