CIS13: SCIM Interop
0 likes1,024 views
The document outlines SCIM (System for Cross-domain Identity Management) interoperability tests conducted at the 2013 Cloud Identity Summit, focusing on user and group management operations across various identity systems and service providers like Active Directory, Salesforce, PingFederate, and others. Test cases include user creation, listing, updating, and deletion, along with service provider configuration and schema retrieval, evaluating compliance between different implementations. Results demonstrate varying levels of success across different service provider integrations, highlighting areas for improvement in SCIM support.
CIS13: SCIM Interop
- 1. SCIM 1.1 Interop Cloud Iden1ty Summit 2013
- 2. example SCIM topology Externally Hosted On-‐Premises Create user (HTTP POST) Identity system (SCIM consumer) SaaS application (SCIM service provider)
- 3. example SCIM topology Externally Hosted On-‐Premises Active Directory Create user (HTTP POST) Directory syncIdentity system (SCIM consumer) SaaS application (SCIM service provider)
- 4. SCIM iden1ty bridge Externally Hosted On-‐Premises Active Directory LDAP SCIM SCIM consumer API Partner’s provisioning IDaaS Web application API or SCIM SCIM consumer SCIM provider Directory sync OAuth resource server Identity Bridge
- 5. Interoppers service provider consumer cisco sailpoint pi pingfederate sailpoint pi pingfederate unboundid pi pingone nexus pi pingone wso2 salesforce sailpoint salesforce nexus salesforce wso2 salesforce pi pingfederate unboundid pi pingfederate unboundid pi pingone unboundid wso2 wso2 sailpoint
- 6. Interop tests Category Test # Test Name User creation 1.1 Create five users. 2.1 List one user (1.1) with attributes parameter via query to resource. 2.2 List one user (1.1) with filter via query to resource endpoint. 2.3 List users (1.1) with attributes parameter via query to resource endpoint. 3.1 Update user (1.1) via PUT. 3.2 Update user (1.1) via PATCH. 3.3 Change password for user (1.1). Verify by authenticating with server natively if possible Group creation 4.1 Create two groups. 5.1 List one group (4.1) with attributes parameter via query to resource. 5.2 List one group (4.1) with filter via query to resource endpoint. 5.3 List groups (4.1) with attributes parameter via query to resource endpoint. 6.1 Add user (1.1 ) to group (4.1) via PUT. 6.2 Remove user (1.1) from group (4.1) via PUT. 6.3 Add user (1.1) to group (4.1) via PATCH. 6.4 Remove user (1.1) from group (4.1) via PATCH. User deletion 7.1 Delete user (1.1). 8.1 Create two users. 8.2 Update two users (8.1) via PATCH. 8.3 Create two users via PUT, then create group via PUT with users' id attribute. 8.4 Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). ServiceProviderConfig retrieval 9.1 Retrieve service provider config. Schema retrieval 10.1 Retrieve user and group schemas. Group update Bulk operation User list User update Group list
- 7. unbound(sp)<-‐>pingfederate Category Test Number Test Name unboundid pingfederate User creation 1.1 Create five users. yes yes 2.1 List one user (1.1) with attributes parameter via query to resource. yes no 2.2 List one user (1.1) with filter via query to resource endpoint. yes no 2.3 List users (1.1) with attributes parameter via query to resource endpoint. yes no 3.1 Update user (1.1) via PUT. yes yes 3.2 Update user (1.1) via PATCH. yes no 3.3 Change password for user (1.1). Verify by authenticating with server natively if possible. yes no Group creation 4.1 Create two groups. yes no 5.1 List one group (4.1) with attributes parameter via query to resource. yes no 5.2 List one group (4.1) with filter via query to resource endpoint. yes no 5.3 List groups (4.1) with attributes parameter via query to resource endpoint. yes no 6.1 Add