SAML vs. SCIM: What's the Difference?
Intro
Okay, so let's admit that identity feels more complicated than it has to be. If you're feeling confused, you're not alone. We hear this all the time. There are way too many acronyms. Explainers are way too in-the-weeds.
I'll try to clear up one common source of confusion: what's the difference between SAML and SCIM?
The context
How big companies handle identity
Imagine a big company. We'll call it MegaCorp. It has thousands of employees across different divisions. Each of those employees needs to use a bunch of different SaaS apps to do their jobs. For example, the accounting team needs to access accounting software -- but they don't need admin privileges for the software that HR uses to drive annual performance reviews.
It is very easy to imagine things getting chaotic. Who has access to what?
The IT teams at big companies like MegaCorp use specialized software applications called identity providers (IDPs) to manage things, minimize the chaos, and ensure a reasonably sound security posture.
What corporate identity providers do
IDPs behave a bit like databases. Internally, IDPs maintain lists of employees, lists of software applications, and mappings that establish employees' entitlements in different software applications.
In addition to that database-esque functionality, IDPs enforce users' access to systems. They do this in basically two ways.
- IDPs sit between users and software applications. Users need to authenticate via IDPs to access software applications (i.e., via single sign-on).
- Speaking very loosely, IDPs continually update software applications with information about their users. Any time data changes in an IDP, it broadcasts that change to different software applications.
Role 1 above is basically the function of SAML.
Role 2 above is basically the function of SCIM.
What is SAML?
SAML stands for "Security Assertion Markup Language." I won't go into much detail here, but you need to know basically two things about SAML:
- It's a really complicated and confusing protocol that very few people understand deeply.
- It's used almost exclusively to drive enterprise single sign-on for SaaS applications.
Corporate identity providers sit between users and software applications. Users authenticate to (i.e., log into) the IDP, which then passes information about users' successful authentication into software applications. It's basically like the IDP passes a secret note to a software application, saying, "This is John Doe. Trust me."
That communication between the IDP and software applications uses the SAML protocol.
If you want to dig in deeper, you can check out my SAML explainer.
What is SCIM?
Above, I mentioned that identity providers keep software applications up to date. They continually pass information about users into software applications. These update communications use a standardized protocol called SCIM (the System for Cross-domain Identity Management).
SCIM is actually not that complicated. It makes three things possible:
- Provisioning: when a corporate IT team 'assigns' a user to a given application, the IDP instructs that software application to create a user account. For example, if you get hired at a new company, it's reasonably likely that the company will create your Slack account over SCIM.
- Deprovisioning: when people leave companies, they need to be removed from software applications. SCIM makes it easy for a corporate identity provider to issue bulk communications that effectively say "shut down this user's account."
- Updates: this is the least important thing that SCIM does, but it makes it easy
There are some subtle details involved with real-world implementations, but we're basically just talking about CRUD operations.
If you want to learn more, you should read my SCIM explainer.
Wait, but can't SAML also provision users?
In short, yes! SAML can provision new users from an identity provider into a software application. It therefore has a little bit of overlap with the things that SCIM can do.
It is not, however, a substitute for SCIM.
SAML can only provision new users exactly at the moment they log in. It's just-in-time (JIT) provisioning only. Users just kind of ... appear out of nowhere, like this:
By contrast, SCIM can provision users in bulk without requiring them to log in. It's a little more like this:
Moreover, SAML can't deprovision users. This is really the most important thing that companies rely on SCIM for.
Conclusions
SAML is the technology that makes single sign-on possible. SCIM is the technology that handles provisioning and deprovisioning actions from corporate identity providers. They have different roles.
However, we often see SAML and SCIM used together. There is a sense in which they're both parts of the same comprehensive integration between a software application and a corporate identity provider.
Tesseral
If you're a software developer trying to build out SAML and SCIM support for your application, you may want to consider Tesseral. Tesseral is open source auth infrastructure built specifically for B2B SaaS applications. It comes with everything you need to handle user identities at any scale, including out-of-the-box support for both SAML and SCIM.