eSCIMo - User Provisioning over Web
1 like•1,980 views
This document provides an overview of the System for Cross-domain Identity Management (SCIM) standard and eSCIMo, an open source implementation of SCIM for provisioning users and groups over LDAP or other data stores. It describes SCIM schemas, data models, APIs, and how eSCIMo maps schemas to attributes in LDAP. eSCIMo includes a Maven plugin to generate Java classes from schemas and a client to perform CRUD operations.
![SCIM Data Model
User
Name : Naveen S
UID : naveens
Last Name : Sivashankar
First Name : Naveen
{
}
"schemas": ["urn:scim:schemas:core:2.0:User"],
"id": "45ceb739-1695-4c03-ab18-33ac71e91875",
"userName": "naveens",
"displayName": "Naveen S",
"active": true,
"name": {
"familyName": "Sivashankar",
"givenName": "Naveen Sivashankar"
},
"emails" : [{"naveens@example.com"},{"ns@mymail.com"}],
…
7](https://image.slidesharecdn.com/ldapcon2013escimo-131119095026-phpapp02/85/eSCIMo-User-Provisioning-over-Web-7-320.jpg)
![SCIM Data Model...
e.g. Extended user
User
Enterprise User
Name : Naveen S
UID : naveens
Employee No : 11011
Cost Center : 007
{
"schemas": ["urn:scim:schemas:core:2.0:User",
"urn:scim:schemas:extension:enterprise:2.0:User"],
"id": "45ceb739-1695-4c03-ab18-33ac71e91875",
"userName": "naveens",
...
"urn:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "11011",
"costCenter": "007"
…
}
}](https://image.slidesharecdn.com/ldapcon2013escimo-131119095026-phpapp02/85/eSCIMo-User-Provisioning-over-Web-8-320.jpg)
![SCIM Data Model...
Group
Name : Administrators
Members : naveens
{
"schemas": ["urn:scim:schemas:core:2.0:Group"],
"id": "484fbc39-ae09-427b-896f-d469d28895ad",
"displayName": "Administrators",
"members": [
{
"value": "45ceb739-1695-4c03-ab18-33ac71e91875",
"$ref": "http://localhost:8080/v2/Users/45ceb739-16954c03-ab18-33ac71e91875",
"display": "naveens"
} ]
}
9](https://image.slidesharecdn.com/ldapcon2013escimo-131119095026-phpapp02/85/eSCIMo-User-Provisioning-over-Web-9-320.jpg)
![How Does It Work...
Attribute mapping contd...
Mapping a multi-valued attribute
e.g. "emails"
: [{"naveens@example.com"},{"ns@mymail.com"}]
<multival-attribute name="emails">
<at-group>
<attribute name="value" mappedTo="mail" />
</at-group>
</multival-attribute>
17](https://image.slidesharecdn.com/ldapcon2013escimo-131119095026-phpapp02/85/eSCIMo-User-Provisioning-over-Web-17-320.jpg)
![How Does It Work...
Attribute mapping contd...
e.x "groups": [
{
"id": "484fbc39-ae09-427b-896f-d469d28895ad",
"$ref": "http://localhost:8080/v2/Groups/484fbc39-ae09-427b-896fd469d28895ad",
"display": "Administrators"
}]
"id" - How can we fetch the ID of the member entry?
"$ref" - How do we build a URL dynamically?
