scim-docs/content/overview/comparison.md
2024-11-04 17:07:02 +01:00

3.5 KiB
Raw Permalink Blame History

title description color weight
Why is SCIM better ? Differences between several centralized user management protocols in a world of web application hosting that show **SCIM is an upgrade.** green 4

Others management protocols

{{< switch-box title="Ldap" >}} With this LDAP approach everything is centralized (except authorization).

{{< imgproc "ldap-diagram.png" "LDAP diagram" "mr-t-1-5 mr-b-1-5">}}

Everything speaks the LDAP protocol langage. Identities are stored in an LDAP directory, which is provisioned via LDAP protocol. Authentication is done by the application that asks the users credentials and validates them against the directory via LDAP protocol. {{< /switch-box >}}

{{< switch-box title="Ldap+SSO" >}} This architecture tackles the two main drawbacks of the only LDAP approach : the missing single sign-on and the security vulnerability. Authentication is delegated to other web protocols (like OAuth, OIDC or SAML). This way, the user logs in only once to the identity provider.

{{< imgproc "ldap-sso-diagram.png" "LDAP with SSO diagram" "mr-t-1-5 mr-b-1-5" >}}

{{< /switch-box >}}

{{< switch-box title="SSO" >}} On modern web infrastructure, LDAP started to be abandoned because loose provisioning can also be done via SSO protocols.

{{< imgproc "sso-diagram.png" "SSO only diagram" "mr-t-1-5 mr-b-1-5" >}}

{{< /switch-box >}}

{{< switch-box title="SSO+SCIM" >}} SCIM solve the remaining problems via a simple standard web api. This infrastructure is event driven, a provisioning action on the IdP is quickly passed on all applications.

{{< imgproc "sso-scim-diagram.png" "SSO with SCIM diagram" "mr-t-1-5 mr-b-1-5" >}}

{{< /switch-box >}}

LDAP LDAP & SSO SSO SSO & SCIM
Easy to implement {{< svg-render cross >}}
Mature but old and difficult
{{< svg-render cross >}}
Mature but old and difficult
{{< svg-render cross >}} {{< svg-render check >}}
Simple and web native, but non-standard IdP
{{< svg-render check >}}
Cli or UI could be used on IdP or on apps
Many implementations {{< svg-render check >}} {{< svg-render check >}} {{< svg-render check >}} {{< svg-render cross >}}
Not a lot of implementations yet
Single sign-on {{< svg-render cross >}}
User must sign-on each application
{{< svg-render check >}} {{< svg-render check >}} {{< svg-render check >}}
No trust issues {{< svg-render cross >}}
Expose users credentials to each application
{{< svg-render cross >}} {{< svg-render check >}}
Zero trust in applications
{{< svg-render check >}}
Zero trust in applications
Scalable provisioning {{< svg-render cross >}}
By diffing, each app reads all and compares it
{{< svg-render cross >}}
By diffing, each app reads all and compares it
{{< svg-render check >}}
No diffing, modern storage, SQL database can be used
{{< svg-render check >}}
Real time atomic provisioning
Scalable provisioning {{< svg-render cross >}}
Only when apps trigger it or when the user logs in
{{< svg-render cross >}}
Only when apps trigger it or when the user logs in
{{< svg-render cross >}}
No way to remove a user from the application
{{< svg-render check >}}
GDPR Compliant {{< svg-render cross >}} {{< svg-render cross >}} {{< svg-render cross >}} {{< svg-render check >}}