---
title: Why is SCIM better ?
description : Differences between several centralized user management protocols in a world of web application hosting that show **SCIM is an upgrade.**
color : green
weight : 4
---
### Others management protocols
{{< switch-box title="Ldap" >}}
With this LDAP approach **everything is centralized** (except authorization).
![LDAP diagram](media/ldap-diagram.svg)
**Everything speaks the LDAP protocol langage.** Identities are stored in an LDAP directory, which is provisioned via LDAP protocol. Authentication is done by the application that asks the user’s credentials and validates them against the directory via LDAP protocol.
{{< /switch-box >}}
{{< switch-box title="Ldap+SSO" >}}
This architecture **tackles the two main drawbacks of the only LDAP approach** : the missing single sign-on and the security vulnerability. **Authentication is delegated to other web protocols** (like OAuth, OIDC or SAML). This way, the user logs in only once to the identity provider.
![LDAP with SSO diagram](media/ldap-sso-diagram.svg)
{{< /switch-box >}}
{{< switch-box title="SSO" >}}
On modern web infrastructure, LDAP started to be abandoned because **loose provisioning can also be done via SSO protocols.**
![SSO only diagram](media/sso-diagram.svg)
{{< /switch-box >}}
{{< switch-box title="SSO+SCIM" >}}
**SCIM solve the remaining problems** via a simple standard web api. This infrastructure is **event driven, a provisioning action on the IdP is quickly passed on all applications.**
![SSO with SCIM diagram](media/sso-scim-diagram.svg)
{{< /switch-box >}}
| | LDAP | LDAP & SSO | SSO | SSO & SCIM |
| -------- | -------- | -------- | -------- | -------- |
| Easy to implement | {{< svg-render cross >}}
*Mature but old and difficult* | {{< svg-render cross >}}
*Mature but old and difficult* | {{< svg-render cross >}} {{< svg-render check >}}
*Simple and web native, but non-standard IdP* | {{< svg-render check >}}
*Cli or UI could be used on IdP or on apps* |
| Many implementations | {{< svg-render check >}} | {{< svg-render check >}} | {{< svg-render check >}} | {{< svg-render cross >}}
*Not a lot of implementations yet* |
| Single sign-on | {{< svg-render cross >}}
*User must sign-on each application* | {{< svg-render check >}} | {{< svg-render check >}} | {{< svg-render check >}} |
| No trust issues | {{< svg-render cross >}}
*Expose user’s credentials to each application* | {{< svg-render cross >}}
***???????*** | {{< svg-render check >}}
*Zero trust in applications* | {{< svg-render check >}}
*Zero trust in applications* |
| Scalable provisioning | {{< svg-render cross >}}
*By diffing, each app reads all and compares it* | {{< svg-render cross >}}
*By diffing, each app reads all and compares it* | {{< svg-render check >}}
*No diffing, modern storage, SQL database can be used* | {{< svg-render check >}}
*Real time atomic provisioning* |
| Scalable provisioning | {{< svg-render cross >}}
*Only when apps trigger it or when the user logs in* | {{< svg-render cross >}}
*Only when apps trigger it or when the user logs in* | {{< svg-render cross >}}
*No way to remove a user from the application* | {{< svg-render check >}} |
| GDPR Compliant | {{< svg-render cross >}} | {{< svg-render cross >}} | {{< svg-render cross >}} | {{< svg-render check >}} |