
Standardizing Identity Provisioning with SCIM


Today enterprise solutions adopt products and services from multiple cloud providers in order to accomplish various business requirements. This means that it is no longer sufficient to maintain user identities only in corporate LDAP. In most cases, SaaS providers also need dedicated user accounts created for the cloud service users, which raises the need of identity provisioning mechanisms to be in place.

Published in: Technology


  • 1. Hasini Gunasinghe, Software Engineer.
  • 2. Example: an employee joining WSO2 (diagram: provisioning system, other internal apps, LDAP, other cloud apps/services). Image courtesy:
  • 3. What is it? "Creation, maintenance and deactivation of user accounts, in one or more systems or applications, in response to automated or interactive business processes." (Wikipedia)
  • 4. Identifying the parties involved: CSU – cloud service user; ECS – enterprise cloud subscriber; CSP – cloud service provider (diagram: provisioning system, other internal apps, other cloud apps/services, LDAP).
  • 5. Current approach (diagram: provisioning system, other internal apps, other cloud apps/services, LDAP).
  • 6. Problems with the current approach: redundant integration efforts for both ECS and CSP; a maintenance nightmare of multiple connectors; complexity and cost.
  • 7. The solution would be a common protocol that everyone agrees on. Image courtesy:
  • 8. 1. Authentication: SAML-based WS-Trust and SSO, OpenID, OAuth. 2. Authorization: XACML. 3. Provisioning: SPML, WS-Provisioning, SCIM.
  • 9. How an open standard solves the current problems (diagram: LDAP, provisioning system, other internal apps, other cloud apps/services).
  • 10. In a nutshell: an emerging open standard; REST API; platform-neutral schema; SAML binding; emphasis on simplicity and interoperability.
  • 11. In a nutshell (protocol): a REST API with resource endpoints and supported HTTP methods.
  • 12. In a nutshell (protocol): the SCIM REST API is relative to a base URL; requests are made via HTTP operations such as POST on a URL derived from the base URL; JSON and XML formats.
  • 13. In a nutshell (schema): a resource is a collection of attributes, and the schema defines those attributes; the SCIM core schema; the extension model is additive, similar to auxiliary object classes in LDAP.
  • 14. In a nutshell (schema): other SCIM schemas are the User schema, the Enterprise User schema extension, the Group schema, the Service Provider Configuration schema and the Resource schema.
  • 15. In a nutshell (schema): minimal user representation in JSON and XML formats.
  • 16. In a nutshell (SAML binding): SCIM to SAML mapping of attributes; SSO assertion; AttributeQuery; metadata.
  • 17. Brief history: started in mid 2010; version 1.0 approved in Dec 2011; working on submitting to the IETF; discussions made open at
  • 18. Platform-neutral schema: a mandatory core schema with an extension model gives flexibility, interoperability and simplicity.
  • 19. REST API: lightweight, with JSON support; avoids a performance bottleneck on the connector.
  • 20. SAML binding: just-in-time provisioning with SSO; pull- or push-based identity management.
  • 21. More: a defined core plus optional capabilities; based on existing deployments and standards (LDAP, SAML); several implementations; adoption by major cloud vendors.
  • 22. Identity provisioning; the value of open standards in the space of provisioning; SCIM; why SCIM?
  • 23. Security considerations (protocol): authentication and authorization, with OAuth2 bearer tokens recommended; should be over TLS; the password attribute is not to be returned.
  • 24. Automated provisioning (diagram): the HR administrator (1) creates an enterprise user account in the SCIM-based provisioning system, which (2) creates the user in SaaS 1, SaaS 2 and the internal apps, each answering (3) ok.
  • 25. Example – Create User – request (protocol).
  • 26. Example – Create User – response (protocol).
  • 27. JIT provisioning with SSO, pull model (diagram): the user logs in to the SaaS, is redirected for SSO to the enterprise SSO IdP, which returns a SAML response; the SaaS then sends a SAML attribute query for the SCIM user identity and creates the user account.
  • 28. Example – SAML attribute query (SAML binding).
  • 29. Bulk user-management operations: initial imports of CSU accounts (SaaS, LDAP); scheduled synchronizations (SaaS, LDAP).
  • 30. Example: POST on the Bulk endpoint (protocol).
  • 31. Identity synchronization: partial updates with PATCH; conditional overwrites with ETag.
  • 32. Example – PATCH (protocol).
  • 33. Identity retrieval: filtering; conditional retrieval with ETag.
  • 34. Identity retrieval: partial retrieval with the "attributes" query parameter; pagination, e.g. GET /Users?startIndex=1&count=10; sorting.
  • 35. De-provisioning (diagram): (1) delete the user account in the SCIM-based enterprise provisioning system; (2) delete the user in LDAP, (3) ok; (4) delete the user in the SaaS, (5) ok; the user later (6) requests access through the enterprise SSO IdP and (7) access is denied.
  • 36. (Diagram: LDAP, provisioning system, internal apps, other cloud apps/services.)
  • 37. Identity provisioning; the value of open standards in the space of provisioning; SCIM, along with highlights from the spec; why SCIM?; use cases of SCIM in an identity management solution; adoption of SCIM in WSO2 Identity Server and Stratos.
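The retrieval, synchronization and security-consideration slides (23, 31, 33 and 34), worked through as an added example that is not part of the deck or of WSO2's code: a minimal in-memory SCIM 1.1 /Users endpoint in Python that never returns the password attribute, honours the "attributes" query parameter and startIndex/count pagination, and uses ETags for conditional retrieval (If-None-Match) and conditional overwrite (If-Match). The sample users, the hash-based ETag scheme and all function names are constructed assumptions.

```python
import hashlib
import json

# Constructed in-memory SCIM 1.1 user store (sample data, not WSO2 code); "password" must never leave the server.
CORE = ["urn:scim:schemas:core:1.0"]
USERS = [
    {"schemas": CORE, "id": "u1", "userName": "alice", "password": "s3cret", "title": "CTO"},
    {"schemas": CORE, "id": "u2", "userName": "bob", "password": "hunter2", "title": "Engineer"},
]
ALWAYS_RETURNED = {"schemas", "id", "meta"}  # kept even when ?attributes= narrows the response

def etag(resource):
    """Weak ETag over the stored representation (hypothetical scheme; any stable hash will do)."""
    body = json.dumps(resource, sort_keys=True).encode()
    return 'W/"%s"' % hashlib.sha256(body).hexdigest()[:16]

def find(user_id):
    return next((u for u in USERS if u["id"] == user_id), None)

def to_response(resource, attributes=None):
    """Shape a stored user for the wire: drop password, honour the ?attributes= parameter."""
    out = {k: v for k, v in resource.items() if k != "password"}
    out["meta"] = {"version": etag(resource)}
    if attributes:
        out = {k: v for k, v in out.items() if k in ALWAYS_RETURNED | set(attributes)}
    return out

def list_users(start_index=1, count=10, attributes=None):
    """GET /Users?startIndex=&count= (startIndex is 1-based in SCIM)."""
    page = USERS[start_index - 1:start_index - 1 + count]
    return {"schemas": CORE, "totalResults": len(USERS), "startIndex": start_index,
            "itemsPerPage": len(page), "Resources": [to_response(u, attributes) for u in page]}

def get_user(user_id, if_none_match=None):
    """GET /Users/{id}: 304 Not Modified when the client's If-None-Match ETag still matches."""
    user = find(user_id)
    if user is None:
        return 404, None
    if if_none_match == etag(user):
        return 304, None
    return 200, to_response(user)

def patch_user(user_id, patch, if_match=None):
    """PATCH /Users/{id}: replace the given attributes; 412 Precondition Failed if If-Match is stale."""
    user = find(user_id)
    if user is None:
        return 404, None
    if if_match is not None and if_match != etag(user):
        return 412, None
    user.update({k: v for k, v in patch.items() if k not in ALWAYS_RETURNED})
    return 200, to_response(user)
```

Each function returns the HTTP status a real endpoint would send, so the same checks apply whether the store is in memory or backed by LDAP.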