470 likes | 589 Views
IETF 84 SCIM System for Cross-domain Identity Management. Kelly Grizzle kelly.grizzle@sailpoint.com. Agenda. Overview What problem does SCIM solve? What is SCIM? History Lesson Deeper Dive Schema Protocol Security Other areas in charter: bindings, targeting What’s Next?.
E N D
IETF 84SCIMSystem for Cross-domain Identity Management Kelly Grizzle kelly.grizzle@sailpoint.com
Agenda • Overview • What problem does SCIM solve? • What is SCIM? • History Lesson • Deeper Dive • Schema • Protocol • Security • Other areas in charter: bindings, targeting • What’s Next?
What is the problem? • How do I keep my organization’s users in sync with service X? • How do I provision a user account for service X? • How do I deprovision a user account from service X? • How do I update an existing account for service X? • How do I manage groups? • How do I add or remove users from groups to give them the correct level of access? • How do I create new groups?
What is a user? dn: cn=HomeJSimpson,o=domain-name cn: HomerJSimpson objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson mail: HJSimpson@burnsco.com givenname: Homer sn: Simpson postalAddress: 742 Evergreen Terrace l: Springfield st: Kentsouri postalCode: 01234 telephoneNumber: (888) 555-1111 jpegPhoto: http://www.simpsons.com/homer.jpg …
How do we do it today? X X X X X X X X X And, there is always schema-mapping to deal with…
What is SCIM? • SCIM is a standard that defines schema and protocol for identity management. • Schema • Core representations of users and groups • Extensible • JSON/XML* • Protocol • REST, HTTP, Synchronous • CRUD + Search* + Discovery + Bulk* • And more cool stuff… • The “S” word
An example speaks 1111101000 words… POST /v1/Users HTTP/1.1 Host: example.com Accept: application/json Content-Type: application/json Authorization: Bearer h480djs93hd8 Content-Length: ... { "schemas": ["urn:scim:schemas:core:1.0"], "externalId": "bjensen", "userName":"bjensen", "name": { "familyName": "Jensen", "givenName": "Barbara" } }
History Lesson • July 2010: Conceived at Cloud Identity Summit • May 2011: Officially began at IIW 12 • Oct 2011 – May 2012: 3 interop events with 9 vendors (open source and proprietary) • Dec 2011: Released 1.0 specification under OWF(Open Web Foundation) • March 2012: BoF at IETF 83 • June 2012: WG chartered • July 2012: 1.1 specification released under OWF • August 3, 2012: Here we are … first WG meeting
Deeper Dive • Schema • Protocol • Security • SAML and LDAP bindings • Targeting
Schema • Core models for User and Group • JSON and XML* representations • Extensibility • Extend existing resources (eg – enterprise user) • Define new resources (eg – role) • http://tools.ietf.org/html/draft-scim-core-schema-00
Simple Structure • A resource is: • An attribute container • Name spaced • An attribute is: • Simple or complex • Single or multi-valued
Example: User { "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "bjensen", "meta": { "created": "2011-08-01T18:29:49.793Z", "lastModified": "2011-08-01T18:29:49.793Z", "location": "https://example.com/v1/Users/2819c223...", "version": "W\/\"f250dd84f0671c3\" }, "name": { "formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara" }, "userName": "bjensen", "phoneNumbers": [ { "value": "555-555-8377", "type": "work" } ] } Required Complex Simple Complex multi-valued
Example: Extended User { "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"], "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "bjensen", "userName": "bjensen", "urn:scim:schemas:extension:enterprise:1.0": { "employeeNumber": "701984", "costCenter": "4130", "organization": "Universal Studios", "division": "Theme Park", "department": "Tour Operations", "manager": { "managerId": "26118915-6090-4610-87e4-49d8ca9f808d", "displayName": "John Smith“ } } } Declaration Use
Example: Group { "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d-413861904646", "displayName": "Tour Guides", "members": [ { "value": "2819c223-7f76-453a-919d-413861904646", "displayName": "Babs Jensen", "type": "User" }, { "value": "2819c223-7f76-453a-919d-413861904646", "displayName": "Mandy Pepperidge", "type": "User" } ] } Type (User|Group) Optional & Read-only
Protocol • REST, HTTP, Synchronous • CRUD + Search* + Discovery + Bulk* • Simple MTI, Complex optional • Extensible*, Versioned • “cURL” friendly • http://tools.ietf.org/html/draft-scim-api-00
Operations • Create = POST https://example.com/{v}/{resource} • Read = GET https://example.com/{v}/{resource}/{id} • Update = PUT https://example.com/{v}/{resource}/{id} • Delete = DELETE https://example.com/{v}/{resource}/{id} • *Update = PATCH https://example.com/{v}/{resource}/{id} • *Search = GET https://example.com/{v}/{resource}? filter={attribute} {op} {value} & sortBy={attributeName} & sortOrder={ascending|descending} & startIndex={start} & count={maxResults} • *Bulk
Discovery • GET /Schemas • Introspect resources and attribute extensions • GET /ServiceProviderConfigs • Spec compliance • Support for bulk, patch, etc… • Authentication schemes • OAuth, HTTP basic, etc… • Data formats • Support XML?
