The SCIM standard was created to simplify user management in the cloud by defining a schema for representing users and groups and a REST API for all the necessary CRUD operations. VOOT is a layer on top of SCIM to exchange information about groups in federated environments.

1. VOOT
Andreas Åkre Solberg
UNINETT
Stockholm, April 2014

2. Consumer Service
Provider
Resource
Resource
Resource
CRUD

3. Typical protocol stack
HTTP
OAuth
SCIM
Resources as JSON
SCIM CRUD operations
REST

4. User
Group
…
…
Resource types

5. {
"schemas": [
"urn:scim:schemas:core:1.0”
],
"id": "2819c223-413861904646",
"userName": "bjensen@example.com",
"displayName": "Babs Jensen",
"preferredLanguage": "en_US",
"locale": "en_US",
"timezone": "America/Los_Angeles"
}
{
"schemas": [
"urn:scim:schemas:core:1.0"
],
"id": "e9e30dba-f08f-4109",
"displayName": "Tour Guides"
}
Resource
instances
Resource
types
Schemas
User Group
SCIM
Core
User
SCIM
Core
Group
SCIM
Core
Enterprise User

6. Attributes
Multi-valued
Single-valued
Simple
Complex
String
Boolean
Decimal
Integer
DateTime
Binary

7. SCIM Extension model
› Extension Schemas
› New Resource types

8. VOOT
as of April 2014
Built on top of SCIM 2.0.
› Minor SCIM adjustments (needs to be sorted out)
› Schemas for groups
› New resource types
› Pre-defined group types
Todo
› Use case and best practice
› Architecture, federation and more
Work in progress

9. User Group
is member of
**
SCIM
Too simple group membership model
VOOT
is extending SCIM
User Role Group
Group
Type
Only one role object for each combination of user and group

10. TranslatableString
{
"id": "e01eafb1-5f1c-4992-fcd5-ab0160c7ad24",
"description": {
"en": "Second year mathematics at the university",
"nb": "Andre årets mattekurs ved universitet"
}
}
{
"id": "e01eafb1-5f1c-4992-fcd5-ab0160c7ad24",
"description": "Andre årets mattekurs ved universitet"
}
HTTP Content negotiation
?translate=1

11. {
"""""id":""""""""e01eafb1-5f1c-4992-fcd5-ab0160c7ad24",
"""""sourceID":""voot:sources:uninett:fs",
"""""displayName_":"{
"""""""""en":""Course"M.201"Mathematics"at"University"of"Oslo",
"""""""""nb":""Fag"M.201"Matematikk"ved"Universitetet"i"Oslo"
""""},
"""""description":"{
"""""""""en":""Second"year"mathematics"at"the"university",
"""""""""nb":""Andre"årets"mattekurs"ved"universitet"
""""},
"""""groupType":""voot:groupTypes:edu:courses",
"""""notBefore":""2006-08-01T12:00:00Z",
"""""groupActive":""true,
"""""public":"""true,
"""""may":"{
"""""""""listMembers":"true,
"""""""""manageMembers":"false
""""}
}
Groups
› sourceID
› id, name and description
› groupType (reference)
› permissions (for current user)
› active?
› public?
› time limitation (notBefore, notAfter)

12. {
"""""basic":""admin",
"""""displayName_":"{
"""""""""en":""Teacher",
"""""""""nb":""Lærer"
""""},
"""""notBefore":"""""2014B01B01T12:00:00Z",
"""""notAfter":""""""2014B08B01T12:00:00Z",
"""""roleActive":"""true,
"""""course_role":"""teacher"
}
Roles
› basic role abstraction (member, admin and owner)
› displayName
› groupType (reference)
› active?
› time limitation (notBefore, notAfter)
› Refers to both
user and group
If a user is member of a group, there
exists one and only one role object for
that relation.
› Embedded in group list
› Embedded in user list
› Standalone

13. {
"""""id":""voot:groupTypes:edu:courses",
"""""displayName":"{
"""""""""en":""Course",
"""""""""nb":""Fag"
""""},
"""""sourceID":""voot:sources:uninett:fs",
"""""groupSchemas":"""""[
"""""""""voot:groupschemaX"
""""],
"""""roleSchemas":""[
"""""""""voot:roleschemaX"
""""]
}
GroupTypes › Predefined list
VOOT spec contains a set of well defined
group types for higher education.
› Dynamic support
Clients does not need to understand
group types in advance, but may want to
sort groups according to type regardless.
› Schemas
Refers to schemas for with extended
attributes for both groups and roles.

14. GroupTypes
Harmonization / standardisation needed
Institution
with schema that maps
eduPerson affiliation
Ad-Hoc
OrgUnit
Cohort Study Course

15. GroupTypes
Information about course is
obtained from group and
role resource.
Course
{
"""""id":""""""""e01eafb1-5f1c-4992-fcd5-ab0160c7ad24",
"""""displayName_":"{
"""""""""en":"“Mathematics"101”
""""}
"""""groupType":""voot:groupTypes:edu:courses",
"""""notBefore":""2006-08-01T12:00:00Z",
"""""groupActive":""true,
"""""public":"""true,
"""""may":"{
"""""""""listMembers":"true,
"""""""""manageMembers":"false
""""}
}
{
"""""basic":""admin",
"""""displayName_":"{
"""""""""en":""Teacher",
"""""""""nb":""Lærer"
""""},
"""""notBefore":"""""2014-01-01T12:00:00Z",
"""""notAfter":""""""2014-08-01T12:00:00Z",
"""""roleActive":"""true,
"""""course_role":"""teacher"
}

18. {BASE}/me
VOOT Protocol
Information about me
{BASE}/me/Groups
The groups that I am member of
Responds with a list (ResourceList) of group
resources, where the role for the current user
is embedded in the vootRole property.
{BASE}/Roles/{GROUPID}/{USERID}
The role for a given combination of user and group.
{BASE}/Groups/{GROUPID}/members
List of members of a group
Responds with a list (ResourceList) of role
resources, where the user object is embedded.
{BASE}/Groups?search={SEARCH-TERM}
Querying for public groups

19. Next…
Continue work with specification
Involve with SCIM 2.0 standardisation
Implementation to get understanding
Interop between federations
Further work on architecture, cross-federation