Jan19 scim webinar-04

SCIM Webinar
Jan 18, 2012

Patrick Harding, CTO
Paul Madsen, Senior Technical Architect

© 2010 Ping Identity Corporation

Background & Overview


Current State
• Enterprises need programmatic mechanisms to manage
users/roles/groups in Cloud apps

• Large SaaS vendors have implemented proprietary API’s
• Google, Salesforce, Cisco Webex, Successfactors, etc
• All very similar, work well


Call to Arms
• At Cloud Identity Summit 2010
• Attendees established need for an ‘open standard’ for
provisioning cloud users

• Google, Salesforce, Ping Identity, UnboundID, Microsoft
created ‘Cloud Directory’ user group

• Initial discussions at IIW 12


2011 - Year of Development
• Q1 2011 • Q3 2011
• Initial Draft SCIM Spec • SCIM Working Group
developed by Ping, established under OWF
UnboundID and Salesforce • Cisco, Sailpoint, Google
• Q2 2011 contribute

• Draft SCIM Spec introduced • Q4 2011
at IIW 13 • Multiple vendors
• Significant interest and demonstrate interop at IIW
discussion 14
• SCIM V1.0 in December
2011


SCIM 1.0 Specification Set

http://simplecloud.info

REST API SAML Binding (draft) Future bindings
CRUD methods Attribute mapping
response codes

Core Schema
User, Enterprise Extension, Groups, Config


SCIM Basics
• Core Schema
• Represents User, Groups, Schema, Bulk etc
• Defines basic user attributes (name, address contactetc.)

• REST API
• Defines Create, Read, Update& Delete methods to synchronize
user object information

• SAML Binding
• Supports Just-In-Time provisioning during SSO
• Maps SCIM schema to SAML AttributeStatement


Example 1: Push

User
Directory

1. Create/Update/Delete
User Object

SCIM API Cloud App User Store
Client Provider

2. Status


Example 2: SAML JIT

User
Directory

SAML IdP SAML SP User Store

1. SAML Token w/
User Object

Browser


Example 3: OpenID JIT + Pull

User Store

OpenIDIdP API 2. Read User Object OpenID SP User Store

3. User Object

1. OpenID Response

Browser


What’s Next?
• Implementation, implementation, implementation !!!
• Major cloud application platforms have indicated that they will
implement SCIM in 2012

• SCIM working group to move to the IETF in 2012
• Use SCIM v1.0 as baseline submission
• Working code, successful deployments are key
• SCIM v2.0 will address issues


Technical


Terminology
• Service Provider: A web application that
provides identity information via the SCIM
protocol (think SaaS)
• Consumer: A website or application that uses
the SCIM protocol to manage identity data
maintained by the Service Provider. (think
Enterprise)
• Resource: The Service Provider managed
artifact containing one or more attributes; e.g.,
User or Group


Schema
• SCIM provides a minimal core schema for
representing Resources of different types

• User, Groups, Schema, Bulk etc

• User schema took as starting point the
Portable Contacts schema [1]

• Basic user attributes (name, address contact,
groups, password etc.)

[1] - http://www.portablecontacts.net/draft-spec.html


Schema-Password?
• Group torn on whether to support password management in
schema

• Acknowldgement that best practice is that enterprise users NOT
be provisioned with passwords at SaaS providers

• But
• Current reality doesn’t everywhere reflect ideal
• Hope/expectation that SCIM will be applied beyond Cloud

• Consumers can specify an initial password when creating a
new User (POST) or to reset an existing User's password
(PATCH)


Schema-Enterprise extension
• Extends generic user with enterprise
semantics

• Adds manager, department,
organization, etc

<ent:employeeNumber>701984</ent:employeeNumber>
<ent:manager>
<ent:managerId>902c246b-6245-4190</ent:managerId>
<ent:displayName>Mandy Pepperidge</ent:displayName>
</ent:manager>
<ent:costCenter>4130</ent:costCenter>
<ent:organization>Universal Studios</ent:organization>
<ent:division>Theme Park</ent:division>
<ent:department>Tour Operations</ent:department>

Schema-Groups
• Group resources enable group & role based access control

• Groups contain members

• How Service Provider implements access control out of scope
PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8 ETag: W/"a330bc54f0671c9"

{
"schemas": ["urn:scim:schemas:core:1.0"],
"members": [
{ "display": "Babs Jensen",
"value": "2819c223-7f76-453a-919d-413861904646" } ]
}

