Master IAM in the Cloud with SCIM v2.0
Kelly Grizzle
Software Architect – SailPoint
Copyright © SailPoint Technologies, Inc. 2016 All rights reserved.
Overview
• What is SCIM?
• Use Cases
• Your special snowflake
• Differences between 1.1 and 2.0
• What's coming?
• Adoption
What is SCIM?
System for Cross-Domain Identity Management
Identity Management
Identity Management + REST =
Identity Management + REST = SCIM
• REST is just an architectural pattern
- SCIM defines an identity management profile for it
• SCIM provides…
- Standard definitions for User and Group
• Expressed in JSON (JavaScript Object Notation)
- Standard operations
• Create, Read, Update, Delete, Search, Partial Update, Bulk
- Extensibility
• Add more attributes to existing object types or define new object types
Example – Retrieve User Request
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
Example – Retrieve User Response
HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    ...
  }
}
Callouts on the slide: self-describing payload (schemas); single-valued attribute (id); complex attribute (name); many data types (meta.created is a dateTime).
Use Cases
SCIM … huh … yeah … what is it good for? Absolutely … LOTS!
Use Cases
• Create account
• Add or remove access to a user
• Read a user’s current access so that it can be certified
• Terminate a user
• Provide user information for a corporate directory
• Synchronize user information from one application to another
Is your identity management API a special snowflake?
It seemed like such a good idea … until…
It looks so beautiful … until …
you have to integrate with it.
And you end up with something like this…
OR
Differences between SCIM v1.1 and v2.0
EXTENSIBILITY =
SCIM 2.0 is much more extensible
• The BIGGEST and BEST change since SCIM 1.1
• A server can define
- Extensions to core objects (users and groups)
• Need to store your users’ favorite tattoo parlors? No problem!
- Completely new types of objects
• Roles, profiles, oauth clients, toasters, whatever the heck you want!
- Relationships between objects
• This toaster belongs to this user
• A client can ask the server to describe itself
Other goodies
• Simplified PATCH (partial update of objects)
• Secure searching (POST to /.search endpoint)
- In case this bothers you: GET /Users?filter=ssn eq "379-941-9832" (the SSN sits in the URL, where proxies and access logs record it)
• Add /Me endpoint to retrieve authenticated user’s information
• Reference data type to describe relationships
• General hardening of the slushy spots in the spec
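As an added example (not part of the original slides), the same search built both ways, a SCIM 2.0 PatchOp body of the simplified form the slide mentions, and a check for what an access log would capture. The message URNs are the standard SCIM 2.0 ones; the helper names and the sample e-mail address are my own.

```python
from urllib.parse import quote

SEARCH_REQUEST = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def filter_literal(value):
    """Quote a string value for a SCIM filter expression, escaping embedded quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def search_via_get(attr, value):
    """GET search (both versions): the whole filter, sensitive value included, is in the URL."""
    scim_filter = f"{attr} eq {filter_literal(value)}"
    return {"method": "GET", "path": "/Users?filter=" + quote(scim_filter, safe=""), "body": None}

def search_via_post(attr, value, attributes=("id", "userName")):
    """2.0 /.search: the same filter, carried in the JSON body where URL logs never see it."""
    body = {"schemas": [SEARCH_REQUEST],
            "filter": f"{attr} eq {filter_literal(value)}",
            "attributes": list(attributes)}
    return {"method": "POST", "path": "/Users/.search", "body": body}

def deactivate_user_patch(user_id, new_work_email=None):
    """2.0 PatchOp: an ordered list of operations, each with op / path / value."""
    ops = [{"op": "replace", "path": "active", "value": False}]
    if new_work_email:
        ops.append({"op": "add", "path": "emails",
                    "value": [{"value": new_work_email, "type": "work", "primary": True}]})
    return {"method": "PATCH", "path": f"/Users/{user_id}",
            "body": {"schemas": [PATCH_OP], "Operations": ops}}

def url_exposes(request, secret):
    """What a proxy or web-server access log records: does the secret appear in the request line?"""
    path = request["path"]
    return secret in path or quote(secret, safe="") in path
```

Bodies are returned as dicts; serialize them with json.dumps and send with Content-Type: application/scim+json.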
Is 2.0 Backwards Compatible?
Short answer – No … but it’s not that different.
• Things to look out for…
- New /ResourceTypes endpoint and changes to /Schemas
- Addition of meta.resourceType to each resource
- References (e.g. manager) now use $ref syntax
- PATCH syntax was reworked
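Added example, not from the deck: a few checks a client can run on a retrieved resource like the earlier User response, covering two of the 2.0 markers listed above (meta.resourceType and $ref on references) plus attribute lookup that understands the extension URNs from the extensibility slide. The sample payload is the slide's response completed with a constructed userName and the standard enterprise User extension carrying a manager reference.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
CORE_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
RESOURCE_TYPE_FOR_SCHEMA = {CORE_USER: "User", CORE_GROUP: "Group"}

# Constructed sample: the slide's response body plus the enterprise extension,
# so that there is a $ref-style manager reference to check.
SAMPLE_RESPONSE = """{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "userName": "bjensen",
  "name": {"formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara"},
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "manager": {"value": "26118915-6090-4610-87e4-49d8ca9f808d",
                "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d"}},
  "meta": {"resourceType": "User", "created": "2011-08-01T18:29:49.793Z"}
}"""
SAMPLE_DOC = json.loads(SAMPLE_RESPONSE)

def lint_scim2_resource(doc):
    """Return the reasons a payload does not look like a SCIM 2.0 resource (empty = fine)."""
    problems = []
    core = [s for s in doc.get("schemas", []) if s in RESOURCE_TYPE_FOR_SCHEMA]
    if len(core) != 1:
        return ["expected exactly one core schema URN in 'schemas'"]
    # 2.0 added meta.resourceType; it must agree with the core schema
    if doc.get("meta", {}).get("resourceType") != RESOURCE_TYPE_FOR_SCHEMA[core[0]]:
        problems.append("meta.resourceType missing or does not match the core schema")
    # 2.0 references carry '$ref' beside 'value'; 1.1 sent a bare value
    manager = doc.get(ENTERPRISE_USER, {}).get("manager")
    if isinstance(manager, dict) and "value" in manager and "$ref" not in manager:
        problems.append("manager reference has no '$ref' (1.1 style)")
    return problems

def get_attribute(doc, path):
    """Resolve 'name.givenName' or '<schema URN>:manager.value' against a resource."""
    node = doc
    for urn in doc.get("schemas", []):
        if path.startswith(urn + ":"):
            path = path[len(urn) + 1:]
            if urn not in RESOURCE_TYPE_FOR_SCHEMA:   # extension attributes live under their URN
                node = doc.get(urn, {})
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node
```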
What’s new with SCIM?
Cha…cha…cha…cha…changes!
What’s new?
• Polling
- Ability to ask for recent changes
• Events
- Clients can subscribe to a server to be notified about changes
• Discovery
- Use /.well-known/scim to get basic information about a SCIM server
• TIER (Trust & Identity in Education & Research)
- Internet2 group is creating standardized EduUser and EduGroup extensions
SCIM Adoption
Who is using it?
Also … within organizations
• Many organizations are using SCIM as their internal identity management API
• Often use a “SCIM Gateway” at the center of their infrastructure
• Benefits
- Simplifies adding new systems into the environment
- Isolates disruptions from change (e.g. changing ERP vendor)
- Prevents reinventing the wheel
- Ease of implementation by using existing libraries
• The spec is also relatively straightforward and easy to implement
SCIM 2.0 is the way to go!
Questions?
@kelly_grizzle
kelly.grizzle@sailpoint.com
http://simplecloud.info
SCIM Master Class
Wednesday
2:30 – 3:20: User Provisioning 101
3:30 – 4:20: SCIM 2 in Depth
4:30 – 5:20: SCIM 2 Interop Report