user (1.1 ) to group (4.1) via PUT. yes no 6.2 Remove user (1.1) from group (4.1) via PUT. yes no 6.3 Add user (1.1) to group (4.1) via PATCH. yes no 6.4 Remove user (1.1) from group (4.1) via PATCH. yes no User deletion 7.1 Delete user (1.1). yes yes 8.1 Create two users. yes no 8.2 Update two users (8.1) via PATCH. yes no 8.3 Create two users via PUT, then create group via PUT with users' id attribute. yes no 8.4 Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). yes no ServiceProviderConfig retrieval 9.1 Retrieve service provider config. yes no Schema retrieval 10.1 Retrieve user and group schemas. yes no User list User update Group list Group update Bulk operation
- 8. unboundid(sp)<-‐>pingone Category Test Number Test Name unboundid pingone User creation 1.1 Create five users. yes yes 2.1 List one user (1.1) with attributes parameter via query to resource. yes yes 2.2 List one user (1.1) with filter via query to resource endpoint. yes 2.3 List users (1.1) with attributes parameter via query to resource endpoint. yes 3.1 Update user (1.1) via PUT. yes yes 3.2 Update user (1.1) via PATCH. yes 3.3 Change password for user (1.1). Verify by authenticating with server natively if possible.yes Group creation 4.1 Create two groups. yes yes 5.1 List one group (4.1) with attributes parameter via query to resource. yes 5.2 List one group (4.1) with filter via query to resource endpoint. yes 5.3 List groups (4.1) with attributes parameter via query to resource endpoint. yes 6.1 Add user (1.1 ) to group (4.1) via PUT. yes yes 6.2 Remove user (1.1) from group (4.1) via PUT. yes yes 6.3 Add user (1.1) to group (4.1) via PATCH. yes 6.4 Remove user (1.1) from group (4.1) via PATCH. yes User deletion 7.1 Delete user (1.1). yes yes 8.1 Create two users. yes 8.2 Update two users (8.1) via PATCH. yes 8.3 Create two users via PUT, then create group via PUT with users' id attribute. yes 8.4 Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). yes ServiceProviderConfig retrieval 9.1 Retrieve service provider config. yes yes Schema retrieval 10.1 Retrieve user and group schemas. yes yes User list User update Group list Group update Bulk operation
- 9. salesforce(sp)<-‐>sailpoint Category Test Number Test Name salesforce sailpoint User creation 1.1 Create five users. yes yes 2.1 List one user (1.1) with attributes parameter via query to resource. yes no 2.2 List one user (1.1) with filter via query to resource endpoint. no 2.3 List users (1.1) with attributes parameter via query to resource endpoint. yes yes 3.1 Update user (1.1) via PUT. no 3.2 Update user (1.1) via PATCH. yes no 3.3 Change password for user (1.1). Verify by authenticating with server natively if possible. no Group creation 4.1 Create two groups. yes 5.1 List one group (4.1) with attributes parameter via query to resource. no 5.2 List one group (4.1) with filter via query to resource endpoint. no 5.3 List groups (4.1) with attributes parameter via query to resource endpoint. list only yes 6.1 Add user (1.1 ) to group (4.1) via PUT. no 6.2 Remove user (1.1) from group (4.1) via PUT. no 6.3 Add user (1.1) to group (4.1) via PATCH. yes(Entitlements) no 6.4 Remove user (1.1) from group (4.1) via PATCH. yes(Entitlements) no User deletion 7.1 Delete user (1.1). yes(Deactivate) yes 8.1 Create two users. no 8.2 Update two users (8.1) via PATCH. no 8.3 Create two users via PUT, then create group via PUT with users' id attribute. no 8.4 Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). no ServiceProviderConfig retrieval 9.1 Retrieve service provider config. yes yes Schema retrieval 10.1 Retrieve user and group schemas. user only yes User list User update Group list Group update Bulk operation
