CIS 2015 SCIM in the Real World - Kelly Grizzle


Page 1: CIS 2015 SCIM in the Real World -  Kelly Grizzle

SCIM in the Real World

Kelly Grizzle Software Architect – SailPoint

Page 2

Copyright © SailPoint Technologies, Inc. 2015 All rights reserved. 2

Overview

• What is SCIM?
• Trends in SCIM Usage
• Who are you and what’s your problem?
  - Identity Gurus
  - Service Providers
• Case Studies
• Where is SCIM today and where is it going?

Page 3

What is SCIM?

System for Cross-Domain Identity Management

Page 4

Identity Management + REST =

Page 5

Identity Management + REST = SCIM

• REST is just an architectural pattern
  - SCIM defines an identity management profile for it
• SCIM provides…
  - Standard definitions for User and Group
  - Standard operations
    • Create, Read, Update, Delete, Search, Partial Update, Bulk
  - Extensibility
    • Add more attributes to existing object types or define new object types

Page 6

Example – Retrieve User Request

GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8

Page 7

Example – Retrieve User Response

HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    ...
  }
}

Callouts on the slide: self-describing payload, single-valued attribute, complex attribute, many data types.

Page 8

CRUD Operations

POST /Users
PUT /Users/2819c223-7f76-453a-919d-413861904646
PATCH /Users/2819c223-7f76-453a-919d-413861904646
DELETE /Users/2819c223-7f76-453a-919d-413861904646
GET /Users?startIndex=10&count=5&filter=userName sw "J"
GET /Users/2819c223-7f76-453a-919d-413861904646
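The request lines above are what a SCIM client sends; the part the slide leaves implicit is how a client builds them without letting attribute values rewrite the query. The following is an added example, not code from the deck or from SailPoint: it escapes filter values the way RFC 7644 requires (filter strings are JSON strings), URL-encodes the query, and builds PatchOp bodies for two of the "problems" from the deck, adding a group member and deactivating a user. The paths and the user id are the ones on the slide; the attribute values are constructed.

```python
"""Building the CRUD requests from the slide as a SCIM 2.0 client.

Added example, not code from the deck or from SailPoint. The paths and the
user id are those shown on the slide; the PatchOp message format is the one
defined in RFC 7644; the attribute values are constructed for illustration.
"""
import json
from urllib.parse import urlencode

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_ID = "2819c223-7f76-453a-919d-413861904646"  # id used throughout the deck


def scim_quote(value: str) -> str:
    """Quote a comparison value for a SCIM filter expression.

    Filter string values are JSON strings (RFC 7644 section 3.4.2.2), so the
    backslash and the double quote are escaped exactly as JSON does. Building
    the filter by plain concatenation would let a value such as
    J" or id pr  rewrite the query instead of being matched literally.
    """
    return json.dumps(value, ensure_ascii=False)


def search_users_path(prefix: str, start_index: int = 1, count: int = 100) -> str:
    """GET /Users?startIndex=...&count=...&filter=userName sw "<prefix>" (URL-encoded)."""
    if start_index < 1 or count < 0:
        raise ValueError("startIndex is 1-based and count must be non-negative")
    params = {
        "startIndex": start_index,
        "count": count,
        "filter": f"userName sw {scim_quote(prefix)}",
    }
    return "/Users?" + urlencode(params)


def user_path(user_id: str) -> str:
    """Path for PUT/PATCH/DELETE/GET on a single User, as on the slide."""
    return f"/Users/{user_id}"


def add_group_member_patch(member_id: str) -> dict:
    """PatchOp body that adds one member to a Group (PATCH /Groups/{id})."""
    return {
        "schemas": [PATCH_OP],
        "Operations": [
            {"op": "add", "path": "members", "value": [{"value": member_id}]}
        ],
    }


def deactivate_user_patch() -> dict:
    """PatchOp body that sets active to false: a soft deprovision that keeps
    the record and its audit trail. DELETE /Users/{id} is the hard removal."""
    return {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


if __name__ == "__main__":
    print(search_users_path("J", start_index=10, count=5))
    print(json.dumps(add_group_member_patch(USER_ID), indent=2))
```

The slide shows the filter unencoded for readability; on the wire the space and the quotes must be percent-encoded, which `urlencode` does. Using `json.dumps` for the value is deliberate: it is the one escaping routine that already matches the filter grammar, so no hand-written quoting is needed.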

Page 9

Server Configuration Operations

GET /ResourceTypes
  - Return the types of resources that are supported
  - Endpoint URL, schema, etc…
GET /Schemas/
  - Return the schema definitions
  - Attribute names and types, etc…
GET /ServiceProviderConfigs
  - Return info about what is supported by the server
  - Authn methods, optional features, etc…

Page 10

Trends in SCIM Usage

Page 11

Trends

• Enterprises are using SCIM Gateways to communicate between internal systems
• Service providers use SCIM for directory access
  - Store extended information, but often not visible externally
• IAM and IDaaS vendors provide SCIM Servers to expose identity information and use SCIM Clients to read/write external systems
• Common threads in custom password extensions
• SCIM is seen as the identity management API

Page 12

Who are you?

Page 13

IAM Gurus!

Page 14

99 problems and identity is #1

Page 15

Problem!!! Bob needs a new account

SCIM Solution: Provision

Page 16

Problem!!! Bob can’t login!

SCIM Solution: Password reset

* Alternate Solution: Single sign-on … but this isn’t a SAML / OIDC workshop.

Page 17

Problem!!! Bob can’t read the financials

SCIM Solution: Add him to a group or give him some entitlements

Page 18

Problem!!! I need to know Bob’s access

SCIM Solution: Read User and Group Data

Page 19

Problem!!! Bob has been a bad boy

SCIM Solution: Deprovision

Page 20

Problem!! Apps team needs to r/w identity

SCIM Solution: Standard but extensible API

Page 21

Case Study: Fortune 100 Chip Maker

Page 22

The Setup

• Started considering options between a failed Oracle Identity Manager project and “the next thing”
• Needed a façade
  - Prevent IAM vendor lock-in
  - Needed co-existence between old and new IAM systems
• Extensibility was crucial!
  • “We wanted a 20 year solution.” – IAM Guru

Page 23

The Solution

Create a SCIM gateway to serve as a central identity hub

Diagram: a SCIM Gateway Cluster connecting Legacy Apps, the IAM System, SSO, and the Directory Server

Page 24

The Interesting Parts

• Extended user schema to hold custom information
• Extended endpoints to support many additional features
  - Email verification
    • POST /EmailVerificationTokens to create a token
    • POST /EmailVerification to verify email using token
  - Password reset
    • POST /PasswordResetTokens to create a token
    • POST /PasswordChanges to change password using token
  - Security token management for SSO
    • POST /SecurityTokens to create authenticated session token
    • DELETE /SecurityTokens to invalidate

Page 25

More Interesting Parts

• More extended endpoints…
  - Notifications (email or SMS)
    • POST /Notifications to send a notification with user information merged in (welcome email, forgot login ID, etc…)
  - Role management
    • PATCH /Roles to change membership for a role
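The two-step password reset on the previous slide (POST /PasswordResetTokens, then POST /PasswordChanges with the token) is only as strong as the token handling behind it. The following is an added example, not the customer's gateway code or anything from SailPoint: a small server-side store showing the properties such a token needs. It is unguessable, held only as a hash so a database read does not yield usable tokens, bound to the user it was issued for, time-limited, and consumed on first use. The `TokenStore` class, its method names and the fifteen-minute lifetime are assumptions made for this illustration.

```python
"""Server-side token handling behind the extended /PasswordResetTokens and
/PasswordChanges endpoints described on the slides.

Added example, not the customer's gateway code. TokenStore, its methods and the
TTL are constructed for this illustration; the spec defines no such endpoints.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset token is good for 15 minutes


class TokenStore:
    """In-memory store keyed by the SHA-256 of the token, never the token itself."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """POST /PasswordResetTokens: mint a token for user_id and persist only its hash.

        The returned token goes to the user out of band (email or SMS); it should
        not be written to logs or returned to any caller other than that channel.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, user_id: str) -> bool:
        """POST /PasswordChanges: consume a token; True only if it is valid for user_id.

        The entry is removed on the first attempt whether or not it checks out,
        so a token can never be replayed, and an expired token is rejected even
        if its hash is present.
        """
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return False
        stored_user, expires_at = entry
        if self._now() > expires_at:
            return False
        return hmac.compare_digest(stored_user.encode(), user_id.encode())

    def purge_expired(self) -> int:
        """Housekeeping: drop expired entries; returns how many were removed."""
        now = self._now()
        stale = [digest for digest, (_, exp) in self._tokens.items() if now > exp]
        for digest in stale:
            del self._tokens[digest]
        return len(stale)


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("bjensen")
    print("first redeem:", store.redeem(token, "bjensen"))
    print("replay:", store.redeem(token, "bjensen"))
```

The password change itself (policy check, hash, write to the directory) happens only after `redeem` returns True; the store deliberately knows nothing about passwords, so a bug in one half cannot weaken the other.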

Page 26

The Benefits

• Ability to add new information and features without breaking existing clients
  - If there is anything in JSON that you don't recognize, throw it away

“SCIM has been critical and program-saving. It is exactly what we needed at exactly the right time, and fills a crucial role in our environment."
-- IAM Guru
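The rule on the slide, "if there is anything in JSON that you don't recognize, throw it away", is what makes the gateway extensible without breaking clients. The following is an added example, not the customer's code or SailPoint's, of a client that applies it: it insists on the two things it cannot do without (the core User schema URN and a server-assigned id), keeps only the core attributes and extension URNs it understands, and drops everything else. The HR extension URN, the unknown attributes and the sample response are constructed for this example; the core attribute names are from the SCIM core User schema.

```python
"""A forward-compatible SCIM client: keep the attributes you know, drop the rest.

Added example, not the customer's gateway code. The core attribute names come
from the SCIM core User schema; the HR extension URN, the unknown attributes
and the sample response are constructed for this example.
"""
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
HR_EXT = "urn:example:params:scim:schemas:extension:hr:2.0:User"  # constructed URN

# Core attributes this client actually uses; anything else is ignored.
KNOWN_CORE_ATTRS = {"schemas", "id", "externalId", "meta", "userName", "name",
                    "active", "emails", "groups"}

# Extensions this client understands, keyed by schema URN.
KNOWN_EXTENSIONS = {HR_EXT: {"employeeNumber", "costCenter"}}

# Constructed server response: a newer server has added one core-level
# attribute, one extra HR sub-attribute and a whole extension this client
# has never seen.
SAMPLE_RESPONSE = {
    "schemas": [CORE_USER, HR_EXT,
                "urn:example:params:scim:schemas:extension:badges:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "name": {"familyName": "Jensen", "givenName": "Barbara"},
    "active": True,
    "preferredPronouns": "she/her",
    HR_EXT: {"employeeNumber": "701984", "costCenter": "4130", "deskCode": "B-12"},
    "urn:example:params:scim:schemas:extension:badges:2.0:User": {"badgeId": "X9"},
}


def parse_user(payload: dict) -> dict:
    """Return only the parts of a SCIM User this client understands.

    Raises ValueError if the payload is not a core User or lacks an id; those
    two are hard requirements, everything else is best effort.
    """
    schemas = payload.get("schemas", [])
    if CORE_USER not in schemas:
        raise ValueError("payload does not declare the SCIM core User schema")
    if not payload.get("id"):
        raise ValueError("SCIM resources carry a server-assigned id")
    user = {key: value for key, value in payload.items() if key in KNOWN_CORE_ATTRS}
    for urn, attrs in KNOWN_EXTENSIONS.items():
        block = payload.get(urn)
        # An extension counts only if the payload both lists its URN in
        # "schemas" and carries a matching complex attribute.
        if urn in schemas and isinstance(block, dict):
            user[urn] = {key: value for key, value in block.items() if key in attrs}
    return user


def ignored_keys(payload: dict) -> set:
    """Top-level keys parse_user drops; worth logging once when a server changes."""
    return {key for key in payload
            if key not in KNOWN_CORE_ATTRS and key not in KNOWN_EXTENSIONS}


if __name__ == "__main__":
    print(parse_user(SAMPLE_RESPONSE))
    print("dropped:", sorted(ignored_keys(SAMPLE_RESPONSE)))
```

Dropping unknown data on the way in is the client half of the bargain; the server half, which the chip maker's gateway also relied on, is never to remove or retype an attribute existing clients already depend on.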

Page 27

Case Study: Fortune 500 Pharmaceuticals

Page 28

The Setup

• Need to support identity on a large portfolio of applications
  - Not all application teams are resourced equally
• Wanted an abstraction of provisioning from specific implementations
  - Allow for seamless upgrades of IAM system
  - Ease cost of implementation for smaller applications

Page 29

The Solution

Create a SCIM gateway to serve as a central identity hub

Diagram: a SCIM SOA Gateway connecting On-prem Apps, the IAM System, Cloud Apps, and the Directory Server

Page 30

The Benefits

• SCIM gives agility in adopting new versions of IAM system
• SCIM isolates IAM system if a SaaS vendor changes their identity model
  - Connector continues to work with an updated schema
  - Important for SaaS vendors that can update at any time
• If an application vendor is small it's not worth it to write a custom connector
  - Small vendors are very willing to implement SCIM as their standard identity API

Page 31

Who are you?

Page 32

Service Providers!!

Page 33

99 problems and identity is #1

Page 34

Problem!!! I need to expose a directory!!

SCIM Solution: Read and write with SCIM

Page 35

Problem!!! I need an API between my own products!

SCIM Solution: Everything identity is SCIM

Page 36

Problem!! My mobile app needs identities!

SCIM Solution: Light-weight REST API

Page 37

Problem!!! I need to get identities from my customer’s directory into my cloud app!

SCIM Solution: To the cloud with SCIM!

Page 38

Case Study: Fortune 100 Networking

Page 39

The Setup

• Needed a consistent identity API that can be used:
  - By partners
  - By customers
  - Internally between products
  - To communicate with IdPs and other SaaS vendors

Page 40

The Solution

Diagram: a SCIM Identity Service with read/write (r/w) clients: Directory Clients, Internal Systems, Partners & IdPs, an Identity Sync Client, and a Mobile App

Page 41

The Interesting Parts

• Additional endpoints
  - /Devices
  - /Tenants
    • Only available internally
    • Password policy is configured on tenant
• Core schemas have been extended
  - Positive extensions: New attributes (mainly internal info)
  - Negative extensions: Attributes in SCIM spec that aren’t supported
• Legacy APIs forward requests on to SCIM

Page 42

The Benefits

• Single API for everything identity
• Mobile application has a light-weight API to use
• SCIM clients are easy to write
  - Have seen no need to write a toolkit

Page 43

Case Study: Fortune 1000 Networking

Page 44

The Setup

• Needed a consistent identity API that can be used:
  - By customers
  - Internally between products
  - To communicate with IdPs

Page 45

The Solution

Diagram: a SCIM Identity Service with read/write (r/w) clients: Custom Clients, Internal Systems, IdPs, and an AD Sync Client

Page 46

The Interesting Parts

• Exploring an “organizational unit” extension to facilitate multi-tenancy in the API
• Exploring a pub/sub SCIM model
  - Client subscribes to be notified of changes
  - SCIM server sends out notifications

Page 47

The Benefits

• Single API for everything identity
• No need to provide documentation
  - Just point developers at the spec
• Easy to implement

Page 48

Case Studies in brief

Page 49

PaaS – CloudFoundry

• CloudFoundry is an open platform-as-a-service (PaaS)
• Identity APIs leverage standards
  - SCIM, OAuth2, and OpenID Connect
• Benefits
  - Use existing open API rather than reinventing the wheel
  - Use SCIM extensions for some non-identity APIs

Page 50

IDaaS and IAM Vendors

• IDaaS and IAM vendors need to:
  - Allow external access to their identity store
  - Provision/read identities and groups to/from other applications
• SCIM server provides external access
• SCIM client provides provisioning to other applications
• Benefits
  - Standardized API makes external integration easy
  - Applications that support SCIM can be integrated immediately
    • No custom connector is required
    • No product upgrade required to support new apps

SailPoint, Salesforce, Ping, VMWare, neXus, Oracle, UnboundID

Page 51

Higher Education

• Higher education is largely focused on federation
  - Need to propagate minimum amount of identity data
  - Authorization data (group memberships) are very important
  - Federation attribute payload works well for Just In Time (JIT) provisioning
  - SCIM enables more robust record propagation when JIT is not good enough
    • For example, email account provisioning often must occur before first login

Federations that need attribute exchange

Page 52

Higher Education

• VOOT is an identity/group protocol built on top of SCIM
  - Adds more features around group membership
• Grouper is a user/group management tool developed by Internet2
  - SCIM integration allows writing to down-stream endpoints

http://openvoot.org/
https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+Integration

VOOT and Grouper

Page 53

Case Study: neXus Internet of Things

Page 54

The Setup

• IoT provider needed:
  - A registry of devices associated with a user
  - Information about the device (bluetooth address, etc…)
  - A mobile app that can
    • Authenticate
    • Retrieve user information (including devices)
    • Communicate with devices
  - Devices that can send status updates

Page 55

The Solution

Diagram: the Mobile App talks to the SCIM Server; the car is reached over Bluetooth (e.g. Start A/C) and reports status back to the server.

Mobile App → SCIM Server:

GET /me (as authenticated user)

{ "id": "89723-83703", "devices": [{ "name": "Tesla", "bluetoothAddress": "000A3A58F310", "deviceType": "electricCar", "batteryLife": 58, … }, …] }

Device → SCIM Server:

PATCH /Cars/89723-83703
{ "batteryLife": 57, "location": { "lat": 30.4045541, "long": -97.8489572 } }
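A device that can PATCH its own /Cars resource is a write path into the identity store, so the server side has to decide which attributes a device may change and on which resource. The following is an added example, not neXus code: it applies a status update like the one on the slide while enforcing that the caller only touches its own resource, that the body is a standard RFC 7644 PatchOp envelope (the slide shows a bare partial object, which is a simplification), and that readOnly attributes such as the owner stay fixed. The `CAR_ATTRIBUTES` table stands in for the mutability and type information a real deployment would publish through /Schemas; the Car resource, its attribute names beyond those on the slide, and the sample patches are constructed.

```python
"""Server-side enforcement for a device PATCH like the /Cars/{id} update on the slide.

Added example, not neXus code. The slide shows a bare partial object; this
example uses the PatchOp envelope from RFC 7644 and a constructed attribute
table for a hypothetical Car resource, so the server can refuse anything a
device must not change.
"""
import copy

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
NUMBER = (int, float)

# Constructed schema fragment: attribute path -> (mutability, accepted type).
# A real SCIM schema exposes the same facts via /Schemas as "mutability" and "type".
CAR_ATTRIBUTES = {
    "id": ("readOnly", str),
    "owner": ("readOnly", str),           # which user the car belongs to
    "deviceType": ("readOnly", str),
    "batteryLife": ("readWrite", NUMBER),
    "location": ("readWrite", dict),
    "location.lat": ("readWrite", NUMBER),
    "location.long": ("readWrite", NUMBER),
}

# Constructed sample resource using the id and values from the slide.
SAMPLE_CAR = {"id": "89723-83703", "owner": "2819c223-7f76-453a-919d-413861904646",
              "deviceType": "electricCar", "batteryLife": 58}

# The slide's status update, expressed as a PatchOp (constructed).
STATUS_UPDATE = {"schemas": [PATCH_OP], "Operations": [
    {"op": "replace", "path": "batteryLife", "value": 57},
    {"op": "add", "path": "location", "value": {"lat": 30.4045541, "long": -97.8489572}},
]}

# A patch a device must never succeed with (constructed).
OWNER_CHANGE = {"schemas": [PATCH_OP], "Operations": [
    {"op": "replace", "path": "owner", "value": "someone-else"}]}


class PatchRejected(Exception):
    """Raised for anything that should map to a 4xx SCIM error response."""


def _check_type(path: str, value) -> None:
    expected = CAR_ATTRIBUTES[path][1]
    # bool is a subclass of int in Python, so reject it explicitly for numbers
    if isinstance(value, bool) or not isinstance(value, expected):
        raise PatchRejected(f"invalidValue: bad type for {path}")


def apply_device_patch(resource: dict, patch: dict, caller_device_id: str) -> dict:
    """Return a new resource with the patch applied, or raise PatchRejected."""
    if caller_device_id != resource["id"]:
        raise PatchRejected("forbidden: a device may only update its own resource")
    if patch.get("schemas") != [PATCH_OP]:
        raise PatchRejected("invalidSyntax: body is not a SCIM PatchOp")
    updated = copy.deepcopy(resource)  # never mutate the stored object half-way
    for op in patch.get("Operations", []):
        if op.get("op") not in ("add", "replace"):
            raise PatchRejected(f"unsupported op {op.get('op')!r}")
        path = op.get("path")
        if path not in CAR_ATTRIBUTES:
            raise PatchRejected(f"invalidPath: unknown attribute {path!r}")
        if CAR_ATTRIBUTES[path][0] == "readOnly":
            raise PatchRejected(f"mutability: {path} is readOnly")
        value = op.get("value")
        _check_type(path, value)
        if path == "location":
            # a whole complex value must consist solely of known sub-attributes
            for sub, sub_value in value.items():
                if f"location.{sub}" not in CAR_ATTRIBUTES:
                    raise PatchRejected(f"invalidPath: unknown sub-attribute {sub!r}")
                _check_type(f"location.{sub}", sub_value)
            updated["location"] = dict(value)
        elif "." in path:
            parent, sub = path.split(".", 1)
            updated.setdefault(parent, {})[sub] = value
        else:
            updated[path] = value
    return updated


def is_rejected(resource: dict, patch: dict, caller_device_id: str) -> bool:
    """True if the patch is refused; handy for tests and for audit logging."""
    try:
        apply_device_patch(resource, patch, caller_device_id)
        return False
    except PatchRejected:
        return True


if __name__ == "__main__":
    print(apply_device_patch(SAMPLE_CAR, STATUS_UPDATE, "89723-83703"))
    print("owner change rejected:", is_rejected(SAMPLE_CAR, OWNER_CHANGE, "89723-83703"))
```

The caller identity comes from whatever authenticated the device (the slide's SCIM server issues tokens for that purpose); the point is that the resource id in the URL is never trusted on its own, and that the schema, not the client, decides which attributes are writable.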

Page 56

The Benefits

• Extended user schema to show which devices belong to each user
• New endpoints for devices to read/write device information
  - Example: /Cars, /Vacuums
• Extensible schema allows new device types to be imported via JSON files
• Extremely light-weight SCIM clients on mobile app and devices
  - This is very important for constrained devices

Page 57

Where is SCIM?

Page 58

Current Status

• 2.0 API, Core Schema, and Use Cases docs are complete
  - Will become official RFCs in the next couple months
• IETF working group will continue to work on SCIM extensions
  - Passwords: http://datatracker.ietf.org/doc/draft-hunt-scim-password-mgmt/
  - Notify: http://datatracker.ietf.org/doc/draft-hunt-scim-notify/
  - Soft Delete: http://datatracker.ietf.org/doc/draft-ansari-scim-soft-delete/
  - Others TBD

Page 59

Wrapping it up…

Page 60

Page 61

Adoption is growing…

“The SCIM interface will have parity with other APIs and will be a first-class citizen.”
-- Ian Glazer, Salesforce

“I’m also proud to say Oracle’s Amit Jasuja announced at last year’s OpenWorld that Oracle IDM’s key REST API for Identity will be SCIM…”
-- Phil Hunt, Oracle

Page 62

Adoption is growing…

“SCIM works perfectly for constrained devices.”
-- Erik Wahlström, neXus

“SCIM is simple to implement.”
-- Haavar Valeur, Citrix

Page 63

Questions

[email protected]
@kelly_grizzle
http://simplecloud.info