Date post: | 15-Jan-2015 |
Category: |
Technology |
Upload: | twobo-technologies |
View: | 6,153 times |
Download: | 0 times |
Intro to SCIM
Travis Spencer, CEO
Twobo Technologies
The Problem
• Modern systems are massively distributed
• Organizations need to automate user/group
management across domain boundaries
• Large cloud providers have their own APIs
• Enterprise-to-enterprise is a dog’s dinner
• Identity is the fly in the integration ointment
The Resulting Reality
• Tactical, bespoke methods that can’t scale
• Expensive integration work & custom
development
• Systems maintain isolated silos of user data
• X-employees continue accessing resources
• Solution is automation based on
open standards
Banding Together to Solve this Problem
• Salesforce, Google, UnboundID, Ping Identity, Sailpoint, Technology Nexus, etc.
• Protocol drafted, tested, and released in 2011
Q1 – Initial draft of spec
Q2 – Updated draft discussed at IIW
Q3 – Consortium formed under OWF, interop tests at IIW
Q4 – V. 1 agreed upon by consortium, submitted to IETF
SCIM, a Modern Standard for Automation
• The spec formerly known as Simple Cloud…
• Provisioning API to manage users & groups
• Support bulk updates for ingest & sync
• Low-tech barrier, easy w/ curl & JavaScript
• Designed w/ mobile in mind
• Goes hand-in-glove w/ federation
• Secure access using OAuth 2 et. al
SCIM Specification Set
Core Schema • User • Groups • Enterprise Extension • Config
Federation Binding • SAML • TBD: OpenID Connect
REST API for CRUD • JSON & XML • Response codes
Features of SCIM
• Core schema – Models user, groups, etc.
– Defines basic user attributes (name, address, etc.)
• RESTful API – Defines CRUD to synchronize resources
– JSON and XML data formats
• Federation bindings – SAML, OIC – Supports JIT provisioning during SSO
– Maps SCIM schema to federation protocols
Push Provisioning
SCIM Client
SCIM Server
CRUD of user object
Status
IdP Organization SP Organization
JIT Provisioning
IdP SP
IdP Organization SP Organization
Browser
User data in federation message
Create user on the fly
JIT + Pull
IdP / SCIM
Server
SP / SCIM Client
IdP Organization SP Organization
Browser
Access token in federation message
Get User
User object
Create new user
Overview of API
• RESTful
• Specifies well known endpoints & HTTP
methods for managing core resources
– User and group resources correspond to
/Users and /Groups, respectively
• Responses are returned in the body of the
HTTP messages in JSON or XML format
Authentication and Security
• Spec does not mandate a particular
authentication scheme
• OAuth 2 is recommended, but others are
not precluded (e.g., HTTP basic)
• Client and server must exchange data
over SSL/TLS
Supported HTTP Verbs
Verb Meaning
GET Retrieves a resource
POST Creates a new resource
PUT Completely update a resource
PATCH Partially update a resource
DELETE Delete a resource
Controlling Responses
• Filter (i.e., search)
– Find specific resources
– Request a subset of attributes
• Sorting
– Sort by
– Sort order
• Pagination
– Client maintains offset and count
– No server-side cursors (v. 2 probably)
Extensible Schema
• Protocol defines core schema used to represent resources of various types
– Modeled after POCO & others
– Also stipulates how to extend
• Defines enterprise extensions
– Adds manager, department, organization, etc.
• Others can be created at will
Includes Mapping from Active Directory
Active Directory SCIM
userPrincipalName userName
mail email.value@type=work
givenName name.givenName
sn name.familyName
whenCreated meta.whenCreated
userPassword password
cn displayName
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
Retrieving User Data
HTTP/1.1 200 OK
Content-Type: application/json
Location:
https://example.com/v1/Users/2819c223-7f76-
453a-919d-413861904646
ETag: W/"f250dd84f0671c3"
{
...
"name":{
"formatted":"Ms. Barbara J Jensen III",
"familyName":"Jensen",
"givenName":"Barbara"
},
"userName":"bjensen",
User ID
GET request = read
Same User ID
Attributes
200 = successful response
Return JSON
Attributes are in JSON format
Updating a Group with a new Member
PATCH /Groups/acbf3ae7-8463-4692-b4fd-
9b4da3f908ce
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
ETag: W/"a330bc54f0671c9"
{
"schemas": ["urn:scim:schemas:core:1.0"],
"members": [
{
"display": "Babs Jensen",
"value": "2819c223-7f76-453a…"
}
]
}
PATCH = only update what’s
changed Secure access using OAuth 2
New group member; others are unchanged
SCIM vis-à-vis UserInfo Endpoint in OIC
Client
User Agent AS
RS
User-Info
OIC
Base OAuth
3. Use a token 2. Read a token
1. Get a token
SCIM API
SCIM
What’s Next for SCIM?
• More and more implementations!
• PingOne and UnboundID’s synchronization
server are already in the market
• Major SaaS providers are launching this year
• Other IAM vendors releasing soon
• IETF working group has been formed
– Date of completion projected for 2014
– V. 1 is available today
Support SCIM
• SaaS and IdM vendors must implement
SCIM for it to solve anything
• Demand standards-based automation of
identity; demand SCIM
• Join IETF mailing list; attend WG meetings
Thank You and More Info
• @travisspencer
• @pingidentity
• simplecloud.info
• travisspencer.com
• 2botech.com
• pingidentity.com