description : Differences between several centralized user management protocols for hosted web applications, showing that **SCIM is an upgrade.**
<strong>Everything speaks the LDAP protocol language.</strong> Identities are stored in an LDAP directory, which is provisioned over LDAP. Authentication is done by each application: it asks the user for credentials and validates them against the directory over LDAP.
This architecture <strong>tackles the two main drawbacks of the LDAP-only approach</strong>: the missing single sign-on and the security weakness of every application handling the user's password. <strong>Authentication is delegated to other web protocols</strong> (such as OAuth, OIDC or SAML). This way, the user logs in only once, at the identity provider.
<strong>SCIM solves the remaining problems</strong> via a simple standard web API. This infrastructure is <strong>event driven: a provisioning action on the IdP is quickly propagated to all applications.</strong>
| | LDAP only | LDAP + web SSO (OAuth, OIDC, SAML) | IdP-specific web API | SCIM |
|---|---|---|---|---|
| Easy to implement | {{<svg-rendercross>}} <br>*Mature but old and difficult* | {{<svg-rendercross>}} <br>*Mature but old and difficult* | {{<svg-rendercross>}} {{<svg-rendercheck>}} <br>*Simple and web native, but non-standard IdP* | {{<svg-rendercheck>}} <br>*CLI or UI can be used on the IdP or on the apps* |
| Many implementations | {{<svg-rendercheck>}} | {{<svg-rendercheck>}} | {{<svg-rendercheck>}} | {{<svg-rendercross>}} <br>*Not a lot of implementations yet* |
| Single sign-on | {{<svg-rendercross>}} <br>*User must sign on to each application* | {{<svg-rendercheck>}} | {{<svg-rendercheck>}} | {{<svg-rendercheck>}} |
| Scalable provisioning | {{<svg-rendercross>}} <br>*By diffing: each app reads everything and compares it* | {{<svg-rendercross>}} <br>*By diffing: each app reads everything and compares it* | {{<svg-rendercheck>}} <br>*No diffing, modern storage, an SQL database can be used* | {{<svg-rendercheck>}} <br>*Real-time atomic provisioning* |
| Real-time (de)provisioning | {{<svg-rendercross>}} <br>*Only when apps trigger it or when the user logs in* | {{<svg-rendercross>}} <br>*Only when apps trigger it or when the user logs in* | {{<svg-rendercross>}} <br>*No way to remove a user from the application* | {{<svg-rendercheck>}} |
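To make the "simple standard web API" and the last table row (removing a user from the application) concrete, here is an added example, not from the original page, of the application side of SCIM 2.0: a handler for the `/Users` calls an IdP sends to create, disable and delete a user. It assumes an in-memory dict as the app's user store and leaves out the HTTP framework and the bearer-token check a real endpoint must perform on every request.

```python
"""Minimal application-side SCIM 2.0 /Users handler (RFC 7643/7644 subset).

Added example with an in-memory store; no HTTP framework and no IdP
authentication are included (a real endpoint verifies a bearer token first).
"""
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail):
    """Build the standard SCIM error body for an HTTP status code."""
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


def handle_scim(store, method, path, body=None):
    """Route one IdP-initiated request; store maps id -> SCIM User resource.

    Returns (http_status, response_body) like a real endpoint would.
    """
    body = body or {}
    parts = path.strip("/").split("/")
    if parts[0] != "Users":
        return scim_error(404, "unknown resource")
    if method == "POST" and len(parts) == 1:  # provisioning: IdP creates the user
        if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "userName and User schema are required")
        if any(u["userName"] == body["userName"] for u in store.values()):
            return scim_error(409, "userName already exists")  # uniqueness per RFC 7644
        user = dict(body)
        user["id"] = str(uuid.uuid4())  # server-assigned id, never taken from the client
        user.setdefault("active", True)
        store[user["id"]] = user
        return 201, user
    if len(parts) != 2 or parts[1] not in store:
        return scim_error(404, "user not found")
    user = store[parts[1]]
    if method == "GET":
        return 200, user
    if method == "PATCH":  # deprovisioning: IdP flips active to false, effective at once
        if SCIM_PATCH not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema required")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                value = op.get("value")
                user["active"] = value if isinstance(value, bool) else str(value).lower() == "true"
        return 200, user
    if method == "DELETE":  # hard removal of the identity from the application
        del store[parts[1]]
        return 204, None
    return scim_error(405, "method not allowed")
```

Because the IdP pushes these calls as the events happen, the application never has to poll or diff the directory, and a disabled account stops working immediately instead of at the user's next login.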