SCIM — System for Cross-Domain Identity Management

What is SCIM?

SCIM stands for System for Cross-domain Identity Management. SCIM is a protocol whose work started in May 2011. SCIM 1.0 was the first version, and 12 companies participated under OWF (Ohio Works First). SCIM 2.0 was released in September 2015.

SCIM is an application-level, HTTP-based protocol. It is used for provisioning and managing identity data on the web and in cross-domain environments. It supports CRUD operations on identity resources such as Users and Groups. SCIM uses JSON payloads to carry SCIM resources and protocol-specific messages, which contain request and response parameters. The media type of SCIM is “application/scim+json”.

What is identity provisioning?

According to Wikipedia:

Identity provisioning is about creation, maintenance and deactivation of user accounts, in one or more systems or applications, in response to automated or interactive business processes.

With the traditional approach, we face many problems, such as redundant integration efforts for ECS (Enterprise Cloud Subscribers) and CSPs (Cloud Service Providers), maintenance difficulties with multiple connectors, complexity and cost.

Given the above problems, the solution is a common protocol that everyone agrees on. This common protocol is named SCIM.

SCIM 2.0 is based on an object model. Resource is the common denominator, and all other objects are derived from it. A Resource has id, externalId and meta as its attributes. User, Group and EnterpriseUser inherit these common attributes from Resource.

SCIM 2.0 version Object Model

There are well-known endpoints that a SCIM client uses to access services: the “/Users” endpoint for Users, the “/Groups” endpoint for Groups and the “/Me” endpoint for Self. HTTP methods are used through a simple REST API to manage these resources.

HTTP Method   SCIM Usage
-----------   ---------------------------------------------------------
GET           Retrieves one or more complete or partial resources.
POST          Depending on the endpoint, creates new resources, creates a
              search request, or MAY be used to bulk-modify resources.
PUT           Modifies a resource by replacing existing attributes with a
              specified set of replacement attributes (replace). PUT
              MUST NOT be used to create new resources.
PATCH         Modifies a resource with a set of client-specified changes
              (partial update).
DELETE        Deletes a resource.

SCIM HTTP Methods

The following shows how the above HTTP operations are performed according to resource type and endpoint.

Resource          Endpoint                Operations        Description
----------------  ----------------------  ----------------  -----------------------------------
User              /Users                  GET, POST, PUT,   Retrieve, add, modify Users.
                                          PATCH, DELETE
Group             /Groups                 GET, POST, PUT,   Retrieve, add, modify Groups.
                                          PATCH, DELETE
Self              /Me                     GET, POST, PUT,   Alias for operations against a
                                          PATCH, DELETE     resource mapped to an authenticated
                                                            subject (e.g., User).
Service provider  /ServiceProviderConfig  GET               Retrieve service provider's
config                                                      configuration.
Resource type     /ResourceTypes          GET               Retrieve supported resource types.
Schema            /Schemas                GET               Retrieve one or more supported
                                                            schemas.
Bulk              /Bulk                   POST              Bulk updates to one or more
                                                            resources.
Search            [prefix]/.search        POST              Search from system root or within a
                                                            resource endpoint for one or more
                                                            resource types using POST.

Defined Endpoints

For a better understanding, here I am going to show some examples of how the SCIM protocol works.

01) Creating a User resource using the HTTP POST method; “/Users” is the endpoint.

POST /Users HTTP/1.1
Host: example.com
Accept: application/scim+json
Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8
Content-Length: ...

{
  "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName":"bjensen",
  "externalId":"bjensen",
  "name":{
    "formatted":"Ms. Barbara J Jensen III",
    "familyName":"Jensen",
    "givenName":"Barbara"
  }
}

Server response for the above request:

HTTP/1.1 201 Created
Content-Type: application/scim+json
Location:
 https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"e180ee84f0671b1"

{
  "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id":"2819c223-7f76-453a-919d-413861904646",
  "externalId":"bjensen",
  "meta":{
    "resourceType":"User",
    "created":"2011-08-01T21:32:44.882Z",
    "lastModified":"2011-08-01T21:32:44.882Z",
    "location":
     "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
    "version":"W\/\"e180ee84f0671b1\""
  },
  "name":{
    "formatted":"Ms. Barbara J Jensen III",
    "familyName":"Jensen",
    "givenName":"Barbara"
  },
  "userName":"bjensen"
}

02) Retrieving a User resource using the HTTP GET method; “/Users” is the endpoint.

GET /Users/2819c223-7f76-453a-919d-413861904646 HTTP/1.1
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8

Server response for the above request:

HTTP/1.1 200 OK
Content-Type: application/scim+json
Location:
 https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"f250dd84f0671c3"

{
  "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id":"2819c223-7f76-453a-919d-413861904646",
  "externalId":"bjensen",
  "meta":{
    "resourceType":"User",
    "created":"2011-08-01T18:29:49.793Z",
    "lastModified":"2011-08-01T18:29:49.793Z",
    "location":
     "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
    "version":"W\/\"f250dd84f0671c3\""
  },
  "name":{
    "formatted":"Ms. Barbara J Jensen III",
    "familyName":"Jensen",
    "givenName":"Barbara"
  },
  "userName":"bjensen"
}
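As an added example that is not part of the original post, the following Python sketch models the server side of the “/Users” exchanges above: it checks the request media type, the schemas list and the required userName, fills in id, meta and a weak ETag on create, and enforces the rule from the methods table that PUT replaces an existing resource and never creates one. UsersEndpoint, validate_user and the in-memory store are assumptions of this sketch, not SCIM-defined names; the example.com base URL mirrors the page's examples.

```python
import hashlib, json, uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_JSON = "application/scim+json"
BASE = "https://example.com/v2"  # constructed base URL, mirroring the page's examples

def _error(status, detail):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    return status, {"Content-Type": SCIM_JSON}, body

def validate_user(payload, content_type):
    # Returns an error text for a malformed SCIM User request, or None when acceptable
    if content_type != SCIM_JSON:
        return "Content-Type must be " + SCIM_JSON
    if USER_SCHEMA not in payload.get("schemas", []):
        return "schemas must include " + USER_SCHEMA
    if not payload.get("userName"):
        return "userName is required"
    return None

class UsersEndpoint:
    def __init__(self):
        self._users = {}  # id -> stored User resource (assumed in-memory store)

    def _store(self, status, uid, payload, created=None):
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
        body = {k: v for k, v in payload.items() if k not in ("id", "meta")}
        body.update(schemas=[USER_SCHEMA], id=uid, meta={
            "resourceType": "User", "created": created or now, "lastModified": now,
            "location": "%s/Users/%s" % (BASE, uid)})
        # Weak ETag over the stored attributes; the same value is echoed as meta.version
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        body["meta"]["version"] = 'W/"%s"' % digest[:16]
        self._users[uid] = body
        meta = body["meta"]
        return status, {"Content-Type": SCIM_JSON, "Location": meta["location"], "ETag": meta["version"]}, body

    def post(self, payload, content_type=SCIM_JSON):
        err = validate_user(payload, content_type)
        return _error(400, err) if err else self._store(201, str(uuid.uuid4()), payload)

    def put(self, uid, payload, content_type=SCIM_JSON):
        # PUT replaces an existing resource and MUST NOT create one: unknown id is 404, not 201
        if uid not in self._users:
            return _error(404, "Resource %s not found" % uid)
        err = validate_user(payload, content_type)
        created = self._users[uid]["meta"]["created"]  # creation time survives a replace
        return _error(400, err) if err else self._store(200, uid, payload, created)
```

Each method returns the HTTP status, the response headers and the JSON body, so the ETag header and meta.version can be compared directly, as in the responses above.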

There are many companies that already use this protocol.

If you are interested in learning more about this, you can follow the links below.

01) https://tools.ietf.org/html/rfc7644#section-3.2

02) http://www.simplecloud.info/

03) http://www.ateam-oracle.com/what-is-scim/

04) https://blogs.oracle.com/fusionmiddleware/standards-corner%3a-the-ietf-publishes-scim-v2