SCIM (Simple Cloud Identity Management) (3H)

Session Topic: SCIM (T3H)

Convener: Morteza Ansari

Notes-taker(s): Kelly Grizzle

Tags for the session - technology discussed/ideas considered: 

SCIM, Cloud, Provisioning

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

SCIM Overview
 * Discussions started around a year ago
 * Spec arose because most major cloud vendors have proprietary APIs for identity and group management
 * Currently close to a 1.0 version, working under OWF. Interop testing is happening now.
 * The spec consists of a REST API plus extensible schemas for identity and group. The core schema contains basic user and group attributes and an enterprise user extension.

Discussion of user IDs
 * User IDs must be globally unique within the service provider
 * Multi-tenancy can be handled by including tenant information in user ID or via the URLs for the REST endpoints.

Other similar schemas – OpenSocial, OpenID Connect
 * SCIM was based originally on PortableContacts.
 * There are small differences between the SCIM schema and existing specs, but the existing specs either had too much or too little.
 * It is alright to diverge from existing standards when use cases call for it (e.g. enterprise vs. consumer).
 * We are open to input on how to make it better! Please join the discussion at http://www.simplecloud.info.

Who has signed on to this effort?
 * Salesforce.com, Cisco (Webex), Google, Ping, UnboundID, Technology Nexus, SailPoint, others
 * A goal was to keep it simple enough to drive adoption and achieve critical mass.

Group membership
 * Consider specifying information associated with a group membership (e.g. your role with respect to the group, such as admin).
 * This concept makes a lot of sense for “collaboration groups”, but perhaps not so much for “security groups”.

Mappings from SCIM to other schemas
 * The group is working on standard mappings between the SCIM user and group schemas and other schemas (e.g. Active Directory, inetOrgPerson).

Next Steps
 * Wrap up the draft 1.0 version of the spec within the next month.
 * Not yet sure how to get it blessed by the larger community.
 * BoF at winter/spring IETF?
 * Move to a standards body after 1.0 is complete.