scim-docs/content/overview/scenario.md

---
title: How to use SCIM?
description : An **opinion on using SCIM** to provide information such as mail, first name, last name, group... across different applications **with an Identity Provider**.
color : blue-2
weight : 3
---
{{< imgproc "scim-diagram.png" "Scim diagram" "float-right">}}
### SCIM Client and Server
While SCIM is a protocol for provisioning and managing identity, there **isn't really a concept of an Identity Provider (IdP)** within its architecture. Instead, the SCIM architecture consists only of **a Client, which makes HTTP calls, and a Server, which receives them**.

**An opinion on SCIM use**

A possible architecture could be as follows: a **SCIM Client collocated with the Identity Provider** reflects changes by calling all **SCIM Servers collocated with each application**.

With this architecture, there is a need for interoperability at 2 levels:

* **between the user management UI and the IdP** (the database where identities are stored)
* and **between the IdP and the applications**.

Thus, the **IdP acts as both a SCIM client and server**: as a client when sending requests to apps and as a server when receiving requests from the management UI.

### How does it work?

With the SCIM protocol, **clients can create, read, update, delete (CRUD) users and groups from a server.**
In this scenario the standard SCIM API is used each time a user should be created, read, updated or deleted in the Identity Provider.

And, when a resource is modified in the user database of the Identity Provider, the event is propagated to the configured applications. In this case the IdP becomes a client for these applications (which act as SCIM Servers in this scenario).

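
The flow described above, sketched as an added example (not code from this page or from any SCIM project): the IdP handles a SCIM call from the management UI, then replays the change as a client on every configured application. In-memory objects stand in for HTTP, and the names `ScimServer`, `IdentityProvider`, `remote_id` and `SAMPLE_USER` are assumptions; the IdP's identifier travels as `externalId` because each SCIM server assigns its own `id` (RFC 7643).

```python
import json
import uuid

# Constructed sample resource using the RFC 7643 core User schema.
SAMPLE_USER = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "userName": "alice@example.org"}

class ScimServer:
    """Hypothetical in-memory stand-in for the server role: CRUD on /Users."""
    def __init__(self, name):
        self.name, self.users = name, {}

    def handle(self, method, path, body=None):
        parts = path.strip("/").split("/")
        if method == "POST" and parts == ["Users"]:
            user = dict(json.loads(body), id=uuid.uuid4().hex)  # server assigns id
            self.users[user["id"]] = user
            return 201, user
        if len(parts) != 2 or parts[0] != "Users" or parts[1] not in self.users:
            return 404, None
        if method == "GET":
            return 200, self.users[parts[1]]
        if method == "PUT":
            self.users[parts[1]] = dict(json.loads(body), id=parts[1])
            return 200, self.users[parts[1]]
        if method == "DELETE":
            del self.users[parts[1]]
            return 204, None
        return 405, None

class IdentityProvider(ScimServer):
    """Hypothetical IdP: SCIM server for the management UI, client for each app."""
    def __init__(self, apps):
        super().__init__("idp")
        self.apps, self.remote_id = apps, {}  # (app name, IdP id) -> id in that app

    def handle(self, method, path, body=None):
        status, resource = super().handle(method, path, body)
        if method == "GET" or status >= 300:
            return status, resource  # reads and failed calls are not propagated
        uid = resource["id"] if resource else path.strip("/").split("/")[1]
        out = body and json.dumps(dict(json.loads(body), externalId=uid))
        for app in self.apps:  # client role: replay the change on every application
            if method == "POST":
                self.remote_id[app.name, uid] = app.handle("POST", "/Users", out)[1]["id"]
            elif method == "PUT":
                app.handle("PUT", "/Users/" + self.remote_id[app.name, uid], out)
            else:  # DELETE is the only other method that can succeed here
                app.handle("DELETE", "/Users/" + self.remote_id.pop((app.name, uid)))
        return status, resource
```
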
#### In essence
<mark>SCIM-compliant **open source Web SSO providers** along with **applications that support the SCIM API** for user provisioning could provide a seamless user experience.</mark>