Today enterprise solutions adopt products and services from multiple cloud providers in order to meet various business requirements. This means that it is no longer sufficient to maintain user identities only in the corporate LDAP. In most cases, SaaS providers also need dedicated user accounts created for the cloud service users, which raises the need for identity provisioning mechanisms to be in place.
2. Example – an employee joining
[Diagram: when an employee joins, the WSO2 provisioning system creates the account in LDAP, in other internal apps and in other cloud apps/services.]
Image courtesy: http://www.crn.com/slide-shows/applications-os/223800159/google-apps-marketplace-10-hot-cloud-applications.htm and http://newmediasense.net/more-than-50-cloud-developers-commit-to-jive-apps-market%E2%84%A2/222888/
3. What is it..?
Creation, maintenance & deactivation of user accounts,
in one or more systems or applications,
in response to automated or interactive business processes.
-Wikipedia
4. Identifying the parties involved…
CSU – cloud service user
ECS – Enterprise Cloud Subscriber
CSP – cloud service provider
[Diagram: the ECS runs a provisioning system backed by LDAP, which provisions other internal apps and other cloud apps/services at the CSP.]
5. Current approach...
[Diagram: the provisioning system is wired to LDAP, other internal apps and other cloud apps/services through a separate connector for each target.]
6. Problems with current approach..
Redundant integration efforts for ECS & CSP.
Maintenance nightmare of multiple connectors.
Complexity and cost.
7. Solution would be a common protocol that everyone agrees on.
Image courtesy : http://causerelatedmarketing.blogspot.com/2011/09/lets-bring-open-standards-to-practice.html
9. How open standard solves current problems..?
[Diagram: with an open standard, LDAP, the provisioning system, other internal apps and other cloud apps/services all speak the same protocol instead of one connector per target.]
10. In a nutshell...
Emerging open standard.
REST API.
Platform neutral schema.
SAML binding.
Emphasis on simplicity and interoperability.
11. In a nutshell...
REST API
resource endpoints
supported HTTP methods
PROTOCOL
12. In a nutshell... (PROTOCOL)
REST API
The SCIM REST API is relative to a base URL, e.g. https://example.com/scim/v1/
Requests are made via HTTP operations on a URL derived from the base URL, e.g. POST -> https://example.com/scim/v1/Users
JSON / XML formats
13. In a nutshell...
Resource – collection of attributes.
Schema defines attributes.
SCHEMA
SCIM Core Schema
Extension Model:
Additive – similar to auxiliary object classes in LDAP.
14. In a nutshell...
Other SCIM schemas
User Schema, Enterprise User Schema Extension
SCHEMA
Group Schema
Service Provider Configuration Schema
Resource Schema
15. In a nutshell...
Minimal user representation in JSON & XML formats.
SCHEMA
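As an added example (not code from this deck or from WSO2), the following Python builds the minimal User resource of slides 12 and 15 in both JSON and XML, parses the XML form back, and assembles the POST on the /Users endpoint relative to the base URL. The schema URNs are those defined by the SCIM 1.x core schema; the sample user, the `create_user_request` helper and the dict it returns are assumptions made for this example.

```python
import json
import xml.etree.ElementTree as ET

# Schema URNs as defined by the SCIM 1.x core schema spec.
SCIM_CORE = "urn:scim:schemas:core:1.0"
SCIM_ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"


def minimal_user(user_name, given=None, family=None, email=None, employee_number=None):
    """Build a SCIM 1.x User resource as a dict.

    'schemas' and 'userName' are the only mandatory members; name and emails are
    optional core attributes. employeeNumber belongs to the additive enterprise
    extension: it is keyed by the extension URN, which is also listed in 'schemas'.
    """
    user = {"schemas": [SCIM_CORE], "userName": user_name}
    name = {k: v for k, v in (("givenName", given), ("familyName", family)) if v}
    if name:
        user["name"] = name
    if email:
        user["emails"] = [{"value": email, "type": "work", "primary": True}]
    if employee_number:
        user["schemas"].append(SCIM_ENTERPRISE)
        user[SCIM_ENTERPRISE] = {"employeeNumber": employee_number}
    return user


def to_json(user):
    return json.dumps(user, indent=2)


def from_json(text):
    return json.loads(text)


def to_xml(user):
    """Serialise the core attributes as a <User> element in the core namespace.

    The element layout mirrors the JSON nesting. Extension attributes are left out
    of the XML form in this example (only the JSON form carries them here).
    """
    ET.register_namespace("", SCIM_CORE)  # emit xmlns="urn:scim:..." as the default namespace
    root = ET.Element(f"{{{SCIM_CORE}}}User")
    ET.SubElement(root, f"{{{SCIM_CORE}}}userName").text = user["userName"]
    if "name" in user:
        name = ET.SubElement(root, f"{{{SCIM_CORE}}}name")
        for key, value in user["name"].items():
            ET.SubElement(name, f"{{{SCIM_CORE}}}{key}").text = value
    if "emails" in user:
        emails = ET.SubElement(root, f"{{{SCIM_CORE}}}emails")
        for entry in user["emails"]:
            email = ET.SubElement(emails, f"{{{SCIM_CORE}}}email")
            ET.SubElement(email, f"{{{SCIM_CORE}}}value").text = entry["value"]
            ET.SubElement(email, f"{{{SCIM_CORE}}}type").text = entry["type"]
            ET.SubElement(email, f"{{{SCIM_CORE}}}primary").text = str(entry["primary"]).lower()
    return ET.tostring(root, encoding="unicode")


def from_xml(xml_text):
    """Parse a <User> document back into dict form, refusing documents outside the core namespace."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SCIM_CORE}}}User":
        raise ValueError("not a SCIM 1.x core User document")
    ns = {"scim": SCIM_CORE}
    user = {"schemas": [SCIM_CORE], "userName": root.findtext("scim:userName", namespaces=ns)}
    name = root.find("scim:name", ns)
    if name is not None:
        user["name"] = {child.tag.split("}")[1]: child.text for child in name}
    return user


def create_user_request(base_url, user, fmt="json"):
    """Assemble the HTTP request that creates a User: POST on /Users relative to the base URL.
    Returns a plain dict (assumed shape for this example) rather than sending anything."""
    media = "application/json" if fmt == "json" else "application/xml"
    body = to_json(user) if fmt == "json" else to_xml(user)
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/Users",
        "headers": {"Content-Type": media, "Accept": media},
        "body": body,
    }
```

The extension data is not flattened into the core object: a consumer that only understands the core schema can ignore the URN-keyed member, which is what makes the extension model additive in the LDAP auxiliary-object-class sense.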
16. In a nutshell...
SCIM - SAML Mapping
Attributes
SAML BINDING
SSO Assertion
AttributeQuery
Metadata
17. Brief history…
Started in mid 2010.
Version 1.0 approved in Dec 2011.
Working on submitting to IETF.
Discussions are open at cloud-directory@googlegroups.com
19. REST API
Lightweight with JSON support.
Avoids performance bottleneck on the connector.
20. SAML Binding
Just In Time Provisioning with SSO.
Pull / Push based Identity Management.
21. More...
Defined core + optional capabilities.
Based on existing deployments and standards - LDAP, SAML.
Several implementations.
Adoption by major cloud vendors.
22. Identity Provisioning.
Value of open standards in the space of provisioning.
SCIM.
Why SCIM...?
24. Security Considerations (PROTOCOL)
Authentication and Authorization
- OAuth2 bearer token recommended.
Should be over TLS.
The password attribute is write-only and is never returned in a response.
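As an added example (not the deck's or WSO2's code), the following Python request gate and response filter implement the three points above: TLS only, an OAuth2 bearer token carrying the scope the HTTP method needs, and no password in any returned User. The token table, the scope names and the request dict shape are constructed for the example; a real service validates tokens against its authorization server rather than a static table.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Constructed for this example: tokens an OAuth2 authorization server would have issued
# to SCIM clients. A real service validates bearer tokens by introspection or signature.
ISSUED_TOKENS = {
    "tok-provisioning-system": {"client": "enterprise-provisioning", "scopes": {"scim:read", "scim:write"}},
    "tok-hr-reporting": {"client": "hr-reporting", "scopes": {"scim:read"}},
}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
NEVER_RETURNED = {"password"}  # write-only in the SCIM schema


def check_request(request):
    """Gate an incoming SCIM request.

    request is a dict with "method", "url" and "headers" (assumed shape for the example).
    Returns (0, client_id) when the request may proceed, else (http_status, reason).
    """
    # A bearer token is a bearer credential: anyone who reads it on the wire can replay it,
    # so refuse to serve the API at all over plain HTTP.
    if urlsplit(request["url"]).scheme != "https":
        return 403, "SCIM endpoint must be accessed over TLS"
    scheme, _, token = request.get("headers", {}).get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, "missing OAuth2 bearer token"
    grant = None
    for issued, info in ISSUED_TOKENS.items():
        # constant-time comparison over the whole table: no timing leak on a partial match
        if hmac.compare_digest(issued.encode(), token.encode()):
            grant = info
    if grant is None:
        return 401, "unknown or revoked token"
    needed = "scim:write" if request["method"].upper() in WRITE_METHODS else "scim:read"
    if needed not in grant["scopes"]:
        return 403, "token lacks scope " + needed
    return 0, grant["client"]


def store_password(user):
    """Replace the clear-text password of a User being created with a salted PBKDF2 hash.
    Only the hash is kept on the stored record; the clear text is never persisted."""
    record = dict(user)
    pwd = record.pop("password", None)
    if pwd is not None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 600_000)
        record["_password_hash"] = salt.hex() + ":" + digest.hex()
    return record


def sanitize(resource):
    """Strip attributes SCIM never returns (password) plus our internal hash from a User,
    or from every entry of a list response, before it goes back to the client."""
    if "Resources" in resource:
        return {**resource, "Resources": [sanitize(r) for r in resource["Resources"]]}
    return {k: v for k, v in resource.items() if k not in NEVER_RETURNED and not k.startswith("_")}
```

Running `sanitize` on the list response as well as on single resources matters: the query endpoint is the usual place a password or hash leaks when only the single-resource path was filtered.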
25. Automated Provisioning:
[Diagram: (1) the HR Administrator creates an enterprise user account in the SCIM-based provisioning system; (2) the provisioning system sends "Create user" to SaaS 1, SaaS 2 and the internal apps; (3) each replies ok.]
35. Identity Retrieval:
Partial retrieval – with the “attributes” query parameter
Pagination
GET /Users?startIndex=1&count=10
Sorting
36. De-provisioning:
[Diagram: (1) the enterprise user account is deleted in the SCIM-based enterprise provisioning system; (2) "Delete user" goes to LDAP, (3) ok; (4) "Delete user" goes to the SaaS, (5) ok; (6) the user later requests access through the enterprise SSO IdP and (7) is denied.]
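As an added example for the identity retrieval (slide 35) and de-provisioning (slide 36) slides, not code from this deck or from WSO2: an in-memory Users endpoint in Python with partial retrieval via `attributes`, 1-based `startIndex`/`count` pagination, `sortBy`/`sortOrder`, and a DELETE followed by a lookup that now fails, which is the SaaS side of the flow above. The list-response members and the `Errors` body follow SCIM 1.x; the `UserStore` class and the `parse_query` and `deprovision` helpers are names chosen for this example.

```python
import uuid
from urllib.parse import parse_qs

SCIM_CORE = "urn:scim:schemas:core:1.0"
ALWAYS_RETURNED = {"schemas", "id"}  # kept under partial retrieval so the client can still address the resource


def not_found(uid):
    """SCIM 1.x error body for a missing resource."""
    return {"Errors": [{"description": "Resource " + uid + " not found", "code": "404"}]}


def project(user, attributes):
    """Partial retrieval: keep only the requested attributes (plus schemas and id)."""
    if not attributes:
        return dict(user)
    keep = ALWAYS_RETURNED | set(attributes)
    return {k: v for k, v in user.items() if k in keep}


def parse_query(query_string):
    """Map the query parameters of GET /Users onto UserStore.query() keyword arguments."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    kwargs = {}
    if "startIndex" in q:
        kwargs["start_index"] = int(q["startIndex"])
    if "count" in q:
        kwargs["count"] = int(q["count"])
    if "attributes" in q:
        kwargs["attributes"] = [a.strip() for a in q["attributes"].split(",") if a.strip()]
    if "sortBy" in q:
        kwargs["sort_by"] = q["sortBy"]
    if "sortOrder" in q:
        kwargs["sort_order"] = q["sortOrder"]
    return kwargs


class UserStore:
    """In-memory Users endpoint: create, retrieve, query with paging and sorting, delete."""

    def __init__(self):
        self._users = {}

    def create(self, user):
        uid = str(uuid.uuid4())
        self._users[uid] = {"schemas": [SCIM_CORE], "id": uid, **user}
        return self._users[uid]

    def get(self, uid, attributes=None):
        user = self._users.get(uid)
        if user is None:
            return 404, not_found(uid)
        return 200, project(user, attributes)

    def query(self, start_index=1, count=None, attributes=None, sort_by=None, sort_order="ascending"):
        users = list(self._users.values())
        if sort_by:
            users.sort(key=lambda u: str(u.get(sort_by, "")), reverse=(sort_order == "descending"))
        start = max(start_index, 1)          # startIndex is 1-based; values below 1 are treated as 1 here
        if count is not None and count < 0:  # a negative count means no resources, only totalResults
            count = 0
        page = users[start - 1:] if count is None else users[start - 1:start - 1 + count]
        return {
            "schemas": [SCIM_CORE],
            "totalResults": len(users),
            "itemsPerPage": len(page),
            "startIndex": start,
            "Resources": [project(u, attributes) for u in page],
        }

    def delete(self, uid):
        if self._users.pop(uid, None) is None:
            return 404, not_found(uid)
        return 200, None


def deprovision(store, uid):
    """Delete the account, then confirm a lookup now fails; returns both status codes."""
    delete_status, _ = store.delete(uid)
    lookup_status, _ = store.get(uid)
    return delete_status, lookup_status
```

Note that the second delete of the same id is reported as 404 rather than silently succeeding: an orchestrator that replays the de-provisioning step can then tell "already gone" from "never existed here", which matters when reconciling the SaaS side against LDAP.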
37. [Diagram: LDAP, the provisioning system, internal apps and other cloud apps/services.]
38. Identity Provisioning.
Value of open standards in the space of provisioning.
SCIM along with highlights from the spec.
Why SCIM...?
Use cases of SCIM in Identity Management solution.
Adoption of SCIM in WSO2 Identity Server and Stratos.
42. • QuickStart
• Development Support
• Development Services
• Production Support
• Turnkey Solutions
• WSO2 Mobile Services Solution
• WSO2 FIX Gateway Solution
• WSO2 SAP Gateway Solution