CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

Transcript
Page 1: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

SCIM: Why It’s More Important, and More Simple, Than You Think
Kelly Grizzle, Software Architect - SailPoint

Page 2: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

Copyright © SailPoint Technologies, Inc. 2013 All rights reserved. 2

Agenda

• What is SCIM?
• Why is it important?
• How is it being used?
• Deeper Dive
• How simple is it?

Page 3: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

What is SCIM?

Page 4: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


System for Cross-Domain Identity Management

* And yes … it is also simple

Page 5: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


What is SCIM?

• SCIM is a standard that defines a schema and a protocol for identity management.

• Schema
  - Users and Groups
  - Extensible
  - JSON

• Protocol
  - REST
  - CRUD + Search + Discovery + Bulk

Page 6: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Identity Protocol Landscape

(Diagram labels: Provisioning, Authentication, Authorization)

Page 7: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


What problems does SCIM solve?

• How do I keep my organization’s users in sync with service X?
  - How do I provision a user account for service X?
  - How do I deprovision a user account from service X?
  - How do I update an existing account for service X?

• How do I manage groups?
  - How do I add or remove users from groups to give them the correct level of access?
  - How do I create new groups?

Page 8: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


An example speaks 1111101000 words…

POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Authorization: Bearer h480djs93hd8
Content-Length: ...

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}

Page 9: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


History Lesson

July ‘10 Conceived at CIS

May ‘11 Work starts under OWF

Dec ‘11 Version 1.0

June/July ‘12 IETF WG chartered Version 1.1

Late ‘14 Version 2.0

Page 10: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

Why is SCIM important?

Page 11: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


A typical environment

(Diagram label: Firewall)

Page 12: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


That’s the typical case … Ouch!

• Environments are complex
  - Many systems, both on-prem and off-prem

• Every system has to deal with identity
  - Name, email, title, custom meta-information, entitlements, …

• Identity must be maintained across systems
  - Need one-way and often two-way synchronization

• Authorization is often driven from an external system
  - Example: Active Directory groups drive groups and permissions in other applications.

Page 13: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Other common pain points

• Mergers and acquisitions
  - Need to quickly connect applications after M&A

• BYOA (bring your own app)
  - Proliferation of SaaS apps has led to using applications that IT does not even know about

• Mobile
  - Another case of BYOA where mobile apps need identity information

Page 14: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


How is identity management done?

• Manual hand-entry
  - Error prone and slow

• Bulk upload
  - High latency – often a one-time operation

• Custom APIs and connectors
  - High cost to develop against
  - Proprietary to each service provider

• SAML Just-in-Time Provisioning
  - No pre-provisioning
  - No deprovisioning

Page 15: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


And then … there’s SCIM

• Low cost to develop
  - Write once and reuse
  - Open source libraries
  - Well-known and agreed-upon standard

• Handles the full lifecycle of identity
  - Create, update, AND delete

• Real-time
  - No waiting for manual intervention

Page 16: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Who else thinks SCIM is important?

Page 17: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

How is SCIM being used?

Page 18: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Surprisingly – not just in the cloud

• SCIM was initially created with cloud use cases in mind
• It turns out that a common language to move identities on-premises is really useful
• This is some of the first “real world” adoption of SCIM
• Case study: Large company with 3500 connected applications and 82,000 users moved to SCIM for internal systems

Page 19: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


In the enterprise

(Diagram label: Firewall)

Page 20: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Unsurprisingly – also in the cloud

• SaaS providers have started implementing SCIM for their identity APIs
  - Salesforce.com, Cisco Webex, etc…
• Clients call these APIs from an on-premises identity management system to manage identities

Page 21: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Ground to cloud

(Diagram labels: Firewall, SCIM, Proprietary)

Page 22: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Cloud Identity Bridge

• Important when on-premises applications need to be managed from the cloud
• Allows a single, secured SCIM channel through the firewall
• Translates SCIM requests to native APIs behind the firewall

Page 23: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Cloud to ground

(Diagram labels: Firewall, Identity Bridge, Cloud Identity Management Provider, SCIM, Native APIs)

Page 24: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

Deeper Dive: Schema

Page 25: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Schema

• Core models for User and Group
• JSON representation
• Extensible
  - Extend existing resources (e.g. enterprise user)
  - Define new resources (e.g. role, entitlement, device)
  - JSON format for describing schema
  - Standard data types and references between objects

http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/

Page 26: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Example: User

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v1/Users/2819c223...",
    "version": "W\/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    {
      "value": "555-555-8377",
      "type": "work"
    }
  ]
}

(Slide callouts: Required, Complex, Simple, Multi-valued, Object type)

Page 27: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Example: Extended User

{
  "schemas": ["urn:scim:schemas:core:2.0:User",
              "urn:scim:schemas:extension:enterprise:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "userName": "bjensen",
  "urn:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "701984",
    "costCenter": "4130",
    "organization": "Universal Studios",
    "division": "Theme Park",
    "department": "Tour Operations",
    "manager": {
      "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
      "$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d",
      "displayName": "John Smith"
    }
  }
}

(Slide callouts: Declaration, Use)

Page 28: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

Deeper Dive: API

Page 29: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Operations

• Create = POST https://example.com/{v}/{resource}
• Read = GET https://example.com/{v}/{resource}/{id}
• Update = PUT https://example.com/{v}/{resource}/{id}
• Delete = DELETE https://example.com/{v}/{resource}/{id}
• *Update = PATCH https://example.com/{v}/{resource}/{id}
• *Search = GET https://example.com/{v}/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending|descending}&startIndex={start}&count={maxResults}
• *Bulk
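The filter parameter above is client-supplied text that a service provider has to parse on every search. The following is an added example, not code from the slides or from any SCIM library: a strict parser and in-memory evaluator for "{attribute} {op} {value}" filters, extended to comparisons chained with "and"/"or". The sample users are constructed, and the operator subset (eq, ne, co, sw, pr) and the no-parentheses grammar are this example's assumptions.

```python
import re
# Added example, not from the slides or from any SCIM library: a strict parser and
# in-memory evaluator for the Operations slide's filter={attribute} {op} {value},
# extended to comparisons chained with "and"/"or" ("and" binds tighter; no parentheses).
# The filter becomes a small structure evaluated in code, so the client-supplied string
# never reaches a backend query, and anything outside the grammar raises ValueError.
TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([\w.:$-]+))')  # quoted value or bare word
OPS = {"eq", "ne", "co", "sw", "pr"}  # the subset of SCIM comparison operators handled here

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        pos = m.end()
        tokens.append(("str", m.group(1)) if m.group(1) is not None else ("word", m.group(2)))
    return tokens

def parse(tokens):  # returns 'or' groups, each a list of (op, attr, value) joined by 'and'
    groups, i = [[]], 0
    while i < len(tokens):
        if i + 1 >= len(tokens) or tokens[i][0] != "word" or tokens[i + 1][0] != "word":
            raise ValueError(f"expected '<attribute> <operator>' at token {i}")
        attr, op, value, i = tokens[i][1], tokens[i + 1][1].lower(), None, i + 2  # ops are case-insensitive
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        if op != "pr":  # every operator except "present" takes a quoted value
            if i >= len(tokens) or tokens[i][0] != "str":
                raise ValueError(f"operator {op!r} needs a quoted value")
            value, i = tokens[i][1], i + 1
        groups[-1].append((op, attr, value))
        if i < len(tokens):
            logical = tokens[i][1].lower() if tokens[i][0] == "word" else None
            if logical not in ("and", "or"):
                raise ValueError(f"expected 'and' or 'or', got {tokens[i][1]!r}")
            groups += [[]] if logical == "or" else []  # 'or' starts a new group
            i += 1
    if not groups[-1]:
        raise ValueError("empty filter or trailing logical operator")
    return groups

def lookup(resource, path):  # dotted path such as name.familyName; attribute names are case-insensitive
    for part in path.lower().split("."):
        resource = next((v for k, v in resource.items() if k.lower() == part), None) if isinstance(resource, dict) else None
    return resource

def compare(comparison, resource):
    op, attr, value = comparison
    actual = lookup(resource, attr)
    if op == "pr":
        return actual not in (None, "", [])
    # a multi-valued attribute matches if any element does; complex elements compare their "value"
    elements = actual if isinstance(actual, list) else [actual]
    elements = [str(e.get("value") if isinstance(e, dict) else e).lower() for e in elements if e is not None]
    value = value.lower()  # caseExact from the schema would govern this in a full implementation
    return {"eq": value in elements, "ne": value not in elements, "co": any(value in e for e in elements),
            "sw": any(e.startswith(value) for e in elements)}[op]

USERS = [  # constructed sample resources shaped like the deck's User examples
    {"userName": "bjensen", "name": {"familyName": "Jensen"}, "emails": [{"value": "bjensen@example.com", "type": "work"}]},
    {"userName": "jsmith", "name": {"familyName": "Smith"}, "title": "Manager"}]

def search(resources, filter_text):  # a resource matches when any 'or' group has all of its 'and' terms true
    groups = parse(tokenize(filter_text))
    return [r for r in resources if any(all(compare(c, r) for c in g) for g in groups)]
```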

Page 30: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Create Request

POST /v2/Users HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}

(Slide callouts: Operation, Resource Type, AuthZ, “User” Payload)

Page 31: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Create Response

HTTP/1.1 201 Created
Content-Type: application/json
Location: https://example.com/v2/Users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v2/Users/281...",
    "version": "W\/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "Jensen",
    ...

(Slide callouts: Result code, “Permalink”, SP generated ID)

Page 32: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Discovery

• GET /Schemas
  - Defines primary object definitions and extensions

• GET /ResourceTypes
  - Defines available resources
    • endpoint URL, primary schema, schema extensions

• GET /ServiceProviderConfigs
  - Spec compliance
    • Support for bulk, patch, etc…
  - Authentication schemes
    • OAuth, HTTP basic, etc…

Page 33: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

Deeper Dive: Extensions

Page 34: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Extending an existing resource type

• The SCIM core schema objects – User and Group – try to cover the common 80%

• Almost always extended by service providers to add custom attributes

• Only two steps required:
  1. Create a new schema that contains the extended attributes
  2. Add the new schema to the schemaExtensions list for the resource type

Page 35: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Extending – Schema

{
  "id" : "urn:grizzle:1.0:ConferenceGoer",
  "name" : "Conference Goer",
  "description" : "Info about a person that attends CIS",
  "attributes" : [{
    "name" : "shirtSize",
    "type" : "string",
    "multiValued" : false,
    "description" : "What conference doesn't have a t-shirt?",
    "required" : false,
    "caseExact" : false,
    "mutability" : "readWrite",
    "returned" : "always",
    "uniqueness" : "server"
  }]
}

Page 36: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Extending – Resource Type

{
  "schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
  "id": "User",
  "name": "User",
  "endpoint": "/Users",
  "description": "Core User",
  "schema": "urn:scim:schemas:core:2.0:User",
  "schemaExtensions": [{
    "schema": "urn:grizzle:1.0:ConferenceGoer",
    "required": false
  }]
}

(Slide callout on schemaExtensions: Add custom extensions here)
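Once the schema and the resource type are both published, the service provider can hold every inbound User to them before storing it. Added example, not code from the slides, SailPoint or any SCIM library: a validator that takes the ConferenceGoer schema and the User resource type above (trimmed to the fields it uses) plus a constructed fragment of the core User schema, and reports undeclared attributes, wrong types, missing required attributes and extension data whose URN is not listed in "schemas". validate() works for any resource type, including custom ones like the BlogPost type the deck defines next.

```python
# Added example, not the slide deck's or any library's code: the service-provider
# check that the two "Extending" steps make possible, run on an inbound User before
# it is stored. ConferenceGoer and the User resource type are the slides' (trimmed to
# the fields used); the core User schema is a constructed fragment of the real one.
CORE_USER = {"id": "urn:scim:schemas:core:2.0:User", "attributes": [
    {"name": "userName", "type": "string", "multiValued": False, "required": True},
    {"name": "name", "type": "complex", "multiValued": False, "required": False, "subAttributes": [
        {"name": "familyName", "type": "string", "multiValued": False, "required": False}]},
    {"name": "active", "type": "boolean", "multiValued": False, "required": False}]}
CONFERENCE_GOER = {"id": "urn:grizzle:1.0:ConferenceGoer", "attributes": [
    {"name": "shirtSize", "type": "string", "multiValued": False, "required": False}]}
USER_TYPE = {"id": "User", "schema": CORE_USER["id"],
             "schemaExtensions": [{"schema": CONFERENCE_GOER["id"], "required": False}]}
SCHEMAS = {s["id"]: s for s in (CORE_USER, CONFERENCE_GOER)}
COMMON = {"schemas", "id", "externalId", "meta"}  # attributes every SCIM resource carries

def type_ok(value, scim_type):
    if scim_type == "integer":
        return isinstance(value, int) and not isinstance(value, bool)  # bool is an int in Python
    return isinstance(value, {"string": str, "boolean": bool, "complex": dict}.get(scim_type, object))

def check_attrs(data, attr_defs, where, errors):
    # one object (core attributes, an extension block or a complex value) against its attribute list
    if not isinstance(data, dict):
        errors.append(f"{where or 'resource'}: expected an object")
        return
    defs = {a["name"].lower(): a for a in attr_defs}  # SCIM attribute names are case-insensitive
    present = {k.lower() for k in data}
    for a in attr_defs:
        if a.get("required") and a["name"].lower() not in present:
            errors.append(f"{where}{a['name']}: required attribute missing")
    for key, value in data.items():
        a = defs.get(key.lower())
        if a is None:  # undeclared attribute: reject instead of silently storing it
            errors.append(f"{where}{key}: not declared in schema")
        elif bool(a.get("multiValued")) != isinstance(value, list):
            errors.append(f"{where}{key}: multiValued={bool(a.get('multiValued'))} but got {type(value).__name__}")
        else:
            for element in (value if a.get("multiValued") else [value]):
                if not type_ok(element, a["type"]):
                    errors.append(f"{where}{key}: expected {a['type']}")
                elif a["type"] == "complex":
                    check_attrs(element, a.get("subAttributes", []), f"{where}{key}.", errors)

def validate(resource, resource_type):
    # returns the list of problems; an empty list means the body may be accepted
    errors, core = [], {}
    declared = {resource_type["schema"]} | {e["schema"] for e in resource_type.get("schemaExtensions", [])}
    listed = set(resource.get("schemas", []))
    if resource_type["schema"] not in listed:
        errors.append("schemas: primary schema not listed")
    for urn in sorted(listed - declared):
        errors.append(f"schemas: {urn} is not declared for resource type {resource_type['id']}")
    for ext in resource_type.get("schemaExtensions", []):
        if ext["required"] and ext["schema"] not in resource:
            errors.append(f"{ext['schema']}: required extension missing")
    for key, value in resource.items():
        if key in declared:  # extension block keyed by its URN
            if key not in listed:
                errors.append(f"{key}: extension data present but URN not listed in schemas")
            check_attrs(value, SCHEMAS[key]["attributes"], key + ":", errors)
        elif key not in COMMON:
            core[key] = value
    check_attrs(core, SCHEMAS[resource_type["schema"]]["attributes"], "", errors)
    return errors
```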

Page 37: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Creating a custom resource type

• Completely new resource types may be created to model objects that are unique to the service provider
• Clients can use the /ResourceTypes endpoint to discover these
• Somewhat common for service providers to implement
• Only two steps required:
  1. Create a new schema that contains the attributes
  2. Create a new resource type that references this schema

Page 38: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Custom resource type – Schema

{
  "id" : "urn:grizzle:1.0:BlogPost",
  "name" : "Blog Post",
  "description" : "A post to a blog",
  "attributes" : [{
    "name" : "title",
    "type" : "string",
    "multiValued" : false,
    "description" : "The title of the blog post",
    "required" : true,
    "caseExact" : false,
    "mutability" : "readWrite",
    "returned" : "always",
    "uniqueness" : "server"
  },
  ... other attributes - id, content, author, date, etc ...

Page 39: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Custom resource type – Resource Type

{
  "schemas": ["urn:scim:schemas:core:2.0:ResourceType"],
  "id": "BlogPost",
  "name": "Blog Post",
  "endpoint": "/BlogPosts",
  "description": "Posts to a boring blog",
  "schema": "urn:grizzle:1.0:BlogPost"
}

(Slide callout on "schema": Reference the custom schema)

Page 40: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Custom resource type – GET Request

GET /v2/BlogPosts
Host: example.com
Authorization: Bearer h480djs93hd8

Page 41: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Custom resource type – GET Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "schemas": ["urn:scim:api:messages:2.0:ListResponse"],
  "totalResults": 5,
  "Resources": [{
    "id": "281838-af839018e4-8377ba87e90",
    "title": "Welcome to my blog!",
    "content": "...",
    "meta": {
      "resourceType": "BlogPost",
      "created": "2011-08-01T21:32:44.882Z",
      "lastModified": "2011-08-01T21:32:44.882Z",
      "location": "https://example.com/v2/BlogPosts/281..."
    },
  ...

Page 42: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

How simple is SCIM?

Page 43: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


SCIM Core Values

• Simplicity
  - “Make it as simple as possible but no simpler.” - Einstein

• Solving real-world problems

• Ease of implementation by consumers
  - Don’t make it too hard for service providers either

• Support the 80% in the core
  - Extensions for everything else

• Interoperability

Page 44: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


How to kick the tires

• Download the UnboundID Reference Server Implementation if you need a server to test against
  - https://www.unboundid.com/resources/scim/

• If you are trying to play with a service provider’s API
  - cURL
  - REST Console (Chrome Extension)

Page 45: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


cURL

Page 46: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


REST Console

• A Chrome extension that easily allows making REST calls
• Use this if a command line scares you
• There are other alternatives out there

Page 47: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Getting under the hood

• If you want to write a SCIM client or server there are a number of open source libraries
• Most libraries currently support SCIM 1.1 (not 2.0)
• UnboundID SDK
  - Client and server Java libraries
  - Most full-featured and well maintained
• python-scim
  - SCIM object models for Python
• scim-query-filter-parser
  - Search filter parsing library for Ruby
• More at http://www.simplecloud.info/#implementations

Page 48: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


UnboundID SDK

• Open source and developed by UnboundID
• Recent enhancements to improve client usability
  - https://code.google.com/p/scimsdk/source/detail?r=355
• I prototyped a SCIM server and wrote a library to make server development easier
  - Library cut the lines of code by 68% (down to <300)
  - Needs a bit of work to be ready for prime time

Page 49: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


It’s so easy even Mark Diodati can do it!

• Mark wrote a SCIM client while an analyst at Gartner
• Written in Perl
• Reads attributes from a SCIM server and writes them to an Excel file
• Reads changes in the Excel file and synchronizes them to a SCIM server

Page 50: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Wait … I already have a REST API!

• Option 1: Have a separate URL-space for identity-related SCIM APIs
  - https://example.com/rest/MyObjects
  - https://example.com/rest/scim/Users

• Option 2: Consider using SCIM’s schemas and resource types to define your entire REST API
  - It is already well-defined
  - Supports many data types and references between objects
  - It is self-describing through /Schemas and /ResourceTypes
  - Make use of SCIM libraries for fast implementation

• Just do it! Customers constantly ask for a common API!

Page 51: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think

What next?

Page 52: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Key take-aways

• Identity and app proliferation = frustration
• SCIM is the only sustainable option that can handle the scale and complexity of provisioning in today’s environments
• Build a standards-based identity infrastructure
  - Provisioning → SCIM
  - Authentication → OpenID Connect or SAML
  - Authorization → OAuth2

Page 53: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


What does it mean for me?

• Consider using SCIM for your internal environment
  - Not just a cloud API

• SCIM is a good foundation for any REST API
  - It can be used for more than just identities

• It’s easy to get started if you use the tools that are already available

• Use SCIM 1.1 for now
  - Real-world adoption of SCIM 2.0 will happen in 2015

Page 54: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


References

• Start here…
  - http://www.simplecloud.info/
• Get involved here…
  - http://www.ietf.org/mail-archive/web/scim/current/maillist.html
• All of the gory details here…
  - http://datatracker.ietf.org/wg/scim/documents/
  - http://datatracker.ietf.org/doc/draft-ietf-scim-api/
  - http://datatracker.ietf.org/doc/draft-ietf-scim-core-schema/
• Implementing a client or server in Java? Start here…
  - https://www.unboundid.com/resources/scim/
• Implementing a client or server in something other than Java? Start here…
  - http://www.simplecloud.info/#implementations

Page 55: CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think


Questions

[email protected]
@kelly_grizzle
http://simplecloud.info