What is a SCIM Schema?

by Alexandre Dedourges, DevSec

SCIM (System for Cross-domain Identity Management) schemas are representations of a model. They are mainly used to represent users, groups... The RFC 7643, which we will see later, is a document describing these schemas in more detail. The format commonly used to represent these data schemas is JSON (JavaScript Object Notation). These schemas allow for a standardization of identity data which makes the use of SCIM possible. 

A few reminders about SCIM

The System for Cross-domain Identity Management is a protocol created in 2011. It was created following the influx of SSO (Single Sign-On) that was coming. Three RFCs  (Request For Comments) have also been created about it by the Internet Engineering Task Force (IETF): RFC 7642, 7643 and 7644. These three documents provide more details about the use of the SCIM protocol. The first one offers a use-case, the second one focuses specifically on the schemas and the third one on the protocol. SCIM allows you to manage cloud application identities. For example, if your company needs the services of company A and company B, the use of SSO coupled with SCIM would be a good idea. Indeed, the SSO will allow you to authenticate yourself on the application of company A and company B with a single login. The SCIM protocol will allow the communication of identities between the different actors. In other words, it represents resources (users, groups, ...) in a standardized way. 

The objectives of SCIM

The main objective of SCIM is to simplify the provisioning and deprovisioning of users. User provisioning or account provisioning is used to create, modify, deactivate and delete user accounts and their profiles in an IT infrastructure or any other application linked to this infrastructure. 

Moreover, it saves time and money for the companies that use it. Indeed, it reduces the cost and complexity of user management. The IT teams can therefore devote themselves to other tasks. Nevertheless, before implementing an SCIM, it is important to understand some notions.

A few notions before starting

After a quick review of SCIM and its advantages, we will study it in more detail. However, if you want to review the basics in more details, do not hesitate to consult our SCIM introduction article.

In this article we will focus on the SCIM Core Schema. As the name implies, a schema is nothing more than a simplified representation of an object. 

Nevertheless, before going any further, it is necessary to define two important notions: the SCIM service provider and the customer. 

**The SCIM service provider **is a Web application (HTTP). This web application will provide the identity information through the SCIM protocol. It will provide the identity information, when necessary, to the applications that need it.

**The client **is the application that made an HTTP SCIM request to the Service Provider in order to query the Service Provider or to manage the identity data it holds.

There are several types of requests called "methods". These methods will allow the client to perform different types of operations on the CRUD principle (Create, Read, Update, Delete).

CRUD and HTTP Method

The current version of SCIM is version 2.0 and is based on an object model. Resources are the core element of SCIM and all other elements are derived from these resources. Everything that can be managed by the SCIM service provider is a resource. Moreover, these resources are JSON objects, each of these objects can contain one or more attributes and these attributes can belong to one or more schemas.

Indeed, most of the time, a User resource contains attributes defined in the User and EnterpriseUser schemas 

User and EnterpriseUser schemas

To summarize, our resources will contain attributes that will be defined in one or more schemas. 

Resources and attributes

Resources are therefore important elements of the SCIM protocol. Each of these resources has attributes. Let's take the example of a user. Users are the "objects" that you will have to deal with most of the time. In SCIM, a user will be considered as a resource. This kind of resource has attributes that come up frequently, such as name, first name, e-mail address... This group of attributes will therefore define our User. 

Taking the example of a user, their schematic representation would be as follows:

Example of user

In order to be used everywhere in the same way, the resources are all in JSON format. The representation of our "User" object in JSON would therefore look like this:

User object in JSON

But what about the other attributes that could be specific to a particular application? This is where the EnterpriseUser comes in, it is a complement to our User that will contain other attributes that will be specific to applications. For example, if an application needs to know the native language of a user, then this attribute "native language" will belong to the EnterpriseUser schema.

But there are also other attributes common to resources such as Id, externalId and meta. These three attributes are attributes that can be found in the majority of SCIM resources. 

  • The id represents a unique identifier for a SCIM resource as defined by the service provider. This attribute is mandatory and will always be present.

  • The externalId represents a string that is an identifier for the resource as defined by the client. This attribute is optional.

  • Meta which represents a complex attribute containing metadata of the resource. Like the creation date, the modification date... This attribute is a mandatory attribute.

The SCIM Schemas

Schemas represent a collection of attribute definitions, they allow us to describe the content of our resources. These schemas, like resources, are represented as JSON objects. 

Here is an example of schema, provided by the Internet Engineering Task Force :

Example of schema

In this schema we can see that attributes are defined by several parameters like 'required', 'mutablity'...

The definition of attributes

The definition of attributes will allow us to define our attributes, to know their characteristics. Thus, the attributes we define in our resources will have to match the definition we have given them. This is to ensure that our data conforms to our expectations and to avoid any errors.

According to RFC 7643, the SCIM protocol allows us to define the following parameters for the attributes:

  • "name"

  • "description"

  • "type"

  • "multiValued"

  • "required"

  • "canonicalValues"

  • "caseExact"

  • "mutability"

  • "returned"

  • "uniqueness"

  • "subAttributes" (only in case the resource is a complex resource, i.e. an attribute is composed of several sub-attributes)

  • “referencesTypes”

Let's go back to our previous example and focus only on the attribute definitions.

Attributes definitions
  • Here the value contained in "name" represents the name of the attribute

  • The "type" variable represents the type of data (here a string) which corresponds to a character string.

  • The "multiValued" field which indicates if an attribute contains one or more values.

  • The "description" field which provides a short description of the attribute

  • The "required" field which specifies whether an attribute must be filled in or not.

  • The "caseExact" field which specifies if a value is case sensitive or not (Example: If "Hello" = "hello" or not)

  • The "mutability" field: unique keyword (readWrite, readOnly, immutable, writeOnly) indicating the circumstances in which the attribute value can be redefined.

  • The "returned" field: a single keyword (always, never, default, request) that indicates when an attribute and associated values are returned in response to a GET request or in response to a PUT, POST or PATCH request.

  • Finally the "uniqueness" field: unique keyword (none, server, global) which specifies how the service provider applies uniqueness to attribute values.

The last two possible parameters are "canonicalValue" and "referencesTypes", but are not present in our example.

The "canonicalValue" parameter can be used to specify values that could be used in our attribute. For example the "canonicalValue" of a "Nationality" attribute would be: "French", "German"...

The "referencesTypes" parameter represents a multi-valued array of JSON strings that indicate the types of SCIM resources that can be referenced (SCIM resource, external value, uri).

The different types of attributes

The different types of attributes

SCIM schemas, a set of rules to avoid errors.

As we have seen, SCIM schemas are very useful in the implementation of the SCIM protocol. Indeed, they allow us to define the resources thanks to "rules". These rules allow us to make sure that our resource is compliant and does not contain any errors. So schemas will be a great asset in the implementation of your SCIM!

So, ready to learn more about SCIM? We tell you more at Cryptr!

Add enterprise SSO for free

Cryptr simplifies user management for your business: quick setup, guaranteed security, and multiple free features. With robust authentication and easy, fast configuration, we meet businesses' security needs hassle-free.

More articles

SAML vs SSO: Differences between SSO and SAML authentication

Uncover the key differences between SAML vs SSO in user authentication. How SAML enables SSO and their roles in enhancing identity security and login processes

Read more

A guide of Magic Link Login for Passwordless Authentication

Unlock passwordless authentication with email magic links! boost security and user experience. Discover our comprehensive guide to email magic link login

Read more