Schema-Metadata
• Service Provider Configuration Resource enables a Service
Provider to expose its compliance with SCIM specification
in a standardized form & provide additional implementation
details to Consumers.
{
"schemas": ["urn:scim:schemas:core:1.0"]
"patch": { "supported":true },
"bulk": { "supported":true, "maxOperations":1000,"maxPayloadSize":1048576
},
"filter": { "supported":true, "maxResults": 200 },
"changePassword" : { "supported":true }
"authenticationSchemes": [ { "name": "OAuth Bearer Token",
"specUrl":"http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
"documentationUrl":"http://example.com/help/oauth.html",
"type":"oauthbearertoken", "primary": true },
}


Schema- representative AD Mapping

AD SCIM
userPrincipalName userName
mail email.value (type=work)
givenName name.givenName
sn name.familyName
whenCreated meta.whenCreated
userPassword password
cn displayName


API
• Specifies well known endpoints & HTTP methods for managing
Resources defined in the core schema

• User and Group Resources correspond to /Users and /Groups
respectively

• REStful (really)

• Responses are returned in the body of the HTTP response,
formatted as JSON or XML, depending on what is requested


API-Architecture

Resource
representation
Client API Service
Provider

Response
Resources


API-Verbage
• API uses HTTP verbs as follows
• GET (retrieves an existing resource)
• POST (creates a new resource)
• PUT (overrides an existing resource)
• BATCH (partially modifies an existing resource)
• DELETE (deletes an existing resource)


API-Authentication
• SCIM does not mandate a particular authentication scheme by
which Consumers authenticate to Service Providers

• OAuth 2.0 is RECOMMENDED, but other schemes (eg HTTP
Basic) not precluded

• Consumers and Service Providers MUST implement TLS


API-Authentication-OAuth example
POST /User HTTP/1.1
Host: example.com
Accept: application/xml
Authorization: Bearer h480djs93hd8

<?xml version="1.0" encoding="UTF-8"?>
<scim:User xmlns:scim="urn:scim:schemas:core:1.0">
<userName>bjensen@example.com</userName>
<externalId>701984</externalId>
<emails>
<email>
<value>bjensen@example.com</value>
<primary>true</primary>
<type>work</type>
</email>
</emails>
</scim:User>


API-Response codes
• API uses/overrides HTTP Response codes to indicate
operation success or failure.

• In addition, Service Providers return errors in body of the
response and human-readable explanations.

HTTP/1.1 404 NOT FOUND

{
"Errors":[
{
"description":"Resource 2819c223-7f76-453a-919d- not found",
"code":"404" } ]
}


API-Error codes


API-Response operations
• SCIM defines a standard set of operations that can be used to
filter, sort, and paginate response results.

• Consumers may request a subset of Resources by specifying
the 'filter' URL query parameter containing a filter expression.

• Sorting allows Consumers to specify the order in which
Resources are returned by specifying a combination of sortBy
and sortOrder URL parameters

• Pagination parameters can be used together to "page through"
large numbers of Resources so as not to overwhelm the
Consumer or Service Provider


SAML Binding
• Supports a JIT provisioning model where users created in real
time (vs a priori via API)

• Binds SCIM User objects to SAML Attributes

• Expectation is that other SSO/JIT bindings will follow in time

• SAML binding not voted out with API and Core Schema, group
needs to resolve tension between
• SCIM push for simplicity
• Existing SAML Attribute Person Profiles

• Complex attributes don’t easily map into SAML Attributes


SAML Binding-Architecture

Client SAML SAML Service
IdP SP Provider

Resource Resources
representation

Browser


SAML Binding-SAML Attributes
<saml:AttributeStatement
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:unspecified" Name="SCIM.userName">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-
instance" xsi:type="xs:string">bjensen@example.com
</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-
format:unspecified" Name="SCIM.name.formatted">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-
instance" xsi:type="xs:string">Ms. Babs J Jensen III
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>


Conclusions
• SCIM has potential to be important IdM
standard in & out of cloud
• But, if SCIM is to avoid SPML's fate, adoption is
key
• Start demand ingIdM vendors and SaaS
providers add support


Thank you

@pingcto, @paulmadsen


Demo


Demo

SCIM User Store
SFDC
Enterprise Salesforce
Ping Cloud
AD


Jan19 scim webinar-04

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Jan19 scim webinar-04

Similaire à Jan19 scim webinar-04 (20)

Plus de Paul Madsen

Plus de Paul Madsen (12)

Dernier

Dernier (20)

Jan19 scim webinar-04