Standardizing Identity Provisioning with SCIM
Published in: Technology
Transcript of "Standardizing Identity Provisioning with SCIM"

  1. Hasini Gunasinghe, Software Engineer
  2. Example – an employee joining WSO2
     (Diagram: LDAP, other internal apps, provisioning system, other cloud apps/services.)
     Image courtesy: http://www.crn.com/slide-shows/applications-os/223800159/google-apps-marketplace-10-hot-cloud-applications.htm and http://newmediasense.net/more-than-50-cloud-developers-commit-to-jive-apps-market%E2%84%A2/222888/
  3. What is it?
     "Creation, maintenance & deactivation of user accounts, in one or more systems or applications, in response to automated or interactive business processes." – Wikipedia
  4. Identifying the parties involved…
     • ECS – Enterprise Cloud Subscriber
     • CSU – Cloud Service User
     • CSP – Cloud Service Provider
     (Diagram: LDAP, other internal apps, provisioning system, other cloud apps/services.)
  5. Current approach...
     (Diagram: the provisioning system holds a separate connector to LDAP, to each internal app and to each cloud app/service.)
  6. Problems with current approach
     • Redundant integration efforts for ECS & CSP.
     • Maintenance nightmare of multiple connectors.
     • Complexity and cost.
  7. Solution would be a common protocol that everyone agrees on.
     Image courtesy: http://causerelatedmarketing.blogspot.com/2011/09/lets-bring-open-standards-to-practice.html
  8. Open standards in identity management
     1. Authentication: SAML based WS-Trust & SSO, OpenID, OAuth
     2. Authorization: XACML
     3. Provisioning: SPML, WS-Provisioning, SCIM
  9. How does an open standard solve the current problems?
     (Diagram: LDAP, other internal apps, provisioning system, other cloud apps/services, all speaking one protocol.)
  10. SCIM in a nutshell...
     • Emerging open standard.
     • REST API.
     • Platform neutral schema.
     • SAML binding.
     • Emphasis on simplicity and interoperability.
  11. PROTOCOL – in a nutshell...
     • REST API
       • Resource endpoints
       • Supported HTTP methods
  12. PROTOCOL – in a nutshell...
     • The SCIM REST API is relative to a base URL: https://example.com/scim/v1/
     • Requests are made via HTTP operations on a URL derived from the base URL, e.g. POST -> https://example.com/scim/v1/Users
     • JSON / XML formats
  13. SCHEMA – in a nutshell...
     • Resource – collection of attributes.
     • Schema defines attributes.
     • SCIM Core Schema
     • Extension model: additive – similar to auxiliary object classes in LDAP.
  14. SCHEMA – in a nutshell...
     • Other SCIM schemas:
       • User Schema, Enterprise User Schema Extension
       • Group Schema
       • Service Provider Configuration Schema
       • Resource Schema
  15. SCHEMA – in a nutshell...
     • Minimal user representation in JSON & XML formats.
  16. SAML BINDING – in a nutshell...
     • SCIM – SAML mapping
       • Attributes
       • SSO Assertion
       • AttributeQuery
       • Metadata
  17. Brief history…
     • Started in mid 2010.
     • Version 1.0 approved in Dec 2011.
     • Working on submitting to IETF.
     • Discussions made open at cloud-directory@googlegroups.com
  18. Why SCIM? Platform neutral schema
     • Mandatory core schema with extension model.
     • Flexibility
     • Interoperability
     • Simplicity
  19. Why SCIM? REST API
     • Lightweight, with JSON support.
     • Avoids a performance bottleneck on the connector.
  20. Why SCIM? SAML Binding
     • Just-in-time provisioning with SSO.
     • Pull / push based identity management.
  21. More...
     • Defined core + optional capabilities.
     • Based on existing deployments and standards – LDAP, SAML.
     • Several implementations.
     • Adoption by major cloud vendors.
  22. Covered so far
     • Identity provisioning.
     • Value of open standards in the space of provisioning.
     • SCIM.
     • Why SCIM?
  23. PROTOCOL – Security considerations
     • Authentication and authorization – OAuth2 bearer token recommended.
     • Should be over TLS.
     • The password attribute is never returned in responses.
  24. Automated provisioning
     (Diagram: HR administrator → (1) create user account → SCIM based enterprise provisioning system → (2) create user → internal apps, SaaS 1, SaaS 2 → (3) ok.)
  25. PROTOCOL – Example: Create User – Request
  26. PROTOCOL – Example: Create User – Response
  27. JIT provisioning with SSO – Pull
     (Diagram with the user, the enterprise SSO IdP and the SaaS: SSO redirect, login, SAML Response, SAML Attribute Query, SCIM user identity, create user account.)
  28. SAML Binding – Example: SAML Attribute Query
  29. Bulk UM operations
     • Initial imports of CSU accounts.
     • Scheduled synchronizations.
     (Diagram: LDAP ↔ SaaS.)
  30. PROTOCOL – Example: POST on the Bulk endpoint
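The create-user request/response on slides 25–26 and the bulk request on slide 30 survive only as images here. The Python block below is an added example (not WSO2's or the deck's own code) of what a service implementing those two operations has to do: require the OAuth2 bearer token from slide 23, reject duplicates, assign an id, location and ETag version, never echo the password attribute, and resolve `bulkId:` references between operations in one bulk request. It assumes the base URL from slide 12 and the SCIM 1.1 core schema URN; the token value, identifiers and all user and group data are constructed.

```python
"""Added example, not code from the slides: a minimal in-memory SCIM 1.1-style
service handling POST /Users and POST /Bulk. It enforces the deck's security
points (bearer token required; the password attribute is never returned) and
resolves "bulkId:" references between bulk operations. Token and data are constructed."""
import copy
import hashlib
import itertools
import json
import os

BASE_URL = "https://example.com/scim/v1"
CORE_SCHEMA = "urn:scim:schemas:core:1.0"
VALID_TOKENS = {"constructed-bearer-token"}  # constructed; a real service validates OAuth2 tokens


def _error(code, description):
    return {"Errors": [{"description": description, "code": str(code)}]}


def _etag(resource):
    # Weak ETag over the resource content (meta excluded); exposed as meta.version
    body = {k: v for k, v in resource.items() if k != "meta"}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return 'W/"%s"' % digest[:16]


class ScimService:
    def __init__(self):
        self.users, self.groups, self.credentials = {}, {}, {}
        self._ids = itertools.count(1)
        self.creators = {"/Users": self.create_user, "/Groups": self.create_group}

    def _authorized(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        return scheme == "Bearer" and token in VALID_TOKENS

    def _store(self, table, kind, resource):
        uid = "%s-%d" % (kind.lower(), next(self._ids))
        resource = dict(resource, id=uid)
        resource["meta"] = {"location": "%s/%s/%s" % (BASE_URL, kind, uid), "version": _etag(resource)}
        table[uid] = resource
        return copy.deepcopy(resource)

    def create_user(self, headers, body):
        if not self._authorized(headers):
            return 401, _error(401, "Bearer token required")
        if CORE_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return 400, _error(400, "schemas and userName are required")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return 409, _error(409, "userName already exists")
        body = dict(body)
        password = body.pop("password", None)  # write-only: kept out of the resource, stored as a hash
        created = self._store(self.users, "Users", body)
        if password is not None:
            salt = os.urandom(16)
            self.credentials[created["id"]] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        return 201, created

    def create_group(self, headers, body):
        if not self._authorized(headers):
            return 401, _error(401, "Bearer token required")
        if not body.get("displayName"):
            return 400, _error(400, "displayName is required")
        for m in body.get("members", []):
            if m.get("value") not in self.users and m.get("value") not in self.groups:
                return 400, _error(400, "unknown member %r" % m.get("value"))
        return 201, self._store(self.groups, "Groups", body)

    def _resolve(self, value, created):
        # Replace "bulkId:<id>" references with the id of the resource that operation created
        if isinstance(value, str) and value.startswith("bulkId:"):
            return created[value[len("bulkId:"):]]  # KeyError if that operation has not succeeded
        if isinstance(value, dict):
            return {k: self._resolve(v, created) for k, v in value.items()}
        if isinstance(value, list):
            return [self._resolve(v, created) for v in value]
        return value

    def bulk(self, headers, body):
        if not self._authorized(headers):
            return 401, _error(401, "Bearer token required")
        fail_on, failures, created, results = body.get("failOnErrors"), 0, {}, []
        for op in body.get("Operations", []):
            creator = self.creators.get(op.get("path")) if op.get("method") == "POST" else None
            if creator is None:
                status, payload = 400, _error(400, "only POST to /Users or /Groups is supported here")
            else:
                try:
                    status, payload = creator(headers, self._resolve(op.get("data", {}), created))
                except KeyError as ref:
                    status, payload = 400, _error(400, "unresolved bulkId %s" % ref)
            result = {"method": op.get("method"), "bulkId": op.get("bulkId"), "status": {"code": str(status)}}
            if status == 201:
                result["location"] = payload["meta"]["location"]
                if op.get("bulkId"):
                    created[op["bulkId"]] = payload["id"]
            else:
                failures += 1
                result["response"] = payload
            results.append(result)
            if fail_on is not None and failures >= fail_on:
                break  # remaining operations are not attempted
        return 200, {"schemas": [CORE_SCHEMA], "Operations": results}
```

Two points worth noticing: the bulk response reports a status per operation while the HTTP status stays 200, so clients must inspect `Operations[*].status`; and `failOnErrors` stops processing but does not roll back operations already applied.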
  31. Identity synchronization
     • Partial updates with PATCH
     • Conditional overwrites with ETag
  32. PROTOCOL – Example: PATCH
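The PATCH example on slide 32 is an image, so here is an added Python example (not from the deck or WSO2) of the SCIM 1.1 PATCH semantics together with the ETag usage behind slides 31 and 33: `If-Match` on PATCH refuses a stale overwrite with 412, and `If-None-Match` on GET answers 304 when the client's copy is current. The user record, the ETag format and the choice of status codes are this example's own assumptions within what the spec and HTTP allow.

```python
"""Added example, not code from the slides: SCIM 1.1 PATCH semantics plus ETag
conditional overwrite (If-Match) and conditional retrieval (If-None-Match)
against an in-memory store. The stored user is constructed."""
import copy
import hashlib
import json

CORE_SCHEMA = "urn:scim:schemas:core:1.0"


def etag(resource):
    body = {k: v for k, v in resource.items() if k != "meta"}
    return 'W/"%s"' % hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()[:16]


def _val(entry):
    # multi-valued entries are identified by their "value" sub-attribute (or the literal itself)
    return entry.get("value") if isinstance(entry, dict) else entry


def apply_patch(resource, patch):
    """SCIM 1.1 PATCH: single-valued attributes are replaced; multi-valued entries are
    added or replaced by value, entries tagged operation=delete are removed; and
    meta.attributes lists whole attributes to remove."""
    out = copy.deepcopy(resource)
    for name in patch.get("meta", {}).get("attributes", []):
        out.pop(name, None)
    for name, value in patch.items():
        if name in ("schemas", "id", "meta"):
            continue  # never patched through the body
        if isinstance(value, list):
            current = list(out.get(name, []))
            for entry in value:
                current = [e for e in current if _val(e) != _val(entry)]
                if not (isinstance(entry, dict) and entry.get("operation") == "delete"):
                    current.append(entry)
            out[name] = current
        else:
            out[name] = value
    return out


class Store:
    def __init__(self, resources):
        self.data = {r["id"]: dict(r, meta=dict(r.get("meta", {}), version=etag(r))) for r in resources}

    def get_user(self, user_id, headers):
        user = self.data.get(user_id)
        if user is None:
            return 404, None
        if headers.get("If-None-Match") == user["meta"]["version"]:
            return 304, None  # client copy is current; nothing to transfer
        return 200, copy.deepcopy(user)

    def patch_user(self, user_id, headers, patch):
        current = self.data.get(user_id)
        if current is None:
            return 404, None
        if "If-Match" in headers and headers["If-Match"] != current["meta"]["version"]:
            return 412, None  # someone else wrote first; caller must re-read and retry
        updated = apply_patch(current, patch)
        updated["meta"] = dict(current["meta"], version=etag(updated))
        self.data[user_id] = updated
        return 200, copy.deepcopy(updated)
```

A synchronisation job that reads a user, computes a PATCH and sends it with `If-Match` set to the version it read will never silently overwrite a change made in between; on 412 it re-reads and recomputes instead.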
  33. Identity retrieval
     • Filtering
     • Conditional retrieval with ETag
  34. Identity retrieval
     • Partial retrieval – with the "attributes" query parameter
     • Pagination
     • Sorting
     Example: GET /Users?startIndex=1&count=10
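Slides 33–34 name the retrieval features without showing how a service applies them. The following Python block is an added example (not the deck's or WSO2's code) of a `GET /Users` handler over an in-memory list: it parses the SCIM 1.1 filter grammar for `attribute operator value` terms joined by `and`/`or` (no parentheses, `and` binding tighter), sorts with `sortBy`/`sortOrder`, pages with the 1-based `startIndex`/`count` from slide 34, projects with `attributes`, and returns a ListResponse. The user records and the default page size of 10 are constructed for the example.

```python
"""Added example, not code from the slides: server-side handling of the SCIM 1.1
retrieval features (filter, attributes, pagination, sorting) over an in-memory user
list. The filter parser covers attr/op/value terms joined by and/or without
parentheses. The users below are constructed sample data."""
import json
import re

CORE_SCHEMA = "urn:scim:schemas:core:1.0"
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')  # a quoted string or a bare word
OPS = {
    "eq": lambda v, l: v == l,
    "co": lambda v, l: l in v,
    "sw": lambda v, l: v.startswith(l),
    "gt": lambda v, l: v > l, "ge": lambda v, l: v >= l,
    "lt": lambda v, l: v < l, "le": lambda v, l: v <= l,
}

SAMPLE_USERS = [  # constructed
    {"id": "1", "userName": "bjensen", "name": {"familyName": "Jensen", "givenName": "Barbara"},
     "emails": [{"value": "bjensen@example.com", "type": "work"}], "title": "Tour Guide", "active": True},
    {"id": "2", "userName": "jsmith", "name": {"familyName": "Smith", "givenName": "John"},
     "emails": [{"value": "jsmith@example.com", "type": "work"}], "title": "Engineer", "active": True},
    {"id": "3", "userName": "aadams", "name": {"familyName": "Adams", "givenName": "Ann"}, "active": False},
]


def get_path(resource, path):
    """Values at a dotted attribute path; a multi-valued attribute yields one value per element."""
    values = [resource]
    for part in path.split("."):
        nxt = []
        for v in values:
            if isinstance(v, list):
                nxt.extend(x[part] for x in v if isinstance(x, dict) and part in x)
            elif isinstance(v, dict) and part in v:
                nxt.append(v[part])
        values = nxt
    return values


def match_term(resource, attr, op, raw):
    values = get_path(resource, attr)
    if op == "pr":
        return bool(values)
    try:
        literal = json.loads(raw)  # "string", number, true/false
    except ValueError:
        literal = raw
    for v in values:
        if isinstance(v, str) and isinstance(literal, str):
            v, lit = v.lower(), literal.lower()  # SCIM string comparison is case-insensitive
        else:
            lit = literal
        try:
            if OPS[op](v, lit):
                return True
        except (TypeError, AttributeError):
            continue  # incomparable types never match
    return False


def parse_filter(text):
    """Predicate for: term (('and'|'or') term)*, with 'and' binding tighter than 'or'."""
    tokens = TOKEN.findall(text)
    groups, terms, i = [], [], 0
    while i < len(tokens):
        if i + 1 >= len(tokens):
            raise ValueError("incomplete filter term")
        attr, op = tokens[i], tokens[i + 1].lower()
        if op == "pr":
            terms.append((attr, op, None))
            i += 2
        elif op in OPS and i + 2 < len(tokens):
            terms.append((attr, op, tokens[i + 2]))
            i += 3
        else:
            raise ValueError("bad term near %r" % tokens[i])
        if i < len(tokens):
            conn = tokens[i].lower()
            if conn == "or":
                groups.append(terms)
                terms = []
            elif conn != "and":
                raise ValueError("expected and/or, got %r" % tokens[i])
            i += 1
            if i >= len(tokens):
                raise ValueError("dangling %s" % conn)
    groups.append(terms)
    return lambda r: any(all(match_term(r, *t) for t in g) for g in groups)


def list_users(users, query):
    """GET /Users?filter=&sortBy=&sortOrder=&startIndex=&count=&attributes= as a ListResponse."""
    results = list(users)
    if query.get("filter"):
        pred = parse_filter(query["filter"])
        results = [u for u in results if pred(u)]
    if query.get("sortBy"):
        results.sort(key=lambda u: str((get_path(u, query["sortBy"]) or [""])[0]),
                     reverse=query.get("sortOrder", "ascending").lower() == "descending")
    total = len(results)
    start = max(int(query.get("startIndex", 1)), 1)  # 1-based, as on slide 34
    count = max(int(query.get("count", 10)), 0)  # 10 is this example's default page size
    page = results[start - 1:start - 1 + count]
    if query.get("attributes"):
        wanted = {a.strip() for a in query["attributes"].split(",")} | {"id"}  # id is always returned
        page = [{k: v for k, v in u.items() if k in wanted} for u in page]  # top-level names only
    return {"schemas": [CORE_SCHEMA], "totalResults": total, "itemsPerPage": len(page),
            "startIndex": start, "Resources": page}
```

Filtering and sorting are applied before paging, so `totalResults` counts every match while `itemsPerPage` counts only the page returned; a client walks the set by advancing `startIndex` by `itemsPerPage` until it reaches `totalResults`.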
  35. De-provisioning
     (Diagram with the SaaS, the enterprise SSO IdP, the SCIM based enterprise provisioning system and LDAP: (1) delete user account, (2) delete user, (3) ok, (4) delete user, (5) ok, (6) request access, (7) deny.)
  36. (Diagram: internal apps, provisioning system, other cloud apps/services, LDAP.)
  37. Summary
     • Identity provisioning.
     • Value of open standards in the space of provisioning.
     • SCIM, along with highlights from the spec.
     • Why SCIM?
     • Use cases of SCIM in an identity management solution.
     • Adoption of SCIM in WSO2 Identity Server and Stratos.
  38. References
     • http://www.simplecloud.info/
     • http://en.wikipedia.org/wiki/Provisioning#User_provisioning
  39. Selected Customers
     (Image not recoverable.)
  40. WSO2 services
     • QuickStart
     • Development Support
     • Development Services
     • Production Support
     • Turnkey Solutions
     • WSO2 Mobile Services Solution
     • WSO2 FIX Gateway Solution
     • WSO2 SAP Gateway Solution
  41. Contact Us… bizdev@wso2.com