Scim overview
Morteza Ansari
June 23, 2014
© 2014 Cisco and/or its affiliates. All rights reserved.
• History
• Use Cases
• Schema
• Protocol
• References
• Started 2010
• Really started May 2011
• 12 companies participated under OWF: ADP, BCP Soft, Canarie, Cisco, Courion, Id Machines, Ping Identity, Nexux, Sailpoint, SalesForce, UnboundID, WSO2
• 1.0 was published Dec. 2011
• 12 independent implementations
• Frequent interop events at IIW, CIS, and one at IETF
• IETF BOF Mar. 2012
• IETF WG Jul. 2012
• How do I provision a user account for service X?
• How do I de-provision a user account from service X?
• How do I update an existing account for service X?
• How do I keep my organization’s users in sync with service X?
• How do I manage groups?
• How do I cross-provision across cloud services?
• User/Group provisioning from Enterprise to Cloud
• User/Group provisioning from cloud service to cloud service
• Used in many more cases today:
Enterprise provisioning/cross provisioning
Identity access
Many new endpoints: machines, contacts, tenants, devices, …
dn: cn=HomerJSimpson,o=domain-name
cn: HomerJSimpson
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: HJSimpson@burnsco.com
givenname: Homer
sn: Simpson
postalAddress: 742 Evergreen Terrace
l: Springfield
st: Kentsouri
postalCode: 01234
telephoneNumber: (888) 555-1111
jpegPhoto: http://www.simpsons.com/homer.jpg
…
Homer J. Simpson
Springfield Nuclear Plant
Safety Inspector
(888) 555-1111 Work
(123) 666-1111 Home
HJSimpson@burnsco.com
742 Evergreen Terrace
Springfield, Kentsouri 01234
http://www.simpsons.com
• OASIS Standard (1.0 – 2003; 2.0 – 2006)
• No core Schema
• Complex – real or perceived
• Some traction within enterprises, none for cloud services
• Limited support - few tools/products
“Built it, nobody came!”
• Set of pre-defined schema – Users & Groups
• RESTful API definition
• CRUD
• Bulk operations
• Search
• Discovery
• Extension semantics (basic in 1.x)
• Support for complex data models
• SIMPLE!!!
• Rich information model
• XML & JSON data models
• Concrete artifacts: Users & Groups
• Usage semantics: MTI & recommended
• Extensibility: Enterprise User
• Resource is an attribute container
• An attribute is Simple or Complex, Single-valued or Plural
• Extensible
• Data type added in 2.0
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "701984",
  "userName": "bjensen@example.com",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara",
    "middleName": "Jane",
    "honorificPrefix": "Ms.",
    "honorificSuffix": "III"
  },
  "displayName": "Babs Jensen",
  "nickName": "Babs",
  "profileUrl": "https://login.example.com/bjensen",
  "emails": [
    {
      "value": "bjensen@example.com",
      "type": "work",
      "primary": true
    },
    {
      "value": "babs@jensen.org",
      "type": "home"
    }
  ],
  "meta": {
    "created": "2010-01-23T04:56:22Z",
    "lastModified": "2011-05-13T04:42:34Z",
    "version": "W/\"a330bc54f0671c9\"",
    "location": "https://example.com/v1/Users/2819c223-7f76"
  }
}
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v1/Users/2819c223...",
    "version": "W/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    {
      "value": "555-555-8377",
      "type": "work"
    }
  ]
}
Callouts: Required; Complex; Simple; Complex multi-valued
{
  "schemas": ["urn:scim:schemas:core:1.0",
              "urn:scim:schemas:extension:enterprise:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "userName": "bjensen",
  "urn:scim:schemas:extension:enterprise:1.0": {
    "employeeNumber": "701984",
    "costCenter": "4130",
    "organization": "Universal Studios",
    "division": "Theme Park",
    "department": "Tour Operations",
    "manager": {
      "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
      "displayName": "John Smith"
    }
  }
}
Callouts: Declaration (the extension URN listed in "schemas"); Use (the extension URN as an attribute key)
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "displayName": "Tour Guides",
  "members": [
    {
      "value": "2819c223-7f76-453a-919d-413861904646",
      "displayName": "Babs Jensen",
      "type": "User"
    },
    {
      "value": "4769c303-ab76-673a-769d-413867987436",
      "displayName": "Mandy Pepperidge",
      "type": "User"
    }
  ]
}
Callouts: Type (User|Group); Optional & Read-only
• HTTP/REST
• CRUD
• Bulk
• Search
• Discovery
• Simple MTI, Complex optional
• Extensible
• Versioned
• “cURL” friendly
• Discovery
• Create = POST https://example.com/{v}/{resource}
• Read = GET https://example.com/{v}/{resource}/{id}
• Update (replace) = PUT https://example.com/{v}/{resource}/{id}
• Delete = DELETE https://example.com/{v}/{resource}/{id}
• Update (partial) = PATCH https://example.com/{v}/{resource}/{id}
• Search = GET https://example.com/{v}/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending|descending}
• Bulk
• GET /Schemas: introspect resources and attribute extensions
• GET /ServiceProviderConfigs: spec compliance; support for bulk, patch, etc.; authentication schemes (OAuth, HTTP basic, etc.); data formats (XML support)
POST /v1/Users HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "externalId": "bjensen",
  "userName": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  }
}
Callouts: Operation; Resource Type; Format; AuthZ; “User” payload
HTTP/1.1 201 Created
Content-Type: application/json
Location: https://example.com/v1/Users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v1/Users/281...",
    "version": "W/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen"
}
Callouts: Result code; Format; “Permalink”; SP generated ID
GET /v1/Users/2819c223-7f76-453a-919d-413861904646.json
Host: example.com
Authorization: Bearer h480djs93hd8
Callouts: Operation; Resource Type; Stable ID; Format
HTTP/1.1 200 OK
Content-Type: application/json
Location: https://example.com/v1/Users/281...
ETag: W/"e180ee84f0671b1"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "created": "2011-08-01T21:32:44.882Z",
    "lastModified": "2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v1/Users/281...",
    "version": "W/\"e180ee84f0671b1\""
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen"
}
Callouts: Result code; Format; “Permalink”; SP ID
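The create, read, replace and delete exchanges shown above, driven end to end as an added example that is not code from the deck or from any SCIM product: a tiny in-memory service provider for /Users written as pure Python functions, so the request/response pairs can be exercised without a network. The base URL, the accepted bearer token (the one the slides use, treated here as a constructed value), the weak-ETag scheme and the If-Match handling are assumptions. It checks the bearer token, assigns the stable server-side id, fills in meta and the ETag, never echoes a password, and refuses a PUT whose If-Match no longer matches the stored version.

```python
"""Minimal SCIM 1.x-style service provider for Users (added example).
Pure functions: handle() takes an already-parsed JSON payload and returns
(status, response headers, response body as a dict)."""
import copy
import hashlib
import json
import uuid
from datetime import datetime, timezone

CORE = "urn:scim:schemas:core:1.0"
BASE_URL = "https://example.com/v1"        # assumed base URL
VALID_TOKENS = {"h480djs93hd8"}            # constructed: the token shown on the slides
store = {}                                  # id -> server-side User record


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _public(user):
    """Client-facing representation: password is write-only and never returned."""
    out = copy.deepcopy(user)
    out.pop("password", None)
    return out


def _version(user):
    """Weak ETag over the public attributes (meta excluded), reused as meta.version."""
    canon = json.dumps({k: v for k, v in _public(user).items() if k != "meta"}, sort_keys=True)
    return 'W/"%s"' % hashlib.sha256(canon.encode()).hexdigest()[:15]


def _error(status, detail):
    body = {"Errors": [{"description": detail, "code": str(status)}]}
    return status, {"Content-Type": "application/json"}, body


def _ok(status, user):
    headers = {"Content-Type": "application/json",
               "Location": user["meta"]["location"], "ETag": user["meta"]["version"]}
    return status, headers, _public(user)


def handle(method, path, headers, payload=None):
    """Dispatch one request against the in-memory store."""
    auth = headers.get("Authorization", "")
    if not (auth.startswith("Bearer ") and auth[7:] in VALID_TOKENS):
        return _error(401, "missing or invalid bearer token")
    parts = path.strip("/").split("/")
    if parts[0] != "Users" or len(parts) > 2:
        return _error(404, "unknown resource")

    if method == "POST" and len(parts) == 1:
        if CORE not in (payload or {}).get("schemas", []) or not payload.get("userName"):
            return _error(400, "schemas must declare core and userName is required")
        rid = str(uuid.uuid4())                # service-provider generated, stable id
        user = dict(payload, id=rid)
        user.pop("password", None)             # credential storage is out of scope here
        ts = _now()
        user["meta"] = {"created": ts, "lastModified": ts,
                        "location": "%s/Users/%s" % (BASE_URL, rid)}
        user["meta"]["version"] = _version(user)
        store[rid] = user
        return _ok(201, user)

    if len(parts) != 2 or parts[1] not in store:
        return _error(404, "resource not found")
    rid, user = parts[1], store[parts[1]]

    if method == "GET":
        return _ok(200, user)
    if method == "DELETE":
        del store[rid]
        return 200, {}, None
    if method == "PUT":
        # Optimistic concurrency: a stale If-Match must not overwrite a newer version
        if "If-Match" in headers and headers["If-Match"] != user["meta"]["version"]:
            return _error(412, "resource version mismatch")
        if not (payload or {}).get("userName"):
            return _error(400, "userName is required")
        replaced = dict(payload, id=rid)       # id is server-assigned, never client-set
        replaced.pop("password", None)
        replaced["meta"] = dict(user["meta"], lastModified=_now())
        replaced["meta"]["version"] = _version(replaced)
        store[rid] = replaced
        return _ok(200, replaced)
    return _error(405, "method not supported on this resource")
```

The 412 path is the part worth copying: a client that provisions from a directory and replays an old representation with PUT will otherwise silently undo a change made through another channel.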
GET /v1/Users?filter=title pr and userType eq "Employee"
&sortBy=title
&sortOrder=ascending
&attributes=title,username
&startIndex=11
&count=10
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8
Callouts: Operation; Resource Type; URL-encoded filter; Sorting; Partial results; Index-based pagination
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "totalResults": 2,
  "Resources": [
    {
      "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
      "title": "Assistant VP",
      "userName": "bjensen"
    },
    {
      "id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57",
      "title": "VP",
      "userName": "jsmith"
    }
  ]
}
Callouts: Pagination; Users; SP ID ever present
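The search request and ListResponse above, implemented as an added example that is not code from the deck: a service-provider-side evaluator for the part of the filter grammar the slide uses (attr pr, attr eq "value", plus co and sw, joined by and/or with and binding tighter), sortBy/sortOrder, the attributes projection and startIndex/count paging. Attribute names are matched case-insensitively, which is why the slide's attributes=title,username still selects userName. The user records are constructed sample data; the grammar subset and the ListResponse fields beyond totalResults and Resources are assumptions.

```python
"""SCIM 1.x-style search over an in-memory list of Users (added example)."""
import shlex

CORE = "urn:scim:schemas:core:1.0"

USERS = [  # constructed sample data
    {"id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97", "userName": "bjensen",
     "title": "Assistant VP", "userType": "Employee"},
    {"id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57", "userName": "jsmith",
     "title": "VP", "userType": "Employee"},
    {"id": "f0e1d2c3-0000-4000-8000-000000000001", "userName": "mpepperidge",
     "title": "Tour Guide", "userType": "Contractor"},
    {"id": "f0e1d2c3-0000-4000-8000-000000000002", "userName": "hsimpson",
     "userType": "Employee"},              # no title, so 'title pr' excludes it
]

_OPS = {  # comparison operators on string attributes
    "eq": lambda a, v: isinstance(a, str) and a == v,
    "co": lambda a, v: isinstance(a, str) and v in a,
    "sw": lambda a, v: isinstance(a, str) and a.startswith(v),
}


def _get(record, attr):
    """Case-insensitive lookup: SCIM attribute names are case-insensitive."""
    for key, value in record.items():
        if key.lower() == attr.lower():
            return value
    return None


def parse_filter(expr):
    """Turn a filter string into a predicate; shlex keeps quoted values whole."""
    tokens = shlex.split(expr)
    pos = 0

    def term():
        nonlocal pos
        if pos + 1 >= len(tokens):
            raise ValueError("incomplete filter term")
        attr, op = tokens[pos], tokens[pos + 1].lower()
        if op == "pr":                          # presence test takes no value
            pos += 2
            return lambda r: _get(r, attr) is not None
        if op not in _OPS or pos + 2 >= len(tokens):
            raise ValueError("unsupported or incomplete operator: " + op)
        value = tokens[pos + 2]
        pos += 3
        return lambda r: _OPS[op](_get(r, attr), value)

    def conjunction():                          # term (and term)*
        nonlocal pos
        preds = [term()]
        while pos < len(tokens) and tokens[pos].lower() == "and":
            pos += 1
            preds.append(term())
        return lambda r: all(p(r) for p in preds)

    def disjunction():                          # conjunction (or conjunction)*
        nonlocal pos
        preds = [conjunction()]
        while pos < len(tokens) and tokens[pos].lower() == "or":
            pos += 1
            preds.append(conjunction())
        return lambda r: any(p(r) for p in preds)

    pred = disjunction()
    if pos != len(tokens):
        raise ValueError("unexpected token: " + tokens[pos])
    return pred


def search(users, filter_expr=None, sort_by=None, sort_order="ascending",
           attributes=None, start_index=1, count=None):
    """Return a ListResponse-shaped dict for the query."""
    pred = parse_filter(filter_expr) if filter_expr else (lambda u: True)
    hits = [u for u in users if pred(u)]
    if sort_by:                                 # missing values sort last
        hits.sort(key=lambda u: (_get(u, sort_by) is None, str(_get(u, sort_by) or "")),
                  reverse=(sort_order == "descending"))
    start = max(start_index, 1) - 1             # startIndex is 1-based
    page = hits[start:start + count] if count else hits[start:]
    if attributes:                              # partial results; id is always returned
        wanted = {a.lower() for a in attributes} | {"id"}
        page = [{k: v for k, v in u.items() if k.lower() in wanted} for u in page]
    return {"schemas": [CORE], "totalResults": len(hits), "itemsPerPage": len(page),
            "startIndex": start + 1, "Resources": page}
```

Because the filter is parsed into tokens and compared in Python rather than spliced into a query string, a value such as "Employee" or anything a client puts in quotes can only ever be compared, never interpreted.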
• PATCH
Allows partial updates to resources
May be important when modifying a large multi-valued attribute on a resource (e.g. group members)
• Bulk
Allows performing many operations at once
Useful for synchronizing data into a service provider
• Both are optional
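The group-members case just mentioned, worked as an added example (not code from the deck): applying a PATCH document to a Group so that one member is removed and one added without sending the whole list. The merge rules follow the SCIM 1.1 draft as I read it and are an assumption here: entries of a multi-valued attribute are added unless they carry "operation": "delete", singular attributes are replaced, and attribute names listed in meta.attributes are removed. The group and patch documents are constructed from the deck's "Tour Guides" example.

```python
"""Applying a SCIM 1.1-style PATCH to a Group (added example)."""
import copy
import json

GROUP = {  # constructed: the 'Tour Guides' group from the deck
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "displayName": "Tour Guides",
    "members": [
        {"value": "2819c223-7f76-453a-919d-413861904646", "display": "Babs Jensen"},
        {"value": "4769c303-ab76-673a-769d-413867987436", "display": "Mandy Pepperidge"},
    ],
}

PATCH = {  # constructed: drop Mandy, add one member, rename the group
    "schemas": ["urn:scim:schemas:core:1.0"],
    "displayName": "Tour Guides (Summer)",
    "members": [
        {"value": "4769c303-ab76-673a-769d-413867987436", "operation": "delete"},
        {"value": "9a1e7c55-0000-4000-8000-000000000003", "display": "Homer Simpson"},
    ],
}


def apply_patch(resource, patch):
    """Return a new resource with the patch merged in; the input is left untouched."""
    result = copy.deepcopy(resource)
    for name in patch.get("meta", {}).get("attributes", []):
        result.pop(name, None)                      # explicit attribute removal
    for key, value in patch.items():
        if key in ("schemas", "meta", "id"):
            continue                                # never set by the client
        if isinstance(value, list):                 # multi-valued: per-entry add/delete
            current = result.setdefault(key, [])
            for item in value:
                target = item.get("value")
                current[:] = [c for c in current if c.get("value") != target]
                if item.get("operation") != "delete":
                    current.append({k: v for k, v in item.items() if k != "operation"})
        else:
            result[key] = value                     # singular: replace
    return result


def member_ids(resource):
    return sorted(m["value"] for m in resource.get("members", []))


def payload_bytes(doc):
    """Wire size, to compare a PATCH delta with a full PUT of the same group."""
    return len(json.dumps(doc).encode())
```

With a group of thousands of members the PATCH body stays the size of the delta, while a PUT would have to carry (and the provider would have to re-validate) the entire list on every change.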
• TLS is mandatory to implement (MTI)
• Standard HTTP considerations apply
• Authentication is discoverable; OAuth bearer token recommended
• HTTP basic is commonly implemented for interoperability
• Authorization attributes are *VERY* loosely defined: roles, groups, and entitlements
{
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "userName": "bjensen",
  "password": "maybe_plaintext",
  "roles": [
    {
      "value": "RA"
    }
  ],
  "groups": [
    {
      "value": "2819c223-7f76-453a-919d-982763095",
      "display": "Student"
    }
  ],
  "entitlements": [
    {
      "value": "delete users"
    }
  ]
}
Callouts: Password; AuthZ (roles, groups, entitlements)
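Intake checks a service provider would run on the payload above, as an added example that is not code from the deck. It covers two points the slides make: an extension namespace used as an attribute key must also be declared in "schemas" (the declaration-versus-use callout on the Enterprise User slide), and "password" is write-only, so it is hashed on the way in and absent from every representation sent back. Because the authorization attributes are loosely defined, the block also validates roles against an allow-list that is entirely an assumption, and drops client-supplied groups, since group membership on a User is read-only and derived from Group resources. The PBKDF2 parameters are assumptions and the sample payload is constructed from the deck.

```python
"""Intake validation for a SCIM User payload (added example)."""
import hashlib
import hmac
import os

CORE = "urn:scim:schemas:core:1.0"
KNOWN_ROLES = {"RA", "TA", "Instructor"}     # assumed: role values are provider-defined
PBKDF2_ROUNDS = 200_000                       # assumed cost parameter


def schema_problems(user):
    """Every extension namespace used as a top-level key must be declared in 'schemas'."""
    declared = set(user.get("schemas", []))
    problems = [] if CORE in declared else ["core schema not declared"]
    for key in user:
        if key.startswith("urn:") and key not in declared:
            problems.append("extension used but not declared: " + key)
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; the stored string carries its own parameters."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2-sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare


def admit_user(payload):
    """Validate an inbound User and return the record the provider should persist."""
    problems = schema_problems(payload)
    unknown = [r.get("value") for r in payload.get("roles", [])
               if r.get("value") not in KNOWN_ROLES]
    if unknown:
        problems.append("unknown roles: %s" % ", ".join(map(str, unknown)))
    if problems:
        raise ValueError("; ".join(problems))
    # 'groups' is read-only on User: membership comes from Group resources, not the client
    record = {k: v for k, v in payload.items() if k not in ("password", "groups")}
    if "password" in payload:
        record["passwordHash"] = hash_password(payload["password"])
    return record


def to_representation(record):
    """Outbound view: the credential never leaves the provider in any form."""
    return {k: v for k, v in record.items() if k != "passwordHash"}


SAMPLE = {  # constructed from the deck's example User
    "schemas": [CORE],
    "externalId": "bjensen",
    "userName": "bjensen",
    "password": "maybe_plaintext",
    "roles": [{"value": "RA"}],
    "groups": [{"value": "2819c223-7f76-453a-919d-982763095", "display": "Student"}],
    "entitlements": [{"value": "delete users"}],
}
```

Entitlements such as "delete users" pass through untouched here on purpose: the deck's point is that SCIM carries them but does not define them, so what they grant is the provider's policy decision, not something the protocol layer can check.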
• http://www.simplecloud.info
• SCIMv1.1
http://www.simplecloud.info/specs/draft-scim-core-schema-01.html
http://www.simplecloud.info/specs/draft-scim-api-01.html
• SCIMv2.0
http://tools.ietf.org/html/draft-ietf-scim-core-schema
http://tools.ietf.org/html/draft-ietf-scim-api
http://tools.ietf.org/html/draft-ietf-scim-use-cases
• IETF SCIM WG http://tools.ietf.org/wg/scim/
• mailto: scim@ietf.org
• Credit for slides: IETF WG, Trey Drake & Kelly Grizzle
