The Top 3 SCIM Providers for 2024


If you’re building a SaaS app which sells to enterprise customers, the chances are you’ve been asked - or are about to be asked - to support SCIM by your prospect’s IT team.

While you can always put together your own homegrown SCIM solution, most developers prefer to outsource this particular piece of the authentication puzzle to a 3rd party platform with expertise in providing a scalable, reliable and easy solution.

But when it comes to choosing a SCIM provider, the problem can be more complicated than it first appears: Does the provider work with every identity provider or Human Resources Information System you’ll need to support? Does it scale to support thousands of SCIM events per day? What does the onboarding process look like for your customers’ IT department?

In this article, we’ll walk you through exactly what SCIM is, what to look for when selecting a SCIM provider and our top 3 recommendations for SCIM providers to cover any use case.

What is SCIM, and do you need a SCIM provider?

SCIM is a REST-based standard which allows apps and identity providers (IdPs) or Human Resources Information Systems (HRISs) to exchange user provisioning information. 

The protocol can be used to manage things like:

  • User Provisioning: Including all of the necessary information needed to get a user added to an app or service.
  • User Deprovisioning: Securely removing access to your app once an employee leaves your customer’s business, or just no longer needs access.
  • User Permission Adjustments: For example, if your customer’s employee moves from being a junior role to a manager role then they may require corresponding permissions to be updated in your app.
  • Group Provisioning and Adjustment: Used to establish specific user groups which correspond to your customer’s organization.

When you sell to enterprise customers who require features like Single Sign-On (SSO), they’ll also expect your app to support SCIM so that they can automatically provision and deprovision their employees as appropriate. 

For example, if you have a customer support tool then your customer may want their new support employees to be automatically provisioned when they start on day 1 of their new job.

Often, IT teams will tie their HR systems (like Workday) together with their Identity Provider platform (like Okta, Microsoft Entra ID or Google Workspace) to enable this. They’ll expect you to support their identity provider’s SCIM solution out of the box.

Why use a SCIM provider?

While SCIM is an open standard - and on the surface seems relatively easy to support - there are a few complexities under the hood which can quickly soak up every engineering hour in your next two sprints.

As a result, many developers turn to a dedicated SCIM provider to take care of the implementation of SCIM and free up their time to work on their core, value-add features. 

Here are some of the hassles you’ll encounter when you try to implement SCIM:

  • Every Provider Uses it Differently: Most IdPs and HRISs use slightly different interpretations of SCIM. For example, expect to see slightly different attribute names across different systems - think firstName vs first_name.
  • SCIM Gets Difficult at Scale: In a large enterprise company with tens of thousands of employees, it’s not uncommon for hundreds of employees to require provisioning over the course of even just a day.
    And if you miss a single request, it could have serious contractual or security consequences with your customer. Supporting SCIM for large customers often requires you to go beyond webhooks and build a full event streaming implementation.
  • Onboarding Your Customer is a Pain: You’ll need to go back and forth with your customer’s IT department to map attributes, configure endpoints (URLs where the SCIM requests are sent) along with necessary authentication methods like OAuth tokens, and test if your provisioning setup is working.

How to choose a SCIM provider

While the problems in implementing SCIM are universal, the solutions are not. SCIM-as-a-service is a relatively new offering on the authentication market, and each provider approaches the problem differently, and with different levels of support.

Over the last 3 years, we’ve spoken to hundreds of developers looking for a SCIM provider and the same requirements come up every time. Here’s what you should look for in a SCIM provider:

  • Easy Integration: If you’re going to work with a provider, it needs to be easier than building it yourself. Look for a provider with an agnostic, API-based integration, plenty of SDKs to suit your chosen platform(s), and support for any major IdP or HRIS you’re likely to encounter.
  • Sensible Pricing: With the volumes of enterprise users you’re likely to be onboarding to your app, costs can quickly spiral out of control and are often a big driver for rolling your own SCIM support instead.
    Providers generally charge either based on the number of companies you’ve onboarded, or the number of monthly active users your customer is deploying on your app. We’ve included both options on this list, so pick the one which best suits your business model.
  • Done-For-You Onboarding: The best SCIM providers will give you a self-service onboarding flow or admin portal which you can send on to your customers’ IT teams. This cuts down the back and forth and makes your operation look professional.
  • Built for Scale: If you want to be able to support the biggest of enterprise clients and Fortune 100 companies, you’ll need a SCIM provider which can handle any volume of provisioning tasks, at any time. Look for a service which goes beyond mere webhooks and supplies real-time access to every provisioning event.

The Best SCIM providers

  • If you want the most scalable, developer-friendly solution alongside per-company pricing, choose WorkOS as your SCIM provider.
  • If you want pricing based primarily on monthly active users, as well as advanced security features, choose Frontegg.
  • If you want the cheapest MAU-based pricing and only need industry-standard security features, choose Stytch.

#1 WorkOS

WorkOS provides the most feature-complete SCIM offering on the market, Directory Sync. The product provides simple SDKs to integrate with any major corporate identity provider (Okta, Google, Microsoft Entra ID/Azure AD, etc.) or major HRIS (BambooHR, Workday, Rippling, etc.).

Unlike competitors which rely on webhooks, WorkOS provides a full Events API which allows developers to access every single provisioning event in real-time and in order. Webhooks can introduce a race condition when a user is provisioned or deprovisioned multiple times in quick succession. This typically results in inconsistent or out-of-sync user states in the application, which poses significant security risks due to potential access control anomalies.
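The webhook race described above, together with the missed-request risk from the earlier list of SCIM hassles, as an added Python example (not WorkOS code and not any provider's API). The event shape, the `seq` counter and every name here are assumptions, and the deliveries are constructed.

```python
from dataclasses import dataclass, field

# Constructed event shape (an assumption, not any provider's schema).
# "seq" is a per-directory counter the sender assigns in the order changes happened.
DELIVERED = [  # constructed deliveries, in arrival order
    {"id": "evt_1", "user": "alice", "seq": 1, "type": "user.activated"},
    {"id": "evt_3", "user": "alice", "seq": 3, "type": "user.deactivated"},
    {"id": "evt_3", "user": "alice", "seq": 3, "type": "user.deactivated"},  # retry
    {"id": "evt_2", "user": "alice", "seq": 2, "type": "user.activated"},    # late
    {"id": "evt_5", "user": "bob", "seq": 5, "type": "user.deactivated"},    # seq 4 never arrived
]

@dataclass
class DirectoryState:
    active: dict = field(default_factory=dict)    # user -> has access?
    last_seq: dict = field(default_factory=dict)  # user -> highest seq applied
    seen_ids: set = field(default_factory=set)    # event ids already handled

def apply_naive(state, event):
    """Trust arrival order: a late 'activated' overwrites a newer 'deactivated'."""
    state.active[event["user"]] = event["type"] == "user.activated"
    return "applied"

def apply_ordered(state, event):
    """Idempotent, order-aware apply: drop duplicates and out-of-date events."""
    if event["id"] in state.seen_ids:
        return "duplicate"
    state.seen_ids.add(event["id"])
    if event["seq"] <= state.last_seq.get(event["user"], 0):
        return "stale"
    state.last_seq[event["user"]] = event["seq"]
    state.active[event["user"]] = event["type"] == "user.activated"
    return "applied"

def missing_seqs(events):
    """Gaps in the sequence are changes that never arrived and must be re-fetched."""
    seqs = {e["seq"] for e in events}
    return sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)

def replay(apply, events):
    state = DirectoryState()
    return state, [apply(state, e) for e in events]

if __name__ == "__main__":
    for fn in (apply_naive, apply_ordered):
        state, results = replay(fn, DELIVERED)
        print(fn.__name__, state.active, results)
    print("missing:", missing_seqs(DELIVERED))
```

With the naive handler the deprovisioned user ends up active again; the ordered handler keeps her deactivated, and the gap check reports the change that was never delivered.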

WorkOS also stands out from other SCIM providers with flat-rate pricing of $125/month per company, which is considerably more affordable for most use-cases than paying by MAUs. Bulk pricing discounts are available and transparently shared on the pricing page.

Unlike sales-focused competitors, WorkOS as a company has been built from the ground up to be developer-centric, with best-in-class documentation, thoughtfully crafted APIs and on-demand support provided via Slack. 

A self-serve admin portal is also provided for your end customers, allowing their IT teams to easily configure their identity provider to work with your app. 

It’s worth noting that WorkOS isn’t just a SCIM provider - the platform can handle your full path to enterprise-readiness, with complete end-to-end support for User Management, Enterprise SSO, Audit Logs and more.

Explore Directory Sync by WorkOS.

#2 Frontegg

Frontegg is a done-for-you authentication provider, allowing developers to easily add SSO support to their apps for any IdP.

Frontegg complements its existing authentication-as-a-service suite with SCIM provisioning. This can be easily configured from their dashboard and supports the use of Webhooks for ingesting and handling provisioning events. 

Beyond SCIM, Frontegg also stands out for its Security Suite offering. These built-in security features are usually only available to FAANG and other large tech companies. 

For example, when a user logs on from one location and then logs on from another location too quickly to have physically traveled between those locations, Frontegg can flag this as a potential security issue and take action on it.

But where Frontegg really shines is with their MAU-based pricing. If you’re working with lots of enterprise customers, but have only a handful of MAUs per customer, then this type of pricing likely works out best for your use case.

With that said, it can be hard to get a handle on Frontegg’s complex pricing model as it spans seats, per-plan features, orgs (100 MAUs counts as 1 org), monthly-active-tenants and multi-user accounts. The pricing is explained here on their website, but it may be worth contacting their team to understand exactly how their pricing would work for you.

#3 Stytch

Like the other options on this list, Stytch is a full authentication-as-a-service platform offering services like SSO, multi-factor authentication and magic links. 

They’re particularly known for their easy integration of modern authentication paradigms like passkeys, biometrics and Web3 login options.

Stytch’s SCIM service is available in Early Access by application only, so the exact details of how well their provisioning implementation works are unclear right now.

With that said, the platform does have a much simpler, MAU-based pricing structure compared to Frontegg, and offers an extremely generous 5000 MAUs for free (albeit with Stytch-branded login and emails).

If you need MAU-based pricing or cutting-edge auth options, and you’re willing to apply to their early access, then Stytch is a solid option for you.

Conclusion

SCIM isn’t the most exciting technology choice you’ll make in your stack, but the implementation you do choose will dictate how many enterprise-grade customers your app can handle and how seamless the experience is for both those customers and your engineering team.

While pricing is an obvious factor in your decision, pay particular attention to:

  • The Onboarding Experience You’ll be Able to Offer Your Customers: Will your chosen SCIM provider offer a self-service, hosted onboarding portal you can share with your customers, or will your support team mediate the configuration process with your customers?
  • The Scalability of Your SCIM Provider: Will you have to rely on Webhooks, or does your SCIM provider offer real-time, in-order event streaming via API?

Still unsure which option is right for you?

Directory Sync by WorkOS allows you to quickly enable SCIM provisioning from all major corporate identity providers with a straightforward, API-based integration.

  • Get Started Fast: With SDKs for every popular platform, and Slack-based support, you can implement Directory Sync in minutes rather than weeks.
  • Events-based Processing: While webhooks are also supported, WorkOS’s Events API means every SCIM request is processed in order, and in real-time. You’ll never miss a provisioning request again.
  • Pricing That Makes Sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard - whether they’re syncing 10 or 10,000 users with your app.

Explore Directory Sync by WorkOS.
