Jan19 scim webinar-04

© 2010 Ping Identity Corporation. SCIM Webinar, Jan 18, 2012. Patrick Harding, CTO; Paul Madsen, Senior Technical Architect.

description

Overview of the Simple Cloud Identity Management spec

Transcript of Jan19 scim webinar-04

Page 1: Jan19 scim webinar-04


SCIM Webinar, Jan 18, 2012

Patrick Harding, CTO

Paul Madsen, Senior Technical Architect

Page 2: Jan19 scim webinar-04


Background & Overview

Page 3: Jan19 scim webinar-04


Current State

• Enterprises need programmatic mechanisms to manage users/roles/groups in Cloud apps
• Large SaaS vendors have implemented proprietary APIs
  • Google, Salesforce, Cisco WebEx, SuccessFactors, etc.
• All very similar, work well

Page 4: Jan19 scim webinar-04


Call to Arms

• At Cloud Identity Summit 2010
  • Attendees established need for an ‘open standard’ for provisioning cloud users
  • Google, Salesforce, Ping Identity, UnboundID, Microsoft created ‘Cloud Directory’ user group
• Initial discussions at IIW 12


Page 6: Jan19 scim webinar-04


2011 - Year of Development

• Q1 2011
  • Initial Draft SCIM Spec developed by Ping, UnboundID and Salesforce
• Q2 2011
  • Draft SCIM Spec introduced at IIW 13
  • Significant interest and discussion
• Q3 2011
  • SCIM Working Group established under OWF
  • Cisco, SailPoint, Google contribute
• Q4 2011
  • Multiple vendors demonstrate interop at IIW 14
  • SCIM V1.0 in December 2011

Page 7: Jan19 scim webinar-04


SCIM 1.0 Specification Set

• Core Schema: User, Enterprise Extension, Groups, Config
• REST API: CRUD methods, response codes
• SAML Binding (draft): attribute mapping
• Future bindings

http://simplecloud.info

Page 8: Jan19 scim webinar-04


SCIM Basics

• Core Schema
  • Represents User, Groups, Schema, Bulk etc
  • Defines basic user attributes (name, address, contact etc.)
• REST API
  • Defines Create, Read, Update & Delete methods to synchronize user object information
• SAML Binding
  • Supports Just-In-Time provisioning during SSO
  • Maps SCIM schema to SAML AttributeStatement

Page 9: Jan19 scim webinar-04


Example 1: Push

Diagram: SCIM Client (the enterprise User Directory) calls the Cloud App Provider's API, which is backed by the provider's User Store:
1. Create/Update/Delete User Object
2. Status

Page 10: Jan19 scim webinar-04


Example 2: SAML JIT

Diagram: SAML IdP (backed by the enterprise User Directory) → Browser → SAML SP (backed by the cloud User Store):
1. SAML Token w/ User Object

Page 11: Jan19 scim webinar-04


Example 3: OpenID JIT + Pull

Diagram: OpenID IdP (backed by the enterprise User Store) → Browser → OpenID SP (backed by the cloud User Store):
1. OpenID Response
Then the OpenID SP calls the IdP's User Store API:
2. Read User Object
3. User Object

Page 12: Jan19 scim webinar-04


What’s Next?

• Implementation, implementation, implementation !!!
• Major cloud application platforms have indicated that they will implement SCIM in 2012
• SCIM working group to move to the IETF in 2012
  • Use SCIM v1.0 as baseline submission
  • Working code, successful deployments are key
  • SCIM v2.0 will address issues

Page 13: Jan19 scim webinar-04


Technical

Page 14: Jan19 scim webinar-04


Terminology

• Service Provider: A web application that provides identity information via the SCIM protocol (think SaaS)
• Consumer: A website or application that uses the SCIM protocol to manage identity data maintained by the Service Provider (think Enterprise)
• Resource: The Service Provider managed artifact containing one or more attributes; e.g., User or Group

Page 15: Jan19 scim webinar-04


Schema

• SCIM provides a minimal core schema for representing Resources of different types
  • User, Groups, Schema, Bulk etc
• User schema took the Portable Contacts schema [1] as its starting point
  • Basic user attributes (name, address, contact, groups, password etc.)

[1] - http://www.portablecontacts.net/draft-spec.html

Page 16: Jan19 scim webinar-04


Schema-Password?

• Group torn on whether to support password management in schema
• Acknowledgement that best practice is that enterprise users NOT be provisioned with passwords at SaaS providers
• But
  • Current reality doesn’t everywhere reflect the ideal
  • Hope/expectation that SCIM will be applied beyond Cloud
• Consumers can specify an initial password when creating a new User (POST) or to reset an existing User's password (PATCH)

Page 17: Jan19 scim webinar-04


Schema-Enterprise extension

• Extends generic user with enterprise semantics
• Adds manager, department, organization, etc

<ent:employeeNumber>701984</ent:employeeNumber>
<ent:manager>
  <ent:managerId>902c246b-6245-4190</ent:managerId>
  <ent:displayName>Mandy Pepperidge</ent:displayName>
</ent:manager>
<ent:costCenter>4130</ent:costCenter>
<ent:organization>Universal Studios</ent:organization>
<ent:division>Theme Park</ent:division>
<ent:department>Tour Operations</ent:department>

Page 18: Jan19 scim webinar-04


Schema-Groups

• Group resources enable group & role based access control
• Groups contain members
• How Service Provider implements access control out of scope

PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
ETag: W/"a330bc54f0671c9"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "members": [
    { "display": "Babs Jensen", "value": "2819c223-7f76-453a-919d-413861904646" }
  ]
}
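The request above adds one member to a Group. As an added example (not code from the deck, Ping Identity, or the SCIM working group), the Python below shows how a Service Provider would apply such a PATCH under SCIM 1.0 semantics: singular attributes are replaced, entries of a multi-valued attribute are added unless marked "operation": "delete", and meta.attributes clears whole attributes. The ETag the client echoes is used as an optimistic-concurrency check; note that in HTTP the request-side precondition header is If-Match (ETag is a response header), so the value is treated here as an If-Match. The in-memory store, the group's displayName, the weak-ETag derivation and the choice of 412 for a stale tag are assumptions of this example.

```python
import copy
import hashlib
import json
from typing import Optional, Tuple

SCIM_CORE = "urn:scim:schemas:core:1.0"

# Constructed store; the ids and names come from the deck's PATCH example
GROUPS = {
    "acbf3ae7-8463-4692-b4fd-9b4da3f908ce": {
        "schemas": [SCIM_CORE],
        "id": "acbf3ae7-8463-4692-b4fd-9b4da3f908ce",
        "displayName": "Tour Operations",
        "members": [{"display": "Mandy Pepperidge", "value": "902c246b-6245-4190"}],
    }
}


def weak_etag(resource: dict) -> str:
    """Weak ETag over the canonical JSON of a stored resource (assumed derivation)."""
    canon = json.dumps(resource, sort_keys=True, separators=(",", ":")).encode()
    return 'W/"%s"' % hashlib.sha256(canon).hexdigest()[:16]


def scim_error(status: int, description: str) -> Tuple[int, dict]:
    """Error body in the SCIM 1.0 shape: {"Errors": [{"description": ..., "code": ...}]}."""
    return status, {"Errors": [{"description": description, "code": str(status)}]}


def apply_group_patch(store: dict, group_id: str, patch: dict,
                      if_match: Optional[str]) -> Tuple[int, dict]:
    """Apply a SCIM 1.0 PATCH to /Groups/{id}; returns (HTTP status, response body)."""
    group = store.get(group_id)
    if group is None:
        return scim_error(404, "Resource %s not found" % group_id)
    # Optimistic concurrency: a stale tag means the group changed since the client read it,
    # e.g. another admin added a member that this blind update would otherwise clobber.
    if if_match is not None and if_match != weak_etag(group):
        return scim_error(412, "Resource %s has changed on the server" % group_id)
    if SCIM_CORE not in patch.get("schemas", []):
        return scim_error(400, "Request body must declare %s" % SCIM_CORE)
    if "id" in patch and patch["id"] != group_id:
        return scim_error(400, "id is read-only")  # assumption: identifier rewrites are rejected
    new = copy.deepcopy(group)
    # meta.attributes names attributes to remove entirely (SCIM 1.0 PATCH semantics)
    for name in patch.get("meta", {}).get("attributes", []):
        if name != "id":
            new.pop(name, None)
    for name, value in patch.items():
        if name in ("schemas", "meta", "id"):
            continue
        if isinstance(value, list):
            # multi-valued: entries keyed by "value" are added/replaced, or removed on "operation": "delete"
            current = {m["value"]: m for m in new.get(name, [])}
            for entry in value:
                if entry.get("operation") == "delete":
                    current.pop(entry["value"], None)
                else:
                    current[entry["value"]] = {k: v for k, v in entry.items() if k != "operation"}
            new[name] = list(current.values())
        else:
            new[name] = value  # singular attribute: replaced outright
    store[group_id] = new
    return 200, new


if __name__ == "__main__":
    gid = "acbf3ae7-8463-4692-b4fd-9b4da3f908ce"
    add = {"schemas": [SCIM_CORE],
           "members": [{"display": "Babs Jensen", "value": "2819c223-7f76-453a-919d-413861904646"}]}
    print(apply_group_patch(GROUPS, gid, add, weak_etag(GROUPS[gid])))
```

A client that wants the precondition enforced sends back the tag from its last GET; a client that omits it accepts last-writer-wins, which is the behaviour to avoid when two provisioning connectors manage the same group.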

Page 19: Jan19 scim webinar-04


Schema-Metadata

• Service Provider Configuration Resource enables a Service Provider to expose its compliance with the SCIM specification in a standardized form & provide additional implementation details to Consumers.

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "patch": { "supported": true },
  "bulk": { "supported": true, "maxOperations": 1000, "maxPayloadSize": 1048576 },
  "filter": { "supported": true, "maxResults": 200 },
  "changePassword": { "supported": true },
  "authenticationSchemes": [
    {
      "name": "OAuth Bearer Token",
      "specUrl": "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
      "documentationUrl": "http://example.com/help/oauth.html",
      "type": "oauthbearertoken",
      "primary": true
    }
  ]
}

Page 20: Jan19 scim webinar-04


Schema - representative AD mapping

AD                  SCIM
userPrincipalName   userName
mail                emails.value (type=work)
givenName           name.givenName
sn                  name.familyName
whenCreated         meta.created
userPassword        password
cn                  displayName
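The mapping table above and the Push flow of Example 1 fit together in one piece of code: map directory entries onto SCIM Users, diff them against what the SaaS provider already holds, and emit the create/update/delete calls. The Python below is an added example, not code from the deck, Ping Identity, or any product. Its assumptions: AD objectGUID is used as the SCIM externalId join key, the disabled bit of userAccountControl drives the SCIM active attribute, the enterprise extension is carried under its SCIM 1.0 URN, the directory entries and SaaS store are constructed sample data, and the bearer token is the placeholder from the deck. Per the earlier best-practice slide, the userPassword row is deliberately not mapped.

```python
import json
from typing import Dict, List, Optional, Tuple

SCIM_CORE = "urn:scim:schemas:core:1.0"
SCIM_ENT = "urn:scim:schemas:extension:enterprise:1.0"
ADS_UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled


def ad_to_scim_user(entry: Dict[str, str]) -> dict:
    """Map one AD entry (attribute -> value) onto a SCIM 1.0 User following the deck's table.
    No password is copied: the user should reach the SaaS app through SSO, not with a
    duplicate of the enterprise credential stored at the provider."""
    return {
        "schemas": [SCIM_CORE, SCIM_ENT],
        "externalId": entry["objectGUID"],  # assumption: objectGUID is the stable join key
        "userName": entry["userPrincipalName"],
        "displayName": entry.get("cn"),
        "name": {"givenName": entry.get("givenName"), "familyName": entry.get("sn")},
        "emails": [{"value": entry["mail"], "type": "work", "primary": True}] if entry.get("mail") else [],
        "active": not (int(entry.get("userAccountControl", "512")) & ADS_UF_ACCOUNTDISABLE),
        SCIM_ENT: {"department": entry.get("department"), "employeeNumber": entry.get("employeeNumber")},
    }


Request = Tuple[str, str, Dict[str, str], Optional[str]]  # (method, path, headers, JSON body)


def plan_push(ad_entries: List[dict], saas_users: List[dict], bearer_token: str) -> List[Request]:
    """Diff the enterprise directory against the SaaS user store and return the SCIM
    requests that reconcile them (Example 1, Push). externalId joins the two sides."""
    desired = {u["externalId"]: u for u in (ad_to_scim_user(e) for e in ad_entries)}
    # users without an externalId were never provisioned by us (e.g. a local SaaS admin) and are left alone
    existing = {u["externalId"]: u for u in saas_users if u.get("externalId")}
    headers = {"Authorization": "Bearer " + bearer_token,  # never write this header to logs
               "Content-Type": "application/json", "Accept": "application/json"}
    server_owned = ("id", "meta")  # assigned by the Service Provider, excluded from the comparison
    requests: List[Request] = []
    for ext_id, want in desired.items():
        have = existing.get(ext_id)
        if have is None:
            requests.append(("POST", "/Users", headers, json.dumps(want)))
        elif {k: v for k, v in have.items() if k not in server_owned} != want:
            requests.append(("PUT", "/Users/" + have["id"], headers, json.dumps(dict(want, id=have["id"]))))
    for ext_id, have in existing.items():
        if ext_id not in desired:  # gone from the directory: deprovision (some deployments PUT active=false instead)
            requests.append(("DELETE", "/Users/" + have["id"], headers, None))
    return requests


# Constructed sample data (not from the deck)
AD_ENTRIES = [
    {"objectGUID": "guid-1", "userPrincipalName": "bjensen@example.com", "cn": "Babs Jensen",
     "givenName": "Barbara", "sn": "Jensen", "mail": "bjensen@example.com",
     "userAccountControl": "512", "department": "Tour Operations", "employeeNumber": "701984"},
    {"objectGUID": "guid-2", "userPrincipalName": "jsmith@example.com", "cn": "John Smith",
     "givenName": "John", "sn": "Smith", "mail": "jsmith@example.com",
     "userAccountControl": "514", "department": "Theme Park", "employeeNumber": "701985"},
]
SAAS_USERS = [
    # provisioned earlier; the department has since changed in AD
    dict(ad_to_scim_user(dict(AD_ENTRIES[0], department="Marketing")),
         id="2819c223-7f76-453a-919d-413861904646", meta={"created": "2011-12-01T00:00:00Z"}),
    # provisioned earlier, no longer in AD
    {"schemas": [SCIM_CORE], "id": "u-orphan", "externalId": "guid-9", "userName": "old@example.com"},
    # local SaaS administrator, never provisioned by us
    {"schemas": [SCIM_CORE], "id": "u-local", "userName": "admin@saas.example"},
]

if __name__ == "__main__":
    for method, path, _, body in plan_push(AD_ENTRIES, SAAS_USERS, "h480djs93hd8"):
        print(method, path, body)
```

The plan is what a connector would hand to an HTTP client over TLS; keeping the diff separate from the transport makes the deprovisioning decisions reviewable before anything is deleted at the provider.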

Page 21: Jan19 scim webinar-04


API

• Specifies well known endpoints & HTTP methods for managing Resources defined in the core schema
• User and Group Resources correspond to /Users and /Groups respectively
• RESTful (really)
• Responses are returned in the body of the HTTP response, formatted as JSON or XML, depending on what is requested

Page 22: Jan19 scim webinar-04


API-Architecture

Diagram: Client → API → Service Provider, which holds the Resources; the Response carries a Resource representation back to the Client.

Page 23: Jan19 scim webinar-04


API-Verbage

• API uses HTTP verbs as follows
  • GET (retrieves an existing resource)
  • POST (creates a new resource)
  • PUT (replaces an existing resource)
  • PATCH (partially modifies an existing resource)
  • DELETE (deletes an existing resource)

Page 24: Jan19 scim webinar-04


API-Authentication

• SCIM does not mandate a particular authentication scheme by which Consumers authenticate to Service Providers
• OAuth 2.0 is RECOMMENDED, but other schemes (eg HTTP Basic) not precluded
• Consumers and Service Providers MUST implement TLS

Page 25: Jan19 scim webinar-04


API-Authentication-OAuth example

POST /Users HTTP/1.1
Host: example.com
Accept: application/xml
Content-Type: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>[email protected]</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>[email protected]</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>

Page 26: Jan19 scim webinar-04


API-Response codes

• API uses/overrides HTTP Response codes to indicate operation success or failure.
• In addition, Service Providers return errors in the body of the response, with human-readable explanations.

HTTP/1.1 404 NOT FOUND

{"Errors":[
  { "description":"Resource 2819c223-7f76-453a-919d- not found", "code":"404" }
]}

Page 27: Jan19 scim webinar-04


API-Error codes

Page 28: Jan19 scim webinar-04


API-Response operations

• SCIM defines a standard set of operations that can be used to filter, sort, and paginate response results.
• Consumers may request a subset of Resources by specifying the 'filter' URL query parameter containing a filter expression.
• Sorting allows Consumers to specify the order in which Resources are returned by specifying a combination of sortBy and sortOrder URL parameters
• Pagination parameters can be used together to "page through" large numbers of Resources so as not to overwhelm the Consumer or Service Provider
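Filtering is the part of the API most likely to be fed untrusted input (a search box, an admin console), so it is worth seeing the whole path in code: a parser for the SCIM 1.0 filter grammar (attr op value, with eq/co/sw/pr/gt/ge/lt/le joined by and/or), sorting by sortBy/sortOrder, paging with startIndex/count capped by the filter.maxResults the Service Provider advertises in its configuration, and the quoting a Consumer must apply before splicing a value into a filter string. This Python is an added example, not code from the deck, Ping Identity, or the specification; the precedence of and over or, case-insensitive string matching (as for non-caseExact attributes) and the sample users are assumptions of the example.

```python
import re
from typing import Any, Callable, Dict, List, Optional

SCIM_CORE = "urn:scim:schemas:core:1.0"
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')  # a quoted string (with \" and \\ escapes) or a bare word
_OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, b: a == b,
    "co": lambda a, b: isinstance(a, str) and isinstance(b, str) and b in a,
    "sw": lambda a, b: isinstance(a, str) and isinstance(b, str) and a.startswith(b),
    "gt": lambda a, b: type(a) is type(b) and a > b,
    "ge": lambda a, b: type(a) is type(b) and a >= b,
    "lt": lambda a, b: type(a) is type(b) and a < b,
    "le": lambda a, b: type(a) is type(b) and a <= b,
}


def quote(value: str) -> str:
    """Quote a value for a filter string; without this, user input can splice in operators."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def tokenize(expr: str) -> List[tuple]:
    """(quoted, text) tokens; escapes inside quoted strings are resolved here."""
    return [(True, re.sub(r"\\(.)", r"\1", m.group(1))) if m.group(1) is not None else (False, m.group(2))
            for m in _TOKEN.finditer(expr)]


def _literal(text: str) -> Any:
    """Unquoted values must be JSON literals (true, false, null, number); strings need quotes."""
    if text in ("true", "false", "null"):
        return {"true": True, "false": False, "null": None}[text]
    return int(text)  # raises ValueError for anything else


def _lookup(resource: Any, path: str) -> Any:
    """Resolve 'name.givenName' or 'emails.value'; a multi-valued attribute yields a list of sub-values."""
    node = resource
    for part in path.split("."):
        if isinstance(node, list):
            node = [n.get(part) for n in node if isinstance(n, dict)]
        elif isinstance(node, dict):
            node = node.get(part)
        else:
            return None
    return node


def _compare(op: str, actual: Any, wanted: Any) -> bool:
    if isinstance(actual, list):
        return any(_compare(op, a, wanted) for a in actual)
    if actual is None:
        return False
    if isinstance(actual, str) and isinstance(wanted, str):
        actual, wanted = actual.lower(), wanted.lower()  # assumption: attribute is not caseExact
    return _OPS[op](actual, wanted)


def parse(expr: str) -> Callable[[dict], bool]:
    """Compile a SCIM 1.0 filter into a predicate; 'and' binds tighter than 'or'."""
    toks, pos = tokenize(expr), 0

    def peek() -> Optional[str]:  # only a bare token can be a keyword, so a quoted "or" is just data
        return toks[pos][1].lower() if pos < len(toks) and not toks[pos][0] else None

    def term() -> Callable[[dict], bool]:
        nonlocal pos
        if pos + 1 >= len(toks):
            raise ValueError("incomplete filter")
        attr, op = toks[pos][1], toks[pos + 1][1].lower()
        pos += 2
        if op == "pr":
            return lambda r: _lookup(r, attr) not in (None, "", [])
        if op not in _OPS or pos >= len(toks):
            raise ValueError("bad operator or missing value after %r" % attr)
        quoted, text = toks[pos]
        pos += 1
        wanted = text if quoted else _literal(text)
        return lambda r: _compare(op, _lookup(r, attr), wanted)

    def conj() -> Callable[[dict], bool]:
        nonlocal pos
        left = term()
        while peek() == "and":
            pos += 1
            left = (lambda l, r: lambda x: l(x) and r(x))(left, term())
        return left

    def disj() -> Callable[[dict], bool]:
        nonlocal pos
        left = conj()
        while peek() == "or":
            pos += 1
            left = (lambda l, r: lambda x: l(x) or r(x))(left, conj())
        return left

    pred = disj()
    if pos != len(toks):
        raise ValueError("unexpected token %r" % toks[pos][1])
    return pred


def query(resources: List[dict], filter_expr: Optional[str] = None, sort_by: Optional[str] = None,
          sort_order: str = "ascending", start_index: int = 1, count: Optional[int] = None,
          max_results: int = 200) -> dict:
    """GET /Users?filter=&sortBy=&sortOrder=&startIndex=&count= over an in-memory list;
    max_results is the cap the Service Provider advertises as filter.maxResults."""
    pred = parse(filter_expr) if filter_expr else (lambda r: True)
    matched = [r for r in resources if pred(r)]
    if sort_by:
        matched.sort(key=lambda r: (_lookup(r, sort_by) is None, str(_lookup(r, sort_by)).lower()),
                     reverse=(sort_order == "descending"))
    start = max(start_index, 1)
    size = max_results if count is None else max(0, min(count, max_results))
    page = matched[start - 1:start - 1 + size]
    return {"schemas": [SCIM_CORE], "totalResults": len(matched), "itemsPerPage": len(page),
            "startIndex": start, "Resources": page}


# Constructed sample users (not from the deck)
USERS = [
    {"id": "2819c223-7f76-453a-919d-413861904646", "userName": "bjensen", "active": True,
     "name": {"givenName": "Barbara", "familyName": "Jensen"},
     "emails": [{"value": "bjensen@example.com", "type": "work"}]},
    {"id": "u2", "userName": "jsmith", "active": True, "name": {"givenName": "John", "familyName": "Smith"},
     "emails": [{"value": "jsmith@example.com", "type": "work"}, {"value": "john@personal.example", "type": "home"}]},
    {"id": "u3", "userName": "djones", "active": False, "name": {"givenName": "Dana", "familyName": "Jones"},
     "emails": []},
]
```

The injection case is the one to remember: concatenating a raw search term into `userName eq "..."` lets a term such as `x" or userName pr or userName eq "y` turn a lookup into a full directory dump, whereas the same term passed through quote() is matched as a single literal value. Whoever serves the filter should also enforce the maxResults cap regardless of the count the client asks for.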

Page 29: Jan19 scim webinar-04


SAML Binding

• Supports a JIT provisioning model where users are created in real time (vs a priori via API)
• Binds SCIM User objects to SAML Attributes
• Expectation is that other SSO/JIT bindings will follow in time
• SAML binding not voted out with API and Core Schema; group needs to resolve tension between
  • SCIM push for simplicity
  • Existing SAML Attribute Person Profiles
  • Complex attributes don’t easily map into SAML Attributes

Page 30: Jan19 scim webinar-04


SAML Binding-Architecture

Diagram: the API architecture with SSO added. The Browser authenticates at the SAML IdP and presents the assertion to the SAML SP; the SP acts as the Client and hands the Resource representation carried in the assertion to the Service Provider's Resources.

Page 31: Jan19 scim webinar-04


SAML Binding-SAML Attributes

<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.userName">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.name.formatted">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
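The binding's convention is visible in the attribute names: SCIM.userName is a top-level attribute, SCIM.name.formatted a sub-attribute of the complex name attribute. As an added example (not code from the deck, Ping Identity, or the draft binding), the Python below does the JIT side of Example 2 in both directions: it folds an AttributeStatement into a nested SCIM User, and flattens a User back into SCIM.* attributes, refusing multi-valued complex attributes because, as the previous slide says, the binding had not settled how they map. The sample statement is constructed (modelled on the deck's), the "SCIM." prefix is taken from the deck, and the conflict handling is an assumption. The parser must only ever see an AttributeStatement from an assertion whose signature, issuer, audience and validity window have already been verified: with JIT provisioning, every attribute the SP trusts becomes an account.

```python
import xml.etree.ElementTree as ET  # parse with defusedxml in production to block entity-expansion attacks
from typing import Any, Dict

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SCIM_CORE = "urn:scim:schemas:core:1.0"
PREFIX = "SCIM."  # attribute naming convention shown in the deck's binding example
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ET.register_namespace("saml", SAML_NS)


def saml_attributes_to_scim(statement_xml: str) -> Dict[str, Any]:
    """Fold SAML Attributes named SCIM.a.b into a nested SCIM User for JIT provisioning.
    Call this only on a statement taken from a signature-verified assertion."""
    root = ET.fromstring(statement_xml)
    user: Dict[str, Any] = {"schemas": [SCIM_CORE]}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        name = attr.get("Name", "")
        if not name.startswith(PREFIX):
            continue  # attributes outside the SCIM.* convention are ignored
        values = [(v.text or "").strip() for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        *parents, leaf = name[len(PREFIX):].split(".")
        node = user
        for part in parents:  # SCIM.name.formatted -> user["name"]["formatted"]
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError("%s conflicts with a simple attribute" % name)
        if isinstance(node.get(leaf), dict):
            raise ValueError("%s conflicts with a complex attribute" % name)
        node[leaf] = values[0] if len(values) == 1 else values
    return user


def scim_to_saml_attributes(user: Dict[str, Any]) -> str:
    """Flatten singular (possibly nested) SCIM attributes into SCIM.a.b Attributes.
    Multi-valued complex attributes (emails, groups) have no agreed mapping and are rejected."""
    stmt = ET.Element("{%s}AttributeStatement" % SAML_NS)

    def emit(name: str, value: Any) -> None:
        if isinstance(value, dict):
            for k, v in value.items():
                emit(name + "." + k, v)
        elif isinstance(value, list):
            raise ValueError("no SAML mapping for multi-valued attribute " + name)
        else:
            a = ET.SubElement(stmt, "{%s}Attribute" % SAML_NS, Name=name, NameFormat=UNSPECIFIED)
            ET.SubElement(a, "{%s}AttributeValue" % SAML_NS).text = str(value)

    for k, v in user.items():
        if k != "schemas":
            emit(PREFIX + k, v)
    return ET.tostring(stmt, encoding="unicode")


# Constructed sample, modelled on the deck's AttributeStatement (not the deck's own text)
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.userName">
    <saml:AttributeValue xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.name.formatted">
    <saml:AttributeValue xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="eduPersonAffiliation">
    <saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    print(saml_attributes_to_scim(SAMPLE_STATEMENT))
```

The round trip (User to attributes and back) is what the binding needs for singular attributes; the rejected list case is exactly the open question on the previous slide, since a SAML attribute carries flat values and cannot express emails[].type or members[].value without an extra convention.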

Page 32: Jan19 scim webinar-04


Conclusions

• SCIM has potential to be an important IdM standard in & out of the cloud
• But, if SCIM is to avoid SPML's fate, adoption is key
• Start demanding that IdM vendors and SaaS providers add support

Page 33: Jan19 scim webinar-04


Thank you

@pingcto, @paulmadsen

Page 34: Jan19 scim webinar-04


Demo

Page 35: Jan19 scim webinar-04


Demo

Diagram: Enterprise (AD as the User Store) → Ping Cloud → SCIM → Salesforce (SFDC)