By NHI Mgmt Group Editorial TeamPublished 2025-10-08Domain: Governance & RiskSource: PassBolt

TL;DR: Near real-time user provisioning and deprovisioning through Microsoft Entra ID and Okta can automate manual account handling and reduce sync gaps in larger environments, according to PassBolt. The governance issue is lifecycle accuracy: access review and offboarding processes only work when directory changes reach the target system quickly and consistently.


At a glance

What this is: Passbolt’s SCIM update shows how automated directory sync can tighten user provisioning, offboarding, and account state accuracy across connected systems.

Why it matters: It matters because IAM teams need provisioning paths that keep identity state aligned across directories, password vaults, and downstream applications without relying on manual cleanup.

By the numbers:

👉 Read Passbolt's article on SCIM provisioning for user lifecycle management


Context

SCIM is an identity provisioning standard that lets a source system, usually an identity provider, create, update, or remove accounts in a target application through API calls. In practical terms, it reduces the delay between a directory change and the corresponding access change, which is exactly where many user lifecycle gaps appear in IAM programmes.

For teams managing user lifecycle access at scale, the issue is not whether identities can be created manually. The real problem is whether onboarding and offboarding stay accurate when turnover is high, directories are fragmented, and account state needs to follow the authoritative source without drift.


Key questions

Q: How should security teams use SCIM in user lifecycle management?

A: Security teams should use SCIM to automate the movement of account state between an authoritative identity provider and downstream applications, then verify that the target system actually reflects those changes. SCIM reduces manual errors, but it does not replace access policy, approval logic, or periodic review of who should have access in the first place.

Q: Why do user provisioning gaps matter even when directories are synced?

A: Provisioning gaps matter because directory synchronisation only helps if the target system processes the change fast enough to remove outdated access. If onboarding and offboarding lag behind the source directory, orphaned accounts, stale entitlements, and audit exceptions can persist even though the identity provider is technically up to date.

Q: What breaks when SCIM is used as a substitute for access governance?

A: What breaks is the distinction between account movement and access decision-making. SCIM can create, update, or remove identities, but it cannot determine role fit, privileged access need, or whether a given user should belong to a sensitive group. Without separate governance, automation can accelerate the wrong state just as efficiently as the right one.

Q: How do teams handle group automation in systems that use encryption keys?

A: Teams should treat group automation in encrypted systems as a security design question, not a directory mapping exercise. If group membership changes who can decrypt or re-encrypt data, the workflow may need additional controls, approvals, or exceptions because the access effect is cryptographic, not just administrative.


Technical breakdown

How SCIM provisioning works between an IdP and Passbolt

SCIM, or System for Cross-domain Identity Management, uses a standard schema and API endpoints so an identity provider can manage accounts in another system. The IdP sends create, update, and delete actions to endpoints such as /Users and /Groups, and the target application applies those changes to its own identity store. This reduces custom integration logic and makes lifecycle actions more repeatable. In Passbolt’s case, the SCIM plugin is designed to keep user records aligned with the directory source of truth while preserving the application’s own security model.

Practical implication: treat SCIM as a lifecycle synchronisation mechanism, not as a substitute for access governance.

Why SCIM improves onboarding and offboarding accuracy

Manual provisioning and LDAP sync often leave a gap between directory change and effective access change. SCIM narrows that gap by letting the authoritative IdP trigger user creation, disablement, or deletion as soon as the source record changes. That matters most where turnover is high or where stale access creates audit and security exposure. The architectural point is simple: the closer the target system stays to the source directory, the less opportunity there is for orphaned accounts and delayed revocation.

Practical implication: measure how long it takes for identity changes in the IdP to become effective in the application.

Why group sync is harder than user sync in a secrets vault

User provisioning is straightforward because the system is updating a person’s account state. Group synchronisation is different in a vault or encrypted collaboration tool, because group membership can imply sharing secrets or changing cryptographic access paths. Passbolt notes that its security model relies on the user’s ability to decrypt and re-encrypt secrets with their private key, which means the server and provisioning provider cannot simply manage access as a normal directory attribute. This is a common pattern in identity systems where authorization is tied to cryptographic control rather than simple group assignment.

Practical implication: do not assume group lifecycle can be automated the same way as account lifecycle in encrypted systems.



NHI Mgmt Group analysis

SCIM is a lifecycle control, not an identity governance strategy. The standard solves the mechanical problem of synchronising account state between a directory and a target application. It does not decide who should have access, how access should be reviewed, or which entitlements are appropriate for a given role. IAM teams should treat SCIM as the transport layer for lifecycle events, not the policy layer that governs them.

