Mountain View, Calif. - The group working on a specification for standards-based user provisioning in the cloud is holding true to its charter as it works toward completion, but it is discussing future steps that could include new schema options and extensions.
The effort to standardize the System for Cross-domain Identity Management (SCIM) protocol landed in the Internet Engineering Task Force (IETF) in July, and it quickly became apparent that the spec holds hidden gems for those with specific needs around directory and identity and access management software.
SCIM is a REST-based protocol for provisioning and managing user identities in the cloud. It exposes user resources that can be created, edited, deleted, queried and retrieved over HTTP. The intent is a fast and efficient way for enterprises to provision access to cloud services.
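To make the create/retrieve/edit/delete/query operations concrete, here is an added Python example; it is not code from the article or from any SCIM implementation named in it. The core User schema URN (`urn:scim:schemas:core:1.0`), the `/Users` path and the `attr op "value"` filter grammar follow the SCIM 1.1 spec as I know it; the in-memory store, the function names and the sample users are constructed for the example. It also shows one check a practitioner wants when building filter queries from user-supplied input: the value must be encoded as a JSON string literal, or a caller can close the quote and append predicates of their own.

```python
import json
import re
import uuid
from typing import Dict, List, Optional, Tuple

# Core User schema URN and resource path from the SCIM 1.1 spec (not from the article).
USER_SCHEMA = "urn:scim:schemas:core:1.0"
USERS_PATH = "/Users"

# REST operations behind the verbs the article lists (illustrative mapping).
OPERATIONS = {
    "create": ("POST", USERS_PATH),
    "retrieve": ("GET", USERS_PATH + "/{id}"),
    "edit": ("PUT", USERS_PATH + "/{id}"),
    "delete": ("DELETE", USERS_PATH + "/{id}"),
    "query": ("GET", USERS_PATH + "?filter={filter}"),
}

# One SCIM filter predicate: attribute, operator, JSON-string value (subset of the grammar).
_PREDICATE = re.compile(r'^(\w+) (eq|co|sw) ("(?:[^"\\]|\\.)*")$')


def scim_string(value: str) -> str:
    """Encode a value as a SCIM filter literal (a JSON string), escaping quotes/backslashes."""
    return json.dumps(value)


def user_name_filter_unsafe(user_name: str) -> str:
    """The pattern to avoid: raw interpolation of untrusted input into the filter."""
    return f'userName eq "{user_name}"'


def user_name_filter(user_name: str) -> str:
    """The safe form: the value is always exactly one string literal."""
    return f"userName eq {scim_string(user_name)}"


def parse_filter(expr: str) -> Optional[Tuple[str, str, str]]:
    """Parse a single-predicate filter; None means malformed (the server answers 400)."""
    m = _PREDICATE.match(expr)
    if not m:
        return None
    attr, op, literal = m.groups()
    return attr, op, json.loads(literal)


class InMemoryScimStore:
    """Toy SCIM User store constructed for this example (not a real server)."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def create(self, resource: dict) -> Tuple[int, dict]:
        if USER_SCHEMA not in resource.get("schemas", []) or not resource.get("userName"):
            return 400, {"error": "core User schema and userName are required"}
        if any(u["userName"] == resource["userName"] for u in self.users.values()):
            return 409, {"error": "userName already exists"}
        stored = dict(resource, id=str(uuid.uuid4()))  # server assigns the id
        self.users[stored["id"]] = stored
        return 201, stored

    def retrieve(self, user_id: str) -> Tuple[int, dict]:
        user = self.users.get(user_id)
        return (200, user) if user else (404, {"error": "not found"})

    def replace(self, user_id: str, resource: dict) -> Tuple[int, dict]:
        if user_id not in self.users:
            return 404, {"error": "not found"}
        self.users[user_id] = dict(resource, id=user_id)
        return 200, self.users[user_id]

    def delete(self, user_id: str) -> int:
        return 200 if self.users.pop(user_id, None) else 404

    def query(self, filter_expr: str) -> Tuple[int, List[dict]]:
        parsed = parse_filter(filter_expr)
        if parsed is None:
            return 400, []
        attr, op, value = parsed
        tests = {"eq": lambda a: a == value, "co": lambda a: value in a, "sw": lambda a: a.startswith(value)}
        return 200, [u for u in self.users.values() if isinstance(u.get(attr), str) and tests[op](u[attr])]


def demo() -> dict:
    """Create two constructed users, then query with benign and hostile input."""
    store = InMemoryScimStore()
    status, bjensen = store.create({
        "schemas": [USER_SCHEMA],
        "userName": "bjensen",
        "name": {"givenName": "Barbara", "familyName": "Jensen"},
        "emails": [{"value": "bjensen@example.com", "primary": True}],
    })
    store.create({"schemas": [USER_SCHEMA], "userName": "jsmith"})
    hostile = 'x" or userName co "'  # tries to widen "find one user" into "find everyone"
    safe_status, safe_hits = store.query(user_name_filter(hostile))
    unsafe_status, unsafe_hits = store.query(user_name_filter_unsafe(hostile))
    ok_status, ok_hits = store.query(user_name_filter("bjensen"))
    return {
        "create_status": status,
        "safe": (safe_status, len(safe_hits)),      # literal value, no user matches
        "unsafe": (unsafe_status, len(unsafe_hits)),  # malformed filter, rejected
        "lookup": (ok_status, ok_hits[0]["id"] == bjensen["id"]),
    }
```

With strict parsing the raw-interpolated filter is rejected outright; a server whose filter parser also understands `or` would instead have returned every user. Encoding the value with `scim_string` keeps it a single literal in either case, which is the property to rely on.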
Working group chair Morteza Ansari, a principal engineer with Cisco, said Wednesday that the group is dedicated to its IETF charter and will only discuss expanding SCIM’s scope after the 2.0 version is completed. The charter’s timetable calls for that to happen in 2014.
Ansari was leading a discussion on SCIM for attendees at the Internet Identity Workshop. Ansari and other working group members are gearing up for the next IETF meeting on Nov. 1 in Atlanta, Ga.
The SCIM working group formed at the IETF three months ago and began with SCIM 1.1, a spec developed by an independent group that included Cisco, Google, Ping Identity, Nexus, SailPoint, Salesforce.com, VMware, and UnboundID.
“The charter is relatively straight forward at least until we deliver the base spec,” said Ansari. “Once we deliver we will have discussions about extending.”
Ansari said interest in SCIM grew well beyond what was first expected, and many vendors (including Ping) have already adopted the specification and are offering support to companies and organizations.
Ansari said SCIM refinements so far have been minor, including clarifications and adding more definition around extensibility.
“We also have some new abilities to do certain things so we don’t paint ourselves in a corner, but everything has been backward compatible with 1.1,” he said.
Even those in the working group who have been pushing on the spec’s boundaries are content to get 2.0 completed in line with the charter and then get down to other discussions.
Phil Hunt, a working group member from Oracle, is already thinking about the specification from a directory angle. Others, such as UnboundID and VMware, have adopted SCIM and added extensions to their implementations to meet customer needs.
Ansari said a proposal would be put forth to add a few paragraphs to SCIM concerning multi-tenancy and the spec’s API.
“This is not a proposal to change the charter,” said Trey Drake, a working group member from UnboundID. “There is no change to the charter. Round one is a lightweight provisioning engine, then we can talk extensions. We are not doing that until we get the basics down.”
The group is sensitive to changes given the nearly three years it took to complete OAuth 2.0, which SCIM relies on to authorize access to its API, after that working group wavered from its initial goals and was crippled by in-fighting.
“I feel we are 99% of the way done,” said Pam Dingle, a working group member from Ping Identity. “We need to clean up a few things and get 2.0 done. No one wants a repeat of OAuth.”
Ansari knows that SCIM has potential beyond its original roots, but he is not getting ahead of himself.
“If it comes out as an RFC with the broader clean-up and tweaks it will facilitate a much broader set of use cases,” he said.
But that is a discussion for another day.