OASIS Mailing List Archives

provision message



Subject: Re: [provision] FYI: Simple Cloud Identity Management (SCIM)


The major attraction of SCIM appears to be REST.  That, and the chance  
to make a fresh start (which sometimes amounts to the grass being  
greener).

There was also talk of managing the life-cycle of identities, and of  
managing access.  That amounts to a standard schema or to the  
*functional* equivalent of a standard schema.  In case that statement  
is unclear, the Password Capability in SPMLv2 is an attempt to  
abstract password management as functions or methods or operations  
rather than as a set of attributes (e.g., "password",  
"passwordExpireDate"). The Identity Connector Framework took the  
opposite approach of predefining certain object-classes and  
attributes: a connector that declares one of those "reserved words" in  
its schema opts into the contract for that object-class or attribute.

It's not terribly difficult to define a RESTful interface that  
addresses the use-cases for identity management.  I've done it before  
in a way that was generic enough to support users with accounts on  
many different types of applications.  I imagine that one also could  
define a RESTful interface that manages access.  Getting people to  
agree on any particular representation is more difficult; this was the  
main problem that beset the standard schema effort.  Standards are  
like treaties; vendors must have more to gain by cooperative  
competition than by proprietary competition in order to adopt a  
standard meaningfully.

Google seems happy enough with its proprietary API, according to the  
article.  We'd have to see how interested the SCIM community would be  
in having our help--and whether in fact that would be considered  
helpful.

Gary

On Apr 25, 2011, at 9:38 AM, Richard Sand wrote:

> Well we knew this was coming...
>
> It doesn't surprise me that this effort is underway, only that it  
> took them so long to get started. Google's existing API has a decent  
> REST interface that supports the basic CRUD operations on users,  
> groups, and roles, but uses a somewhat clumsy XML payload which was  
> not actually intended for purposes of provisioning. OpenPTK (which I  
> believe is backed by Oracle) also has a REST interface that can use  
> SPML payload amongst others.
>
> I guess on the call today we can have a discussion about where we go  
> from here.
>
> Richard Sand | CEO
> 239 Kings Highway East | Haddonfield | New Jersey 08033 | USA
> Mobile: +1 267 984 3651 | Office: +1 856 795 1722 | Fax: +1 856 795 1733
>
>
>
>
> -----Original Message-----
> From: John, Anil [mailto:Anil.John@jhuapl.edu]
> Sent: Monday, April 25, 2011 9:57 AM
> To: provision@lists.oasis-open.org
> Subject: [provision] FYI: Simple Cloud Identity Management (SCIM)
>
> From SPML churn rises new crack at provisioning standard
> http://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/4/22/SPML-churn-leaves-provisioning-proprietary
>
> SCIM - will SPML shortcomings be reinvented?
> http://blogs.kuppingercole.com/kuppinger/2011/04/23/scim-will-spml-shortcomings-be-reinvented/
>
> Regards,
>
> - Anil
>
> :-
> :- Anil John
> :- Johns Hopkins University - APL
> :- http://www.jhuapl.edu
> :- +1 240.228.0612
> :-
> :- E-Mail Response Time: 24 hrs
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>