SCIM for ADFS

ADFS (Active Directory Federation Services) doesn't support SCIM provisioning out of the box.

SCIM is specifically designed to make it easier to manage user accounts across different SaaS apps, something that ADFS doesn’t do since it focuses on enabling SSO authentication beyond an organization’s network/security zone.

Organizations looking to implement SCIM provisioning to automate user account management would normally need to use Microsoft Entra (formerly Azure AD).

However, if migrating to Microsoft Entra doesn't fit your plans right now, you're not out of options. There are third-party tools like SCIM for ADFS that can link your ADFS setup with any SCIM-compatible apps you use.

In this article, we're going to unpack everything you need to know about SCIM and SCIM provisioning, dive into how SCIM works, and show you how to start using SCIM for ADFS.

What is SCIM for ADFS?

SCIM for ADFS is a solution from SSO Easy that enables SCIM (System for Cross-domain Identity Management) user provisioning from Microsoft ADFS to any SCIM-compliant SaaS app.

Here are some reasons you might want to use it:

  • If your organization prefers to keep ADFS on-premise, SCIM for ADFS offers a solution compatible with your existing setup.
  • If your organization regularly updates user identity information and requires these updates to be instantly reflected in SaaS apps you use, SCIM for ADFS enables real-time synchronization.
  • If you want a unified platform to oversee access control, SCIM for ADFS gives you a single place to monitor who has access to what, identify inactive accounts, and revoke access as needed.

With SCIM for ADFS, you can easily sync identities from your on-prem ADFS to your SaaS apps and enjoy all the benefits of SCIM provisioning.

What is SCIM Provisioning?

Imagine if every time someone joined or left your team, you had to manually update their access to all the apps and tools your company uses. That's a lot of work, right? It takes time, and it's error-prone — it's not unusual to overprovision, or to end up with orphan accounts that were never deprovisioned when they should have been.

SCIM provisioning automates how user information is shared between your Active Directory instance and the SaaS apps you use. The moment you make a change (e.g. create a user or deactivate one), an HTTP request containing the update is sent to every connected application. User identity data stays in sync without manual intervention.

How does SCIM work?

SCIM provisioning operates via a RESTful API, using standard HTTP methods — POST, GET, PUT, DELETE — for CRUD operations (Create, Read, Update, Delete) on User and Group data. As of SCIM 2.0, this data is strictly formatted in JSON.

The SCIM standard specifies several endpoints for interacting with user data, mainly /Users and /Groups for managing user profiles and group memberships, respectively. These endpoints are implemented by the SaaS apps and essentially act as access points for an IdP that supports SCIM to manage identities in the apps.

When you add a new user or update their details in the IdP, the IdP sends HTTP requests to the connected apps, which then process each request by creating, updating, or deleting user accounts or group memberships in their own system based on the information it contains.
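As an added example (not code from this page or from SSO Easy), here is a minimal in-memory SaaS-app-side /Users handler that walks through the exchange described in this section and in the provisioning paragraph above: the IdP sends POST, GET, PUT and DELETE requests with SCIM 2.0 JSON bodies, and the app checks the provisioning bearer token and the schema URN before creating, reading, replacing (active=false to deprovision) or deleting the account. The token value, the class name and the sample user are constructed for the example.

```python
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
PROVISIONING_TOKEN = "constructed-token-123"  # constructed; in practice issued by the app to the IdP


def scim_error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUsersEndpoint:
    def __init__(self):
        self.users = {}  # SCIM id -> User resource (the app's in-memory store)
        self._seq = 0

    def handle(self, method, path, headers, body=None):
        """Process one IdP request; returns (http_status, json_body_or_None)."""
        # Every provisioning call must present the bearer token the app issued to the IdP.
        if headers.get("Authorization") != f"Bearer {PROVISIONING_TOKEN}":
            return scim_error(401, "missing or invalid bearer token")
        parts = path.strip("/").split("/")
        if parts[0] != "Users" or len(parts) > 2:
            return scim_error(404, "unknown endpoint")
        user_id = parts[1] if len(parts) == 2 else None
        resource = json.loads(body) if body else None
        if method in ("POST", "PUT") and not (
                resource and USER_SCHEMA in resource.get("schemas", []) and "userName" in resource):
            return scim_error(400, "body is not a valid SCIM 2.0 User resource")
        if method == "POST" and user_id is None:  # create
            if any(u["userName"] == resource["userName"] for u in self.users.values()):
                return scim_error(409, "userName already exists")  # uniqueness conflict
            self._seq += 1
            resource["id"] = str(self._seq)
            self.users[resource["id"]] = resource
            return 201, resource
        if user_id not in self.users:
            return scim_error(404, "no such user")
        if method == "GET":  # read
            return 200, self.users[user_id]
        if method == "PUT":  # full replacement; the IdP sends active=false to deprovision
            resource["id"] = user_id
            self.users[user_id] = resource
            return 200, resource
        if method == "DELETE":  # hard delete
            del self.users[user_id]
            return 204, None
        return scim_error(405, "method not supported")
```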

ADFS doesn’t support this functionality. It won’t automatically provision or de-provision users in the SaaS apps your company uses. That’s why you need SCIM for ADFS.

What are the benefits of using SCIM for ADFS?

SCIM for ADFS lets you seamlessly provision users from ADFS to dozens of SaaS apps. You don't need an Azure subscription, and you don't need to switch from ADFS to another federation service, to enjoy the benefits of SCIM provisioning.

With SCIM for ADFS, you get:

  • Automated access management

SCIM for ADFS ensures any updates you make in Active Directory are automatically reflected across all the apps and services your team uses. Whether you’re onboarding new users or removing existing ones, SCIM handles updating their data across various apps without you having to do it manually for each service.

  • Tighter security

Automatically updating access for people who've left the company or changed roles reduces security risk, because only currently authorized people retain access to your systems.

Additionally, you may have regulations requiring access to certain data to be strictly controlled. By automatically managing access, it’s way easier for your company to stay compliant.

  • Time and cost efficiency

By cutting out the manual work of managing user accounts across different systems, IT teams won’t get bogged down in never-ending admin tasks like creating new user accounts, updating permissions for existing users, or deleting accounts.

Additionally, with automatic de-provisioning, as soon as someone leaves the company, their accounts are deactivated, and you're not billed for services they're no longer using.

How do you use SCIM for ADFS?

Unfortunately, the documentation on how to use SCIM for ADFS is rather sparse. And from what we can tell, you have to contact the vendor to learn more about how to get started or to request a free trial.

The good news is, with the free trial you can:

  • Use the full-feature, production-quality product as part of your evaluation. This will allow you to experience the complete capabilities of SCIM for ADFS before you commit.
  • Implement a Proof of Concept (POC) in your environment to see SCIM for ADFS in action. The POC is typically completed within 1-2 hours, during which you'll have free remote support, so you won't be left to figure things out on your own.

What this means is that you get a no-risk, no-cost evaluation before you make a decision. Whether you use it or not will be based entirely on the value it brings to your organization.

Conclusion

While ADFS does not natively support user provisioning, with the right tool, it's possible to set up a system that provisions user accounts from ADFS.

You can use SCIM for ADFS and create integrations from ADFS to all the SCIM-compliant apps you currently use. Alternatively, if you have the time and resources, use Microsoft Entra ID for both SSO and user provisioning.
