
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022

What if keeping your user stores in sync across domains was as simple as running "java -jar"? With Apache SCIMPle, it is!

Apache SCIMple is a SCIM 2.0-compliant server powered by Spring Boot 3. You can run it standalone or embedded in your existing app. It exposes user management REST endpoints and handles the hassle of user synchronization for you. If your identity provider supports SCIM, use the simple way!

GitHub example: https://github.com/mraible/okta-scim-spring-boot-example
Demo script: https://github.com/mraible/okta-scim-spring-boot-example/blob/main/demo.adoc

Matt Raible

October 03, 2022

  1. Keep Identities in Sync The SCIMple Way
     Brian Demers and Matt Raible, @briandemers / @mraible, October 3, 2022

  2. Who are we?
     Brian Demers: Open Source Developer and Java Champion. Fun facts: likes to snowboard; into 🐝. @bdemers
     Matt Raible: Open Source Developer and Java Champion. Fun facts: likes to ski; into classic VWs ✌. @mraible
  3. Today's Agenda
     01 What is SCIM?
     02 Best Practices
     03 Apache SCIMple
     04 Demo: Apache SCIMple + Spring Boot
     05 Action! How to get involved
  4. 01 What is SCIM?

  5. System for Cross-domain Identity Management

  6. TL;DR: Standardized User & Groups REST API

  7. REST Endpoints
     Imagine you are building an API for an auto parts store:
     https://example.com/api/v1/Parts
     https://example.com/api/v1/Orders
     https://example.com/api/v1/Users
     https://example.com/api/v1/Groups
     The /Users and /Groups endpoints are the part SCIM standardizes.
  8. User Object (application/scim+json)
     {
       "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
       "id": "2819c223-7f76-453a-919d-413861904646",
       "externalId": "dschrute",
       "userName": "dschrute",
       "name": {
         "formatted": "Mr. Dwight K Schrute, III",
         "familyName": "Schrute",
         "givenName": "Dwight",
         "middleName": "Kurt",
         "honorificPrefix": "Mr.",
         "honorificSuffix": "III"
       },
       "phoneNumbers": [{"value": "555-555-8377", "type": "work"}],
       "emails": [{"value": "[email protected]", "type": "work", "primary": true}],
       "meta": {
         "resourceType": "User",
         "created": "2011-08-01T18:29:49.793Z",
         "lastModified": "2011-08-01T18:29:49.793Z",
         "location": "https://example.com/v2/Users/2819c223..."
       }
     }
  9. What about other attributes?

  10. SCIM Extensions
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:scim:schemas:extension:srd:1.0:ability"
      ],
      "urn:scim:schemas:extension:srd:1.0:ability": {
        "charisma": 14,
        "constitution": 12,
        "dexterity": 15,
        "intelligence": 8,
        "strength": 10,
        "wisdom": 13
      }

  11. SCIM Schemas Endpoint - /Schemas
      {
        "id": "urn:scim:schemas:extension:srd:1.0:ability",
        "name": "SDR-OGL",
        "description": "Systems Reference Document - Ability Scores",
        "attributes": [{
          "name": "charisma",
          "description": "Charisma, measuring force of personality",
          "required": true,
          "type": "integer",
          "uniqueness": "none",
          "caseExact": false,
          "multiValued": false,
          "mutability": "readWrite",
          "returned": "default"
        } ...

  12. SCIM Endpoints
      /Users[/{id}]
      /Groups[/{id}]
      /Schemas[/{id}]
      /ResourceTypes[/{id}]
      /Bulk
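Slides 8, 10 and 11 show the three pieces a SCIM server has to reconcile on every write: the "schemas" list a client declares, the extension object keyed by its URN, and the attribute definitions the server publishes under /Schemas. The following Python is an added example, not code from the deck or from Apache SCIMple (whose implementation is Java); it validates a constructed User body against schema definitions in the shape /Schemas returns. The trimmed core-User attribute list and the sample e-mail address are constructed for the example; the ability-score extension URN is the deck's own.

```python
# Constructed schema definitions in the shape a SCIM /Schemas endpoint returns
# (RFC 7643 section 7). The core User entry is trimmed to the attributes this
# check uses; the ability extension mirrors the deck's "srd" example URN.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ABILITY_EXT = "urn:scim:schemas:extension:srd:1.0:ability"

SCHEMAS = {
    USER_SCHEMA: {
        "id": USER_SCHEMA,
        "attributes": [
            {"name": "userName", "type": "string", "required": True, "multiValued": False},
            {"name": "externalId", "type": "string", "required": False, "multiValued": False},
            {"name": "active", "type": "boolean", "required": False, "multiValued": False},
            {"name": "emails", "type": "complex", "required": False, "multiValued": True},
        ],
    },
    ABILITY_EXT: {
        "id": ABILITY_EXT,
        "attributes": [
            {"name": n, "type": "integer", "required": True, "multiValued": False}
            for n in ("charisma", "constitution", "dexterity",
                      "intelligence", "strength", "wisdom")
        ],
    },
}

# bool is a subclass of int in Python, so the integer check excludes it explicitly.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "complex": lambda v: isinstance(v, dict),
}


def check_attributes(attrs, values, prefix):
    """Problems found when checking one schema's attribute list against a dict of values."""
    problems = []
    for a in attrs:
        name = a["name"]
        if name not in values:
            if a["required"]:
                problems.append(f"{prefix}{name}: required attribute missing")
            continue
        v = values[name]
        ok = TYPE_CHECKS[a["type"]]
        if a["multiValued"]:
            if not isinstance(v, list) or not all(ok(x) for x in v):
                problems.append(f"{prefix}{name}: expected list of {a['type']}")
        elif not ok(v):
            problems.append(f"{prefix}{name}: expected {a['type']}")
    return problems


def validate_resource(resource, schemas=SCHEMAS):
    """Validate a SCIM User body against the schemas it declares.

    Returns a list of problem strings (empty means consistent). Three rules a
    server has to enforce that the wire format itself does not: every URN in
    "schemas" must be one the server publishes, every declared extension must
    be present as a top-level object keyed by its URN (and vice versa), and
    values must match the type and "required" flag advertised under /Schemas.
    """
    problems = []
    declared = resource.get("schemas", [])
    if USER_SCHEMA not in declared:
        problems.append(f"schemas: core schema {USER_SCHEMA} not declared")
    for urn in declared:
        if urn not in schemas:
            problems.append(f"schemas: unknown schema {urn}")
        elif urn == USER_SCHEMA:
            problems += check_attributes(schemas[urn]["attributes"], resource, "")
        else:
            ext = resource.get(urn)
            if not isinstance(ext, dict):
                problems.append(f"{urn}: extension declared but no attribute object present")
            else:
                problems += check_attributes(schemas[urn]["attributes"], ext, urn + ":")
    for key in resource:
        if key.startswith("urn:") and key not in declared:
            problems.append(f"{key}: extension attributes present but schema not declared")
    return problems


# Constructed request body modelled on slides 8 and 10 (not the deck's literal JSON).
GOOD = {
    "schemas": [USER_SCHEMA, ABILITY_EXT],
    "userName": "dschrute",
    "externalId": "dschrute",
    "active": True,
    "emails": [{"value": "dwight@example.com", "type": "work", "primary": True}],
    ABILITY_EXT: {"charisma": 14, "constitution": 12, "dexterity": 15,
                  "intelligence": 8, "strength": 10, "wisdom": 13},
}

if __name__ == "__main__":
    print(validate_resource(GOOD))
    bad = dict(GOOD, active="yes")   # wrong type for a boolean attribute
    del bad[ABILITY_EXT]             # extension declared but payload missing
    print(validate_resource(bad))
```

The last loop is the one most implementations forget: an extension object arriving without its URN in "schemas" (or the reverse) usually means the client was built against a different schema version, and silently accepting it is how unvalidated attributes end up persisted.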

  13. @briandemers / @mraible Why use SCIM?

  14. @briandemers / @mraible Why should you use SCIM? • Standardized

    RESTful API • Covers >90% of use cases • Integrate with other services
  15. @briandemers / @mraible When to avoid SCIM?

  16. @briandemers / @mraible 02 Best Practices

  17. @briandemers / @mraible • Store the "source" of the user

    • Store the "ID" of the user's source • Emails are not good IDs • The status of a user is a boolean. • SCIM supports a SQL like expression language User Model Best Practices /Users?filter=emails.value EQ "[email protected]" /Users?filter=userName EQ "bob"
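Two of the points on slide 17 are worth seeing in code: keying users by (source, source ID) rather than e-mail, and building the SQL-like filter. The Python below is an added example, not the deck's or Apache SCIMple's code. The in-memory store, the user records and the provider names are constructed for the example. The escaping rule comes from the RFC 7644 filter grammar, where a compared value is a JSON string literal: a caller-supplied value must have backslashes and double quotes escaped before it is placed between the quotes, or a value such as `x" or userName pr` rewrites the filter and matches every user.

```python
from urllib.parse import urlencode


# --- Building a filter safely -------------------------------------------------
def scim_string(value: str) -> str:
    """Quote a value as a SCIM filter string literal (JSON-style escaping)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def eq_filter(attr_path: str, value: str) -> str:
    # Operators are case-insensitive per RFC 7644; the RFC examples use "eq".
    return f"{attr_path} eq {scim_string(value)}"


def users_query(filter_expr: str) -> str:
    """Path and query for GET /Users with the filter URL-encoded."""
    return "/Users?" + urlencode({"filter": filter_expr})


# --- Modelling the user the way the slide recommends ---------------------------
class User:
    def __init__(self, source, external_id, user_name, emails, active=True):
        self.source = source            # which identity provider this user came from
        self.external_id = external_id  # that provider's stable ID (SCIM externalId)
        self.user_name = user_name
        self.emails = list(emails)
        self.active = active            # status is a real boolean, not a string


class UserStore:
    """In-memory stand-in for a SCIM resource store (constructed for this example)."""

    def __init__(self):
        self._by_key = {}

    def upsert(self, user: User) -> None:
        # (source, externalId) survives e-mail changes and is unique per provider;
        # an e-mail address is neither.
        self._by_key[(user.source, user.external_id)] = user

    def find(self, source, external_id):
        return self._by_key.get((source, external_id))

    def deactivate(self, source, external_id) -> bool:
        """Deprovisioning: flip active to False instead of deleting the record."""
        u = self.find(source, external_id)
        if u is None:
            return False
        u.active = False
        return True

    def by_email(self, email):
        """E-mail lookup still works, but it can legitimately return several users."""
        return [u for u in self._by_key.values() if email in u.emails]


if __name__ == "__main__":
    # Constructed sample data: the same mailbox provisioned from two providers.
    store = UserStore()
    store.upsert(User("okta", "00u1abc", "bob", ["bob@example.com"]))
    store.upsert(User("ldap", "uid=bob,ou=people", "bob.ldap", ["bob@example.com"]))
    print(len(store.by_email("bob@example.com")))        # 2: e-mail is not a key
    store.deactivate("okta", "00u1abc")
    print(store.find("ldap", "uid=bob,ou=people").active)  # True: only one was disabled
    print(users_query(eq_filter("userName", 'x" or userName pr')))
```

Sending the last query to a conforming server matches nothing, because the injected quote is escaped into part of the literal rather than terminating it. The same escaping is needed wherever a filter is assembled from an identity provider's attribute values on the way to a downstream SCIM server.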
  18. User data is sensitive! I Am Not A Lawyer!

  19. 03 Apache SCIMple

  20. Apache Directory projects
      ApacheDS
      Apache Directory Studio
      Apache LDAP API
      Apache Fortress
      Apache Kerby
      Apache SCIMple

  21. Apache SCIMple History
      2013: Started at PennState
      2015: SCIM RFCs
      2018: Moved to Apache Directory
      2020: Something happened
      2022: Jakarta APIs

  22. 04 Demo
      github.com/mraible/okta-scim-spring-boot-example

  23. 05 Action!

  24. Action: Get Involved with Apache SCIMple
      { } YOUR LOGO HERE

  25. Action: Get Involved with SCIMple
      directory.apache.org/scimple
      apache/directory-scimple
      [email protected]

  26. Thanks!
      Brian Demers: @briandemers, @bdemers, @bdemers, [email protected]
      Matt Raible: @mraible, @mraible, @mraible, [email protected], https://speakerdeck.com/mraible

  27. developer.okta.com