Delayed deprovisioning remains the real failure mode in user lifecycle management. Organisations often manage access as if removal happens when someone leaves the directory, but the security outcome depends on when the downstream system receives and applies that change. That timing gap is where orphaned access, audit exceptions, and unnecessary exposure persist. The practical conclusion is that lifecycle latency should be monitored as a control outcome, not assumed away.

Cryptographic access models change what automation can safely touch. Passbolt’s refusal to treat group sync like ordinary directory replication reflects a broader governance pattern: when access is bound to encryption keys or secret-sharing semantics, identity automation has to respect cryptographic boundaries. That is why lifecycle controls must be designed around the system’s trust model, not just the directory schema.

When turnover is high, identity drift becomes a governance problem before it becomes a technical one. High-churn environments expose the weakness of manual account handling fastest, but the real issue is programme design. If the authoritative source, downstream sync, and deprovisioning verification are not aligned, then lifecycle policy cannot prove itself operationally. Practitioners should see SCIM as one piece of lifecycle assurance, not the whole answer.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • For a broader control lens, NIST Cybersecurity Framework 2.0 helps teams connect identity lifecycle events to govern, protect, detect, respond, and recover functions.

What this signals

Lifecycle automation is becoming a baseline expectation for identity programmes. As organisations scale faster than manual administration can keep up, SCIM-style provisioning will increasingly define whether account state stays trustworthy enough for audit and access review. Teams that still depend on ad hoc joins and leavers handling will find that delay, not policy intent, is what undermines control effectiveness.

Account lifecycle and entitlement lifecycle are not the same problem. SCIM can improve identity state accuracy, but privileged access, group design, and exception handling still need separate governance. That distinction matters because many programmes will misread automation coverage as governance maturity if they do not measure what SCIM does not touch.

Access verification must move closer to the control point. If the source of truth is an IdP and the target system enforces sensitive access rules, the operating model should include verification that the downstream state changed as expected. In practice, that means pairing provisioning automation with control testing and a current view of high-risk accounts through resources such as the Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs.


For practitioners

  • Map the authoritative source for every lifecycle action Define which system is allowed to create, update, disable, or delete each account type, then document where SCIM is the source of execution and where human approval still applies.
  • Test deprovisioning as a control outcome Run removal scenarios and verify that the downstream application reflects the directory change quickly enough to prevent stale access from surviving a normal offboarding event.
  • Separate user sync from entitlement design Use SCIM to move account state, but keep entitlement decisions, privileged access, and group membership rules under explicit governance so automation does not become policy by default.
  • Validate encrypted-system exceptions before enabling group automation Where secrets or keys are involved, confirm whether group membership implies cryptographic access changes and require a dedicated design review before turning on group sync.

Key takeaways

  • SCIM improves lifecycle speed, but it does not replace access policy or entitlement governance.
  • The main security value is reducing stale access after directory changes, especially in high-turnover environments.
  • Encrypted systems need special handling because group membership can alter cryptographic access, not just administrative membership.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03SCIM affects how quickly identity state is updated and revoked across systems.
NIST CSF 2.0PR.AC-4Least-privilege and access revocation depend on accurate account state propagation.
NIST Zero Trust (SP 800-207)AC-4Zero Trust requires timely, authoritative access changes rather than stale synchronisation.

Treat SCIM as part of continuous access enforcement and validate revocation at the application layer.


Key terms

  • SCIM: System for Cross-domain Identity Management is an open standard for synchronising identity data between an authoritative source and a target application. It uses common schemas and API endpoints so accounts can be created, updated, or removed consistently across systems without bespoke integration logic.
  • Lifecycle Synchronisation: Lifecycle synchronisation is the process of keeping account state aligned between the source of truth and downstream systems. In practice, it reduces orphaned access, stale identities, and manual error, but it still needs governance to decide which changes should be automated and which should be approved.
  • Cryptographic Access Boundary: A cryptographic access boundary is the point at which access is controlled by keys, encryption, or secret-sharing rather than simple directory membership. In these systems, automation must respect decryption rights and key custody, because a normal group update can have security consequences beyond administration.

What's in the full article

Passbolt's full post covers the operational detail this post intentionally leaves for the source:

  • SCIM setup steps for Passbolt Pro, including endpoint generation and token handling
  • Attribute mapping examples for Microsoft Entra ID and Okta provisioning flows
  • Supported and unsupported SCIM actions, including email update rejection and group sync limitations
  • Implementation notes on why encrypted secret sharing changes the group lifecycle model

👉 Passbolt's full post covers the setup flow, supported actions, and current SCIM limitations for Passbolt Pro.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org