By Cassa Niedringhaus Posted February 8, 2020
Web application provisioning has changed dramatically in the last two decades, and new protocols have cropped up to help IT admins better manage enterprise app access. In the modern enterprise, streamlining these processes helps time-strapped IT admins onboard users more quickly. First we’ll cover app provisioning as it was historically, and then we’ll compare two protocols that are newer to the scene: Just-in-Time (JIT) and System for Cross-domain Identity Management (SCIM) provisioning.
History of Web Application Provisioning
Software-as-a Service (SaaS) applications (think: Salesforce®) sent shockwaves through the IT industry in the 1990s. They changed the way software was delivered to companies and challenged the traditional Active Directory® domain because AD didn’t extend natively to them.
These apps required manual access management because AD was built for on-prem domains — not cloud services. Eventually, a new protocol, SAML (Security Assertion Markup Language), and various third-party vendors emerged to federate AD identities to these apps.
As the use of SaaS apps has continued to increase since then, admins now search for solutions that not only allow them to use authoritative identities in these apps but that also allow them to streamline the process of account management. Several protocols exist to make the process of user lifecycle management in web apps easier — though they differ in key ways.
One such protocol is Just-in-Time provisioning, which extends the SAML protocol to pass user attributes from the central identity provider to apps like Salesforce.
From the central directory, an IT admin can create new users and authorize their app access — rather than creating a new user in the central directory, authorizing their app access, and then creating a corresponding account for that user in the app(s).
Instead, users trigger the creation of those accounts automatically the first time they log in to an app. Before JIT, this kind of automation was not possible, and each account required manual creation by an IT admin or manager. SCIM provisioning, by comparison, takes automation to the next level.