cis13: scim interop

SCIM 1.1 Interop - Cloud Identity Summit 2013

Upload: cloudidsummit

Post on 15-Jan-2015


Category: Technology


2 download

DESCRIPTION

The System for Cross-Domain Identity Management (SCIM) protocol is the last best hope for crossing the provisioning interoperability chasm—for on-premises and cloud-based applications. Visit the interop room to learn more about SCIM and chat with participating companies.

TRANSCRIPT

Page 1: CIS13: SCIM Interop

SCIM 1.1 Interop

Cloud Identity Summit 2013

Page 2: CIS13: SCIM Interop

example SCIM topology

Figure: example SCIM topology. On-premises: identity system (SCIM consumer). Externally hosted: SaaS application (SCIM service provider). The identity system creates a user in the SaaS application with an HTTP POST.

Page 3: CIS13: SCIM Interop

example SCIM topology

Figure: example SCIM topology with a directory. On-premises: Active Directory, kept in step with the identity system (SCIM consumer) by directory sync. Externally hosted: SaaS application (SCIM service provider). The identity system creates a user in the SaaS application with an HTTP POST.

Page 4: CIS13: SCIM Interop

SCIM identity bridge

Figure: SCIM identity bridge. On-premises: Active Directory, reached over LDAP by the Identity Bridge, which combines directory sync, a SCIM consumer and a SCIM provider. Externally hosted: the partner's provisioning IDaaS (SCIM consumer), talking SCIM to the bridge, and a web application (OAuth resource server) reached through its API or SCIM.

Page 5: CIS13: SCIM Interop

Interoppers (service provider / consumer pairs)

cisco / sailpoint
pi pingfederate / sailpoint
pi pingfederate / unboundid
pi pingone / nexus
pi pingone / wso2
salesforce / sailpoint
salesforce / nexus
salesforce / wso2
salesforce / pi pingfederate
unboundid / pi pingfederate
unboundid / pi pingone
unboundid / wso2
wso2 / sailpoint

Page 6: CIS13: SCIM Interop

Interop tests

Category | Test # | Test name
User creation | 1.1 | Create five users.
User list | 2.1 | List one user (1.1) with attributes parameter via query to resource.
User list | 2.2 | List one user (1.1) with filter via query to resource endpoint.
User list | 2.3 | List users (1.1) with attributes parameter via query to resource endpoint.
User update | 3.1 | Update user (1.1) via PUT.
User update | 3.2 | Update user (1.1) via PATCH.
User update | 3.3 | Change password for user (1.1). Verify by authenticating with server natively if possible.
Group creation | 4.1 | Create two groups.
Group list | 5.1 | List one group (4.1) with attributes parameter via query to resource.
Group list | 5.2 | List one group (4.1) with filter via query to resource endpoint.
Group list | 5.3 | List groups (4.1) with attributes parameter via query to resource endpoint.
Group update | 6.1 | Add user (1.1) to group (4.1) via PUT.
Group update | 6.2 | Remove user (1.1) from group (4.1) via PUT.
Group update | 6.3 | Add user (1.1) to group (4.1) via PATCH.
Group update | 6.4 | Remove user (1.1) from group (4.1) via PATCH.
User deletion | 7.1 | Delete user (1.1).
Bulk operation | 8.1 | Create two users.
Bulk operation | 8.2 | Update two users (8.1) via PATCH.
Bulk operation | 8.3 | Create two users via PUT, then create group via PUT with users' id attribute.
Bulk operation | 8.4 | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3).
ServiceProviderConfig retrieval | 9.1 | Retrieve service provider config.
Schema retrieval | 10.1 | Retrieve user and group schemas.
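The test matrix above is a sequence of SCIM 1.1 operations against a service provider. The following is an added example, not code from the interop event or from any participating vendor: an in-memory model of a SCIM 1.1 service provider (class and function names such as ScimServiceProvider and run_interop_tests are assumptions) that implements the operations the matrix exercises, namely create (POST), list with the attributes parameter and with a filter, full replacement (PUT), partial update (PATCH, including SCIM 1.1's "operation": "delete" form for removing a group member), and delete, then replays tests 1.1 to 7.1 against it. Bulk operations (8.x), native password verification (3.3), ServiceProviderConfig (9.1) and schema retrieval (10.1) are not modelled.

```python
"""In-memory model of a SCIM 1.1 service provider driven through the CIS13
interop steps. Added example, not code from the interop event or any vendor;
class and function names are assumptions."""
import copy
import itertools
import re

CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core schema URN (Users and Groups)
_FILTER = re.compile(r'^(\w+) (eq|co|sw) "([^"]*)"$')  # small SCIM 1.1 filter subset


class ScimError(Exception):
    """Carries the HTTP status a real service provider would return."""

    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


class ScimServiceProvider:
    """Users and Groups resources with the SCIM 1.1 operations the tests use."""

    def __init__(self):
        self.store = {"Users": {}, "Groups": {}}
        self._ids = itertools.count(1)

    def create(self, kind, resource):  # POST /Users or /Groups
        if CORE not in resource.get("schemas", []):
            raise ScimError(400, "missing core schema URN")
        rid = str(next(self._ids))
        self.store[kind][rid] = dict(copy.deepcopy(resource), id=rid)
        return self.get(kind, rid)

    def get(self, kind, rid, attributes=None):  # GET /Users/{id}?attributes=...
        if rid not in self.store[kind]:
            raise ScimError(404, f"{kind}/{rid} not found")
        return self._project(self.store[kind][rid], attributes)

    def query(self, kind, attributes=None, filter_expr=None):  # GET /Users?filter=...
        found = list(self.store[kind].values())
        if filter_expr:
            m = _FILTER.match(filter_expr)
            if not m:
                raise ScimError(400, "unsupported filter")
            attr, op, val = m.groups()
            test = {"eq": val.__eq__, "co": lambda a: val in a,
                    "sw": lambda a: a.startswith(val)}[op]
            found = [r for r in found if isinstance(r.get(attr), str) and test(r[attr])]
        return {"schemas": [CORE], "totalResults": len(found),
                "Resources": [self._project(r, attributes) for r in found]}

    def replace(self, kind, rid, resource):  # PUT: whole-resource replacement
        self.get(kind, rid)
        self.store[kind][rid] = dict(copy.deepcopy(resource), id=rid)
        return self.get(kind, rid)

    def patch(self, kind, rid, changes):  # PATCH: SCIM 1.1 partial update
        stored = self.store[kind][rid] if self.get(kind, rid) else None
        for attr in changes.get("meta", {}).get("attributes", []):
            stored.pop(attr, None)  # meta.attributes clears whole attributes
        for attr, value in changes.items():
            if attr in ("schemas", "meta", "id"):
                continue
            if isinstance(value, list):  # multi-valued: merge, or delete by value
                current = stored.setdefault(attr, [])
                for item in value:
                    if item.get("operation") == "delete":
                        current[:] = [c for c in current if c["value"] != item["value"]]
                    elif item not in current:
                        current.append(copy.deepcopy(item))
            else:
                stored[attr] = value  # single-valued: overwrite
        return self.get(kind, rid)

    def delete(self, kind, rid):  # DELETE /Users/{id}
        self.get(kind, rid)
        del self.store[kind][rid]

    @staticmethod
    def _project(resource, attributes):
        if attributes is None:
            return copy.deepcopy(resource)
        keep = set(attributes) | {"id", "schemas"}  # id is always returned
        return {k: copy.deepcopy(v) for k, v in resource.items() if k in keep}


def run_interop_tests():
    """Replay tests 1.1 - 7.1 of the matrix (constructed data); returns {test: passed}."""
    sp, ok = ScimServiceProvider(), {}
    users = [sp.create("Users", {"schemas": [CORE], "userName": f"user{i}@example.com",
                                  "displayName": f"User {i}"}) for i in range(5)]
    uid = users[0]["id"]
    ok["1.1"] = sp.query("Users")["totalResults"] == 5
    one = sp.get("Users", uid, attributes=["userName"])
    ok["2.1"] = "userName" in one and "displayName" not in one
    ok["2.2"] = sp.query("Users", filter_expr='userName eq "user0@example.com"')["totalResults"] == 1
    ok["2.3"] = all("displayName" not in r
                    for r in sp.query("Users", attributes=["userName"])["Resources"])
    put = sp.replace("Users", uid, {"schemas": [CORE], "userName": "user0@example.com"})
    ok["3.1"] = "displayName" not in put  # PUT drops attributes that were not sent
    ok["3.2"] = sp.patch("Users", uid, {"schemas": [CORE], "displayName": "Renamed"})["displayName"] == "Renamed"
    g1, _g2 = (sp.create("Groups", {"schemas": [CORE], "displayName": n}) for n in ("admins", "staff"))
    ok["4.1"] = sp.query("Groups")["totalResults"] == 2
    ok["5.2"] = sp.query("Groups", filter_expr='displayName sw "adm"')["Resources"][0]["id"] == g1["id"]
    gid = g1["id"]
    ok["6.1"] = sp.replace("Groups", gid, {"schemas": [CORE], "displayName": "admins",
                                           "members": [{"value": uid}]})["members"] == [{"value": uid}]
    ok["6.2"] = "members" not in sp.replace("Groups", gid, {"schemas": [CORE], "displayName": "admins"})
    ok["6.3"] = sp.patch("Groups", gid, {"schemas": [CORE], "members": [{"value": uid}]})["members"] == [{"value": uid}]
    ok["6.4"] = sp.patch("Groups", gid, {"schemas": [CORE],
                                         "members": [{"value": uid, "operation": "delete"}]})["members"] == []
    sp.delete("Users", uid)
    try:
        sp.get("Users", uid)
        ok["7.1"] = False
    except ScimError as err:
        ok["7.1"] = err.status == 404
    return ok
```

The two update paths are where interop most often broke in the matrices that follow: PUT replaces the whole resource, so a consumer that sends a partial PUT silently strips attributes (test 3.1 checks exactly that), while SCIM 1.1 PATCH merges multi-valued attributes and only removes a member when the value carries "operation": "delete" (tests 6.3 and 6.4).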

Page 7: CIS13: SCIM Interop

unboundid (sp) <-> pingfederate

Test # | unboundid | pingfederate | Test name
1.1 | yes | yes | Create five users.
2.1 | yes | no | List one user (1.1) with attributes parameter via query to resource.
2.2 | yes | no | List one user (1.1) with filter via query to resource endpoint.
2.3 | yes | no | List users (1.1) with attributes parameter via query to resource endpoint.
3.1 | yes | yes | Update user (1.1) via PUT.
3.2 | yes | no | Update user (1.1) via PATCH.
3.3 | yes | no | Change password for user (1.1). Verify by authenticating with server natively if possible.
4.1 | yes | no | Create two groups.
5.1 | yes | no | List one group (4.1) with attributes parameter via query to resource.
5.2 | yes | no | List one group (4.1) with filter via query to resource endpoint.
5.3 | yes | no | List groups (4.1) with attributes parameter via query to resource endpoint.
6.1 | yes | no | Add user (1.1) to group (4.1) via PUT.
6.2 | yes | no | Remove user (1.1) from group (4.1) via PUT.
6.3 | yes | no | Add user (1.1) to group (4.1) via PATCH.
6.4 | yes | no | Remove user (1.1) from group (4.1) via PATCH.
7.1 | yes | yes | Delete user (1.1).
8.1 | yes | no | Create two users.
8.2 | yes | no | Update two users (8.1) via PATCH.
8.3 | yes | no | Create two users via PUT, then create group via PUT with users' id attribute.
8.4 | yes | no | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3).
9.1 | yes | no | Retrieve service provider config.
10.1 | yes | no | Retrieve user and group schemas.

Page 8: CIS13: SCIM Interop

unboundid (sp) <-> pingone

Test # | unboundid | pingone | Test name ("-" = no result recorded on the slide)
1.1 | yes | yes | Create five users.
2.1 | yes | yes | List one user (1.1) with attributes parameter via query to resource.
2.2 | yes | - | List one user (1.1) with filter via query to resource endpoint.
2.3 | yes | - | List users (1.1) with attributes parameter via query to resource endpoint.
3.1 | yes | yes | Update user (1.1) via PUT.
3.2 | yes | - | Update user (1.1) via PATCH.
3.3 | yes | - | Change password for user (1.1). Verify by authenticating with server natively if possible.
4.1 | yes | yes | Create two groups.
5.1 | yes | - | List one group (4.1) with attributes parameter via query to resource.
5.2 | yes | - | List one group (4.1) with filter via query to resource endpoint.
5.3 | yes | - | List groups (4.1) with attributes parameter via query to resource endpoint.
6.1 | yes | yes | Add user (1.1) to group (4.1) via PUT.
6.2 | yes | yes | Remove user (1.1) from group (4.1) via PUT.
6.3 | yes | - | Add user (1.1) to group (4.1) via PATCH.
6.4 | yes | - | Remove user (1.1) from group (4.1) via PATCH.
7.1 | yes | yes | Delete user (1.1).
8.1 | yes | - | Create two users.
8.2 | yes | - | Update two users (8.1) via PATCH.
8.3 | yes | - | Create two users via PUT, then create group via PUT with users' id attribute.
8.4 | yes | - | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3).
9.1 | yes | yes | Retrieve service provider config.
10.1 | yes | yes | Retrieve user and group schemas.

Page 9: CIS13: SCIM Interop

salesforce (sp) <-> sailpoint

Test # | salesforce | sailpoint | Test name ("-" = no result recorded on the slide)
1.1 | yes | yes | Create five users.
2.1 | yes | no | List one user (1.1) with attributes parameter via query to resource.
2.2 | no | - | List one user (1.1) with filter via query to resource endpoint.
2.3 | yes | yes | List users (1.1) with attributes parameter via query to resource endpoint.
3.1 | no | - | Update user (1.1) via PUT.
3.2 | yes | no | Update user (1.1) via PATCH.
3.3 | no | - | Change password for user (1.1). Verify by authenticating with server natively if possible.
4.1 | yes | - | Create two groups.
5.1 | no | - | List one group (4.1) with attributes parameter via query to resource.
5.2 | no | - | List one group (4.1) with filter via query to resource endpoint.
5.3 | list only | yes | List groups (4.1) with attributes parameter via query to resource endpoint.
6.1 | no | - | Add user (1.1) to group (4.1) via PUT.
6.2 | no | - | Remove user (1.1) from group (4.1) via PUT.
6.3 | yes (Entitlements) | no | Add user (1.1) to group (4.1) via PATCH.
6.4 | yes (Entitlements) | no | Remove user (1.1) from group (4.1) via PATCH.
7.1 | yes (Deactivate) | yes | Delete user (1.1).
8.1 | no | - | Create two users.
8.2 | no | - | Update two users (8.1) via PATCH.
8.3 | no | - | Create two users via PUT, then create group via PUT with users' id attribute.
8.4 | no | - | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3).
9.1 | yes | yes | Retrieve service provider config.
10.1 | user only | yes | Retrieve user and group schemas.

Page 10: CIS13: SCIM Interop

salesforce (sp) <-> wso2

Test # | salesforce | wso2 | Test name
1.1 | yes | yes | Create five users.
2.1 | yes | no | List one user (1.1) with attributes parameter via query to resource.
2.2 | no | yes (for userName attribute only) | List one user (1.1) with filter via query to resource endpoint.
2.3 | yes | no | List users (1.1) with attributes parameter via query to resource endpoint.
3.1 | no | yes | Update user (1.1) via PUT.
3.2 | yes | no | Update user (1.1) via PATCH.
3.3 | no | yes | Change password for user (1.1). Verify by authenticating with server natively if possible.
4.1 | yes | yes | Create two groups.
5.1 | no | no | List one group (4.1) with attributes parameter via query to resource.
5.2 | no | yes | List one group (4.1) with filter via query to resource endpoint.
5.3 | list only | no | List groups (4.1) with attributes parameter via query to resource endpoint.
6.1 | no | yes | Add user (1.1) to group (4.1) via PUT.
6.2 | no | yes | Remove user (1.1) from group (4.1) via PUT.
6.3 | yes (Entitlements) | no | Add user (1.1) to group (4.1) via PATCH.
6.4 | yes (Entitlements) | no | Remove user (1.1) from group (4.1) via PATCH.
7.1 | yes (Deactivate) | yes | Delete user (1.1).
8.1 | no | yes | Create two users.
8.2 | no | no | Update two users (8.1) via PATCH.
8.3 | no | no | Create two users via PUT, then create group via PUT with users' id attribute.
8.4 | no | no | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3).
9.1 | yes | no | Retrieve service provider config.
10.1 | user only | no | Retrieve user and group schemas.

Page 11: CIS13: SCIM Interop

salesforce (sp) <-> pingfederate

Test # | salesforce | pingfederate | Test name
1.1 | yes | yes | Create five users.
2.1 | yes | no | List one user (1.1) with attributes parameter via query to resource.
2.2 | no | no | List one user (1.1) with filter via query to resource endpoint.
2.3 | yes | no | List users (1.1) with attributes parameter via query to resource endpoint.
3.1 | no | yes | Update user (1.1) via PUT.
3.2 | yes | no | Update user (1.1) via PATCH.
3.3 | no | no | Change password for user (1.1). Verify by authenticating with server natively if possible.
4.1 | yes | no | Create two groups.
5.1 | no | no | List one group (4.1) with attributes parameter via query to resource.
5.2 | no | no | List one group (4.1) with filter via query to resource endpoint.
5.3 | list only | no | List groups (4.1) with attributes parameter via query to resource endpoint.
6.1 | no | no | Add user (1.1) to group (4.1) via PUT.
6.2 | no | no | Remove user (1.1) from group (4.1) via PUT.
6.3 | yes (Entitlements) | no | Add user (1.1) to group (4.1) via PATCH.
6.4 | yes (Entitlements) | no | Remove user (1.1) from group (4.1) via PATCH.
7.1 | yes (Deactivate) | yes | Delete user (1.1).
8.1 | no | no | Create two users.
8.2 | no | no | Update two users (8.1) via PATCH.
8.3 | no | no | Create two users via PUT, then create group via PUT with users' id attribute.
8.4 | no | no | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3).
9.1 | yes | no | Retrieve service provider config.
10.1 | user only | no | Retrieve user and group schemas.

Page 12: CIS13: SCIM Interop

pingfederate (sp) <-> sailpoint

Test # | pi pingfederate | sailpoint | Test name ("-" = no result recorded on the slide)
1.1 | yes | yes | Create five users.
2.1 | yes | no | List one user (1.1) with attributes parameter via query to resource.
2.2 | no | - | List one user (1.1) with filter via query to resource endpoint.
2.3 | no | - | List users (1.1) with attributes parameter via query to resource endpoint.
3.1 | yes | yes | Update user (1.1) via PUT.
3.2 | no | - | Update user (1.1) via PATCH.
3.3 | yes | yes | Change password for user (1.1). Verify by authenticating with server natively if possible.
4.1 | no | - | Create two groups.
5.1 | no | - | List one group (4.1) with attributes parameter via query to resource.
5.2 | no | - | List one group (4.1) with filter via query to resource endpoint.
5.3 | no | - | List groups (4.1) with attributes parameter via query to resource endpoint.
6.1 | no | - | Add user (1.1) to group (4.1) via PUT.
6.2 | no | - | Remove user (1.1) from group (4.1) via PUT.
6.3 | no | - | Add user (1.1) to group (4.1) via PATCH.
6.4 | no | - | Remove user (1.1) from group (4.1) via PATCH.
7.1 | yes | yes | Delete user (1.1).
8.1 | no | - | Create two users.
8.2 | no | - | Update two users (8.1) via PATCH.
8.3 | no | - | Create two users via PUT, then create group via PUT with users' id attribute.
8.4 | no | - | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3).
9.1 | yes | yes | Retrieve service provider config.
10.1 | no | - | Retrieve user and group schemas.

Page 13: CIS13: SCIM Interop

wso2 (sp) <-> pingone

Test # | wso2 | pingone | Test name
1.1 | yes | yes | Create five users.
2.1 | no | NA | List one user (1.1) with attributes parameter via query to resource.
2.2 | yes (for userName attribute only) | yes | List one user (1.1) with filter via query to resource endpoint.
2.3 | no | NA | List users (1.1) with attributes parameter via query to resource endpoint.
3.1 | yes | yes | Update user (1.1) via PUT.
3.2 | no | NA | Update user (1.1) via PATCH.
3.3 | yes | yes | Change password for user (1.1). Verify by authenticating with server natively if possible.
4.1 | yes | yes | Create two groups.
5.1 | no | NA | List one group (4.1) with attributes parameter via query to resource.
5.2 | yes | yes | List one group (4.1) with filter via query to resource endpoint.
5.3 | no | NA | List groups (4.1) with attributes parameter via query to resource endpoint.
6.1 | yes | yes | Add user (1.1) to group (4.1) via PUT.
6.2 | yes | yes | Remove user (1.1) from group (4.1) via PUT.
6.3 | no | NA | Add user (1.1) to group (4.1) via PATCH.
6.4 | no | NA | Remove user (1.1) from group (4.1) via PATCH.
7.1 | yes | yes | Delete user (1.1).
8.1 | yes | yes | Create two users.
8.2 | no | NA | Update two users (8.1) via PATCH.
8.3 | no | no | Create two users via PUT, then create group via PUT with users' id attribute.
8.4 | no | NA | Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3).
9.1 | no | NA | Retrieve service provider config.
10.1 | no | NA | Retrieve user and group schemas.

Page 14: CIS13: SCIM Interop
Page 15: CIS13: SCIM Interop
Page 16: CIS13: SCIM Interop
Page 17: CIS13: SCIM Interop

Figure: UnboundID deployment. Active Directory or Oracle Directory Server is monitored for user changes (Create, Update, Delete/Disable); the SCIM Consumer sends Create, Update, Delete Users over SCIM to the SCIM Service Provider at the SaaS Provider.

Benefits
• Synchronize local corporate directory accounts with the UnboundID Identity Data Platform

Page 18: CIS13: SCIM Interop

Figure: Active Directory or Oracle Directory Server is monitored for user changes (Create, Update, Delete/Disable); the SCIM Consumer sends Create, Update, Disable Users over SCIM to the SCIM Service Provider, and users sign on with SAML SSO.

Benefits
• Synchronize local corporate directory accounts with Salesforce
• Enable Single Sign-On between workforce to Salesforce

Page 19: CIS13: SCIM Interop

Figure: on-premises Active Directory with PingFederate (SCIM Service Provider and SCIM Consumer) and hosted IdentityIQ (SCIM Service Provider). Flows: (1) Identity pull via SCIM, (2) Identity push via SCIM, (3) Add/Delete/Modify, (4) Kerberos SSO, (5) SAML SSO for the User.

Benefits
* Authoritative cloud identity store
* Workflow, identity and access governance
* SSO from Desktop to SaaS
* Seamless provisioning

Page 20: CIS13: SCIM Interop

CRUD users and access using SSO

Figure: authentication over RDP, HTTP, SAML and X509; SAML against User Storages holding user attributes and user data.

Benefits:
• Easier onboarding of new services
• Identity life cycle management
• Easier single sign on
• Control access to local or cloud systems

Page 21: CIS13: SCIM Interop

CRUD users and access using SSO

Figure: authentication over RDP, HTTP and X509; SAML against User Storages holding user attributes and user data.

Benefits:
• Easier onboarding of new services
• Identity life cycle management
• Easier single sign on
• Control access to local or cloud systems

Page 22: CIS13: SCIM Interop