Master IAM in the Cloud with SCIM v2.0
Kelly Grizzle
Software Architect – SailPoint
Copyright © SailPoint Technologies, Inc. 2016 All rights reserved.
Overview
• What is SCIM?
• Use Cases
• Your special snowflake
• Differences between 1.1 and 2.0
• What's coming?
• Adoption
What is SCIM?
System for Cross-Domain Identity Management
Identity Management + REST =
Identity Management + REST = SCIM
• REST is just an architectural pattern
  - SCIM defines an identity management profile for it
• SCIM provides…
  - Standard definitions for User and Group
    • Expressed in JSON (JavaScript Object Notation)
  - Standard operations
    • Create, Read, Update, Delete, Search, Partial Update, Bulk
  - Extensibility
    • Add more attributes to existing object types or define new object types
Example – Retrieve User Request
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
Example – Retrieve User Response
HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    ...
  }
}
Callouts on the response: self-describing payload; single-valued attribute; complex attribute; many data types.
Use Cases
SCIM … huh … yeah … what is it good for? Absolutely … LOTS!
Use Cases
• Create account
• Add or remove access to a user
• Read a user’s current access so that it can be certified
• Terminate a user
• Provide user information for a corporate directory
• Synchronize user information from one application to another
Is your identity management API a special snowflake?
It seemed like such a good idea … until …
It looks so beautiful … until … you have to integrate with it.
And you end up with something like this…
Differences between SCIM v1.1 and v2.0
EXTENSIBILITY
SCIM 2.0 is much more extensible
• The BIGGEST and BEST change since SCIM 1.1
• A server can define
  - Extensions to core objects (users and groups)
    • Need to store your users’ favorite tattoo parlors? No problem!
  - Completely new types of objects
    • Roles, profiles, OAuth clients, toasters, whatever the heck you want!
  - Relationships between objects
    • This toaster belongs to this user
• A client can ask the server to describe itself
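How the pieces above fit together, as an added example written for this deck (not SailPoint code and not spec text): a toy server-side registry that answers /ResourceTypes, carries one extension to the core User (the tattoo-parlor attribute from the slide, under a hypothetical urn:example URN) and one brand-new resource type (a Toaster with an owner reference back to a User), and validates an incoming resource against the schemas it declares. The core User URN and the ResourceType/ListResponse URNs are the real ones from RFC 7643/7644; the extension and Toaster URNs, and the Barbara Jensen record with a userName added, are constructed. The validator is intentionally strict about attributes that are not covered by a declared schema, which is the check that stops an extension attribute from being smuggled in at the top level of the core object.

```python
"""Toy SCIM 2.0 schema registry: the server describes itself (/ResourceTypes) and
validates resources against the schemas they declare. Added example; the tattoo
extension and the Toaster resource type are hypothetical, not from the spec."""
from __future__ import annotations
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Hypothetical URNs invented for this example (urn:example is not a registered SCIM namespace)
TATTOO_EXT = "urn:example:params:scim:schemas:extension:tattoo:2.0:User"
TOASTER = "urn:example:params:scim:schemas:Toaster"

# Attribute definitions, cut down from what a real /Schemas entry carries.
SCHEMAS = {
    CORE_USER: {
        "userName": {"type": "string", "required": True},
        "name": {"type": "complex", "sub": {"formatted", "familyName", "givenName"}},
    },
    TATTOO_EXT: {"favoriteParlors": {"type": "string", "multiValued": True}},
    TOASTER: {
        "model": {"type": "string", "required": True},
        "owner": {"type": "reference"},  # relationship: this toaster belongs to this user
    },
}

RESOURCE_TYPES = {
    "User": {"endpoint": "/Users", "schema": CORE_USER,
             "schemaExtensions": [{"schema": TATTOO_EXT, "required": False}]},
    "Toaster": {"endpoint": "/Toasters", "schema": TOASTER, "schemaExtensions": []},
}

COMMON_ATTRS = {"schemas", "id", "externalId", "meta"}  # present on every resource


def resource_types_response() -> dict:
    """Body a server returns for GET /ResourceTypes: a ListResponse, one entry per type."""
    entries = [
        {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
         "id": name, "name": name, **spec}
        for name, spec in RESOURCE_TYPES.items()
    ]
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(entries), "Resources": entries}


def _check_attrs(values: dict, defs: dict, prefix: str) -> list[str]:
    problems = [f"missing required attribute {prefix}{n}"
                for n, spec in defs.items() if spec.get("required") and n not in values]
    for name, value in values.items():
        spec = defs.get(name)
        if spec is None:
            problems.append(f"unknown attribute {prefix}{name}")
        elif spec.get("multiValued") and not isinstance(value, list):
            problems.append(f"{prefix}{name} must be a list")
        elif spec["type"] == "complex":
            if not isinstance(value, dict):
                problems.append(f"{prefix}{name} must be an object")
            else:
                problems += [f"unknown sub-attribute {prefix}{name}.{k}"
                             for k in value if k not in spec["sub"]]
    return problems


def validate(resource: dict, resource_type: str) -> list[str]:
    """Validate a resource of the given type; an empty list means it is acceptable."""
    rt = RESOURCE_TYPES[resource_type]
    allowed_ext = {e["schema"] for e in rt["schemaExtensions"]}
    declared = resource.get("schemas")
    if not isinstance(declared, list):
        return ["schemas attribute missing or not a list"]
    problems = [] if rt["schema"] in declared else [f"schemas must include {rt['schema']}"]
    problems += [f"schema {u} not allowed for {resource_type}"
                 for u in declared if u != rt["schema"] and u not in allowed_ext]
    problems += [f"required extension {e['schema']} not declared"
                 for e in rt["schemaExtensions"] if e["required"] and e["schema"] not in declared]
    # Base-schema attributes sit at top level; extension attributes are namespaced under their URN.
    base = {k: v for k, v in resource.items() if k not in COMMON_ATTRS and k not in allowed_ext}
    problems += _check_attrs(base, SCHEMAS[rt["schema"]], "")
    for urn in allowed_ext:
        if urn in resource:
            if urn not in declared:
                problems.append(f"extension {urn} used but not declared in schemas")
            problems += _check_attrs(resource[urn], SCHEMAS[urn], urn + ":")
    return problems


# Constructed sample: the slide's Barbara Jensen record plus a userName and the extension.
BARBARA = {
    "schemas": [CORE_USER, TATTOO_EXT],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "name": {"formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara"},
    TATTOO_EXT: {"favoriteParlors": ["Ink Inc."]},
    "meta": {"resourceType": "User", "created": "2011-08-01T18:29:49.793Z"},
}

if __name__ == "__main__":
    print(json.dumps(resource_types_response(), indent=2))
    print(validate(BARBARA, "User"))
```

A real server would also publish the attribute definitions through /Schemas, with mutability and returned/uniqueness characteristics that this toy drops; the point here is the shape of the discovery response and the three validation decisions (which schemas a type may declare, where extension attributes live, and what a client is not allowed to add).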
Other goodies
• Simplified PATCH (partial update of objects)
• Secure searching (POST to /.search endpoint)
  - In case this bothers you: GET /Users?filter=ssn eq "379-941-9832"
• Add /Me endpoint to retrieve authenticated user’s information
• Reference data type to describe relationships
• General hardening of the slushy spots in the spec
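Why the ssn example bothers people, shown in code: with the GET form the compared value sits in the request line, which is exactly what reverse proxies and web servers write to their access logs, while the 2.0 .search form carries the same filter in a JSON body. This is an added example for the deck, not SailPoint code; the base URL, the SSN and the log line are constructed, and the filter-value escaping follows the JSON-string rule for comparison values in RFC 7644. The resource-scoped /Users/.search path is used here (RFC 7644 also allows .search at the server root). The last function is the defender's stop-gap for servers that still accept GET filters: mask quoted comparison values before the access-log line is stored.

```python
"""Same SCIM filter two ways. Added example, not from the talk; host, SSN and the
access-log line are constructed."""
from __future__ import annotations
import json
import re
from urllib.parse import unquote, urlencode, urlsplit

SEARCH_REQUEST = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
_OPERATORS = {"eq", "ne", "co", "sw", "ew", "gt", "ge", "lt", "le"}


def quote_value(value: str) -> str:
    """Quote a string for a SCIM filter: backslash and double quote are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def filter_expr(attr: str, op: str, value: str) -> str:
    """Build a comparison such as  ssn eq "379-941-9832"  with the value safely quoted."""
    if op not in _OPERATORS:
        raise ValueError(f"unknown SCIM comparison operator {op!r}")
    return f"{attr} {op} {quote_value(value)}"


def get_search(base_url: str, flt: str) -> tuple[str, str, None]:
    """The query-string form: (method, url, body). The filter lands in the URL."""
    return "GET", f"{base_url}/Users?{urlencode({'filter': flt})}", None


def post_search(base_url: str, flt: str, attributes: list[str] | None = None) -> tuple[str, str, dict]:
    """The 2.0 /.search form: the filter travels in the body, which access logs do not record."""
    body = {"schemas": [SEARCH_REQUEST], "filter": flt}
    if attributes:
        body["attributes"] = list(attributes)  # ask only for the attributes you need
    return "POST", f"{base_url}/Users/.search", body


def value_in_url(url: str, value: str) -> bool:
    """True if the compared value would appear in the request line (and so in logs)."""
    return value in unquote(urlsplit(url).query)


def redact_filter_values(log_line: str) -> str:
    """Mask every quoted comparison value inside a percent-encoded filter parameter."""
    def mask(match: re.Match) -> str:
        return re.sub(r"%22.*?%22", "%22[REDACTED]%22", match.group(0))
    return re.sub(r"filter=[^ &]*", mask, log_line, flags=re.IGNORECASE)


# Constructed access-log line in common log format, as a web server would write the GET form.
SAMPLE_LOG_LINE = ('10.0.0.5 - - [01/Aug/2016:18:29:49 +0000] '
                   '"GET /Users?filter=ssn%20eq%20%22379-941-9832%22 HTTP/1.1" 200 512')

if __name__ == "__main__":
    flt = filter_expr("ssn", "eq", "379-941-9832")
    print(get_search("https://example.com/v2", flt))
    method, url, body = post_search("https://example.com/v2", flt, ["id", "userName"])
    print(method, url, json.dumps(body))
    print(redact_filter_values(SAMPLE_LOG_LINE))
```

Note that moving the filter into the body only helps with logs that record the request line; request-body logging, debug traces and client-side history can still capture it, so the redaction step is worth keeping even after the switch to .search.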
Is 2.0 Backwards Compatible?
Short answer – No … but it’s not that different.
• Things to look out for…
  - New /ResourceTypes endpoint and changes to /Schemas
  - Addition of meta.resourceType to each resource
  - References (e.g. manager) now use $ref syntax
  - PATCH syntax was reworked
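What the reworked PATCH looks like on the receiving end, as an added example for the deck (not SailPoint or spec code): a small applier for a 2.0 PatchOp message (RFC 7644 section 3.5.2) that handles add, replace and remove on simple attributes and dotted sub-attribute paths such as name.givenName, refuses writes to readOnly attributes, and reports failures with the scimType names a server would put in its 400 response. Value-filter paths like emails[type eq "work"] are deliberately rejected rather than half-implemented. The Barbara Jensen record from the slide (with a userName added) and the sample patch are constructed inputs.

```python
"""Apply a SCIM 2.0 PatchOp to a resource held as a dict. Added example, not from
the talk; supports dotted paths only, no value filters."""
from __future__ import annotations
import copy

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# readOnly per RFC 7643; a real server takes mutability from its /Schemas definitions.
READ_ONLY = {"id", "meta", "schemas"}


class PatchError(ValueError):
    """Message starts with the scimType a server would return alongside HTTP 400."""


def _resolve(node: dict, path: str, create: bool):
    """Return (parent dict, leaf key) for a dotted path; parent is None if it is absent."""
    if "[" in path:
        raise PatchError(f"invalidPath: value filters not supported here: {path}")
    *parents, leaf = path.split(".")
    for part in parents:
        if part not in node:
            if not create:
                return None, leaf
            node[part] = {}
        node = node[part]
        if not isinstance(node, dict):
            raise PatchError(f"invalidPath: {path}")
    return node, leaf


def _set(out: dict, path: str, value, kind: str) -> None:
    if path.split(".")[0] in READ_ONLY:
        raise PatchError(f"mutability: {path} is readOnly")
    parent, leaf = _resolve(out, path, create=True)
    if kind == "add" and isinstance(parent.get(leaf), list):
        # add on a multi-valued attribute appends; anywhere else it sets the value
        parent[leaf] = parent[leaf] + (value if isinstance(value, list) else [value])
    else:
        parent[leaf] = value  # replace on a missing target is treated as add (RFC 7644)


def apply_patch(resource: dict, patch: dict) -> dict:
    """Return a patched copy; the input resource is left untouched."""
    if patch.get("schemas") != [PATCH_OP]:
        raise PatchError("invalidSyntax: body is not a PatchOp")
    out = copy.deepcopy(resource)
    for op in patch.get("Operations", []):
        kind = str(op.get("op", "")).lower()
        path = op.get("path")
        if kind in ("add", "replace"):
            if path is None:
                # No path: the value is an object whose members apply at the top level
                if not isinstance(op.get("value"), dict):
                    raise PatchError("invalidValue: add/replace without path needs an object")
                for key, val in op["value"].items():
                    _set(out, key, val, kind)
            else:
                _set(out, path, op.get("value"), kind)
        elif kind == "remove":
            if path is None:
                raise PatchError("noTarget: remove requires a path")
            if path.split(".")[0] in READ_ONLY:
                raise PatchError(f"mutability: {path} is readOnly")
            parent, leaf = _resolve(out, path, create=False)
            if parent is None or leaf not in parent:
                raise PatchError(f"noTarget: {path}")
            del parent[leaf]
        else:
            raise PatchError(f"invalidSyntax: unknown op {op.get('op')!r}")
    return out


def patch_error(resource: dict, patch: dict) -> str | None:
    """The error text a server would send for this patch, or None if it applies cleanly."""
    try:
        apply_patch(resource, patch)
        return None
    except PatchError as exc:
        return str(exc)


# Constructed sample: the slide's Barbara Jensen record with a userName added.
BARBARA = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "name": {"formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara"},
    "meta": {"resourceType": "User", "created": "2011-08-01T18:29:49.793Z"},
}

SAMPLE_PATCH = {
    "schemas": [PATCH_OP],
    "Operations": [
        {"op": "replace", "path": "name.givenName", "value": "Barb"},
        {"op": "remove", "path": "name.formatted"},
        {"op": "add", "value": {"title": "Tour Guide"}},
        {"op": "add", "path": "emails", "value": [{"value": "bjensen@example.com", "type": "work"}]},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(apply_patch(BARBARA, SAMPLE_PATCH), indent=2))
```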
What’s new with SCIM?
Cha…cha…cha…cha…changes!
What’s new?
• Polling
  - Ability to ask for recent changes
• Events
  - Clients can subscribe to a server to be notified about changes
• Discovery
  - Use /.well-known/scim to get basic information about a SCIM server
• TIER (Trust & Identity in Education & Research)
  - Internet2 group is creating standardized EduUser and EduGroup extensions
SCIM Adoption
Who is using it?
Also … within organizations
• Many organizations are using SCIM as their internal identity management API
• Often use a “SCIM Gateway” at the center of their infrastructure
• Benefits
  - Simplifies adding new systems into the environment
  - Isolates disruptions from change (e.g. changing ERP vendor)
  - Prevents reinventing the wheel
  - Ease of implementation by using existing libraries
• The spec is also relatively straightforward and easy to implement
SCIM 2.0 is the way to go!
Questions?
@[email protected]
http://simplecloud.info
SCIM Master Class
Wednesday
2:30 – 3:20: User Provisioning 101
3:30 – 4:20: SCIM 2 in Depth
4:30 – 5:20: SCIM 2 Interop Report