[Openid-specs-fastfed] SCIM relationships
Phil Hunt
phil.hunt at oracle.com
Tue Nov 8 17:12:02 UTC 2016
On today’s call we talked about
a: how and where attribute mapping should occur
b: using SCIM to do ongoing provisioning and updating
A couple of comments:
* While SCIM has standardized attributes(claims), the values for entitlements (something a user has/is given), roles (something a user is), and groups often tend to be problematic. We talked about some of these cases. I think “who” does the mapping of these types of claims will depend largely on “b”.
* There are actually several different types of relationships that could be established. Broadly speaking I would break them down into directory vs. provisioning centric:
Directory Centric
Where the application uses the OpenID Connect/SCIM profile and obtains an access token to the SCIM endpoint. That access token can be used in two ways:
i) Just-in-time - the token is short lived and the app grabs what it needs every time the user logs into the app via connect
ii) Ongoing / delegated - the app polls the SCIM repository independently based on some other event criteria (eg. the SCIM provider issues an event saying the record has changed)
Provisioning Centric:
i) One-time: As part of fast fed, the application is provisioned with the first “copy” of the user. No further updates are needed
ii) On-going provisioning system: A provisioning system at the IDP is set up to send SCIM commands to each application based on changes at the IDP
iii) On-going event system (loose-coupled): The provisioning system sends events to the application. The applications reconcile and take appropriate action
There may be more variations here.
My gut feeling is that the directory method that will be easiest to standardize across all scenarios would be Directory-centric “ii” where the app either polls or uses SCIM events to trigger apps doing occasional reconciliation. This might be easier to use at it has the fewest missing pieces and has a certain amount of adaptability to it. For example, an app could get data only once, it could update every time the user accesses, it could poll, or it could use events to “poll” only when a change notice has been delivered.
Phil
@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fastfed/attachments/20161108/5977241f/attachment.html>
More information about the Openid-specs-fastfed
mailing list