IETF 84 SCIM System for Cross-domain Identity Management Kelly Grizzle kelly.grizzle@sailpoint.com
Agenda
Overview: What problem does SCIM solve? What is SCIM? History lesson
Deeper dive: Schema, Protocol, Security
Other areas in charter: bindings, targeting
What's next?
What is the problem?
How do I keep my organization's users in sync with service X?
How do I provision a user account for service X?
How do I deprovision a user account from service X?
How do I update an existing account for service X?
How do I manage groups?
How do I add or remove users from groups to give them the correct level of access?
How do I create new groups?
What is the problem?
(diagram: an Organization Directory feeding a SCIM Client, which talks to a Mobile Connectivity Service, an Email Service and a Payroll Service)
What is a user?
dn: cn=homejsimpson,o=domain-name
cn: HomerJSimpson
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
mail: HJSimpson@burnsco.com
givenname: Homer
sn: Simpson
postaladdress: 742 Evergreen Terrace
l: Springfield
st: Kentsouri
postalcode: 01234
telephonenumber: (888) 555-1111
jpegphoto: http://www.simpsons.com/homer.jpg
(contact card on the slide) Homer J. Simpson, Springfield Nuclear Plant, Safety Inspector; (888) 555-1111 Work; (123) 666-1111 Home; HJSimpson@burnsco.com; 742 Evergreen Terrace, Springfield, Kentsouri 01234; http://www.simpsons.com
How do we do it today?
Manual, hand-entry: error-prone, labor-intensive; latency of days
Bulk, CSV: latency of hours/days; no simple fetch method, no two-way synchronization
Custom APIs & connectors: vendor-specific
SAML just-in-time provisioning: no pre-provisioning, no groups; stale accounts (no deprovision)
And there is always schema-mapping to deal with
What is SCIM?
SCIM is a standard that defines schema and protocol for identity management.
Schema: core representations of users and groups; extensible; JSON/XML*
Protocol: REST, HTTP, synchronous; CRUD + Search* + Discovery + Bulk*; and more cool stuff
(* optional)
The S word
An example speaks 1111101000 words
POST /v1/users HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Authorization: Bearer h480djs93hd8
Content-Length: ...

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}
History Lesson
July 2010: conceived at Cloud Identity Summit
May 2011: officially began at IIW 12
Oct 2011 to May 2012: three interop events with nine vendors (open source and proprietary)
Dec 2011: 1.0 specification released under OWF (Open Web Foundation)
March 2012: BoF at IETF 83
June 2012: WG chartered
July 2012: 1.1 specification released under OWF
August 3, 2012: here we are, first WG meeting
Deeper Dive Schema Protocol Security SAML and LDAP bindings Targeting
Schema
Core models for User and Group
JSON and XML* representations
Extensibility: extend existing resources (e.g. enterprise user); define new resources (e.g. role)
http://tools.ietf.org/html/draft-scim-core-schema-00
Model
Simple Structure
A resource is: an attribute container; namespaced
An attribute is: simple or complex; single- or multi-valued
Example: User
(callouts on the slide: schemas is required; userName is a simple attribute; name and meta are complex; phoneNumbers is complex and multi-valued)
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v1/users/2819c223...",
    "version": "W\/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    { "value": "555-555-8377", "type": "work" }
  ]
}
Example: Extended User
(callouts on the slide: the extension URN is declared in schemas, then used as a namespaced attribute)
{
  "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "userName": "bjensen",
  "urn:scim:schemas:extension:enterprise:1.0": {
    "employeeNumber": "701984",
    "costCenter": "4130",
    "organization": "Universal Studios",
    "division": "Theme Park",
    "department": "Tour Operations",
    "manager": {
      "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
      "displayName": "John Smith"
    }
  }
}
Example: Group
(callouts on the slide: a member's type is User or Group; it is optional and read-only)
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "displayName": "Tour Guides",
  "members": [
    { "value": "2819c223-7f76-453a-919d-413861904646", "displayName": "Babs Jensen", "type": "User" },
    { "value": "2819c223-7f76-453a-919d-413861904646", "displayName": "Mandy Pepperidge", "type": "User" }
  ]
}
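The schema rules on the preceding slides (a resource is a namespaced attribute container; an extension URN must be declared in "schemas" before its attributes are used; attributes are simple or complex, single- or multi-valued) are easy to state and easy to get wrong at a service provider boundary. The validator below is an added example, not code from the slides or from any SCIM implementation. Its attribute table is deliberately a small assumed subset of the core schema, and the sample resources are constructed for the example.

```python
"""Structural validation of a SCIM 1.x resource (added example, not the slides' code)."""

CORE = "urn:scim:schemas:core:1.0"
ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"

# Assumed subset of the core schema for this example: name -> (JSON type, multi-valued?).
# Complex attributes are dicts; multi-valued complex attributes are lists of dicts.
CORE_ATTRS = {
    "id": (str, False),
    "externalId": (str, False),
    "userName": (str, False),
    "displayName": (str, False),
    "name": (dict, False),
    "meta": (dict, False),
    "phoneNumbers": (dict, True),
    "members": (dict, True),
}


def validate_resource(res: dict) -> list:
    """Return a list of problems; an empty list means the resource passes."""
    problems = []
    schemas = res.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        return ['"schemas" is required and must be a non-empty list']
    if CORE not in schemas:
        problems.append(f"core schema {CORE} not declared")
    for key, value in res.items():
        if key == "schemas":
            continue
        if key.startswith("urn:"):
            # Namespaced extension block: "use" requires a matching "declaration".
            if key not in schemas:
                problems.append(f"extension {key} used but not declared in schemas")
            if not isinstance(value, dict):
                problems.append(f"extension {key} must be a complex attribute")
            continue
        spec = CORE_ATTRS.get(key)
        if spec is None:
            continue  # not in this example's table; a real validator has the full schema
        typ, multi = spec
        if multi:
            if not isinstance(value, list) or not all(isinstance(v, typ) for v in value):
                problems.append(f"{key} must be a list of {typ.__name__}")
            elif any("value" not in v for v in value):
                problems.append(f"{key}: every entry needs a value sub-attribute")
        elif not isinstance(value, typ):
            problems.append(f"{key} must be {typ.__name__}")
    return problems


# Constructed sample resources (the ids are placeholders, not real data).
GOOD_GROUP = {
    "schemas": [CORE],
    "id": "group-0001",
    "displayName": "Tour Guides",
    "members": [
        {"value": "user-0001", "displayName": "Babs Jensen", "type": "User"},
        {"value": "user-0002", "displayName": "Mandy Pepperidge", "type": "User"},
    ],
}

# Uses the enterprise extension without declaring it, and a malformed multi-valued attribute.
BAD_USER = {
    "schemas": [CORE],
    "id": "user-0001",
    "userName": "bjensen",
    ENTERPRISE: {"employeeNumber": "701984"},
    "phoneNumbers": [{"type": "work"}],
}
```

Run it over an incoming payload before persisting anything; an undeclared extension block is the most common interop failure this catches, and a multi-valued entry without a value sub-attribute is the kind of thing that later breaks group membership handling.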
Protocol
REST, HTTP, synchronous
CRUD + Search* + Discovery + Bulk*
Simple MTI, complex optional
Extensible*, versioned
curl friendly
http://tools.ietf.org/html/draft-scim-api-00
Operations
Create = POST https://example.com/{v}/{resource}
Read = GET https://example.com/{v}/{resource}/{id}
Update = PUT https://example.com/{v}/{resource}/{id}
Delete = DELETE https://example.com/{v}/{resource}/{id}
*Update = PATCH https://example.com/{v}/{resource}/{id}
*Search = GET https://example.com/{v}/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending|descending}&startIndex={start}&count={maxResults}
*Bulk
(* optional)
Discovery
GET /Schemas: introspect resources and attribute extensions
GET /ServiceProviderConfigs: spec compliance; support for bulk, patch, etc.; authentication schemes (OAuth, HTTP basic, etc.); data formats (support XML?)
Create Request
(callouts on the slide: operation, resource type, format, AuthZ, user payload)
POST /v1/users HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}
Create Response
(callouts on the slide: result code, format, permalink, SP-generated ID)
HTTP/1.1 201 Created
Content-Type: application/json
Location: https://example.com/v1/users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v1/users/281...",
    "version": "W\/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "jensen",
    "givenName": "barbara"
  },
  "userName": "bjensen"
}
Get Request
(callouts on the slide: operation, resource type, stable ID, format)
GET /v1/users/2819c223-7f76-453a-919d-413861904646.json
Host: example.com
Authorization: Bearer h480djs93hd8
Get Response
(callouts on the slide: result code, format, permalink, SP ID)
HTTP/1.1 200 OK
Content-Type: application/json
Location: https://example.com/v1/users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v1/users/281...",
    "version": "W\/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "jensen",
    "givenName": "barbara"
  },
  "userName": "bjensen"
}
Search Request
(callouts on the slide: operation, resource type, URL-encoded filter, sorting, partial results, index-based pagination)
GET /v1/users?filter=title pr and userType eq "Employee"
  &sortBy=title
  &sortOrder=ascending
  &attributes=title,userName
  &startIndex=11
  &count=10
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
Search Response
(callouts on the slide: pagination, users, SP ID ever present)
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "totalResults": 2,
  "Resources": [
    {
      "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
      "title": "Assistant VP",
      "userName": "bjensen"
    },
    {
      "id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57",
      "title": "VP",
      "userName": "jsmith"
    }
  ]
}
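Two things on the Operations and Search slides above deserve working code: the filter is a string the client assembles, so any value that comes from outside (a display name, a search box) has to be quoted rather than spliced in, and results come back in index-based pages that the client has to walk. The block below is an added example, not code from the slides or from any SCIM product. It assumes that string values in a filter are JSON string literals (so json.dumps is the right quoting and escaping), and it uses an in-memory stand-in for the service provider with a constructed user list and a hypothetical per-request page cap.

```python
"""Safe SCIM filter construction and index-based paging (added example, not the slides' code)."""
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

FILTER_OPS = {"eq", "co", "sw", "pr", "gt", "ge", "lt", "le"}
# Attribute names: core attrs, dotted sub-attrs, or extension URNs. Nothing else gets through.
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.:-]*$")


def filter_term(attribute, op, value=None):
    """One filter clause such as  userType eq "Employee".  The value is never spliced raw."""
    if not ATTR_RE.match(attribute):
        raise ValueError(f"bad attribute name {attribute!r}")
    if op not in FILTER_OPS:
        raise ValueError(f"unsupported operator {op!r}")
    if op == "pr":
        return f"{attribute} pr"
    if isinstance(value, bool):
        literal = "true" if value else "false"
    elif isinstance(value, (int, float)):
        literal = repr(value)
    elif isinstance(value, str):
        literal = json.dumps(value)  # quotes the value and backslash-escapes " and \ inside it
    else:
        raise TypeError("filter value must be str, number or bool")
    return f"{attribute} {op} {literal}"


def and_filter(*terms):
    return " and ".join(terms)


def search_url(base, resource, flt=None, sort_by=None, sort_order="ascending",
               attributes=None, start_index=1, count=10):
    """Assemble the search URL; urlencode percent-encodes the quotes and spaces in the filter."""
    params = {}
    if flt:
        params["filter"] = flt
    if sort_by:
        params["sortBy"] = sort_by
        params["sortOrder"] = sort_order
    if attributes:
        params["attributes"] = ",".join(attributes)
    params["startIndex"] = start_index  # SCIM pages are 1-based
    params["count"] = count
    return f"{base}/{resource}?{urlencode(params)}"


class FakeProvider:
    """Stand-in service provider: serves pages of a fixed list and caps count (assumed cap)."""
    MAX_COUNT = 10

    def __init__(self, users):
        self.users = users
        self.requests = 0

    def get(self, url):
        self.requests += 1
        q = parse_qs(urlsplit(url).query)
        start = int(q.get("startIndex", ["1"])[0])
        count = min(int(q.get("count", [str(self.MAX_COUNT)])[0]), self.MAX_COUNT)
        page = self.users[start - 1:start - 1 + count]
        return {"schemas": ["urn:scim:schemas:core:1.0"], "totalResults": len(self.users),
                "startIndex": start, "itemsPerPage": len(page), "Resources": page}


def fetch_all(provider, base, resource, flt=None, page_size=10):
    """Walk startIndex/count pages until totalResults is exhausted."""
    results, start = [], 1
    while True:
        body = provider.get(search_url(base, resource, flt, start_index=start, count=page_size))
        page = body["Resources"]
        results.extend(page)
        if not page or start + len(page) > body["totalResults"]:
            break
        start += len(page)  # advance by what the server actually returned, not what was asked for
    return results


# Constructed sample data: 23 users so that a page size of 10 needs three requests.
SAMPLE_USERS = [{"id": f"id-{i:03d}", "userName": f"user{i}"} for i in range(1, 24)]
```

The point of advancing by the returned page length rather than the requested count is that a service provider is free to cap count below what the client asked for; a client that assumes its own page size either skips records or loops forever. The injection case is the one to try first: pass `'Employee" or userName pr'` as the value and confirm it comes back as a single quoted literal.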
PATCH and Bulk
PATCH: allows partial updates to resources. May be important when modifying a large multi-valued attribute on a resource (e.g. group members).
Bulk: allows performing many operations at once. Useful for synchronizing data into a service provider.
Both are optional.
Protocol Extensibility
Version in URL: https://example.com/{version}/{resource}
Follow RESTful principles
Additional URL arguments
Additional resource endpoints
XML Schema
XML XSD
Core: Resource, User, Group
Payload wrappers, Errors
Schema, Bulk, ServiceProviderConfig
Enterprise Extension
Security Considerations
Protocol
Sensitive information abounds
Authorization attributes are loosely defined: roles, groups, and entitlements
Protocol Security
TLS MTI
Standard HTTP considerations apply
Authentication is discoverable; OAuth bearer token recommended
HTTP basic is commonly implemented for interoperability
Sensitive Information in User
(callouts on the slide: password; AuthZ attributes roles, groups and entitlements)
{
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "password": "maybe_plaintext",
  "roles": [
    { "value": "RA" }
  ],
  "groups": [
    { "value": "2819c223-7f76-453a-919d-982763095", "display": "Student" }
  ],
  "entitlements": [
    { "value": "delete users" }
  ]
}
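The two preceding slides say what a service provider has to get right and leave the how open: TLS is mandatory to implement, the User resource carries a password that may arrive in plaintext, and roles, groups and entitlements are authorization data that the spec defines only loosely. The block below is an added example, not the slides' code or any product's. It shows the server side of a create: refuse a non-TLS request, hash the password on the way in and never return it, and (as a policy choice this example assumes, not something the spec dictates) only let a caller marked as an administrator set the authorization attributes. The request is a plain dict standing in for an HTTP request; the admin flag is a hypothetical result of whatever authentication the provider discovers.

```python
"""Server-side handling of a SCIM User's sensitive attributes (added example, not the slides' code)."""
import hashlib
import hmac
import os
import secrets

AUTHZ_ATTRS = ("roles", "groups", "entitlements")  # the loosely defined authorization attributes
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, stored in a self-describing string."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time comparison


class ScimUserStore:
    """In-memory user store with the handling rules a SCIM service provider needs."""

    def __init__(self):
        self.records = {}

    def create(self, request):
        # TLS is mandatory to implement; a provider behind a proxy checks the forwarded scheme.
        if request.get("scheme") != "https":
            raise PermissionError("SCIM requires TLS; refusing plaintext HTTP request")
        body = dict(request["json"])
        # Assumed policy: only an administrative caller may assert authorization attributes.
        if not request.get("admin") and any(attr in body for attr in AUTHZ_ATTRS):
            raise PermissionError("roles/groups/entitlements may only be set by an administrator")
        record = {k: v for k, v in body.items() if k != "password"}
        if "password" in body:
            record["passwordHash"] = hash_password(body["password"])  # plaintext is never stored
        record["id"] = secrets.token_hex(16)  # service-provider-generated id, as on the slides
        self.records[record["id"]] = record
        return self.to_response(record)

    def to_response(self, record):
        """The representation returned to clients: the password, in any form, is never included."""
        return {k: v for k, v in record.items() if k not in ("password", "passwordHash")}

    def check_password(self, user_id, password):
        record = self.records.get(user_id)
        if record is None or "passwordHash" not in record:
            return False
        return verify_password(password, record["passwordHash"])


def is_rejected(store, request):
    """True when the store refuses the request with PermissionError (helper for demonstrations)."""
    try:
        store.create(request)
    except PermissionError:
        return True
    return False


# Constructed sample requests (not real traffic).
CREATE_REQUEST = {
    "scheme": "https",
    "admin": False,
    "json": {"schemas": ["urn:scim:schemas:core:1.0"], "userName": "bjensen",
             "name": {"familyName": "Jensen", "givenName": "Barbara"},
             "password": "maybe_plaintext"},
}
PLAINTEXT_REQUEST = dict(CREATE_REQUEST, scheme="http")
PRIVILEGE_REQUEST = dict(CREATE_REQUEST, json=dict(CREATE_REQUEST["json"], entitlements=[{"value": "delete users"}]))
```

The same response filter applies to GET, search and bulk responses: anything that serialises a record has to go through to_response, because a single code path that forgets is enough to leak every hash. PATCH of a multi-valued authorization attribute needs the same administrator check as create.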
Hi/Low Fidelity Bindings LDAP SAML OpenID Connect
Targeting
Proposed extension
Allows a server to proxy a SCIM request to a target system: GET https://example.com/targets/crm/users/{id}
Optionally can store links to target accounts on the core user
http://tools.ietf.org/html/draft-hunt-scimtargeting-00
1.1 Release Released in July 2012 under OWF Mainly clarifications and small error fixes Many of these were found during interop testing Will serve as starting point for working group Final release under OWF
What's next?
See charter for milestones: http://datatracker.ietf.org/wg/scim/charter/
Use cases document
Binding documents (LDAP, SAML)
Targeting document
Continue working on schema and protocol: http://code.google.com/p/scim/issues/list
* And much more
SCIM Core Values
Simplicity: "Make it as simple as possible but no simpler." - Einstein
Solving real-world problems
Ease of implementation by consumers; don't make it too hard for service providers either
Support the 80% in the core; extensions for everything else
Interoperability
For more information 1.1 Drafts (should be on datatracker soon) http://scim.googlecode.com/svn/trunk/specs/draft-scim-api-01.txt http://scim.googlecode.com/svn/trunk/specs/draft-scim-coreschema-01.txt http://www.simplecloud.info/ Site overhaul coming soon! http://datatracker.ietf.org/wg/scim/