You Need a SCIM Server — Here’s the Easiest Way to Create One

Learn how to build a SCIM server for your app with WorkOS.


Wondering what a SCIM server is, and why enterprise companies keep pestering you for one?

A SCIM server sits between your app and your customers’ identity providers, accepting requests to automatically provision and deprovision users within your app.

In this article, we’ll discuss what a SCIM server is, highlight some of the costs of building your own server, and then walk you through the process of building a SCIM server.

What is a SCIM server?

The two main components in any SCIM integration are the SCIM client and the SCIM server.

The SCIM client is typically your customer’s Identity Provider (IdP) like Okta or an HRIS directory like Workday. The client’s core role is to store and manage user identities.

The SCIM server exposes specific endpoints to the SCIM client, to which that client can then send user provisioning requests (e.g. to create, update, or deactivate user accounts).

When the server receives these requests, it processes them, normalizes any data mismatches, and sends your system an update describing the change. Your app then processes that update accordingly, whether that’s setting up new accounts, updating details of existing users, or deactivating accounts.

Simply put, the SCIM server acts as a bridge between your customer’s user directory and your app and exists purely to make sure your system and your customer’s directories stay in sync.

This is a big plus for your customers who are managing the hundreds and thousands of apps their employees use. SCIM dramatically reduces their administrative overhead by eliminating the need to manually manage access.

Do you need a separate SCIM server for every customer?

SCIM servers use standardized API endpoints defined in the SCIM spec. This standardization is designed to be compatible with the widest possible range of identity providers and directories — provided they’re SCIM-compliant.

So no, you don’t need a separate SCIM server for every customer or user directory. Just make sure your endpoints follow the SCIM guidelines and that your SCIM server’s infrastructure can handle multiple requests at once.

But keep in mind: not every IdP follows the SCIM spec to the letter…
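What that caveat means for a single deactivation request, as an added example (not code from this article or from WorkOS): a tolerant parser that reads the `active` flag out of a SCIM PatchOp body whether the client sends it with a path, without one, or as a string. The sample bodies are constructed and the function names are hypothetical.

```python
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def to_bool(value):
    """Accept a JSON boolean or the strings "true"/"false" in any letter case."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"unrecognised 'active' value: {value!r}")

def extract_active(patch_body):
    """Return True/False if the PATCH sets 'active', or None if it leaves it alone.

    Raises ValueError on anything it cannot interpret, so the endpoint can
    answer with an error instead of silently skipping a deactivation.
    """
    if PATCH_SCHEMA not in patch_body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = None
    for op in patch_body.get("Operations", []):
        name = str(op.get("op", "")).lower()  # tolerate "Replace" as well as "replace"
        if name not in ("add", "replace"):
            continue
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict) and "active" in value:
            result = to_bool(value["active"])  # form: {"value": {"active": false}}
        elif isinstance(path, str) and path.lower() == "active":
            result = to_bool(value)            # form: {"path": "active", "value": false}
    return result

def make_patch(*operations):
    """Wrap operations in a PatchOp envelope (helper for the samples below)."""
    return {"schemas": [PATCH_SCHEMA], "Operations": list(operations)}

# Constructed request bodies: three spellings of "deactivate", one unrelated edit.
SAMPLES = {
    "path_bool": make_patch({"op": "replace", "path": "active", "value": False}),
    "no_path": make_patch({"op": "replace", "value": {"active": False}}),
    "string_value": make_patch({"op": "Replace", "path": "active", "value": "False"}),
    "unrelated": make_patch({"op": "replace", "path": "displayName", "value": "Ada"}),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, extract_active(body))
```

A parser that only understood the first form would leave the other two accounts active after the directory had deactivated them.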

How much does a SCIM server cost?

Your SCIM server costs will depend on whether you use a paid solution or an open source provider.

Most paid SCIM providers charge based on Monthly Active Users (MAU) or per-company (flat-rate) charges:

  • Monthly Active Users (MAU): This model bills you based on the number of unique users who are actively provisioned via SCIM per month. It's dynamic and fluctuates with your actual usage, making it ideal if you just have a few customers with relatively few employees. However, it’s hard to budget for, especially as you scale.

    For example, if the SCIM provider charges $0.50 per MAU and your app starts with 1,000 active users, the initial cost would be $500 monthly. As the app gains traction and you onboard more companies, it becomes very difficult to predict pricing without knowing the number of users each company will want to provision.
  • Per company charges: With this model, you’re billed a flat rate for each company you connect to regardless of the number of users it provisions. It's a fixed cost that provides unlimited access to the SCIM server's capabilities within the agreed terms. Budgeting is simpler with predictable, fixed costs. It's particularly advantageous if you’re signing more companies with lots of employees, as the cost per user decreases with scale.

    For example, if a SCIM provider charges $125 per company per month, the number of employees in each company won’t matter; the cost remains constant.

If you opt for an open source solution, you may save some of the upfront costs because you’re bypassing licensing fees. However, your total cost of ownership may still be high. You’ll have to cover the costs of deploying, customizing, maintaining, and updating your server. The scope of these expenses will depend on how complex the SCIM server is and the expertise of your in-house engineering team. There’s also the potential of the project going dormant — you may find yourself with a costly migration on your hands.

So, be very careful when choosing a SCIM provider: the pricing model and total investment should not only fit your current operational needs but should also be sustainable in the long run.

How to create a SCIM server

1. Choose a provider

There is a wide variety of SCIM providers on the market today, both open-source and paid.

Open-source is great if: You want to self-host or keep costs down.

Paid providers are great if: You want to support every IdP, you want integration support or you need more advanced features.

One open-source option worth considering is i2SCIM. It’s a Kubernetes deployable server designed to be extremely flexible. Unlike most SCIM servers, it operates as a generalized SCIM engine, allowing you to configure endpoints and schemas in JSON, without being bound to fixed resource types. It's flexible as it allows custom attributes for specific needs, and has a built-in events interface that can be used to trigger async events and notifications every time there’s a change in directories you’ve connected to.

The issue is that, like any open-source solution, the configuration process can be quite complex: it requires a lot of prior knowledge and may take a bit of time to set everything up securely. Additionally, IdP compatibility might not be as good as with a paid provider. For example, it might not address group fragmentation and leaves it up to you to standardize group behaviors across providers.

For a managed and developer-friendly solution that doesn’t require a lot of manual configuration, go for a paid provider like Directory Sync by WorkOS.

It’s much simpler to configure than an open-source solution, with easy-to-use SDKs and APIs, thorough documentation, and on-demand support provided via Slack in case you need help. Plus, it’s pretty affordable — you only have to pay $125 per connection per month — with automatic bulk discounts applied when you reach higher volumes.

2. Install it in your application

Use the WorkOS SDK for your programming language to install Directory Sync.

3. Set up the secrets

To set up WorkOS Directory Sync, you'll first need to obtain the API key and client secret from your WorkOS dashboard.

Make sure you store these secrets securely (in a .env file or a secrets management system) — they’re what identifies your app on WorkOS; in the wrong hands, a bad actor could impersonate your application and gain access to confidential user information from your customers.

4. Implement event handling

Events refer to specific requests from your customer’s IdP, like creating a user, updating user data, creating group memberships, deleting a user, etc.

Your app must be able to receive these events as they happen to sync the user’s status in your app with their status in the IdP.

There are two ways to go about it with WorkOS – webhooks or the Events API.

Webhooks instantly notify you of changes in your customer’s IdP, but one of their major downsides is that they don’t always arrive in order. You may process events out of order and end up granting access to users you shouldn’t. They may also overload your app during peak times.

The Events API is more efficient – it delivers events in order and lets you process these events at your own pace – your app never has to process more events than it can handle.
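The out-of-order risk described above, as an added example (not WorkOS code): an order-blind handler next to one that compares each event's timestamp with the last one applied and keeps a tombstone for deleted users. The event names, fields and timestamps are constructed for illustration, and the guard assumes the event timestamp reflects when the change happened in the directory.

```python
from datetime import datetime

def naive_apply(users, event):
    """Last-delivered-wins: what an order-blind webhook handler does."""
    users[event["data"]["id"]] = event["event"] != "user.deleted"

class DirectoryState:
    """Tracks each user's access plus the timestamp of the event that set it."""

    def __init__(self):
        self.users = {}  # user_id -> {"active": bool, "as_of": datetime}

    def apply(self, event):
        """Apply one event; return False if it is not newer than what we hold."""
        user_id = event["data"]["id"]
        ts = datetime.fromisoformat(event["created_at"])
        held = self.users.get(user_id)
        if held is not None and ts <= held["as_of"]:
            return False  # stale or duplicate delivery: ignore it
        # A delete leaves a tombstone (active=False) instead of dropping the
        # record, so a late "created" cannot resurrect the account.
        self.users[user_id] = {"active": event["event"] != "user.deleted", "as_of": ts}
        return True

    def has_access(self, user_id):
        held = self.users.get(user_id)
        return held is not None and held["active"]

# Constructed events (hypothetical shape): created at 10:00, deleted at 10:05,
# but delivered in the opposite order.
CREATED = {"event": "user.created", "created_at": "2024-05-01T10:00:00+00:00",
           "data": {"id": "user_01"}}
DELETED = {"event": "user.deleted", "created_at": "2024-05-01T10:05:00+00:00",
           "data": {"id": "user_01"}}
DELIVERED = [DELETED, CREATED]

def replay(events):
    """Return (naive_access, guarded_access) for user_01 after processing events."""
    naive, guarded = {}, DirectoryState()
    for ev in events:
        naive_apply(naive, ev)
        guarded.apply(ev)
    return naive.get("user_01", False), guarded.has_access("user_01")

if __name__ == "__main__":
    print(replay(DELIVERED))
```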

5. Create a connection to the IdP

Finally, establish a connection between your SCIM server and the IdP.

From the WorkOS dashboard, you can configure the connection manually or invite an admin and let them configure the connection themselves — the latter option is much faster since there’s no need for a back and forth, mapping attributes over Zoom calls or dealing with messy connection issues.

FAQ

What is the difference between a SCIM client and a SCIM server?

The SCIM client (usually the identity provider) sends provisioning requests to the SCIM server. The SCIM server processes these requests, communicating with your app to update the user’s status in your system accordingly (e.g. creating or deactivating a user account).

What problem does SCIM solve?

SCIM cuts down the manual work of adding, updating, or removing user details by automating the user provisioning and deprovisioning process. It makes life easier for IT admins as they don’t need to manually manage user access and permissions in every app a user uses.

What is the difference between SSO and SCIM?

SSO (Single Sign-On) allows users to access multiple apps from a single place. It focuses on access authentication. SCIM automates the management of user accounts and permissions across different systems and keeps user data synchronized.

Conclusion

Building a great SCIM server starts with picking the right provider. You’ll want one that’s easy to integrate with your existing system, won’t break the bank, scales with you as your customer base grows, and has a self-serve onboarding flow for your customers.

Directory Sync covers all of this — it allows you to connect your app to all major identity providers like Okta, Microsoft Entra, and OneLogin alongside HRIS platforms like Rippling, not to mention custom directories with SCIM 2.0 support via a simple API-based integration.

  • Get started fast: With SDKs for every popular platform, and Slack-based support, you can implement Directory Sync in minutes rather than weeks.
  • Events-based processing: WorkOS’s Events API means every SCIM request is processed in order, and in real-time. You’ll never miss a provisioning request again.
  • Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard — whether they’re syncing 10 or 10,000 users with your app.

Explore Directory Sync by WorkOS.
