What is SAML and SCIM?
Exploring a foundation of identity service.
Modern cybersecurity depends on effective authentication and lifecycle management of users. In order to provide access to a sensitive resource, it's absolutely critical to know the identity of the requesting party. Over the years, the mechanisms and protocols for accomplishing these tasks have been evolving. A couple of popular protocols in use today are SAML and SCIM. Let's unpack what these are.
SAML
SAML stands for Security Assertion Markup Language and is focused on authentication. It's an open-standard protocol and helps establish trust by exchanging important secure messages (known as "assertions") between parties. There are typically two main roles involved in these exchanges:
- Identity Provider (IdP) - This would be the primary "home" for credentials and identities. Examples include: Microsoft Entra, Okta, Ping Identity, etc.
- Service Provider (SP) - This is usually a separate application that needs to verify an identity. Examples include: Salesforce, Dropbox, etc.
When a user needs to authenticate to use something at a Service Provider, that SP will initiate a workflow/process to verify the user identity with the Identity Provider. In many cases, that sequence is automated (making the user experience quick/easy). It's a win-win for everyone.
If everything is approved in the workflow, an XML-encoded Security Assertion is issued for the user. Technically speaking, it's a digitally-signed secure token containing the user's attributes and permissions. In more practical terms, you can think of this like a form of digital trust between the various systems. It's the IdP's way of stating "this user is who they say they are" to the application (SP) requesting authentication. The SP then performs its own verification of the assertion data (to make sure it's authentic), determines what the user is authorized to do (level of access), and then allows/denies based on the respective attributes.
There's an important point I want to emphasize here: the Identity Provider's (IdP) primary job is to authenticate the user (effectively proving that the user is who they say they are). In some cases, it will perform a lightweight check to see if a user should have access to an app at all. For example, Okta users usually have to be "assigned" to an app to proceed with a flow. That said, this pre-check isn't very comprehensive. Once the authentication is complete, it's the responsibility of the Service Provider (SP) to enforce robust authorization controls. Think of it this way: the IdP controls access to the application, while the SP controls access within the application.
SCIM
SCIM stands for System for Cross-domain Identity Management. It has a related purpose, but it's solving a different problem: user account sprawl and the administrative challenge of account provisioning/de-provisioning. Imagine having to maintain user membership in every app each time there's a new employee... or someone leaves the organization. It's a huge headache, and the amount of manual effort involved adds a real potential for error. SCIM offers a standardized framework for managing/maintaining user identities across multiple systems.
SCIM has two main components:
- Resource Model - This is the framework that standardizes how user/group data is structured. The model is usually robust and supports a variety of attributes, sub-attributes, and values. It's encoded in JSON.
- REST API Operations - These are the actions that can be performed against the model. Things like:
  - Create - Creating a new user or group record.
  - Read - Looking up details about existing resources.
  - Update - Changing the attributes for a given record.
  - Delete - Removing users or groups when they aren't present/needed on the system any more.
  - Search - Finding resources (quickly) based on search criteria.
  - Bulk - Making changes for multiple resources/users at once, so processing is more efficient.
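To make the resource model and the operations above concrete, here is an added example (not from the article or from any SCIM product): a minimal in-memory stand-in for a SCIM 2.0 User store. It assumes a deliberately reduced filter grammar (only `attr eq "value"`) and a constructed off-boarding policy of deactivating a leaver's account so nothing lingers with access.

```python
import re
import uuid
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # core User schema URN (RFC 7643)
FILTER_RE = re.compile(r'^(\w+) eq "([^"]*)"$')  # assumption: only the 'attr eq "value"' filter form

class ScimStore:  # in-memory stand-in for the User resources a SCIM 2.0 server manages
    def __init__(self):
        self.users = {}  # id -> JSON-compatible resource dict

    def create(self, resource):  # POST /Users: validate the resource model, then assign a server id
        if USER_SCHEMA not in resource.get("schemas", []) or not resource.get("userName"):
            raise ValueError("resource needs the core User schema and a userName")
        if self.search(f'userName eq "{resource["userName"]}"'):
            raise ValueError("userName must be unique")
        user = {**resource, "id": str(uuid.uuid4()), "active": resource.get("active", True)}
        self.users[user["id"]] = user
        return user

    def read(self, user_id):  # GET /Users/{id}
        return self.users.get(user_id)

    def search(self, scim_filter):  # GET /Users?filter=...
        m = FILTER_RE.match(scim_filter)
        if not m:
            raise ValueError("unsupported filter")
        attr, value = m.groups()
        return [u for u in self.users.values() if str(u.get(attr)) == value]

    def update(self, user_id, attrs):  # PATCH /Users/{id} with 'replace' semantics
        self.users[user_id].update(attrs)  # KeyError for an unknown id
        return self.users[user_id]

    def delete(self, user_id):  # DELETE /Users/{id}
        return self.users.pop(user_id, None) is not None

    def bulk(self, operations):  # POST /Bulk: every operation reports its own status
        results = []
        for op in operations:
            try:
                if op["method"] not in ("create", "update", "delete"):
                    raise ValueError("unsupported bulk method")
                getattr(self, op["method"])(*op["args"])
                results.append({"method": op["method"], "status": "200"})
            except (ValueError, KeyError) as exc:
                results.append({"method": op["method"], "status": "400", "detail": str(exc)})
        return results

def offboard(store, user_name):  # constructed policy: deactivate a leaver so no zombie account keeps access
    matches = store.search(f'userName eq "{user_name}"')
    return store.update(matches[0]["id"], {"active": False}) if matches else None
```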
Modern alternatives like OpenID Connect (OIDC) use JSON Web Tokens, which are similar to SAML assertions but in a lighter, mobile-friendly format. That's a topic for another day though 😄
Conclusion
Ultimately, modern identity management requires both secure entry and automated upkeep. SAML provides the authentication (the digital key), while SCIM handles the provisioning (the automated hand-off). When implemented together, they eliminate the friction of manual account management and close the security gaps caused by "zombie" accounts lingering after an employee leaves.
For more information on the topic, check out the following resources:
