SCIM (Simple Cloud Identity Management) (3H)

From IIW

Session Topic: SCIM (T3H)

Convener: Morteza Ansari

Notes-taker(s): Kelly Grizzle

Tags for the session - technology discussed/ideas considered:

SCIM, Cloud, Provisioning


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

SCIM Overview

  • Discussions started around a year ago
  • Spec arose because most major cloud vendors have proprietary APIs for identity and group management
  • Currently close to a 1.0 version, working under the OWF (Open Web Foundation) agreement. Interop testing is happening now.
  • The spec consists of a REST API and extensible schemas for users and groups. The core schema contains basic user and group attributes plus an enterprise user extension.

Discussion of user IDs

  • User IDs must be globally unique within the service provider.
  • Multi-tenancy can be handled by including tenant information in the user ID or via the URLs for the REST endpoints.
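An added illustration (not from the session or the SCIM draft) of the two rules above: a core-plus-enterprise-extension user resource is validated, and an in-memory service provider keeps ids unique across all tenants whether the tenant comes from the URL path or is already embedded in the id. The schema URNs and the `/v1/{tenant}/Users` endpoint layout are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed schema identifiers; the draft discussed in the session predates them.
CORE_SCHEMA = "urn:scim:schemas:core:1.0"
ENTERPRISE_SCHEMA = "urn:scim:schemas:extension:enterprise:1.0"

# Hypothetical endpoint layout carrying the tenant in the URL path.
TENANT_URL_RE = re.compile(r"^/v1/(?P<tenant>[A-Za-z0-9_-]+)/Users(?:/(?P<id>[^/]+))?$")


def validate_user(resource):
    """Check a SCIM-style user resource: core schema declared, userName set, and
    enterprise-extension attributes present under their own schema key if declared."""
    schemas = resource.get("schemas", [])
    if CORE_SCHEMA not in schemas:
        return False, "missing core schema"
    if not resource.get("userName"):
        return False, "userName is required"
    if ENTERPRISE_SCHEMA in schemas and not isinstance(resource.get(ENTERPRISE_SCHEMA), dict):
        return False, "enterprise extension declared but no attributes"
    return True, "ok"


class ServiceProvider:
    """In-memory store enforcing the rule that a resource id is unique across the
    whole service provider, not merely within one tenant."""

    def __init__(self):
        self.users = {}

    def create_user(self, request_path, resource):
        m = TENANT_URL_RE.match(urlparse(request_path).path)
        if not m:
            raise ValueError("unknown endpoint")
        ok, reason = validate_user(resource)
        if not ok:
            raise ValueError(reason)
        tenant = m.group("tenant")
        # If the client supplied no id, qualify the userName with the tenant from the
        # URL; either way the resulting id must not collide with any tenant's users.
        rid = resource.get("id") or f"{tenant}:{resource['userName']}"
        if rid in self.users:
            raise ValueError(f"id {rid!r} already exists in this service provider")
        self.users[rid] = dict(resource, id=rid, tenant=tenant)
        return rid
```

Note that the second `"u-1"` collision in a different tenant is rejected on purpose: per-tenant uniqueness alone would not satisfy the session's rule.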

Other similar schemas – OpenSocial, OpenID Connect

  • SCIM was based originally on PortableContacts.
  • There are small differences between the SCIM schema and existing specs, but the existing specs either had too much or too little.
  • It is alright to diverge from existing standards when use cases call for it (eg – enterprise vs. consumer, etc…)
  • We are open to input on how to make it better! Please join the discussion at http://www.simplecloud.info.

Who has signed on to this effort?

  • Salesforce.com, Cisco (Webex), Google, Ping, UnboundID, Technology Nexus, SailPoint, others
  • A goal was to keep it simple enough to drive adoption and achieve critical mass.

Group membership

  • Consider specifying information associated with a group membership (eg – your role with respect to the group – admin, etc…)
  • This concept makes a lot of sense with “collaboration groups”, maybe not so much with “security groups”

Mappings from SCIM to other schemas

  • The group is working on creating standard mappings between the SCIM user and group schemas and other schemas (eg – Active Directory, inetOrgPerson)

Next Steps

  • Wrap up draft 1.0 version of the spec within the next month
  • Not quite sure how to get this blessed by the larger community
  • BoF at winter/spring IETF?
  • Move to a standards body after 1.0 is complete.