Thanks Ian. A few weeks ago I was up in Napa at the Cloud Identity Summit … which btw, is a great place to visit … HORRIBLEplace for a conference. Being in the middle of the wine country I only remember half of the conversations I had.But … I vividly remember two of them because they were almost identical.
I was talking with two really smart, forward-thinking guys that are responsible for the identity side of the IT infrastructure at their companies and they both told me the exact same thing. They said: “Kelly, connectors are killing me!!!”
One of them, Carlton, told me that his company – with over 82,000 employees - has a home grown identity management system that talks to 3500 target systems. 3500!!!
Any time a group starts using a new application, it has to get tied into his infrastructure. ERP, CRM, HR systems, expense tracking, project management… EVERY freaking system has an identity associated with it.
So Carlton told his consumers… “I can’t do this anymore!! Connectors are killing me. In this new world of bring your own application (BYOA), I can’t keep up with bringing all of your applications into my infrastructure.” So he drew a line in the sand.
He laid down some new rules, he said:“We’ll continue to support any application that we currently support … however… going forward if you want to tie into our identity infrastructure, your application must be able to talk SCIM. If it doesn’t, you’re going to be stuck holding the bag to get it connected.”
These new friends of mine from Napa aren’t alone. We have finally hit the tipping point. It’s too expensive to keep writing or buyingconnectors to every system that your end users want to use. You still need to be able to manage them to keep some sort of governance controls over them.
That’s where SCIM can help. The System for Cross-domain Identity Management – is a standard that defines a Schema and API for managing identities…. all built using REST and JSON.
Unlike the other standards on stage that handle authentication and authorization…SCIM handles provisioning and deprovisioning access, and provides a way to read identity and group information.Your basic CRUD – create, read, update, delete.
For you geeks out there … if you’re like me your brain thinks in code. If this makes your eyes glaze over … just look away. This is a SCIM request to read a user named Barbara Jensen. You see curl doing an HTTP GET to read the user. To get rid of the user, just change this to a DELETE.
Let’s quickly review the evolution of provisioning starting with a termination use case. An employee is terminated effective immediately due to <insert your favorite HR violation> HR escorts the employee out the door that day.
but all of his accounts to these applications still exist. It’s your job as the identity guy to make sure that his access is shut off immediately and all of his entitlements are effectively removed.How do you do this??
In the early days of provisioning…people knew that they had to manage identities but…they lacked the right tools.So what did they do? They used what they had – EMAIL! This came with obvious problems … latency, human error, forgotten/orphaned accounts…
In 2000, identity management vendors starting popping up to help solve this problem. How? With CONNECTORS!! They started developing connectors for every type of application out there. What’s the problem? COST – somebody is paying for all those custom connectors.
Now we’ve realized that we’re trying to reinvent the wheel. All of these connectors do basically the same thing, just in different ways. If all applications spoke the same language, you would only need one connector!If all applications spoke SCIM, it would be simple to just plug them together.
AdoptionSo … where does SCIM stand today? Last July, the SCIM 1.1 spec was finalized and many companies already have (or are in the process of) implementing it.We’re working on the 2.0 spec to clean up some of the loose endsAnd hope to have it ready in 6 months. [There are 14 known SCIM 1.1 implementations.]
InteropBack in Napa, eight products –including Salesforce, SailPoint, and Ping – participated in a SCIM interop eventshowcasing manyprovisioning use cases. SailPoint was pulling identitiesfrom Salesforce and syncing joiner, mover, leaver, and password events to Ping.
Connectors are killing you…So let's return to my friend, Carlton, being suffocated by connectors. In a world of wide-spread SCIM adoption, here's how his life would be different. Instead of spending all of his time writing connectors or making existing applications speak SCIM, he can focus on real business problems …
…like determining who are the riskiest usersensuring that everyone has the appropriate access … not too much, not too little automating the business processes around the identity lifecycle or giving his users a friendly portal where they can request changes.
It’s time to free ourselves from the bondage of the past 15 years. …and, kill the connector.Tell your vendors to support SCIM or you won’t play ball. Join the Revolution,visit the SCIM site at www.simplecloud.info Thanks!