Might we Re-charter SCIM? - Find out on July 29
Published Jul 28 2021 09:00 AM
Microsoft

How many of you have looked at the SCIM specifications (IETF RFC 7643 / 7644) and thought “could they be made simpler or clearer”? Here is your chance to make a difference. The IETF’s 111th Plenary Meeting is running virtually as we speak, and this Thursday (July 29th) one of the events in the plenary is a “Birds of a Feather” (or BoF) meeting for taking new steps with SCIM (the session identifier is sins). We hope to convince the IETF Area Directors and the community that there is further work to be done in this area, and no matter what your opinion is, you should bring that opinion to the BoF meeting and be heard! You don’t have to be a standards person – if you are working with SCIM and just getting stuck, that is important implementer feedback that we want to hear.

 

The Lead Up 

The topic has been discussed in informal bi-weekly meetings for the last two months (we call it the SCIM Interest Group), with strong participation and lots of healthy opinions. We started by reviewing the many different draft extensions that are out there for SCIM, and a lot of those reviews are available on the SCIM IG YouTube channel if you are interested. We applied for the BoF meeting to get feedback from a larger audience and to judge whether we have momentum, and now we are going to find out.

 

Microsoft View 

When it comes to SCIM, Microsoft is interested in participating for several simple reasons: 

Operational Clarity 

  • At the time SCIM was born, the cloud was still new and the possibilities were not known. The very common assumed implementation pattern was a push model from on-premises to cloud, and this led to assumptions about who would be pushing what data where. These days, however, the combinations of push and pull, client and server, are much more varied. We think that some simple updates in language and better profiling of common implementation roles could make the specification much more intuitive to adopt – thus helping overall interoperability across the identity community and getting us closer to making SCIM a must-have cross-domain interface.

End to End Automation as a First Order Goal 

  • The Identity world is now increasingly powered by automation and AI. Connectivity is no longer just about web single sign-on; the new and growing requirement today is for automated corporate oversight, including governance, provisioning, risk detection and threat intelligence. And we don’t only want to automate the connections, we want to automate the establishment of the connection. We are hoping to research whether there is additional metadata or even schema that could facilitate a more seamless bootstrapping of various protocols in the multi-cloud world, including protocols like Shared Signals and Events (SSE)/CAEP or FastFed, with a plan to lay the groundwork for the explosion in multi-cloud automation that growing industry verticals like CIEM exemplify.

Security Best Practice & Multi-cloud Updates 

  • In the API Security world, a lot has happened since the first SCIM work began.  OAuth 2.0 has become the preferred mechanism for protecting APIs and a number of extensions have evolved that increase security during access token presentation.  We want the negotiation of industry-best security to be well specified for identity data 

 

How to Get Involved 

The most important thing to do is to sign up for the IETF Birds of a Feather meeting. Registration is here: https://registration.ietf.org/111/. There is no membership requirement, but there is a fee – a day pass costs $125 but there are fee waivers available if that cost is too great.

You can also join our merry band in the SCIM Interest Group – connection data is on our wiki: Explanation of our goals, how to get involved, and pages on our dedicated work efforts (github.com). We meet every 2 weeks, at two different times of day to encourage global participation. For updates, the easiest way to stay informed is to subscribe to the SCIM mailing list at IETF.

We hope your excitement about this standards work is as great as ours, and we cannot encourage your participation strongly enough – the best specifications are made from diverse input, and the more breadth we have in implementation experience and point of view, the better we will do. Join us!

Last update: Nov 04 2021 11:14 AM