Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Most enterprise solutions adopt products and services from multiple cloud providers to accomplish various business requirements. This makes it insufficient to maintain user identities only in a corporate LDAP. Identity provisioning plays a key role in propagating user identities across different SaaS providers. The challenge that the SCIM (system for cross-domain identity management) specification intends to address is, how to propagate these user identities in an unconventional manner.

SPML concepts

Service Provisioning Markup Language (SPML) is an XML-based framework developed by OASIS for exchanging user, resource and service provisioning information between cooperating organizations. The Service Provisioning Markup language is the open standard for the integration and interoperation of service provisioning requests. The goal of SPML is to allow organizations to securely and quickly set up user interfaces for Web services and applications, by letting enterprise platforms such as Web portals, application servers, and service centers generate provisioning requests within and across organizations. This can lead to automation of user or system access and entitlement rights to electronic services across diverse IT infrastructures, so that customers are not locked into proprietary solutions.

SCIM concepts

The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in the WSO2 Identity Server easier. Identity provisioning is a key aspect of any Identity Management Solution. In simple terms, it is to create, maintain and delete user accounts and related identities in one or more systems or applications in response to business processes which are initiated either by humans directly or by automated tasks.

...

System for Cross-domain Identity Management is an emerging open standard which defines a comprehensive REST API along with a platform neutral schema and a SAML binding to facilitate the user management operations across SaaS applications; placing specific emphasis on simplicity and interoperability as well.

Implementing SCIM with WSO2 CHARON

This is about WSO2 Charon - one of the SCIM implementations which are made available under Apache 2.0 license.

The following diagram provides an overview on the module breakdown of Charon along with purpose of each module and planned tasks of them.

Image Removed

The following includes a brief introduction on each of the modules.

  • Charon-Core: This is the API that exposes an implementation of the SCIM specification. It can be used by any SCIM service provider or client implementation to support SCIM operations/functionalities. In addition to that, it also allows room for extension points to be plugged in according to the particular server side/client side implementation, such as authentication handler, user storage, encoders/decoders etc.
  • Charon-Utils: This contains a set of default implementations of the extension points mentioned above. For example: Basic Auth, OAuth handlers, LDAP based user storage etc. A particular implementation that uses charon-core as SCIM API can use these default implementations as building blocks.
  • Charon-Deployment (Note: this is renamed as Charon-Impl): A reference implementation of SCIM service provider is shipped with this module. Currently it is a Apache Wink based web app that can be deployed in any application server - such as Tomcat, and enables the SCIM endpoints to be exposed. This is based on the above two modules: charon-core and charon-utils, and illustrates how any SCIM implementation can utilize the API and supporting module provided by Charon.
  • Charon-Samples: This contains samples illustrating the SCIM use cases. Samples mainly contain the SCIM client side implementations which can be run against a SCIM server, and hence can also be referenced to get to know how the API provided by Charon can be used to implement SCIM client side.

Charon-Deployment

Charon-Deployment is the reference implementation of SCIM service provider that is shipped with Charon. The following illustrates how any concrete implementation of a SCIM service provider can make use of Charon-Core (the SCIM API) with Charon-Utils (optional).

The SCIM service provider needs to be a RESTful web application. REST is an architectural style of building networked applications. There are several ways to implement REST style based applications - such as Servlets and JAX-RS based frameworks. In the reference implementation of Charon-SCIM service provider, the latter approach is selected since JAX-RS hides underlying HTTP handling and binds the servlets nicely to individual methods in the Java classes using annotations. Annotations can also dynamically extract information from HTTP requests and map application-generated exceptions to HTTP response codes. 

 Out of the JAX-RS implementations, Apache-Wink was selected since it better catered to the requirements. The Charon-Impl module creates an Apache-Wink based web application which can be deployed in an application server like Tomcat and which acts as a SCIM service provider.

The following is a deployment diagram of Charon-SCIM service provider (the web application provided by Charon-Impl module). It also gives a high level idea on how Charon-Core and Charon-Utils modules are utilized.

Image Removed

As this diagram of the reference implementation illustrates, a SCIM service provider can be developed using any REST implementation and SCIM-defined resources can be exposed utilizing the API provided by the Charon-Core.

On the other hand, SCIM Consumers can also be implemented using the client API of Charon-Core.