SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think
Kelly Grizzle
Software Architect - SailPoint
Copyright © SailPoint Technologies, Inc. 2013 All rights reserved. 2
Agenda
• What is SCIM?
• Why is it important?
• How is it being used?
• Deeper Dive
• How simple is it?
What is SCIM?
System for Cross-Domain Identity Management
* And yes … it is also simple
What is SCIM?
• SCIM is a standard that defines schema and protocol for identity management.
• Schema
- Users and Groups
- Extensible
- JSON
• Protocol
- REST
- CRUD + Search + Discovery + Bulk
Identity Protocol Landscape
(diagram: Provisioning, Authentication, Authorization)
What problems does SCIM solve?
• How do I keep my organization’s users in sync with service X?
- How do I provision a user account for service X?
- How do I deprovision a user account from service X?
- How do I update an existing account for service X?
• How do I manage groups?
- How do I add or remove users from groups to give them the correct level of access?
- How do I create new groups?
An example speaks 1111101000 words…
POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Authorization: Bearer h480djs93hd8
Content-Length: ...

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}
History Lesson
July ‘10: Conceived at CIS
May ‘11: Work starts under OWF
Dec ‘11: Version 1.0
June/July ‘12: IETF WG chartered; Version 1.1
Late ‘14: Version 2.0
Why is SCIM important?
A typical environment
(diagram: Firewall)
That’s the typical case … Ouch!
• Environments are complex
- Many systems both on-prem and off-prem
• Every system has to deal with identity
- Name, email, title, custom meta-information, entitlements, …
• Identity must be maintained across systems
- Need one-way and often two-way synchronization
• Authorization is often driven from an external system
- Example: Active Directory groups drive groups and permissions in other applications.
Other common pain points
• Mergers and acquisitions
- Need to quickly connect applications after M&A
• BYOA (bring your own app)
- Proliferation of SaaS apps has led to using applications that IT does not even know about
• Mobile
- Another case of BYOA where mobile apps need identity information
How is identity management done?
• Manual hand-entry
- Error prone and slow
• Bulk upload
- High latency – often a one-time operation
• Custom APIs and connectors
- High cost to develop against
- Proprietary to each service provider
• SAML Just-in-Time Provisioning
- No pre-provisioning
- No deprovisioning
And then … there’s SCIM
• Low cost to develop
- Write once and reuse
- Open source libraries
- Well-known and agreed upon standard
• Handles full lifecycle of identity
- Create, update, AND delete
• Real-time
- No waiting for manual intervention
Who else thinks SCIM is important?
How is SCIM being used?
Surprisingly – not just in the cloud
• SCIM was initially created with cloud use cases in mind
• It turns out that a common language to move identities on-premises is really useful
• This is some of the first “real world” adoption of SCIM
• Case study: Large company with 3500 connected applications and 82,000 users moved to SCIM for internal systems
In the enterprise
(diagram: Firewall)
Unsurprisingly – also in the cloud
• SaaS providers have started implementing SCIM for their identity APIs
- Salesforce.com, Cisco Webex, etc…
• Clients call these APIs from an on-premises identity management system to manage identities
Ground to cloud
(diagram: Firewall; SCIM and Proprietary APIs)
Cloud Identity Bridge
• Important when on-premises applications need to be managed from the cloud
• Allows a single, secured SCIM channel through the firewall
• Translates SCIM requests to native APIs behind the firewall
Cloud to ground
(diagram: Firewall, Identity Bridge, Cloud Identity Management Provider, SCIM, Native APIs)
Deeper Dive
Schema
Schema
• Core models for User and Group
• JSON representation
• Extensible
- Extend existing resources (eg – enterprise user)
- Define new resources (eg – role, entitlement, device)
- JSON format for describing schema
- Standard data types and references between objects
http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/
Example: User
{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v1/Users/2819c223...",
    "version": "W\/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    { "value": "555-555-8377", "type": "work" }
  ]
}
Callouts on the slide: Required, Complex, Simple, Multi-valued, Object type
Example: Extended User
{
  "schemas": [
    "urn:scim:schemas:core:2.0:User",
    "urn:scim:schemas:extension:enterprise:2.0:User"
  ],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "userName": "bjensen",
  "urn:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "701984",
    "costCenter": "4130",
    "organization": "Universal Studios",
    "division": "Theme Park",
    "department": "Tour Operations",
    "manager": {
      "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
      "$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d",
      "displayName": "John Smith"
    }
  }
}
Callouts on the slide: Declaration (the extension URN in "schemas"), Use (the extension attributes keyed by that URN)
Deeper Dive
API
Operations
• Create = POST https://example.com/{v}/{resource}
• Read = GET https://example.com/{v}/{resource}/{id}
• Update = PUT https://example.com/{v}/{resource}/{id}
• Delete = DELETE https://example.com/{v}/{resource}/{id}
• *Update = PATCH https://example.com/{v}/{resource}/{id}
• *Search = GET https://example.com/{v}/{resource}?filter={attribute} {op} {value} & sortBy={attributeName} & sortOrder={ascending|descending} & startIndex={start} & count={maxResults}
• *Bulk
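A small client-side helper for the Search operation above, added here as an example rather than code from the slides or from any SCIM library. It assembles the filter, sortBy, sortOrder, startIndex and count parameters shown on the slide and quotes string values the way the SCIM filter grammar requires (JSON-style strings, with `"` and `\` escaped), so a caller-supplied value cannot change the meaning of the filter. The base URL https://example.com/v2 is the one used in the slides.

```python
import re
from urllib.parse import urlencode

BASE = "https://example.com/v2"  # example base URL used throughout the slides
OPS = {"eq", "co", "sw", "pr", "gt", "ge", "lt", "le"}  # SCIM filter operators
ATTR = re.compile(r"[A-Za-z0-9_$.:-]+")  # attribute names and URN-qualified paths


def scim_string(value: str) -> str:
    """Quote a filter value as the JSON-style string the SCIM filter grammar
    expects, escaping backslash and double quote so the value stays a value."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_filter(attribute: str, op: str, value=None) -> str:
    """Return one filter term, e.g. userName eq "bjensen"."""
    if op not in OPS:
        raise ValueError(f"unsupported filter operator: {op!r}")
    if not ATTR.fullmatch(attribute):
        raise ValueError(f"bad attribute name: {attribute!r}")
    if op == "pr":  # "present" takes no value
        return f"{attribute} pr"
    if isinstance(value, bool):  # bool is checked before int on purpose
        return f"{attribute} {op} {str(value).lower()}"
    if isinstance(value, (int, float)):
        return f"{attribute} {op} {value}"
    return f"{attribute} {op} {scim_string(str(value))}"


def search_url(resource: str, attribute: str, op: str, value=None,
               sort_by: str = None, sort_order: str = "ascending",
               start_index: int = 1, count: int = 100) -> str:
    """Assemble GET {BASE}/{resource}?filter=...&startIndex=...&count=...
    (plus sortBy/sortOrder when requested), URL-encoding every parameter."""
    if sort_order not in ("ascending", "descending"):
        raise ValueError(f"bad sortOrder: {sort_order!r}")
    if start_index < 1 or count < 0:
        raise ValueError("startIndex is 1-based and count must be >= 0")
    params = {"filter": build_filter(attribute, op, value),
              "startIndex": start_index, "count": count}
    if sort_by:
        params["sortBy"] = sort_by
        params["sortOrder"] = sort_order
    return f"{BASE}/{resource}?{urlencode(params)}"
```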
Create Request
POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}
Callouts on the slide: Operation, Resource Type, AuthZ, “User” Payload
Create Response
HTTP/1.1 201 Created
Content-Type: application/json
Location: https://example.com/v2/Users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v2/Users/281...",
    "version": "W\/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "Jensen",
    ...
Callouts on the slide: Result code, “Permalink”, SP generated ID
Discovery
• GET /Schemas
- Defines primary object definitions and extensions
• GET /ResourceTypes
- Defines available resources
- endpoint URL, primary schema, schema extensions
• GET /ServiceProviderConfigs
- Spec compliance
- Support for bulk, patch, etc…
- Authentication schemes
- OAuth, HTTP basic, etc…
Deeper Dive
Extensions
Extending an existing resource type
• The SCIM core schema objects – User and Group – try to cover the common 80%
• Almost always extended by service providers to add custom attributes
• Only two steps required:
1. Create a new schema that contains the extended attributes
2. Add the new schema to the schemaExtensions list for the resource type
Extending – Schema
{
"id" : "urn:grizzle:1.0:ConferenceGoer",
"name" : "Conference Goer",
"description" : "Info about a person that attends CIS",
"attributes" : [{
"name" : "shirtSize",
"type" : "string",
"multiValued" : false,
"description" : "What conference doesn't have a t-shirt?",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "always",
"uniqueness" : "server"
}]
}
Extending – Resource Type
{
"schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
"id":"User",
"name":"User",
"endpoint": "/Users",
"description": "Core User",
"schema": "urn:scim:schemas:core:2.0:User",
"schemaExtensions": [{
"schema": "urn:grizzle:1.0:ConferenceGoer",
"required": false
}
]
}
Callout on the slide: Add custom extensions here
Creating a custom resource type
• Completely new resource types may be created to model objects that are unique to the service provider
• Client can use /ResourceTypes endpoint to discover these
• Somewhat common for service providers to implement
• Only two steps required:
1. Create a new schema that contains the attributes
2. Create a new resource type that references this schema
Custom resource type – Schema
{
"id" : "urn:grizzle:1.0:BlogPost",
"name" : "Blog Post",
"description" : "A post to a blog",
"attributes" : [{
"name" : "title",
"type" : "string",
"multiValued" : false,
"description" : "The title of the blog post",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "always",
"uniqueness" : "server"
},
... other attributes - id, content, author, date, etc ...
Custom resource type – Resource Type
{
"schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
"id": "BlogPost",
"name": "Blog Post",
"endpoint": "/BlogPosts",
"description": "Posts to a boring blog",
"schema": "urn:grizzle:1.0:BlogPost"
}
Callout on the slide: Reference the custom schema
Custom resource type – GET Request
GET /v2/BlogPosts
Host: example.com
Authorization: Bearer h480djs93hd8
Custom resource type – GET Response
HTTP/1.1 200 OK
Content-Type: application/json
{
"schemas": ["urn:scim:api:messages:2.0:ListResponse"],
"totalResults": 5,
"Resources": [{
"id": "281838-af839018e4-8377ba87e90",
"title": "Welcome to my blog!",
"content": "...",
"meta": {
"resourceType": "BlogPost",
"created": "2011-08-01T21:32:44.882Z",
"lastModified": "2011-08-01T21:32:44.882Z",
"location": "https://example.com/v2/BlogPosts/281..."
},
...
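The two extension mechanisms just shown (an extension schema added to the User resource type, and a wholly new BlogPost resource type) give a service provider a definition it can validate incoming resources against. The check below is an added example, not code from the slides or from any SCIM library: the schema and resource-type documents are condensed from the slides to the attribute names and "required" flags, and the validator rejects resources that omit the primary schema, carry attributes under a schema URN the resource type does not register, or miss a required attribute.

```python
# Schema and resource-type documents condensed from the slides; only the
# attribute names and "required" flags matter for this check.
SCHEMAS = {
    "urn:scim:schemas:core:2.0:User": {
        "attributes": [{"name": "userName", "required": True}]},
    "urn:grizzle:1.0:ConferenceGoer": {
        "attributes": [{"name": "shirtSize", "required": False}]},
    "urn:grizzle:1.0:BlogPost": {
        "attributes": [{"name": "title", "required": True}]},
}
RESOURCE_TYPES = {
    "User": {"schema": "urn:scim:schemas:core:2.0:User",
             "schemaExtensions": [
                 {"schema": "urn:grizzle:1.0:ConferenceGoer", "required": False}]},
    "BlogPost": {"schema": "urn:grizzle:1.0:BlogPost", "schemaExtensions": []},
}


def validate(resource: dict, resource_type: str) -> list:
    """Return the problems found; an empty list means the resource is
    acceptable for the named resource type."""
    rt = RESOURCE_TYPES.get(resource_type)
    if rt is None:
        return [f"unknown resource type {resource_type}"]
    problems = []
    primary = rt["schema"]
    declared = set(resource.get("schemas", []))
    allowed = {primary} | {e["schema"] for e in rt["schemaExtensions"]}
    if primary not in declared:
        problems.append(f"schemas must include primary schema {primary}")
    for urn in sorted(declared - allowed):
        problems.append(f"schema {urn} is not registered for {resource_type}")
    for ext in rt["schemaExtensions"]:
        urn = ext["schema"]
        if ext["required"] and urn not in declared:
            problems.append(f"required extension {urn} missing from schemas")
        if urn in resource and urn not in declared:
            problems.append(f"extension {urn} used but not listed in schemas")
    # Core attributes sit at the top level of the resource; extension
    # attributes sit under the extension URN, as in the extended-user slide.
    for urn in sorted(declared & allowed):
        container = resource if urn == primary else resource.get(urn, {})
        for attr in SCHEMAS[urn]["attributes"]:
            if attr["required"] and attr["name"] not in container:
                problems.append(f"{urn}:{attr['name']} is required")
    return problems
```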
How simple is SCIM?
SCIM Core Values
• Simplicity
- “Make it as simple as possible but no simpler.” - Einstein
• Solving real-world problems
• Ease of implementation by consumers
- Don’t make it too hard for service providers either
• Support the 80% in the core
- Extensions for everything else
• Interoperability
How to kick the tires
• Download the UnboundID Reference Server Implementation if you need a server to test against
- https://www.unboundid.com/resources/scim/
• If you are trying to play with a service provider’s API
- cURL
- REST Console (Chrome Extension)
cURL
REST Console
• A Chrome extension that easily allows making REST calls
• Use this if a command line scares you
• There are other alternatives out there
Getting under the hood
• If you want to write a SCIM client or server there are a number of open source libraries
• Most libraries currently support SCIM 1.1 (not 2.0)
• UnboundID SDK
- Client and server java libraries
- Most full-featured and well maintained
• python-scim
- SCIM object models for Python
• scim-query-filter-parser
- Search filter parsing library for Ruby
• More at http://www.simplecloud.info/#implementations
UnboundID SDK
• Open source and developed by UnboundID
• Recent enhancements to improve client usability
- https://code.google.com/p/scimsdk/source/detail?r=355
• I prototyped a SCIM server and wrote a library to make server development easier
- Library cut the lines of code by 68% (down to <300)
- Needs a bit of work to be ready for prime time
It’s so easy even Mark Diodati can do it!
• Mark wrote a SCIM client while an analyst at Gartner
• Written in Perl
• Reads attributes from a SCIM server and writes to an Excel file
• Reads changes in Excel file and synchronizes them to a SCIM server
Wait … I already have a REST API!
• Option 1: Have a separate URL-space for identity-related SCIM APIs
- https://example.com/rest/MyObjects
- https://example.com/rest/scim/Users
• Option 2: Consider using SCIM’s schemas and resource types to define your entire REST API
- It is already well-defined
- Supports many data types and references between objects
- It is self-describing through /Schemas and /ResourceTypes
- Make use of SCIM libraries for fast implementation
• Just do it! Customers constantly ask for a common API!
What next?
Key take-aways
• Identity and app proliferation = frustration
• SCIM is the only sustainable option that can handle the scale and complexity of provisioning in today’s environments
• Build a standards-based identity infrastructure
- Provisioning: SCIM
- Authentication: OpenID Connect or SAML
- Authorization: OAuth2
What does it mean for me?
• Consider using SCIM for your internal environment
- Not just a cloud API
• SCIM is a good foundation for any REST API
- It can be used for more than just identities
• It’s easy to get started if you use the tools that are already available
• Use SCIM 1.1 for now
- Real-world adoption of SCIM 2.0 will happen in 2015
References
• Start here…
- http://www.simplecloud.info/
• Get involved here…
- http://www.ietf.org/mail-archive/web/scim/current/maillist.html
• All of the gory details here…
- http://datatracker.ietf.org/wg/scim/documents/
- http://datatracker.ietf.org/doc/draft-ietf-scim-api/
- http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/
• Implementing a client or server in Java? Start here…
- https://www.unboundid.com/resources/scim/
• Implementing a client or server in not Java? Start here…
- http://www.simplecloud.info/#implementations
[email protected]
@kelly_grizzle
http://simplecloud.info