2. Example – an employee joining
[Diagram: the enterprise (WSO2) with LDAP, other internal apps and a provisioning system, feeding other cloud apps/services]
Image courtesy: http://www.crn.com/slide-shows/applications-os/223800159/google-apps-marketplace-10-hot-cloud-applications.htm
http://newmediasense.net/more-than-50-cloud-developers-commit-to-jive-apps-market%E2%84%A2/222888/
3. What is it..?
"Creation, maintenance & deactivation of user accounts, in one or more systems or applications, in response to automated or interactive business processes." – Wikipedia
4. Identifying the parties involved…
ECS – Enterprise Cloud Subscriber
CSU – Cloud Service User
CSP – Cloud Service Provider
[Diagram labels: LDAP, other internal apps, provisioning system, other cloud apps/services]
6. Problems with current approach..
Redundant integration efforts for ECS & CSP.
Maintenance nightmare of multiple connectors.
Complexity and cost.
7. Solution would be a common protocol that everyone agrees on.
Image courtesy: http://causerelatedmarketing.blogspot.com/2011/09/lets-bring-open-standards-to-practice.html
9. How open standard solves current problems..?
[Diagram: LDAP, other internal apps and the provisioning system on one side, other cloud apps/services on the other, connected through the one standard interface]
10. In a nutshell... – Emerging open standard.
REST API.
Platform neutral schema.
SAML binding.
Emphasis on simplicity and interoperability.
11. PROTOCOL – REST API
Resource endpoints.
Supported HTTP methods.
12. PROTOCOL – REST API
The SCIM REST API is relative to a base URL:
https://example.com/scim/v1/
Requests are made via HTTP operations on a URL derived from the base URL, e.g.
POST -> https://example.com/scim/v1/Users
JSON / XML formats.
13. SCHEMA – Resource: a collection of attributes.
Schema defines attributes.
SCIM Core Schema.
Extension model:
Additive – similar to auxiliary object classes in LDAP.
14. SCHEMA – Other SCIM schemas
User Schema, Enterprise User Schema Extension.
Group Schema.
Service Provider Configuration Schema.
Resource Schema.
15. SCHEMA – Minimal user representation in JSON & XML formats.
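Slides 12 and 15 between them describe the whole wire contract: a base URL, an endpoint derived from it, a POST, and a User body in either JSON or XML. The following is an added example, not code from the deck or from WSO2, that builds the smallest SCIM 1.0 User in both formats, parses either one back (checking the schema URN before trusting attributes), and constructs the POST to the /Users endpoint without sending it. The core URN `urn:scim:schemas:core:1.0` is the published SCIM 1.0 identifier; `example.com` comes from the slide; the user name `bjensen` is a constructed sample.

```python
import json
import urllib.request
from xml.etree import ElementTree as ET

# SCIM 1.0 core schema URN, the version the deck describes.
SCIM_CORE_1_0 = "urn:scim:schemas:core:1.0"
# Base URL taken from slide 12; the host is a placeholder.
BASE_URL = "https://example.com/scim/v1/"
USERS_PATH = "Users"


def minimal_user_json(user_name: str) -> str:
    """Smallest valid SCIM 1.0 User: the schemas list plus userName."""
    return json.dumps({"schemas": [SCIM_CORE_1_0], "userName": user_name})


def minimal_user_xml(user_name: str) -> str:
    """The same minimal User in XML; the core URN doubles as the XML namespace."""
    root = ET.Element("User", xmlns=SCIM_CORE_1_0)
    ET.SubElement(root, "userName").text = user_name
    return ET.tostring(root, encoding="unicode")


def user_name_from_body(body: str, content_type: str) -> str:
    """Parse either wire format back and check that the body really is a core
    User before trusting any attribute in it."""
    if content_type == "application/json":
        doc = json.loads(body)
        if SCIM_CORE_1_0 not in doc.get("schemas", []):
            raise ValueError("not a SCIM 1.0 core resource")
        return doc["userName"]
    if content_type == "application/xml":
        root = ET.fromstring(body)
        name = root.find(f"{{{SCIM_CORE_1_0}}}userName")
        if root.tag != f"{{{SCIM_CORE_1_0}}}User" or name is None or name.text is None:
            raise ValueError("not a SCIM 1.0 core User")
        return name.text
    raise ValueError(f"unsupported content type {content_type}")


def build_create_request(base_url: str, body: str, content_type: str) -> urllib.request.Request:
    """Derive the collection endpoint from the base URL and wrap the body in a
    POST. The request object is only built, not sent, so this runs offline."""
    endpoint = base_url.rstrip("/") + "/" + USERS_PATH
    return urllib.request.Request(
        endpoint,
        data=body.encode("utf-8"),
        method="POST",
        headers={"Content-Type": content_type, "Accept": content_type},
    )


def request_summary(req: urllib.request.Request) -> dict:
    """Method, URL and content type of a built request, for inspection."""
    headers = {k.lower(): v for k, v in req.header_items()}
    return {"method": req.get_method(), "url": req.full_url,
            "content_type": headers["content-type"]}


if __name__ == "__main__":
    # Constructed sample: the same user in both formats, each wrapped in a POST.
    for fmt, body in (("application/json", minimal_user_json("bjensen")),
                      ("application/xml", minimal_user_xml("bjensen"))):
        req = build_create_request(BASE_URL, body, fmt)
        print(request_summary(req), body)
```

`build_create_request` normalises the trailing slash so that `https://example.com/scim/v1` and `https://example.com/scim/v1/` derive the same `/Users` endpoint; a service provider that is strict about this is a common source of connector bugs.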
16. SAML BINDING – SCIM - SAML Mapping
Attributes.
SSO Assertion.
AttributeQuery.
Metadata.
17. Brief history…
Started in mid 2010.
Version 1.0 approved in Dec 2011.
Working on submitting to IETF.
Discussions made open at cloud-directory@googlegroups.com
19. REST API
Lightweight with JSON support.
Avoids a performance bottleneck on the connector.
20. SAML Binding
Just-In-Time Provisioning with SSO.
Pull / Push based Identity Management.
21. More...
Defined core + optional capabilities.
Based on existing deployments and standards - LDAP, SAML.
Several implementations.
Adoption by major cloud vendors.
24. PROTOCOL – Security Considerations
Authentication and Authorization – OAuth2 bearer recommended.
Should be over TLS.
Password attribute not to be returned.
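The three points on this slide map onto three checks a service provider applies to every request, in order: the channel must be TLS, the bearer token must be valid and carry the right scope, and the password attribute must be filtered out before a User is serialised. The following is an added example (not WSO2's code) of a GET /Users/{id} handler doing exactly that. The token table, the scope name `scim:read`, the resource store and the user `bjensen` are constructed stand-ins; in a real deployment the token check is an introspection call to the OAuth2 authorization server.

```python
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for the OAuth2 authorization server's view of issued
# bearer tokens: opaque token -> granted scopes. The scope name is an assumption.
VALID_TOKENS = {"tok-constructed-123": {"scim:read", "scim:write"}}

# Constructed resource store. The password is kept server-side (hashed in a real
# system) but must never appear in a response.
SAMPLE_STORE = {
    "2819c223": {"schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223",
                 "userName": "bjensen", "password": "constructed-secret"},
}

PASSWORD_ATTR = "password"


class ScimError(Exception):
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status


def require_tls(url: str) -> None:
    """A bearer token is only as secret as the channel carrying it; refuse plain HTTP."""
    if urlsplit(url).scheme != "https":
        raise ScimError(403, "SCIM endpoints must be served over TLS")


def authorize(headers: dict, required_scope: str) -> set:
    """Authentication (a known bearer token) and authorization (the scope this
    operation needs). The token comparison is constant-time."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        raise ScimError(401, "Bearer token required")
    for known, scopes in VALID_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            if required_scope not in scopes:
                raise ScimError(403, f"token lacks {required_scope}")
            return scopes
    raise ScimError(401, "invalid bearer token")


def to_response(resource: dict) -> dict:
    """Wire representation of a stored User: every attribute except the password."""
    return {k: v for k, v in resource.items() if k != PASSWORD_ATTR}


def handle_get_user(url: str, headers: dict, store: dict, user_id: str) -> tuple:
    """GET /Users/{id} with the three checks applied in order. Errors come back
    as (status, body) rather than being raised, so callers see the HTTP code."""
    try:
        require_tls(url)
        authorize(headers, "scim:read")
        user = store.get(user_id)
        if user is None:
            raise ScimError(404, f"User {user_id} not found")
        return 200, to_response(user)
    except ScimError as exc:
        return exc.status, {"detail": str(exc)}


if __name__ == "__main__":
    print(handle_get_user("https://example.com/scim/v1/Users/2819c223",
                          {"Authorization": "Bearer tok-constructed-123"},
                          SAMPLE_STORE, "2819c223"))
```

The order matters: the TLS check runs before the token is even looked at, so a request that arrived in the clear is rejected without the server ever comparing (and thereby acknowledging) a token that has already leaked.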
25. Automated Provisioning:
[Diagram: the HR Administrator (1) creates the user account in the SCIM-based enterprise provisioning system, which (2) creates the user in Internal Apps, SaaS 1 and SaaS 2 and receives (3) ok from each]
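The flow on this slide is a fan-out: one HR event becomes one SCIM User that is posted to every target, and the provisioning system has to keep track of which targets answered ok. The following is an added example, not code from the deck or from WSO2, of that orchestration with the targets simulated in memory so it runs offline. The HR field names, the target names (taken from the diagram labels) and the user record are constructed; the 201 Created and 409 conflict responses are standard HTTP semantics for a create and a duplicate userName.

```python
import json
import uuid

SCIM_CORE_1_0 = "urn:scim:schemas:core:1.0"


class ScimTarget:
    """Constructed in-memory stand-in for one application's SCIM /Users endpoint
    (Internal Apps, SaaS 1, SaaS 2 in the diagram). A real target is an HTTPS
    POST to <base URL>/Users; here create_user plays the server side."""

    def __init__(self, name: str):
        self.name = name
        self.users = {}  # userName -> stored resource

    def create_user(self, body: str) -> tuple:
        user = json.loads(body)
        if SCIM_CORE_1_0 not in user.get("schemas", []) or "userName" not in user:
            return 400, {"detail": "not a SCIM 1.0 User"}
        if user["userName"] in self.users:
            # userName is unique per provider: a repeat is a conflict, not a second account
            return 409, {"detail": "userName already exists"}
        stored = dict(user, id=str(uuid.uuid4()))
        self.users[user["userName"]] = stored
        return 201, stored


class UnreachableTarget(ScimTarget):
    """Constructed target whose endpoint is down, to show the failure report."""

    def create_user(self, body: str) -> tuple:
        raise ConnectionError(f"{self.name}: connection refused")


def hr_record_to_scim(hr_record: dict) -> str:
    """Step (1): the HR record becomes one SCIM core User every target understands.
    The HR field names are constructed for this example."""
    return json.dumps({
        "schemas": [SCIM_CORE_1_0],
        "userName": hr_record["email"],
        "name": {"givenName": hr_record["first_name"], "familyName": hr_record["last_name"]},
        "active": True,
    })


def provision_user(hr_record: dict, targets: list) -> dict:
    """Steps (2) and (3): send the same User to every target and record each
    answer, so a failed target can be retried later without re-creating the
    accounts that already succeeded."""
    body = hr_record_to_scim(hr_record)
    report = {}
    for target in targets:
        try:
            status, resp = target.create_user(body)
        except ConnectionError as exc:
            report[target.name] = {"status": None, "ok": False, "retry": True, "detail": str(exc)}
            continue
        report[target.name] = {
            "status": status,
            "ok": status == 201,
            "retry": status >= 500,  # a 409 means the account exists; do not retry it
            "detail": resp.get("id") if status == 201 else resp.get("detail"),
        }
    return report


def pending_targets(report: dict) -> list:
    """Targets that still need provisioning (failed and worth retrying)."""
    return [name for name, r in report.items() if r["retry"]]


def demo() -> tuple:
    """Constructed run: two reachable targets, one down; the same record sent twice."""
    targets = [ScimTarget("Internal Apps"), ScimTarget("SaaS 1"), UnreachableTarget("SaaS 2")]
    record = {"email": "bjensen@example.com", "first_name": "Barbara", "last_name": "Jensen"}
    first = provision_user(record, targets)
    second = provision_user(record, targets)  # a replay must not create duplicates
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print(first, pending_targets(first))
    print(second, pending_targets(second))
```

The report distinguishes "never reached" from "already exists": the first is retried on the next run, the second is not, which is what makes the HR event safe to replay after a partial failure.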
38. Identity Provisioning.
Value of open standards in the space of provisioning.
SCIM along with highlights from the spec.
Why SCIM...?
Use cases of SCIM in an Identity Management solution.
Adoption of SCIM in WSO2 Identity Server and Stratos.
42. • QuickStart
• Development Support
• Development Services
• Production Support
• Turnkey Solutions
• WSO2 Mobile Services Solution
• WSO2 FIX Gateway Solution
• WSO2 SAP Gateway Solution