eSCIMo - User Provisioning over Web

User Provisioning Over Web

Kiran Ayyagari

PMC ApacheDS project

Consulting & Support on ApacheDS

Started project eSCIMo

kayyagari@keydap.com, kayyagari@apache.org

What Is SCIM

System for Cross-domain Identity Management

A standard for provisioning

SCIM Schema

A collection of attribute definitions

e.g. { "id": "urn:scim:schemas:core:2.0:User", "name": "User", "description": "Core User", "attributes":[ { "name":"id", "type":"string", "multiValued":false, "description":"Unique identifier for the SCIM ressource. REQUIRED.", "readOnly":true, "required":true, "caseExact":false }, ... }

SCIM Schema...

Simple Attributee.g. userName – a user's name

Complex Attributee.g. name – a collection of firstName, lastName etc.

Multi-valued Attributee.g. emails – a collection of all emails

Sub-attributee.g. familyName – a user's family name

SCIM Schema...

Platform neutral JSON format URN as a ID

SCIM Data Model

Name : Naveen S UID : naveensLast Name : SivashankarFirst Name : Naveen

{ "schemas": ["urn:scim:schemas:core:2.0:User"], "id": "45ceb739-1695-4c03-ab18-33ac71e91875", "userName": "naveens", "displayName": "Naveen S", "active": true, "name": { "familyName": "Sivashankar", "givenName": "Naveen Sivashankar" }, "emails" : [{"naveens@example.com"},{"ns@mymail.com"}], …}

SCIM Data Model...

e.g. Extended user

{ "schemas": ["urn:scim:schemas:core:2.0:User", "urn:scim:schemas:extension:enterprise:2.0:User"], "id": "45ceb739-1695-4c03-ab18-33ac71e91875", "userName": "naveens", ... "urn:scim:schemas:extension:enterprise:2.0:User": { "employeeNumber": "11011", "costCenter": "007" … }}

Name : Naveen S UID : naveens

Employee No : 11011 Cost Center : 007

User Enterprise User

SCIM Data Model...

{ "schemas": ["urn:scim:schemas:core:2.0:Group"], "id": "484fbc39-ae09-427b-896f-d469d28895ad", "displayName": "Administrators", "members": [ { "value": "45ceb739-1695-4c03-ab18-33ac71e91875", "$ref": "http://localhost:8080/v2/Users/45ceb739-1695-4c03-ab18-33ac71e91875", "display": "naveens" } ]}

Name : AdministratorsMembers : naveens

SCIM API

Uses REST Supports

CRUD operations Bulk modification Paged search

What Is eSCIMo

An implementation of SCIM v2.0 Supports LDAP as a backend by default Can work with any LDAP server Embeddable in ApacheDS

Running eSCIMo

Scenario 1

App Server/Container

eSCIMoeSCIMo LDAP Server

Running eSCIMo...

Scenario 2

ApacheDS

eSCIMoeSCIMo

Architecture of eSCIMo

Resource Provider Interface

LDAP Resource Provider

RDBMS Resource Provider

???? Resource Provider

RDBMS ???LDAP

Security Filter

Implemented

Not Implemented

REST API

How Does It Work?

Attribute mapping Mapping a simple attribute -

e.g. "id": "45ceb739-1695-4c03-ab18-33ac71e91875"

"userName": "naveens"

How Does It Work...

Attribute mapping contd...

Mapping a complex attribute

e.g. "name": {

"familyName": "Sivashankar",

"givenName": "Naveen Sivashankar"

<complex-attribute name="name">

<at-group>

</at-group>

</complex-attribute>

How Does It Work...

Mapping a multi-valued attribute

e.g. "emails" : [{"naveens@example.com"},{"ns@mymail.com"}]

<multival-attribute name="emails">

<at-group>

</at-group>

</multival-attribute>

How Does It Work...

e.x "groups": [

"id": "484fbc39-ae09-427b-896f-d469d28895ad",

"$ref": "http://localhost:8080/v2/Groups/484fbc39-ae09-427b-896f-d469d28895ad",

"display": "Administrators"

"id" - How can we fetch the ID of the member entry?

"$ref" - How do we build a URL dynamically?

How Does It Work... Attribute Handlers

Handler Implementation

public class GroupsAttributeHandler extends LdapAttributeHandler {

public void read();

public void write();

public void patch();

Handler definition

<handler name="groupsHandler"

class="org.apache.directory.scim.ldap.handlers.GroupsAttributeHandler" />

Handler mapping

<multival-attribute name="groups" baseDn="ou=system"

filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />

eSCIMo Json2Java

Is a Maven plugin Generates Java classes from SCIM schemas

eSCIMo Client

Works with the generated model classes

e.x. Adding a User resource

User user = new User();

user.setUserName( "naveens" );

user.setDisplayName( "Naveen Sivashankar" );

user.setPassword( "secret" );

Name name = new Name();

name.setFamilyName( "Sivashankar" );

name.setGivenName( "Naveen" );

user.setName( name );

EscimoResult result = client.addUser( user );

Questions

Thank you!

eSCIMo - User Provisioning over Web

Technology

Understanding SSD Over Provisioning - Flash Memory … · Provisioning What is SSD Over Provisioning ... Typical Uses for That Radix . System Memory . ... SI – International System

Provisioning User Guide

User Oriented Provisioning of Secure Virtualized Infrastructure

3rd Party User Provisioning with Salesforce Identity

User provisioning-best-practices

Active Directory federation user provisioning

User Provisioning Best Practices

PocketToken End-User Provisioning Guide – Android End-User Provisioning Guide – Android Tap “+” (as noted in Figure 3) on the upper-right to start. This will bring up the Provisioning

CASE STUDY USER PROVISIONING PROCESSES IN IDENTITY

SAP User Provisioning Tool

End User Provisioning - Oracle€¦ · End User Provisioning Tasks and Account Types By Product Overview 1 - 3 Oracle Utilities Cloud Services End-User Provisioning Guide End User

Automating user provisioning with SAP NW BPM

Summer '15: User Provisioning for Connected Apps

End User Provisioning - Oracle · End user provisioning involves creating user records and granting appropriate access for users of Oracle Utilities cloud services. This guide provides

Cisco Voice Services Provisioning Tool User Guide

Buyer’s Guide for a User Provisioning Solution€¦ · · 2011-07-21Control: The organization ... well-implemented user provisioning solution provides essential ... Buyer’s

NetIQ Identity Manager Home and Provisioning Dashboard User

User Self Provisioning Portal Solution

Selecting a User Provisioning Solution

User Provisioning from Okta to IDCS