SCIM security: is the user provisioning protocol secure?
SCIM automates and secures user identity management across systems with TLS encryption and authorization mechanisms. This blog explains SCIM's functionality, security features, and the advantages of automated user provisioning to minimize administrative burden and security risks.
SCIM resources (e.g. Users and Groups) can contain sensitive information, including passwords and other personal user details.
That means that if you’re building a SCIM integration, security needs to be a top priority — the last thing you want is for a hacker or a thief to gain access to your customers’ sensitive data.
In this article, we’ll discuss what SCIM is, how SCIM requests are secured, and finally we’ll discuss how SCIM makes user provisioning more secure for enterprises.
What is SCIM?
SCIM (System for Cross-domain Identity Management) is an open protocol that standardizes user identity management and synchronization.
It defines a core schema that acts as a template for representing user and group data (think of groups as collections of users that have something in common), such as names, emails, or group memberships.
On top of that, SCIM also defines RESTful API endpoints for creating, retrieving, updating, and deleting user identities. When you’re setting up your SCIM server, you create these endpoints that your customer’s Identity Provider (IdP) sends requests to.
By providing a standard way of representing user data and a RESTful API for sharing this data, SCIM makes it easier for your customers to keep their user identity data in sync across all the different apps they use and control which users are able to access a service provider.
Is SCIM secure?
As a RESTful API, the SCIM protocol is based on HTTP and does not define a SCIM-specific scheme for securing data. It relies on the Transport Layer Security (TLS) protocol to protect data as it moves between your customer’s IdP and your SCIM server. TLS ensures that data is encrypted over the network, preventing eavesdropping on and tampering with user data. SCIM requires you to support TLS 1.2.
For even tighter security, you should combine TLS with other authentication schemes like bearer tokens and cookies.
- Bearer tokens: These are a type of access token that allows the holder to access a resource or service. You may use the bearer tokens in a token-based authorization framework such as OAuth 2.0. IdPs must include these tokens in the authorization header of HTTP requests to prove their identity and you must check whether the token is valid before processing any SCIM request.
An attacker could forge or alter an assertion to obtain an access token. If you don’t verify the token, you may end up processing unauthorized SCIM requests and exposing your customer’s data.
- Cookies: The IdP can use cookies to represent the authentication state of the user trying to send a SCIM request to your server. And like tokens, these cookies must not have a longer lifetime than the browser session.
When designing your endpoints:
- Use POST instead of GET when sending sensitive information. If your SCIM server supports query filters, be extremely cautious about the data transmitted in the URL. Personally identifiable information (PII) could be exposed in web browser history or server logs if included in a URL which could potentially violate data privacy laws.
For these kinds of requests, the SCIM specification recommends using the HTTP POST method instead of HTTP GET. If your server receives an HTTP GET request with sensitive data in the query filters, deny the request and respond with a 403 HTTP status code.
- Don’t support passwords: By not collecting or transmitting passwords, your SCIM implementation eliminates a major attack vector. You don’t have to protect what you don’t collect.
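As an added illustration of the three points above (checking the bearer token before doing anything else, refusing GET requests whose filter names sensitive attributes, and not collecting passwords), here is a small request handler for a SCIM /Users endpoint. It is example code written for this article, not code from the original post or from any SCIM library. The tenant token, the set of attributes treated as sensitive, the in-memory store and the id scheme are constructed assumptions, and the filter matcher evaluates only a single `eq` comparison, which is enough to show the control flow.

```python
import hmac
import re
from typing import Optional

# Constructed tenant -> bearer token table. A real server loads per-tenant
# tokens from a secrets store; the value here is a placeholder for the example.
TOKENS_BY_TENANT = {"tenant-a": "constructed-token-for-tenant-a"}

# Top-level attributes whose values must never appear in a URL. The set is an
# assumption for the example; derive yours from your schema and privacy rules.
SENSITIVE_ATTRS = {"password", "emails", "name", "phonenumbers", "addresses"}

# Attribute path on the left of a SCIM comparison, e.g. 'name.familyName' in
# 'name.familyName co "Smith"' or a schema-qualified 'urn:...:User:emails'.
ATTR_PATH = re.compile(r'([A-Za-z][\w.:$-]*)\s+(?:eq|ne|co|sw|ew|gt|lt|ge|le|pr)\b', re.I)
# The only filter shape the toy matcher below evaluates: <attr> eq "value".
EQ_FILTER = re.compile(r'^\s*([A-Za-z][\w.:$-]*)\s+eq\s+"([^"]*)"\s*$', re.I)

USERS = {}  # tenant -> {id -> user}; in-memory stand-in for a database
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def scim_error(status: int, detail: str) -> dict:
    return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def authenticate(headers: dict) -> Optional[str]:
    """Return the tenant for a valid 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    tenant_found = None
    # Check every tenant's token with a constant-time comparison so response
    # timing does not reveal which tenant exists or how much of a token matched.
    for tenant, expected in TOKENS_BY_TENANT.items():
        if hmac.compare_digest(token.encode(), expected.encode()):
            tenant_found = tenant
    return tenant_found


def top_level_attr(path: str) -> str:
    """'urn:...:User:name.familyName' -> 'name'; 'emails.value' -> 'emails'."""
    return path.rsplit(":", 1)[-1].split(".")[0].lower()


def filter_touches_sensitive_attrs(scim_filter: str) -> bool:
    return any(top_level_attr(p) in SENSITIVE_ATTRS for p in ATTR_PATH.findall(scim_filter))


def matches(user: dict, scim_filter: str) -> bool:
    """Evaluate an empty filter or a single '<attr> eq "value"' comparison."""
    if not scim_filter.strip():
        return True
    m = EQ_FILTER.match(scim_filter)
    if not m:
        raise ValueError("this example only evaluates '<attr> eq \"value\"' filters")
    parts = m.group(1).rsplit(":", 1)[-1].split(".")
    node = user.get(parts[0])
    if len(parts) == 1:
        return str(node) == m.group(2)
    # Multi-valued attribute such as emails: match if any element's sub-attribute equals the value.
    items = node if isinstance(node, list) else [node]
    return any(isinstance(i, dict) and str(i.get(parts[1])) == m.group(2) for i in items)


def list_response(store: dict, scim_filter: str) -> dict:
    hits = [u for u in store.values() if matches(u, scim_filter)]
    return {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}


def handle(method: str, path: str, headers: dict,
           query: Optional[dict] = None, body: Optional[dict] = None):
    """Dispatch one SCIM request. Returns (status, response headers, JSON body)."""
    tenant = authenticate(headers)
    if tenant is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="scim"'}, scim_error(401, "missing or invalid bearer token")
    store = USERS.setdefault(tenant, {})
    try:
        if method == "GET" and path == "/Users":
            scim_filter = (query or {}).get("filter", "")
            if filter_touches_sensitive_attrs(scim_filter):
                # PII in a URL ends up in logs and history: refuse and point at POST /Users/.search.
                return 403, {}, scim_error(403, "filters on sensitive attributes must use POST /Users/.search")
            return 200, {}, list_response(store, scim_filter)
        if method == "POST" and path == "/Users/.search":
            return 200, {}, list_response(store, (body or {}).get("filter", ""))
        if method == "POST" and path == "/Users":
            user = dict(body or {})
            user.pop("password", None)  # not collected, so never stored and never returned
            user["id"] = f"u{len(store) + 1}"  # constructed id scheme for the example
            store[user["id"]] = user
            return 201, {}, user
    except ValueError as exc:
        return 400, {}, scim_error(400, str(exc))
    return 404, {}, scim_error(404, "no such resource")
```

The order matters: the token is checked before the path is even looked at, so an unauthenticated caller learns nothing about which resources exist. A real deployment would sit this behind a web framework that normalizes header names and parses the query string; the checks themselves stay the same.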
How does SCIM enhance user account security?
Here’s how SCIM makes user provisioning more secure for enterprise organizations:
Automating user provisioning and deprovisioning
For organizations using multiple SaaS apps, manually managing employee access is not only time-consuming but also highly susceptible to mistakes. For example, an admin might accidentally overprovision a user or forget to remove a user's access when they leave the company. Suddenly, you’ve got ex-employees with access to company resources, a security nightmare.
Implementing SCIM minimizes these security risks.
The instant an admin changes the user's status in the IdP — be it activation, switching roles, or deactivation — SCIM propagates the change to all the downstream apps automatically which in turn process the requests accordingly. For example, for deprovisioning requests, the apps respond by closing the user’s active sessions. This significantly reduces the window of opportunity for unauthorized access.
Role-based Access Control
While SCIM was not designed as a system for enforcing access control policies, it can support Role-Based Access Control (RBAC) via Groups. Organizations can create SCIM groups that categorize employees by their roles or job functions, such as managers, interns, or marketing teams, and assign specific access rights to these groups.
Groups make it easier for admins to manage access since they can assign and manage permissions at the group level rather than individually for each user.
They’re also great for security — RBAC adheres to the principle of least privilege. By assigning users to groups with specific access rights, employees have just enough access to do their jobs and nothing more.
Note that this group-based access control is just the bare minimum needed for access control, especially in large organizations. Once you go past a few dozen to a few hundred groups, things get out of hand as the organization accumulates a large, unwieldy number of roles that are difficult to manage, audit, and keep secure. In such cases, a more fine-grained access control approach that can handle detailed permissions is always necessary.
Audit trails
Dedicated SCIM providers log every action taken on user accounts and group memberships through the SCIM protocol. These providers typically offer admin portals or APIs through which organizations can access and query the audit logs. This enables IT and security teams to perform detailed analyses, generate reports, and conduct investigations when needed.
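To show what the receiving app does with the three mechanisms described above (acting on a deprovisioning request by closing sessions, deriving permissions from group membership, and recording every SCIM-driven change in an audit trail), here is an added example written for this article; it is not code from the original post or from any SCIM provider. The group-to-permission map, the in-memory user and session tables, and the two PatchOp shapes accepted for `active` changes are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed group -> permission map. Mapping IdP groups to app permissions is
# the integrator's job; these names are assumptions for the example.
GROUP_PERMISSIONS = {
    "Engineering": {"repo:read", "repo:write"},
    "Managers": {"reports:read"},
    "Interns": {"repo:read"},
}

# In-memory state standing in for the application's database (constructed).
users = {}      # user id -> {"active": bool, "groups": set of group names}
sessions = {}   # session id -> user id
audit_log = []  # append-only list of audit records

# Shape of a SCIM 'remove' path for one group member: members[value eq "<id>"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def audit(action: str, actor: str, target: str, detail: dict = None) -> dict:
    """Append one audit record; every SCIM-driven change goes through here."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
              "actor": actor, "target": target, "detail": detail or {}}
    audit_log.append(record)
    return record


def revoke_sessions(user_id: str) -> int:
    """Terminate every live session of the user; returns how many were closed."""
    doomed = [sid for sid, uid in sessions.items() if uid == user_id]
    for sid in doomed:
        del sessions[sid]
    return len(doomed)


def effective_permissions(user_id: str) -> set:
    """Union of the permissions granted by each group the user belongs to."""
    if not users.get(user_id, {}).get("active", False):
        return set()  # a deactivated user keeps no access, whatever their groups say
    perms = set()
    for group in users[user_id]["groups"]:
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def apply_user_patch(actor: str, user_id: str, patch: dict) -> dict:
    """Handle a PatchOp on /Users/{id}; only changes to 'active' are processed here."""
    user = users[user_id]
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            continue
        value = op.get("value")
        # Some IdPs send {"path": "active", "value": false}, others send
        # {"value": {"active": false}} with no path; accept both shapes.
        if op.get("path") == "active":
            new_active = value
        elif isinstance(value, dict) and "active" in value:
            new_active = value["active"]
        else:
            continue
        if isinstance(new_active, str):  # some IdPs send the boolean as "True"/"False"
            new_active = new_active.strip().lower() == "true"
        user["active"] = bool(new_active)
        if not user["active"]:
            closed = revoke_sessions(user_id)  # deprovisioning ends live access now, not at token expiry
            audit("user.deactivate", actor, user_id, {"sessions_closed": closed})
        else:
            audit("user.activate", actor, user_id)
    return user


def delete_user(actor: str, user_id: str) -> int:
    """Handle DELETE /Users/{id}: drop the record and close its sessions."""
    users.pop(user_id, None)
    closed = revoke_sessions(user_id)
    audit("user.delete", actor, user_id, {"sessions_closed": closed})
    return closed


def apply_group_patch(actor: str, group: str, patch: dict) -> None:
    """Handle a PatchOp on /Groups/{id} that adds or removes members."""
    for op in patch.get("Operations", []):
        kind, path = op.get("op", "").lower(), op.get("path", "")
        if kind == "add" and path == "members":
            for member in op.get("value", []):
                users[member["value"]]["groups"].add(group)
                audit("group.member.add", actor, member["value"], {"group": group})
        elif kind == "remove" and (m := MEMBER_FILTER.match(path)):
            users[m.group(1)]["groups"].discard(group)
            audit("group.member.remove", actor, m.group(1), {"group": group})
```

Two details are worth keeping when you adapt this: `effective_permissions` checks `active` first, so a deactivated account yields no permissions even if a group removal has not arrived yet, and the string-to-boolean conversion in `apply_user_patch` guards against a `"False"` string being treated as truthy, which would silently leave the account enabled.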
FAQ
Is SCIM secure?
Yes. SCIM leverages TLS for encryption, ensuring data in transit is protected against eavesdropping and tampering. While SCIM itself focuses on data exchange, it can be used alongside authorization protocols like OAuth 2.0, which adds an extra security layer on top of TLS.
Does SCIM provide authentication?
No, SCIM doesn't handle authentication. Its main role is to automate the management of user identities across systems. To authenticate users, use authentication protocols like OpenID Connect and SAML.
What are the benefits of SCIM provisioning?
SCIM provisioning automates user identity management which not only reduces admin overhead but also minimizes the security risks associated with manual provisioning or de-provisioning — employees’ identity data is automatically synced with all the connected apps as soon as they change in the IdP.
Next steps
Instead of worrying whether you get security right for all your SCIM integrations, why not use a done-for-you SCIM provider like WorkOS Directory Sync?
With Directory Sync, you don't have to manually code a SCIM integration. It gives you a secure, single API-based integration for all the major IdPs your customers use.
- Get started fast: With SDKs for every popular platform, and Slack-based support, you can implement SCIM in minutes rather than weeks.
- Events-based processing: While webhooks are also supported, WorkOS’ unique Events API means every SCIM request is processed in order, and in real-time. You’ll never miss a provisioning request again.
- Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard - whether they’re syncing 10 or 10,000 users with your app.