Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

To scim or not to scim

(Peter Gietz)

SCIM is a modern RESTful protocol for providing identity data.

SCIM is supported by many vendors and developers and can be used to integrate different open source products.

It has an extension mechanism: different schema, same REST protocol.

I am trying to use SCIM for the provisioning system; I would compare it with SQL because you can update, remove and delete.

We would rather talk about the schema extensions.

If the service provider gets the data at a certain point in time and the user will not come again, the service provider will always have the old data. One solution is using SCIM for just-in-time provisioning and keeping the data for only one session; that is a good idea. It does not cover every use case, because if you attach logging privileges, it does not work. The DSP should delete all data except the permanent ID.

In practice, do you have any experience of how difficult it is to extend these SCIM schemas and integrate them in different libraries? Is there a registry of extensions?

Nowadays we have a standard for enterprise users and a standard for groups. That is the standard schema. A lot of companies have done additional schemas using the extensions, which is quite easy; what is difficult is to standardize those extensions.

What extra work do we have to do so the software knows there is no extension? The protocol allows that itself: you can generate SCIM servers and order the extensions.

What are realistic use cases to make people do a bunch of work? A use case would be identity management software at large, to make software from different vendors operable.

We can extend for our attribute profile, we have federation attributes and these would be the attributes passed via SCIM, so we pass identity attributes on the use case.

When you say integrate these things what do you mean? It must have the brain of operation? You could specify which schemas you use if the community agrees on that. Within communities, such community standards could evolve.

There is one special use case, Swiss eduID, which goes away from the idea of just-in-time provisioning to more centralized aggregating of attributes that need provisioning. If campus directories already have eduPerson, it would be quite easy to do provisioning based on SCIM.

As I understand SCIM, it is not so sophisticated, it facilitates only semi-local extensions.

How can we aggregate these extensions? I do not see a big difference between SCIM and LDAP in this respect: you also have objects, and the enterprise user is derived from the user.

There are two concepts: there is a SCIM object, and then there is the schema, and the object can have more than one schema.

Schema is something that helps us, but we still need mapping? If your app is not based on SCIM, you need mapping.

SCIM was invented to have standard provisioning.

Do you think there would be enough interest, at least in higher education? With eduID in mind, to have this eduPerson, it shouldn't be too much work to specify.

The application should provide a SCIM interface, SCIM should be done by the application. It is important that every good application supports SCIM.

Maybe we should start small, if we have use case already, we have the infrastructure to boost this, we just need somebody who is willing to put some work into drafting something. Once it is drafted we could start telling about it.

SCIM seems to be successful; at least in the cloud world, chances are better for SCIM than for SPML. It is not a sure thing, but any standard is better than no standard.

Is there any objection to using a URN as a name in a SCIM extension? You could even put an OID in a URN.

So to SCIM or not to SCIM?

Radovan was quite explicit yesterday, saying not to SCIM; he is the developer, and his version of SCIM was not operable with another implementation of SCIM, and I think he, in general, doesn't believe in standards so much. There is also a practical problem: it is not as interoperable as people would like. If you are looking at special data, a name and a small set of groups, it is pretty straightforward. Nobody wants to replace anything with SCIM, but using it would help a lot. But in this room, everyone agrees to SCIM.
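As an added illustration of the points raised above about objects carrying more than one schema, URN-named extensions, and mapping onto federation attributes (this is not part of the session notes and not code from any project mentioned): a constructed SCIM User that declares the core schema, the standard enterprise extension, and a hypothetical eduPerson extension under an assumed URN, a check that the declared schemas agree with the payload, and a mapping onto federation attribute names. The eduPerson URN, the `KNOWN_SCHEMAS` registry, and `FEDERATION_MAP` are assumptions made for the example.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Hypothetical community extension for eduPerson attributes (not a registered SCIM schema).
EDUPERSON_USER = "urn:example:scim:schemas:extension:eduPerson:1.0:User"
KNOWN_SCHEMAS = {CORE_USER, ENTERPRISE_USER, EDUPERSON_USER}  # the "registry" this server accepts

# Constructed sample User laid out as in RFC 7643: core attributes at top level, extensions under their URN.
SAMPLE_USER = {
    "schemas": [CORE_USER, ENTERPRISE_USER, EDUPERSON_USER],
    "userName": "alice@example.edu",
    "displayName": "Alice Example",
    ENTERPRISE_USER: {"department": "Computer Science"},
    EDUPERSON_USER: {"eduPersonPrincipalName": "alice@example.edu",
                     "eduPersonAffiliation": ["student", "member"]},
}

# (schema URN, SCIM attribute) -> federation attribute name; assumed mapping for illustration.
FEDERATION_MAP = {
    (CORE_USER, "userName"): "uid",
    (CORE_USER, "displayName"): "displayName",
    (ENTERPRISE_USER, "department"): "ou",
    (EDUPERSON_USER, "eduPersonPrincipalName"): "eduPersonPrincipalName",
    (EDUPERSON_USER, "eduPersonAffiliation"): "eduPersonAffiliation",
}

def schema_problems(resource):
    """List ways the 'schemas' declaration disagrees with the payload (empty = consistent)."""
    declared = resource.get("schemas", [])
    problems = [] if CORE_USER in declared else ["core User schema not declared"]
    for urn in declared:
        if urn != CORE_USER and urn not in KNOWN_SCHEMAS:
            problems.append("unknown extension schema: " + urn)
        elif urn != CORE_USER and urn not in resource:
            problems.append("declared but absent extension: " + urn)
    for key in resource:
        if key.startswith("urn:") and key not in declared:
            problems.append("extension data present but not declared: " + key)
    return problems

def to_federation_attributes(resource):
    """Map a consistent SCIM User (core + extensions) onto federation attribute names."""
    problems = schema_problems(resource)
    if problems:
        raise ValueError("; ".join(problems))
    out = {}
    for (urn, attr), fed_name in FEDERATION_MAP.items():
        container = resource if urn == CORE_USER else resource.get(urn, {})  # core vs. extension
        if attr in container:
            out[fed_name] = container[attr]
    return out
```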