How-to Playbook

How to set up SSO and SCIM

SSO controls how people log in; SCIM controls who exists. Together they close the gap where former employees keep access nobody remembered to revoke.

Talk to usFree to start - no card required.

What SSO and SCIM each do

Single sign-on (SSO) lets employees authenticate to many apps through one identity provider, so access decisions and multi-factor policies live in one place. SCIM (System for Cross-domain Identity Management) automates the provisioning and deprovisioning of accounts, so when someone joins or leaves, their access is created or removed everywhere automatically rather than app by app.

Why they belong together

EventSSO handlesSCIM handles
New hireLogin via the identity providerCreating accounts in downstream apps
Role changeContinued authenticationUpdating group and access assignments
DepartureBlocking loginDeprovisioning the accounts entirely
SSO and SCIM in combination

The rollout steps

  1. 1Choose an identity provider as the single source of truth for identities.
  2. 2Connect apps to SSO so authentication routes through the identity provider.
  3. 3Enable SCIM where supported to sync account creation, updates, and removal.
  4. 4Map groups to roles so access follows the principle of least privilege.
  5. 5Test the joiner, mover, and leaver flows end to end before relying on them.
  6. 6Feed the provisioning record into your access reviews as evidence.

How this supports compliance

  • Access reviews use provisioning data to confirm who has access to what and why.
  • Automated deprovisioning is exactly the control auditors test under SOC 2 and ISO 27001.
  • The identity and access trail feeds continuous control monitoring rather than a manual export.
  • Least-privilege group mappings are documented, so access decisions are defensible.

Frequently asked questions

What is the difference between SSO and SCIM?

SSO controls authentication - how users log in - through one identity provider. SCIM controls provisioning - whether an account exists at all - by automatically creating, updating, and removing accounts across apps. SSO manages login; SCIM manages lifecycle. You generally want both, because each closes a gap the other cannot.

Why do I need SCIM if I already have SSO?

Because SSO alone leaves standing accounts in place. A departed employee blocked from login may still have accounts that exist in downstream apps, which is a common audit finding. SCIM deprovisions those accounts automatically, so access is truly removed rather than just login being blocked.

How do SSO and SCIM help with SOC 2 or ISO 27001?

Automated provisioning and deprovisioning are core access controls that auditors test directly. When joiner, mover, and leaver flows run through SSO and SCIM, you can produce evidence that access is granted on least privilege and removed promptly, which is exactly what SOC 2 and ISO 27001 access controls require.

What is a joiner-mover-leaver process?

It is the lifecycle of access: creating accounts when someone joins, updating them when they change roles, and removing them when they leave. SSO and SCIM automate this so access changes flow from the identity provider, rather than depending on someone remembering to update each app manually.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

Turn provisioning into audit evidence

Fintra and SentriAI use access data as continuous control evidence. Free to start, no card required.

Talk to us