
PingTalk Blog

San Diego - Nearly 75% of companies deploying an emerging, standardized provisioning protocol are doing so to link internal systems, according to a company that helped write the specification and was first to support it.

Directory provider UnboundID in January rolled out an implementation of the Simple Cloud Identity Management protocol (SCIM; now known as System for Cross-Domain Identity Management at the IETF) and three-quarters of those that have adopted it are provisioning users across their internal mix of platforms.

Another 25% are using it for what the SCIM creators envisioned: enterprises avoiding the headache of writing yet another connector. Those companies are linking to software-as-a-service providers via SCIM to provision users into cloud services, namely Salesforce.com.

"We turned a protocol and schema problem into a mapping problem, which is easier to solve. I map my SCIM thing to my LDAP thing," said Trey Drake, an architect for UnboundID and an editor of the SCIM specification.

He appeared last week as part of a roundtable hosted by Gartner analyst Mark Diodati at the Catalyst Conference. Others on the panel were SCIM specification contributors Patrick Harding, CTO of Ping Identity, and Darran Rolls, enterprise security specialist at SailPoint.

SCIM is a REST-based data access protocol for provisioning and managing user identity in the cloud. It supports creating, editing, deleting, querying and retrieving user resources. The intent is to create a fast and efficient way for enterprises to provide access to cloud services.
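The two points above, Drake's "map my SCIM thing to my LDAP thing" and the REST verbs that carry create, edit, delete, query and retrieve, can be made concrete with a small mapper. The following is an added example written for this page, not code from UnboundID, Ping Identity or the SCIM specification. It assumes the SCIM 1.x core schema URN (`urn:scim:schemas:core:1.0`) and standard `inetOrgPerson` LDAP attribute names, and the sample user payload is constructed for illustration.

```python
"""Added example: classify SCIM REST requests and translate a SCIM core User
into LDAP inetOrgPerson attributes (the "mapping problem" Drake describes).
Assumptions: SCIM 1.x core schema URN; inetOrgPerson attribute names; sample
payload is constructed and not taken from any real deployment."""
import json

SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"   # assumption: SCIM 1.x era URN
RESOURCE_TYPES = {"Users", "Groups"}
REQUIRED_ATTRS = ("userName",)                    # userName is mandatory for a User

# SCIM dotted attribute path -> LDAP inetOrgPerson attribute
ATTRIBUTE_MAP = {
    "userName": "uid",
    "name.givenName": "givenName",
    "name.familyName": "sn",
    "displayName": "cn",
    "emails": "mail",          # multi-valued in SCIM; collapsed to the primary value
}

# (HTTP method, addresses a single resource?) -> provisioning operation
REST_OPERATIONS = {
    ("POST", False): "create",
    ("GET", True): "retrieve",
    ("GET", False): "query",     # GET on the collection, usually with ?filter=
    ("PUT", True): "replace",    # full edit
    ("PATCH", True): "modify",   # partial edit
    ("DELETE", True): "delete",
}


def classify_request(method: str, path: str) -> str:
    """Map a SCIM REST request onto one of the CRUD operations.
    /Users -> collection; /Users/<id> -> single resource. Query strings are ignored."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if segments and segments[-1] in RESOURCE_TYPES:
        has_id = False
    elif len(segments) >= 2 and segments[-2] in RESOURCE_TYPES:
        has_id = True
    else:
        raise ValueError(f"not a SCIM resource path: {path}")
    try:
        return REST_OPERATIONS[(method.upper(), has_id)]
    except KeyError:
        raise ValueError(f"unsupported SCIM request {method} {path}")


def _lookup(resource: dict, dotted: str):
    """Resolve a dotted SCIM path such as name.givenName; None if absent."""
    value = resource
    for part in dotted.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def _primary_email(emails):
    """SCIM multi-valued attributes carry a 'primary' flag; prefer it, else the first."""
    if not emails:
        return None
    for entry in emails:
        if entry.get("primary"):
            return entry.get("value")
    return emails[0].get("value")


def scim_user_to_ldap(resource: dict) -> dict:
    """Validate a SCIM core User and translate it to inetOrgPerson attributes.
    Payloads declaring a schema we do not handle, or missing userName, are rejected
    rather than partially provisioned."""
    schemas = resource.get("schemas", [])
    if SCIM_CORE_SCHEMA not in schemas:
        raise ValueError(f"unsupported schemas: {schemas}")
    for attr in REQUIRED_ATTRS:
        if not resource.get(attr):
            raise ValueError(f"missing required attribute {attr}")
    entry = {"objectClass": ["inetOrgPerson"]}
    for scim_path, ldap_attr in ATTRIBUTE_MAP.items():
        value = _lookup(resource, scim_path)
        if scim_path == "emails":
            value = _primary_email(value)
        if value is not None:
            entry[ldap_attr] = value
    # inetOrgPerson requires cn and sn; fall back to uid so the LDAP add does not fail
    entry.setdefault("sn", entry["uid"])
    entry.setdefault("cn", entry["uid"])
    return entry


# Constructed sample request body (not real user data).
SAMPLE_REQUEST_BODY = json.dumps({
    "schemas": [SCIM_CORE_SCHEMA],
    "userName": "bjensen",
    "name": {"givenName": "Barbara", "familyName": "Jensen"},
    "displayName": "Babs Jensen",
    "emails": [{"value": "bjensen@example.com", "primary": True},
               {"value": "babs@example.com", "type": "home"}],
})


def provision_from_request(method: str, path: str, body: str) -> dict:
    """Handle a SCIM create request end to end: classify, parse, map to LDAP."""
    operation = classify_request(method, path)
    if operation != "create":
        raise ValueError(f"expected a create, got {operation}")
    return scim_user_to_ldap(json.loads(body))


if __name__ == "__main__":
    print(classify_request("GET", '/Users?filter=userName eq "bjensen"'))
    print(json.dumps(provision_from_request("POST", "/Users", SAMPLE_REQUEST_BODY), indent=2))
```

The schema check matters in practice: a provisioning endpoint that silently accepts attributes from an unrecognised schema, or creates an account without the mandatory identifier, ends up with orphaned or half-built directory entries that are hard to audit later.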

The spec is now before the Internet Engineering Task Force (IETF) in hopes of being blessed as a standard.

"There is adoption and it works," says Drake. "If you look at the spec and grok it, you see a generalized REST API with a well-defined way to represent things that map well to an LDAP directory or to a user store."

Salesforce.com also has thrown its gigantic weight (92,000 customers) behind the spec. In July, Chuck Mortimore, director of product management for identity and security at Salesforce, told attendees at the Cloud Identity Summit (CIS) that the service provider had rolled out a test implementation of SCIM to a handful of customers.

Those testers are using SCIM for standardized provisioning of services, he said.

Mortimore said the Winter release of the Salesforce.com platform would include a pilot of SCIM, and he said SCIM support will be official in the platform sometime next year.

"We believe there needs to be a standard here," Mortimore said at CIS and reiterated at Catalyst from his chair in the roundtable audience. "And we want to take a leadership position as we do in so many things cloud."

Gartner's Diodati, for his part, made his point about ease of use by writing his own SCIM client and reviewing it with the roundtable session.

"Back in the day with standardized provisioning efforts we were trying to correct the connector issues," said Diodati. "Today in the cloud, you can't control it, you can't put a connector on it, it becomes more acute to have a standard protocol."

He said SCIM fits in nicely with other standard identity protocols: the newly minted OAuth 2.0 and the traditional Security Assertion Markup Language (SAML).

Diodati thinks the right people are at the table: service providers, identity infrastructure vendors and major end-users. But he said there are also detractors who keep the work honest, and others presenting alternatives.

Microsoft's Graph API, which has some functions similar to SCIM, is helping frame conversations and counterpoints.

UnboundID's Drake says he wants to add features to SCIM and deepen the comparisons with Graph API, most notably a notification service for when changes happen.

"I think we have been doing the right things with the spec," says Drake. "But there is still work to do."
