Lessons learned from the design of the SCIM API

Erik Wahlström

Technology Strategist

9/19/20131

Erik Wahlström


9/19/20132

Lessons learned from the design

of the SCIM API

Erik Wahlström


9/19/20133

Todays topics

What is SCIM?

What problems does it solve?

Lessons learned.

Erik Wahlström


9/19/20134

System for Cross-domain Identity Management

Enterprises are distributed.

Life cycle management.

Move users in and out of the cloud.

Erik Wahlström


9/19/20135

What does it do?

Lightweight provisioning protocol.

Defines a schema and a protocol.

Developed by Salesforce, Google, Cisco, UnboundID, Ping

Identity, Sailpoint, neXus, Microsoft, VMWare, Oracle etc.

Erik Wahlström


9/19/20136

The SCIM players

One server that need or creates data.

Another server that stores data.

A high level of trust between them.

In Sweden, remember PuL (Personuppgiftslagen).

User consents in Germany.

Erik Wahlström


9/19/20137

Synchronize

HRUsers

Erik Wahlström


9/19/20138

On demand provisioning

Users

Erik Wahlström


9/19/20139

Inter-clouds

Users

Erik Wahlström


9/19/201310

Before SCIM

Everybody rolled there own

Provisioning plugins

SPML

Erik Wahlström


9/19/201311

neXus + SCIM = true

Control of our users.

Simplified single sign on.

Important step for the cloud.

Important step for privacy.

Erik Wahlström


9/19/201312

Schema and API

Erik Wahlström


9/19/201313

ResourceServiceProviderConfigs

User

Group

EnterpriseUser

Schema

Erik Wahlström


9/19/201314

Erik Wahlström


9/19/201315

API

REST based protocol

cURL friendly

Firewall friendly

OAuth2 recommended

SSL/TLS

Erik Wahlström


9/19/201316

API Endpoints and HTTP verbs

What End point Verb

User /Users GET, POST, PUT, PATCH, DELETE

Group /Groups GET, POST, PUT, PATCH, DELETE

Service Provider Configuration /ServiceProviderConfigs GET

Schema /Schemas GET

Bulk /Bulk POST

Erik Wahlström


9/19/201317

Erik Wahlström


9/19/201318

Erik Wahlström


9/19/201319

Erik Wahlström


9/19/201320

Erik Wahlström


9/19/201321

Other features in the API

Filtering, paging and sorting

User storages can be huge

Filter language

Discovery

Schemas

Service provider configurations

Erik Wahlström


9/19/201322

Lessons learned

Erik Wahlström


9/19/201323

Extensibility

80

2000

Erik Wahlström


9/19/201324

Erik Wahlström


9/19/201325

Versioning of API and schema

/v1/Users/erikw

/v2/Users/erikw

"schemas": ["urn:scim:schemas:core:1.0"],

"schemas": ["urn:scim:schemas:core:2.0:User"]

Erik Wahlström


9/19/201326

Weak ETags for versioning of

data

Erik Wahlström


9/19/201327

Error handling

Erik Wahlström


9/19/201328

HTTP method overloading

Erik Wahlström


9/19/201329

Release

Erik Wahlström


9/19/201330

Changed and worked on in 2.0

Reference resources

Search using only identifier

Search using POST

A hum to drop XML.

Integrations with OpenID Connect and SAML

Erik Wahlström


9/19/201331

More info and thanks.

http://www.simplecloud.info

https://tools.ietf.org/wg/scim/

@erik_wahlstrom

[email protected]

http://www.simplecloud.info

https://tools.ietf.org/wg/scim/

mailto:[email protected]

Lessons learned from the design of the SCIM API

Technology

Transcript of Lessons learned from the design of the SCIM API