by hnzix 1358 days ago
SCIM integration is for legacy apps that don't support modern auth. I'm not an expert, but I believe Okta is essentially filling in the legacy app's login page automatically. By definition this action requires a password to be transmitted in plaintext.

The answer is for the third-party apps to add modern auth, but this is dependent on the vendor, not Okta. The only alternative is to have unmanaged logins, which is arguably worse than SCIM.

SCIM is there as a last resort; its use is heavily discouraged.


SCIM is also there to allow filling gaps between systems that use federated identity.

Say you use Google Workspace for your staff and have some application that uses SAML.

How do you tell the application about the users and groups in Google?

Well ideally Google has built an integration that can do this. That's not a big set of integrations, though.

Perhaps your application can just read the incoming user's identity and membership details during the login process.

If none of that is an option, you need to use something to read the lists of users and groups, and push those over to your application. SCIM is a reasonable (if not 'great') way of doing this.

AWS SSO[1] (now "AWS IAM Identity Center") is an example of this.

[1] https://docs.aws.amazon.com/singlesignon/latest/developergui...

e: Also, you need to consider the de-provisioning thing, too. Leaving resources hanging around for people that have left can be expensive and/or annoying.

> How do you tell the application about the users and groups in Google?

You have the application use SLDAP to query the group with entitlements to the system.

There’s no magic here. The google integrations are using SCIM iirc.

SCIM is a sensible protocol and useful for syncing users and groups from a central system to apps; syncing the clear-text password is the problem. It should be used to sync user ID and group membership only, and OpenID Connect performs the login.

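
The comments above describe SCIM pushing users and groups to an application (and de-provisioning leavers) while leaving authentication to an SSO protocol, but neither shows what actually crosses the wire. The following is an added example, not code from the thread or from Okta, AWS or Google: a toy SCIM 2.0 sync in Python, with an IdP-side loop pushing RFC 7643 User and Group resources through RFC 7644 create, filter and PATCH calls to an in-memory stand-in for the application's endpoint. The `ScimServiceProvider` class, the directory records, the `engineering` group and the `reconcile` summary format are all constructed for illustration. The point the two comments make is visible in the payloads: there is no `password` attribute, the endpoint rejects one if offered, and a leaver is deactivated and dropped from the group rather than left behind.

```python
"""Constructed SCIM 2.0 provisioning sketch (not Okta/AWS/Google code): an IdP-side
sync loop pushes users and group membership to an in-memory stand-in for an
application's SCIM endpoint. Identity and membership cross the wire; passwords never do."""
import json
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimServiceProvider:
    """Stand-in for the app's /scim/v2 side: RFC 7644 create, filter and PATCH, in memory."""

    def __init__(self):
        self.users, self.groups = {}, {}          # id -> resource dict

    def _store(self, collection):
        return self.users if collection == "Users" else self.groups

    def create(self, collection, body):
        res = json.loads(body)
        # Refuse credentials outright: SCIM here carries identity, never secrets.
        if collection == "Users" and "password" in res:
            raise ValueError("400: password attribute not accepted")
        key = "userName" if collection == "Users" else "displayName"
        if any(r[key].lower() == res[key].lower() for r in self._store(collection).values()):
            raise ValueError(f"409: {key} already exists")
        res["id"] = str(uuid.uuid4())
        if collection == "Users":
            res.setdefault("active", True)
        self._store(collection)[res["id"]] = res
        return res

    def search(self, collection, flt):
        """The one filter shape a sync loop needs: attr eq "value" (case-insensitive)."""
        m = re.fullmatch(r'(userName|displayName) eq "((?:[^"\\]|\\.)*)"', flt)
        if not m:
            raise ValueError("400: unsupported filter")
        attr, val = m.group(1), m.group(2).replace('\\"', '"').replace("\\\\", "\\")
        return [r for r in self._store(collection).values() if r[attr].lower() == val.lower()]

    def patch(self, collection, rid, body):
        op = json.loads(body)
        if PATCH_SCHEMA not in op["schemas"]:
            raise ValueError("400: not a PatchOp")
        res = self._store(collection)[rid]
        for o in op["Operations"]:
            kind, path, value = o["op"].lower(), o.get("path", ""), o.get("value")
            if kind == "replace" and path == "active":          # de-provisioning
                res["active"] = bool(value)
            elif kind == "add" and path == "members":
                have = {x["value"] for x in res.setdefault("members", [])}
                res["members"] += [{"value": v["value"]} for v in value if v["value"] not in have]
            elif kind == "remove" and (rm := re.fullmatch(r'members\[value eq "([^"]+)"\]', path)):
                res["members"] = [x for x in res.get("members", []) if x["value"] != rm.group(1)]
            else:
                raise ValueError(f"400: unsupported operation {kind} {path}")
        return res


def scim_filter(attr, value):
    """Equality filter with the value escaped, so a crafted userName cannot alter the query."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attr} eq "{escaped}"'


def user_payload(entry):
    """Directory record -> SCIM User. Note what is absent: no password, no secret of any kind."""
    return json.dumps({"schemas": [USER_SCHEMA], "externalId": entry["id"], "userName": entry["email"],
                       "name": {"givenName": entry["given"], "familyName": entry["family"]},
                       "emails": [{"value": entry["email"], "primary": True}], "active": True})


def patch_op(operations):
    return json.dumps({"schemas": [PATCH_SCHEMA], "Operations": operations})


def reconcile(sp, directory_users, directory_groups):
    """One sync pass: create joiners, deactivate leavers, converge group membership."""
    summary, ids = {"created": [], "deactivated": [], "added": [], "removed": []}, {}
    for entry in directory_users:
        found = sp.search("Users", scim_filter("userName", entry["email"]))
        if not found and entry["active"]:
            found = [sp.create("Users", user_payload(entry))]
            summary["created"].append(entry["email"])
        if found:
            ids[entry["email"].lower()] = found[0]["id"]
    wanted_active = {e["email"].lower() for e in directory_users if e["active"]}
    for u in list(sp.users.values()):                       # anyone no longer active in the directory
        if u["active"] and u["userName"].lower() not in wanted_active:
            sp.patch("Users", u["id"], patch_op([{"op": "replace", "path": "active", "value": False}]))
            summary["deactivated"].append(u["userName"])
    for name, emails in directory_groups.items():
        found = sp.search("Groups", scim_filter("displayName", name))
        group = found[0] if found else sp.create(
            "Groups", json.dumps({"schemas": [GROUP_SCHEMA], "displayName": name, "members": []}))
        want = {ids[e.lower()] for e in emails if e.lower() in wanted_active}
        have = {m["value"] for m in group.get("members", [])}
        if want - have:
            sp.patch("Groups", group["id"], patch_op(
                [{"op": "add", "path": "members", "value": [{"value": i} for i in sorted(want - have)]}]))
            summary["added"].extend(sorted(want - have))
        for i in sorted(have - want):
            sp.patch("Groups", group["id"], patch_op([{"op": "remove", "path": f'members[value eq "{i}"]'}]))
            summary["removed"].append(i)
    return summary


def demo():
    """Two passes over a constructed directory: a full first sync, then Bob leaves."""
    sp = ScimServiceProvider()
    staff = [{"id": "g-1001", "email": "alice@example.com", "given": "Alice", "family": "Ng", "active": True},
             {"id": "g-1002", "email": "bob@example.com", "given": "Bob", "family": "Ray", "active": True}]
    groups = {"engineering": ["alice@example.com", "bob@example.com"]}
    first = reconcile(sp, staff, groups)
    staff[1]["active"] = False                              # the directory flips the flag; nothing else changes
    second = reconcile(sp, staff, groups)
    return sp, first, second
```

Running `demo()` shows the second pass doing only two things: a PATCH setting Bob's `active` to `false` and a PATCH removing his `id` from `engineering`; login itself is never touched, because that is the SSO protocol's job.
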
> OpenId Connect performs the login

Doesn't this presume that the third-party app supports OIDC? Which again makes it dependent on the vendors, not Okta.

It presumes that the legacy app supports an SSO protocol like OIDC, SAML, or WS-Fed. Ideally the app will support one of those protocols directly, otherwise it’s possible to bolt on support for one of those protocols via a proxy.