Scim overview

1 © 2014 Cisco and/or its affiliates. All rights reserved. Morteza Ansari SCIM Overview June 23, 2014

description

Slides presented at the Bay Area Identity Developers meetup in June 2014. Covers an overview of SCIM, its history, the schema, and protocol semantics.

Transcript of Scim overview

Page 1: Scim overview


Morteza Ansari

SCIM Overview

June 23, 2014

Page 2: Scim overview


Agenda

• History

• Use Cases

• Schema

• Protocol

• References

Page 3: Scim overview


History

• Started 2010

• Really started May 2011

• 12 companies participated under OWF: ADP, BCP Soft, Canarie, Cisco, Courion, Id Machines, Ping Identity, Nexux, Sailpoint, SalesForce, UnboundID, WSO2

• 1.0 was published Dec. 2011

• 12 independent implementations

• Frequent interop events at IIW, CIS, and one at IETF

• IETF BOF Mar. 2012

• IETF WG Jul. 2012

Page 4: Scim overview


Use Cases

• How do I provision a user account for service X?

• How do I de-provision a user account from service X?

• How do I update an existing account for service X?

• How do I keep my organization’s users in sync with service X?

• How do I manage groups?

• How do I cross-provision across cloud services?

Page 5: Scim overview


Use Cases

• User/Group provisioning from Enterprise to Cloud

Page 6: Scim overview


Use Cases

• User/Group provisioning from Enterprise to Cloud

• User/Group provisioning from cloud service to cloud service

Page 7: Scim overview


Use Cases

• User/Group provisioning from Enterprise to Cloud

• User/Group provisioning from cloud service to cloud service

• Used in many, many more cases today

  Enterprise provisioning/cross provisioning

  Identity access

  Many new endpoints: machines, contacts, tenants, devices, …

Page 8: Scim overview


What is a User?

dn: cn=HomerJSimpson,o=domain-name
cn: HomerJSimpson
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: [email protected]
givenname: Homer
sn: Simpson
postalAddress: 742 Evergreen Terrace
l: Springfield
st: Kentsouri
postalCode: 01234
telephoneNumber: (888) 555-1111
jpegPhoto: http://www.simpsons.com/homer.jpg

Page 9: Scim overview


Why not SPML?

• OASIS Standard (1.0 – 2003; 2.0 – 2006)

• No core Schema

• Complex – real or perceived

• Some traction within enterprises, none for cloud services

• Limited support - few tools/products

“Built it, nobody came!”

Page 10: Scim overview


What is SCIM?

• Set of pre-defined schema – Users & Groups

• RESTful API definition

• CRUD

• Bulk operations

• Search

• Discovery

• Extension semantics (basic in 1.x)

• Support for complex data models

• SIMPLE!!!

Page 11: Scim overview


Schema

• Rich information model

• XML & JSON data models

• Concrete artifacts: Users & Groups

• Usage semantics: MTI & recommended

• Extensibility: Enterprise User

Page 12: Scim overview


Schema

• Resource is an attribute container

• An attribute is Simple or Complex; Single-valued or Plural

• Extensible

• Data type added in 2.0

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "701984",
  "userName": "[email protected]",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara",
    "middleName": "Jane",
    "honorificPrefix": "Ms.",
    "honorificSuffix": "III"
  },
  "displayName": "Babs Jensen",
  "nickName": "Babs",
  "profileUrl": "https://login.example.com/bjensen",
  "emails": [
    { "value": "[email protected]", "type": "work", "primary": true },
    { "value": "[email protected]", "type": "home" }
  ],
  "meta": {
    "created": "2010-01-23T04:56:22Z",
    "lastModified": "2011-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location": "https://example.com/v1/Users/2819c223-7f76"
  }
}

Page 13: Scim overview


Example: User

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v1/Users/2819c223...",
    "version": "W\/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    { "value": "555-555-8377", "type": "work" }
  ]
}

Slide callouts: Required; Complex; Simple; Complex multi-valued

Page 14: Scim overview


Example: Extended User

{
  "schemas": ["urn:scim:schemas:core:1.0",
              "urn:scim:schemas:extension:enterprise:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "userName": "bjensen",
  "urn:scim:schemas:extension:enterprise:1.0": {
    "employeeNumber": "701984",
    "costCenter": "4130",
    "organization": "Universal Studios",
    "division": "Theme Park",
    "department": "Tour Operations",
    "manager": {
      "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
      "displayName": "John Smith"
    }
  }
}

Slide callouts: Declaration (the extension URN listed in "schemas"); Use (the attributes nested under that URN)

Page 15: Scim overview


Example: Group

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "displayName": "Tour Guides",
  "members": [
    { "value": "2819c223-7f76-453a-919d-413861904646", "displayName": "Babs Jensen", "type": "User" },
    { "value": "4769c303-ab76-673a-769d-413867987436", "displayName": "Mandy Pepperidge", "type": "User" }
  ]
}

Slide callouts: Type (User|Group); Optional & Read-only
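The User, Extended User and Group examples above share one attribute model: a resource is a container of Simple or Complex attributes, each single-valued or plural, and extension attributes sit under their schema URN, which must be declared in "schemas" before it is used. The validator below is an added example written for this overview, not code from the deck or from any SCIM implementation. Its attribute tables (USER, GROUP, EXTENSIONS) are constructed from the resources shown on these slides and cover only those attributes, and `validate` is a name chosen here.

```python
"""Structural check of SCIM 1.x User and Group resources: Simple vs Complex,
single-valued vs plural, and extension attributes namespaced by a schema URN
that has to be declared in "schemas"."""

CORE = "urn:scim:schemas:core:1.0"
ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"


def _simple(required=False):
    return {"kind": "simple", "multi": False, "required": required}


def _complex(sub, multi=False, required=False):
    return {"kind": "complex", "multi": multi, "sub": set(sub), "required": required}


# Attribute tables constructed from the resources on the slides (an assumption
# for this example; the specification defines more attributes than these).
_MV = ("value", "display", "displayName", "type", "primary")
_META = _complex(("created", "lastModified", "version", "location"))
USER = {
    "id": _simple(), "externalId": _simple(), "userName": _simple(required=True),
    "name": _complex(("formatted", "familyName", "givenName", "middleName",
                      "honorificPrefix", "honorificSuffix")),
    "displayName": _simple(), "nickName": _simple(), "profileUrl": _simple(),
    "title": _simple(), "userType": _simple(), "password": _simple(),
    "emails": _complex(_MV, multi=True), "phoneNumbers": _complex(_MV, multi=True),
    "groups": _complex(_MV, multi=True), "roles": _complex(_MV, multi=True),
    "entitlements": _complex(_MV, multi=True), "meta": _META,
}
GROUP = {
    "id": _simple(), "externalId": _simple(), "displayName": _simple(required=True),
    "members": _complex(_MV, multi=True), "meta": _META,
}
EXTENSIONS = {
    ENTERPRISE: {
        "employeeNumber": _simple(), "costCenter": _simple(), "organization": _simple(),
        "division": _simple(), "department": _simple(),
        "manager": _complex(("managerId", "displayName")),
    },
}


def _check_attr(path, value, spec, errors):
    """Check one attribute value against its kind (simple/complex) and cardinality."""
    if spec["kind"] == "simple":
        if isinstance(value, (dict, list)):
            errors.append(f"{path}: simple attribute must not be an object or array")
        return
    values = value if spec["multi"] else [value]
    if not isinstance(values, list) or not all(isinstance(v, dict) for v in values):
        shape = "a list of objects" if spec["multi"] else "an object"
        errors.append(f"{path}: expected {shape}")
        return
    if spec["multi"] and sum(1 for v in values if v.get("primary") is True) > 1:
        errors.append(f"{path}: at most one value may be marked primary")
    for v in values:
        for sub in v:
            if sub not in spec["sub"]:
                errors.append(f"{path}.{sub}: unknown sub-attribute")


def validate(resource, kind="User", require_id=True):
    """Return a list of problems; an empty list means the resource passed.
    Use require_id=False for a create request, where the SP has not yet assigned id."""
    errors = []
    core = USER if kind == "User" else GROUP
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or CORE not in schemas:
        errors.append(f'schemas: must be a list containing "{CORE}"')
        schemas = schemas if isinstance(schemas, list) else []
    for name, spec in core.items():
        if spec["required"] and name not in resource:
            errors.append(f"{name}: required attribute missing")
    if require_id and "id" not in resource:
        errors.append("id: required in a service-provider response")
    for name, value in resource.items():
        if name == "schemas":
            continue
        if name.startswith("urn:"):
            # Extension attributes live under their schema URN, which must be declared.
            if name not in schemas:
                errors.append(f"{name}: extension used but not declared in schemas")
            if not isinstance(value, dict):
                errors.append(f"{name}: extension value must be an object")
                continue
            ext = EXTENSIONS.get(name, {})
            for sub, subval in value.items():
                if sub in ext:
                    _check_attr(f"{name}:{sub}", subval, ext[sub], errors)
                else:
                    errors.append(f"{name}:{sub}: unknown extension attribute")
        elif name not in core:
            errors.append(f"{name}: unknown core attribute")
        else:
            _check_attr(name, value, core[name], errors)
    return errors


if __name__ == "__main__":
    # Constructed sample modelled on the slide-12 User.
    sample = {"schemas": [CORE], "id": "2819c223-7f76-453a-919d-413861904646",
              "userName": "bjensen", "name": {"familyName": "Jensen", "givenName": "Barbara"},
              "emails": [{"value": "bjensen@example.com", "type": "work", "primary": True}]}
    print(validate(sample) or "ok")
```

Running the check on the slide's Extended User with the enterprise URN left out of "schemas" reports the undeclared extension; two emails both marked primary, or a simple attribute carrying an object, are reported the same way.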

Page 16: Scim overview


Protocol

• HTTP/REST

• CRUD

• Bulk

• Search

• Discovery

• Simple MTI, Complex optional

• Extensible

• Versioned

• “cURL” friendly

Page 17: Scim overview


Operations

• Discovery

• Create = POST https://example.com/{v}/{resource}

• Read = GET https://example.com/{v}/{resource}/{id}

• Update = PUT https://example.com/{v}/{resource}/{id}

• Delete = DELETE https://example.com/{v}/{resource}/{id}

• Update = PATCH https://example.com/{v}/{resource}/{id}

• Search = GET https://example.com/{v}/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending|descending}

• Bulk

Page 18: Scim overview


Discovery

• GET /Schemas

  Introspect resources and attribute extensions

• GET /ServiceProviderConfigs

  Spec compliance

  Support for bulk, patch, etc.

  Authentication schemes: OAuth, HTTP basic, etc.

  Data formats: support for XML
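A client is expected to read these discovery documents and adapt, rather than assume what the service provider supports. The following is an added example for this overview (not the deck's code or any product's) of a client consuming a constructed ServiceProviderConfigs response: it refuses to authenticate unless the endpoint is HTTPS (TLS is MTI), prefers a bearer-token scheme over HTTP basic, plans a synchronization as bulk batches only when bulk is advertised, falls back from PATCH to PUT, and clamps page sizes to the provider's filter.maxResults. The document layout follows the SCIM 1.1 ServiceProviderConfig shape; the sample values and the scheme preference order are choices made for this example.

```python
import json
import math

# Constructed ServiceProviderConfigs document shaped like a SCIM 1.1 response;
# a real client would obtain it with GET /ServiceProviderConfigs.
SAMPLE_CONFIG = json.loads("""{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "patch": {"supported": false},
  "bulk": {"supported": true, "maxOperations": 1000, "maxPayloadSize": 1048576},
  "filter": {"supported": true, "maxResults": 200},
  "changePassword": {"supported": true},
  "sort": {"supported": false},
  "etag": {"supported": true},
  "xmlDataFormat": {"supported": false},
  "authenticationSchemes": [
    {"name": "HTTP Basic", "description": "Authentication scheme using the HTTP Basic Standard",
     "specUrl": "http://www.ietf.org/rfc/rfc2617.txt"},
    {"name": "OAuth Bearer Token", "description": "Authentication scheme using the OAuth Bearer Token Standard",
     "specUrl": "http://tools.ietf.org/html/rfc6750"}
  ]
}""")

# Preference order for this client, strongest first (a policy choice for this example).
SCHEME_PREFERENCE = ["bearer", "basic"]


def supported(config, feature):
    """True when the provider advertises the feature block with "supported": true."""
    return bool(config.get(feature, {}).get("supported"))


def pick_auth_scheme(config, base_url):
    """Choose the strongest advertised scheme; never send credentials without TLS."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("SCIM requires TLS; refusing to authenticate over plain HTTP")
    names = [s.get("name", "").lower() for s in config.get("authenticationSchemes", [])]
    for pref in SCHEME_PREFERENCE:
        if any(pref in n for n in names):
            return pref
    raise ValueError("no mutually supported authentication scheme")


def plan_sync(config, n_changes):
    """How to push n_changes updates: bulk batches when advertised, else one request each."""
    if supported(config, "bulk") and n_changes > 0:
        per = config["bulk"].get("maxOperations") or n_changes
        return {"mode": "bulk", "requests": math.ceil(n_changes / per), "per_request": per}
    return {"mode": "single", "requests": n_changes, "per_request": 1}


def update_method(config):
    """PATCH for partial edits (e.g. a large member list) when supported, otherwise a full PUT."""
    return "PATCH" if supported(config, "patch") else "PUT"


def page_size(config, wanted):
    """Clamp a requested count to the provider's filter.maxResults."""
    limit = config.get("filter", {}).get("maxResults")
    return min(wanted, limit) if limit else wanted


if __name__ == "__main__":
    print(pick_auth_scheme(SAMPLE_CONFIG, "https://example.com"),
          plan_sync(SAMPLE_CONFIG, 2500), update_method(SAMPLE_CONFIG), page_size(SAMPLE_CONFIG, 500))
```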

Page 19: Scim overview


Create Request

POST /v1/Users HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}

Slide callouts: Operation; Resource Type; Format; AuthZ; "User" payload

Page 20: Scim overview


Create Response

HTTP/1.1 201 Created
Content-Type: application/json
Location: https://example.com/v1/Users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v1/Users/281...",
    "version": "W\/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen"
}

Slide callouts: Result code; Format; "Permalink"; SP-generated ID

Page 21: Scim overview


Get Request

GET /v1/Users/2819c223-7f76-453a-919d-413861904646.json
Host: example.com
Authorization: Bearer h480djs93hd8

Slide callouts: Operation; Resource Type; Stable ID; Format

Page 22: Scim overview


Get Response

HTTP/1.1 200 OK
Content-Type: application/json
Location: https://example.com/v1/Users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v1/Users/281...",
    "version": "W\/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen"
}

Slide callouts: Result code; Format; "Permalink"; SP ID

Page 23: Scim overview


Search Request

GET /v1/Users?filter=title pr and userType eq "Employee"
    &sortBy=title
    &sortOrder=ascending
    &attributes=title,username
    &startIndex=11
    &count=10
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

Slide callouts: Operation; Resource Type; URL-encoded filter (shown decoded here); Sorting; Partial results; Index-based pagination

Page 24: Scim overview


Search Response

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "totalResults": 2,
  "Resources": [
    { "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97", "title": "Assistant VP", "userName": "bjensen" },
    { "id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57", "title": "VP", "userName": "jsmith" }
  ]
}

Slide callouts: Pagination (totalResults); Users (Resources); SP ID ever present
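The search request and response on slides 23 and 24 exercise the whole search operation from slide 17: a filter of the form `attribute op value` combined with `and`/`or` (plus `pr` for "present"), sortBy/sortOrder, an attributes projection in which the SP id is always returned, and 1-based startIndex/count paging. The code below is an added example for this overview, not the deck's code and not any SCIM server's implementation. It implements the service-provider side of that search over a constructed in-memory directory and adds the one thing a practitioner building filters from user input needs: a `quote` helper that encodes untrusted text as a string literal so it cannot change the filter's structure. Names such as `FilterParser`, `values_at`, `search` and `quote` are chosen here; treating string comparison as case-insensitive is an assumption of this example, and parenthesised sub-expressions are not handled.

```python
import json
import re
CORE = "urn:scim:schemas:core:1.0"
OPS = {"eq", "co", "sw", "gt", "ge", "lt", "le"}
_TOKEN = re.compile(r'\s*(?:("(?:\\.|[^"\\])*")|(\S+))')  # quoted string | bare word

def tokenize(text):
    """Split a filter expression into quoted string literals and bare words."""
    return [m.group(1) or m.group(2) for m in _TOKEN.finditer(text.strip())]

class FilterParser:
    # expr := term ('or' term)*   term := factor ('and' factor)*
    # factor := attr 'pr' | attr op value        ('and' binds tighter than 'or')
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def _peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else ""
    def _take(self):
        self.i += 1
        if self.i > len(self.toks):
            raise ValueError("unexpected end of filter")
        return self.toks[self.i - 1]
    def _binary(self, word, operand):
        node = operand()
        while self._peek() == word:
            self._take()
            node = (word, node, operand())
        return node
    def _factor(self):
        attr, op = self._take(), self._take().lower()
        if op == "pr":
            return ("pr", attr, None)
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        return (op, attr, json.loads(self._take()))  # values use JSON literal syntax
    def parse(self):
        node = self._binary("or", lambda: self._binary("and", self._factor))
        if self._peek():
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")
        return node

def _get(obj, key):  # attribute names are case-insensitive in SCIM
    return next((v for k, v in obj.items() if k.lower() == key.lower()), None)

def values_at(resource, path):
    """Resolve a dotted path; a plural attribute contributes each element's 'value'."""
    node = resource
    for part in path.split("."):
        if isinstance(node, dict):
            node = _get(node, part)
        elif isinstance(node, list):
            node = [_get(v, part) for v in node if isinstance(v, dict)]
        else:
            return []
    leaves = node if isinstance(node, list) else [node]
    leaves = [_get(x, "value") if isinstance(x, dict) and "value" in x else x for x in leaves]
    return [v for v in leaves if v is not None]

_CMP = {"eq": lambda a, e: a == e, "co": lambda a, e: e in a, "sw": lambda a, e: a.startswith(e),
        "gt": lambda a, e: a > e, "ge": lambda a, e: a >= e, "lt": lambda a, e: a < e, "le": lambda a, e: a <= e}

def _match(op, actual, expected):
    if isinstance(actual, str) and isinstance(expected, str):
        actual, expected = actual.lower(), expected.lower()  # case-insensitive string compare (assumption)
    try:
        return bool(_CMP[op](actual, expected))
    except (TypeError, AttributeError):
        return False

def evaluate(node, resource):
    op, left, right = node
    if op == "and":
        return evaluate(left, resource) and evaluate(right, resource)
    if op == "or":
        return evaluate(left, resource) or evaluate(right, resource)
    found = values_at(resource, left)
    return bool(found) if op == "pr" else any(_match(op, v, right) for v in found)

def search(resources, filter=None, sortBy=None, sortOrder="ascending", attributes=None, startIndex=1, count=None):
    """Filter, sort, project and page (1-based startIndex) into a SCIM list response."""
    hits = list(resources)
    if filter:
        tree = FilterParser(filter).parse()
        hits = [r for r in hits if evaluate(tree, r)]
    if sortBy:
        hits.sort(key=lambda r: (values_at(r, sortBy) or [""])[0], reverse=sortOrder.lower() == "descending")
    start = max(int(startIndex), 1)
    page = hits[start - 1:] if count is None else hits[start - 1:start - 1 + int(count)]
    if attributes:
        wanted = {a.lower() for a in attributes} | {"id"}  # the SP-assigned id is always returned
        page = [{k: v for k, v in r.items() if k.lower() in wanted} for r in page]
    return {"schemas": [CORE], "totalResults": len(hits), "itemsPerPage": len(page), "startIndex": start, "Resources": page}

def quote(value):  # encode untrusted text as a filter string literal so it cannot alter the filter's structure
    return json.dumps(str(value))

USERS = [  # constructed sample directory for this example
    {"id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97", "userName": "bjensen", "title": "Assistant VP", "userType": "Employee"},
    {"id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57", "userName": "jsmith", "title": "VP", "userType": "Employee"},
    {"id": "f0e1d2c3-0000-4000-8000-000000000003", "userName": "mpepperidge", "userType": "Employee"},
]
```

Calling `search(USERS, filter='title pr and userType eq "Employee"', sortBy="title", attributes=["title", "username"])` reproduces the two-entry response on slide 24, with `id` kept in every entry. Interpolating a caller-supplied value straight into `userType eq "..."` lets a value containing a double quote extend the filter with its own `or` clause; passing it through `quote` keeps it a literal, so the same input matches nothing. On the wire the whole filter still has to be URL-encoded, as the slide's callout says.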

Page 25: Scim overview


Patch & Bulk

• PATCH

  Allows providing partial updates to resources

  May be important if modifying a large multi-valued attribute on a resource (e.g. group members)

• Bulk

  Allows performing many operations at once

  Useful for synchronizing data into a service provider

• Both are optional

Page 26: Scim overview


Security Considerations

• TLS MTI

• Standard HTTP considerations apply

• Authentication is discoverable; OAuth bearer token recommended

• HTTP basic is commonly implemented for interoperability

• Authorization attributes are *VERY* loosely defined: roles, groups, and entitlements

Page 27: Scim overview


Sensitive Data

{
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "name": { "familyName": "Jensen", "givenName": "Barbara" },
  "userName": "bjensen",
  "password": "maybe_plaintext",
  "roles": [ { "value": "RA" } ],
  "groups": [ { "value": "2819c223-7f76-453a-919d-982763095", "display": "Student" } ],
  "entitlements": [ { "value": "delete users" } ]
}

Slide callouts: Password; AuthZ (roles, groups, entitlements)
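The resource above carries the two kinds of data the Security Considerations slide singles out: a password that arrives in the request body and must not come back out, and authorization attributes (roles, groups, entitlements) whose meaning is only loosely defined, so every change to them deserves an audit record. The code below is an added example for this overview, not the deck's code and not any SCIM server's implementation, showing the service-provider side of the Create Request/Response slides with those concerns handled: the stored record keeps only a salted PBKDF2 hash, the response body omits write-only attributes while mirroring meta.version and meta.location into the ETag and Location headers, updates are accepted only when an If-Match header matches the current weak ETag (the If-Match check is standard HTTP, not something the slides describe), and an audit helper lists authorization changes between two records. Names such as `store_user`, `to_response`, `etag_matches` and `authz_changes` are chosen here; the version tokens are generated randomly for the example.

```python
import copy
import hashlib
import os
import uuid
from datetime import datetime, timezone

CORE = "urn:scim:schemas:core:1.0"
WRITE_ONLY = {"password"}                          # accepted in requests, never returned
AUTHZ_ATTRS = ("roles", "groups", "entitlements")  # loosely defined, so audit every change


def hash_password(password, salt=None):
    """Keep only a salted PBKDF2 hash of the password; the plaintext is discarded."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return "pbkdf2-sha256$" + salt.hex() + "$" + digest.hex()


def new_version():
    """Weak ETag in the form the slides show, e.g. W/"e180ee84f0671b1" (random token here)."""
    return 'W/"' + uuid.uuid4().hex[:15] + '"'


def store_user(payload, base="https://example.com/v1/Users", now=None):
    """Turn a create request body into the stored record: the SP assigns id and meta."""
    stored = copy.deepcopy(payload)
    stored["id"] = str(uuid.uuid4())
    if "password" in stored:
        stored["password"] = hash_password(stored["password"])
    when = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    stored["meta"] = {"created": when, "lastModified": when,
                      "version": new_version(), "location": f"{base}/{stored['id']}"}
    return stored


def to_response(stored, status=201):
    """Client view of a record: write-only attributes removed, version/location mirrored in headers."""
    body = {k: v for k, v in stored.items() if k not in WRITE_ONLY}
    headers = {"Content-Type": "application/json",
               "ETag": stored["meta"]["version"], "Location": stored["meta"]["location"]}
    return status, headers, body


def _norm(tag):
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def etag_matches(if_match, stored):
    """Weak If-Match comparison; a missing header counts as a mismatch so blind overwrites fail."""
    if if_match is None:
        return False
    if if_match.strip() == "*":
        return True
    return any(_norm(t) == _norm(stored["meta"]["version"]) for t in if_match.split(","))


def authz_changes(old, new):
    """Added/removed roles, groups and entitlements between two records, for the audit log."""
    changes = []
    for attr in AUTHZ_ATTRS:
        before = {str(v.get("value")) for v in old.get(attr, [])}
        after = {str(v.get("value")) for v in new.get(attr, [])}
        changes += [(attr, "added", v) for v in sorted(after - before)]
        changes += [(attr, "removed", v) for v in sorted(before - after)]
    return changes


if __name__ == "__main__":
    # Constructed request modelled on the slide's "Sensitive Data" resource.
    req = {"schemas": [CORE], "externalId": "bjensen", "userName": "bjensen",
           "password": "maybe_plaintext", "roles": [{"value": "RA"}],
           "entitlements": [{"value": "delete users"}]}
    rec = store_user(req)
    print(sorted(to_response(rec)[2]), authz_changes({}, req))
```

A PUT or PATCH handler built on this would call `etag_matches(request.headers.get("If-Match"), rec)` before applying the change and answer 412 Precondition Failed on a mismatch, then log `authz_changes(rec, updated)` alongside the authenticated caller.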

Page 28: Scim overview


References

• http://www.simplecloud.info

• SCIM v1.1

  http://www.simplecloud.info/specs/draft-scim-core-schema-01.html

  http://www.simplecloud.info/specs/draft-scim-api-01.html

• SCIM v2.0

  http://tools.ietf.org/html/draft-ietf-scim-core-schema

  http://tools.ietf.org/html/draft-ietf-scim-api

  http://tools.ietf.org/html/draft-ietf-scim-use-cases

• IETF SCIM WG: http://tools.ietf.org/wg/scim/

• mailto: [email protected]

• Credit for slides: IETF WG, Trey Drake & Kelly Grizzle