Jan19 scim webinar-04
Transcript of Jan19 scim webinar-04
© 2010 Ping Identity Corporation
SCIM Webinar, Jan 18, 2012
Patrick Harding, CTO
Paul Madsen, Senior Technical Architect
Background & Overview
Current State
• Enterprises need programmatic mechanisms to manage users/roles/groups in Cloud apps
• Large SaaS vendors have implemented proprietary APIs
  • Google, Salesforce, Cisco Webex, Successfactors, etc
  • All very similar, work well
Call to Arms
• At Cloud Identity Summit 2010
  • Attendees established need for an ‘open standard’ for provisioning cloud users
• Google, Salesforce, Ping Identity, UnboundID, Microsoft created ‘Cloud Directory’ user group
• Initial discussions at IIW 12
2011 - Year of Development
• Q1 2011
  • Initial Draft SCIM Spec developed by Ping, UnboundID and Salesforce
• Q2 2011
  • Draft SCIM Spec introduced at IIW 13
  • Significant interest and discussion
• Q3 2011
  • SCIM Working Group established under OWF
  • Cisco, Sailpoint, Google contribute
• Q4 2011
  • Multiple vendors demonstrate interop at IIW 14
  • SCIM V1.0 in December 2011
SCIM 1.0 Specification Set
• Core Schema: User, Enterprise Extension, Groups, Config
• REST API: CRUD methods, response codes
• SAML Binding (draft): Attribute mapping
• Future bindings
http://simplecloud.info
SCIM Basics
• Core Schema
• Represents User, Groups, Schema, Bulk etc
• Defines basic user attributes (name, address contact etc.)
• REST API
• Defines Create, Read, Update & Delete methods to synchronize
user object information
• SAML Binding
• Supports Just-In-Time provisioning during SSO
• Maps SCIM schema to SAML AttributeStatement
Example 1: Push
[Diagram: a SCIM Client in front of the enterprise User Directory pushes (1) Create/Update/Delete User Object to the Cloud App Provider's User Store API; the provider returns (2) Status]
Example 2: SAML JIT
[Diagram: the SAML IdP, backed by the enterprise User Directory, sends (1) SAML Token w/User Object through the Browser to the SAML SP, which populates its User Store]
Example 3: OpenID JIT + Pull
[Diagram: the OpenID IdP sends (1) OpenID Response through the Browser to the OpenID SP; the SP then calls the IdP's User Store API to (2) Read User Object and receives (3) User Object for its own User Store]
What’s Next?
• Implementation, implementation, implementation !!!
• Major cloud application platforms have indicated that they will
implement SCIM in 2012
• SCIM working group to move to the IETF in 2012
• Use SCIM v1.0 as baseline submission
• Working code, successful deployments are key
• SCIM v2.0 will address issues
Technical
Terminology
• Service Provider: A web application that provides identity information via the SCIM protocol (think SaaS)
• Consumer: A website or application that uses the SCIM protocol to manage identity data maintained by the Service Provider (think Enterprise)
• Resource: The Service Provider managed artifact containing one or more attributes; e.g., User or Group
Schema
• SCIM provides a minimal core schema for representing Resources of different types
  • User, Groups, Schema, Bulk etc
• User schema took as starting point the Portable Contacts schema [1]
  • Basic user attributes (name, address contact, groups, password etc.)
[1] - http://www.portablecontacts.net/draft-spec.html
Schema-Password?
• Group torn on whether to support password management in schema
  • Acknowledgement that best practice is that enterprise users NOT be provisioned with passwords at SaaS providers
• But
  • Current reality doesn’t everywhere reflect ideal
  • Hope/expectation that SCIM will be applied beyond Cloud
• Consumers can specify an initial password when creating a new User (POST) or to reset an existing User's password (PATCH)
Schema-Enterprise extension
• Extends generic user with enterprise semantics
• Adds manager, department, organization, etc
<ent:employeeNumber>701984</ent:employeeNumber>
<ent:manager>
  <ent:managerId>902c246b-6245-4190</ent:managerId>
  <ent:displayName>Mandy Pepperidge</ent:displayName>
</ent:manager>
<ent:costCenter>4130</ent:costCenter>
<ent:organization>Universal Studios</ent:organization>
<ent:division>Theme Park</ent:division>
<ent:department>Tour Operations</ent:department>
Schema-Groups
• Group resources enable group & role based access control
• Groups contain members
• How Service Provider implements access control out of scope
PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
ETag: W/"a330bc54f0671c9"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "members": [
    { "display": "Babs Jensen", "value": "2819c223-7f76-453a-919d-413861904646" }
  ]
}
Schema-Metadata
• Service Provider Configuration Resource enables a Service
Provider to expose its compliance with SCIM specification
in a standardized form & provide additional implementation
details to Consumers.
{ "schemas": ["urn:scim:schemas:core:1.0"]"patch": { "supported":true }, "bulk": { "supported":true, "maxOperations":1000,"maxPayloadSize":1048576 }, "filter": { "supported":true, "maxResults": 200 }, "changePassword" : { "supported":true }"authenticationSchemes": [ { "name": "OAuth Bearer Token",
"specUrl":"http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01", "documentationUrl":"http://example.com/help/oauth.html",
"type":"oauthbearertoken", "primary": true },}
© 2010 Ping Identity Corporation© 2010 Ping Identity Corporation© 2010 Ping Identity Corporation© 2010 Ping Identity Corporation© 2010 Ping Identity Corporation
Schema- representative AD Mapping
AD                  SCIM
userPrincipalName   userName
mail                email.value (type=work)
givenName           name.givenName
sn                  name.familyName
whenCreated         meta.whenCreated
userPassword        password
cn                  displayName
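The mapping table, the enterprise extension and the password discussion above, worked through as an added example (not the deck's code). The AD record, the manager-id lookup table and the helper names are constructed for illustration; the enterprise extension URN is the SCIM 1.x one.

```python
import json

# Constructed sample AD record (not from the deck). Attribute names follow the
# slide's AD column plus the fields the enterprise extension example shows.
AD_USER = {
    "userPrincipalName": "bjensen@example.com", "mail": "bjensen@example.com",
    "givenName": "Barbara", "sn": "Jensen", "cn": "Babs Jensen",
    "whenCreated": "20110701120000.0Z",
    "userPassword": "s3cret",  # lives in the directory; normally NOT pushed to SaaS
    "employeeNumber": "701984", "department": "Tour Operations",
    "manager": "CN=Mandy Pepperidge,OU=Staff,DC=example,DC=com",
}
# Constructed lookup from a manager's DN to the SaaS-side SCIM id (assumption:
# the manager was provisioned earlier and the consumer recorded the id it got back).
MANAGER_IDS = {"CN=Mandy Pepperidge,OU=Staff,DC=example,DC=com": "902c246b-6245-4190"}

CORE = "urn:scim:schemas:core:1.0"
ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"  # SCIM 1.x enterprise extension

def ad_time_to_iso(gt):
    """AD GeneralizedTime 'YYYYMMDDHHMMSS.0Z' -> SCIM DateTime 'YYYY-MM-DDTHH:MM:SSZ'."""
    return f"{gt[0:4]}-{gt[4:6]}-{gt[6:8]}T{gt[8:10]}:{gt[10:12]}:{gt[12:14]}Z"

def ad_to_scim_user(ad, include_password=False):
    """Map an AD record to a SCIM 1.0 User using the slide's mapping table.
    The deck writes the created timestamp as meta.whenCreated; the SCIM 1.0 core
    schema names it meta.created, which is used here. userPassword is mapped only on
    explicit request, following the stated best practice of not provisioning passwords."""
    user = {
        "schemas": [CORE, ENTERPRISE],
        "userName": ad["userPrincipalName"],
        "displayName": ad.get("cn"),
        "name": {"givenName": ad.get("givenName"), "familyName": ad.get("sn")},
        "emails": [{"value": ad["mail"], "type": "work"}] if ad.get("mail") else [],
        "meta": {"created": ad_time_to_iso(ad["whenCreated"])},
    }
    ext = {k: ad[k] for k in ("employeeNumber", "department") if k in ad}
    if ad.get("manager"):  # AD stores the manager as a DN; SCIM wants managerId + displayName
        cn = ad["manager"].split(",")[0].split("=", 1)[1]
        ext["manager"] = {"managerId": MANAGER_IDS.get(ad["manager"]), "displayName": cn}
    user[ENTERPRISE] = ext
    if include_password and "userPassword" in ad:
        user["password"] = ad["userPassword"]
    return user

if __name__ == "__main__":
    print(json.dumps(ad_to_scim_user(AD_USER), indent=2))
```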
API
• Specifies well known endpoints & HTTP methods for managing Resources defined in the core schema
• User and Group Resources correspond to /Users and /Groups respectively
• RESTful (really)
• Responses are returned in the body of the HTTP response, formatted as JSON or XML, depending on what is requested
API-Architecture
[Diagram: the Client calls the Service Provider's API; the Service Provider holds the Resources and returns a Resource representation in the Response]
API-Verbage
• API uses HTTP verbs as follows
  • GET (retrieves an existing resource)
  • POST (creates a new resource)
  • PUT (overwrites an existing resource)
  • PATCH (partially modifies an existing resource)
  • DELETE (deletes an existing resource)
API-Authentication
• SCIM does not mandate a particular authentication scheme by
which Consumers authenticate to Service Providers
• OAuth 2.0 is RECOMMENDED, but other schemes (eg HTTP
Basic) not precluded
• Consumers and Service Providers MUST implement TLS
API-Authentication-OAuth example
POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
  <userName>[email protected]</userName>
  <externalId>701984</externalId>
  <emails>
    <email>
      <value>[email protected]</value>
      <primary>true</primary>
      <type>work</type>
    </email>
  </emails>
</scim:User>
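How a Consumer would act on the Service Provider Configuration Resource (Schema-Metadata slide) and the authentication rules above, as an added example that is not from the deck: it parses the configuration, refuses a non-TLS endpoint, picks the advertised bearer-token scheme, and sizes bulk requests from maxOperations. The configuration JSON is the deck's example with its punctuation restored; the function names and the PATCH-to-PUT fallback are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed Service Provider Configuration mirroring the deck's example
# (shown here with the JSON punctuation the slide dropped restored).
SP_CONFIG_JSON = """{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "patch": {"supported": true},
  "bulk": {"supported": true, "maxOperations": 1000, "maxPayloadSize": 1048576},
  "filter": {"supported": true, "maxResults": 200},
  "changePassword": {"supported": true},
  "authenticationSchemes": [{"name": "OAuth Bearer Token",
    "specUrl": "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
    "documentationUrl": "http://example.com/help/oauth.html",
    "type": "oauthbearertoken", "primary": true}]
}"""

def load_config(text=SP_CONFIG_JSON):
    """Parse the Service Provider Configuration representation a Consumer fetched."""
    return json.loads(text)

def validate_base_url(base_url):
    """The deck: Consumers and Service Providers MUST implement TLS, so a Consumer
    should refuse to send its bearer token to a plain http:// endpoint."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError(f"refusing non-TLS SCIM endpoint: {base_url}")
    return base_url.rstrip("/")

def request_headers(config, bearer_token):
    """Use the Service Provider's primary authenticationScheme. Only the
    oauthbearertoken type is handled here (assumption); anything else is an error."""
    schemes = config.get("authenticationSchemes", [])
    primary = next((s for s in schemes if s.get("primary")), schemes[0] if schemes else None)
    if not primary or primary.get("type") != "oauthbearertoken":
        raise ValueError("no supported authentication scheme advertised")
    return {"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"}

def update_method(config):
    """PATCH is optional in SCIM 1.0: use it when advertised, otherwise fall back to PUT."""
    return "PATCH" if config.get("patch", {}).get("supported") else "PUT"

def chunk_bulk_operations(config, operations):
    """Split bulk operations into batches no larger than bulk.maxOperations;
    a Service Provider without bulk support gets one request per operation."""
    bulk = config.get("bulk", {})
    if not bulk.get("supported"):
        return [[op] for op in operations]
    size = int(bulk.get("maxOperations") or len(operations) or 1)
    return [operations[i:i + size] for i in range(0, len(operations), size)]
```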
API-Response codes
• API uses/overrides HTTP Response codes to indicate
operation success or failure.
• In addition, Service Providers return errors in body of the
response and human-readable explanations.
HTTP/1.1 404 NOT FOUND
{"Errors":[
  { "description":"Resource 2819c223-7f76-453a-919d- not found", "code":"404" }
]}
API-Error codes
API-Response operations
• SCIM defines a standard set of operations that can be used to filter, sort, and paginate response results.
• Consumers may request a subset of Resources by specifying the 'filter' URL query parameter containing a filter expression.
• Sorting allows Consumers to specify the order in which Resources are returned by specifying a combination of sortBy and sortOrder URL parameters
• Pagination parameters can be used together to "page through" large numbers of Resources so as not to overwhelm the Consumer or Service Provider
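The filter, sort and pagination operations above, implemented server-side as an added example (not the deck's or the working group's code). It covers the SCIM 1.0 comparison operators and 'and'-joined terms over the constructed User Resources below; the helper names and the 200-result cap (the deck's filter.maxResults) are assumptions.

```python
import re

# Constructed sample User Resources (not from the deck), trimmed to what the filters touch.
USERS = [
    {"id": "1", "userName": "bjensen", "title": "Tour Guide", "name": {"familyName": "Jensen"},
     "emails": [{"value": "bjensen@example.com", "type": "work"}]},
    {"id": "2", "userName": "jsmith", "name": {"familyName": "Smith"},
     "emails": [{"value": "jsmith@example.com", "type": "home"}]},
    {"id": "3", "userName": "abrown", "title": "Manager", "name": {"familyName": "Brown"},
     "emails": [{"value": "abrown@example.com", "type": "work"}]},
]
# One SCIM 1.0 filter term: attribute path, operator, optional quoted value.
_TERM = re.compile(r'^\s*([\w.]+)\s+(eq|co|sw|pr|gt|ge|lt|le)(?:\s+"([^"]*)")?\s*$')
_OPS = {"eq": lambda v, t: v.lower() == t.lower(), "co": lambda v, t: t.lower() in v.lower(),
        "sw": lambda v, t: v.lower().startswith(t.lower()), "gt": lambda v, t: v > t,
        "ge": lambda v, t: v >= t, "lt": lambda v, t: v < t, "le": lambda v, t: v <= t}

def values_at(resource, path):
    """Resolve a dotted path; every member of a multi-valued attribute (emails.type) contributes."""
    nodes = [resource]
    for part in path.split("."):
        nodes = [x[part] for n in nodes for x in (n if isinstance(n, list) else [n])
                 if isinstance(x, dict) and part in x]
    return [str(v) for v in nodes if not isinstance(v, (dict, list))]

def matches(resource, filter_expr):
    """True when every 'and'-joined term holds; string comparisons are case-insensitive."""
    for term in re.split(r"\s+and\s+", filter_expr):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"bad filter term: {term!r}")
        attr, op, target = m.groups()
        vals = values_at(resource, attr)
        ok = bool(vals) if op == "pr" else target is not None and any(_OPS[op](v, target) for v in vals)
        if not ok:
            return False
    return True

def list_response(resources, filter_expr=None, sort_by=None, sort_order="ascending",
                  start_index=1, count=None, max_results=200):
    """Filter, then sortBy/sortOrder, then 1-based startIndex/count paging (capped by the
    Service Provider's filter.maxResults), wrapped as a SCIM 1.0 list response."""
    rows = [r for r in resources if not filter_expr or matches(r, filter_expr)]
    if sort_by:
        rows.sort(key=lambda r: (values_at(r, sort_by) or [""])[0].lower(),
                  reverse=(sort_order == "descending"))
    count = max_results if count is None else min(max(count, 0), max_results)
    start = max(start_index, 1)
    page = rows[start - 1:start - 1 + count]
    return {"schemas": ["urn:scim:schemas:core:1.0"], "totalResults": len(rows),
            "itemsPerPage": len(page), "startIndex": start, "Resources": page}
```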
SAML Binding
• Supports a JIT provisioning model where users are created in real time (vs a priori via API)
• Binds SCIM User objects to SAML Attributes
• Expectation is that other SSO/JIT bindings will follow in time
• SAML binding not voted out with API and Core Schema; group needs to resolve tension between
  • SCIM push for simplicity
  • Existing SAML Attribute Person Profiles
• Complex attributes don’t easily map into SAML Attributes
SAML Binding-Architecture
[Diagram: the Client/Service Provider Resources picture from the API slide, with the Browser, SAML SP and SAML IdP added; the Resource representation travels inside the SAML assertion rather than over the API]
SAML Binding-SAML Attributes
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.userName">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.name.formatted">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
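Building and reading the AttributeStatement above from a SCIM User, as an added example (not the deck's code or the draft binding's reference implementation). Names are flattened to the 'SCIM.<path>' form the slide shows; the way multi-valued attributes are keyed by their type (e.g. SCIM.emails.work) is an assumption made to show the complex-attribute problem the slide raises.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XS_NS = "http://www.w3.org/2001/XMLSchema"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

def flatten(user, prefix="SCIM"):
    """Turn a SCIM User into the 'SCIM.<path>' attribute names the deck's statement uses.
    Multi-valued complex attributes are the binding's open problem; here (assumption)
    each member is keyed by its 'type', e.g. SCIM.emails.work, so no value is dropped."""
    out = {}
    for key, val in user.items():
        name = f"{prefix}.{key}"
        if key == "schemas":
            continue
        if isinstance(val, dict):
            out.update(flatten(val, name))
        elif isinstance(val, list):
            for item in val:
                if isinstance(item, dict) and "value" in item:
                    out.setdefault(f"{name}.{item.get('type', 'other')}", []).append(str(item["value"]))
                else:
                    out.setdefault(name, []).append(str(item))
        else:
            out.setdefault(name, []).append(str(val))
    return out

def attribute_statement(user):
    """IdP side: serialise the flattened User as a saml:AttributeStatement."""
    for prefix, uri in (("saml", SAML_NS), ("xs", XS_NS), ("xsi", XSI_NS)):
        ET.register_namespace(prefix, uri)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement", {"xmlns:xs": XS_NS})
    for name, values in flatten(user).items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name, NameFormat=NAME_FORMAT)
        for v in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue", {f"{{{XSI_NS}}}type": "xs:string"}).text = v
    return ET.tostring(stmt, encoding="unicode")

def parse_attribute_statement(xml_text):
    """SP side (JIT provisioning): recover name -> values, keeping only SCIM.* names."""
    result = {}
    for attr in ET.fromstring(xml_text).findall(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if name.startswith("SCIM."):
            result[name] = [(v.text or "").strip()
                            for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return result
```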
Conclusions
• SCIM has potential to be important IdM standard in & out of cloud
• But, if SCIM is to avoid SPML's fate, adoption is key
• Start demanding IdM vendors and SaaS providers add support
Thank you
@pingcto, @paulmadsen
Demo
Demo
[Diagram: the Enterprise's AD User Store is provisioned to Salesforce (SFDC) via SCIM through Ping Cloud]