CIS 2015 SCIM in the Real World - Kelly Grizzle

SCIM in the
Real World
Kelly Grizzle
Software Architect – SailPoint

Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.2
Overview
•  What is SCIM?
•  Trends in SCIM Usage
•  Who are you and what’s your problem?
-  Identity Gurus
-  Service Providers
•  Case Studies
•  Where is SCIM today and where is it going?

What is SCIM?
System for Cross-Domain
Identity Management

Identity Management
+
REST
=

Identity Management + REST = SCIM
•  REST is just architectural pattern
-  SCIM defines an identity management profile for it
•  SCIM provides…
-  Standard definitions for User and Group
-  Standard operations
•  Create, Read, Update, Delete, Search, Partial Update, Bulk
-  Extensibility
•  Add more attributes to existing object types or define new object
types

Example – Retrieve User Request
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8

Example – Retrieve User Response
HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
{
"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "2819c223-7f76-453a-919d-413861904646",
"name": {
"formatted": "Ms. Barbara J Jensen III",
"familyName": "Jensen",
"givenName": "Barbara“
},
"meta": {
"resourceType": "User",
"created": "2011-08-01T18:29:49.793Z",
...
}
}
Self-describing
payload
Single-valued
attribute
Complex
attribute
Many
data types

CRUD Operations
POST /Users
PUT /Users/2819c223-7f76-453a-919d-413861904646
PATCH /Users/2819c223-7f76-453a-919d-413861904646
DELETE /Users/2819c223-7f76-453a-919d-413861904646
GET /Users?startIndex=10&count=5&filter=userName sw “J”
GET /Users/2819c223-7f76-453a-919d-413861904646

Server Configuration Operations
GET /ResourceTypes
-  Return the types of resources that are supported
-  Endpoint URL, schema, etc…
GET /Schemas/
-  Return the schema definitions
-  Attributes names and types, etc…
GET /ServiceProviderConfigs
-  Return info about what is supported by the server
-  Authn methods, optional features, etc…

Trends
•  Enterprises are using SCIM Gateways to communicate
between internal systems
•  Service providers use SCIM for directory access
-  Store extended information, but often not visible externally
•  IAM and IDaaS vendors provide SCIM Servers to expose
identity information and use SCIM Clients to read/write
external systems
•  Common threads in custom password extensions
•  SCIM is seen as the identity management API

99 problems and identity is #1

Problem!!! Bob needs a new account
SCIM Solution: Provision

Problem!!! Bob can’t login!
SCIM Solution: Password reset
* Alternate Solution: Single sign-on … but this isn’t a SAML / OIDC workshop.

Problem!!! Bob can’t read the financials
SCIM Solution: Add him to a group or
give him some entitlements

Problem!!! I need to know Bob’s access
SCIM Solution: Read User and Group Data

Problem!!! Bob has been a bad boy
SCIM Solution: Deprovision

Problem!! Apps team needs to r/w identity
SCIM Solution: Standard but extensible API

Case Study
Fortune 100 Chip
Maker

The Setup
•  Started considering options between a failed Oracle Identity
Manager project and “the next thing”
•  Needed a façade
-  Prevent IAM vendor lock-in
-  Needed co-existence between old and new IAM systems
•  Extensibility was crucial!
•  “We wanted a 20 year solution.” –IAM Guru

The Solution
Create a SCIM gateway to serve as a central identity hub
SCIM Gateway Cluster
Legacy Apps
IAM System SSO
Directory Server

The Interesting Parts
•  Extended user schema to hold custom information
•  Extended endpoints to support many additional features
-  Email verification
•  POST /EmailVerificationTokens to create a token
•  POST /EmailVerification to verify email using token
-  Password reset
•  POST /PasswordResetTokens to create a token
•  POST /PasswordChanges to change password using token
-  Security token management for SSO
•  POST /SecurityTokens to create authenticated session token
•  DELETE /SecurityTokens to invalidate

More Interesting Parts
•  More extended endpoints…
-  Notifications (email or SMS)
•  POST /Notifications to send a notification with user information merged in
(welcome email, forgot login ID, etc…)
-  Role management
•  PATCH /Roles to change membership for a role

The Benefits
•  Ability to add new information and features without breaking
existing clients
-  If there is anything in JSON that you don't recognize, throw it
away
“SCIM has been critical and program-saving. It is exactly what
we needed at exactly the right time, and fills a crucial role in
our environment."
--IAM Guru

Case Study
Fortune 500
Pharmaceuticals

The Setup
•  Need to support identity on a large portfolio of applications
-  Not all application teams are resourced equally
•  Wanted an abstraction of provisioning from specific
implementations
-  Allow for seamless upgrades of IAM system
-  Ease cost of implementation for smaller applications

The Solution
Create a SCIM gateway to serve as a central identity hub
SCIM SOA Gateway
On-prem Apps
IAM System Cloud Apps
Directory Server

The Benefits
•  SCIM gives agility in adopting new versions of IAM system
•  SCIM isolates IAM system if a SaaS vendor changes their
identity model
-  Connector continues to work with an updated schema
-  Important for SaaS vendors that can update at any time
•  If an application vendor is small it's not worth it to write a
custom connector
-  Small vendors are very willing to implement SCIM as their
standard identity API

99 problems and identity is #1

Problem!!! I need to expose a directory!!
SCIM Solution: Read and write with SCIM

Problem!!! I need an API between my own
products!
SCIM Solution: Everything identity is SCIM

Problem!! My mobile app needs identities!
SCIM Solution: Light-weight REST API

Problem!!! I need to get identities from my
customer’s directory into my cloud app!
SCIM Solution: To the cloud with SCIM!

