What is SCIM and How Does It Work with Komodor?

What is SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard protocol for automating user identity management across applications. When configured, it allows your Identity Provider (IdP) to automatically create, update, and remove user accounts in Komodor based on changes in your directory.

This removes the need to manage users manually inside Komodor. When someone joins your organization, changes roles, or leaves, their Komodor access is updated automatically through your IdP.


How Does It Work?

When SCIM is configured, your IdP pushes user and group changes to Komodor through a secure API. This includes adding a user, updating a profile, or deactivating an account.

Here is what gets synced:

User Provisioning
When a user is assigned to the Komodor application in your IdP, an account is automatically created for them in Komodor. No manual steps required.

Profile Updates
Changes to a user's profile in your IdP (name, email, etc.) are synced to Komodor automatically.

User Deprovisioning
When a user is removed from the Komodor application or deactivated in your IdP, their access to Komodor is revoked. This ensures that former employees or contractors do not retain access after offboarding.

Group and Role Sync
IdP groups can be mapped to Komodor roles, so role assignments are managed centrally from your IdP rather than set individually within Komodor.
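
The user provisioning, profile update and deprovisioning steps above, sketched as generic SCIM 2.0 messages (RFC 7643/7644) handled by a small in-memory receiver. This is an added example, not Komodor's API or code; the ScimReceiver class, its method names and the sample user are assumptions made for illustration.

```python
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimReceiver:
    """Hypothetical application side of a SCIM link (not Komodor's implementation)."""

    def __init__(self):
        self.users = {}  # SCIM id -> stored user resource

    def create_user(self, body):
        """POST /Users: the IdP assigned a user to the application."""
        name = body.get("userName")
        if USER_SCHEMA not in body.get("schemas", []) or not name:
            return 400, {"detail": "core User schema and userName are required"}
        if any(u["userName"] == name for u in self.users.values()):
            return 409, {"detail": "userName already exists", "scimType": "uniqueness"}
        user = dict(body, id=str(uuid.uuid4()), active=body.get("active", True))
        self.users[user["id"]] = user
        return 201, user

    def patch_user(self, user_id, body):
        """PATCH /Users/{id}: profile update or deactivation, applied atomically."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, {"detail": "missing PatchOp schema"}
        if user_id not in self.users:
            return 404, {"detail": "unknown user"}
        updated = dict(self.users[user_id])  # work on a copy, commit only on success
        for op in body.get("Operations", []):
            # Compare the op name case-insensitively; this sketch handles replace only.
            if op.get("op", "").lower() != "replace" or "path" not in op:
                return 400, {"detail": "only replace with a path is handled here"}
            updated[op["path"]] = op["value"]
        self.users[user_id] = updated
        return 200, updated

    def may_log_in(self, user_name):
        """Access check: only an existing, active account passes."""
        return any(u["userName"] == user_name and u["active"]
                   for u in self.users.values())

# Constructed sample messages, in the order an IdP would push them.
PROVISION = {"schemas": [USER_SCHEMA], "userName": "dana@example.com",
             "name": {"givenName": "Dana", "familyName": "Lee"}}
RENAME = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "path": "displayName", "value": "Dana L."}]}
DEPROVISION = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Replace", "path": "active", "value": False}]}
```

Deprovisioning here is a PATCH that sets active to false rather than a delete, so the account record stays available for audit while may_log_in rejects it.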


SCIM vs. SSO

SCIM and SSO are often deployed together but serve different functions:

| | SSO (SAML) | SCIM |
|---|---|---|
| Purpose | Controls how users authenticate and log in | Controls whether user accounts exist and what access they have |
| Triggered by | A user attempting to sign in | Changes made in your IdP (add, update, remove) |
| Requires user action | Yes | No, runs automatically in the background |

Using both together gives you full lifecycle management: SSO handles login, SCIM handles provisioning and deprovisioning.


Why Use SCIM with Komodor?

  • Faster onboarding: New team members get Komodor access automatically as soon as they are added in your IdP.
  • Reliable offboarding: Access is revoked immediately when a user is removed in your IdP, with no manual cleanup needed in Komodor.
  • Centralized access control: Manage all Komodor user access from your existing IdP without logging into Komodor to make individual changes.
  • Role consistency: Role assignments stay aligned with your organization's structure and update automatically as it changes.

Supported Identity Providers

Komodor supports SCIM provisioning with the following Identity Providers:


Getting Started

  • Currently evaluating Komodor? Reach out to your account team and they will be happy to walk you through the setup process.
  • Existing customer? Contact Komodor Support, and we will help get you configured.
