SCIM – As An ATTRIBUTE Provider?
Session Topic: SCIM as User Attribute Provider
Wednesday 4H
Convener: J. Richer
Notes-taker(s): Trey Drake
Goal: Shared, externalizable profile enabling RPs to both consume and augment the same user against different personas
Is SCIM a sensible solution for enabling RPs to get a holistic view of the user? Convenience.
Use case: Col Joe with CAC. The notion is sharing of persona/identity across IDPs and RPs.
• SCIM box "Dick" gets data from RPs
- Q: does the box need the data or does it just need to know where the data is.
- Where does authorization happen? When data is provisioned.
- Lots of authorization issues - broker has knowledge of all user accounts
o You can do this today by bouncing around to various user IDPs, collecting data and correlating it. Problem with this: lots of data leakage.
o Why isn't the answer to just use OAuth2 to front-end SCIM and do this with standard scopes?
o Whose job is this? IDP or RP? RP of RPs? Who should be weighted more?
• RP -> broker IDP (get user profile) -> if not, log in to the broker and establish a profile -> RP/broker pulls profile info from IDP -> next time the user logs into a different IDP, the RP can then ask the broker RP to correlate
• 1 login for each IDP relationship and 2 for the broker
• In this model each RP has lost control of its data.
• Sure SCIM can model complex user relationships
• How to do this without driving users crazy and being blacklisted by IDPs?
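As an added example, not from the session or any SCIM implementation, here is one way a broker could act on the "use OAuth2 to front-end SCIM with standard scopes" suggestion and limit the data leakage raised above: attributes are released, and writes accepted, only for the scopes the RP's token was granted. The SCIM user record is constructed, and the scope names and the scope-to-attribute mapping are assumptions (the broker's own policy, not part of the SCIM or OAuth2 specs).

```python
from typing import Any, Iterable

# Constructed SCIM 2.0 User resource as a broker might hold it (sample data).
USER: dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "col.joe",
    "name": {"givenName": "Joe", "familyName": "Colonel"},
    "emails": [{"value": "col.joe@example.test", "primary": True}],
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}],
    "x509Certificates": [{"value": "<CAC certificate placeholder>"}],
}

# Assumed policy: which OAuth2 scope unlocks which SCIM attributes.
SCOPE_ATTRIBUTES: dict[str, set[str]] = {
    "profile": {"userName", "name"},
    "email": {"emails"},
    "phone": {"phoneNumbers"},
    "cert": {"x509Certificates"},
}
# Attributes every authenticated caller may see (needed to address the resource).
ALWAYS_RELEASED = {"schemas", "id"}


def allowed_attributes(granted_scopes: Iterable[str]) -> set[str]:
    """Union of attributes the granted scopes permit; unknown scopes grant nothing."""
    allowed = set(ALWAYS_RELEASED)
    for scope in granted_scopes:
        allowed |= SCOPE_ATTRIBUTES.get(scope, set())
    return allowed


def release(resource: dict[str, Any], granted_scopes: Iterable[str]) -> dict[str, Any]:
    """GET: return only the subset of the SCIM resource the caller's scopes cover."""
    allowed = allowed_attributes(granted_scopes)
    return {key: value for key, value in resource.items() if key in allowed}


def check_write(granted_scopes: Iterable[str], attributes: Iterable[str]) -> bool:
    """PUT/PATCH: authorize at provisioning time; every attribute being set
    must be covered by a granted scope, otherwise the whole write is refused."""
    return set(attributes) <= allowed_attributes(granted_scopes)
```

Per-attribute scopes let each RP keep contributing to the shared profile without the broker handing every RP the full record.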