CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

SCIM: Why It’s More
Important, and More
Simple, Than You Think
Kelly Grizzle
Software Architect - SailPoint

Copyright © SailPoint Technologies, Inc. 2013 All rights reserved.2
Agenda
• What is SCIM?
• Why is it important?
• How is it being used?
• Deeper Dive
• How simple is it?

System for
Cross-Domain
Identity
Management* And yes … it is also simple

What is SCIM?
•  SCIM is a standard that defines schema and protocol for identity
management.
•  Schema
-  Users and Groups
-  Extensible
-  JSON
•  Protocol
-  REST
-  CRUD + Search + Discovery + Bulk

Identity Protocol Landscape
Provisioning Authentication Authorization

What problems does SCIM solve?
• How do I keep my organization’s users in sync with
service X?
-  How do I provision a user account for service X?
-  How do I deprovision a user account from service X?
-  How do I update an existing account for service X?
• How do I manage groups?
-  How do I add or remove users from groups to give them the
correct level of access?
-  How do I create new groups?

An example speaks 1111101000 words…
POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Authorization: Bearer h480djs93hd8
Content-Length: ...
{
"schemas": ["urn:scim:schemas:core:2.0:User"],
"externalId": "bjensen",
"userName":"bjensen",
"name": {
"familyName": "Jensen",
"givenName": "Barbara"
}
}

History Lesson
July ‘10
Conceived
at CIS
May ‘11
Work starts
under OWF
Dec ‘11
Version 1.0
June/July ‘12
IETF WG
chartered
Version 1.1
Late ‘14
Version 2.0

A typical environment
Firewall

That’s the typical case … Ouch!
•  Environments are complex
-  Many systems both on-prem and off-prem
•  Every system has to deal with identity
-  Name, email, title, custom meta-information, entitlements, …
•  Identity must be maintained across systems
-  Need one-way and often two-way synchronization
•  Authorization is often driven from an external system
-  Example: Active Directory groups drive groups and
permissions in other applications.

Other common pain points
•  Mergers and acquisitions
-  Need to quickly connect applications after M&A
•  BYOA (bring your own app)
-  Proliferation of SaaS apps has lead to using applications that
IT does not even know about
•  Mobile
-  Another case of BYOA where mobile apps need identity
information

How is identity management done?
•  Manual hand-entry
-  Error prone and slow
•  Bulk upload
-  High latency – often a one-time operation
•  Custom APIs and connectors
-  High cost to develop against
-  Proprietary to each service provider
•  SAML Just-in-Time Provisioning
-  No pre-provisioning
-  No deprovisioning

And then … there’s SCIM
•  Low cost to develop
-  Write once and reuse
-  Open source libraries
-  Well-known and agreed upon standard
•  Handles full lifecycle of identity
-  Create, update, AND delete
•  Real-time
-  No waiting for manual intervention

Who else thinks SCIM is important?

Surprisingly – not just in the cloud
•  SCIM was initially created with cloud use cases in mind
•  It turns out that a common language to move identities on-
premises is really useful
•  This is some of the first “real world” adoption of SCIM
•  Case study: Large company with 3500 connected
applications and 82,000 users moved to SCIM for internal
systems

In the enterprise
Firewall

Unsurprisingly – also in the cloud
•  SaaS providers have started implementing SCIM for their
identity APIs
-  Salesforce.com, Cisco Webex, etc…
•  Clients call these APIs from an on-premises identity
management system to manage identities

Ground to cloud
Firewall
SCIM
Proprietary

Cloud Identity Bridge
•  Important when on-premises applications need to be
managed from the cloud
•  Allows a single, secured SCIM channel through the firewall
•  Translates SCIM requests to native APIs behind the firewall

Cloud to ground
Firewall
Identity Bridge
Cloud Identity
Management
Provider
SCIM
Native APIs

Schema
•  Core models for User and Group
•  JSON representation
•  Extensible
-  Extend existing resources (eg – enterprise user)
-  Define new resources (eg – role, entitlement, device)
-  JSON format for describing schema
-  Standard data types and references between objects

