Today’s standards corner is an update about SCIM Protocol (System for Cross-domain Identity Management), its current status, and its use in relation to LDAP directory services.
In late October, the SCIM Working Group of the IETF wrapped up discussions on SCIM 2.0, and the proposed standards drafts are now considered Working Group Consensus Documents. As editor and on behalf of the working group, I’m proud to say that the specifications are now going through final review by the wider IETF community.
The SCIM 2.0 specifications are the first formalization of the specifications contributed to the IETF back in August of 2012. Significant improvements have been made, including:
- An improved extension model, including the flexibility to extend the existing User and Group resources as well as the ability to define new resource types and endpoints, opening the door for new extensions in the future.
- The ability to query multiple resource types using attribute filters, including sub-attribute filters on a multi-valued complex attribute (for example, filter=addresses[type eq "work" and value ew "@example.com"]).
- Support for secure queries that do not require passing confidential parameters via URLs.
- A more powerful PATCH command based on JSON Patch (RFC 6902) that allows sub-attribute updating.
- The ability to request specific attributes and exclude others (for optimized data flow).
- Processing rules that follow the Robustness Principle (Postel's Law): be conservative in what you do, be liberal in what you accept.
- Standardized error responses, and
- JSON-based messages and data, standardized UTF-8 encoding, and MIME-type support.
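To make the filter and attribute-selection items above concrete, here is a small evaluator for SCIM 2.0-style filters. It is an added example written for this column, not code from the original post, from the SCIM working group, or from any Oracle product. It runs the filter from the list above, addresses[type eq "work" and value ew "@example.com"], over a handful of constructed User resources and then trims each match the way the attributes/excludedAttributes query parameters do. The sample resources (with a "value" sub-attribute on addresses), the tuple AST, and the simplifications (quoted string values only, case-insensitive string comparison, top-level attribute selection, no parenthesised groups or "not") are assumptions of this example, not statements from the specifications.

```python
import re

# Constructed sample resources (not from the page); each "addresses" entry carries a "value"
# sub-attribute so the page's own filter example can be run against them.
USERS = [
    {"id": "1", "userName": "bjensen", "addresses": [
        {"type": "work", "value": "bjensen@example.com"},
        {"type": "home", "value": "babs@home.example.org"}]},
    {"id": "2", "userName": "jsmith", "addresses": [{"type": "work", "value": "jsmith@partner.example.net"}]},
    # Work address at another domain but home address at example.com: must NOT match the grouped filter.
    {"id": "3", "userName": "dmiller", "addresses": [
        {"type": "work", "value": "dmiller@partner.example.net"},
        {"type": "home", "value": "dmiller@example.com"}]},
]

# Tokens: [ ], a double-quoted string literal, a word (attribute path, operator, keyword), or junk.
_TOKEN = re.compile(r'\s*(?:(?P<punct>[\[\]])|"(?P<str>(?:[^"\\]|\\.)*)"|(?P<word>[A-Za-z][\w.:$-]*)|(?P<bad>\S))')

# Comparison operators on string attributes, compared case-insensitively (SCIM's default when not caseExact).
OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b, "co": lambda a, b: b in a,
       "sw": lambda a, b: a.startswith(b), "ew": lambda a, b: a.endswith(b)}

def tokenize(text):
    """Split a filter string into (kind, value) tokens; literal values are taken as strings."""
    tokens = [(m.lastgroup, m.group(m.lastgroup)) for m in _TOKEN.finditer(text)]
    if any(kind == "bad" for kind, _ in tokens):
        raise ValueError(f"cannot tokenize filter: {text!r}")
    return tokens

class Parser:
    """Recursive descent over the tokens: or-expr > and-expr > atom, yielding a tuple AST."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _take(self, expect=None):
        tok = self._peek()
        if tok[0] is None or (expect and tok != expect):
            raise ValueError(f"unexpected token {tok[1]!r} at position {self.i}")
        self.i += 1
        return tok

    def _binary(self, word, operand):
        node = operand()
        while self._peek()[0] == "word" and self._peek()[1].lower() == word:
            self._take()
            node = (word, node, operand())
        return node

    def expr(self):
        return self._binary("or", lambda: self._binary("and", self._atom))

    def _atom(self):
        kind, path = self._take()
        if kind != "word":
            raise ValueError(f"expected attribute path, got {path!r}")
        if self._peek() == ("punct", "["):   # path[sub-filter]: a single element must satisfy it all
            self._take()
            inner = self.expr()
            self._take(("punct", "]"))
            return ("any", path, inner)
        op = self._take()[1].lower()
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        return ("cmp", path, op, self._take()[1])

def attr_values(obj, path):
    """Resolve a dotted attribute path case-insensitively, flattening multi-valued attributes."""
    found = [obj]
    for part in path.lower().split("."):
        found = [v for item in found if isinstance(item, dict)
                 for key, val in item.items() if key.lower() == part
                 for v in (val if isinstance(val, list) else [val])]
    return found

def evaluate(node, resource):
    """Return True if the resource satisfies the filter AST."""
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], resource) and evaluate(node[2], resource)
    if kind == "or":
        return evaluate(node[1], resource) or evaluate(node[2], resource)
    if kind == "any":   # grouped sub-attribute filter: the whole inner filter is evaluated per element
        return any(isinstance(el, dict) and evaluate(node[2], el) for el in attr_values(resource, node[1]))
    _, path, op, wanted = node
    return any(isinstance(v, str) and OPS[op](v.lower(), wanted.lower()) for v in attr_values(resource, path))

def select_attributes(resource, attributes=None, excluded=None):
    """Apply the attributes / excludedAttributes parameters to top-level names; id is always kept."""
    wanted = {a.lower() for a in attributes} if attributes is not None else None
    dropped = {a.lower() for a in excluded or ()}
    return {k: v for k, v in resource.items()
            if k.lower() == "id" or ((wanted is None or k.lower() in wanted) and k.lower() not in dropped)}

def search(resources, filter_text, attributes=None, excluded=None):
    """Evaluate the value of a SCIM filter= parameter over resources and trim each match."""
    parser = Parser(tokenize(filter_text))
    ast = parser.expr()
    if parser.i != len(parser.toks):
        raise ValueError("unexpected trailing tokens in filter")
    return [select_attributes(r, attributes, excluded) for r in resources if evaluate(ast, r)]
```

The third constructed user is the reason the bracket grouping exists. A naive translation of the same intent, addresses.type eq "work" and addresses.value ew "@example.com", matches dmiller as well as bjensen, because the two conditions are satisfied by two different address entries; the grouped form addresses[type eq "work" and value ew "@example.com"] requires one entry to satisfy both and returns only bjensen. For a provisioning rule keyed on the domain of a work address, that difference decides which accounts get created or removed, so a service provider implementing SCIM filters should evaluate the bracketed sub-filter per element rather than flattening the multi-valued attribute.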
I’m also proud to say that Oracle’s Amit Jasuja announced at the recent OpenWorld that Oracle IDM’s key REST API for Identity will be SCIM. In making this announcement at OOW, Oracle joins many other implementers in supporting SCIM’s RESTful approach to IDM and broader use of the proposed provisioning standard.
While I’m on the subject of SCIM, I’d like to position SCIM in the context of LDAP, as this seems to be a question for many. Why a new protocol? Is SCIM better than LDAP? Why should enterprises build yet another protocol infrastructure?
To answer this, consider that there are multiple changes occurring in enterprise identity environments:
- Many enterprises are moving from single-domain intranets to building enterprise systems that span multiple cloud providers across multiple domains, in many cases over the open Internet. Further, each domain will have its own local identity profile needs and security infrastructure, even though federated authentication might be shared between the enterprise and the cloud providers.
- There has been a major shift in application architecture towards REST, placing emphasis on HTTP-based services. Almost all enterprise applications are being rewritten industry-wide to support open RESTful HTTP-based services.
- New authentication and authorization systems based on OAuth2 (RFC 6749) and multi-factor authentication enable more secure inter-service communication, including delegated authorization.
While LDAP has been incredibly successful over the past 15 years or so, it is starting to show its age. In addition to the above, SCIM offers some further advantages:
- Support for complex attributes, which in practical terms gives the capability to store the same kind of information you see in today’s mobile phone contact applications, where each contact can have multiple addresses, multiple phone numbers and multiple email addresses.
- SCIM can support multi-factor authentication and OAuth2 delegated authorization like any other HTTP-based service.
- SCIM’s use of the robustness principle allows enterprise clients to offer common identity information and lets service providers pick and choose the schema they wish to accept, simplifying configuration and interoperability. This flexibility is probably one of the largest interoperability factors when provisioning in cross-domain environments.
With regard to the costs of yet another protocol infrastructure, I think we have to consider that the question often pits LDAP in competition with SCIM. This is probably a false dichotomy. The business challenge that SCIM is primarily intended to answer is how to provision enterprise users to new cloud application services. SCIM provides the protocol link for enterprises to leverage enterprise identity and provision to the cloud, something that is new regardless of the protocol used. As such, SCIM is not really a protocol that enterprises have to pay to implement as infrastructure unless they want to run SCIM services internally.
If you haven't already, I encourage you to contact your IDM vendor (including Oracle!) and ask about their upcoming support for SCIM 2.0 and its advantages for moving enterprise services to the cloud!
Author: Phil Hunt
Phil Hunt is an active member of multiple industry standards groups and committees and has spearheaded the discussion, creation and ratification of industry standards on privacy and security, including IGF, SCIM and OAuth, among others. As he is an active voice in the industry standards development world, we have invited him to share his discussions, thoughts, news and updates in this monthly column, and to discuss use cases and implementation success stories (and even failures) around industry standards.