SCIM in the Real World
Kelly Grizzle
Software Architect – SailPoint
Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.
Overview
• What is SCIM?
• Trends in SCIM Usage
• Who are you and what’s your problem?
- Identity Gurus
- Service Providers
• Case Studies
• Where is SCIM today and where is it going?
What is SCIM?
System for Cross-Domain Identity Management
Identity Management + REST = SCIM
• REST is just architectural pattern
- SCIM defines an identity management profile for it
• SCIM provides…
- Standard definitions for User and Group
- Standard operations
• Create, Read, Update, Delete, Search, Partial Update, Bulk
- Extensibility
• Add more attributes to existing object types or define new object
types
Example – Retrieve User Request
GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
Example – Retrieve User Response
HTTP/1.1 200 OK
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
{
"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "2819c223-7f76-453a-919d-413861904646",
"name": {
"formatted": "Ms. Barbara J Jensen III",
"familyName": "Jensen",
"givenName": "Barbara"
},
"meta": {
"resourceType": "User",
"created": "2011-08-01T18:29:49.793Z",
...
}
}
Callouts on the response: the schemas array makes the payload self-describing; id is a single-valued attribute; name is a complex attribute; meta.created shows the range of data types (here a dateTime).
CRUD Operations
POST /Users
PUT /Users/2819c223-7f76-453a-919d-413861904646
PATCH /Users/2819c223-7f76-453a-919d-413861904646
DELETE /Users/2819c223-7f76-453a-919d-413861904646
GET /Users?startIndex=10&count=5&filter=userName sw "J"
- Filter shown unencoded for readability; on the wire the query string is percent-encoded
GET /Users/2819c223-7f76-453a-919d-413861904646
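The list request above takes its filter straight from the query string, which makes search the one SCIM operation where caller-supplied text most often ends up inside a server-side expression. The Python below is an added example (not code from the slides or from SailPoint) showing how a client should quote filter values and walk a paged ListResponse; SAMPLE_USERS and fake_fetch() are constructed stand-ins for a real GET /Users so that it runs offline.

```python
"""Safe SCIM 2.0 filter construction and ListResponse paging.

Added example, not code from the original slides. SAMPLE_USERS and
fake_fetch() are constructed stand-ins for a real GET /Users so that the
code runs offline.
"""
import json
import re
from urllib.parse import urlencode

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Comparison operators and the attrPath grammar of RFC 7644 section 3.4.2.2.
OPERATORS = {"eq", "ne", "co", "sw", "ew", "gt", "ge", "lt", "le"}
ATTR_PATH = re.compile(
    r"^(?:urn:[A-Za-z0-9:._-]+:)?[A-Za-z][A-Za-z0-9_-]*(?:\.[A-Za-z][A-Za-z0-9_-]*)?$"
)


def unsafe_filter(attr, op, value):
    """What not to do: a caller-controlled value is spliced into the expression,
    so a value containing a double quote rewrites the filter."""
    return f'{attr} {op} "{value}"'


def safe_filter(attr, op, value):
    """Build one comparison. The grammar's compValue is a JSON literal, so
    json.dumps() produces exactly the quoting and escaping the server expects."""
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    if not ATTR_PATH.match(attr):
        raise ValueError(f"bad attribute path {attr!r}")
    return f"{attr} {op} {json.dumps(value)}"


def users_url(base, flt, start_index=1, count=100):
    """Percent-encode the query string (the slide shows the filter unencoded)."""
    query = urlencode({"filter": flt, "startIndex": start_index, "count": count})
    return f"{base}/Users?{query}"


# Constructed sample data: seven users, enough to need three pages of three.
SAMPLE_USERS = [
    {"schemas": [USER_SCHEMA], "id": f"u{i}", "userName": f"user{i}@example.com"}
    for i in range(1, 8)
]


def fake_fetch(start_index, count):
    """Constructed stand-in for GET /Users?startIndex=..&count=.. (1-based index)."""
    page = SAMPLE_USERS[start_index - 1:start_index - 1 + count]
    return {
        "schemas": [LIST_RESPONSE],
        "totalResults": len(SAMPLE_USERS),
        "startIndex": start_index,
        "itemsPerPage": len(page),
        "Resources": page,
    }


def paginate(fetch, count=3):
    """Yield every resource from a paged ListResponse. Stops on an empty page so a
    server that reports an inflated totalResults cannot loop the client forever."""
    start = 1
    while True:
        page = fetch(start, count)
        if LIST_RESPONSE not in page.get("schemas", []):
            raise ValueError("response is not a SCIM ListResponse")
        resources = page.get("Resources", [])
        yield from resources
        got = page.get("itemsPerPage", len(resources))
        if got == 0 or start + got > page["totalResults"]:
            return
        start += got


if __name__ == "__main__":
    flt = safe_filter("userName", "sw", "J")
    print(users_url("https://example.com/v2", flt, 10, 5))
    payload = 'x" or userName pr or userName eq "'
    print(unsafe_filter("userName", "eq", payload))  # matches every user
    print(safe_filter("userName", "eq", payload))    # matches nobody
    print([u["id"] for u in paginate(fake_fetch)])
```

The same rule applies on the server side: a SCIM server that builds an LDAP or SQL query from the parsed filter must bind the comparison value as a parameter rather than re-interpolating it, otherwise the injection merely moves one hop downstream.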
Server Configuration Operations
GET /ResourceTypes
- Return the types of resources that are supported
- Endpoint URL, schema, etc…
GET /Schemas
- Return the schema definitions
- Attribute names and types, etc…
GET /ServiceProviderConfig (spelled /ServiceProviderConfigs in SCIM 1.1 and early 2.0 drafts)
- Return info about what is supported by the server
- Authn methods, optional features (PATCH, bulk, filtering, ETags), etc…
Trends in SCIM Usage
Trends
• Enterprises are using SCIM Gateways to communicate
between internal systems
• Service providers use SCIM for directory access
- Store extended information, but often not visible externally
• IAM and IDaaS vendors provide SCIM Servers to expose
identity information and use SCIM Clients to read/write
external systems
• Custom password extensions keep appearing, with common threads across implementations
• SCIM is seen as the identity management API
Who are you? IAM Gurus!
99 problems and identity is #1
Problem!!! Bob needs a new account
SCIM Solution: Provision
Problem!!! Bob can’t login!
SCIM Solution: Password reset
* Alternate Solution: Single sign-on … but this isn’t a SAML / OIDC workshop.
Problem!!! Bob can’t read the financials
SCIM Solution: Add him to a group or
give him some entitlements
Problem!!! I need to know Bob’s access
SCIM Solution: Read User and Group Data
Problem!!! Bob has been a bad boy
SCIM Solution: Deprovision
Problem!! Apps team needs to r/w identity
SCIM Solution: Standard but extensible API
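Each of the "Bob" problems above maps to one SCIM request. As an added example (not from the slides or any vendor's client), here are the request bodies a Python client would send for provisioning, group membership, and deprovisioning, choosing PATCH or a full PUT based on what /ServiceProviderConfig advertises. SERVICE_PROVIDER_CONFIG and the user record used in the PUT fallback are constructed; deactivating instead of deleting is a design choice of this example, not something the slide prescribes.

```python
"""Request bodies for the 'Bob' problems: provision, group membership, deprovision.

Added example, not code from the slides. SERVICE_PROVIDER_CONFIG is
constructed; a real client would GET /ServiceProviderConfig once and cache it.
"""
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed ServiceProviderConfig (RFC 7643 section 5): PATCH and ETags on, bulk off.
SERVICE_PROVIDER_CONFIG = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
    "patch": {"supported": True},
    "bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0},
    "filter": {"supported": True, "maxResults": 200},
    "changePassword": {"supported": True},
    "sort": {"supported": False},
    "etag": {"supported": True},
    "authenticationSchemes": [
        {"type": "oauthbearertoken", "name": "OAuth Bearer Token",
         "description": "Authentication scheme using the OAuth Bearer Token Standard"}
    ],
}


def provision_user(user_name, given_name, family_name, email):
    """Problem: Bob needs a new account -> POST /Users."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "type": "work", "primary": True}],
        "active": True,
    }
    return "POST", "/Users", body


def add_to_group(group_id, user_id):
    """Problem: Bob can't read the financials -> PATCH /Groups/{id}, op=add on
    members (RFC 7644 section 3.5.2.1). Adding a member that is already present
    is a no-op on the server, so the call is safe to retry."""
    body = {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "add", "path": "members", "value": [{"value": user_id}]}],
    }
    return "PATCH", f"/Groups/{group_id}", body


def update_headers(resource, config=SERVICE_PROVIDER_CONFIG):
    """Send If-Match when the server supports ETags so two admins editing the same
    user cannot silently overwrite each other (RFC 7644 section 3.14)."""
    version = resource.get("meta", {}).get("version")
    if config.get("etag", {}).get("supported") and version:
        return {"If-Match": version}
    return {}


def deprovision(user_id, current_user=None, config=SERVICE_PROVIDER_CONFIG):
    """Problem: Bob has been a bad boy. Deactivate (active=false) rather than DELETE
    so the account and its audit trail survive; PATCH when advertised, else full PUT."""
    if config.get("patch", {}).get("supported"):
        body = {"schemas": [PATCH_OP],
                "Operations": [{"op": "replace", "value": {"active": False}}]}
        return "PATCH", f"/Users/{user_id}", body
    if current_user is None:
        raise ValueError("server lacks PATCH; fetch the current resource for a full PUT")
    body = dict(current_user)
    body["active"] = False
    return "PUT", f"/Users/{user_id}", body


if __name__ == "__main__":
    bob = "2819c223-7f76-453a-919d-413861904646"
    for method, path, body in (
        provision_user("bob@example.com", "Bob", "Example", "bob@example.com"),
        add_to_group("e9e30dba-f08f-4109-8486-d5c6a331660a", bob),
        deprovision(bob),
    ):
        print(method, path, json.dumps(body))
```

The PUT fallback is where a naive client does damage: a full replace sends every attribute, so a stale copy of the user silently reverts changes made since it was fetched, which is exactly what the If-Match header guards against.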
Case Study: Fortune 100 Chip Maker
The Setup
• Started considering options between a failed Oracle Identity
Manager project and “the next thing”
• Needed a façade
- Prevent IAM vendor lock-in
- Needed co-existence between old and new IAM systems
• Extensibility was crucial!
• “We wanted a 20 year solution.” –IAM Guru
The Solution
Create a SCIM gateway to serve as a central identity hub
[Diagram: a SCIM Gateway Cluster sits in the middle, connected to the legacy apps, the IAM system, SSO, and the directory server.]
The Interesting Parts
• Extended user schema to hold custom information
• Extended endpoints to support many additional features
- Email verification
• POST /EmailVerificationTokens to create a token
• POST /EmailVerification to verify email using token
- Password reset
• POST /PasswordResetTokens to create a token
• POST /PasswordChanges to change password using token
- Security token management for SSO
• POST /SecurityTokens to create authenticated session token
• DELETE /SecurityTokens to invalidate
More Interesting Parts
• More extended endpoints…
- Notifications (email or SMS)
• POST /Notifications to send a notification with user information merged in
(welcome email, forgot login ID, etc…)
- Role management
• PATCH /Roles to change membership for a role
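Of the extended endpoints above, the password-reset pair deserves the most care, since a reset token is a bearer credential for the account. The Python below is an added example modelling /PasswordResetTokens and /PasswordChanges; it is not the customer's implementation. The endpoint names come from the slide, while the in-memory stores, the 15-minute lifetime, the hashing parameters and the method names are assumptions.

```python
"""Token issuance and redemption behind a SCIM password-reset extension.

Added example modelling the /PasswordResetTokens and /PasswordChanges
endpoints; not the customer's implementation. Endpoint names come from the
slide; the stores, the 15-minute lifetime and the method names are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def _digest(token):
    """Only a hash of the token is stored, so a leaked token table is useless."""
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}     # sha256(token) -> (user_id, expires_at)
        self._passwords = {}  # user_id -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        self._passwords[user_id] = (salt, self._hash(password, salt))

    def verify_password(self, user_id, password):
        entry = self._passwords.get(user_id)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(expected, self._hash(password, salt))

    def create_token(self, user_id):
        """POST /PasswordResetTokens. Returns the one-time secret; the server sends
        it to the user's verified address and never echoes it back in any GET."""
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def change_password(self, token, new_password):
        """POST /PasswordChanges. The token is consumed on first presentation whether
        or not it succeeds, expired tokens are refused, and a successful change
        revokes every other outstanding token for the same user."""
        entry = self._tokens.pop(_digest(token), None)
        if entry is None:
            return False
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return False
        self.set_password(user_id, new_password)
        for key in [k for k, (uid, _) in self._tokens.items() if uid == user_id]:
            del self._tokens[key]
        return True


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.set_password("bob", "hunter2")
    token = svc.create_token("bob")  # would be delivered out of band, not printed
    print("first use:", svc.change_password(token, "correct horse battery staple"))
    print("replay:   ", svc.change_password(token, "something else"))
    print("login:    ", svc.verify_password("bob", "correct horse battery staple"))
```

Two things the slide's endpoint list does not say but a reviewer would ask about: the response to /PasswordResetTokens must not reveal whether the user exists (return the same 201 either way and only deliver a token for real accounts), and the token-creation endpoint needs rate limiting, since it is unauthenticated by nature.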
The Benefits
• Ability to add new information and features without breaking
existing clients
- If there is anything in the JSON that you don't recognize, throw it away (tolerant reading: clients ignore unknown attributes, so the server can add fields without breaking them)
“SCIM has been critical and program-saving. It is exactly what
we needed at exactly the right time, and fills a crucial role in
our environment."
--IAM Guru
Case Study: Fortune 500 Pharmaceuticals
The Setup
• Need to support identity on a large portfolio of applications
- Not all application teams are resourced equally
• Wanted an abstraction of provisioning from specific
implementations
- Allow for seamless upgrades of IAM system
- Ease cost of implementation for smaller applications
The Solution
Create a SCIM gateway to serve as a central identity hub
[Diagram: a SCIM SOA Gateway sits in the middle, connected to the on-prem apps, the cloud apps, the IAM system, and the directory server.]
The Benefits
• SCIM gives agility in adopting new versions of IAM system
• SCIM isolates IAM system if a SaaS vendor changes their
identity model
- Connector continues to work with an updated schema
- Important for SaaS vendors that can update at any time
• If an application vendor is small, it's not worth writing a custom connector
- Small vendors are very willing to implement SCIM as their
standard identity API
Who are you? Service Providers!!
99 problems and identity is #1
Problem!!! I need to expose a directory!!
SCIM Solution: Read and write with SCIM
Problem!!! I need an API between my own
products!
SCIM Solution: Everything identity is SCIM
Problem!! My mobile app needs identities!
SCIM Solution: Light-weight REST API
Problem!!! I need to get identities from my
customer’s directory into my cloud app!
SCIM Solution: To the cloud with SCIM!
Case Study: Fortune 100 Networking
The Setup
• Needed a consistent identity API that can be used:
- By partners
- By customers
- Internally between products
- To communicate with IdPs and other SaaS vendors
The Solution
[Diagram: a SCIM Identity Service fronts the directory; its consumers are clients, internal systems, partners and IdPs, an identity sync client, and the mobile app (read/write).]
The Interesting Parts
• Additional endpoints
- /Devices
- /Tenants
• Only available internally
• Password policy is configured on tenant
• Core schemas have been extended
- Positive extensions: New attributes (mainly internal info)
- Negative extensions: Attributes in SCIM spec that aren’t
supported
• Legacy APIs forward requests on to SCIM
The Benefits
• Single API for everything identity
• Mobile application has a light-weight API to use
• SCIM clients are easy to write
- Have seen no need to write a toolkit
Case Study: Fortune 1000 Networking
The Setup
• Needed a consistent identity API that can be used:
- By customers
- Internally between products
- To communicate with IdPs
The Solution
[Diagram: a SCIM Identity Service fronts AD; its consumers are custom clients, internal systems, IdPs, and a sync client.]
The Interesting Parts
• Exploring an "organizational unit" extension to facilitate multi-tenancy in the API
• Exploring a pub/sub SCIM model
- Client subscribes to be notified of changes
- SCIM server sends out notifications
The Benefits
• Single API for everything identity
• No need to provide documentation
- Just point developers at the spec
• Easy to implement
Case Studies in Brief
PaaS – CloudFoundry
• CloudFoundry is an open platform-as-a-service (PaaS)
• Identity APIs leverage standards
- SCIM, OAuth2, and OpenID Connect
• Benefits
- Use existing open API rather than reinventing the wheel
- Use SCIM extensions for some non-identity APIs
IDaaS and IAM Vendors
• IDaaS and IAM vendors need to:
- Allow external access to their identity store
- Provision/read identities and groups to/from other applications
• SCIM server provides external access
• SCIM client provides provisioning to other applications
• Benefits
- Standardized API makes external integration easy
- Applications that support SCIM can be integrated immediately
• No custom connector is required
• No product upgrade required to support new apps
SailPoint, Salesforce, Ping, VMWare, neXus, Oracle, UnboundID
Higher Education
• Higher education is largely focused on federation
- Need to propagate minimum amount of identity data
- Authorization data (group memberships) are very important
- Federation attribute payload works well for Just In Time (JIT)
provisioning
- SCIM enables more robust record propagation when JIT is not
good enough
• For example, email account provisioning often must occur before
first login
Federations that need attribute exchange
Higher Education
• VOOT is an identity/group protocol built on top of SCIM
- Adds more features around group membership
• Grouper is a user/group management tool developed by
Internet2
- SCIM integration allows writing to down-stream endpoints
http://openvoot.org/
https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+Integration
VOOT and Grouper
Case Study: neXus Internet of Things
The Setup
• IoT provider needed:
- A registry of devices associated with a user
- Information about the device (bluetooth address, etc…)
- A mobile app that can
• Authenticate
• Retrieve user information (including devices)
• Communicate with devices
- Devices that can send status updates
The Solution
[Diagram: SCIM Server and Mobile App.] The app authenticates to the SCIM server and reads its own record, devices included:

GET /me
(as authenticated user)
{
  "id": "89723-83703",
  "devices": [{
    "name": "Tesla",
    "bluetoothAddress": "000A3A58F310",
    "deviceType": "electricCar",
    "batteryLife": 58,
    ...
  },
  ...
  ]
}

The app then talks to the car directly over Bluetooth (e.g. "Start A/C"), and the car reports its status back to the SCIM server:

PATCH /Cars/89723-83703
{
  "batteryLife": 57,
  "location": {
    "lat": 30.4045541,
    "long": -97.8489572
  }
}
The Benefits
• Extended user schema to show which devices belong to
each user
• New endpoints for devices to read/write device information
- Example: /Cars, /Vacuums
• Extensible schema allows new device types to be imported
via JSON files
• Extremely light-weight SCIM clients on mobile app and
devices
- This is very important for constrained devices
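Because new device types arrive as JSON schema files and the devices themselves send the PATCHes, the server has to check every write against the schema and against who is calling. The Python below is an added example for that case, not neXus code: CAR_SCHEMA_JSON imitates such a schema file, and the "owner" attribute and the rule that a device may only modify its own record are assumptions, while the attribute names and the bare-object PATCH body come from the slide.

```python
"""Schema-driven validation of a device PATCH for the IoT case above.

Added example, not neXus code. CAR_SCHEMA_JSON imitates the JSON files the
slide says new device types are imported from; the 'owner' attribute and the
rule that a device may only modify its own record are assumptions.
"""
import json

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed schema file in the shape of an RFC 7643 section 7 Schema resource.
CAR_SCHEMA_JSON = """
{
  "id": "urn:example:params:scim:schemas:extension:iot:1.0:Car",
  "name": "Car",
  "attributes": [
    {"name": "id", "type": "string", "mutability": "readOnly", "required": true},
    {"name": "owner", "type": "string", "mutability": "immutable", "required": true},
    {"name": "name", "type": "string", "mutability": "readWrite"},
    {"name": "bluetoothAddress", "type": "string", "mutability": "immutable"},
    {"name": "deviceType", "type": "string", "mutability": "immutable"},
    {"name": "batteryLife", "type": "integer", "mutability": "readWrite"},
    {"name": "location", "type": "complex", "mutability": "readWrite",
     "subAttributes": [{"name": "lat", "type": "decimal"},
                       {"name": "long", "type": "decimal"}]}
  ]
}
"""
CAR_SCHEMA = json.loads(CAR_SCHEMA_JSON)

# bool is a subclass of int in Python, so the numeric checks exclude it explicitly.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "decimal": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
}


def _check_value(attr, value, errors, prefix=""):
    """Type-check one value, recursing into the sub-attributes of a complex one."""
    name = prefix + attr["name"]
    if attr["type"] == "complex":
        if not isinstance(value, dict):
            errors.append(f"{name}: expected an object")
            return
        subs = {s["name"]: s for s in attr.get("subAttributes", [])}
        for key, sub_value in value.items():
            if key in subs:
                _check_value(subs[key], sub_value, errors, name + ".")
            else:
                errors.append(f"{name}.{key}: unknown sub-attribute")
    elif not TYPE_CHECKS[attr["type"]](value):
        errors.append(f"{name}: expected {attr['type']}")


def apply_device_patch(schema, resource, body, caller_id):
    """Return (errors, updated). Empty errors means the PATCH is acceptable; on
    any error the original resource is returned unchanged."""
    if caller_id != resource["id"]:
        # A device credential is scoped to that device; it cannot update another car.
        return [f"caller {caller_id} may not modify {resource['id']}"], resource
    if PATCH_OP in body.get("schemas", []):
        ops = body.get("Operations", [])
    else:
        # The slide's bare-object body is treated as one pathless 'replace', which
        # RFC 7644 section 3.5.2.3 defines as "set these attributes on the resource".
        ops = [{"op": "replace", "value": body}]
    attrs = {a["name"]: a for a in schema["attributes"]}
    updated = json.loads(json.dumps(resource))  # work on a copy
    errors = []
    for op in ops:
        if op.get("op") not in ("add", "replace"):
            errors.append(f"unsupported op {op.get('op')!r}")
            continue
        path, value = op.get("path"), op.get("value")
        if path and "." in path:
            errors.append(f"{path}: sub-attribute paths are not handled here")
            continue
        if path:
            value = {path: value}
        if not isinstance(value, dict):
            errors.append("value must be an object of attributes")
            continue
        for name, new_value in value.items():
            attr = attrs.get(name)
            if attr is None:
                errors.append(f"{name}: unknown attribute")  # strict on writes
                continue
            mutability = attr.get("mutability", "readWrite")
            if mutability == "readOnly" or (mutability == "immutable" and name in updated):
                errors.append(f"{name}: attribute is {mutability}")
                continue
            _check_value(attr, new_value, errors)
            updated[name] = new_value
    return errors, (resource if errors else updated)
```

Reading tolerantly and writing strictly are different rules on purpose: a client may drop attributes it does not understand, but a server that silently discards an unknown attribute in a write hides client bugs and makes probing for hidden fields free, so this example rejects the whole PATCH instead. Constrained devices benefit too, since a rejected write comes back as one error list rather than a partially applied change.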
Where is SCIM?
Current Status
• 2.0 API, Core Schema, and Use Cases docs are complete
- Will become official RFCs in the next couple months (they were published in September 2015 as RFC 7644, RFC 7643, and RFC 7642)
• IETF working group will continue to work on SCIM
extensions
- Passwords: http://datatracker.ietf.org/doc/draft-hunt-scim-password-mgmt/
- Notify: http://datatracker.ietf.org/doc/draft-hunt-scim-notify/
- Soft Delete: http://datatracker.ietf.org/doc/draft-ansari-scim-soft-delete/
- Others TBD
Wrapping it up…
Adoption is growing…
“The SCIM interface will have parity with other APIs and will be a
first-class citizen.”
--Ian Glazer, Salesforce
“I’m also proud to say Oracle’s Amit Jasuja announced at last
year’s OpenWorld that Oracle IDM’s key REST API for
Identity will be SCIM…”
--Phil Hunt, Oracle
Adoption is growing…
“SCIM works perfectly for constrained devices.”
--Erik Wahlström, neXus
“SCIM is simple to implement.”
--Haavar Valeur, Citrix
Questions
kelly.grizzle@sailpoint.com
@kelly_grizzle
http://simplecloud.info

More Related Content

What's hot

Amazon Cognito를 활용한 모바일 인증 및 보안, 자원 접근 제어 기법 - AWS Summit Seoul 2017
Amazon Cognito를 활용한 모바일 인증 및 보안, 자원 접근 제어 기법 - AWS Summit Seoul 2017Amazon Cognito를 활용한 모바일 인증 및 보안, 자원 접근 제어 기법 - AWS Summit Seoul 2017
Amazon Cognito를 활용한 모바일 인증 및 보안, 자원 접근 제어 기법 - AWS Summit Seoul 2017
Amazon Web Services Korea
 

What's hot (20)

Behind the Scenes: Exploring the AWS Global Network (NET305) - AWS re:Invent ...
Behind the Scenes: Exploring the AWS Global Network (NET305) - AWS re:Invent ...Behind the Scenes: Exploring the AWS Global Network (NET305) - AWS re:Invent ...
Behind the Scenes: Exploring the AWS Global Network (NET305) - AWS re:Invent ...
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
Amazon Cognito를 활용한 모바일 인증 및 보안, 자원 접근 제어 기법 - AWS Summit Seoul 2017
Amazon Cognito를 활용한 모바일 인증 및 보안, 자원 접근 제어 기법 - AWS Summit Seoul 2017Amazon Cognito를 활용한 모바일 인증 및 보안, 자원 접근 제어 기법 - AWS Summit Seoul 2017
Amazon Cognito를 활용한 모바일 인증 및 보안, 자원 접근 제어 기법 - AWS Summit Seoul 2017
 
APIC/DataPower security
APIC/DataPower securityAPIC/DataPower security
APIC/DataPower security
 
How to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWS
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Apigee Edge: Intro to Microgateway
Apigee Edge: Intro to MicrogatewayApigee Edge: Intro to Microgateway
Apigee Edge: Intro to Microgateway
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
Deploying Confluent Platform for Production
Deploying Confluent Platform for ProductionDeploying Confluent Platform for Production
Deploying Confluent Platform for Production
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access Management
 
AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...
AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...
AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...
 
Serverless Architecture on AWS
Serverless Architecture on AWSServerless Architecture on AWS
Serverless Architecture on AWS
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 
Intro to Amazon ECS
Intro to Amazon ECSIntro to Amazon ECS
Intro to Amazon ECS
 
Guide to an API-first Strategy
Guide to an API-first StrategyGuide to an API-first Strategy
Guide to an API-first Strategy
 
Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM Protecting Your Data With AWS KMS and AWS CloudHSM
Protecting Your Data With AWS KMS and AWS CloudHSM
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
 

Similar to SCIM in the Real World: Adoption is Growing

Similar to SCIM in the Real World: Adoption is Growing (20)

Identity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationIdentity and Access Lifecycle Automation
Identity and Access Lifecycle Automation
 
Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0Master IAM in the Cloud with SCIM v2.0
Master IAM in the Cloud with SCIM v2.0
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business Case
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think
CIS14: SCIM: Why It’s More Important, and More Simple, Than You ThinkCIS14: SCIM: Why It’s More Important, and More Simple, Than You Think
CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think
 
Why the Microsoft 365 Administrator should care about the Power Platform Gove...
Why the Microsoft 365 Administrator should care about the Power Platform Gove...Why the Microsoft 365 Administrator should care about the Power Platform Gove...
Why the Microsoft 365 Administrator should care about the Power Platform Gove...
 
Proven Practices for Office 365 Deployment, Security and Management
Proven Practices for Office 365 Deployment, Security and ManagementProven Practices for Office 365 Deployment, Security and Management
Proven Practices for Office 365 Deployment, Security and Management
 
Identity as a Managed Cloud Service
Identity as a Managed Cloud ServiceIdentity as a Managed Cloud Service
Identity as a Managed Cloud Service
 
Webinar: Ten Ways to Enhance Your Salesforce.com Application in 2013
Webinar: Ten Ways to Enhance Your Salesforce.com Application in 2013Webinar: Ten Ways to Enhance Your Salesforce.com Application in 2013
Webinar: Ten Ways to Enhance Your Salesforce.com Application in 2013
 
Which One Works You The Best: In-House or Cloud-Based Development Environment
Which One Works You The Best: In-House or Cloud-Based Development EnvironmentWhich One Works You The Best: In-House or Cloud-Based Development Environment
Which One Works You The Best: In-House or Cloud-Based Development Environment
 
Enterprise Security: Tableau vs. Power BI
Enterprise Security: Tableau vs. Power BIEnterprise Security: Tableau vs. Power BI
Enterprise Security: Tableau vs. Power BI
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and Technology
 
A Study in Borderless Over Perimeter
A Study in Borderless Over PerimeterA Study in Borderless Over Perimeter
A Study in Borderless Over Perimeter
 
MuleSoft Meetup Charlotte 2019
MuleSoft Meetup Charlotte  2019MuleSoft Meetup Charlotte  2019
MuleSoft Meetup Charlotte 2019
 
IBM Security Identity & Access Manager
IBM Security Identity & Access ManagerIBM Security Identity & Access Manager
IBM Security Identity & Access Manager
 
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
 
Manage Content In-Place, Migrate as Needed for Records and Retention
 Manage Content In-Place, Migrate as Needed for Records and Retention Manage Content In-Place, Migrate as Needed for Records and Retention
Manage Content In-Place, Migrate as Needed for Records and Retention
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower Costs
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 

Recently uploaded

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 

Recently uploaded (20)

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...How to Choose the Right Laravel Development Partner in New York City_compress...
How to Choose the Right Laravel Development Partner in New York City_compress...
 

SCIM in the Real World: Adoption is Growing

  • 1. SCIM in the Real World Kelly Grizzle Software Architect – SailPoint
  • 2. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.2 Overview • What is SCIM? • Trends in SCIM Usage • Who are you and what’s your problem? - Identity Gurus - Service Providers • Case Studies • Where is SCIM today and where is it going?
  • 3. What is SCIM? System for Cross-Domain Identity Management
  • 4. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.4 Identity Management + REST =
  • 5. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.5 Identity Management + REST = SCIM • REST is just architectural pattern - SCIM defines an identity management profile for it • SCIM provides… - Standard definitions for User and Group - Standard operations • Create, Read, Update, Delete, Search, Partial Update, Bulk - Extensibility • Add more attributes to existing object types or define new object types
  • 6. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.6 Example – Retrieve User Request GET /Users/2819c223-7f76-453a-919d-413861904646 Host: example.com Accept: application/scim+json Authorization: Bearer h480djs93hd8
  • 7. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.7 Example – Retrieve User Response HTTP/1.1 200 OK Content-Type: application/scim+json Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646 { "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "2819c223-7f76-453a-919d-413861904646", "name": { "formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara“ }, "meta": { "resourceType": "User", "created": "2011-08-01T18:29:49.793Z", ... } } Self-describing payload Single-valued attribute Complex attribute Many data types
  • 8. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.8 CRUD Operations POST /Users PUT /Users/2819c223-7f76-453a-919d-413861904646 PATCH /Users/2819c223-7f76-453a-919d-413861904646 DELETE /Users/2819c223-7f76-453a-919d-413861904646 GET /Users?startIndex=10&count=5&filter=userName sw “J” GET /Users/2819c223-7f76-453a-919d-413861904646
  • 9. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.9 Server Configuration Operations GET /ResourceTypes - Return the types of resources that are supported - Endpoint URL, schema, etc… GET /Schemas/ - Return the schema definitions - Attributes names and types, etc… GET /ServiceProviderConfigs - Return info about what is supported by the server - Authn methods, optional features, etc…
  • 11. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.11 Trends • Enterprises are using SCIM Gateways to communicate between internal systems • Service providers use SCIM for directory access - Store extended information, but often not visible externally • IAM and IDaaS vendors provide SCIM Servers to expose identity information and use SCIM Clients to read/write external systems • Common threads in custom password extensions • SCIM is seen as the identity management API
  • 14. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.14 99 problems and identity is #1
  • 15. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.15 Problem!!! Bob needs a new account SCIM Solution: Provision
  • 16. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.16 Problem!!! Bob can’t login! SCIM Solution: Password reset * Alternate Solution: Single sign-on … but this isn’t a SAML / OIDC workshop.
  • 17. Copyright © SailPoint Technologies, Inc. 2015 All rights reserved.17 Problem!!! Bob can’t read the financials SCIM Solution: Add him to a group or give him some entitlements
18. Problem!!! I need to know Bob's access
SCIM Solution: Read User and Group data
19. Problem!!! Bob has been a bad boy
SCIM Solution: Deprovision
20. Problem!! Apps team needs to r/w identity
SCIM Solution: Standard but extensible API
22. The Setup
• Started considering options between a failed Oracle Identity Manager project and "the next thing"
• Needed a façade
- Prevent IAM vendor lock-in
- Needed co-existence between old and new IAM systems
• Extensibility was crucial!
• "We wanted a 20 year solution." –IAM Guru
23. The Solution
Create a SCIM gateway to serve as a central identity hub
[Diagram: SCIM Gateway Cluster in the centre, connected to Legacy Apps, IAM System, SSO and Directory Server]
24. The Interesting Parts
• Extended user schema to hold custom information
• Extended endpoints to support many additional features
- Email verification
• POST /EmailVerificationTokens to create a token
• POST /EmailVerification to verify email using token
- Password reset
• POST /PasswordResetTokens to create a token
• POST /PasswordChanges to change password using token
- Security token management for SSO
• POST /SecurityTokens to create authenticated session token
• DELETE /SecurityTokens to invalidate
25. More Interesting Parts
• More extended endpoints…
- Notifications (email or SMS)
• POST /Notifications to send a notification with user information merged in (welcome email, forgot login ID, etc.)
- Role management
• PATCH /Roles to change membership for a role
26. The Benefits
• Ability to add new information and features without breaking existing clients
- If there is anything in JSON that you don't recognize, throw it away
"SCIM has been critical and program-saving. It is exactly what we needed at exactly the right time, and fills a crucial role in our environment." --IAM Guru
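"Throw away what you don't recognize" is what keeps older clients working when the gateway adds attributes or extension schemas. The Python below is an added illustration, not code from the talk or the gateway: a hypothetical client keeps only the attributes it understands (and only when they have the expected JSON type), drops the rest, and reports what it dropped so a new server version is noticed rather than silently ignored. The known-attribute tables and the sample response are constructed; the enterprise extension URN is the one from the SCIM schema spec.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# What this (hypothetical) client understands: attribute name -> expected JSON type.
KNOWN_CORE = {"id": str, "userName": str, "active": bool, "name": dict, "emails": list}
KNOWN_EXTENSIONS = {ENTERPRISE: {"department": str, "employeeNumber": str}}

def project_user(doc):
    """Keep the attributes this client understands and drop everything else.

    Returns (user, dropped). `dropped` names what was ignored so it can be logged
    when the server starts sending something new, instead of silently vanishing.
    """
    if CORE_USER not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    user, dropped = {}, []
    for key, value in doc.items():
        if key == "schemas":
            continue
        if key in KNOWN_EXTENSIONS and isinstance(value, dict):
            ext = {}
            for sub, subval in value.items():
                expected = KNOWN_EXTENSIONS[key].get(sub)
                if expected is not None and isinstance(subval, expected):
                    ext[sub] = subval
                else:
                    dropped.append(key + ":" + sub)
            user[key] = ext
        elif key in KNOWN_CORE and isinstance(value, KNOWN_CORE[key]):
            user[key] = value
        else:
            dropped.append(key)   # unknown attribute, unknown extension, or wrong JSON type
    return user, dropped

# Constructed response (not from the talk): the gateway has added a new core-level
# attribute, a custom extension and an extra enterprise sub-attribute since this
# client was written; none of them should break it.
SAMPLE = json.loads('''{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
              "urn:example:schemas:extension:gateway:1.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "userName": "bjensen",
  "active": true,
  "emailVerified": true,
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":
      {"department": "Finance", "costCenter": "4130"},
  "urn:example:schemas:extension:gateway:1.0:User": {"riskScore": 12}
}''')
```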
28. The Setup
• Need to support identity on a large portfolio of applications
- Not all application teams are resourced equally
• Wanted an abstraction of provisioning from specific implementations
- Allow for seamless upgrades of IAM system
- Ease cost of implementation for smaller applications
29. The Solution
Create a SCIM gateway to serve as a central identity hub
[Diagram: SCIM SOA Gateway in the centre, connected to On-prem Apps, IAM System, Cloud Apps and Directory Server]
30. The Benefits
• SCIM gives agility in adopting new versions of the IAM system
• SCIM isolates the IAM system if a SaaS vendor changes their identity model
- Connector continues to work with an updated schema
- Important for SaaS vendors that can update at any time
• If an application vendor is small it's not worth it to write a custom connector
- Small vendors are very willing to implement SCIM as their standard identity API
33. 99 problems and identity is #1
34. Problem!!! I need to expose a directory!!
SCIM Solution: Read and write with SCIM
35. Problem!!! I need an API between my own products!
SCIM Solution: Everything identity is SCIM
36. Problem!! My mobile app needs identities!
SCIM Solution: Light-weight REST API
37. Problem!!! I need to get identities from my customer's directory into my cloud app!
SCIM Solution: To the cloud with SCIM!
39. The Setup
• Needed a consistent identity API that can be used:
- By partners
- By customers
- Internally between products
- To communicate with IdPs and other SaaS vendors
40. The Solution
[Diagram: SCIM Identity Service in the centre, with read/write access from Directory Clients, Internal Systems, Partners & IdPs, an Identity Sync Client and a Mobile App]
41. The Interesting Parts
• Additional endpoints
- /Devices
- /Tenants
• Only available internally
• Password policy is configured on tenant
• Core schemas have been extended
- Positive extensions: new attributes (mainly internal info)
- Negative extensions: attributes in the SCIM spec that aren't supported
• Legacy APIs forward requests on to SCIM
42. The Benefits
• Single API for everything identity
• Mobile application has a light-weight API to use
• SCIM clients are easy to write
- Have seen no need to write a toolkit
44. The Setup
• Needed a consistent identity API that can be used:
- By customers
- Internally between products
- To communicate with IdPs
45. The Solution
[Diagram: SCIM Identity Service in the centre, connected to Custom Clients, Internal Systems, IdPs and an AD Sync Client]
46. The Interesting Parts
• Exploring an "organizational unit" extension to facilitate multi-tenancy in the API
• Exploring a pub/sub SCIM model
- Client subscribes to be notified of changes
- SCIM server sends out notifications
47. The Benefits
• Single API for everything identity
• No need to provide documentation
- Just point developers at the spec
• Easy to implement
49. PaaS – CloudFoundry
• CloudFoundry is an open platform-as-a-service (PaaS)
• Identity APIs leverage standards
- SCIM, OAuth2, and OpenID Connect
• Benefits
- Use existing open API rather than reinventing the wheel
- Use SCIM extensions for some non-identity APIs
50. IDaaS and IAM Vendors
• IDaaS and IAM vendors need to:
- Allow external access to their identity store
- Provision/read identities and groups to/from other applications
• SCIM server provides external access
• SCIM client provides provisioning to other applications
• Benefits
- Standardized API makes external integration easy
- Applications that support SCIM can be integrated immediately
• No custom connector is required
• No product upgrade required to support new apps
SailPoint, Salesforce, Ping, VMWare, neXus, Oracle, UnboundID
51. Higher Education – Federations that need attribute exchange
• Higher education is largely focused on federation
- Need to propagate minimum amount of identity data
- Authorization data (group memberships) are very important
- Federation attribute payload works well for Just In Time (JIT) provisioning
- SCIM enables more robust record propagation when JIT is not good enough
• For example, email account provisioning often must occur before first login
52. Higher Education – VOOT and Grouper
• VOOT is an identity/group protocol built on top of SCIM
- Adds more features around group membership
• Grouper is a user/group management tool developed by Internet2
- SCIM integration allows writing to down-stream endpoints
http://openvoot.org/
https://spaces.internet2.edu/display/Grouper/Grouper+SCIM+Integration
54. The Setup
• IoT provider needed:
- A registry of devices associated with a user
- Information about the device (Bluetooth address, etc.)
- A mobile app that can
• Authenticate
• Retrieve user information (including devices)
• Communicate with devices
- Devices that can send status updates
55. The Solution
[Diagram: Mobile App, SCIM Server, Bluetooth link, "Start A/C"]
GET /me (as authenticated user)
{
  "id": "89723-83703",
  "devices": [{
    "name": "Tesla",
    "bluetoothAddress": "000A3A58F310",
    "deviceType": "electricCar",
    "batteryLife": 58,
    …
  }, …
}
PATCH /Cars/89723-83703
{
  "batteryLife": 57,
  "location": { "lat": 30.4045541, "long": -97.8489572 }
}
56. The Benefits
• Extended user schema to show which devices belong to each user
• New endpoints for devices to read/write device information
- Example: /Cars, /Vacuums
• Extensible schema allows new device types to be imported via JSON files
• Extremely light-weight SCIM clients on mobile app and devices
- This is very important for constrained devices
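The status update on the previous slide is sketched as a bare attribute map; a SCIM 2.0 PATCH actually carries a PatchOp envelope with a list of operations. The Python below is an added example, not the IoT provider's code: a server-side handler that applies such a PatchOp to a /Cars resource, and, as an assumed policy not stated in the talk, lets an authenticated device write only its own record and only a whitelisted set of attributes. The resource schema URN, the `DEVICE_WRITABLE` policy and the `ScimError` type are constructed; the scimType values are the ones SCIM defines.

```python
import copy

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Constructed policy (not from the talk): attributes a device may write on its own record.
DEVICE_WRITABLE = {"batteryLife", "location"}

class ScimError(Exception):
    """Carries the HTTP status and SCIM scimType the server would return."""
    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status, self.scim_type = status, scim_type

def _walk(obj, path):
    """Return (parent dict, last key) for a dotted path such as 'location.lat'."""
    parts = path.split(".")
    for p in parts[:-1]:
        obj = obj.setdefault(p, {})
        if not isinstance(obj, dict):           # e.g. 'batteryLife.x' on a number
            raise ScimError(400, "invalidPath", "not a complex attribute: %s" % p)
    return obj, parts[-1]

def apply_device_patch(resource, body, caller_device_id):
    """Apply a SCIM 2.0 PatchOp sent by an authenticated device to its own resource."""
    if resource.get("id") != caller_device_id:   # a device may only update itself
        raise ScimError(403, None, "device may only update its own resource")
    if PATCH_OP not in body.get("schemas", []) or not isinstance(body.get("Operations"), list):
        raise ScimError(400, "invalidSyntax", "not a PatchOp message")
    updated = copy.deepcopy(resource)            # never mutate the stored copy mid-way
    for op in body["Operations"]:
        kind, path = str(op.get("op", "")).lower(), op.get("path")
        if kind not in ("add", "replace", "remove") or not isinstance(path, str) or not path:
            raise ScimError(400, "invalidSyntax", "unsupported operation: %r" % (op,))
        if path.split(".")[0] not in DEVICE_WRITABLE:   # also covers read-only attrs such as id
            raise ScimError(403, None, "attribute %r is not writable by devices" % path)
        parent, key = _walk(updated, path)
        if kind == "remove":
            parent.pop(key, None)
        elif "value" in op:
            parent[key] = op["value"]            # simplified: add and replace both set the value
        else:
            raise ScimError(400, "invalidValue", "missing value for %s" % path)
    return updated

# Constructed sample: id and values from the slide, wrapped in the PatchOp envelope.
CAR = {"schemas": ["urn:example:schemas:Car"], "id": "89723-83703",
       "deviceType": "electricCar", "batteryLife": 58}
STATUS_UPDATE = {
    "schemas": [PATCH_OP],
    "Operations": [
        {"op": "replace", "path": "batteryLife", "value": 57},
        {"op": "add", "path": "location", "value": {"lat": 30.4045541, "long": -97.8489572}},
    ],
}
```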
58. Current Status
• 2.0 API, Core Schema, and Use Cases docs are complete
- Will become official RFCs in the next couple of months
• IETF working group will continue to work on SCIM extensions
- Passwords: http://datatracker.ietf.org/doc/draft-hunt-scim-password-mgmt/
- Notify: http://datatracker.ietf.org/doc/draft-hunt-scim-notify/
- Soft Delete: http://datatracker.ietf.org/doc/draft-ansari-scim-soft-delete/
- Others TBD
61. Adoption is growing…
"The SCIM interface will have parity with other APIs and will be a first-class citizen." --Ian Glazer, Salesforce
"I'm also proud to say Oracle's Amit Jasuja announced at last year's OpenWorld that Oracle IDM's key REST API for Identity will be SCIM…" --Phil Hunt, Oracle
62. Adoption is growing…
"SCIM works perfectly for constrained devices." --Erik Wahlström, neXus
"SCIM is simple to implement." --Haavar Valeur, Citrix
63. Questions
kelly.grizzle@sailpoint.com
@kelly_grizzle
http://simplecloud.info