Unlocking the power of SCIM: streamlining enterprise user management
Learn what SCIM stands for, how it simplifies provisioning and access control, and why you should support it.
Most startups are familiar with SSO and why it’s important, but less so with SCIM and user provisioning. Yet, across our customers, we’ve seen that SCIM is crucial in selling to larger enterprises with complex IT needs and hundreds to thousands of users who need access.
This post will walk you through SCIM basics, how it works, its benefits and key features, why you should implement it, and how WorkOS can help you with that. We’ll start by discussing how SCIM works.
SCIM basics and how it works
SCIM stands for System for Cross-Domain Identity Management, and it’s the default protocol for what we in the enterprise world call “directory sync.” Directory sync is a single source of truth for your app’s users. SCIM is a standard protocol that makes it easier to manage user identities across different systems and apps. Basically, it’s a way to automatically handle things like creating, updating, and deleting user accounts in multiple places without needing to do it manually every time.
Directory sync is about more than just who someone is (like their name and email) though. It’s also about what role they occupy in their organization, and what implications that might have for access management in the app you’re building.
Imagine you work at GitHub, and you’re in contract negotiations with Google, trying to close them as a customer. As of 2024, Google has more than 100,000 engineers (conservatively). Each one of these people needs access to different SaaS tools to get their jobs done. Without directory sync, every time Google buys a new piece of software, they (well, their IT admins) would need to manually create accounts for every user that needs access to the software, manually revoke access when those employees leave the company, manually decide which permissions each user should have, and the list goes on.
And lest you think that nobody would actually ever do this, you’d be wrong. Many state-of-the-art SaaS tools today still require IT admins to manually upload CSV files with user names, emails, and roles at a static point in time. At a publicly traded company that shall remain nameless, this is how they handled B2B accounts: they required their customers to upload CSV files to a web portal. At one particular customer, when the program admin who handled this upload process left, nobody else knew how to do it. Years later, the customer’s new finance head was investigating why they were paying so much for the tool, realized there were a ton of seats that had never been deprovisioned, and ended up canceling the entire contract.
Directory sync exists to solve this problem: instead of doing all of this work manually, your application talks to Google’s IdP and automatically gets the information about their organization. Google’s IdP already knows which users exist and which groups each user belongs to, and an IT admin can simply map those groups to the right permissions in your app.
The SCIM idea is simple, but implementing it is…not. You can read more in depth about SCIM and what it takes to implement it here.
Benefits of SCIM provisioning
You can group the benefits of SCIM (and there are many) into a few categories:
- Automatic deprovisioning to eliminate security vulnerabilities.
- Pre-provisioning user accounts instead of manually adding and removing users.
- Automated access management instead of manually assigning groups and roles.
- More accurate, simpler billing instead of manually tracking seats.
- Syncing additional user attributes to bring useful external data into your app.
Let’s go more in depth on each.
Automatic deprovisioning
SCIM automatically removes users when they leave a company. When a user offboards and gets removed from an organization’s IdP, your app will automatically get notified of that change so you can deprovision their account on your end. End-to-end automation of this process eliminates the chance that someone will forget to revoke a user’s access until after they’ve left the company.
This is something that you can only do with SCIM. If you’re just using SSO, there’s no way for your app to be proactively notified when a user needs to be deprovisioned. The IT admin is at the mercy of the session length: the user’s access only ends once their existing session expires.
Pre-provisioning user accounts
With SCIM-based directory sync, IT admins (or you) don’t need to add user accounts to your application manually; instead, they sync automatically through your customer’s IdP. The obvious benefit is reducing manual work. Another one is it gives users immediate access — they don’t have to wait around for IT to set up accounts, which is a big win when you’re onboarding a lot of people.
Back to our Google example. They’ve got thousands of software engineers, all of whom you want to be engaged and using GitHub.
Without SCIM, you’re kind of at the mercy of your sales team (or whoever has a relationship with champions at Google) to continue reminding Google that their engineers should create and use GitHub accounts; after all, they’re already paying for them. With SCIM though, you already know – via the IdP – who each developer is, what their email is, and what groups they’re in. So you can, say, send them an email saying something like:
“Hey. Your organization is using GitHub to manage their code. You can get started here.”
For businesses like Figma, Slack, and Notion that heavily rely (or once upon a time, did rely) on product-led growth, improving seat utilization is critical to improving net dollar retention. The more users actively use your product, the better your case is for renewal next year. And if you can show that all of the seats that an enterprise purchased are being actively used, it’s much easier to argue for expansion to more of them.
This is helpful if you do usage-based billing, too. Even if you don’t charge per seat, the more seats you have filled, the more people there are to do whatever things you charge for.
Automated access management
SCIM syncs user roles and permissions from the organization’s IdP, which is especially useful for large teams. As employees switch roles, SCIM updates their access in real time, preventing potential security gaps and saving IT from manual updates.
Companies that use Just-in-Time (JIT) provisioning, which creates an account at a user’s first login, don’t benefit from these continuous access updates: the app only learns about a user’s attributes at the moment that user authenticates.
There are potential vulnerabilities involved with access management, too. In the same sense that an employee who no longer works at a company needs to be deprovisioned immediately, someone who changes internal status needs to have their roles and permissions updated immediately too.
For example, imagine a user of your tool switches teams from engineering to management. Without SCIM, an IT admin would need to manually go into GitHub, remove them from the engineering group, and add them to the management group. In the time before that gets done, the employee has access to engineering resources that they shouldn’t. With SCIM though, this happens immediately and automatically once the IT admin updates the groups in the IdP.
It’s worth mentioning that you can hack SSO to get access management to work, but it will be a terrible experience: you will need to force users to re-authenticate every time there’s a group or role change, which means it won’t solve any of the security issues. SCIM was created specifically to solve this problem and you should use it.
More accurate, simpler billing
This one is pretty straightforward. SCIM gives you a convenient mechanism for accurately measuring how many seats to bill for and when. A common billing-related issue is that a user no longer works at your customer, but their seat wasn’t deprovisioned in your tool, so the customer is still paying for them. For GSuite users among us, the sting of realizing you’ve been paying for an email account for a user that hasn’t worked here in 6 months is probably somewhat familiar.
With SCIM though, users automatically get deprovisioned when they’re removed from the IdP, so you have automated guarantees that your customers aren’t being charged for seats they’re not using.
Additionally, SCIM allows applications to easily provision “reviewer” roles in collaborative platforms like Loom, Vercel, and Netlify. These “reviewer” roles often do not count towards seat usage, and SCIM ensures accurate billing by only charging for more active roles, such as “owners” and “members.”
A good example is Loom. They have 3 roles in the product: default, viewer, and editor. Viewers are free, and editor roles are charged per seat. SCIM allows them to sync these roles from a customer’s IdP and be dead sure exactly how many editors (billed seats) there are, so they can bill their customers accurately.
Syncing additional user attributes
Some applications require more than just basic groups and roles to provide a nice-to-have feature. Basic examples include profile URLs, preferred name, title, etc. Not having this information wouldn’t fundamentally break your application, but it’s nice to have. So syncing these attributes via SCIM can help you provide that extra mile to your customers.
But there’s another use case where these kinds of attributes are more than just nice-to-have. For spend management platforms like Brex, the title of a user and what team they’re on determines important information within the application, primarily the size of the budget they have access to.
For workspace management solutions like Tactic, enriching data syncs with information like departments, office locations, and profile pictures allows them to deliver a richer, more personalized in-app experience for their end users.
This is arguably a core feature within the app, and it depends on information synced via SCIM that goes beyond just groups and identity.
The only way to automate this in real time is through SCIM.
Key features of SCIM provisioning
These are the most important features of SCIM provisioning:
- Automatic account creation (provisioning): Automated account creation, or “provisioning,” means that new user accounts in an app are created instantly whenever a user is added to your customer’s IdP. The IdP’s SCIM client takes that initial setup information and sends a provisioning request to each connected app. The app receives all necessary data — like username, role, department, and other attributes — from the IdP and sets up the account accordingly, typically with appropriate default permissions.
- Attribute syncing (automated account updates): When updates are made in the IdP (e.g., an employee’s title changes from “Developer” to “Lead Engineer”), SCIM instantly sends an update request to all connected applications. This request includes information on which attributes the app should update, such as job title, department, and access permissions.
- Automated account removal (deprovisioning): When an employee is offboarded from an organization, they’re removed from the IdP. SCIM detects this change and notifies all integrated apps to deactivate or delete the user’s account. This automation ensures that access is revoked across the board — removing any lingering permissions or access rights the employee may have had.
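As an added illustration (not code from this post or from WorkOS), here is a minimal in-memory model of the three lifecycle operations listed above, together with the group-to-role mapping from the access management section and the seat counting from the billing section. The schema URNs are the standard SCIM 2.0 ones; the group names, role names and the `ScimDirectory` class are constructed for the example.

```python
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Constructed mapping from the customer's IdP group names to app roles
# (hypothetical names). Roles are set only via groups, never via PATCH /Users.
GROUP_ROLES = {"Editors": "editor", "Viewers": "viewer"}
BILLABLE_ROLES = {"editor"}                  # only editors consume a paid seat
PATCHABLE = {"active", "title", "userName"}  # attributes the IdP may replace

class ScimDirectory:
    def __init__(self):
        self.users = {}  # in-memory stand-in for the app's user table

    def create_user(self, body):
        """POST /Users: provision an account from the IdP's SCIM User resource."""
        if USER_SCHEMA not in body.get("schemas", []):
            raise ValueError("unsupported schema")
        user = {"id": f"u{len(self.users) + 1}", "userName": body["userName"], "role": "default",
                "active": body.get("active", True), "title": body.get("title", "")}
        self.users[user["id"]] = user
        return user

    def patch_user(self, user_id, body):
        """PATCH /Users/{id}: attribute sync; {"active": false} is deprovisioning."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("unsupported schema")
        user = self.users[user_id]
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError(f"unsupported op {op['op']}")
            # "path" form ({"path": "active", "value": false}) or a bare value dict
            changes = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
            for attr, value in changes.items():
                if attr not in PATCHABLE:  # refuse mass assignment of e.g. "role"
                    raise ValueError(f"attribute {attr} is not patchable")
                user[attr] = value
        return user

    def sync_group(self, display_name, member_ids):
        """Group membership from the IdP: grant the mapped role to members, strip it from everyone else."""
        role = GROUP_ROLES.get(display_name)
        if role is None:
            return  # group not mapped to any app role; ignore it
        for user in self.users.values():
            if user["id"] in member_ids:
                user["role"] = role
            elif user["role"] == role:
                user["role"] = "default"  # left the group: access goes with it, no re-login needed

    def billable_seats(self):  # seats to bill: active users holding a billable role
        return sum(u["active"] and u["role"] in BILLABLE_ROLES for u in self.users.values())
```

A deactivated user keeps their row (SCIM clients may later set `active` back to true), but stops counting as a seat the moment the PATCH lands.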
How SCIM simplifies identity management
Any updates made in the IdP, like adding a new employee or changing a user’s role/permissions, are immediately synced across all applications. Without SCIM, these updates would typically require individual configuration in each app, which increases the chances of data inconsistencies, security gaps, or missed updates.
For example, when a new software engineer joins, SCIM automatically creates their account in connected tools like GitHub, Slack, and Jira, with the correct permissions based on their role. This saves time and ensures access is accurate from day one.
Another example is if an employee switches departments and now requires different access levels, SCIM syncs this change across all applications in real time. So, when a marketing specialist moves into a product role, their permissions in tools like Salesforce and Confluence adjust automatically, reflecting their new role without any manual updates from IT.
Finally, if an employee leaves, SCIM instantly removes their access across all applications. Without SCIM, IT would have to remember to manually revoke access in each app, increasing the risk of lingering, unused accounts.
Why SCIM is crucial for enterprise security
SCIM is a big deal for enterprise security. Here’s why:
- Instant offboarding, no loose ends: When employees leave, SCIM makes sure their access is removed instantly across every app. This automatic deprovisioning closes the door on potential security issues from former employees who might otherwise retain access they shouldn’t.
- Real-time permissions updates for role changes: With SCIM, when someone gets promoted, switches teams, or changes roles, their permissions adjust right away across all connected apps. This means people only have the access they need exactly when they need it. No more delays or outdated permissions hanging around that could become security gaps.
- Less human error with centralized control: SCIM syncs all user data straight from the Identity Provider (IdP), so IT doesn’t need to update permissions manually in each app. This centralized control means fewer mistakes, like missed revocations or incorrect permissions, which can slip through when you’re doing things app by app.
- Built-in audit trails for compliance: Nearly all SCIM providers automatically log every provisioning, update, and deprovisioning action, which matters in industries where compliance is a concern. Having these logs on hand simplifies audits and shows exactly who had access to what and when.
The WorkOS advantage
SCIM fundamentally reshapes identity management by automating the core user lifecycle and making it significantly easier to manage access across apps. By linking each app to a single source of truth — the organization’s IdP — SCIM eliminates data fragmentation and inconsistent access permissions. However, implementing SCIM comes with a lot of challenges. To learn more about them, see these resources:
- Implementation challenges of a homegrown SCIM solution
- SCIM challenges: navigating the idiosyncrasies of different providers
- Build vs buy part I: complexities of building SSO and SCIM in-house
- SCIM complexity explained: tackle group fragmentation
Instead of building SCIM in-house, you can use a provider that has already done this work for you. With WorkOS, you can drastically cut down on the total cost of ownership with APIs you can integrate in one sprint. Some of the fastest-growing startups like Vercel, Loom, and Webflow use WorkOS Directory Sync to provide seamless user lifecycle management for their enterprise customers.
Instead of diving into the technical weeds of the SCIM protocol and handling each IdP’s unique requirements, Directory Sync by WorkOS lets you integrate with all the major directories like Okta, Microsoft Entra, Google Workspace, and any other SCIM-compliant provider with just a single integration.
Check out these benefits:
- Get started fast: With SDKs for every popular platform and Slack-based support, you can implement Directory Sync in minutes rather than weeks.
- Events-based processing: While webhooks are also supported, WorkOS’s Events API means every SCIM request is processed in order and in real time. You’ll never miss a provisioning request again.
- Avoid the back-and-forth: WorkOS’s Admin Portal takes the pain out of onboarding your customers’ IT teams and configuring your app to work with their identity provider.
- Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard — whether they’re syncing 10 or 10,000 users with your app.