SCIM presentation from CIS 2012

Intro to SCIM, by Travis Spencer, CEO, Twobo Technologies


A presentation on the System for Cross-domain Identity Management (SCIM), formerly Simple Cloud Identity Management, given at the Cloud Identity Summit (CIS) 2012 by Travis Spencer, CEO of Twobo Technologies, a consulting firm specializing in Identity and Access Management (IAM), cloud security, and mobile security.

Transcript of SCIM presentation from CIS 2012

Page 1: SCIM presentation from CIS 2012

Intro to SCIM

Travis Spencer, CEO

Twobo Technologies

Page 2: The Problem

• Modern systems are massively distributed
• Organizations need to automate user/group management across domain boundaries
• Large cloud providers have their own APIs
• Enterprise-to-enterprise is a dog's dinner
• Identity is the fly in the integration ointment

Page 3: The Resulting Reality

• Tactical, bespoke methods that can't scale
• Expensive integration work & custom development
• Systems maintain isolated silos of user data
• Ex-employees continue accessing resources
• Solution is automation based on open standards

Page 4: Banding Together to Solve this Problem

• Salesforce, Google, UnboundID, Ping Identity, SailPoint, Technology Nexus, etc.
• Protocol drafted, tested, and released in 2011
  – Q1: Initial draft of spec
  – Q2: Updated draft discussed at IIW (Internet Identity Workshop)
  – Q3: Consortium formed under OWF (Open Web Foundation), interop tests at IIW
  – Q4: V. 1 agreed upon by consortium, submitted to IETF

Page 5: SCIM, a Modern Standard for Automation

• The spec formerly known as Simple Cloud…
• Provisioning API to manage users & groups
• Supports bulk updates for ingest & sync
• Low tech barrier: easy w/ curl & JavaScript
• Designed w/ mobile in mind
• Goes hand-in-glove w/ federation
• Secure access using OAuth 2 et al.

Page 6: SCIM Specification Set

• Core Schema: User, Groups, Enterprise Extension, Config
• REST API for CRUD: JSON & XML, response codes
• Federation Binding: SAML; TBD: OpenID Connect

Page 7: Features of SCIM

• Core schema – Models users, groups, etc.
  – Defines basic user attributes (name, address, etc.)
• RESTful API – Defines CRUD to synchronize resources
  – JSON and XML data formats
• Federation bindings – SAML, OIC (OpenID Connect)
  – Supports JIT provisioning during SSO
  – Maps SCIM schema to federation protocols

Page 8: Push Provisioning

[Diagram: the SCIM client in the IdP organization sends CRUD requests for the user object to the SCIM server in the SP organization; the server answers with a status.]

Page 9: JIT Provisioning

[Diagram: the browser carries the user data from the IdP (IdP organization) to the SP (SP organization) inside the federation message; the SP creates the user on the fly.]

Page 10: JIT + Pull

[Diagram: the IdP, acting as SCIM server, places an access token in the federation message the browser delivers to the SP; the SP, acting as SCIM client, uses that token to "Get User" from the IdP, receives the user object, and creates the new user locally.]

Page 11: Overview of API

• RESTful
• Specifies well-known endpoints & HTTP methods for managing core resources
  – User and group resources correspond to /Users and /Groups, respectively
• Responses are returned in the body of the HTTP messages in JSON or XML format

Page 12: Authentication and Security

• Spec does not mandate a particular authentication scheme
• OAuth 2 is recommended, but others are not precluded (e.g., HTTP basic)
• Client and server must exchange data over SSL/TLS

Page 13: Supported HTTP Verbs

Verb     Meaning
GET      Retrieves a resource
POST     Creates a new resource
PUT      Completely updates a resource
PATCH    Partially updates a resource
DELETE   Deletes a resource

Page 14: Controlling Responses

• Filter (i.e., search)
  – Find specific resources
  – Request a subset of attributes
• Sorting
  – Sort by
  – Sort order
• Pagination
  – Client maintains offset and count
  – No server-side cursors (v. 2 probably)
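The filter, sort and pagination behaviour on this slide as a worked example. This is added code written for this page, not the presentation's or any SCIM product's: a small SCIM 1.x filter parser and evaluator (eq, co, sw, gt, ge, lt, le, pr, and/or, parentheses), a server-side list function that returns a ListResponse with the 1-based startIndex, and the client-side loop that keeps its own offset because the server holds no cursor. The sample users are constructed; accepting bare or quoted true/false and comparing strings case-insensitively are my simplifications.

```python
# Added example (not from the presentation): SCIM 1.x filter parsing and client-driven paging.
import re

USERS = [  # constructed sample resources
    {"id": "2819c223-7f76-453a-919d-413861904646", "userName": "bjensen", "active": True, "title": "Manager",
     "name": {"familyName": "Jensen"}, "emails": [{"value": "bjensen@example.com", "type": "work"}]},
    {"id": "c75ad752-64ae-4823-840d-ffa80929976c", "userName": "jsmith", "active": False,
     "name": {"familyName": "Smith"}, "emails": [{"value": "jsmith@example.com", "type": "work"}]},
    {"id": "0d1e2f3a-4b5c-4d6e-8f90-a1b2c3d4e5f6", "userName": "asmith", "active": True,
     "name": {"familyName": "Smith"}, "emails": [{"value": "asmith@example.com", "type": "work"}]},
]
# Tokens: "(", ")", a double-quoted string, or a word (attribute path, operator, true/false).
_TOKEN = re.compile(r'\s*(?:(\()|(\))|"((?:[^"\\]|\\.)*)"|([A-Za-z][\w.:]*))')
_OPS = {"eq": lambda a, b: a == b, "co": lambda a, b: b in a, "sw": lambda a, b: a.startswith(b),
        "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b, "lt": lambda a, b: a < b, "le": lambda a, b: a <= b}

def _tokenize(text):
    toks, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:                       # only trailing whitespace may remain unmatched
            if text[pos:].strip(): raise ValueError("bad filter near %r" % text[pos:])
            break
        pos, (lp, rp, s, w) = m.end(), m.groups()
        toks.append(("(", None) if lp else (")", None) if rp else ("str", s) if s is not None else ("word", w))
    return toks

def parse_filter(text):
    """Recursive descent over the tokens: 'and' binds tighter than 'or'; parentheses group."""
    toks, pos = _tokenize(text), [0]
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else (None, None)
    def take(expect=None):
        tok = peek()
        if expect is not None and tok[0] != expect: raise ValueError("expected %s at token %d" % (expect, pos[0]))
        pos[0] += 1
        return tok
    def chain(word, sub):                   # left-associative 'sub (word sub)*'
        node = sub()
        while peek()[0] == "word" and peek()[1].lower() == word:
            take()
            node = (word, node, sub())
        return node
    def atom():
        if peek()[0] == "(":
            take()
            node = or_expr()
            take(")")
            return node
        attr, op = take("word")[1], take("word")[1].lower()
        if op == "pr": return ("pr", attr)  # presence test takes no value
        if op not in _OPS: raise ValueError("unknown operator %r" % op)
        kind, raw = take()
        if kind == "str": return ("cmp", op, attr, raw)
        if kind == "word" and raw.lower() in ("true", "false"): return ("cmp", op, attr, raw.lower() == "true")
        raise ValueError("expected a value after %s" % op)
    def or_expr(): return chain("or", lambda: chain("and", atom))
    node = or_expr()
    if pos[0] != len(toks): raise ValueError("trailing tokens in filter")
    return node

def _values(resource, path):  # all values at a dotted path; each element of a multi-valued attribute counts
    vals = [resource]
    for part in path.split("."):
        items = [i for v in vals for i in (v if isinstance(v, list) else [v]) if isinstance(i, dict)]
        vals = [x for i in items for k, x in i.items() if k.lower() == part.lower()]
    return [x for v in vals for x in (v if isinstance(v, list) else [v])]

def matches(node, res):
    """Evaluate a parsed filter against one resource; string comparisons are case-insensitive."""
    if node[0] == "or": return matches(node[1], res) or matches(node[2], res)
    if node[0] == "and": return matches(node[1], res) and matches(node[2], res)
    if node[0] == "pr": return any(v is not None for v in _values(res, node[1]))
    _, op, attr, want = node
    for have in _values(res, attr):
        if isinstance(have, bool) and isinstance(want, str): want = want.lower() == "true"  # quoted boolean
        a, b = (have.lower(), want.lower()) if isinstance(have, str) and isinstance(want, str) else (have, want)
        try:
            if _OPS[op](a, b): return True
        except (TypeError, AttributeError):  # e.g. 'co' against a boolean: no match, not an error
            pass
    return False

def list_users(users, filter_expr=None, start_index=1, count=10, sort_by=None, sort_order="ascending"):
    """Server side: filter, sort, then slice one page into a ListResponse (startIndex is 1-based)."""
    tree = parse_filter(filter_expr) if filter_expr else None
    matched = [u for u in users if tree is None or matches(tree, u)]
    if sort_by:
        matched.sort(key=lambda u: str((_values(u, sort_by) or [""])[0]).lower(), reverse=sort_order == "descending")
    start = max(int(start_index), 1)
    page = matched[start - 1:start - 1 + max(int(count), 0)]
    return {"schemas": ["urn:scim:schemas:core:1.0"], "totalResults": len(matched),
            "itemsPerPage": len(page), "startIndex": start, "Resources": page}

def fetch_all(fetch_page, count=2):  # client side: no server cursor, the client advances its own startIndex
    start, out = 1, []
    while True:
        page = fetch_page(start, count)
        out.extend(page["Resources"])
        if not page["Resources"] or start + page["itemsPerPage"] > page["totalResults"]: return out
        start += page["itemsPerPage"]
```

A server should answer a filter the parser rejects with 400 rather than silently matching everything, which is why parse_filter raises ValueError on an unknown operator, a missing value or trailing tokens; the client loop stops on an empty page as well as on reaching totalResults, so a server that shrinks its result set between requests cannot trap it.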

Page 15: Extensible Schema

• Protocol defines core schema used to represent resources of various types
  – Modeled after PoCo (Portable Contacts) & others
  – Also stipulates how to extend
• Defines enterprise extension
  – Adds manager, department, organization, etc.
• Others can be created at will

Page 16: Includes Mapping from Active Directory

Active Directory      SCIM
userPrincipalName     userName
mail                  emails.value (type=work)
givenName             name.givenName
sn                    name.familyName
whenCreated           meta.whenCreated
userPassword          password
cn                    displayName
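The mapping table as an added example, not code from the presentation: building the SCIM 1.x User document a push-provisioning client would POST to /Users from an Active Directory entry. It goes slightly beyond the table: active is derived from the ACCOUNTDISABLE bit of userAccountControl, and the creation timestamp is written under meta.created, the name the SCIM 1.1 core schema uses for it. The sample entry is constructed, in the list-of-bytes shape an LDAP library returns; initial_password is a hypothetical parameter, because AD does not return a password on read, so the client can only set one it already knows.

```python
# Added example (not from the presentation): map an Active Directory entry to a SCIM 1.x User.
import json
import re
from datetime import datetime, timezone

ACCOUNTDISABLE = 0x2          # userAccountControl bit: account is disabled

# Constructed sample entry in the shape python-ldap returns (a list of bytes per attribute).
AD_ENTRY = {
    "userPrincipalName": [b"bjensen@example.com"],
    "mail": [b"bjensen@example.com"],
    "givenName": [b"Barbara"],
    "sn": [b"Jensen"],
    "cn": [b"Barbara Jensen"],
    "whenCreated": [b"20120620143005.0Z"],   # LDAP GeneralizedTime as AD returns it
    "userAccountControl": [b"512"],           # NORMAL_ACCOUNT, enabled
}

def _first(entry, attr):
    """First value of an LDAP attribute as text, or None when absent or empty."""
    values = entry.get(attr)
    if isinstance(values, (list, tuple)):
        values = values[0] if values else None
    if isinstance(values, bytes):
        values = values.decode("utf-8")
    return values or None

def ad_time_to_iso8601(value):
    """'20120620143005.0Z' -> '2012-06-20T14:30:05Z' (SCIM dateTime)."""
    m = re.fullmatch(r"(\d{14})(?:\.\d+)?Z", value)
    if not m:
        raise ValueError("unexpected AD timestamp %r" % value)
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return stamp.strftime("%Y-%m-%dT%H:%M:%SZ")

def ad_to_scim_user(entry, initial_password=None):
    """Build the SCIM 1.x User document a push-provisioning client would POST to /Users.

    Follows the slide's mapping; 'active' from userAccountControl is an addition of this example."""
    upn = _first(entry, "userPrincipalName")
    if upn is None:
        raise ValueError("userPrincipalName is required to derive userName")
    user = {"schemas": ["urn:scim:schemas:core:1.0"], "userName": upn}
    name = {k: v for k, v in (("givenName", _first(entry, "givenName")),
                              ("familyName", _first(entry, "sn"))) if v}
    if name:
        user["name"] = name
    if _first(entry, "cn"):
        user["displayName"] = _first(entry, "cn")
    if _first(entry, "mail"):
        user["emails"] = [{"value": _first(entry, "mail"), "type": "work", "primary": True}]
    if _first(entry, "whenCreated"):
        # Informational only: the SCIM server owns 'meta' and assigns its own timestamps on create.
        user["meta"] = {"created": ad_time_to_iso8601(_first(entry, "whenCreated"))}
    # AD never returns a password on read, so 'password' can only be set when the client
    # already knows a value (e.g. a generated initial password); it is write-only in SCIM.
    if initial_password:
        user["password"] = initial_password
    uac = int(_first(entry, "userAccountControl") or "0")
    user["active"] = not (uac & ACCOUNTDISABLE)
    return user

if __name__ == "__main__":
    print(json.dumps(ad_to_scim_user(AD_ENTRY), indent=2))
```

The function builds only the attributes it has a source for, so an entry with no mail or cn produces a document without emails or displayName instead of empty strings that a SCIM server would store as real values.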

Page 17: Retrieving User Data

Request: a GET request = read; the user ID is in the URL.

GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

Response: 200 = successful response; Location repeats the same user ID; the attributes are returned in JSON format (body abbreviated on the slide).

HTTP/1.1 200 OK
Content-Type: application/json
Location: https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"f250dd84f0671c3"

{
  ...
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  ...
}

Page 18: Updating a Group with a new Member

PATCH = only update what's changed; secure access using OAuth 2 (bearer token).

PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
ETag: W/"a330bc54f0671c9"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "members": [
    {
      "display": "Babs Jensen",
      "value": "2819c223-7f76-453a…"
    }
  ]
}

The body names only the new group member; the other members are unchanged. (The ETag line follows the SCIM 1.1 example; in HTTP the request-side header that carries a version precondition is If-Match, which is what SCIM 2.0 specifies, and a server should refuse a stale version with 412 Precondition Failed so that two clients cannot overwrite each other's changes.)
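The conditional PATCH on this slide as an added example, not the presentation's code: a server-side merge of a SCIM 1.1-style PATCH body behind an ETag precondition. The If-Match header name, the 412 answer on a stale version and the merge rules listed in the docstring are my choices based on SCIM 1.1 and HTTP, and the group is constructed; check the rules against the server you actually integrate with.

```python
# Added example (not from the presentation): apply a SCIM 1.1-style PATCH under an ETag precondition.
import copy
import hashlib
import json

class PreconditionFailed(Exception):
    """Maps to HTTP 412: the client's version no longer matches the stored resource."""

def compute_version(resource):
    """Weak ETag derived from the canonical JSON of everything except 'meta'."""
    body = json.dumps({k: v for k, v in resource.items() if k != "meta"}, sort_keys=True)
    return 'W/"%s"' % hashlib.sha256(body.encode()).hexdigest()[:15]

# Constructed sample group, as stored on the server.
GROUP = {"schemas": ["urn:scim:schemas:core:1.0"], "id": "acbf3ae7-8463-4692-b4fd-9b4da3f908ce",
         "displayName": "Tour Guides",
         "members": [{"value": "c75ad752-64ae-4823-840d-ffa80929976c", "display": "John Smith"}]}
GROUP["meta"] = {"version": compute_version(GROUP)}

def _key(item):
    """Identity of one element of a multi-valued attribute (its 'value' sub-attribute, or itself)."""
    return item.get("value") if isinstance(item, dict) else item

def apply_patch(stored, patch, if_match=None):
    """Merge a PATCH body into 'stored' and return the new resource ('stored' is left untouched).

    Rules implemented (my reading of SCIM 1.1 PATCH; verify against your server):
      * simple singular attributes in the body replace the stored value;
      * complex singular attributes (e.g. name) are merged sub-attribute by sub-attribute;
      * multi-valued attributes are appended to (an element with the same value is replaced),
        except that an element carrying "operation": "delete" removes the stored element;
      * meta.attributes lists attributes to remove entirely.
    With if_match, the update is refused (412) unless it names the current version."""
    current = stored.get("meta", {}).get("version")
    if if_match is not None and if_match != current:
        raise PreconditionFailed("resource is at %s, client sent %s" % (current, if_match))
    updated = copy.deepcopy(stored)
    for attr in patch.get("meta", {}).get("attributes", []):
        updated.pop(attr, None)
    for attr, value in patch.items():
        if attr in ("schemas", "meta", "id"):
            continue                                   # never patched by the client
        if isinstance(value, list):
            merged = list(updated.get(attr, []))
            for item in value:
                merged = [m for m in merged if _key(m) != _key(item)]
                if not (isinstance(item, dict) and item.get("operation") == "delete"):
                    merged.append(item)
            updated[attr] = merged
        elif isinstance(value, dict):
            updated.setdefault(attr, {}).update(value)
        else:
            updated[attr] = value
    updated.setdefault("meta", {})["version"] = compute_version(updated)
    return updated

def handle_patch(stored, headers, body):
    """Server-side wrapper: returns (status, resource) the way a SCIM endpoint would answer."""
    try:
        return 200, apply_patch(stored, json.loads(body), headers.get("If-Match"))
    except PreconditionFailed:
        return 412, stored

if __name__ == "__main__":
    body = json.dumps({"schemas": ["urn:scim:schemas:core:1.0"],
                       "members": [{"display": "Babs Jensen", "value": "2819c223-7f76-453a-919d-413861904646"}]})
    status, group = handle_patch(GROUP, {"If-Match": GROUP["meta"]["version"]}, body)
    print(status, [m["display"] for m in group["members"]])
```

A client that receives 412 should GET the resource again, rebuild its change against the fresh version and retry, rather than resend the same body without the precondition; dropping If-Match reintroduces exactly the lost-update problem the version check exists to prevent.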

Page 19: SCIM vis-à-vis UserInfo Endpoint in OIC

[Diagram: layered view with Client, User Agent, AS and RS in the base OAuth layer, the User-Info endpoint in the OIC (OpenID Connect) layer and the SCIM API in the SCIM layer, with the labelled steps 1. Get a token, 2. Read a token, 3. Use a token.]

Page 20: What's Next for SCIM?

• More and more implementations!
• PingOne and UnboundID's synchronization server are already in the market
• Major SaaS providers are launching this year
• Other IAM vendors releasing soon
• IETF working group has been formed
  – Date of completion projected for 2014
  – V. 1 is available today

Page 21: Support SCIM

• SaaS and IdM vendors must implement SCIM for it to solve anything
• Demand standards-based automation of identity; demand SCIM
• Join the IETF mailing list; attend WG meetings

Page 22: Thank You and More Info

• @travisspencer
• @pingidentity
• simplecloud.info
• travisspencer.com
• 2botech.com
• pingidentity.com
