← All terms
SCIM (System for Cross-domain Identity Management)

What is SCIM (System for Cross-domain Identity Management)?

SCIM is an open standard for automatically creating, updating, and deactivating user accounts across applications from a central identity source.

Last updated: 13 July 2026

How SCIM works

SCIM defines a REST API with a standard JSON schema for users and groups. An identity platform acts as the SCIM client: when a user is created, changed, or deactivated in the central directory, it pushes the corresponding create, update, or delete request to each connected application, which acts as the SCIM server.

The schema covers common attributes like user name, email, and active status, along with group memberships used to drive entitlements inside the application. Because SCIM 2.0 is a published IETF standard (RFC 7643 and 7644), any compliant application can be provisioned by any compliant identity platform without custom integration code.

Why SCIM matters

Manual account management does not scale and does not stay accurate. New hires wait days for access, role changes leave stale permissions behind, and departed employees keep active accounts, which is one of the most common audit findings and breach vectors. SCIM automates the full joiner-mover-leaver cycle so accounts always mirror the authoritative HR or directory record.

Deprovisioning is the highest-value piece: the moment an identity is disabled centrally, SCIM propagates the deactivation to every connected application. Combined with SSO, this gives organizations both instant access cutoff and clean per-application account hygiene, which SSO alone cannot provide.

SCIM in practice

A typical setup connects an authoritative source, often the HR system or a directory, to the identity platform, then enables SCIM provisioning per application with attribute and group mappings. Decisions include which attributes flow where, how conflicts are resolved, and whether deactivation means disabling or deleting the account; disabling is usually safer for audit trails.

Not every application supports SCIM, so mature platforms fall back to connectors, directory sync, or manual workflows for the rest. Monosign supports SCIM 2.0 in both directions, provisioning accounts into applications and accepting inbound provisioning from external identity sources.

Frequently asked questions

What is the difference between SCIM and SAML?
They solve different problems. SAML handles authentication at sign-in time, telling the application who the user is. SCIM handles account lifecycle, creating and removing the account itself before and after sign-in ever happens. Most enterprise integrations use both together.
Do I still need SCIM if I already have SSO?
Yes. SSO controls whether a user can sign in, but the account inside the application, along with its data, roles, and license, still exists until something removes it. SCIM automates that removal and keeps roles and groups current, closing the gap that SSO leaves open.
What happens when an application does not support SCIM?
Identity platforms cover the gap with application-specific connectors, API integrations, directory synchronization, or ticket-driven manual workflows as a last resort. The goal stays the same: no account should outlive the identity it belongs to.