Learn more about SCIM

System for Cross-domain Identity Management (SCIM) enables automated user and group lifecycle management between your identity provider (IdP) and your DigiCert® account, DigiCert’s unified single sign-in experience.

When SCIM is enabled, your IdP becomes the source of truth for users and groups in DigiCert services. SCIM works alongside or without single sign-on (SSO) to ensure users and groups are created, updated, and removed automatically without manual administration in DigiCert. SCIM works independently of how users authenticate.

What can SCIM manage?

SCIM allows you to centrally manage:

  • User creation and updates

  • User removal or access revocation (deprovisioning)

  • Group creation and updates

  • Group membership management

Tip

SCIM doesn’t manage role or service access assignments. Role assignment isn’t supported through the IdP.

How does SCIM work?

SCIM provisions users and groups into your DigiCert® account. After they’re provisioned, role and service access assignments are managed within DigiCert. Roles can be assigned to groups in DigiCert, and users inherit access based on their group membership.

  1. A user or group is created, updated, or removed in your IdP, such as Okta or Microsoft Entra ID.

  2. The IdP sends a SCIM request to your DigiCert® account to provision, update, or deprovision the user or group, including group membership changes.

  3. Your DigiCert account provisions or updates the corresponding user and group records and applies membership changes to keep them synced with your IdP.

  4. Groups provisioned from your IdP remain synced with your IdP and can’t be modified in DigiCert for user details or membership. However, you can assign service access and user roles to those groups. All users in a group inherit the roles and service access assigned to that group.

  5. Changes are reflected automatically and consistently across linked DigiCert services.
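To make the exchange in steps 1 to 5 concrete, here is an added example (not DigiCert’s code or API) that models the DigiCert-side handling of SCIM 2.0 messages: the IdP creates users and groups, changes membership with RFC 7644 PatchOp operations, and deprovisions users, while roles are assigned locally to groups and inherited by members. All ids, user names, and role names are constructed for the example.

```python
import uuid

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimStore:
    """Service-provider side: users and group membership are owned by the IdP, roles are local."""

    def __init__(self):
        self.users = {}   # id -> {"userName": str, "active": bool}
        self.groups = {}  # id -> {"displayName": str, "members": set, "roles": set}

    def create_user(self, body):  # IdP: POST /Users
        uid = str(uuid.uuid4())
        self.users[uid] = {"userName": body["userName"], "active": body.get("active", True)}
        return uid

    def create_group(self, body):  # IdP: POST /Groups (members usually follow via PATCH)
        gid = str(uuid.uuid4())
        self.groups[gid] = {"displayName": body["displayName"], "members": set(), "roles": set()}
        return gid

    def patch_group(self, gid, body):  # IdP: PATCH /Groups/{id}, RFC 7644 section 3.5.2
        if PATCH_OP not in body.get("schemas", []):
            raise ValueError("not a SCIM PatchOp message")
        grp = self.groups[gid]
        for op in body["Operations"]:
            kind, path = op["op"].lower(), op.get("path", "members")  # IdPs vary in op casing
            if kind == "add" and path == "members":
                grp["members"].update(m["value"] for m in op["value"])
            elif kind == "remove" and path.startswith('members[value eq "'):
                grp["members"].discard(path.split('"')[1])
            else:
                raise ValueError(f"unsupported operation: {op}")

    def deprovision_user(self, uid):  # IdP: DELETE /Users/{id}
        self.users.pop(uid)
        for grp in self.groups.values():
            grp["members"].discard(uid)  # no lingering membership once the IdP removes the user

    def assign_role(self, gid, role):  # DigiCert admin action: roles exist only on this side
        self.groups[gid]["roles"].add(role)

    def effective_roles(self, uid):  # a user inherits the roles of every group they belong to
        if uid not in self.users or not self.users[uid]["active"]:
            return set()
        return set().union(*(g["roles"] for g in self.groups.values() if uid in g["members"]))
```

A user removed from a group by the IdP loses that group’s roles immediately, and a deprovisioned user has no roles at all, which is the access-revocation guarantee SCIM provides.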

Supported identity providers

DigiCert® account supports SCIM integration with common enterprise IdPs, including:

  • Okta

  • Microsoft Entra ID (formerly Azure AD)

What is the difference between SSO and SCIM?

SCIM and SSO are independent capabilities within DigiCert® account.

  • SSO controls how users authenticate when signing in.

  • SCIM manages user lifecycle events, such as provisioning, updates, and deprovisioning.

Tip

You can enable either or both of these capabilities; however, both SCIM and SSO are recommended for most enterprise environments.

About groups used for SCIM provisioning

SCIM provisioning for DigiCert® account relies on groups in your IdP to manage user access. You can use existing groups or create new groups for DigiCert® account.

Before assigning groups to the SCIM application, ensure that:

  • The group exists in your IdP

  • The group contains the users who require the same services and user roles