SCIM in the Real World: Adoption is Growing


Transcript of SCIM in the Real World: Adoption is Growing

Page 1: SCIM in the Real World: Adoption is Growing

SCIM in the Real World
Kelly Grizzle

Software Architect – SailPoint

Page 2

Copyright © SailPoint Technologies, Inc. 2015 All rights reserved. 2

Overview

• What is SCIM?
• Trends in SCIM Usage
• Who are you and what's your problem?
  - Identity Gurus
  - Service Providers
• Case Studies
• Where is SCIM today and where is it going?

Page 3

What is SCIM?
System for Cross-Domain Identity Management

Page 4

Identity Management + REST =

Page 5

Identity Management + REST = SCIM

• REST is just an architectural pattern
  - SCIM defines an identity management profile for it
• SCIM provides…
  - Standard definitions for User and Group
  - Standard operations
    • Create, Read, Update, Delete, Search, Partial Update, Bulk
  - Extensibility
    • Add more attributes to existing object types or define new object types

Page 6

Example – Retrieve User Request

GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8

Page 7

Example – Retrieve User Response

HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    ...
  }
}

Callouts on the slide: self-describing payload (the "schemas" list), single-valued attribute ("id"), complex attribute ("name"), many data types (for example the dateTime in "meta.created").
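How a client should consume a response like the one above, as an added example that is not from the slides or from SailPoint: it checks the "schemas" declaration and required core attributes, keeps attributes from any extension schema the resource declares, and discards top-level attributes it does not recognise instead of failing (the rule the chip-maker case study later states as "if there is anything in the JSON that you don't recognize, throw it away"). The sample document is constructed from the slide's response plus an enterprise extension and one made-up attribute.

```python
"""Added example: parse a SCIM 2.0 User resource defensively and tolerantly."""
import json
from datetime import datetime, timezone

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Core attributes this client understands, with the JSON type each must have.
KNOWN_CORE = {
    "id": str, "externalId": str, "userName": str, "active": bool,
    "name": dict, "emails": list, "groups": list, "meta": dict,
}

# Constructed sample: the slide's response plus an enterprise extension and an
# attribute this client has never heard of ("x-newAttributeAddedNextYear").
SAMPLE_RESPONSE = json.dumps({
    "schemas": [CORE_USER, "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "name": {"formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara"},
    "meta": {"resourceType": "User", "created": "2011-08-01T18:29:49.793Z"},
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Tour Operations"},
    "x-newAttributeAddedNextYear": 42,
})


class ScimError(ValueError):
    """Raised when a document is not a usable SCIM User resource."""


def _parse_timestamp(value):
    # SCIM dateTime values are xsd:dateTime strings, e.g. 2011-08-01T18:29:49.793Z
    if not isinstance(value, str):
        raise ScimError("dateTime attribute must be a string")
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_user(body):
    """Return the recognised parts of a SCIM User JSON document as a dict."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    schemas = doc.get("schemas")
    if not isinstance(schemas, list) or CORE_USER not in schemas:
        raise ScimError("not a SCIM 2.0 User resource")
    if not isinstance(doc.get("id"), str) or not doc["id"]:
        raise ScimError("missing id")

    user = {"extensions": {}, "ignored": []}
    for attr, value in doc.items():
        if attr == "schemas":
            continue
        if attr in KNOWN_CORE:
            if not isinstance(value, KNOWN_CORE[attr]):
                raise ScimError(f"attribute {attr} has the wrong type")
            user[attr] = value
        elif attr in schemas and isinstance(value, dict):
            # Extension attributes live under their schema URN; keep them namespaced.
            user["extensions"][attr] = value
        else:
            # Unknown top-level attribute: discard it rather than fail the whole read.
            user["ignored"].append(attr)

    created = user.get("meta", {}).get("created")
    user["created"] = _parse_timestamp(created) if created is not None else None
    return user


def is_rejected(body):
    """True if parse_user refuses the document; convenient for callers that want a boolean."""
    try:
        parse_user(body)
    except ScimError:
        return True
    return False
```

Type checks are strict on purpose: an attribute that exists but has the wrong type is a server bug or tampering and should fail loudly, whereas an attribute the client has never seen is the normal consequence of SCIM's extensibility and should be ignored.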

Page 8

CRUD Operations

POST /Users
PUT /Users/2819c223-7f76-453a-919d-413861904646
PATCH /Users/2819c223-7f76-453a-919d-413861904646
DELETE /Users/2819c223-7f76-453a-919d-413861904646

GET /Users?startIndex=10&count=5&filter=userName sw "J"
GET /Users/2819c223-7f76-453a-919d-413861904646

(The filter is shown unencoded for readability; on the wire the query value is URL-encoded, e.g. filter=userName%20sw%20%22J%22.)

Page 9

Server Configuration Operations

GET /ResourceTypes
- Return the types of resources that are supported
- Endpoint URL, schema, etc…

GET /Schemas
- Return the schema definitions
- Attribute names and types, etc…

GET /ServiceProviderConfigs
- Return info about what is supported by the server
- Authn methods, optional features (PATCH, bulk, filtering, sorting, ETags, password change), etc…
- Note: /ServiceProviderConfigs is the SCIM 1.1 name; SCIM 2.0 (RFC 7644) uses the singular /ServiceProviderConfig
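A client that acts on the configuration document instead of assuming features, as an added example that is not from the slides or from SailPoint: it reads a ServiceProviderConfig document (SCIM 2.0 name), chooses PATCH or PUT from it, clamps page size to the server's filter.maxResults, and builds the ?filter= query from the CRUD slide with the value escaped and URL-encoded so that caller-supplied input cannot add clauses to the query. The configuration document is constructed, not captured from any real server.

```python
"""Added example: discovery-driven SCIM client behaviour plus safe filter construction."""
import json
import re
from urllib.parse import urlencode

# Constructed ServiceProviderConfig, not captured from any real server.
SAMPLE_CONFIG = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
    "patch": {"supported": False},
    "bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0},
    "filter": {"supported": True, "maxResults": 200},
    "changePassword": {"supported": True},
    "sort": {"supported": False},
    "etag": {"supported": False},
    "authenticationSchemes": [
        {"type": "oauthbearertoken", "name": "OAuth Bearer Token",
         "description": "Authentication scheme using the OAuth Bearer Token Standard"}
    ],
})

FILTER_OPS = {"eq", "ne", "co", "sw", "ew", "gt", "ge", "lt", "le"}
# Attribute paths: attribute names, sub-attributes and schema-URN prefixes only; no spaces or quotes.
ATTR_PATH = re.compile(r"^[A-Za-z][A-Za-z0-9_.:-]*$")


def load_config(body):
    """Reduce a ServiceProviderConfig document to the facts a client acts on."""
    cfg = json.loads(body)
    return {
        "patch": bool(cfg.get("patch", {}).get("supported")),
        "filter": bool(cfg.get("filter", {}).get("supported")),
        "max_results": int(cfg.get("filter", {}).get("maxResults", 0) or 0),
        "auth_types": {s.get("type") for s in cfg.get("authenticationSchemes", [])},
    }


def update_method(config):
    """Partial update only if the server says so; otherwise fall back to a full PUT."""
    return "PATCH" if config["patch"] else "PUT"


def scim_string(value):
    """Quote a value as a SCIM filter string literal.

    Filter string literals follow JSON string rules, so backslash and the double
    quote are the characters that could otherwise close the literal early and
    let the rest of the value be parsed as more filter syntax."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_filter(attr, op, value):
    """Build 'attr op "value"' with the operator and attribute path validated against allowlists."""
    if op not in FILTER_OPS:
        raise ValueError(f"unsupported filter operator: {op}")
    if not ATTR_PATH.match(attr):
        raise ValueError(f"invalid attribute path: {attr}")
    return f"{attr} {op} {scim_string(value)}"


def search_query(config, attr, op, value, start_index=1, count=100):
    """Return the /Users query string, with count clamped to the server's maxResults."""
    if not config["filter"]:
        raise RuntimeError("server does not support filtering; page through /Users instead")
    if config["max_results"]:
        count = min(count, config["max_results"])
    params = {"filter": build_filter(attr, op, value), "startIndex": start_index, "count": count}
    return "/Users?" + urlencode(params)
```

The second assertion in the test is the one that matters in practice: a value such as `x" or userName co "` must end up inside the string literal, not as a new comparison that widens the search to every user.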

Page 10

Trends in SCIM Usage

Page 11

Trends

• Enterprises are using SCIM gateways to communicate between internal systems
• Service providers use SCIM for directory access
  - Store extended information, but often not visible externally
• IAM and IDaaS vendors provide SCIM servers to expose identity information and use SCIM clients to read/write external systems
• Common threads in custom password extensions
• SCIM is seen as the identity management API

Page 12

Who are you?

Page 13

IAM Gurus!

Page 14

I got 99 problems and identity is #1!

Page 15

Problem!!! Bob needs a new account

SCIM Solution: Provision

Page 16

Problem!!! Bob can’t login!

SCIM Solution: Password reset

* Alternate Solution: Single sign-on … but this isn’t a SAML / OIDC workshop.

Page 17

Problem!!! Bob can’t read the financials

SCIM Solution: Add him to a group or give him some entitlements

Page 18

Problem!!! I need to know Bob’s access

SCIM Solution: Read User and Group Data

Page 19

Problem!!! Bob has been a bad boy

SCIM Solution: Deprovision

Page 20

Problem!! Apps team needs to r/w identity

SCIM Solution: Standard but extensible API

"Can I please store these attributes in your directory?"

Page 21

Case Study: Fortune 100 Chip Maker

Page 22

The Setup

• Started considering options between a failed Oracle Identity Manager project and "the next thing"
• Needed a façade
  - Prevent IAM vendor lock-in
  - Needed co-existence between old and new IAM systems
• Extensibility was crucial!
• "We wanted a 20 year solution." – IAM Guru

Page 23

The Solution

Create a SCIM gateway to serve as a central identity hub

[Diagram: a SCIM Gateway Cluster in the middle, connected to Legacy Apps, the IAM System, SSO and the Directory Server]

Page 24

The Interesting Parts

• Extended user schema to hold custom information
• Extended endpoints to support many additional features
  - Email verification
    • POST /EmailVerificationTokens to create a token
    • POST /EmailVerification to verify email using token
  - Password reset
    • POST /PasswordResetTokens to create a token
    • POST /PasswordChanges to change password using token
  - Security token management for SSO
    • POST /SecurityTokens to create authenticated session token
    • DELETE /SecurityTokens to invalidate
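The server side of the /PasswordResetTokens and /PasswordChanges pair, as an added example that is not the chip maker's or SailPoint's code: the token is random and short-lived, the server stores only its SHA-256 hash, it is consumed on first use, and the new password is stored as a PBKDF2 hash. Only the two endpoint names come from the slide; the 15-minute TTL, the 12-character minimum, the in-memory tables and the injectable clock are assumptions made so the example runs offline.

```python
"""Added example: one-time, expiring password-reset tokens behind a SCIM extension endpoint."""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60      # assumption: reset tokens are valid for 15 minutes
MIN_PASSWORD_LENGTH = 12         # assumption: tenant password policy


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class PasswordResetService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}      # sha256(token) -> (user_id, expires_at)
        self._passwords = {}   # user_id -> (salt, pbkdf2 digest)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked token table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def create_reset_token(self, user_id):
        """POST /PasswordResetTokens: mint a one-time token to deliver out of band (email, SMS)."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def consume_reset_token(self, token):
        """Return the user_id the token was issued for, or None.

        The entry is removed on the first attempt whether it turns out to be
        valid or expired, so a token can never be presented twice."""
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id

    def change_password(self, token, new_password):
        """POST /PasswordChanges: set a new password if the token is valid; True on success.

        Policy is checked before the token is consumed, so a rejected password
        does not force the user to request a fresh token."""
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        user_id = self.consume_reset_token(token)
        if user_id is None:
            return False
        self._passwords[user_id] = hash_password(new_password)
        return True

    def check_password(self, user_id, password):
        stored = self._passwords.get(user_id)
        return stored is not None and verify_password(password, *stored)
```

Because the token itself has 256 bits of entropy, the hash lookup is not a timing concern; hashing is there so that a dump of the token store is useless to an attacker, which is the same reasoning as for session identifiers.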

Page 25

More Interesting Parts

• More extended endpoints…
  - Notifications (email or SMS)
    • POST /Notifications to send a notification with user information merged in (welcome email, forgot login ID, etc…)
  - Role management
    • PATCH /Roles to change membership for a role

Page 26

The Benefits

• Ability to add new information and features without breaking existing clients
  - If there is anything in the JSON that you don't recognize, throw it away

"SCIM has been critical and program-saving. It is exactly what we needed at exactly the right time, and fills a crucial role in our environment."
-- IAM Guru

Page 27

Case Study: Fortune 500 Pharmaceuticals

Page 28

The Setup

• Need to support identity on a large portfolio of applications
  - Not all application teams are resourced equally
• Wanted an abstraction of provisioning from specific implementations
  - Allow for seamless upgrades of the IAM system
  - Ease cost of implementation for smaller applications

Page 29

The Solution

Create a SCIM gateway to serve as a central identity hub

[Diagram: a SCIM SOA Gateway in the middle, connected to On-prem Apps, the IAM System, Cloud Apps and the Directory Server]

Do you see a trend here?

Page 30

The Benefits

• SCIM gives agility in adopting new versions of the IAM system
• SCIM isolates the IAM system if a SaaS vendor changes their identity model
  - Connector continues to work with an updated schema
  - Important for SaaS vendors that can update at any time
• If an application vendor is small it's not worth it to write a custom connector
  - Small vendors are very willing to implement SCIM as their standard identity API

Page 31

Who are you?

Page 32

Service Providers!!

Page 33

We also got 99 identity problems!

Page 34

Problem!!! I need to expose a directory!!

SCIM Solution: Read and write with SCIM

Page 35

Problem!!! I need an API between my own products!

SCIM Solution: Everything identity is SCIM

Page 36

Problem!! My mobile app needs identities!

SCIM Solution: Light-weight REST API

Page 37

Problem!!! I need to get identities from my customer’s directory into my cloud app!

SCIM Solution: To the cloud with SCIM!

Page 38

Case Study: Fortune 100 Networking

Page 39

The Setup

• Needed a consistent identity API that can be used:
  - By partners
  - By customers
  - Internally between products
  - To communicate with IdPs and other SaaS vendors

Page 40

The Solution

[Diagram: a SCIM Identity Service at the center, used by Directory Clients, Internal Systems, Partners & IdPs, an IdentitySync Client and a Mobile App; all of the connections are read/write except one, which is read only]

Page 41

The Interesting Parts

• Additional endpoints
  - /Devices
  - /Tenants
  - Only available internally
  - Password policy is configured on tenant
• Core schemas have been extended
  - Positive extensions: new attributes (mainly internal info)
  - Negative extensions: attributes in the SCIM spec that aren't supported
• Legacy APIs forward requests on to SCIM

Page 42

The Benefits

• Single API for everything identity
• Mobile application has a light-weight API to use
• SCIM clients are easy to write
  - Have seen no need to write a toolkit

Page 43

Case Study: Fortune 1000 Networking

Page 44

The Setup

• Needed a consistent identity API that can be used:
  - By customers
  - Internally between products
  - To communicate with IdPs

Page 45

The Solution

[Diagram: a SCIM Identity Service at the center, with read/write connections to Custom Clients, Internal Systems, IdPs and an ADSync Client]

Does this look familiar?

Page 46

The Interesting Parts

• Exploring an "organizational unit" extension to facilitate multi-tenancy in the API
• Exploring a pub/sub SCIM model
  - Client subscribes to be notified of changes
  - SCIM server sends out notifications

Page 47

The Benefits

• Single API for everything identity
• No need to provide documentation
  - Just point developers at the spec
• Easy to implement

Page 48

Case Studies in brief

Page 49

PaaS – CloudFoundry

• CloudFoundry is an open platform-as-a-service (PaaS)
• Identity APIs leverage standards
  - SCIM, OAuth2, and OpenID Connect
• Benefits
  - Use existing open API rather than reinventing the wheel
  - Use SCIM extensions for some non-identity APIs

Page 50

IDaaS and IAM Vendors

• IDaaS and IAM vendors need to:
  - Allow external access to their identity store
  - Provision/read identities and groups to/from other applications
• SCIM server provides external access
• SCIM client provides provisioning to other applications
• Benefits
  - Standardized API makes external integration easy
  - Applications that support SCIM can be integrated immediately
    • No custom connector is required
    • No product upgrade required to support new apps

SailPoint, Salesforce, Ping, VMWare, neXus, Oracle, UnboundID

Page 51

Higher Education – federations that need attribute exchange

• Higher education is largely focused on federation
  - Need to propagate minimum amount of identity data
  - Authorization data (group memberships) are very important
  - Federation attribute payload works well for Just In Time (JIT) provisioning
  - SCIM enables more robust record propagation when JIT is not good enough
    • For example, email account provisioning often must occur before first login

Page 52

Higher Education – VOOT and Grouper

• VOOT is an identity/group protocol built on top of SCIM
  - Adds more features around group membership
• Grouper is a user/group management tool developed by Internet2
  - SCIM integration allows writing to down-stream endpoints

http://openvoot.org/
https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+Integration

Page 53

Case Study: neXus – Internet of Things

Page 54

The Setup

• IoT provider needed:
  - A registry of devices associated with a user
  - Information about the device (bluetooth address, etc…)
  - A mobile app that can
    • Authenticate
    • Retrieve user information (including devices)
    • Communicate with devices
  - Devices that can send status updates

Page 55

The Solution

[Diagram: the Mobile App talks to the SCIM Server, then to the car over Bluetooth ("Start A/C"); the car reports its status back to the SCIM Server]

Mobile App → SCIM Server:
GET /me (as authenticated user)

{
  "id": "89723-83703",
  "devices": [
    { "name": "Tesla", "bluetoothAddress": "000A3A58F310", "deviceType": "electricCar", "batteryLife": 58, … },
    …
  ]
}

Device → SCIM Server:
PATCH /Cars/89723-83703
{ "batteryLife": 57, "location": { "lat": 30.4045541, "long": -97.8489572 } }

(The PATCH body is simplified on the slide; a SCIM 2.0 PATCH carries a PatchOp message, schema urn:ietf:params:scim:api:messages:2.0:PatchOp, with an Operations array.)
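A server-side handler for the PATCH /Cars/{id} status update above, as an added example that is not neXus or SailPoint code, with two checks the slide does not spell out: the caller must be the car itself or the car's owner, and only the status attributes (batteryLife, location) are writable on this path, so a compromised device cannot re-home itself or change its identity. The body is a SCIM 2.0 PatchOp message. The owner field, the custom schema URN, the caller representation and the in-memory store are assumptions made so the example runs offline.

```python
"""Added example: authorization and an attribute allowlist for PATCH on a device resource."""
import copy

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Status a device may report about itself. id, owner and deviceType are
# deliberately absent: those change through an administrative path, not from the device.
WRITABLE = {"batteryLife", "location"}

# Constructed store; the id follows the slide, everything else is assumed.
CARS = {
    "89723-83703": {
        "schemas": ["urn:example:scim:schemas:Car"],   # assumed custom schema URN
        "id": "89723-83703", "owner": "user-1", "name": "Tesla",
        "deviceType": "electricCar", "batteryLife": 58, "location": None,
    },
}


class NotFound(Exception): ...
class Forbidden(Exception): ...
class BadRequest(Exception): ...


def _authorize(car, caller):
    """caller is {'kind': 'device'|'user', 'id': ...}, as established by authentication."""
    if caller["kind"] == "device" and caller["id"] == car["id"]:
        return
    if caller["kind"] == "user" and caller["id"] == car["owner"]:
        return
    raise Forbidden("caller may not modify this car")


def patch_car(car_id, caller, body):
    """Apply a PatchOp to a car and return the updated resource.

    Operations are applied to a copy and the store is written only once every
    operation has been accepted, so a partially bad request changes nothing."""
    car = CARS.get(car_id)
    if car is None:
        raise NotFound(car_id)
    _authorize(car, caller)
    if body.get("schemas") != [PATCH_OP] or not isinstance(body.get("Operations"), list):
        raise BadRequest("expected a PatchOp message with an Operations list")
    updated = copy.deepcopy(car)
    for op in body["Operations"]:
        if str(op.get("op", "")).lower() != "replace":
            raise BadRequest("only 'replace' is accepted on this endpoint")
        path = op.get("path")
        if path not in WRITABLE:
            raise Forbidden(f"attribute {path!r} is not writable via PATCH /Cars")
        if "value" not in op:
            raise BadRequest("replace requires a value")
        updated[path] = op["value"]
    CARS[car_id] = updated
    return updated


def handle_patch(car_id, caller, body):
    """HTTP-style wrapper: returns (status_code, resource_or_None)."""
    try:
        return 200, patch_car(car_id, caller, body)
    except NotFound:
        return 404, None
    except Forbidden:
        return 403, None
    except BadRequest:
        return 400, None


def status_update(battery_life, lat, long):
    """Build the PatchOp message a car sends for the slide's status report."""
    return {
        "schemas": [PATCH_OP],
        "Operations": [
            {"op": "replace", "path": "batteryLife", "value": battery_life},
            {"op": "replace", "path": "location", "value": {"lat": lat, "long": long}},
        ],
    }
```

The allowlist is the least-privilege control here: a device credential grants the right to report status on exactly one resource, and nothing else in the schema is reachable through it even if the device is physically compromised.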

Page 56

The Benefits

• Extended user schema to show which devices belong to each user
• New endpoints for devices to read/write device information
  - Example: /Cars, /Vacuums
• Extensible schema allows new device types to be imported via JSON files
• Extremely light-weight SCIM clients on mobile app and devices
  - This is very important for constrained devices

Page 57

Where is SCIM?

Page 58

Current Status

• 2.0 API, Core Schema, and Use Cases docs are complete
  - Will become official RFCs in the next couple months (they were published in September 2015 as RFC 7644, RFC 7643 and RFC 7642 respectively)
• IETF working group will continue to work on SCIM extensions
  - Passwords: http://datatracker.ietf.org/doc/draft-hunt-scim-password-mgmt/
  - Notify: http://datatracker.ietf.org/doc/draft-hunt-scim-notify/
  - Soft Delete: http://datatracker.ietf.org/doc/draft-ansari-scim-soft-delete/
  - Others TBD

Page 59

Wrapping it up…

Page 60

Page 61

Adoption is growing…

"The SCIM interface will have parity with other APIs and will be a first-class citizen."

--Ian Glazer, Salesforce

“I’m also proud to say Oracle’s Amit Jasuja announced at last year’s OpenWorld that Oracle IDM’s key REST API for Identity will be SCIM…”

--Phil Hunt, Oracle

Page 62

Adoption is growing…

"SCIM works perfectly for constrained devices."
-- Erik Wahlström, neXus

"SCIM is simple to implement."
-- Haavar Valeur, Citrix

Page 63

[email protected]
@kelly_grizzle

http://simplecloud.info