SCIM and user provisioning

SCIM (System for Cross-domain Identity Management) is the standard for automatically creating, updating, and deactivating user accounts across systems. In B2B CIAM it is the feature that turns “manual onboarding” into “it just works.”

The problem SCIM solves

When you sell to a 5,000-person company, you do not want their IT admin creating 5,000 accounts by hand, and you definitely do not want a former employee keeping access after they leave. SCIM lets the customer’s identity provider push account changes to your app: new hire gets an account, role change updates permissions, departure deactivates access. This is the deprovisioning side that security reviews care about most.

SCIM and SSO travel together

Enterprise SSO handles authentication (who is logging in). SCIM handles the lifecycle (which accounts exist and what they can do). Enterprise buyers usually demand both. SSO without SCIM means accounts linger after offboarding, which fails audits.

What to check with a CIAM vendor

  • SCIM 2.0 support as the provisioning target for your B2B customers.
  • Which providers are tested end to end (Okta, Entra, Google Workspace).
  • Group and role mapping from the customer directory into your permission model.
  • Deprovisioning behavior: is access removed immediately on a SCIM deactivate?
  • Pricing tier: like SSO, SCIM is frequently gated to enterprise plans. See the pricing guide.
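The deprovisioning question in the list above, as an added example (not from the original page or from any vendor's code): a minimal in-memory handler for a SCIM 2.0 PatchOp that revokes a user's sessions in the same request that sets `active` to false. The `Store` class, the function names and the two payload shapes it accepts are assumptions made for illustration.

```python
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class Store:
    """Hypothetical in-memory app state: user records and live sessions."""
    def __init__(self):
        self.users = {}     # user id -> {"userName": str, "active": bool}
        self.sessions = {}  # session token -> user id

def as_bool(value):
    # Some clients send the boolean as a string, so accept both forms.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError("active must be a boolean")

def requested_active(body):
    """Return the 'active' value a PatchOp sets, or None if it leaves it alone."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = None
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        path, value = op.get("path"), op.get("value")
        if isinstance(path, str) and path.lower() == "active":
            result = as_bool(value)             # {"path": "active", "value": false}
        elif path is None and isinstance(value, dict):
            for key, val in value.items():      # {"value": {"active": false}}
                if key.lower() == "active":
                    result = as_bool(val)
    return result

def patch_user(store, user_id, body):
    """Apply PATCH /Users/{id}; a deactivate kills sessions in the same call."""
    user = store.users[user_id]
    active = requested_active(body)
    if active is not None:
        user["active"] = active
        if not active:
            for token in [t for t, uid in store.sessions.items() if uid == user_id]:
                del store.sessions[token]
    return user

def is_authorized(store, token):
    # Check the account flag too, so a missed revocation still fails closed.
    user_id = store.sessions.get(token)
    return user_id is not None and store.users[user_id]["active"]
```

The same test applies in a vendor demo: deactivate a test user in the identity provider and confirm that an already-open session is rejected on its next request.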

Buyer takeaway

If you sell B2B and your roadmap includes enterprise, treat SCIM as a requirement, not a nice-to-have. Filter for it in the vendor matcher, and confirm deprovisioning works in the demo rather than taking it on faith.