4

I want my application to be able to use an external user pool from my customers Azure AD, instead of them having to maually create every user in my application, when they already have them in Azure AD.

Initially, I though of using only OIDC for this as I can just create the user in my application upon the first login. But OIDC does not allow me to logout and deactivate the user in my application when they are deleted in Azure AD. This is an important requirement for my application.

To solve this, I think I could combine OIDC and SCIM:

  1. Azure AD provisions the users to my application through SCIM endpoints. When deactivated, Azure notifies my application through the SCIM endpoints and I can delete their session and deactivate them in my application.
  2. Login is handled with OIDC. When I have a valid OIDC token I create a session in my app. This way I don't have to manage passwords or multi factor authentication in my app.

Does it make sense to use SCIM and OIDC together?

ZachB
  • 13,051
  • 4
  • 61
  • 89
Axel
  • 71
  • 3
  • 7

1 Answers1

4

Yes, it makes sense to use SCIM and OIDC together in the way that you describe.

It also has other advantages to "pre-provision" with SCIM: for example, when users want to address accounts other users that have not logged in yet. Adding such a user to a group would not work with "just-in-time account provisioning" since the account would not exist (yet).

Hans Z.
  • 50,496
  • 12
  • 102
  • 115