SCIM presentation from CIS 2012
Uploaded by twobo-technologies (category: Technology)
Transcript of SCIM presentation from CIS 2012
Slide 1
Intro to SCIM
Travis Spencer, CEO
Twobo Technologies
Slide 2
The Problem
• Modern systems are massively distributed
• Organizations need to automate user/group management across domain boundaries
• Large cloud providers have their own APIs
• Enterprise-to-enterprise is a dog’s dinner
• Identity is the fly in the integration ointment
Slide 3
The Resulting Reality
• Tactical, bespoke methods that can’t scale
• Expensive integration work & custom development
• Systems maintain isolated silos of user data
• Ex-employees continue accessing resources
• Solution is automation based on open standards
Slide 4
Banding Together to Solve this Problem
• Salesforce, Google, UnboundID, Ping Identity, Sailpoint, Technology Nexus, etc.
• Protocol drafted, tested, and released in 2011
– Q1 – Initial draft of spec
– Q2 – Updated draft discussed at IIW (Internet Identity Workshop)
– Q3 – Consortium formed under the OWF (Open Web Foundation); interop tests at IIW
– Q4 – V. 1 agreed upon by consortium, submitted to IETF
Slide 5
SCIM, a Modern Standard for Automation
• The spec formerly known as Simple Cloud…
• Provisioning API to manage users & groups
• Supports bulk updates for ingest & sync
• Low technical barrier: easy with curl & JavaScript
• Designed with mobile in mind
• Goes hand-in-glove with federation
• Secure access using OAuth 2 et al.
Slide 6
SCIM Specification Set
• Core Schema: User, Groups, Enterprise Extension, Config
• Federation Binding: SAML; OpenID Connect (TBD)
• REST API for CRUD: JSON & XML; response codes
Slide 7
Features of SCIM
• Core schema – models users, groups, etc.
– Defines basic user attributes (name, address, etc.)
• RESTful API – defines CRUD operations to synchronize resources
– JSON and XML data formats
• Federation bindings – SAML, OpenID Connect (OIC) – support JIT provisioning during SSO
– Map the SCIM schema to the federation protocols
Slide 8
Push Provisioning (diagram)
• A SCIM client in the IdP organization performs CRUD of the user object against a SCIM server in the SP organization
• The SCIM server returns a status for each operation
Slide 9
JIT Provisioning (diagram)
• The browser carries the user data in the federation message from the IdP (IdP organization) to the SP (SP organization)
• The SP creates the user on the fly
Slide 10
JIT + Pull (diagram)
• The browser carries an access token in the federation message from the IdP organization to the SP organization
• The SP, acting as SCIM client, calls Get User on the IdP's SCIM server
• The IdP returns the user object and the SP creates the new user
Slide 11
Overview of API
• RESTful
• Specifies well-known endpoints & HTTP methods for managing core resources
– User and group resources correspond to /Users and /Groups, respectively
• Responses are returned in the body of the HTTP messages in JSON or XML format
Slide 12
Authentication and Security
• Spec does not mandate a particular authentication scheme
• OAuth 2 is recommended, but others are not precluded (e.g., HTTP basic)
• Client and server must exchange data over SSL/TLS
(With either scheme the credential on the wire is a replayable bearer secret, so the TLS requirement is what actually protects it; a server that accepts HTTP basic should treat those credentials with the same care as an access token.)
Slide 13
Supported HTTP Verbs
Verb     Meaning
GET      Retrieve a resource
POST     Create a new resource
PUT      Completely update (replace) a resource
PATCH    Partially update a resource
DELETE   Delete a resource
Slide 14
Controlling Responses
• Filter (i.e., search)
– Find specific resources (filter parameter)
– Request a subset of attributes (attributes parameter)
• Sorting
– Sort by (sortBy)
– Sort order (sortOrder: ascending or descending)
• Pagination
– Client maintains the offset and count (startIndex, which is 1-based, and count)
– No server-side cursors (v. 2 probably)
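As an added illustration of the filter, sort and pagination controls on this slide (example code written for this transcript, not from the presentation or any SCIM product), here is a small SCIM 1.x list handler over in-memory users. The user records, the id "u-2"/"u-3" values and MAX_COUNT are constructed assumptions; the first user id is the one printed on the later slides. The point a practitioner should take from it is that the filter is tokenized and parsed into a small AST and then evaluated, never pasted into a backend query, so malformed or injection-style input ends in a 400 rather than in the data layer; the handler also caps count and keeps startIndex 1-based as the spec does. This subset covers eq/co/sw/pr/gt/ge/lt/le with and/or (and binding tighter than or) and leaves grouping parentheses out.

```python
"""SCIM 1.x list queries over an in-memory user set: filter, sortBy/sortOrder, startIndex/count.
Added example, not the presentation's code; USERS is constructed data, MAX_COUNT an assumed cap."""
import re

CORE = "urn:scim:schemas:core:1.0"
MAX_COUNT = 200  # assumed server-side cap so one request cannot dump the whole directory
OPS = {"eq", "co", "sw", "pr", "gt", "ge", "lt", "le"}
USERS = [  # constructed; the first id is the one shown on the slides
    {"id": "2819c223-7f76-453a-919d-413861904646", "userName": "bjensen", "name": {"familyName": "Jensen"},
     "emails": [{"value": "bjensen@example.com", "type": "work"}], "meta": {"created": "2011-08-01T21:32:44Z"}},
    {"id": "u-2", "userName": "jsmith", "name": {"familyName": "Smith"},
     "emails": [{"value": "jsmith@example.com", "type": "work"}], "meta": {"created": "2012-02-10T09:00:00Z"}},
    {"id": "u-3", "userName": "ajones", "name": {"familyName": "Jones"},
     "emails": [{"value": "ajones@example.org", "type": "home"}], "meta": {"created": "2012-05-01T12:00:00Z"}},
]
# Token grammar: double-quoted strings (\" allowed inside) and bare words or numbers.
TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([\w.]+))')


def tokenize(text):
    """The filter is parsed, never interpolated into a backend query; any character outside
    the grammar (the '=' in '... or 1=1', say) is rejected here and surfaces as a 400."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError("malformed filter at offset %d" % pos)
        string, word = m.groups()
        tokens.append(("word", word) if string is None else ("str", string.replace('\\"', '"')))
        pos = m.end()
    return tokens


def parse(tokens):
    """expr := term ('or' term)*; term := factor ('and' factor)*; factor := attr op [value].
    Grouping parentheses are not part of this subset; they fail tokenization as malformed."""
    pos = [0]
    peek = lambda: tokens[pos[0]] if pos[0] < len(tokens) else (None, None)

    def take(kind=None):
        tok = peek()
        if tok[0] is None or (kind and tok[0] != kind):
            raise ValueError("unexpected token %r" % (tok,))
        pos[0] += 1
        return tok

    def chain(sub, keyword):  # left-associative chain joined by 'and' or 'or'
        node = sub()
        while peek() == ("word", keyword):
            take()
            node = (keyword, node, sub())
        return node

    def factor():
        attr, op = take("word")[1], take("word")[1].lower()
        if op not in OPS:
            raise ValueError("unknown operator %r" % op)
        return (op, attr, None if op == "pr" else take()[1])

    node = chain(lambda: chain(factor, "and"), "or")  # 'and' binds tighter than 'or'
    if peek()[0] is not None:
        raise ValueError("trailing tokens in filter")
    return node


def values(resource, path):
    """Resolve a dotted path; list-valued steps such as emails fan out to every element."""
    current = [resource]
    for part in path.split("."):
        found = [item[part] for item in current if isinstance(item, dict) and part in item]
        current = [x for f in found for x in (f if isinstance(f, list) else [f])]
    return current


def matches(node, resource):
    op, left, right = node
    if op in ("and", "or"):
        hit = matches(left, resource)
        return (hit and matches(right, resource)) if op == "and" else (hit or matches(right, resource))
    vals = values(resource, left)
    if op == "pr":
        return bool(vals)
    want = right.lower()  # case-insensitive (caseExact not modelled); gt/lt compare lexically, which suits ISO 8601
    return any({"eq": s == want, "co": want in s, "sw": s.startswith(want), "gt": s > want,
                "ge": s >= want, "lt": s < want, "le": s <= want}[op] for s in (str(v).lower() for v in vals))


def list_users(resources, params):
    """GET /Users?filter=&sortBy=&sortOrder=&startIndex=&count= -> (status, body); bad input is a 400."""
    try:
        ast = parse(tokenize(params["filter"])) if params.get("filter") else None
        hits = [r for r in resources if ast is None or matches(ast, r)]
        if params.get("sortBy"):
            hits.sort(key=lambda r: str((values(r, params["sortBy"]) or [""])[0]).lower(),
                      reverse=params.get("sortOrder") == "descending")
        start = max(1, int(params.get("startIndex", 1)))  # SCIM startIndex is 1-based
        count = max(0, min(int(params.get("count", MAX_COUNT)), MAX_COUNT))
    except ValueError as exc:
        return 400, {"Errors": [{"description": str(exc), "code": "400"}]}
    page = hits[start - 1:start - 1 + count]
    return 200, {"schemas": [CORE], "totalResults": len(hits), "itemsPerPage": len(page),
                 "startIndex": start, "Resources": page}
```

Calling `list_users(USERS, {"filter": 'userName eq "bjensen"'})` returns a 200 with a SCIM 1.x ListResponse (totalResults, itemsPerPage, startIndex, Resources); `list_users(USERS, {"filter": 'userName eq "x" or 1=1'})` returns a 400 with an Errors body because the `=` never tokenizes. When the backing store is a real database, the same AST is what you translate into a parameterized query.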
Slide 15
Extensible Schema
• Protocol defines a core schema used to represent resources of various types
– Modeled after Portable Contacts (PoCo) & others
– Also stipulates how to extend it
• Defines an enterprise extension
– Adds manager, department, organization, etc.
• Others can be created at will
Slide 16
Includes Mapping from Active Directory
Active Directory     SCIM
userPrincipalName    userName
mail                 emails.value (type = work)
givenName            name.givenName
sn                   name.familyName
whenCreated          meta.created
userPassword         password
cn                   displayName
(The slide prints these as email.value@type=work and meta.whenCreated; in the SCIM core schema the attribute is the multi-valued emails, and the creation timestamp is the read-only meta.created sub-attribute. password is write-only: a server accepts it on create or update and never returns it.)
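An added example (written for this transcript, not from the presentation) that applies the slide's mapping to a flat Active Directory entry, including the conversion of whenCreated from AD's GeneralizedTime form into the ISO 8601 timestamp SCIM uses. The AD entry used in the checks is constructed; marking the single mail value as primary and omitting attributes AD did not supply are this example's choices.

```python
"""Flatten an Active Directory entry into a SCIM 1.0 User using the mapping on the slide.
Added example, not the presentation's code; the AD entries it is exercised with are constructed."""
from datetime import datetime

CORE = "urn:scim:schemas:core:1.0"


def ad_time_to_iso8601(value):
    """AD GeneralizedTime such as '20111018203214.0Z' -> SCIM's ISO 8601 '2011-10-18T20:32:14Z'."""
    return datetime.strptime(value.rstrip("Z").split(".")[0], "%Y%m%d%H%M%S").strftime("%Y-%m-%dT%H:%M:%SZ")


def ad_to_scim_user(entry):
    """Map the attributes the slide lists. Attributes AD did not supply are left out rather
    than sent as empty strings, because an empty string on a PUT would overwrite the value."""
    user = {"schemas": [CORE]}
    if "userPrincipalName" in entry:
        user["userName"] = entry["userPrincipalName"]
    name = {scim: entry[ad] for ad, scim in (("givenName", "givenName"), ("sn", "familyName")) if ad in entry}
    if name:
        user["name"] = name
    if "mail" in entry:  # the slide's emails.value with type=work; marked primary since it is the only address
        user["emails"] = [{"value": entry["mail"], "type": "work", "primary": True}]
    if "cn" in entry:
        user["displayName"] = entry["cn"]
    if "whenCreated" in entry:  # meta is read-only on a SCIM server; carried here so a sync job can compare it
        user["meta"] = {"created": ad_time_to_iso8601(entry["whenCreated"])}
    if "userPassword" in entry:  # write-only on the SCIM side: sent on create, never read back
        user["password"] = entry["userPassword"]
    return user
```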
Slide 17
Retrieving User Data

Request:
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

Response:
HTTP/1.1 200 OK
Content-Type: application/json
Location: https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"f250dd84f0671c3"

{
...
"name":{
"formatted":"Ms. Barbara J Jensen III",
"familyName":"Jensen",
"givenName":"Barbara"
},
"userName":"bjensen",
(response body truncated on the slide)

Callouts on the slide:
• The request path carries the user ID; GET = read
• The Location header carries the same user ID
• 200 = successful response
• The attributes are returned in JSON format
Slide 18
Updating a Group with a new Member

PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
ETag: W/"a330bc54f0671c9"

{
"schemas": ["urn:scim:schemas:core:1.0"],
"members": [
{
"display": "Babs Jensen",
"value": "2819c223-7f76-453a…"
}
]
}

Callouts on the slide:
• PATCH = only update what’s changed: the new group member is added, the other members are unchanged
• Secure access using OAuth 2 (the bearer token in the Authorization header)
• The version tag: the slide, like the SCIM 1.1 examples, sends it in an ETag request header, but the HTTP precondition header for this purpose is If-Match; a server that sees a tag that no longer matches the resource should answer 412 Precondition Failed rather than silently overwrite a concurrent change
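To make the GET and PATCH exchanges on the last two slides concrete, here is an added in-memory SCIM 1.x handler (example code written for this transcript, not the presentation's or any vendor's implementation). It uses the ids, base URL and bearer token printed on the slides; the token table, the stored records (including the "Tour Guides" group and its existing member "u-2") and the password value are constructed. It shows what the slides only gesture at: the bearer check done in constant time, the write-only password never appearing in a response, the ETag on GET (with If-None-Match giving a 304), the precondition on PATCH taken from If-Match or, for fidelity with the slide, from an ETag request header, with 412 on a stale tag, and the SCIM 1.x PATCH merge including "operation": "delete" for multi-valued attributes and meta.attributes for removal. Transport is out of scope here; the handler is meant to sit behind TLS only.

```python
"""SCIM 1.x resource handler: bearer auth, ETag on GET, If-Match on PATCH, 1.x PATCH merge.
Added example, not the presentation's or any vendor's code. Token table, stored records and
password are constructed; the ids, base URL and bearer token are the ones printed on the slides."""
import copy
import hashlib
import hmac
import json

CORE = "urn:scim:schemas:core:1.0"
BASE_URL = "https://example.com/v1"            # from the slide's Location header; TLS-only deployment assumed
VALID_TOKENS = {"h480djs93hd8": "prov-client"}  # constructed; a real server would validate OAuth 2 tokens properly
USER_ID, GROUP_ID = "2819c223-7f76-453a-919d-413861904646", "acbf3ae7-8463-4692-b4fd-9b4da3f908ce"
STORE = {
    "Users": {USER_ID: {"schemas": [CORE], "id": USER_ID, "userName": "bjensen", "password": "constructed-secret",
                        "name": {"formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara"}}},
    "Groups": {GROUP_ID: {"schemas": [CORE], "id": GROUP_ID, "displayName": "Tour Guides",
                          "members": [{"value": "u-2", "display": "John Smith"}]}},
}


def error(status, text):
    return status, {"Content-Type": "application/json"}, {"Errors": [{"description": text, "code": str(status)}]}


def client_for(headers):
    """Client name for a valid 'Authorization: Bearer <token>', else None. Only bearer is accepted
    (the spec does not preclude HTTP basic, this server does), and the comparison is constant-time
    so nothing about the token can be learned from response timing."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return next((c for t, c in VALID_TOKENS.items() if hmac.compare_digest(t.encode(), token.strip().encode())), None)


def etag(resource):
    """Weak ETag over the canonical JSON form, so any change to the resource changes the tag."""
    return 'W/"%s"' % hashlib.sha256(json.dumps(resource, sort_keys=True).encode()).hexdigest()[:16]


def public_view(resource):
    view = copy.deepcopy(resource)
    view.pop("password", None)  # write-only in the SCIM schema: accepted on create/update, never returned
    return view


def get(headers, rtype, rid):
    """GET /{rtype}/{rid} -> (status, headers, body), mirroring the slide's exchange."""
    if client_for(headers) is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="scim"'}, None
    resource = STORE.get(rtype, {}).get(rid)
    if resource is None:
        return error(404, "Resource %s not found" % rid)
    tag = etag(resource)
    if headers.get("If-None-Match") == tag:
        return 304, {"ETag": tag}, None
    return 200, {"Content-Type": "application/json", "ETag": tag, "Location": "%s/%s/%s" % (BASE_URL, rtype, rid)}, public_view(resource)


def apply_patch(resource, patch):
    """SCIM 1.x PATCH merge: meta.attributes names attributes to remove; singular attributes are
    replaced; complex ones merged per sub-attribute; multi-valued entries are added/replaced by
    'value', or dropped when marked "operation": "delete". Everything else is left untouched."""
    updated = copy.deepcopy(resource)
    for name in patch.get("meta", {}).get("attributes", []):
        updated.pop(name, None)
    for name, value in patch.items():
        if name in ("schemas", "id", "meta"):  # server-controlled, never taken from the client
            continue
        if isinstance(value, list):
            current = {m.get("value"): m for m in updated.get(name, []) if isinstance(m, dict)}
            for entry in value:
                if entry.get("operation") == "delete":
                    current.pop(entry.get("value"), None)
                else:
                    current[entry.get("value")] = {k: v for k, v in entry.items() if k != "operation"}
            updated[name] = list(current.values())
        elif isinstance(value, dict) and isinstance(updated.get(name), dict):
            updated[name] = {**updated[name], **value}
        else:
            updated[name] = value
    return updated


def patch(headers, rtype, rid, body):
    """PATCH /{rtype}/{rid}. The slide (like the SCIM 1.1 examples) sends the version as an 'ETag'
    request header; HTTP's precondition header is If-Match, so both are honoured, If-Match first.
    A stale tag is a 412 rather than a silent lost update."""
    if client_for(headers) is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="scim"'}, None
    resource = STORE.get(rtype, {}).get(rid)
    if resource is None:
        return error(404, "Resource %s not found" % rid)
    if CORE not in body.get("schemas", []):
        return error(400, "schemas must include %s" % CORE)
    expected = headers.get("If-Match", headers.get("ETag"))
    if expected is not None and expected != etag(resource):
        return error(412, "Resource version mismatch")
    updated = apply_patch(resource, body)
    STORE[rtype][rid] = updated
    return 200, {"Content-Type": "application/json", "ETag": etag(updated),
                 "Location": "%s/%s/%s" % (BASE_URL, rtype, rid)}, public_view(updated)
```

Replaying the slides: `get({"Authorization": "Bearer h480djs93hd8"}, "Users", USER_ID)` returns 200 with the ETag and Location headers and a body without the password; `patch(..., "Groups", GROUP_ID, {"schemas": [CORE], "members": [{"display": "Babs Jensen", "value": USER_ID}]})` with a current If-Match adds Babs Jensen and leaves the existing member alone, while the same call with the slide's literal W/"a330bc54f0671c9" is answered 412.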
Slide 19
SCIM vis-à-vis UserInfo Endpoint in OIC (diagram)
• Actors: Client, User Agent, Authorization Server (AS), Resource Server (RS)
• Base OAuth: 1. Get a token; 2. Read a token; 3. Use a token
• OIC (OpenID Connect) adds the UserInfo endpoint on top of base OAuth; SCIM adds the SCIM API on top of it
Slide 20
What’s Next for SCIM?
• More and more implementations!
• PingOne and UnboundID’s synchronization server are already in the market
• Major SaaS providers are launching this year
• Other IAM vendors releasing soon
• IETF working group has been formed
– Date of completion projected for 2014
– V. 1 is available today
Slide 21
Support SCIM
• SaaS and IdM vendors must implement SCIM for it to solve anything
• Demand standards-based automation of identity; demand SCIM
• Join the IETF mailing list; attend WG meetings
Slide 22
Thank You and More Info
• @travisspencer
• @pingidentity
• simplecloud.info
• travisspencer.com
• 2botech.com
• pingidentity.com