SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014

SCIM: Why It’s More
Important, and More
Simple, Than You Think
Kelly Grizzle
Software Architect - SailPoint

Copyright © SailPoint Technologies, Inc. 2013 All rights reserved.2
Agenda
•What is SCIM?
•Why is it important?
•How is it being used?
•Deeper Dive
•How simple is it?

System for
Cross-Domain
Identity
Management
* And yes … it is also simple

What is SCIM?
• SCIM is a standard that defines schema and protocol for identity
management.
• Schema
- Users and Groups
- Extensible
- JSON
• Protocol
- REST
- CRUD + Search + Discovery + Bulk

Identity Protocol Landscape
Provisioning Authentication Authorization

What problems does SCIM solve?
• How do I keep my organization’s users in sync with
service X?
- How do I provision a user account for service X?
- How do I deprovision a user account from service X?
- How do I update an existing account for service X?
• How do I manage groups?
- How do I add or remove users from groups to give them the
correct level of access?
- How do I create new groups?

An example speaks 1111101000 words…
POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Authorization: Bearer h480djs93hd8
Content-Length: ...
{
"schemas": ["urn:scim:schemas:core:2.0:User"],
"externalId": "bjensen",
"userName":"bjensen",
"name": {
"familyName": "Jensen",
"givenName": "Barbara"
}
}

History Lesson
July ‘10
Conceived
at CIS
May ‘11
Work starts
under OWF
Dec ‘11
Version 1.0
June/July ‘12
IETF WG
chartered
Version 1.1
Late ‘14
Version 2.0

A typical environment
Firewall

That’s the typical case … Ouch!
• Environments are complex
- Many systems both on-prem and off-prem
• Every system has to deal with identity
- Name, email, title, custom meta-information, entitlements, …
• Identity must be maintained across systems
- Need one-way and often two-way synchronization
• Authorization is often driven from an external system
- Example: Active Directory groups drive groups and
permissions in other applications.

Other common pain points
• Mergers and acquisitions
- Need to quickly connect applications after M&A
• BYOA (bring your own app)
- Proliferation of SaaS apps has lead to using applications that
IT does not even know about
• Mobile
- Another case of BYOA where mobile apps need identity
information

How is identity management done?
• Manual hand-entry
- Error prone and slow
• Bulk upload
- High latency – often a one-time operation
• Custom APIs and connectors
- High cost to develop against
- Proprietary to each service provider
• SAML Just-in-Time Provisioning
- No pre-provisioning
- No deprovisioning

And then … there’s SCIM
• Low cost to develop
- Write once and reuse
- Open source libraries
- Well-known and agreed upon standard
• Handles full lifecycle of identity
- Create, update, AND delete
• Real-time
- No waiting for manual intervention

Who else thinks SCIM is important?

Surprisingly – not just in the cloud
• SCIM was initially created with cloud use cases in mind
• It turns out that a common language to move identities on-
premises is really useful
• This is some of the first “real world” adoption of SCIM
• Case study: Large company with 3500 connected
applications and 82,000 users moved to SCIM for internal
systems

In the enterprise
Firewall

Unsurprisingly – also in the cloud
• SaaS providers have started implementing SCIM for their
identity APIs
- Salesforce.com, Cisco Webex, etc…
• Clients call these APIs from an on-premises identity
management system to manage identities

Ground to cloud
Firewall
SCIM
Proprietary

Cloud Identity Bridge
• Important when on-premises applications need to be
managed from the cloud
• Allows a single, secured SCIM channel through the firewall
• Translates SCIM requests to native APIs behind the firewall

Cloud to ground
Firewall
Identity Bridge
Cloud Identity
Management
Provider
SCIM
Native APIs

Schema
• Core models for User and Group
• JSON representation
• Extensible
- Extend existing resources (eg – enterprise user)
- Define new resources (eg – role, entitlement, device)
- JSON format for describing schema
- Standard data types and references between objects

