
Keycloak SCIM vs. production sync needs: what is still missing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Keycloak’s experimental SCIM Realm API covers core user and group CRUD, filtering, pagination, and Entra validation, but it still lacks bulk operations, sorting, custom attributes, multi-tenant design, and a SCIM-specific authorization model, according to WorkOS. The gap between spec compliance and production-grade directory sync remains the real risk for enterprise IAM teams.

NHIMG editorial — based on content published by WorkOS: Keycloak's experimental SCIM API and what is still missing

Questions worth separating out

Q: What breaks when SCIM only supports the basics but not production sync behaviour?

A: Basic SCIM support often breaks when real IdPs send custom attributes, rely on sorting, or expect consistent PATCH handling.

Q: Why do directory sync integrations fail even when the SCIM spec is supported?

A: They fail because the spec does not remove implementation variance across Okta, Entra, JumpCloud, and other IdPs.

Q: How do organisations know whether a SCIM integration is actually ready for production?

A: They know it is ready when it preserves required attributes, isolates tenant data cleanly, handles the IdPs they actually use, and avoids broad admin-level connector permissions.

Practitioner guidance

  • Validate IdP behaviour before rollout: test the endpoint against the exact directories you support, including Entra, Okta, and any customer-specific IdP, because SCIM behaviour differs in PATCH, filtering, and attribute handling.
  • Map required attributes before enabling sync: confirm whether downstream access rules depend on custom fields such as department, costCenter, or tenant metadata, and block production use until those attributes are preserved end to end.
  • Separate provisioning scope from admin scope: check whether the connector uses broad admin roles or a dedicated SCIM permission model, then reduce the blast radius with tenant-scoped tokens and least-privilege access.

What's in the full article

WorkOS's full research covers the operational detail this post intentionally leaves for the source:

  • Side-by-side feature mapping for Keycloak SCIM API v26.4 and Directory Sync across CRUD, filtering, sorting, and discovery endpoints
  • Attribute handling detail for core, enterprise, and custom schemas, including raw attribute preservation and group mapping behaviour
  • Multi-tenant and authorization design differences, including per-realm exposure versus per-organization bearer tokens
  • IdP compatibility notes across Entra, Okta, JumpCloud, OneLogin, Ping, Rippling, Google Workspace, and BambooHR

👉 Read WorkOS's analysis of Keycloak SCIM readiness and directory sync gaps →
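A small readiness check for the first two guidance points above (do required attributes survive a round trip, and does the server's PATCH result match what RFC 7644 semantics predict), added here as an example rather than code from WorkOS or Keycloak. The required-attribute list, the tenant extension URN, and the sample user are assumptions; run it against the resource your IdP sent and the resource the SCIM server returned.

```python
from copy import deepcopy

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
TENANT_EXT = "urn:example:params:scim:schemas:extension:tenant:2.0:User"  # hypothetical custom schema
# Attribute paths downstream access rules depend on (hypothetical list for this check).
REQUIRED_PATHS = ["userName", "active", f"{ENTERPRISE}:department",
                  f"{ENTERPRISE}:costCenter", f"{TENANT_EXT}:tenantId"]
# Constructed sample of what the IdP sent on create; compare it with what the server returned.
SENT_USER = {"userName": "jdoe@example.com", "active": True,
             ENTERPRISE: {"department": "Finance", "costCenter": "CC-42"},
             TENANT_EXT: {"tenantId": "tenant-001"}}

def split_path(path):
    """Split a SCIM path into (schema URN or None, [attr, sub-attr, ...])."""
    urn, _, attr = path.rpartition(":") if path.startswith("urn:") else (None, None, path)
    return urn, attr.split(".")

def get_path(resource, path):
    """Resolve a SCIM attribute path against a resource dict; None if absent."""
    urn, parts = split_path(path)
    node = resource.get(urn, {}) if urn else resource
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def missing_attributes(sent, returned, required=REQUIRED_PATHS):
    """Required paths that were sent but did not survive the create/PUT round trip."""
    return [p for p in required
            if get_path(sent, p) is not None and get_path(returned, p) != get_path(sent, p)]

def apply_patch(resource, patch):
    """Locally apply an RFC 7644 PatchOp (add/replace/remove with an explicit path)."""
    out = deepcopy(resource)
    for op in patch["Operations"]:
        urn, parts = split_path(op["path"])
        node = out.setdefault(urn, {}) if urn else out
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        if op["op"].lower() == "remove":
            node.pop(parts[-1], None)
        else:  # add and replace on a single-valued attribute both set the value
            node[parts[-1]] = op["value"]
    return out

def patch_is_consistent(before, patch, returned, required=REQUIRED_PATHS):
    """True if the server's post-PATCH resource matches the locally expected result."""
    expected = apply_patch(before, patch)
    paths = set(required) | {op["path"] for op in patch["Operations"]}
    return all(get_path(expected, p) == get_path(returned, p) for p in paths)
```

A non-empty list from missing_attributes, or False from patch_is_consistent for an IdP you support, is the signal to block production sync until the gap is closed.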

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

SCIM is a governance control, not a protocol checkbox. The real measure of directory sync is whether identity events arrive with the right scope, attributes, and tenant context intact. A system can be SCIM-compliant in a narrow sense and still fail the operational requirement that IAM teams actually care about: controlled lifecycle propagation into downstream applications. Practitioners should evaluate provisioning as an access governance pipeline, not an API feature.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: Should security teams prefer tenant-scoped sync over per-realm provisioning models?

A: Yes, when the application serves multiple customers and needs clear lifecycle boundaries. Tenant-scoped sync narrows the blast radius of connector credentials, aligns provisioning with customer ownership, and avoids turning an identity administration structure into a multi-tenant governance risk.

👉 Read our full editorial: Keycloak's experimental SCIM support still falls short for production
