An OCI Identity domain is a container of users, groups, their associated apps and security configurations.
Like many other Identity systems, an OCI Identity domain requires a user profile created before access is granted to a user.
OCI Identity domains support various options for bringing users in –
- SCIM APIs – SCIM-compliant REST APIs for inbound user provisioning and sync. SCIM is an open specification that standardizes user and group management across applications.
- Just In Time provisioning – A user profile is created at runtime when a user tries to login for the first time via SAML or OIDC.
- Other tooling like AD bridge, provisioning bridge, or the least recommended manual CSV import option.
So, many customers ask this question: “Should we use JIT or SCIM?”
Even though the end state seems to be the same, i.e., a user profile gets created in an Identity domain, and the user is allowed to access the end application, both these options are meant for solving different use cases.
JIT mostly helps solve some specific CIAM (Customer Identity and Access Management) use cases or Enterprise use cases wherein determining all the users accessing a system upfront is hard.
Consumer users often prefer to access any new application using their existing accounts from a third-party provider like Google/Facebook/Apple.
For example, a movie ticketing portal would want to make it easier for its consumers to sign in with their preferred login provider. Just in time provisioning makes perfect sense in this case. An end-user does not have to go through any additional user registration, enhancing the login experience.
In most enterprise use cases, where the enterprise already holds all the employee login and entitlement data and knows exactly who should be allowed to access which target systems, SCIM is the way to go. JIT does not support deactivating or deleting a user, and from a security and cost perspective this is a big gap for enterprise use cases.
Using SCIM, a customer can manage CRUD (Create, Read, Update, Delete) operations on users and groups in a target system like OCI Identity domains. You can also use SCIM to extend the schemas for your company’s users and groups. The SCIM specification defines a minimum set of attributes for the user schema, but this schema can be extended.
Identity domains also support storing credentials other than a password, such as an API key, in a user profile. If a customer uses JIT instead of SCIM and an employee who holds an API key leaves the organization, JIT leaves a stale user with an API key behind. That is a security risk! The user may no longer be able to log in to the OCI console, but will still be able to invoke OCI APIs and manage resources using the key.
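As an added example (not from the original post), this is the reconciliation step that SCIM makes possible and JIT lacks: compare the identity domain’s SCIM user list against the authoritative HR list, flag stale users that still hold API keys, and build the RFC 7644 PatchOp that deactivates each one. The ListResponse, HR list and API-key counts are constructed sample data, and the `/Users/{id}` path and the out-of-band key counts are assumptions.

```python
import json

# Constructed sample SCIM ListResponse, shaped like GET /Users per RFC 7644.
# All ids, names and states are made up for this example.
SCIM_USERS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 5,
    "Resources": [
        {"id": "u-100", "userName": "alice@example.com", "active": True},
        {"id": "u-101", "userName": "bob@example.com", "active": True},
        {"id": "u-102", "userName": "carol@example.com", "active": True},
        {"id": "u-103", "userName": "dave@example.com", "active": False},
        {"id": "u-104", "userName": "erin@example.com", "active": True},
    ],
}
# Constructed: number of API keys per user id, collected out of band (assumption).
API_KEYS_BY_USER = {"u-100": 2, "u-101": 0, "u-102": 1, "u-103": 1, "u-104": 0}
# Constructed: the authoritative HR list of current employees.
HR_ACTIVE = {"alice@example.com", "bob@example.com"}


def deactivate_patch():
    """SCIM PatchOp body (RFC 7644 section 3.5.2) that sets active=false.
    Sent as PATCH /Users/{id}; this is the lifecycle step JIT cannot do."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def find_stale_users(list_response, hr_active, api_keys):
    """Return users still active in the domain but absent from the HR source,
    each with the patch to send and an API-key risk flag, riskiest first."""
    stale = []
    for user in list_response["Resources"]:
        if not user["active"] or user["userName"] in hr_active:
            continue  # already deactivated, or a legitimate current employee
        stale.append({
            "id": user["id"],
            "userName": user["userName"],
            "has_api_keys": api_keys.get(user["id"], 0) > 0,
            "patch": deactivate_patch(),
        })
    # Stale users holding API keys can still call OCI APIs: handle them first.
    return sorted(stale, key=lambda u: not u["has_api_keys"])


if __name__ == "__main__":
    for entry in find_stale_users(SCIM_USERS, HR_ACTIVE, API_KEYS_BY_USER):
        print(f"PATCH /Users/{entry['id']}  ({entry['userName']}, "
              f"api keys: {entry['has_api_keys']})")
        print(json.dumps(entry["patch"], indent=2))
```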
Managing users and groups via SCIM APIs is always my first choice, and here is why –
| | JIT | SCIM | Winner | Notes |
|---|---|---|---|---|
| When does this happen? | When a user tries to access an app protected with an Identity domain for the first time. The user profile is automatically created in the Identity domain. | Via an offline automated process. User lifecycle, groups and group memberships can be managed using SCIM APIs. | SCIM | The JIT flow adds a bit of latency, and any errors during JIT are visible to the end user, not just to your company’s administrators. Offline automation that integrates with SCIM is not visible to end users and adds no time to the spinning pinwheel during an end-user login flow. |
| Dependency on an external SAML or OIDC IDP | Yes | No | SCIM | JIT only works if you have an external IDP. If the IAM domain is your IDP, JIT cannot be used. |
| Does it support user and group lifecycle management? | No. With JIT you can only create a user during a login flow. | SCIM supports user, group and group-membership lifecycle management. | SCIM | |
| Schema extension | No specific standard. | The SCIM specification defines a minimum set of attributes for the user schema, but this schema can be extended. | SCIM | |
| Cost? | Customers need to set up other processes to delete or deactivate user accounts. Keeping stale identities is never a good idea. | Identity domains are licensed based on the number of users per month, and there are user limits to be aware of. SCIM helps remove inactive users in an automated fashion to keep cost under control. | SCIM | |
| Consumer use cases, or enterprise use cases where the users accessing the target system cannot be identified upfront | No alteration required in the SSO flow. Provides a seamless login experience. | Not useful. | JIT | |
Summary
For enterprise use cases where the users of an application are employees or partners, automated user provisioning and sync using SCIM APIs should be the first choice. Most identity provisioning systems used by enterprises are SCIM-compliant, so integrating them with OCI Identity domains is straightforward.
JIT may seem easier to configure initially but please do the right thing and choose the best option depending on your use case. JIT is good in some very specific use cases but remember that additional tooling is needed to clean up users/groups in the target systems eventually.
