SCIM in the
Real World
Kelly Grizzle
Software Architect – SailPoint
Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.
Overview
• What is SCIM?
• Trends in SCIM Usage
• Who are you and what’s your problem?
- Identity Gurus
- Service Providers
• Case Studies
• Where is SCIM today and where is it going?
What is SCIM?
System for Cross-Domain
Identity Management
Identity Management
+
REST
=
Identity Management + REST = SCIM
• REST is just an architectural pattern
- SCIM defines an identity management profile for it
• SCIM provides…
- Standard definitions for User and Group
- Standard operations
• Create, Read, Update, Delete, Search, Partial Update, Bulk
- Extensibility
• Add more attributes to existing object types or define new object types
Example – Retrieve User Request
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
Example – Retrieve User Response
HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    ...
  }
}
Slide callouts: self-describing payload, single-valued attribute, complex attribute, many data types.
CRUD Operations
POST /Users
PUT /Users/2819c223-7f76-453a-919d-413861904646
PATCH /Users/2819c223-7f76-453a-919d-413861904646
DELETE /Users/2819c223-7f76-453a-919d-413861904646
GET /Users?startIndex=10&count=5&filter=userName sw "J"
GET /Users/2819c223-7f76-453a-919d-413861904646
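The search request above, with its filter, startIndex and count parameters, is the one place in the CRUD set where the server has to parse free-form client input. What follows is an added example, not code from the slides or from SailPoint: a small SCIM 2.0 filter parser and evaluator in Python, run over a constructed in-memory user store, plus the percent-encoded form of the query URL (the slide shows the filter unencoded for readability). It accepts eq, co and sw comparisons, and/or with the usual precedence, parentheses, quoted strings and the literals true/false/null; anything outside that grammar raises a ValueError instead of being guessed at, and the result comes back as one page of a ListResponse. The three user records are made up for the example.

```python
# Added example, not from the slides: a SCIM 2.0 filter parser/evaluator served from a constructed user store.
import re
from urllib.parse import urlencode
USERS = [  # constructed sample users standing in for a server's store
    {"id": "u1", "userName": "jensen", "name": {"familyName": "Jensen", "givenName": "Barbara"}, "active": True},
    {"id": "u2", "userName": "jsmith", "name": {"familyName": "Smith", "givenName": "John"}, "active": False},
    {"id": "u3", "userName": "mbrown", "name": {"familyName": "Brown", "givenName": "Mary"}, "active": True},
]
TOKEN = re.compile(r'\s*(?:(\()|(\))|"((?:[^"\\]|\\.)*)"|([A-Za-z0-9_.:\-]+)|(.))')
COMPARE = {
    "eq": lambda a, b: a == b,
    "co": lambda a, b: isinstance(a, str) and isinstance(b, str) and b in a,
    "sw": lambda a, b: isinstance(a, str) and isinstance(b, str) and a.startswith(b),
}
PRECEDENCE = {"or": 1, "and": 2}  # 'and' binds tighter than 'or'
LITERALS = {"true": True, "false": False, "null": None}  # the only unquoted values accepted here

def tokenize(expr):
    """Split a filter into (kind, text) tokens: parenthesis, double-quoted string, or bare word
    (attribute, operator or literal). Any other character is rejected instead of being skipped."""
    tokens = []
    for lp, rp, s, w, bad in TOKEN.findall(expr):
        if bad:
            raise ValueError(f"unexpected character {bad!r} in filter")
        tokens.append(("paren", lp or rp) if lp or rp else ("word", w) if w else ("string", s))
    return tokens

class Parser:
    """Precedence-climbing parser producing ('and'|'or', left, right) or ('cmp', op, attr, value) nodes."""
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self):
        return self.toks[self.i][1].lower() if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("filter ended unexpectedly")
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self.expr(0)
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in filter")
        return node

    def expr(self, min_prec):
        node = self.factor()
        while self.peek() in PRECEDENCE and PRECEDENCE[self.peek()] >= min_prec:
            op = self.take()[1].lower()
            node = (op, node, self.expr(PRECEDENCE[op] + 1))
        return node

    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr(0)
            if self.take()[1] != ")":
                raise ValueError("missing ')'")
            return node
        kind, attr = self.take()
        if kind != "word":
            raise ValueError("expected attribute name")
        kind, op = self.take()
        if kind != "word" or op.lower() not in COMPARE:
            raise ValueError(f"unsupported operator {op!r}")
        kind, raw = self.take()
        if kind != "string" and raw.lower() not in LITERALS:
            raise ValueError(f"unquoted value {raw!r}")
        return ("cmp", op.lower(), attr, raw if kind == "string" else LITERALS[raw.lower()])

def lookup(resource, path):
    """Case-insensitive walk of a dotted attribute path such as name.familyName."""
    for part in path.split("."):
        key = next((k for k in resource if k.lower() == part.lower()), None) if isinstance(resource, dict) else None
        if key is None:
            return None
        resource = resource[key]
    return resource

def evaluate(node, resource):
    """Apply a parsed filter to one resource; absent attributes never match."""
    if node[0] in PRECEDENCE:
        left, right = evaluate(node[1], resource), evaluate(node[2], resource)
        return (left and right) if node[0] == "and" else (left or right)
    _, op, attr, value = node
    actual = lookup(resource, attr)
    if isinstance(actual, str) and isinstance(value, str):
        actual, value = actual.lower(), value.lower()  # SCIM strings compare case-insensitively unless caseExact
    return actual is not None and COMPARE[op](actual, value)

def build_search_url(base, filter_expr, start_index=1, count=100):
    """The slide shows the filter unencoded; on the wire its spaces and quotes must be percent-encoded."""
    return f"{base}/Users?" + urlencode({"startIndex": start_index, "count": count, "filter": filter_expr})

def search(filter_expr, start_index=1, count=100):
    """Run a filter over USERS and return one page as a SCIM ListResponse (startIndex is 1-based)."""
    tree = Parser(filter_expr).parse()
    matches = [u for u in USERS if evaluate(tree, u)]
    start = max(start_index, 1)
    page = matches[start - 1:start - 1 + max(count, 0)]
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "totalResults": len(matches),
            "startIndex": start, "itemsPerPage": len(page), "Resources": page}
```

Parsing the filter into a tree first and only then evaluating it is what makes rejecting bad input cheap: a malformed or unsupported filter fails before any data is touched. A production server would additionally cap count at the maximum it advertises in its service provider configuration and apply a stable sort before paging.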
Server Configuration Operations
GET /ResourceTypes
- Return the types of resources that are supported
- Endpoint URL, schema, etc…
GET /Schemas/
- Return the schema definitions
- Attribute names and types, etc…
GET /ServiceProviderConfigs
- Return info about what is supported by the server
- Authn methods, optional features, etc…
Trends in SCIM
Usage
Trends
• Enterprises are using SCIM Gateways to communicate between internal systems
• Service providers use SCIM for directory access
- Store extended information, but often not visible externally
• IAM and IDaaS vendors provide SCIM Servers to expose identity information and use SCIM Clients to read/write external systems
• Common threads in custom password extensions
• SCIM is seen as the identity management API
Who are you?
IAM Gurus!
99 problems and identity is #1
Problem!!! Bob needs a new account
SCIM Solution: Provision
Problem!!! Bob can’t login!
SCIM Solution: Password reset
* Alternate Solution: Single sign-on … but this isn’t a SAML / OIDC workshop.
Problem!!! Bob can’t read the financials
SCIM Solution: Add him to a group or
give him some entitlements
Problem!!! I need to know Bob’s access
SCIM Solution: Read User and Group Data
Problem!!! Bob has been a bad boy
SCIM Solution: Deprovision
Problem!! Apps team needs to r/w identity
SCIM Solution: Standard but extensible API
Case Study
Fortune 100 Chip
Maker
The Setup
• Started considering options between a failed Oracle Identity Manager project and “the next thing”
• Needed a façade
- Prevent IAM vendor lock-in
- Needed co-existence between old and new IAM systems
• Extensibility was crucial!
• “We wanted a 20 year solution.” –IAM Guru
The Solution
Create a SCIM gateway to serve as a central identity hub
Diagram: a SCIM Gateway Cluster as the hub, with Legacy Apps, the IAM System, SSO and a Directory Server connected to it.
The Interesting Parts
• Extended user schema to hold custom information
• Extended endpoints to support many additional features
- Email verification
• POST /EmailVerificationTokens to create a token
• POST /EmailVerification to verify email using token
- Password reset
• POST /PasswordResetTokens to create a token
• POST /PasswordChanges to change password using token
- Security token management for SSO
• POST /SecurityTokens to create authenticated session token
• DELETE /SecurityTokens to invalidate
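The token endpoints above are the security-sensitive part of this gateway, so here is an added example, not code from the slides or from the customer's gateway, of how the server side of the POST /PasswordResetTokens and POST /PasswordChanges pair can be implemented in Python. The endpoint names come from the slide; the token rules are this example's own choices: a random token handed out exactly once, only its SHA-256 kept in the store, a 15-minute lifetime, single use, and binding to the user it was issued for. The in-memory user store, the injectable clock and the PBKDF2 password hashing are stand-ins for whatever the real gateway uses.

```python
# Added example, not from the slides: the server side of POST /PasswordResetTokens followed by
# POST /PasswordChanges, as an in-memory sketch. Endpoint names are from the deck; the token
# rules (random, hash-only storage, expiry, single use, bound to one user) are this example's own.
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$rounds$salt$hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the hash with the stored salt and rounds and compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return secrets.compare_digest(digest.hex(), digest_hex)


@dataclass
class ResetToken:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    def __init__(self, users, clock=time.time):
        self.users = users      # user_id -> {"userName": ..., "passwordHash": ...}; constructed store
        self.clock = clock      # injectable so expiry can be exercised in tests
        self.tokens = {}        # sha256(token) -> ResetToken; the plaintext token is never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create_token(self, user_id):
        """POST /PasswordResetTokens: mint a one-time token for an existing user.
        Returns the plaintext once, for out-of-band delivery (email or SMS), or None for an
        unknown user; the HTTP layer should answer both cases identically to avoid account enumeration."""
        if user_id not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[self._key(token)] = ResetToken(user_id, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def change_password(self, user_id, token, new_password):
        """POST /PasswordChanges: honour the token once, before expiry, only for the user it was issued to."""
        key = self._key(token)
        record = self.tokens.get(key)
        if record is None or record.used or record.user_id != user_id:
            return False
        if self.clock() > record.expires_at:
            del self.tokens[key]            # expired: purge rather than keep around
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False                    # policy failure; the holder may retry with a compliant password
        record.used = True                  # consume before writing so a retry can never succeed twice
        self.users[user_id]["passwordHash"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = {"u1": {"userName": "bjensen", "passwordHash": hash_password("old password here")}}
    service = PasswordResetService(store)
    token = service.create_token("u1")
    print(service.change_password("u1", token, "correct horse battery staple"))   # True
    print(service.change_password("u1", token, "correct horse battery staple"))   # False: already used
```

The email verification pair on the same slide (POST /EmailVerificationTokens, POST /EmailVerification) follows the identical pattern with the password write replaced by setting a verified flag. Storing only the hash means a leaked token table is useless, and consuming the token before the write closes the replay window.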
More Interesting Parts
• More extended endpoints…
- Notifications (email or SMS)
• POST /Notifications to send a notification with user information merged in (welcome email, forgot login ID, etc…)
- Role management
• PATCH /Roles to change membership for a role
The Benefits
• Ability to add new information and features without breaking existing clients
- If there is anything in the JSON that you don't recognize, throw it away
“SCIM has been critical and program-saving. It is exactly what we needed at exactly the right time, and fills a crucial role in our environment.”
--IAM Guru
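The rule in the benefits bullet above, throw away what you do not recognize, is what keeps old clients working while the gateway's schema keeps growing. As an added example, not code from the slides or the customer's clients, here is a Python client-side parser that applies it to a SCIM User response: it checks the media type and the schemas array (the self-describing payload from the earlier slide), keeps only the core attributes it knows, picks the Enterprise User extension attributes it knows by that extension's standard SCIM 2.0 URN, and lists everything it dropped. The sample response, the client's known-attribute sets and the urn:example future extension are constructed for the example; the id is the one shown on the earlier slide.

```python
# Added example, not from the slides: a client-side parser for a SCIM User response that keeps what it
# understands, reads extension attributes by their schema URN, and throws the rest away.
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"  # standard SCIM 2.0 extension
KNOWN_CORE = {"id", "externalId", "userName", "name", "active", "emails", "meta"}   # what this client acts on
KNOWN_ENTERPRISE = {"employeeNumber", "department", "manager"}

# Constructed response: the id is the one on the earlier slide; favoriteColor, costCenter and the
# urn:example schema stand in for attributes a newer server version might add that this client predates.
SAMPLE_RESPONSE = json.dumps({
    "schemas": [CORE_USER, ENTERPRISE_USER, "urn:example:params:scim:schemas:extension:future:1.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "name": {"formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara"},
    "active": True,
    "favoriteColor": "blue",
    ENTERPRISE_USER: {"employeeNumber": "701984", "department": "Finance", "costCenter": "4130"},
    "urn:example:params:scim:schemas:extension:future:1.0:User": {"badge": "A-17"},
    "meta": {"resourceType": "User", "created": "2011-08-01T18:29:49.793Z"},
})


def parse_user(body, content_type):
    """Return {"core": ..., "enterprise": ..., "ignored": [...]}; raise ValueError if this is not a SCIM User."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in ("application/scim+json", "application/json"):
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    doc = json.loads(body)
    schemas = doc.get("schemas") if isinstance(doc, dict) else None
    if not isinstance(schemas, list) or CORE_USER not in schemas:  # the payload must declare itself a User
        raise ValueError("payload does not declare the core User schema")
    core = {k: v for k, v in doc.items() if k in KNOWN_CORE}
    if not isinstance(core.get("id"), str) or not isinstance(core.get("userName"), str):
        raise ValueError("id and userName are required on a User")
    ext = doc.get(ENTERPRISE_USER)
    ext = ext if isinstance(ext, dict) else {}
    enterprise = {k: v for k, v in ext.items() if k in KNOWN_ENTERPRISE}
    # Everything else, unknown top-level attributes and extension schemas this client never heard of, is dropped.
    ignored = sorted(k for k in doc if k not in KNOWN_CORE | {"schemas", ENTERPRISE_USER})
    ignored += sorted(f"{ENTERPRISE_USER}:{k}" for k in ext if k not in KNOWN_ENTERPRISE)
    return {"core": core, "enterprise": enterprise, "ignored": ignored}


def accepts(body, content_type):
    """True when parse_user accepts the response; shows what the schema and media-type checks reject."""
    try:
        parse_user(body, content_type)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError too
        return False
```

Keying extension data by URN rather than by position is what makes the server free to add a third or fourth extension later: the client's view of the resource does not change until the client is taught the new URN. Logging the ignored list (rather than failing on it) is a cheap way to notice schema drift between the gateway and its clients.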
Case Study
Fortune 500
Pharmaceuticals
The Setup
• Need to support identity on a large portfolio of applications
- Not all application teams are resourced equally
• Wanted an abstraction of provisioning from specific implementations
- Allow for seamless upgrades of IAM system
- Ease cost of implementation for smaller applications
The Solution
Create a SCIM gateway to serve as a central identity hub
Diagram: a SCIM SOA Gateway as the hub, with On-prem Apps, the IAM System, Cloud Apps and a Directory Server connected to it.
The Benefits
• SCIM gives agility in adopting new versions of IAM system
• SCIM isolates IAM system if a SaaS vendor changes their identity model
- Connector continues to work with an updated schema
- Important for SaaS vendors that can update at any time
• If an application vendor is small, it's not worth it to write a custom connector
- Small vendors are very willing to implement SCIM as their standard identity API
Who are you?
Service
Providers!!
99 problems and identity is #1
Problem!!! I need to expose a directory!!
SCIM Solution: Read and write with SCIM
Problem!!! I need an API between my own products!
SCIM Solution: Everything identity is SCIM
Problem!! My mobile app needs identities!
SCIM Solution: Light-weight REST API
Problem!!! I need to get identities from my customer’s directory into my cloud app!
SCIM Solution: To the cloud with SCIM!
Case Study
Fortune 100
Networking
The Setup
• Needed a consistent identity API that can be used:
- By partners
- By customers
- Internally between products
- To communicate with IdPs and other SaaS vendors
The Solution
Diagram: a SCIM Identity Service with a Directory, used by Clients, Internal Systems, Partners & IdPs, an Identity Sync Client and a Mobile App (r/w).
The Interesting Parts
• Additional endpoints
- /Devices
- /Tenants
• Only available internally
• Password policy is configured on tenant
• Core schemas have been extended
- Positive extensions: New attributes (mainly internal info)
- Negative extensions: Attributes in SCIM spec that aren’t supported
• Legacy APIs forward requests on to SCIM
The Benefits
• Single API for everything identity
• Mobile application has a light-weight API to use
• SCIM clients are easy to write
- Have seen no need to write a toolkit
Case Study
Fortune 1000
Networking
The Setup
• Needed a consistent identity API that can be used:
- By customers
- Internally between products
- To communicate with IdPs
The Solution
Diagram: a SCIM Identity Service used by Custom Clients, Internal Systems and IdPs, with an AD Sync Client.
The Interesting Parts
• Exploring an “organizational unit” extension to facilitate multi-tenancy in the API
• Exploring a pub/sub SCIM model
- Client subscribes to be notified of changes
- SCIM server sends out notifications
The Benefits
• Single API for everything identity
• No need to provide documentation
- Just point developers at the spec
• Easy to implement
Case Studies
in brief
PaaS – CloudFoundry
• CloudFoundry is an open platform-as-a-service (PaaS)
• Identity APIs leverage standards
- SCIM, OAuth2, and OpenID Connect
• Benefits
- Use existing open API rather than reinventing the wheel
- Use SCIM extensions for some non-identity APIs
IDaaS and IAM Vendors
• IDaaS and IAM vendors need to:
- Allow external access to their identity store
- Provision/read identities and groups to/from other applications
• SCIM server provides external access
• SCIM client provides provisioning to other applications
• Benefits
- Standardized API makes external integration easy
- Applications that support SCIM can be integrated immediately
• No custom connector is required
• No product upgrade required to support new apps
SailPoint, Salesforce, Ping, VMWare, neXus, Oracle, UnboundID
Higher Education
• Higher education is largely focused on federation
- Need to propagate minimum amount of identity data
- Authorization data (group memberships) are very important
- Federation attribute payload works well for Just In Time (JIT) provisioning
- SCIM enables more robust record propagation when JIT is not good enough
• For example, email account provisioning often must occur before first login
Federations that need attribute exchange
Higher Education
• VOOT is an identity/group protocol built on top of SCIM
- Adds more features around group membership
• Grouper is a user/group management tool developed by
Internet2
- SCIM integration allows writing to down-stream endpoints
http://openvoot.org/
https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+Integration
VOOT and Grouper
Case Study
neXus
Internet of Things
The Setup
• IoT provider needed:
- A registry of devices associated with a user
- Information about the device (bluetooth address, etc…)
- A mobile app that can
• Authenticate
• Retrieve user information (including devices)
• Communicate with devices
- Devices that can send status updates
The Solution
Diagram: the Mobile App calls the SCIM Server as the authenticated user; it talks to the car over Bluetooth (e.g. "Start A/C"), and the device reports its status back to the SCIM Server with a PATCH.
GET /me
(as authenticated user)
{
  "id": "89723-83703",
  "devices": [{
    "name": "Tesla",
    "bluetoothAddress": "000A3A58F310",
    "deviceType": "electricCar",
    "batteryLife": 58,
    ...
  },
  ...
  ]
}
PATCH /Cars/89723-83703
{
  "batteryLife": 57,
  "location": {
    "lat": 30.4045541,
    "long": -97.8489572
  }
}
The Benefits
• Extended user schema to show which devices belong to each user
• New endpoints for devices to read/write device information
- Example: /Cars, /Vacuums
• Extensible schema allows new device types to be imported via JSON files
• Extremely light-weight SCIM clients on mobile app and devices
- This is very important for constrained devices
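Letting devices write their own records makes input validation the server's job, and the device-type definitions imported from JSON are the natural place to drive it from. As an added example, not code from the slides or from the neXus deployment, the Python below loads a device-type definition written in the shape of a SCIM /Schemas entry (attribute name, type, mutability, sub-attributes) and validates the simplified replace-style PATCH body shown on the /Cars slide against it: unknown attributes, wrong types and writes to readOnly or immutable attributes are rejected before anything is stored. The Car definition, its URN and its attribute list are constructed for the example; only the example values come from the slide.

```python
# Added example, not from the slides: validate a device's replace-style PATCH body (as on the /Cars
# slide) against a device-type definition loaded from JSON. The definition mirrors the shape of a
# SCIM /Schemas entry; the "Car" type, its urn:example URN and its attributes are constructed here.
import json

CAR_SCHEMA_JSON = json.dumps({
    "id": "urn:example:params:scim:schemas:extension:iot:1.0:Car",
    "name": "Car",
    "attributes": [
        {"name": "id", "type": "string", "mutability": "readOnly"},
        {"name": "name", "type": "string", "mutability": "readWrite"},
        {"name": "bluetoothAddress", "type": "string", "mutability": "immutable"},
        {"name": "deviceType", "type": "string", "mutability": "immutable"},
        {"name": "batteryLife", "type": "integer", "mutability": "readWrite"},
        {"name": "location", "type": "complex", "mutability": "readWrite", "subAttributes": [
            {"name": "lat", "type": "decimal", "mutability": "readWrite"},
            {"name": "long", "type": "decimal", "mutability": "readWrite"},
        ]},
    ],
})

# SCIM type name -> accepted JSON value. bool is excluded from the numeric types on purpose:
# json.loads turns "true" into True, and True would otherwise slip through as the integer 1.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "decimal": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "complex": lambda v: isinstance(v, dict),
}


def load_schema(schema_json):
    """Index a JSON device-type definition by attribute name."""
    schema = json.loads(schema_json)
    return {a["name"]: a for a in schema["attributes"]}


def validate_patch(attributes, patch, path=""):
    """Return a list of problems with a replace-style PATCH body; an empty list means it may be applied."""
    if not isinstance(patch, dict):
        return [f"{path or 'body'}: expected an object"]
    errors = []
    for name, value in patch.items():
        full = f"{path}{name}"
        spec = attributes.get(name)
        if spec is None:
            errors.append(f"{full}: unknown attribute")  # reject rather than silently store
            continue
        # readOnly is server-assigned; immutable is set when the device is created (POST) and refused here.
        if spec.get("mutability", "readWrite") in ("readOnly", "immutable"):
            errors.append(f"{full}: attribute is {spec['mutability']}")
            continue
        check = TYPE_CHECKS.get(spec["type"])
        if check is None or not check(value):
            errors.append(f"{full}: expected {spec['type']}")
            continue
        if spec["type"] == "complex":  # recurse with the sub-attribute definitions
            sub = {s["name"]: s for s in spec.get("subAttributes", [])}
            errors.extend(validate_patch(sub, value, full + "."))
    return errors


def apply_patch(attributes, resource, patch):
    """Merge a validated PATCH into a copy of the resource; raise ValueError if validation fails."""
    errors = validate_patch(attributes, patch)
    if errors:
        raise ValueError("; ".join(errors))
    updated = json.loads(json.dumps(resource))  # deep copy; the caller's record is untouched
    for name, value in patch.items():
        if isinstance(value, dict):
            updated[name] = {**updated.get(name, {}), **value}
        else:
            updated[name] = value
    return updated
```

Because the validator is driven entirely by the loaded definition, importing a new device type (the /Vacuums case on the slide) needs no code change, and the same mutability flags that /Schemas would advertise to clients are what stop a device from rewriting its own id or deviceType.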
Where is SCIM?
Current Status
• 2.0 API, Core Schema, and Use Cases docs are complete
- Will become official RFCs in the next couple of months
• IETF working group will continue to work on SCIM extensions
- Passwords: http://datatracker.ietf.org/doc/draft-hunt-scim-password-mgmt/
- Notify: http://datatracker.ietf.org/doc/draft-hunt-scim-notify/
- Soft Delete: http://datatracker.ietf.org/doc/draft-ansari-scim-soft-delete/
- Others TBD
Wrapping it up…
Adoption is growing…
“The SCIM interface will have parity with other APIs and will be a first-class citizen.”
--Ian Glazer, Salesforce
“I’m also proud to say Oracle’s Amit Jasuja announced at last year’s OpenWorld that Oracle IDM’s key REST API for Identity will be SCIM…”
--Phil Hunt, Oracle
Adoption is growing…
“SCIM works perfectly for constrained devices.”
--Erik Wahlström, neXus
“SCIM is simple to implement.”
--Haavar Valeur, Citrix
Questions
kelly.grizzle@sailpoint.com
@kelly_grizzle
http://simplecloud.info

 

Recently uploaded (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 

SCIM in the Real World: Adoption is Growing

  • 1. SCIM in the Real World
    Kelly Grizzle, Software Architect – SailPoint
  • 2. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.
    Overview
    • What is SCIM?
    • Trends in SCIM Usage
    • Who are you and what’s your problem?
      - Identity Gurus
      - Service Providers
    • Case Studies
    • Where is SCIM today and where is it going?
  • 3. What is SCIM? System for Cross-Domain Identity Management
  • 4. Identity Management + REST =
  • 5. Identity Management + REST = SCIM
    • REST is just an architectural pattern
      - SCIM defines an identity management profile for it
    • SCIM provides…
      - Standard definitions for User and Group
      - Standard operations
        • Create, Read, Update, Delete, Search, Partial Update, Bulk
      - Extensibility
        • Add more attributes to existing object types or define new object types
  • 6. Example – Retrieve User Request
    GET /Users/2819c223-7f76-453a-919d-413861904646
    Host: example.com
    Accept: application/scim+json
    Authorization: Bearer h480djs93hd8
  • 7. Example – Retrieve User Response
    HTTP/1.1 200 OK
    Content-Type: application/scim+json
    Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
    {
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
      "id": "2819c223-7f76-453a-919d-413861904646",
      "name": {
        "formatted": "Ms. Barbara J Jensen III",
        "familyName": "Jensen",
        "givenName": "Barbara"
      },
      "meta": {
        "resourceType": "User",
        "created": "2011-08-01T18:29:49.793Z",
        ...
      }
    }
    Slide callouts: self-describing payload; single-valued attribute; complex attribute; many data types
  • 8. CRUD Operations
    POST /Users
    PUT /Users/2819c223-7f76-453a-919d-413861904646
    PATCH /Users/2819c223-7f76-453a-919d-413861904646
    DELETE /Users/2819c223-7f76-453a-919d-413861904646
    GET /Users?startIndex=10&count=5&filter=userName sw "J"
    GET /Users/2819c223-7f76-453a-919d-413861904646
  • 9. Server Configuration Operations
    GET /ResourceTypes
      - Return the types of resources that are supported
      - Endpoint URL, schema, etc…
    GET /Schemas/
      - Return the schema definitions
      - Attribute names and types, etc…
    GET /ServiceProviderConfigs
      - Return info about what is supported by the server
      - Authn methods, optional features, etc…
  • 11. Trends
    • Enterprises are using SCIM Gateways to communicate between internal systems
    • Service providers use SCIM for directory access
      - Store extended information, but often not visible externally
    • IAM and IDaaS vendors provide SCIM Servers to expose identity information and use SCIM Clients to read/write external systems
    • Common threads in custom password extensions
    • SCIM is seen as the identity management API
  • 14. 99 problems and identity is #1
  • 15. Problem!!! Bob needs a new account
    SCIM Solution: Provision
  • 16. Problem!!! Bob can’t login!
    SCIM Solution: Password reset
    * Alternate Solution: Single sign-on … but this isn’t a SAML / OIDC workshop.
  • 17. Problem!!! Bob can’t read the financials
    SCIM Solution: Add him to a group or give him some entitlements
  • 18. Problem!!! I need to know Bob’s access
    SCIM Solution: Read User and Group Data
  • 19. Problem!!! Bob has been a bad boy
    SCIM Solution: Deprovision
  • 20. Problem!! Apps team needs to r/w identity
    SCIM Solution: Standard but extensible API
  • 22. The Setup
    • Started considering options between a failed Oracle Identity Manager project and “the next thing”
    • Needed a façade
      - Prevent IAM vendor lock-in
      - Needed co-existence between old and new IAM systems
    • Extensibility was crucial!
    • “We wanted a 20 year solution.” –IAM Guru
  • 23. The Solution
    Create a SCIM gateway to serve as a central identity hub
    Diagram labels: SCIM Gateway Cluster, Legacy Apps, IAM System, SSO, Directory Server
  • 24. The Interesting Parts
    • Extended user schema to hold custom information
    • Extended endpoints to support many additional features
      - Email verification
        • POST /EmailVerificationTokens to create a token
        • POST /EmailVerification to verify email using token
      - Password reset
        • POST /PasswordResetTokens to create a token
        • POST /PasswordChanges to change password using token
      - Security token management for SSO
        • POST /SecurityTokens to create authenticated session token
        • DELETE /SecurityTokens to invalidate
  • 25. More Interesting Parts
    • More extended endpoints…
      - Notifications (email or SMS)
        • POST /Notifications to send a notification with user information merged in (welcome email, forgot login ID, etc…)
      - Role management
        • PATCH /Roles to change membership for a role
  • 26. The Benefits
    • Ability to add new information and features without breaking existing clients
      - If there is anything in JSON that you don't recognize, throw it away
    “SCIM has been critical and program-saving. It is exactly what we needed at exactly the right time, and fills a crucial role in our environment.” --IAM Guru
  • 28. The Setup
    • Need to support identity on a large portfolio of applications
      - Not all application teams are resourced equally
    • Wanted an abstraction of provisioning from specific implementations
      - Allow for seamless upgrades of IAM system
      - Ease cost of implementation for smaller applications
  • 29. The Solution
    Create a SCIM gateway to serve as a central identity hub
    Diagram labels: SCIM SOA Gateway, On-prem Apps, IAM System, Cloud Apps, Directory Server
  • 30. The Benefits
    • SCIM gives agility in adopting new versions of IAM system
    • SCIM isolates IAM system if a SaaS vendor changes their identity model
      - Connector continues to work with an updated schema
      - Important for SaaS vendors that can update at any time
    • If an application vendor is small it's not worth it to write a custom connector
      - Small vendors are very willing to implement SCIM as their standard identity API
  • 33. 99 problems and identity is #1
  • 34. Problem!!! I need to expose a directory!!
    SCIM Solution: Read and write with SCIM
  • 35. Problem!!! I need an API between my own products!
    SCIM Solution: Everything identity is SCIM
  • 36. Problem!! My mobile app needs identities!
    SCIM Solution: Light-weight REST API
  • 37. Problem!!! I need to get identities from my customer’s directory into my cloud app!
    SCIM Solution: To the cloud with SCIM!
  • 39. The Setup
    • Needed a consistent identity API that can be used:
      - By partners
      - By customers
      - Internally between products
      - To communicate with IdPs and other SaaS vendors
  • 40. The Solution
    Diagram labels: SCIM Identity Service, Directory, Clients, Internal Systems, Partners & IdPs, Identity Sync Client, Mobile App (r/w)
  • 41. The Interesting Parts
    • Additional endpoints
      - /Devices
      - /Tenants
        • Only available internally
        • Password policy is configured on tenant
    • Core schemas have been extended
      - Positive extensions: New attributes (mainly internal info)
      - Negative extensions: Attributes in SCIM spec that aren’t supported
    • Legacy APIs forward requests on to SCIM
  • 42. The Benefits
    • Single API for everything identity
    • Mobile application has a light-weight API to use
    • SCIM clients are easy to write
      - Have seen no need to write a toolkit
  • 44. The Setup
    • Needed a consistent identity API that can be used:
      - By customers
      - Internally between products
      - To communicate with IdPs
  • 45. The Solution
    Diagram labels: SCIM Identity Service, Custom Clients, Internal Systems, IdPs, AD Sync Client
  • 46. The Interesting Parts
    • Exploring an “organizational unit” extension to facilitate multi-tenancy in the API
    • Exploring a pub/sub SCIM model
      - Client subscribes to be notified of changes
      - SCIM server sends out notifications
  • 47. The Benefits
    • Single API for everything identity
    • No need to provide documentation
      - Just point developers at the spec
    • Easy to implement
  • 49. PaaS – CloudFoundry
    • CloudFoundry is an open platform-as-a-service (PaaS)
    • Identity APIs leverage standards
      - SCIM, OAuth2, and OpenID Connect
    • Benefits
      - Use existing open API rather than reinventing the wheel
      - Use SCIM extensions for some non-identity APIs
  • 50. IDaaS and IAM Vendors
    • IDaaS and IAM vendors need to:
      - Allow external access to their identity store
      - Provision/read identities and groups to/from other applications
    • SCIM server provides external access
    • SCIM client provides provisioning to other applications
    • Benefits
      - Standardized API makes external integration easy
      - Applications that support SCIM can be integrated immediately
        • No custom connector is required
        • No product upgrade required to support new apps
    Vendors shown: SailPoint, Salesforce, Ping, VMWare, neXus, Oracle, UnboundID
  • 51. Higher Education: Federations that need attribute exchange
    • Higher education is largely focused on federation
      - Need to propagate minimum amount of identity data
      - Authorization data (group memberships) are very important
      - Federation attribute payload works well for Just In Time (JIT) provisioning
      - SCIM enables more robust record propagation when JIT is not good enough
        • For example, email account provisioning often must occur before first login
  • 52. Higher Education: VOOT and Grouper
    • VOOT is an identity/group protocol built on top of SCIM
      - Adds more features around group membership
    • Grouper is a user/group management tool developed by Internet2
      - SCIM integration allows writing to down-stream endpoints
    http://openvoot.org/
    https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+Integration
  • 54. The Setup
    • IoT provider needed:
      - A registry of devices associated with a user
      - Information about the device (bluetooth address, etc…)
      - A mobile app that can
        • Authenticate
        • Retrieve user information (including devices)
        • Communicate with devices
      - Devices that can send status updates
  • 55. The Solution
    Diagram labels: SCIM Server, Mobile App, Bluetooth, Start A/C
    Mobile app: GET /me (as authenticated user)
    {
      "id": "89723-83703",
      "devices": [{
        "name": "Tesla",
        "bluetoothAddress": "000A3A58F310",
        "deviceType": "electricCar",
        "batteryLife": 58,
        …
      }, …]
    }
    Device: PATCH /Cars/89723-83703
    {
      "batteryLife": 57,
      "location": { "lat": 30.4045541, "long": -97.8489572 }
    }
  • 56. The Benefits
    • Extended user schema to show which devices belong to each user
    • New endpoints for devices to read/write device information
      - Example: /Cars, /Vacuums
    • Extensible schema allows new device types to be imported via JSON files
    • Extremely light-weight SCIM clients on mobile app and devices
      - This is very important for constrained devices
  • 58. Current Status
    • 2.0 API, Core Schema, and Use Cases docs are complete
      - Will become official RFCs in the next couple months
    • IETF working group will continue to work on SCIM extensions
      - Passwords: http://datatracker.ietf.org/doc/draft-hunt-scim-password-mgmt/
      - Notify: http://datatracker.ietf.org/doc/draft-hunt-scim-notify/
      - Soft Delete: http://datatracker.ietf.org/doc/draft-ansari-scim-soft-delete/
      - Others TBD
  • 61. Adoption is growing…
    “The SCIM interface will have parity with other APIs and will be a first-class citizen.” --Ian Glazer, Salesforce
    “I’m also proud to say Oracle’s Amit Jasuja announced at last year’s OpenWorld that Oracle IDM’s key REST API for Identity will be SCIM…” --Phil Hunt, Oracle
  • 62. Adoption is growing…
    “SCIM works perfectly for constrained devices.” --Erik Wahlström, neXus
    “SCIM is simple to implement.” --Haavar Valeur, Citrix
  • 63. Questions
    kelly.grizzle@sailpoint.com
    @kelly_grizzle
    http://simplecloud.info
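Slides 7 and 8 show the read side of SCIM: a self-describing User payload and a search such as `GET /Users?startIndex=10&count=5&filter=userName sw "J"`. The following is an added example of how a server evaluates that request, not code from the presentation or from SailPoint. It implements a subset of the RFC 7644 filter grammar (eq, ne, co, sw, ew, pr, joined by and/or without parentheses), 1-based pagination, and the ListResponse envelope. The sample users are constructed; `userName` is treated as caseExact=false, as the core schema defines it, so the prefix match is case-insensitive.

```python
"""Minimal SCIM 2.0 search over /Users: a filter subset, 1-based pagination
and a ListResponse envelope (RFC 7644 section 3.4.2).

Added example, not code from the presentation or from SailPoint. The sample
users below are constructed.
"""
import re
from typing import Any, Callable, Dict, List, Optional

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample resources (not real identities).
USERS: List[Dict[str, Any]] = [
    {"schemas": [USER_SCHEMA], "id": "u-1", "userName": "jjensen",
     "name": {"givenName": "Barbara", "familyName": "Jensen"}, "active": True},
    {"schemas": [USER_SCHEMA], "id": "u-2", "userName": "jsmith",
     "name": {"givenName": "John", "familyName": "Smith"}, "active": False},
    {"schemas": [USER_SCHEMA], "id": "u-3", "userName": "bob",
     "name": {"givenName": "Bob", "familyName": "Jones"}, "active": True},
    {"schemas": [USER_SCHEMA], "id": "u-4", "userName": "Jdoe",
     "name": {"givenName": "Jane", "familyName": "Doe"}, "active": True},
]

# One comparison: attrPath operator ["value" | unquoted literal]; 'pr' takes no value.
_TERM = re.compile(
    r'^\s*([A-Za-z][\w.]*)\s+(eq|ne|co|sw|ew|pr)(?:\s+("([^"]*)"|\S+))?\s*$')


def _lookup(resource: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as name.givenName. SCIM attribute names are
    case-insensitive, so keys are matched ignoring case."""
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict):
            return None
        node = next((v for k, v in node.items() if k.lower() == part.lower()), None)
    return node


def _compile_term(term: str) -> Callable[[Dict[str, Any]], bool]:
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"invalidFilter: {term!r}")
    path, op, raw, quoted = m.groups()
    if op == "pr":                       # presence test needs no value
        return lambda r: _lookup(r, path) is not None
    if raw is None:
        raise ValueError(f"invalidFilter: {op} requires a value")
    literal: Any = quoted if quoted is not None else {"true": True, "false": False}.get(raw, raw)

    def norm(v: Any) -> Any:             # caseExact=false strings compare case-insensitively
        return v.lower() if isinstance(v, str) else v

    def test(r: Dict[str, Any]) -> bool:
        actual = _lookup(r, path)
        if actual is None:
            return False
        a, b = norm(actual), norm(literal)
        if op == "eq":
            return a == b
        if op == "ne":
            return a != b
        if not (isinstance(a, str) and isinstance(b, str)):
            return False                 # co/sw/ew are defined for strings only
        return {"co": b in a, "sw": a.startswith(b), "ew": a.endswith(b)}[op]
    return test


def compile_filter(expr: str) -> Callable[[Dict[str, Any]], bool]:
    """Terms joined by 'and' / 'or' without parentheses; 'and' binds tighter."""
    groups = [[_compile_term(t) for t in re.split(r"\s+and\s+", g, flags=re.I)]
              for g in re.split(r"\s+or\s+", expr, flags=re.I)]
    return lambda r: any(all(t(r) for t in grp) for grp in groups)


def search_users(filter_expr: Optional[str] = None, start_index: int = 1,
                 count: Optional[int] = None, users=USERS) -> Dict[str, Any]:
    """Return a ListResponse. startIndex is 1-based (values below 1 become 1);
    count=0 yields totalResults with no Resources, as the RFC allows."""
    pred = compile_filter(filter_expr) if filter_expr else (lambda r: True)
    matches = [u for u in users if pred(u)]
    start = max(start_index, 1)
    end = len(matches) if count is None else start - 1 + max(count, 0)
    page = matches[start - 1:end]
    return {"schemas": [LIST_RESPONSE], "totalResults": len(matches),
            "startIndex": start, "itemsPerPage": len(page), "Resources": page}
```

Two points matter for a production server and are not shown here: the filter must be parsed, never interpolated into a backend query string, and the response should carry only the attributes the caller is authorized to see (RFC 7644 allows `attributes`/`excludedAttributes` for that).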
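Slides 24 through 26 and 41 describe the write side that the case studies rely on: schema extensions carrying custom attributes, "negative extensions" for core attributes a deployment refuses to support, and the rule that unrecognized JSON is thrown away rather than breaking the client. Slide 55 then shows a device PATCHing its own status. The following added example, not code from the presentation or from SailPoint, applies a standard RFC 7644 PatchOp message to a User under exactly those rules: unknown attributes are dropped silently, read-only attributes and policy-rejected core attributes produce a SCIM error, and `meta.lastModified` is refreshed. The extension URN, the device attributes and the sample resource are constructed; the slide 55 update is expressed here in the standard `Operations` envelope rather than the bare body the slide shows.

```python
"""Apply a SCIM 2.0 PatchOp (RFC 7644 section 3.5.2) to a User whose schema
mixes core attributes, a custom extension and attributes the deployment
refuses to store. Added example; URN, attributes and resource are constructed.
"""
import copy
from datetime import datetime, timezone
from typing import Any, Dict, Optional, Tuple

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
DEVICE_EXT = "urn:example:params:scim:schemas:extension:devices:2.0:User"  # constructed URN

# Attributes this server knows, with mutability as in RFC 7643.
KNOWN: Dict[str, Dict[str, str]] = {
    USER_SCHEMA: {"userName": "readWrite", "name": "readWrite", "active": "readWrite",
                  "id": "readOnly", "meta": "readOnly"},
    DEVICE_EXT: {"devices": "readWrite"},
}
# "Negative extension" (slide 41): core attributes this deployment will not accept.
UNSUPPORTED_CORE = {"x509Certificates", "ims"}


class ScimError(Exception):
    def __init__(self, status: int, scim_type: str):
        super().__init__(f"{status} {scim_type}")
        self.status, self.scim_type = status, scim_type


def _split_path(path: str) -> Tuple[str, str, Optional[str]]:
    """'name.givenName' -> (core URN, 'name', 'givenName');
    '<ext URN>:devices' -> (ext URN, 'devices', None)."""
    schema, rest = USER_SCHEMA, path
    for urn in KNOWN:
        if path.lower().startswith(urn.lower() + ":"):
            schema, rest = urn, path[len(urn) + 1:]
    attr, _, sub = rest.partition(".")
    return schema, attr, sub or None


def _writable(schema: str, attr: str) -> bool:
    """True: apply. False: unknown attribute, dropped silently (slide 26).
    Raises for read-only or explicitly unsupported attributes."""
    if attr in UNSUPPORTED_CORE:
        raise ScimError(400, "invalidValue")
    mutability = KNOWN.get(schema, {}).get(attr)
    if mutability is None:
        return False
    if mutability == "readOnly":
        raise ScimError(400, "mutability")
    return True


def apply_patch(resource: Dict[str, Any], patch: Dict[str, Any]) -> Dict[str, Any]:
    """Return a patched copy; the input resource is left untouched."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ScimError(400, "invalidSyntax")
    out = copy.deepcopy(resource)
    for op in patch.get("Operations", []):
        kind = str(op.get("op", "")).lower()
        if kind not in ("add", "replace", "remove"):
            raise ScimError(400, "invalidSyntax")
        if kind != "remove" and "value" not in op:
            raise ScimError(400, "invalidValue")
        if "path" in op:
            schema, attr, sub = _split_path(op["path"])
            if not _writable(schema, attr):
                continue
            target = out if schema == USER_SCHEMA else out.setdefault(schema, {})
            if kind == "remove":
                if sub:
                    target.get(attr, {}).pop(sub, None)
                else:
                    target.pop(attr, None)
            elif sub:
                target.setdefault(attr, {})[sub] = op["value"]
            elif kind == "add" and isinstance(target.get(attr), list):
                new = op["value"] if isinstance(op["value"], list) else [op["value"]]
                target[attr].extend(new)          # add appends to multi-valued attributes
            else:
                target[attr] = op["value"]
        else:
            # No path: the value is a partial resource, merged attribute by attribute.
            if kind == "remove":
                raise ScimError(400, "noTarget")
            for key, val in op["value"].items():
                if key in KNOWN and key != USER_SCHEMA and isinstance(val, dict):
                    for sub_attr, sub_val in val.items():         # extension block
                        if _writable(key, sub_attr):
                            out.setdefault(key, {})[sub_attr] = sub_val
                elif _writable(USER_SCHEMA, key):
                    out[key] = val
    schemas = out.setdefault("schemas", [USER_SCHEMA])
    for urn in KNOWN:                               # advertise extensions actually present
        if urn in out and urn not in schemas:
            schemas.append(urn)
    out.setdefault("meta", {})["lastModified"] = (
        datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z"))
    return out


# Constructed sample resource shaped like the /me response on slide 55.
SAMPLE_USER: Dict[str, Any] = {
    "schemas": [USER_SCHEMA, DEVICE_EXT],
    "id": "89723-83703",
    "userName": "bob",
    "name": {"givenName": "Bob", "familyName": "Jones"},
    DEVICE_EXT: {"devices": [{"name": "Tesla", "deviceType": "electricCar", "batteryLife": 58}]},
    "meta": {"resourceType": "User"},
}
```

Dropping unknown attributes is what keeps old clients working when the schema grows, but it is a policy choice: a server that would rather surface client bugs can return `400 invalidValue` for them instead, and either way the rejected or dropped attribute names are worth logging so misbehaving integrations show up in monitoring.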