Using SCIM to Enable Cloud Identity
Silicon Valley IAM User Group, August 20, 2015
Provisioning IDaaS
Speaker: Pat Patterson, Developer Evangelist Architect, Salesforce (@metadaddy)
Agenda
1. What is User Provisioning?
2. Benefits
3. Standards
4. Demo
User Provisioning – Managing the User Lifecycle
Create, Update, Delete Users
Works with Other User Repositories Too
Create, Update, Delete Users
Active Directory
On Premise
HR App
Salesforce Identity Connect
Benefits
Benefits for Employee Use Cases
Security
Audit & Compliance
IT Productivity
User Termination
Who has access to what?
Automated account creation & update
Benefits for Customer and Partner Use Cases
User Onboarding
Keep User Info in Sync
Self Service
Provision user into multiple web properties
Update email change across all apps
Access request with Approvals
Standards
Simple Cloud Identity Management
http://www.simplecloud.info/
SCIM 1.0 released in 2011
SCIM 1.1 released in 2012
IETF working on SCIM 2.0
System for Cross-domain Identity Management
SCIM Use Cases
Provision and de-provision user accounts
Update attributes on user accounts
Synchronize accounts across services
Manage group membership
SCIM Basics
Application-level, REST protocol
OAuth recommended for authentication/authorization
Create, modify, retrieve, discover users and groups
Common user schema
Extensible
SCIM Schema
Core schema – name, userName, emails, etc.
Enterprise extension – employeeNumber, department, manager, etc.
Custom extensions – e.g. urn:salesforce:schemas:extension:18CHARORGID
– Custom fields
SCIM in Action
SCIM Request – Retrieve a User
GET /services/scim/v1/Users/005E0000000HimUIAS HTTP/1.1
Host: na1.salesforce.com
Authorization: Bearer ACCESS_TOKEN
SCIM Response - Core
{
  "displayName": "Adam Seligman",
  "userName": "[email protected]",
  "id": "005E0000000HimUIAS",
  "emails": [
    {
      "primary": true,
      "type": "work",
      "value": "[email protected]"
    }
  ],
  ...

SCIM Response - Enterprise
  ...
  "urn:scim:schemas:extension:enterprise:1.0": {
    "employeeNumber": "156189",
    "manager": {
      "displayName": "Pat Patterson",
      "managerId": "005E0000000HiFiIAK"
    },
    "organization": "00DE0000000HegHMAS"
  },
  ...

SCIM Response - Custom
  ...
  "urn:salesforce:schemas:extension:00DE0000000HegHMAS": {
    "Favorite_Color__c": "Green"
  },
  ...
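An added Python example, not from the deck or from Salesforce, showing how a provisioning job consumes a SCIM 1.1 User response like the one above: it pulls the core, enterprise-extension and custom-extension attributes out by schema URN and builds the PATCH used to deactivate the account at termination. The sample response is constructed from the fragments above (the example.com address is a placeholder), and the helper names are assumptions.

```python
import json

# SCIM 1.x schema URNs: core and enterprise are the standard ones; the custom
# extension is the Salesforce form from the deck, keyed by the org id.
CORE = "urn:scim:schemas:core:1.0"
ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"
CUSTOM = "urn:salesforce:schemas:extension:00DE0000000HegHMAS"

# Constructed sample stitched from the response fragments (placeholder address).
SAMPLE_RESPONSE = json.dumps({
    "schemas": [CORE, ENTERPRISE, CUSTOM],
    "id": "005E0000000HimUIAS",
    "userName": "aseligman@example.com",
    "displayName": "Adam Seligman",
    "emails": [{"primary": True, "type": "work", "value": "aseligman@example.com"}],
    ENTERPRISE: {"employeeNumber": "156189", "organization": "00DE0000000HegHMAS",
                 "manager": {"displayName": "Pat Patterson",
                             "managerId": "005E0000000HiFiIAK"}},
    CUSTOM: {"Favorite_Color__c": "Green"},
})

def primary_email(user):
    """Primary value of the multi-valued 'emails' attribute, else the first one."""
    emails = user.get("emails", [])
    for entry in emails:
        if entry.get("primary"):
            return entry["value"]
    return emails[0]["value"] if emails else None

def parse_user(raw):
    """Flatten a SCIM User document into the fields a provisioning job needs."""
    user = json.loads(raw)
    if CORE not in user.get("schemas", []):
        raise ValueError("not a SCIM 1.x core User resource")
    ent = user.get(ENTERPRISE, {})
    return {
        "id": user["id"],
        "userName": user["userName"],
        "email": primary_email(user),
        "employeeNumber": ent.get("employeeNumber"),
        "managerId": ent.get("manager", {}).get("managerId"),
        # custom-extension blocks are keyed by their URN, one per org
        "custom": {k: v for k, v in user.items()
                   if k.startswith("urn:salesforce:schemas:extension:")},
    }

def deactivation_patch(user_id):
    """Path and body of the SCIM 1.1 PATCH that deactivates an account: active=false
    rather than DELETE, so access is cut off but the record and its audit trail stay."""
    return ("/services/scim/v1/Users/" + user_id, {"schemas": [CORE], "active": False})
```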
SCIM Implementations
Demo
Use Case
We’ll hire a new employee – Vikas Jain
– Create Salesforce account
Vikas gets a promotion, with more responsibility
– Allow access to ERP system
After a long and successful career, Vikas retires
– Deactivate all accounts
Q & A
Pat Patterson, Developer Evangelist Architect, Salesforce (@metadaddy)
Thank You