Example: User
{
"id": "2819c223-7f76-453a-919d-413861904646",
"meta": {
"resourceType": "User",
"created": "2011-08-01T18:29:49.793Z",
"lastModified": "2011-08-01T18:29:49.793Z",
"location": "https://example.com/v1/Users/2819c223...",
"version": "W/"f250dd84f0671c3"
},
"name": {
"formatted": "Ms. Barbara J Jensen III",
},
"userName": "bjensen",
"phoneNumbers": [
{
"value": "555-555-8377",
"type": "work"
}
]
}
Required
Complex
Simple
Multi-valued
Object type

Example: Extended User
{
"schemas":["urn:scim:schemas:core:2.0:User",
"urn:scim:schemas:extension:enterprise:2.0:User"],
"id": "2819c223-7f76-453a-919d-413861904646",
"userName": "bjensen",
"urn:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "701984",
"costCenter": "4130",
"organization": "Universal Studios",
"division": "Theme Park",
"department": "Tour Operations",
"manager": {
"managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
"$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d",
"displayName": "John Smith"
}
}
}
Declaration
Use

Operations
•  Create = POST https://example.com/{v}/{resource}
•  Read = GET https://example.com/{v}/{resource}/{id}
•  Update = PUT https://example.com/{v}/{resource}/{id}
•  Delete = DELETE https://example.com/{v}/{resource}/{id}
•  *Update = PATCH https://example.com/{v}/{resource}/{id}
•  *Search = GET https://example.com/{v}/{resource}?
filter={attribute} {op} {value} & sortBy={attributeName} &
sortOrder={ascending|descending} & startIndex={start} &
count={maxResults}
•  *Bulk

Create Request
POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
{
"userName":"bjensen",
"name": {
}
}
Operation Resource Type
AuthZ
“User” Payload

Create Response
HTTP/1.1 201 Created
Location: https://example.com/v2/Users/281...
ETag: W/"e180ee84f0671b1"
{
"id": "2819c223-7f76-453a-919d-413861904646",
"meta": {
"created": "2011-08-01T21:32:44.882Z",
"lastModified": "2011-08-01T21:32:44.882Z",
"location": "https://example.com/v2/Users/281...",
"version": "W/"e180ee84f0671b1""
},
"name":{
"familyName":"Jensen",
...
Result code
“Permalink”
SP generated ID

Discovery
•  GET /Schemas
-  Defines primary object definitions and extensions
•  GET /ResourceTypes
-  Defines available resources
•  endpoint URL, primary schema, schema extensions
•  GET /ServiceProviderConfigs
-  Spec compliance
•  Support for bulk, patch, etc…
-  Authentication schemes
•  OAuth, HTTP basic, etc…

Extending an existing resource type
•  The SCIM core schema objects – User and Group – try to
cover the common 80%
•  Almost always extended by service providers to add custom
attributes
•  Only two steps required:
1.  Create a new schema that contains the extended attributes
2.  Add the new schema to the schemaExtensions list for the
resource type

Extending – Schema
{
"id" : "urn:grizzle:1.0:ConferenceGoer",
"name" : "Conference Goer",
"description" : "Info about a person that attends CIS",
"attributes" : [{
"name" : "shirtSize",
"type" : "string",
"multiValued" : false,
"description" : "What conference doesn't have a t-shirt?",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "always",
"uniqueness" : "server"
}]

Extending – Resource Type
{
"schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
"id":"User",
"name":"User",
"endpoint": "/Users",
"description": "Core User",
"schema": "urn:scim:schemas:core:2.0:User",
"schemaExtensions": [{
"schema": "urn:grizzle:1.0:ConferenceGoer",
"required": false
}
]
}
Add custom
extensions
here

Creating a custom resource type
•  Completely new resource types may be created to model
objects that are unique to the service provider
•  Client can use /ResourceTypes endpoint to discover these
•  Somewhat common for service providers to implement
•  Only two steps required:
1.  Create a new schema that contains the attributes
2.  Create a new resource type that references this schema

Custom resource type – Schema
{
"id" : "urn:grizzle:1.0:BlogPost",
"name" : "Blog Post",
"description" : "A post to a blog",
"attributes" : [{
"name" : "title",
"type" : "string",
"multiValued" : false,
"description" : "The title of the blog post",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "always",
"uniqueness" : "server"
},
... other attributes - id, content, author, date, etc ...

