User Provisioning Over Web
Kiran Ayyagari
PMC ApacheDS project
Consulting & Support on ApacheDS
Started project eSCIMo
[email protected], [email protected]
What Is SCIM
System for Cross-domain Identity Management
A standard for provisioning
SCIM Schema
A collection of attribute definitions
e.g.
{
  "id": "urn:scim:schemas:core:2.0:User",
  "name": "User",
  "description": "Core User",
  "attributes": [
    {
      "name": "id",
      "type": "string",
      "multiValued": false,
      "description": "Unique identifier for the SCIM resource. REQUIRED.",
      "readOnly": true,
      "required": true,
      "caseExact": false
    },
    ...
  ]
}
SCIM Schema...
Simple Attribute, e.g. userName – a user's name
Complex Attribute, e.g. name – a collection of firstName, lastName etc.
Multi-valued Attribute, e.g. emails – a collection of all emails
Sub-attribute, e.g. familyName – a user's family name
SCIM Schema...
Platform-neutral JSON format
URN as an ID
SCIM Data Model
[Diagram: User card with Name: Naveen S; UID: naveens; Last Name: Sivashankar; First Name: Naveen]
User
{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
  "userName": "naveens",
  "displayName": "Naveen S",
  "active": true,
  "name": {
    "familyName": "Sivashankar",
    "givenName": "Naveen Sivashankar"
  },
  "emails": [{"value": "[email protected]"}, {"value": "[email protected]"}],
  …
}
SCIM Data Model...
e.g. Extended user
{
  "schemas": ["urn:scim:schemas:core:2.0:User",
              "urn:scim:schemas:extension:enterprise:2.0:User"],
  "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
  "userName": "naveens",
  ...
  "urn:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "11011",
    "costCenter": "007"
    …
  }
}
[Diagram: User card (Name: Naveen S; UID: naveens) extended by an Enterprise User card (Employee No: 11011; Cost Center: 007)]
SCIM Data Model...
{
  "schemas": ["urn:scim:schemas:core:2.0:Group"],
  "id": "484fbc39-ae09-427b-896f-d469d28895ad",
  "displayName": "Administrators",
  "members": [
    {
      "value": "45ceb739-1695-4c03-ab18-33ac71e91875",
      "$ref": "http://localhost:8080/v2/Users/45ceb739-1695-4c03-ab18-33ac71e91875",
      "display": "naveens"
    }
  ]
}
[Diagram: Group card with Name: Administrators; Members: naveens]
Group
SCIM API
Uses REST
Supports:
CRUD operations
Bulk modification
Paged search
What Is eSCIMo
An implementation of SCIM v2.0
Supports LDAP as a backend by default
Can work with any LDAP server
Embeddable in ApacheDS
Running eSCIMo
Scenario 1
[Diagram: eSCIMo deployed in an App Server/Container, talking to a separate LDAP Server]
Running eSCIMo...
Scenario 2
[Diagram: eSCIMo embedded in ApacheDS, served through Jetty]
Architecture of eSCIMo
[Architecture diagram: REST API -> Security Filter -> Resource Provider Interface, with pluggable providers beneath it: LDAP Resource Provider over LDAP (implemented), RDBMS Resource Provider over an RDBMS (not implemented), and further "????" Resource Providers over other backends (not implemented)]
How Does It Work?
Attribute mapping
Mapping a simple attribute
e.g.
"id": "45ceb739-1695-4c03-ab18-33ac71e91875"
"userName": "naveens"
<attribute name="id" mappedTo="entryUUID" />
<attribute name="userName" mappedTo="uid" />
How Does It Work...
Attribute mapping contd...
Mapping a complex attribute
e.g. "name": {
"familyName": "Sivashankar",
"givenName": "Naveen Sivashankar"
}
<complex-attribute name="name">
<at-group>
<attribute name="familyName" mappedTo="sn" />
<attribute name="givenName" mappedTo="cn" />
</at-group>
</complex-attribute>
How Does It Work...
Attribute mapping contd...
Mapping a multi-valued attribute
e.g. "emails": [{"value": "[email protected]"}, {"value": "[email protected]"}]
<multival-attribute name="emails">
<at-group>
<attribute name="value" mappedTo="mail" />
</at-group>
</multival-attribute>
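The three mapping forms above (simple, complex, multi-valued) can be exercised end to end with a small mapper. This is an added example, not eSCIMo's own code: it parses the mapping XML from the slides (wrapped in an assumed <mapping> root element), applies it to a constructed LDAP entry, and produces the SCIM User JSON. Attributes without a mapping (here userPassword) never reach the SCIM representation, which is the property a deployer should check the mapping file for.

```python
import xml.etree.ElementTree as ET

# Mapping definitions copied from the slides, wrapped in an assumed <mapping> root.
MAPPING_XML = """<mapping>
  <attribute name="id" mappedTo="entryUUID" />
  <attribute name="userName" mappedTo="uid" />
  <complex-attribute name="name"><at-group>
    <attribute name="familyName" mappedTo="sn" />
    <attribute name="givenName" mappedTo="cn" />
  </at-group></complex-attribute>
  <multival-attribute name="emails"><at-group>
    <attribute name="value" mappedTo="mail" />
  </at-group></multival-attribute>
</mapping>"""

# Constructed LDAP entry: attribute type -> list of values (LDAP attributes are multi-valued).
LDAP_ENTRY = {
    "entryUUID": ["45ceb739-1695-4c03-ab18-33ac71e91875"],
    "uid": ["naveens"],
    "sn": ["Sivashankar"],
    "cn": ["Naveen Sivashankar"],
    "mail": ["naveens@example.com", "naveen.s@example.com"],
    "userPassword": ["{SSHA}redacted"],  # not in the mapping, so never exposed
}

def _first(entry, attr_node):
    # value of the LDAP attribute an <attribute> element maps to (None if absent)
    values = entry.get(attr_node.get("mappedTo"), [])
    return values[0] if values else None

def ldap_to_scim(entry, mapping_xml=MAPPING_XML):
    """Build the SCIM User representation of one LDAP entry from the mapping config."""
    resource = {"schemas": ["urn:scim:schemas:core:2.0:User"]}
    for node in ET.fromstring(mapping_xml):
        name = node.get("name")
        if node.tag == "attribute":                   # simple: one LDAP value
            value = _first(entry, node)
            if value is not None:
                resource[name] = value
        elif node.tag == "complex-attribute":         # complex: a JSON sub-object
            sub = {a.get("name"): _first(entry, a) for a in node.find("at-group")}
            sub = {k: v for k, v in sub.items() if v is not None}
            if sub:
                resource[name] = sub
        elif node.tag == "multival-attribute":        # multi-valued: one object per LDAP value
            attr = node.find("at-group").find("attribute")
            values = entry.get(attr.get("mappedTo"), [])
            if values:
                resource[name] = [{attr.get("name"): v} for v in values]
    return resource
```

Calling ldap_to_scim(LDAP_ENTRY) yields the id, userName, name and emails attributes shown on the earlier slides; the groups attribute needs the handler mechanism described next, since it cannot be expressed as a plain mapping.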
How Does It Work...
Attribute mapping contd...
e.g. "groups": [
{
"id": "484fbc39-ae09-427b-896f-d469d28895ad",
"$ref": "http://localhost:8080/v2/Groups/484fbc39-ae09-427b-896f-d469d28895ad",
"display": "Administrators"
} ]
"id" - How can we fetch the ID of the member entry?
"$ref" - How do we build a URL dynamically?
How Does It Work... Attribute Handlers
Handler Implementation
public class GroupsAttributeHandler extends LdapAttributeHandler {
    // fills the "groups" attribute from the LDAP entries matching the mapping's filter
    public void read() { }
    // writes group membership back to LDAP
    public void write() { }
    // applies a partial (PATCH) update to group membership
    public void patch() { }
}
Handler definition
<handler name="groupsHandler"
class="org.apache.directory.scim.ldap.handlers.GroupsAttributeHandler" />
Handler mapping
<multival-attribute name="groups" baseDn="ou=system"
filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />
eSCIMo Json2Java
Is a Maven plugin
Generates Java classes from SCIM schemas
eSCIMo Client
Works with the generated model classes
e.g. Adding a User resource
User user = new User();
user.setUserName( "naveens" );
user.setDisplayName( "Naveen Sivashankar" );
user.setPassword( "secret" );
Name name = new Name();
name.setFamilyName( "Sivashankar" );
name.setGivenName( "Naveen" );
user.setName( name );
// client is an initialised eSCIMo client pointing at the SCIM endpoint
EscimoResult result = client.addUser( user );
Demo
Questions
Thank you!