PROVISIONING
[Diagram: Identity Provider → SCIM requests → SCIM Service Provider → Identity Store]
§ Platform neutral – JSON
§ Handles inbound user & SaaS provisioning requests
§ Propagates changes to identity store
SCIM BASICS
[Diagram: Identity Provider (AD/LDAP) → SCIM operations → SaaS]
§ Take some information (schemas) • Give an action about that info to another organization
§ Maps from AD/LDAP
– User email (mail)
– Username (userPrincipalName)
– cn
– sn
§ Operations:
– GET
– POST
– PUT
– DELETE
§ Specifies well-known endpoints and HTTP methods for managing core resources
– User and group resources correspond to /Users and /Groups, respectively
– “https://serviceprovider.com/scim/Users” or “https://serviceprovider.com/scim/Groups”
§ Standard serializations of the schema using JSON and XML are provided
– Lightweight, platform independent with JSON
– Responses are returned in the body of the HTTP messages in JSON or XML format
[Sequence diagram: HR Directory → SCIM Client → SaaS1]
SCIM Client: “I see the directory has just deleted a user.”
SCIM Client → SaaS1: “SaaS1, you need to delete this user too!”
SaaS1: “OK!”
DELETE https://sp.com:8443/Users/41209481-3252-141-A214B-14D1
[Account Data]
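The deprovisioning flow in the diagram is one instance of a more general reconciliation: the SCIM client compares the directory with what the SaaS currently holds and emits the SCIM requests that close the gap. The following is an added example (not code from the deck or from Ping Identity) that does this offline over two constructed snapshots. The directory key is used as the SCIM externalId; the service provider's own id (one from the deck, one invented) is the only value that may appear in a URL, and PUT, being the default modify operation, always carries the complete user.

```python
from urllib.parse import quote

CORE = "urn:scim:schemas:core:1.0"
SCIM_BASE = "https://sp.com:8443"   # host from the deck's DELETE example

# Constructed HR directory snapshot: the directory's stable key (used as the
# SCIM externalId) -> the attributes the client maps into a SCIM user.
DIRECTORY = {
    "hr-1001": {"userName": "bjensen", "emails": [{"value": "bjensen@example.com"}]},
    "hr-1002": {"userName": "dsmith", "emails": [{"value": "dsmith@example.com"}]},
}

# Constructed view of what SaaS1 currently holds, keyed by externalId. "id" is the
# value the service provider assigned; the first is the id from the deck's
# diagram, the second is invented.
PROVISIONED = {
    "hr-1001": {"id": "41209481-3252-141-A214B-14D1", "userName": "bjensen",
                "emails": [{"value": "bjensen@example.com"}]},
    "hr-1003": {"id": "7c2e0b3a-0000-4000-8000-000000000003", "userName": "mlopez",
                "emails": [{"value": "mlopez@example.com"}]},
}


def plan_sync(directory, provisioned):
    """Return the SCIM requests, as (method, path, body) tuples, that bring the
    service provider in line with the directory: creates and updates first,
    then deprovisioning of accounts the directory no longer knows."""
    plan = []
    for ext_id, attrs in sorted(directory.items()):
        current = provisioned.get(ext_id)
        if current is None:
            body = {"schemas": [CORE], "externalId": ext_id, **attrs}
            plan.append(("POST", "/Users", body))
        elif any(current.get(k) != v for k, v in attrs.items()):
            # PUT is the default modify operation and must carry the complete user.
            body = {"schemas": [CORE], "id": current["id"], "externalId": ext_id, **attrs}
            plan.append(("PUT", f"/Users/{quote(current['id'])}", body))
    for ext_id, current in sorted(provisioned.items()):
        if ext_id not in directory:
            # Deprovision by the service provider's id, never by externalId or userName.
            plan.append(("DELETE", f"/Users/{quote(current['id'])}", None))
    return plan


def request_line(method, path):
    """Render a request line the way the deck's diagram shows it."""
    return f"{method} {SCIM_BASE}{path}"


if __name__ == "__main__":
    for method, path, body in plan_sync(DIRECTORY, PROVISIONED):
        print(request_line(method, path), body or "")
```

Running the module prints one POST for the new directory user and one DELETE, addressed by the provider-assigned id, for the account that no longer exists in the directory.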
[Table: provisioning sources compared – fragment; other sources named on the slide: SSO transaction, IdP corporate directory]
Source | Pros | Cons
Manual | No additional configuration. | Doesn't scale.
– Group schema
› Contain members, influencing group- and role-based access control. “Add Bob to the manager group.”
[Table: user schema attributes – fragment]
Attribute | Single/Multi | Required?
locale | Single | No
timezone | Single | No
active | Single | No
password | Single | No
emails | Multi | No
phoneNumbers | Multi | No
ims | Multi | No
photos | Multi | No
addresses | Complex, Multi | No
groups | Multi | No
entitlements | Multi | No
roles | Multi | No
x509Certificates | Multi | No
SCHEMA - GROUPS
§ Group resources enable group- and role-based access control
§ Groups contain members
§ How SP implements access control out of scope
PATCH /Groups/abe73-727ef
Host: example.com
Accept: application/json
Authorization: Bearer 48h74e2cf
ETag: W/"a537bc"

{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "members": [
    {"display": "Babs Jensen",
     "value": "24626efab457be"}
  ]
}
SCHEMA - ENTERPRISE EXTENSION
§ Extends generic user with enterprise semantics
§ Others can be created at will
§ Attributes:
– employeeNumber
– costCenter
– organization
– division
– department
– manager
SCIM CORE SCHEMA (REQUIRED!)
Resource Attribute | Sub-Attribute | Required? | Modifiable? | Comment
externalId | | No | No | Defined by the consumer at the time of resource creation – “Stable and non-reassignable”. May eliminate the need for the consumer to maintain local mapping of user resource
id | | Yes | No | Defined by the service provider at the time of resource creation – “stable and non-reassignable”
meta | created | No | No | Included in SCIM response.
meta | lastModified | No | No | Included in SCIM response.
meta | location | No | No | Included in SCIM response. URI of resource (e.g. “https://yourscim.com:8334/Users/uid-mdio,ou=people,o=yourscim.com”)
Resource | Method | Operation | Comment
Users | POST | Create |
Users | PUT | Modify | Default operation for modify. Requires all user attributes in the request.
Users | PATCH | Modify | Optional operation. Requires only modified attributes in the request.
Users | DELETE | Delete |
Groups | GET | Retrieve |
Groups | POST | Create |
Groups | PUT | Modify | Default operation for modify. Requires the list of all valid id(s) that have group membership.
Groups | PATCH | Modify | Optional operation – may not be supported. Requires only the id(s) for changes (e.g. group membership).
Groups | DELETE | Delete |
ServiceProviderConfigs | GET | Retrieve |
Schemas | GET | Retrieve |
Bulk | POST | Modify | Optional operation. Enables the modification of many resources. Consumer must embed the operation (e.g. POST, PUT, PATCH, DELETE) for each resource modification. Retrieval of multiple resources is not a bulk operation (this is achieved with a GET on the resource).
SCHEMA – METADATA
§ To simplify interoperability, SCIM provides two end points to discover supported features and specific attribute details:
– GET /ServiceProviderConfigs
› Specification compliance, authentication schemes, data models.
– GET /Schemas
› Introspect resources and attribute extensions.
– E.g. “Hi, SCIM Service Provider! What do you support?”
{
  "schemas": ["urn:scim:schemas:core:1.0"],
  "patch": {"supported": true},
  "bulk": {"maxOperations": 1000, "maxPayloadSize": 1048576},
  "filter": {"supported": true, "maxResults": 200},
  "changePassword": {"supported": true}
}
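A client that reads that answer can adapt before sending anything: use PATCH only where it is advertised, and pack bulk requests so neither maxOperations nor maxPayloadSize is exceeded. The code below is an added example (not from the deck or from Ping Identity) that does both over a constructed ServiceProviderConfigs response; the "bulk.supported" key is assumed from the SCIM 1.1 specification since the slide's excerpt does not show it, and the bulk request shape (schemas plus an Operations array whose entries carry method, path, bulkId and data) is likewise the SCIM 1.1 BulkRequest.

```python
import json

CORE = "urn:scim:schemas:core:1.0"

# Constructed ServiceProviderConfigs answer in the shape the deck's excerpt shows
# (bulk.supported is assumed; the excerpt on the slide does not show that key).
SP_CONFIG = {
    "schemas": [CORE],
    "patch": {"supported": True},
    "bulk": {"supported": True, "maxOperations": 1000, "maxPayloadSize": 1048576},
    "filter": {"supported": True, "maxResults": 200},
    "changePassword": {"supported": True},
}

# Constructed bulk operations: five user creations, each embedding its own
# method and path as the deck's Bulk row requires.
OPERATIONS = [
    {"method": "POST", "path": "/Users", "bulkId": f"b{i}",
     "data": {"schemas": [CORE], "userName": f"user{i}"}}
    for i in range(5)
]


def modify_method(config):
    """PATCH only when the provider advertises it; otherwise PUT, the default
    modify operation, which must then carry the complete resource."""
    return "PATCH" if config.get("patch", {}).get("supported") else "PUT"


def _payload(operations):
    """Serialise a SCIM 1.1 BulkRequest body compactly (this is what gets counted)."""
    return json.dumps({"schemas": [CORE], "Operations": operations}, separators=(",", ":"))


def bulk_batches(config, operations):
    """Pack operations into BulkRequest bodies that honour both advertised limits,
    so the provider never has to answer 413 REQUEST ENTITY TOO LARGE."""
    bulk = config.get("bulk", {})
    if not bulk.get("supported"):
        raise ValueError("service provider does not advertise bulk support")
    max_ops, max_bytes = bulk["maxOperations"], bulk["maxPayloadSize"]
    batches, current = [], []
    for op in operations:
        if len(_payload([op]).encode()) > max_bytes:
            raise ValueError(f"operation {op.get('bulkId')} alone exceeds maxPayloadSize")
        # Flush the batch when adding this operation would break either limit.
        if current and (len(current) >= max_ops
                        or len(_payload(current + [op]).encode()) > max_bytes):
            batches.append(_payload(current))
            current = []
        current.append(op)
    if current:
        batches.append(_payload(current))
    return batches


if __name__ == "__main__":
    print("modify with:", modify_method(SP_CONFIG))
    for body in bulk_batches(SP_CONFIG, OPERATIONS):
        print(len(body.encode()), "bytes:", body)
```

Byte counting is done on the exact serialisation that will be sent; measuring a pretty-printed or differently encoded copy would let a batch slip past the limit the provider enforces.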
API – RESPONSE CODES
§ Returned by SCIM service provider
– After receiving a SCIM request (“update this user!”)
§ API uses / overrides HTTP response codes
– indicates operation success or failure
§ Errors are returned in the body of the response with human-readable explanations
HTTP/1.1 404 NOT FOUND
{
  "Errors": [
    {
      "description": "Resource 3525-151-987a-1b not found",
      "code": "404"
    }
  ]
}
Copyright © 2015 Ping Identity Corp. All rights reserved.
API – ERROR CODES
Code | Applicability | Suggested Explanation
404 NOT FOUND | GET, PUT, PATCH, DELETE | Specified resource, e.g. User, does not exist
409 CONFLICT | PUT, PATCH, DELETE | The specified version number does not match the resource’s latest version number, or a Service Provider refused to create a new, duplicate resource
412 PRECONDITION FAILED | PUT, PATCH, DELETE | Failed to update as Resource {id} changed on the server since last retrieved
413 REQUEST ENTITY TOO LARGE | POST | {"maxOperations":1000,"maxPayload":1048576}
500 INTERNAL SERVER ERROR | GET, POST, PUT, PATCH, DELETE | An internal error. Implementers SHOULD provide descriptive debugging advice
501 NOT IMPLEMENTED | GET, POST, PUT, PATCH, DELETE | Service Provider does not support the requested operation
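The core-schema table, the Users operations table and the two response-code slides describe one contract from the service provider's side: the provider assigns id, the consumer assigns externalId, neither is ever reassigned, meta is filled in on every response, and 404, 409 and 412 are the answers to a missing resource, a duplicate, and a stale update. The following is an added example (not from the deck or from Ping Identity) that implements that contract for /Users in memory, returning (status, body) pairs in the error shape the 404 slide shows. The host comes from the meta.location example on the slide; the weak-ETag scheme, the uuid ids and the 400 responses for malformed input (a code the deck's table does not list) are this example's own choices.

```python
import copy
import hashlib
import json
import uuid
from datetime import datetime, timezone

CORE = "urn:scim:schemas:core:1.0"
BASE = "https://yourscim.com:8334"   # host from the deck's meta.location example


def scim_error(status, description):
    """Error body in the shape the deck shows for 404."""
    return {"Errors": [{"description": description, "code": str(status)}]}


def _version(resource):
    """Weak ETag over the resource content, excluding meta.version itself."""
    snapshot = copy.deepcopy(resource)
    snapshot.get("meta", {}).pop("version", None)
    digest = hashlib.sha256(json.dumps(snapshot, sort_keys=True).encode()).hexdigest()
    return f'W/"{digest[:16]}"'


class UserStore:
    """In-memory /Users handler. Every method returns (http_status, body)."""

    def __init__(self):
        self._users = {}       # server-assigned id -> resource
        self._external = {}    # consumer-assigned externalId -> id

    def _finish(self, user, created=None):
        now = datetime.now(timezone.utc).isoformat(timespec="seconds")
        user["meta"] = {"created": created or now, "lastModified": now,
                        "location": f"{BASE}/Users/{user['id']}"}
        user["meta"]["version"] = _version(user)
        self._users[user["id"]] = user
        return copy.deepcopy(user)

    def create(self, body):
        if CORE not in body.get("schemas", []) or not body.get("userName"):
            return 400, scim_error(400, "schemas and userName are required")
        ext = body.get("externalId")
        if ext in self._external:
            return 409, scim_error(409, f"externalId {ext} is already provisioned")
        # id is defined by the service provider: anything the client sent is dropped.
        user = {k: v for k, v in body.items() if k not in ("id", "meta")}
        user["id"] = str(uuid.uuid4())
        if ext is not None:
            self._external[ext] = user["id"]
        return 201, self._finish(user)

    def get(self, user_id):
        user = self._users.get(user_id)
        if user is None:
            return 404, scim_error(404, f"Resource {user_id} not found")
        return 200, copy.deepcopy(user)

    def replace(self, user_id, body, if_match=None):
        """PUT: body is the complete resource; id and externalId stay as created."""
        current = self._users.get(user_id)
        if current is None:
            return 404, scim_error(404, f"Resource {user_id} not found")
        if if_match is not None and if_match != current["meta"]["version"]:
            return 412, scim_error(412, f"Resource {user_id} changed on the server since last retrieved")
        if body.get("externalId", current.get("externalId")) != current.get("externalId"):
            return 400, scim_error(400, "externalId is not modifiable")
        user = {k: v for k, v in body.items() if k not in ("id", "meta")}
        user["id"] = user_id
        if "externalId" in current:
            user["externalId"] = current["externalId"]
        return 200, self._finish(user, created=current["meta"]["created"])

    def delete(self, user_id):
        user = self._users.pop(user_id, None)
        if user is None:
            return 404, scim_error(404, f"Resource {user_id} not found")
        self._external.pop(user.get("externalId"), None)
        return 200, None


if __name__ == "__main__":
    store = UserStore()
    status, user = store.create({"schemas": [CORE], "userName": "bjensen", "externalId": "hr-1001"})
    print(status, json.dumps(user, indent=2))
    print(store.replace(user["id"], {"schemas": [CORE], "userName": "bjensen",
                                     "externalId": "hr-1001"}, if_match='W/"stale"'))
```

Refusing a client-supplied id and a changed externalId is what keeps the two keys "stable and non-reassignable": the consumer can rely on externalId to find its own user again, and nobody can re-point an existing provider id at a different directory entry through an update.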
SCIM HAS SOME HISTORY…
§ Started at Cloud Identity Summit 2010
› https://yourscim.com/V2/Users