Standardizing Identity Provisioning with SCIM
Uploaded by wso2. Category: Technology.
Transcript of Standardizing Identity Provisioning with SCIM
Hasini Gunasinghe, Software Engineer
Example – an employee joining WSO2
(Diagram: the new employee needs an account in LDAP, in other internal apps, and in other cloud apps/services, all fed from a provisioning system.)
Image courtesy: http://www.crn.com/slide-shows/applications-os/223800159/google-apps-marketplace-10-hot-cloud-applications.htm http://newmediasense.net/more-than-50-cloud-developers-commit-to-jive-apps-market%E2%84%A2/222888/
What is it..?
"Creation, maintenance & deactivation of user accounts, in one or more systems or applications, in response to automated or interactive business processes."
- Wikipedia
Identifying the parties involved…
ECS – Enterprise Cloud Subscriber
CSU – Cloud Service User
CSP – Cloud Service Provider
(Diagram: on the ECS side, LDAP, the provisioning system and other internal apps; on the CSP side, the other cloud apps/services that the CSU uses.)
Current approach...
(Diagram: the provisioning system is wired point-to-point to LDAP, to other internal apps, and to each of the other cloud apps/services.)
Problems with the current approach..
Redundant integration effort on both the ECS and the CSP side. Maintaining many connectors is a nightmare.
Complexity and cost.
The solution would be a common protocol that everyone agrees on.
Image courtesy : http://causerelatedmarketing.blogspot.com/2011/09/lets-bring-open-standards-to-practice.html
1. Authentication: SAML based WS-Trust & SSO, OpenID, OAuth
2. Authorization: XACML
3. Provisioning: SPML, WS-Provisioning, SCIM
How does an open standard solve the current problems..?
(Diagram: the provisioning system talks one protocol to LDAP, to other internal apps, and to other cloud apps/services, instead of one connector per target.)
SCIM:
Emerging open standard. REST API.
Platform neutral schema.
SAML binding.
Emphasis on simplicity and interoperability.
In a nutshell... (Protocol)
REST API: resource endpoints and the supported HTTP methods.
In a nutshell... (Protocol)
REST API
The SCIM REST API is relative to a base URL, e.g. https://example.com/scim/v1/
Requests are made via HTTP operations on a URL derived from the base URL, e.g. POST -> https://example.com/scim/v1/Users
JSON / XML formats
In a nutshell... (Schema)
Resource – a collection of attributes.
A schema defines the attributes.
SCIM Core Schema
Extension model: additive – similar to auxiliary object classes in LDAP.
In a nutshell... (Schema)
Other SCIM schemas:
User Schema, Enterprise User Schema Extension
Group Schema
Service Provider Configuration Schema
Resource Schema
In a nutshell... (Schema)
Minimal user representation in JSON & XML formats.
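The minimal User in both wire formats, rendered and parsed with the standard library. This is an added example, not code from the talk or from WSO2; the core schema URN urn:scim:schemas:core:1.0 and the rule that only "schemas" and "userName" are required come from SCIM 1.x, the function names and the content-type dispatch are this example's own.

```python
"""Minimal SCIM 1.x User in JSON and in XML, plus a parser that accepts either."""
import json
import xml.etree.ElementTree as ET

CORE = "urn:scim:schemas:core:1.0"   # SCIM 1.x core schema URN


def minimal_user_json(user_name: str) -> str:
    """Smallest valid User body: the core schema plus a userName."""
    return json.dumps({"schemas": [CORE], "userName": user_name},
                      separators=(",", ":"))


def minimal_user_xml(user_name: str) -> str:
    """Same resource as XML: the core schema URN becomes the default namespace."""
    root = ET.Element("User", xmlns=CORE)
    ET.SubElement(root, "userName").text = user_name
    return ET.tostring(root, encoding="unicode")


def parse_user(body: str, content_type: str) -> dict:
    """Accept either representation and normalise it to the JSON-shaped dict."""
    if content_type == "application/json":
        user = json.loads(body)
    elif content_type == "application/xml":
        root = ET.fromstring(body)
        # ElementTree reports namespaced tags as "{namespace}localname"
        if root.tag != "{%s}User" % CORE:
            raise ValueError("not a core-schema User element")
        user = {"schemas": [CORE]}
        for child in root:
            user[child.tag.split("}")[-1]] = child.text
    else:
        raise ValueError("unsupported Content-Type: %s" % content_type)
    if "userName" not in user or CORE not in user.get("schemas", []):
        raise ValueError("schemas and userName are required")
    return user
```

Both renderings carry exactly the same information, which is the point of the platform-neutral schema: a client may send either, and a server normalises before it touches its store.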
In a nutshell... (SAML binding)
SCIM - SAML mapping:
Attributes
SSO Assertion
AttributeQuery
Metadata
In a nutshell... (Brief history)
Started in mid 2010.
Version 1.0 approved in Dec 2011.
Working on submitting to IETF.
Discussions made open at
Platform neutral schema: mandatory core schema with an extension model. Flexibility, interoperability, simplicity.
REST API: lightweight, with JSON support. Avoids the performance bottleneck on the connector.
SAML binding: just-in-time provisioning with SSO. Pull / push based identity management.
More... Defined core + optional capabilities. Based on existing deployments and standards (LDAP, SAML). Several implementations. Adoption by major cloud vendors.
Outline:
Identity provisioning.
Value of open standards in the space of provisioning.
SCIM.
Why SCIM...?
Security Considerations (Protocol)
Authentication and authorization: OAuth 2.0 bearer tokens recommended.
Should be over TLS: a bearer token is only as secret as the channel it travels on.
The password attribute is accepted on writes but never returned in a response.
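The three considerations above, enforced on a GET /Users/{id} handler. Added example, not code from the talk or from WSO2 Identity Server: the in-memory token store, the refusal of plain http URLs, and the set of write-only attributes are this example's assumptions.

```python
"""TLS check, bearer-token check, and password scrubbing for a SCIM read."""
import secrets
from urllib.parse import urlsplit

# Constructed token store: opaque bearer token -> client identifier (assumption).
VALID_TOKENS = {"7c6d2f3e-bearer-token-for-hr-connector": "hr-connector"}

# Write-only attributes: accepted on POST/PUT/PATCH, never echoed in any response.
NEVER_RETURNED = {"password"}


class SCIMError(Exception):
    """Carries the HTTP status and a SCIM 1.1-style error body."""
    def __init__(self, status: int, description: str):
        super().__init__(description)
        self.status = status
        self.body = {"Errors": [{"description": description, "code": str(status)}]}


def require_tls(url: str) -> None:
    """Bearer tokens replay trivially if sniffed, so refuse anything but https."""
    if urlsplit(url).scheme != "https":
        raise SCIMError(403, "SCIM requests must be made over TLS")


def authenticate(headers: dict) -> str:
    """Validate 'Authorization: Bearer <token>' and return the caller's identity."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise SCIMError(401, "Bearer token required")
    for known, client in VALID_TOKENS.items():
        # constant-time comparison so a wrong token cannot be narrowed down by timing
        if secrets.compare_digest(known, token):
            return client
    raise SCIMError(401, "Invalid bearer token")


def scrub(resource: dict) -> dict:
    """Copy of a stored User with write-only attributes removed; storage is untouched."""
    return {k: v for k, v in resource.items() if k not in NEVER_RETURNED}


def handle_get_user(url: str, headers: dict, stored: dict) -> tuple[int, dict]:
    """GET /Users/{id}: TLS, then bearer auth, then a scrubbed representation."""
    try:
        require_tls(url)
        authenticate(headers)
    except SCIMError as e:
        return e.status, e.body
    return 200, scrub(stored)
```

The order matters: the TLS check runs before the token is even looked at, so a connector misconfigured with an http URL learns about it from a 403 rather than from a leaked token.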
Automated Provisioning:
(Diagram: Internal Apps, SaaS 1, SaaS 2, a SCIM based enterprise provisioning system, and the HR Administrator.)
(1) The HR Administrator creates the user account in the provisioning system; (2) the provisioning system creates the user in each internal app and SaaS over SCIM; (3) each target answers OK.
Example – Create User - Request (Protocol)
Example – Create User - Response (Protocol)
JIT provisioning with SSO - Pull
(Diagram: SaaS, Enterprise SSO IdP, User.)
Login -> SSO redirect to the enterprise IdP -> SAML Response -> the SaaS sends a SAML Attribute Query for the user's SCIM User identity -> the SaaS creates the user account.
Example – SAML Attribute Query (SAML binding)
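The pull flow above as code, added here as an example (not the talk's or WSO2's code): the SaaS builds the SAML AttributeQuery after the SSO redirect, and turns the IdP's answer into a SCIM User it can create locally. The attribute naming (SCIM attribute paths prefixed with the core schema URN, e.g. urn:scim:schemas:core:1.0:userName) follows the pattern of the SCIM 1.1 SAML binding draft and is an assumption here, as is the constructed, unsigned IdP response; signature verification is marked where it would sit.

```python
"""SAML AttributeQuery out, SCIM User in: just-in-time (pull) provisioning."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CORE = "urn:scim:schemas:core:1.0"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_attribute_query(issuer, subject, attrs):
    """AttributeQuery the SaaS sends to the enterprise IdP for the SSO'd subject."""
    q = ET.Element("{%s}AttributeQuery" % SAMLP, {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(q, "{%s}Issuer" % SAML).text = issuer
    subj = ET.SubElement(q, "{%s}Subject" % SAML)
    ET.SubElement(subj, "{%s}NameID" % SAML).text = subject
    for a in attrs:   # assumed naming: <core schema URN>:<SCIM attribute path>
        ET.SubElement(q, "{%s}Attribute" % SAML, Name="%s:%s" % (CORE, a))
    return ET.tostring(q, encoding="unicode")


def scim_user_from_response(xml_text, expected_subject):
    """Map the SCIM-named attributes of a SAML Response onto a User resource."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    # Production code verifies the Assertion's XML signature here, before trusting it.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id != expected_subject:
        raise ValueError("assertion subject %r is not the user who signed on" % name_id)
    user = {"schemas": [CORE]}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if not name.startswith(CORE + ":"):
            continue                                  # not a SCIM attribute: ignore
        path = name[len(CORE) + 1:]
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        if path == "emails":                          # multi-valued SCIM attribute
            user["emails"] = [{"value": v, "type": "work"} for v in values]
        elif "." in path:                             # name.givenName -> {"name": {...}}
            parent, child = path.split(".", 1)
            user.setdefault(parent, {})[child] = values[0]
        else:
            user[path] = values[0]
    if "userName" not in user:
        raise ValueError("userName is required to create the account")
    return user


# Constructed IdP response for this example (unsigned, illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>bjensen@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="%s:userName"><saml:AttributeValue>bjensen</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="%s:name.givenName"><saml:AttributeValue>Barbara</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="%s:name.familyName"><saml:AttributeValue>Jensen</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="%s:emails"><saml:AttributeValue>bjensen@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:example:department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % (SAMLP, SAML, CORE, CORE, CORE, CORE)
```

The subject check is the part a hurried implementation drops: without it, an attacker who can obtain any valid assertion from the IdP could have an account for a different user created under their SSO session.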
Bulk user management (UM) operations:
Initial imports of CSU accounts.
Scheduled synchronizations.
(Diagram: LDAP -> SaaS.)
Example: POST on the Bulk endpoint (Protocol)
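A Bulk request processor for the initial-import case, added as an example (not the talk's or WSO2's code). It assumes the SCIM 1.1 Bulk shape: an Operations array, a bulkId on POSTs, "bulkId:<name>" references from later operations (here a Group's members pointing at a User created earlier in the same request), and failOnErrors. The dict-based store stands in for a real provisioning target.

```python
"""POST /Bulk: ordered operations, bulkId resolution, failOnErrors."""
import copy
import uuid

CORE = "urn:scim:schemas:core:1.0"
BASE = "https://example.com/scim/v1"   # assumed base URL from the slides


def _resolve(value, created):
    """Replace every "bulkId:xyz" string inside value with the id assigned to xyz."""
    if isinstance(value, str) and value.startswith("bulkId:"):
        ref = value[len("bulkId:"):]
        if ref not in created:
            raise KeyError("unresolved bulkId %s" % ref)
        return created[ref]
    if isinstance(value, dict):
        return {k: _resolve(v, created) for k, v in value.items()}
    if isinstance(value, list):
        return [_resolve(v, created) for v in value]
    return value


def process_bulk(request, store):
    """Run the operations in order; stop once failOnErrors failures have occurred."""
    if CORE not in request.get("schemas", []):
        return 400, {"Errors": [{"description": "schemas required", "code": "400"}]}
    fail_on = request.get("failOnErrors")          # None: process every operation
    created, results, errors = {}, [], 0
    for op in request.get("Operations", []):
        result = {"method": op["method"]}
        if op.get("bulkId"):
            result["bulkId"] = op["bulkId"]
        try:
            if op["method"] != "POST" or op.get("path") not in ("/Users", "/Groups"):
                raise ValueError("unsupported operation")
            data = _resolve(copy.deepcopy(op["data"]), created)
            collection = op["path"].lstrip("/")
            if "userName" in data and any(r.get("userName") == data["userName"]
                                          for r in store[collection].values()):
                raise FileExistsError("userName already exists")
            rid = str(uuid.uuid4())
            store[collection][rid] = dict(data, id=rid)
            if op.get("bulkId"):
                created[op["bulkId"]] = rid          # later operations may now refer to it
            result["location"] = "%s/%s/%s" % (BASE, collection, rid)
            result["status"] = {"code": "201"}
        except FileExistsError as e:
            errors += 1
            result["status"] = {"code": "409"}
            result["response"] = {"Errors": [{"description": str(e), "code": "409"}]}
        except (KeyError, ValueError) as e:
            errors += 1
            result["status"] = {"code": "400"}
            result["response"] = {"Errors": [{"description": str(e), "code": "400"}]}
        results.append(result)
        if fail_on is not None and errors >= fail_on:
            break                                     # remaining operations are not run
    return 200, {"schemas": [CORE], "Operations": results}
```

The per-operation status is what a scheduled synchronization job needs to reconcile: the envelope is 200 even when individual operations failed, so a client that only checks the outer status will silently miss rejected accounts.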
Identity synchronization: partial updates with PATCH; conditional overwrites with ETag (the client sends the version it read in If-Match, and a stale version is refused).
Example – PATCH (Protocol)
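An in-memory /Users endpoint that covers the Create User request/response slides above and this PATCH-with-ETag slide in one piece, with DELETE included for the de-provisioning flow later in the talk. Added example; it is not WSO2 Identity Server code. Assumed: the base URL https://example.com/scim/v1/ from the slides, the core schema URN urn:scim:schemas:core:1.0, and SCIM 1.1 PATCH semantics (single-valued attributes in the body replace, multi-valued ones merge by value with "operation": "delete" removing an entry, and names listed in meta.attributes are removed).

```python
"""In-memory SCIM 1.1 /Users endpoint: create, read, PATCH with ETag, delete."""
import copy
import hashlib
import json
import uuid
from datetime import datetime, timezone

CORE = "urn:scim:schemas:core:1.0"
BASE = "https://example.com/scim/v1"          # assumed base URL from the slides


def _error(status, description):
    """SCIM 1.1 error body; every handler returns (status, body, headers)."""
    return status, {"Errors": [{"description": description, "code": str(status)}]}, {}


def _etag(resource):
    """Strong ETag from the canonical JSON of the resource (meta excluded)."""
    canon = json.dumps(resource, sort_keys=True, separators=(",", ":"))
    return '"%s"' % hashlib.sha256(canon.encode()).hexdigest()[:16]


class UsersEndpoint:
    def __init__(self):
        self.users = {}                        # id -> stored representation

    def _stamp(self, user, created=None):
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        user["meta"] = {"created": created or now, "lastModified": now,
                        "location": "%s/Users/%s" % (BASE, user["id"])}
        user["meta"]["version"] = _etag({k: v for k, v in user.items() if k != "meta"})

    def _response(self, user):
        """The password is write-only: never echoed, whatever the request was."""
        return {k: v for k, v in user.items() if k != "password"}

    def post(self, body):
        """POST /Users -> 201, resource with id and meta, Location and ETag headers."""
        if CORE not in body.get("schemas", []) or not body.get("userName"):
            return _error(400, "schemas and userName are required")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return _error(409, "userName already exists")
        user = copy.deepcopy(body)
        user["id"] = str(uuid.uuid4())
        self._stamp(user)
        self.users[user["id"]] = user
        return 201, self._response(user), {"Location": user["meta"]["location"],
                                           "ETag": user["meta"]["version"]}

    def get(self, user_id):
        user = self.users.get(user_id)
        if user is None:
            return _error(404, "no such user")
        return 200, self._response(user), {"ETag": user["meta"]["version"]}

    def patch(self, user_id, body, headers):
        """PATCH /Users/{id}: merge; an If-Match that is not the current ETag gives 412."""
        user = self.users.get(user_id)
        if user is None:
            return _error(404, "no such user")
        if_match = headers.get("If-Match")
        if if_match is not None and if_match != user["meta"]["version"]:
            return _error(412, "resource changed since it was read")
        updated = copy.deepcopy(user)
        for name in body.get("meta", {}).get("attributes", []):
            updated.pop(name, None)            # SCIM 1.1: meta.attributes lists removals
        for name, value in body.items():
            if name in ("schemas", "id", "meta"):
                continue
            if isinstance(value, list):        # multi-valued: merge by value, or delete
                current = list(updated.get(name, []))
                for item in value:
                    current = [c for c in current if c.get("value") != item.get("value")]
                    if item.get("operation") != "delete":
                        current.append(item)
                updated[name] = current
            else:
                updated[name] = value          # single-valued: replace
        self._stamp(updated, created=user["meta"]["created"])
        self.users[user_id] = updated
        return 200, self._response(updated), {"ETag": updated["meta"]["version"]}

    def delete(self, user_id):
        """DELETE /Users/{id} -> 200; the id is gone, so later access is refused with 404."""
        if user_id not in self.users:
            return _error(404, "no such user")
        del self.users[user_id]
        return 200, {}, {}
```

A connector that synchronizes from LDAP should always send the ETag it last saw: two provisioning jobs racing on the same user then get one 200 and one 412 instead of the second silently undoing the first.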
Identity retrieval: filtering; conditional retrieval with ETag (If-None-Match returns 304 when nothing changed).
Identity retrieval: partial retrieval with the "attributes" query parameter; pagination; sorting.
GET /Users?startIndex=1&count=10
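The retrieval features above, implemented over a constructed user list, as an added example (not the talk's or WSO2's code). It assumes the SCIM 1.1 query parameters named on the slide (filter, attributes, sortBy, sortOrder, startIndex, count), a ListResponse with totalResults/itemsPerPage/startIndex/Resources, and only a subset of the filter grammar: the attribute operators eq, co, sw and pr joined by "and".

```python
"""GET /Users with filter, attributes, sortBy/sortOrder, startIndex/count."""
import re

CORE = "urn:scim:schemas:core:1.0"

USERS = [   # constructed sample data for the example
    {"schemas": [CORE], "id": "1", "userName": "bjensen", "displayName": "Barbara Jensen",
     "title": "Tour Guide", "active": True},
    {"schemas": [CORE], "id": "2", "userName": "jsmith", "displayName": "John Smith",
     "title": "Developer", "active": True},
    {"schemas": [CORE], "id": "3", "userName": "bbrown", "displayName": "Bob Brown",
     "active": False},
    {"schemas": [CORE], "id": "4", "userName": "hgunasinghe", "displayName": "Hasini Gunasinghe",
     "title": "Software Engineer", "active": True},
]

# one filter term: attribute, operator, optional quoted literal (pr takes none)
_TERM = re.compile(r'^\s*(\w+)\s+(eq|co|sw|pr)(?:\s+"([^"]*)")?\s*$')


def _matches(user, term):
    m = _TERM.match(term)
    if not m:
        raise ValueError("unsupported filter term: %r" % term)
    attr, op, literal = m.groups()
    value = user.get(attr)
    if op == "pr":
        return value is not None
    if value is None:
        return False
    if isinstance(value, bool):               # booleans only support eq
        return op == "eq" and str(value).lower() == (literal or "").lower()
    value, literal = str(value).lower(), (literal or "").lower()   # case-insensitive
    return {"eq": value == literal, "co": literal in value, "sw": value.startswith(literal)}[op]


def list_users(users, filter=None, attributes=None, sortBy=None, sortOrder="ascending",
               startIndex=1, count=None):
    """Return (status, ListResponse) for one GET /Users request."""
    result = list(users)
    if filter:
        terms = re.split(r"\s+and\s+", filter, flags=re.IGNORECASE)
        try:
            result = [u for u in result if all(_matches(u, t) for t in terms)]
        except ValueError as e:
            return 400, {"Errors": [{"description": str(e), "code": "400"}]}
    if sortBy:
        present = [u for u in result if u.get(sortBy) is not None]
        present.sort(key=lambda u: str(u[sortBy]).lower(), reverse=(sortOrder == "descending"))
        result = present + [u for u in result if u.get(sortBy) is None]   # missing sort last
    total = len(result)
    start = max(startIndex, 1)                # startIndex is 1-based
    page = result[start - 1:] if count is None else result[start - 1:start - 1 + max(count, 0)]
    if attributes:
        keep = {"schemas", "id"} | {a.strip() for a in attributes.split(",")}   # always returned
        page = [{k: v for k, v in u.items() if k in keep} for u in page]
    return 200, {"schemas": [CORE], "totalResults": total, "itemsPerPage": len(page),
                 "startIndex": start, "Resources": page}
```

totalResults is the size of the filtered set, not of the page, which is what lets a synchronization job know when it has walked the whole directory; an unsupported operator is rejected with 400 rather than silently matching nothing.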
De-provisioning:
(Diagram: SaaS, Enterprise SSO IdP, SCIM based enterprise provisioning system, LDAP.)
(1) Delete the user account in the provisioning system; (2)/(4) the provisioning system deletes the user in each connected system (LDAP and the SaaS), (3)/(5) each answers OK; (6) the user requests access, (7) access is denied.
(Closing diagram recap: internal apps, provisioning system, other cloud apps/services, LDAP.)
Outline:
Identity provisioning.
Value of open standards in the space of provisioning.
SCIM, along with highlights from the spec.
Why SCIM...?
Use cases of SCIM in an identity management solution. Adoption of SCIM in WSO2 Identity Server and Stratos.
References:
http://www.simplecloud.info/
http://en.wikipedia.org/wiki/Provisioning#User_provisioning
Selected Customers
• QuickStart
• Development Support
• Development Services
• Production Support
• Turnkey Solutions
• WSO2 Mobile Services Solution
• WSO2 FIX Gateway Solution
• WSO2 SAP Gateway Solution