SCIM & OpenID Connect: From Co-existence to Harmony

From IIW

SCIM & OpenID Connect

Tuesday 5I Convener: Prateek Mishra

Notes-taker(s): Mike Schwartz

SCIM (System for Cross-domain Identity Management). Specs are here:

Provides a schema for user objects, for example:

{"id": "12345680",  "userName": "joe",  etc. }

REST APIs for user and group management.

OpenID Connect provides federated authentication and delivers claims about the user.

Why can't we use SCIM schema in OpenID Flows?

OpenID Connect has a "profile callback mechanism", i.e. the UserInfo endpoint.

Using the claims coming back from OpenID Connect, a relying party may implement "just-in-time" (JIT) provisioning: the local account is created the first time the user logs in.

OpenID Connect defines its own, different schema for a person (and does not define groups or roles).

Mike Schwartz pointed out that OpenID Connect is used to enable a person to authorize the release of attributes about himself, whereas SCIM is used by the enterprise to provision users in a SaaS.

Phil Hunt pointed out that OpenID Connect generally delivers simple attribute-value pairs, whereas SCIM is better at conveying complex attribute values.

Use Case: An enterprise with a directory service needs to work with a SaaS provider. The SaaS service provides a SCIM endpoint so the enterprise can provision user and group information. The SaaS service needs to advertise its SCIM endpoints via a manifest. Does the SaaS need to do JIT, or bulk provisioning? JIT does not support de-provisioning: a user who has left the enterprise simply never logs in again, so the SaaS is never told to disable the account.
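The two provisioning paths discussed above (JIT from OpenID Connect claims, and directory-driven bulk sync through SCIM) side by side, as an added example that is not part of the session notes and not code from any SCIM implementation. It maps the OpenID Connect standard claims (sub, name, given_name, family_name, preferred_username, email, email_verified) onto the SCIM 1.x core User attributes (userName, name, emails, active, externalId) and shows why JIT alone never de-provisions: a departed user just stops logging in. The in-memory store standing in for a SaaS /Users endpoint, the issuer URL and the UserInfo response are constructed for the example.

```python
"""JIT provisioning from OIDC UserInfo claims into a SCIM-style store, next
to the bulk/de-provisioning path. Added example; the store, the issuer and
the UserInfo response below are constructed, not taken from any product."""
import uuid
from urllib.parse import urlsplit

SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"   # SCIM 1.x core schema URN


def userinfo_to_scim(claims, issuer):
    """Translate a UserInfo response into a SCIM User resource.

    'sub' is only unique within one issuer, so externalId and userName are
    both qualified with the issuer. OIDC Core does not guarantee that
    preferred_username is unique, so it is carried only as displayName."""
    if "sub" not in claims:
        raise ValueError("UserInfo response must carry 'sub'")
    host = urlsplit(issuer).hostname
    user = {
        "schemas": [SCIM_CORE_SCHEMA],
        "externalId": f"{issuer}#{claims['sub']}",
        "userName": f"{claims['sub']}@{host}",
        "active": True,
    }
    if "preferred_username" in claims:
        user["displayName"] = claims["preferred_username"]
    name = {k: claims[c] for c, k in (("given_name", "givenName"),
                                      ("family_name", "familyName"),
                                      ("name", "formatted")) if c in claims}
    if name:
        user["name"] = name
    # Only provision an address the IdP asserts it verified; an unverified
    # email is self-asserted by the end user and must not become an
    # identifier the SaaS might later route password resets to.
    if claims.get("email") and claims.get("email_verified") is True:
        user["emails"] = [{"value": claims["email"], "primary": True}]
    return user


class ScimUserStore:
    """Minimal in-memory stand-in for a SaaS SCIM /Users endpoint."""

    def __init__(self):
        self.users = {}          # id -> resource
        self.by_external = {}    # externalId -> id

    def create(self, resource):               # POST /Users
        uid = str(uuid.uuid4())
        self.users[uid] = {**resource, "id": uid}
        self.by_external[resource["externalId"]] = uid
        return self.users[uid]

    def replace(self, uid, resource):         # PUT /Users/{id}
        self.users[uid] = {**resource, "id": uid}
        return self.users[uid]

    def deactivate(self, uid):                # PATCH /Users/{id} {"active": false}
        self.users[uid]["active"] = False
        return self.users[uid]

    def lookup_external(self, external_id):
        uid = self.by_external.get(external_id)
        return self.users.get(uid) if uid else None

    def active_usernames(self):
        return sorted(u["userName"] for u in self.users.values() if u["active"])


def upsert(store, resource):
    """Create on first sight, otherwise refresh attributes in place."""
    existing = store.lookup_external(resource["externalId"])
    if existing is None:
        return store.create(resource)
    return store.replace(existing["id"], resource)


def jit_login(store, claims, issuer):
    """What the relying party does after a successful OIDC login.
    Nothing on this path ever removes access."""
    return upsert(store, userinfo_to_scim(claims, issuer))


def bulk_sync(store, directory_resources):
    """What the enterprise's SCIM client does on a schedule: push every
    directory entry, then deactivate anyone the directory no longer lists.
    This is the de-provisioning step the JIT path cannot perform."""
    seen = {upsert(store, r)["id"] for r in directory_resources}
    for uid, user in store.users.items():
        if uid not in seen and user["active"]:
            store.deactivate(uid)


ISSUER = "https://idp.example.com"   # constructed issuer
SAMPLE_USERINFO = {                  # constructed UserInfo response
    "sub": "248289761001",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "preferred_username": "j.doe",
    "email": "janedoe@example.com",
    "email_verified": True,
}


def demo():
    """JIT creates Jane; after she leaves she just stops logging in, so only
    a directory-driven bulk sync (here an empty directory) disables her."""
    store = ScimUserStore()
    jane = jit_login(store, SAMPLE_USERINFO, ISSUER)
    after_jit = store.active_usernames()
    bulk_sync(store, [])
    return jane, after_jit, store.active_usernames()
```

The externalId carries issuer and sub together because a bare sub is only unique per issuer; a SaaS that federates with several enterprises and keys on sub alone will eventually merge two different people into one account.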

Prateek says Oracle is interested in starting a working group about this problem so it can solve its internal SaaS and industry SaaS issues.

Phil has published a SCIM discovery Spec:

There is also a SCIM configuration endpoint:

Prateek says the business problem is that SCIM lacks the coherent security that would make it a real standard across many service providers.