SCIM in the Real World: Adoption is Growing
SCIM in the Real World
Kelly Grizzle
Software Architect – SailPoint
Copyright © SailPoint Technologies, Inc. 2015 All rights reserved. 2
Overview
• What is SCIM?
• Trends in SCIM Usage
• Who are you and what’s your problem?
  - Identity Gurus
  - Service Providers
• Case Studies
• Where is SCIM today and where is it going?
What is SCIM?
System for Cross-Domain Identity Management
Identity Management + REST = ?
Identity Management + REST = SCIM
• REST is just an architectural pattern
  - SCIM defines an identity management profile for it
• SCIM provides…
  - Standard definitions for User and Group
  - Standard operations
    • Create, Read, Update, Delete, Search, Partial Update, Bulk
  - Extensibility
    • Add more attributes to existing object types or define new object types
Example – Retrieve User Request
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
Example – Retrieve User Response
HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    ...
  }
}

Callouts on the slide:
- Self-describing payload
- Single-valued attribute
- Complex attribute
- Many data types
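A client should treat the self-describing payload above as something to verify, not just deserialize. The following is an added example (not code from the slides or from SailPoint) that checks the response's media type, the declared schema, the resource type, and that the `id` in the body matches the `Location` header before it trusts any attribute. The sample headers and body are constructed from the values on the slide; the function and error names are my own.

```python
"""Parse and sanity-check a SCIM 2.0 retrieve-User response (added example)."""
import json
from datetime import datetime, timezone

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample: the headers and body from the slide. The slide's "..."
# is left out; only attributes actually shown are included.
SAMPLE_HEADERS = {
    "Content-Type": "application/scim+json",
    "Location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
}
SAMPLE_BODY = json.dumps({
    "schemas": [CORE_USER_SCHEMA],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "name": {
        "formatted": "Ms. Barbara J Jensen III",
        "familyName": "Jensen",
        "givenName": "Barbara",
    },
    "meta": {
        "resourceType": "User",
        "created": "2011-08-01T18:29:49.793Z",
    },
})


class ScimResponseError(ValueError):
    """Raised when the response is not a well-formed SCIM User."""


def parse_user_response(headers: dict, body: str) -> dict:
    """Validate the self-describing payload and return typed core attributes."""
    media_type = headers.get("Content-Type", "").split(";")[0].strip()
    if media_type != "application/scim+json":
        raise ScimResponseError(f"unexpected Content-Type {media_type!r}")

    doc = json.loads(body)
    # The resource names its own schema; refuse anything that is not a User.
    if CORE_USER_SCHEMA not in doc.get("schemas", []):
        raise ScimResponseError("payload does not declare the core User schema")
    if doc.get("meta", {}).get("resourceType") != "User":
        raise ScimResponseError("meta.resourceType is not User")

    # The id in the body must be the resource the server says it returned.
    location = headers.get("Location", "")
    if location and location.rsplit("/", 1)[-1] != doc.get("id"):
        raise ScimResponseError("id does not match the Location header")

    # "name" is a complex attribute: a JSON object, not a string.
    name = doc.get("name") or {}
    if not isinstance(name, dict):
        raise ScimResponseError("name must be a complex attribute")

    # "meta.created" is a dateTime, delivered as an ISO 8601 string in UTC.
    created = datetime.strptime(doc["meta"]["created"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "id": doc["id"],
        "givenName": name.get("givenName"),
        "familyName": name.get("familyName"),
        "created": created.replace(tzinfo=timezone.utc),
    }


def is_valid_user_response(headers: dict, body: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_user_response(headers, body)
        return True
    except (ScimResponseError, KeyError, ValueError):
        return False


if __name__ == "__main__":
    print(parse_user_response(SAMPLE_HEADERS, SAMPLE_BODY))
```

The `Location`/`id` check matters when a client follows links it did not construct itself: a proxy or misbehaving server returning a different user's record is caught before its attributes are used.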
CRUD Operations
POST /Users
PUT /Users/2819c223-7f76-453a-919d-413861904646
PATCH /Users/2819c223-7f76-453a-919d-413861904646
DELETE /Users/2819c223-7f76-453a-919d-413861904646
GET /Users?startIndex=10&count=5&filter=userName sw "J"
GET /Users/2819c223-7f76-453a-919d-413861904646
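The search line above combines a SCIM filter (`userName sw "J"`) with index-based paging (`startIndex`, `count`). The block below is an added example, not code from the slides or from any SCIM product, showing how a server can evaluate such a query and build the ListResponse. It goes slightly beyond the slide: besides `sw` it handles `eq`, `ne`, `co`, `ew` and `pr` on top-level or dotted attributes; logical `and`/`or`/`not` and grouping are out of scope. The user records and the `max_results` cap are constructed for the example.

```python
"""Evaluate a simple SCIM 2.0 filter and page the results (added example)."""
import re
from typing import Any, Optional

# Constructed sample directory.
USERS = [
    {"id": "1", "userName": "jjensen", "name": {"givenName": "Barbara"}, "active": True},
    {"id": "2", "userName": "Jdoe", "name": {"givenName": "John"}, "active": False},
    {"id": "3", "userName": "msmith", "name": {"givenName": "Mary"}, "active": True},
    {"id": "4", "userName": "jlee", "name": {"givenName": "Jae"}, "active": True},
]

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# attrPath operator ["value"]; the value is optional only for "pr".
_FILTER_RE = re.compile(
    r'^\s*([A-Za-z][\w.]*)\s+(eq|ne|co|sw|ew|pr)(?:\s+"((?:[^"\\]|\\.)*)")?\s*$'
)


def _get_attr(resource: dict, path: str) -> Any:
    """Resolve a dotted path such as name.givenName; None if absent."""
    cur: Any = resource
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def parse_filter(expr: str):
    """Return (attribute, operator, value) or raise ValueError."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    attr, op, value = m.group(1), m.group(2), m.group(3)
    if (op == "pr") != (value is None):
        raise ValueError("operand mismatch")
    return attr, op, value


def matches(resource: dict, attr: str, op: str, value: Optional[str]) -> bool:
    actual = _get_attr(resource, attr)
    if op == "pr":
        return actual is not None
    if actual is None:
        return False
    # SCIM string comparison is case-insensitive unless the attribute is caseExact.
    a, v = str(actual).lower(), value.lower()
    return {
        "eq": a == v, "ne": a != v, "co": v in a,
        "sw": a.startswith(v), "ew": a.endswith(v),
    }[op]


def search(resources, filter_expr=None, start_index=1, count=None, max_results=200):
    """Apply the filter, then page with 1-based startIndex and a capped count."""
    if filter_expr:
        attr, op, value = parse_filter(filter_expr)
        hits = [r for r in resources if matches(r, attr, op, value)]
    else:
        hits = list(resources)
    start = max(start_index, 1)                 # values below 1 are treated as 1
    if count is None or count > max_results:    # never let a client exceed the cap
        count = max_results
    page = hits[start - 1: start - 1 + max(count, 0)]
    return {
        "schemas": [LIST_RESPONSE_SCHEMA],
        "totalResults": len(hits),
        "startIndex": start,
        "itemsPerPage": len(page),
        "Resources": page,
    }


if __name__ == "__main__":
    print(search(USERS, 'userName sw "J"', start_index=1, count=5))
```

Parsing the filter with an anchored grammar, rather than interpolating it into a backend query string, is what keeps user-supplied filter text from reaching the directory or database as code.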
Server Configuration Operations
GET /ResourceTypes
  - Return the types of resources that are supported
  - Endpoint URL, schema, etc.
GET /Schemas/
  - Return the schema definitions
  - Attribute names and types, etc.
GET /ServiceProviderConfigs
  - Return info about what is supported by the server
  - Authn methods, optional features, etc.
Trends in SCIM Usage
Trends
• Enterprises are using SCIM Gateways to communicate between internal systems
• Service providers use SCIM for directory access
  - Store extended information, but often not visible externally
• IAM and IDaaS vendors provide SCIM Servers to expose identity information and use SCIM Clients to read/write external systems
• Common threads in custom password extensions
• SCIM is seen as the identity management API
Who are you?
IAM Gurus!
99 problems and identity is #1
(Slide image caption: I GOT 99 PROBLEMS AND IDENTITY IS #1!)
Problem!!! Bob needs a new account
SCIM Solution: Provision
Problem!!! Bob can’t login!
SCIM Solution: Password reset
* Alternate Solution: Single sign-on … but this isn’t a SAML / OIDC workshop.
Problem!!! Bob can’t read the financials
SCIM Solution: Add him to a group or give him some entitlements
Problem!!! I need to know Bob’s access
SCIM Solution: Read User and Group Data
Problem!!! Bob has been a bad boy
SCIM Solution: Deprovision
Problem!! Apps team needs to r/w identity
SCIM Solution: Standard but extensible API
(Slide image caption: CAN I PLEASE STORE… THESE ATTRIBUTES IN YOUR DIRECTORY?)
Case Study: Fortune 100 Chip Maker
The Setup
• Started considering options between a failed Oracle Identity Manager project and “the next thing”
• Needed a façade
  - Prevent IAM vendor lock-in
  - Needed co-existence between old and new IAM systems
• Extensibility was crucial!
• “We wanted a 20 year solution.” – IAM Guru
The Solution
Create a SCIM gateway to serve as a central identity hub
(Diagram: a SCIM Gateway Cluster in the middle, connected to Legacy Apps, the IAM System, SSO, and the Directory Server)
The Interesting Parts
• Extended user schema to hold custom information
• Extended endpoints to support many additional features
  - Email verification
    • POST /EmailVerificationTokens to create a token
    • POST /EmailVerification to verify email using token
  - Password reset
    • POST /PasswordResetTokens to create a token
    • POST /PasswordChanges to change password using token
  - Security token management for SSO
    • POST /SecurityTokens to create authenticated session token
    • DELETE /SecurityTokens to invalidate
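The two-step token endpoints above (create a token, then redeem it on a second call) are where most of the security of a password-reset or email-verification flow lives: the token must be unguessable, stored so a leaked database does not expose live tokens, bound to one purpose, short-lived, and usable exactly once. The block below is an added example of that server-side logic, not the chip maker's code or anything from the slides; the endpoint names come from the slide, while the store layout, the 15-minute TTL, the `purpose` strings and the helper names are my assumptions.

```python
"""Single-use, expiring tokens behind POST /PasswordResetTokens and
POST /PasswordChanges (and, with a different purpose, the email
verification endpoints). Added example, not the project's code."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: 15-minute validity window


class TokenStore:
    """In-memory store that keeps only SHA-256 digests of issued tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock                # injectable for testing expiry
        self._tokens = {}                  # digest -> (purpose, subject, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, purpose: str, subject: str) -> str:
        """POST /PasswordResetTokens or /EmailVerificationTokens: mint a
        random token; the plaintext is returned once and never stored."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (
            purpose, subject, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, purpose: str, token: str):
        """Consume the token. Returns the subject it was issued for, or None.
        The entry is removed on every attempt, so a token is never reusable,
        and a reset token cannot be replayed against email verification."""
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        stored_purpose, subject, expires_at = entry
        if stored_purpose != purpose or self._clock() > expires_at:
            return None
        return subject

    def purge_expired(self) -> int:
        """Housekeeping for tokens that were never redeemed."""
        now = self._clock()
        stale = [d for d, (_, _, exp) in self._tokens.items() if now > exp]
        for d in stale:
            del self._tokens[d]
        return len(stale)


def change_password(store: TokenStore, token: str, new_password: str,
                    set_password) -> bool:
    """POST /PasswordChanges: only a live password-reset token may set a
    password. `set_password(user_id, new_password)` is the caller's hook."""
    user_id = store.redeem("password-reset", token)
    if user_id is None:
        return False
    set_password(user_id, new_password)
    return True


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("password-reset", "user-1")   # would be e-mailed out
    print(change_password(store, token, "new-secret", lambda u, p: None))
    print(change_password(store, token, "again", lambda u, p: None))   # False
```

Hashing the token before storage means a database read does not yield anything redeemable, and looking entries up by digest rather than comparing stored tokens avoids string-comparison timing differences on the lookup path. A real deployment would also invalidate outstanding reset tokens when the password changes by another route and rate-limit the create endpoint.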
More Interesting Parts
• More extended endpoints…
  - Notifications (email or SMS)
    • POST /Notifications to send a notification with user information merged in (welcome email, forgot login ID, etc.)
  - Role management
    • PATCH /Roles to change membership for a role
The Benefits
• Ability to add new information and features without breaking existing clients
  - If there is anything in JSON that you don't recognize, throw it away
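"Throw away what you don't recognize" is easy to state and easy to get wrong: it has to apply per schema namespace, so that a new extension URN or a new attribute inside a known extension is dropped without discarding the rest of the record. The following is an added example, not code from the slides or from the chip maker, of a schema-driven tolerant reader. The attribute lists under each URN are a constructed subset of what this hypothetical client understands, not the spec's full definitions, and the sample record is constructed.

```python
"""Drop unrecognised attributes and extension namespaces from a SCIM
resource so new server-side fields cannot break this client (added example)."""

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Assumption: the attributes this client knows how to handle, per schema URN.
KNOWN = {
    CORE_USER: {"id", "userName", "name", "emails", "active", "meta"},
    ENTERPRISE_USER: {"employeeNumber", "department"},
}

# Constructed sample: a record that has grown beyond what this client knows.
SAMPLE_USER = {
    "schemas": [CORE_USER, ENTERPRISE_USER,
                "urn:example:params:scim:schemas:extension:chip:2.0:User"],
    "id": "42",
    "userName": "bob",
    "active": True,
    "x-legacyFlags": ["beta"],                       # unknown core-level attribute
    ENTERPRISE_USER: {"employeeNumber": "E7", "costCenter": "CC9"},
    "urn:example:params:scim:schemas:extension:chip:2.0:User": {"fabSite": "A1"},
}


def tolerant_read(resource: dict, known=KNOWN):
    """Return (kept, dropped) where `dropped` lists every path discarded.

    Logging `dropped` is the operational half of the rule: a sudden flood of
    unknown attributes is how you notice that the server changed its model."""
    kept, dropped = {}, []
    for key, value in resource.items():
        if key == "schemas":
            kept[key] = [s for s in value if s in known]
            dropped.extend(f"schemas[{s}]" for s in value if s not in known)
        elif key in known:
            # A known extension: keep only the attributes we understand inside it.
            sub = value if isinstance(value, dict) else {}
            allowed = known[key]
            kept[key] = {k: v for k, v in sub.items() if k in allowed}
            dropped.extend(f"{key}:{k}" for k in sub if k not in allowed)
        elif key in known[CORE_USER]:
            kept[key] = value
        else:
            # Either an unknown core attribute or an unknown extension URN.
            dropped.append(key)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = tolerant_read(SAMPLE_USER)
    print(kept)
    print("dropped:", dropped)
```

Note that the reader also trims the `schemas` list it forwards, so anything this client later writes back will not claim support for an extension it silently discarded.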
“SCIM has been critical and program-saving. It is exactly what we needed at exactly the right time, and fills a crucial role in our environment.”
-- IAM Guru
Case Study: Fortune 500 Pharmaceuticals
The Setup
• Need to support identity on a large portfolio of applications
  - Not all application teams are resourced equally
• Wanted an abstraction of provisioning from specific implementations
  - Allow for seamless upgrades of IAM system
  - Ease cost of implementation for smaller applications
The Solution
Create a SCIM gateway to serve as a central identity hub
(Diagram: a SCIM SOA Gateway in the middle, connected to On-prem Apps, the IAM System, Cloud Apps, and the Directory Server)
(Slide caption: DO YOU SEE A TREND HERE?)
The Benefits
• SCIM gives agility in adopting new versions of IAM system
• SCIM isolates IAM system if a SaaS vendor changes their identity model
  - Connector continues to work with an updated schema
  - Important for SaaS vendors that can update at any time
• If an application vendor is small it's not worth it to write a custom connector
  - Small vendors are very willing to implement SCIM as their standard identity API
Who are you?
Service Providers!!
99 problems and identity is #1
(Slide image caption: WE ALSO GOT 99 IDENTITY PROBLEMS!)
Problem!!! I need to expose a directory!!
SCIM Solution: Read and write with SCIM
Problem!!! I need an API between my own products!
SCIM Solution: Everything identity is SCIM
Problem!! My mobile app needs identities!
SCIM Solution: Light-weight REST API
Problem!!! I need to get identities from my customer’s directory into my cloud app!
SCIM Solution: To the cloud with SCIM!
Case Study: Fortune 100 Networking
The Setup
• Needed a consistent identity API that can be used:
  - By partners
  - By customers
  - Internally between products
  - To communicate with IdPs and other SaaS vendors
The Solution
(Diagram: a SCIM Identity Service in the middle, connected to the Directory, Clients, Internal Systems, Partners & IdPs, an Identity Sync Client, and a Mobile App; all links are read/write except one, which is read only)
The Interesting Parts
• Additional endpoints
  - /Devices
  - /Tenants
    • Only available internally
    • Password policy is configured on tenant
• Core schemas have been extended
  - Positive extensions: New attributes (mainly internal info)
  - Negative extensions: Attributes in SCIM spec that aren’t supported
• Legacy APIs forward requests on to SCIM
The Benefits
• Single API for everything identity
• Mobile application has a light-weight API to use
• SCIM clients are easy to write
  - Have seen no need to write a toolkit
Case Study: Fortune 1000 Networking
The Setup
• Needed a consistent identity API that can be used:
  - By customers
  - Internally between products
  - To communicate with IdPs
The Solution
(Diagram: a SCIM Identity Service in the middle, connected read/write to Custom Clients, Internal Systems, IdPs, and an AD Sync Client)
(Slide caption: DOES THIS LOOK FAMILIAR?)
The Interesting Parts
• Exploring an “organizational unit” extension to facilitate multi-tenancy in the API
• Exploring a pub/sub SCIM model
  - Client subscribes to be notified of changes
  - SCIM server sends out notifications
The Benefits
• Single API for everything identity
• No need to provide documentation
  - Just point developers at the spec
• Easy to implement
Case Studies in brief
PaaS – CloudFoundry
• CloudFoundry is an open platform-as-a-service (PaaS)
• Identity APIs leverage standards
  - SCIM, OAuth2, and OpenID Connect
• Benefits
  - Use existing open API rather than reinventing the wheel
  - Use SCIM extensions for some non-identity APIs
IDaaS and IAM Vendors
• IDaaS and IAM vendors need to:
  - Allow external access to their identity store
  - Provision/read identities and groups to/from other applications
• SCIM server provides external access
• SCIM client provides provisioning to other applications
• Benefits
  - Standardized API makes external integration easy
  - Applications that support SCIM can be integrated immediately
    • No custom connector is required
    • No product upgrade required to support new apps
Vendors: SailPoint, Salesforce, Ping, VMWare, neXus, Oracle, UnboundID
Higher Education
• Higher education is largely focused on federation
  - Need to propagate minimum amount of identity data
  - Authorization data (group memberships) are very important
  - Federation attribute payload works well for Just In Time (JIT) provisioning
  - SCIM enables more robust record propagation when JIT is not good enough
    • For example, email account provisioning often must occur before first login
(Slide subtitle: Federations that need attribute exchange)
Higher Education
• VOOT is an identity/group protocol built on top of SCIM
  - Adds more features around group membership
• Grouper is a user/group management tool developed by Internet2
  - SCIM integration allows writing to down-stream endpoints
http://openvoot.org/
https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+Integration
(Slide subtitle: VOOT and Grouper)
Case Study: neXus – Internet of Things
The Setup
• IoT provider needed:
  - A registry of devices associated with a user
  - Information about the device (bluetooth address, etc.)
  - A mobile app that can
    • Authenticate
    • Retrieve user information (including devices)
    • Communicate with devices
  - Devices that can send status updates
The Solution
(Diagram: Mobile App, SCIM Server, and a car exchanging the following messages)

Mobile App → SCIM Server (as authenticated user):
GET /me

Response:
{
  "id": "89723-83703",
  "devices": [
    {
      "name": "Tesla",
      "bluetoothAddress": "000A3A58F310",
      "deviceType": "electricCar",
      "batteryLife": 58,
      ...
    },
    ...
  ]
}

Mobile App → car, over Bluetooth: Start A/C

Car (device status update) → SCIM Server:
PATCH /Cars/89723-83703
{
  "batteryLife": 57,
  "location": { "lat": 30.4045541, "long": -97.8489572 }
}
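When the writer of a `PATCH /Cars/{id}` is a constrained device rather than an administrator, the server should accept only the telemetry fields a device legitimately reports and only for the device's own resource. The block below is an added example of that server-side check, not neXus' code or anything from the slides; the `/Cars` resource shape and the PATCH body come from the slide, while the allow-list, the value ranges, and the idea that the caller is identified by the device id it authenticated as are my assumptions. The slide's PATCH is a plain partial-object merge, which is what is implemented here rather than the RFC 7644 `PatchOp` operations list.

```python
"""Apply a device-originated PATCH to a /Cars resource with an attribute
allow-list, value validation, and an ownership check (added example)."""
import copy

# Assumption: the only attributes a device itself may write.
DEVICE_WRITABLE = {"batteryLife", "location"}

# Constructed sample store, seeded from the resource shown on the slide.
CARS = {
    "89723-83703": {
        "id": "89723-83703",
        "name": "Tesla",
        "bluetoothAddress": "000A3A58F310",
        "deviceType": "electricCar",
        "batteryLife": 58,
    }
}


class PatchRejected(Exception):
    """The device asked for a change it is not allowed to make."""


def _is_number(v) -> bool:
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def _validate(attr: str, value) -> None:
    """Schema checks for the device-writable attributes."""
    if attr == "batteryLife":
        if not isinstance(value, int) or isinstance(value, bool) or not 0 <= value <= 100:
            raise PatchRejected("batteryLife must be an integer percentage 0-100")
    elif attr == "location":
        if (not isinstance(value, dict) or set(value) != {"lat", "long"}
                or not all(_is_number(v) for v in value.values())
                or not -90 <= value["lat"] <= 90
                or not -180 <= value["long"] <= 180):
            raise PatchRejected("location must be {lat, long} within range")


def patch_car(store: dict, car_id: str, patch: dict, caller_device_id: str) -> dict:
    """Merge `patch` into the car resource and return the updated resource."""
    # Ownership: the authenticated device may only touch its own resource.
    if caller_device_id != car_id:
        raise PatchRejected("a device may only update its own resource")
    car = store.get(car_id)
    if car is None:
        raise KeyError(car_id)
    # Allow-list: anything outside it (owner, name, deviceType, id...) is refused.
    disallowed = set(patch) - DEVICE_WRITABLE
    if disallowed:
        raise PatchRejected(f"not device-writable: {sorted(disallowed)}")
    for attr, value in patch.items():
        _validate(attr, value)
    updated = {**car, **copy.deepcopy(patch)}     # partial update: untouched attrs stay
    store[car_id] = updated
    return updated


def try_patch_car(store: dict, car_id: str, patch: dict, caller_device_id: str):
    """Return (True, resource) or (False, reason) for callers that map to HTTP."""
    try:
        return True, patch_car(store, car_id, patch, caller_device_id)
    except (PatchRejected, KeyError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    store = copy.deepcopy(CARS)
    body = {"batteryLife": 57, "location": {"lat": 30.4045541, "long": -97.8489572}}
    print(try_patch_car(store, "89723-83703", body, caller_device_id="89723-83703"))
    print(try_patch_car(store, "89723-83703", {"name": "Other"}, caller_device_id="89723-83703"))
```

The same allow-list idea generalises to the other device endpoints the slides mention (for example `/Vacuums`): each device type gets its own small set of writable telemetry attributes, and everything else stays under the control of the user-facing API.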
The Benefits
• Extended user schema to show which devices belong to each user
• New endpoints for devices to read/write device information
  - Example: /Cars, /Vacuums
• Extensible schema allows new device types to be imported via JSON files
• Extremely light-weight SCIM clients on mobile app and devices
  - This is very important for constrained devices
Where is SCIM?
Current Status
• 2.0 API, Core Schema, and Use Cases docs are complete
  - Will become official RFCs in the next couple of months
• IETF working group will continue to work on SCIM extensions
  - Passwords: http://datatracker.ietf.org/doc/draft-hunt-scim-password-mgmt/
  - Notify: http://datatracker.ietf.org/doc/draft-hunt-scim-notify/
  - Soft Delete: http://datatracker.ietf.org/doc/draft-ansari-scim-soft-delete/
  - Others TBD
Wrapping it up…
Adoption is growing…
“The SCIM interface will have parity with other APIs and will be a first-class citizen.”
-- Ian Glazer, Salesforce
“I’m also proud to say Oracle’s Amit Jasuja announced at last year’s OpenWorld that Oracle IDM’s key REST API for Identity will be SCIM…”
--Phil Hunt, Oracle
Adoption is growing…
“SCIM works perfectly for constrained devices.”
-- Erik Wahlström, neXus
“SCIM is simple to implement.”
-- Haavar Valeur, Citrix
[email protected]
@kelly_grizzle
http://simplecloud.info