SCIM Overview
DESCRIPTION
Slides presented at the Bay Area Identity Developers meetup in June 2014. Covers an overview of SCIM, its history, the schema, and protocol semantics.
TRANSCRIPT
© 2014 Cisco and/or its affiliates. All rights reserved.
Morteza Ansari
SCIM Overview
June 23, 2014
Agenda
• History
• Use Cases
• Schema
• Protocol
• References
History
• Started 2010
• Really started May 2011
• 12 companies participated under OWF (Open Web Foundation agreement): ADP, BCP Soft, Canarie, Cisco, Courion, Id Machines, Ping Identity, Nexus, Sailpoint, SalesForce, UnboundID, WSO2
• 1.0 was published Dec. 2011
• 12 independent implementations
• Frequent interop events at IIW, CIS, and one at IETF
• IETF BOF Mar. 2012
• IETF WG Jul. 2012
Use Cases
• How do I provision a user account for service X?
• How do I de-provision a user account from service X?
• How do I update an existing account for service X?
• How do I keep my organization’s users in sync with service X?
• How do I manage groups?
• How do I cross-provision across cloud services?
Use Cases
• User/Group provisioning from Enterprise to Cloud
• User/Group provisioning from cloud service to cloud service
• Is used in many, many more cases today
  Enterprise provisioning/cross provisioning
  Identity access
  Many new endpoints: machines, contacts, tenants, devices, …
What is a User?
dn: cn=HomerJSimpson,o=domain-name
cn: HomerJSimpson
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: [email protected]
givenname: Homer
sn: Simpson
postalAddress: 742 Evergreen Terrace
l: Springfield
st: Kentsouri
postalCode: 01234
telephoneNumber: (888) 555-1111
jpegPhoto: http://www.simpsons.com/homer.jpg
…
Why not SPML?
• OASIS Standard (1.0 – 2003; 2.0 – 2006)
• No core Schema
• Complex – real or perceived
• Some traction within enterprises, none for cloud services
• Limited support - few tools/products
“Built it, nobody came!”
What is SCIM?
• Set of pre-defined schema – Users & Groups
• RESTful API definition
• CRUD
• Bulk operations
• Search
• Discovery
• Extension semantics (basic in 1.x)
• Support for complex data models
• SIMPLE!!!
Schema
• Rich information model
• XML & JSON data models
• Concrete artifacts: Users & Groups
• Usage semantics: MTI & recommended
• Extensibility: Enterprise User
Schema
• Resource is an attribute container
• An attribute is Simple or Complex
  Single value or Plural
• Extensible
• Data type added in 2.0
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "701984",
  "userName": "[email protected]",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara",
    "middleName": "Jane",
    "honorificPrefix": "Ms.",
    "honorificSuffix": "III"
  },
  "displayName": "Babs Jensen",
  "nickName": "Babs",
  "profileUrl": "https://login.example.com/bjensen",
  "emails": [
    { "value": "[email protected]", "type": "work", "primary": true },
    { "value": "[email protected]", "type": "home" }
  ],
  "meta": {
    "created": "2010-01-23T04:56:22Z",
    "lastModified": "2011-05-13T04:42:34Z",
    "version": "W\/\"a330bc54f0671c9\"",
    "location": "https://example.com/v1/Users/2819c223-7f76"
  }
}
Example: User
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v1/Users/2819c223...",
    "version": "W\/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    { "value": "555-555-8377", "type": "work" }
  ]
}
Slide callouts: Required; Complex; Simple; Complex multi-valued
Example: Extended User
{
  "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "userName": "bjensen",
  "urn:scim:schemas:extension:enterprise:1.0": {
    "employeeNumber": "701984",
    "costCenter": "4130",
    "organization": "Universal Studios",
    "division": "Theme Park",
    "department": "Tour Operations",
    "manager": {
      "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
      "displayName": "John Smith"
    }
  }
}
Slide callouts: Declaration (the extension URN listed in "schemas"); Use (the extension URN as the key holding the extension attributes)
Example: Group
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "displayName": "Tour Guides",
  "members": [
    { "value": "2819c223-7f76-453a-919d-413861904646", "displayName": "Babs Jensen", "type": "User" },
    { "value": "4769c303-ab76-673a-769d-413867987436", "displayName": "Mandy Pepperidge", "type": "User" }
  ]
}
Slide callouts: Type (User|Group); Optional & Read-only
Protocol
• HTTP/REST
• CRUD
• Bulk
• Search
• Discovery
• Simple MTI, Complex optional
• Extensible
• Versioned
• “cURL” friendly
Operations
• Discovery
• Create = POST https://example.com/{v}/{resource}
• Read = GET https://example.com/{v}/{resource}/{id}
• Update = PUT https://example.com/{v}/{resource}/{id}
• Delete = DELETE https://example.com/{v}/{resource}/{id}
• Update = PATCH https://example.com/{v}/{resource}/{id}
• Search = GET https://example.com/{v}/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending|descending}
• Bulk
Discovery
• GET /Schemas
  Introspect resources and attribute extensions
• GET /ServiceProviderConfigs
  Spec compliance
  Support for bulk, patch, etc.
  Authentication schemes: OAuth, HTTP basic, etc.
  Data formats: support for XML
Create Request
POST /v1/Users HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}
Slide callouts: Operation; Resource Type; Format; AuthZ; "User" Payload
Create Response
HTTP/1.1 201 Created
Content-Type: application/json
Location: https://example.com/v1/Users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v1/Users/281...",
    "version": "W\/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen"
}
Slide callouts: Result code; Format; "Permalink"; SP generated ID
Get Request
GET /v1/Users/2819c223-7f76-453a-919d-413861904646.json
Host: example.com
Authorization: Bearer h480djs93hd8
Slide callouts: Operation; Resource Type; Stable ID; Format
Get Response
HTTP/1.1 200 OK
Content-Type: application/json
Location: https://example.com/v1/Users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v1/Users/281...",
    "version": "W\/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen"
}
Slide callouts: Result code; Format; "Permalink"; SP ID
Search Request
GET /v1/Users?filter=title pr and userType eq "Employee"&sortBy=title&sortOrder=ascending&attributes=title,username&startIndex=11&count=10
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
Slide callouts: Operation; Resource Type; URL encoded filter (shown unencoded for readability); Sorting; Partial results; Index-based pagination
Search Response
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "totalResults": 2,
  "Resources": [
    { "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97", "title": "Assistant VP", "userName": "bjensen" },
    { "id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57", "title": "VP", "userName": "jsmith" }
  ]
}
Slide callouts: Pagination (totalResults); Users (Resources); SP ID ever present (id)
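The Search Request and Search Response slides above describe filter, sortBy/sortOrder, attributes and startIndex/count without showing how a service provider evaluates them. The following is an added example (not code from the deck or any SCIM implementation): a minimal SCIM 1.1 filter evaluator plus the search pipeline, run against constructed sample users. It assumes the caller has already URL-decoded the filter, and it treats comparisons as case-insensitive strings, which is enough for the operators the deck lists.

```python
import re

USERS = [  # constructed sample resources, not from the deck
    {"id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97", "userName": "bjensen", "title": "Assistant VP", "userType": "Employee"},
    {"id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57", "userName": "jsmith", "title": "VP", "userType": "Employee"},
    {"id": "0f1e2d3c-0000-4000-8000-000000000001", "userName": "tsmith", "userType": "Contractor"},
]

_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')  # a quoted string or a bare word

def _get(resource, attr):  # SCIM attribute names are case-insensitive
    return next((v for k, v in resource.items() if k.lower() == attr.lower()), None)

def _match(op, actual, expected):  # SCIM 1.1 operators; comparisons are case-insensitive strings
    if op == "pr":
        return actual not in (None, "", [], {})
    a, e = str(actual).lower(), expected.lower()
    return actual is not None and {"eq": a == e, "co": e in a, "sw": a.startswith(e),
                                   "gt": a > e, "ge": a >= e, "lt": a < e, "le": a <= e}[op]

def parse_filter(expr):
    """SCIM 1.1 filter: 'attr op [value]' clauses joined by and/or (no grouping parentheses in 1.x)."""
    tokens, groups = _TOKEN.findall(expr), [[]]       # groups = OR-list of AND-lists
    while tokens:
        attr, op = tokens.pop(0), tokens.pop(0).lower()
        value = None if op == "pr" else tokens.pop(0).strip('"')
        groups[-1].append((op, attr, value))
        if tokens and tokens.pop(0).lower() == "or":   # 'and' keeps extending the current group
            groups.append([])
    return groups

def matches(groups, resource):
    return any(all(_match(op, _get(resource, attr), value) for op, attr, value in group)
               for group in groups)

def search(resources, filter_expr, sort_by=None, sort_order="ascending",
           attributes=None, start_index=1, count=10):
    """Filter, sort, project and page (1-based startIndex) as in the Search Request slide."""
    groups = parse_filter(filter_expr)
    hits = [r for r in resources if matches(groups, r)]
    if sort_by:
        hits.sort(key=lambda r: str(_get(r, sort_by) or "").lower(),
                  reverse=sort_order == "descending")
    page = hits[start_index - 1:start_index - 1 + count]
    if attributes:  # partial results: requested attributes plus the ever-present SP id
        keep = {a.lower() for a in attributes} | {"id"}
        page = [{k: v for k, v in r.items() if k.lower() in keep} for r in page]
    return {"schemas": ["urn:scim:schemas:core:1.0"], "totalResults": len(hits),
            "startIndex": start_index, "itemsPerPage": len(page), "Resources": page}
```

Running the slide's own filter, `title pr and userType eq "Employee"` with sortBy=title and attributes=title,username, against the sample users yields the two resources shown in the Search Response slide.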
Patch & Bulk
• PATCH
  Allows providing partial updates to resources
  May be important if modifying a large multi-valued attribute on a resource (e.g. group members)
• Bulk
  Allows performing many operations at once
  Useful for synchronizing data into a service provider
• Both are optional
Security Consideration
• TLS MTI
• Standard HTTP considerations apply
• Authentication is discoverable, OAuth bearer token recommended
• HTTP basic is commonly implemented for interoperability
• Authorization attributes are *VERY* loosely defined
  Roles, groups, and entitlements
Sensitive Data
{
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "password": "maybe_plaintext",
  "roles": [ { "value": "RA" } ],
  "groups": [ { "value": "2819c223-7f76-453a-919d-982763095", "display": "Student" } ],
  "entitlements": [ { "value": "delete users" } ]
}
Slide callouts: Password (password); AuthZ (roles, groups, entitlements)
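The Sensitive Data slide flags two things a service provider has to handle on its own: the password attribute that may arrive in clear text, and the loosely defined roles/groups/entitlements attributes. The following added example (not code from the deck or any SCIM product) shows one way a service provider can treat a POST /Users payload: hash the password before storing it and never echo it back, refuse authorization attributes from non-admin callers, and enforce the Declaration/Use rule from the Extended User slide. STORE, the example.com location prefix and the caller_is_admin flag are assumptions standing in for a real backend and access-control check.

```python
import hashlib, hmac, os, uuid
from datetime import datetime, timezone

CORE = "urn:scim:schemas:core:1.0"
WRITE_ONLY = {"password"}                          # accepted on input, never echoed back
AUTHZ_ATTRS = {"roles", "groups", "entitlements"}  # loosely defined in SCIM 1.x: treat as privileged
STORE = {}                                         # id -> stored resource (in-memory stand-in)

def _hash_password(password):
    """PBKDF2-SHA256 with a random salt; the service provider never keeps the clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

def validate_schemas(payload):
    """Declaration vs Use: every extension URN used as a key must be listed in 'schemas'."""
    declared = set(payload.get("schemas", []))
    if CORE not in declared:
        raise ValueError("core schema not declared")
    for key in payload:
        if key.startswith("urn:") and key not in declared:
            raise ValueError(f"extension {key} used but not declared in schemas")

def to_response(stored):
    """Representation returned by POST/GET: write-only attributes are dropped."""
    return {k: v for k, v in stored.items() if k not in WRITE_ONLY}

def create_user(payload, caller_is_admin=False):
    """POST /Users: validate schemas, gate authz attributes, hash the password, return the 201 body."""
    validate_schemas(payload)
    if not caller_is_admin and AUTHZ_ATTRS & set(payload):
        raise PermissionError("roles/groups/entitlements may only be set by an admin caller")
    stored = dict(payload)
    if "password" in stored:
        stored["password"] = _hash_password(stored["password"])
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    stored["id"] = str(uuid.uuid4())   # SP generated, stable ID
    stored["meta"] = {"created": now, "lastModified": now, "version": 'W/"1"',
                      "location": f"https://example.com/v1/Users/{stored['id']}"}
    STORE[stored["id"]] = stored
    return to_response(stored)

def get_user(user_id):
    """GET /Users/{id}: same projection, so the hash never leaves the service provider either."""
    return to_response(STORE[user_id])
```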
References
• http://www.simplecloud.info
• SCIM v1.1
  http://www.simplecloud.info/specs/draft-scim-core-schema-01.html
  http://www.simplecloud.info/specs/draft-scim-api-01.html
• SCIM v2.0
  http://tools.ietf.org/html/draft-ietf-scim-core-schema
  http://tools.ietf.org/html/draft-ietf-scim-api
  http://tools.ietf.org/html/draft-ietf-scim-use-cases
• IETF SCIM WG: http://tools.ietf.org/wg/scim/
• mailto: [email protected]
• Credit for slides: IETF WG, Trey Drake & Kelly Grizzle