It’s crucial to understand some essential concepts related to IAM, like SSO, SCIM, and SAML, before delving deeper into setting up a system that works for your company. Here’s an overview of the three technologies:
Single Sign-On (SSO) is a user authentication service allowing the use of one set of login credentials to access multiple applications, eliminating the need to remember multiple passwords and reducing the risk of password theft.
System for Cross-domain Identity Management (SCIM) is a protocol for the automated provisioning and deprovisioning of user identities across different systems and applications. This saves organizations time and resources by removing the need to manually manage user identities and access in each system. By automatically updating a user's profile and privileges to reflect status changes, SCIM keeps data protected and least privilege access enforced. For example, when an employee leaves the company, the off-boarding this triggers uses SCIM to automatically deprovision the user so they no longer have rights to access apps and data. SCIM is also important for overall access governance.
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between different systems. SAML grants access to an application only once the user has correctly authenticated. It can be used to implement SSO, as well as other security features like multi-factor authentication.
Let’s dive in a bit deeper into each of them and also how they compare to one another.
Both SCIM (System for Cross-domain Identity Management) and SAML (Security Assertion Markup Language) are useful protocols in the identity management ecosystem. They share the common goals of enhancing security and streamlining the management of user access and privileges, but they differ in their applications: SCIM is primarily focused on managing and governing user identity information across different systems, whereas SAML is designed to facilitate authentication and single sign-on (SSO) across domains. Together, they create a secure and efficient identity management system that enforces least privilege access rights.
SCIM and SAML can be used as complementary protocols to achieve holistic identity and access management: SAML authenticates users, while SCIM provisions and deprovisions users and licences. Whereas SAML confirms who a user is, SCIM ensures that those users are current employees and that their privileges properly reflect their roles and departments.
User accounts within a system can be created, updated, and deleted; this process is known as provisioning. When provisioning events happen, they must be synced across multiple applications and systems. For example, the HR system lets the IAM system know when a new user joins and which team they join, which determines how the user profile is set up. Often, account provisioning also affects user groups and group memberships. The goal is an automated provisioning process, but provisioning may also be performed manually; manual provisioning is seen in smaller companies or where on- and off-boardings are infrequent. Ideally, provisioning and deprovisioning are automated so that employee authentication and privileges are quickly and accurately reflected in the workplace.
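As an added example (not from the original article), here is what the SCIM-driven off-boarding described above looks like in SCIM 2.0 terms: the leaver event becomes PatchOp messages that set `active` to false and remove the user from every group, so no stale entitlements survive. The in-memory store, the user `u-100`, the address `alice@example.com` and the group names are constructed sample data, and only the subset of RFC 7644 PATCH needed for this case is implemented.

```python
"""Offboarding with SCIM 2.0 PatchOp messages (added example, not from the article).
Assumptions: an in-memory dict stands in for a SaaS app's SCIM endpoint, and only
the RFC 7644 PATCH subset needed here is implemented (replace a top-level attribute,
remove a group member through the filter path members[value eq "<id>"])."""
import copy
import re

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')

# Constructed sample data: one leaver (u-100) who is a member of two groups.
USERS = {"u-100": {"id": "u-100", "userName": "alice@example.com", "active": True}}
GROUPS = {
    "g-1": {"id": "g-1", "displayName": "Finance", "members": [{"value": "u-100"}]},
    "g-2": {"id": "g-2", "displayName": "Everyone",
            "members": [{"value": "u-100"}, {"value": "u-200"}]},
}

def apply_patch(resource, body):
    """Apply a SCIM PatchOp body to a copy of `resource`; reject anything unsupported."""
    if body.get("schemas") != [PATCH_OP]:
        raise ValueError("not a SCIM PatchOp message")
    out = copy.deepcopy(resource)
    for op in body["Operations"]:
        kind, path = op["op"].lower(), op.get("path", "")
        if kind == "replace" and "[" not in path:
            out[path] = op["value"]   # e.g. {"op": "replace", "path": "active", "value": False}
        elif kind == "remove" and (m := MEMBER_FILTER.match(path)):
            out["members"] = [x for x in out.get("members", []) if x["value"] != m.group(1)]
        else:
            raise ValueError(f"unsupported operation: {op}")
    return out

def is_member(group, user_id):
    return any(m["value"] == user_id for m in group.get("members", []))

def offboard(user_id, users, groups):
    """Deactivate the leaver (keeps the audit trail, unlike DELETE) and strip every group."""
    deactivate = {"schemas": [PATCH_OP],
                  "Operations": [{"op": "replace", "path": "active", "value": False}]}
    users[user_id] = apply_patch(users[user_id], deactivate)
    for gid, group in groups.items():
        if is_member(group, user_id):
            leave = {"schemas": [PATCH_OP], "Operations": [
                {"op": "remove", "path": f'members[value eq "{user_id}"]'}]}
            groups[gid] = apply_patch(group, leave)
    # Return the updated user plus any group that still lists them (expected: none).
    return users[user_id], [g["displayName"] for g in groups.values() if is_member(g, user_id)]

if __name__ == "__main__":
    print(offboard("u-100", USERS, GROUPS))
```

In a real deployment the identity provider sends these same PatchOp bodies over HTTPS to each application's `/Users/{id}` and `/Groups/{id}` endpoint; the returned list of remaining memberships is the check a reviewer would want to see empty after every off-boarding.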
Companies that need to ensure that access control is enforced and least privileged access rights are applied may want to implement both SCIM and SAML. However, a smaller organization may choose to initially implement SAML SSO to optimize productivity and secure access.
SAML, however, often requires manually managing user permissions and offboarding/deleting user accounts as employees leave or move to different departments. Later, the addition of SCIM provisioning provides full automation and visibility of everyone's access and permissions.
SSO Disadvantages:
SAML Disadvantages:
SCIM Disadvantages:
Overall, provisioning via SCIM and SSO often comes with a significant price tag and a difficult implementation. With tools like Okta, the cost per user might end up between 15€ and 18€ per month, on top of thousands of Euros paid to vendors for the tier that includes SSO. The search for alternatives to Okta quickly becomes a priority when mid-size companies start paying high five-digit sums for their IAM system (read further to see what IAM tool might be a better solution than Okta).
Small and mid-size organisations with only a few hundred users, in particular, often struggle to use SCIM and SAML efficiently. Alternatives like Okta deliver this service, but with a significant price tag and a complex implementation. Corma is an alternative to a SCIM implementation for user account provisioning and deprovisioning: it automatically provisions users for several hundred applications and connects with Identity Providers like Google Workspace, Microsoft 365, and Okta.
Corma can handle access requests and approvals for SaaS apps via Slack. With a custom workflow builder it is easy to set up custom approval flows based on users and apps. Corma does this through APIs, so SaaS apps can be added as needed.
Corma offers a plug-and-play solution to non-enterprise organizations that use a wide variety of SaaS applications. It’s also useful for larger enterprises that rely on SCIM, but struggle with large numbers of applications that don't support SCIM.