The System for Cross-Domain Identity Management (SCIM) protocol is the last best hope for crossing the provisioning interoperability chasm—for on-premises and cloud-based applications. Visit the interop room to learn more about SCIM and chat with participating companies.
2. Example SCIM topology (diagram). An on-premises identity system (SCIM consumer) creates a user with an HTTP POST to an externally hosted SaaS application (SCIM service provider).
3. Example SCIM topology (diagram). On-premises Active Directory is fed into the identity system (SCIM consumer) by directory sync; the identity system then creates the user with an HTTP POST to the externally hosted SaaS application (SCIM service provider).
4. SCIM identity bridge (diagram). Externally hosted: a partner's provisioning IDaaS (SCIM consumer, API) and a web application reached through its own API or SCIM. On-premises: Active Directory (LDAP) and an Identity Bridge made up of directory sync, a SCIM consumer, a SCIM provider and an OAuth resource server; SCIM links the bridge to the hosted side.
5. Interoppers

service provider | consumer
-----------------|-----------------
cisco | sailpoint
pi pingfederate | sailpoint
pi pingfederate | unboundid
pi pingone | nexus
pi pingone | wso2
salesforce | sailpoint
salesforce | nexus
salesforce | wso2
salesforce | pi pingfederate
unboundid | pi pingfederate
unboundid | pi pingone
unboundid | wso2
wso2 | sailpoint
6. Interop tests

Category | Test # | Test Name
---------|--------|----------
User creation | 1.1 | Create five users.
User list | 2.1 | List one user (1.1) with attributes parameter via query to resource.
User list | 2.2 | List one user (1.1) with filter via query to resource endpoint.
User list | 2.3 | List users (1.1) with attributes parameter via query to resource endpoint.
User update | 3.1 | Update user (1.1) via PUT.
User update | 3.2 | Update user (1.1) via PATCH.
User update | 3.3 | Change password for user (1.1). Verify by authenticating with server natively if possible.
Group creation | 4.1 | Create two groups.
Group list | 5.1 | List one group (4.1) with attributes parameter via query to resource.
Group list | 5.2 | List one group (4.1) with filter via query to resource endpoint.
Group list | 5.3 | List groups (4.1) with attributes parameter via query to resource endpoint.
Group update | 6.1 | Add user (1.1) to group (4.1) via PUT.
Group update | 6.2 | Remove user (1.1) from group (4.1) via PUT.
Group update | 6.3 | Add user (1.1) to group (4.1) via PATCH.
Group update | 6.4 | Remove user (1.1) from group (4.1) via PATCH.
User deletion | 7.1 | Delete user (1.1).
Bulk operation | 8.1 | Create two users.
Bulk operation | 8.2 | Update two users (8.1) via PATCH.
Bulk operation | 8.3 | Create two users via PUT, then create group via PUT with users' id attribute.
Bulk operation | 8.4 | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3).
ServiceProviderConfig retrieval | 9.1 | Retrieve service provider config.
Schema retrieval | 10.1 | Retrieve user and group schemas.
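To make the test list concrete, here is an added example (not code from the interop event or from any participating vendor): a minimal in-memory SCIM service-provider stub whose methods correspond to the HTTP operations the tests exercise (POST, GET with filter or attributes, PUT, PATCH, DELETE). It assumes SCIM 2.0 (RFC 7644) shapes for the filter string and the PATCH Operations, which the slides do not specify.

```python
import re
import uuid

class ScimServiceProvider:
    """In-memory SCIM service provider stub (constructed example, not any
    interop participant's code; SCIM 2.0 / RFC 7644 request shapes assumed)."""

    def __init__(self):
        self.store = {"Users": {}, "Groups": {}}
    def create(self, rtype, body):  # tests 1.1 / 4.1 / 8.1: HTTP POST /<rtype>
        rid = str(uuid.uuid4())
        self.store[rtype][rid] = dict(body, id=rid)
        return 201, self.store[rtype][rid]
    def list(self, rtype, filter=None, attributes=None):  # tests 2.x / 5.x: HTTP GET
        items = list(self.store[rtype].values())
        if filter:  # only the `attr eq "value"` form is supported by this stub
            m = re.fullmatch(r'(\w+) eq "([^"]*)"', filter)
            if not m:
                return 400, {"detail": "unsupported filter"}
            items = [r for r in items if r.get(m[1]) == m[2]]
        if attributes:  # project each result to the requested attributes plus id
            keep = set(attributes.split(",")) | {"id"}
            items = [{k: v for k, v in r.items() if k in keep} for r in items]
        return 200, {"totalResults": len(items), "Resources": items}
    def put(self, rtype, rid, body):  # tests 3.1 / 6.1 / 6.2: full replacement
        if rid not in self.store[rtype]:
            return 404, {}
        self.store[rtype][rid] = dict(body, id=rid)
        return 200, self.store[rtype][rid]
    def patch(self, rtype, rid, ops):  # tests 3.2 / 6.3 / 6.4: partial update
        res = self.store[rtype].get(rid)
        if res is None:
            return 404, {}
        for op in ops:
            kind, path, value = op["op"], op.get("path"), op.get("value")
            m = re.fullmatch(r'members\[value eq "([^"]*)"\]', path or "")
            if kind == "add" and path == "members":
                res.setdefault("members", []).extend(value)
            elif kind == "remove" and m:  # remove one member by its value
                res["members"] = [x for x in res.get("members", []) if x["value"] != m[1]]
            elif kind == "replace" and path:
                res[path] = value
            else:
                return 400, {"detail": "unsupported PATCH operation"}
        return 200, res
    def delete(self, rtype, rid):  # test 7.1: HTTP DELETE /<rtype>/<id>
        return (204, None) if self.store[rtype].pop(rid, None) else (404, {})
```

The 400 responses mirror what the result tables record for many consumers: filter and PATCH support varies, so a consumer should read the ServiceProviderConfig (test 9.1) before depending on them.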
7. unboundid(sp) <-> pingfederate

Category | Test Number | Test Name | unboundid pingfederate (as recorded)
---------|-------------|-----------|-------------------------------------
User creation | 1.1 | Create five users. | yes yes
User list | 2.1 | List one user (1.1) with attributes parameter via query to resource. | yes no
User list | 2.2 | List one user (1.1) with filter via query to resource endpoint. | yes no
User list | 2.3 | List users (1.1) with attributes parameter via query to resource endpoint. | yes no
User update | 3.1 | Update user (1.1) via PUT. | yes yes
User update | 3.2 | Update user (1.1) via PATCH. | yes no
User update | 3.3 | Change password for user (1.1). Verify by authenticating with server natively if possible. | yes no
Group creation | 4.1 | Create two groups. | yes no
Group list | 5.1 | List one group (4.1) with attributes parameter via query to resource. | yes no
Group list | 5.2 | List one group (4.1) with filter via query to resource endpoint. | yes no
Group list | 5.3 | List groups (4.1) with attributes parameter via query to resource endpoint. | yes no
Group update | 6.1 | Add user (1.1) to group (4.1) via PUT. | yes no
Group update | 6.2 | Remove user (1.1) from group (4.1) via PUT. | yes no
Group update | 6.3 | Add user (1.1) to group (4.1) via PATCH. | yes no
Group update | 6.4 | Remove user (1.1) from group (4.1) via PATCH. | yes no
User deletion | 7.1 | Delete user (1.1). | yes yes
Bulk operation | 8.1 | Create two users. | yes no
Bulk operation | 8.2 | Update two users (8.1) via PATCH. | yes no
Bulk operation | 8.3 | Create two users via PUT, then create group via PUT with users' id attribute. | yes no
Bulk operation | 8.4 | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). | yes no
ServiceProviderConfig retrieval | 9.1 | Retrieve service provider config. | yes no
Schema retrieval | 10.1 | Retrieve user and group schemas. | yes no
8. unboundid(sp) <-> pingone

Category | Test Number | Test Name | unboundid pingone (as recorded)
---------|-------------|-----------|--------------------------------
User creation | 1.1 | Create five users. | yes yes
User list | 2.1 | List one user (1.1) with attributes parameter via query to resource. | yes yes
User list | 2.2 | List one user (1.1) with filter via query to resource endpoint. | yes
User list | 2.3 | List users (1.1) with attributes parameter via query to resource endpoint. | yes
User update | 3.1 | Update user (1.1) via PUT. | yes yes
User update | 3.2 | Update user (1.1) via PATCH. | yes
User update | 3.3 | Change password for user (1.1). Verify by authenticating with server natively if possible. | yes
Group creation | 4.1 | Create two groups. | yes yes
Group list | 5.1 | List one group (4.1) with attributes parameter via query to resource. | yes
Group list | 5.2 | List one group (4.1) with filter via query to resource endpoint. | yes
Group list | 5.3 | List groups (4.1) with attributes parameter via query to resource endpoint. | yes
Group update | 6.1 | Add user (1.1) to group (4.1) via PUT. | yes yes
Group update | 6.2 | Remove user (1.1) from group (4.1) via PUT. | yes yes
Group update | 6.3 | Add user (1.1) to group (4.1) via PATCH. | yes
Group update | 6.4 | Remove user (1.1) from group (4.1) via PATCH. | yes
User deletion | 7.1 | Delete user (1.1). | yes yes
Bulk operation | 8.1 | Create two users. | yes
Bulk operation | 8.2 | Update two users (8.1) via PATCH. | yes
Bulk operation | 8.3 | Create two users via PUT, then create group via PUT with users' id attribute. | yes
Bulk operation | 8.4 | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). | yes
ServiceProviderConfig retrieval | 9.1 | Retrieve service provider config. | yes yes
Schema retrieval | 10.1 | Retrieve user and group schemas. | yes yes
9. salesforce(sp) <-> sailpoint

Category | Test Number | Test Name | salesforce sailpoint (as recorded)
---------|-------------|-----------|-----------------------------------
User creation | 1.1 | Create five users. | yes yes
User list | 2.1 | List one user (1.1) with attributes parameter via query to resource. | yes no
User list | 2.2 | List one user (1.1) with filter via query to resource endpoint. | no
User list | 2.3 | List users (1.1) with attributes parameter via query to resource endpoint. | yes yes
User update | 3.1 | Update user (1.1) via PUT. | no
User update | 3.2 | Update user (1.1) via PATCH. | yes no
User update | 3.3 | Change password for user (1.1). Verify by authenticating with server natively if possible. | no
Group creation | 4.1 | Create two groups. | yes
Group list | 5.1 | List one group (4.1) with attributes parameter via query to resource. | no
Group list | 5.2 | List one group (4.1) with filter via query to resource endpoint. | no
Group list | 5.3 | List groups (4.1) with attributes parameter via query to resource endpoint. | list only yes
Group update | 6.1 | Add user (1.1) to group (4.1) via PUT. | no
Group update | 6.2 | Remove user (1.1) from group (4.1) via PUT. | no
Group update | 6.3 | Add user (1.1) to group (4.1) via PATCH. | yes (Entitlements) no
Group update | 6.4 | Remove user (1.1) from group (4.1) via PATCH. | yes (Entitlements) no
User deletion | 7.1 | Delete user (1.1). | yes (Deactivate) yes
Bulk operation | 8.1 | Create two users. | no
Bulk operation | 8.2 | Update two users (8.1) via PATCH. | no
Bulk operation | 8.3 | Create two users via PUT, then create group via PUT with users' id attribute. | no
Bulk operation | 8.4 | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). | no
ServiceProviderConfig retrieval | 9.1 | Retrieve service provider config. | yes yes
Schema retrieval | 10.1 | Retrieve user and group schemas. | user only yes
10. salesforce(sp) <-> wso2

Category | Test Number | Test Name | salesforce wso2 (as recorded)
---------|-------------|-----------|------------------------------
User creation | 1.1 | Create five users. | yes yes
User list | 2.1 | List one user (1.1) with attributes parameter via query to resource. | yes No
User list | 2.2 | List one user (1.1) with filter via query to resource endpoint. | no yes (for userName attribute only)
User list | 2.3 | List users (1.1) with attributes parameter via query to resource endpoint. | yes No
User update | 3.1 | Update user (1.1) via PUT. | no Yes
User update | 3.2 | Update user (1.1) via PATCH. | yes No
User update | 3.3 | Change password for user (1.1). Verify by authenticating with server natively if possible. | no Yes
Group creation | 4.1 | Create two groups. | yes Yes
Group list | 5.1 | List one group (4.1) with attributes parameter via query to resource. | no No
Group list | 5.2 | List one group (4.1) with filter via query to resource endpoint. | no Yes
Group list | 5.3 | List groups (4.1) with attributes parameter via query to resource endpoint. | list only No
Group update | 6.1 | Add user (1.1) to group (4.1) via PUT. | no Yes
Group update | 6.2 | Remove user (1.1) from group (4.1) via PUT. | no Yes
Group update | 6.3 | Add user (1.1) to group (4.1) via PATCH. | yes (Entitlements) No
Group update | 6.4 | Remove user (1.1) from group (4.1) via PATCH. | yes (Entitlements) No
User deletion | 7.1 | Delete user (1.1). | yes (Deactivate) Yes
Bulk operation | 8.1 | Create two users. | no Yes
Bulk operation | 8.2 | Update two users (8.1) via PATCH. | no No
Bulk operation | 8.3 | Create two users via PUT, then create group via PUT with users' id attribute. | no No
Bulk operation | 8.4 | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). | no No
ServiceProviderConfig retrieval | 9.1 | Retrieve service provider config. | yes No
Schema retrieval | 10.1 | Retrieve user and group schemas. | user only No
11. salesforce(sp) <-> pingfederate

Category | Test Number | Test Name | salesforce pingfederate (as recorded)
---------|-------------|-----------|--------------------------------------
User creation | 1.1 | Create five users. | yes yes
User list | 2.1 | List one user (1.1) with attributes parameter via query to resource. | yes no
User list | 2.2 | List one user (1.1) with filter via query to resource endpoint. | no no
User list | 2.3 | List users (1.1) with attributes parameter via query to resource endpoint. | yes no
User update | 3.1 | Update user (1.1) via PUT. | no yes
User update | 3.2 | Update user (1.1) via PATCH. | yes no
User update | 3.3 | Change password for user (1.1). Verify by authenticating with server natively if possible. | no no
Group creation | 4.1 | Create two groups. | yes no
Group list | 5.1 | List one group (4.1) with attributes parameter via query to resource. | no no
Group list | 5.2 | List one group (4.1) with filter via query to resource endpoint. | no no
Group list | 5.3 | List groups (4.1) with attributes parameter via query to resource endpoint. | list only no
Group update | 6.1 | Add user (1.1) to group (4.1) via PUT. | no no
Group update | 6.2 | Remove user (1.1) from group (4.1) via PUT. | no no
Group update | 6.3 | Add user (1.1) to group (4.1) via PATCH. | yes (Entitlements) no
Group update | 6.4 | Remove user (1.1) from group (4.1) via PATCH. | yes (Entitlements) no
User deletion | 7.1 | Delete user (1.1). | yes (Deactivate) yes
Bulk operation | 8.1 | Create two users. | no no
Bulk operation | 8.2 | Update two users (8.1) via PATCH. | no no
Bulk operation | 8.3 | Create two users via PUT, then create group via PUT with users' id attribute. | no no
Bulk operation | 8.4 | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). | no no
ServiceProviderConfig retrieval | 9.1 | Retrieve service provider config. | yes no
Schema retrieval | 10.1 | Retrieve user and group schemas. | user only no
12. pingfederate(sp) <-> sailpoint

Category | Test Number | Test Name | pi pingfederate sailpoint (as recorded)
---------|-------------|-----------|----------------------------------------
User creation | 1.1 | Create five users. | yes yes
User list | 2.1 | List one user (1.1) with attributes parameter via query to resource. | yes no
User list | 2.2 | List one user (1.1) with filter via query to resource endpoint. | no
User list | 2.3 | List users (1.1) with attributes parameter via query to resource endpoint. | no
User update | 3.1 | Update user (1.1) via PUT. | yes yes
User update | 3.2 | Update user (1.1) via PATCH. | no
User update | 3.3 | Change password for user (1.1). Verify by authenticating with server natively if possible. | yes yes
Group creation | 4.1 | Create two groups. | no
Group list | 5.1 | List one group (4.1) with attributes parameter via query to resource. | no
Group list | 5.2 | List one group (4.1) with filter via query to resource endpoint. | no
Group list | 5.3 | List groups (4.1) with attributes parameter via query to resource endpoint. | no
Group update | 6.1 | Add user (1.1) to group (4.1) via PUT. | no
Group update | 6.2 | Remove user (1.1) from group (4.1) via PUT. | no
Group update | 6.3 | Add user (1.1) to group (4.1) via PATCH. | no
Group update | 6.4 | Remove user (1.1) from group (4.1) via PATCH. | no
User deletion | 7.1 | Delete user (1.1). | yes yes
Bulk operation | 8.1 | Create two users. | no
Bulk operation | 8.2 | Update two users (8.1) via PATCH. | no
Bulk operation | 8.3 | Create two users via PUT, then create group via PUT with users' id attribute. | no
Bulk operation | 8.4 | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). | no
ServiceProviderConfig retrieval | 9.1 | Retrieve service provider config. | yes yes
Schema retrieval | 10.1 | Retrieve user and group schemas. | no
13. wso2(sp) <-> pingone

Category | Test Number | Test Name | wso2 pingone (as recorded)
---------|-------------|-----------|---------------------------
User creation | 1.1 | Create five users. | yes yes
User list | 2.1 | List one user (1.1) with attributes parameter via query to resource. | No NA
User list | 2.2 | List one user (1.1) with filter via query to resource endpoint. | yes (for userName attribute only) yes
User list | 2.3 | List users (1.1) with attributes parameter via query to resource endpoint. | No NA
User update | 3.1 | Update user (1.1) via PUT. | Yes yes
User update | 3.2 | Update user (1.1) via PATCH. | No NA
User update | 3.3 | Change password for user (1.1). Verify by authenticating with server natively if possible. | Yes yes
Group creation | 4.1 | Create two groups. | Yes yes
Group list | 5.1 | List one group (4.1) with attributes parameter via query to resource. | No NA
Group list | 5.2 | List one group (4.1) with filter via query to resource endpoint. | Yes yes
Group list | 5.3 | List groups (4.1) with attributes parameter via query to resource endpoint. | No NA
Group update | 6.1 | Add user (1.1) to group (4.1) via PUT. | Yes yes
Group update | 6.2 | Remove user (1.1) from group (4.1) via PUT. | Yes yes
Group update | 6.3 | Add user (1.1) to group (4.1) via PATCH. | No NA
Group update | 6.4 | Remove user (1.1) from group (4.1) via PATCH. | No NA
User deletion | 7.1 | Delete user (1.1). | Yes yes
Bulk operation | 8.1 | Create two users. | Yes yes
Bulk operation | 8.2 | Update two users (8.1) via PATCH. | No NA
Bulk operation | 8.3 | Create two users via PUT, then create group via PUT with users' id attribute. | No No
Bulk operation | 8.4 | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). | No NA
ServiceProviderConfig retrieval | 9.1 | Retrieve service provider config. | No NA
Schema retrieval | 10.1 | Retrieve user and group schemas. | No NA
17. Diagram: Active Directory and Oracle Directory Server are monitored for user changes (create, update, delete/disable); a SCIM consumer sends create, update and delete of users over SCIM to the SCIM service provider at the SaaS provider.
Benefits
• Synchronize local corporate directory accounts with the UnboundID Identity Data Platform
18. Diagram: Active Directory and Oracle Directory Server are monitored for user changes (create, update, delete/disable); a SCIM consumer creates, updates and disables users over SCIM at the SCIM service provider (Salesforce), with SAML SSO alongside.
Benefits
• Synchronize local corporate directory accounts with Salesforce
• Enable single sign-on between the workforce and Salesforce
20. CRUD users and access using SSO (diagram). Labels: Authenticate, RDP, HTTP, SAML, X509; user storages, user attributes, user data.
Benefits:
• Easier onboarding of new services
• Identity life cycle management
• Easier single sign-on
• Control access to local or cloud systems
21. CRUD users and access using SSO (diagram, variant of slide 20 with HTTP on both legs). Labels: RDP, HTTP, Authenticate, X509, SAML; user storages, user attributes, user data.
Benefits:
• Easier onboarding of new services
• Identity life cycle management
• Easier single sign-on
• Control access to local or cloud systems