SCIM is also there to allow filling gaps between systems that use federated identity. Say you use Google Workspace for your staff and have some application that uses SAML. How do you tell the application about the users and groups in Google? Well ideally Google has built an integration that can do this. That's not a big set of integrations, though. Perhaps your application can just read the incoming user's identity and membership details during the login process. If none of that is an option, you need to use something to read the lists of users and groups, and push those over to your application. SCIM is a reasonable (if not 'great') way of doing this. AWS SSO[1] (now "AWS IAM Identity Center") is an example of this.

[1] https://docs.aws.amazon.com/singlesignon/latest/developergui...

e: Also, you need to consider the de-provisioning thing, too. Leaving resources hanging around for people that have left can be expensive and/or annoying.
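As an added example (not from the comment above, and not AWS's or Google's code) of the "read the list, push it over" job the comment describes, this Python function plans the SCIM 2.0 calls that reconcile an IdP user list with what the application already has, including the de-provisioning step the edit raises. The sample directories are constructed inline; `plan_scim_sync`, `_set_active` and `example_plan` are names chosen here, while the schema URNs are the ones defined in RFC 7643/7644.

```python
# Added example (not the app's or AWS's code): plan the SCIM 2.0 calls that
# reconcile an IdP user list with a SAML application's SCIM endpoint. Departed
# users are deactivated (active=false) rather than deleted, keeping audit history.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"      # RFC 7643
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644

def _set_active(user_id, active):
    # PATCH is optional for SCIM service providers (RFC 7644); if the app rejects
    # it, fall back to PUT /Users/{id} with the full resource and active flipped.
    return ("PATCH", f"/Users/{user_id}", {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": active}]})

def plan_scim_sync(source_users, target_users):
    """Return (method, path, body) tuples in send order. source_users is what the
    IdP reports; target_users is the application's GET /Users (id, userName, active)."""
    calls = []
    target_by_name = {u["userName"]: u for u in target_users}
    source_names = {u["userName"] for u in source_users}
    for u in source_users:
        existing = target_by_name.get(u["userName"])
        if existing is None:  # provision: in the IdP, unknown to the application
            calls.append(("POST", "/Users", {
                "schemas": [USER_SCHEMA], "userName": u["userName"], "active": True,
                "name": {"givenName": u["givenName"], "familyName": u["familyName"]}}))
        elif not existing["active"]:  # returning staff: re-enable the old record
            calls.append(_set_active(existing["id"], True))
    for name, t in target_by_name.items():
        if name not in source_names and t["active"]:  # de-provision leavers
            calls.append(_set_active(t["id"], False))
    return calls

def example_plan():
    """Constructed sample directories: Bob has left, Carol is back, Dave is new."""
    source = [
        {"userName": "alice@example.com", "givenName": "Alice", "familyName": "Ng"},
        {"userName": "carol@example.com", "givenName": "Carol", "familyName": "Diaz"},
        {"userName": "dave@example.com", "givenName": "Dave", "familyName": "Okafor"},
    ]
    target = [  # what GET /Users on the application returned
        {"id": "u-1", "userName": "alice@example.com", "active": True},
        {"id": "u-2", "userName": "bob@example.com", "active": True},
        {"id": "u-3", "userName": "carol@example.com", "active": False},
    ]
    return plan_scim_sync(source, target)
```

Run the plan on a schedule and diff it against the previous run so that an unexpected burst of deactivations (an IdP outage or a bad group filter) is caught before it is sent.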
You have the application use SLDAP to query the group with entitlements to the system.
There’s no magic here. The Google integrations are using SCIM iirc.