SCIM – As An ATTRIBUTE Provider?

From IIW

Session Topic: SCIM as User Attribute Provider

Wednesday 4H

Convener: J. Richer

Notes-taker(s): Trey Drake


Goal: Shared, externalizable profile enabling RPs to both consume and augment the same user against different personas

Is SCIM a sensible solution for enabling RPs to get a holistic view of the user? Convenience.

Use case: Col. Joe with a CAC. The notion is sharing of persona/identity across IDPs and RPs.


• SCIM box "Dick" gets data from RPs

- Q: does the box need the data, or does it just need to know where the data is?

- Where does authorization happen? When data is provisioned.

- Lots of authorization issues: the broker has knowledge of all user accounts.

o You can do this today by bouncing around to the user's various IDPs, collecting data and correlating it. The problem with this is lots of data leakage.

o Why isn't the answer to just use OAuth2 to front-end SCIM and do this with standard scopes?

o Whose job is this? IDP or RP? RP of RPs? Who should be weighted more?

• RP -> broker IDP (get user profile) -> if not logged in to the broker, then establish a profile -> broker RP pulls profile info from the IDP -> next time the user logs in at a different IDP, the RP can then ask the broker RP to correlate.

• One login for each IDP relationship and two for the broker.

• In this model each RP has lost control of its data.

• Sure, SCIM can model complex user relationships.

• How to do this without driving users crazy and being blacklisted by IDPs?
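The "OAuth2 in front of SCIM with scopes" idea raised in the discussion, as an added example that is not from the session, from IIW, or from any SCIM product: a SCIM User resource is filtered down to the attributes the caller's OAuth2 scopes permit, and a SCIM PATCH is checked against write scopes before it is applied, so an RP (or a broker) only ever sees and changes the attributes it was granted. The scope names, the scope-to-attribute map, the `write:` prefix convention, and the sample user are assumptions of this example; only the attribute names and the PATCH operation shape follow the SCIM schema (RFC 7643) and protocol (RFC 7644).

```python
"""OAuth2-scope gating in front of a SCIM User resource (illustrative, assumed policy)."""
import copy
import re

# Assumed policy: which SCIM attribute paths each OAuth2 read scope exposes.
# Scope names are invented for this example; they are not standard SCIM scopes.
SCOPE_ATTRIBUTES = {
    "scim:user:identity": ["userName", "externalId"],
    "scim:user:name":     ["name.givenName", "name.familyName", "displayName"],
    "scim:user:emails":   ["emails"],
    "scim:user:groups":   ["groups"],
}
# Attributes a SCIM server returns regardless of scope ("returned: always" in RFC 7643).
ALWAYS_RETURNED = ["schemas", "id"]
# Assumed convention: the write scope for read scope X is "write:" + X.
WRITE_PREFIX = "write:"

# Constructed sample resource (not real data).
USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "u-1001",
    "externalId": "col.joe",
    "userName": "col.joe@example.mil",
    "name": {"givenName": "Joe", "familyName": "Colonel"},
    "displayName": "Col. Joe",
    "emails": [{"value": "col.joe@example.mil", "type": "work", "primary": True}],
    "phoneNumbers": [{"value": "555-0100", "type": "work"}],
    "groups": [{"value": "g-7", "display": "Operators"}],
}


def _get_path(resource, path):
    """Walk a dotted SCIM path; return (value, present)."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None, False
        node = node[part]
    return node, True


def _set_path(target, path, value):
    parts = path.split(".")
    node = target
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def _path_allowed(target, allowed_paths):
    """A target is allowed if it equals an allowed path or is a sub-attribute of one.
    Writing a whole complex attribute (e.g. "name") when only "name.givenName" is
    granted is denied: fail closed."""
    return any(target == a or target.startswith(a + ".") for a in allowed_paths)


def filter_user_by_scopes(resource, granted_scopes):
    """Return a deep copy of the User containing only attributes the token's scopes allow.
    Unknown scopes are ignored; no matching scope yields only the always-returned attributes."""
    allowed_paths = list(ALWAYS_RETURNED)
    for scope in granted_scopes:
        allowed_paths.extend(SCOPE_ATTRIBUTES.get(scope, []))
    out = {}
    for path in allowed_paths:
        value, present = _get_path(resource, path)
        if present:
            _set_path(out, path, copy.deepcopy(value))  # copy so callers cannot mutate the source
    return out


def authorize_patch(patch_ops, granted_scopes):
    """Check SCIM PATCH operations (RFC 7644 section 3.5.2) against write scopes.
    Returns the attribute paths that are NOT authorized; an empty list means the PATCH may proceed."""
    writable = []
    for scope in granted_scopes:
        if scope.startswith(WRITE_PREFIX):
            writable.extend(SCOPE_ATTRIBUTES.get(scope[len(WRITE_PREFIX):], []))
    denied = []
    for op in patch_ops:
        path = op.get("path")
        if path is None:
            # No "path": the op's "value" is an object whose keys name the attributes touched.
            targets = list(op.get("value", {}).keys())
        else:
            # Strip a SCIM value filter: emails[type eq "work"].value -> emails.value
            targets = [re.sub(r"\[[^\]]*\]", "", path)]
        for target in targets:
            if not _path_allowed(target, writable):
                denied.append(target)
    return denied
```

Used this way, the broker's "knowledge of all user accounts" concern becomes a least-privilege question per token: an RP that was only granted the name and email scopes cannot enumerate phone numbers or group memberships even though they live in the same resource, and its PATCH cannot quietly rewrite `userName`.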