SCIM & OpenID Connect: From Co-existence to Harmony
Tuesday 5I. Convener: Prateek Mishra
Notes-taker(s): Mike Schwartz
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
SCIM (System for Cross-domain Identity Management). Specs are here: http://simplecloud.info
Provides a schema for user objects, for example:
{"id": "12345680", "userName": "joe", ... }
REST APIs for user and group management.
OpenID Connect provides federated authentication and delivers user claims.
</grreplace>
<gr_replace lines="13-15" cat="clarify" orig="OpenID has a">
OpenID Connect has a "profile callback mechanism", i.e. the UserInfo endpoint.
Using the information coming back from OpenID Connect, a relying party may implement just-in-time (JIT) provisioning.
OpenID Connect defines its own, different schema for a person (it does not define groups or roles).
Why can't we use SCIM schema in OpenID Flows?
OpenID has a "profile callback mechanism", i.e. user_info endpoint.
Using the information coming back from OpenID Connect, an relying party may implement "Just in-time" JIT provisioning
OpenID Connect defines its own (different schema) for a person (does not define groups or roles).
Mike Schwartz pointed out that OpenID Connect is used to enable a person to authorize the release of attributes about himself, whereas SCIM is used by the enterprise to provision users in a SaaS.
Phil Hunt pointed out that OpenID Connect generally delivers simple attribute-value pairs, whereas SCIM is better at conveying complex attribute values.
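The gap between the two schemas described above (flat OIDC claims versus SCIM's complex and multi-valued attributes) is easiest to see in the translation a relying party would do for JIT provisioning. The following is an added example, not code from the session or from either specification's authors: it maps a UserInfo response (OpenID Connect Core standard claim names) onto a SCIM 2.0 User resource (RFC 7643 section 4.1 attribute names). The sample UserInfo response and the issuer URL are constructed; the decision to keep only a verified email, and to scope `externalId` by issuer, are this example's own choices.

```python
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample UserInfo response from a hypothetical OpenID Provider.
SAMPLE_USERINFO = {
    "sub": "248289761001",
    "preferred_username": "joe",
    "given_name": "Joe",
    "family_name": "Example",
    "email": "joe@example.com",
    "email_verified": True,
}
SAMPLE_ISSUER = "https://op.example.com"  # hypothetical issuer URL


def userinfo_to_scim_user(claims: dict, issuer: str) -> dict:
    """Translate flat OIDC claims into a SCIM 2.0 User resource.

    OIDC delivers simple attribute/value pairs; SCIM expects complex
    attributes such as "name" (sub-attributes) and "emails" (multi-valued).
    Claims that are absent are omitted, never invented.
    """
    if "sub" not in claims:
        raise ValueError("UserInfo response has no 'sub' claim")

    user = {
        "schemas": [SCIM_USER_SCHEMA],
        # "sub" is unique only within one issuer, so the externalId pairs
        # issuer and subject to avoid collisions when several OPs feed the
        # same SaaS tenant (an assumption of this example, not a SCIM rule).
        "externalId": f"{issuer}#{claims['sub']}",
        # userName must be unique at the service provider; fall back to an
        # issuer-scoped identifier when no preferred_username is supplied.
        "userName": claims.get("preferred_username") or f"{claims['sub']}@{issuer}",
        "active": True,
    }

    # Assemble the complex "name" attribute from the separate OIDC claims.
    name = {}
    if "given_name" in claims:
        name["givenName"] = claims["given_name"]
    if "family_name" in claims:
        name["familyName"] = claims["family_name"]
    if name:
        parts = (claims.get("given_name"), claims.get("family_name"))
        name["formatted"] = claims.get("name") or " ".join(p for p in parts if p)
        user["name"] = name

    # Only a verified email is accepted into the SCIM record: an address the
    # OP has not verified must not become a contact or login handle.
    if claims.get("email") and claims.get("email_verified") is True:
        user["emails"] = [{"value": claims["email"], "primary": True}]

    return user


def scim_user_json(claims: dict, issuer: str) -> str:
    """Serialised body suitable for POST /Users at a SCIM service provider."""
    return json.dumps(userinfo_to_scim_user(claims, issuer), indent=2)


if __name__ == "__main__":
    print(scim_user_json(SAMPLE_USERINFO, SAMPLE_ISSUER))
```

The mapping is deliberately lossy in one direction only: every SCIM attribute emitted is backed by a claim that was actually present, and groups or roles are never synthesised because OpenID Connect has no standard claim for them.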
Use Case: An enterprise with a directory service needs to work with a SaaS provider. The SaaS service provides a SCIM endpoint to enable the enterprise to provision user and group information. The SaaS service needs to advertise its SCIM endpoints via a manifest. Does the SaaS need to do JIT? Or bulk provisioning? JIT does not support de-provisioning.
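The last sentence of the use case is the security-relevant one: a relying party that only provisions at login time never sees the user who stopped logging in, so an account whose owner has left the enterprise stays active. The following added example (not from the session notes or any SCIM implementation) simulates both sides of that: `jit_provision` behaves like an OIDC relying party that upserts only the user who just authenticated, and `reconcile` is the bulk pass an enterprise would run against the SaaS SCIM endpoint to find accounts to create and accounts to deactivate, emitting SCIM PATCH bodies in the RFC 7644 section 3.5.2 form. The directory contents, the SaaS user snapshot and the SCIM ids are constructed.

```python
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed enterprise directory: users currently entitled to the SaaS,
# keyed by the externalId the SaaS stores for them.
DIRECTORY = {
    "alice": {"userName": "alice", "active": True},
    "bob": {"userName": "bob", "active": True},
}

# Constructed snapshot of GET /Users at the SaaS SCIM endpoint. "carol" was
# JIT-provisioned at an earlier login and has since left the enterprise;
# "dave" was already deactivated by a previous reconciliation.
SAAS_USERS = [
    {"id": "u-1", "externalId": "alice", "userName": "alice", "active": True},
    {"id": "u-2", "externalId": "carol", "userName": "carol", "active": True},
    {"id": "u-3", "externalId": "dave", "userName": "dave", "active": False},
]


def jit_provision(saas_users: list, claims: dict) -> list:
    """JIT provisioning as an OIDC relying party does it: upsert only the
    user who just logged in. Nobody else is touched, which is exactly why
    JIT alone can never de-provision. Returns a new list."""
    users = copy.deepcopy(saas_users)
    for u in users:
        if u["externalId"] == claims["sub"]:
            u["active"] = True
            u["userName"] = claims["preferred_username"]
            return users
    users.append({
        "id": f"u-{len(users) + 1}",  # constructed id; a real SP assigns it
        "externalId": claims["sub"],
        "userName": claims["preferred_username"],
        "active": True,
    })
    return users


def deactivate_patch() -> dict:
    """SCIM PATCH body that disables a user. The record is kept rather than
    deleted so audit trails and ownership links at the SaaS survive."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def reconcile(directory: dict, saas_users: list) -> dict:
    """Bulk pass computing what JIT cannot: externalIds present in the
    directory but missing at the SaaS (to create), and active SaaS accounts
    with no directory entry (to deactivate, with their PATCH bodies)."""
    present = {u["externalId"]: u for u in saas_users}
    to_create = sorted(ext for ext in directory if ext not in present)
    to_deactivate = [
        {"id": u["id"], "externalId": ext, "patch": deactivate_patch()}
        for ext, u in sorted(present.items())
        if ext not in directory and u["active"]
    ]
    return {"create": to_create, "deactivate": to_deactivate}


if __name__ == "__main__":
    # bob logs in for the first time: JIT creates bob, leaves carol active.
    after_login = jit_provision(SAAS_USERS, {"sub": "bob", "preferred_username": "bob"})
    print(reconcile(DIRECTORY, after_login))
```

In practice the reconciliation output would be sent as `PATCH /Users/{id}` requests, and the set of active SaaS accounts without a directory entry is also a useful detection signal on its own: a non-empty list between scheduled runs means access outlived entitlement.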
Prateek says Oracle is interested in starting a working group about this problem so it can solve their internal SaaS and industry SaaS issues.
Phil has published a SCIM discovery spec: https://tools.ietf.org/html/draft-hunt-scim-discovery-00
There is also the SCIM service provider configuration endpoint: https://tools.ietf.org/html/rfc7644#section-4
Prateek says the business problem is that SCIM lacks the coherent security that would make it a real standard across many service providers.