Transforming User and License Management

Client Background

A leading Fintech company offers a SaaS product that requires users to have licenses. Previously, they relied on traditional Identity and Access Management (IAM) practices, which involved manual and inconsistent license management. This approach led to issues such as over-provisioning, security risks, and increased operational costs.

TechGrit's technical team, led by seasoned IAM experts, conducted an in-depth analysis of the client's user management challenges. They observed the manual, error-prone processes of traditional IAM and recognized the scalability issues faced by the rapidly growing SaaS company. After extensive research and benchmarking against industry best practices, the team identified SCIM as a superior solution.  

To address these challenges, the company decided to implement the System for Cross-domain Identity Management (SCIM), a standard protocol designed for automating user provisioning and de-provisioning across various identity domains. This implementation would allow their enterprise clients to:

• Provision and de-provision users automatically based on their internal directories (e.g., Azure AD, Okta).

• Assign licenses to users within their organization.

• Revoke licenses when a user is de-provisioned or no longer needs access.

Client Requirements

1. SCIM API Endpoints

The implementation required building SCIM 2.0-compliant API endpoints within the license management system for managing user resources and licenses:

• POST /Users: Provision a new user and assign a license.

• PATCH /Users/{userId}: Update user attributes or licenses.

• DELETE /Users/{userId}: De-provision a user and revoke the license.

• GET /Users: Retrieve user information and licensing details.
  

2. SCIM Resource Schema

The default SCIM User schema needed to be extended to include licensing attributes, such as:
entitlements: This field represents the licenses assigned to a user, indicating specific licenses or subscriptions.

• active: A Boolean flag that indicates whether the user has an active license.
  

3.  License Management Logic

The following logic was implemented:

• When a user is provisioned, the system checks the entitlements attribute to assign the appropriate license.

• When a user is de-provisioned, the associated license is revoked.

• When a user is updated, licensing details are adjusted if the entitlements have changed.

​​

4. Mapping SCIM Attributes to License System:

SCIM User attributes (such as userName, active, and entitlements) were mapped to the fields in the license management system.

5.  Authentication:  

SCIM API endpoints were secured using OAuth 2.0 or Basic Authentication to ensure that only authorized clients could manage their users and licenses.

6.  Sync and Update Mechanism:  

A synchronization mechanism was developed to facilitate updates between the license management system and the client’s identity provider (IdP). This could involve webhooks, polling, or real-time updates using SCIM events.

Workflow Example

1. User Provisioning:

• The client’s identity provider (IdP) sends a POST request to https://license-system.com/scim/v2/Users with user details.
• The SCIM API in the system checks the entitlements field and assigns the appropriate license.
• The user is added to the license management system with the assigned license(s).

​2. User License Update:

• The client updates a user’s license entitlements, which triggers a PATCH request to https://license-system.com/scim/v2/Users/{userId}.  
• The SCIM API updates the license entitlements in the system to reflect the new licenses assigned to the user.  

3. User De-provisioning:

• When a user is removed from the client’s IdP, a DELETE request is sent to https://license-system.com/scim/v2/Users/{userId}.
• The SCIM API revokes the user’s licenses and removes them from the system.

SCIM API Implementation Outline

The SCIM API adhered to SCIM 2.0 specifications and implemented standard responses for various actions, including:

• 201 Created for provisioning

• 200 OK for successful updates, and

• 204 No Content for deletions.

SCIM Implementation Challenges: Solutions and Strategies

1. Complex Mappings:

Mapping the SCIM schema to the application's internal user and group model was initially challenging. SCIM provides a standard schema, but existing user attributes and roles didn't fully align with SCIM's default structure.

• Solution: A mapping layer was introduced to convert SCIM attributes to internal representations, allowing flexibility.

2. Performance Optimization:

Bulk SCIM requests for large organizations could lead to performance bottlenecks.

• Solution: To avoid performance bottlenecks, batch processing and asynchronous handling were implemented. Bulk operations (POST /Users?bulk=true) were optimized for large requests.

3. Error Handling and Retry Mechanisms:

When syncing with various IdPs, connectivity issues or malformed data often resulted in synchronization errors.  

• Solution: A robust retry mechanism and detailed error reporting were added to manage transient issues and malformed requests.

4. Security Concerns:

Given that SCIM manages sensitive user data, ensuring the secure exchange of information between IdPs and applications was critical.

• Solution: OAuth 2.0 with bearer tokens was utilized for authentication, and all data exchanges were secured with TLS.

Why SCIM is Preferable Over Traditional IAM  

1. Standardization:

Traditional IAM approaches often require building custom connectors for each IdP, while SCIM provides a standardized schema and protocol, allowing easier integrations.

• Example: With SCIM, adding a new Identity Provider (like Azure AD or Okta) only requires configuration changes instead of developing custom APIs.
  

2. Automation:

SCIM automates critical user lifecycle events like onboarding, offboarding, and profile synchronization. In contrast, traditional IAM systems often require manual intervention or custom scripts to manage these workflows.

• Benefit: Enterprises can save significant operational costs by reducing manual provisioning.  

3. Scalability:

SCIM is designed to handle large-scale identity synchronization across domains, which is a challenge for traditional IAM systems that aren’t optimized for bulk user operations.

• Example: Our client can now handle syncing users for enterprise clients with thousands of employees without overwhelming the system.

4. Cross-Platform Interoperability:

SCIM’s open standard allows it to work across different platforms and identity systems, whereas traditional IAM systems may be more tightly coupled with specific vendor solutions.  

• Benefit: Our client customers can use any compatible IdP, ensuring flexibility and future-proofing their infrastructure.

Result

After integrating SCIM, the client reported:

• A 40% reduction in onboarding time for new customers.
• A significant decrease in support tickets related to user management issues.
• Improved security through automated user deactivation, reducing orphan accounts.
• Faster onboarding of new enterprise customers, as SCIM integration allowed for seamless connections to existing identity systems.

Flow Diagram

Conclusion

Implementing SCIM provided the client with a scalable and automated solution for managing user identities. By leveraging SCIM, they reduced operational complexity, improved security, and enabled seamless integration with customer identity systems. Compared to traditional IAM approaches, SCIM’s standardization and automation make it the preferred choice for modern SaaS applications serving large enterprise customers.