OASIS Mailing List Archives

 




Subject: Re: [provision] FYI: Simple Cloud Identity Management (SCIM)


All,
Any and all input to SCIM is welcome. Please feel free to join the CloudDir (bad name) Google group to discuss online. We are also planning to discuss this in more detail at IIW next week. We also expect to release a couple more specs this week, specifically a REST API binding that describes the CRUD operations. This will borrow heavily from POCO. In addition, we will publish a SAML binding that describes how to Create/Update a user account via SAML SSO. We felt that the most difficult and contentious piece of this effort was going to be defining a baseline core schema that describes a minimum set of user attributes that can be used by cloud providers. Hence that is the first spec published for comment.
Cheers
Patrick



SCIM is certainl

On Mon, Apr 25, 2011 at 11:59 AM, Gary Cole <gary.cole@oracle.com> wrote:
The major attraction of SCIM appears to be REST.  That, and the chance to make a fresh start (which sometimes amounts to the grass being greener).

There was also talk of managing the life-cycle of identities, and of managing access.  That amounts to a standard schema or to the *functional* equivalent of a standard schema.  In case that statement is unclear, the Password Capability in SPMLv2 is an attempt to abstract password management as functions or methods or operations rather than as a set of attributes (e.g., "password", "passwordExpireDate"). The Identity Connector Framework took the opposite approach of predefining certain object-classes and attributes: a connector that declares one of those "reserved words" in its schema opts into the contract for that object-class or attribute.

It's not terribly difficult to define a RESTful interface that addresses the use-cases for identity management.  I've done it before in a way that was generic enough to support users with accounts on many different types of applications.  I imagine that one also could define a RESTful interface that manages access.  Getting people to agree on any particular representation is more difficult; this was the main problem that beset the standard schema effort.  Standards are like treaties; vendors must have more to gain by cooperative competition than by proprietary competition in order to adopt a standard meaningfully.

Google seems happy enough with its proprietary API, according to the article.  We'd have to see how interested the SCIM community would be in having our help--and whether in fact that would be considered helpful.

Gary


On Apr 25, 2011, at 9:38 AM, Richard Sand wrote:

Well we knew this was coming...

It doesn't surprise me that this effort is underway, only that it took them so long to get started. Google's existing API has a decent REST interface that supports the basic CRUD operations on users, groups, and roles, but uses a somewhat clumsy XML payload which was not actually intended for purposes of provisioning. OpenPTK (which I believe is backed by Oracle) also has a REST interface that can use SPML payload amongst others.

I guess on the call today we can have a discussion about where we go from here.

Richard Sand | CEO
239 Kings Highway East | Haddonfield | New Jersey 08033 | USA
Mobile: +1 267 984 3651| Office: +1 856 795 1722| Fax: +1 856 795 1733




-----Original Message-----
From: John, Anil [mailto:Anil.John@jhuapl.edu]
Sent: Monday, April 25, 2011 9:57 AM
To: provision@lists.oasis-open.org
Subject: [provision] FYI: Simple Cloud Identity Management (SCIM)

From SPML churn rises new crack at provisioning standard
http://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/4/22/SPML-churn-leaves-provisioning-proprietary

SCIM - will SPML shortcomings be reinvented?
http://blogs.kuppingercole.com/kuppinger/2011/04/23/scim-will-spml-shortcomings-be-reinvented/

Regards,

- Anil

:-
:- Anil John
:- Johns Hopkins University - APL
:- http://www.jhuapl.edu
:- +1 240.228.0612
:-
:- E-Mail Response Time: 24 hrs
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php





--
Patrick Harding  |  CTO
PingIdentity  |   www.pingidentity.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
O: +1 781.373.4859   M: +1 617.304.0659
Email: pharding@pingidentity.com


