Jan19 scim webinar-04
Overview of the Simple Cloud Identity Management spec
Presentation Transcript

  • SCIM Webinar, Jan 18, 2012
    Patrick Harding, CTO
    Paul Madsen, Senior Technical Architect
    © 2010 Ping Identity Corporation
  • Background & Overview
  • Current State
    • Enterprises need programmatic mechanisms to manage users/roles/groups in Cloud apps
    • Large SaaS vendors have implemented proprietary APIs
      • Google, Salesforce, Cisco WebEx, SuccessFactors, etc.
      • All very similar, work well
  • Call to Arms
    • At Cloud Identity Summit 2010, attendees established the need for an ‘open standard’ for provisioning cloud users
    • Google, Salesforce, Ping Identity, UnboundID and Microsoft created the ‘Cloud Directory’ user group
    • Initial discussions at IIW 12
  • 2011 - Year of Development
    • Q1 2011: Initial Draft SCIM Spec developed by Ping, UnboundID and Salesforce
    • Q2 2011: Draft SCIM Spec introduced at IIW 13; significant interest and discussion
    • Q3 2011: SCIM Working Group established under OWF; Cisco, SailPoint and Google contribute
    • Q4 2011: Multiple vendors demonstrate interop at IIW 14; SCIM v1.0 in December 2011
  • SCIM 1.0 Specification Set (http://simplecloud.info)
    • Core Schema: User, Enterprise Extension, Groups, Config
    • REST API: CRUD methods, response codes
    • SAML Binding (draft): attribute mapping
    • Future bindings
  • SCIM Basics
    • Core Schema
      • Represents User, Groups, Schema, Bulk etc.
      • Defines basic user attributes (name, address, contact etc.)
    • REST API
      • Defines Create, Read, Update & Delete methods to synchronize user object information
    • SAML Binding
      • Supports Just-In-Time provisioning during SSO
      • Maps SCIM schema to SAML AttributeStatement
  • Example 1: Push
    Client (User Directory) to Provider (Cloud App User Store) over the SCIM API:
    1. Create/Update/Delete User Object
    2. Status
  • Example 2: SAML JIT
    SAML IdP (User Directory) to SAML SP (User Store) via the Browser:
    1. SAML Token w/ User Object
  • Example 3: OpenID JIT + Pull
    OpenID IdP (User Store, API) and OpenID SP (User Store) via the Browser:
    1. OpenID Response
    2. Read User Object
    3. User Object
  • What’s Next?
    • Implementation, implementation, implementation!
      • Major cloud application platforms have indicated that they will implement SCIM in 2012
    • SCIM working group to move to the IETF in 2012
      • Use SCIM v1.0 as baseline submission
      • Working code and successful deployments are key
      • SCIM v2.0 will address issues
  • Technical
  • Terminology
    • Service Provider: A web application that provides identity information via the SCIM protocol (think SaaS)
    • Consumer: A website or application that uses the SCIM protocol to manage identity data maintained by the Service Provider (think Enterprise)
    • Resource: The Service Provider managed artifact containing one or more attributes; e.g., User or Group
  • Schema
    • SCIM provides a minimal core schema for representing Resources of different types
    • User, Groups, Schema, Bulk etc.
    • The User schema took the Portable Contacts schema [1] as its starting point
    • Basic user attributes (name, address, contact, groups, password etc.)
    [1] http://www.portablecontacts.net/draft-spec.html
  • Schema - Password?
    • Group torn on whether to support password management in the schema
    • Acknowledgement that best practice is that enterprise users NOT be provisioned with passwords at SaaS providers
    • But
      • Current reality doesn’t everywhere reflect the ideal
      • Hope/expectation that SCIM will be applied beyond Cloud
    • Consumers can specify an initial password when creating a new User (POST) or reset an existing User’s password (PATCH)
  • Schema - Enterprise extension
    • Extends the generic user with enterprise semantics
    • Adds manager, department, organization, etc.

      <ent:employeeNumber>701984</ent:employeeNumber>
      <ent:manager>
        <ent:managerId>902c246b-6245-4190</ent:managerId>
        <ent:displayName>Mandy Pepperidge</ent:displayName>
      </ent:manager>
      <ent:costCenter>4130</ent:costCenter>
      <ent:organization>Universal Studios</ent:organization>
      <ent:division>Theme Park</ent:division>
      <ent:department>Tour Operations</ent:department>

  • Schema - Groups
    • Group resources enable group & role based access control
    • Groups contain members
    • How the Service Provider implements access control is out of scope

      PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
      Host: example.com
      Accept: application/json
      Authorization: Bearer h480djs93hd8
      ETag: W/"a330bc54f0671c9"

      {
        "schemas": ["urn:scim:schemas:core:1.0"],
        "members": [
          { "display": "Babs Jensen", "value": "2819c223-7f76-453a-919d-413861904646" }
        ]
      }

  • Schema - Metadata
    • The Service Provider Configuration Resource enables a Service Provider to expose its compliance with the SCIM specification in a standardized form and to provide additional implementation details to Consumers.

      {
        "schemas": ["urn:scim:schemas:core:1.0"],
        "patch": { "supported": true },
        "bulk": { "supported": true, "maxOperations": 1000, "maxPayloadSize": 1048576 },
        "filter": { "supported": true, "maxResults": 200 },
        "changePassword": { "supported": true },
        "authenticationSchemes": [
          {
            "name": "OAuth Bearer Token",
            "specUrl": "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
            "documentationUrl": "http://example.com/help/oauth.html",
            "type": "oauthbearertoken",
            "primary": true
          }
        ]
      }

  • Schema - representative AD Mapping

      AD                   SCIM
      userPrincipalName    userName
      mail                 emails.value (type=work)
      givenName            name.givenName
      sn                   name.familyName
      whenCreated          meta.whenCreated
      userPassword         password
      cn                   displayName
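The mapping table above, turned into working code. This is an added example, not code from the slides or from Ping Identity: the AD-to-SCIM core mapping is the one on the slide, while the AD attributes used for the enterprise extension (employeeNumber, department, company, division) are my own assumption, and the helper names are mine.

```python
# Added example (not from the slides): build a SCIM 1.0 User from an Active
# Directory record using the AD -> SCIM mapping on the slide.
SCIM_CORE = "urn:scim:schemas:core:1.0"
SCIM_ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"  # SCIM 1.0 extension URN

# AD attribute -> SCIM path as on the slide. "emails[work].value" means the entry
# of multi-valued "emails" whose type is "work". SCIM 1.0 calls the creation
# timestamp meta.created (the slide labels it meta.whenCreated).
AD_TO_SCIM = {"userPrincipalName": "userName", "mail": "emails[work].value",
              "givenName": "name.givenName", "sn": "name.familyName",
              "whenCreated": "meta.created", "userPassword": "password",
              "cn": "displayName"}
# Assumed AD mapping for the enterprise extension (not on the mapping slide).
AD_TO_ENTERPRISE = {"employeeNumber": "employeeNumber", "department": "department",
                    "company": "organization", "division": "division"}


def set_path(obj, path, value):
    """Assign value at a dotted path, creating nested dicts and typed entries."""
    parts = path.split(".")
    node = obj
    for i, part in enumerate(parts):
        if part.endswith("]"):                       # typed entry, e.g. emails[work]
            name, typ = part[:-1].split("[")
            entries = node.setdefault(name, [])
            entry = next((e for e in entries if e.get("type") == typ), None)
            if entry is None:
                entry = {"type": typ}
                entries.append(entry)
            node = entry
        elif i == len(parts) - 1:
            node[part] = value
        else:
            node = node.setdefault(part, {})


def ad_to_scim_user(ad, include_password=False):
    """Map an AD record to a SCIM User. userPassword is dropped unless asked for:
    the slides note that provisioning passwords at SaaS providers is not best practice."""
    user = {"schemas": [SCIM_CORE]}
    for ad_attr, scim_path in AD_TO_SCIM.items():
        if ad_attr in ad and (scim_path != "password" or include_password):
            set_path(user, scim_path, ad[ad_attr])
    ent = {k: ad[a] for a, k in AD_TO_ENTERPRISE.items() if a in ad}
    if ent:  # SCIM 1.0 JSON nests extension attributes under the extension URN
        user["schemas"].append(SCIM_ENTERPRISE)
        user[SCIM_ENTERPRISE] = ent
    return user
```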
  • API
    • Specifies well-known endpoints & HTTP methods for managing Resources defined in the core schema
    • User and Group Resources correspond to /Users and /Groups respectively
    • RESTful (really)
    • Responses are returned in the body of the HTTP response, formatted as JSON or XML, depending on what is requested
  • API - Architecture
    The Client calls the Service Provider's API; the Service Provider holds the Resources and returns a Resource representation in the Response
  • API - Verbiage
    • The API uses HTTP verbs as follows
      • GET (retrieves an existing resource)
      • POST (creates a new resource)
      • PUT (overrides an existing resource)
      • PATCH (partially modifies an existing resource)
      • DELETE (deletes an existing resource)
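How a Consumer can let the Service Provider Configuration (the metadata slide) decide which of these verbs and batch sizes it uses. This is an added example, not code from the slides or from Ping Identity; the configuration text is the slide's JSON trimmed to the fields used, the "Operations" key of a bulk request follows SCIM 1.0, and the function names are mine.

```python
# Added example (not from the slides): let the Service Provider Configuration
# decide which verb and batch sizes a Consumer may use.
import json

SCIM_CORE = "urn:scim:schemas:core:1.0"
# Configuration as on the metadata slide (trimmed to the fields used here).
SP_CONFIG_JSON = """{"schemas": ["urn:scim:schemas:core:1.0"],
  "patch": {"supported": true},
  "bulk": {"supported": true, "maxOperations": 1000, "maxPayloadSize": 1048576},
  "filter": {"supported": true, "maxResults": 200},
  "authenticationSchemes": [{"name": "OAuth Bearer Token",
                             "type": "oauthbearertoken", "primary": true}]}"""


def load_config(text):
    """Parse the config; a feature block the provider omits counts as unsupported."""
    cfg = json.loads(text)
    for feature in ("patch", "bulk", "filter", "changePassword"):
        cfg.setdefault(feature, {"supported": False})
    cfg.setdefault("authenticationSchemes", [])
    return cfg


def bearer_allowed(cfg):
    """True when the provider advertises OAuth bearer tokens for Authorization."""
    return any(s.get("type") == "oauthbearertoken" for s in cfg["authenticationSchemes"])


def plan_update(cfg, user_id, current, changes):
    """Return (method, path, body): PATCH carries only the changed attributes;
    without PATCH support, fall back to PUT of the full merged resource."""
    path = f"/Users/{user_id}"
    if cfg["patch"]["supported"]:
        return "PATCH", path, {"schemas": [SCIM_CORE], **changes}
    return "PUT", path, {**current, **changes}


def chunk_bulk(cfg, operations):
    """Split bulk Operations into requests honouring maxOperations and maxPayloadSize."""
    if not cfg["bulk"]["supported"]:
        raise ValueError("Service Provider does not support bulk")
    max_ops, max_bytes = cfg["bulk"]["maxOperations"], cfg["bulk"]["maxPayloadSize"]
    base = len(json.dumps({"schemas": [SCIM_CORE], "Operations": []}))
    chunks, cur, size = [], [], base
    for op in operations:
        op_size = len(json.dumps(op)) + 2          # +2 over-counts the ", " separator
        if base + op_size > max_bytes:
            raise ValueError("a single operation exceeds maxPayloadSize")
        if len(cur) == max_ops or size + op_size > max_bytes:
            chunks.append(cur)
            cur, size = [], base
        cur.append(op)
        size += op_size
    return chunks + [cur] if cur else chunks
```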
  • API - Authentication
    • SCIM does not mandate a particular authentication scheme by which Consumers authenticate to Service Providers
    • OAuth 2.0 is RECOMMENDED, but other schemes (e.g. HTTP Basic) are not precluded
    • Consumers and Service Providers MUST implement TLS
  • API - Authentication - OAuth example

      POST /Users HTTP/1.1
      Host: example.com
      Accept: application/xml
      Authorization: Bearer h480djs93hd8

      <?xml version="1.0" encoding="UTF-8"?>
      <scim:User xmlns:scim="urn:scim:schemas:core:1.0">
        <userName>bjensen@example.com</userName>
        <externalId>701984</externalId>
        <emails>
          <email>
            <value>bjensen@example.com</value>
            <primary>true</primary>
            <type>work</type>
          </email>
        </emails>
      </scim:User>

  • API - Response codes
    • The API uses/overrides HTTP response codes to indicate operation success or failure.
    • In addition, Service Providers return errors in the body of the response with human-readable explanations.

      HTTP/1.1 404 NOT FOUND

      {
        "Errors": [
          {
            "description": "Resource 2819c223-7f76-453a-919d- not found",
            "code": "404"
          }
        ]
      }

  • API - Error codes
  • API - Response operations
    • SCIM defines a standard set of operations that can be used to filter, sort, and paginate response results.
    • Consumers may request a subset of Resources by specifying the filter URL query parameter containing a filter expression.
    • Sorting allows Consumers to specify the order in which Resources are returned by specifying a combination of the sortBy and sortOrder URL parameters.
    • Pagination parameters can be used together to "page through" large numbers of Resources so as not to overwhelm the Consumer or Service Provider.
  • SAML Binding
    • Supports a JIT provisioning model where users are created in real time (vs. a priori via the API)
    • Binds SCIM User objects to SAML Attributes
    • Expectation is that other SSO/JIT bindings will follow in time
    • The SAML binding was not voted out with the API and Core Schema; the group needs to resolve the tension between
      • SCIM’s push for simplicity
      • Existing SAML Attribute Person Profiles
    • Complex attributes don’t easily map into SAML Attributes
  • SAML Binding - Architecture
    Browser, SAML IdP (Client) and SAML SP (Service Provider); the Service Provider holds the Resources and the IdP carries a Resource representation in the assertion
  • SAML Binding - SAML Attributes

      <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"
                               xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                               xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
        <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                        Name="SCIM.userName">
          <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                        Name="SCIM.name.formatted">
          <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
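The attribute naming shown above ("SCIM." followed by the dotted attribute path), as an added example of going from a SCIM User to a SAML AttributeStatement and back. This is not code from the slides or from Ping Identity: the flattening rule for simple and complex attributes is taken from the slide's two attributes, multi-valued attributes are deliberately skipped because the binding slide says they do not map cleanly, and the function names are mine.

```python
# Added example (not from the slides): map a SCIM User to the SAML
# AttributeStatement form shown on the slide ("SCIM." + dotted path) and back.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XS = "http://www.w3.org/2001/XMLSchema"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ET.register_namespace("saml", SAML)


def flatten(user, prefix="SCIM"):
    """Turn simple and complex (nested) attributes into dotted attribute names.
    Multi-valued attributes (lists) are skipped: the slides note they do not map
    cleanly onto SAML Attributes, so they must not silently collapse to one value."""
    out = {}
    for key, val in user.items():
        if key == "schemas" or isinstance(val, list):
            continue
        if isinstance(val, dict):
            out.update(flatten(val, f"{prefix}.{key}"))
        else:
            out[f"{prefix}.{key}"] = str(val)
    return out


def to_attribute_statement(user):
    """Serialise the flattened User as a saml:AttributeStatement (string)."""
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement", {"xmlns:xs": XS})
    for name, value in flatten(user).items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute",
                             {"NameFormat": NAME_FORMAT, "Name": name})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue",
                      {f"{{{XSI}}}type": "xs:string"}).text = value
    return ET.tostring(stmt, encoding="unicode")


def from_attribute_statement(xml_text):
    """Rebuild the nested User dict from SCIM.* attributes. Use only on an
    assertion whose signature has already been verified (not shown here);
    attributes outside the SCIM.* namespace are ignored, not merged in."""
    user = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML}}}Attribute"):
        path = attr.get("Name", "").split(".")
        if path[0] != "SCIM" or len(path) < 2:
            continue
        node = user
        for part in path[1:-1]:
            node = node.setdefault(part, {})
        value = attr.find(f"{{{SAML}}}AttributeValue")
        node[path[-1]] = value.text if value is not None else None
    return user
```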
  • Conclusions
    • SCIM has the potential to be an important IdM standard in & out of the cloud
    • But, if SCIM is to avoid SPML’s fate, adoption is key
    • Start demanding that IdM vendors and SaaS providers add support
  • Thank you
    @pingcto, @paulmadsen
  • Demo
  • Demo
    Enterprise (AD, Ping) to Cloud (Salesforce/SFDC) SCIM User Store