SSOReady concepts: SCIM Groups

Understanding SCIM Groups in SSOReady

A SCIM group is a group your customer’s identity provider provisioned in a SCIM directory. For guidance on how you should sync SCIM groups into your application, see “Syncing Groups” in the SCIM quickstart guide.

As noted in the SCIM quickstart: Unless you have a specific need for SCIM groups, you should defer implementing them. Most of the time, syncing a SCIM user attribute is a simpler solution.

SCIM groups are implemented inconsistently between different Identity Providers. Some popular Identity Providers like Okta make them awkward for your customers to use. You’re typically best off waiting for a customer to come to you with a specific use-case or requirement before implementing group syncing.

This document details how a SCIM groups appears in the SSOReady web application that you as a developer use. This UI is meant to see that the SCIM sync is working, and as a debugging aid. From your application, you can programmatically get a SCIM group by ID using the Get SCIM Group API endpoint.

Properties

A SCIM group, as displayed in the SSOReady web app.

SCIM Group ID

Every SCIM group has an ID starting with scim_group_..., for example:

scim_group_1b480vb5wd27avbqunvl1sa1s

SCIM group IDs are universally unique.

Display Name

Every SCIM group has a displayName, which is human-readable and assigned by your customer.

Deleted

When a SCIM provider deprovisions or deletes a SCIM group, they are not deleted from SSOReady entirely. Instead, they are marked with deleted set to true.

Deleted groups appear in the list of SCIM groups just like any other SCIM groups do. It is your responsibility to decide how to handle a deleted group. SSOReady’s recommendations on this are discussed in “Deprovisioning (deleting or soft-deleting) groups” in the SCIM quickstart guide.

As noted in the SCIM quickstart guide, deprovisioning groups is less important than deprovisioning users. Not all identity providers even support deprovisioning/deleting groups.

For that reason, SSOReady does not recommend you implement group deprovisioning unless you have a specific use-case.

Attributes

Identity providers may include arbitrary attributes on SCIM groups, and SSOReady will store these as the attributes on the groups.

No two identity providers include the same set of attributes. Many customers will configure their identity provider differently, and have different SCIM group attributes. Don’t expect consistency when relying on SCIM group attributes, but they are all there if you need them.

Though SCIM group attributes may be inconsistent, you can always rely on a SCIM group displayName being present.

Users

From the SSOReady app, you can see a list of users within each group. A group may have no users in it at all. A group may contain deprovisioned users.

From your application, you can get a list of users within an organization programmatically by calling the List SCIM Users endpoint with a groupId parameter.