- 10. salesforce(sp)<-‐>wso2 Category Test Number Test Name salesforce wso2 User creation 1.1 Create five users. yes yes 2.1 List one user (1.1) with attributes parameter via query to resource. yes No 2.2 List one user (1.1) with filter via query to resource endpoint. no yes(for userNa 2.3 List users (1.1) with attributes parameter via query to resource endpoint. yes No 3.1 Update user (1.1) via PUT. no Yes 3.2 Update user (1.1) via PATCH. yes No 3.3 Change password for user (1.1). Verify by authenticating with server natively if possible. no Yes Group creation 4.1 Create two groups. yes Yes 5.1 List one group (4.1) with attributes parameter via query to resource. no No 5.2 List one group (4.1) with filter via query to resource endpoint. no Yes 5.3 List groups (4.1) with attributes parameter via query to resource endpoint. list only No 6.1 Add user (1.1 ) to group (4.1) via PUT. no Yes 6.2 Remove user (1.1) from group (4.1) via PUT. no Yes 6.3 Add user (1.1) to group (4.1) via PATCH. yes(Entitlements) No 6.4 Remove user (1.1) from group (4.1) via PATCH. yes(Entitlements) No User deletion 7.1 Delete user (1.1). yes(Deactivate) Yes 8.1 Create two users. no Yes 8.2 Update two users (8.1) via PATCH. no No 8.3 Create two users via PUT, then create group via PUT with users' id attribute. no No 8.4 Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). no No ServiceProviderConfig retrieval 9.1 Retrieve service provider config. yes No Schema retrieval 10.1 Retrieve user and group schemas. user only No Group update Bulk operation User list User update Group list
- 11. salesforce(sp)<-‐>pingfederate Category Test Number Test Name salesforce pingfederate User creation 1.1 Create five users. yes yes 2.1 List one user (1.1) with attributes parameter via query to resource. yes no 2.2 List one user (1.1) with filter via query to resource endpoint. no no 2.3 List users (1.1) with attributes parameter via query to resource endpoint. yes no 3.1 Update user (1.1) via PUT. no yes 3.2 Update user (1.1) via PATCH. yes no 3.3 Change password for user (1.1). Verify by authenticating with server natively if possible. no no Group creation 4.1 Create two groups. yes no 5.1 List one group (4.1) with attributes parameter via query to resource. no no 5.2 List one group (4.1) with filter via query to resource endpoint. no no 5.3 List groups (4.1) with attributes parameter via query to resource endpoint. list only no 6.1 Add user (1.1 ) to group (4.1) via PUT. no no 6.2 Remove user (1.1) from group (4.1) via PUT. no no 6.3 Add user (1.1) to group (4.1) via PATCH. yes(Entitlements) no 6.4 Remove user (1.1) from group (4.1) via PATCH. yes(Entitlements) no User deletion 7.1 Delete user (1.1). yes(Deactivate) yes 8.1 Create two users. no no 8.2 Update two users (8.1) via PATCH. no no 8.3 Create two users via PUT, then create group via PUT with users' id attribute. no no 8.4 Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). no no ServiceProviderConfig retrieval 9.1 Retrieve service provider config. yes no Schema retrieval 10.1 Retrieve user and group schemas. user only no User list User update Group list Group update Bulk operation
- 12. pingfederate(sp)<-‐>sailpoint Category Test Number Test Name pi pingfederate sailpoint User creation 1.1 Create five users. yes yes 2.1 List one user (1.1) with attributes parameter via query to resource. yes no 2.2 List one user (1.1) with filter via query to resource endpoint. no 2.3 List users (1.1) with attributes parameter via query to resource endpoint. no 3.1 Update user (1.1) via PUT. yes yes 3.2 Update user (1.1) via PATCH. no 3.3 Change password for user (1.1). Verify by authenticating with server natively if possible.yes yes Group creation 4.1 Create two groups. no 5.1 List one group (4.1) with attributes parameter via query to resource. no 5.2 List one group (4.1) with filter via query to resource endpoint. no 5.3 List groups (4.1) with attributes parameter via query to resource endpoint. no 6.1 Add user (1.1 ) to group (4.1) via PUT. no 6.2 Remove user (1.1) from group (4.1) via PUT. no 6.3 Add user (1.1) to group (4.1) via PATCH. no 6.4 Remove user (1.1) from group (4.1) via PATCH. no User deletion 7.1 Delete user (1.1). yes yes 8.1 Create two users. no 8.2 Update two users (8.1) via PATCH. no 8.3 Create two users via PUT, then create group via PUT with users' id attribute. no 8.4 Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). no ServiceProviderConfig retrieval 9.1 Retrieve service provider config. yes yes Schema retrieval 10.1 Retrieve user and group schemas. no User list User update Group list Group update Bulk operation
- 13. wso2(sp)<-‐>pingone Category Test Number Test Name wso2 pingone User creation 1.1 Create five users. yes yes 2.1 List one user (1.1) with attributes parameter via query to resource. No NA 2.2 List one user (1.1) with filter via query to resource endpoint. yes(for userName attribute only) yes 2.3 List users (1.1) with attributes parameter via query to resource endpoint. No NA 3.1 Update user (1.1) via PUT. Yes yes 3.2 Update user (1.1) via PATCH. No NA 3.3 Change password for user (1.1). Verify by authenticating with server natively if possible. Yes yes Group creation 4.1 Create two groups. Yes yes 5.1 List one group (4.1) with attributes parameter via query to resource. No NA 5.2 List one group (4.1) with filter via query to resource endpoint. Yes yes 5.3 List groups (4.1) with attributes parameter via query to resource endpoint. No NA 6.1 Add user (1.1 ) to group (4.1) via PUT. Yes yes 6.2 Remove user (1.1) from group (4.1) via PUT. Yes yes 6.3 Add user (1.1) to group (4.1) via PATCH. No NA 6.4 Remove user (1.1) from group (4.1) via PATCH. No NA User deletion 7.1 Delete user (1.1). Yes yes 8.1 Create two users. Yes yes 8.2 Update two users (8.1) via PATCH. No NA 8.3 Create two users via PUT, then create group via PUT with users' id attribute. No No 8.4 Remove users (8.3) from group (4.1) via PATCH, then delete two users (8.3). No NA ServiceProviderConfig retrieval 9.1 Retrieve service provider config. No NA Schema retrieval 10.1 Retrieve user and group schemas. No NA User list User update Group list Group update Bulk operation
- 17. Ac1ve Directory Oracle Directory Server Monitor Directory for User Changes (Create, Update, Delete/Disable) SCIM SCIM Consumer SCIM Service Provider Create, Update, Delete Users SaaS Provider Benefits • Synchronize local corporate directory accounts with the UnboundID Iden1ty Data PlaOorm Iden-ty Data Pla2orm
- 18. Ac1ve Directory Oracle Directory Server Monitor Directory for User Changes (Create, Update, Delete/Disable) SCIM Consumer SCIM Service Provider Benefits • Synchronize local corporate directory accounts with Salesforce • Enable Single Sign-‐On between workforce to Salesforce SCIM Create, Update, Disable Users SAML SSO
- 19. Active Directory Hosted On-‐Premises PingFederate IdentityIQ SCIM Service Provider SCIM Consumer SCIM Service Provider (1) Identity pull via SCIM (2) Identity push via SCIM (3) Add/Delete/Modify (5) SAM L SSO User (4) Kerberos SSO Benefits * Authoritative cloud identity store * Workflow, identity and access governance * SSO from Desktop to SaaS Seamless provisioning
- 20. CRUD users and access using SSO Authen1cate RDP HTTP SAML X509 SAML User Storages User aYributes User data Benefits: • Easier onboarding of new services • Iden1ty life cycle management • Easier single sign on • Control access to local or cloud systems
- 21. CRUD users and access using SSO RDP HTTP HTTP Authen1cate X509 SAML User Storages User aYributes User data Benefits: • Easier onboarding of new services • Iden1ty life cycle management • Easier single sign on • Control access to local or cloud systems