SCIM (Simple Cloud Identity Management) (3H)
From IIW
Session Topic: SCIM (T3H)
Convener: Morteza Ansari
Notes-taker(s): Kelly Grizzle
Tags for the session - technology discussed/ideas considered:
SCIM, Cloud, Provisioning
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
SCIM Overview
- Discussions started around a year ago
- Spec arose because most major cloud vendors have proprietary APIs for identity and group management
- Currently close to a 1.0 version, developed under the OWF (Open Web Foundation) agreement. Interop testing is happening now.
- The spec consists of a REST API plus extensible schemas for users and groups. The core schema contains basic user and group attributes, and there is an enterprise user extension.
Discussion of user IDs
- User IDs (the `id` assigned by the service provider) must be globally unique within the service provider.
- Multi-tenancy can be handled by including tenant information in the user ID or in the URLs of the REST endpoints.
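The following is an added example (not code from the session or from the SCIM spec) showing the URL-based tenancy option above: ids are assigned by the service provider and unique across the whole provider, while the tenant comes from the request path. The check a practitioner wants here is that a globally unique `id` is still only served to the tenant it belongs to; a lookup from another tenant's URL gets the same 404 as a nonexistent id, so one tenant cannot enumerate another's users. The `/v1/<tenant>/Users` path layout, the error codes and the `urn:scim:schemas:core:1.0` schema URN are assumptions of this example.

```python
"""Tenant-scoped SCIM-style user store (added example, not SCIM spec code).

Assumptions: tenant is carried in the path /v1/<tenant>/Users[/<id>], the
core schema URN is urn:scim:schemas:core:1.0, and status codes follow
ordinary REST conventions (201/200/404/409).
"""
import re
import uuid

CORE_SCHEMA = "urn:scim:schemas:core:1.0"   # assumed SCIM 1.0 core schema URN
TENANT_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{0,62}$")
PATH_RE = re.compile(r"^/v1/([^/]+)/Users(?:/([^/]+))?$")


class ScimError(Exception):
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


class ServiceProvider:
    def __init__(self):
        self._users = {}        # id -> (tenant, resource); ids unique provider-wide
        self._by_username = {}  # (tenant, lower-cased userName) -> id

    def create_user(self, tenant, body):
        if not TENANT_RE.match(tenant):
            raise ScimError(400, "invalid tenant")
        if CORE_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "core schema missing")
        user_name = body.get("userName")
        if not user_name:
            raise ScimError(400, "userName is required")
        key = (tenant, user_name.lower())
        if key in self._by_username:
            raise ScimError(409, "userName already exists in this tenant")
        # The service provider assigns the id; a client-supplied id is ignored.
        uid = str(uuid.uuid4())
        resource = {**body, "id": uid, "schemas": [CORE_SCHEMA]}
        self._users[uid] = (tenant, resource)
        self._by_username[key] = uid
        return resource

    def get_user(self, tenant, uid):
        entry = self._users.get(uid)
        # Cross-tenant reads get 404, not 403, so the requester learns nothing
        # about whether the id exists for some other tenant.
        if entry is None or entry[0] != tenant:
            raise ScimError(404, "user not found")
        return entry[1]

    def handle(self, method, path, body=None):
        """Route /v1/<tenant>/Users[/<id>] to the store; returns (status, body)."""
        m = PATH_RE.match(path)
        if not m:
            return 404, {"detail": "no such resource"}
        tenant, uid = m.group(1), m.group(2)
        try:
            if method == "POST" and uid is None:
                return 201, self.create_user(tenant, body or {})
            if method == "GET" and uid is not None:
                return 200, self.get_user(tenant, uid)
            return 405, {"detail": "method not allowed"}
        except ScimError as e:
            return e.status, {"detail": str(e)}


def demo():
    """Constructed sample exchange; returns the status codes of each step."""
    sp = ServiceProvider()
    alice = {"schemas": [CORE_SCHEMA], "userName": "alice", "id": "client-chosen",
             "name": {"givenName": "Alice", "familyName": "Example"}}
    created_status, created = sp.handle("POST", "/v1/acme/Users", alice)
    uid = created["id"]
    same_tenant, _ = sp.handle("GET", f"/v1/acme/Users/{uid}")
    cross_tenant, _ = sp.handle("GET", f"/v1/globex/Users/{uid}")
    duplicate, _ = sp.handle("POST", "/v1/acme/Users", alice)
    other_tenant, _ = sp.handle("POST", "/v1/globex/Users", alice)
    return {
        "create": created_status,
        "id_was_reassigned": uid != "client-chosen",
        "same_tenant_get": same_tenant,
        "cross_tenant_get": cross_tenant,
        "duplicate_in_tenant": duplicate,
        "same_username_other_tenant": other_tenant,
    }


if __name__ == "__main__":
    print(demo())
```

The same `userName` is allowed in two tenants because uniqueness of `userName` is per tenant, while the provider-assigned `id` stays unique across tenants; putting the tenant in the id instead of the URL would need the same ownership check in `get_user`.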
Other similar schemas – OpenSocial, OpenID Connect
- SCIM was based originally on PortableContacts.
- There are small differences between the SCIM schema and existing specs; the existing specs either had too much or too little for the target use cases.
- It is alright to diverge from existing standards when use cases call for it (e.g., enterprise vs. consumer).
- We are open to input on how to make it better! Please join the discussion at http://www.simplecloud.info.
Who has signed on to this effort?
- Salesforce.com, Cisco (Webex), Google, Ping, UnboundID, Technology Nexus, SailPoint, others
- A goal was to keep it simple enough to drive adoption and achieve critical mass.
Group membership
- Consider specifying information associated with a group membership (e.g., your role with respect to the group, such as admin).
- This concept makes a lot of sense with “collaboration groups”, maybe not so much with “security groups”
Mappings from SCIM to other schemas
- The group is working on creating standard mappings between the SCIM user and group schemas and other schemas (e.g., Active Directory, inetOrgPerson).
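As an added illustration of what such a mapping looks like (this is my own mapping for the example, not the working group's standard mapping), the block below turns a SCIM 1.0-style user into an inetOrgPerson entry. The LDAP attribute names (`uid`, `cn`, `sn`, `givenName`, `displayName`, `mail`, `telephoneNumber`) are the standard inetOrgPerson/person attributes; the SCIM attribute names are those of the core schema; the base DN is a placeholder. The caveat worth showing is that `userName` ends up inside the entry's DN, so it must be escaped per RFC 4514 or a crafted username can add RDN components.

```python
"""Illustrative SCIM user -> inetOrgPerson mapping (added example).

Not the SCIM working group's mapping. Assumes SCIM 1.0 core attribute names
(userName, name.givenName/familyName/formatted, displayName, emails[],
phoneNumbers[]) and a placeholder base DN.
"""

# Characters that RFC 4514 requires to be escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN so it cannot inject extra RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def scim_to_inetorgperson(user, base_dn="ou=people,dc=example,dc=com"):
    """Return (dn, attributes) for a SCIM user; multi-valued attrs become lists."""
    user_name = user["userName"]
    name = user.get("name") or {}
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": [user_name],
        # sn and cn are mandatory on person; fall back to userName if absent.
        "sn": [name.get("familyName") or user_name],
        "cn": [name.get("formatted") or user_name],
    }
    if name.get("givenName"):
        attrs["givenName"] = [name["givenName"]]
    if user.get("displayName"):
        attrs["displayName"] = [user["displayName"]]
    emails = user.get("emails") or []
    # Put the SCIM primary value first; LDAP consumers often take the first mail.
    primary = [e["value"] for e in emails if e.get("primary") and e.get("value")]
    others = [e["value"] for e in emails if not e.get("primary") and e.get("value")]
    if primary or others:
        attrs["mail"] = primary + others
    phones = [p["value"] for p in user.get("phoneNumbers") or [] if p.get("value")]
    if phones:
        attrs["telephoneNumber"] = phones
    dn = f"uid={escape_rdn_value(user_name)},{base_dn}"
    return dn, attrs


# Constructed sample SCIM user for the example.
SAMPLE_USER = {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "userName": "alice",
    "name": {"givenName": "Alice", "familyName": "Example",
             "formatted": "Alice Example"},
    "displayName": "Alice",
    "emails": [
        {"value": "alice@home.example", "type": "home"},
        {"value": "alice@example.com", "type": "work", "primary": True},
    ],
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}],
}

if __name__ == "__main__":
    print(scim_to_inetorgperson(SAMPLE_USER))
    print(scim_to_inetorgperson({"userName": "alice,ou=admins"})[0])
```

Mapping in the other direction (LDAP to SCIM) needs the reverse decisions: which `mail` value becomes `primary`, and how `cn` and `displayName` split between `name.formatted` and `displayName`.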
Next Steps
- Wrap up draft 1.0 version of the spec within the next month
- Not quite sure how to get this blessed by the larger community
- BoF at winter/spring IETF?
- Move to a standards body after 1.0 is complete.