SSO got an upgrade: OpenID Connect & SCIM for Cross-Domain Identity Management

Single Sign-On (SSO) is an important feature for modern SaaS applications and Enterprise software. It allows users to sign in once and access multiple applications without having to sign in again, but it also allows a company to manage user access across many applications from different vendors in a centralized way.

In most cases, SSO is implemented using the OpenID Connect (OIDC) protocol. OpenID Connect is an identity layer on top of OAuth 2.0, which allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.

Today, we'd like to introduce you to SCIM, the System for Cross-domain Identity Management. SCIM is a standard for automating the exchange of user identity information between identity domains, or IT systems. SCIM goes hand in hand with OpenID Connect and can greatly improve the user experience and security of your SSO implementation.

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows an application (OIDC client) to verify the identity of the end-user based on the authentication performed by an identity provider (OIDC server). Once the user is authenticated, the client can obtain name value pairs of user information (OIDC claims) from the identity provider in a standardized way.

OpenID Connect is designed to be easy to use and implement, and it is widely supported by many identity providers and client libraries. It is also extensible, which means that you can add custom claims and scopes to the standard OIDC flow.

That said, OpenID Connect by itself is not a complete solution to manage user identities across multiple applications. It is focused on the authentication part of the SSO process, but it does not provide a standardized way to manage user identities and their attributes across different applications.

Here are some examples of what OpenID Connect is lacking:

• if a user changes their email address in one application, this change is not automatically propagated to other applications
• if a user is deactivated in one application, this change is not automatically propagated to other applications
• if a user is added to a group in one application, this change is not automatically propagated to other applications

In a nutshell, OpenID Connect is not actively synchronizing user identities, their attributes, and their permissions across different applications, it's really just about authenticating users.

When you deactivate a user, e.g. because they left the company or their account was compromised, you want to make sure that their session is terminated in all applications they had access to.

This is where SCIM comes into play.

Let's take a look at how we're using SCIM at WunderGraph to illustrate how it works. We're providing an API Management solution for GraphQL APIs, which comes with a dashboard where users can manage their APIs. Users need to sign in to access the dashboard, so we're using OpenID Connect to delegate the authentication to an identity provider like Okta, Auth0, AWS Cognito or Keycloak.

This works great but has some limitations. For example, it's common that different teams within a company own different Subgraphs (GraphQL Microservices). Only a user on the same team should have the permission to manage the Subgraph, e.g. updating the GraphQL Schema, which is equivalent to updating the contract of the API.

When a user joins a team, or gets access to a new Resource, we'd like to automatically grant them the necessary permissions. On the other hand, employees might also change teams or leave the company, in which case we'd like to automatically revoke their permissions.

If we're simply using OpenID Connect, we'd have three options to manage permissions:

1. manage permissions manually in the dashboard
2. revoke their session so that they have to sign in again to get the updated permissions
3. implement a custom solution to synchronize permissions across applications

Option 1 is not scalable and error-prone. Option 2 is not user-friendly and can lead to security issues. What if the sign-out doesn't work properly? What if a user login gets compromised and we're not able to force a sign-out? Option 3 sounds like a possible solution, but we'd have to implement such a "bridge" for every identity provider we support.

This is where SCIM comes into play. SCIM standardizes the solution to Option 3. Here's how it looks like in our example.

There are three main events that trigger a SCIM operation:

1. User is added to the SCIM application (provisioning)
2. User is updated in the SCIM application (update)
3. User is removed from the SCIM application (deprovisioning)

For each of these events, the Identity Provider sends a request to the SCIM application, which needs to implement the SCIM API protocol to handle these requests.

To handle these requests, the SCIM application needs to implement the following endpoints:

• POST /Users/<user-id>
• PUT /Users/<user-id>

When these endpoints are called, we're updating the user's permissions in our system, e.g. by allowing them to manage a Subgraph or revoking their permissions.

According to the BetterCloud State of SaaS Ops 2023 Report , the average company uses 130 SaaS applications on average.

This means that a company has to manage user identities across all these applications, which can be a daunting task if done manually. SSO is no longer a nice-to-have feature or something that only large enterprises need, it's essentially becoming the baseline for modern SaaS applications and the default for Enterprise software.

SCIM plays a crucial role in this context, as it facilitates the synchronization of user identities, their attributes, and their permissions across all these applications. It allows companies to automate the onboarding and offboarding of employees, as well as the management of user permissions across different applications.

In summary, if you're building a SaaS application that targets companies or enterprises, you should consider implementing SCIM in addition to OpenID Connect to provide a seamless and secure SSO experience for your users.

We've introduced you to SCIM, the System for Cross-domain Identity Management, and explained how it works alongside OpenID Connect. We've discussed the different responsibilities of OpenID Connect and SCIM, and how both protocols can be used together to provide a seamless and secure SSO experience for your users.

We've also shown you a practical example of how we're using SCIM at WunderGraph, and shared some insights on how to implement SCIM in your own application.

I think it's time to level up your SSO game. With the ever-increasing number of SaaS applications and the complexity of managing user identities across different applications, SCIM is becoming an essential part of any SSO implementation.