Standardizing Identity Provisioning with SCIM

Today enterprise solutions adopt products and services from multiple cloud providers in order to meet various business requirements. This means that it is no longer sufficient to maintain user identities only in the corporate LDAP directory: in most cases SaaS providers also need dedicated user accounts created for their cloud service users, which raises the need for identity provisioning mechanisms to be in place.

Published in: Technology


Slide 1: Hasini Gunasinghe, Software Engineer

Slide 2: Example – an employee joining WSO2. [Diagram: the provisioning system feeds LDAP, other internal apps and other cloud apps/services.] Image courtesy: http://www.crn.com/slide-shows/applications-os/223800159/google-apps-marketplace-10-hot-cloud-applications.htm and http://newmediasense.net/more-than-50-cloud-developers-commit-to-jive-apps-market%E2%84%A2/222888/

Slide 3: What is it? "Creation, maintenance & deactivation of user accounts, in one or more systems or applications, in response to automated or interactive business processes." – Wikipedia

Slide 4: Identifying the parties involved: CSU – cloud service user; ECS – enterprise cloud subscriber; CSP – cloud service provider. [Diagram: the ECS provisioning system, LDAP and other internal apps on one side, the CSP's cloud apps/services on the other.]

Slide 5: Current approach. [Diagram: the provisioning system wired individually to LDAP, other internal apps and other cloud apps/services.]

Slide 6: Problems with the current approach: redundant integration effort for both ECS and CSP; the maintenance nightmare of multiple connectors; complexity and cost.

Slide 7: The solution would be a common protocol that everyone agrees on. Image courtesy: http://causerelatedmarketing.blogspot.com/2011/09/lets-bring-open-standards-to-practice.html

Slide 8: Open standards in identity management: 1. Authentication: SAML-based WS-Trust and SSO, OpenID, OAuth. 2. Authorization: XACML. 3. Provisioning: SPML, WS-Provisioning, SCIM.

Slide 9: How an open standard solves the current problems. [Diagram: LDAP, the provisioning system, other internal apps and other cloud apps/services all speaking the same protocol.]

Slide 10: In a nutshell: an emerging open standard; a REST API; a platform-neutral schema; a SAML binding; emphasis on simplicity and interoperability.

Slide 11: In a nutshell – PROTOCOL: a REST API with defined resource endpoints and supported HTTP methods.

Slide 12: In a nutshell – PROTOCOL: the SCIM REST API is relative to a base URL, e.g. https://example.com/scim/v1/. Requests are made via HTTP operations on a URL derived from the base URL, e.g. POST https://example.com/scim/v1/Users. JSON and XML formats.

Slide 13: In a nutshell – SCHEMA: a resource is a collection of attributes; the schema defines the attributes; the SCIM Core Schema; the extension model is additive, similar to auxiliary object classes in LDAP.

Slide 14: In a nutshell – SCHEMA: other SCIM schemas: User Schema and Enterprise User Schema Extension; Group Schema; Service Provider Configuration Schema; Resource Schema.

Slide 15: In a nutshell – SCHEMA: minimal user representation in JSON and XML formats.

Slide 16: In a nutshell – SAML BINDING: SCIM–SAML mapping of attributes; SSO assertion; AttributeQuery; metadata.

Slide 17: Brief history: started in mid-2010; version 1.0 approved in December 2011; work under way on submitting it to the IETF; discussions held in the open at cloud-directory@googlegroups.com.

Slide 18: Why SCIM? Platform-neutral schema: a mandatory core schema with an extension model, giving flexibility, interoperability and simplicity.

Slide 19: Why SCIM? REST API: lightweight, with JSON support; avoids a performance bottleneck on the connector.

Slide 20: Why SCIM? SAML binding: just-in-time provisioning with SSO; pull- and push-based identity management.

Slide 21: More: a defined core plus optional capabilities; based on existing deployments and standards (LDAP, SAML); several implementations; adoption by major cloud vendors.

Slide 22: Covered so far: identity provisioning; the value of open standards in the provisioning space; SCIM; why SCIM?

Slide 23: PROTOCOL – Security considerations: authentication and authorization – OAuth 2.0 bearer tokens recommended; the API should be served over TLS; the password attribute is never returned in responses.

Slide 24: Automated provisioning: (1) the HR administrator creates an enterprise user account in the SCIM-based provisioning system; (2) the provisioning system sends "create user" to SaaS 1, SaaS 2 and the internal apps; (3) each replies "ok".

Slide 25: PROTOCOL – Example: Create User – request.

Slide 26: PROTOCOL – Example: Create User – response.
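The request and response bodies from slides 25 and 26 are not reproduced in the transcript, so the following added example (written for this page, not taken from the deck or from WSO2's code) shows a SCIM 1.x-style create-user exchange together with the three security points from slide 23: the ECS side builds POST /Users with an OAuth bearer token, and the CSP handler refuses plain HTTP, validates the token in constant time, keeps only a salted PBKDF2 hash of the password, and returns the created resource without the password attribute. The base URL is the deck's https://example.com/scim/v1; the token value, user data and the W/"1" ETag format are constructed.

```python
import hashlib
import hmac
import json
import os
import uuid
from datetime import datetime, timezone
from urllib.parse import urlparse

SCIM_CORE = "urn:scim:schemas:core:1.0"   # SCIM 1.x core schema URN
BASE_URL = "https://example.com/scim/v1"   # base URL from the slides
# Constructed bearer token held by the enterprise provisioning system. A real
# CSP would obtain this via OAuth 2.0 and check it with its authorization server.
VALID_TOKENS = {"c0nstructed-demo-token": "hr-provisioning-system"}


def build_create_user_request(user_name, given, family, email, password, token):
    """Client side (ECS provisioning system): POST /Users with a bearer token."""
    body = {
        "schemas": [SCIM_CORE],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family,
                 "formatted": f"{given} {family}"},
        "emails": [{"value": email, "type": "work", "primary": True}],
        "password": password,
    }
    return {
        "method": "POST",
        "url": f"{BASE_URL}/Users",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json",
                    "Accept": "application/json"},
        "body": json.dumps(body),
    }


def _error(status, description):
    """SCIM 1.1 error envelope."""
    return status, {"schemas": [SCIM_CORE],
                    "Errors": [{"description": description, "code": str(status)}]}


def _token_valid(token):
    # Constant-time comparison so a timing side channel cannot reveal how
    # many leading bytes of a guessed token were right.
    return any(hmac.compare_digest(token.encode(), t.encode()) for t in VALID_TOKENS)


def to_response(record):
    """Public view of a stored user: drops internal fields and never the password."""
    return {k: v for k, v in record.items() if not k.startswith("_") and k != "password"}


def handle_create_user(request, store):
    """Server side (CSP): enforce TLS and bearer auth, hash the password,
    create the user and return (status, body)."""
    if urlparse(request["url"]).scheme != "https":
        return _error(403, "SCIM endpoint is only served over TLS")
    scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not _token_valid(token):
        return _error(401, "Missing or invalid bearer token")
    user = json.loads(request["body"])
    if SCIM_CORE not in user.get("schemas", []) or not user.get("userName"):
        return _error(400, "schemas must include the core schema and userName is required")
    if any(u["userName"] == user["userName"] for u in store.values()):
        return _error(409, "userName already exists")

    user_id = str(uuid.uuid4())
    now = datetime.now(timezone.utc).isoformat()
    record = {k: v for k, v in user.items() if k != "password"}
    # Store a salted PBKDF2 hash only; the clear-text password is discarded.
    if "password" in user:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", user["password"].encode(), salt, 100_000)
        record["_password_hash"] = (salt, digest)
    else:
        record["_password_hash"] = None
    record["id"] = user_id
    record["meta"] = {"created": now, "lastModified": now,
                      "location": f"{BASE_URL}/Users/{user_id}",
                      "version": 'W/"1"'}       # constructed ETag scheme
    store[user_id] = record
    return 201, to_response(record)
```

In a real deployment the 201 response also carries the Location and ETag headers taken from meta.location and meta.version, and the TLS check belongs in the front-end proxy rather than in application code; it is shown inline here only to make the slide's three requirements visible in one place.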
Slide 27: JIT provisioning with SSO (pull): the user logs in at the enterprise SSO IdP; the SSO redirect carries a SAML response to the SaaS; the SaaS sends a SAML attribute query back to the IdP; the IdP returns the SCIM user identity; the SaaS creates the user account.

Slide 28: SAML BINDING – Example: SAML attribute query.

Slide 29: Bulk user-management operations: initial imports of CSU accounts (LDAP to SaaS); scheduled synchronizations (LDAP and SaaS).

Slide 30: PROTOCOL – Example: POST on the Bulk endpoint.
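Slide 30's bulk request is not in the transcript. The following added example (written for this page, not the deck's or WSO2's code) processes a SCIM 1.1-style bulk request of the kind slide 29 motivates for an initial import: operations run in order, a POST's bulkId is recorded so that later operations can refer to the new resource as "bulkId:<label>" (here a group's members), an unresolvable reference fails only that operation with 409, failOnErrors stops the batch after that many failures, and a batch larger than the server's advertised bulk.maxOperations is refused with 413. The MAX_OPERATIONS value, the store layout and the sample request are constructed.

```python
import uuid

SCIM_CORE = "urn:scim:schemas:core:1.0"
BASE_URL = "https://example.com/scim/v1"
# Constructed limit; a CSP advertises it as bulk.maxOperations in its
# ServiceProviderConfig so clients can size their batches.
MAX_OPERATIONS = 1000


class BulkOpError(Exception):
    """Failure of one operation inside the batch."""
    def __init__(self, code, description):
        super().__init__(description)
        self.code, self.description = code, description


def _resolve(data, created):
    """Replace every "bulkId:<label>" string with the id of the resource that
    label created earlier in this batch; unknown labels are a 409."""
    if isinstance(data, dict):
        return {k: _resolve(v, created) for k, v in data.items()}
    if isinstance(data, list):
        return [_resolve(v, created) for v in data]
    if isinstance(data, str) and data.startswith("bulkId:"):
        label = data[len("bulkId:"):]
        if label not in created:
            raise BulkOpError("409", f"unresolved reference bulkId:{label}")
        return created[label]
    return data


def _run_one(op, store, created):
    """Execute a single operation; only POST /Users|/Groups and DELETE are handled."""
    method, path = op.get("method", "").upper(), op.get("path", "")
    data = _resolve(op.get("data", {}), created)
    if method == "POST" and path in ("/Users", "/Groups"):
        rid = str(uuid.uuid4())
        store.setdefault(path[1:], {})[rid] = {**data, "id": rid}
        if "bulkId" in op:
            created[op["bulkId"]] = rid
        return {"location": f"{BASE_URL}{path}/{rid}", "status": {"code": "201"}}
    if method == "DELETE":
        kind, _, rid = path.lstrip("/").partition("/")
        if rid not in store.get(kind, {}):
            raise BulkOpError("404", f"{path} not found")
        del store[kind][rid]
        return {"status": {"code": "200"}}
    raise BulkOpError("400", f"unsupported operation {method} {path}")


def process_bulk(request, store):
    """POST /Bulk: returns (status, body) with one result per operation attempted."""
    ops = request.get("Operations", [])
    if len(ops) > MAX_OPERATIONS:
        return 413, {"schemas": [SCIM_CORE],
                     "Errors": [{"description": "too many operations", "code": "413"}]}
    fail_on = request.get("failOnErrors")   # absent: never stop early
    created, results, failures = {}, [], 0
    for op in ops:
        result = {"method": op.get("method", "").upper()}
        if "bulkId" in op:
            result["bulkId"] = op["bulkId"]
        try:
            result.update(_run_one(op, store, created))
        except BulkOpError as err:
            failures += 1
            result.update(status={"code": err.code},
                          response={"schemas": [SCIM_CORE],
                                    "Errors": [{"description": err.description,
                                                "code": err.code}]})
        results.append(result)
        if fail_on is not None and failures >= fail_on:
            break
    return 200, {"schemas": [SCIM_CORE], "Operations": results}
```

The POST branch above performs no validation of its own; in a real server each operation is dispatched to the same per-resource handlers (with the same authentication and password handling) as a single request, and the operation cap matters because a bulk endpoint lets one authenticated call create or delete thousands of accounts.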
Slide 31: Identity synchronization: partial updates with PATCH; conditional overwrites with ETag.

Slide 32: PROTOCOL – Example: PATCH.
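Slide 32's PATCH body is not in the transcript. Here is an added example (written for this page, not the deck's or WSO2's code) of the SCIM 1.1 PATCH semantics that slide 31 describes: simple and complex attributes in the body are merged into the stored resource, attribute names listed in meta.attributes are removed, multi-valued entries marked "operation": "delete" are dropped, and the write is applied only if the client's If-Match header equals the resource's current ETag (meta.version), otherwise the server answers 412 and the caller must re-read and retry. The store contents and the W/"n" version counter are constructed.

```python
import copy
from datetime import datetime, timezone

SCIM_CORE = "urn:scim:schemas:core:1.0"
RESERVED = {"schemas", "id", "meta"}   # never written by a PATCH body


def _error(status, description):
    return status, {"schemas": [SCIM_CORE],
                    "Errors": [{"description": description, "code": str(status)}]}


def _next_version(version):
    # Constructed ETag scheme: W/"<n>", incremented on every successful write.
    return 'W/"%d"' % (int(version[3:-1]) + 1)


def _merge_multi(existing, entries):
    """Multi-valued attribute (e.g. emails): an entry with the same value
    replaces the old one, an entry marked delete removes it, others are added."""
    for entry in entries:
        existing = [e for e in existing if e.get("value") != entry.get("value")]
        if entry.get("operation") != "delete":
            existing.append(entry)
    return existing


def apply_patch(store, user_id, patch, if_match=None):
    """Apply a SCIM 1.1 PATCH to store[user_id]; returns (status, body)."""
    current = store.get(user_id)
    if current is None:
        return _error(404, f"User {user_id} not found")
    # Conditional overwrite: a stale If-Match means another writer got there
    # first, so refuse rather than silently clobber their change.
    if if_match is not None and if_match != current["meta"]["version"]:
        return _error(412, "ETag mismatch; re-read the resource and retry")

    updated = copy.deepcopy(current)
    for name in patch.get("meta", {}).get("attributes", []):
        if name not in RESERVED:
            updated.pop(name, None)          # explicit attribute deletion
    for name, value in patch.items():
        if name in RESERVED:
            continue
        if isinstance(value, list):
            updated[name] = _merge_multi(updated.get(name, []), value)
        elif isinstance(value, dict):
            updated.setdefault(name, {}).update(value)   # merge sub-attributes
        else:
            updated[name] = value
    updated["meta"]["version"] = _next_version(current["meta"]["version"])
    updated["meta"]["lastModified"] = datetime.now(timezone.utc).isoformat()
    store[user_id] = updated
    return 200, updated
```

For the scheduled synchronization on slide 29 the ETag check is what makes concurrent HR-driven and admin-driven updates safe: each sync reads the resource, patches with If-Match set to the version it saw, and treats 412 as "refresh and recompute the delta".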
Slide 33: Identity retrieval: filtering; conditional retrieval with ETag.

Slide 34: Identity retrieval: partial retrieval with the "attributes" query parameter; pagination, e.g. GET /Users?startIndex=1&count=10; sorting.
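Slides 33 and 34 list filtering, partial retrieval, pagination and sorting without showing how a service provider evaluates them. The following added example (written for this page, not the deck's or WSO2's code) implements a GET /Users handler over an in-memory store: a small recursive-descent parser for SCIM 1.x filters such as userName eq "bjensen" (operators eq, co, sw, pr, gt, ge, lt, le, with and binding tighter than or), dotted paths into complex and multi-valued attributes, 1-based startIndex/count pagination returning a ListResponse, sortBy, and an attributes projection. Parentheses in filters are not supported, string comparison is case-insensitive, and the user records are constructed.

```python
import shlex

SCIM_CORE = "urn:scim:schemas:core:1.0"
OPS = {"eq", "co", "sw", "pr", "gt", "ge", "lt", "le"}


def _values(resource, path):
    """Resolve a dotted attribute path such as name.familyName or emails.value;
    multi-valued attributes contribute every one of their values."""
    current = [resource]
    for part in path.split("."):
        nxt = []
        for node in current:
            if isinstance(node, list):
                nxt.extend(item[part] for item in node if isinstance(item, dict) and part in item)
            elif isinstance(node, dict) and part in node:
                nxt.append(node[part])
        current = nxt
    flat = []
    for v in current:
        flat.extend(v if isinstance(v, list) else [v])
    return flat


def _match(actual, op, expected):
    """String-wise, case-insensitive comparison of any actual value against the filter value."""
    if op == "pr":
        return bool(actual)
    e = expected.lower()
    for a in (str(v).lower() for v in actual):
        if {"eq": a == e, "co": e in a, "sw": a.startswith(e),
            "gt": a > e, "ge": a >= e, "lt": a < e, "le": a <= e}[op]:
            return True
    return False


class _FilterParser:
    """or_expr := and_expr ('or' and_expr)* ; and_expr := term ('and' term)* ;
    term := attr op value | attr 'pr'.  Produces a tuple tree, never a query string."""
    def __init__(self, text):
        self.toks, self.i = shlex.split(text), 0

    def _peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def _take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of filter")
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self._or()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in filter")
        return node

    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._term()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._term())
        return node

    def _term(self):
        attr, op = self._take(), self._take().lower()
        if op not in OPS:
            raise ValueError(f"unsupported operator {op!r}")
        return (op, attr, None if op == "pr" else self._take())


def _eval(node, resource):
    op, left, right = node
    if op == "and":
        return _eval(left, resource) and _eval(right, resource)
    if op == "or":
        return _eval(left, resource) or _eval(right, resource)
    return _match(_values(resource, left), op, right)


def list_users(store, filter_text=None, attributes=None, start_index=1, count=None, sort_by=None):
    """GET /Users with filter, attributes, startIndex/count and sortBy, returned as a ListResponse."""
    resources = list(store.values())
    if filter_text:
        tree = _FilterParser(filter_text).parse()
        resources = [r for r in resources if _eval(tree, r)]
    if sort_by:
        resources.sort(key=lambda r: str((_values(r, sort_by) or [""])[0]).lower())
    total = len(resources)
    start = max(int(start_index), 1)                      # startIndex is 1-based
    end = None if count is None else start - 1 + max(int(count), 0)
    page = resources[start - 1:end]
    if attributes:
        keep = set(attributes) | {"id", "schemas"}        # always returned
        page = [{k: v for k, v in r.items() if k in keep} for r in page]
    return {"schemas": [SCIM_CORE], "totalResults": total, "itemsPerPage": len(page),
            "startIndex": start, "Resources": page}
```

The filter string is attacker-controlled input: it is tokenized and parsed into a tree here and an unknown operator is rejected, and a real service provider would map that tree to a parameterized LDAP or SQL query rather than splice the text into one.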
Slide 35: De-provisioning: (1) the user is deleted in the SCIM-based enterprise provisioning system; (2) the provisioning system deletes the user in LDAP, (3) ok; (4) it deletes the user at the SaaS, (5) ok; (6) a later request to the enterprise SSO IdP is (7) denied access.

Slide 36: [Diagram: LDAP, the provisioning system, internal apps and other cloud apps/services.]

Slide 37: Summary: identity provisioning; the value of open standards in the provisioning space; SCIM, along with highlights from the spec; why SCIM?; use cases of SCIM in an identity management solution; adoption of SCIM in WSO2 Identity Server and Stratos.

Slide 38: References: http://www.simplecloud.info/ and http://en.wikipedia.org/wiki/Provisioning#User_provisioning

Slide 39: Selected customers.

Slide 40: WSO2 offerings: QuickStart; Development Support; Development Services; Production Support; Turnkey Solutions (WSO2 Mobile Services Solution, WSO2 FIX Gateway Solution, WSO2 SAP Gateway Solution).

Slide 41: Contact us: bizdev@wso2.com
