Simple Cloud Identity Management (SCIM)



Similar documents
A Standards-based Mobile Application IdM Architecture

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

How to Extend Identity Security to Your APIs

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

Connecting Users with Identity as a Service

An Introduction to SCIM: System for Cross-Domain Identity Management

Enabling SSO for native applications

IETF 84 SCIM System for Cross-domain Identity Management. Kelly Grizzle

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

vcloud Air Platform Programmer's Guide

OpenID Connect 1.0 for Enterprise

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

Pick Your Identity Bridge

The Primer: Nuts and Bolts of Federated Identity Management

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

Federated Identity and Single Sign-On using CA API Gateway

Enable Your Applications for CAC and PIV Smart Cards

Extend and Enhance AD FS

SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy

The increasing popularity of mobile devices is rapidly changing how and where we

Customer Identity and Access Management (CIAM) Buyer s Guide

Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough

Title page. Alcatel-Lucent 5620 SERVICE AWARE MANAGER 13.0 R7

Single Sign-On Implementation Guide

Getting Started with Single Sign-On

USING FEDERATED AUTHENTICATION WITH M-FILES

Flexible Identity Federation

CA Nimsoft Service Desk

NetworkingPS Federated Identity Solution Solutions Overview

Open Data Center Alliance Usage: Single Sign On Authentication REv. 1.0

BYE BYE PASSWORDS. The Future of Online Identity. Hans Zandbelt Sr. Technical Architect. CTO Office - Ping Identity

Copyright Pivotal Software Inc, of 10

SAML 101. Executive Overview WHITE PAPER

Server based signature service. Overview

The Primer: Nuts and Bolts of Federated Identity Management

The Role of Identity Enabled Web Services in Cloud Computing

Using SAML for Single Sign-On in the SOA Software Platform

nexus Hybrid Access Gateway

UNIVERSITY OF COLORADO Procurement Service Center INTENT TO SOLE SOURCE PROCUREMENT CU-JL SS. Single Sign-On (SSO) Solution

Cloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Interoperate in Cloud with Federation

Riverbed Cascade Shark Common REST API v1.0

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

SAML-Based SSO Solution

Active Directory Federation Services

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

CA Single Sign-On Migration Guide

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Lecture Notes for Advanced Web Security 2015

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Introduction to SAML

OPENIAM ACCESS MANAGER. Web Access Management made Easy

OpenID Deutsche telekom. Dr. Torsten Lodderstedt, Deutsche Telekom AG

VMware vcenter Log Insight Developer's Guide

Web Conferencing: Unleash the Power of Secure, Real-Time Collaboration

Web Based Single Sign-On and Access Control

An Oracle White Paper June RESTful Web Services for the Oracle Database Cloud - Multitenant Edition

Identity. Provide. ...to Office 365 & Beyond

IBM Tivoli Federated Identity Manager

Security Assertion Markup Language (SAML) Site Manager Setup

Shibboleth Authentication. Information Systems & Computing Identity and Access Management May 23, 2014

Open Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0

PingFederate. SSO Integration Overview

How To Use Saml 2.0 Single Sign On With Qualysguard

Fairsail REST API: Guide for Developers

PRIVACY AWARE ACCESS CONTROL FOR CLOUD-BASED DATA PLATFORMS

Single Sign-On Implementation Guide

Federated Identity in the Enterprise

PHP Integration Kit. Version User Guide

Cloud SSO and Federated Identity Management Solutions and Services

OAuth Guide Release 6.0

OIOIDWS for Healthcare Token Profile for Authentication Tokens

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

Flexible Identity Federation

NCSU SSO. Case Study

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

SAML-Based SSO Solution

December 2014 Keywords/Summary

Cloud Computing. Chapter 5 Identity as a Service (IDaaS)

TrustedX - PKI Authentication. Whitepaper

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

SAML Federated Identity at OASIS

Integrating Single Sign-on Across the Cloud By David Strom

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite

Secure Identity in Cloud Computing

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

Onegini Token server / Web API Platform

Integration Overview. Web Services and Single Sign On

Transcription:

Simple Cloud Identity Management (SCIM) Abstract The Simple Cloud Identity Management (SCIM) specification defines a simple, RESTful protocol for identity account management operations. SCIM s model is based upon the experience of existing schemas and SaaS deployments, with specific emphasis on simplifying development and integration, and wherever possible, applying existing authentication, authorization, and privacy mechanisms.

