SCIM (System for Cross-domain Identity Management)

Security & Compliance intermediate

SCIM is an open standard for automatically provisioning, updating, and de-provisioning user accounts between identity systems and applications.

Summary

SCIM (System for Cross-domain Identity Management) is an open REST/JSON standard for automatically provisioning, updating, and de-provisioning user accounts between an identity system and downstream applications.

What is SCIM?

SCIM is defined in RFC 7643 and RFC 7644. It describes a standard schema for users and groups and a REST API to create, read, update, and delete those objects. Identity providers and HR systems use SCIM to push account state into the applications they integrate with, instead of forcing administrators to maintain user lists manually in every tool.

A typical flow looks like this: HR creates a new employee in the directory; the directory pushes the new user into the IdP; the IdP uses SCIM to provision the user into the linked applications — collaboration suites, ticketing systems, mesh VPN management planes, monitoring tools, and so on. When the employee leaves, the same chain removes access everywhere in seconds.

While SSO handles the "can this person log in" question at runtime, SCIM handles the "should this person exist at all" question before that. The combination of SSO plus SCIM is the modern baseline for identity lifecycle management. Many enterprise SaaS products and infrastructure tools (including NetBird from the Team tier) expose a SCIM endpoint for exactly this reason.
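The onboarding and offboarding flow described above can be sketched as a reconciliation step. This is an added example, not code from the original page or from any product it names: it compares the IdP's directory with the accounts an application lists and plans the SCIM 2.0 requests (RFC 7644) needed to align them. The function names, the shape of `idp_users`, the sample accounts, and the choice to deactivate with a PATCH on `active` rather than DELETE are assumptions.

```python
# Added example, not from the original page. Sample data is constructed.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"        # RFC 7643
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"    # RFC 7644

def set_active(user_id, active):
    """PATCH request that flips the 'active' attribute of one SCIM user."""
    return ("PATCH", f"/Users/{user_id}", {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": active}],
    })

def plan_sync(idp_users, app_users):
    """Return the (method, path, body) requests that align the app with the IdP."""
    # app_users: SCIM User resources, as a GET /Users on the app would list them.
    in_app = {u["userName"]: u for u in app_users}
    plan = []
    for name, src in sorted(idp_users.items()):
        current = in_app.get(name)
        if current is None:
            if src["active"]:  # onboarding: account missing downstream
                plan.append(("POST", "/Users", {
                    "schemas": [USER_SCHEMA],
                    "userName": name,
                    "name": {"givenName": src["givenName"],
                             "familyName": src["familyName"]},
                    "active": True,
                }))
        elif current.get("active", True) != src["active"]:
            plan.append(set_active(current["id"], src["active"]))
    # Offboarding gap: accounts still active in the app but unknown to the IdP.
    for name, user in sorted(in_app.items()):
        if name not in idp_users and user.get("active", True):
            plan.append(set_active(user["id"], False))
    return plan

IDP_USERS = {  # hypothetical directory export
    "alice@example.com": {"givenName": "Alice", "familyName": "A", "active": True},
    "bob@example.com": {"givenName": "Bob", "familyName": "B", "active": False},
    "carol@example.com": {"givenName": "Carol", "familyName": "C", "active": True},
}
APP_USERS = [  # hypothetical GET /Users result from the application
    {"id": "a1", "userName": "alice@example.com", "active": True},
    {"id": "b2", "userName": "bob@example.com", "active": True},
    {"id": "d4", "userName": "dave@example.com", "active": True},  # orphaned account
]

if __name__ == "__main__":
    for method, path, body in plan_sync(IDP_USERS, APP_USERS):
        print(method, path, body)
```

With the sample data, the plan deactivates the account the IdP has disabled, creates the missing one, and deactivates the orphaned account that no longer exists in the directory.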

Why is SCIM relevant?

  • Zero-touch onboarding: New users appear in every linked system automatically
  • Reliable offboarding: Access is removed everywhere when the IdP removes the user
  • Compliance: Auditors can prove that account lifecycle is managed and timely
  • Open standard: Avoids per-application custom provisioning code

Related terms

  • Identity Provider: System that typically drives SCIM provisioning
  • Single Sign-On: Runtime side of identity; SCIM handles the lifecycle side
  • Keycloak: Open-source IdP supporting SCIM provisioning to downstream apps
  • Zero Trust: Depends on accurate, current identity data — exactly what SCIM provides
