Design Overview of SCIM2

Sarubi Thillainathan
4 min read · Dec 31, 2019

In my previous blog, I talked about what SCIM is, why, and so forth. Here I'm going to discuss the design overview of SCIM.

Introduction

SCIM stands for System for Cross-domain Identity Management. It is designed to manage user identities in cloud-based applications and services. It describes how data is transferred and what that data looks like once a high level of trust has been established between two systems.

SCIM mainly defines two things: a schema and a protocol. The schema defines what resources look like (for example, what a user object looks like), and the protocol defines how a resource is sent to another system. Most identity vendors, cloud-based applications and services agree on a common way of communicating via the SCIM standards.

SCIM Resources

SCIM provides a set of resources that are exchanged via an HTTP-based protocol. The basic resources are Users and Groups, and SCIM also provides an empty container in which we can create our own resource types. In addition, SCIM makes User extensible under Enterprise User: because a user does not look the same in all systems, it has to be extensible. We can define our custom attributes for the user under Enterprise User.

The following diagram illustrates the object model of SCIM 2.0. As shown below, Resource is the common denominator and all SCIM objects are derived from it.

SCIM resources

SCIM Schema

As we already know, SCIM provides a set of resources, and each resource's allowable contents are defined by a set of schema URIs and a resource type. SCIM's schema is not document-centric, as XML Schema is. Instead, SCIM's support of schema is attribute-based, where each attribute may have a different type, mutability, cardinality, or returnability. Resources are categorized into common resource types such as "User" or "Group". Each resource should have id and meta as attributes, along with the core attributes of its particular resource type. SCIM defines what the user and group objects look like and which attributes they can have.

The following is a minimal representation of a user under the core schema. The core schema for users and groups (resources) encompasses common attributes found in many existing deployments and schemas.

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "userName": "bjensen@example.com",
  "meta": {
    "resourceType": "User",
    "created": "2010-01-23T04:56:22Z",
    "lastModified": "2011-05-13T04:42:34Z",
    "version": "W\/\"3694e05e9dff590\"",
    "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
  }
}

The following is an example of the SCIM Group representation in JSON format.

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
  "displayName": "Tour Guides",
  "members": [
    {
      "value": "2819c223-7f76-453a-919d-413861904646",
      "$ref": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
      "display": "Babs Jensen"
    },
    {
      "value": "902c246b-6245-4190-8e05-00816be7344a",
      "$ref": "https://example.com/v2/Users/902c246b-6245-4190-8e05-00816be7344a",
      "display": "Mandy Pepperidge"
    }
  ],
  "meta": {
    "resourceType": "Group",
    "created": "2010-01-23T04:56:22Z",
    "lastModified": "2011-05-13T04:42:34Z",
    "version": "W\/\"3694e05e9dff592\"",
    "location": "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a"
  }
}
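
The attribute-based model above matters on the receiving side: a service provider has to select the attribute table from the schema URI, ignore server-assigned attributes such as id and meta that a client tries to set, and never return attributes marked as not returnable. The following Python sketch is an added example, not code from this post or from WSO2 Charon; the attribute characteristics are a subset taken from RFC 7643, and the function names and the reject-unknown-attributes policy are assumptions.

```python
# Added example: characteristics below are a subset transcribed from RFC 7643;
# function names and the reject-unknown policy are assumptions of this sketch.
USER = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
COMMON = {
    "id": {"mutability": "readOnly", "returned": "always"},
    "meta": {"mutability": "readOnly", "returned": "default"},
}
CORE = {
    USER: {"userName": {"mutability": "readWrite", "returned": "default", "required": True},
           "password": {"mutability": "writeOnly", "returned": "never"}},
    GROUP: {"displayName": {"mutability": "readWrite", "returned": "default"},
            "members": {"mutability": "readWrite", "returned": "default"}},
}

def attrs_for(resource):
    """Return the attribute table selected by the resource's single schema URI."""
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or len(schemas) != 1 or schemas[0] not in CORE:
        raise ValueError("unsupported or missing schema URI")
    return {**COMMON, **CORE[schemas[0]]}

def sanitize_inbound(payload):
    """Validate a client POST body; drop readOnly attributes the client tried to set."""
    attrs = attrs_for(payload)
    clean = {"schemas": list(payload["schemas"])}
    for name, value in payload.items():
        if name == "schemas":
            continue
        if name not in attrs:
            raise ValueError(f"unknown attribute: {name}")
        if attrs[name]["mutability"] != "readOnly":  # id and meta are server-assigned
            clean[name] = value
    missing = [n for n, a in attrs.items() if a.get("required") and n not in clean]
    if missing:
        raise ValueError(f"missing required attribute(s): {missing}")
    return clean

def render_outbound(stored):
    """Build a response body; omit unknown attributes and those returned 'never'."""
    attrs = attrs_for(stored)
    return {k: v for k, v in stored.items()
            if k == "schemas" or (k in attrs and attrs[k]["returned"] != "never")}

if __name__ == "__main__":
    # Constructed sample request body: the client tries to pick its own id.
    body = {"schemas": [USER], "id": "client-chosen", "userName": "bjensen@example.com",
            "password": "constructed-sample"}
    print(sanitize_inbound(body))
```

SCIM attribute names are case-insensitive, so a production implementation normalizes names before the lookup; this sketch fails closed by rejecting any spelling it does not recognize.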

SCIM API

Now let's talk about the SCIM2 API endpoints. The following are the supported SCIM2 API endpoints and HTTP verbs.

SCIM Endpoints and supported operations

What are the advantages of SCIM2?

  1. It is a REST-based protocol.
  2. Most importantly, it is curl-friendly: when multiple enterprises are trying to talk to each other, we can easily take the curl command and understand what the objects look like in the other systems.
  3. It is firewall-friendly, since it is opened up via HTTPS ports.
  4. OAuth2 is recommended. SCIM doesn't define authentication methods; it describes how data is transferred once a high level of trust has been established between two systems.

WSO2 Identity Server and SCIM

From IS 5.3.0 onwards, WSO2 Identity Server supports SCIM and efficiently undertakes the complex task of identity management across enterprise applications, services and APIs.

WSO2 Identity Server supports SCIM 1.1 and SCIM 2.0 for identity provisioning. In addition, WSO2 provides an open-source SCIM implementation library named WSO2 Charon under the Apache 2.0 license. WSO2 Charon can be used by anyone who wants to add SCIM-based provisioning support to their applications. WSO2 Charon is integrated with WSO2 Identity Server in order to provide SCIM-based identity provisioning.

The following is a high-level overview of the SCIM Service Provider architecture of WSO2 Identity Server.

SCIM architecture of WSO2 IS

In my next blog, I will talk in detail about SCIM operations with WSO2 Identity Server.
