IETF 84 SCIM System for Cross-domain Identity Management. Kelly Grizzle

Transcription

1 IETF 84 SCIM System for Cross-domain Identity Management Kelly Grizzle

2 Agenda Overview What problem does SCIM solve? What is SCIM? History Lesson Deeper Dive Schema Protocol Security Other areas in charter: bindings, targeting What s Next?

3 What is the problem? How do I keep my organization s users in sync with service X? How do I provision a user account for service X? How do I deprovision a user account from service X? How do I update an existing account for service X? How do I manage groups? How do I add or remove users from groups to give them the correct level of access? How do I create new groups? 3

4 What is the problem? Mobile Connec vity Service Service Payroll Service SCIM Client Organiza on Directory 4

5 What is a user? dn: cn=homejsimpson,o=domain-name cn: HomerJSimpson objectclass: top objectclass: person objectclass: organizationalperson objectclass: inetorgperson mail: HJSimpson@burnsco.com givenname: Homer sn: Simpson postaladdress: 742 Evergreen Terrace l: Springfield st: Kentsouri postalcode: telephonenumber: (888) jpegphoto: Homer J. Simpson Springfield Nuclear Plant Safety Inspector (888) Work (123) Home HJSimpson@burnsco.com 742 Evergreen Terrace Springfield, Kentsouri h p:// 5

6 How do we do it today? Error-Prone Labor-Intensive Stale Accounts (no deprovision) Vendor-specific Manual, Hand-entry Bulk, CSV Latency Days Hours/Days Other No simple fetch method, no two-way synchronization Custom APIs & Connectors SAML Just-in-Time Provisioning No pre-provisioning, no groups And, there is always schema-mapping to deal with 6

7 What is SCIM? SCIM is a standard that defines schema and protocol for identity management. Schema Core representations of users and groups Extensible JSON/XML* Protocol REST, HTTP, Synchronous CRUD + Search* + Discovery + Bulk* And more cool stuff The S word

8 An example speaks words POST /v1/users HTTP/1.1 Host: example.com Accept: application/json Content-Type: application/json Authorization: Bearer h480djs93hd8 Content-Length:... { "schemas": ["urn:scim:schemas:core:1.0"], "externalid": "bjensen", "username":"bjensen", "name": { "familyname": "Jensen", "givenname": "Barbara"

9 History Lesson July 2010: Conceived at Cloud Identity Summit May 2011: Officially began at IIW 12 Oct 2011 May 2012: 3 interop events with 9 vendors (open source and proprietary) Dec 2011: Released 1.0 specification under OWF (Open Web Foundation) March 2012: BoF at IETF 83 June 2012: WG chartered July 2012: 1.1 specification released under OWF August 3, 2012: Here we are first WG meeting

10 Deeper Dive Schema Protocol Security SAML and LDAP bindings Targeting

11 Schema Core models for User and Group JSON and XML* representations Extensibility Extend existing resources (eg enterprise user) Define new resources (eg role)

12 Model

13 Simple Structure A resource is: An attribute container Name spaced An attribute is: Simple or complex Single or multi-valued

14 Required Complex Simple Complex multi-valued { Example: User "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d ", "externalid": "bjensen", "meta": { "created": " T18:29:49.793Z", "lastmodified": " T18:29:49.793Z", "location": " "version": "W\/\"f250dd84f0671c3\", "name": { "formatted": "Ms. Barbara J Jensen III", "familyname": "Jensen", "givenname": "Barbara", "username": "bjensen", "phonenumbers": [ { "value": " ", "type": "work" ]

15 Example: Extended User Declaration Use { "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"], "id": "2819c223-7f76-453a-919d ", "externalid": "bjensen", "username": "bjensen", "urn:scim:schemas:extension:enterprise:1.0": { "employeenumber": "701984", "costcenter": "4130", "organization": "Universal Studios", "division": "Theme Park", "department": "Tour Operations", "manager": { "managerid": " e4-49d8ca9f808d", "displayname": "John Smith

16 Example: Group { Type (User Group) Optional & Read-only "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d ", "displayname": "Tour Guides", "members": [ { "value": "2819c223-7f76-453a-919d ", "displayname": "Babs Jensen", "type": "User", { "value": "2819c223-7f76-453a-919d ", "displayname": "Mandy Pepperidge", "type": "User" ]

17 Protocol REST, HTTP, Synchronous CRUD + Search* + Discovery + Bulk* Simple MTI, Complex optional Extensible*, Versioned curl friendly

18 Operations Create = POST Read = GET Update = PUT Delete = DELETE *Update = PATCH *Search = GET filter={attribute {op {value & sortby={attributename & sortorder={ascending descending & startindex={start & count={maxresults *Bulk

19 Discovery GET /Schemas Introspect resources and attribute extensions GET /ServiceProviderConfigs Spec compliance Support for bulk, patch, etc Authentication schemes OAuth, HTTP basic, etc Data formats Support XML?

