SCIM in the Real World: Adoption is Growing

SCIM in the
Real World
Kelly Grizzle
Software Architect – SailPoint

Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.2
Overview
• What is SCIM?
• Trends in SCIM Usage
• Who are you and what’s your problem?
- Identity Gurus
- Service Providers
• Case Studies
• Where is SCIM today and where is it going?

What is SCIM?
System for Cross-Domain
Identity Management

Identity Management
+
REST
=

Identity Management + REST = SCIM
• REST is just architectural pattern
- SCIM defines an identity management profile for it
• SCIM provides…
- Standard definitions for User and Group
- Standard operations
• Create, Read, Update, Delete, Search, Partial Update, Bulk
- Extensibility
• Add more attributes to existing object types or define new object
types

Example – Retrieve User Request
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8

Example – Retrieve User Response
HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
{
"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "2819c223-7f76-453a-919d-413861904646",
"name": {
"formatted": "Ms. Barbara J Jensen III",
"familyName": "Jensen",
"givenName": "Barbara“
},
"meta": {
"resourceType": "User",
"created": "2011-08-01T18:29:49.793Z",
...
}
}
Self-describing
payload
Single-valued
attribute
Complex
attribute
Many
data types

CRUD Operations
POST /Users
PUT /Users/2819c223-7f76-453a-919d-413861904646
PATCH /Users/2819c223-7f76-453a-919d-413861904646
DELETE /Users/2819c223-7f76-453a-919d-413861904646
GET /Users?startIndex=10&count=5&filter=userName sw “J”
GET /Users/2819c223-7f76-453a-919d-413861904646

Server Configuration Operations
GET /ResourceTypes
- Return the types of resources that are supported
- Endpoint URL, schema, etc…
GET /Schemas/
- Return the schema definitions
- Attributes names and types, etc…
GET /ServiceProviderConfigs
- Return info about what is supported by the server
- Authn methods, optional features, etc…

Trends
• Enterprises are using SCIM Gateways to communicate
between internal systems
• Service providers use SCIM for directory access
- Store extended information, but often not visible externally
• IAM and IDaaS vendors provide SCIM Servers to expose
identity information and use SCIM Clients to read/write
external systems
• Common threads in custom password extensions
• SCIM is seen as the identity management API

99 problems and identity is #1

Problem!!! Bob needs a new account
SCIM Solution: Provision

Problem!!! Bob can’t login!
SCIM Solution: Password reset
* Alternate Solution: Single sign-on … but this isn’t a SAML / OIDC workshop.

Problem!!! Bob can’t read the financials
SCIM Solution: Add him to a group or
give him some entitlements

Problem!!! I need to know Bob’s access
SCIM Solution: Read User and Group Data

Problem!!! Bob has been a bad boy
SCIM Solution: Deprovision

Problem!! Apps team needs to r/w identity
SCIM Solution: Standard but extensible API

Case Study
Fortune 100 Chip
Maker

The Setup
• Started considering options between a failed Oracle Identity
Manager project and “the next thing”
• Needed a façade
- Prevent IAM vendor lock-in
- Needed co-existence between old and new IAM systems
• Extensibility was crucial!
• “We wanted a 20 year solution.” –IAM Guru

The Solution
Create a SCIM gateway to serve as a central identity hub
SCIM Gateway Cluster
Legacy Apps
IAM System SSO
Directory Server

The Interesting Parts
• Extended user schema to hold custom information
• Extended endpoints to support many additional features
- Email verification
• POST /EmailVerificationTokens to create a token
• POST /EmailVerification to verify email using token
- Password reset
• POST /PasswordResetTokens to create a token
• POST /PasswordChanges to change password using token
- Security token management for SSO
• POST /SecurityTokens to create authenticated session token
• DELETE /SecurityTokens to invalidate

More Interesting Parts
• More extended endpoints…
- Notifications (email or SMS)
• POST /Notifications to send a notification with user information merged in
(welcome email, forgot login ID, etc…)
- Role management
• PATCH /Roles to change membership for a role

The Benefits
• Ability to add new information and features without breaking
existing clients
- If there is anything in JSON that you don't recognize, throw it
away
“SCIM has been critical and program-saving. It is exactly what
we needed at exactly the right time, and fills a crucial role in
our environment."
--IAM Guru

Case Study
Fortune 500
Pharmaceuticals

The Setup
• Need to support identity on a large portfolio of applications
- Not all application teams are resourced equally
• Wanted an abstraction of provisioning from specific
implementations
- Allow for seamless upgrades of IAM system
- Ease cost of implementation for smaller applications

The Solution
Create a SCIM gateway to serve as a central identity hub
SCIM SOA Gateway
On-prem Apps
IAM System Cloud Apps
Directory Server

The Benefits
• SCIM gives agility in adopting new versions of IAM system
• SCIM isolates IAM system if a SaaS vendor changes their
identity model
- Connector continues to work with an updated schema
- Important for SaaS vendors that can update at any time
• If an application vendor is small it's not worth it to write a
custom connector
- Small vendors are very willing to implement SCIM as their
standard identity API

99 problems and identity is #1

Problem!!! I need to expose a directory!!
SCIM Solution: Read and write with SCIM

Problem!!! I need an API between my own
products!
SCIM Solution: Everything identity is SCIM

Problem!! My mobile app needs identities!
SCIM Solution: Light-weight REST API

Problem!!! I need to get identities from my
customer’s directory into my cloud app!
SCIM Solution: To the cloud with SCIM!