Custom resource type – Resource Type
{
"schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
"id": "BlogPost",
"name": "Blog Post",
"endpoint": "/BlogPosts",
"description": "Posts to a boring blog",
"schema": "urn:grizzle:1.0:BlogPost"
}
Reference the custom schema

Custom resource type – GET Request
GET /v2/BlogPosts
Host: example.com

Custom resource type – GET Response
HTTP/1.1 200 OK
{
"schemas": ["urn:scim:api:messages:2.0:ListResponse"],
"totalResults": 5,
"Resources": [{
"id": "281838-af839018e4-8377ba87e90",
"title": "Welcome to my blog!",
"content": "...",
"meta": {
"resourceType": "BlogPost",
"created": "2011-08-01T21:32:44.882Z",
"lastModified": "2011-08-01T21:32:44.882Z",
"location": "https://example.com/v2/BlogPosts/281..."

SCIM Core Values
•  Simplicity
-  “Make it as simple as possible but no simpler.”
- Einstein
•  Solving real-world problems
•  Ease of implementation by consumers
-  Don’t make it too hard for service providers either
•  Support the 80% in the core
-  Extensions for everything else
•  Interoperability

How to kick the tires
•  Download the UnboundID Reference Server Implementation
if you need a server to test against
-  https://www.unboundid.com/resources/scim/
•  If you are trying to play with a service provider’s API
-  cURL
-  REST Console (Chrome Extension)

cURL

REST Console
•  A Chrome extension that easily allows making REST calls
•  Use this if a command line scares you
•  There are other alternatives out there

Getting under the hood
•  If you want to write a SCIM client or server there are a number of
open source libraries
•  Most libraries currently support SCIM 1.1 (not 2.0)
•  UnboundID SDK
-  Client and server java libraries
-  Most full-featured and well maintained
•  python-scim
-  SCIM object models for Python
•  scim-query-filter-parser
-  Search filter parsing library for Ruby
•  More at http://www.simplecloud.info/#implementations

UnboundID SDK
•  Open source and developed by UnboundID
•  Recent enhancements to improve client usability -
https://code.google.com/p/scimsdk/source/detail?r=355
•  I prototyped a SCIM server and wrote a library to make
server development easier
-  Library cut the lines of code by 68% (down to <300)
-  Needs a bit of work to be ready for prime time

It’s so easy even Mark Diodati can do it!
•  Mark wrote a SCIM client while an analyst at Gartner
•  Written in Perl
•  Reads attributes from a SCIM server and writes to an Excel
file
•  Reads changes in Excel file and synchronizes them to a
SCIM server

Wait … I already have a REST API!
•  Option 1: Have a separate URL-space for identity-related
SCIM APIs
-  https://example.com/rest/MyObjects
-  https://example.com/rest/scim/Users
•  Option 2: Consider using SCIMs schemas and resource
types to define your entire REST API
-  It is already well-defined
-  Supports many data types and references between objects
-  It is self-describing through /Schemas and /ResourceTypes
-  Make use of SCIM libraries for fast implementation
•  Just do it! Customers constantly ask for a common API!

Key take-aways
•  Identity and app proliferation = frustration
•  SCIM is the only sustainable option that can handle the
scale and complexity of provisioning in today’s environments
•  Build a standards-based identity infrastructure
-  Provisioning à SCIM
-  Authentication à OpenID Connect or SAML
-  Authorization à OAuth2

What does it mean for me?
•  Consider using SCIM for your internal environment
-  Not just a cloud API
•  SCIM is a good foundation for any REST API
-  It can be used for more than just identities
•  It’s easy to get started if you use the tools that are already
available
•  Use SCIM 1.1 for now
-  Real-world adoption of SCIM 2.0 will happen in 2015

References
• Start here…
- http://www.simplecloud.info/
•  Get involved here…
-  http://www.ietf.org/mail-archive/web/scim/current/maillist.html
•  All of the gory details here…
-  http://datatracker.ietf.org/wg/scim/documents/
-  http://datatracker.ietf.org/doc/draft-ietf-scim-api/
-  http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/
•  Implementing a client or server in Java? Start here…
-  https://www.unboundid.com/resources/scim/
•  Implementing a client or server in not Java? Start here…
-  http://www.simplecloud.info/#implementations

Questions
kelly.grizzle@sailpoint.com
@kelly_grizzle
http://simplecloud.info

CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

Similar to CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think (20)

More from CloudIDSummit

More from CloudIDSummit (20)

Recently uploaded

Recently uploaded (20)

CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think