SCIM Access Token
Service Name: System for Cross-domain Identity Management (SCIM)
Service Description: SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems. It provides a defined schema for representing users and groups and a REST API for managing these resources.
Service Address: Varies by implementation (commonly used with services like Okta, Azure AD, OneLogin, etc.)
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the service level depending on the identity provider implementing SCIM.
Secret Access Scope: Grants programmatic access to create, read, update, and delete user and group information across systems. Allows for automated user provisioning and deprovisioning.
Secret Revokement URL: Varies by implementation - typically managed through the identity provider's admin console.
Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY2ltX3Rva2VuIjoidHJ1ZSIsImV4cCI6MTcxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Suspicious Activity Investigation Instructions:
- Review access logs in your identity provider for unusual SCIM API calls.
- Check for unexpected user provisioning or deprovisioning activities.
- Monitor for changes to user attributes or group memberships that weren't authorized.
- Look for API calls from unusual IP addresses or outside normal business hours.
- Verify if there are any failed authentication attempts using the SCIM token.
Mitigation Instructions:
- Immediately revoke the compromised SCIM token through your identity provider's admin console.
- Generate a new SCIM token with appropriate permissions.
- Update the token in any applications or services that legitimately use SCIM integration.
- Review and adjust the scope of permissions assigned to the SCIM token.
- Implement IP restrictions for SCIM API access if supported by your identity provider.
- Enable audit logging for all SCIM-related activities.
- Consider implementing token rotation policies for SCIM access tokens.
- Review all user accounts for unauthorized changes that may have occurred during the compromise period.