Master IAM in the Cloud with SCIM v2.0 Kelly Grizzle Software Architect – SailPoint

Page 1: Master IAM in the Cloud with SCIM v2.0

Master IAM in the Cloud with SCIM v2.0
Kelly Grizzle
Software Architect – SailPoint

Page 2: Master IAM in the Cloud with SCIM v2.0

Copyright © SailPoint Technologies, Inc. 2016 All rights reserved.

Overview

• What is SCIM?
• Use Cases
• Your special snowflake
• Differences between 1.1 and 2.0
• What's coming?
• Adoption

Page 3: Master IAM in the Cloud with SCIM v2.0

What is SCIM?
System for Cross-Domain Identity Management

Page 4: Master IAM in the Cloud with SCIM v2.0

Identity Management + REST =

Page 5: Master IAM in the Cloud with SCIM v2.0

Identity Management + REST = SCIM

• REST is just an architectural pattern
  - SCIM defines an identity management profile for it
• SCIM provides…
  - Standard definitions for User and Group
    • Expressed in JSON (JavaScript Object Notation)
  - Standard operations
    • Create, Read, Update, Delete, Search, Partial Update, Bulk
  - Extensibility
    • Add more attributes to existing object types or define new object types

Page 6: Master IAM in the Cloud with SCIM v2.0

Example – Retrieve User Request

GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8

Page 7: Master IAM in the Cloud with SCIM v2.0

Example – Retrieve User Response

HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    ...
  }
}

Slide callouts on this response:
• Self-describing payload
• Single-valued attribute
• Complex attribute
• Many data types
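A SCIM client should not trust a response just because it came back with 200 OK. As an added example (not code from the deck), the following Python checks the points the slide calls out: the self-describing `schemas` list, the single-valued `id`, the complex `name` and `meta` attributes and their data types. The sample response is a constructed copy of the one above, with the elided fields left out.

```python
import json
from datetime import datetime, timezone

CORE_USER_URN = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample modelled on the response shown above; the "..." fields are left out.
SAMPLE_RESPONSE = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "name": {"formatted": "Ms. Barbara J Jensen III",
           "familyName": "Jensen", "givenName": "Barbara"},
  "meta": {"resourceType": "User", "created": "2011-08-01T18:29:49.793Z"}
}""")
SAMPLE_LOCATION = "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
SAMPLE_ID = "2819c223-7f76-453a-919d-413861904646"


def check_user_response(payload, location, requested_id):
    """Return the list of problems found; an empty list means the response is safe to consume."""
    problems = []
    # Self-describing payload: the schemas list must declare the core 2.0 User schema
    schemas = payload.get("schemas")
    if not isinstance(schemas, list) or CORE_USER_URN not in schemas:
        problems.append("schemas does not declare the core 2.0 User schema")
    # Single-valued attribute: id must be the resource we actually asked for
    if payload.get("id") != requested_id:
        problems.append("id %r does not match requested id %r" % (payload.get("id"), requested_id))
    if not location.endswith("/Users/" + requested_id):
        problems.append("Location header does not point at the requested resource")
    # meta is a complex attribute whose sub-attributes carry their own data types
    meta = payload.get("meta") or {}
    if meta.get("resourceType") != "User":
        problems.append("meta.resourceType is %r, expected 'User'" % meta.get("resourceType"))
    try:
        created = datetime.strptime(meta.get("created", ""), "%Y-%m-%dT%H:%M:%S.%fZ")
        if created.replace(tzinfo=timezone.utc) > datetime.now(timezone.utc):
            problems.append("meta.created lies in the future")
    except ValueError:
        problems.append("meta.created is not an ISO 8601 UTC timestamp")
    # Complex attribute: name must be a JSON object, never a bare string
    if not isinstance(payload.get("name"), dict):
        problems.append("name must be a complex attribute (JSON object)")
    return problems
```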

Page 8: Master IAM in the Cloud with SCIM v2.0

Use Cases
SCIM … huh … yeah … what is it good for? Absolutely … LOTS!

Page 9: Master IAM in the Cloud with SCIM v2.0

Use Cases

• Create account
• Add or remove access to a user
• Read a user’s current access so that it can be certified
• Terminate a user
• Provide user information for a corporate directory
• Synchronize user information from one application to another

Page 10: Master IAM in the Cloud with SCIM v2.0

Is your identity management API a special snowflake?

Page 11: Master IAM in the Cloud with SCIM v2.0

It seemed like such a good idea … until …
It looks so beautiful … until … you have to integrate with it.

Page 12: Master IAM in the Cloud with SCIM v2.0

And you end up with something like this…


Page 13: Master IAM in the Cloud with SCIM v2.0

Differences between SCIM v1.1 and v2.0

Page 14: Master IAM in the Cloud with SCIM v2.0

EXTENSIBILITY =

Page 15: Master IAM in the Cloud with SCIM v2.0

SCIM 2.0 is much more extensible

• The BIGGEST and BEST change since SCIM 1.1
• A server can define
  - Extensions to core objects (users and groups)
    • Need to store your users’ favorite tattoo parlors? No problem!
  - Completely new types of objects
    • Roles, profiles, OAuth clients, toasters, whatever the heck you want!
  - Relationships between objects
    • This toaster belongs to this user
• A client can ask the server to describe itself

Page 16: Master IAM in the Cloud with SCIM v2.0

Other goodies

• Simplified PATCH (partial update of objects)
• Secure searching (POST to /.search endpoint)
  - In case this bothers you: GET /Users?filter=ssn eq "379-941-9832"
• Add /Me endpoint to retrieve authenticated user’s information
• Reference data type to describe relationships
• General hardening of the slushy spots in the spec
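Why the /.search endpoint matters: a filter sent as a query string becomes part of the request target, which proxies and web servers write to access logs by default. As an added example (not code from the deck), the Python below builds both forms of the search from the slide's SSN filter and shows which one leaves the sensitive value in a typical log line. The SearchRequest body format is the one defined by the SCIM 2.0 protocol; the filter value is constructed from the slide.

```python
import json
from urllib.parse import urlencode

SEARCH_REQUEST_URN = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"

# Constructed filter; the SSN value is the one quoted on the slide above
SENSITIVE_FILTER = 'ssn eq "379-941-9832"'


def search_via_get(filter_expr):
    """Query-string search: the whole filter becomes part of the request target."""
    return "GET", "/Users?" + urlencode({"filter": filter_expr}), None


def search_via_post(filter_expr, attributes=None, count=100):
    """SCIM 2.0 /.search: the filter travels in a SearchRequest body, not the request line."""
    body = {"schemas": [SEARCH_REQUEST_URN], "filter": filter_expr,
            "startIndex": 1, "count": count}
    if attributes:
        body["attributes"] = attributes  # ask only for what you need, e.g. ["id", "userName"]
    return "POST", "/Users/.search", json.dumps(body)


def request_line(method, target):
    """What a typical web-server or proxy access log records about a request."""
    return "%s %s HTTP/1.1" % (method, target)


def secret_in_access_log(method, target, secret):
    """True when the secret value would be written to the access log as part of the request line."""
    return secret in request_line(method, target)
```

Note that moving the filter into the body only helps if request bodies are not logged either, and the server still needs authorization checks on what a filter may match.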

Page 17: Master IAM in the Cloud with SCIM v2.0

Is 2.0 Backwards Compatible?

Short answer – No … but it’s not that different.

• Things to look out for…
  - New /ResourceTypes endpoint and changes to /Schemas
  - Addition of meta.resourceType to each resource
  - References (eg – manager) now use $ref syntax
  - PATCH syntax was reworked
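The reworked PATCH syntax is the change most likely to break a 1.1 client. As an added example (not code from the deck), the Python below applies a SCIM 2.0 PatchOp message (the `Operations` list with `op`, `path` and `value` defined by the 2.0 protocol) to a constructed copy of the User from the earlier slide. It handles simple attribute and sub-attribute paths; value-filter paths such as `emails[type eq "work"]` are deliberately rejected rather than silently mishandled.

```python
import copy

PATCH_OP_URN = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed resource, modelled on the User shown earlier in the deck
USER = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": "2819c223-7f76-453a-919d-413861904646",
        "name": {"formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara"}}

# Constructed SCIM 2.0 PatchOp message: a list of operations, each with its own op, path and value
PATCH = {"schemas": [PATCH_OP_URN], "Operations": [
    {"op": "replace", "path": "name.givenName", "value": "Barb"},
    {"op": "remove", "path": "name.formatted"},
    {"op": "add", "path": "emails", "value": [{"value": "bjensen@example.com", "type": "work"}]},
    {"op": "add", "value": {"active": True}},  # no path: the value's keys are top-level attributes
]}


def apply_patch(resource, patch):
    """Apply a SCIM 2.0 PatchOp message and return a new resource; the input is left untouched."""
    if PATCH_OP_URN not in patch.get("schemas", []):
        raise ValueError("not a SCIM 2.0 PatchOp message")
    result = copy.deepcopy(resource)
    for operation in patch["Operations"]:
        op, path = operation["op"].lower(), operation.get("path")
        if path is None:  # only add/replace may omit the path
            if op == "remove":
                raise ValueError("remove requires a path")
            result.update(operation["value"])
            continue
        if "[" in path:  # value-filter paths such as emails[type eq "work"] are out of scope here
            raise ValueError("filter paths are not supported in this example")
        *parents, leaf = path.split(".")
        parent = result
        for part in parents:  # walk into the complex attribute, creating it if absent
            parent = parent.setdefault(part, {})
        if op == "remove":
            parent.pop(leaf, None)
        elif op == "replace":
            parent[leaf] = operation["value"]
        elif op == "add":
            value = operation["value"]
            if isinstance(parent.get(leaf), list):  # multi-valued attribute: append, don't overwrite
                parent[leaf].extend(value if isinstance(value, list) else [value])
            else:
                parent[leaf] = value
        else:
            raise ValueError("unknown op %r" % op)
    return result
```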

Page 18: Master IAM in the Cloud with SCIM v2.0

What’s new with SCIM?
Cha…cha…cha…cha…changes!

Page 19: Master IAM in the Cloud with SCIM v2.0

What’s new?

• Polling
  - Ability to ask for recent changes
• Events
  - Clients can subscribe to a server to be notified about changes
• Discovery
  - Use /.well-known/scim to get basic information about a SCIM server
• TIER (Trust & Identity in Education & Research)
  - Internet2 group is creating standardized EduUser and EduGroup extensions

Page 20: Master IAM in the Cloud with SCIM v2.0

SCIM Adoption
Who is using it?

Page 21: Master IAM in the Cloud with SCIM v2.0

Page 22: Master IAM in the Cloud with SCIM v2.0

Also … within organizations

• Many organizations are using SCIM as their internal identity management API
• Often use a “SCIM Gateway” at the center of their infrastructure
• Benefits
  - Simplifies adding new systems into the environment
  - Isolates disruptions from change (eg – changing ERP vendor)
  - Prevents reinventing the wheel
  - Ease of implementation by using existing libraries
• The spec is also relatively straightforward and easy to implement

Page 23: Master IAM in the Cloud with SCIM v2.0

SCIM 2.0 is the way to go!

Page 24: Master IAM in the Cloud with SCIM v2.0

Questions?
@[email protected]

http://simplecloud.info

SCIM Master Class

Wednesday
2:30 – 3:20: User Provisioning 101
3:30 – 4:20: SCIM 2 in Depth
4:30 – 5:20: SCIM 2 Interop Report