IETF 84
SCIM: System for Cross-domain Identity Management
Kelly Grizzle, [email protected]

Agenda
• Overview
  – What problem does SCIM solve?
  – What is SCIM?
  – History Lesson
• Deeper Dive
  – Schema
  – Protocol
  – Security
  – Other areas in charter: bindings, targeting
• What’s Next?

What is the problem?
• How do I keep my organization’s users in sync with service X?
  – How do I provision a user account for service X?
  – How do I deprovision a user account from service X?
  – How do I update an existing account for service X?
• How do I manage groups?
  – How do I add or remove users from groups to give them the correct level of access?
  – How do I create new groups?

What is the problem?
[Diagram: a SCIM Client sits between the Organization Directory and three services: Mobile Connectivity Service, Email Service, Payroll Service]

What is a user?
[Slide shows a business card for Homer J. Simpson, Safety Inspector, Springfield Nuclear Plant: (888) 555-1111 Work, (123) 666-1111 Home, [email protected], [email protected], 742 Evergreen Terrace, Springfield, Kentsouri 01234, http://www.simpsons.com, beside its LDAP representation:]
  dn: cn=HomeJSimpson,o=domain-name
  cn: HomerJSimpson
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  mail: [email protected]
  givenname: Homer
  sn: Simpson
  postalAddress: 742 Evergreen Terrace
  l: Springfield
  st: Kentsouri
  postalCode: 01234
  telephoneNumber: (888) 555-1111
  jpegPhoto: http://www.simpsons.com/homer.jpg
  …

How do we do it today?
[Table: today’s approaches against their latency and drawbacks]
• Approaches: Manual, hand-entry; Bulk, CSV; Custom APIs & connectors; SAML Just-in-Time provisioning
• Latency: Days; Hours/Days
• Drawbacks: Error-prone; Labor-intensive; Stale accounts (no deprovision); Vendor-specific; Latency
• Other: No simple fetch method, no two-way synchronization; No pre-provisioning, no groups
And, there is always schema-mapping to deal with…

What is SCIM?
• SCIM is a standard that defines schema and protocol for identity management.
• Schema
  – Core representations of users and groups
  – Extensible
  – JSON/XML*
• Protocol
  – REST, HTTP, Synchronous
  – CRUD + Search* + Discovery + Bulk*
• And more cool stuff…
• The “S” word

An example speaks 1111101000 words…
  POST /v1/Users HTTP/1.1
  Host: example.com
  Accept: application/json
  Content-Type: application/json
  Authorization: Bearer h480djs93hd8
  Content-Length: ...

  {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "externalId": "bjensen",
    "userName": "bjensen",
    "name": {
      "familyName": "Jensen",
      "givenName": "Barbara"
    }
  }

History Lesson
• July 2010: Conceived at Cloud Identity Summit
• May 2011: Officially began at IIW 12
• Oct 2011 – May 2012: 3 interop events with 9 vendors (open source and proprietary)
• Dec 2011: Released 1.0 specification under OWF (Open Web Foundation)
• March 2012: BoF at IETF 83
• June 2012: WG chartered
• July 2012: 1.1 specification released under OWF
• August 3, 2012: Here we are … first WG meeting

Deeper Dive
• Schema
• Protocol
• Security
• SAML and LDAP bindings
• Targeting

Schema
• Core models for User and Group
• JSON and XML* representations
• Extensibility
  – Extend existing resources (eg – enterprise user)
  – Define new resources (eg – role)
• http://tools.ietf.org/html/draft-scim-core-schema-00

Model: Simple Structure
• A resource is:
  – An attribute container
  – Name spaced
• An attribute is:
  – Simple or complex
  – Single or multi-valued

Example: User
(Slide callouts: Required; Complex (name); Simple (userName); Complex multi-valued (phoneNumbers))
  {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "externalId": "bjensen",
    "meta": {
      "created": "2011-08-01T18:29:49.793Z",
      "lastModified": "2011-08-01T18:29:49.793Z",
      "location": "https://example.com/v1/Users/2819c223...",
      "version": "W\/\"f250dd84f0671c3\""
    },
    "name": {
      "formatted": "Ms. Barbara J Jensen III",
      "familyName": "Jensen",
      "givenName": "Barbara"
    },
    "userName": "bjensen",
    "phoneNumbers": [
      {
        "value": "555-555-8377",
        "type": "work"
      }
    ]
  }

Example: Extended User
(Slide callouts: Declaration (the extension URN listed in "schemas"); Use (the attributes under that URN))
  {
    "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "externalId": "bjensen",
    "userName": "bjensen",
    "urn:scim:schemas:extension:enterprise:1.0": {
      "employeeNumber": "701984",
      "costCenter": "4130",
      "organization": "Universal Studios",
      "division": "Theme Park",
      "department": "Tour Operations",
      "manager": {
        "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
        "displayName": "John Smith"
      }
    }
  }

Example: Group
(Slide callouts: Type (User|Group); Optional & Read-only)
  {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "displayName": "Tour Guides",
    "members": [
      {
        "value": "2819c223-7f76-453a-919d-413861904646",
        "displayName": "Babs Jensen",
        "type": "User"
      },
      {
        "value": "2819c223-7f76-453a-919d-413861904646",
        "displayName": "Mandy Pepperidge",
        "type": "User"
      }
    ]
  }

Protocol
• REST, HTTP, Synchronous
• CRUD + Search* + Discovery + Bulk*
• Simple MTI, Complex optional
• Extensible*, Versioned
• “cURL” friendly
• http://tools.ietf.org/html/draft-scim-api-00

Operations
• Create = POST https://example.com/{v}/{resource}
• Read = GET https://example.com/{v}/{resource}/{id}
• Update = PUT https://example.com/{v}/{resource}/{id}
• Delete = DELETE https://example.com/{v}/{resource}/{id}
• *Update = PATCH https://example.com/{v}/{resource}/{id}
• *Search = GET https://example.com/{v}/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending|descending}&startIndex={start}&count={maxResults}
• *Bulk

Discovery
• GET /Schemas
  – Introspect resources and attribute extensions
• GET /ServiceProviderConfigs
  – Spec compliance
    • Support for bulk, patch, etc…
  – Authentication schemes
    • OAuth, HTTP basic, etc…
  – Data formats
    • Support XML?

Create Request
(Slide callouts: Operation (POST); Resource Type (Users); Format (Accept); AuthZ (Authorization); “User” Payload)
  POST /v1/Users HTTP/1.1
  Host: example.com
  Accept: application/json
  Authorization: Bearer h480djs93hd8

  {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "externalId": "bjensen",
    "userName": "bjensen",
    "name": {
      "familyName": "Jensen",
      "givenName": "Barbara"
    }
  }

Create Response
(Slide callouts: Result code; Format (Content-Type); “Permalink” (Location); SP generated ID)
  HTTP/1.1 201 Created
  Content-Type: application/json
  Location: https://example.com/v1/Users/281...
  ETag: W/"e180ee84f0671b1"

  {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "externalId": "bjensen",
    "meta": {
      "created": "2011-08-01T21:32:44.882Z",
      "lastModified": "2011-08-01T21:32:44.882Z",
      "location": "https://example.com/v1/Users/281...",
      "version": "W\/\"e180ee84f0671b1\""
    },
    "name": {
      "familyName": "Jensen",
      "givenName": "Barbara"
    },
    "userName": "bjensen"
  }

Get Request
(Slide callouts: Operation (GET); Resource Type (Users); Stable ID; Format (.json suffix))
  GET /v1/Users/2819c223-7f76-453a-919d-413861904646.json
  Host: example.com
  Authorization: Bearer h480djs93hd8

Get Response
(Slide callouts: Result code; Format; “Permalink”; SP ID)
  HTTP/1.1 200 OK
  Content-Type: application/json
  Location: https://example.com/v1/Users/281...
  ETag: W/"e180ee84f0671b1"

  {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "externalId": "bjensen",
    "meta": {
      "created": "2011-08-01T21:32:44.882Z",
      "lastModified": "2011-08-01T21:32:44.882Z",
      "location": "https://example.com/v1/Users/281...",
      "version": "W\/\"e180ee84f0671b1\""
    },
    "name": {
      "familyName": "Jensen",
      "givenName": "Barbara"
    },
    "userName": "bjensen"
  }

Search Request
(Slide callouts: Operation; Resource Type; URL encoded filter; Sorting; Partial results (attributes); Index-based pagination (startIndex, count))
  GET /v1/Users?filter=title pr and userType eq "Employee"
    &sortBy=title
    &sortOrder=ascending
    &attributes=title,username
    &startIndex=11
    &count=10
  Host: example.com
  Accept: application/json
  Authorization: Bearer h480djs93hd8

Search Response
(Slide callouts: Users; SP ID ever present; Pagination)
  {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "totalResults": 2,
    "Resources": [
      {
        "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
        "title": "Assistant VP",
        "userName": "bjensen"
      },
      {
        "id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57",
        "title": "VP",
        "userName": "jsmith"
      }
    ]
  }

PATCH and Bulk
• PATCH
  – Allows providing partial updates to resources
  – May be important if modifying a large multi-valued attribute on a resource (eg – group members)
• Bulk
  – Allows performing many operations at once
  – Useful for synchronizing data into a service provider
• Both are optional

Protocol Extensibility
• Version in URL
  – https://example.com/{version}/{resource}
• Follow RESTful principles
  – Additional URL arguments
  – Additional resource endpoints

XML Schema
• XML XSD
  – Core
    • Resource, User, Group
    • Payload wrappers, Errors
    • Schema, Bulk, ServiceProviderConfig
  – Enterprise Extension

Security Considerations
• Protocol
• Sensitive information abounds
• Authorization attributes are loosely defined
  – Roles, groups, and entitlements

Protocol Security
• TLS MTI
• Standard HTTP considerations apply
• Authentication is discoverable, OAuth bearer token recommended
• HTTP basic is commonly implemented for interoperability
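The Search Request and Search Response slides, worked through as an added example (illustrative code written for these notes, not code from the slides or from the SCIM drafts): a client helper that URL-encodes the filter, sortBy, sortOrder, attributes, startIndex and count parameters, and the service-provider side that decodes them, evaluates the filter, sorts, pages with a 1-based startIndex, projects to the requested attributes and always keeps "id" (SP ID ever present). Assumptions: only the filter subset used on the slide is parsed (attribute "pr", attribute eq "value", joined by "and"); attribute names are matched case-insensitively, which is why the slide can ask for "username" and get back "userName"; "eq" is an exact string comparison here, a simplification of the drafts' per-attribute case rules; the function names and the sample user store are this example's own, the first two users copied from the slide's response.

```python
"""Added example: SCIM 1.0-style search on the client and service-provider side."""
import re
from urllib.parse import urlencode, urlparse, parse_qs

CORE_SCHEMA = "urn:scim:schemas:core:1.0"

# Constructed sample store; the first two entries mirror the Search Response slide.
USERS = [
    {"id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97", "userName": "bjensen",
     "title": "Assistant VP", "userType": "Employee"},
    {"id": "a4a25dd3-17a0-4dac-a2ac-ce211e125f57", "userName": "jsmith",
     "title": "VP", "userType": "Employee"},
    {"id": "00000000-0000-4000-8000-000000000003", "userName": "kgrizzle",
     "userType": "Contractor"},  # no title, so 'title pr' is false for this user
]


def build_search_url(base, resource, filter_expr, sort_by=None, sort_order="ascending",
                     attributes=None, start_index=1, count=10):
    """Client side: urlencode() percent-encodes the spaces and quotes inside the
    filter, so the service provider receives exactly the expression we built."""
    params = {"filter": filter_expr, "startIndex": start_index, "count": count}
    if sort_by:
        params["sortBy"], params["sortOrder"] = sort_by, sort_order
    if attributes:
        params["attributes"] = ",".join(attributes)
    return f"{base}/v1/{resource}?{urlencode(params)}"


# Supported subset (assumption): <attr> pr | <attr> eq "<value>", joined by 'and'.
TERM = re.compile(r'(\w+)\s+(pr|eq)(?:\s+"([^"]*)")?')
CONJ = re.compile(r"\s+and\s+")


def parse_filter(expr):
    """Turn 'title pr and userType eq "Employee"' into a list of (attr, op, value).
    Anything outside the subset raises ValueError rather than silently matching nothing."""
    terms, pos, expr = [], 0, expr.strip()
    while True:
        m = TERM.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported filter at offset {pos}: {expr[pos:]!r}")
        attr, op, value = m.groups()
        if (op == "pr") != (value is None):  # 'pr' takes no value, 'eq' needs a quoted one
            raise ValueError(f"operator/value mismatch in {m.group(0)!r}")
        terms.append((attr, op, value))
        pos = m.end()
        if pos == len(expr):
            return terms
        conj = CONJ.match(expr, pos)
        if not conj:
            raise ValueError(f"expected 'and' at offset {pos}: {expr[pos:]!r}")
        pos = conj.end()


def get_attr(resource, name):
    """Case-insensitive attribute lookup (SCIM attribute names are not case-sensitive)."""
    for key, value in resource.items():
        if key.lower() == name.lower():
            return value
    return None


def matches(resource, terms):
    for attr, op, value in terms:
        actual = get_attr(resource, attr)
        if op == "pr" and actual in (None, "", [], {}):
            return False
        if op == "eq" and actual != value:
            return False
    return True


def search(users, filter_expr, sort_by=None, sort_order="ascending",
           attributes=None, start_index=1, count=10):
    """Service-provider side: filter, sort, page, then project to the requested
    attributes; 'id' is always returned so the client can address each resource."""
    if start_index < 1 or count < 0:
        raise ValueError("startIndex is 1-based and count must be non-negative")
    terms = parse_filter(filter_expr) if filter_expr else []  # no filter: match everything
    hits = [u for u in users if matches(u, terms)]
    if sort_by:
        hits.sort(key=lambda u: str(get_attr(u, sort_by) or ""),
                  reverse=(sort_order == "descending"))
    page = hits[start_index - 1:start_index - 1 + count]
    if attributes:
        wanted = {a.lower() for a in attributes} | {"id"}
        page = [{k: v for k, v in u.items() if k.lower() in wanted} for u in page]
    return {"schemas": [CORE_SCHEMA], "totalResults": len(hits), "startIndex": start_index,
            "itemsPerPage": len(page), "Resources": page}


def search_from_url(url, users):
    """Decode a request URL the way the service provider would, then run the search."""
    query = parse_qs(urlparse(url).query)

    def first(name, default=None):
        return query.get(name, [default])[0]

    attrs = first("attributes")
    return search(users, first("filter", ""),
                  sort_by=first("sortBy"), sort_order=first("sortOrder", "ascending"),
                  attributes=attrs.split(",") if attrs else None,
                  start_index=int(first("startIndex", 1)), count=int(first("count", 10)))


# The slide's request, round-tripped: built by the client, decoded and served by the SP.
EXAMPLE_URL = build_search_url("https://example.com", "Users",
                               'title pr and userType eq "Employee"', sort_by="title",
                               attributes=["title", "username"], start_index=1, count=10)
EXAMPLE_RESPONSE = search_from_url(EXAMPLE_URL, USERS)

if __name__ == "__main__":
    print(EXAMPLE_URL)
    print(EXAMPLE_RESPONSE)
```

The slide's startIndex of 11 with two matching users returns an empty page but still reports totalResults 2, which is how a client knows it has walked past the end. Rejecting unparseable filters with an error, rather than treating them as "match nothing" or "match everything", keeps a malformed client request from silently returning the wrong population.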
Sensitive Information in User
(Slide callouts: Password; AuthZ (roles, groups, entitlements))
  {
    "id": "2819c223-7f76-453a-919d-413861904646",
    "externalId": "bjensen",
    "name": {
      "familyName": "Jensen",
      "givenName": "Barbara"
    },
    "userName": "bjensen",
    "password": "maybe_plaintext",
    "roles": [
      { "value": "RA" }
    ],
    "groups": [
      {
        "value": "2819c223-7f76-453a-919d-982763095",
        "display": "Student"
      }
    ],
    "entitlements": [
      { "value": "delete users" }
    ]
  }

Hi/Low Fidelity Bindings
• LDAP
• SAML
• OpenID Connect

Targeting
• Proposed extension
• Allows a server to proxy a SCIM request to a target system
  – GET https://example.com/Targets/crm/Users/{id}
• Optionally can store links to target accounts on the core user
• http://tools.ietf.org/html/draft-hunt-scimtargeting-00

1.1 Release
• Released in July 2012 under OWF
• Mainly clarifications and small error fixes
  – Many of these were found during interop testing
• Will serve as starting point for working group
• Final release under OWF

What’s next?
• See charter for milestones
  – http://datatracker.ietf.org/wg/scim/charter/
• Use cases document
• Binding documents (LDAP, SAML)
• Targeting document
• Continue working on schema and protocol
  – http://code.google.com/p/scim/issues/list *
  – And much more…

SCIM Core Values
• Simplicity
  – “Make it as simple as possible but no simpler.” - Einstein
• Solving real-world problems
• Ease of implementation by consumers
  – Don’t make it too hard for service providers either
• Support the 80% in the core
  – Extensions for everything else
• Interoperability

For more information…
• 1.1 Drafts (should be on datatracker soon)
  – http://scim.googlecode.com/svn/trunk/specs/draft-scim-api-01.txt
  – http://scim.googlecode.com/svn/trunk/specs/draft-scim-coreschema-01.txt
• http://www.simplecloud.info/
  – Site overhaul coming soon!
• http://datatracker.ietf.org/wg/scim/
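A closing worked example for the "Model: Simple Structure", "Example: Extended User", "Security Considerations", "Protocol Security" and "Sensitive Information in User" slides above (illustrative code written for these notes, not code from the slides or the SCIM drafts). It walks a User resource and classifies each attribute as simple or complex, single or multi-valued, treating an extension URN as a namespace rather than an attribute; checks that every extension namespace used in the body is declared in "schemas"; produces a copy safe to return or log with the password removed and the loosely defined authorization attributes (roles, groups, entitlements) set aside for a policy decision; and checks the transport and authentication scheme against the Protocol Security bullets. Assumptions, and not from the slides: that "password" is write-only, that basic authentication is only acceptable when the deployment opts in, the function names, and the two sample resources, which are constructed from the slide examples (the extended user merges the required-user example with the enterprise extension).

```python
"""Added example: inspect a SCIM 1.0-style User before returning or logging it."""
import copy

CORE = "urn:scim:schemas:core:1.0"
ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"
WRITE_ONLY = {"password"}                          # assumption: never echoed back or logged
AUTHZ_ATTRS = {"roles", "groups", "entitlements"}  # loosely defined per the slides: review, do not trust

# Constructed: the slides' required-user example merged with the enterprise extension.
EXTENDED_USER = {
    "schemas": [CORE, ENTERPRISE],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "name": {"familyName": "Jensen", "givenName": "Barbara"},
    "phoneNumbers": [{"value": "555-555-8377", "type": "work"}],
    ENTERPRISE: {
        "employeeNumber": "701984",
        "manager": {"managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
                    "displayName": "John Smith"},
    },
}

# Constructed from the 'Sensitive Information in User' slide.
SENSITIVE_USER = {
    "schemas": [CORE],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "password": "maybe_plaintext",
    "roles": [{"value": "RA"}],
    "groups": [{"value": "2819c223-7f76-453a-919d-982763095", "display": "Student"}],
    "entitlements": [{"value": "delete users"}],
}


def classify(resource):
    """Map each attribute path to its kind: 'simple', 'complex', 'simple multi-valued'
    or 'complex multi-valued'. A 'urn:...' key is a namespace (attribute container),
    so it is not an attribute itself; its children are reported under the URN prefix."""
    kinds = {}

    def walk(container, prefix):
        for name, value in container.items():
            if name.startswith("urn:") and isinstance(value, dict):
                walk(value, f"{name}:")
                continue
            path = f"{prefix}{name}"
            if isinstance(value, dict):
                kinds[path] = "complex"
                walk(value, f"{path}.")
            elif isinstance(value, list):
                complex_values = [v for v in value if isinstance(v, dict)]
                kinds[path] = "complex multi-valued" if complex_values else "simple multi-valued"
                for v in complex_values:
                    walk(v, f"{path}[].")
            else:
                kinds[path] = "simple"

    walk(resource, "")
    return kinds


def namespace_problems(resource):
    """Declaration vs. use: the core schema must be declared, and every extension
    namespace used as a key must appear in 'schemas'. Empty list means consistent."""
    declared = set(resource.get("schemas", []))
    used = {k for k in resource if k.startswith("urn:")}
    problems = [] if CORE in declared else ["core schema not declared"]
    problems += [f"extension used but not declared: {ns}" for ns in sorted(used - declared)]
    return problems


def for_response(resource):
    """Copy safe to return to a client or write to a log. Write-only attributes are
    removed (the stored resource is left untouched); authorization-bearing attributes
    are handed back separately so the caller applies its own disclosure policy."""
    safe = copy.deepcopy(resource)
    dropped = sorted(k for k in safe if k.lower() in WRITE_ONLY)
    for k in dropped:
        del safe[k]
    authz = {k: safe[k] for k in safe if k.lower() in AUTHZ_ATTRS}
    return safe, dropped, authz


def transport_problems(scheme, authorization, allow_basic=False):
    """Protocol Security slide: TLS is mandatory to implement, bearer tokens are
    recommended, HTTP basic is common for interop. Accepting basic is a deployment
    choice (assumption), so it is off unless the caller opts in."""
    problems = []
    if scheme.lower() != "https":
        problems.append("request must arrive over TLS")
    method = (authorization or "").split(" ", 1)[0].lower()
    if not (method == "bearer" or (method == "basic" and allow_basic)):
        problems.append(f"unacceptable authentication scheme: {method or 'none'}")
    return problems


if __name__ == "__main__":
    for path, kind in classify(EXTENDED_USER).items():
        print(f"{kind:22} {path}")
    print(namespace_problems(dict(EXTENDED_USER, schemas=[CORE])))
    print(for_response(SENSITIVE_USER))
    print(transport_problems("http", "Basic dXNlcjpwYXNz"))
```

for_response deliberately returns the authorization attributes rather than dropping or forwarding them: because the slides leave their semantics open, the right disclosure and provisioning decision for roles, groups and entitlements belongs to the service provider's policy, and keeping that decision explicit at the boundary is what stops a proxying or synchronizing client from copying "delete users" somewhere it should not go.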