Case Study
Fortune 100
Networking

The Setup
• Needed a consistent identity API that can be used:
- By partners
- By customers
- Internally between products
- To communicate with IdPs and other SaaS vendors

The Solution
SCIM Identity Service
Directory
Clients
Internal Systems
Partners &
IdPs
Identity
Sync Client
Mobile Appr/w

• Additional endpoints
- /Devices
- /Tenants
• Only available internally
• Password policy is configured on tenant
• Core schemas have been extended
- Positive extensions: New attributes (mainly internal info)
- Negative extensions: Attributes in SCIM spec that aren’t
supported
• Legacy APIs forward requests on to SCIM

The Benefits
• Single API for everything identity
• Mobile application has a light-weight API to use
• SCIM clients are easy to write
- Have seen no need to write a toolkit

Case Study
Fortune 1000
Networking

The Setup
• Needed a consistent identity API that can be used:
- By customers
- Internally between products
- To communicate with IdPs

The Solution
SCIM Identity Service
Custom
Clients
Internal Systems IdPs
AD
Sync Client

• Exploring an “organizational unit” extension to facility multi-
tenancy in API
• Exploring a pub/sub SCIM model
- Client subscribes to be notified of changes
- SCIM server sends out notifications

The Benefits
• Single API for everything identity
• No need to provide documentation
- Just point developers at the spec
• Easy to implement

PaaS – CloudFoundry
• CloudFoundry is an open platform-as-a-service (PaaS)
• Identity APIs leverage standards
- SCIM, OAuth2, and OpenID Connect
• Benefits
- Use existing open API rather than reinventing the wheel
- Use SCIM extensions for some non-identity APIs

IDaaS and IAM Vendors
• IDaaS and IAM vendors need to:
- Allow external access to their identity store
- Provision/read identities and groups to/from other applications
• SCIM server provides external access
• SCIM client provides provisioning to other applications
• Benefits
- Standardized API makes external integration easy
- Applications that support SCIM can be integrated immediately
• No custom connector is required
• No product upgrade required to support new apps
SailPoint, Salesforce, Ping, VMWare, neXus, Oracle, UnboundID

Higher Education
• Higher education is largely focused on federation
- Need to propagate minimum amount of identity data
- Authorization data (group memberships) are very important
- Federation attribute payload works well for Just In Time (JIT)
provisioning
- SCIM enables more robust record propagation when JIT is not
good enough
• For example, email account provisioning often must occur before
first login
Federations that need attribute exchange

Higher Education
• VOOT is an identity/group protocol built on top of SCIM
- Adds more features around group membership
• Grouper is a user/group management tool developed by
Internet2
- SCIM integration allows writing to down-stream endpoints
http://openvoot.org/
https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+Integration
VOOT and Grouper

Case Study
neXus
Internet of Things

The Setup
• IoT provider needed:
- A registry of devices associated with a user
- Information about the device (bluetooth address, etc…)
- A mobile app that can
• Authenticate
• Retrieve user information (including devices)
• Communicate with devices
- Devices that can send status updates

The Solution
SCIM Server
Mobile App
GET /me
(as authenticated user)
{
“id”: “89723-83703”,
“devices”: [{
“name”: “Tesla”,
“bluetoothAddress”: “000A3A58F310”,
“deviceType”: “electricCar”,
“batteryLife”: 58,
…
},
…
}
Bluetooth
Start A/C
PATCH /Cars/89723-83703
{
“batteryLife”: 57,
“location”: {
“lat”: 30.4045541,
“long”: -97.8489572
}
}

The Benefits
• Extended user schema to show which devices belong to
each user
• New endpoints for devices to read/write device information
- Example: /Cars, /Vacuums
• Extensible schema allows new device types to be imported
via JSON files
• Extremely light-weight SCIM clients on mobile app and
devices
- This is very important for constrained devices

Current Status
• 2.0 API, Core Schema, and Use Cases docs are complete
- Will become official RFCs in the next couple months
• IETF working group will continue to work on SCIM
extensions
- Passwords: http://datatracker.ietf.org/doc/draft-hunt-scim-password-mgmt/
- Notify: http://datatracker.ietf.org/doc/draft-hunt-scim-notify/
- Soft Delete: http://datatracker.ietf.org/doc/draft-ansari-scim-soft-delete/
- Others TBD

Adoption is growing…
“The SCIM interface will have parity other APIs and will be a
first-class citizen.”
--Ian Glazer, Salesforce
“I’m also proud to say Oracle’s Amit Jasuja announced at last
year’s OpenWorld that Oracle IDM’s key REST API for
Identity will be SCIM…”
--Phil Hunt, Oracle

Adoption is growing…
“SCIM works perfectly for constrained devices.”
--Erik Wahlström, neXus
“SCIM is simple to implement.”
--Haavar Valeur, Citrix

Questions
kelly.grizzle@sailpoint.com
@kelly_grizzle
http://simplecloud.info

SCIM in the Real World: Adoption is Growing

More Related Content

What's hot

Similar to SCIM in the Real World: Adoption is Growing

Recently uploaded

SCIM in the Real World: Adoption is Growing