Example: User
{
"id": "2819c223-7f76-453a-919d-413861904646",
"meta": {
"resourceType": "User",
"created": "2011-08-01T18:29:49.793Z",
"lastModified": "2011-08-01T18:29:49.793Z",
"location": "https://example.com/v1/Users/2819c223...",
"version": "W/"f250dd84f0671c3"
},
"name": {
"formatted": "Ms. Barbara J Jensen III",
},
"userName": "bjensen",
"phoneNumbers": [
{
"value": "555-555-8377",
"type": "work"
}
]
}
Required
Complex
Simple
Multi-valued
Object type

Example: Extended User
{
"schemas":["urn:scim:schemas:core:2.0:User",
"urn:scim:schemas:extension:enterprise:2.0:User"],
"id": "2819c223-7f76-453a-919d-413861904646",
"userName": "bjensen",
"urn:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "701984",
"costCenter": "4130",
"organization": "Universal Studios",
"division": "Theme Park",
"department": "Tour Operations",
"manager": {
"managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
"$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d",
"displayName": "John Smith"
}
}
}
Declaration
Use

Operations
• Create = POST https://example.com/{v}/{resource}
• Read = GET https://example.com/{v}/{resource}/{id}
• Update = PUT https://example.com/{v}/{resource}/{id}
• Delete = DELETE https://example.com/{v}/{resource}/{id}
• *Update = PATCH https://example.com/{v}/{resource}/{id}
• *Search = GET https://example.com/{v}/{resource}?
filter={attribute} {op} {value} & sortBy={attributeName} &
sortOrder={ascending|descending} & startIndex={start} &
count={maxResults}
• *Bulk

Create Request
POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
{
"userName":"bjensen",
"name": {
}
}
Operation Resource Type
AuthZ
“User” Payload

Create Response
HTTP/1.1 201 Created
Location: https://example.com/v2/Users/281...
ETag: W/"e180ee84f0671b1"
{
"id": "2819c223-7f76-453a-919d-413861904646",
"meta": {
"created": "2011-08-01T21:32:44.882Z",
"lastModified": "2011-08-01T21:32:44.882Z",
"location": "https://example.com/v2/Users/281...",
"version": "W/"e180ee84f0671b1""
},
"name":{
"familyName":"Jensen",
...
Result code
“Permalink”
SP generated ID

Discovery
• GET /Schemas
- Defines primary object definitions and extensions
• GET /ResourceTypes
- Defines available resources
• endpoint URL, primary schema, schema extensions
• GET /ServiceProviderConfigs
- Spec compliance
• Support for bulk, patch, etc…
- Authentication schemes
• OAuth, HTTP basic, etc…

Extending an existing resource type
• The SCIM core schema objects – User and Group – try to
cover the common 80%
• Almost always extended by service providers to add custom
attributes
• Only two steps required:
1. Create a new schema that contains the extended attributes
2. Add the new schema to the schemaExtensions list for the
resource type

Extending – Schema
{
"id" : "urn:grizzle:1.0:ConferenceGoer",
"name" : "Conference Goer",
"description" : "Info about a person that attends CIS",
"attributes" : [{
"name" : "shirtSize",
"type" : "string",
"multiValued" : false,
"description" : "What conference doesn't have a t-shirt?",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "always",
"uniqueness" : "server"
}]

Extending – Resource Type
{
"schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
"id":"User",
"name":"User",
"endpoint": "/Users",
"description": "Core User",
"schema": "urn:scim:schemas:core:2.0:User",
"schemaExtensions": [{
"schema": "urn:grizzle:1.0:ConferenceGoer",
"required": false
}
]
}
Add custom
extensions
here

Creating a custom resource type
• Completely new resource types may be created to model
objects that are unique to the service provider
• Client can use /ResourceTypes endpoint to discover these
• Somewhat common for service providers to implement
• Only two steps required:
1. Create a new schema that contains the attributes
2. Create a new resource type that references this schema

Custom resource type – Schema
{
"id" : "urn:grizzle:1.0:BlogPost",
"name" : "Blog Post",
"description" : "A post to a blog",
"attributes" : [{
"name" : "title",
"type" : "string",
"multiValued" : false,
"description" : "The title of the blog post",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "always",
"uniqueness" : "server"
},
... other attributes - id, content, author, date, etc ...

