1 / 37

IETF 84 SCIM System for Cross-domain Identity Management

IETF 84 SCIM System for Cross-domain Identity Management. Kelly Grizzle kelly.grizzle@sailpoint.com. Agenda. Overview What problem does SCIM solve? What is SCIM? History Lesson Deeper Dive Schema Protocol Security Other areas in charter: bindings, targeting What’s Next?.

lester
Download Presentation

IETF 84 SCIM System for Cross-domain Identity Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IETF 84SCIMSystem for Cross-domain Identity Management Kelly Grizzle kelly.grizzle@sailpoint.com

  2. Agenda • Overview • What problem does SCIM solve? • What is SCIM? • History Lesson • Deeper Dive • Schema • Protocol • Security • Other areas in charter: bindings, targeting • What’s Next?

  3. What is the problem? • How do I keep my organization’s users in sync with service X? • How do I provision a user account for service X? • How do I deprovision a user account from service X? • How do I update an existing account for service X? • How do I manage groups? • How do I add or remove users from groups to give them the correct level of access? • How do I create new groups?

  4. What is the problem?

  5. What is a user? dn: cn=HomeJSimpson,o=domain-name cn: HomerJSimpson objectClass: top                        objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson mail: HJSimpson@burnsco.com givenname: Homer sn: Simpson postalAddress: 742 Evergreen Terrace l: Springfield st: Kentsouri postalCode: 01234 telephoneNumber: (888) 555-1111 jpegPhoto: http://www.simpsons.com/homer.jpg …

  6. How do we do it today? X X X X X X X X X And, there is always schema-mapping to deal with…

  7. What is SCIM? • SCIM is a standard that defines schema and protocol for identity management. • Schema • Core representations of users and groups • Extensible • JSON/XML* • Protocol • REST, HTTP, Synchronous • CRUD + Search* + Discovery + Bulk* • And more cool stuff… • The “S” word

  8. An example speaks 1111101000 words… POST /v1/Users HTTP/1.1 Host: example.com Accept: application/json Content-Type: application/json Authorization: Bearer h480djs93hd8 Content-Length: ... { "schemas": ["urn:scim:schemas:core:1.0"], "externalId": "bjensen", "userName":"bjensen", "name": { "familyName": "Jensen", "givenName": "Barbara" } }

  9. History Lesson • July 2010: Conceived at Cloud Identity Summit • May 2011: Officially began at IIW 12 • Oct 2011 – May 2012: 3 interop events with 9 vendors (open source and proprietary) • Dec 2011: Released 1.0 specification under OWF(Open Web Foundation) • March 2012: BoF at IETF 83 • June 2012: WG chartered • July 2012: 1.1 specification released under OWF • August 3, 2012: Here we are … first WG meeting

  10. Deeper Dive • Schema • Protocol • Security • SAML and LDAP bindings • Targeting

  11. Schema • Core models for User and Group • JSON and XML* representations • Extensibility • Extend existing resources (eg – enterprise user) • Define new resources (eg – role) • http://tools.ietf.org/html/draft-scim-core-schema-00

  12. Model

  13. Simple Structure • A resource is: • An attribute container • Name spaced • An attribute is: • Simple or complex • Single or multi-valued

  14. Example: User { "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "bjensen", "meta": { "created": "2011-08-01T18:29:49.793Z", "lastModified": "2011-08-01T18:29:49.793Z", "location": "https://example.com/v1/Users/2819c223...", "version": "W\/\"f250dd84f0671c3\" }, "name": { "formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara" }, "userName": "bjensen", "phoneNumbers": [ { "value": "555-555-8377", "type": "work" } ] } Required Complex Simple Complex multi-valued

  15. Example: Extended User { "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"], "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "bjensen", "userName": "bjensen", "urn:scim:schemas:extension:enterprise:1.0": { "employeeNumber": "701984", "costCenter": "4130", "organization": "Universal Studios", "division": "Theme Park", "department": "Tour Operations", "manager": { "managerId": "26118915-6090-4610-87e4-49d8ca9f808d", "displayName": "John Smith“ } } } Declaration Use

  16. Example: Group { "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d-413861904646", "displayName": "Tour Guides", "members": [ { "value": "2819c223-7f76-453a-919d-413861904646", "displayName": "Babs Jensen", "type": "User" }, { "value": "2819c223-7f76-453a-919d-413861904646", "displayName": "Mandy Pepperidge", "type": "User" } ] } Type (User|Group) Optional & Read-only

  17. Protocol • REST, HTTP, Synchronous • CRUD + Search* + Discovery + Bulk* • Simple MTI, Complex optional • Extensible*, Versioned • “cURL” friendly • http://tools.ietf.org/html/draft-scim-api-00

  18. Operations • Create = POST https://example.com/{v}/{resource} • Read = GET https://example.com/{v}/{resource}/{id} • Update = PUT https://example.com/{v}/{resource}/{id} • Delete = DELETE https://example.com/{v}/{resource}/{id} • *Update = PATCH https://example.com/{v}/{resource}/{id} • *Search = GET https://example.com/{v}/{resource}? filter={attribute} {op} {value} & sortBy={attributeName} & sortOrder={ascending|descending} & startIndex={start} & count={maxResults} • *Bulk

  19. Discovery • GET /Schemas • Introspect resources and attribute extensions • GET /ServiceProviderConfigs • Spec compliance • Support for bulk, patch, etc… • Authentication schemes • OAuth, HTTP basic, etc… • Data formats • Support XML?

