OIDC is far preferable to SAML, but the last time I touched this, half the reason why customers preferred SAML was because their IdP supported SCIM but only for SAML applications.
That's a very fair point! I'm going to add mention of SCIM / directory sync. I feel like it's easiest to stick that into the CISO section, since a big part of SCIM is just the deprovisioning aspect?
And yeah, you're right -- Okta, for example, doesn't let you add SCIM to an OIDC application. It's unfortunate -- there's no deep technical reason you can't mix OIDC and SCIM -- but it is the world we live in.
> a big part of SCIM is just the deprovisioning aspect?
The "just" makes it sound like this is a minor point. This is a huge point. Enterprises are forced by their customers and regulators to show that terminated employees lose access immediately. There are two ways to make that happen: force everything to flow through a VPN, and SCIM. Most SaaS providers do not support IP allowlisting needed to enforce that all traffic flows through the VPN, and the only alternative to enforce that user sessions are terminated immediately is if the SaaS keeps sessions in a database and those sessions are revoked as part of SCIM. Otherwise the sessions could continue to be valid for days or even longer, presenting a risk of allowing terminated employees to wreak untold havoc.
Oh don't get me wrong at all -- deprovisioning is huge indeed!
I'm not going to misleadingly edit my initial comment, and your comment is fair. I said "just" when I should have said "precisely". As in, I was already talking about how SAML interacts with "Bob from Sales got fired, probably should kick him out of the CRM". SAML gives you "Bob can't log into the CRM ever again", SCIM gives you "... and his CRM user and sessions are immediately revoked".
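A minimal version of the server-side pattern the two comments above describe (sessions kept in a store and revoked in the same step as the SCIM deactivate/delete), as an added example that is not code from any commenter or product; the in-memory stores, the handler signature and the session-id format are constructed assumptions.

```python
# Added example: SaaS-side SCIM deprovisioning that revokes live sessions
# when the IdP deactivates or deletes the user, so "Bob from Sales got fired"
# ends his access now rather than when a days-long session finally expires.
# USERS / SESSIONS stand in for database tables (constructed for illustration).
import json
import secrets
import time

USERS: dict[str, dict] = {}     # scim_id -> {"userName": ..., "active": bool}
SESSIONS: dict[str, dict] = {}  # session_id -> {"user": scim_id, "expires": epoch}


def provision_user(user_name: str) -> str:
    """SCIM POST /Users: create an active user and return its SCIM id."""
    scim_id = secrets.token_hex(8)
    USERS[scim_id] = {"userName": user_name, "active": True}
    return scim_id


def login(scim_id: str, ttl_seconds: int = 7 * 24 * 3600) -> str:
    """Issue a server-side session; the long TTL mirrors the 'valid for days' problem."""
    if not USERS.get(scim_id, {}).get("active"):
        raise PermissionError("user inactive")
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": scim_id, "expires": time.time() + ttl_seconds}
    return sid


def session_is_valid(sid: str) -> bool:
    s = SESSIONS.get(sid)
    return (s is not None and s["expires"] > time.time()
            and bool(USERS.get(s["user"], {}).get("active")))


def revoke_sessions(scim_id: str) -> int:
    """Drop every session belonging to the user; returns how many were revoked."""
    doomed = [sid for sid, s in SESSIONS.items() if s["user"] == scim_id]
    for sid in doomed:
        del SESSIONS[sid]
    return len(doomed)


def handle_scim_request(method: str, scim_id: str, body: str = "") -> int:
    """Handle DELETE or PATCH on /Users/{id}; returns the HTTP status to send."""
    if scim_id not in USERS:
        return 404
    if method == "DELETE":
        USERS.pop(scim_id)
        revoke_sessions(scim_id)          # deletion also kills live sessions
        return 204
    if method == "PATCH":
        for op in json.loads(body).get("Operations", []):
            value = op.get("value")
            # Accept both PATCH shapes: path="active",value=false and value={"active": false}
            deactivate = (op.get("path") == "active" and value is False) or \
                         (isinstance(value, dict) and value.get("active") is False)
            if op.get("op", "").lower() == "replace" and deactivate:
                USERS[scim_id]["active"] = False
                revoke_sessions(scim_id)  # the step the thread says must not be skipped
        return 200
    return 405
```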