Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
•
0 likes•1 view
What if keeping your user stores in sync across domains was as simple as running "java -jar"? With Apache SCIMPle, it is! Apache SCIMple is a SCIM 2.0-compliant server powered by Spring Boot 3. You can run it standalone or embedded in your existing app. It exposes user management REST endpoints and handles the hassle of user synchronization for you. If your identity provider supports SCIM, use the simple way! GitHub example: https://github.com/mraible/okta-scim-spring-boot-example Demo script: https://github.com/mraible/okta-scim-spring-boot-example/blob/main/demo.adoc
Recommended
Recommended
More Related Content
More from Matt Raible
More from Matt Raible (20)
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
- 1. Keep Identities in Sync The SCIMple Way Brian Demers and Matt Raible @briandemers / @mraible October 3, 2022
- 2. @briandemers / @mraible Who are we? Brian Demers Open Source Developer and Java Champion Fun facts: likes to snowboard; into 🐝 @bdemers Matt Raible Open Source Developer and Java Champion Fun facts: likes to ski; into classic VWs ✌ @mraible
- 3. @briandemers / @mraible Today's Agenda What is SCIM? 01 Best Practices 02 Apache SCIMple 03 Demo Apache SCIMple + Spring Boot 04 Action! How to get involved! 05 @briandemers / @mraible
- 4. @briandemers / @mraible 01 What is SCIM? @briandemers / @mraible
- 5. @briandemers / @mraible System for Cross-domain Identity Management
- 6. @briandemers / @mraible TL;DR Standardized User & Groups REST API
- 7. @briandemers / @mraible REST Endpoints https://example.com/api/v1/Parts https://example.com/api/v1/Orders https://example.com/api/v1/Users https://example.com/api/v1/Groups https://example.com/api/v1/Users https://example.com/api/v1/Groups Imagine you are building an API for an auto parts store:
- 8. @briandemers / @mraible User Object { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id":"2819c223-7f76-453a-919d-413861904646", "externalId":"dschrute", "userName":"dschrute", "name":{ "formatted": "Mr. Dwight K Schrute, III", "familyName": "Schrute", "givenName": "Dwight", "middleName": "Kurt", "honorificPrefix": "Mr.", "honorificSuffix": "III" }, "phoneNumbers":[{ "value":"555-555-8377", "type": "work"}], "emails":[{ "value":"dschrute@example.com", "type":"work", "primary": true}], "meta":{ "resourceType": "User", "created":"2011-08-01T18:29:49.793Z", "lastModified":"2011-08-01T18:29:49.793Z", "location":"https:./example.com/v2/Users/2819c223..."}} application/scim+json
- 9. @briandemers / @mraible What about other attributes?
- 10. @briandemers / @mraible SCIM Extensions "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:scim:schemas:extension:srd:1.0:ability"], "urn:scim:schemas:extension:srd:1.0:ability": { "charisma": 14, "constitution": 12, "dexterity": 15, "intelligence": 8, "strength": 10, "wisdom": 13}
- 11. @briandemers / @mraible SCIM Schemas Endpoint-/Schemas { "id": "urn:scim:schemas:extension:srd:1.0:ability", "name": "SDR-OGL", "description": "Systems Reference Document - Ability Scores", "attributes": [{ "name": "charisma", "description": "Charisma, measuring force of personality", "required": true, "type": "integer", "uniqueness": "none", "caseExact": false, "multiValued": false, "mutability": "readWrite", "returned": "default"} ...
- 12. @briandemers / @mraible SCIM Endpoints /Users[/{id}] /Groups[/{id}] /Schemas[/{id}] /ResourceTypes[/{id}] /Bulk /ServiceProviderConfig
- 13. @briandemers / @mraible Why use SCIM?
- 14. @briandemers / @mraible Why should you use SCIM? ● Standardized RESTful API ● Covers >90% of use cases ● Integrate with other services
- 15. @briandemers / @mraible When to avoid SCIM?
- 16. @briandemers / @mraible 02 Best Practices
- 17. @briandemers / @mraible ● Store the "source" of the user ● Store the "ID" of the user's source ● Emails are not good IDs ● The status of a user is a boolean. ● SCIM supports a SQL like expression language User Model Best Practices /Users?filter=emails.value EQ "bob@example.com" /Users?filter=userName EQ "bob"
- 18. @briandemers / @mraible User data is sensitive! I Am Not A Lawyer!
- 19. @briandemers / @mraible 03 Apache SCIMple @briandemers / @mraible
- 20. @briandemers / @mraible ApacheDS Apache Directory Studio Apache LDAP API Apache Fortress Apache Kerby Apache SCIMple
- 21. Apache SCIMple History @briandemers / @mraible 2013: Started at PennState 2018: Moved to Apache Directory 2015: SCIM RFCs 2020: Something happened 2022: Jakarta APIs
- 22. @briandemers / @mraible 04 Demo @briandemers / @mraible github.com/mraible/okta-scim-spring-boot-example
- 23. @briandemers / @mraible 05 Action! @briandemers / @mraible
- 24. @briandemers / @mraible Action Get Involved with Apache SCIMple @briandemers / @mraible { } YOUR LOGO HERE
- 25. @briandemers / @mraible Action Get Involved with SCIMple @briandemers / @mraible directory.apache.org/scimple apache/directory-scimple scimple@directory.apache.org
- 26. @briandemers / @mraible Thanks! Brian Demers @briandemers @bdemers @bdemers brian.demers@okta.com Matt Raible @mraible @mraible @mraible matt.raible@okta.com https://speakerdeck.com/mraible