SCIM: Provisioning users, killing connectors
10 March, 2014
category: Corporate, Digital ID, Financial, Government
Kelly Grizzle, principal software engineer, SailPoint
Digital identity is becoming increasingly important as enterprises strive to protect and control access to online resources. A series of maturing standards is helping make identity management and single sign-on a reality for organizations deploying systems.
As 2013 came to a close SecureIDNews.co
One of the fundamental jobs of an identity and access management (IAM) system is managing changes to users and their access to various enterprise resources – a subset of IAM called provisioning. The typical organization has hundreds, sometimes thousands, of applications, servers, databases and file shares that must be provisioned. In fact, I know of one recent company with approximately 3,500 unique systems.
Historically, enterprises have automated the provisioning of resource changes by using “connectors” between the IAM system and those resources to push or pull changes back and forth to make any required alterations to identities.
The recent explosion of SaaS and cloud-based applications has made it even more difficult to keep up with the need for new connectors. IAM vendors, customers and systems integrators alike need to continually build and maintain hundreds upon hundreds of connectors to make all that work. It’s no simple task, and many legacy IAM vendors charge a price for every connector a customer uses.
The growing abundance of available SaaS applications, and the speed at which they can be deployed, has caused the IAM market to hit a tipping point. It’s no longer practical for IAM vendors to keep writing connectors, and it’s too expensive for end users to keep using separate connectors for every application.
To address this challenge, a new standard called System for Cross-Domain Identity Management (SCIM) has been developed to create a uniform provisioning interface for SaaS and cloud applications. SCIM’s intent is to reduce the cost and complexity of managing users in and out of SaaS applications by eliminating the need for separate and proprietary connectors to each individual application.
A cross-industry team, which includes my company, SailPoint, Cisco, Ping, Salesforce.com, Technology Nexus and UnboundID, designed this specification with an emphasis on simplicity, while supporting existing authentication, authorization and privacy models.
Keeping It Simple
From the outset, SCIM was designed to be simple. It does not try to cover every provisioning use case, but rather supports the most common situations. Based on the 80/20 rule, SCIM focuses on the core tasks – the essential CRUD (create, read, update, and delete) operations – of account management and leaves out the 20% of “provisioning platform” extras that individual organizations have added into their respective connectors.
It does this by utilizing an extensible user schema that means the same thing, regardless of which application is being provisioned. The schema can then be extended to handle any necessary, specific IAM vendor or service-provider requirements. This simplifies provisioning for the SaaS providers, as well as for IAM vendors and customers.
SCIM clearly and simply addresses the account creation, management and deletion “interface” using a fully RESTful web services approach that any application can use. It takes the simpler, more direct use cases and implements them with a “resource-centric” approach that is easier to write and use in code, and easier to read and understand in the specification.
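To make the “core CRUD on an extensible schema” idea concrete, here is an added example in Python of a minimal in-memory SCIM /Users resource. It is not code from the article or from SailPoint, and it uses the SCIM 2.0 schema and message URNs from RFC 7643/7644, which post-date this 2014 article; the `UserStore` class, `ScimError` class and the sample user data are constructed for illustration. It shows the core User schema plus the enterprise extension, the create/read/replace/patch/delete operations, and the server-side checks a provisioning endpoint should enforce: the core schema must be present, `userName` must be unique (409 with `scimType` “uniqueness”), and `id`/`meta` are server-owned and read-only.

```python
import copy
import uuid
from datetime import datetime, timezone

# SCIM 2.0 schema and message URNs (RFC 7643 / RFC 7644).
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
KNOWN_SCHEMAS = {CORE_USER, ENTERPRISE_USER}   # what this toy server accepts


class ScimError(Exception):
    """HTTP status plus optional scimType, renderable as a SCIM Error body."""

    def __init__(self, status, detail, scim_type=None):
        super().__init__(detail)
        self.status, self.detail, self.scim_type = status, detail, scim_type

    def body(self):
        err = {"schemas": [ERROR], "status": str(self.status), "detail": self.detail}
        if self.scim_type:
            err["scimType"] = self.scim_type
        return err


def _split_path(path):
    """'active' -> (None, 'active'); '<extension urn>:department' -> (urn, 'department')."""
    for urn in KNOWN_SCHEMAS - {CORE_USER}:
        if path.startswith(urn + ":"):
            return urn, path[len(urn) + 1:]
    return None, path


def _now():
    return datetime.now(timezone.utc).isoformat()


class UserStore:
    """Constructed in-memory /Users endpoint exposing the CRUD operations SCIM standardizes."""

    def __init__(self):
        self._users = {}

    def _validate(self, body):
        schemas = set(body.get("schemas", []))
        if CORE_USER not in schemas:
            raise ScimError(400, "schemas must include the core User schema", "invalidValue")
        if schemas - KNOWN_SCHEMAS:
            raise ScimError(400, "unsupported schema(s): " + ", ".join(sorted(schemas - KNOWN_SCHEMAS)), "invalidValue")
        if not body.get("userName"):
            raise ScimError(400, "userName is required", "invalidValue")

    def _check_unique(self, user_name, exclude_id=None):
        # userName is not caseExact in the core schema, so compare case-insensitively.
        for uid, u in self._users.items():
            if uid != exclude_id and u["userName"].lower() == user_name.lower():
                raise ScimError(409, "userName already in use", "uniqueness")

    def _get(self, user_id):
        if user_id not in self._users:
            raise ScimError(404, "User %s not found" % user_id)
        return self._users[user_id]

    def create(self, body):                                   # POST /Users
        self._validate(body)
        self._check_unique(body["userName"])
        user = copy.deepcopy(body)
        user["id"] = str(uuid.uuid4())
        user["meta"] = {"resourceType": "User", "created": _now(),
                        "lastModified": _now(), "location": "/Users/" + user["id"]}
        self._users[user["id"]] = user
        return 201, user

    def read(self, user_id):                                  # GET /Users/{id}
        return 200, self._get(user_id)

    def replace(self, user_id, body):                         # PUT /Users/{id}
        old = self._get(user_id)
        self._validate(body)
        self._check_unique(body["userName"], exclude_id=user_id)
        user = copy.deepcopy(body)
        user["id"], user["meta"] = user_id, dict(old["meta"], lastModified=_now())
        self._users[user_id] = user
        return 200, user

    def patch(self, user_id, body):                           # PATCH /Users/{id}
        user = copy.deepcopy(self._get(user_id))              # work on a copy, commit at the end
        if PATCH_OP not in body.get("schemas", []):
            raise ScimError(400, "body is not a PatchOp", "invalidSyntax")
        for op in body.get("Operations", []):
            kind, path = op.get("op", "").lower(), op.get("path")
            if kind not in ("add", "replace", "remove") or not path:
                raise ScimError(400, "unsupported operation", "invalidSyntax")
            ext, attr = _split_path(path)
            if attr in ("id", "meta"):
                raise ScimError(400, attr + " is read-only", "mutability")
            if ext and ext not in user["schemas"]:
                user["schemas"].append(ext)
            target = user.setdefault(ext, {}) if ext else user
            if kind == "remove":
                target.pop(attr, None)
            elif "value" not in op:
                raise ScimError(400, "add/replace need a value", "invalidValue")
            else:
                target[attr] = op["value"]
        if not user.get("userName"):
            raise ScimError(400, "userName cannot be removed", "invalidValue")
        self._check_unique(user["userName"], exclude_id=user_id)
        user["meta"]["lastModified"] = _now()
        self._users[user_id] = user
        return 200, user

    def delete(self, user_id):                                # DELETE /Users/{id}
        self._get(user_id)
        del self._users[user_id]
        return 204, None
```

The store is the server side of the connector-free model: an IAM system only needs to speak these five verbs against `/Users` and know the schema URNs, and the same client code works for any provider that exposes the endpoint. Application-specific attributes (here `department`) travel under the extension URN, both as a top-level key in the resource and as a prefix in PATCH paths, so they never collide with core attributes.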
App Vendor Support
While the need for SCIM is well understood, it’s incumbent on SaaS vendors to adopt SCIM and make the standard widely available. Several SaaS vendors, including Salesforce.com, Google and Cisco, are at the forefront of solving these issues, investing significant time to help drive SCIM forward and build SCIM interfaces into their products. Support by the major SaaS vendor platforms will prove critical if SCIM is to achieve widespread adoption.
Customer Demand for SCIM
The SCIM standard also needs the support of public and private organizations that want to simplify how they manage their identities and applications in the cloud. Many organizations now specify requirements for a simple, standardized way of managing their SaaS accounts. This growing and real customer need has resulted in pressure on SaaS vendors to support SCIM on one side, and a push for IAM vendors to make use of SCIM on the other.