SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014

Kelly Grizzle, Software Architect - SailPoint

Posted 15-Jan-2015 (55 slides)

DESCRIPTION

A relative "new kid" on the IAM standards block, the Simple Cloud Identity Management (SCIM) specification (expanded as System for Cross-domain Identity Management in the 2.0 drafts) was designed to be simple and to improve manageability and governance for cloud applications. It does not try to cover every provisioning use case, but rather supports the most common situations. Widespread adoption of the SCIM standard will, ultimately, simplify cloud-based IAM, making it more convenient and cost-effective for users to move into, out of and around the cloud. In this session, Kelly Grizzle, software architect at SailPoint, will outline why it is not only critical for IAM vendors to support SCIM, but also why SaaS vendors and their customers should support the standard to ensure it is widely available and simplifies how enterprises manage cloud apps as part of their overall IAM program. The presentation will also demonstrate the simplicity of the SCIM specification as well as some of the available open source tools that allow it to be easily integrated into the IAM infrastructure.

TRANSCRIPT

Page 1: SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014

SCIM: Why It’s More Important, and More Simple, Than You Think

Kelly Grizzle, Software Architect - SailPoint

Page 2

Copyright © SailPoint Technologies, Inc. 2013 All rights reserved. 2

Agenda

• What is SCIM?
• Why is it important?
• How is it being used?
• Deeper Dive
• How simple is it?

Page 3

What is SCIM?

Page 4

System for Cross-Domain Identity Management*

* And yes … it is also simple

Page 5

What is SCIM?

• SCIM is a standard that defines schema and protocol for identity management.
• Schema
  - Users and Groups
  - Extensible
  - JSON
• Protocol
  - REST
  - CRUD + Search + Discovery + Bulk

Page 6

Identity Protocol Landscape

[Diagram with three columns: Provisioning, Authentication, Authorization]

Page 7

What problems does SCIM solve?

• How do I keep my organization’s users in sync with service X?
  - How do I provision a user account for service X?
  - How do I deprovision a user account from service X?
  - How do I update an existing account for service X?
• How do I manage groups?
  - How do I add or remove users from groups to give them the correct level of access?
  - How do I create new groups?

Page 8

An example speaks 1111101000 words…

POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Authorization: Bearer h480djs93hd8
Content-Length: ...

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}

Page 9

History Lesson

• July ‘10: Conceived at CIS
• May ‘11: Work starts under OWF
• Dec ‘11: Version 1.0
• June/July ‘12: IETF WG chartered; Version 1.1
• Late ‘14: Version 2.0 (the expectation at the time of the talk; the final SCIM 2.0 RFCs, 7643 and 7644, were published in September 2015)

Page 10

Why is SCIM important?

Page 11

A typical environment

[Diagram; the only surviving label is "Firewall"]

Page 12

That’s the typical case … Ouch!

• Environments are complex
  - Many systems both on-prem and off-prem
• Every system has to deal with identity
  - Name, email, title, custom meta-information, entitlements, …
• Identity must be maintained across systems
  - Need one-way and often two-way synchronization
• Authorization is often driven from an external system
  - Example: Active Directory groups drive groups and permissions in other applications.

Page 13

Other common pain points

• Mergers and acquisitions
  - Need to quickly connect applications after M&A
• BYOA (bring your own app)
  - Proliferation of SaaS apps has led to using applications that IT does not even know about
• Mobile
  - Another case of BYOA where mobile apps need identity information

Page 14

How is identity management done?

• Manual hand-entry
  - Error prone and slow
• Bulk upload
  - High latency – often a one-time operation
• Custom APIs and connectors
  - High cost to develop against
  - Proprietary to each service provider
• SAML Just-in-Time Provisioning
  - No pre-provisioning
  - No deprovisioning

Page 15

And then … there’s SCIM

• Low cost to develop
  - Write once and reuse
  - Open source libraries
  - Well-known and agreed upon standard
• Handles full lifecycle of identity
  - Create, update, AND delete
• Real-time
  - No waiting for manual intervention

Page 16

Who else thinks SCIM is important?

Page 17

How is SCIM being used?

Page 18

Surprisingly – not just in the cloud

• SCIM was initially created with cloud use cases in mind
• It turns out that a common language to move identities on-premises is really useful
• This is some of the first “real world” adoption of SCIM
• Case study: Large company with 3500 connected applications and 82,000 users moved to SCIM for internal systems

Page 19

In the enterprise

[Diagram; the only surviving label is "Firewall"]

Page 20

Unsurprisingly – also in the cloud

• SaaS providers have started implementing SCIM for their identity APIs
  - Salesforce.com, Cisco Webex, etc…
• Clients call these APIs from an on-premises identity management system to manage identities

Page 21

Ground to cloud

[Diagram; surviving labels: Firewall, SCIM, Proprietary]

Page 22

Cloud Identity Bridge

• Important when on-premises applications need to be managed from the cloud
• Allows a single, secured SCIM channel through the firewall
• Translates SCIM requests to native APIs behind the firewall

Page 23

Cloud to ground

[Diagram; surviving labels: Firewall, Identity Bridge, Cloud Identity Management Provider, SCIM, Native APIs]

Page 24

Deeper Dive

Schema

Page 25

Schema

• Core models for User and Group
• JSON representation
• Extensible
  - Extend existing resources (eg – enterprise user)
  - Define new resources (eg – role, entitlement, device)
  - JSON format for describing schema
  - Standard data types and references between objects

http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/

Page 26

Example: User

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v2/Users/2819c223...",
    "version": "W\/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    { "value": "555-555-8377", "type": "work" }
  ]
}

Slide callouts: Required ("schemas", "id", "userName"), Complex ("name", "meta"), Simple ("userName"), Multi-valued ("phoneNumbers"), Object type ("meta.resourceType").

Page 27

Example: Extended User

{
  "schemas": [
    "urn:scim:schemas:core:2.0:User",
    "urn:scim:schemas:extension:enterprise:2.0:User"
  ],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "userName": "bjensen",
  "urn:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "701984",
    "costCenter": "4130",
    "organization": "Universal Studios",
    "division": "Theme Park",
    "department": "Tour Operations",
    "manager": {
      "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
      "$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d",
      "displayName": "John Smith"
    }
  }
}

Slide callouts: Declaration (the extension URN listed in "schemas"), Use (the attributes nested under that URN).

Page 28

Deeper Dive

API

Page 29

Operations

• Create = POST https://example.com/{v}/{resource}
• Read = GET https://example.com/{v}/{resource}/{id}
• Update = PUT https://example.com/{v}/{resource}/{id}
• Delete = DELETE https://example.com/{v}/{resource}/{id}
• *Update = PATCH https://example.com/{v}/{resource}/{id}
• *Search = GET https://example.com/{v}/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending|descending}&startIndex={start}&count={maxResults}
• *Bulk

* Optional for a service provider; a client learns which of these are supported from the service provider configuration endpoint.
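The Search line above gives only the shape of a filter. What follows is an added example, written for this page rather than taken from the deck or from any of the libraries it names: a Python parser and in-memory evaluator for the SCIM 2.0 filter grammar of RFC 7644 section 3.4.2.2 (attribute expressions with eq, ne, co, sw and ew, and/or/not with parentheses, and value paths such as emails[type eq "work"]). The point a service provider should take from it is that the client's filter is parsed into a tree and evaluated, never spliced into a backend query string, so a search endpoint cannot become an injection point; malformed filters raise ValueError, which the provider maps to HTTP 400 with scimType invalidFilter. The two sample users and the case-insensitive matching default (caseExact false) are assumptions made for the example; the ordering operators gt, lt, ge and le are left out for brevity.

```python
"""SCIM 2.0 filter parser and in-memory evaluator (added example; not the deck's code)."""
import json
import re

TOKEN_RE = re.compile(r'\s+|"(?:[^"\\]|\\.)*"|[()\[\]]|[^\s()\[\]"]+')
COMPARE_OPS = {"eq", "ne", "co", "sw", "ew"}  # RFC 7644 also defines gt, lt, ge, le; omitted here for brevity
USERS = [  # constructed sample resources, not real accounts
    {"userName": "bjensen", "active": True, "name": {"familyName": "Jensen", "givenName": "Barbara"},
     "emails": [{"value": "bjensen@example.com", "type": "work"}]},
    {"userName": "jsmith", "active": False, "title": "Engineer", "name": {"familyName": "Smith"},
     "emails": [{"value": "john@home.example.org", "type": "home"}, {"value": "jsmith@example.com", "type": "work"}]},
]

class Parser:
    # Recursive descent over the filter tokens; precedence is or < and < not / parentheses / attribute expression.
    def __init__(self, text):
        self.toks = [t for t in TOKEN_RE.findall(text) if not t.isspace()]
        if "".join(TOKEN_RE.findall(text)) != text:  # an unmatched character (e.g. a stray quote) is an error
            raise ValueError("bad filter syntax")
        self.i = 0
    def peek(self):  # lower-cased so keywords and operators match case-insensitively
        return self.toks[self.i].lower() if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'an expression'}, got {tok!r}")
        self.i += 1
        return self.toks[self.i - 1]
    def expr(self, level=0):  # level 0 = "or" chain, 1 = "and" chain, 2 = unary
        if level == 2:
            return self.unary()
        op, node = ("or", "and")[level], self.expr(level + 1)
        while self.peek() == op:
            self.take()
            node = (op, node, self.expr(level + 1))
        return node
    def unary(self):
        negate = self.peek() == "not"
        if negate or self.peek() == "(":
            if negate:
                self.take()
            self.take("(")
            inner = self.expr()
            self.take(")")
            return ("not", inner) if negate else inner
        path = self.take()
        if path in "()[]" or path[0] == '"':
            raise ValueError(f"attribute path expected, got {path!r}")
        if self.peek() == "[":  # valuePath: emails[type eq "work"] applies the sub-filter to each element
            self.take()
            inner = self.expr()
            self.take("]")
            return ("any", path, inner)
        op = self.take().lower()
        if op not in COMPARE_OPS:
            raise ValueError(f"unknown operator {op!r}")
        try:
            return (op, path, json.loads(self.take()))  # compValue is a JSON literal: string, number, true/false/null
        except json.JSONDecodeError:
            raise ValueError("bad comparison value") from None

def lookup(resource, path):
    # Values at a dotted attribute path; names are case-insensitive and multi-valued attributes fan out.
    values = [resource]
    for part in path.split("."):
        values = [val for v in values for item in (v if isinstance(v, list) else [v])
                  if isinstance(item, dict) for key, val in item.items() if key.lower() == part.lower()]
    return [x for v in values for x in (v if isinstance(v, list) else [v])]

def compare(op, actual, expected):
    if isinstance(actual, dict):  # assumed: a complex value compares on its "value" sub-attribute
        actual = actual.get("value")
    if isinstance(actual, str) and isinstance(expected, str):
        actual, expected = actual.lower(), expected.lower()  # caseExact=false, the schema default
    if op in ("eq", "ne"):
        return (actual == expected) == (op == "eq")
    if not (isinstance(actual, str) and isinstance(expected, str)):
        return False  # substring operators only apply to strings
    return expected in actual if op == "co" else actual.startswith(expected) if op == "sw" else actual.endswith(expected)

def evaluate(node, resource):
    kind = node[0]
    if kind in ("and", "or"):
        left, right = evaluate(node[1], resource), evaluate(node[2], resource)
        return (left and right) if kind == "and" else (left or right)
    if kind == "not":
        return not evaluate(node[1], resource)
    values = lookup(resource, node[1])
    if kind == "any":  # the sub-filter must hold for at least one element of the multi-valued attribute
        return any(isinstance(v, dict) and evaluate(node[2], v) for v in values)
    return any(compare(kind, v, node[2]) for v in values)

def search(resources, filter_text):
    # userNames of the matching resources; a ValueError from the parser maps to HTTP 400, scimType invalidFilter.
    parser = Parser(filter_text)
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected {parser.peek()!r} after filter")
    return [r["userName"] for r in resources if evaluate(tree, r)]
```

Because every comparison runs on Python values, the backing store can be a database, LDAP or a native API without the filter text ever reaching it; the translation, if any, happens from the tree, not from the string.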

Page 30

Create Request

POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}

Slide callouts: Operation (POST), Resource Type (/v2/Users), AuthZ (the Authorization header), “User” Payload (the JSON body).

Page 31

Create Response

HTTP/1.1 201 Created
Content-Type: application/json
Location: https://example.com/v2/Users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v2/Users/281...",
    "version": "W\/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "Jensen",
    ...

Slide callouts: Result code (201 Created), “Permalink” (the Location header, repeated in meta.location), SP generated ID ("id").
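To make the create exchange on the last two slides concrete end to end, here is an added example (written for this page; not the deck's or SailPoint's code) of a minimal in-memory SCIM 2.0 service provider for /Users in Python. handle() takes one request as (method, path, headers, body) and returns (status, headers, body), so the whole sequence runs offline: the bearer-token check before any state is touched, the 201 Created with Location and ETag, the id generated by the service provider rather than taken from the client, a 409 with scimType uniqueness for a duplicate userName, a 412 when a PUT carries a stale If-Match, and 204 on delete. Assumptions: the RFC 7643/7644 URNs (urn:ietf:params:scim:...) instead of the draft-era ones on the slides, the deck's sample token h480djs93hd8 as the only valid bearer, the base URL https://example.com/v2, a weak ETag derived from a hash of the stored resource, and an unfiltered ListResponse for GET /Users.

```python
"""Minimal in-memory SCIM 2.0 service provider for /Users (added example; not the deck's code)."""
import hashlib
import json
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 URN (the deck shows the draft-era form)
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
BASE_URL = "https://example.com/v2"  # assumed
VALID_TOKEN = "h480djs93hd8"  # assumed: the deck's sample token is the only valid bearer
USERS = {}  # id -> stored resource

def _error(status, detail, scim_type=None):
    # RFC 7644 error body; "status" is a string there, and scimType names the failure class.
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, {}, body

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")

def _validate(body):
    if not isinstance(body, dict) or USER_SCHEMA not in body.get("schemas", []):
        return "schemas must list the core User schema"
    if not isinstance(body.get("userName"), str) or not body["userName"]:
        return "userName is required"
    return None

def _user_name_taken(user_name, except_id=None):
    # userName is unique per service provider, compared case-insensitively.
    return any(i != except_id and u["userName"].lower() == user_name.lower() for i, u in USERS.items())

def _store(user_id, body, created):
    # Client-supplied id/meta are discarded: those belong to the service provider.
    resource = {k: v for k, v in body.items() if k not in ("id", "meta")}
    resource["id"] = user_id
    resource["meta"] = {"resourceType": "User", "created": created, "lastModified": _now(),
                        "location": f"{BASE_URL}/Users/{user_id}"}
    digest = hashlib.sha256(json.dumps(resource, sort_keys=True).encode()).hexdigest()[:16]
    resource["meta"]["version"] = f'W/"{digest}"'  # weak ETag over the stored content
    USERS[user_id] = resource
    return resource

def handle(method, path, headers, body=None):
    """Serve one request. Returns (status, response headers, JSON body or None)."""
    if headers.get("Authorization") != f"Bearer {VALID_TOKEN}":  # authenticate before touching any state
        return _error(401, "missing or invalid bearer token")
    parts = path.strip("/").split("/")
    if parts[0] != "Users" or len(parts) > 2:
        return _error(404, f"no such endpoint {path}")
    user_id = parts[1] if len(parts) == 2 else None
    if user_id is None:
        if method == "GET":
            return 200, {}, {"schemas": [LIST_SCHEMA], "totalResults": len(USERS), "startIndex": 1,
                             "itemsPerPage": len(USERS), "Resources": list(USERS.values())}
        if method != "POST":
            return _error(405, f"{method} not supported on /Users")
        problem = _validate(body)
        if problem:
            return _error(400, problem, "invalidValue")
        if _user_name_taken(body["userName"]):
            return _error(409, "userName already exists", "uniqueness")
        resource = _store(str(uuid.uuid4()), body, _now())  # the id is generated here, never taken from the client
        return 201, {"Location": resource["meta"]["location"], "ETag": resource["meta"]["version"]}, resource
    current = USERS.get(user_id)
    if current is None:
        return _error(404, f"User {user_id} not found")
    if method == "GET":
        return 200, {"ETag": current["meta"]["version"]}, current
    if method == "PUT":
        if "If-Match" in headers and headers["If-Match"] != current["meta"]["version"]:
            return _error(412, "resource has changed since it was read")  # a stale writer must re-read, not clobber
        problem = _validate(body)
        if problem:
            return _error(400, problem, "invalidValue")
        if _user_name_taken(body["userName"], except_id=user_id):
            return _error(409, "userName already exists", "uniqueness")
        resource = _store(user_id, body, current["meta"]["created"])  # id and created survive a replace
        return 200, {"ETag": resource["meta"]["version"]}, resource
    if method == "DELETE":
        del USERS[user_id]
        return 204, {}, None
    return _error(405, f"{method} not supported on /Users/{{id}}")

def demo():
    """Run the deck's create/read/replace/delete flow plus the failure cases; returns the status codes seen."""
    auth = {"Authorization": f"Bearer {VALID_TOKEN}"}
    barbara = {"schemas": [USER_SCHEMA], "externalId": "bjensen", "userName": "bjensen",
               "name": {"familyName": "Jensen", "givenName": "Barbara"}}
    status, hdrs, created = handle("POST", "/Users", auth, barbara)
    uid = created["id"]
    return [status,
            handle("POST", "/Users", {}, barbara)[0],  # no token -> 401
            handle("POST", "/Users", auth, dict(barbara, userName="BJensen"))[0],  # duplicate userName -> 409
            handle("POST", "/Users", auth, {"schemas": [USER_SCHEMA]})[0],  # no userName -> 400
            handle("GET", f"/Users/{uid}", auth)[0],
            handle("PUT", f"/Users/{uid}", {**auth, "If-Match": 'W/"stale"'}, barbara)[0],  # stale ETag -> 412
            handle("PUT", f"/Users/{uid}", {**auth, "If-Match": hdrs["ETag"]}, dict(barbara, title="Architect"))[0],
            handle("DELETE", f"/Users/{uid}", auth)[0],
            handle("GET", f"/Users/{uid}", auth)[0]]  # gone -> 404
```

Calling demo() walks the sequence in order and returns the status codes [201, 401, 409, 400, 200, 412, 200, 204, 404]; a real service provider would sit behind TLS and validate the bearer token against its issuer rather than against a constant, but the order of checks (authenticate, route, validate, enforce uniqueness and version) is the part worth copying.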

Page 32

Discovery

• GET /Schemas
  - Defines primary object definitions and extensions
• GET /ResourceTypes
  - Defines available resources
  - endpoint URL, primary schema, schema extensions
• GET /ServiceProviderConfigs (singular, /ServiceProviderConfig, in the final SCIM 2.0 RFC 7644)
  - Spec compliance
  - Support for bulk, patch, etc…
  - Authentication schemes
    • OAuth, HTTP basic, etc…

Page 33

Deeper Dive

Extensions

Page 34

Extending an existing resource type

• The SCIM core schema objects – User and Group – try to cover the common 80%
• Almost always extended by service providers to add custom attributes
• Only two steps required:
  1. Create a new schema that contains the extended attributes
  2. Add the new schema to the schemaExtensions list for the resource type

Page 35

Extending – Schema

{
  "id": "urn:grizzle:1.0:ConferenceGoer",
  "name": "Conference Goer",
  "description": "Info about a person that attends CIS",
  "attributes": [{
    "name": "shirtSize",
    "type": "string",
    "multiValued": false,
    "description": "What conference doesn't have a t-shirt?",
    "required": false,
    "caseExact": false,
    "mutability": "readWrite",
    "returned": "always",
    "uniqueness": "none"
  }]
}

Note: "uniqueness" is "none" here. The slide had "server", which would require every user's shirtSize to be distinct across the whole service provider.

Page 36

Extending – Resource Type

{
  "schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
  "id": "User",
  "name": "User",
  "endpoint": "/Users",
  "description": "Core User",
  "schema": "urn:scim:schemas:core:2.0:User",
  "schemaExtensions": [{
    "schema": "urn:grizzle:1.0:ConferenceGoer",
    "required": false
  }]
}

Slide callout: add custom extensions in the "schemaExtensions" list.

Page 37

Creating a custom resource type

• Completely new resource types may be created to model objects that are unique to the service provider
• Client can use /ResourceTypes endpoint to discover these
• Somewhat common for service providers to implement
• Only two steps required:
  1. Create a new schema that contains the attributes
  2. Create a new resource type that references this schema

Page 38

Custom resource type – Schema

{
  "id": "urn:grizzle:1.0:BlogPost",
  "name": "Blog Post",
  "description": "A post to a blog",
  "attributes": [{
    "name": "title",
    "type": "string",
    "multiValued": false,
    "description": "The title of the blog post",
    "required": true,
    "caseExact": false,
    "mutability": "readWrite",
    "returned": "always",
    "uniqueness": "server"
  },
  ... other attributes - id, content, author, date, etc ...
  ]
}

Page 39

Custom resource type – Resource Type

{
  "schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
  "id": "BlogPost",
  "name": "Blog Post",
  "endpoint": "/BlogPosts",
  "description": "Posts to a boring blog",
  "schema": "urn:grizzle:1.0:BlogPost"
}

Slide callout: "schema" references the custom schema.
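The two two-step procedures in this section (a schema extension added to User's schemaExtensions, and a new schema plus a new resource type for BlogPost) are exactly what a client discovers through /Schemas and /ResourceTypes. The following added example (written for this page; not the deck's code) puts both to work on the service-provider side in Python: a trimmed registry of Schema and ResourceType documents, and a validator that rejects an incoming resource if it declares a schema the resource type does not register, uses an extension without declaring it in "schemas", carries attributes the schema does not define, sets readOnly attributes such as id on create, or mismatches a declared type or multi-valuedness. Assumptions: RFC 7643 URNs for the core and enterprise schemas (the deck shows the draft-era urn:scim: form, and a managerId sub-attribute that became "value" in the RFC), a subset of the core User attributes, and made-up attributes (content, published) for the BlogPost schema where the slide says "other attributes".

```python
"""Schema- and ResourceType-driven validation of incoming resources (added example; not the deck's code)."""
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 URNs; the deck shows the draft-era urn:scim: form
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CONF_GOER = "urn:grizzle:1.0:ConferenceGoer"  # the deck's custom extension
BLOG_POST = "urn:grizzle:1.0:BlogPost"  # the deck's custom resource type

def attr(name, type_="string", required=False, multi=False, mutability="readWrite", sub=()):
    # One entry of a Schema's "attributes" list, trimmed to the fields the validator uses.
    return {"name": name, "type": type_, "required": required, "multiValued": multi,
            "mutability": mutability, "subAttributes": list(sub)}

COMMON = [attr("id", mutability="readOnly"), attr("externalId"), attr("meta", "complex", mutability="readOnly")]
SCHEMAS = {  # what GET /Schemas would return; the core User entry is a subset of RFC 7643
    CORE_USER: [attr("userName", required=True), attr("active", "boolean"), attr("title"),
                attr("name", "complex", sub=[attr("familyName"), attr("givenName")]),
                attr("emails", "complex", multi=True, sub=[attr("value"), attr("type"), attr("primary", "boolean")])],
    ENTERPRISE: [attr("employeeNumber"), attr("department"),  # manager.value is the RFC name for the deck's managerId
                 attr("manager", "complex", sub=[attr("value"), attr("$ref", "reference"), attr("displayName")])],
    CONF_GOER: [attr("shirtSize")],
    BLOG_POST: [attr("title", required=True), attr("content"), attr("published", "dateTime")],  # assumed attributes
}
RESOURCE_TYPES = {  # what GET /ResourceTypes would return
    "User": {"endpoint": "/Users", "schema": CORE_USER,
             "schemaExtensions": [{"schema": ENTERPRISE, "required": False}, {"schema": CONF_GOER, "required": False}]},
    "BlogPost": {"endpoint": "/BlogPosts", "schema": BLOG_POST, "schemaExtensions": []},
}
JSON_TYPES = {"string": str, "boolean": bool, "integer": int, "decimal": (int, float),
              "dateTime": str, "reference": str, "complex": dict}

def check_attributes(specs, data, prefix, errors, creating):
    by_name = {s["name"].lower(): s for s in specs}  # attribute names are case-insensitive
    for key, value in data.items():
        spec = by_name.get(key.lower())
        if spec is None:
            errors.append(f"{prefix}{key}: not defined in the schema")  # reject, do not silently store
            continue
        if creating and spec["mutability"] == "readOnly":
            errors.append(f"{prefix}{key}: readOnly, assigned by the service provider")
            continue
        if spec["multiValued"] != isinstance(value, list):
            errors.append(f"{prefix}{key}: {'must' if spec['multiValued'] else 'must not'} be a list")
            continue
        for item in (value if spec["multiValued"] else [value]):
            wrong_kind = not isinstance(item, JSON_TYPES[spec["type"]]) or (
                spec["type"] in ("integer", "decimal") and isinstance(item, bool))  # bool is an int in Python
            if wrong_kind:
                errors.append(f"{prefix}{key}: expected {spec['type']}")
            elif spec["type"] == "complex" and spec["subAttributes"]:
                check_attributes(spec["subAttributes"], item, f"{prefix}{key}.", errors, creating)
    present = {k.lower() for k in data}
    errors.extend(f"{prefix}{s['name']}: required attribute missing"
                  for s in specs if s["required"] and s["name"].lower() not in present)

def validate(resource_type, resource, creating=True):
    """Errors that make `resource` unacceptable for the named resource type; an empty list means valid."""
    rt = RESOURCE_TYPES[resource_type]
    errors, declared = [], set(resource.get("schemas", []))
    allowed = {rt["schema"]} | {e["schema"] for e in rt["schemaExtensions"]}
    if rt["schema"] not in declared:
        errors.append(f"schemas: must include {rt['schema']}")
    errors.extend(f"schemas: {urn} is not registered for {resource_type}" for urn in declared - allowed)
    errors.extend(f"schemas: required extension {e['schema']} missing"
                  for e in rt["schemaExtensions"] if e["required"] and e["schema"] not in declared)
    errors.extend(f"{urn}: extension used but not declared in schemas" for urn in allowed - declared if urn in resource)
    core = {k: v for k, v in resource.items() if k != "schemas" and k not in allowed}
    check_attributes(COMMON + SCHEMAS[rt["schema"]], core, "", errors, creating)
    for urn in (declared & allowed) - {rt["schema"]}:  # extension attributes live under their URN key
        ext = resource.get(urn, {})
        if isinstance(ext, dict):
            check_attributes(SCHEMAS[urn], ext, urn + ":", errors, creating)
        else:
            errors.append(f"{urn}: extension value must be an object")
    return errors
```

A service provider runs validate() on every POST and PUT and turns a non-empty list into a 400 with scimType invalidValue; the same registry, serialized, is what it serves from /Schemas and /ResourceTypes, so the contract the client discovers and the contract the server enforces cannot drift apart.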

Page 40

Custom resource type – GET Request

GET /v2/BlogPosts HTTP/1.1
Host: example.com
Authorization: Bearer h480djs93hd8

Page 41

Custom resource type – GET Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "schemas": ["urn:scim:api:messages:2.0:ListResponse"],
  "totalResults": 5,
  "Resources": [{
    "id": "281838-af839018e4-8377ba87e90",
    "title": "Welcome to my blog!",
    "content": "...",
    "meta": {
      "resourceType": "BlogPost",
      "created": "2011-08-01T21:32:44.882Z",
      "lastModified": "2011-08-01T21:32:44.882Z",
      "location": "https://example.com/v2/BlogPosts/281..."
    },
  ...

Page 42

How simple is SCIM?

Page 43

SCIM Core Values

• Simplicity
  - “Make it as simple as possible but no simpler.” - Einstein
• Solving real-world problems
• Ease of implementation by consumers
  - Don’t make it too hard for service providers either
• Support the 80% in the core
  - Extensions for everything else
• Interoperability

Page 44

How to kick the tires

• Download the UnboundID Reference Server Implementation if you need a server to test against
  - https://www.unboundid.com/resources/scim/
• If you are trying to play with a service provider’s API
  - cURL
  - REST Console (Chrome Extension)

Page 45

cURL

Page 46

REST Console

• A Chrome extension that easily allows making REST calls
• Use this if a command line scares you
• There are other alternatives out there

Page 47

Getting under the hood

• If you want to write a SCIM client or server there are a number of open source libraries
• Most libraries currently support SCIM 1.1 (not 2.0)
• UnboundID SDK
  - Client and server Java libraries
  - Most full-featured and well maintained
• python-scim
  - SCIM object models for Python
• scim-query-filter-parser
  - Search filter parsing library for Ruby
• More at http://www.simplecloud.info/#implementations

Page 48

UnboundID SDK

• Open source and developed by UnboundID
• Recent enhancements to improve client usability
  - https://code.google.com/p/scimsdk/source/detail?r=355
• I prototyped a SCIM server and wrote a library to make server development easier
  - Library cut the lines of code by 68% (down to <300)
  - Needs a bit of work to be ready for prime time

Page 49

It’s so easy even Mark Diodati can do it!

• Mark wrote a SCIM client while an analyst at Gartner
• Written in Perl
• Reads attributes from a SCIM server and writes to an Excel file
• Reads changes in Excel file and synchronizes them to a SCIM server

Page 50

Wait … I already have a REST API!

• Option 1: Have a separate URL-space for identity-related SCIM APIs
  - https://example.com/rest/MyObjects
  - https://example.com/rest/scim/Users
• Option 2: Consider using SCIM’s schemas and resource types to define your entire REST API
  - It is already well-defined
  - Supports many data types and references between objects
  - It is self-describing through /Schemas and /ResourceTypes
  - Make use of SCIM libraries for fast implementation
• Just do it! Customers constantly ask for a common API!

Page 51

What next?

Page 52

Key take-aways

• Identity and app proliferation = frustration
• SCIM is the only sustainable option that can handle the scale and complexity of provisioning in today’s environments
• Build a standards-based identity infrastructure
  - Provisioning: SCIM
  - Authentication: OpenID Connect or SAML
  - Authorization: OAuth2

Page 53

What does it mean for me?

• Consider using SCIM for your internal environment
  - Not just a cloud API
• SCIM is a good foundation for any REST API
  - It can be used for more than just identities
• It’s easy to get started if you use the tools that are already available
• Use SCIM 1.1 for now
  - Real-world adoption of SCIM 2.0 will happen in 2015

Page 54

References

• Start here…
  - http://www.simplecloud.info/
• Get involved here…
  - http://www.ietf.org/mail-archive/web/scim/current/maillist.html
• All of the gory details here…
  - http://datatracker.ietf.org/wg/scim/documents/
  - http://datatracker.ietf.org/doc/draft-ietf-scim-api/
  - http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/
• Implementing a client or server in Java? Start here…
  - https://www.unboundid.com/resources/scim/
• Implementing a client or server in not Java? Start here…
  - http://www.simplecloud.info/#implementations

Page 55

[email protected]
@kelly_grizzle

http://simplecloud.info