Your SlideShare is downloading. ×
0
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

SCIM presentation from CIS 2012

7,147

Published on

A presentation on System for Cross-domain Identity Management (SCIM) formerly Simple Cloud Identity Management presented at the Cloud Identity Summit (CIS) 2012 by Travis Spencer, CEO of Twobo …

A presentation on System for Cross-domain Identity Management (SCIM) formerly Simple Cloud Identity Management presented at the Cloud Identity Summit (CIS) 2012 by Travis Spencer, CEO of Twobo Technologies, a consulting firm specializing in Identity and Access Management (IAM), cloud security, and mobile security

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
7,147
On Slideshare
0
From Embeds
0
Number of Embeds
20
Actions
Shares
0
Downloads
74
Comments
0
Likes
3
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Intro to SCIM Travis Spencer, CEO Twobo Technologies
  • 2. The Problem• Modern systems are massively distributed• Organizations need to automate user/group management across domain boundaries• Large cloud providers have their own APIs• Enterprise-to-enterprise is a dog’s dinner• Identity is the fly in the integration ointment
  • 3. The Resulting Reality• Tactical, bespoke methods that can’t scale• Expensive integration work & custom development• Systems maintain isolated silos of user data• X-employees continue accessing resources• Solution is automation based on open standards
  • 4. Banding Together to Solve this Problem• Salesforce, Google, UnboundID, Ping Identity, Sailpoint, Technology Nexus, etc.• Protocol drafted, tested, and released in 2011 Q1 – Initial draft of spec Q2 – Updated draft discussed at IIW Q3 – Consortium formed under OWF, interop tests at IIW Q4 – V. 1 agreed upon by consortium, submitted to IETF
  • 5. SCIM, a Modern Standard for Automation• The spec formerly known as Simple Cloud…• Provisioning API to manage users & groups• Support bulk updates for ingest & sync• Low-tech barrier, easy w/ curl & JavaScript• Designed w/ mobile in mind• Goes hand-in-glove w/ federation• Secure access using OAuth 2 et. al
  • 6. SCIM Specification SetREST API for CRUD Federation Binding• JSON & XML • SAML• Response codes • TBD: OpenID ConnectCore Schema• User • Groups• Enterprise Extension • Config
  • 7. Features of SCIM• Core schema – Models user, groups, etc. – Defines basic user attributes (name, address, etc.)• RESTful API – Defines CRUD to synchronize resources – JSON and XML data formats• Federation bindings – SAML, OIC – Supports JIT provisioning during SSO – Maps SCIM schema to federation protocols
  • 8. Push ProvisioningIdP Organization SP Organization CRUD of user object SCIM SCIM Client Server Status
  • 9. JIT ProvisioningIdP Organization SP Organization Create user on the fly IdP SP User data in federation message Browser
  • 10. JIT + PullIdP Organization SP Organization Create new user User object IdP / SCIM SP / SCIM Get User Server Client Access token in federation message Browser
  • 11. Overview of API• RESTful• Specifies well known endpoints & HTTP methods for managing core resources – User and group resources correspond to /Users and /Groups, respectively• Responses are returned in the body of the HTTP messages in JSON or XML format
  • 12. Authentication and Security• Spec does not mandate a particular authentication scheme• OAuth 2 is recommended, but others are not precluded (e.g., HTTP basic)• Client and server must exchange data over SSL/TLS
  • 13. Supported HTTP VerbsVerb MeaningGET Retrieves a resourcePOST Creates a new resourcePUT Completely update a resourcePATCH Partially update a resourceDELETE Delete a resource
  • 14. Controlling Responses• Filter (i.e., search) – Find specific resources – Request a subset of attributes• Sorting – Sort by – Sort order• Pagination – Client maintains offset and count – No server-side cursors (v. 2 probably)
  • 15. Extensible Schema• Protocol defines core schema used to represent resources of various types – Modeled after POCO & others – Also stipulates how to extend• Defines enterprise extensions – Adds manager, department, organization, etc.• Others can be created at will
  • 16. Includes Mapping from Active DirectoryActive Directory SCIMuserPrincipalName userNamemail email.value@type=workgivenName name.givenNamesn name.familyNamewhenCreated meta.whenCreateduserPassword passwordcn displayName
  • 17. Retrieving User Data GET request = GET /Users/2819c223-7f76-453a-919d-413861904646 read Host: example.com Accept: application/json User ID Authorization: Bearer h480djs93hd8 Return JSON HTTP/1.1 200 OK Attributes are Content-Type: application/json in JSON format200 = successful Location: response https://example.com/v1/Users/2819c223-7f76- 453a-919d-413861904646 ETag: W/"f250dd84f0671c3" Same User ID { ... "name":{ "formatted":"Ms. Barbara J Jensen III", "familyName":"Jensen", Attributes "givenName":"Barbara" }, "userName":"bjensen",
  • 18. Updating a Group with a new Member PATCH /Groups/acbf3ae7-8463-4692-b4fd-PATCH = only 9b4da3f908ceupdate what’s Host: example.com Secure access changed Accept: application/json using OAuth 2 Authorization: Bearer h480djs93hd8 ETag: W/"a330bc54f0671c9" { "schemas": ["urn:scim:schemas:core:1.0"], "members": [ { "display": "Babs Jensen", New group "value": "2819c223-7f76-453a…" member; others } are unchanged ] }
  • 19. SCIM vis-à-vis UserInfo Endpoint in OIC User Agent 1. Get a token AS Client RS 3. Use a token 2. Read a token User- SCIM Info OIC SCIM API Base OAuth
  • 20. What’s Next for SCIM?• More and more implementations!• PingOne and UnboundID’s synchronization server are already in the market• Major SaaS providers are launching this year• Other IAM vendors releasing soon• IETF working group has been formed – Date of completion projected for 2014 – V. 1 is available today
  • 21. Support SCIM• SaaS and IdM vendors must implement SCIM for it to solve anything• Demand standards-based automation of identity; demand SCIM • Join IETF mailing list; attend WG meetings
  • 22. Thank You and More Info• @travisspencer• @pingidentity• simplecloud.info• travisspencer.com• 2botech.com• pingidentity.com

×