Custom resource type – Resource Type
{
"schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
"id": "BlogPost",
"name": "Blog Post",
"endpoint": "/BlogPosts",
"description": "Posts to a boring blog",
"schema": "urn:grizzle:1.0:BlogPost"
}
Reference the custom schema

Custom resource type – GET Request
GET /v2/BlogPosts
Host: example.com

Custom resource type – GET Response
HTTP/1.1 200 OK
{
"schemas": ["urn:scim:api:messages:2.0:ListResponse"],
"totalResults": 5,
"Resources": [{
"id": "281838-af839018e4-8377ba87e90",
"title": "Welcome to my blog!",
"content": "...",
"meta": {
"resourceType": "BlogPost",
"created": "2011-08-01T21:32:44.882Z",
"lastModified": "2011-08-01T21:32:44.882Z",
"location": "https://example.com/v2/BlogPosts/281..."

SCIM Core Values
• Simplicity
- “Make it as simple as possible but no simpler.”
- Einstein
• Solving real-world problems
• Ease of implementation by consumers
- Don’t make it too hard for service providers either
• Support the 80% in the core
- Extensions for everything else
• Interoperability

How to kick the tires
• Download the UnboundID Reference Server Implementation
if you need a server to test against
- https://www.unboundid.com/resources/scim/
• If you are trying to play with a service provider’s API
- cURL
- REST Console (Chrome Extension)

cURL

REST Console
• A Chrome extension that easily allows making REST calls
• Use this if a command line scares you
• There are other alternatives out there

Getting under the hood
• If you want to write a SCIM client or server there are a number of
open source libraries
• Most libraries currently support SCIM 1.1 (not 2.0)
• UnboundID SDK
- Client and server java libraries
- Most full-featured and well maintained
• python-scim
- SCIM object models for Python
• scim-query-filter-parser
- Search filter parsing library for Ruby
• More at http://www.simplecloud.info/#implementations

UnboundID SDK
• Open source and developed by UnboundID
• Recent enhancements to improve client usability -
https://code.google.com/p/scimsdk/source/detail?r=355
• I prototyped a SCIM server and wrote a library to make
server development easier
- Library cut the lines of code by 68% (down to <300)
- Needs a bit of work to be ready for prime time

It’s so easy even Mark Diodati can do it!
• Mark wrote a SCIM client while an analyst at Gartner
• Written in Perl
• Reads attributes from a SCIM server and writes to an Excel
file
• Reads changes in Excel file and synchronizes them to a
SCIM server

Wait … I already have a REST API!
• Option 1: Have a separate URL-space for identity-related
SCIM APIs
- https://example.com/rest/MyObjects
- https://example.com/rest/scim/Users
• Option 2: Consider using SCIMs schemas and resource
types to define your entire REST API
- It is already well-defined
- Supports many data types and references between objects
- It is self-describing through /Schemas and /ResourceTypes
- Make use of SCIM libraries for fast implementation
• Just do it! Customers constantly ask for a common API!

Key take-aways
• Identity and app proliferation = frustration
• SCIM is the only sustainable option that can handle the
scale and complexity of provisioning in today’s environments
• Build a standards-based identity infrastructure
- Provisioning  SCIM
- Authentication  OpenID Connect or SAML
- Authorization  OAuth2

What does it mean for me?
• Consider using SCIM for your internal environment
- Not just a cloud API
• SCIM is a good foundation for any REST API
- It can be used for more than just identities
• It’s easy to get started if you use the tools that are already
available
• Use SCIM 1.1 for now
- Real-world adoption of SCIM 2.0 will happen in 2015

References
• Start here…
- http://www.simplecloud.info/
• Get involved here…
- http://www.ietf.org/mail-archive/web/scim/current/maillist.html
• All of the gory details here…
- http://datatracker.ietf.org/wg/scim/documents/
- http://datatracker.ietf.org/doc/draft-ietf-scim-api/
- http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/
• Implementing a client or server in Java? Start here…
- https://www.unboundid.com/resources/scim/
• Implementing a client or server in not Java? Start here…
- http://www.simplecloud.info/#implementations

Questions
kelly.grizzle@sailpoint.com
@kelly_grizzle
http://simplecloud.info

SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014

Similar to SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014 (20)

Recently uploaded

Recently uploaded (20)

SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014

Editor's Notes