SCIM (Simple Cloud Identity Management) (3H)

From IIW

Session Topic: SCIM (T3H)

Convener: Morteza Ansari

Notes-taker(s): Kelly Grizzle

Tags for the session - technology discussed/ideas considered:

SCIM, Cloud, Provisioning

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

SCIM Overview

  • Discussions started around a year ago
  • Spec arose because most major cloud vendors have proprietary APIs for identity and group management
  • Currently close to a 1.0 version, being developed under the OWF (Open Web Foundation) agreement. Interop testing is happening now.
  • Spec consists of a REST API plus extensible schemas for users and groups. The core schema contains basic user and group attributes and an enterprise user extension.

Discussion of user IDs

  • User IDs must be globally unique within the service provider
  • Multi-tenancy can be handled by including tenant information in the user ID or via the URLs for the REST endpoints.

Other similar schemas – OpenSocial, OpenID Connect

  • SCIM was based originally on PortableContacts.
  • There are small differences between the SCIM schema and existing specs, but the existing specs either had too much or too little.
  • It is alright to diverge from existing standards when use cases call for it (eg – enterprise vs. consumer, etc…)
  • We are open to input on how to make it better! Please join the discussion at

Who has signed on to this effort?

  • Cisco (Webex), Google, Ping, UnboundID, Technology Nexus, SailPoint, others
  • A goal was to keep it simple enough to drive adoption and achieve critical mass.

Group membership

  • Consider specifying information associated with a group membership (eg – your role with respect to the group – admin, etc…)
  • This concept makes a lot of sense with “collaboration groups”, maybe not so much with “security groups”

Mappings from SCIM to other schemas

  • The group is working on standard mappings from the SCIM user and group schemas to other schemas (eg – Active Directory, inetOrgPerson)
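As an added example (not from these notes and not the working group's mapping work), the following Python maps a SCIM user resource carrying the core schema and the enterprise extension onto inetOrgPerson attributes. The schema URNs are the ones later published in SCIM 1.0/1.1, the sample user is constructed, and the attribute pairing is one illustrative mapping, not the standard mapping the group was producing; the manager resolver and the base DN are assumptions as well.

```python
"""Added example, not code from the IIW notes or the SCIM spec: a SCIM-style
user resource (core schema + enterprise extension) mapped to an inetOrgPerson
entry. Schema URNs are those of SCIM 1.0/1.1 (assumed relative to the draft
discussed in the session); the attribute mapping is illustrative only."""
import json

CORE = "urn:scim:schemas:core:1.0"
ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"

# Constructed sample: a user as a SCIM service provider might return it.
# "id" is assigned by the service provider and must be unique within it;
# "externalId" is the provisioning client's own identifier for the user.
SAMPLE_USER_JSON = json.dumps({
    "schemas": [CORE, ENTERPRISE],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "externalId": "bjensen",
    "userName": "bjensen@example.com",
    "name": {"familyName": "Jensen", "givenName": "Barbara", "formatted": "Barbara Jensen"},
    "displayName": "Babs Jensen",
    "title": "Tour Guide",
    "emails": [
        {"value": "bjensen@example.com", "type": "work", "primary": True},
        {"value": "babs@jensen.org", "type": "home"},
    ],
    "phoneNumbers": [{"value": "555-555-5555", "type": "work"}],
    "active": True,
    ENTERPRISE: {
        "employeeNumber": "701984",
        "department": "Tour Operations",
        "organization": "Universal Studios",
        "manager": {"managerId": "26118915-6090-4610-87e4-49d8ca9f808d", "displayName": "John Smith"},
    },
})


def load_sample_user():
    """Parse the constructed sample into a dict."""
    return json.loads(SAMPLE_USER_JSON)


def primary_value(multi_valued, preferred_type=None):
    """Pick one value from a SCIM multi-valued attribute: the entry flagged
    primary, else the first entry of the preferred type, else the first entry.
    Returns None when the attribute is absent or empty."""
    if not multi_valued:
        return None
    for entry in multi_valued:
        if entry.get("primary"):
            return entry["value"]
    if preferred_type:
        for entry in multi_valued:
            if entry.get("type") == preferred_type:
                return entry["value"]
    return multi_valued[0]["value"]


def scim_user_to_inetorgperson(user, people_base="ou=People,dc=example,dc=com",
                               resolve_manager_dn=None):
    """Map a SCIM user dict to an inetOrgPerson attribute dict (RFC 2798 names).
    Raises ValueError if the core schema is not declared and KeyError if the
    attributes the person object class requires (userName, name.familyName) are missing.
    resolve_manager_dn, if given, maps a SCIM manager id to an LDAP DN; the
    inetOrgPerson 'manager' attribute holds a DN, not a SCIM id."""
    if CORE not in user["schemas"]:
        raise ValueError("not a SCIM core user resource")
    name = user["name"]
    entry = {
        "dn": f"uid={user['userName']},{people_base}",
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": user["userName"],
        "cn": name.get("formatted") or f"{name.get('givenName', '')} {name['familyName']}".strip(),
        "sn": name["familyName"],  # mandatory in the person object class
    }
    # Optional core attributes with direct inetOrgPerson equivalents.
    for scim_attr, ldap_attr in (("displayName", "displayName"), ("title", "title")):
        if user.get(scim_attr):
            entry[ldap_attr] = user[scim_attr]
    if name.get("givenName"):
        entry["givenName"] = name["givenName"]
    mail = primary_value(user.get("emails"), "work")
    if mail:
        entry["mail"] = mail
    phone = primary_value(user.get("phoneNumbers"), "work")
    if phone:
        entry["telephoneNumber"] = phone
    # Enterprise extension attributes. "active" has no standard inetOrgPerson
    # attribute (directories handle it differently, e.g. AD userAccountControl), so it is not mapped here.
    ent = user.get(ENTERPRISE, {})
    for scim_attr, ldap_attr in (("employeeNumber", "employeeNumber"),
                                 ("department", "departmentNumber"), ("organization", "o")):
        if ent.get(scim_attr):
            entry[ldap_attr] = ent[scim_attr]
    manager_id = ent.get("manager", {}).get("managerId")
    if manager_id and resolve_manager_dn is not None:
        entry["manager"] = resolve_manager_dn(manager_id)
    return entry


if __name__ == "__main__":
    print(json.dumps(scim_user_to_inetorgperson(load_sample_user()), indent=2))
```

The mapping keeps the SCIM `id` out of the directory entry on purpose: it is the service provider's identifier, unique within that provider only, and the directory has its own naming (the DN). Cross-referencing the two is left to the provisioning system, as is resolving a manager reference, since SCIM refers to the manager by id while inetOrgPerson wants a DN.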

Next Steps

  • Wrap up draft 1.0 version of the spec within the next month
  • Not quite sure how to get this blessed by the larger community
  • BoF at winter/spring IETF?
  • Move to a standards body after 1.0 is complete.