SCIM, the protocol that takes directory synchronisation further!
We are very proud to announce that our products are now compatible with the SCIM protocol (System for Cross-domain Identity Management, specified in RFC 7643 and RFC 7644). No more tedious CSV synchronisation! SCIM is an industry standard for automating user and group provisioning and deprovisioning from identity providers (IdPs).
Isn't it already too complicated? Don't panic, we'll explain it all to you calmly!
SCIM, a complementary standard to the SAML protocol
Let's start with what SCIM is not: an authentication protocol.
Indeed, Instant Suite already relies on a standard authentication protocol: SAML. As a reminder, SAML authenticates users via their IdP (Identity Provider) in order to sign them in to Instant Suite, creating their account automatically on first login if it does not exist yet.
A complete article on the subject is available, so feel free to read it again for more information.
SCIM differs from SAML in that it pushes a user's new or updated data to Instant Suite as soon as it changes in the IdP, without waiting for the user to log in to Instant Suite for their information to be refreshed.
Properly configured, SCIM and SAML are therefore complementary: together they offer an almost seamless experience for users and, above all, real comfort for administrators.
A standard with high added value
Shared and transmitted information can be controlled as desired
SCIM is therefore only about synchronising information, but with very fine-grained control over that synchronisation: who gets what?
Thus, the IdP administrator will be able to precisely define, from their IdP, which information must be transmitted to which Service Provider. Microsoft has summed it up perfectly in this diagram:
The administrator can also define how often this information is transmitted. This is a big advantage over SAML, since with the latter the user's attributes only reach Instant Suite when that user logs in. With SCIM, the IdP pushes the changes for every user and group in scope on its own schedule, automatically and in bulk.
This allows you to provision your accounts in advance.
Automatic employee creation and deletion
But this notion of user "creation" cannot be dissociated from that of "deletion". In other words: how do we manage turnover within the company and, more importantly, all the access that goes with it? With SAML alone, a leaver simply stops being able to log in, while their account and personal data remain on the Service Provider. From now on it is the IdP, via SCIM, that instructs Instant Suite to deactivate, delete or anonymise the accounts of employees who are no longer part of the workforce, thus guaranteeing maximum GDPR (RGPD) compliance.
Simplified user group synchronisation
Finally, let's look at user groups. An organisation may need to categorise its users in different ways depending on the situation. Sometimes in a "natural" way: the organisation chart of the company, the hierarchical relationships, the distribution by site. Or in a more "operational" way for very specific use cases: the workplace first-aid representatives on the 2nd floor, the local administrators of the Toulouse site, etc. All these examples of groups can now be transmitted directly to Instant Suite.
In short, you do the work once in your IdP and the rest is automated! Moreover, you ensure that the information is the same everywhere.
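To make the attribute filtering, the creation, deactivation and anonymisation of users, and the group synchronisation described above concrete, here is an added example (illustration only, not Instant Suite's implementation): a minimal in-memory SCIM 2.0 service-provider endpoint in Python that handles the calls an IdP would make. The bearer token, the attribute allow-list and the anonymisation rule on DELETE are assumptions made for the example; the request shapes (a PatchOp carrying `active` either under a `path` or inside a `value` object, group member removal addressed as `members[value eq "..."]`) are the forms used by SCIM 2.0 and by common IdPs.

```python
"""Minimal in-memory SCIM 2.0 service-provider endpoint.

Added illustration, not Instant Suite code. handle() simulates the HTTP
layer: it takes (method, path, headers, body) and returns (status, body).
"""
import hmac
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

BEARER_TOKEN = "constructed-example-token"  # assumption: the secret configured on the IdP side
ALLOWED_USER_ATTRS = {"userName", "externalId", "name", "emails", "active"}  # assumed SP allow-list

users: dict = {}   # id -> SCIM User resource
groups: dict = {}  # id -> SCIM Group resource

def _error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

def _as_bool(value):
    # Some IdPs send active as the string "False"; bool("False") would be True.
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"

def is_active(user_id):
    return users[user_id]["active"]

def member_ids(group_id):
    return {m["value"] for m in groups[group_id]["members"]}

def handle(method, path, headers, body=None):
    """Dispatch one SCIM request. Returns (http_status, response_body)."""
    auth = headers.get("Authorization", "")
    if not (auth.startswith("Bearer ") and hmac.compare_digest(auth[7:], BEARER_TOKEN)):
        return _error(401, "invalid bearer token")  # every call is authenticated, not just the first
    body = body or {}
    parts = path.strip("/").split("/")
    resource, rid = parts[0], (parts[1] if len(parts) > 1 else None)
    is_patch = PATCH_SCHEMA in body.get("schemas", [])

    if resource == "Users" and method == "POST" and rid is None:
        name = body.get("userName", "")
        if not name:
            return _error(400, "userName is required")
        if any(u["userName"].lower() == name.lower() for u in users.values()):
            return _error(409, "userName already exists")  # IdPs retry on 409 instead of duplicating
        user = {k: v for k, v in body.items() if k in ALLOWED_USER_ATTRS}  # drop what we don't store
        user["active"] = _as_bool(user.get("active", True))
        user.update(id=str(uuid.uuid4()), schemas=[USER_SCHEMA])
        users[user["id"]] = user
        return 201, user

    if resource == "Users" and method == "PATCH" and rid in users:
        if not is_patch:
            return _error(400, "body is not a PatchOp")
        for op in body.get("Operations", []):
            # Two wire forms: {"path": "active", "value": false} or {"value": {"active": false}}
            changes = op.get("value") if op.get("path") is None else {op["path"]: op.get("value")}
            if op.get("op", "").lower() != "replace" or not isinstance(changes, dict):
                return _error(400, "only attribute replace is supported for Users")
            for attr, val in changes.items():
                if attr in ALLOWED_USER_ATTRS:  # unknown attributes are ignored
                    users[rid][attr] = _as_bool(val) if attr == "active" else val
        return 200, users[rid]

    if resource == "Users" and method == "DELETE" and rid in users:
        # Leaver: keep the opaque id for the audit trail, strip personal data, block login,
        # and drop the user from every group so no group-based right survives.
        users[rid] = {"schemas": [USER_SCHEMA], "id": rid,
                      "userName": f"anonymised-{rid}", "active": False}
        for g in groups.values():
            g["members"] = [m for m in g["members"] if m["value"] != rid]
        return 204, None

    if resource == "Groups" and method == "POST" and rid is None:
        members = [{"value": m["value"]} for m in body.get("members", []) if m.get("value") in users]
        group = {"schemas": [GROUP_SCHEMA], "id": str(uuid.uuid4()),
                 "displayName": body.get("displayName", ""), "members": members}
        groups[group["id"]] = group
        return 201, group

    if resource == "Groups" and method == "PATCH" and rid in groups:
        if not is_patch:
            return _error(400, "body is not a PatchOp")
        current = member_ids(rid)
        for op in body.get("Operations", []):
            kind, p = op.get("op", "").lower(), op.get("path") or ""
            by_filter = re.fullmatch(r'members\[value eq "([^"]+)"\]', p)
            if kind == "add" and p == "members":
                current |= {m["value"] for m in op.get("value", []) if m.get("value") in users}
            elif kind == "remove" and by_filter:
                current.discard(by_filter.group(1))
            elif kind == "remove" and p == "members":
                current -= {m["value"] for m in op.get("value", [])}
            else:
                return _error(400, f"unsupported group operation {kind} {p}")
        groups[rid]["members"] = [{"value": uid} for uid in sorted(current)]  # applied only if all ops succeed
        return 200, groups[rid]

    return _error(404, "no such resource")
```

Three details matter in practice: every request is checked against the bearer token with a constant-time comparison, since the IdP will call this endpoint with the same long-lived secret for years; the `active` flag is normalised because some IdPs send it as the string `"False"`, which a naive `bool()` would turn into an active account; and a DELETE both anonymises the record and removes the user from all groups, so no group-derived permission outlives the employee.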
Going further into future uses
Looking ahead, this major upgrade of the Instant Suite platform opens the door to future Flex Office use cases such as:
- The IdP says: "User Kim is Bob's manager". Instant Suite then automatically understands that "Kim has specific rights, such as viewing and editing Bob's statements of attendance".
- The IdP says: "User Peng belongs to the Lyon site marketing department". Instant Suite then automatically understands that "User Peng can only view and book offices from the Lyon site, in the area assigned to the marketing department".
SCIM at a glance
With the standardised SCIM protocol you can:
- Carry out each action only once, on your IdP; the information is then propagated automatically and in bulk
- Automate the deactivation or deletion of accounts
- Control which attributes are shared with each Service Provider
- Synchronise your user groups
SCIM is supported by the vast majority of IdPs on the market (Azure AD, now Microsoft Entra ID; Okta; Google; etc.).
The full list is available here: http://www.simplecloud.info/#implementations
Note, however, that AD FS does not support SCIM: Microsoft provides SCIM provisioning through Azure AD instead.
Implementing SCIM requires joint work between your IdP management teams and our Service Delivery team.
Contact your Key Account Manager or our Support as soon as possible if you wish to implement such a synchronisation!