SCIM Overview and Concept
SCIM originally stood for “Simplified Cloud Identity Management”; the name was
later changed to “System for Cross-domain Identity Management”. SCIM was
originally developed for cloud services, but it was later decided that it is
not bound to the cloud and can be used in purely on-premise scenarios as well.
The new name reflects this.

Originally SCIM was defined with three main actors.

   - CSP: Cloud Service Provider
      - A CSP is the entity which holds the identities of end users and also
        provides services for user management.
   - ECS: Enterprise Cloud Subscriber
      - The ECS actor is a single entity which is given administrative
        responsibility to manage other identity accounts.
   - CSU: Cloud Service User
      - A CSU represents the real cloud service end user.


WSO2 Identity Server as a SCIM Provider
According to the new definition of SCIM (System for Cross-domain Identity
Management), WSO2 Identity Server can also act as a SCIM provider, which is
similar to the Cloud Service Provider.

   - WSO2 Identity Server
      - Similar to the Cloud Service Provider. Provides services to manage end
        user identities.
   - Authorized Entity for Provisioning
      - Similar to the Enterprise Cloud Subscriber. The authorized entity is a
        single identity which has administrative privilege to manage end user
        accounts.
   - End User
      - Similar to the Cloud Service User.


How we have done things on C4
In C4, up to Identity Server 5.3.0, we have been using SCIM only for
provisioning users from external systems into Identity Server (inbound
provisioning). In C4 we also have a couple of SOAP services to manage user
identities.

UserAdmin: Used for Management Console user management operations.

RemoteUserStoreManagerService:  Manage user identities in user store
remotely.

UserInformationRecoveryService: Self sign-up, username recovery, password
recovery.

Even though the above services have been implemented for different
objectives, there is a lot of duplicated effort. For example, the add-user
operation is included in all three services. When you switch among different
services for the same functionality, for example from
UserInformationRecoveryService → registerUser to the SCIM add-user operation
or to the UserAdmin add-user operation, you may find different data formats
and performance differences due to the different implementations.


What is new for C5?
What we are proposing is to reuse the standard SCIM APIs for all user
management functionality. Since SCIM 2.0 provides more comprehensive user
management functionality, we can build a common layer to serve all user
management use cases for different channels. Basically, a user admin can
manage other identity accounts via the SCIM APIs without a separate
implementation.

Further, we can extend the usage of SCIM to identity management
functionality as well. For example, we can achieve self sign-up by sending an
anonymous SCIM request to the SCIM '/Me' endpoint.
For some use cases we may need a custom implementation which might be
outside the SCIM specification. For example, SCIM does not allow assigning
roles to a user.

Finally, what we want to achieve is to replace the multiple user management
APIs like UserAdmin, RemoteUserStoreManagerService and
UserInformationRecoveryService with the standard SCIM APIs.
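As an added example, not code from this message or from WSO2 Identity Server, the following Python sketch shows the idea from the paragraphs above: one SCIM 2.0 create-user layer serving two channels, the authenticated admin POST /Users and the anonymous self sign-up POST /Me. The channel names, the in-memory store, the rule that anonymous sign-ups start inactive, and the resource location path are assumptions of the example; the schema URNs, the error response shape and the read-only status of id, meta and groups come from RFC 7643/7644.

```python
"""Minimal SCIM 2.0 user-creation layer shared by two channels.

Added example, not WSO2 Identity Server code. A single create_user handler
serves both an administrative POST /Users and an anonymous self sign-up
POST /Me. Channel names, the verification rule for anonymous sign-ups and
the in-memory store are assumptions made for this example.
"""
import json
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"    # RFC 7643 core User schema
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"  # RFC 7644 error response

# Attributes the server owns (mutability readOnly in RFC 7643); clients may never set them.
SERVER_OWNED = ("id", "meta", "groups")

# Constructed in-memory store standing in for a real user store.
USERS = {}


def scim_error(status, scim_type, detail):
    """Build an RFC 7644 error body; status is carried as a string per the spec."""
    return {"schemas": [ERROR_SCHEMA], "status": str(status),
            "scimType": scim_type, "detail": detail}


def create_user(payload, channel):
    """Single create path for every channel.

    channel is "admin" (authenticated POST /Users) or "anonymous"
    (self sign-up POST /Me). Returns (http_status, response_body).
    """
    if channel not in ("admin", "anonymous"):
        raise ValueError("unknown channel")
    schemas = payload.get("schemas") if isinstance(payload, dict) else None
    if not isinstance(schemas, list) or USER_SCHEMA not in schemas:
        return 400, scim_error(400, "invalidValue", "schemas must include the core User schema")
    user_name = payload.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        return 400, scim_error(400, "invalidValue", "userName is required")
    if any(u["userName"] == user_name for u in USERS.values()):
        return 409, scim_error(409, "uniqueness", "userName already exists")

    # Drop server-owned attributes regardless of channel: a client-supplied
    # "groups" list or "id" is never honoured.
    user = {k: v for k, v in payload.items() if k not in SERVER_OWNED}

    # Assumed policy for this example: accounts created through the anonymous
    # self sign-up channel start inactive until the sign-up is verified, so an
    # anonymous caller cannot obtain a ready-to-use account with one request.
    if channel == "anonymous":
        user["active"] = False
    else:
        user.setdefault("active", True)

    user_id = str(uuid.uuid4())
    user["id"] = user_id
    user["meta"] = {"resourceType": "User",
                    "created": datetime.now(timezone.utc).isoformat(),
                    "location": f"/Users/{user_id}"}  # assumed base path
    USERS[user_id] = user
    return 201, user


def post_users(body):
    """Admin channel entry point: the caller has already been authenticated."""
    return create_user(json.loads(body), "admin")


def post_me(body):
    """Self sign-up entry point: the request carries no credentials."""
    return create_user(json.loads(body), "anonymous")


if __name__ == "__main__":
    # Constructed sample request bodies.
    admin_req = json.dumps({"schemas": [USER_SCHEMA], "userName": "alice",
                            "groups": [{"value": "admins"}]})
    me_req = json.dumps({"schemas": [USER_SCHEMA], "userName": "bob", "active": True})
    print(json.dumps(post_users(admin_req)[1], indent=2))
    print(json.dumps(post_me(me_req)[1], indent=2))
```

Both entry points end in the same validation, uniqueness check and attribute filtering, which is the point of the common layer: the channel only decides how much the caller is trusted, not how a user is created.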

Your suggestions and feedback are much appreciated.


Thanks,
Gayan

-- 
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: [email protected]
Mobile: +94 (71) 8020933
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
