An interactive walkthrough of how identity flows through your organization
01 / 06
Meet the Identity Providers
These providers are interchangeable — they all serve as your organization's Identity Provider (IdP):
Google
Cloud Identity
Microsoft
Entra ID
Others
Okta · JumpCloud · OneLogin
⇅ INTERCHANGEABLE VIA STANDARDS ⇅
Your Identity Provider
Google, Microsoft, Okta, or any IdP
Your IdP is the single source of truth. It stores and manages:
display name · email · department · groups · security policies · account status
It speaks these protocols to connected apps:
SAML 2.0 · OIDC · OAuth 2.0 · SCIM
02 / 06
Single Sign-On: one login, every app
Flow diagram: YOU → APP → IdP → TOKEN → ACCESS, shown for SAML 2.0 and for OIDC.
SAML 2.0
You click "Sign in via SSO" on an app (the Service Provider)
The app redirects your browser to your Identity Provider with a SAML AuthnRequest
You authenticate (or are already signed in via session cookie)
The IdP generates a signed XML SAML Assertion containing your identity attributes
Your browser POSTs the assertion back to the app's ACS (Assertion Consumer Service) endpoint
The app validates the signature, extracts your identity, and grants access
Format: XML · Since: 2005 · Best for: Enterprise SSO · Transport: Browser redirect
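The last step above, "the app validates the signature, extracts your identity, and grants access", hides several checks that a valid signature alone does not give you. The following is an added example, not code from this walkthrough or from any IdP vendor: an ACS-side validator that checks the assertion's Issuer, validity window, Audience, Recipient and InResponseTo against what the Service Provider expects, then pulls out the NameID and attributes. The sample Response, entity IDs, ACS URL and clock are constructed, and cryptographic verification of the ds:Signature is assumed to have been done first by an XML-DSig library (for example xmlsec, as used by python3-saml).

```python
"""Checks an ACS (Assertion Consumer Service) must run on a SAML Response once the
XML signature has been verified. Added example, not code from the walkthrough or
any vendor; the response, entity IDs, ACS URL and clock are constructed.
Cryptographic verification of ds:Signature is assumed to happen first in an
XML-DSig library (for example xmlsec, as used by python3-saml); this code checks
only that a signature element is present and that the assertion's bindings hold."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, *, idp_entity_id, sp_entity_id, acs_url, request_id, now):
    """Return (ok, problems); each check is one a valid signature alone does not give you."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return False, ["response carries no Assertion"]
    problems = []
    # 1. The Assertion itself must be signed, not only the outer Response.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    # 2. Issuer must be the IdP this SP was configured to trust.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("unexpected Issuer")
    # 3. Conditions: validity window and audience restriction.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("Audience does not name this SP")
    # 4. Bearer confirmation: right recipient, still fresh, answers the request we sent.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient is not this ACS URL")
        if now >= parse_time(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
        if scd.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match our AuthnRequest ID")
    return not problems, problems

def extract_identity(xml_text):
    """Step 6: NameID and attributes from an assertion that passed validate_response."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs

# Constructed sample of what the browser POSTs to the ACS (SignatureValue is a placeholder).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z" InResponseTo="_req123">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"
          NotOnOrAfter="2024-01-15T10:05:00Z" InResponseTo="_req123"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>engineering</saml:AttributeValue>
        <saml:AttributeValue>oncall</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

SP = dict(idp_entity_id="https://idp.example.com/saml", sp_entity_id="https://app.example.com",
          acs_url="https://app.example.com/saml/acs", request_id="_req123")
DEMO_NOW = datetime(2024, 1, 15, 10, 0, 30, tzinfo=timezone.utc)      # inside the window
REPLAY_NOW = datetime(2024, 1, 15, 10, 10, 0, tzinfo=timezone.utc)    # same assertion, minutes later

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, now=DEMO_NOW, **SP))
    print(extract_identity(SAMPLE_RESPONSE))
```

The same assertion presented again at REPLAY_NOW fails both the Conditions window and the bearer NotOnOrAfter, and one presented to a different SP, or answering a request ID the SP never issued, fails the Audience or InResponseTo check; these are the bindings that stop a captured assertion from being reused elsewhere.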
OIDC
You click "Sign in via SSO" on an app (the Relying Party)
The app redirects to your Identity Provider's authorization endpoint
You authenticate and consent to the requested scopes
The IdP returns an authorization code to the app's callback URL
The app exchanges the code for an ID Token (JWT) and Access Token server-to-server
The app reads your identity claims from the JWT and grants access
Format: JSON / JWT · Since: 2014 · Best for: Modern & mobile apps · Built on: OAuth 2.0
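The six OIDC steps above involve two parties exchanging messages, so the following added example (not code from this walkthrough or any IdP vendor) runs both sides in one process: a minimal IdP with an authorization endpoint and a token endpoint, and a Relying Party that starts a login with a nonce, exchanges the code server-to-server, and verifies the ID Token's signature, iss, aud, exp and nonce before trusting its claims. The issuer URL, client registration, user record and clock are constructed. The ID Token is signed with HS256 using the client secret, which OIDC Core permits for confidential clients; production IdPs normally use RS256 or ES256 with keys published at the JWKS endpoint, which changes only the sign and verify primitives.

```python
"""OIDC authorization-code flow with both sides in one process, mirroring steps
1-6 above. Added example, not code from the walkthrough or any vendor; the issuer
URL, client registration, user record and clock are constructed. HS256 with the
client secret is used so the example runs offline."""
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign_hs256(claims: dict, key: bytes) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_id_token(token: str, key: bytes, *, issuer: str, client_id: str, nonce: str, now: int) -> dict:
    """The RP-side ID Token checks from OIDC Core 3.1.3.7; raises ValueError on any failure."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "HS256":   # pin the algorithm we registered for; never trust the token's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued to this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: not the login this session started")
    return claims

class MiniIdP:
    """Identity Provider side: authorization endpoint plus token endpoint."""
    def __init__(self, issuer, clients, users):
        self.issuer, self.clients, self.users, self.codes = issuer, clients, users, {}

    def authorize(self, client_id, redirect_uri, nonce, user_id, now):
        # Steps 2-4: the user has authenticated; issue a short-lived, one-time code to the callback URL.
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "nonce": nonce, "sub": user_id, "exp": now + 60}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now):
        # Step 5: server-to-server exchange; the code is single-use and bound to client and redirect_uri.
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        grant = self.codes.pop(code, None)        # pop: a replayed code finds nothing
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or now > grant["exp"]):
            raise ValueError("invalid or expired code")
        user = self.users[grant["sub"]]
        claims = {"iss": self.issuer, "sub": grant["sub"], "aud": client_id, "iat": now,
                  "exp": now + 300, "nonce": grant["nonce"],
                  "email": user["email"], "groups": user["groups"]}
        return {"id_token": jwt_sign_hs256(claims, client["secret"].encode()),
                "access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def rp_login(idp, client_id, client_secret, redirect_uri, user_id, now):
    """Relying Party side: step 1 stores a fresh nonce in the session, step 6 returns verified claims."""
    nonce = secrets.token_urlsafe(16)
    code = idp.authorize(client_id, redirect_uri, nonce, user_id, now)   # arrives on the callback URL
    tokens = idp.token(client_id, client_secret, code, redirect_uri, now)
    return verify_id_token(tokens["id_token"], client_secret.encode(),
                           issuer=idp.issuer, client_id=client_id, nonce=nonce, now=now)

# Constructed registration data (hypothetical issuer, client and user).
ISSUER = "https://idp.example.com"
CLIENTS = {"app-123": {"secret": "constructed-client-secret",
                       "redirect_uris": ["https://app.example.com/callback"]}}
USERS = {"u-alice": {"email": "alice@example.com", "groups": ["engineering"]}}
NOW = 1_700_000_000

if __name__ == "__main__":
    print(rp_login(MiniIdP(ISSUER, CLIENTS, USERS), "app-123", "constructed-client-secret",
                   "https://app.example.com/callback", "u-alice", NOW))
```

Two design points carry over to real deployments: the code is consumed on first use and tied to the client and redirect URI it was issued for, and the RP verifies the token against values it already holds (its issuer configuration, its client ID, the nonce in its own session) rather than anything the token says about itself.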
03 / 06
Your connected world
Diagram: Your Identity Provider (Google, Microsoft, Okta, or any IdP) connected to each of the apps below, showing what identity data flows through.
How SCIM automates user lifecycle across each app:
Slack: Create · Update · Deactivate · Groups (Plan: Business+)
Salesforce: Create · Update · Deactivate · Profiles (Plan: Enterprise)
GitHub: Create · Update · Deactivate · Teams (Plan: Ent. Cloud)
Zoom: Create · Update · Deactivate · Groups (Plan: Business)
Jira: Create · Update · Deactivate · Groups (Plan: Guard)
AWS: Create · Update · Deactivate · Roles (Plan: IAM IdC)
Legend: Yellow (in the interactive view) = partial or non-standard · Plan = minimum plan required for SCIM
04 / 06
SCIM: the automation layer
Flow diagram: HR System → IdP → (SCIM 2.0) → All Apps
SCIM (System for Cross-domain Identity Management) is a REST API standard that automates user lifecycle management. Instead of manually creating and removing accounts, your IdP pushes changes automatically.
CREATE
New hire added to HR system. SCIM provisions accounts across all connected apps within minutes. No IT tickets needed.
UPDATE
Employee changes department or role. SCIM updates group memberships, permissions, and attributes across every app simultaneously.
DEACTIVATE
Employee departs. SCIM suspends or removes their accounts from all connected apps instantly. No orphaned access.
An employee's last day. Their access to company data across every connected app must be revoked. How does your organization handle it?
With automation
HR marks departure in system
IdP triggers SCIM deprovisioning
All app access revoked in minutes
Sessions terminated automatically
Audit trail generated
With SCIM-based automation, the entire offboarding process is triggered by a single action in your HR system. The IdP propagates the status change to every connected application via SCIM DELETE or PATCH requests. Active sessions are invalidated, OAuth tokens are revoked, and a complete audit trail is generated for compliance. Average time to full deprovisioning: under 15 minutes.
Without automation
IT creates ticket for each app
Manual login to each admin console
Some apps forgotten or delayed
Shared accounts overlooked
No centralized audit trail
Without automation, IT must manually disable accounts in each application individually. The average organization takes 7+ days to fully deprovision a departing employee. During that window, the former employee retains access to sensitive data, creating security risks. Shared credentials, API keys, and service accounts are frequently overlooked, leaving persistent access long after departure.
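The CREATE, UPDATE and DEACTIVATE events above, and the offboarding comparison, describe an IdP pushing SCIM requests to each app; the following added example (not code from this walkthrough or any vendor) models both ends of that so the lifecycle can be run end to end: an in-memory SCIM 2.0 Users resource as an app would expose it, an IdP-side provisioner that fans each event out to every connected app, an audit trail written for every request, and a reconciliation check that finds accounts still active in an app that the IdP no longer vouches for. The app names, users and groups are constructed; request bodies follow the RFC 7643/7644 shapes (schema URNs, PatchOp) but are passed as Python objects instead of over HTTP.

```python
"""SCIM 2.0 lifecycle (create, update, deactivate) for connected apps, plus the
reconciliation check that catches orphaned access. Added example, not code from
the walkthrough or any vendor; app names, users and groups are constructed."""
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimApp:
    """Service-provider side: what an app implements behind /scim/v2/Users."""
    def __init__(self, name):
        self.name, self.users, self.audit = name, {}, []

    def _log(self, action, user_id, detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "app": self.name,
                           "action": action, "id": user_id, "detail": detail})

    def create_user(self, body):                      # POST /Users
        if USER_SCHEMA not in body.get("schemas", []):
            raise ValueError("400: missing User schema")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            raise ValueError("409: userName already exists")
        user = {"id": str(uuid.uuid4()), "userName": body["userName"],
                "displayName": body.get("displayName", ""),
                "active": body.get("active", True), "groups": list(body.get("groups", []))}
        self.users[user["id"]] = user
        self._log("create", user["id"], user["userName"])
        return user

    def patch_user(self, user_id, body):              # PATCH /Users/{id}
        if body.get("schemas") != [PATCH_SCHEMA]:
            raise ValueError("400: body is not a PatchOp")
        user = self.users[user_id]
        for op in body["Operations"]:
            kind, path, value = op["op"].lower(), op.get("path"), op.get("value")
            if kind == "replace" and path in ("active", "displayName", "groups"):
                user[path] = value
            elif kind == "add" and path == "groups":
                user["groups"] = sorted(set(user["groups"]) | set(value))
            elif kind == "remove" and path == "groups":
                user["groups"] = [g for g in user["groups"] if g not in value]
            else:
                raise ValueError(f"400: unsupported operation {op}")
            self._log("patch", user_id, f"{kind} {path}={value}")
        return user

    def delete_user(self, user_id):                   # DELETE /Users/{id}
        user = self.users.pop(user_id)
        self._log("delete", user_id, user["userName"])

    def active_usernames(self):
        return {u["userName"] for u in self.users.values() if u["active"]}

class IdpProvisioner:
    """IdP side: pushes each lifecycle event to every connected app."""
    def __init__(self, apps):
        self.apps, self.ids = apps, {}          # (app name, userName) -> app-side id

    def onboard(self, user_name, display_name, groups):
        for app in self.apps:
            created = app.create_user({"schemas": [USER_SCHEMA], "userName": user_name,
                                       "displayName": display_name, "groups": groups, "active": True})
            self.ids[(app.name, user_name)] = created["id"]

    def update_groups(self, user_name, groups):
        self._patch(user_name, [{"op": "replace", "path": "groups", "value": groups}])

    def offboard(self, user_name, hard_delete=False):
        # Soft delete (active=false) keeps the record for audit; hard delete removes it.
        if hard_delete:
            for app in self.apps:
                app.delete_user(self.ids.pop((app.name, user_name)))
        else:
            self._patch(user_name, [{"op": "replace", "path": "active", "value": False}])

    def _patch(self, user_name, operations):
        for app in self.apps:
            app.patch_user(self.ids[(app.name, user_name)],
                           {"schemas": [PATCH_SCHEMA], "Operations": operations})

def find_orphans(idp_active, app):
    """Accounts active in the app that the IdP does not currently vouch for."""
    return app.active_usernames() - set(idp_active)

def demo():
    slack, github = ScimApp("Slack"), ScimApp("GitHub")
    idp = IdpProvisioner([slack, github])
    idp.onboard("alice@example.com", "Alice", ["engineering"])          # CREATE
    idp.update_groups("alice@example.com", ["engineering", "oncall"])   # UPDATE
    # A local admin created this account by hand, outside SCIM (constructed orphan).
    github.create_user({"schemas": [USER_SCHEMA], "userName": "contractor@example.com"})
    idp.offboard("alice@example.com")                                   # DEACTIVATE
    idp_roster = ["bob@example.com"]          # constructed: the IdP's active users after Alice leaves
    return slack, github, find_orphans(idp_roster, github)

if __name__ == "__main__":
    slack, github, orphans = demo()
    print("orphaned in GitHub:", orphans)
    for entry in github.audit:
        print(entry)
```

The reconciliation pass is the piece that the "shared accounts overlooked" failure mode calls for: SCIM only reaches accounts the IdP created, so anything provisioned by hand in an app's admin console is invisible to deprovisioning until something compares the app's active user list against the IdP's roster.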
The individual perspective: You authenticate once and access everything. The admin perspective: Every connected app is another account to manage, another access point to secure, and another system to deprovision when someone leaves. Identity lifecycle management is the bridge between convenience and security.
Google vs Microsoft: SCIM provisioning capabilities
Google Workspace
Outbound SCIM: Auto-provisioning limited to ~30 Google Workspace Marketplace apps. No native SCIM client for arbitrary endpoints.
Custom Apps: Requires Cloud Identity Premium ($7.20/user/mo) or a third-party IdP like Okta for SCIM to non-Marketplace apps.
Group Sync: Managed via Google Groups API, separate from SCIM user provisioning. Limited cross-app group mapping.
Attribute Mapping: Minimal customization. Fixed attribute set per auto-provisioned app.
Deprovisioning: Suspends Google account. App-level deprovisioning depends on each integration's implementation.
Best For: Google-ecosystem orgs, startups primarily using Marketplace-integrated apps.
Microsoft Entra ID
Outbound SCIM: Built-in SCIM 2.0 client provisioning to 100+ gallery apps and any custom SCIM endpoint.
Custom Apps: Full support for non-gallery apps via custom SCIM connector. No additional licensing for provisioning.
Group Sync: Scope-based provisioning — assign specific Entra ID groups to each app. Supports group-to-role mapping.
Attribute Mapping: Rich expression language with transformations, functions, and conditional logic per app.
Deprovisioning: Supports soft-delete (PATCH active=false) and hard-delete. Quarantine mode pauses on high error rates.
Best For: Diverse SaaS environments, enterprises needing fine-grained provisioning control and audit trails.
06 / 06
Your identity architecture
Architecture diagram: Identity Providers (Google Cloud Identity, Microsoft Entra ID, or others such as Okta · JumpCloud) → protocols (SAML 2.0 · OIDC · SCIM) → connected apps (Slack · Salesforce · GitHub · Zoom · Jira · AWS)
One source of truth
Your IdP centralizes identity. Every app trusts it for authentication, so you never manage separate passwords.
Protocols matter
SAML and OIDC both achieve SSO but differ in format and era. Understanding both helps you evaluate vendor support.
Automation is essential
SCIM turns manual IT work into automated workflows. Provisioning, updates, and offboarding happen in minutes, not days.
Offboarding is security
Every unrevoked account is a risk. Automated deprovisioning closes the gap between departure and access removal.