Prabath Siriwardena (@prabath)
Senior Software Architect
2001 : OASIS PS TC
2003 : SPML 1.0
2003 : WS-Provisioning
2006 : SPML 2.0
2010 : SCIM community
2011 : SCIM 1.0
2012 : SCIM 1.1
2011 : RESTPML
[Diagram: a SCIM Consumer calling the /Users and /Groups endpoints of a SCIM Service Provider]
{ "schemas":[], "name":{"familyName":”siriwardena","givenName":”prabath"}, "userName":”prabath","password":”prabath123", "emails":[{"primary":true,"value":”[email protected]","type":"home"},
{"value":”[email protected]","type":"work"}] }
curl -‐v -‐k -‐-‐user admin:admin -‐d @add-‐user.json -‐-‐header "Content-‐Type:application/json" https://localhost:9443/wso2/scim/Users
add-‐user.json
curl command
{ "schemas": ["urn:scim:schemas:core:1.0"], "id": "idnext", "displayName": "IdentityNext", }
curl -‐v -‐k -‐-‐user admin:admin -‐d @add-‐group.json -‐-‐header "Content-‐Type:application/json" https://localhost:9443/wso2/scim/Groups
add-‐group.json
curl command
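The two curl calls above, as an added example that is not code from the original deck or from WSO2: the payloads are built programmatically (with the one-primary-email rule checked before sending) and the request keeps TLS verification on and carries an OAuth 2.0 bearer token, which the later slides describe, instead of `-k` and `--user admin:admin`. The base URL and field names come from the slides; the helper names and all sample values are constructed for this example.

```python
"""Build and send the SCIM /Users and /Groups requests from the slides.

Added example; not code from the original deck or from WSO2.
The base URL and the field names come from the slides; the helper names
(build_user, build_group, scim_request, send), the bearer-token handling
and every sample value are constructed for this example.
"""
import json
import urllib.request

SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"   # from the add-group.json slide
BASE_URL = "https://localhost:9443/wso2/scim"     # from the curl commands


def build_user(user_name, password, family_name, given_name, emails):
    """Return the add-user payload as a dict.

    `emails` is a list of (value, type, primary) tuples. SCIM allows at most
    one primary email, so that is checked here rather than left to the server.
    """
    if not user_name or not password:
        raise ValueError("userName and password are required")
    if sum(1 for _, _, primary in emails if primary) > 1:
        raise ValueError("at most one email may be primary")
    payload = {
        "schemas": [SCIM_CORE_SCHEMA],
        "userName": user_name,
        "password": password,
        "name": {"familyName": family_name, "givenName": given_name},
        "emails": [],
    }
    for value, kind, primary in emails:
        entry = {"value": value, "type": kind}
        if primary:
            entry["primary"] = True   # "primary": false is simply omitted
        payload["emails"].append(entry)
    return payload


def build_group(display_name, member_ids=()):
    """Return the add-group payload; members are SCIM user ids, if any."""
    if not display_name:
        raise ValueError("displayName is required")
    payload = {"schemas": [SCIM_CORE_SCHEMA], "displayName": display_name}
    if member_ids:
        payload["members"] = [{"value": m} for m in member_ids]
    return payload


def scim_request(path, payload, bearer_token):
    """Build the POST request for BASE_URL + path.

    The slides' curl uses -k (no certificate verification) and basic auth
    admin:admin. This keeps TLS verification on (urllib's default) and sends
    the OAuth 2.0 bearer token the later slides describe instead.
    """
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(BASE_URL + path, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Bearer " + bearer_token)
    return req


def send(req):
    """Perform the request; urllib raises HTTPError on 4xx/5xx responses."""
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Dry run: print the payloads without contacting a server.
    user = build_user("prabath", "prabath123", "siriwardena", "prabath",
                      [("prabath@home.example", "home", True),
                       ("prabath@work.example", "work", False)])
    print(json.dumps(user, indent=2))
    print(json.dumps(build_group("IdentityNext"), indent=2))
    # send(scim_request("/Users", user, "<token from the authorization server>"))
```

`send()` is the only function that touches the network; everything else can be exercised offline, which is also where input validation such as the primary-email check belongs.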
[Diagram: One way provisioning. Provisioning Service Providers in Domain A, Domain B and Domain C, with a SCIM Consumer]
[Diagram: One way provisioning with broker mode. Provisioning Service Providers in Domain A, Domain B and Domain C, with a SCIM Consumer]
[Diagram: Bi-directional provisioning. Provisioning Service Providers in Domain A, Domain B and Domain C, with three SCIM Consumers]
[Diagram: Multi-directional provisioning with a centralized PSP. Provisioning Service Providers in Domain A, Domain B and Domain C, with three SCIM Consumers]
[Diagram: Just-in-time provisioning with SAML2. Provisioning Service Providers in Domain A and Domain B, a SAML2 IdP, steps 1 to 4]
[Diagram: Just-in-time provisioning with SAML2 (second variant). Provisioning Service Provider, Domain A, Domain B, a SAML2 IdP, steps 1 to 5]
[Diagram: a Provisioning Service Provider with a SCIM Consumer for wso2.com and a SCIM Consumer for facilelogin.com]
[Diagram: a SCIM Consumer obtains a Bearer Token from an OAuth 2.0 Authorization Server and presents it to the Provisioning Service Provider]
[Diagram: the same flow, with the Provisioning Service Provider calling Validate() on the OAuth 2.0 Authorization Server to check the Bearer Token]
OAuth 2.0 terms: Client, Resource Owner, Resource, Scope, Action
[Diagram: two SCIM Consumers and two Provisioning Service Providers, with an OAuth 2.0 Authorization Server providing Validate()]
[Diagram: the Provisioning Service Provider sends a XACML Request to a XACML PDP, which answers Permit/Deny/...]
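The authorization path of the last slides, as an added example that is not code from the original deck or from WSO2: the SCIM consumer's bearer token is validated (a stand-in for the authorization server's Validate()), the HTTP request is mapped to a resource and action and checked against the token's scopes, and a small XACML-style policy decision point returns Permit, Deny or NotApplicable. The token table, scope names, policy rules and the administrator list are constructed for illustration; a real deployment would call the authorization server's introspection endpoint and a real PDP.

```python
"""Authorization path for a SCIM service provider, as drawn on the slides:
the SCIM consumer presents an OAuth 2.0 bearer token, the provisioning
service provider validates it with the authorization server, maps the
request to a resource/action/scope, and asks a XACML-style PDP for a
Permit/Deny decision.

Added example, not code from the original deck or from WSO2. The token
table, scope names, policy rules and the admin list are constructed.
"""
from dataclasses import dataclass

# Fixed clock for the constructed tokens; pass time.time() in production.
NOW = 1_700_000_000


@dataclass(frozen=True)
class TokenInfo:
    client: str          # OAuth client that obtained the token
    resource_owner: str  # user on whose behalf it was issued
    scopes: frozenset    # granted scopes
    expires_at: int      # unix time


# Constructed stand-in for what the authorization server's Validate() returns.
TOKEN_STORE = {
    "tok-hr-admin": TokenInfo("hr-app", "admin",
                              frozenset({"scim:users:write", "scim:groups:write"}), NOW + 3600),
    "tok-dashboard": TokenInfo("dashboard", "alice",
                               frozenset({"scim:users:read"}), NOW + 3600),
    "tok-helpdesk": TokenInfo("helpdesk", "bob",
                              frozenset({"scim:users:write"}), NOW + 3600),
    "tok-stale": TokenInfo("hr-app", "admin",
                           frozenset({"scim:users:write"}), NOW - 1),
}

ADMINS = {"admin"}  # constructed: resource owners allowed to delete


def validate(bearer_token, now=NOW):
    """Authorization server side: TokenInfo for a live token, else None."""
    info = TOKEN_STORE.get(bearer_token)
    if info is None or info.expires_at <= now:
        return None
    return info


def classify(method, path):
    """Map an HTTP request on the SCIM API to (resource, action).

    Only the /Users and /Groups collections from the slides are known;
    anything else is rejected before any policy is consulted.
    """
    segments = [s for s in path.split("/") if s]
    if not segments or segments[0] not in ("Users", "Groups"):
        raise ValueError("unknown SCIM resource: %r" % path)
    action = {"GET": "read", "POST": "write", "PUT": "write",
              "PATCH": "write", "DELETE": "delete"}.get(method.upper())
    if action is None:
        raise ValueError("unsupported method: %r" % method)
    return segments[0].lower(), action


def has_scope(info, resource, action):
    """Scope check: a write scope covers read and delete on its resource."""
    if "scim:%s:write" % resource in info.scopes:
        return True
    return "scim:%s:%s" % (resource, action) in info.scopes


def pdp(subject, resource, action):
    """XACML-style policy decision point over a constructed rule set.

    Rules are evaluated first-applicable; a request no rule covers is
    NotApplicable, which the enforcement point treats as Deny.
    """
    rules = [
        # deleting accounts or groups is reserved for administrators
        (lambda s, r, a: a == "delete" and s not in ADMINS, "Deny"),
        (lambda s, r, a: a == "delete" and s in ADMINS, "Permit"),
        (lambda s, r, a: a in ("read", "write"), "Permit"),
    ]
    for matches, effect in rules:
        if matches(subject, resource, action):
            return effect
    return "NotApplicable"


def authorize(bearer_token, method, path, now=NOW):
    """Enforcement point in the provisioning service provider."""
    info = validate(bearer_token, now)
    if info is None:
        return "Deny", "invalid or expired token"
    resource, action = classify(method, path)
    if not has_scope(info, resource, action):
        return "Deny", "missing scope scim:%s:%s" % (resource, action)
    decision = pdp(info.resource_owner, resource, action)
    if decision != "Permit":
        return "Deny", "policy decision %s" % decision
    return "Permit", "client %s acting for %s" % (info.client, info.resource_owner)


if __name__ == "__main__":
    for tok, m, p in [("tok-hr-admin", "POST", "/Users"),
                      ("tok-dashboard", "POST", "/Users"),
                      ("tok-helpdesk", "DELETE", "/Users/123"),
                      ("tok-stale", "GET", "/Users")]:
        print(tok, m, p, "->", authorize(tok, m, p))
```

The two checks are deliberately separate: the scope check answers "may this client do this kind of thing", the PDP answers "may this resource owner do it to this resource", and a token that fails either is denied before the SCIM operation runs.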