SCIM : Make it Fast, Cheap and Easy

Over the last decade, despite the drawbacks, the world has been moving towards cloud-based operational environments. The migration from on-premise to cloud-based systems is slow, and any such move needs to be done carefully. Identity provisioning is one of the areas that deserves the most attention, because a data breach can cause far more harm than you might imagine. The System for Cross-domain Identity Management (SCIM) comes into play as an emerging open standard that makes identity provisioning for cloud-based applications and services easier, cheaper and faster.

Identity provisioning, what is it?

In simple terms, identity provisioning is the creation, maintenance and deactivation of user accounts in one or more systems or applications, in response to automated or interactive business processes.

Leaving SCIM aside for a moment, traditional identity provisioning in a cloud-based environment looks like the image below: the Enterprise Cloud Subscriber (ECS) builds and maintains a separate, largely redundant integration for every Cloud Service Provider (CSP).

Identity provisioning in traditional approach

This still gets identities propagated, but maintaining many proprietary connectors, each with its own complexity and cost, quickly becomes a nightmare. The obvious remedy is a single open protocol that everyone agrees on, and that is exactly the need the System for Cross-domain Identity Management addresses for identity provisioning.

Identity provisioning with open standard like SCIM

According to RFC 7642, the IETF explains the need for SCIM as follows:

The System for Cross-domain Identity Management (SCIM) specification is designed to manage user identity in cloud-based applications and services in a standardized way to enable interoperability, security, and scalability.

The first version, SCIM 1.0, was released in 2011, followed by version 1.1 in July 2012. The current standard, SCIM 2.0, was published as IETF RFCs (RFC 7642, 7643 and 7644) in September 2015. Even though SCIM was initially designed with cloud-based use cases in mind, it turned out that a common language for moving identities between on-premise systems is just as useful, and this is what later set the stage for SCIM's broad adoption.


How does it actually work?

SCIM is built on common User and Group schemas plus an extension model. It does not merely define those schemas; it also binds them to a standard protocol for exchanging them, which is what makes SCIM an open connector. The following diagram illustrates the object model of SCIM 2.0. As can be seen, Resource is the common denominator and all SCIM objects derive from it. Every Resource carries the attributes id, externalId and meta; RFC 7643 defines the User and Group resource types, and the Enterprise User extension that adds enterprise attributes (employee number, department, manager and so on) to User, all of which build on these common attributes.

Object model of SCIM 2.0

For manipulating resources, SCIM provides a rich but simple REST API, with operations powerful enough to perform massive bulk updates in a single request. The following is a high-level overview of the HTTP methods and how SCIM uses them.

SCIM HTTP methods according to RFC 7644

SCIM defines endpoints per resource type for performing the operations above: /Users, /Groups, /Me and /Bulk are the endpoints defined for resource manipulation. To simplify interoperability, SCIM also provides three discovery endpoints, /ServiceProviderConfig, /ResourceTypes and /Schemas, through which a client can learn the supported features (filtering, bulk, PATCH, authentication schemes) and the exact attribute definitions before it sends any data.

Defined endpoints according to RFC 7644

To better understand how the SCIM protocol works, the following illustrates a simple user creation: an HTTP POST to the /Users endpoint carrying a JSON representation of the user.

Example create user request to /Users endpoint

In response, the server confirms the successful creation with HTTP status code 201 (Created), sets a Location header pointing at the new resource, and returns the representation of the created resource with its server-assigned id and meta attributes.

Server’s response for create user request.
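The exchange above, and the object model described earlier, as an added worked example that is not part of the original article: a minimal in-memory SCIM 2.0 service provider handling POST /Users and GET /Users/{id}. The base URL, the store and the sample request (modelled on the "bjensen" user used in the RFC 7643 examples) are assumptions constructed for this example. Beyond the happy path, it shows the checks a practitioner should expect from a real provider: client-supplied id and meta are ignored because the server owns them, userName uniqueness is enforced with a 409 and scimType "uniqueness", errors use the RFC 7644 error schema, and the password is never echoed back in a response.

```python
"""Minimal in-memory SCIM 2.0 service provider (added example, not the article's code).
Implements the create-user exchange from RFC 7644 section 3.3 with the checks a
provider is expected to make; the base URL and the sample data are assumptions."""
import json
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
BASE_URL = "https://example.com/scim/v2"  # assumed deployment base URL
SCIM_JSON = "application/scim+json"       # media type required by RFC 7644

# readOnly per RFC 7643: the server assigns these, so anything a client sends is dropped.
SERVER_OWNED = {"id", "meta"}
# returned="never" per RFC 7643: accepted on input, never present in any response.
NEVER_RETURNED = {"password"}


def scim_error(status, detail, scim_type=None):
    """Build an RFC 7644 error response as (status, headers, body)."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, {"Content-Type": SCIM_JSON}, body


class UserStore:
    """Hypothetical provider backend keeping users in a dict keyed by id."""

    def __init__(self):
        self._users = {}  # id -> full stored representation (including password)

    def create_user(self, request_body):
        """Handle POST /Users. Returns (status, headers, body)."""
        if USER_SCHEMA not in request_body.get("schemas", []):
            return scim_error(400, "schemas must include the core User schema", "invalidValue")
        user_name = request_body.get("userName")
        if not isinstance(user_name, str) or not user_name:
            return scim_error(400, "userName is required", "invalidValue")
        # userName is unique and caseExact=false in RFC 7643, so compare case-insensitively.
        if any(u["userName"].lower() == user_name.lower() for u in self._users.values()):
            return scim_error(409, "userName already exists", "uniqueness")

        user = {k: v for k, v in request_body.items() if k not in SERVER_OWNED}
        user_id = str(uuid.uuid4())  # server-assigned, regardless of what the client sent
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        location = f"{BASE_URL}/Users/{user_id}"
        user["id"] = user_id
        user["meta"] = {"resourceType": "User", "created": now,
                        "lastModified": now, "location": location}
        self._users[user_id] = user
        headers = {"Content-Type": SCIM_JSON, "Location": location}
        return 201, headers, self._public(user)

    def get_user(self, user_id):
        """Handle GET /Users/{id}. Returns (status, headers, body)."""
        user = self._users.get(user_id)
        if user is None:
            return scim_error(404, f"Resource {user_id} not found")
        return 200, {"Content-Type": SCIM_JSON}, self._public(user)

    @staticmethod
    def _public(user):
        """Strip attributes that must never leave the provider (e.g. password)."""
        return {k: v for k, v in user.items() if k not in NEVER_RETURNED}


# Constructed sample request, modelled on the RFC 7643 example user.
CREATE_REQUEST = {
    "schemas": [USER_SCHEMA, ENTERPRISE_EXT],
    "userName": "bjensen",
    "name": {"givenName": "Barbara", "familyName": "Jensen"},
    "emails": [{"value": "bjensen@example.com", "primary": True}],
    "password": "t1meMa$heen",
    "id": "client-chosen-id",  # a client trying to pick its own id; must be ignored
    ENTERPRISE_EXT: {"employeeNumber": "701984", "department": "Tour Operations"},
}


def demo():
    """Run the POST /Users exchange followed by a duplicate create and a GET."""
    store = UserStore()
    created = store.create_user(CREATE_REQUEST)
    duplicate = store.create_user(dict(CREATE_REQUEST, userName="BJENSEN"))
    fetched = store.get_user(created[2]["id"])
    return created, duplicate, fetched


if __name__ == "__main__":
    for status, headers, body in demo():
        print(status, headers)
        print(json.dumps(body, indent=2))
```

Running the block prints the 201 response (note the server-generated id and meta.location, and the absent password), the 409 uniqueness error for the second create, and the 200 GET response. Real deployments add authentication on every endpoint and an ETag/version in meta for concurrency control, which are omitted here.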

Adopt it or regret later..

“I’m also proud to say Oracle’s Amit Jasuja announced at the recent OpenWorld that Oracle IDM’s key REST API for Identity will be SCIM.”
Phil Hunt — Oracle [1]

The number of SCIM adoptions over the past few years has grown rapidly. It is becoming the next major standard for identity provisioning, as the tech giants of the world have already adopted it.

Who are already in for the game?

Change is painful. But nothing is as painful as staying stuck somewhere you don't belong. So now is the right time to evaluate what SCIM can do for you and your business, and to act on it. It's now or never!

References

  1. https://blogs.oracle.com/fusionmiddleware/entry/standards_corner_ietf_scim_working
  2. http://www.simplecloud.info/
  3. https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management