CIS 2015 SCIM in the Real World - Kelly Grizzle
SCIM in the Real World
Kelly Grizzle Software Architect – SailPoint
Copyright © SailPoint Technologies, Inc. 2015 All rights reserved. 2
Overview
• What is SCIM?
• Trends in SCIM Usage
• Who are you and what’s your problem?
  - Identity Gurus
  - Service Providers
• Case Studies
• Where is SCIM today and where is it going?
What is SCIM?
System for Cross-Domain Identity Management
Identity Management + REST = SCIM
• REST is just an architectural pattern; SCIM defines an identity management profile for it
• SCIM provides…
  - Standard definitions for User and Group
  - Standard operations
    • Create, Read, Update, Delete, Search, Partial Update, Bulk
  - Extensibility
    • Add more attributes to existing object types or define new object types
Example – Retrieve User Request
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
Example – Retrieve User Response
HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
{
  "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    ...
  }
}
Callouts on the slide: self-describing payload ("schemas"), single-valued attribute ("id"), complex attribute ("name"), many data types (string, dateTime, …).
CRUD Operations
POST /Users
PUT /Users/2819c223-7f76-453a-919d-413861904646
PATCH /Users/2819c223-7f76-453a-919d-413861904646
DELETE /Users/2819c223-7f76-453a-919d-413861904646
GET /Users?startIndex=10&count=5&filter=userName sw "J"
GET /Users/2819c223-7f76-453a-919d-413861904646
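The search line above (filter plus startIndex/count paging) is where a SCIM server takes untrusted query input, so it is worth seeing how a server handles it end to end. The following is an added example, not code from the talk or from SailPoint: it parses the simple filter grammar (attribute, operator, quoted value), evaluates it over a constructed in-memory user store, pages the matches the way RFC 7644 describes, and returns a ListResponse. Only eq, ne, co, sw, ew and pr are recognised; anything outside that grammar is answered with a 400 rather than interpreted loosely. The MAX_PAGE_SIZE cap and the sample users are assumptions made for the example.

```python
"""Server-side handling of GET /Users?startIndex=10&count=5&filter=userName sw "J".

Added example, not code from the talk or from SailPoint. Parses the simple
filter form  attribute op "value"  (eq, ne, co, sw, ew) and  attribute pr ,
applies it to a constructed in-memory store, pages per RFC 7644 3.4.2.4 and
builds a ListResponse. Anything else is rejected with a 400.
"""
import re
from typing import Any, Callable, Dict, List

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
MAX_PAGE_SIZE = 100  # assumed server-chosen cap on "count"

# Constructed sample users (not real people).
USERS: List[Dict[str, Any]] = [
    {"id": "u1", "userName": "jdoe", "name": {"familyName": "Doe"}},
    {"id": "u2", "userName": "Jensen.B", "name": {"familyName": "Jensen"}},
    {"id": "u3", "userName": "jsmith", "name": {"familyName": "Smith"}},
    {"id": "u4", "userName": "mmiller", "name": {"familyName": "Miller"}},
]


class ScimError(Exception):
    """Carries the HTTP status and a scimType-style detail for an error response."""

    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status = status
        self.detail = detail


# attrPath SP operator [SP "value"] and nothing else (anchored at both ends).
_FILTER_RE = re.compile(
    r'^\s*([A-Za-z][\w.]*)\s+(eq|ne|co|sw|ew|pr)(?:\s+"((?:[^"\\]|\\.)*)")?\s*$',
    re.IGNORECASE,
)

_OPS: Dict[str, Callable[[str, str], bool]] = {
    "eq": lambda have, want: have == want,
    "ne": lambda have, want: have != want,
    "co": lambda have, want: want in have,
    "sw": lambda have, want: have.startswith(want),
    "ew": lambda have, want: have.endswith(want),
}


def _lookup(resource: Dict[str, Any], attr_path: str) -> Any:
    """Resolve a dotted path such as name.familyName; attribute names are case-insensitive."""
    value: Any = resource
    for part in attr_path.split("."):
        if not isinstance(value, dict):
            return None
        key = next((k for k in value if k.lower() == part.lower()), None)
        if key is None:
            return None
        value = value[key]
    return value


def parse_filter(text: str) -> Callable[[Dict[str, Any]], bool]:
    """Turn a filter string into a predicate, or raise ScimError(400) if it is not understood."""
    match = _FILTER_RE.match(text)
    if not match:
        raise ScimError(400, "invalidFilter: unsupported or malformed filter")
    attr, op, raw_value = match.group(1), match.group(2).lower(), match.group(3)
    if op == "pr":
        if raw_value is not None:
            raise ScimError(400, "invalidFilter: 'pr' takes no value")
        return lambda r: _lookup(r, attr) is not None
    if raw_value is None:
        raise ScimError(400, "invalidFilter: operator requires a quoted value")
    # Values compare case-insensitively, as for attributes with caseExact=false (e.g. userName).
    want = raw_value.replace('\\"', '"').lower()
    compare = _OPS[op]

    def predicate(resource: Dict[str, Any]) -> bool:
        have = _lookup(resource, attr)
        return have is not None and compare(str(have).lower(), want)

    return predicate


def search_users(query: Dict[str, str], store: List[Dict[str, Any]] = USERS) -> Dict[str, Any]:
    """Handle GET /Users?filter=...&startIndex=...&count=... and return a ListResponse body."""
    predicate = parse_filter(query["filter"]) if "filter" in query else (lambda r: True)
    try:
        start_index = int(query.get("startIndex", "1"))
        count = int(query.get("count", str(MAX_PAGE_SIZE)))
    except ValueError:
        raise ScimError(400, "invalidValue: startIndex and count must be integers")
    start_index = max(start_index, 1)           # RFC 7644 3.4.2.4: values below 1 mean 1
    count = min(max(count, 0), MAX_PAGE_SIZE)   # negative count means 0; cap the page size
    matches = [r for r in store if predicate(r)]
    page = matches[start_index - 1 : start_index - 1 + count]
    return {
        "schemas": [LIST_RESPONSE_SCHEMA],
        "totalResults": len(matches),
        "startIndex": start_index,
        "itemsPerPage": len(page),
        "Resources": page,
    }
```

The strict, anchored grammar is the point: a filter the server does not fully understand is refused, so a client cannot smuggle extra clauses past the parser, and the page-size cap keeps a search from returning the whole directory in one response.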
Server Configuration Operations
GET /ResourceTypes
  - Return the types of resources that are supported
  - Endpoint URL, schema, etc…
GET /Schemas/
  - Return the schema definitions
  - Attribute names and types, etc…
GET /ServiceProviderConfigs
  - Return info about what is supported by the server
  - Authn methods, optional features, etc…
Trends in SCIM Usage
Trends
• Enterprises are using SCIM Gateways to communicate between internal systems
• Service providers use SCIM for directory access
  - Store extended information, but often not visible externally
• IAM and IDaaS vendors provide SCIM Servers to expose identity information and use SCIM Clients to read/write external systems
• Common threads in custom password extensions
• SCIM is seen as the identity management API
Who are you?
IAM Gurus!
99 problems and identity is #1
Problem!!! Bob needs a new account
SCIM Solution: Provision
Problem!!! Bob can’t login!
SCIM Solution: Password reset
* Alternate Solution: Single sign-on … but this isn’t a SAML / OIDC workshop.
Problem!!! Bob can’t read the financials
SCIM Solution: Add him to a group or give him some entitlements
Problem!!! I need to know Bob’s access
SCIM Solution: Read User and Group Data
Problem!!! Bob has been a bad boy
SCIM Solution: Deprovision
Problem!! Apps team needs to r/w identity
SCIM Solution: Standard but extensible API
Case Study Fortune 100 Chip Maker
The Setup
• Started considering options between a failed Oracle Identity Manager project and “the next thing”
• Needed a façade
  - Prevent IAM vendor lock-in
  - Needed co-existence between old and new IAM systems
• Extensibility was crucial!
• “We wanted a 20 year solution.” –IAM Guru
The Solution
Create a SCIM gateway to serve as a central identity hub
[Diagram: a SCIM Gateway Cluster at the center, connected to Legacy Apps, the IAM System, SSO and a Directory Server]
The Interesting Parts
• Extended user schema to hold custom information
• Extended endpoints to support many additional features
  - Email verification
    • POST /EmailVerificationTokens to create a token
    • POST /EmailVerification to verify email using token
  - Password reset
    • POST /PasswordResetTokens to create a token
    • POST /PasswordChanges to change password using token
  - Security token management for SSO
    • POST /SecurityTokens to create authenticated session token
    • DELETE /SecurityTokens to invalidate
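The email-verification and password-reset pairs above share one pattern: a token is minted by one endpoint and redeemed by another. The example below is added here and is not the gateway's own code; it models POST /PasswordResetTokens (issue) and POST /PasswordChanges (redeem) with the properties such tokens need if the endpoints are to be safe to expose: random, short-lived, single-use, bound to one user and one purpose, and stored only as a hash so a copy of the token store yields nothing usable. The same service covers the /EmailVerificationTokens and /EmailVerification pair by changing the purpose tag. The in-memory dict store, the injectable clock, the 15-minute TTL and the PBKDF2 parameters are assumptions made for the example.

```python
"""Issue/redeem pattern behind the token endpoints on the slide.

Added example, not the gateway's own code. Models POST /PasswordResetTokens
(issue) and POST /PasswordChanges (redeem). The store, clock, TTL and PBKDF2
settings are assumptions for the example.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class TokenRecord:
    user_id: str
    purpose: str
    expires_at: float


class TokenService:
    def __init__(self, ttl_seconds: int = 900, clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._records: Dict[str, TokenRecord] = {}  # keyed by SHA-256 of the token, never the token

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, purpose: str) -> str:
        """POST /PasswordResetTokens (or /EmailVerificationTokens): mint a token to deliver out of band."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = TokenRecord(user_id, purpose, self._clock() + self._ttl)
        return token

    def redeem(self, token: str, user_id: str, purpose: str) -> bool:
        """Consume a token. True only if it exists, is unexpired, and matches user and purpose."""
        # pop() makes the token single-use whatever the outcome; looking it up by digest
        # means no secret is ever compared byte by byte.
        record = self._records.pop(self._digest(token), None)
        if record is None:
            return False
        return (record.user_id == user_id
                and record.purpose == purpose
                and self._clock() <= record.expires_at)


def change_password(service: TokenService, token: str, user_id: str, new_password: str,
                    credentials: Dict[str, Tuple[bytes, bytes]]) -> int:
    """POST /PasswordChanges handler. Returns the HTTP status to send: 204 on success, 403 otherwise."""
    if not service.redeem(token, user_id, "passwordReset"):
        return 403  # one answer for unknown, expired, reused and mismatched tokens
    salt = secrets.token_bytes(16)
    credentials[user_id] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, 200_000))
    return 204
```

A real deployment would put the records in a shared store with a TTL rather than a dict, but the shape stays the same: the token itself exists only in the response to the issuing call and in the message delivered to the user.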
More Interesting Parts
• More extended endpoints…
  - Notifications (email or SMS)
    • POST /Notifications to send a notification with user information merged in (welcome email, forgot login ID, etc…)
  - Role management
    • PATCH /Roles to change membership for a role
The Benefits
• Ability to add new information and features without breaking existing clients
- If there is anything in JSON that you don't recognize, throw it away
“SCIM has been critical and program-saving. It is exactly what we needed at exactly the right time, and fills a crucial role in our environment."
--IAM Guru
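The "throw away what you don't recognize" rule is what lets the schema grow without breaking clients, and on the server side it is also what keeps a client from writing attributes it should not. The example below is added here and is not SailPoint's or the customer's code: it drives the rule from attribute definitions in the shape a server publishes under GET /Schemas. Unknown core attributes and sub-attributes are dropped, an extension block is kept only when its URN is both declared in "schemas" and known to the server, and attributes whose mutability is readOnly (such as "id") are discarded on write instead of being trusted from the client. The cut-down SCHEMAS table and the sample payload are constructed for the example.

```python
"""Schema-driven acceptance of a SCIM User payload.

Added example, not code from the talk or from SailPoint. The SCHEMAS table is
a constructed subset of the real attribute definitions, in GET /Schemas form.
"""
from typing import Any, Dict, List, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

SCHEMAS: Dict[str, Dict[str, Any]] = {
    USER_SCHEMA: {
        "attributes": [
            {"name": "id", "mutability": "readOnly"},
            {"name": "userName", "mutability": "readWrite"},
            {"name": "active", "mutability": "readWrite"},
            {"name": "name", "mutability": "readWrite", "subAttributes": [
                {"name": "formatted"}, {"name": "familyName"},
                {"name": "givenName"}, {"name": "honorificSuffix"},
            ]},
        ]
    },
    ENTERPRISE_SCHEMA: {
        "attributes": [
            {"name": "department", "mutability": "readWrite"},
            {"name": "manager", "mutability": "readWrite",
             "subAttributes": [{"name": "value"}, {"name": "displayName"}]},
        ]
    },
}


def _filter_attrs(payload: Dict[str, Any], attr_defs: List[Dict[str, Any]],
                  discarded: List[str], prefix: str = "") -> Dict[str, Any]:
    """Keep only attributes the schema defines as writable; record what was thrown away."""
    kept: Dict[str, Any] = {}
    for key, value in payload.items():
        definition = next((d for d in attr_defs if d["name"].lower() == key.lower()), None)
        if definition is None or definition.get("mutability") == "readOnly":
            discarded.append(prefix + key)
            continue
        subs = definition.get("subAttributes")
        if subs and isinstance(value, dict):
            value = _filter_attrs(value, subs, discarded, prefix + definition["name"] + ".")
        kept[definition["name"]] = value  # normalise to the schema's spelling of the name
    return kept


def accept_user(payload: Dict[str, Any],
                schemas: Dict[str, Dict[str, Any]] = SCHEMAS) -> Tuple[Dict[str, Any], List[str]]:
    """Clean a POST/PUT /Users body. Returns (resource to store, list of discarded paths)."""
    declared = payload.get("schemas")
    if not isinstance(declared, list) or USER_SCHEMA not in declared:
        raise ValueError("invalidSyntax: payload must declare the core User schema")
    discarded: List[str] = []
    core = {k: v for k, v in payload.items() if k != "schemas" and not k.startswith("urn:")}
    clean = _filter_attrs(core, schemas[USER_SCHEMA]["attributes"], discarded)
    clean["schemas"] = [USER_SCHEMA]
    for key, value in payload.items():
        if not key.startswith("urn:"):
            continue
        if key in declared and key in schemas and isinstance(value, dict):
            clean[key] = _filter_attrs(value, schemas[key]["attributes"], discarded, key + ":")
            clean["schemas"].append(key)
        else:
            discarded.append(key)  # undeclared or unknown extension: dropped as a whole
    return clean, discarded
```

Logging the discarded paths (rather than silently dropping them) is the cheap extra: a client that keeps sending "id" or an undeclared extension is either misconfigured or probing, and either is worth knowing about.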
Case Study Fortune 500 Pharmaceuticals
The Setup
• Need to support identity on a large portfolio of applications
  - Not all application teams are resourced equally
• Wanted an abstraction of provisioning from specific implementations
  - Allow for seamless upgrades of IAM system
  - Ease cost of implementation for smaller applications
The Solution
Create a SCIM gateway to serve as a central identity hub
[Diagram: a SCIM SOA Gateway at the center, connected to On-prem Apps, the IAM System, Cloud Apps and a Directory Server]
The Benefits
• SCIM gives agility in adopting new versions of IAM system
• SCIM isolates IAM system if a SaaS vendor changes their identity model
  - Connector continues to work with an updated schema
  - Important for SaaS vendors that can update at any time
• If an application vendor is small it's not worth it to write a custom connector
  - Small vendors are very willing to implement SCIM as their standard identity API
Who are you?
Service Providers!!
99 problems and identity is #1
Problem!!! I need to expose a directory!!
SCIM Solution: Read and write with SCIM
Problem!!! I need an API between my own products!
SCIM Solution: Everything identity is SCIM
Problem!! My mobile app needs identities!
SCIM Solution: Light-weight REST API
Problem!!! I need to get identities from my customer’s directory into my cloud app!
SCIM Solution: To the cloud with SCIM!
Case Study Fortune 100 Networking
The Setup
• Needed a consistent identity API that can be used:
  - By partners
  - By customers
  - Internally between products
  - To communicate with IdPs and other SaaS vendors
The Solution
[Diagram: a SCIM Identity Service with read/write (r/w) clients around it: Directory Clients, Internal Systems, Partners & IdPs, an Identity Sync Client and a Mobile App]
The Interesting Parts
• Additional endpoints
  - /Devices
  - /Tenants
    • Only available internally
    • Password policy is configured on tenant
• Core schemas have been extended
  - Positive extensions: New attributes (mainly internal info)
  - Negative extensions: Attributes in SCIM spec that aren’t supported
• Legacy APIs forward requests on to SCIM
The Benefits
• Single API for everything identity
• Mobile application has a light-weight API to use
• SCIM clients are easy to write
  - Have seen no need to write a toolkit
Case Study Fortune 1000 Networking
The Setup
• Needed a consistent identity API that can be used:
  - By customers
  - Internally between products
  - To communicate with IdPs
The Solution
[Diagram: a SCIM Identity Service with read/write (r/w) clients around it: Custom Clients, Internal Systems, IdPs and an AD Sync Client]
The Interesting Parts
• Exploring an “organizational unit” extension to facilitate multi-tenancy in the API
• Exploring a pub/sub SCIM model
  - Client subscribes to be notified of changes
  - SCIM server sends out notifications
The Benefits
• Single API for everything identity
• No need to provide documentation
  - Just point developers at the spec
• Easy to implement
Case Studies in brief
PaaS – CloudFoundry
• CloudFoundry is an open platform-as-a-service (PaaS)
• Identity APIs leverage standards
  - SCIM, OAuth2, and OpenID Connect
• Benefits
  - Use existing open API rather than reinventing the wheel
  - Use SCIM extensions for some non-identity APIs
IDaaS and IAM Vendors
• IDaaS and IAM vendors need to:
  - Allow external access to their identity store
  - Provision/read identities and groups to/from other applications
• SCIM server provides external access
• SCIM client provides provisioning to other applications
• Benefits
  - Standardized API makes external integration easy
  - Applications that support SCIM can be integrated immediately
    • No custom connector is required
    • No product upgrade required to support new apps
Examples: SailPoint, Salesforce, Ping, VMWare, neXus, Oracle, UnboundID
Higher Education
• Higher education is largely focused on federation
  - Need to propagate minimum amount of identity data
  - Authorization data (group memberships) are very important
  - Federation attribute payload works well for Just In Time (JIT) provisioning
  - SCIM enables more robust record propagation when JIT is not good enough
    • For example, email account provisioning often must occur before first login
Federations that need attribute exchange
Higher Education
• VOOT is an identity/group protocol built on top of SCIM
  - Adds more features around group membership
• Grouper is a user/group management tool developed by Internet2
  - SCIM integration allows writing to down-stream endpoints
http://openvoot.org/
https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+Integration
VOOT and Grouper
Case Study neXus Internet of Things
The Setup
• IoT provider needed:
  - A registry of devices associated with a user
  - Information about the device (bluetooth address, etc…)
  - A mobile app that can
    • Authenticate
    • Retrieve user information (including devices)
    • Communicate with devices
  - Devices that can send status updates
The Solution
[Diagram: the Mobile App talks to the SCIM Server over HTTP and to the car over Bluetooth ("Start A/C"); the car reports its status back to the SCIM Server]
Mobile App → SCIM Server:
GET /me (as authenticated user)
{
  "id": "89723-83703",
  "devices": [
    {
      "name": "Tesla",
      "bluetoothAddress": "000A3A58F310",
      "deviceType": "electricCar",
      "batteryLife": 58,
      …
    },
    …
  ]
}
Device → SCIM Server:
PATCH /Cars/89723-83703
{ "batteryLife": 57, "location": { "lat": 30.4045541, "long": -97.8489572 } }
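The PATCH from the car is the one request in this design that comes from a constrained, physically exposed device, so the server side of it is where the checks belong. The example below is added here and is not neXus or SailPoint code. The slide shows the status update as a bare value object; this handler accepts the standard RFC 7644 PatchOp message (PatchOp schema plus an Operations list) carrying the same update, applies only add/replace/remove, only to attributes a device is allowed to report about itself, and only to a car owned by the authenticated principal, and leaves the stored resource untouched if any operation fails. The Car schema URN, the DEVICE_WRITABLE set and the in-memory store are constructed for the example; the car id and coordinates are the values shown on the slide.

```python
"""PATCH handling for the device endpoint on the slide (PATCH /Cars/{id}).

Added example, not neXus or SailPoint code. Accepts an RFC 7644 PatchOp body
for the status update the slide shows as a bare value object. The Car schema
URN, writable-attribute set and store are constructed for the example.
"""
import copy
from typing import Any, Dict

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
CAR_SCHEMA = "urn:example:params:scim:schemas:extension:Car"  # assumed extension URN

# What a device may write about itself; everything else (owner, id, ...) is server-managed.
DEVICE_WRITABLE = {"batteryLife", "location", "location.lat", "location.long"}

CARS: Dict[str, Dict[str, Any]] = {
    "89723-83703": {
        "schemas": [CAR_SCHEMA],
        "id": "89723-83703",
        "owner": "89723-83703",  # user id from the GET /me response on the slide
        "batteryLife": 58,
        "location": {"lat": 30.4045541, "long": -97.8489572},
    }
}


class PatchError(Exception):
    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status = status
        self.detail = detail


def _apply(resource: Dict[str, Any], op: str, path: str, value: Any) -> None:
    """Apply one operation to a single-valued attribute or dotted sub-attribute path."""
    parts = path.split(".")
    target = resource
    for part in parts[:-1]:
        target = target.setdefault(part, {})
        if not isinstance(target, dict):
            raise PatchError(400, "invalidPath: " + path)
    if op == "remove":
        target.pop(parts[-1], None)
    else:  # add and replace both set a single-valued attribute
        target[parts[-1]] = value


def patch_car(car_id: str, principal: str, body: Dict[str, Any],
              cars: Dict[str, Dict[str, Any]] = CARS) -> Dict[str, Any]:
    """Handle PATCH /Cars/{car_id} sent by `principal`; returns the updated resource."""
    if body.get("schemas") != [PATCH_OP_SCHEMA] or not isinstance(body.get("Operations"), list):
        raise PatchError(400, "invalidSyntax: body is not a PatchOp message")
    car = cars.get(car_id)
    if car is None or car["owner"] != principal:
        # Same answer whether the car is missing or belongs to someone else,
        # so the endpoint does not confirm which ids exist.
        raise PatchError(404, "resource not found")
    updated = copy.deepcopy(car)  # work on a copy so a rejected operation changes nothing
    for operation in body["Operations"]:
        op = str(operation.get("op", "")).lower()
        path = operation.get("path")
        if op not in ("add", "replace", "remove"):
            raise PatchError(400, "invalidSyntax: unsupported op " + repr(op))
        if path is None:
            # No path: "value" is an object whose members are applied at the top level.
            if op == "remove" or not isinstance(operation.get("value"), dict):
                raise PatchError(400, "noTarget: remove needs a path; add/replace need an object value")
            targets = list(operation["value"].items())
        else:
            targets = [(path, operation.get("value"))]
        for attr_path, value in targets:
            if attr_path not in DEVICE_WRITABLE:
                raise PatchError(403, "mutability: devices may not write " + attr_path)
            _apply(updated, op, attr_path, value)
    cars[car_id] = updated
    return updated
```

The allow-list is deliberately per endpoint and per caller type: the mobile app, acting for the owner, would get a different writable set than the car does, and neither gets "owner".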
The Benefits
• Extended user schema to show which devices belong to each user
• New endpoints for devices to read/write device information
  - Example: /Cars, /Vacuums
• Extensible schema allows new device types to be imported via JSON files
• Extremely light-weight SCIM clients on mobile app and devices
  - This is very important for constrained devices
Where is SCIM?
Current Status
• 2.0 API, Core Schema, and Use Cases docs are complete
  - Will become official RFCs in the next couple months
• IETF working group will continue to work on SCIM extensions
  - Passwords: http://datatracker.ietf.org/doc/draft-hunt-scim-password-mgmt/
  - Notify: http://datatracker.ietf.org/doc/draft-hunt-scim-notify/
  - Soft Delete: http://datatracker.ietf.org/doc/draft-ansari-scim-soft-delete/
  - Others TBD
Wrapping it up…
Adoption is growing…
“The SCIM interface will have parity with other APIs and will be a first-class citizen.”
--Ian Glazer, Salesforce
“I’m also proud to say Oracle’s Amit Jasuja announced at last year’s OpenWorld that Oracle IDM’s key REST API for Identity will be SCIM…”
--Phil Hunt, Oracle
Adoption is growing…
“SCIM works perfectly for constrained devices.” --Erik Wahlström, neXus
“SCIM is simple to implement.”
--Haavar Valeur, Citrix
Questions
[email protected]
@kelly_grizzle
http://simplecloud.info