SCIM 2.0 - Choose your own identity adventure

SCIM 2.0 Choose your own identity adventure! Kelly Grizzle, Software Architect SailPoint June 8, 2016

Transcript of SCIM 2.0 - Choose your own identity adventure

Page 1: SCIM 2.0 - Choose your own identity adventure

SCIM 2.0
Choose your own identity adventure!
Kelly Grizzle, Software Architect, SailPoint
June 8, 2016

Page 2: SCIM 2.0 - Choose your own identity adventure

You find yourself in a strange new place – IdentityLand.

Behind you lie the remains of shattered identity projects that went over budget and never lived up to their promises.

Ahead of you is a murky forest filled with many dangers.

Do you…

Try to patch up the shattered projects?

Cast your hopes on a brighter future?

Page 3: SCIM 2.0 - Choose your own identity adventure

You spend the next 20 years wandering around IdentityLand. Despite your best efforts, you continue to get bogged down in the tangles of yore. Exhaustion eventually overpowers you and you die – alone, unhappy, and never achieving your full potential (just like your high school guidance counselor warned).

Cast your hopes on a brighter future?

Page 4: SCIM 2.0 - Choose your own identity adventure

Good choice! IdentityLand may be scary, but it is ever changing and full of wonderful things. In fact, with the proper guidance, you may find that life here will be much easier than you anticipated.

Page 5: SCIM 2.0 - Choose your own identity adventure

As you wander through this new land you soon recognize that you’re not alone! There are many others that call IdentityLand home.

Through your rugged good looks, rapier wit, and – of course – your organizational acumen, you quickly curry favor among the people of IdentityLand.

They thirst for a strong leader and ask you to be their king.

Do you…

Accept the challenge?

Politely decline so you can spend more time playing Call of Duty?

Page 6: SCIM 2.0 - Choose your own identity adventure

Slacker! You have let down a people in desperate need.

You gain 20 pounds and lose all of your friends. IdentityLand remains a place of chaos, destined to become a lawless and desolate place.

Accept the challenge?

Page 7: SCIM 2.0 - Choose your own identity adventure

The King is dead …Long live the King!

Page 8: SCIM 2.0 - Choose your own identity adventure

Joy! A new baby is born in your kingdom!

As king, you are responsible for welcoming this new life into IdentityLand, as well as documenting the new arrival.

Do you…

Let the new parents handle this?

Use the “just in time” baby registry system?

Try a novel new approach?

Page 9: SCIM 2.0 - Choose your own identity adventure

The happy new parents quickly become overwhelmed and dismayed by the documentation that they have to fill out. This stress leads to a fight over what to name the baby, and they finally settle on “Helga” to spite one another. Dad is exhausted by his new duties and the ensuing fights, and ends up filling out half of the paperwork incorrectly.

Use the “just in time” baby registry system?

Try a novel new approach?

Page 10: SCIM 2.0 - Choose your own identity adventure

Bad plan. Although the new child gets documented upon birth, the insurance company requires that the baby is pre-registered.

Mom and Dad have to pay 200 pieces of gold for a penalty.

Try a novel new approach?

Page 11: SCIM 2.0 - Choose your own identity adventure

Instead of encumbering the parents with mountains of error-prone paperwork, you decide that there must be a better way.

You convene a group of advisors and dub them the “Smart-est, Creative-est, Innovative-est, Men/Women” (aka – SCIM).

They put their minds to work and develop a system that will register the new child both with the kingdom and with the insurance company prior to birth.

Page 12: SCIM 2.0 - Choose your own identity adventure

Over time IdentityLand starts to grow and flourish. However, with this prosperity the existing structures start to show signs of strain. To combat this, you decree that each village must have a local governor, and you appoint able men and women to fill these roles. To make it official and stuff, you must deliver these decrees to the new leaders, emblazoned with the Seal of IdentityLand.

Do you…

Send squires throughout the land?

Try a novel new approach?

Page 13: SCIM 2.0 - Choose your own identity adventure

It takes weeks to round up a capable set of squires that speak all of the dialects across the land. Had it not been for Mainframesington, this process could have gone a bit smoother. Unfortunately, the younger squires only know how to say “two beers, please” and “where is the bathroom” in the ancient language used in this part of the kingdom. You are forced to rely on Roger to deliver this decree, who is old … like really old. The mountainous terrain leading to Mainframesington proved too difficult a task for poor old Roger.

Try a novel new approach?

Page 14: SCIM 2.0 - Choose your own identity adventure

The “Smart-est, Creative-est, Innovative-est, Men/Women” reconvene, and come up with a way to send the decrees to all provinces at the same time. Not only does the decree make it to all destinations in record time, it is also sent in a standard dialect that can be understood by all!

Page 15: SCIM 2.0 - Choose your own identity adventure

The new governors are really doing a bang up job, and the tensions in the land subside.

As king, you decide to perform a census of the land. This will help you to better understand your kingdom and review any sub-decrees that have been made by the governors.

Do you…

Send the squires to knock on all doors?

Try something novel?

Page 16: SCIM 2.0 - Choose your own identity adventure

Have you learned nothing??! Now that poor old Roger has met an untimely end, you’re pretty much out of luck here.

Try something novel?

Page 17: SCIM 2.0 - Choose your own identity adventure

Again, you reassemble the “Smart-est, Creative-est, Innovative-est, Men/Women”, and again they deliver. Building upon their systems for baby registration and decree-management, they invent a way for each village to send a standardized census form back to the king.

Page 18: SCIM 2.0 - Choose your own identity adventure

The census has revealed that the governor of Nefarious City has been unscrupulous in his dealings, and has issued sub-decrees that allow his cronies to pillage the poor citizens of this region!

Do you…

Send a squire to revoke these decrees and sack the governor?

Try something novel?

Page 19: SCIM 2.0 - Choose your own identity adventure

You immediately send a squire to Nefarious City to remedy the situation. Unfortunately, the pull of corruption is too strong for the ignoble squire to resist. The governor issued him a sub-decree that granted him “free beignets for life” and he fell to the dark power of sweet, fluffy deliciousness.

Nefarious City remains under the thumb of this dastardly governor, and the people continue to suffer.

Try something novel?

Page 20: SCIM 2.0 - Choose your own identity adventure

“Smart-est, Creative-est, Innovative-est, Men/Women” unite!!! They devise a genius system that will automatically revoke the governor’s decree and all sub-decrees issued by the governor. To top it off, a magical spell is cast on the governor that binds him in a dreadful dungeon, where he spends the rest of his days being subjected to endless loops of “Hootie & the Blowfish” and “The Bachelor”.

Page 21: SCIM 2.0 - Choose your own identity adventure

Congratulations!!!

You have successfully navigated the perils of IdentityLand. A long reign, filled with peace and prosperity is surely in your future!

Page 22: SCIM 2.0 - Choose your own identity adventure

Copyright © SailPoint Technologies, Inc. 2016 All rights reserved.

Now for a new adventure…

• How to SCIM
  - Demo
  - Implementing clients & servers
  - Gotchas
• Changes in 2.0
• Extensions
  - Postel’s law
  - Creating new resource types
  - Extending resource types

Page 23: SCIM 2.0 - Choose your own identity adventure


DEMO

Page 24: SCIM 2.0 - Choose your own identity adventure


Implementing SCIM – Tips

• Go with SCIM 2.0 … v1.1 is a dying breed
• Use a library to get a jump start
  - UnboundID to release SCIM 2.0 library soon (1.1 already exists)
  - Other libraries available – see http://simplecloud.info
• Start simple
  - Ignore PATCH, /Bulk, .search, /Me, attributes/excludedAttributes, etags, and filtering for your initial implementation
  - Once the simple case is working, layer on more functionality

Page 25: SCIM 2.0 - Choose your own identity adventure


Implementing a SCIM client

• Make your client resilient
  - Some servers return bad data
• Start by reading /Schemas (and /ResourceTypes) to know what to expect
  - Some servers require certain fields that may not be required in the core User schema
• Always pass an Accept header – some servers require this
  - Use application/scim+json
  - Also pass a Content-Type header for POST/PUT/PATCH
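The discovery-first client these tips describe, as an added example (not code from the deck or from any SailPoint or UnboundID library). It reads /Schemas and /ResourceTypes before writing, records which attributes the server actually marks required, always sends Accept/Content-Type as application/scim+json, and uses POST /.search so filter values stay out of the URL. The transport is injected, and the constructed FAKE_DOCS stand in for a server that, unlike the core User schema in RFC 7643, also requires `emails`; the base URL and bearer token are the deck's example values.

```python
import json

SCIM_JSON = "application/scim+json"
USER_CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
SEARCH_REQUEST = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"


class SCIMClient:
    """SCIM 2.0 client that discovers server expectations before writing.

    `transport(method, url, headers, body)` returns (status, body_text); it is
    injected so the example runs offline. In production wrap an HTTPS client.
    """

    def __init__(self, base_url, token, transport):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.transport = transport
        self.required = {}  # endpoint -> attribute names this server insists on

    def _headers(self, with_body=False):
        # Some servers answer 406/415 without these, so send them on every call.
        headers = {"Accept": SCIM_JSON, "Authorization": "Bearer " + self.token}
        if with_body:
            headers["Content-Type"] = SCIM_JSON
        return headers

    def _get_json(self, path):
        status, text = self.transport("GET", self.base_url + path, self._headers(), None)
        if status != 200:
            raise RuntimeError(f"GET {path} returned {status}")
        doc = json.loads(text)
        # Be liberal in what you accept: some servers return a bare array
        # here instead of a ListResponse envelope.
        return doc if isinstance(doc, list) else doc.get("Resources", [])

    def discover(self):
        """Read /Schemas and /ResourceTypes; note every attribute marked required."""
        schemas = {s["id"]: s for s in self._get_json("/Schemas")}
        for rt in self._get_json("/ResourceTypes"):
            urns = [rt["schema"]] + [
                e["schema"] for e in rt.get("schemaExtensions", []) if e.get("required")
            ]
            needed = set()
            for urn in urns:
                for attr in schemas.get(urn, {}).get("attributes", []):
                    if attr.get("required"):
                        # Extension attributes are addressed as <urn>:<name>
                        needed.add(attr["name"] if urn == rt["schema"] else f"{urn}:{attr['name']}")
            self.required[rt["endpoint"]] = needed
        return self.required

    def missing_required(self, endpoint, resource):
        """Attributes the server will reject the payload without."""
        present = set(resource)
        for key, value in resource.items():
            if key.startswith("urn:") and isinstance(value, dict):
                present.update(f"{key}:{name}" for name in value)
        return sorted(self.required.get(endpoint, set()) - present)

    def create(self, endpoint, resource):
        missing = self.missing_required(endpoint, resource)
        if missing:
            raise ValueError(f"{endpoint} requires {missing}")
        return self.transport("POST", self.base_url + endpoint, self._headers(True), json.dumps(resource))

    def search(self, endpoint, filter_expr, attributes=None, count=10):
        """POST /.search: the filter (often PII) rides in the body, not the URL."""
        body = {"schemas": [SEARCH_REQUEST], "filter": filter_expr, "startIndex": 1, "count": count}
        if attributes:
            body["attributes"] = attributes
        return self.transport("POST", f"{self.base_url}{endpoint}/.search", self._headers(True), json.dumps(body))


# Constructed stand-in for a server that, unlike RFC 7643, also requires `emails`.
FAKE_BASE = "https://example.com/v2"
FAKE_DOCS = {
    "/Schemas": [{"id": USER_CORE, "attributes": [
        {"name": "userName", "type": "string", "required": True},
        {"name": "emails", "type": "complex", "multiValued": True, "required": True},
    ]}],
    "/ResourceTypes": {"Resources": [
        {"id": "User", "endpoint": "/Users", "schema": USER_CORE, "schemaExtensions": []},
    ]},
}


def fake_transport(method, url, headers, body):
    assert headers["Accept"] == SCIM_JSON and headers["Authorization"].startswith("Bearer ")
    path = url[len(FAKE_BASE):]
    if method == "GET" and path in FAKE_DOCS:
        return 200, json.dumps(FAKE_DOCS[path])
    echo = {"method": method, "path": path, "content_type": headers.get("Content-Type"),
            "body": json.loads(body) if body else None}
    return (201 if method == "POST" and not path.endswith("/.search") else 200), json.dumps(echo)


def demo():
    client = SCIMClient(FAKE_BASE, "h480djs93hd8", fake_transport)
    client.discover()
    sparse = {"schemas": [USER_CORE], "userName": "bjensen"}
    missing = client.missing_required("/Users", sparse)
    status, text = client.search("/Users", 'userName eq "bjensen"', ["userName", "displayName"])
    return missing, status, json.loads(text)


if __name__ == "__main__":
    print(demo())
```

`discover()` is the step most clients skip: the `emails` requirement above is invisible in the RFC but visible in the server's own /Schemas, and catching it locally gives a clear error instead of an opaque 400 from the server.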

Page 26: SCIM 2.0 - Choose your own identity adventure


Implementing a SCIM server

• Some clients can be strict when reading responses
  - Make sure that your /Schemas and /ResourceTypes endpoints return the correct information
    • This may not match the examples in the specs
  - Make sure to include schemas and meta.resourceType in responses
  - Encode dates exactly as specified by the spec
• Require TLS – you are dealing with sensitive information
• Implement CORS (Cross-Origin Resource Sharing) if the clients might be implemented in JavaScript (allow-list the origins; never echo an arbitrary Origin back)
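The server-side half of those tips, as an added example (not the deck's or any SailPoint code): every resource goes out wrapped with `schemas` and a `meta` block carrying `resourceType`, spec-format dates and a `location`; list results use the ListResponse message URN; plain-HTTP requests are refused; and CORS headers are only emitted for an assumed allow-list (`ALLOWED_ORIGINS` is made up for the demo). The Toaster resource type and the vaderToaster1 record are the deck's; the network layer is left out, so `respond()` returns the status, headers and body text a real handler would write.

```python
import json
from datetime import datetime, timezone

SCIM_JSON = "application/scim+json"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
TOASTER = "urn:ietf:params:scim:schemas:toast4u:1.0:Toaster"

# Assumed allow-list for the demo; never reflect an arbitrary Origin header back.
ALLOWED_ORIGINS = {"https://admin.example.com"}


def scim_datetime(dt):
    """RFC 7643 dateTime: UTC, millisecond precision, trailing 'Z'."""
    utc = dt.astimezone(timezone.utc).isoformat(timespec="milliseconds")
    return utc.replace("+00:00", "Z")


def envelope(resource_type, resource, base_url, created, modified):
    """Wrap stored attributes with the `schemas` and `meta` strict clients expect."""
    # Extension data is stored under its URN, so any urn: key is also a declared schema.
    out = {"schemas": [resource_type["schema"]] + [k for k in resource if k.startswith("urn:")]}
    out.update(resource)
    out["meta"] = {
        "resourceType": resource_type["id"],
        "created": scim_datetime(created),
        "lastModified": scim_datetime(modified),
        "location": f"{base_url}{resource_type['endpoint']}/{resource['id']}",
    }
    return out


def list_response(resources, start_index=1, total=None):
    return {
        "schemas": [LIST_RESPONSE],
        "totalResults": len(resources) if total is None else total,
        "startIndex": start_index,
        "itemsPerPage": len(resources),
        "Resources": resources,
    }


def cors_headers(origin):
    if origin not in ALLOWED_ORIGINS:
        return {}  # browser will block the cross-origin read
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
        "Access-Control-Allow-Headers": "Authorization, Content-Type, Accept",
    }


def respond(scheme, method, origin, status=200, body=None):
    """Return (status, headers, text). Plain HTTP is refused outright."""
    if scheme != "https":
        err = {"schemas": [ERROR], "status": "403", "detail": "TLS is required"}
        return 403, {"Content-Type": SCIM_JSON}, json.dumps(err)
    headers = {"Content-Type": SCIM_JSON, "Strict-Transport-Security": "max-age=31536000"}
    headers.update(cors_headers(origin))
    if method == "OPTIONS":  # CORS preflight: headers only, no body
        return 204, headers, ""
    return status, headers, json.dumps(body)


def demo():
    """Serve the deck's GET /Toasters over TLS to a browser client on the allow-list."""
    toaster_type = {"id": "Toaster", "endpoint": "/Toasters", "schema": TOASTER}
    stamp = datetime(2016, 6, 9, 18, 29, 49, 793000, tzinfo=timezone.utc)
    stored = {"id": "vaderToaster1", "ipAddress": "192.168.1.373", "state": "idle", "darkness": 10}
    page = list_response([envelope(toaster_type, stored, "https://example.com/v2", stamp, stamp)])
    status, headers, text = respond("https", "GET", "https://admin.example.com", 200, page)
    return status, headers, json.loads(text)


if __name__ == "__main__":
    print(json.dumps(demo()[2], indent=2))
```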

Page 27: SCIM 2.0 - Choose your own identity adventure


Changes between SCIM v1.1 and SCIM v2.0

Page 28: SCIM 2.0 - Choose your own identity adventure


Extensibility

• SCIM v1.1 only had /Schemas
  - Made it difficult to share schema extensions and was underspecified
• SCIM v2.0 adds /ResourceTypes
  - Includes name, endpoint, schemas, and schema extensions
  - References the /Schemas endpoint to define acceptable content for the resource

Page 29: SCIM 2.0 - Choose your own identity adventure


References

• SCIM v1.1 did not have a syntax to reference other objects
  - v2.0 adds a reference data type that uses the URL of the referenced object

"groups": [{
  "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
  "$ref": "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
  "display": "Tour Guides"
}]

Page 30: SCIM 2.0 - Choose your own identity adventure


PATCH now uses JSON Patch-like Syntax

• Now consists of an array of patch operations
  - add, remove, or replace

PATCH /Groups/acbf3ae7-8463-...-9b4da3f908ce
...
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "add",
    "path": "members",
    "value": [{
      "display": "Babs Jensen",
      "$ref": "https://example.com/v2/Users/2819c223...413861904646",
      "value": "2819c223-7f76-453a-919d-413861904646"
    }]
  }]
}
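A server-side applier for this PatchOp format, as an added example (not the deck's code and not any library's). It handles `add`, `replace` and `remove` on simple attribute paths, extension attributes addressed as `<schema urn>:<attribute>`, and the `attr[sub eq "value"]` value-filter form used to remove a single group member; a full SCIM filter parser is out of scope. Replaying the same `add` of a member is a no-op rather than a duplicate, which matters for provisioning connectors that retry. The group id `tour-guides` is constructed; the Babs Jensen member and the Toaster/EggCooker URNs are the deck's.

```python
import copy
import re

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_CORE = "urn:ietf:params:scim:schemas:core:2.0:Group"
TOASTER = "urn:ietf:params:scim:schemas:toast4u:1.0:Toaster"
EGG = "urn:ietf:params:scim:schemas:toast4u:1.0:EggCooker"

# Only the simple value filter `attr[sub eq "v"]` is supported here.
_VALUE_FILTER = re.compile(r'^([\w$]+)\[([\w$]+) eq "([^"]*)"\]$')


def _container(doc, path):
    """Map `<extension urn>:<attr>` onto the extension's sub-object; core attrs stay top level."""
    for urn in doc.get("schemas", []):
        if path.startswith(urn + ":"):
            return doc.setdefault(urn, {}), path[len(urn) + 1:]
    return doc, path


def _matches(item, sub, wanted):
    return isinstance(item, dict) and str(item.get(sub)) == wanted


def apply_patch(resource, patch):
    """Return a new resource with the PatchOp applied; ValueError on malformed input."""
    if patch.get("schemas") != [PATCH_OP]:
        raise ValueError("body is not a PatchOp message")
    doc = copy.deepcopy(resource)  # never mutate the caller's copy on a failed op
    for op in patch.get("Operations", []):
        kind = op.get("op", "").lower()
        if kind not in ("add", "replace", "remove"):
            raise ValueError(f"unsupported op {op.get('op')!r}")
        path = op.get("path")
        if path is None:
            # add/replace without a path: value is a partial resource to merge in
            if kind == "remove" or not isinstance(op.get("value"), dict):
                raise ValueError("only add/replace with an object value may omit path")
            for key, value in op["value"].items():
                target, attr = _container(doc, key)
                target[attr] = value
            continue
        target, attr = _container(doc, path)
        m = _VALUE_FILTER.match(attr)
        if m:  # operate on the selected items of a multi-valued attribute
            attr, sub, wanted = m.groups()
            items = target.get(attr, [])
            if kind == "remove":
                target[attr] = [i for i in items if not _matches(i, sub, wanted)]
            elif kind == "replace":
                target[attr] = [op["value"] if _matches(i, sub, wanted) else i for i in items]
            else:
                raise ValueError("add does not take a value filter")
            continue
        if kind == "remove":
            target.pop(attr, None)
        elif kind == "replace" or not isinstance(target.get(attr), list):
            target[attr] = op["value"]
        else:  # add to an existing multi-valued attribute, skipping exact duplicates
            new = op["value"] if isinstance(op["value"], list) else [op["value"]]
            target[attr].extend(v for v in new if v not in target[attr])
    return doc


def demo():
    group = {"schemas": [GROUP_CORE], "id": "tour-guides", "displayName": "Tour Guides", "members": []}
    babs = {"display": "Babs Jensen",
            "value": "2819c223-7f76-453a-919d-413861904646",
            "$ref": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"}
    add_babs = {"schemas": [PATCH_OP], "Operations": [{"op": "add", "path": "members", "value": [babs]}]}
    added = apply_patch(group, add_babs)
    again = apply_patch(added, add_babs)  # a retried PATCH must not duplicate the member
    drop_babs = {"schemas": [PATCH_OP], "Operations": [
        {"op": "remove", "path": f'members[value eq "{babs["value"]}"]'}]}
    removed = apply_patch(again, drop_babs)
    toaster = {"schemas": [TOASTER, EGG], "id": "vaderToaster1", "state": "idle", EGG: {"state": "idle"}}
    start_egg = {"schemas": [PATCH_OP], "Operations": [
        {"op": "replace", "path": EGG + ":state", "value": "cooking"}]}
    cooking = apply_patch(toaster, start_egg)
    return group, added, again, removed, cooking


if __name__ == "__main__":
    for step in demo():
        print(step)
```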

Page 31: SCIM 2.0 - Choose your own identity adventure


Secure Searches

• SCIM v1.1 required filters on the query string, so a sensitive filter value (an SSN here) ends up in server logs, proxy logs, and browser history
  - GET /Users?filter=ssn eq "379-941-9832"
• SCIM v2.0 adds POST /.search so the filter travels in the request body instead

POST /Users/.search
...
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
  "attributes": ["displayName", "userName"],
  "filter": "ssn eq \"379-941-9832\"",
  "startIndex": 1,
  "count": 10
}

Page 32: SCIM 2.0 - Choose your own identity adventure


The /Me endpoint

• Retrieve the authenticated user’s information
  - Similar to the OIDC UserInfo endpoint

GET /Me
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:toast4u:1.0:MyToaster"
  ],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "userName": "bjensen",
  ...
}

Page 33: SCIM 2.0 - Choose your own identity adventure


More attribute information in /Schemas

• Mutability
  - readOnly, readWrite, immutable, writeOnly
• Returned
  - always, never, default, request
• Uniqueness
  - none, server, global
• Reference Types
  - A resource type (e.g. User or Group)
  - External (e.g. a photo URL)

Page 34: SCIM 2.0 - Choose your own identity adventure


Extensions

Page 35: SCIM 2.0 - Choose your own identity adventure


“Be conservative in what you do, be liberal in what you accept from others”

-Postel’s Law (aka – The Robustness Principle)

Page 36: SCIM 2.0 - Choose your own identity adventure


Creating new Resource Types

• Two easy steps
  - Add the new type to /ResourceTypes
  - Add the schema(s) for the new type to /Schemas
• Internet-enabled Toaster!!

Page 37: SCIM 2.0 - Choose your own identity adventure


Toaster Resource Type

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
  "id": "Toaster",
  "name": "Toaster",
  "endpoint": "/Toasters",
  "description": "The future is nigh! Make toast with your phone!",
  "schema": "urn:ietf:params:scim:schemas:toast4u:1.0:Toaster",
  "schemaExtensions": [{
    "schema": "urn:ietf:params:scim:schemas:toast4u:1.0:EggCooker",
    "required": false
  }],
  "meta": {
    "location": "https://example.com/v2/ResourceTypes/Toaster",
    "resourceType": "ResourceType"
  }
}

Page 38: SCIM 2.0 - Choose your own identity adventure


Toaster Schema

{
  "id": "urn:ietf:params:scim:schemas:toast4u:1.0:Toaster",
  "name": "Toaster",
  "description": "All you need for amazing toast!",
  "attributes": [{
    "name": "ipAddress",
    "type": "string",
    "multiValued": false,
    "description": "Where to talk to this toaster.",
    "required": true,
    "caseExact": false,
    "mutability": "readWrite",
    "returned": "default",
    "uniqueness": "server"
  }, {
    "name": "state",
    "type": "string",
    "multiValued": false,
    "description": "Are we cooking?",
    "required": false,
    "caseExact": false,
    "mutability": "readWrite",
    "returned": "default",
    "uniqueness": "none",
    "canonicalValues": ["idle", "toasting"]
  }, {
    "name": "darkness",
    "type": "decimal",
    "multiValued": false,
    "description": "Dial in your favorite setting",
    "required": false,
    "mutability": "readWrite",
    "returned": "default",
    "uniqueness": "none"
  }]
}

Page 39: SCIM 2.0 - Choose your own identity adventure


Egg Cooker Schema

{
  "id": "urn:ietf:params:scim:schemas:toast4u:1.0:EggCooker",
  "name": "EggCooker",
  "description": "Add some protein to your breakfast!!",
  "attributes": [{
    "name": "state",
    "type": "string",
    "multiValued": false,
    "description": "Are we cooking?",
    "required": false,
    "caseExact": false,
    "mutability": "readWrite",
    "returned": "default",
    "uniqueness": "none",
    "canonicalValues": ["idle", "cooking"]
  }, {
    "name": "style",
    "type": "string",
    "multiValued": false,
    "description": "How would you like your egg?",
    "required": false,
    "caseExact": false,
    "mutability": "readWrite",
    "returned": "default",
    "uniqueness": "none",
    "canonicalValues": ["raw", "overEasy", "animalStyle"]
  }]
}

Page 40: SCIM 2.0 - Choose your own identity adventure


Putting it all together!

GET /Toasters
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8

Page 41: SCIM 2.0 - Choose your own identity adventure


Toasters!

HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Toasters

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 1,
  "Resources": [{
    "schemas": [
      "urn:ietf:params:scim:schemas:toast4u:1.0:Toaster",
      "urn:ietf:params:scim:schemas:toast4u:1.0:EggCooker"
    ],
    "id": "vaderToaster1",
    "ipAddress": "192.168.1.373",
    "state": "idle",
    "darkness": 10,
    "urn:ietf:params:scim:schemas:toast4u:1.0:EggCooker": {
      "state": "idle",
      "style": "raw"
    },
    "meta": {
      "resourceType": "Toaster",
      "created": "2016-06-09T18:29:49.793Z",
      ...
    }
  }]
}

The slide calls out three parts of this response: the ListResponse wrapper (schemas, totalResults, Resources), the core Toaster attributes (ipAddress, state, darkness), and the Egg Cooker attributes nested under the extension’s schema URN. Note that ListResponse is an API message, so its URN lives under urn:ietf:params:scim:api:messages:2.0, not under schemas:core.

Page 42: SCIM 2.0 - Choose your own identity adventure


Make Toast!

PATCH /Toasters/vaderToaster1
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "replace",
    "path": "state",
    "value": "toasting"
  }, {
    "op": "replace",
    "path": "darkness",
    "value": 7.2
  }]
}

Page 43: SCIM 2.0 - Choose your own identity adventure


Success!!!

Page 44: SCIM 2.0 - Choose your own identity adventure


Extending an Existing Resource Type

• Two easy steps
  - Add the schema for the extension to /Schemas
  - Add the schema extension to the existing resource type

Page 45: SCIM 2.0 - Choose your own identity adventure


My Toaster Schema

{
  "id": "urn:ietf:params:scim:schemas:toast4u:1.0:MyToaster",
  "name": "My Toaster",
  "description": "Stake your claim on a toaster!!",
  "attributes": [{
    "name": "toaster",
    "type": "complex",
    "description": "Which toaster is my favorite?",
    ...
    "subAttributes": [{
      "name": "value",
      "type": "string",
      "description": "ID of the toaster",
      ...
    }, {
      "name": "$ref",
      "type": "reference",
      "referenceTypes": ["Toaster"],
      ...
    }]
  }]
}

Page 46: SCIM 2.0 - Choose your own identity adventure


Extend User ResourceType

{
  "id": "User",
  "name": "User",
  "description": "User Account",
  "endpoint": "/Users",
  "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
  "schemaExtensions": [{
    "schema": "urn:ietf:params:scim:schemas:toast4u:1.0:MyToaster",
    "required": false
  }]
}

Page 47: SCIM 2.0 - Choose your own identity adventure


Babs’ Toaster!

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:toast4u:1.0:MyToaster"
  ],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "userName": "bjensen",
  ...
  "urn:ietf:params:scim:schemas:toast4u:1.0:MyToaster": {
    "toaster": {
      "value": "vaderToaster1",
      "$ref": "https://example.com/v2/Toasters/vaderToaster1",
      "display": "Vader Toaster"
    }
  }
}
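What a server gains from having declared all of this in /ResourceTypes and /Schemas, as an added example (not the deck's code): a validator that checks an incoming resource against its resource type, its core schema and its extensions, covering both the new Toaster type and the MyToaster extension on User. It rejects unknown attributes, missing required ones, wrong JSON types, values outside `canonicalValues`, extension data whose URN is not listed in `schemas`, and a typed `$ref` that points at the wrong endpoint. The registry below is the deck's Toaster, EggCooker, MyToaster and User definitions trimmed to the fields the validator reads (the core User schema reduced to `userName`); the ids `t2`, `u1` and `u2` are constructed.

```python
from urllib.parse import urlparse

USER = "urn:ietf:params:scim:schemas:core:2.0:User"
TOASTER = "urn:ietf:params:scim:schemas:toast4u:1.0:Toaster"
EGG = "urn:ietf:params:scim:schemas:toast4u:1.0:EggCooker"
MY_TOASTER = "urn:ietf:params:scim:schemas:toast4u:1.0:MyToaster"

# Registry mirroring the deck's /ResourceTypes and /Schemas, trimmed to what the validator reads.
RESOURCE_TYPES = {
    "User": {"id": "User", "endpoint": "/Users", "schema": USER,
             "schemaExtensions": [{"schema": MY_TOASTER, "required": False}]},
    "Toaster": {"id": "Toaster", "endpoint": "/Toasters", "schema": TOASTER,
                "schemaExtensions": [{"schema": EGG, "required": False}]},
}
SCHEMAS = {
    USER: [{"name": "userName", "type": "string", "required": True}],
    TOASTER: [
        {"name": "ipAddress", "type": "string", "required": True},
        {"name": "state", "type": "string", "canonicalValues": ["idle", "toasting"]},
        {"name": "darkness", "type": "decimal"},
    ],
    EGG: [
        {"name": "state", "type": "string", "canonicalValues": ["idle", "cooking"]},
        {"name": "style", "type": "string", "canonicalValues": ["raw", "overEasy", "animalStyle"]},
    ],
    MY_TOASTER: [{"name": "toaster", "type": "complex", "subAttributes": [
        {"name": "value", "type": "string"},
        {"name": "$ref", "type": "reference", "referenceTypes": ["Toaster"]},
        {"name": "display", "type": "string"},
    ]}],
}
COMMON = {"schemas", "id", "externalId", "meta"}  # common attributes every resource may carry
PY_TYPES = {"string": str, "boolean": bool, "integer": int, "decimal": (int, float),
            "dateTime": str, "reference": str, "binary": str}


def _check_ref(url, ref_types, label, errors):
    """A typed reference must point at the endpoint of one of the allowed resource types."""
    if "external" in ref_types or "uri" in ref_types:
        return
    path = urlparse(url).path
    endpoints = [RESOURCE_TYPES[t]["endpoint"] for t in ref_types if t in RESOURCE_TYPES]
    if not any(f"{ep}/" in path for ep in endpoints):
        errors.append(f"{label}: {url!r} does not reference {ref_types}")


def _check_attrs(obj, attrs, where, errors):
    known = {a["name"] for a in attrs}
    errors.extend(f"{where}{n}: unknown attribute" for n in obj if n not in known)
    for a in attrs:
        name, label = a["name"], f"{where}{a['name']}"
        if name not in obj:
            if a.get("required"):
                errors.append(f"{label}: required")
            continue
        value = obj[name]
        if a.get("multiValued") and not isinstance(value, list):
            errors.append(f"{label}: must be an array")
            continue
        for item in value if a.get("multiValued") else [value]:
            if a["type"] == "complex":
                if isinstance(item, dict):
                    _check_attrs(item, a.get("subAttributes", []), label + ".", errors)
                else:
                    errors.append(f"{label}: must be an object")
            elif (isinstance(item, bool) and a["type"] != "boolean") or not isinstance(item, PY_TYPES[a["type"]]):
                errors.append(f"{label}: expected {a['type']}, got {type(item).__name__}")
            elif a.get("canonicalValues") and item not in a["canonicalValues"]:
                errors.append(f"{label}: {item!r} not in {a['canonicalValues']}")
            elif a["type"] == "reference" and a.get("referenceTypes"):
                _check_ref(item, a["referenceTypes"], label, errors)


def validate(resource_type_id, resource):
    """Return a list of problems; an empty list means the resource fits its ResourceType."""
    rt = RESOURCE_TYPES[resource_type_id]
    errors = []
    declared = set(resource.get("schemas", []))
    if rt["schema"] not in declared:
        errors.append(f"schemas: must include {rt['schema']}")
    extensions = {e["schema"]: e for e in rt.get("schemaExtensions", [])}
    for urn in declared - {rt["schema"]} - set(extensions):
        errors.append(f"schemas: {urn} is not allowed on {resource_type_id}")
    core = {k: v for k, v in resource.items() if k not in COMMON and k not in extensions}
    _check_attrs(core, SCHEMAS[rt["schema"]], "", errors)
    for urn, ext in extensions.items():
        if urn not in resource:
            if ext.get("required"):
                errors.append(f"{urn}: required extension missing")
            continue
        if urn not in declared:
            errors.append(f"schemas: {urn} is present but not declared")
        _check_attrs(resource[urn], SCHEMAS[urn], urn + ":", errors)
    return errors


def demo():
    good_toaster = {"schemas": [TOASTER, EGG], "id": "vaderToaster1", "ipAddress": "192.168.1.373",
                    "state": "idle", "darkness": 10, EGG: {"state": "idle", "style": "raw"}}
    bad_toaster = {"schemas": [TOASTER], "id": "t2", "state": "cooking", "darkness": "7"}
    babs = {"schemas": [USER, MY_TOASTER], "id": "2819c223-7f76-453a-919d-413861904646",
            "userName": "bjensen", MY_TOASTER: {"toaster": {
                "value": "vaderToaster1", "$ref": "https://example.com/v2/Toasters/vaderToaster1",
                "display": "Vader Toaster"}}}
    wrong_ref = {"schemas": [USER, MY_TOASTER], "id": "u2", "userName": "x",
                 MY_TOASTER: {"toaster": {"value": "u1", "$ref": "https://example.com/v2/Users/u1"}}}
    return (validate("Toaster", good_toaster), validate("Toaster", bad_toaster),
            validate("User", babs), validate("User", wrong_ref))


if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```

The `$ref` check is the one worth keeping even if you drop the rest: a `reference` attribute with `referenceTypes` is a promise about which endpoint the link targets, and accepting an arbitrary URL there lets a client smuggle a pointer to a different resource type (a User where a Toaster was expected) into data other components will dereference.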

Page 48: SCIM 2.0 - Choose your own identity adventure

Questions?

http://simplecloud.info