Create Request Operation Resource Type POST /v1/Users HTTP/1.1 Host: example.com Accept: application/json Authorization: Bearer h480djs93hd8 { "schemas": ["urn:scim:schemas:core:1.0"], "externalId": "bjensen", "userName":"bjensen", "name": { "familyName": "Jensen", "givenName": "Barbara" } } Format AuthZ “User” Payload
Create Response Result code Format “Permalink” HTTP/1.1 201 Created Content-Type: application/json Location: https://example.com/v1/Users/281... ETag: W/"e180ee84f0671b1" { "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "bjensen", "meta": { "created": "2011-08-01T21:32:44.882Z", "lastModified": "2011-08-01T21:32:44.882Z", "location": "https://example.com/v1/Users/281...", "version": "W\/\"e180ee84f0671b1\"" }, "name":{ "familyName":"Jensen", "givenName":"Barbara" }, "userName":"bjensen" } SP generated ID
Get Request Operation Resource Type Format Stable ID GET /v1/Users/2819c223-7f76-453a-919d-413861904646.json Host: example.com Authorization: Bearer h480djs93hd8
Get Response Result code Format “Permalink” SP ID HTTP/1.1 200 OK Content-Type: application/json Location: https://example.com/v1/Users/281... ETag: W/"e180ee84f0671b1" { "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "bjensen", "meta": { "created": "2011-08-01T21:32:44.882Z", "lastModified": "2011-08-01T21:32:44.882Z", "location": "https://example.com/v1/Users/281...", "version": "W\/\"e180ee84f0671b1\"" }, "name":{ "familyName":"Jensen", "givenName":"Barbara" }, "userName":"bjensen" }
Search Request Operation Resource Type URL encoded filter GET /v1/Users?filter=title pr and userTypeeq "Employee" &sortBy=title &sortOrder=ascending &attributes=title,username &startIndex=11 &count=10 Host: example.com Accept: application/json Authorization: Bearer h480djs93hd8 Sorting Partial results Index-based pagination
Search Response Users { "schemas": ["urn:scim:schemas:core:1.0"], "totalResults": 2, "Resources": [ { "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97", "title": "Assistant VP", "userName": "bjensen" }, { "id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57", "title": "VP", "userName": "jsmith" } ] } SP ID ever present Pagination
PATCH and Bulk • PATCH • Allows providing partial updates to resources • May be important if modifying a large multi-valued attribute on a resource (eg – group members) • Bulk • Allows performing many operations at once • Useful for synchronizing data into a service provider • Both are optional
Protocol Extensibility • Version in URL • https://example.com/{version}/{resource} • Follow RESTfulprinciples • Additional URL arguments • Additional resource endpoints
XML Schema • XML XSD • Core • Resource, User, Group • Payload wrappers, Errors • Schema, Bulk, ServiceProviderConfig • Enterprise Extension
Security Considerations • Protocol • Sensitive information abounds • Authorization attributes are loosely defined • Roles, groups, and entitlements
Protocol Security • TLS MTI • Standard HTTP considerations apply • Authentication is discoverable, OAuth bearer token recommended • HTTP basic is commonly implemented for interoperability
Sensitive Information in User { "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "bjensen", "name": { "familyName": "Jensen", "givenName": "Barbara" }, "userName": "bjensen", "password": "maybe_plaintext", "roles": [ { "value": "RA" } ], "groups": [ { "value": "2819c223-7f76-453a-919d-982763095", "display": "Student" } ], "entitlements": [ { "value": "delete users" } ] } Password AuthZ
Hi/Low Fidelity Bindings • LDAP • SAML • OpenIDConnect
Targeting • Proposed extension • Allows a server to proxy a SCIM request to a target system • GET https://example.com/Targets/crm/Users/{id} • Optionally can store links to target accounts on the core user • http://tools.ietf.org/html/draft-hunt-scim-targeting-00
1.1 Release • Released in July 2012 under OWF • Mainly clarifications and small error fixes • Many of these were found during interoptesting • Will serve as starting point for working group • Final release under OWF
What’s next? • See charter for milestones • http://datatracker.ietf.org/wg/scim/charter/ • Use cases document • Binding documents (LDAP, SAML) • Targeting document • Continue working on schema and protocol • http://code.google.com/p/scim/issues/list * • And much more…
SCIM Core Values • Simplicity • “Make it as simple as possible but no simpler.” - Einstein • Solving real-world problems • Ease of implementation by consumers • Don’t make it too hard for service providers either • Support the 80% in the core • Extensions for everything else • Interoperability
For more information… • 1.1 Drafts (should be on datatracker soon) • http://scim.googlecode.com/svn/trunk/specs/draft-scim-api-01.txt • http://scim.googlecode.com/svn/trunk/specs/draft-scim-core-schema-01.txt • http://www.simplecloud.info/ • Site overhaul coming soon! • http://datatracker.ietf.org/wg/scim/