Jan19 scim webinar-04


Overview of the Simple Cloud Identity Management spec


  1. SCIM Webinar, Jan 18, 2012. Patrick Harding, CTO; Paul Madsen, Senior Technical Architect. © 2010 Ping Identity Corporation
  2. Background & Overview
  3. Current State
     • Enterprises need programmatic mechanisms to manage users/roles/groups in Cloud apps
     • Large SaaS vendors have implemented proprietary APIs
       • Google, Salesforce, Cisco Webex, SuccessFactors, etc.
       • All very similar, work well
  4. Call to Arms
     • At Cloud Identity Summit 2010
       • Attendees established need for an ‘open standard’ for provisioning cloud users
     • Google, Salesforce, Ping Identity, UnboundID, Microsoft created ‘Cloud Directory’ user group
     • Initial discussions at IIW 12
  5. (image-only slide, no text)
  6. 2011 - Year of Development
     • Q1 2011
       • Initial Draft SCIM Spec developed by Ping, UnboundID and Salesforce
     • Q2 2011
       • Draft SCIM Spec introduced at IIW 13
       • Significant interest and discussion
     • Q3 2011
       • SCIM Working Group established under OWF
       • Cisco, Sailpoint, Google contribute
     • Q4 2011
       • Multiple vendors demonstrate interop at IIW 14
       • SCIM V1.0 in December 2011
  7. SCIM 1.0 Specification Set (http://simplecloud.info)
     • REST API: CRUD methods, response codes
     • SAML Binding (draft): attribute mapping
     • Future bindings
     • Core Schema: User, Enterprise Extension, Groups, Config
  8. SCIM Basics
     • Core Schema
       • Represents User, Groups, Schema, Bulk etc.
       • Defines basic user attributes (name, address, contact etc.)
     • REST API
       • Defines Create, Read, Update & Delete methods to synchronize user object information
     • SAML Binding
       • Supports Just-In-Time provisioning during SSO
       • Maps SCIM schema to SAML AttributeStatement
  9. Example 1: Push (diagram). User Directory (Client) → 1. Create/Update/Delete User Object via SCIM API → Cloud App User Store (Provider); 2. Status returned to the Client.
  10. Example 2: SAML JIT (diagram). Browser → SAML IdP (backed by User Directory) → 1. SAML Token w/ User Object → SAML SP (backed by User Store).
  11. Example 3: OpenID JIT + Pull (diagram). Browser → OpenID IdP (backed by User Store) → 1. OpenID Response → OpenID SP; OpenID SP → 2. Read User Object via API → OpenID IdP; 3. User Object returned to the OpenID SP User Store.
  12. What’s Next?
      • Implementation, implementation, implementation!!!
        • Major cloud application platforms have indicated that they will implement SCIM in 2012
      • SCIM working group to move to the IETF in 2012
        • Use SCIM v1.0 as baseline submission
        • Working code, successful deployments are key
        • SCIM v2.0 will address issues
  13. Technical
  14. Terminology
      • Service Provider: A web application that provides identity information via the SCIM protocol (think SaaS)
      • Consumer: A website or application that uses the SCIM protocol to manage identity data maintained by the Service Provider (think Enterprise)
      • Resource: The Service Provider managed artifact containing one or more attributes; e.g., User or Group
  15. Schema
      • SCIM provides a minimal core schema for representing Resources of different types
      • User, Groups, Schema, Bulk etc.
      • User schema took the Portable Contacts schema [1] as its starting point
      • Basic user attributes (name, address, contact, groups, password etc.)
      [1] http://www.portablecontacts.net/draft-spec.html
  16. Schema - Password?
      • Group torn on whether to support password management in schema
      • Acknowledgement that best practice is that enterprise users NOT be provisioned with passwords at SaaS providers
      • But
        • Current reality doesn’t everywhere reflect ideal
        • Hope/expectation that SCIM will be applied beyond Cloud
      • Consumers can specify an initial password when creating a new User (POST) or to reset an existing User’s password (PATCH)
  17. Schema - Enterprise extension
      • Extends generic user with enterprise semantics
      • Adds manager, department, organization, etc.

        <ent:employeeNumber>701984</ent:employeeNumber>
        <ent:manager>
          <ent:managerId>902c246b-6245-4190</ent:managerId>
          <ent:displayName>Mandy Pepperidge</ent:displayName>
        </ent:manager>
        <ent:costCenter>4130</ent:costCenter>
        <ent:organization>Universal Studios</ent:organization>
        <ent:division>Theme Park</ent:division>
        <ent:department>Tour Operations</ent:department>
  18. Schema - Groups
      • Group resources enable group & role based access control
      • Groups contain members
      • How the Service Provider implements access control is out of scope

        PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
        Host: example.com
        Accept: application/json
        Authorization: Bearer h480djs93hd8
        ETag: W/"a330bc54f0671c9"

        {
          "schemas": ["urn:scim:schemas:core:1.0"],
          "members": [
            { "display": "Babs Jensen", "value": "2819c223-7f76-453a-919d-413861904646" }
          ]
        }
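A Service Provider receiving the PATCH above has to merge the submitted members into the stored Group rather than replace them. The Python below is an added illustration, not code from the webinar or from Ping Identity: it applies a SCIM 1.0-style PATCH body to an in-memory Group (members without an operation are added, deduplicated by their "value" id; members carrying "operation":"delete" are removed) and treats the version in the request as a precondition so that two Consumers patching the same Group cannot silently overwrite each other. The stored Group, its version string and the use of the request ETag as an If-Match-style check are assumptions for the example.

```python
import copy
import hashlib
import json

# Constructed current state of the Group from the slide (version value made up).
GROUP = {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "acbf3ae7-8463-4692-b4fd-9b4da3f908ce",
    "displayName": "Tour Guides",
    "members": [
        {"display": "Mandy Pepperidge", "value": "902c246b-6245-4190-8e05-00816be7344a"},
    ],
    "meta": {"version": 'W/"a330bc54f0671c9"'},
}

# Constructed PATCH body, the same shape as the request on the slide.
PATCH_ADD_BABS = {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "members": [
        {"display": "Babs Jensen", "value": "2819c223-7f76-453a-919d-413861904646"},
    ],
}


class PreconditionFailed(Exception):
    """Raised when the Consumer's version no longer matches the stored Group."""


def apply_group_patch(group, patch_body, request_version=None):
    """Return a new Group with the PATCH applied; the input is not modified.

    Assumed semantics (SCIM 1.0 style): multi-valued "members" entries are merged,
    an entry with "operation":"delete" removes that member, and simple attributes
    in the body replace the stored ones.
    """
    stored_version = group.get("meta", {}).get("version")
    if request_version is not None and request_version != stored_version:
        # Lost-update protection: the Consumer patched a stale copy of the Group.
        raise PreconditionFailed("group changed since it was read; re-read and retry")

    updated = copy.deepcopy(group)
    by_id = {m["value"]: m for m in updated.get("members", [])}
    for member in patch_body.get("members", []):
        if member.get("operation") == "delete":
            by_id.pop(member["value"], None)
        else:
            # Adding an existing member again is idempotent (keyed on the id).
            by_id[member["value"]] = {k: v for k, v in member.items() if k != "operation"}
    updated["members"] = list(by_id.values())

    for key, value in patch_body.items():
        if key not in ("schemas", "members", "meta", "id"):
            updated[key] = value

    # New weak ETag derived from the content so stale clients fail the precondition.
    digest = hashlib.sha256(json.dumps(updated["members"], sort_keys=True).encode()).hexdigest()
    updated.setdefault("meta", {})["version"] = 'W/"%s"' % digest[:16]
    return updated
```

The version check is what turns the `ETag` on the slide's request into something useful: without it, two admins adding different members at the same moment would race, and the second write could drop the first member.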
  19. Schema - Metadata
      • Service Provider Configuration Resource enables a Service Provider to expose its compliance with the SCIM specification in a standardized form & provide additional implementation details to Consumers.

        {
          "schemas": ["urn:scim:schemas:core:1.0"],
          "patch": { "supported": true },
          "bulk": { "supported": true, "maxOperations": 1000, "maxPayloadSize": 1048576 },
          "filter": { "supported": true, "maxResults": 200 },
          "changePassword": { "supported": true },
          "authenticationSchemes": [
            {
              "name": "OAuth Bearer Token",
              "specUrl": "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
              "documentationUrl": "http://example.com/help/oauth.html",
              "type": "oauthbearertoken",
              "primary": true
            }
          ]
        }
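The point of the configuration Resource is that a Consumer reads it first and adapts: fall back from PATCH to PUT when patching is unsupported, never exceed the bulk limits, and never ask for more results per page than maxResults. The Python below is an added example (not from the webinar or from Ping Identity) that turns a configuration document shaped like the one above into those decisions and splits a list of bulk operations so that each request respects both maxOperations and maxPayloadSize. The sample configuration values, the 100-item default page size and the operation format used for size estimation are assumptions.

```python
import json

# Constructed Service Provider Configuration in the slide's shape; values are
# chosen to exercise the fallbacks (patch and changePassword unsupported).
SP_CONFIG_JSON = """
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "patch": { "supported": false },
  "bulk": { "supported": true, "maxOperations": 1000, "maxPayloadSize": 1048576 },
  "filter": { "supported": true, "maxResults": 200 },
  "changePassword": { "supported": false },
  "authenticationSchemes": [
    { "name": "HTTP Basic", "type": "httpbasic", "primary": false },
    { "name": "OAuth Bearer Token", "type": "oauthbearertoken", "primary": true }
  ]
}
"""


def plan_from_config(config, preferred_page_size=100):
    """Derive concrete client behaviour from a parsed Service Provider Configuration."""
    bulk = config.get("bulk", {})
    filt = config.get("filter", {})
    schemes = config.get("authenticationSchemes", [])
    primary = next((s for s in schemes if s.get("primary")), schemes[0] if schemes else None)
    bulk_ok = bool(bulk.get("supported", False))
    filter_ok = bool(filt.get("supported", False))
    return {
        # Partial update if the SP supports PATCH, otherwise full replacement via PUT.
        "update_method": "PATCH" if config.get("patch", {}).get("supported") else "PUT",
        "bulk_supported": bulk_ok,
        "bulk_max_ops": int(bulk.get("maxOperations", 0)) if bulk_ok else 0,
        "bulk_max_bytes": int(bulk.get("maxPayloadSize", 0)) if bulk_ok else 0,
        "filter_supported": filter_ok,
        # Page size is clamped to the SP's maxResults; 0 means "do not paginate".
        "page_size": min(preferred_page_size, int(filt.get("maxResults", preferred_page_size))) if filter_ok else 0,
        "password_reset_supported": bool(config.get("changePassword", {}).get("supported", False)),
        "auth_scheme": primary["type"] if primary else None,
    }


def load_plan(config_text):
    """Parse the configuration JSON and return the client plan."""
    return plan_from_config(json.loads(config_text))


def chunk_bulk_operations(operations, max_ops, max_bytes):
    """Split bulk operations into batches that stay within both limits.

    Size is estimated per operation from its JSON encoding (assumed to be close
    enough to the wire size for planning purposes).
    """
    batches, current, current_size = [], [], 0
    for op in operations:
        size = len(json.dumps(op).encode("utf-8"))
        if current and (len(current) >= max_ops or current_size + size > max_bytes):
            batches.append(current)
            current, current_size = [], 0
        current.append(op)
        current_size += size
    if current:
        batches.append(current)
    return batches
```

Reading the configuration once per Service Provider, rather than hard-coding PATCH or a page size, is what lets one Consumer implementation work against providers with different capability sets.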
  20. Schema - representative AD Mapping

        AD                   SCIM
        userPrincipalName    userName
        mail                 email.value (type=work)
        givenName            name.givenName
        sn                   name.familyName
        whenCreated          meta.whenCreated
        userPassword         password
        cn                   displayName
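The mapping table is flat, but the SCIM User it produces is nested (name.*, a multi-valued emails list, meta.*), and the password row interacts with the advice on slide 16. The Python below is an added example, not code from the webinar or from Ping Identity: it builds a SCIM 1.0 core User from an AD entry following the table above, converts AD generalizedTime to the ISO 8601 form SCIM uses, and only maps userPassword when the caller explicitly opts in. The AD entry is constructed; the SCIM attribute names "emails" and "meta.created" are used for the slide's shorthand "email.value" and "meta.whenCreated", and the opt-in flag is this example's own design.

```python
from datetime import datetime, timezone

# Constructed AD entry (attribute names from the slide, values made up).
SAMPLE_AD_ENTRY = {
    "userPrincipalName": "bjensen@example.com",
    "mail": "bjensen@example.com",
    "givenName": "Barbara",
    "sn": "Jensen",
    "cn": "Babs Jensen",
    "whenCreated": "20110315091500.0Z",   # AD generalizedTime
    "userPassword": "not-for-the-cloud",
}


def ad_time_to_iso8601(value):
    """Convert AD generalizedTime (YYYYMMDDHHMMSS.0Z) to SCIM's ISO 8601 UTC form."""
    dt = datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def ad_to_scim_user(entry, provision_password=False):
    """Map one AD entry to a SCIM 1.0 core User per the slide's table.

    userName is mandatory in SCIM, so a missing userPrincipalName is an error
    rather than a silently incomplete User.
    """
    if not entry.get("userPrincipalName"):
        raise ValueError("userPrincipalName missing: SCIM userName is required")

    user = {
        "schemas": ["urn:scim:schemas:core:1.0"],
        "userName": entry["userPrincipalName"],
        "name": {},
        "emails": [],
        "meta": {},
    }
    if entry.get("givenName"):
        user["name"]["givenName"] = entry["givenName"]
    if entry.get("sn"):
        user["name"]["familyName"] = entry["sn"]
    if entry.get("cn"):
        user["displayName"] = entry["cn"]
    if entry.get("mail"):
        # Multi-valued attribute: the slide's "email.value (type=work)".
        user["emails"].append({"value": entry["mail"], "type": "work", "primary": True})
    if entry.get("whenCreated"):
        user["meta"]["created"] = ad_time_to_iso8601(entry["whenCreated"])
    # Slide 16: best practice is NOT to provision enterprise passwords at SaaS
    # providers, so the userPassword row is only mapped on explicit request.
    if provision_password and entry.get("userPassword"):
        user["password"] = entry["userPassword"]

    # Drop empty complex attributes so the request body stays minimal.
    return {k: v for k, v in user.items() if v not in ({}, [])}
```

Keeping the password mapping behind a flag makes the default sync path match the "no passwords at the SaaS provider" recommendation while still allowing the initial-password case the schema permits.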
  21. API
      • Specifies well known endpoints & HTTP methods for managing Resources defined in the core schema
      • User and Group Resources correspond to /Users and /Groups respectively
      • RESTful (really)
      • Responses are returned in the body of the HTTP response, formatted as JSON or XML, depending on what is requested
  22. API - Architecture (diagram): Client → API → Service Provider (Resources); Service Provider → Response (Resource representation) → Client.
  23. API - Verbiage
      • API uses HTTP verbs as follows
        • GET (retrieves an existing resource)
        • POST (creates a new resource)
        • PUT (overrides an existing resource)
        • PATCH (partially modifies an existing resource)
        • DELETE (deletes an existing resource)
  24. API - Authentication
      • SCIM does not mandate a particular authentication scheme by which Consumers authenticate to Service Providers
      • OAuth 2.0 is RECOMMENDED, but other schemes (e.g. HTTP Basic) are not precluded
      • Consumers and Service Providers MUST implement TLS
  25. API - Authentication - OAuth example

        POST /User HTTP/1.1
        Host: example.com
        Accept: application/xml
        Authorization: Bearer h480djs93hd8

        <?xml version="1.0" encoding="UTF-8"?>
        <scim:User xmlns:scim="urn:scim:schemas:core:1.0">
          <userName>bjensen@example.com</userName>
          <externalId>701984</externalId>
          <emails>
            <email>
              <value>bjensen@example.com</value>
              <primary>true</primary>
              <type>work</type>
            </email>
          </emails>
        </scim:User>
  26. API - Response codes
      • API uses/overrides HTTP Response codes to indicate operation success or failure.
      • In addition, Service Providers return errors in the body of the response with human-readable explanations.

        HTTP/1.1 404 NOT FOUND

        {
          "Errors": [
            { "description": "Resource 2819c223-7f76-453a-919d- not found", "code": "404" }
          ]
        }
  27. API - Error codes (table slide; no text extracted)
  28. API - Response operations
      • SCIM defines a standard set of operations that can be used to filter, sort, and paginate response results.
      • Consumers may request a subset of Resources by specifying the filter URL query parameter containing a filter expression.
      • Sorting allows Consumers to specify the order in which Resources are returned by specifying a combination of sortBy and sortOrder URL parameters.
      • Pagination parameters can be used together to "page through" large numbers of Resources so as not to overwhelm the Consumer or Service Provider.
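Filter, sort and pagination only work together if the Consumer encodes the parameters correctly, advances startIndex from what the Service Provider actually returned, and checks the status code and error body (slide 26) on every page. The Python below is an added example (not from the webinar or from Ping Identity) that builds the query string, pages through all matching Users, and raises on a SCIM error body. Because it must run offline, the Service Provider is a constructed in-memory stand-in that understands only `attr eq "value"` filters, sortBy/sortOrder and 1-based startIndex/count; its User records, the 2-item page size and the `send` callback shape are assumptions of the example.

```python
from urllib.parse import parse_qs, urlencode

# Constructed Resources held by the stand-in Service Provider.
FAKE_USERS = [
    {"id": "u1", "userName": "bjensen@example.com", "title": "Engineer"},
    {"id": "u2", "userName": "jsmith@example.com", "title": "Tutor"},
    {"id": "u3", "userName": "adoe@example.com", "title": "Engineer"},
    {"id": "u4", "userName": "cmartin@example.com", "title": "Engineer"},
    {"id": "u5", "userName": "zlee@example.com", "title": "Engineer"},
]


class ScimError(Exception):
    """Raised when the Service Provider answers with a non-200 status and an Errors body."""


def build_query(filter_expr=None, sort_by=None, sort_order="ascending", start_index=1, count=None):
    """Encode filter/sortBy/sortOrder/startIndex/count; urlencode escapes the quotes and spaces."""
    params = {"startIndex": start_index}
    if filter_expr:
        params["filter"] = filter_expr
    if sort_by:
        params["sortBy"] = sort_by
        params["sortOrder"] = sort_order
    if count is not None:
        params["count"] = count
    return urlencode(params)


def fake_service_provider(query):
    """Stand-in for GET /Users?{query}. Returns (http_status, json_body)."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    results = list(FAKE_USERS)
    if "filter" in q:
        parts = q["filter"].split(" ", 2)       # only the `eq` operator is implemented here
        if len(parts) != 3 or parts[1] != "eq":
            return 400, {"Errors": [{"description": "Unsupported filter", "code": "400"}]}
        attr, value = parts[0], parts[2].strip('"')
        results = [r for r in results if r.get(attr) == value]
    if "sortBy" in q:
        results.sort(key=lambda r: r.get(q["sortBy"], ""), reverse=q.get("sortOrder") == "descending")
    start = int(q.get("startIndex", 1))
    count = int(q.get("count", len(results)))
    page = results[start - 1:start - 1 + count]
    return 200, {
        "schemas": ["urn:scim:schemas:core:1.0"],
        "totalResults": len(results),
        "itemsPerPage": len(page),
        "startIndex": start,
        "Resources": page,
    }


def fetch_all(filter_expr=None, sort_by=None, sort_order="ascending", page_size=2, send=fake_service_provider):
    """Collect every matching Resource by walking the pages until totalResults is reached."""
    collected, start = [], 1
    while True:
        status, body = send(build_query(filter_expr, sort_by, sort_order, start, page_size))
        if status != 200:
            err = body.get("Errors", [{}])[0]          # slide 26's error body shape
            raise ScimError("%s: %s" % (status, err.get("description", "unknown error")))
        collected.extend(body["Resources"])
        # Stop on an empty page or once the next index would pass totalResults.
        if not body["Resources"] or start + body["itemsPerPage"] > body["totalResults"]:
            return collected
        start += body["itemsPerPage"]
```

Advancing `startIndex` by the returned `itemsPerPage` (not by the requested count) matters because a Service Provider may cap the page at its own maxResults; trusting the requested size would skip Resources.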
  29. SAML Binding
      • Supports a JIT provisioning model where users are created in real time (vs a priori via API)
      • Binds SCIM User objects to SAML Attributes
      • Expectation is that other SSO/JIT bindings will follow in time
      • SAML binding not voted out with API and Core Schema; group needs to resolve tension between
        • SCIM push for simplicity
        • Existing SAML Attribute Person Profiles
      • Complex attributes don’t easily map into SAML Attributes
  30. SAML Binding - Architecture (diagram): Browser (Client) → SAML IdP → SAML SP / Service Provider (Resources); the Resource representation travels with the assertion to the SP.
  31. SAML Binding - SAML Attributes

        <saml:AttributeStatement
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
            xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
          <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                          Name="SCIM.userName">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                          Name="SCIM.name.formatted">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
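On the SP side, JIT provisioning means reading those "SCIM."-prefixed SAML Attributes back into a SCIM User before creating the account, which is where the dotted names for complex attributes (SCIM.name.formatted) have to be rebuilt into nested structure. The Python below is an added example, not from the webinar or Ping Identity: it parses an AttributeStatement shaped like the slide's, ignores attributes that are not SCIM-bound, nests dotted names, turns repeated AttributeValue elements into a list, and refuses to provision when no userName arrived. The sample assertion is constructed, the handling of repeated values and of a name/sub-attribute clash is this example's own choice, and the assertion is assumed to have already been signature-verified by the SAML layer before this mapping runs.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_TAG = "{%s}Attribute" % SAML_NS
VALUE_TAG = "{%s}AttributeValue" % SAML_NS

# Constructed AttributeStatement: the two attributes from the slide plus one
# non-SCIM attribute and one multi-valued attribute to exercise the edge cases.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.userName">
    <saml:AttributeValue xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.name.formatted">
    <saml:AttributeValue xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.name.givenName">
    <saml:AttributeValue xsi:type="xs:string">Barbara</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="SCIM.roles">
    <saml:AttributeValue xsi:type="xs:string">tour-guide</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">cashier</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" Name="mail">
    <saml:AttributeValue xsi:type="xs:string">ignored@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def saml_attributes_to_scim_user(xml_text):
    """Build a SCIM 1.0 User dict from the SCIM.* attributes of an AttributeStatement."""
    root = ET.fromstring(xml_text)
    user = {"schemas": ["urn:scim:schemas:core:1.0"]}
    for attr in root.iter(ATTR_TAG):
        name = attr.get("Name", "")
        if not name.startswith("SCIM."):
            continue                               # not bound to SCIM; leave it to the SAML layer
        values = [v.text or "" for v in attr.findall(VALUE_TAG)]
        if not values:
            continue
        value = values[0] if len(values) == 1 else values
        path = name[len("SCIM."):].split(".")     # "name.formatted" -> ["name", "formatted"]
        node = user
        for key in path[:-1]:
            node = node.setdefault(key, {})
            if not isinstance(node, dict):
                # e.g. SCIM.name sent as a string and SCIM.name.formatted as well
                raise ValueError("attribute %s conflicts with a simple value" % name)
        node[path[-1]] = value
    if "userName" not in user:
        raise ValueError("no SCIM.userName in assertion; refusing to JIT-provision")
    return user
```

Rejecting an assertion without SCIM.userName is deliberate: creating a User keyed on nothing (or on a non-SCIM attribute the IdP happened to send) is how JIT provisioning ends up with orphaned or duplicate accounts.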
  32. Conclusions
      • SCIM has potential to be an important IdM standard in & out of the cloud
      • But, if SCIM is to avoid SPML’s fate, adoption is key
      • Start demanding IdM vendors and SaaS providers add support
  33. Thank you @pingcto, @paulmadsen
  34. Demo
  35. Demo (diagram): Enterprise (AD, Ping) → SCIM → Salesforce (SFDC User Store) in the Cloud.