Table of Contents Abstract.................................................................. 1 Introduction............................................................... 3 The SCIM Specification....................................................... 3 Use Cases................................................................ 4 Create User Cloud to Cloud Multiplexing.................................... 4 Delete User Enterprise to Cloud........................................... 5 Create User Just in Time................................................. 6 Summary................................................................. 7 References................................................................ 7

Introduction The 4 A s of Identity Management are authentication, authorization, account management and audit logging. Currently, when enterprise employees access cloud applications, authentication is the only A with an accepted standard (SAML). While SAML allows an enterprise to assert identities for employees as they access cloud-based applications relevant to their role, there are cases where the SaaS provider requires an existing account to be waiting for that employee. To date, there is no widely accepted standard protocol for the enterprise to manage (i.e., create, delete) these cloud identities. Consequently, various SaaS providers have defined their own proprietary interfaces, which means enterprise customers are forced to support a variety of logically similar but differently formatted interfaces. More and more, SaaS applications are accessed through non-browser channels. Native mobile applications installed on mobile devices are a new key driver. Because enterprises cannot necessarily rely on SSO control for SaaS access control, they need active and explicit mechanisms to delete accounts from SaaS providers upon employee termination. While the Services Provisioning Markup Language (SPML) specification addresses many of the use cases targeted by SCIM, SPML has not seen wide adoption within the enterprise, and none at all between the enterprise and the Cloud. SaaS providers generally opt for (arguably) simpler REST protocols rather than the SOAP stack associated with SPML, and the power of SPML is seen by many as overkill for basic cloud-based account management tasks. The Simple Cloud Identity Management (SCIM) protocol defines a simple, RESTful protocol for identity account management operations. SCIM s model is based on the experience of existing schemas and SaaS deployments, placing specific emphasis on simplicity of development and integration, and wherever possible, applying existing authentication, authorization, and privacy mechanisms. The SCIM Specification The SCIM specification has three major components: 1) The core schema provides an abstract schema and extension model for representing users and groups in the context of cloud applications. Standard serializations of that schema using JSON and XML are provided. 2) The SCIM protocol defines a REST API for exchanging user and user-related resources via JSON and/or XML. 3) Bindings define how to carry SCIM information on protocols other than the SCIM-defined REST API. An example is the SAML binding. SCIM recommends using the OAuth protocol for SCIM API call authentication. p3

Use Cases The following are representative SCIM use cases. The use cases are mapped onto the appropriate pieces of the SCIM specification set that support them. Create User Cloud to Cloud Multiplexing An enterprise hires a new employee in a role that requires access to several different SaaS providers. The enterprise uses a SaaS provider for their HR functions. Upon the new employee being entered into the HR SaaS provider systems, the HR SaaS provider sends a SCIM message to the appropriate additional SaaS providers, indicating that a new account should be created. The sequence is shown below. The SCIM REST API defines the form of the create user message sent from the HR SaaS provider. An example message is shown here: POST /User HTTP/1.1 Host: saas2.com Content-Type: application/json Authorization: Bearer h480djs93hd8 Content-Length:... { schemas :[ urn:scim:schemas:core:1.0 ], username : bjensen@example.com, name : { familyname : Jensen, givenname : Barbara }, displayname : Babs Jensen, emails :[ { value : bjensen@example.com, type : work, primary :true}]} p4

