SCIM vs JIT
As I spend more time working on provisioning identities to various systems, I have become more acquainted with the two terms JIT and SCIM. On the face of it they seem to do the same job, but there are some important differences. I thought it would be a good idea to write a short post on what these two are, how they differ, and when to use one or the other. Hopefully someone will find this helpful.
Definitions
Just In Time (JIT) provisioning is, loosely, an "extension" of SAML: when a user authenticates via SAML and no matching user exists on the target system, the target system creates the account immediately, at login time.
System for Cross-domain Identity Management (SCIM) is an HTTP-based protocol, specified in RFC 7644, that makes managing identities across multiple domains easier by providing a standardized service for creating, reading, updating and deleting user and group resources.
Similarities
- Both JIT and SCIM provision users on target systems, thus allowing administrators to focus on other activities and reducing the manual work related to access management.
- Both JIT and SCIM are quite popular and widely supported; some systems offer both.
Differences
- SCIM is well defined in RFC 7644, whereas JIT is mostly defined by the system implementing it, which leads to wildly varying implementations and supported features.
- JIT usually costs nothing on top of the cost of SSO (if there is one), whereas SCIM is often locked behind enterprise plans, and upgrading the subscription before it can be used is frequently expensive.
- Most JIT implementations I came across just create the user and offer limited ability, if any, to update the user's groups, roles or licences afterwards. SCIM implementations offer more functions and allow for more complex provisioning flows (automated role and licence assignments, etc.).
- JIT can provision users, but it cannot delete (or, in some cases, even disable) them, because it only ever runs when someone logs in. SCIM can both provision and delete users on target systems. Without SCIM, offboarding leaves orphaned accounts and licences behind that IT has to clean up manually, which quickly becomes a burden.
- SCIM can also be used by some governance tools to fetch user information from the target system.
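To make the lifecycle gap concrete, here is an added toy model of a target system that supports both a JIT login path and a simplified SCIM `/Users` resource. It is constructed for this post and is not code from any IdP, vendor or RFC 7644 reference implementation; the user names, group names and the single-operation PatchOp shape are illustrative assumptions.

```python
from itertools import count

class TargetSystem:
    """Toy target application accepting both provisioning styles (constructed)."""
    def __init__(self):
        self.users, self._ids = {}, count(1)   # SCIM id -> resource dict
    def _find(self, user_name):
        return next((u for u in self.users.values() if u["userName"] == user_name), None)
    def _store(self, user_name, active=True, groups=()):
        uid = f"u{next(self._ids)}"
        self.users[uid] = {"id": uid, "userName": user_name,
                           "active": active, "groups": list(groups)}
        return self.users[uid]

    # JIT: called from the SAML login handler. Creates the user on first login,
    # otherwise returns the existing record unchanged. A departed user never logs
    # in again, so nothing on this path can ever disable or remove an account.
    def jit_login(self, assertion):
        return self._find(assertion["NameID"]) or self._store(
            assertion["NameID"], groups=assertion.get("groups", []))

    # SCIM: explicit lifecycle operations pushed by the IdP, modelled on the
    # RFC 7644 HTTP methods but shown as plain method calls instead of requests.
    def scim_create(self, resource):                       # POST /Users
        if self._find(resource["userName"]) is not None:
            raise ValueError("409 Conflict: userName already exists")
        return self._store(resource["userName"], resource.get("active", True),
                           resource.get("groups", []))

    def scim_patch(self, uid, op):                         # PATCH /Users/{id}
        assert op["op"] == "replace" and op["path"] in ("active", "groups")
        self.users[uid][op["path"]] = op["value"]

    def scim_delete(self, uid):                            # DELETE /Users/{id}
        del self.users[uid]

def orphaned_accounts(target, idp_active_users):
    """Still-active target accounts whose identity no longer exists at the IdP."""
    return sorted(u["userName"] for u in target.users.values()
                  if u["active"] and u["userName"] not in idp_active_users)

def offboarding_scenario():
    """alice and bob are provisioned both ways; then bob leaves the company."""
    jit, scim = TargetSystem(), TargetSystem()
    for name in ("alice", "bob"):
        jit.jit_login({"NameID": name, "groups": ["staff"]})
        scim.scim_create({"userName": name, "groups": ["staff"]})
    bob = scim._find("bob")   # IdP deactivates bob: SCIM gets a PATCH, JIT gets nothing
    scim.scim_patch(bob["id"], {"op": "replace", "path": "active", "value": False})
    return orphaned_accounts(jit, {"alice"}), orphaned_accounts(scim, {"alice"})
```

Running `offboarding_scenario()` returns `(['bob'], [])`: the JIT-provisioned system still has an enabled account for the departed user, while the SCIM-provisioned one does not.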
Which One To Use?
- If the system you are integrating supports SCIM and you can afford the cost typically needed to gain access to the feature, go for it: it will make your provisioning much better and allow you to build more powerful setups.
- If the system doesn't support SCIM or you can't afford the upgrade cost, using JIT is better than manual provisioning, as it will save you some time and improve the user experience.
- Sometimes a system supports SCIM and you can afford the cost, but the system itself has no critical value or sensitivity tied to it. In that situation it is more pragmatic to use JIT, unless there is a lot of team and group management that SCIM would simplify.
Outro
This was a rather quick glance at SCIM and JIT, their differences, similarities, and when to use one or the other. There is much more to both topics, and I encourage you to read some of the links below or to experiment with some configurations if you have access to an identity provider and a test system to use as a target.