Slide 1

Keep Identities in Sync The SCIMple Way
Brian Demers and Matt Raible
@briandemers / @mraible
October 3, 2022

Slide 2

Who are we?
Brian Demers: Open Source Developer and Java Champion. Fun facts: likes to snowboard; into 🐝. @bdemers
Matt Raible: Open Source Developer and Java Champion. Fun facts: likes to ski; into classic VWs ✌. @mraible

Slide 3

Today's Agenda
01 What is SCIM?
02 Best Practices
03 Apache SCIMple
04 Demo: Apache SCIMple + Spring Boot
05 Action! How to get involved

Slide 4

01 What is SCIM?

Slide 5

System for Cross-domain Identity Management

Slide 6

TL;DR: a standardized REST API for Users and Groups

Slide 7

REST Endpoints
Imagine you are building an API for an auto parts store:
https://example.com/api/v1/Parts
https://example.com/api/v1/Orders
https://example.com/api/v1/Users
https://example.com/api/v1/Groups

Slide 8

User Object (application/scim+json)
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "dschrute",
  "userName": "dschrute",
  "name": {
    "formatted": "Mr. Dwight K Schrute, III",
    "familyName": "Schrute",
    "givenName": "Dwight",
    "middleName": "Kurt",
    "honorificPrefix": "Mr.",
    "honorificSuffix": "III"
  },
  "phoneNumbers": [{ "value": "555-555-8377", "type": "work" }],
  "emails": [{ "value": "dschrute@example.com", "type": "work", "primary": true }],
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v2/Users/2819c223..."
  }
}

Slide 9

What about other attributes?

Slide 10

SCIM Extensions
"schemas": [
  "urn:ietf:params:scim:schemas:core:2.0:User",
  "urn:scim:schemas:extension:srd:1.0:ability"
],
"urn:scim:schemas:extension:srd:1.0:ability": {
  "charisma": 14,
  "constitution": 12,
  "dexterity": 15,
  "intelligence": 8,
  "strength": 10,
  "wisdom": 13
}

Slide 11

SCIM Schemas Endpoint - /Schemas
{
  "id": "urn:scim:schemas:extension:srd:1.0:ability",
  "name": "SDR-OGL",
  "description": "Systems Reference Document - Ability Scores",
  "attributes": [{
    "name": "charisma",
    "description": "Charisma, measuring force of personality",
    "required": true,
    "type": "integer",
    "uniqueness": "none",
    "caseExact": false,
    "multiValued": false,
    "mutability": "readWrite",
    "returned": "default"
  } ...

Slide 12

SCIM Endpoints
/Users[/{id}]
/Groups[/{id}]
/Schemas[/{id}]
/ResourceTypes[/{id}]
/Bulk
/ServiceProviderConfig

Slide 13

Why use SCIM?

Slide 14

Why should you use SCIM?
● Standardized RESTful API
● Covers >90% of use cases
● Integrate with other services

Slide 15

When to avoid SCIM?

Slide 16

02 Best Practices

Slide 17

User Model Best Practices
● Store the "source" of the user
● Store the "ID" of the user's source
● Emails are not good IDs
● The status of a user is a boolean
● SCIM supports a SQL-like filter expression language:
  /Users?filter=emails.value EQ "bob@example.com"
  /Users?filter=userName EQ "bob"
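The two filter expressions above are instances of the SCIM filter grammar (RFC 7644). As an added example that is not part of the slides or of Apache SCIMple, here is a small Python evaluator for the attrPath-operator-value subset of that grammar, run against a constructed User resource modelled on the User Object slide; it rejects anything outside the subset instead of guessing, so an unsupported filter fails closed rather than matching everything.

```python
import json
import re

# Constructed sample resource, modelled on the User object shown on the slides.
USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "active": True,
    "id": "2819c223-7f76-453a-919d-413861904646", "userName": "dschrute",
    "name": {"familyName": "Schrute", "givenName": "Dwight"},
    "emails": [{"value": "dschrute@example.com", "type": "work", "primary": True}],
}

# Supported subset of the RFC 7644 filter grammar: attrPath SP compareOp SP compValue | attrPath SP "pr"
FILTER_RE = re.compile(r'^\s*([A-Za-z][\w.]*)\s+(eq|ne|co|sw|ew|pr)'
                       r'(?:\s+("(?:[^"\\]|\\.)*"|true|false|null|-?\d+(?:\.\d+)?))?\s*$', re.IGNORECASE)

def parse_filter(expr):
    """Split a filter into (attrPath, operator, operand); anything outside the subset is rejected."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported SCIM filter: {expr!r}")
    attr, op, raw = m.group(1), m.group(2).lower(), m.group(3)
    if (op == "pr") != (raw is None):
        raise ValueError(f"operator {op!r} has the wrong number of operands")
    return attr, op, None if raw is None else json.loads(raw if raw.startswith('"') else raw.lower())

def _values(node, path):
    """Walk attrPath case-insensitively; a multi-valued attribute contributes every element."""
    for i, seg in enumerate(path):
        if isinstance(node, list):
            return [v for item in node for v in _values(item, path[i:])]
        key = next((k for k in node if k.lower() == seg.lower()), None) if isinstance(node, dict) else None
        if key is None:
            return []
        node = node[key]
    return node if isinstance(node, list) else [node]

def matches(resource, expr):
    """True if any value at attrPath satisfies the filter (string compares are case-insensitive)."""
    attr, op, operand = parse_filter(expr)
    vals = _values(resource, attr.split("."))
    if op == "pr":
        return any(v not in (None, "", [], {}) for v in vals)
    for v in vals:
        a, b = (v.lower(), operand.lower()) if isinstance(v, str) and isinstance(operand, str) else (v, operand)
        if (op == "eq" and a == b) or (op == "ne" and a != b):
            return True
        if isinstance(a, str) and isinstance(b, str) and (
                (op == "co" and b in a) or (op == "sw" and a.startswith(b)) or (op == "ew" and a.endswith(b))):
            return True
    return False
```

The operand is parsed with JSON literal rules, so strings must be quoted and booleans are bare, which is also what keeps an `emails.value` lookup from silently matching a multi-valued attribute against the wrong sub-field.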

Slide 18

User data is sensitive! (I Am Not A Lawyer!)

Slide 19

03 Apache SCIMple

Slide 20

Apache Directory projects:
ApacheDS
Apache Directory Studio
Apache LDAP API
Apache Fortress
Apache Kerby
Apache SCIMple

Slide 21

Apache SCIMple History
2013: Started at PennState
2015: SCIM RFCs
2018: Moved to Apache Directory
2020: Something happened
2022: Jakarta APIs

Slide 22

04 Demo
github.com/mraible/okta-scim-spring-boot-example

Slide 23

05 Action!

Slide 24

Action: Get Involved with Apache SCIMple
YOUR LOGO HERE

Slide 25

Action: Get Involved with SCIMple
directory.apache.org/scimple
apache/directory-scimple
scimple@directory.apache.org

Slide 26

Thanks!
Brian Demers: @briandemers, @bdemers, brian.demers@okta.com
Matt Raible: @mraible, matt.raible@okta.com
https://speakerdeck.com/mraible

Slide 27

developer.okta.com