20 Create Request Operation Resource Type POST /v1/users HTTP/1.1 Format Host: example.com AuthZ Accept: application/json Authorization: Bearer h480djs93hd8 { "schemas": ["urn:scim:schemas:core:1.0"], "externalid": "bjensen", "username":"bjensen", "name": { "familyname": "Jensen", "givenname": "Barbara" User Payload

21 Result code Create Response Format Permalink HTTP/ Created Content-Type: application/json Location: ETag: W/"e180ee84f0671b1" { "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d ", "externalid": "bjensen", "meta": { "created": " T21:32:44.882Z", "lastmodified": " T21:32:44.882Z", "location": " "version": "W\/\"e180ee84f0671b1\"", "name":{ "familyname":"jensen", "givenname":"barbara", "username":"bjensen" SP generated ID

22 Get Request Operation Resource Type Stable ID Format GET /v1/users/2819c223-7f76-453a-919d json Host: example.com Authorization: Bearer h480djs93hd8

23 Result code Get Response Format Permalink SP ID HTTP/ OK Content-Type: application/json Location: ETag: W/"e180ee84f0671b1" { "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d ", "externalid": "bjensen", "meta": { "created": " T21:32:44.882Z", "lastmodified": " T21:32:44.882Z", "location": " "version": "W\/\"e180ee84f0671b1\"", "name":{ "familyname":"jensen", "givenname":"barbara", "username":"bjensen"

24 Search Request Operation Resource Type URL encoded filter GET /v1/users?filter=title pr and usertype eq "Employee" &sortby=title Sorting &sortorder=ascending &attributes=title,username Partial results &startindex=11 &count=10 Index-based pagination Host: example.com Accept: application/json Authorization: Bearer h480djs93hd8

25 Search Response { Pagination Users "schemas": ["urn:scim:schemas:core:1.0"], "totalresults": 2, "Resources": [ { "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97", "title": "Assistant VP", "username": "bjensen", { "id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57", "title": "VP", "username": "jsmith" ] SP ID ever present

26 PATCH and Bulk PATCH Allows providing partial updates to resources May be important if modifying a large multi-valued attribute on a resource (eg group members) Bulk Allows performing many operations at once Useful for synchronizing data into a service provider Both are optional

27 Protocol Extensibility Version in URL Follow RESTful principles Additional URL arguments Additional resource endpoints

28 XML Schema XML XSD Core Resource, User, Group Payload wrappers, Errors Schema, Bulk, ServiceProviderConfig Enterprise Extension

29 Security Considerations Protocol Sensitive information abounds Authorization attributes are loosely defined Roles, groups, and entitlements

30 Protocol Security TLS MTI Standard HTTP considerations apply Authentication is discoverable, OAuth bearer token recommended HTTP basic is commonly implemented for interoperability

31 Sensitive Information in User Password AuthZ { "id": "2819c223-7f76-453a-919d ", "externalid": "bjensen", "name": { "familyname": "Jensen", "givenname": "Barbara", "username": "bjensen", "password": "maybe_plaintext", "roles": [ { "value": "RA" ], "groups": [ { "value": "2819c223-7f76-453a-919d ", "display": "Student" ], "entitlements": [ { "value": "delete users" ]

32 Hi/Low Fidelity Bindings LDAP SAML OpenID Connect

33 Targeting Proposed extension Allows a server to proxy a SCIM request to a target system GET Optionally can store links to target accounts on the core user

34 1.1 Release Released in July 2012 under OWF Mainly clarifications and small error fixes Many of these were found during interop testing Will serve as starting point for working group Final release under OWF

35 What s next? See charter for milestones Use cases document Binding documents (LDAP, SAML) Targeting document Continue working on schema and protocol * And much more

36 SCIM Core Values Simplicity Make it as simple as possible but no simpler. - Einstein Solving real-world problems Ease of implementation by consumers Don t make it too hard for service providers either Support the 80% in the core Extensions for everything else Interoperability

37 For more information 1.1 Drafts (should be on datatracker soon) Site overhaul coming soon!