Intro to SCIM

   Travis Spencer, CEO
   Twobo Technologies
The Problem

• Modern systems are massively distributed
• Organizations need to automate user/group
  management across domain boundaries
• Large cloud providers have their own APIs
• Enterprise-to-enterprise is a dog’s dinner
• Identity is the fly in the integration ointment
The Resulting Reality

• Tactical, bespoke methods that can’t scale
• Expensive integration work & custom
  development
• Systems maintain isolated silos of user data
• Ex-employees continue accessing resources
• Solution is automation based on
  open standards
Banding Together to Solve this Problem

• Salesforce, Google, UnboundID, Ping
  Identity, Sailpoint, Technology Nexus, etc.
• Protocol drafted, tested, and released in 2011
   Q1 – Initial draft of spec
   Q2 – Updated draft discussed at IIW
   Q3 – Consortium formed under OWF, interop tests
       at IIW
   Q4 – V. 1 agreed upon by consortium, submitted to
       IETF
SCIM, a Modern Standard for Automation

• The spec formerly known as Simple Cloud…
• Provisioning API to manage users & groups
• Support bulk updates for ingest & sync
• Low-tech barrier, easy w/ curl & JavaScript
• Designed w/ mobile in mind
• Goes hand-in-glove w/ federation
• Secure access using OAuth 2 et al.
SCIM Specification Set

REST API for CRUD
• JSON & XML
• Response codes

Federation Binding
• SAML
• TBD: OpenID Connect

Core Schema
• User
• Groups
• Enterprise Extension
• Config
Features of SCIM

• Core schema
  – Models user, groups, etc.
  – Defines basic user attributes (name, address,
    etc.)
• RESTful API
  – Defines CRUD to synchronize resources
  – JSON and XML data formats
• Federation bindings – SAML, OIC
  – Supports JIT provisioning during SSO
  – Maps SCIM schema to federation protocols
Push Provisioning

[Diagram: the SCIM client in the IdP organization performs CRUD of the user object against the SCIM server in the SP organization; the server answers with a status.]
JIT Provisioning

[Diagram: the IdP in the IdP organization sends user data in the federation message, via the browser, to the SP in the SP organization, which creates the user on the fly.]
JIT + Pull

[Diagram: the federation message sent via the browser carries an access token; the SP / SCIM client in the SP organization uses it to "Get User" from the IdP / SCIM server, receives the user object, and creates the new user.]
Overview of API

• RESTful
• Specifies well known endpoints & HTTP
  methods for managing core resources
  – User and group resources correspond to
    /Users and /Groups, respectively
• Responses are returned in the body of the
  HTTP messages in JSON or XML format
Authentication and Security

• Spec does not mandate a particular
  authentication scheme
• OAuth 2 is recommended, but others are
  not precluded (e.g., HTTP basic)
• Client and server must exchange data
  over SSL/TLS
Supported HTTP Verbs

Verb     Meaning
GET      Retrieves a resource
POST     Creates a new resource
PUT      Completely updates a resource
PATCH    Partially updates a resource
DELETE   Deletes a resource
Controlling Responses

• Filter (i.e., search)
   – Find specific resources
   – Request a subset of attributes
• Sorting
   – Sort by
   – Sort order
• Pagination
   – Client maintains offset and count
   – No server-side cursors (v. 2 probably)
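The client-driven pagination described above, as an added example that is not part of the original slides: the client keeps the offset (startIndex, 1-based) and count, the server answers with a SCIM ListResponse (totalResults, itemsPerPage, startIndex, Resources), and the in-memory server and its users are a constructed stand-in.

```python
# Added example: offset/count pagination without server-side cursors.
# USERS and list_users() are a constructed fake SCIM server, not real data.
USERS = [{"id": "u%02d" % i, "userName": "user%02d" % i} for i in range(1, 8)]
MAX_PAGE = 3   # server-side cap on 'count', as real servers typically impose


def list_users(start_index=1, count=MAX_PAGE):
    """Fake server side of GET /Users?startIndex=..&count=.. (SCIM 1.x)."""
    start = max(start_index, 1)                 # startIndex is 1-based
    page = USERS[start - 1: start - 1 + min(count, MAX_PAGE)]
    return {"schemas": ["urn:scim:schemas:core:1.0"],
            "totalResults": len(USERS),
            "itemsPerPage": len(page),
            "startIndex": start,
            "Resources": page}


def fetch_all(page_size=10, max_pages=100):
    """Client side: walk every page by advancing startIndex by the number
    of resources actually returned (itemsPerPage), not by the requested
    count, because the server may cap the page size. max_pages bounds the
    loop so a misbehaving server cannot keep the client spinning."""
    start, users = 1, []
    for _ in range(max_pages):
        resp = list_users(start, page_size)
        got = resp["Resources"]
        if not got:
            break
        users.extend(got)
        start = resp["startIndex"] + len(got)
        if start > resp["totalResults"]:
            break
    return users


if __name__ == "__main__":
    print([u["userName"] for u in fetch_all(page_size=2)])
```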
Extensible Schema

• Protocol defines core schema used to
  represent resources of various types
  – Modeled after POCO & others
  – Also stipulates how to extend
• Defines enterprise extensions
  – Adds manager, department,
    organization, etc.
• Others can be created at will
Includes Mapping from Active Directory

Active Directory    SCIM
userPrincipalName   userName
mail                email.value@type=work
givenName           name.givenName
sn                  name.familyName
whenCreated         meta.whenCreated
userPassword        password
cn                  displayName
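The Active Directory to SCIM mapping in the table above, as an added example that is not part of the original slides: an AD entry (a constructed sample, not real directory data) is turned into a SCIM 1.0 core User suitable as the body of a POST /Users request.

```python
import json

# Added example: apply the slide's AD -> SCIM attribute mapping.
SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"

# Constructed sample AD entry (not real directory data)
AD_ENTRY = {
    "userPrincipalName": "bjensen@example.com",
    "mail": "bjensen@example.com",
    "givenName": "Barbara",
    "sn": "Jensen",
    "cn": "Barbara Jensen",
    "whenCreated": "2012-06-19T08:30:00Z",
}


def ad_to_scim_user(entry):
    """Map one AD entry to a SCIM core User; userPrincipalName is required
    because it becomes userName, the only mandatory attribute here."""
    if not entry.get("userPrincipalName"):
        raise ValueError("userPrincipalName is required for SCIM userName")
    user = {"schemas": [SCIM_CORE_SCHEMA],
            "userName": entry["userPrincipalName"]}
    name = {}
    if entry.get("givenName"):
        name["givenName"] = entry["givenName"]
    if entry.get("sn"):
        name["familyName"] = entry["sn"]
    if name:
        user["name"] = name
    if entry.get("cn"):
        user["displayName"] = entry["cn"]
    if entry.get("mail"):
        # 'mail' becomes the multi-valued 'emails' entry whose type is 'work'
        user["emails"] = [{"value": entry["mail"], "type": "work"}]
    if entry.get("whenCreated"):
        user["meta"] = {"whenCreated": entry["whenCreated"]}
    # userPassword maps to 'password', which SCIM treats as write-only:
    # send it only to set an initial password and never log the body.
    if entry.get("userPassword"):
        user["password"] = entry["userPassword"]
    return user


def post_body(entry):
    """Serialize the mapped user as the JSON body of POST /Users."""
    return json.dumps(ad_to_scim_user(entry), sort_keys=True)


if __name__ == "__main__":
    print(post_body(AD_ENTRY))
```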
Retrieving User Data

GET request = read. The request names the user ID; 200 = successful response; the attributes are returned in JSON format, and the Location header carries the same user ID.

    GET /Users/2819c223-7f76-453a-919d-413861904646
    Host: example.com
    Accept: application/json
    Authorization: Bearer h480djs93hd8

    HTTP/1.1 200 OK
    Content-Type: application/json
    Location: https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646
    ETag: W/"f250dd84f0671c3"
    {
        ...
        "name":{
          "formatted":"Ms. Barbara J Jensen III",
          "familyName":"Jensen",
          "givenName":"Barbara"
        },
        "userName":"bjensen",
Updating a Group with a new Member

PATCH = only update what’s changed. Access is secured using OAuth 2; the body lists only the new group member, and the other members are unchanged.

    PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
    Host: example.com
    Accept: application/json
    Authorization: Bearer h480djs93hd8
    ETag: W/"a330bc54f0671c9"

    {
        "schemas": ["urn:scim:schemas:core:1.0"],
        "members": [
          {
            "display": "Babs Jensen",
            "value": "2819c223-7f76-453a…"
          }
        ]
    }
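The two exchanges above (reading a user, then patching a group) as an added client-side example that is not part of the original slides: it builds the GET request, checks the response before trusting it (status, media type, and that the Location and body refer to the user that was asked for), and builds the PATCH that adds one member. The token, IDs and ETags are the slides' sample values; the response is constructed; the ETag from the last read is sent under HTTP's If-Match precondition header (the slide shows it under the ETag header name).

```python
import json

# Added example: minimal SCIM 1.0 client helpers; TLS transport is assumed.
TOKEN = "h480djs93hd8"                      # sample bearer token from the slide
CORE_SCHEMA = "urn:scim:schemas:core:1.0"


def get_user_request(user_id):
    """Return (method, path, headers) for GET /Users/{id}."""
    headers = {"Host": "example.com", "Accept": "application/json",
               "Authorization": "Bearer " + TOKEN}
    return "GET", "/Users/" + user_id, headers


def check_user_response(user_id, status, headers, body):
    """Validate a GET response before using it; returns (user, etag).
    A 200 with JSON whose Location/id point at a different user is rejected
    so a confused or compromised server cannot swap resources on the client."""
    if status != 200:
        raise ValueError("unexpected status %d" % status)
    if not headers.get("Content-Type", "").startswith("application/json"):
        raise ValueError("response is not JSON")
    if not headers.get("Location", "").endswith("/Users/" + user_id):
        raise ValueError("Location does not match the requested user ID")
    user = json.loads(body)
    if user.get("id", user_id) != user_id:
        raise ValueError("body id does not match the requested user ID")
    return user, headers.get("ETag")


def patch_add_member(group_id, etag, member_id, display):
    """Build PATCH /Groups/{id} adding one member. Only the new member is
    listed, so existing members stay unchanged; If-Match carries the ETag
    from the last read so a stale client cannot overwrite a newer version."""
    headers = {"Host": "example.com", "Accept": "application/json",
               "Authorization": "Bearer " + TOKEN, "If-Match": etag}
    body = {"schemas": [CORE_SCHEMA],
            "members": [{"display": display, "value": member_id}]}
    return "PATCH", "/Groups/" + group_id, headers, json.dumps(body)


# Constructed response shaped like the slide's GET example
USER_ID = "2819c223-7f76-453a-919d-413861904646"
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "Location": "https://example.com/v1/Users/" + USER_ID,
                  "ETag": 'W/"f250dd84f0671c3"'}
SAMPLE_BODY = ('{"id":"' + USER_ID + '","userName":"bjensen",'
               '"name":{"givenName":"Barbara","familyName":"Jensen"}}')
```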
SCIM vis-à-vis UserInfo Endpoint in OIC

[Diagram: on base OAuth, the client gets a token from the AS (1), the token is read (2), and the client uses the token at the RS (3). In OIC the RS is the UserInfo endpoint; in SCIM the RS is the SCIM API.]
What’s Next for SCIM?

• More and more implementations!
• PingOne and UnboundID’s synchronization
  server are already in the market
• Major SaaS providers are launching this year
• Other IAM vendors releasing soon
• IETF working group has been formed
  – Date of completion projected for 2014
  – V. 1 is available today
Support SCIM

• SaaS and IdM vendors must implement
  SCIM for it to solve anything
• Demand standards-based automation of
  identity; demand SCIM
• Join IETF mailing list; attend WG meetings
Thank You and More Info

• @travisspencer
• @pingidentity
• simplecloud.info
• travisspencer.com
• 2botech.com
• pingidentity.com
SCIM presentation from CIS 2012