eSCIMo - User Provisioning over Web

1. User Provisioning Over Web
   Kiran Ayyagari
2. Kiran Ayyagari
   - PMC member, ApacheDS project
   - Consulting & support on ApacheDS
   - Started the eSCIMo project
   - kayyagari@keydap.com, kayyagari@apache.org
3. What Is SCIM
   - System for Cross-domain Identity Management
   - A standard for provisioning user identities across domains
4. SCIM Schema
   A collection of attribute definitions, e.g.

     {
       "id": "urn:scim:schemas:core:2.0:User",
       "name": "User",
       "description": "Core User",
       "attributes": [
         {
           "name": "id",
           "type": "string",
           "multiValued": false,
           "description": "Unique identifier for the SCIM resource. REQUIRED.",
           "readOnly": true,
           "required": true,
           "caseExact": false
         },
         ...
       ]
     }
5. SCIM Schema...
   - Simple attribute, e.g. userName – the user's unique login name
   - Complex attribute, e.g. name – a collection of givenName, familyName etc.
   - Multi-valued attribute, e.g. emails – a collection of all of the user's email addresses
   - Sub-attribute, e.g. familyName – a user's family name, one component of the complex attribute name
6. SCIM Schema...
   - Platform neutral
   - JSON format
   - A URN as the schema ID
7. SCIM Data Model
   User
     Name: Naveen S
     UID: naveens
     Last Name: Sivashankar
     First Name: Naveen

     {
       "schemas": ["urn:scim:schemas:core:2.0:User"],
       "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
       "userName": "naveens",
       "displayName": "Naveen S",
       "active": true,
       "name": {
         "familyName": "Sivashankar",
         "givenName": "Naveen"
       },
       "emails": [{"value": "naveens@example.com"}, {"value": "ns@mymail.com"}],
       …
     }

   Each element of a multi-valued attribute such as emails is an object whose value sub-attribute holds the actual address.
8. SCIM Data Model...
   e.g. Extended user
   User                        Enterprise User
     Name: Naveen S              Employee No: 11011
     UID: naveens                Cost Center: 007

     {
       "schemas": ["urn:scim:schemas:core:2.0:User",
                   "urn:scim:schemas:extension:enterprise:2.0:User"],
       "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
       "userName": "naveens",
       ...
       "urn:scim:schemas:extension:enterprise:2.0:User": {
         "employeeNumber": "11011",
         "costCenter": "007"
         …
       }
     }

   Extension attributes are namespaced under their schema URN, and every schema a resource uses, core and extension, is listed in "schemas".
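The schema definitions of slide 4 and the extended user above, as an added example that is not eSCIMo's code: a validator that applies the required, readOnly and multiValued flags of a schema to a resource, and checks that an extension block is declared in "schemas". It assumes a hand-written subset of the core User and enterprise-extension schemas (only the attributes used on these slides), the draft-era URNs the slides use, and a constructed sample user.

```python
"""Added example (not eSCIMo code): validate a SCIM User resource against
schema definitions of the kind shown on the SCIM Schema slide, including an
extension block. Assumptions: a hand-written subset of the core User and
enterprise-extension schemas covering only the attributes used on these
slides, the draft-era URNs the slides use, and a constructed sample user."""
import json

USER_SCHEMA = {
    "id": "urn:scim:schemas:core:2.0:User",
    "attributes": [
        {"name": "id", "type": "string", "multiValued": False, "readOnly": True, "required": True},
        {"name": "userName", "type": "string", "multiValued": False, "readOnly": False, "required": True},
        {"name": "displayName", "type": "string", "multiValued": False},
        {"name": "active", "type": "boolean", "multiValued": False},
        {"name": "name", "type": "complex", "multiValued": False,
         "subAttributes": [{"name": "familyName", "type": "string"},
                           {"name": "givenName", "type": "string"}]},
        {"name": "emails", "type": "complex", "multiValued": True,
         "subAttributes": [{"name": "value", "type": "string"}]},
    ],
}
ENTERPRISE_SCHEMA = {
    "id": "urn:scim:schemas:extension:enterprise:2.0:User",
    "attributes": [{"name": "employeeNumber", "type": "string"},
                   {"name": "costCenter", "type": "string"}],
}
SCHEMAS = {s["id"]: s for s in (USER_SCHEMA, ENTERPRISE_SCHEMA)}
PY_TYPES = {"string": str, "boolean": bool, "complex": dict}


def _check_attrs(attrs, body, on_create, errors, prefix=""):
    """Check one JSON object against one attribute list, appending problems to errors."""
    known = {a["name"] for a in attrs}
    errors.extend(f"unknown attribute {prefix}{k}" for k in body if k not in known)
    for a in attrs:
        path, val = prefix + a["name"], body.get(a["name"])
        if val is None:
            # 'id' is required in the stored resource but assigned by the server,
            # so a client's create request may omit it (readOnly + required).
            if a.get("required") and not (on_create and a.get("readOnly")):
                errors.append(f"missing required attribute {path}")
            continue
        if on_create and a.get("readOnly"):
            errors.append(f"read-only attribute {path} must not be set by the client")
            continue
        if a.get("multiValued") and not isinstance(val, list):
            errors.append(f"{path} must be a list")
            continue
        for v in (val if a.get("multiValued") else [val]):
            if not isinstance(v, PY_TYPES[a["type"]]):
                errors.append(f"{path} has wrong type, expected {a['type']}")
            elif a["type"] == "complex":
                _check_attrs(a["subAttributes"], v, on_create, errors, path + ".")


def validate(resource, on_create=False):
    """Return a list of problems; an empty list means the resource is valid.

    on_create=True applies the rules for a client POST: read-only attributes
    must be absent and the server-assigned id may be missing."""
    declared = resource.get("schemas")
    if not isinstance(declared, list) or not declared:
        return ["'schemas' must be a non-empty list"]
    errors = [f"unknown schema {u}" for u in declared if u not in SCHEMAS]
    if USER_SCHEMA["id"] not in declared:
        errors.append("core User schema not declared")
    # Core attributes sit at the top level; each extension's attributes sit
    # under its URN, and that URN must also be listed in 'schemas'.
    core = {k: v for k, v in resource.items() if k != "schemas" and not k.startswith("urn:")}
    _check_attrs(USER_SCHEMA["attributes"], core, on_create, errors)
    for urn, block in resource.items():
        if not urn.startswith("urn:"):
            continue
        if urn not in declared:
            errors.append(f"extension {urn} used but not declared in 'schemas'")
        if urn in SCHEMAS and urn != USER_SCHEMA["id"]:
            if isinstance(block, dict):
                _check_attrs(SCHEMAS[urn]["attributes"], block, on_create, errors, urn + ":")
            else:
                errors.append(f"extension {urn} must be a JSON object")
    return errors


# Constructed sample: the extended user from the slide, as stored on the server.
STORED_USER = json.loads("""{
  "schemas": ["urn:scim:schemas:core:2.0:User",
              "urn:scim:schemas:extension:enterprise:2.0:User"],
  "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
  "userName": "naveens", "displayName": "Naveen S", "active": true,
  "name": {"familyName": "Sivashankar", "givenName": "Naveen"},
  "emails": [{"value": "naveens@example.com"}, {"value": "ns@mymail.com"}],
  "urn:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "11011", "costCenter": "007"}
}""")


def create_request(stored=STORED_USER):
    """What a client would POST: the stored resource minus the server-assigned id."""
    return {k: v for k, v in stored.items() if k != "id"}


if __name__ == "__main__":
    print(validate(STORED_USER))                        # []
    print(validate(create_request(), on_create=True))   # []
    print(validate(STORED_USER, on_create=True))        # client must not choose the id
```

The readOnly flag is the interesting one from a provisioning point of view: a server that lets the client pick id on create lets one tenant's client collide with, or guess, another's identifiers, so the validator rejects it on create while still requiring it on the stored resource.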
9. SCIM Data Model...
   Group
     Name: Administrators
     Members: naveens

     {
       "schemas": ["urn:scim:schemas:core:2.0:Group"],
       "id": "484fbc39-ae09-427b-896f-d469d28895ad",
       "displayName": "Administrators",
       "members": [
         {
           "value": "45ceb739-1695-4c03-ab18-33ac71e91875",
           "$ref": "http://localhost:8080/v2/Users/45ceb739-1695-4c03-ab18-33ac71e91875",
           "display": "naveens"
         }
       ]
     }

   A member is referenced by the id of the User resource (value) together with a resolvable $ref URL; display is informational only.
10. SCIM API
   - Uses REST (HTTP with JSON bodies)
   - Supports
     - CRUD operations
     - Bulk modification
     - Paged search
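Paged search as listed above, as an added example that is not eSCIMo's code: the server side of a SCIM search (a small filter subset plus startIndex/count paging, with the edge cases SCIM 2.0 defines for out-of-range values) and the client loop that walks every page. It assumes SCIM 2.0's 1-based startIndex and count parameters and ListResponse fields, a draft-style message URN matching the slides' naming, a server-side page cap, and a constructed in-memory user list.

```python
"""Added example (not eSCIMo code): server side of a SCIM search with paging
and a client loop that walks every page. Assumptions: SCIM 2.0's 1-based
startIndex and count query parameters and the ListResponse fields
totalResults / startIndex / itemsPerPage / Resources; a draft-style message
URN matching the slides' naming; a filter grammar limited to
    attr eq|co|sw "value"
on top-level string attributes; and a constructed in-memory user list."""
import re

LIST_RESPONSE = "urn:scim:api:messages:2.0:ListResponse"
# Server-side cap on page size (assumed value). Without a cap, count=1000000
# lets any caller dump the whole directory in one request.
MAX_PAGE = 2


def _user(uid, user_name, display):
    return {"schemas": ["urn:scim:schemas:core:2.0:User"], "id": uid,
            "userName": user_name, "displayName": display}


# Constructed directory (ids other than the first are made up): five users,
# so that a page size of 2 needs three pages.
USERS = [_user("45ceb739-1695-4c03-ab18-33ac71e91875", "naveens", "Naveen S"),
         _user("id-0002", "asmith", "Anne Smith"),
         _user("id-0003", "nbose", "Nitin Bose"),
         _user("id-0004", "jdoe", "Jane Doe"),
         _user("id-0005", "nkumar", "Neha Kumar")]

_FILTER_RE = re.compile(r'^(\w+) (eq|co|sw) "([^"]*)"$')


def compile_filter(expr):
    """Turn the supported filter subset into a predicate; reject anything else."""
    if expr is None:
        return lambda r: True
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError("unsupported filter: " + expr)
    attr, op, wanted = m.groups()
    wanted = wanted.lower()          # caseExact=false: compare case-insensitively

    def pred(r):
        v = r.get(attr)
        if not isinstance(v, str):
            return False
        v = v.lower()
        return {"eq": v == wanted, "co": wanted in v, "sw": v.startswith(wanted)}[op]
    return pred


def _int_param(query, key, default):
    raw = query.get(key)
    if raw is None:
        return default
    if not re.fullmatch(r"-?\d+", raw):
        raise ValueError(f"{key} must be an integer")
    return int(raw)


def search(query, resources=USERS):
    """Handle GET /Users?filter=..&startIndex=..&count=.. (query values are strings)."""
    pred = compile_filter(query.get("filter"))
    matches = [r for r in resources if pred(r)]
    # SCIM edge cases: startIndex below 1 acts as 1; a negative count acts as 0;
    # count=0 returns only totalResults; count is clamped to the server's cap.
    start = max(1, _int_param(query, "startIndex", 1))
    count = min(MAX_PAGE, max(0, _int_param(query, "count", MAX_PAGE)))
    page = matches[start - 1:start - 1 + count]
    return {"schemas": [LIST_RESPONSE], "totalResults": len(matches),
            "startIndex": start, "itemsPerPage": len(page), "Resources": page}


def fetch_all(filter_expr=None, page_size=MAX_PAGE):
    """Client side: advance startIndex by itemsPerPage until totalResults are in hand."""
    out, start = [], 1
    while True:
        resp = search({"filter": filter_expr, "startIndex": str(start),
                       "count": str(page_size)})
        out.extend(resp["Resources"])
        if resp["itemsPerPage"] == 0 or len(out) >= resp["totalResults"]:
            return out
        start = resp["startIndex"] + resp["itemsPerPage"]


if __name__ == "__main__":
    print(search({"filter": 'userName sw "n"', "count": "2"}))
    print([u["userName"] for u in fetch_all('userName sw "n"')])
```

The client advances by the itemsPerPage the server actually returned rather than by the count it asked for, which is what keeps the loop correct when the server clamps the page size; the filter parser rejects anything outside its grammar rather than passing the string on, which is the right default for any query language that ends up inside a backend search.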
11. What Is eSCIMo
   - An implementation of SCIM v2.0
   - Supports LDAP as a backend by default
   - Can work with any LDAP server
   - Embeddable in ApacheDS
12. Running eSCIMo
   Scenario 1: eSCIMo deployed as a web application in an app server/container, talking to a separate LDAP server

     App Server/Container (eSCIMo)  --->  LDAP Server
13. Running eSCIMo...
   Scenario 2: eSCIMo embedded in ApacheDS, served by the Jetty instance inside ApacheDS

     ApacheDS [ Jetty [ eSCIMo ] ]
14. Architecture of eSCIMo

     Security Filter
           |
        REST API
           |
     Resource Provider Interface
           |
           +-- LDAP Resource Provider    (implemented; the default backend)
           +-- RDBMS Resource Provider   (not implemented)
           +-- ???? Resource Provider    (not implemented; placeholder for any other backend behind the same interface)
15. How Does It Work?
   Attribute mapping
   Mapping a simple attribute, e.g.

     "id": "45ceb739-1695-4c03-ab18-33ac71e91875"
     "userName": "naveens"

     <attribute name="id" mappedTo="entryUUID" />
     <attribute name="userName" mappedTo="uid" />

   entryUUID is an operational attribute generated by the LDAP server, so mapping id to it also makes id effectively read-only, as the schema requires.
16. How Does It Work...
   Attribute mapping contd...
   Mapping a complex attribute, e.g.

     "name": {
       "familyName": "Sivashankar",
       "givenName": "Naveen Sivashankar"
     }

     <complex-attribute name="name">
       <at-group>
         <attribute name="familyName" mappedTo="sn" />
         <attribute name="givenName" mappedTo="cn" />
       </at-group>
     </complex-attribute>

   Note that givenName is mapped here to cn, the LDAP common name, which is why it carries the full name; mapping it to the LDAP givenName attribute would yield just "Naveen".
17. How Does It Work...
   Attribute mapping contd...
   Mapping a multi-valued attribute, e.g.

     "emails": [{"value": "naveens@example.com"}, {"value": "ns@mymail.com"}]

     <multival-attribute name="emails">
       <at-group>
         <attribute name="value" mappedTo="mail" />
       </at-group>
     </multival-attribute>

   Each value of the LDAP mail attribute becomes one element of emails, with the sub-attribute value holding the address.
18. How Does It Work...
   Attribute mapping contd...
   e.g.

     "groups": [
       {
         "id": "484fbc39-ae09-427b-896f-d469d28895ad",
         "$ref": "http://localhost:8080/v2/Groups/484fbc39-ae09-427b-896f-d469d28895ad",
         "display": "Administrators"
       }
     ]

   "id" - How can we fetch the ID of the member entry?
   "$ref" - How do we build a URL dynamically?
19. How Does It Work...
   Attribute Handlers

   Handler implementation (method outline as given on the slide; bodies and parameters are not shown)

     public class GroupsAttributeHandler extends LdapAttributeHandler {
         public void read();
         public void write();
         public void patch();
     }

   Handler definition

     <handler name="groupsHandler"
              class="org.apache.directory.scim.ldap.handlers.GroupsAttributeHandler" />

   Handler mapping

     <multival-attribute name="groups" baseDn="ou=system"
                         filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />

   The handler is the answer to the two questions on the previous slide: it searches under baseDn with the given filter, $entryDn being replaced by the DN of the user entry, and is where the id and $ref values for each matching group are produced.
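The attribute mapping of slides 15 to 17 and the groups handler above, as an added example that is not eSCIMo's code: a read-direction mapper driven by XML in the slides' format, with a groups handler that substitutes $entryDn into the LDAP filter. Assumptions (none of this is eSCIMo's own API): the mapping elements are wrapped in a <mapping> root; handlers are Python callables looked up by handlerRef; givenName is mapped to the LDAP givenName attribute rather than cn; the LDAP server is a constructed in-memory list of entries; and only single (attr=value) filters are evaluated. The part a practitioner should not skip is the RFC 4515 escaping of the substituted DN: the DN is built from data the user supplied, and an unescaped '*' or ')' changes the meaning of the search filter. Whether eSCIMo itself escapes it is not stated on the slide.

```python
"""Added example (not eSCIMo code): a read-direction attribute mapper driven
by XML mappings like the ones on these slides, plus a 'groups' handler that
substitutes $entryDn into an LDAP filter. Assumptions are listed in the
lead-in; everything below is constructed for the demonstration."""
import re
import xml.etree.ElementTree as ET

# Mapping in the slides' format. Assumed: a <mapping> root element, and
# givenName mapped to the LDAP givenName attribute rather than cn.
MAPPING_XML = """<mapping>
  <attribute name="id" mappedTo="entryUUID" />
  <attribute name="userName" mappedTo="uid" />
  <complex-attribute name="name"><at-group>
    <attribute name="familyName" mappedTo="sn" />
    <attribute name="givenName" mappedTo="givenName" />
  </at-group></complex-attribute>
  <multival-attribute name="emails"><at-group>
    <attribute name="value" mappedTo="mail" />
  </at-group></multival-attribute>
  <handler name="groupsHandler" class="GroupsAttributeHandler" />
  <multival-attribute name="groups" baseDn="ou=system"
      filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />
</mapping>"""

# Constructed in-memory "LDAP server": each entry is a dict of attribute -> values.
DIRECTORY = [
    {"dn": "uid=naveens,ou=users,ou=system",
     "entryUUID": ["45ceb739-1695-4c03-ab18-33ac71e91875"], "uid": ["naveens"],
     "sn": ["Sivashankar"], "givenName": ["Naveen"],
     "mail": ["naveens@example.com", "ns@mymail.com"]},
    # A user who chose the login name "n*"; the DN is built from it.
    {"dn": "uid=n*,ou=users,ou=system",
     "entryUUID": ["9d0a6c2e-5f31-4b7a-8e44-0c1d2e3f4a5b"], "uid": ["n*"],
     "sn": ["Mallory"], "givenName": ["Eve"], "mail": ["eve@example.com"]},
    {"dn": "cn=Administrators,ou=groups,ou=system",
     "entryUUID": ["484fbc39-ae09-427b-896f-d469d28895ad"], "cn": ["Administrators"],
     "uniqueMember": ["uid=naveens,ou=users,ou=system"]},
    {"dn": "cn=Auditors,ou=groups,ou=system",
     "entryUUID": ["7c3e1f0a-6b2d-4e8f-9a1b-2c3d4e5f6a7b"], "cn": ["Auditors"],
     "uniqueMember": ["uid=n*,ou=users,ou=system"]},
]


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def substitute_entry_dn(template, dn, escape=True):
    """Fill in $entryDn; escape=False exists only to show what goes wrong without it."""
    return template.replace("$entryDn", ldap_filter_escape(dn) if escape else dn)


_FILTER_RE = re.compile(r"^\(([A-Za-z][\w-]*)=(.*)\)$")


def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def match(filter_str, entry):
    """Evaluate one (attr=value) filter; an unescaped '*' is a substring wildcard."""
    m = _FILTER_RE.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, raw = m.groups()
    pattern = re.compile("^" + ".*".join(re.escape(_unescape(p)) for p in raw.split("*")) + "$")
    return any(pattern.match(v) for v in entry.get(attr, []))


def search(directory, base_dn, filter_str):
    """Subtree search under base_dn (simplified to a DN-suffix check)."""
    return [e for e in directory if e["dn"].endswith(base_dn) and match(filter_str, e)]


def groups_handler(entry, spec, directory, base_url):
    """The 'read' side of a groups handler: find the groups listing this entry's DN."""
    filt = substitute_entry_dn(spec["filter"], entry["dn"])
    return [{"id": g["entryUUID"][0], "$ref": f"{base_url}/Groups/{g['entryUUID'][0]}",
             "display": g["cn"][0]} for g in search(directory, spec["baseDn"], filt)]


HANDLERS = {"groupsHandler": groups_handler}   # handlerRef -> callable (assumed)


def to_scim(mapping_xml, entry, directory, base_url):
    """Build the SCIM User JSON for one LDAP entry from the mapping."""
    root = ET.fromstring(mapping_xml)
    for h in root.findall("handler"):
        if h.get("name") not in HANDLERS:
            raise ValueError("no handler registered for " + h.get("name"))
    first = lambda at: (entry.get(at) or [None])[0]
    res = {"schemas": ["urn:scim:schemas:core:2.0:User"]}
    for el in root:
        name = el.get("name")
        if el.tag == "attribute" and first(el.get("mappedTo")) is not None:
            res[name] = first(el.get("mappedTo"))
        elif el.tag == "complex-attribute":
            res[name] = {a.get("name"): first(a.get("mappedTo")) for a in el.iter("attribute")
                         if first(a.get("mappedTo")) is not None}
        elif el.tag == "multival-attribute" and el.get("handlerRef"):
            res[name] = HANDLERS[el.get("handlerRef")](entry, el.attrib, directory, base_url)
        elif el.tag == "multival-attribute":
            subs = [(a.get("name"), a.get("mappedTo")) for a in el.iter("attribute")]
            n = max((len(entry.get(m, [])) for _, m in subs), default=0)
            res[name] = [{s: entry[m][i] for s, m in subs if i < len(entry.get(m, []))}
                         for i in range(n)]
    return res


if __name__ == "__main__":
    import json
    print(json.dumps(to_scim(MAPPING_XML, DIRECTORY[0], DIRECTORY, "http://localhost:8080/v2"), indent=2))
```

With escaping, the second user's groups come out as Auditors only. Substitute her DN unescaped and the filter becomes (uniqueMember=uid=n*,ou=users,ou=system), a substring assertion that also matches naveens's membership in Administrators, so her groups attribute would list a group she is not in. The same applies anywhere a DN or user-supplied value is spliced into a filter string; the write and patch directions of a handler need the same care when they build filters or DNs from the SCIM request body.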
20. eSCIMo Json2Java
   - Is a Maven plugin
   - Generates Java classes from SCIM schemas
21. eSCIMo Client
   - Works with the generated model classes

   e.g. adding a User resource

     User user = new User();
     user.setUserName( "naveens" );
     user.setDisplayName( "Naveen Sivashankar" );
     user.setPassword( "secret" );

     Name name = new Name();
     name.setFamilyName( "Sivashankar" );
     name.setGivenName( "Naveen" );
     user.setName( name );

     EscimoResult result = client.addUser( user );

   The password travels in the request body, so a client like this should only talk to eSCIMo over TLS.
22. Demo

23. Questions?

24. Thank you!
