TL;DR: Keycloak’s experimental SCIM Realm API covers core user and group CRUD, filtering, pagination, and Entra validation, but it still lacks bulk operations, sorting, custom attributes, multi-tenant design, and a SCIM-specific authorization model, according to WorkOS. The gap between spec compliance and production-grade directory sync remains the real risk for enterprise IAM teams.
At a glance
What this is: Keycloak’s experimental SCIM Realm API adds baseline user and group lifecycle support, but the release still leaves major production gaps around multi-tenancy, custom attributes, sorting, bulk sync, and scoped authorization.
Why it matters: IAM and NHI teams need to treat SCIM as an operational integration problem, not just a spec checkbox, because provisioning reliability, tenant isolation, and entitlement scope all shape governance outcomes.
Context
SCIM is the provisioning layer that lets an identity provider push users, groups, and lifecycle changes into an application. In practice, the hard part is not the protocol itself but how differently major identity providers implement it, which creates drift in attributes, filtering, PATCH behaviour, and sync order.
For IAM teams, that means a SCIM endpoint is only useful when it behaves predictably across real-world directory sources and tenant boundaries. Keycloak’s experimental SCIM Realm API addresses the basic shape of the problem, but the production question remains whether it can support enterprise directory sync without forcing operators to absorb the remaining integration risk.
Key questions
Q: What breaks when SCIM only supports the basics but not production sync behaviour?
A: Basic SCIM support often breaks when real IdPs send custom attributes, rely on sorting, or expect consistent PATCH handling. The result is not just a missing feature. It is incomplete lifecycle propagation, weaker auditability, and manual compensating controls that make provisioning harder to trust in enterprise environments.
Q: Why do directory sync integrations fail even when the SCIM spec is supported?
A: They fail because the spec does not remove implementation variance across Okta, Entra, JumpCloud, and other IdPs. Differences in attribute casing, filter behaviour, and bulk handling create a gap between nominal compliance and reliable production operation.
Q: How do organisations know whether a SCIM integration is actually ready for production?
A: They know it is ready when it preserves required attributes, isolates tenant data cleanly, handles the IdPs they actually use, and avoids broad admin-level connector permissions. If any of those are unresolved, the integration is still a pilot, not a governable production control.
Q: Should security teams prefer tenant-scoped sync over per-realm provisioning models?
A: Yes, when the application serves multiple customers and needs clear lifecycle boundaries. Tenant-scoped sync narrows the blast radius of connector credentials, aligns provisioning with customer ownership, and avoids turning an identity administration structure into a multi-tenant governance risk.
Technical breakdown
SCIM 2.0 service provider basics in Keycloak
Keycloak’s SCIM Realm API exposes a realm as a SCIM 2.0 service provider through standard discovery endpoints, user and group CRUD, filtering, pagination, and core schema support. That is enough for basic lifecycle exchange, but not enough to make provisioning predictable across all identity providers. The important technical detail is that SCIM support depends on more than resource endpoints. It also depends on how the server handles schema translation, request ordering, and the edge cases created by different IdP implementations.
Practical implication: validate the exact IdP and schema path before relying on a new SCIM endpoint in production.
Why custom attributes and sorting matter in directory sync
Production directory sync rarely stops at core user fields. Enterprises often need attributes such as department, cost center, or tenant-specific metadata to drive downstream access rules and audit trails. Keycloak’s initial SCIM release does not support custom schemas or custom attributes, and it does not implement sorting. That means the integration can accept the basics but still fail the data-contract requirements that many B2B applications depend on for access governance and reporting.
Practical implication: confirm whether your access model depends on non-standard attributes before treating SCIM as complete.
Authorization model and tenant isolation are the real control plane
A SCIM endpoint is also an authorization boundary. Keycloak reuses Admin API roles such as manage-users and view-realm, which broadens the scope beyond SCIM-specific actions. It also operates per realm, not per customer organization, so multi-tenant SaaS patterns require extra structural work. By contrast, a production directory sync model needs scoped tokens, per-tenant isolation, and a permission boundary that limits the blast radius of any compromised connector credential.
Practical implication: review whether your SCIM permissions are tenant-scoped or merely admin-scoped before going live.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities, including AI Agents.
NHI Mgmt Group analysis
SCIM is a governance control, not a protocol checkbox. The real measure of directory sync is whether identity events arrive with the right scope, attributes, and tenant context intact. A system can be SCIM-compliant in a narrow sense and still fail the operational requirement that IAM teams actually care about: controlled lifecycle propagation into downstream applications. Practitioners should evaluate provisioning as an access governance pipeline, not an API feature.
Experimental SCIM exposes a production-readiness gap, not just a missing feature list. Bulk operations, sorting, custom attributes, and a dedicated permission model are not cosmetic additions. They are the pieces that make lifecycle sync resilient under enterprise conditions. When those parts are absent, operators inherit the burden of compensating for IdP variance, schema drift, and tenant separation manually.
Directory sync only works when the entitlement model is narrower than the admin model. Reusing broad admin roles for SCIM access collapses the distinction between provisioning and full administrative control. That is a governance problem, not merely an implementation shortcut. NIST CSF access governance and OWASP-NHI principles both point to the same conclusion: the connector boundary must be explicitly constrained, or the provisioning channel becomes an overpowered control surface.
Multi-tenant SCIM design is now a baseline enterprise expectation. B2B applications do not scale by mapping each customer to a separate realm unless that is the explicit product model. The market is moving toward tenant-native directory sync, scoped bearer tokens, and normalized event streams because those patterns reduce integration variance. Teams should treat per-realm-only design as a structural limitation when planning enterprise onboarding.
Normalized directory events: the hidden requirement behind successful provisioning. The operational win is not SCIM support by itself. It is a stable event model that absorbs IdP quirks without exposing application teams to every variation in PATCH semantics, attribute casing, and sync order. Practitioners should regard normalization as part of identity governance, because it is what turns directory changes into reliable access decisions.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- That gap matters here because directory sync failures often start as governance drift, so the next step is to align provisioning controls with the Ultimate Guide to NHIs, The NHI Market, and tenant-scoped identity design.
What this signals
Tenant-native directory sync is becoming the baseline expectation for enterprise IAM programmes. Teams that treat per-realm provisioning as sufficient will struggle once customer isolation, attribute fidelity, and admin scoping are tested together. The governance signal is clear: lifecycle automation only reduces risk when the boundary of the connector matches the boundary of the tenant.
SCIM readiness now depends on data contract discipline, not just endpoint availability. If an application cannot preserve custom attributes, stable ordering, and consistent event handling, identity governance shifts back to manual reconciliation. That is the point where provisioning stops being a control and becomes an integration liability.
The broader market pattern is that directory sync is converging with identity architecture decisions about scope, normalization, and blast radius. Teams should expect more scrutiny of connector permissions and tenant isolation, especially where provisioning touches privileged or workload identities.
For practitioners
- Validate IdP behaviour before rollout: Test the endpoint against the exact directories you support, including Entra, Okta, and any customer-specific IdP, because SCIM behaviour differs in PATCH, filtering, and attribute handling.
- Map required attributes before enabling sync: Confirm whether downstream access rules depend on custom fields such as department, costCenter, or tenant metadata, and block production use until those attributes are preserved end to end.
- Separate provisioning scope from admin scope: Check whether the connector uses broad admin roles or a dedicated SCIM permission model, then reduce the blast radius with tenant-scoped tokens and least-privilege access.
- Design for tenant-native isolation: Avoid assuming that per-realm deployment equals tenant isolation. If each customer needs separate lifecycle boundaries, verify that the SCIM architecture supports per-organization separation rather than shared admin paths.
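The first two steps above (validating what the endpoint actually advertises and mapping the attributes your access rules need) can be checked against the two discovery documents every SCIM 2.0 service provider publishes, `/ServiceProviderConfig` and `/Schemas` (RFC 7643). This added example is not Keycloak's or WorkOS's code: the two JSON documents are constructed samples modelled on a minimal provider, and the `REQUIRED` list is a hypothetical application's data contract.

```python
import json
# Constructed sample ServiceProviderConfig (RFC 7643 section 5): CRUD, filter and
# PATCH are advertised, bulk and sort are not, mirroring the gaps discussed above.
SERVICE_PROVIDER_CONFIG = json.loads("""{
  "patch":  {"supported": true},
  "bulk":   {"supported": false, "maxOperations": 0, "maxPayloadSize": 0},
  "filter": {"supported": true, "maxResults": 200},
  "sort":   {"supported": false}
}""")
# Constructed sample /Schemas response: only the core User schema is published,
# so enterprise-extension attributes such as department have nowhere to land.
SCHEMAS = json.loads("""{"Resources": [{
  "id": "urn:ietf:params:scim:schemas:core:2.0:User",
  "attributes": [
    {"name": "userName", "type": "string"},
    {"name": "emails", "type": "complex", "multiValued": true,
     "subAttributes": [{"name": "value", "type": "string"}]}
  ]}]}""")
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Attributes a hypothetical application's access rules depend on end to end.
REQUIRED = ["userName", "emails.value",
            ENTERPRISE_USER + ":department", ENTERPRISE_USER + ":costCenter"]

def capability_gaps(config):
    """RFC 7643 capabilities the provider reports as unsupported, in check order."""
    return [n for n in ("patch", "bulk", "filter", "sort")
            if not config.get(n, {}).get("supported", False)]

def published_attributes(schemas):
    """Flatten /Schemas into 'schemaUrn:attr' and 'schemaUrn:attr.sub' paths."""
    paths = set()
    for schema in schemas.get("Resources", []):
        for attr in schema.get("attributes", []):
            paths.add(f"{schema['id']}:{attr['name']}")
            for sub in attr.get("subAttributes", []):
                paths.add(f"{schema['id']}:{attr['name']}.{sub['name']}")
    return paths

def missing_attributes(schemas, required):
    """Required paths the provider cannot store; bare names mean the core User schema."""
    published = published_attributes(schemas)
    return [r for r in required
            if (r if r.startswith("urn:") else f"{CORE_USER}:{r}") not in published]

def readiness_report(config, schemas, required):
    """Hold rollout while any capability gap or unstorable required attribute remains."""
    gaps, missing = capability_gaps(config), missing_attributes(schemas, required)
    return {"capability_gaps": gaps, "missing_attributes": missing,
            "ready": not gaps and not missing}
```

Against a live provider, replace the two constants with the parsed bodies of `GET /ServiceProviderConfig` and `GET /Schemas`; a non-empty `missing_attributes` list is the schema drift the page describes, surfaced before the first sync rather than after.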
Key takeaways
- Keycloak’s experimental SCIM release is useful for narrow provisioning use cases, but it is not yet a full production-grade directory sync control.
- The biggest gap is governance scope, because custom attributes, tenant isolation, and scoped permissions determine whether provisioning can be trusted at scale.
- IAM teams should test SCIM against real IdP behaviour, not just the standard, before treating lifecycle automation as operationally complete.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Directory sync exposes NHI lifecycle and connector scope risks. |
| NIST CSF 2.0 | PR.AC-4 | Provisioning permissions must stay least-privilege and tenant-specific. |
| NIST Zero Trust (SP 800-207) | SC-2 | Tenant isolation and scoped bearer tokens align with zero-trust boundaries. |
Treat each directory connection as a distinct trust boundary with explicit authorization checks.
Key terms
- SCIM: System for Cross-domain Identity Management is the standard used to exchange user and group lifecycle data between an identity provider and an application. In production, the protocol only solves part of the problem. The harder issue is whether the implementation preserves attributes, order, and tenant scope consistently across real directory sources.
- Directory Sync: Directory sync is the operational process of moving identity changes from a source directory into downstream applications. The important distinction is that sync must preserve both data quality and governance scope, otherwise the application receives incomplete or mis-scoped lifecycle events that create access drift.
- Tenant Isolation: Tenant isolation is the separation of one customer’s identity data, credentials, and provisioning actions from another’s. In SCIM integrations, it is a governance property as much as an architecture property because a shared connector or broad admin role can turn provisioning into a cross-customer blast radius.
- Schema Drift: Schema drift is the mismatch between the attributes an IdP sends and the fields an application can store or interpret. It often appears as missing custom fields, inconsistent group data, or varying attribute names, and it undermines the reliability of lifecycle automation even when the core protocol works.
Deepen your knowledge
SCIM lifecycle integration and tenant-scoped provisioning are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are designing directory sync for enterprise onboarding, the course is a useful fit.
This post draws on content published by WorkOS: Keycloak's experimental SCIM API and what is still missing. Read the original.
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org