18](https://image.slidesharecdn.com/ldapcon2013escimo-131119095026-phpapp02/85/eSCIMo-User-Provisioning-over-Web-18-320.jpg)
eSCIMo - User Provisioning over Web
- 1. User Provisioning Over Web Kiran Ayyagari
- 2. Kiran Ayyagari PMC ApacheDS project Consulting & Support on ApacheDS Started project eSCIMo [email protected], [email protected] 2
- 3. What Is SCIM System for Cross-domain Identity Management A standard for provisioning 3
- 4. SCIM Schema A collection of attribute definitions e.g. { } "id": "urn:scim:schemas:core:2.0:User", "name": "User", "description": "Core User", "attributes":[ { "name":"id", "type":"string", "multiValued":false, "description":"Unique identifier for the SCIM ressource. REQUIRED.", "readOnly":true, "required":true, "caseExact":false }, ... 4
- 5. SCIM Schema... Simple Attribute e.g. userName – a user's name Complex Attribute e.g. name – a collection of firstName, lastName etc. Multi-valued Attribute e.g. emails – a collection of all emails Sub-attribute e.g. familyName – a user's family name 5
- 6. SCIM Schema... Platform neutral JSON format URN as a ID 6
- 7. SCIM Data Model User Name : Naveen S UID : naveens Last Name : Sivashankar First Name : Naveen { } "schemas": ["urn:scim:schemas:core:2.0:User"], "id": "45ceb739-1695-4c03-ab18-33ac71e91875", "userName": "naveens", "displayName": "Naveen S", "active": true, "name": { "familyName": "Sivashankar", "givenName": "Naveen Sivashankar" }, "emails" : [{"[email protected]"},{"[email protected]"}], … 7
- 8. SCIM Data Model... e.g. Extended user User Enterprise User Name : Naveen S UID : naveens Employee No : 11011 Cost Center : 007 { "schemas": ["urn:scim:schemas:core:2.0:User", "urn:scim:schemas:extension:enterprise:2.0:User"], "id": "45ceb739-1695-4c03-ab18-33ac71e91875", "userName": "naveens", ... "urn:scim:schemas:extension:enterprise:2.0:User": { "employeeNumber": "11011", "costCenter": "007" … } }
- 9. SCIM Data Model... Group Name : Administrators Members : naveens { "schemas": ["urn:scim:schemas:core:2.0:Group"], "id": "484fbc39-ae09-427b-896f-d469d28895ad", "displayName": "Administrators", "members": [ { "value": "45ceb739-1695-4c03-ab18-33ac71e91875", "$ref": "http://localhost:8080/v2/Users/45ceb739-16954c03-ab18-33ac71e91875", "display": "naveens" } ] } 9
- 10. SCIM API Uses REST Supports CRUD operations Bulk modification Paged search
- 11. What Is eSCIMo An implementation of SCIM v2.0 Supports LDAP as a backend by default Can work with any LDAP server Embeddable in ApacheDS 11
- 12. Running eSCIMo Scenario 1 App Server/ Container eSCIMo eSCIMo LDAP Server 12
- 14. Architecture of eSCIMo Security Filter REST API Resource Provider Interface LDAP Resource Provider RDBMS Resource Provider ???? Resource Provider Implemented Not Implemented LDAP RDBMS 14 ???
- 15. How Does It Work? Attribute mapping Mapping a simple attribute - e.g. "id": "45ceb739-1695-4c03-ab18-33ac71e91875" "userName": "naveens" <attribute name="id" mappedTo="entryUUID" /> <attribute name="userName" mappedTo="uid" /> 15
- 16. How Does It Work... Attribute mapping contd... Mapping a complex attribute e.g. "name": { "familyName": "Sivashankar", "givenName": "Naveen Sivashankar" } <complex-attribute name="name"> <at-group> <attribute name="familyName" mappedTo="sn" /> <attribute name="givenName" mappedTo="cn" /> </at-group> </complex-attribute> 16
- 17. How Does It Work... Attribute mapping contd... Mapping a multi-valued attribute e.g. "emails" : [{"[email protected]"},{"[email protected]"}] <multival-attribute name="emails"> <at-group> <attribute name="value" mappedTo="mail" /> </at-group> </multival-attribute> 17
- 18. How Does It Work... Attribute mapping contd... e.x "groups": [ { "id": "484fbc39-ae09-427b-896f-d469d28895ad", "$ref": "http://localhost:8080/v2/Groups/484fbc39-ae09-427b-896fd469d28895ad", "display": "Administrators" }] "id" - How can we fetch the ID of the member entry? "$ref" - How do we build a URL dynamically? 18
- 19. How Does It Work... Attribute Handlers Handler Implementation public class GroupsAttributeHandler extends LdapAttributeHandler { public void read(); public void write(); public void patch(); } Handler definition <handler name="groupsHandler" class="org.apache.directory.scim.ldap.handlers.GroupsAttributeHandler" /> Handler mapping <multival-attribute name="groups" baseDn="ou=system" filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" /> 19
- 20. eSCIMo Json2Java Is a Maven plugin Generates Java classes from SCIM schemas 20
- 21. eSCIMo Client Works with the generated model classes e.x. Adding a User resource User user = new User(); user.setUserName( "naveens" ); user.setDisplayName( "Naveen Sivashankar" ); user.setPassword( "secret" ); Name name = new Name(); name.setFamilyName( "Sivashankar" ); name.setGivenName( "Naveen" ); user.setName( name ); EscimoResult result = client.addUser( user ); 21
- 22. Demo 22
- 23. Questions ? 23
- 24. Thank you!