Custom SCIM schemas: Where identity provisioning meets authorization
Blog post from WorkOS
SCIM (System for Cross-domain Identity Management) is the standard protocol enterprise SaaS products use to synchronize user data from identity providers such as Okta or Microsoft Entra into their own databases, so that provisioning, updating and deactivating users happens automatically rather than by hand. The core SCIM schema does not carry authorization context such as team membership or roles, which is why vendors add custom schema extensions: extra attributes, defined by the application, that map onto its own authorization model. Docker and Notion are cited as examples of products that use custom extensions to manage user roles and organizational structure.

Designing a custom SCIM extension involves minting a unique URN for the extension, defining the attributes it carries, and confirming that the identity providers you support can actually populate them. The extension still has to follow the base protocol defined by IETF RFC 7643 (core schema and resource types) and RFC 7644 (the HTTP protocol), including PATCH operations that add, replace or remove individual attributes, which is where most implementation bugs show up. Because the values arrive from an external system and feed directly into authorization decisions, the SCIM server should validate every extension attribute against its own model (for example, an allowlist of role names) before persisting it, rather than trusting the identity provider blindly. Alternatively, services such as WorkOS normalize data across identity providers so that companies do not have to operate a SCIM server themselves.
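The PATCH handling and validation described above, as an added example that is not part of the original post or any vendor's code. It assumes a hypothetical extension URN (`urn:example:params:scim:schemas:extension:acme:2.0:User`) with two authorization attributes, `role` and `teams`; the allowed role names, the core attribute allowlist and the sample user and patch are all constructed for illustration. The `apply_patch` function accepts both RFC 7644 path forms (a bare core attribute, or an attribute qualified by the extension URN) and the no-path form where the value is a partial resource keyed by schema URN, and it rejects unknown attributes and disallowed role values with SCIM-style error codes instead of persisting them.

```python
import copy

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Hypothetical extension URN (assumption); a real deployment mints its own.
ACME_EXT = "urn:example:params:scim:schemas:extension:acme:2.0:User"

# Server-side allowlists: IdP-supplied values never bypass these.
ALLOWED_ROLES = {"viewer", "editor", "admin"}
EXT_ATTRS = {"role", "teams"}  # role: string, teams: multi-valued strings
CORE_ATTRS = {"userName", "displayName", "name", "emails", "active"}


class ScimError(Exception):
    """Carries the HTTP status and RFC 7644 scimType for an error response."""

    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status, self.scim_type, self.detail = status, scim_type, detail


def split_path(path):
    """Map an RFC 7644 PATCH path to (schema URN, attribute name).

    'userName'          -> (CORE_USER, 'userName')
    ACME_EXT + ':role'  -> (ACME_EXT, 'role')
    """
    if path.startswith(ACME_EXT + ":"):
        return ACME_EXT, path[len(ACME_EXT) + 1:]
    if ":" in path:  # a URN-qualified path for a schema we do not serve
        raise ScimError(400, "invalidPath", f"unsupported path {path!r}")
    return CORE_USER, path


def validate_ext(attr, value):
    """Reject extension values that would violate the authorization model."""
    if attr not in EXT_ATTRS:
        raise ScimError(400, "invalidPath", f"unknown extension attribute {attr!r}")
    if attr == "role" and value not in ALLOWED_ROLES:
        raise ScimError(400, "invalidValue", f"role {value!r} is not allowed")
    if attr == "teams" and (
        not isinstance(value, list) or not all(isinstance(t, str) and t for t in value)
    ):
        raise ScimError(400, "invalidValue", "teams must be a list of non-empty strings")
    return value


def apply_patch(user, patch):
    """Apply a PatchOp to a user resource and return the updated copy."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ScimError(400, "invalidSyntax", "missing PatchOp schema")
    new = copy.deepcopy(user)
    for op in patch.get("Operations", []):
        kind = op.get("op", "").lower()
        if kind not in ("add", "replace", "remove"):
            raise ScimError(400, "invalidSyntax", f"bad op {kind!r}")
        if "path" in op:
            targets = [(split_path(op["path"]), op.get("value"))]
        else:
            # No path: value is a partial resource; extension attrs sit under their URN.
            value = op.get("value")
            if kind == "remove" or not isinstance(value, dict):
                raise ScimError(400, "noTarget", "operation needs a path or object value")
            targets = []
            for key, val in value.items():
                if key == ACME_EXT and isinstance(val, dict):
                    targets += [((ACME_EXT, a), v) for a, v in val.items()]
                else:
                    targets.append(((CORE_USER, key), val))
        for (schema, attr), value in targets:
            if schema == ACME_EXT:
                section = new.setdefault(ACME_EXT, {})
                if ACME_EXT not in new.setdefault("schemas", []):
                    new["schemas"].append(ACME_EXT)
                if kind == "remove":
                    section.pop(attr, None)
                    continue
                value = validate_ext(attr, value)
                if kind == "add" and attr == "teams":
                    # add on a multi-valued attribute appends new members.
                    current = section.get("teams", [])
                    section["teams"] = current + [t for t in value if t not in current]
                else:
                    section[attr] = value
            else:
                if attr not in CORE_ATTRS:
                    raise ScimError(400, "invalidPath", f"unknown core attribute {attr!r}")
                if kind == "remove":
                    new.pop(attr, None)
                else:
                    new[attr] = value
    return new


# Constructed sample input, not a captured IdP request.
SAMPLE_USER = {"schemas": [CORE_USER], "id": "u1",
               "userName": "alice@example.com", "active": True}
SAMPLE_PATCH = {"schemas": [PATCH_OP], "Operations": [
    {"op": "replace", "path": f"{ACME_EXT}:role", "value": "editor"},
    {"op": "add", "path": f"{ACME_EXT}:teams", "value": ["platform"]},
    {"op": "add", "value": {ACME_EXT: {"teams": ["security", "platform"]}}},
]}


def demo():
    return apply_patch(SAMPLE_USER, SAMPLE_PATCH)


if __name__ == "__main__":
    print(demo())
```

Note that `apply_patch` works on a deep copy and only returns it after every operation has validated, so a PATCH that mixes a legitimate change with a disallowed role leaves the stored user untouched rather than half-applied.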