Jan19 scim webinar-04
Paul Madsen
Overview of the Simple Cloud Identity Management spec
1. SCIM Webinar
Jan 18, 2012
Patrick Harding, CTO
Paul Madsen, Senior Technical Architect
© 2010 Ping Identity Corporation
2. Background & Overview
3. Current State
• Enterprises need programmatic mechanisms to manage users/roles/groups in Cloud apps
• Large SaaS vendors have implemented proprietary APIs
  • Google, Salesforce, Cisco Webex, Successfactors, etc
  • All very similar, work well
4. Call to Arms
• At Cloud Identity Summit 2010
  • Attendees established need for an ‘open standard’ for provisioning cloud users
  • Google, Salesforce, Ping Identity, UnboundID, Microsoft created ‘Cloud Directory’ user group
• Initial discussions at IIW 12
5.
6. 2011 - Year of Development
• Q1 2011
  • Initial Draft SCIM Spec developed by Ping, UnboundID and Salesforce
• Q2 2011
  • Draft SCIM Spec introduced at IIW 13
  • Significant interest and discussion
• Q3 2011
  • SCIM Working Group established under OWF
  • Cisco, Sailpoint, Google contribute
• Q4 2011
  • Multiple vendors demonstrate interop at IIW 14
  • SCIM V1.0 in December 2011
7. SCIM 1.0 Specification Set
(diagram) http://simplecloud.info
• REST API: CRUD methods, response codes
• SAML Binding (draft): attribute mapping
• Future bindings
• Core Schema: User, Enterprise Extension, Groups, Config
8. SCIM Basics
• Core Schema
  • Represents User, Groups, Schema, Bulk etc
  • Defines basic user attributes (name, address, contact, etc.)
• REST API
  • Defines Create, Read, Update & Delete methods to synchronize user object information
• SAML Binding
  • Supports Just-In-Time provisioning during SSO
  • Maps SCIM schema to SAML AttributeStatement
9. Example 1: Push
(diagram) User Directory (Client) sends 1. Create/Update/Delete User Object over the SCIM API to the Cloud App User Store (Provider); 2. Status is returned to the Client
10. Example 2: SAML JIT
(diagram) User Directory / SAML IdP sends 1. SAML Token w/ User Object, via the Browser, to the SAML SP / User Store
11. Example 3: OpenID JIT + Pull
(diagram) OpenID IdP (User Store, API) and OpenID SP (User Store): 1. OpenID Response via the Browser; 2. SP reads the User Object over the API; 3. User Object returned
12. What’s Next?
• Implementation, implementation, implementation !!!
• Major cloud application platforms have indicated that they will implement SCIM in 2012
• SCIM working group to move to the IETF in 2012
  • Use SCIM v1.0 as baseline submission
  • Working code, successful deployments are key
  • SCIM v2.0 will address issues
13. Technical
14. Terminology
• Service Provider: A web application that provides identity information via the SCIM protocol (think SaaS)
• Consumer: A website or application that uses the SCIM protocol to manage identity data maintained by the Service Provider (think Enterprise)
• Resource: The Service Provider managed artifact containing one or more attributes; e.g., User or Group
15. Schema
• SCIM provides a minimal core schema for representing Resources of different types
  • User, Groups, Schema, Bulk etc
• User schema took as starting point the Portable Contacts schema [1]
  • Basic user attributes (name, address, contact, groups, password etc.)
[1] http://www.portablecontacts.net/draft-spec.html
16. Schema-Password?
• Group torn on whether to support password management in schema
• Acknowledgement that best practice is that enterprise users NOT be provisioned with passwords at SaaS providers
• But
  • Current reality doesn’t everywhere reflect ideal
  • Hope/expectation that SCIM will be applied beyond Cloud
• Consumers can specify an initial password when creating a new User (POST) or to reset an existing User's password (PATCH)
17. Schema-Enterprise extension
• Extends generic user with enterprise semantics
• Adds manager, department, organization, etc
    <ent:employeeNumber>701984</ent:employeeNumber>
    <ent:manager>
      <ent:managerId>902c246b-6245-4190</ent:managerId>
      <ent:displayName>Mandy Pepperidge</ent:displayName>
    </ent:manager>
    <ent:costCenter>4130</ent:costCenter>
    <ent:organization>Universal Studios</ent:organization>
    <ent:division>Theme Park</ent:division>
    <ent:department>Tour Operations</ent:department>
18. Schema-Groups
• Group resources enable group & role based access control
• Groups contain members
• How Service Provider implements access control is out of scope
    PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
    Host: example.com
    Accept: application/json
    Authorization: Bearer h480djs93hd8
    ETag: W/"a330bc54f0671c9"

    {
      "schemas": ["urn:scim:schemas:core:1.0"],
      "members": [
        { "display": "Babs Jensen", "value": "2819c223-7f76-453a-919d-413861904646" }
      ]
    }
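What a Service Provider does with a PATCH like the one above, as an added example written for this page (not code from the deck or from Ping Identity): it applies SCIM 1.0 PATCH semantics to a Group's members and refuses the update when the ETag the Consumer last saw is stale, so two Consumers cannot silently overwrite each other's membership changes. The hashing behind the ETag, the PreconditionFailed error and the sample Group are this example's own assumptions.

```python
import copy
import hashlib
import json

SCIM_CORE = "urn:scim:schemas:core:1.0"


class PreconditionFailed(Exception):
    """The Consumer's ETag no longer matches the stored Group (HTTP 412 on the wire)."""


def etag_for(resource):
    # Weak ETag over the canonical JSON of everything except 'meta' (which holds the
    # version itself). The hashing scheme is this example's choice, not the spec's.
    body = {k: v for k, v in resource.items() if k != "meta"}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return 'W/"%s"' % digest[:16]


def apply_patch(group, patch, if_match=None):
    """Apply a SCIM 1.0 PATCH body to a Group and return the updated copy.

    SCIM 1.0 PATCH semantics used here:
      - values listed for a multi-valued attribute (e.g. members) are added, unless a
        value carries "operation": "delete", which removes that member;
      - attribute names listed in meta.attributes are removed entirely;
      - single-valued attributes in the body replace the stored value.
    if_match is the ETag the Consumer last saw; a mismatch means the Group changed in
    between and the PATCH is refused instead of clobbering the other update.
    """
    if if_match is not None and if_match != etag_for(group):
        raise PreconditionFailed("Group changed since the Consumer read it")
    if SCIM_CORE not in patch.get("schemas", []):
        raise ValueError("PATCH body must declare the SCIM core schema")

    updated = copy.deepcopy(group)
    for attr in patch.get("meta", {}).get("attributes", []):
        updated.pop(attr, None)

    for attr, value in patch.items():
        if attr in ("schemas", "meta"):
            continue
        if isinstance(value, list):
            # Index existing members by "value" (the member's SCIM id at this provider)
            current = {m["value"]: m for m in updated.get(attr, [])}
            for item in value:
                if item.get("operation") == "delete":
                    current.pop(item["value"], None)
                else:
                    current[item["value"]] = {k: v for k, v in item.items() if k != "operation"}
            updated[attr] = list(current.values())
        else:
            updated[attr] = value

    updated.setdefault("meta", {})["version"] = etag_for(updated)
    return updated


# Constructed sample Group; the ids come from the deck's examples
GROUP = {
    "schemas": [SCIM_CORE],
    "id": "acbf3ae7-8463-4692-b4fd-9b4da3f908ce",
    "displayName": "Tour Guides",
    "members": [{"display": "Mandy Pepperidge", "value": "902c246b-6245-4190"}],
    "meta": {},
}
GROUP["meta"]["version"] = etag_for(GROUP)

# The deck's PATCH body: adds Babs Jensen to the Group
ADD_BABS = {
    "schemas": [SCIM_CORE],
    "members": [{"display": "Babs Jensen", "value": "2819c223-7f76-453a-919d-413861904646"}],
}

if __name__ == "__main__":
    print(json.dumps(apply_patch(GROUP, ADD_BABS, if_match=GROUP["meta"]["version"]), indent=2))
```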
19. Schema-Metadata
• Service Provider Configuration Resource enables a Service Provider to expose its compliance with the SCIM specification in a standardized form & provide additional implementation details to Consumers.
    {
      "schemas": ["urn:scim:schemas:core:1.0"],
      "patch": { "supported": true },
      "bulk": { "supported": true, "maxOperations": 1000, "maxPayloadSize": 1048576 },
      "filter": { "supported": true, "maxResults": 200 },
      "changePassword": { "supported": true },
      "authenticationSchemes": [
        {
          "name": "OAuth Bearer Token",
          "specUrl": "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
          "documentationUrl": "http://example.com/help/oauth.html",
          "type": "oauthbearertoken",
          "primary": true
        }
      ]
    }
20. Schema- representative AD Mapping
    AD                    SCIM
    userPrincipalName     userName
    mail                  email.value (type=work)
    givenName             name.givenName
    sn                    name.familyName
    whenCreated           meta.whenCreated
    userPassword          password
    cn                    displayName
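The mapping above turned into code, as an added example written for this page (not the deck's own or Ping Identity's): it builds a SCIM 1.0 User from an AD entry, resolves the manager DN through a caller-supplied lookup for the enterprise extension, and deliberately leaves userPassword behind, which is the deck's own stated best practice. The AD source attributes for the enterprise fields (employeeNumber, department, company, manager), the sample entry and the lookup table are assumptions; the deck writes the created timestamp as meta.whenCreated, the SCIM 1.0 core schema calls it meta.created.

```python
import json
from datetime import datetime

SCIM_CORE = "urn:scim:schemas:core:1.0"
SCIM_ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"

# Single-valued mappings from the deck's table (AD attribute -> SCIM path)
CORE_MAP = {
    "userPrincipalName": "userName",
    "givenName": "name.givenName",
    "sn": "name.familyName",
    "cn": "displayName",
}
# Enterprise extension fields; the AD-side names are this example's assumptions
ENTERPRISE_MAP = {"employeeNumber": "employeeNumber", "department": "department",
                  "company": "organization"}
# Deliberately unmapped: the deck's best practice is that enterprise users are NOT
# provisioned with passwords at the SaaS provider, so the AD secret stays in AD.
NEVER_FORWARD = ("userPassword", "unicodePwd")


def ad_time_to_iso8601(value):
    """AD GeneralizedTime '20120118093000.0Z' -> '2012-01-18T09:30:00Z'."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y%m%d%H%M%S").strftime("%Y-%m-%dT%H:%M:%SZ")


def set_path(obj, path, value):
    """Set a dotted SCIM path such as name.givenName inside a nested dict."""
    parts = path.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value


def ad_to_scim_user(entry, resolve_manager):
    """Build a SCIM 1.0 User (core + enterprise extension) from an AD entry dict.

    resolve_manager(dn) returns (scim_id, display_name) or None: AD stores the manager
    as a DN, SCIM wants the manager's id at the Service Provider, so the caller looks it up.
    """
    if "userPrincipalName" not in entry:
        raise ValueError("userPrincipalName is required: it becomes the SCIM userName")
    user = {"schemas": [SCIM_CORE]}
    for ad_attr, scim_path in CORE_MAP.items():
        if ad_attr in entry:
            set_path(user, scim_path, entry[ad_attr])
    if "mail" in entry:  # mail -> emails[].value with type=work
        user["emails"] = [{"value": entry["mail"], "type": "work", "primary": True}]
    if "whenCreated" in entry:  # meta.whenCreated on the slide, meta.created in the core schema
        set_path(user, "meta.created", ad_time_to_iso8601(entry["whenCreated"]))

    ext = {scim: entry[ad] for ad, scim in ENTERPRISE_MAP.items() if ad in entry}
    manager = resolve_manager(entry["manager"]) if "manager" in entry else None
    if manager is not None:
        ext["manager"] = {"managerId": manager[0], "displayName": manager[1]}
    if ext:
        user["schemas"].append(SCIM_ENTERPRISE)
        user[SCIM_ENTERPRISE] = ext
    return user


# Constructed sample AD entry (not real directory data); ids and names follow the deck
SAMPLE_AD_ENTRY = {
    "userPrincipalName": "bjensen@example.com", "mail": "bjensen@example.com",
    "givenName": "Barbara", "sn": "Jensen", "cn": "Barbara Jensen",
    "whenCreated": "20120118093000.0Z",
    "userPassword": "hunter2",  # exported from AD, must not be forwarded
    "employeeNumber": "701984", "department": "Tour Operations",
    "company": "Universal Studios",
    "manager": "CN=Mandy Pepperidge,OU=Staff,DC=example,DC=com",
}
# Manager DN -> (SCIM id at the provider, display name); assumed lookup table
MANAGER_LOOKUP = {"CN=Mandy Pepperidge,OU=Staff,DC=example,DC=com":
                  ("902c246b-6245-4190", "Mandy Pepperidge")}

if __name__ == "__main__":
    print(json.dumps(ad_to_scim_user(SAMPLE_AD_ENTRY, MANAGER_LOOKUP.get), indent=2))
```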
21. API
• Specifies well known endpoints & HTTP methods for managing Resources defined in the core schema
• User and Group Resources correspond to /Users and /Groups respectively
• RESTful (really)
• Responses are returned in the body of the HTTP response, formatted as JSON or XML, depending on what is requested
22. API-Architecture
(diagram) Client calls the API of the Service Provider; the Response carries the Resource representation built from the Service Provider's Resources
23. API-Verbiage
• API uses HTTP verbs as follows
  • GET (retrieves an existing resource)
  • POST (creates a new resource)
  • PUT (overrides an existing resource)
  • PATCH (partially modifies an existing resource)
  • DELETE (deletes an existing resource)
24. API-Authentication
• SCIM does not mandate a particular authentication scheme by which Consumers authenticate to Service Providers
• OAuth 2.0 is RECOMMENDED, but other schemes (e.g. HTTP Basic) are not precluded
• Consumers and Service Providers MUST implement TLS
25. API-Authentication-OAuth example
    POST /User HTTP/1.1
    Host: example.com
    Accept: application/xml
    Authorization: Bearer h480djs93hd8

    <?xml version="1.0" encoding="UTF-8"?>
    <scim:User xmlns:scim="urn:scim:schemas:core:1.0">
      <userName>bjensen@example.com</userName>
      <externalId>701984</externalId>
      <emails>
        <email>
          <value>bjensen@example.com</value>
          <primary>true</primary>
          <type>work</type>
        </email>
      </emails>
    </scim:User>
26. API-Response codes
• API uses/overrides HTTP Response codes to indicate operation success or failure.
• In addition, Service Providers return errors in the body of the response, with human-readable explanations.
    HTTP/1.1 404 NOT FOUND
    {
      "Errors": [
        {
          "description": "Resource 2819c223-7f76-453a-919d- not found",
          "code": "404"
        }
      ]
    }
27. API-Error codes
28. API-Response operations
• SCIM defines a standard set of operations that can be used to filter, sort, and paginate response results.
• Consumers may request a subset of Resources by specifying the 'filter' URL query parameter containing a filter expression.
• Sorting allows Consumers to specify the order in which Resources are returned by specifying a combination of sortBy and sortOrder URL parameters
• Pagination parameters can be used together to "page through" large numbers of Resources so as not to overwhelm the Consumer or Service Provider
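A small Service Provider-side implementation of these three operations, added here as an example (not code from the deck or from Ping Identity): SCIM 1.0 filter syntax (eq, co, sw, pr joined by and/or, no parentheses), sortBy/sortOrder, and startIndex/count capped at the filter.maxResults of 200 the deck's configuration advertises, so a Consumer cannot pull an unbounded page. The sample Users are constructed; a malformed filter raises ValueError, which the HTTP layer would turn into a 400.

```python
import shlex

SCIM_CORE = "urn:scim:schemas:core:1.0"
MAX_RESULTS = 200  # the deck's ServiceProviderConfig advertises filter.maxResults = 200
OPS = {"eq", "co", "sw", "pr"}  # equals, contains, starts with, present

def resolve(resource, path):
    """Every value at a dotted path; multi-valued attributes fan out, so
    'emails.type' on a User yields the type of each of its emails."""
    nodes = [resource]
    for part in path.split("."):
        nodes = [item[part] for node in nodes
                 for item in (node if isinstance(node, list) else [node])
                 if isinstance(item, dict) and part in item]
    return [v for node in nodes for v in (node if isinstance(node, list) else [node])]

def parse_filter(expr):
    """'attr op value [and|or ...]' -> list of AND-clauses that are OR-ed together
    ('and' binds tighter than 'or'; SCIM 1.0 has no parentheses). Bad input -> ValueError."""
    tokens = shlex.split(expr)  # also strips the quotes around values
    clauses, clause, i = [], [], 0
    try:
        while i < len(tokens):
            attr, op = tokens[i], tokens[i + 1].lower()
            if op not in OPS:
                raise ValueError("unknown operator %r" % op)
            if op == "pr":
                clause.append((attr, op, None))
                i += 2
            else:
                raw = tokens[i + 2]  # unquoted true/false become booleans
                clause.append((attr, op, raw == "true" if raw in ("true", "false") else raw))
                i += 3
            if i < len(tokens):
                conj = tokens[i].lower()
                if conj == "or":
                    clauses.append(clause)
                    clause = []
                elif conj != "and":
                    raise ValueError("expected and/or, got %r" % conj)
                i += 1
    except IndexError:
        raise ValueError("incomplete filter expression: %r" % expr)
    clauses.append(clause)
    return clauses

def term_matches(resource, attr, op, expected):
    values = [v for v in resolve(resource, attr) if v is not None]
    if op == "pr":
        return bool(values)
    for actual in values:
        if isinstance(actual, str) and isinstance(expected, str):
            a, e = actual.lower(), expected.lower()  # string compares: case-insensitive here
            if (op == "eq" and a == e) or (op == "co" and e in a) or (op == "sw" and a.startswith(e)):
                return True
        elif op == "eq" and type(actual) is type(expected) and actual == expected:
            return True
    return False

def query(resources, filter_expr=None, sort_by=None, sort_order="ascending",
          start_index=1, count=MAX_RESULTS):
    """Filter, sort and paginate like a SCIM 1.0 GET on /Users; returns a ListResponse."""
    clauses = parse_filter(filter_expr) if filter_expr else [[]]
    hits = [r for r in resources
            if any(all(term_matches(r, *t) for t in c) for c in clauses)]
    if sort_by:
        hits.sort(key=lambda r: str((resolve(r, sort_by) or [""])[0]).lower(),
                  reverse=(sort_order == "descending"))
    start = max(start_index, 1)
    count = min(max(count, 0), MAX_RESULTS)  # never exceed the advertised maxResults
    page = hits[start - 1:start - 1 + count]
    return {"schemas": [SCIM_CORE], "totalResults": len(hits),
            "itemsPerPage": len(page), "startIndex": start, "Resources": page}

# Constructed sample Users (not from the deck)
USERS = [
    {"id": "1", "userName": "bjensen@example.com", "active": True,
     "name": {"givenName": "Barbara", "familyName": "Jensen"},
     "emails": [{"value": "bjensen@example.com", "type": "work", "primary": True}]},
    {"id": "2", "userName": "jsmith@example.com", "active": True,
     "name": {"givenName": "John", "familyName": "Smith"},
     "emails": [{"value": "john@home.example", "type": "home"}]},
    {"id": "3", "userName": "ajones@example.com", "active": False,
     "name": {"givenName": "Alice", "familyName": "Jones"},
     "emails": [{"value": "ajones@example.com", "type": "work"},
                {"value": "alice@home.example", "type": "home"}]},
]
```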
29. SAML Binding
• Supports a JIT provisioning model where users are created in real time (vs a priori via API)
• Binds SCIM User objects to SAML Attributes
• Expectation is that other SSO/JIT bindings will follow in time
• SAML binding not voted out with API and Core Schema, group needs to resolve tension between
  • SCIM push for simplicity
  • Existing SAML Attribute Person Profiles
  • Complex attributes don’t easily map into SAML Attributes
30. SAML Binding-Architecture
(diagram) Client Browser, SAML IdP, SAML SP / Service Provider; the Resource representation travels from the IdP's Resources to the SP inside the SAML exchange
31. SAML Binding-SAML Attributes
    <saml:AttributeStatement
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:scim="http://placeholder.scim.org/2011/schema/extension">
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                      Name="SCIM.userName">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">bjensen@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                      Name="SCIM.name.formatted">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">Ms. Babs J Jensen III</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
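How a SAML IdP could flatten a SCIM User into the dotted SCIM.* attribute names shown above, added as an example written for this page (not the deck's or the binding draft's code): each element of a multi-valued attribute becomes one more AttributeValue of the same Attribute, which is this example's choice for the complex-attribute mapping the draft leaves open, and the password never leaves the IdP. The sample User and the attribute_values helper on the SP side are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XS_NS = "http://www.w3.org/2001/XMLSchema"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
# Never carried in an assertion: bookkeeping and, above all, credentials
EXCLUDED_TOP_LEVEL = {"schemas", "meta", "password"}


def flatten(user):
    """Map a SCIM User to SAML attribute names: 'SCIM.' + dotted path, as in the
    draft's SCIM.userName / SCIM.name.formatted. Returns {name: [values]}."""
    attrs = {}

    def walk(prefix, node):
        if isinstance(node, dict):
            for key, child in node.items():
                if prefix == "SCIM" and key in EXCLUDED_TOP_LEVEL:
                    continue
                walk(prefix + "." + key, child)
        elif isinstance(node, list):  # multi-valued: one AttributeValue per element
            for item in node:
                walk(prefix, item)
        elif node is not None:
            text = "true" if node is True else "false" if node is False else str(node)
            attrs.setdefault(prefix, []).append(text)

    walk("SCIM", user)
    return attrs


def attribute_statement(user):
    """IdP side: serialize the flattened User as a saml:AttributeStatement."""
    ET.register_namespace("saml", SAML_NS)
    ET.register_namespace("xsi", XSI_NS)
    # xs: is only referenced inside xsi:type values, so declare it by hand
    stmt = ET.Element("{%s}AttributeStatement" % SAML_NS, {"xmlns:xs": XS_NS})
    for name, values in flatten(user).items():
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML_NS,
                             {"NameFormat": NAME_FORMAT, "Name": name})
        for value in values:
            av = ET.SubElement(attr, "{%s}AttributeValue" % SAML_NS,
                               {"{%s}type" % XSI_NS: "xs:string"})
            av.text = value
    return ET.tostring(stmt, encoding="unicode")


def attribute_values(statement_xml, name):
    """SP side: pull the values of one named Attribute back out of the statement."""
    root = ET.fromstring(statement_xml)
    path = "{%s}Attribute[@Name='%s']/{%s}AttributeValue" % (SAML_NS, name, SAML_NS)
    return [av.text for av in root.findall(path)]


# Constructed sample User; userName and name.formatted follow the deck's example
USER = {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen@example.com",
    "name": {"formatted": "Ms. Babs J Jensen III", "givenName": "Barbara", "familyName": "Jensen"},
    "emails": [{"value": "bjensen@example.com", "type": "work", "primary": True},
               {"value": "babs@home.example", "type": "home"}],
    "active": True,
    "password": "hunter2",  # may sit on a SCIM POST body; must never reach the SP via SAML
    "meta": {"created": "2012-01-18T09:30:00Z"},
}

if __name__ == "__main__":
    print(attribute_statement(USER))
```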
32. Conclusions
• SCIM has potential to be an important IdM standard in & out of the cloud
• But, if SCIM is to avoid SPML's fate, adoption is key
• Start demanding that IdM vendors and SaaS providers add support
33. Thank you
@pingcto, @paulmadsen
34. Demo
35. Demo
(diagram) Enterprise AD, Ping Cloud and the Salesforce (SFDC) User Store, connected via SCIM