CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think
Transcript of CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think
SCIM: Why It’s More Important, and More Simple, Than You Think
Kelly Grizzle, Software Architect - SailPoint
Copyright © SailPoint Technologies, Inc. 2013 All rights reserved. 2
Agenda
• What is SCIM?
• Why is it important?
• How is it being used?
• Deeper Dive
• How simple is it?
What is SCIM?
System for Cross-Domain Identity Management
* And yes … it is also simple
What is SCIM?
• SCIM is a standard that defines schema and protocol for identity management.
• Schema
  - Users and Groups
  - Extensible
  - JSON
• Protocol
  - REST
  - CRUD + Search + Discovery + Bulk
Identity Protocol Landscape (diagram: protocols grouped by Provisioning, Authentication and Authorization)
What problems does SCIM solve?
• How do I keep my organization’s users in sync with service X?
  - How do I provision a user account for service X?
  - How do I deprovision a user account from service X?
  - How do I update an existing account for service X?
• How do I manage groups?
  - How do I add or remove users from groups to give them the correct level of access?
  - How do I create new groups?
An example speaks 1111101000 words…

POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Authorization: Bearer h480djs93hd8
Content-Length: ...

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}
History Lesson
July ‘10 Conceived at CIS
May ‘11 Work starts under OWF
Dec ‘11 Version 1.0
June/July ‘12 IETF WG chartered Version 1.1
Late ‘14 Version 2.0
Why is SCIM important?
A typical environment (diagram: many systems on both sides of the firewall, each holding its own copy of identity data)
That’s the typical case … Ouch!
• Environments are complex
  - Many systems both on-prem and off-prem
• Every system has to deal with identity
  - Name, email, title, custom meta-information, entitlements, …
• Identity must be maintained across systems
  - Need one-way and often two-way synchronization
• Authorization is often driven from an external system
  - Example: Active Directory groups drive groups and permissions in other applications.
Other common pain points
• Mergers and acquisitions
  - Need to quickly connect applications after M&A
• BYOA (bring your own app)
  - Proliferation of SaaS apps has led to using applications that IT does not even know about
• Mobile
  - Another case of BYOA where mobile apps need identity information
How is identity management done?
• Manual hand-entry
  - Error prone and slow
• Bulk upload
  - High latency – often a one-time operation
• Custom APIs and connectors
  - High cost to develop against
  - Proprietary to each service provider
• SAML Just-in-Time Provisioning
  - No pre-provisioning
  - No deprovisioning
And then … there’s SCIM
• Low cost to develop
  - Write once and reuse
  - Open source libraries
  - Well-known and agreed upon standard
• Handles full lifecycle of identity
  - Create, update, AND delete
• Real-time
  - No waiting for manual intervention
Who else thinks SCIM is important?
How is SCIM being used?
Surprisingly – not just in the cloud
• SCIM was initially created with cloud use cases in mind
• It turns out that a common language to move identities on-premises is really useful
• This is some of the first “real world” adoption of SCIM
• Case study: Large company with 3500 connected applications and 82,000 users moved to SCIM for internal systems
In the enterprise (diagram: SCIM used between internal systems, all behind the firewall)
Unsurprisingly – also in the cloud
• SaaS providers have started implementing SCIM for their identity APIs
  - Salesforce.com, Cisco Webex, etc…
• Clients call these APIs from an on-premises identity management system to manage identities
Ground to cloud (diagram: on-premises identity management calling SaaS providers across the firewall, over SCIM where supported and proprietary APIs otherwise)
Cloud Identity Bridge
• Important when on-premises applications need to be managed from the cloud
• Allows a single, secured SCIM channel through the firewall
• Translates SCIM requests to native APIs behind the firewall
Cloud to ground (diagram: a Cloud Identity Management Provider sends SCIM through the firewall to the Identity Bridge, which calls the on-premises systems’ Native APIs)
Deeper Dive: Schema
Schema
• Core models for User and Group
• JSON representation
• Extensible
  - Extend existing resources (eg – enterprise user)
  - Define new resources (eg – role, entitlement, device)
  - JSON format for describing schema
  - Standard data types and references between objects
• http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/
Example: User
{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v1/Users/2819c223...",
    "version": "W\/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    {
      "value": "555-555-8377",
      "type": "work"
    }
  ]
}
Slide callouts mark the attribute kinds: Required, Complex (e.g. name), Simple (e.g. userName), Multi-valued (phoneNumbers), Object type (meta.resourceType)
Example: Extended User
{
  "schemas": ["urn:scim:schemas:core:2.0:User",
              "urn:scim:schemas:extension:enterprise:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "userName": "bjensen",
  "urn:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "701984",
    "costCenter": "4130",
    "organization": "Universal Studios",
    "division": "Theme Park",
    "department": "Tour Operations",
    "manager": {
      "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
      "$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d",
      "displayName": "John Smith"
    }
  }
}
Slide callouts: Declaration (the extension URN listed in "schemas") and Use (the same URN as the key of the extension attribute block)
Deeper Dive: API
Operations
• Create = POST https://example.com/{v}/{resource}
• Read = GET https://example.com/{v}/{resource}/{id}
• Update = PUT https://example.com/{v}/{resource}/{id}
• Delete = DELETE https://example.com/{v}/{resource}/{id}
• *Update = PATCH https://example.com/{v}/{resource}/{id}
• *Search = GET https://example.com/{v}/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending|descending}&startIndex={start}&count={maxResults}
• *Bulk
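The Search operation above takes filter, sortBy, sortOrder, startIndex and count. The following Python is an added example, not code from the slides or from SailPoint: it parses a single-comparison SCIM filter of the form {attribute} {op} {value}, evaluates it over constructed in-memory User resources, applies the sort and paging parameters, and wraps the hits in a ListResponse. The operator names (eq, co, sw, pr, gt, ge, lt, le) and the ListResponse attribute names come from SCIM; the sample users, the case-insensitive string comparison and the single-comparison grammar (no and/or) are assumptions made here. The point for a service provider is that the filter is matched against a fixed grammar and operator whitelist and the value is decoded as a JSON literal, so it is never interpreted as code or spliced into a backend query.

```python
import json
import re

# Comparison operators accepted in a filter. Anything outside this whitelist
# is rejected up front rather than interpreted.
OPERATORS = {
    "eq": lambda a, b: _fold(a) == _fold(b),
    "co": lambda a, b: isinstance(a, str) and isinstance(b, str) and _fold(b) in _fold(a),
    "sw": lambda a, b: isinstance(a, str) and isinstance(b, str) and _fold(a).startswith(_fold(b)),
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
}

def _fold(value):
    """Assumed comparison semantics: strings compare case-insensitively."""
    return value.lower() if isinstance(value, str) else value

# {attribute} {op} [{value}]; attribute paths may be dotted (name.familyName).
FILTER_RE = re.compile(r"^\s*([A-Za-z][\w.]*)\s+([a-z]{2})(?:\s+(\S.*?))?\s*$")

def parse_filter(expr):
    """Parse a single-comparison filter into (attribute, op, value); 'pr' has no value."""
    match = FILTER_RE.match(expr)
    if not match:
        raise ValueError("malformed filter: %r" % expr)
    attr, op, raw = match.groups()
    if op == "pr":
        if raw is not None:
            raise ValueError("'pr' takes no value")
        return attr, op, None
    if op not in OPERATORS or raw is None:
        raise ValueError("unsupported operator or missing value in %r" % expr)
    try:
        value = json.loads(raw)  # "string", 42, true: a JSON literal, never eval()
    except json.JSONDecodeError:
        raise ValueError("filter value must be a JSON literal: %r" % raw)
    return attr, op, value

def filter_is_valid(expr):
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False

def resolve(resource, path):
    """Collect the values at a dotted path; multi-valued attributes fan out."""
    current = [resource]
    for part in path.split("."):
        step = []
        for node in current:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and part in item:
                    step.append(item[part])
        current = step
    flat = []
    for node in current:
        flat.extend(node if isinstance(node, list) else [node])
    return flat

def matches(resource, attr, op, value):
    candidates = resolve(resource, attr)
    if op == "pr":
        return len(candidates) > 0
    for candidate in candidates:
        try:
            if OPERATORS[op](candidate, value):
                return True
        except TypeError:  # e.g. ordering a string against a number: no match
            continue
    return False

def search(resources, filter=None, sortBy=None, sortOrder="ascending",
           startIndex=1, count=None):
    """Apply the query parameters from the Operations slide and build a ListResponse."""
    if sortOrder not in ("ascending", "descending"):
        raise ValueError("sortOrder must be ascending or descending")
    hits = list(resources)
    if filter:
        attr, op, value = parse_filter(filter)
        hits = [r for r in hits if matches(r, attr, op, value)]
    if sortBy:
        hits.sort(key=lambda r: _fold((resolve(r, sortBy) or [""])[0]),
                  reverse=(sortOrder == "descending"))
    start = max(int(startIndex), 1)  # startIndex is 1-based
    page = hits[start - 1:]
    if count is not None:
        page = page[:max(int(count), 0)]
    return {
        "schemas": ["urn:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(hits),
        "startIndex": start,
        "itemsPerPage": len(page),
        "Resources": page,
    }

USERS = [  # constructed sample resources
    {"id": "1", "userName": "bjensen", "name": {"familyName": "Jensen", "givenName": "Barbara"},
     "phoneNumbers": [{"value": "555-555-8377", "type": "work"}]},
    {"id": "2", "userName": "jsmith", "name": {"familyName": "Smith", "givenName": "John"}},
    {"id": "3", "userName": "ajensen", "name": {"familyName": "Jensen", "givenName": "Anna"},
     "phoneNumbers": [{"value": "555-555-1000", "type": "home"}]},
]

if __name__ == "__main__":
    print(json.dumps(search(USERS, filter='name.familyName eq "jensen"', sortBy="userName"), indent=2))
```

A filter such as userName eq "x" or 1 eq 1 fails to parse because the remainder after the operator is not one JSON literal; a real implementation that supports compound filters would extend the grammar rather than relax this check.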
Create Request
POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}
Slide callouts: Operation (POST), Resource Type (/v2/Users), AuthZ (the Authorization header), “User” Payload (the JSON body)
Create Response
HTTP/1.1 201 Created
Content-Type: application/json
Location: https://example.com/v2/Users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v2/Users/281...",
    "version": "W\/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "Jensen",
    ...
Slide callouts: Result code (201 Created), “Permalink” (the Location header, repeated in meta.location), SP generated ID (the "id" attribute)
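The Create Request/Response exchange above is easiest to see from the service provider's side. The following Python is an added example, not code from the slides or from SailPoint: a minimal in-memory /Users endpoint that accepts the slide's POST, answers 201 with a server-generated id, meta (created, lastModified, location, version) and Location/ETag headers, and also handles GET, PUT and DELETE. Assumptions made here: a single fixed bearer token (the constructed value from the slide), a weak ETag derived from a hash of the stored representation, the draft-era Error message URN, and PUT honouring an If-Match header so a stale client cannot overwrite a newer version. Client-supplied "id" and "meta" are discarded on create and replace, and userName uniqueness is enforced by the server.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

BASE_URL = "https://example.com/v2"
USER_SCHEMA = "urn:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:scim:api:messages:2.0:Error"  # assumed draft-era Error message URN
VALID_TOKENS = {"h480djs93hd8"}  # constructed: the bearer value shown on the slide

class ScimServer:
    """In-memory /Users endpoint: create (201), read, replace with If-Match, delete."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")

    @staticmethod
    def _etag(resource):
        """Weak ETag over the representation (minus the version itself), like W/"e180ee84f0671b1"."""
        snapshot = dict(resource)
        snapshot["meta"] = {k: v for k, v in resource["meta"].items() if k != "version"}
        digest = hashlib.sha256(json.dumps(snapshot, sort_keys=True).encode()).hexdigest()
        return 'W/"%s"' % digest[:15]

    @staticmethod
    def _error(status, detail):
        return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}, {}

    def _validate(self, body, current_id=None):
        """Return an error triple for a bad payload, or None."""
        if not isinstance(body, dict) or USER_SCHEMA not in body.get("schemas", []):
            return self._error(400, "payload must declare " + USER_SCHEMA)
        user_name = body.get("userName")
        if not isinstance(user_name, str) or not user_name:
            return self._error(400, "userName is required")
        for uid, user in self.users.items():
            if uid != current_id and user["userName"].lower() == user_name.lower():
                return self._error(409, "userName already in use")  # server-enforced uniqueness
        return None

    def handle(self, method, path, headers=None, body=None):
        """Dispatch one request; returns (status, json_body_or_None, response_headers)."""
        headers = headers or {}
        auth = headers.get("Authorization", "")
        if not (auth.startswith("Bearer ") and auth[len("Bearer "):] in VALID_TOKENS):
            return self._error(401, "missing or invalid bearer token")
        parts = [p for p in path.split("/") if p]
        if parts and parts[0] == "v2":
            parts = parts[1:]
        if not parts or parts[0] != "Users" or len(parts) > 2:
            return self._error(404, "unknown resource")
        user_id = parts[1] if len(parts) == 2 else None
        if method == "POST" and user_id is None:
            return self.create(body)
        if user_id is None:
            return self._error(405, "method not allowed")
        if user_id not in self.users:
            return self._error(404, "no such user")
        if method == "GET":
            return 200, self.users[user_id], {"ETag": self.users[user_id]["meta"]["version"]}
        if method == "PUT":
            return self.replace(user_id, body, headers.get("If-Match"))
        if method == "DELETE":
            del self.users[user_id]
            return 204, None, {}
        return self._error(405, "method not allowed")

    def create(self, body):
        error = self._validate(body)
        if error:
            return error
        new_id = str(uuid.uuid4())  # SP generated id: a client-supplied "id" is ignored
        now = self._now()
        resource = {k: v for k, v in body.items() if k not in ("id", "meta")}
        resource["id"] = new_id
        resource["meta"] = {"resourceType": "User", "created": now, "lastModified": now,
                            "location": "%s/Users/%s" % (BASE_URL, new_id)}
        resource["meta"]["version"] = self._etag(resource)
        self.users[new_id] = resource
        return 201, resource, {"Location": resource["meta"]["location"],
                               "ETag": resource["meta"]["version"]}

    def replace(self, user_id, body, if_match):
        current = self.users[user_id]
        if if_match is not None and if_match != current["meta"]["version"]:
            return self._error(412, "resource was modified since it was read")  # no lost updates
        error = self._validate(body, current_id=user_id)
        if error:
            return error
        resource = {k: v for k, v in body.items() if k not in ("id", "meta")}
        resource["id"] = user_id
        resource["meta"] = dict(current["meta"], lastModified=self._now())
        resource["meta"]["version"] = self._etag(resource)
        self.users[user_id] = resource
        return 200, resource, {"ETag": resource["meta"]["version"]}

if __name__ == "__main__":
    server = ScimServer()
    status, body, resp = server.handle("POST", "/v2/Users", {"Authorization": "Bearer h480djs93hd8"},
        {"schemas": [USER_SCHEMA], "externalId": "bjensen", "userName": "bjensen",
         "name": {"familyName": "Jensen", "givenName": "Barbara"}})
    print(status, resp, json.dumps(body, indent=2))
```

The 409 on a duplicate userName and the 412 on a stale If-Match are the two responses worth testing in any real service provider, since silently accepting either turns a provisioning sync into an overwrite.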
Discovery
• GET /Schemas
  - Defines primary object definitions and extensions
• GET /ResourceTypes
  - Defines available resources
    • endpoint URL, primary schema, schema extensions
• GET /ServiceProviderConfigs
  - Spec compliance
    • Support for bulk, patch, etc…
  - Authentication schemes
    • OAuth, HTTP basic, etc…
Deeper Dive: Extensions
Extending an existing resource type
• The SCIM core schema objects – User and Group – try to cover the common 80%
• Almost always extended by service providers to add custom attributes
• Only two steps required:
  1. Create a new schema that contains the extended attributes
  2. Add the new schema to the schemaExtensions list for the resource type
Extending – Schema
{
  "id" : "urn:grizzle:1.0:ConferenceGoer",
  "name" : "Conference Goer",
  "description" : "Info about a person that attends CIS",
  "attributes" : [{
    "name" : "shirtSize",
    "type" : "string",
    "multiValued" : false,
    "description" : "What conference doesn't have a t-shirt?",
    "required" : false,
    "caseExact" : false,
    "mutability" : "readWrite",
    "returned" : "always",
    "uniqueness" : "server"
  }]
}
Extending – Resource Type
{
"schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
"id":"User",
"name":"User",
"endpoint": "/Users",
"description": "Core User",
"schema": "urn:scim:schemas:core:2.0:User",
"schemaExtensions": [{
"schema": "urn:grizzle:1.0:ConferenceGoer",
"required": false
}
]
}
Slide callout: "schemaExtensions" is where custom extensions are added
Creating a custom resource type
• Completely new resource types may be created to model objects that are unique to the service provider
• Client can use /ResourceTypes endpoint to discover these
• Somewhat common for service providers to implement
• Only two steps required:
  1. Create a new schema that contains the attributes
  2. Create a new resource type that references this schema
Custom resource type – Schema
{
"id" : "urn:grizzle:1.0:BlogPost",
"name" : "Blog Post",
"description" : "A post to a blog",
"attributes" : [{
"name" : "title",
"type" : "string",
"multiValued" : false,
"description" : "The title of the blog post",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "always",
"uniqueness" : "server"
},
... other attributes - id, content, author, date, etc ...
Custom resource type – Resource Type
{
"schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
"id": "BlogPost",
"name": "Blog Post",
"endpoint": "/BlogPosts",
"description": "Posts to a boring blog",
"schema": "urn:grizzle:1.0:BlogPost"
}
Slide callout: "schema" references the custom schema
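Both procedures above, extending an existing resource type (a new schema listed under schemaExtensions) and creating a custom one (a new schema plus a resource type that references it), end with a service provider that must check incoming resources against the declared schemas. The following Python is an added example, not code from the slides or from SailPoint: it registers a constructed subset of the core User schema alongside the ConferenceGoer and BlogPost schemas shown on the slides, registers the User and BlogPost resource types, and validates a resource against them. It checks that "schemas" lists the primary schema, that every other URN there is a declared extension, that extensions marked required are present, and that each attribute matches its definition's type, multiValued and required flags, recursing into complex attributes. Rejecting undeclared URNs and attributes outright is a design choice made here (a service provider may instead ignore them); the schema fields mutability, caseExact, returned and uniqueness are not checked.

```python
# Constructed subset of the core User schema, plus the two custom schemas from the slides.
SCHEMAS = {
    "urn:scim:schemas:core:2.0:User": {"attributes": [
        {"name": "userName", "type": "string", "multiValued": False, "required": True},
        {"name": "name", "type": "complex", "multiValued": False, "required": False,
         "subAttributes": [
             {"name": "familyName", "type": "string", "multiValued": False, "required": False},
             {"name": "givenName", "type": "string", "multiValued": False, "required": False}]},
        {"name": "phoneNumbers", "type": "complex", "multiValued": True, "required": False,
         "subAttributes": [
             {"name": "value", "type": "string", "multiValued": False, "required": True},
             {"name": "type", "type": "string", "multiValued": False, "required": False}]},
    ]},
    "urn:grizzle:1.0:ConferenceGoer": {"attributes": [
        {"name": "shirtSize", "type": "string", "multiValued": False, "required": False}]},
    "urn:grizzle:1.0:BlogPost": {"attributes": [
        {"name": "title", "type": "string", "multiValued": False, "required": True},
        {"name": "content", "type": "string", "multiValued": False, "required": False}]},
}

# Resource types as on the slides: User extended by ConferenceGoer, BlogPost stand-alone.
RESOURCE_TYPES = {
    "User": {"schema": "urn:scim:schemas:core:2.0:User",
             "schemaExtensions": [{"schema": "urn:grizzle:1.0:ConferenceGoer", "required": False}]},
    "BlogPost": {"schema": "urn:grizzle:1.0:BlogPost", "schemaExtensions": []},
}

COMMON = {"schemas", "id", "externalId", "meta"}  # common attributes allowed on every resource

TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "decimal": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "complex": lambda v: isinstance(v, dict),
}

def check_attributes(defs, data, prefix, errors):
    """Check one attribute block (core body, extension block or complex value) against its definitions."""
    by_name = {d["name"]: d for d in defs}
    for name in data:
        if name not in by_name:
            errors.append("%s%s: attribute not defined in schema" % (prefix, name))
    for d in defs:
        path = prefix + d["name"]
        if d["name"] not in data:
            if d.get("required"):
                errors.append("%s: required attribute missing" % path)
            continue
        value = data[d["name"]]
        if d.get("multiValued"):
            if not isinstance(value, list):
                errors.append("%s: must be a list (multiValued)" % path)
                continue
            items = value
        else:
            if isinstance(value, list):
                errors.append("%s: must not be a list (single-valued)" % path)
                continue
            items = [value]
        for item in items:
            if not TYPE_CHECKS[d["type"]](item):
                errors.append("%s: expected %s" % (path, d["type"]))
            elif d["type"] == "complex":
                check_attributes(d.get("subAttributes", []), item, path + ".", errors)

def validate(resource_type_id, resource):
    """Return a list of validation errors; an empty list means the resource is acceptable."""
    errors = []
    rt = RESOURCE_TYPES[resource_type_id]
    primary = rt["schema"]
    declared = {e["schema"]: e["required"] for e in rt["schemaExtensions"]}
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or primary not in schemas:
        return ["schemas must list the primary schema " + primary]
    for urn in schemas:
        if urn != primary and urn not in declared:
            errors.append("%s: not a declared extension of %s" % (urn, resource_type_id))
    for urn, required in declared.items():
        if required and (urn not in schemas or urn not in resource):
            errors.append("%s: required extension missing" % urn)
    # Core attributes sit at top level next to the common ones; extension data is keyed by its URN.
    core_data = {k: v for k, v in resource.items() if k not in COMMON and k not in declared}
    check_attributes(SCHEMAS[primary]["attributes"], core_data, "", errors)
    for urn in declared:
        if urn not in resource:
            continue
        if urn not in schemas:
            errors.append("%s: extension data present but not declared in schemas" % urn)
        if not isinstance(resource[urn], dict):
            errors.append("%s: extension block must be an object" % urn)
            continue
        check_attributes(SCHEMAS[urn]["attributes"], resource[urn], urn + ":", errors)
    return errors
```

Run validate("User", resource) before persisting a POST or PUT body; every string in the returned list maps directly to an attribute path, which is what a 400 response's "detail" should carry back to the client.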
Custom resource type – GET Request
GET /v2/BlogPosts
Host: example.com
Authorization: Bearer h480djs93hd8
Custom resource type – GET Response
HTTP/1.1 200 OK
Content-Type: application/json
{
"schemas": ["urn:scim:api:messages:2.0:ListResponse"],
"totalResults": 5,
"Resources": [{
"id": "281838-af839018e4-8377ba87e90",
"title": "Welcome to my blog!",
"content": "...",
"meta": {
"resourceType": "BlogPost",
"created": "2011-08-01T21:32:44.882Z",
"lastModified": "2011-08-01T21:32:44.882Z",
"location": "https://example.com/v2/BlogPosts/281..."
},
...
How simple is SCIM?
SCIM Core Values
• Simplicity
  - “Make it as simple as possible but no simpler.” – Einstein
• Solving real-world problems
• Ease of implementation by consumers
  - Don’t make it too hard for service providers either
• Support the 80% in the core
  - Extensions for everything else
• Interoperability
How to kick the tires
• Download the UnboundID Reference Server Implementation if you need a server to test against
  - https://www.unboundid.com/resources/scim/
• If you are trying to play with a service provider’s API
  - cURL
  - REST Console (Chrome Extension)
cURL
REST Console
• A Chrome extension that easily allows making REST calls
• Use this if a command line scares you
• There are other alternatives out there
Getting under the hood
• If you want to write a SCIM client or server there are a number of open source libraries
• Most libraries currently support SCIM 1.1 (not 2.0)
• UnboundID SDK
  - Client and server java libraries
  - Most full-featured and well maintained
• python-scim
  - SCIM object models for Python
• scim-query-filter-parser
  - Search filter parsing library for Ruby
• More at http://www.simplecloud.info/#implementations
UnboundID SDK
• Open source and developed by UnboundID
• Recent enhancements to improve client usability
  - https://code.google.com/p/scimsdk/source/detail?r=355
• I prototyped a SCIM server and wrote a library to make server development easier
  - Library cut the lines of code by 68% (down to <300)
  - Needs a bit of work to be ready for prime time
It’s so easy even Mark Diodati can do it!
• Mark wrote a SCIM client while an analyst at Gartner
• Written in Perl
• Reads attributes from a SCIM server and writes to an Excel file
• Reads changes in Excel file and synchronizes them to a SCIM server
Wait … I already have a REST API!
• Option 1: Have a separate URL-space for identity-related SCIM APIs
  - https://example.com/rest/MyObjects
  - https://example.com/rest/scim/Users
• Option 2: Consider using SCIM’s schemas and resource types to define your entire REST API
  - It is already well-defined
  - Supports many data types and references between objects
  - It is self-describing through /Schemas and /ResourceTypes
  - Make use of SCIM libraries for fast implementation
• Just do it! Customers constantly ask for a common API!
What next?
Key take-aways
• Identity and app proliferation = frustration
• SCIM is the only sustainable option that can handle the scale and complexity of provisioning in today’s environments
• Build a standards-based identity infrastructure
  - Provisioning → SCIM
  - Authentication → OpenID Connect or SAML
  - Authorization → OAuth2
What does it mean for me?
• Consider using SCIM for your internal environment
  - Not just a cloud API
• SCIM is a good foundation for any REST API
  - It can be used for more than just identities
• It’s easy to get started if you use the tools that are already available
• Use SCIM 1.1 for now
  - Real-world adoption of SCIM 2.0 will happen in 2015
References
• Start here…
  - http://www.simplecloud.info/
• Get involved here…
  - http://www.ietf.org/mail-archive/web/scim/current/maillist.html
• All of the gory details here…
  - http://datatracker.ietf.org/wg/scim/documents/
  - http://datatracker.ietf.org/doc/draft-ietf-scim-api/
  - http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/
• Implementing a client or server in Java? Start here…
  - https://www.unboundid.com/resources/scim/
• Implementing a client or server in something other than Java? Start here…
  - http://www.simplecloud.info/#implementations
Questions
[email protected]
@kelly_grizzle
http://simplecloud.info