  20. Create Request Operation Resource Type POST /v1/Users HTTP/1.1 Host: example.com Accept: application/json Authorization: Bearer h480djs93hd8 { "schemas": ["urn:scim:schemas:core:1.0"], "externalId": "bjensen", "userName":"bjensen", "name": { "familyName": "Jensen", "givenName": "Barbara" } } Format AuthZ “User” Payload

  21. Create Response Result code Format “Permalink” HTTP/1.1 201 Created Content-Type: application/json Location: https://example.com/v1/Users/281... ETag: W/"e180ee84f0671b1" { "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "bjensen", "meta": { "created": "2011-08-01T21:32:44.882Z", "lastModified": "2011-08-01T21:32:44.882Z", "location": "https://example.com/v1/Users/281...", "version": "W\/\"e180ee84f0671b1\"" }, "name":{ "familyName":"Jensen", "givenName":"Barbara" }, "userName":"bjensen" } SP generated ID

  22. Get Request Operation Resource Type Format Stable ID GET /v1/Users/2819c223-7f76-453a-919d-413861904646.json Host: example.com Authorization: Bearer h480djs93hd8

  23. Get Response Result code Format “Permalink” SP ID HTTP/1.1 200 OK Content-Type: application/json Location: https://example.com/v1/Users/281... ETag: W/"e180ee84f0671b1" { "schemas": ["urn:scim:schemas:core:1.0"], "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "bjensen", "meta": { "created": "2011-08-01T21:32:44.882Z", "lastModified": "2011-08-01T21:32:44.882Z", "location": "https://example.com/v1/Users/281...", "version": "W\/\"e180ee84f0671b1\"" }, "name":{ "familyName":"Jensen", "givenName":"Barbara" }, "userName":"bjensen" }

  24. Search Request Operation Resource Type URL encoded filter GET /v1/Users?filter=title pr and userTypeeq "Employee" &sortBy=title &sortOrder=ascending &attributes=title,username &startIndex=11 &count=10 Host: example.com Accept: application/json Authorization: Bearer h480djs93hd8 Sorting Partial results Index-based pagination

  25. Search Response Users { "schemas": ["urn:scim:schemas:core:1.0"], "totalResults": 2, "Resources": [ { "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97", "title": "Assistant VP", "userName": "bjensen" }, { "id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57", "title": "VP", "userName": "jsmith" } ] } SP ID ever present Pagination

  26. PATCH and Bulk • PATCH • Allows providing partial updates to resources • May be important if modifying a large multi-valued attribute on a resource (eg – group members) • Bulk • Allows performing many operations at once • Useful for synchronizing data into a service provider • Both are optional

  27. Protocol Extensibility • Version in URL • https://example.com/{version}/{resource} • Follow RESTfulprinciples • Additional URL arguments • Additional resource endpoints

  28. XML Schema • XML XSD • Core • Resource, User, Group • Payload wrappers, Errors • Schema, Bulk, ServiceProviderConfig • Enterprise Extension

  29. Security Considerations • Protocol • Sensitive information abounds • Authorization attributes are loosely defined • Roles, groups, and entitlements

  30. Protocol Security • TLS MTI • Standard HTTP considerations apply • Authentication is discoverable, OAuth bearer token recommended • HTTP basic is commonly implemented for interoperability

  31. Sensitive Information in User { "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "bjensen", "name": { "familyName": "Jensen", "givenName": "Barbara" }, "userName": "bjensen", "password": "maybe_plaintext", "roles": [ { "value": "RA" } ], "groups": [ { "value": "2819c223-7f76-453a-919d-982763095", "display": "Student" } ], "entitlements": [ { "value": "delete users" } ] } Password AuthZ

  32. Hi/Low Fidelity Bindings • LDAP • SAML • OpenIDConnect

  33. Targeting • Proposed extension • Allows a server to proxy a SCIM request to a target system • GET https://example.com/Targets/crm/Users/{id} • Optionally can store links to target accounts on the core user • http://tools.ietf.org/html/draft-hunt-scim-targeting-00

  34. 1.1 Release • Released in July 2012 under OWF • Mainly clarifications and small error fixes • Many of these were found during interoptesting • Will serve as starting point for working group • Final release under OWF

  35. What’s next? • See charter for milestones • http://datatracker.ietf.org/wg/scim/charter/ • Use cases document • Binding documents (LDAP, SAML) • Targeting document • Continue working on schema and protocol • http://code.google.com/p/scim/issues/list * • And much more…

  36. SCIM Core Values • Simplicity • “Make it as simple as possible but no simpler.” - Einstein • Solving real-world problems • Ease of implementation by consumers • Don’t make it too hard for service providers either • Support the 80% in the core • Extensions for everything else • Interoperability

  37. For more information… • 1.1 Drafts (should be on datatracker soon) • http://scim.googlecode.com/svn/trunk/specs/draft-scim-api-01.txt • http://scim.googlecode.com/svn/trunk/specs/draft-scim-core-schema-01.txt • http://www.simplecloud.info/ • Site overhaul coming soon! • http://datatracker.ietf.org/wg/scim/

More Related