A presentation on System for Cross-domain Identity Management (SCIM), formerly Simple Cloud Identity Management, given at the Cloud Identity Summit (CIS) 2012 by Travis Spencer, CEO of Twobo Technologies, a consulting firm specializing in Identity and Access Management (IAM), cloud security, and mobile security.
2. The Problem
• Modern systems are massively distributed
• Organizations need to automate user/group
management across domain boundaries
• Large cloud providers have their own APIs
• Enterprise-to-enterprise is a dog’s dinner
• Identity is the fly in the integration ointment
3. The Resulting Reality
• Tactical, bespoke methods that can’t scale
• Expensive integration work & custom
development
• Systems maintain isolated silos of user data
• Ex-employees continue accessing resources
• Solution is automation based on
open standards
4. Banding Together to Solve this Problem
• Salesforce, Google, UnboundID, Ping
Identity, Sailpoint, Technology Nexus, etc.
• Protocol drafted, tested, and released in 2011
– Q1 – Initial draft of spec
– Q2 – Updated draft discussed at IIW
– Q3 – Consortium formed under OWF, interop tests at IIW
– Q4 – V. 1 agreed upon by consortium, submitted to IETF
5. SCIM, a Modern Standard for Automation
• The spec formerly known as Simple Cloud…
• Provisioning API to manage users & groups
• Support bulk updates for ingest & sync
• Low-tech barrier, easy w/ curl & JavaScript
• Designed w/ mobile in mind
• Goes hand-in-glove w/ federation
• Secure access using OAuth 2 et al.
6. SCIM Specification Set
REST API for CRUD
• JSON & XML
• Response codes
Federation Binding
• SAML
• TBD: OpenID Connect
Core Schema
• User
• Groups
• Enterprise Extension
• Config
7. Features of SCIM
• Core schema
– Models user, groups, etc.
– Defines basic user attributes (name, address,
etc.)
• RESTful API
– Defines CRUD to synchronize resources
– JSON and XML data formats
• Federation bindings – SAML, OIC
– Supports JIT provisioning during SSO
– Maps SCIM schema to federation protocols
10. JIT + Pull
[Diagram: the IdP organization (IdP / SCIM server) on the left and the SP organization (SP / SCIM client) on the right, with the browser in between. Steps shown: "Create new user" producing a user object; an access token carried in the federation message; the SP performing "Get User" against the IdP's SCIM endpoint.]
11. Overview of API
• RESTful
• Specifies well known endpoints & HTTP
methods for managing core resources
– User and group resources correspond to
/Users and /Groups, respectively
• Responses are returned in the body of the
HTTP messages in JSON or XML format
12. Authentication and Security
• Spec does not mandate a particular
authentication scheme
• OAuth 2 is recommended, but others are
not precluded (e.g., HTTP basic)
• Client and server must exchange data
over SSL/TLS
13. Supported HTTP Verbs
Verb     Meaning
GET      Retrieves a resource
POST     Creates a new resource
PUT      Completely updates a resource
PATCH    Partially updates a resource
DELETE   Deletes a resource
14. Controlling Responses
• Filter (i.e., search)
– Find specific resources
– Request a subset of attributes
• Sorting
– Sort by
– Sort order
• Pagination
– Client maintains offset and count
– No server-side cursors (v. 2 probably)
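The three response controls on this slide (filter, sorting, offset/count pagination) as an added, self-contained example of the server side; this is illustration code, not code from the talk or from any SCIM product. It assumes the SCIM 1.1 query parameter names (filter, sortBy, sortOrder, startIndex, count, attributes) and list-response fields (totalResults, itemsPerPage, startIndex, Resources), restricts the filter grammar to one `<attribute> <op> "<value>"` expression with the operators eq, co and sw, and treats string comparison as case-insensitive; the user records are constructed.

```python
import re

SCIM_CORE = "urn:scim:schemas:core:1.0"

# Constructed sample store (not real users).
USERS = [
    {"id": "1", "userName": "bjensen", "name": {"givenName": "Barbara", "familyName": "Jensen"}, "title": "Tour Guide"},
    {"id": "2", "userName": "jsmith", "name": {"givenName": "John", "familyName": "Smith"}, "title": "Engineer"},
    {"id": "3", "userName": "mjensen", "name": {"givenName": "Mary", "familyName": "Jensen"}, "title": "Engineer"},
]

# Accepted grammar (assumption): <attributePath> <op> "<string>" with op in eq, co, sw.
# Anything else is rejected outright, so untrusted filter text is never passed
# through to a backend query as-is.
FILTER_RE = re.compile(r'^\s*([A-Za-z][\w.]*)\s+(eq|co|sw)\s+"((?:[^"\\]|\\.)*)"\s*$')


def get_path(resource, path):
    """Resolve a dotted attribute path such as name.familyName; None if absent."""
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_filter(expr):
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError("unsupported or malformed filter: %r" % expr)
    attr, op, raw = m.groups()
    return attr, op, raw.replace('\\"', '"')


def matches(resource, attr, op, value):
    actual = get_path(resource, attr)
    if not isinstance(actual, str):
        return False
    a, v = actual.lower(), value.lower()  # assumption: case-insensitive string match
    return {"eq": a == v, "co": v in a, "sw": a.startswith(v)}[op]


def project(resource, attributes):
    """Return only the requested top-level attributes; id is always kept."""
    keep = set(attributes) | {"id"}
    return {k: v for k, v in resource.items() if k in keep}


def search(store, filter_expr=None, sort_by=None, sort_order="ascending",
           start_index=1, count=None, attributes=None):
    """Apply filter, sort and 1-based startIndex/count paging; stateless, no cursor."""
    results = list(store)
    if filter_expr:
        attr, op, value = parse_filter(filter_expr)
        results = [r for r in results if matches(r, attr, op, value)]
    if sort_by:
        if sort_order not in ("ascending", "descending"):
            raise ValueError("sortOrder must be ascending or descending")
        results.sort(key=lambda r: str(get_path(r, sort_by) or "").lower(),
                     reverse=(sort_order == "descending"))
    total = len(results)
    start_index = max(1, int(start_index))  # values below 1 are clamped to 1
    page = results[start_index - 1:]
    if count is not None:
        page = page[:max(0, int(count))]
    if attributes:
        page = [project(r, attributes) for r in page]
    return {"schemas": [SCIM_CORE], "totalResults": total, "itemsPerPage": len(page),
            "startIndex": start_index, "Resources": page}


if __name__ == "__main__":
    print(search(USERS, 'name.familyName eq "Jensen"', sort_by="userName",
                 sort_order="descending", start_index=1, count=1, attributes=["userName"]))
```

Because the client owns the offset, two successive pages are independent requests; the server keeps no cursor state, which is exactly what the slide's "no server-side cursors" means for a v1 implementation.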
15. Extensible Schema
• Protocol defines core schema used to
represent resources of various types
– Modeled after POCO & others
– Also stipulates how to extend
• Defines enterprise extensions
– Adds manager, department,
organization, etc.
• Others can be created at will
16. Includes Mapping from Active Directory
Active Directory     SCIM
userPrincipalName    userName
mail                 email.value@type=work
givenName            name.givenName
sn                   name.familyName
whenCreated          meta.whenCreated
userPassword         password
cn                   displayName
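The mapping table above carried into code, as an added example that is not from the talk or from any product. It assumes the AD record arrives as a flat dict keyed by LDAP attribute name, renders the table's `email.value@type=work` as one entry of the SCIM multi-valued `emails` attribute with type "work", converts whenCreated from LDAP GeneralizedTime into the ISO 8601 form SCIM uses, and writes it to `meta.created` (the slide's label is meta.whenCreated; `meta` is server-maintained in SCIM, so a server may overwrite it). userPassword is copied only when present, since SCIM's password attribute is write-only: accepted on create or update, never returned. The sample entry is constructed. The helper that reports attributes the core schema has no home for also illustrates the previous slide's point about enterprise extensions.

```python
from datetime import datetime, timezone

SCIM_CORE = "urn:scim:schemas:core:1.0"

# Constructed sample directory entry (not a real account).
SAMPLE_AD_ENTRY = {
    "userPrincipalName": "bjensen@example.com",
    "mail": "bjensen@example.com",
    "givenName": "Barbara",
    "sn": "Jensen",
    "cn": "Barbara Jensen",
    "whenCreated": "20120701143015.0Z",
    "userPassword": "constructed-initial-secret",
}

# AD attributes the table maps onto the SCIM core schema.
MAPPED = {"userPrincipalName", "mail", "givenName", "sn", "cn", "whenCreated", "userPassword"}


def generalized_time_to_iso8601(value):
    """LDAP GeneralizedTime "20120701143015.0Z" -> "2012-07-01T14:30:15Z"."""
    if len(value) < 14 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    dt = datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def ad_to_scim_user(entry):
    """Build the JSON body for POST /Users from an AD entry, per the slide's table."""
    upn = entry.get("userPrincipalName")
    if not upn:
        raise ValueError("userPrincipalName is required: it becomes the SCIM userName")
    user = {"schemas": [SCIM_CORE], "userName": upn}
    name = {}
    if entry.get("givenName"):
        name["givenName"] = entry["givenName"]
    if entry.get("sn"):
        name["familyName"] = entry["sn"]
    if name:
        user["name"] = name
    if entry.get("cn"):
        user["displayName"] = entry["cn"]
    if entry.get("mail"):
        # email.value@type=work: one emails entry whose type is "work"
        user["emails"] = [{"value": entry["mail"], "type": "work"}]
    if entry.get("whenCreated"):
        # meta is read-only on the SCIM side; a server may ignore or replace this
        user["meta"] = {"created": generalized_time_to_iso8601(entry["whenCreated"])}
    if entry.get("userPassword"):
        # write-only in SCIM: sent on create/update, never echoed back by GET
        user["password"] = entry["userPassword"]
    return user


def unmapped_attributes(entry):
    """AD attributes with no core-schema target: candidates for an extension schema."""
    return sorted(k for k in entry if k not in MAPPED)


if __name__ == "__main__":
    print(ad_to_scim_user(SAMPLE_AD_ENTRY))
    print(unmapped_attributes({**SAMPLE_AD_ENTRY, "department": "Sales"}))
```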
17. Retrieving User Data
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

HTTP/1.1 200 OK
Content-Type: application/json
Location: https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"f250dd84f0671c3"
{
  ...
  "name":{
    "formatted":"Ms. Barbara J Jensen III",
    "familyName":"Jensen",
    "givenName":"Barbara"
  },
  "userName":"bjensen",
Callouts on the slide: GET request = read; the path ends in the user ID; 200 = successful response; attributes are returned in JSON format; the Location header carries the same user ID.
18. Updating a Group with a new Member
PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
ETag: W/"a330bc54f0671c9"
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "members": [
    {
      "display": "Babs Jensen",
      "value": "2819c223-7f76-453a…"
    }
  ]
}
Callouts on the slide: PATCH = only update what's changed; secure access using OAuth 2; the listed entry is the new group member, the others are unchanged.
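The API shape from slides 11 through 13, 17 and 18 in one small in-memory resource server, added here as an example; it is not code from the talk or from any SCIM product. It models the well-known /Users and /Groups endpoints, bearer-token authentication with a 401 challenge, JSON responses carrying Location and ETag, the 404/405/412 error codes, the TLS requirement, and a PATCH that adds one group member without touching the existing ones. Assumptions: requests and responses are plain dicts rather than real HTTP; a "tls" flag on the request stands in for the transport; the user and group ids are the two from the slides while the token value, the second user id and the ETags are constructed; the version precondition is read from If-Match (the slide shows ETag on the request, but If-Match is the HTTP precondition header); a member entry carrying "operation": "delete" removes that member, as in SCIM 1.1 PATCH.

```python
import hashlib
import json

BASE_URL = "https://example.com/v1"
SCIM_CORE = "urn:scim:schemas:core:1.0"
VALID_TOKENS = {"h480djs93hd8"}  # constructed; a real server validates with the AS

USER_ID = "2819c223-7f76-453a-919d-413861904646"        # id shown on slide 17
GROUP_ID = "acbf3ae7-8463-4692-b4fd-9b4da3f908ce"       # id shown on slide 18
OTHER_USER_ID = "00000000-0000-4000-8000-000000000002"  # constructed

# Constructed in-memory store keyed by resource type, then id.
STORE = {
    "Users": {
        USER_ID: {"schemas": [SCIM_CORE], "id": USER_ID, "userName": "bjensen",
                  "name": {"givenName": "Barbara", "familyName": "Jensen"},
                  "password": "constructed-secret"},
    },
    "Groups": {
        GROUP_ID: {"schemas": [SCIM_CORE], "id": GROUP_ID, "displayName": "Constructed Group",
                   "members": [{"value": OTHER_USER_ID, "display": "Other User"}]},
    },
}


def etag_for(resource):
    """Weak ETag derived from the canonical JSON of the stored resource."""
    digest = hashlib.sha256(json.dumps(resource, sort_keys=True).encode()).hexdigest()
    return 'W/"%s"' % digest[:16]


def public_view(resource):
    """password is write-only in SCIM: accepted on create/update, never returned."""
    return {k: v for k, v in resource.items() if k != "password"}


def body_json(resp):
    return json.loads(resp["body"])


def _response(status, body, extra_headers=None):
    headers = {"Content-Type": "application/json"}
    headers.update(extra_headers or {})
    return {"status": status, "headers": headers, "body": json.dumps(body)}


def _error(status, description, extra_headers=None):
    return _response(status, {"Errors": [{"description": description, "code": str(status)}]}, extra_headers)


def handle(req):
    """Route one request dict: {"method", "path", "headers", "body", "tls"}."""
    if not req.get("tls", True):
        return _error(403, "SCIM traffic must be carried over TLS")
    headers = req.get("headers", {})
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in VALID_TOKENS:
        return _error(401, "missing or invalid bearer token", {"WWW-Authenticate": 'Bearer realm="scim"'})
    parts = req["path"].strip("/").split("/")
    if len(parts) != 2 or parts[0] not in STORE:
        return _error(404, "unknown endpoint %s" % req["path"])
    rtype, rid = parts
    resource = STORE[rtype].get(rid)
    if resource is None:
        return _error(404, "%s/%s not found" % (rtype, rid))
    location = "%s/%s/%s" % (BASE_URL, rtype, rid)
    method = req["method"].upper()
    if method == "GET":
        return _response(200, public_view(resource), {"Location": location, "ETag": etag_for(resource)})
    if method == "PATCH" and rtype == "Groups":
        expected = headers.get("If-Match")
        if expected is not None and expected != etag_for(resource):
            return _error(412, "resource changed since the version the client holds")
        patch = json.loads(req.get("body") or "{}")
        members = resource.setdefault("members", [])
        for entry in patch.get("members", []):
            if entry.get("operation") == "delete":
                members[:] = [m for m in members if m["value"] != entry["value"]]
            elif all(m["value"] != entry["value"] for m in members):
                # merge semantics: listed members are added, existing ones stay
                members.append({"value": entry["value"], "display": entry.get("display", "")})
        return _response(200, public_view(resource), {"Location": location, "ETag": etag_for(resource)})
    allow = "GET" if rtype == "Users" else "GET, PATCH"
    return _error(405, "%s not supported here" % method, {"Allow": allow})


if __name__ == "__main__":
    auth = {"Authorization": "Bearer h480djs93hd8", "Accept": "application/json"}
    print(handle({"method": "GET", "path": "/Users/" + USER_ID, "headers": auth}))
    body = json.dumps({"schemas": [SCIM_CORE], "members": [{"display": "Babs Jensen", "value": USER_ID}]})
    print(handle({"method": "PATCH", "path": "/Groups/" + GROUP_ID, "headers": auth, "body": body}))
```

Two details worth copying into any real implementation: the password attribute is stripped before a resource is serialized, and a PATCH is refused with 412 when the client's If-Match no longer matches the current ETag, so two clients updating the same group cannot silently overwrite each other.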
19. SCIM vis-à-vis UserInfo Endpoint in OIC
[Diagram: User Agent, Client, Authorization Server (AS) and Resource Server (RS). Steps shown: 1. Get a token; 2. Read a token; 3. Use a token. Layered view: base OAuth underneath, with OIC's UserInfo endpoint and the SCIM API built on top of it.]
20. What’s Next for SCIM?
• More and more implementations!
• PingOne and UnboundID’s synchronization
server are already in the market
• Major SaaS providers are launching this year
• Other IAM vendors releasing soon
• IETF working group has been formed
– Date of completion projected for 2014
– V. 1 is available today
21. Support SCIM
• SaaS and IdM vendors must implement
SCIM for it to solve anything
• Demand standards-based automation of
identity; demand SCIM
• Join IETF mailing list; attend WG meetings
22. Thank You and More Info
• @travisspencer
• @pingidentity
• simplecloud.info
• travisspencer.com
• 2botech.com
• pingidentity.com