The JSON object representing the new employee is sent as multiple HTTP POST messages from the HR SaaS provider to the other relevant SaaS providers. The OAuth access token delivered in the HTTP authorization header serves to authenticate the HR SaaS sender. Delete User Enterprise to Cloud An employee leaves an enterprise. To prevent unauthorized access within a SaaS provider, the enterprise must terminate all established channel access both browser-based and native mobile applications. Because the native application channel is authenticated and authorized through the issuance of a long-lived OAuth access token to the native application, revoking that channel requires that the enterprise actively push a SCIM delete user message to the SaaS provider, which will also revoke any outstanding OAuth access tokens. The sequence is show below: After the enterprise sends the SCIM delete user message to the SaaS provider, the SaaS provider will de-authorize the already issued OAuth access tokens, thereby terminating the ex-employee s mobile-channel access. Below is a representative SCIM delete message and response. DELETE /User/3f62ce30-dcd6-4dd7-abfe-2352a76f9978 Host: saas.com Authorization: Bearer jy5djs99hd8 HTTP/1.1 200 OK Unlike in the SOAP messaging model, the more RESTful SCIM uses the HTTP DELETE method to match the logical operation. As for the create call, the SCIM message is authenticated by including an OAuth access token. p5

Create User Just in Time An enterprise hires a new employee in a high turnover role that requires periodic and infrequent access to a given SaaS provider. Rather than creating a potentially unnecessary account upon hiring the new employee, the enterprise waits until the employee first accesses the SaaS application. As part of the web SSO operation from the enterprise to the SaaS application, an account is created just-in-time. The sequence is shown below: The SAML SSO assertion carries sufficient information (encoded as SAML attributes) to allow the SaaS provider to create an account for the employee. The SCIM SAML binding defines how to carry the SCIM attributes in the SAML attributes. Below is a representative sample: <saml:attributestatement xmlns:xs= http://www.w3.org/2001/xmlschema xmlns:saml= urn:oasis:names:tc:saml:2.0:assertion xmlns:scim= http://placeholder.scim.org/2011/schema/extension > <saml:attribute NameFormat= urn:oasis:names:tc:saml:2.0:attrnameformat:unspecified Name= SCIM.userName > <saml:attributevalue xmlns:xsi= http://www.w3.org/2001/xmlschema-instance xsi:type= xs:string >bjensen@example.com</saml:attributevalue> </saml:attribute> <saml:attribute NameFormat= urn:oasis:names:tc:saml:2.0:attrnameformat:unspecified Name= SCIM.name.formatted > <saml:attributevalue xmlns:xsi= http://www.w3.org/2001/xmlschema-instance xsi:type= xs:string >Ms. Babs J Jensen III</saml:AttributeValue> </saml:attribute> </saml:attributestatement> p6

The SaaS provider validates the SAML assertion, creates a local account based on the information in the attributes, and then initiates a session allowing the employee to start work. The next time the employee SSOs to the SaaS provider, the attributes would need not be sent (unless they had changed). Summary The Simple Cloud Identity Management (SCIM) specification is designed to simplify cloud-based identity management, making it more convenient and cost-effective for users to move into, out of and around the Cloud. Building upon SaaS provider and enterprise customer experience with existing proprietary mechanisms, SCIM places specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. SCIM provides a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols. References 1. SCIM Protocol - http://www.simplecloud.info/specs/draft-scim-rest-api-01.html 2. SCIM Core Schema - http://www.simplecloud.info/specs/draft-scim-core-schema-01.html 3. SCIM SAML Binding - http://www.simplecloud.info/specs/draft-scim-saml2-binding-02.html 4. SPML - http://www.oasis-open.org/committees/provision/ 5. OAuth - http://oauth.net/ About Ping Identity The Cloud Identity Security Leader Ping Identity provides cloud identity security solutions to the world s foremost companies, government organizations and cloud businesses. For more information, dial U.S. toll-free 877.898.2905 or +1.303.468.2882, email sales@pingidentity.com or visit pingidentity.com. 2011 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingFederate Express, PingConnect, PingEnable, the Ping Identity logo, SignOn.com, Auto-Connect and Single Sign-On Summit are registered trademarks, trademarks or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies. 7/11.5 p7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information