5 Things That Will Not Be a Nightmare Anymore If You Support SCIM

The System for Cross-domain Identity Management (SCIM) specification is designed to manage user identity in cloud-based applications and services in a standardized way to enable interoperability, security, and scalability. Understanding how SCIM is used in the real world can be somewhat challenging for a beginner. The following is a high-level overview of five major use cases of SCIM. In each case, SCIM is used as an open connector that acts as a mutual agreement between two functionally separate parties.

For a better understanding, each use case is presented as a real-world scenario followed by a brief explanation.

1. Migration of the Identities

A company, ABC Enterprise, has an application, LetsChat, which uses the identity information of its employees (e.g. identifiers, attributes). This identity information is stored in a cloud controlled by a free cloud service provider, FreeCloud. However, ABC Enterprise has decided to move that identity information to a different cloud service provider, SmartCloud, for better security and services. In addition, ABC Enterprise has purchased another application, SecureMail, which also relies on the identity information.

When all related parties use SCIM, ABC Enterprise can easily migrate the identity information to SmartCloud without changing its representation, and SecureMail can use the identity information straight away without an explicit connector. This saves time and cost and, most importantly, eliminates the pain of change.

Figure 1. Migration of the Identities

2. Single Sign-On (SSO) Service

Michelle has an account in her favorite social media application, PeopleBook, which is hosted by a cloud service provider, SmartCloud. SmartCloud has federated its user identities with another cloud service provider, OurCloud. Michelle now needs to use an application called ManageMe, which is hosted in OurCloud. ManageMe relies on the identity information provided by SmartCloud to authenticate Michelle. Hence Michelle receives the requested service from ManageMe running on OurCloud without having to authenticate to that application explicitly.

The SCIM schema and protocol make it feasible to establish an open standard for exchanging user identities between SmartCloud and OurCloud, and also between applications and the related cloud services. In short, SCIM creates a platform with an interoperable and scalable architecture and reduces the time and costs of all the involved parties.

3. Provisioning of the User Accounts for a Community of Interest (COI)

HumanHR is an organization that provides Human Resource (HR) services to a community of interest, Orange Inc. Orange Inc has offices all around the world, and its information systems are composed of a set of applications running on private and public clouds along with traditional IT systems. Each local Orange Inc office is responsible for collecting personal information of its employees (i.e., user identities and attributes). HumanHR, on the other hand, provides the HR services as Software as a Service (SaaS) on public and private clouds. Hence HumanHR handles identity information provisioning and distribution across all Orange Inc offices. HumanHR also allows individual employees to manage their own personal information if they are eligible to do so (e.g. a user updating their own address or telephone number).

Figure 3. Provisioning of the User Accounts for a Community of Interest (COI)

This scenario emphasizes the need for an open connector for identity provisioning and distribution. Imagine the cost and human time it would take if each local Orange Inc office used its own schema and protocol for identity exchange. With a SCIM-based mechanism in place, all personal accounts are globally available to any authorized user or application across the Orange Inc system, through the services provided by HumanHR, in the blink of an eye.
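The self-service update in this scenario would arrive as a SCIM PATCH request (RFC 7644), and the service has to confirm that it touches only attributes the employee is eligible to change. The following is an added example, not code from the original article or from any SCIM product; the `SELF_EDITABLE` policy, the function names and the sample request are assumptions made for illustration.

```python
import re
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:user:"  # lower-cased URN prefix
# Assumed policy: attributes an employee may edit on their own record.
SELF_EDITABLE = {"addresses", "phonenumbers"}

def top_level_attrs(op):
    """Top-level attribute names one operation touches (SCIM names ignore case)."""
    if str(op.get("op", "")).lower() not in {"add", "replace", "remove"}:
        raise ValueError("unknown op")
    path, value = op.get("path"), op.get("value")
    if path is not None:
        names = [path]
    elif isinstance(value, dict):
        names = list(value)  # path-less add/replace: targets are the keys of "value"
    else:
        raise ValueError("path-less operation needs an object value")
    attrs = set()
    for name in names:
        name = name.lower()
        if name.startswith(CORE_USER):
            name = name[len(CORE_USER):]
        # Drop sub-attribute and value filter: phoneNumbers[type eq "work"].value
        attrs.add(re.split(r"[.\[]", name, maxsplit=1)[0])
    return attrs

def check_self_service_patch(caller_id, target_id, body):
    """Return policy violations; an empty list means the PATCH may proceed."""
    if caller_id != target_id:
        return ["caller may only modify their own record"]
    if PATCH_OP not in body.get("schemas", []):
        return ["not a SCIM PatchOp message"]
    problems = []
    for i, op in enumerate(body.get("Operations", [])):
        try:
            denied = top_level_attrs(op) - SELF_EDITABLE
        except ValueError as exc:
            problems.append(f"operation {i}: {exc}")
            continue
        if denied:
            problems.append(f"operation {i}: not self-editable: {sorted(denied)}")
    return problems

# Constructed sample: a phone update plus a path-less change outside the policy.
SAMPLE = {"schemas": [PATCH_OP], "Operations": [
    {"op": "replace", "path": 'phoneNumbers[type eq "work"].value', "value": "+1-555-0100"},
    {"op": "replace", "value": {"roles": [{"value": "hr-admin"}]}},
]}
if __name__ == "__main__": print(check_self_service_patch("u1", "u1", SAMPLE))
```

The path-less operation is the case that a check looking only at `path` would miss, which is why the keys of `value` are inspected as well.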

4. Transfer of Attributes to a Relying Party’s Website

Sam has an account in a directory service, DServe. Sam then visits the website of a relying party, Loople. The website requires some attributes of the visiting user to operate properly. On Sam's first visit to the site, he selects the required attributes and authorizes the transfer of the attribute data from the directory service DServe to the Loople website through any authorization protocol (e.g. OAuth, SAML).

Figure 4. Transfer of Attributes to a Relying Party’s Website

Again the SCIM schema and protocol come in handy here, as a mutual agreement between DServe and the Loople website is required to exchange attributes. Using SCIM in a scenario like this gives the service providers a secure and interoperable way to exchange them.

5. Change Notifications

Sushiko has an account in a directory service, WEServe, and she has authorized the attribute transfer from WEServe to a relying party website, example.com. The attributes of Sushiko later change in the directory service WEServe (e.g. Sushiko changes her name or mobile number). However, example.com may have a cache of those attributes, and if it were aware of these changes to its cached copy, this could potentially cause a state change in it. However, the set of changes could be substantially large, and not all the changes will be of interest to the relying party. Hence, the directory service WEServe wishes to notify example.com that there are changes potentially of interest, so that example.com can subsequently, at an appropriate time, contact WEServe and retrieve just the subset of changes of interest to it.

Figure 5. Change Notifications

Even though SCIM does not have to do much in the change notification system itself, the interoperable and scalable nature of SCIM is what makes this mechanism achievable.
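The retrieval step of this scenario can be expressed with the SCIM query parameters `filter` and `attributes` from RFC 7644: after a notification, the relying party asks only for records modified since its last sync and caches only the attributes the user authorized. This is an added example, not code from the original article; the endpoint URL, the authorized attribute list, the function names and the sample reply are constructed assumptions.

```python
import re
from urllib.parse import urlencode

# Constructed sample: attributes the user authorized for this relying party.
AUTHORIZED = ("userName", "name.familyName", "phoneNumbers")
TIMESTAMP = re.compile(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ")

def build_delta_query(base_url, since, attributes=AUTHORIZED):
    """URL for users modified after `since`, returning only `attributes`."""
    if not TIMESTAMP.fullmatch(since):   # keep quotes out of the filter string
        raise ValueError("since must look like 2024-05-01T00:00:00Z")
    params = {"filter": f'meta.lastModified gt "{since}"',
              "attributes": ",".join(attributes)}
    return f"{base_url}/Users?{urlencode(params)}"

def pick(resource, path):
    """Read a dotted path such as name.familyName; None when absent."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def apply_delta(cache, list_response, attributes=AUTHORIZED):
    """Merge a ListResponse into the cache; return {user id: [changed paths]}."""
    changed = {}
    for res in list_response.get("Resources", []):
        entry = cache.setdefault(res["id"], {})
        for path in attributes:          # anything else in the reply is ignored
            value = pick(res, path)
            if value is not None and entry.get(path) != value:
                entry[path] = value
                changed.setdefault(res["id"], []).append(path)
    return changed

# Constructed reply from the directory service; "emails" was never authorized.
SAMPLE_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{
        "id": "2819c223", "userName": "sushiko",
        "name": {"familyName": "Tanaka", "givenName": "Sushiko"},
        "phoneNumbers": [{"type": "mobile", "value": "+81-555-0100"}],
        "emails": [{"value": "sushiko@example.org"}],
        "meta": {"lastModified": "2024-05-02T10:00:00Z"},
    }],
}
if __name__ == "__main__":
    print(build_delta_query("https://weserve.example/scim/v2", "2024-05-01T00:00:00Z"))
```

The returned map of changed paths lets the relying party react only to the changes it cares about, and filtering the reply on the client side keeps unauthorized attributes out of the cache even if the directory service returns more than was requested.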


The use cases mentioned above are just a few major uses of SCIM in the real world. In actual implementations, SCIM covers a more widespread set of requirements. It is therefore up to you to decide what SCIM can do for you and your business, and to adopt it to make your life easier.