Case Study
Fortune 100
Networking

The Setup
•  Needed a consistent identity API that can be used:
-  By partners
-  By customers
-  Internally between products
-  To communicate with IdPs and other SaaS vendors

The Solution
SCIM Identity Service
Directory
Clients
Internal Systems
Partners &
IdPs
Identity
Sync Client
r/w r/w
Mobile Appr/w

•  Additional endpoints
-  /Devices
-  /Tenants
•  Only available internally
•  Password policy is configured on tenant
•  Core schemas have been extended
-  Positive extensions: New attributes (mainly internal info)
-  Negative extensions: Attributes in SCIM spec that aren’t
supported
•  Legacy APIs forward requests on to SCIM

The Benefits
•  Single API for everything identity
•  Mobile application has a light-weight API to use
•  SCIM clients are easy to write
-  Have seen no need to write a toolkit

Case Study
Fortune 1000
Networking

The Setup
•  Needed a consistent identity API that can be used:
-  By customers
-  Internally between products
-  To communicate with IdPs

The Solution
SCIM Identity Service
Custom
Clients
Internal Systems IdPs
AD
Sync Client
r/w r/w

•  Exploring an “organizational unit” extension to facility multi-
tenancy in API
•  Exploring a pub/sub SCIM model
-  Client subscribes to be notified of changes
-  SCIM server sends out notifications

The Benefits
•  Single API for everything identity
•  No need to provide documentation
-  Just point developers at the spec
•  Easy to implement

PaaS – CloudFoundry
•  CloudFoundry is an open platform-as-a-service (PaaS)
•  Identity APIs leverage standards
-  SCIM, OAuth2, and OpenID Connect
•  Benefits
-  Use existing open API rather than reinventing the wheel
-  Use SCIM extensions for some non-identity APIs

IDaaS and IAM Vendors
•  IDaaS and IAM vendors need to:
-  Allow external access to their identity store
-  Provision/read identities and groups to/from other applications
•  SCIM server provides external access
•  SCIM client provides provisioning to other applications
•  Benefits
-  Standardized API makes external integration easy
-  Applications that support SCIM can be integrated immediately
•  No custom connector is required
•  No product upgrade required to support new apps
SailPoint, Salesforce, Ping, VMWare, neXus, Oracle, UnboundID

Higher Education
•  Higher education is largely focused on federation
-  Need to propagate minimum amount of identity data
-  Authorization data (group memberships) are very important
-  Federation attribute payload works well for Just In Time (JIT)
provisioning
-  SCIM enables more robust record propagation when JIT is not
good enough
•  For example, email account provisioning often must occur before
first login
Federations that need attribute exchange

Higher Education
•  VOOT is an identity/group protocol built on top of SCIM
-  Adds more features around group membership
•  Grouper is a user/group management tool developed by
Internet2
-  SCIM integration allows writing to down-stream endpoints
http://openvoot.org/
https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+Integration
VOOT and Grouper

Case Study
neXus
Internet of Things

The Setup
•  IoT provider needed:
-  A registry of devices associated with a user
-  Information about the device (bluetooth address, etc…)
-  A mobile app that can
•  Authenticate
•  Retrieve user information (including devices)
•  Communicate with devices
-  Devices that can send status updates

The Solution
SCIM Server
Mobile App
GET /me
(as authenticated user)
{
“id”: “89723-83703”,
“devices”: [{
“name”: “Tesla”,
“bluetoothAddress”: “000A3A58F310”,
“deviceType”: “electricCar”,
“batteryLife”: 58,
…
},
…
}
Bluetooth
Start A/C
PATCH /Cars/89723-83703
{
“batteryLife”: 57,
“location”: {
“lat”: 30.4045541,
“long”: -97.8489572
}
}

The Benefits
•  Extended user schema to show which devices belong to
each user
•  New endpoints for devices to read/write device information
-  Example: /Cars, /Vacuums
•  Extensible schema allows new device types to be imported
via JSON files
•  Extremely light-weight SCIM clients on mobile app and
devices
-  This is very important for constrained devices

Current Status
•  2.0 API, Core Schema, and Use Cases docs are complete
-  Will become official RFCs in the next couple months
•  IETF working group will continue to work on SCIM
extensions
-  Passwords: http://datatracker.ietf.org/doc/draft-hunt-scim-password-mgmt/
-  Notify: http://datatracker.ietf.org/doc/draft-hunt-scim-notify/
-  Soft Delete: http://datatracker.ietf.org/doc/draft-ansari-scim-soft-delete/
-  Others TBD

Adoption is growing…
“The SCIM interface will have parity other APIs and will be a
first-class citizen.”
--Ian Glazer, Salesforce
“I’m also proud to say Oracle’s Amit Jasuja announced at last
year’s OpenWorld that Oracle IDM’s key REST API for
Identity will be SCIM…”
--Phil Hunt, Oracle

Adoption is growing…
“SCIM works perfectly for constrained devices.”
--Erik Wahlström, neXus
“SCIM is simple to implement.”
--Haavar Valeur, Citrix

Questions
kelly.grizzle@sailpoint.com
@kelly_grizzle
http://simplecloud.info

CIS 2015 SCIM in the Real World - Kelly Grizzle

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to CIS 2015 SCIM in the Real World - Kelly Grizzle

Similar to CIS 2015 SCIM in the Real World - Kelly Grizzle (20)

More from CloudIDSummit

More from CloudIDSummit (20)

Recently uploaded

Recently uploaded (20)

CIS 2015 SCIM in the Real World - Kelly Grizzle