System for Cross-domain Identity Management

Abbreviation: SCIM
Status: Active
First published: 2011
Latest version: 2.0 (September 2015)
Organization: IETF
Base standards: JSON, XML
Domain: Identity management
Website: tools.ietf.org/wg/scim/

System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, or IT systems.

One example might be that as a company onboards new employees and separates from existing employees, they are added and removed from the company's electronic employee directory. SCIM could be used to automatically add/delete (or, provision/de-provision) accounts for those users in external systems such as Google Workspace, Office 365, or Salesforce.com. Then, a new user account would exist in the external systems for each new employee, and the user accounts for former employees might no longer exist in those systems.

In addition to simple user-record management (creating and deleting), SCIM can also be used to share information about user attributes, attribute schema, and group membership. Attributes could range from user contact information to group membership. Group membership or other attribute values are generally used to manage user permissions. Attribute values and group assignments can change, adding to the challenge of maintaining the relevant data across multiple identity domains. [1]

The SCIM standard has grown in popularity and importance, as organizations use more SaaS tools. [2] [3] A large organization can have hundreds or thousands of hosted applications (internal and external) and related servers, databases and file shares that require user provisioning. Without a standard connection method, companies must write custom software connectors to join these systems and their Identity Management (IdM) system. [4]

SCIM uses a standardised API through REST with data formatted in JSON or XML. [1]
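The provisioning and de-provisioning flow described above, as an added example that is not part of the original article or of any SCIM product: a client-side reconciliation that compares an HR directory (the system of record) with the users a SCIM 2.0 service provider reports, and builds the JSON request bodies for the accounts to create and the leavers to deactivate. The schema URNs are the ones defined in RFC 7643/7644; the sample directory, the `ListResponse` body and the user ids are constructed, and no HTTP is actually sent.

```python
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: what the service provider returned for GET /Users.
SP_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_SCHEMA],
    "totalResults": 2,
    "Resources": [
        {"id": "2819c223", "userName": "alice@example.com", "active": True},
        {"id": "c75ad752", "userName": "bob@example.com", "active": True},
    ],
})

# Constructed sample: current employees according to HR (bob has left, carol joined).
HR_DIRECTORY = {
    "alice@example.com": {"givenName": "Alice", "familyName": "Liddell"},
    "carol@example.com": {"givenName": "Carol", "familyName": "Danvers"},
}

def parse_list_response(body):
    """Map userName -> resource; reject bodies that are not a SCIM ListResponse."""
    doc = json.loads(body)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return {r["userName"]: r for r in doc.get("Resources", [])}

def create_user_request(user_name, attrs):
    """Body for POST /Users creating an active User resource."""
    return {"schemas": [USER_SCHEMA], "userName": user_name, "active": True,
            "name": {"givenName": attrs["givenName"], "familyName": attrs["familyName"]}}

def deactivate_request():
    """PATCH body setting active=false. Deactivating instead of DELETE keeps the record
    for audit; it assumes the provider supports PATCH, which RFC 7644 makes optional."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def reconcile(hr, sp_body):
    """Return (method, path, body) requests that bring the provider in line with HR."""
    existing = parse_list_response(sp_body)
    plan = []
    for user_name, attrs in hr.items():          # joiners: in HR, unknown to the provider
        if user_name not in existing:
            plan.append(("POST", "/Users", create_user_request(user_name, attrs)))
    for user_name, res in existing.items():      # leavers: still active, gone from HR
        if user_name not in hr and res.get("active", True):
            plan.append(("PATCH", "/Users/" + res["id"], deactivate_request()))
    return plan
```

The leaver check is the part that matters for security: every account the provider still reports as active but HR no longer lists becomes a deactivation request, so orphaned access does not survive a missed offboarding.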

History

The first version, SCIM 1.0, was released in 2011 by a SCIM standard working group organized under the Open Web Foundation. [5] In 2011, it was transferred to the IETF, and the current standard, SCIM 2.0, was released as an IETF RFC in 2015. [2] [6]

SCIM 2.0 was completed in September 2015 and is published as IETF RFCs 7643 [7] and 7644. [8] A use-case document is also available as RFC 7642. [9]

The standard has been implemented in various IdM software. [10]

The standard was initially called Simple Cloud Identity Management (and is still called this in some places), but the name was officially changed to System for Cross-domain Identity Management (SCIM) when the IETF adopted it. [11]

Interoperability was demonstrated in October 2011, at the Cloud Identity Summit, an IAM industry conference. There, user accounts were provisioned and de-provisioned across separate systems using SCIM standards, by a collection of IdM software vendors: Okta, CyberArk, Ping Identity, SailPoint, Technology Nexus and UnboundID. [3] In March 2012, at IETF 83 in Paris, interoperability tests continued by the same vendors, joined by Salesforce.com, BCPSoft, WSO2, Gluu, and Courion (now SecureAuth), nine companies in total. [12]

SCIM is the second standard for exchanging user data, but it builds on prior standards (e.g. SPML, PortableContacts, vCards, and LDAP directory services) in an attempt to be a simpler and more widely adopted solution for cloud services providers. [13] [14]

The SCIM standard is growing in popularity and has been adopted by numerous identity providers as well as applications. As adoption of the standard grows, so does the number of tools available: open-source libraries [15] facilitate development, and testing frameworks [16] check an endpoint's compliance with the SCIM standard.

References

  1. Internet Engineering Task Force, Network Working Group (May 11, 2015). System for Cross-Domain Identity Management: Core Schema. Draft 19. Retrieved 2015-05-17.
  2. Wilson, Neil (June 22, 2011). "SCIMming along..." UnboundID blog. Retrieved May 11, 2015.
  3. "Identity Management Companies To Demonstrate Simple Cloud Identity Management (SCIM) Specification at Internet Identity Workshop (IIW)" (Press release). SailPoint. October 18, 2011. Archived from the original on 2016-03-04. Retrieved May 11, 2015.
  4. Grizzle, Kelly (March 10, 2014). "SCIM: Provisioning users, killing connectors". SecureID News. SecureID. Retrieved May 17, 2015.
  5. "SCIM Overview". scim.cloud. Simple Cloud Identity Management. Retrieved May 17, 2015.
  6. Internet Engineering Task Force, Network Working Group (August 2, 2012). System for Cross-Domain Identity Management: Core Schema 1.1. Version 1.1. Retrieved 2015-05-11.
  7. Hunt, Phil; Grizzle, Kelly; Wahlstroem, Erik; Mortimore, Chuck (September 2015). "RFC 7643: System for Cross-domain Identity Management: Core Schema". ietf.org. Internet Engineering Task Force.
  8. Hunt, Phil; Grizzle, Kelly; Ansari, Morteza; Wahlstroem, Erik; Mortimore, Chuck (September 2015). "RFC 7644: System for Cross-domain Identity Management: Protocol". ietf.org. Internet Engineering Task Force.
  9. Li, Kepeng; Hunt, Phil; Khasnabish, Bhumip; Nadalin, Anthony; Zeltsan, Zachary (September 2015). "RFC 7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements". ietf.org. Internet Engineering Task Force.
  10. "Known SCIM implementations". scim.cloud. Simple Cloud Identity Management.
  11. Hunt, Phil (February 27, 2014). "Standards Corner: SCIM and the Shifting Enterprise Identity Center of Gravity". Oracle Fusion Middleware (blog). Oracle. Retrieved May 17, 2015.
  12. "Logistics and attendee info for the March 2012 SCIM interop event". SCIM, Simple Cloud Identity Management. April 26, 2012. Retrieved May 11, 2015.
  13. "SCIM: How It Works" (Article). PingIdentity.com. Retrieved July 28, 2020.
  14. Internet Engineering Task Force, Network Working Group (September 2015). "Section 1, Introduction". System for Cross-Domain Identity Management: Core Schema. RFC 7643. Retrieved 2023-05-19.
  15. "Provisioning with SCIM – design, build, and test your SCIM endpoint". March 2, 2020.
  16. "Test Your SCIM Endpoint · AzureAD/SCIMReferenceCode Wiki". GitHub.