by beberlei 1360 days ago
SCIM is a sensible protocol and useful for syncing users and groups from a central system to apps. Syncing the clear text password is the problem; it should be used to sync user ID and group membership only, and OpenID Connect performs the login.

> OpenID Connect performs the login

Doesn't this presume that the third-party app supports OIDC? Which again makes it dependent on the vendors, not Okta.

It presumes that the legacy app supports an SSO protocol like OIDC, SAML, or WS-Fed. Ideally the app will support one of those protocols directly; otherwise it’s possible to bolt on support for one of those protocols via a proxy.
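
The split discussed in this thread (SCIM carries identity and group data, an SSO protocol performs the login) can be enforced at a provisioning gateway. The following is an added example, not part of the thread and not any vendor's code: a filter that removes the RFC 7643 `password` attribute from SCIM User bodies and RFC 7644 PatchOp requests before they are forwarded. The function names and sample payloads are constructed for illustration.

```python
import copy

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample payloads (not taken from the thread).
CREATE = {"schemas": [USER_SCHEMA], "userName": "alice@example.com",
          "password": "constructed-sample", "active": True}
PATCH = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "path": "password", "value": "constructed-sample"},
    {"op": "replace", "value": {"active": False, "password": "constructed-sample"}}]}


def _is_password_path(path):
    """True when a PATCH path targets the User 'password' attribute."""
    if not path:
        return False
    # Paths may be schema-qualified; SCIM attribute names are case-insensitive.
    return path.lower() in ("password", (USER_SCHEMA + ":password").lower())


def _drop_password(obj):
    """Delete any 'password' key (case-insensitive); report whether one existed."""
    hits = [k for k in obj if k.lower() == "password"]
    for k in hits:
        del obj[k]
    return bool(hits)


def strip_password(body):
    """Return (sanitized_copy, removed) for a SCIM User or PatchOp body."""
    body = copy.deepcopy(body)          # never mutate the caller's payload
    removed = False
    if PATCH_SCHEMA in body.get("schemas", []):
        kept = []
        for op in body.get("Operations", []):
            if _is_password_path(op.get("path")):
                removed = True          # the whole operation targets password
                continue
            value = op.get("value")
            if not op.get("path") and isinstance(value, dict):
                if _drop_password(value):   # path-less add/replace
                    removed = True
                    if not value:
                        continue        # nothing left to apply
            kept.append(op)
        body["Operations"] = kept
    else:
        removed = _drop_password(body)
    return body, removed
```

The `removed` flag lets the gateway log or alert when an upstream system is still attempting to push credentials over SCIM.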