
Keycloak's experimental SCIM API: What's in it and what's still missing

Blog post from WorkOS

Author: Maria Paktiti
Word Count: 1,310
Language: English
Summary

Keycloak introduced an experimental SCIM Realm API in version 26.4, providing a way for Identity Providers (IdPs) to push users and groups into a Keycloak realm, but it comes with limitations and is not yet ready for full production use. The API supports basic SCIM 2.0 operations such as CRUD on users and groups, filtering, and pagination, but lacks support for features like bulk operations, custom attributes, and a SCIM-specific authorization model. Although the release is validated against Microsoft Entra, it lacks wider IdP compatibility, multi-tenancy, and organization support, which are essential for broader B2B use cases. The WorkOS Directory Sync service, in contrast, offers a more comprehensive SCIM solution that normalizes IdP variations and supports multi-tenancy, custom attributes, and a wider range of IdPs, making it suitable for production across diverse environments. Keycloak's API mainly serves teams using Keycloak as an identity store and is not suited for applications needing extensive IdP support or custom schema capabilities.