The identity provider basically needs to communicate three kinds of changes to other software:The addition of new users (e.g. Put very simply, SCIM just defines some rules for the JSON that the identity provider sends and the JSON that the identity provider expects to receive in response. If your customer wants your software to hook into their identity provider, your software becomes the server – and your customer’s identity provider becomes the client. Given its role as the client, your customer’s identity provider needs to authenticate itself to you. It needs to prove that it’s actually the identity provider – and not some attacker – to make the changes it’s requesting.