CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

Kelly Grizzle, SailPoint

Why the Simple Cloud Identity Management (SCIM) specification should be supported by IAM vendors, SaaS vendors and their customers to improve manageability and governance for cloud applications, with a demonstration of some of the available open-source tools that make it easy to integrate into an IAM infrastructure.

  1. SCIM: Why It's More Important, and More Simple, Than You Think
     Kelly Grizzle, Software Architect - SailPoint

  2. Agenda
     Copyright © SailPoint Technologies, Inc. 2013 All rights reserved.
     • What is SCIM?
     • Why is it important?
     • How is it being used?
     • Deeper Dive
     • How simple is it?

  3. What is SCIM?

  4. System for Cross-Domain Identity Management*
     And yes … it is also simple
     (*The 1.x name, used in the talk abstract, was Simple Cloud Identity Management; the 2.0 work at the IETF renamed it.)

  5. What is SCIM?
     • SCIM is a standard that defines a schema and a protocol for identity management.
     • Schema
       - Users and Groups
       - Extensible
       - JSON
     • Protocol
       - REST
       - CRUD + Search + Discovery + Bulk

  6. Identity Protocol Landscape
     (diagram; columns: Provisioning, Authentication, Authorization)

  7. What problems does SCIM solve?
     • How do I keep my organization's users in sync with service X?
       - How do I provision a user account for service X?
       - How do I deprovision a user account from service X?
       - How do I update an existing account for service X?
     • How do I manage groups?
       - How do I add or remove users from groups to give them the correct level of access?
       - How do I create new groups?

  8. An example speaks 1111101000 words…
     POST /v2/Users HTTP/1.1
     Host: example.com
     Accept: application/json
     Content-Type: application/json
     Authorization: Bearer h480djs93hd8
     Content-Length: ...

     {
       "schemas": ["urn:scim:schemas:core:2.0:User"],
       "externalId": "bjensen",
       "userName": "bjensen",
       "name": {
         "familyName": "Jensen",
         "givenName": "Barbara"
       }
     }

  9. History Lesson
     • July '10: conceived at CIS
     • May '11: work starts under the OWF
     • Dec '11: version 1.0
     • June/July '12: IETF working group chartered; version 1.1
     • Late '14: version 2.0 (expected at the time of the talk)

  10. Why is SCIM important?

  11. A typical environment
     (diagram; label: Firewall)

  12. That's the typical case … Ouch!
     • Environments are complex
       - Many systems, both on-prem and off-prem
     • Every system has to deal with identity
       - Name, email, title, custom meta-information, entitlements, …
     • Identity must be maintained across systems
       - Need one-way and often two-way synchronization
     • Authorization is often driven from an external system
       - Example: Active Directory groups drive groups and permissions in other applications.

  13. Other common pain points
     • Mergers and acquisitions
       - Need to quickly connect applications after M&A
     • BYOA (bring your own app)
       - Proliferation of SaaS apps has led to using applications that IT does not even know about
     • Mobile
       - Another case of BYOA, where mobile apps need identity information

  14. How is identity management done?
     • Manual hand-entry
       - Error-prone and slow
     • Bulk upload
       - High latency; often a one-time operation
     • Custom APIs and connectors
       - High cost to develop against
       - Proprietary to each service provider
     • SAML Just-in-Time Provisioning
       - No pre-provisioning
       - No deprovisioning

  15. And then … there's SCIM
     • Low cost to develop
       - Write once and reuse
       - Open-source libraries
       - Well-known and agreed-upon standard
     • Handles the full lifecycle of an identity
       - Create, update, AND delete
     • Real-time
       - No waiting for manual intervention

  16. Who else thinks SCIM is important?
     (logo slide)

  17. How is SCIM being used?

  18. Surprisingly – not just in the cloud
     • SCIM was initially created with cloud use cases in mind
     • It turns out that a common language to move identities on-premises is really useful
     • This is some of the first "real world" adoption of SCIM
     • Case study: a large company with 3500 connected applications and 82,000 users moved to SCIM for internal systems

  19. In the enterprise
     (diagram; label: Firewall)

  20. Unsurprisingly – also in the cloud
     • SaaS providers have started implementing SCIM for their identity APIs
       - Salesforce.com, Cisco WebEx, etc.
     • Clients call these APIs from an on-premises identity management system to manage identities

  21. Ground to cloud
     (diagram; labels: Firewall, SCIM, Proprietary)

  22. Cloud Identity Bridge
     • Important when on-premises applications need to be managed from the cloud
     • Allows a single, secured SCIM channel through the firewall
       - The bridge holds credentials for every native API behind it, so treat it as a privileged component: authenticate the inbound SCIM channel (TLS plus a client credential), give its native-API accounts only the provisioning rights they need, and log every request it relays
     • Translates SCIM requests to native APIs behind the firewall

  23. Cloud to ground
     (diagram; labels: Firewall, Identity Bridge, Cloud Identity Management Provider, SCIM, Native APIs)

  24. Deeper Dive: Schema

  25. Schema
     • Core models for User and Group
     • JSON representation
     • Extensible
       - Extend existing resources (e.g. enterprise user)
       - Define new resources (e.g. role, entitlement, device)
       - JSON format for describing schema
       - Standard data types and references between objects

  26. Example: User
     {
       "schemas": ["urn:scim:schemas:core:2.0:User"],
       "id": "2819c223-7f76-453a-919d-413861904646",
       "externalId": "bjensen",
       "meta": {
         "resourceType": "User",
         "created": "2011-08-01T18:29:49.793Z",
         "lastModified": "2011-08-01T18:29:49.793Z",
         "location": "https://example.com/v2/Users/2819c223...",
         "version": "W/\"f250dd84f0671c3\""
       },
       "name": {
         "formatted": "Ms. Barbara J Jensen III",
         "familyName": "Jensen",
         "givenName": "Barbara"
       },
       "userName": "bjensen",
       "phoneNumbers": [
         { "value": "555-555-8377", "type": "work" }
       ]
     }
     (slide callouts: Required, Complex, Simple, Multi-valued, Object type)

  27. Example: Extended User
     {
       "schemas": ["urn:scim:schemas:core:2.0:User",
                   "urn:scim:schemas:extension:enterprise:2.0:User"],
       "id": "2819c223-7f76-453a-919d-413861904646",
       "externalId": "bjensen",
       "userName": "bjensen",
       "urn:scim:schemas:extension:enterprise:2.0:User": {
         "employeeNumber": "701984",
         "costCenter": "4130",
         "organization": "Universal Studios",
         "division": "Theme Park",
         "department": "Tour Operations",
         "manager": {
           "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
           "$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d",
           "displayName": "John Smith"
         }
       }
     }
     (slide callouts: "Declaration" on the schemas list, "Use" on the extension block)

  28. Deeper Dive: API

  29. Operations
     • Create = POST https://example.com/{v}/{resource}
     • Read = GET https://example.com/{v}/{resource}/{id}
     • Update = PUT https://example.com/{v}/{resource}/{id}
     • Delete = DELETE https://example.com/{v}/{resource}/{id}
     • *Update = PATCH https://example.com/{v}/{resource}/{id}
     • *Search = GET https://example.com/{v}/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending|descending}&startIndex={start}&count={maxResults}
     • *Bulk
     (* = optional for a service provider; support is advertised in /ServiceProviderConfigs, see Discovery)
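The Search operation takes the filter straight from the query string, which is exactly where a careless implementation concatenates it into a database query. The following is an added example, not code from the slides or from any of the libraries they mention (the Ruby scim-query-filter-parser on slide 47 does the same job for Ruby): a recursive-descent parser for the SCIM filter grammar (expr := term ('or' term)*; term := factor ('and' factor)*; factor := 'not' factor | '(' expr ')' | attr ('pr' | op value)) that compiles the client's filter into a Python predicate, so the text never reaches a query string, plus a ListResponse builder that caps the client-supplied count. The directory in USERS, the 200-entry page cap, and the function names are assumptions made for this example.

```python
import re

# Added example, not code from the slides: a SCIM filter parser that compiles the
# client-supplied filter into a Python predicate, so the text never reaches a query string.
_TOKEN = re.compile(r'\s*(?:(?P<lp>\()|(?P<rp>\))|"(?P<str>(?:[^"\\]|\\.)*)"'
                    r'|(?P<num>-?\d+(?:\.\d+)?)|(?P<word>[A-Za-z_][\w.:$-]*)|(?P<junk>\S))')
_KEYWORDS = {"and", "or", "not", "pr", "eq", "ne", "co", "sw", "ew", "gt", "ge", "lt", "le"}
_LITERALS = {"true": True, "false": False, "null": None}
_OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b, "gt": lambda a, b: a > b,
        "ge": lambda a, b: a >= b, "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
        "co": lambda a, b: b in a, "sw": lambda a, b: a.startswith(b), "ew": lambda a, b: a.endswith(b)}


def tokenize(text):
    """(kind, value) tokens; any character outside the grammar raises ValueError."""
    tokens = []
    for m in _TOKEN.finditer(text):
        kind, raw = m.lastgroup, m.group(m.lastgroup)
        if kind == "junk":
            raise ValueError("bad filter syntax at offset %d" % m.start(kind))
        if kind == "word":
            w = raw.lower()
            kind, raw = (("kw", w) if w in _KEYWORDS else
                         ("value", _LITERALS[w]) if w in _LITERALS else ("attr", raw))
        elif kind == "num":
            kind, raw = "value", float(raw)
        elif kind == "str":
            kind, raw = "value", re.sub(r"\\(.)", r"\1", raw)     # unescape \" and \\
        tokens.append((kind, raw if kind in ("kw", "value", "attr") else None))
    return tokens


def _values(resource, path):
    """Every value at a dotted or URN-prefixed path; multi-valued attributes are flattened."""
    urn, _, path = path.rpartition(":") if ":" in path else ("", "", path)
    nodes = [resource.get(urn, {})] if urn else [resource]
    for part in path.split("."):                 # attribute names are case-insensitive
        nodes = [v for n in nodes if isinstance(n, dict) for k, val in n.items()
                 if k.lower() == part.lower() for v in (val if isinstance(val, list) else [val])]
    return nodes


def _compare(op, actual, wanted):
    if isinstance(actual, str) and isinstance(wanted, str):   # caseExact: false
        actual, wanted = actual.lower(), wanted.lower()
    try:
        return bool(_OPS[op](actual, wanted))
    except (TypeError, AttributeError):                       # type mismatch never matches
        return False


def compile_filter(text):
    """Parse a SCIM filter and return predicate(resource) -> bool."""
    toks, pos = tokenize(text), [0]
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else (None, None)
    def take(kind):
        if peek()[0] != kind:
            raise ValueError("expected %s at token %d" % (kind, pos[0]))
        pos[0] += 1
        return toks[pos[0] - 1][1]
    def chain(keyword, sub, combine):          # left-associative 'or' / 'and' chains
        pred = sub()
        while peek() == ("kw", keyword):
            pos[0] += 1
            pred = combine(pred, sub())
        return pred
    def expr():
        return chain("or", term, lambda l, r: lambda x: l(x) or r(x))
    def term():
        return chain("and", factor, lambda l, r: lambda x: l(x) and r(x))
    def factor():
        if peek() == ("kw", "not"):
            pos[0] += 1
            inner = factor()
            return lambda x: not inner(x)
        if peek()[0] == "lp":
            pos[0] += 1
            inner = expr()
            take("rp")
            return inner
        attr, op = take("attr"), take("kw")
        if op == "pr":
            return lambda x: any(v is not None for v in _values(x, attr))
        if op not in _OPS:
            raise ValueError("unknown operator %r" % op)
        wanted = take("value")
        return lambda x: any(_compare(op, v, wanted) for v in _values(x, attr))
    pred = expr()
    if pos[0] != len(toks):
        raise ValueError("unexpected trailing tokens")
    return pred


def search(resources, filter_text=None, start_index=1, count=None, max_count=200):
    """ListResponse for GET /{resource}?filter=&startIndex=&count=; count is capped."""
    pred = compile_filter(filter_text) if filter_text else (lambda r: True)
    matched = [r for r in resources if pred(r)]
    start = max(int(start_index), 1)                                        # 1-based
    size = min(max(int(max_count if count is None else count), 0), max_count)
    page = matched[start - 1:start - 1 + size]
    return {"schemas": ["urn:scim:api:messages:2.0:ListResponse"], "totalResults": len(matched),
            "startIndex": start, "itemsPerPage": len(page), "Resources": page}


USERS = [  # constructed sample directory for the example, not from the slides
    {"id": "1", "userName": "bjensen", "active": True, "name": {"familyName": "Jensen"},
     "emails": [{"value": "bjensen@example.com", "type": "work"}],
     "urn:scim:schemas:extension:enterprise:2.0:User": {"employeeNumber": "701984"}},
    {"id": "2", "userName": "jsmith", "active": False, "title": "Manager",
     "name": {"familyName": "Smith"}, "emails": [{"value": "jsmith@example.com", "type": "work"}]},
]
```

A filter such as `userName eq "x" or 1=1` is rejected by the tokenizer before anything is evaluated, and a client asking for `count=100000` gets at most max_count resources per page; both are the checks a service provider exposed to the public internet needs before wiring the filter to a real data store.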
  30. Create Request
     POST /v2/Users HTTP/1.1
     Host: example.com
     Accept: application/json
     Content-Type: application/json
     Authorization: Bearer h480djs93hd8

     {
       "schemas": ["urn:scim:schemas:core:2.0:User"],
       "externalId": "bjensen",
       "userName": "bjensen",
       "name": {
         "familyName": "Jensen",
         "givenName": "Barbara"
       }
     }
     (slide callouts: Operation, Resource Type, AuthZ, "User" Payload)

  31. Create Response
     HTTP/1.1 201 Created
     Content-Type: application/json
     Location: https://example.com/v2/Users/281...
     ETag: W/"e180ee84f0671b1"

     {
       "schemas": ["urn:scim:schemas:core:2.0:User"],
       "id": "2819c223-7f76-453a-919d-413861904646",
       "externalId": "bjensen",
       "meta": {
         "created": "2011-08-01T21:32:44.882Z",
         "lastModified": "2011-08-01T21:32:44.882Z",
         "location": "https://example.com/v2/Users/281...",
         "version": "W/\"e180ee84f0671b1\""
       },
       "name": {
         "familyName": "Jensen",
         ...
       }
     }
     (slide callouts: Result code, "Permalink" (Location), SP-generated ID)
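The service-provider side of the Create Request / Create Response exchange above, as an added example (not the slides' code and not the UnboundID SDK): an in-memory Python class where POST validates the schemas list and userName uniqueness, assigns the server-generated id, Location and ETag, and drops any id or meta the client sends, and where PUT honours If-Match so that two identity-management systems writing the same user cannot silently overwrite each other. The URNs follow the deck's draft-era form (urn:scim:schemas:core:2.0:User); the final RFC 7643/7644 form is urn:ietf:params:scim:schemas:core:2.0:User. The base URL, the error-body URN and layout, and the method names are assumptions made for this example.

```python
"""In-memory SCIM service provider core: the Create Request / Create Response
exchange, GET, and PUT with If-Match. Added example, not code from the slides;
returns (status, headers, body) tuples so it runs without an HTTP server."""
import hashlib
import json
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:scim:schemas:core:2.0:User"        # deck's draft-era URN
ERROR_SCHEMA = "urn:scim:api:messages:2.0:Error"      # assumed error message URN
BASE_URL = "https://example.com/v2"                    # assumed base URL
JSON = {"Content-Type": "application/json"}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _version(resource):
    """Weak ETag over the stored representation: any change yields a new tag."""
    digest = hashlib.sha256(json.dumps(resource, sort_keys=True).encode()).hexdigest()
    return 'W/"%s"' % digest[:16]


def _error(status, detail, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, dict(JSON), body


class ServiceProvider:
    def __init__(self):
        self.users = {}          # id -> stored resource
        self.by_username = {}    # case-folded userName -> id ("uniqueness": "server")

    def _validate(self, payload, self_id=None):
        """Checks shared by POST and PUT; returns an error triple or None."""
        if USER_SCHEMA not in payload.get("schemas", []):
            return _error(400, "schemas must include " + USER_SCHEMA, "invalidValue")
        username = payload.get("userName")
        if not isinstance(username, str) or not username.strip():
            return _error(400, "userName is required", "invalidValue")
        if self.by_username.get(username.lower(), self_id) != self_id:
            return _error(409, "userName already in use", "uniqueness")
        return None

    def _store(self, user_id, payload, meta):
        """id and meta are server-owned: whatever the client sent for them is dropped."""
        resource = {k: v for k, v in payload.items() if k not in ("id", "meta")}
        resource["id"], resource["meta"] = user_id, meta
        meta["version"] = _version(resource)            # hashed before version is set
        self.users[user_id] = resource
        self.by_username[resource["userName"].lower()] = user_id
        return resource

    def create_user(self, payload):
        """POST /Users -> 201 Created with Location and ETag headers."""
        problem = self._validate(payload)
        if problem:
            return problem
        user_id, ts = str(uuid.uuid4()), _now()
        meta = {"resourceType": "User", "created": ts, "lastModified": ts,
                "location": "%s/Users/%s" % (BASE_URL, user_id)}
        resource = self._store(user_id, payload, meta)
        return 201, dict(JSON, Location=meta["location"], ETag=meta["version"]), resource

    def get_user(self, user_id):
        """GET /Users/{id} -> 200 with the current ETag, or 404."""
        resource = self.users.get(user_id)
        if resource is None:
            return _error(404, "Resource %s not found" % user_id)
        return 200, dict(JSON, ETag=resource["meta"]["version"]), resource

    def replace_user(self, user_id, payload, if_match=None):
        """PUT /Users/{id}; a stale If-Match gets 412 instead of a silent overwrite."""
        current = self.users.get(user_id)
        if current is None:
            return _error(404, "Resource %s not found" % user_id)
        if if_match is not None and if_match != current["meta"]["version"]:
            return _error(412, "resource changed since it was read; re-read and retry")
        problem = self._validate(payload, self_id=user_id)
        if problem:
            return problem
        meta = {k: v for k, v in current["meta"].items() if k != "version"}
        meta["lastModified"] = _now()
        del self.by_username[current["userName"].lower()]
        resource = self._store(user_id, payload, meta)
        return 200, dict(JSON, ETag=meta["version"]), resource
```

The ETag is the same value as meta.version, exactly as in the slide's response, and a client that wants safe updates sends it back as If-Match; a 412 tells it to GET the resource again rather than clobber somebody else's change.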
  32. Discovery
     • GET /Schemas
       - Defines primary object definitions and extensions
     • GET /ResourceTypes
       - Defines available resources
         • endpoint URL, primary schema, schema extensions
     • GET /ServiceProviderConfigs
       - Spec compliance
         • Support for bulk, patch, etc.
       - Authentication schemes
         • OAuth, HTTP basic, etc.

  33. Deeper Dive: Extensions

  34. Extending an existing resource type
     • The SCIM core schema objects, User and Group, try to cover the common 80%
     • Almost always extended by service providers to add custom attributes
     • Only two steps required:
       1. Create a new schema that contains the extended attributes
       2. Add the new schema to the schemaExtensions list for the resource type

  35. Extending – Schema
     {
       "id": "urn:grizzle:1.0:ConferenceGoer",
       "name": "Conference Goer",
       "description": "Info about a person that attends CIS",
       "attributes": [{
         "name": "shirtSize",
         "type": "string",
         "multiValued": false,
         "description": "What conference doesn't have a t-shirt?",
         "required": false,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "always",
         "uniqueness": "none"
       }]
     }

  36. Extending – Resource Type
     {
       "schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
       "id": "User",
       "name": "User",
       "endpoint": "/Users",
       "description": "Core User",
       "schema": "urn:scim:schemas:core:2.0:User",
       "schemaExtensions": [{
         "schema": "urn:grizzle:1.0:ConferenceGoer",
         "required": false
       }]
     }
     (slide callout: "Add custom extensions here" on schemaExtensions)

  37. Creating a custom resource type
     • Completely new resource types may be created to model objects that are unique to the service provider
     • Clients can use the /ResourceTypes endpoint to discover these
     • Somewhat common for service providers to implement
     • Only two steps required:
       1. Create a new schema that contains the attributes
       2. Create a new resource type that references this schema

  38. Custom resource type – Schema
     {
       "id": "urn:grizzle:1.0:BlogPost",
       "name": "Blog Post",
       "description": "A post to a blog",
       "attributes": [{
         "name": "title",
         "type": "string",
         "multiValued": false,
         "description": "The title of the blog post",
         "required": true,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "always",
         "uniqueness": "server"
       },
       ... other attributes: id, content, author, date, etc. ...
       ]
     }

  39. Custom resource type – Resource Type
     {
       "schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
       "id": "BlogPost",
       "name": "Blog Post",
       "endpoint": "/BlogPosts",
       "description": "Posts to a boring blog",
       "schema": "urn:grizzle:1.0:BlogPost"
     }
     (slide callout: "Reference the custom schema" on the schema attribute)
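Both recipes above, extending User with urn:grizzle:1.0:ConferenceGoer (slides 34 to 36) and defining the custom BlogPost type (slides 37 to 39), end with the service provider having to enforce what its /Schemas and /ResourceTypes documents promise. This added example (not the slides' code) does that in Python with trimmed versions of the deck's schema documents: it rejects a resource that declares a schema the resource type does not list, uses an extension block without declaring it, omits a required attribute, carries an attribute no schema defines (so a client cannot smuggle in an isAdmin flag), or sets a readOnly attribute such as User.groups (readOnly in the core User schema) to grant itself membership. The trimmed attribute lists, the readOnly groups definition, and the function names are assumptions made for this example.

```python
"""Schema-driven validation of incoming SCIM resources (added example, not from the
slides). Uses trimmed versions of the deck's Schema and ResourceType documents for
the User type extended with urn:grizzle:1.0:ConferenceGoer and the custom BlogPost type."""

CORE_USER = {"id": "urn:scim:schemas:core:2.0:User", "attributes": [
    {"name": "userName", "type": "string", "required": True, "mutability": "readWrite"},
    {"name": "name", "type": "complex", "mutability": "readWrite", "subAttributes": [
        {"name": "familyName", "type": "string"}, {"name": "givenName", "type": "string"}]},
    {"name": "active", "type": "boolean"},
    # groups is readOnly: membership is assigned through the Group resource, never self-declared
    {"name": "groups", "type": "complex", "multiValued": True, "mutability": "readOnly",
     "subAttributes": [{"name": "value", "type": "string"}, {"name": "display", "type": "string"}]},
]}
CONFERENCE_GOER = {"id": "urn:grizzle:1.0:ConferenceGoer", "attributes": [
    {"name": "shirtSize", "type": "string", "required": False, "mutability": "readWrite"}]}
BLOG_POST = {"id": "urn:grizzle:1.0:BlogPost", "attributes": [
    {"name": "title", "type": "string", "required": True},
    {"name": "content", "type": "string"},
    {"name": "tags", "type": "string", "multiValued": True}]}
SCHEMAS = {s["id"]: s for s in (CORE_USER, CONFERENCE_GOER, BLOG_POST)}
RESOURCE_TYPES = {                 # what /ResourceTypes would publish (endpoint etc. omitted)
    "User": {"schema": CORE_USER["id"],
             "schemaExtensions": [{"schema": CONFERENCE_GOER["id"], "required": False}]},
    "BlogPost": {"schema": BLOG_POST["id"], "schemaExtensions": []},
}
COMMON_ATTRS = {"schemas", "id", "externalId", "meta"}       # present on every resource
PY_TYPES = {"string": str, "boolean": bool, "integer": int, "decimal": (int, float),
            "dateTime": str, "reference": str, "binary": str}


def _check_attrs(values, attr_defs, where, errors):
    """Compare a JSON object against attribute definitions, recursing into complex ones."""
    defs = {a["name"].lower(): a for a in attr_defs}
    for key in values:
        if key.lower() not in defs:                 # reject, never silently store
            errors.append("%s: unknown attribute %r" % (where, key))
    for name, a in defs.items():
        key = next((k for k in values if k.lower() == name), None)
        if key is None:
            if a.get("required"):
                errors.append("%s: missing required attribute %r" % (where, a["name"]))
            continue
        if a.get("mutability") == "readOnly":
            errors.append("%s: %r is readOnly and cannot be set by the client" % (where, a["name"]))
            continue
        value = values[key]
        if a.get("multiValued") and not isinstance(value, list):
            errors.append("%s: %r must be a list" % (where, a["name"]))
            continue
        for item in (value if a.get("multiValued") else [value]):
            if a["type"] == "complex":
                if isinstance(item, dict):
                    _check_attrs(item, a.get("subAttributes", []), where + "." + a["name"], errors)
                else:
                    errors.append("%s.%s: expected an object" % (where, a["name"]))
            elif not isinstance(item, PY_TYPES[a["type"]]) or (
                    a["type"] != "boolean" and isinstance(item, bool)):
                errors.append("%s.%s: expected %s" % (where, a["name"], a["type"]))


def validate(resource_type, resource):
    """Problems in a resource sent to POST/PUT for resource_type; an empty list means accept."""
    rt, errors = RESOURCE_TYPES[resource_type], []
    declared = set(resource.get("schemas", []))
    allowed = {rt["schema"]} | {e["schema"] for e in rt["schemaExtensions"]}
    if rt["schema"] not in declared:
        errors.append("schemas must include %s" % rt["schema"])
    for urn in sorted(declared - allowed):
        errors.append("schema %s is not defined for resource type %s" % (urn, resource_type))
    for ext in rt["schemaExtensions"]:
        if ext["required"] and ext["schema"] not in declared:
            errors.append("required extension %s not declared" % ext["schema"])
    # core attributes live at top level; each extension's attributes live under its URN key
    core = {k: v for k, v in resource.items() if k not in COMMON_ATTRS and k not in allowed}
    _check_attrs(core, SCHEMAS[rt["schema"]]["attributes"], rt["schema"], errors)
    for urn in sorted(allowed - {rt["schema"]}):
        if urn in resource and urn not in declared:
            errors.append("extension %s used but not listed in schemas" % urn)
        elif isinstance(resource.get(urn), dict):
            _check_attrs(resource[urn], SCHEMAS[urn]["attributes"], urn, errors)
        elif urn in resource:
            errors.append("%s: expected an object" % urn)
    return errors
```

Because the check is driven by the same documents the service provider publishes at /Schemas and /ResourceTypes, adding the ConferenceGoer extension or a new custom type is exactly the two steps the slides describe, with no validation code to rewrite.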
  40. Custom resource type – GET Request
     GET /v2/BlogPosts HTTP/1.1
     Host: example.com
     Authorization: Bearer h480djs93hd8

  41. Custom resource type – GET Response
     HTTP/1.1 200 OK
     Content-Type: application/json

     {
       "schemas": ["urn:scim:api:messages:2.0:ListResponse"],
       "totalResults": 5,
       "Resources": [{
         "id": "281838-af839018e4-8377ba87e90",
         "title": "Welcome to my blog!",
         "content": "...",
         "meta": {
           "resourceType": "BlogPost",
           "created": "2011-08-01T21:32:44.882Z",
           "lastModified": "2011-08-01T21:32:44.882Z",
           "location": "https://example.com/v2/BlogPosts/281..."
         }
       },
       ...
       ]
     }

  42. How simple is SCIM?

  43. SCIM Core Values
     • Simplicity
       - "Make it as simple as possible, but no simpler." - Einstein
     • Solving real-world problems
     • Ease of implementation by consumers
       - Don't make it too hard for service providers either
     • Support the 80% in the core
       - Extensions for everything else
     • Interoperability

  44. How to kick the tires
     • Download the UnboundID Reference Server Implementation if you need a server to test against
       - https://www.unboundid.com/resources/scim/
     • If you are trying to play with a service provider's API
       - cURL
       - REST Console (Chrome extension)

  45. cURL
     (screenshot slide)

  46. REST Console
     • A Chrome extension that makes REST calls easy
     • Use this if a command line scares you
     • There are other alternatives out there

  47. Getting under the hood
     • If you want to write a SCIM client or server, there are a number of open-source libraries
     • Most libraries currently support SCIM 1.1 (not 2.0)
     • UnboundID SDK
       - Client and server Java libraries
       - Most full-featured and well maintained
     • python-scim
       - SCIM object models for Python
     • scim-query-filter-parser
       - Search filter parsing library for Ruby
     • More at http://www.simplecloud.info/#implementations

  48. UnboundID SDK
     • Open source and developed by UnboundID
     • Recent enhancements to improve client usability
       - https://code.google.com/p/scimsdk/source/detail?r=355
     • I prototyped a SCIM server and wrote a library to make server development easier
       - The library cut the lines of code by 68% (down to <300)
       - Needs a bit of work to be ready for prime time

  49. It's so easy even Mark Diodati can do it!
     • Mark wrote a SCIM client while an analyst at Gartner
     • Written in Perl
     • Reads attributes from a SCIM server and writes them to an Excel file
     • Reads changes in the Excel file and synchronizes them to a SCIM server

  50. Wait … I already have a REST API!
     • Option 1: Have a separate URL space for identity-related SCIM APIs
       - https://example.com/rest/MyObjects
       - https://example.com/rest/scim/Users
     • Option 2: Consider using SCIM's schemas and resource types to define your entire REST API
       - It is already well-defined
       - Supports many data types and references between objects
       - It is self-describing through /Schemas and /ResourceTypes
       - Make use of SCIM libraries for fast implementation
     • Just do it! Customers constantly ask for a common API!

  51. What next?

  52. Key take-aways
     • Identity and app proliferation = frustration
     • SCIM is the only sustainable option that can handle the scale and complexity of provisioning in today's environments
     • Build a standards-based identity infrastructure
       - Provisioning → SCIM
       - Authentication → OpenID Connect or SAML
       - Authorization → OAuth2

  53. What does it mean for me?
     • Consider using SCIM for your internal environment
       - Not just a cloud API
     • SCIM is a good foundation for any REST API
       - It can be used for more than just identities
     • It's easy to get started if you use the tools that are already available
     • Use SCIM 1.1 for now
       - Real-world adoption of SCIM 2.0 will happen in 2015

  54. References
     • Start here…
       - http://www.simplecloud.info/
     • Get involved here…
       - http://www.ietf.org/mail-archive/web/scim/current/maillist.html
     • All of the gory details here…
       - http://datatracker.ietf.org/wg/scim/documents/
       - http://datatracker.ietf.org/doc/draft-ietf-scim-api/
       - http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/
     • Implementing a client or server in Java? Start here…
       - https://www.unboundid.com/resources/scim/
     • Implementing a client or server in something other than Java? Start here…
       - http://www.simplecloud.info/#implementations

  55. Questions
     kelly.grizzle@sailpoint.com
     @kelly_grizzle
     http://simplecloud.info
