How does SCIM Schema Discovery work?
Blog post from WorkOS
The System for Cross-domain Identity Management (SCIM) is an open standard designed to automate user provisioning between identity providers, such as Okta, Azure AD, and SailPoint, and service providers. It consists of a REST API and a JSON schema that represents users and groups; RFC 7643 defines the core schema and RFC 7644 defines the protocol operations. SCIM uses a layered discovery model with three endpoints to determine server capabilities: ServiceProviderConfig, ResourceTypes, and Schemas. These endpoints tell clients which operations are supported, which types of resources are managed, and which attributes each resource type has. Okta and Entra each take their own approach to using these endpoints, while SailPoint and other mature clients might already be familiar with the standard schemas. SCIM implementations can vary significantly across identity providers, often requiring custom integrations that are resource-intensive to maintain. WorkOS addresses this challenge by hosting SCIM servers and offering a unified API that supports various identity provider directories, allowing developers to focus on building their core products rather than managing SCIM integrations.
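The three discovery documents described above can be merged into one capability map, which also exposes a resource type that advertises a schema URN the Schemas endpoint never defines. This is an added example, not code from the WorkOS post: the sample documents are constructed and trimmed to a few RFC 7643 fields, and `discover` is a hypothetical helper name.

```python
import json

# Constructed sample discovery responses, trimmed to the fields used below.
SERVICE_PROVIDER_CONFIG = {
    "patch": {"supported": True}, "bulk": {"supported": False},
    "filter": {"supported": True, "maxResults": 200},
    "changePassword": {"supported": False}, "sort": {"supported": False},
    "etag": {"supported": False},
}
USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
RESOURCE_TYPES = {"Resources": [
    {"name": "User", "endpoint": "/Users", "schema": USER,
     "schemaExtensions": [{"schema": ENTERPRISE, "required": False}]},
    {"name": "Group", "endpoint": "/Groups", "schema": GROUP},
]}
SCHEMAS = {"Resources": [
    {"id": USER, "attributes": [
        {"name": "userName", "type": "string", "required": True},
        {"name": "emails", "type": "complex", "multiValued": True}]},
    {"id": GROUP, "attributes": [
        {"name": "displayName", "type": "string", "required": True}]},
    # ENTERPRISE is deliberately absent: advertised but never defined.
]}

def discover(spc, resource_types, schemas):
    """Merge the three discovery documents into one capability map."""
    features = ("patch", "bulk", "filter", "changePassword", "sort", "etag")
    operations = {f: bool(spc.get(f, {}).get("supported")) for f in features}
    by_id = {s["id"]: s for s in schemas.get("Resources", [])}
    resources, unresolved = {}, []
    for rt in resource_types.get("Resources", []):
        # Core schema first, then any extensions the resource type lists.
        urns = [rt["schema"]] + [e["schema"] for e in rt.get("schemaExtensions", [])]
        attrs = {}
        for urn in urns:
            if urn not in by_id:
                # The server named a schema it does not publish; flag it.
                unresolved.append((rt["name"], urn))
                continue
            attrs[urn] = sorted(a["name"] for a in by_id[urn]["attributes"])
        resources[rt["name"]] = {"endpoint": rt["endpoint"], "attributes": attrs}
    return {"operations": operations, "resources": resources, "unresolved": unresolved}

if __name__ == "__main__":
    print(json.dumps(discover(SERVICE_PROVIDER_CONFIG, RESOURCE_TYPES, SCHEMAS), indent=2))
```

A non-empty `unresolved` list means the client cannot validate those attributes against a published definition and should not assume their types or mutability.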