SCIM Playground

Appearance

How does SCIM relate to OpenID Connect

OpenID Connect and SCIM are both involved in sharing identity information between parties, but they serve different purposes and work in different ways.

OpenID Connect (OIDC) is an authentication protocol built on top of OAuth 2.0. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server. OIDC also provides basic profile information about the end-user in an interoperable and REST-like manner, like SCIM, but somewhat more limited.

OpenID Connect Profile for SCIM Services

The OpenID Connect Profile for SCIM Services is a specification that defines how OpenID Connect (OIDC) relying parties can discover, register for, and access SCIM services as part of an OpenID Provider's (OP) services.

This specification extends the standard OIDC Discovery metadata to include a reference to a SCIM /Me endpoint. This endpoint is similar to the OIDC userinfo endpoint, but it provides a richer data set and offers better control over the output.

Here's a more detailed explanation:

  • Discovery: The specification defines how OIDC relying parties can discover SCIM services. This is typically done through the OIDC Discovery document, which is a JSON document that an OP publishes at a well-known URL. The Discovery document contains key-value pairs that provide details about the OP's configuration, including its SCIM services.

  • Registration: The specification also defines how OIDC relying parties can register for SCIM services. This is usually done through dynamic client registration, where the relying party sends a registration request to the OP's registration endpoint.

  • Access: Once registered, the OIDC relying party can access the SCIM services. This is done by making requests to the SCIM /Me endpoint, which returns information about the authenticated end-user. The /Me endpoint is similar to the OIDC userinfo endpoint, but it provides a richer set of attributes and allows the client to specify which attributes it wants to receive.

The OpenID Connect Profile for SCIM Services provides a standardized way for OIDC relying parties to discover, register for, and access SCIM services.