What is a SCIM Connector and Which One Should You Use?

Discover what a SCIM connector is, why it's useful, and explore our top 3 picks for SCIM connectors to consider for improving your system's integration and management.


SCIM provisioning is a must-have feature for any app targeting enterprise clients. The protocol significantly reduces your clients’ admin burden by automating the creation, management, and deactivation of user accounts in your app.

While you can always build your own SCIM solution, most developers prefer to offload the complexities of integrating with multiple identity providers to a SCIM connector.

In this article, we’ll walk you through what exactly a SCIM connector is, why you should use one, and our top 3 recommendations for SCIM connectors you should consider.

What is a SCIM Connector?

Think of a SCIM connector as the middleman between your app and any SCIM-compliant identity providers (such as Okta and Microsoft Entra). It acts as a centralized point of integration that your app uses to connect to multiple providers.

Rather than building your own SCIM endpoint from scratch, you use a prebuilt SDK or a simplified API to communicate with the connector, which in turn communicates with your customers’ IdPs to keep your app in sync with any user provisioning or deprovisioning requests.

Whenever an IdP makes a change to how their SCIM integration works, the SCIM connector ensures that your app stays up-to-date and compatible without your dev team lifting a finger.

Why integrate with a SCIM Connector?

When building a SCIM integration, you can either build your own SCIM endpoint, which your customers’ IdPs send requests to directly, or use a SCIM connector instead.

With a SCIM endpoint, you have to design and code the SCIM API yourself, not to mention handle security and ongoing maintenance. You’ll also have to write logic to parse SCIM requests, map custom attributes to your app’s data model, and handle authentication and authorization for security purposes.

If that wasn’t enough, you’re also responsible for testing and for making sure your integration is interoperable with all the IdPs your customers use, from big names like Okta and Microsoft Entra to open source providers like Authelia.

So even though implementing your own SCIM endpoint does give you full control over how user identity is processed, your implementation can get complicated really fast.
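As an added illustration of the parsing work described above (example code, not from WorkOS or any provider), the sketch below extracts a change to the `active` attribute from a SCIM 2.0 PATCH body. It tolerates two encodings of the same deactivation, with and without a `path`, so that a deprovisioning request is not silently ignored; the sample bodies and the function names are constructed for this example.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _to_bool(value):
    """Accept a JSON boolean or the strings 'true'/'false' in any case."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"unsupported value for 'active': {value!r}")

def parse_active_change(body):
    """Return the new 'active' flag a PATCH body sets, or None if it sets none."""
    doc = json.loads(body)
    if PATCH_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = None
    for op in doc.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            continue
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict):
            # No path: the value is an object of attribute name -> new value.
            for name, new in value.items():
                if name.lower() == "active":
                    result = _to_bool(new)
        elif isinstance(path, str) and path.lower() == "active":
            result = _to_bool(value)
    return result

def _patch(*operations):
    return json.dumps({"schemas": [PATCH_SCHEMA], "Operations": list(operations)})

# Constructed sample bodies (not captured from any provider).
WITH_PATH = _patch({"op": "Replace", "path": "active", "value": "False"})
WITHOUT_PATH = _patch({"op": "replace", "value": {"active": False}})
RENAME_ONLY = _patch({"op": "replace", "path": "displayName", "value": "A. Example"})

if __name__ == "__main__":
    for label, body in [("with path", WITH_PATH), ("without path", WITHOUT_PATH),
                        ("rename only", RENAME_ONLY)]:
        print(label, "->", parse_active_change(body))
```
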

A SCIM connector significantly simplifies the integration process by:

  • Centralizing connections: You can configure connections to multiple SCIM-compliant identity providers from a single platform. Some, like WorkOS, even have an admin portal you can share with your customers to let them configure the connection themselves.
  • Normalizing data across multiple providers: Identity providers may have slightly different implementations of the SCIM standard and use different attribute labels (like ‘surname’ vs. ‘lastName’). SCIM connectors standardize these labels so your app receives user data in a uniform format.
  • Handling SCIM requests at scale: As the number of SCIM requests increases, your SCIM endpoint must process these requests without significant delays. Unfortunately, the SCIM protocol doesn’t support rate limiting. Your endpoint might receive more requests than it can handle, leading to slow response times or even system crashes, which may lead to synchronization issues between your customer’s IdP and your app.

Some SCIM connectors support rate limiting and control the flow of requests to your SCIM endpoint, allowing you to process them at a rate your system can handle.

Below are the top 3 SCIM connectors worth considering:

WorkOS

WorkOS’ Directory Sync is the most feature-complete SCIM connector on the market.

It’s a set of developer-friendly APIs and tools that let you connect to all the major directory providers (such as Okta, OneLogin, Microsoft Entra, and Ping Identity), as well as popular HRIS platforms (like Workday and Rippling). You can find the full list of supported directory providers on the integrations page.

Here are some of the features of WorkOS’ Directory Sync that make it stand out among competitors:

  • Events API: Most SCIM connectors use webhooks for directory updates. The problem with webhooks is that they don’t guarantee events will arrive in order (you may end up processing a stale event after a new one), are highly variable in implementation from provider to provider, and while they can support rate limiting, this feature largely depends on the provider.
  • The Events API is seamless: Events are ordered sequentially as they occur, can be retrieved after delivery (you can go back to an event and reprocess it if needed) and they’re extremely flexible (you can process events at your own pace depending on what your system can handle).
  • Normalized attributes: Identity providers often label the same data in various ways (think email and email_address), leading to inconsistent data formats that can be tricky to process. Directory Sync normalizes the attributes for you, meaning you get consistent data from all your customers’ IdPs.
  • Easier customer onboarding: WorkOS provides an admin portal that can be sent to your customer’s IT admin. The portal lets them configure your connection to their IdP, or map any custom attributes you need.
  • Thorough documentation: The WorkOS docs are extremely in-depth and thorough. They’re easy to read, packed with examples, and even include complete sample apps in multiple programming languages that you can reference. And if you have a question not covered in the docs, you can always reach out to the team directly from Slack.
  • Straightforward pricing: Unlike competitors who use scaling monthly active users (MAU) based pricing, Directory Sync pricing is straightforward and easy to forecast at $125 per month for each company you onboard. WorkOS automatically applies bulk-volume discounts, and while a sales team is on hand if required, you can self-service with transparent, upfront pricing.
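The out-of-order webhook problem described in the Events API item above matters most for deactivations: a stale "activated" event processed after a newer "deactivated" one re-enables an account that should stay disabled. The following added example (not WorkOS code) contrasts a last-delivery-wins handler with one that skips events older than the newest already applied; the event field names and type strings are hypothetical and do not reflect any provider's webhook format.

```python
from datetime import datetime

def apply_naive(active, event):
    """Last delivery wins: a late, older event overwrites newer state."""
    active[event["user_id"]] = event["type"] == "user.activated"

class OrderedState:
    """Tracks the newest event applied per user and skips anything older."""

    def __init__(self):
        self.active = {}        # user_id -> bool
        self.last_applied = {}  # user_id -> timestamp of newest applied event

    def apply(self, event):
        """Apply one event; return False if it was stale and was skipped."""
        user = event["user_id"]
        when = datetime.fromisoformat(event["occurred_at"])
        newest = self.last_applied.get(user)
        if newest is not None and when <= newest:
            return False  # stale or duplicate delivery
        self.active[user] = event["type"] == "user.activated"
        self.last_applied[user] = when
        return True

# Constructed deliveries: the deactivation arrives before the older activation.
DELIVERIES = [
    {"user_id": "u1", "type": "user.deactivated", "occurred_at": "2024-05-01T10:05:00+00:00"},
    {"user_id": "u1", "type": "user.activated", "occurred_at": "2024-05-01T10:00:00+00:00"},
]

def replay_naive(events):
    active = {}
    for event in events:
        apply_naive(active, event)
    return active

def replay_ordered(events):
    state = OrderedState()
    applied = [state.apply(event) for event in events]
    return state.active, applied

if __name__ == "__main__":
    print("naive:  ", replay_naive(DELIVERIES))
    print("ordered:", replay_ordered(DELIVERIES))
```

If the sender supplies a monotonically increasing sequence number, compare that instead of the timestamp.
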

SCIM provisioning is not the only identity solution offered by WorkOS. You can handle all your enterprise authentication needs from a single WorkOS integration – like Enterprise Single Sign-On (SSO) and audit logs.

Frontegg

Frontegg is an end-to-end user management platform for B2B SaaS apps. On top of other features like SSO, it also supports SCIM provisioning for identity providers like Okta and Azure AD.

Frontegg’s standout feature is its self-service provisioning capability. Through the Frontegg Admin Portal, your customer can easily set up their SCIM connection by themselves and configure the user attributes and roles they use within their IdP.

And, like many SCIM connectors, Frontegg uses webhooks to send directory updates from your customer’s IdPs to your app.

One of the downsides of using Frontegg as a SCIM connector is that SCIM provisioning is only available by request: you have to speak to Frontegg to enable it in the admin portal. Worse still, the pricing is not exactly transparent, and you’ll have to contact their sales team for details.

This lack of upfront availability and hidden SCIM pricing could be a hurdle if you want to quickly compare it with other competitors in the market before you commit.

Stytch

Stytch is a comprehensive authentication service that offers end-to-end user authentication services.

It stands out in the market, particularly for its focus on both consumer authentication and B2B authentication, making it a good option if you have both an enterprise and a general consumer customer base.

SCIM provisioning is one of the latest additions to their B2B authentication service (though it’s still in early access). That said, according to their docs, you can use it to connect to multiple identity providers and, similarly to Frontegg, receive directory updates to your app via webhooks.

Like Frontegg, one downside of using Stytch as your SCIM connector is that the pricing is unclear. SCIM is included in their custom tier and you’ll have to contact their sales team to get a quote.

FAQ

What is a SCIM Connector used for?

A SCIM connector acts as the middleman between your customer’s IdP and your app. Instead of directly processing requests from your customer’s IdP, you connect to the SCIM connector and it communicates all the directory updates made by your customer’s admin to your app.

What are some examples of SCIM Connectors?

Examples of SCIM Connectors include WorkOS, Frontegg, and Stytch.

Do you have to use a SCIM Connector?

You don’t have to use a SCIM connector but it’s highly recommended if you’re connecting to multiple SCIM providers. It significantly reduces your workload by giving you a single platform for connecting to multiple providers. If you want to build your own endpoint from scratch, read this article instead.

Finishing up

The SCIM connector you choose will hinge on several factors:

  • Your current authentication stack
  • Your budget
  • Your need for scalability
  • Your desired customer onboarding experience

If you want the most scalable, developer-friendly solution with per-company pricing, choose WorkOS’ Directory Sync. It allows you to quickly connect to all major corporate identity providers with a straightforward, API-based integration.

  • Get started fast: With SDKs for every popular platform, and Slack-based support, you can implement Directory Sync in minutes rather than weeks.
  • Events-based processing: WorkOS’ Events API means every SCIM request is processed in order, and in real-time. You’ll never miss a provisioning request again.
  • Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges for each company you onboard, whether they’re syncing 10 or 10,000 users with your app.

https://workos.com/directory-sync
