How SCIM works
SCIM defines a REST API with a standard JSON schema for users and groups. An identity platform acts as the SCIM client: when a user is created, changed, or deactivated in the central directory, it pushes the corresponding create, update, or delete request to each connected application, which acts as the SCIM server.
The schema covers common attributes like user name, email, and active status, along with group memberships used to drive entitlements inside the application. Because SCIM 2.0 is a published IETF standard (RFC 7643 and 7644), any compliant application can be provisioned by any compliant identity platform without custom integration code.
Why SCIM matters
Manual account management does not scale and does not stay accurate. New hires wait days for access, role changes leave stale permissions behind, and departed employees keep active accounts, which is one of the most common audit findings and breach vectors. SCIM automates the full joiner-mover-leaver cycle so accounts always mirror the authoritative HR or directory record.
Deprovisioning is the highest-value piece: the moment an identity is disabled centrally, SCIM propagates the deactivation to every connected application. Combined with SSO, this gives organizations both instant access cutoff and clean per-application account hygiene, which SSO alone cannot provide.
SCIM in practice
A typical setup connects an authoritative source, often the HR system or a directory, to the identity platform, then enables SCIM provisioning per application with attribute and group mappings. Decisions include which attributes flow where, how conflicts are resolved, and whether deactivation means disabling or deleting the account; disabling is usually safer for audit trails.
Not every application supports SCIM, so mature platforms fall back to connectors, directory sync, or manual workflows for the rest. Monosign supports SCIM 2.0 in both directions, provisioning accounts into applications and accepting inbound provisioning from external identity sources.