Overviews on Scim - Libre.sh
//localhost:1313/overview/
Recent content in Overviews on Scim - Libre.sh (generator: Hugo, language: en)

Identity Management
//localhost:1313/overview/identity-management/
Mon, 01 Jan 0001 00:00:00 +0000

<picture>
  <source srcset="media/small/illus-basics.svg" media="(max-width: 768px)">
  <img src="media/illus-basics.svg" alt="Illustration of the basics of identity management">
</picture>
<section class="grid">
  <div class="card flex">
    <h4 id="authentication">Authentication</h4>
    <p>Who is this user?</p>
  </div>
</section>

The solution, SCIM
//localhost:1313/overview/scim/
Mon, 01 Jan 0001 00:00:00 +0000

<img alt="Scim diagram" src="media/scim-diagram-ressource.svg" class="float-right">
<h3 id="quick-overview">Quick overview</h3>
<p>The <strong>SCIM protocol</strong> is an application-level protocol for <strong>provisioning</strong> and <strong>managing identity</strong> data specified through SCIM schemas. Its intent is to <strong>reduce the cost and complexity</strong> of user management operations.</p>
<ul>
  <li>A <strong>common user schema, built on existing schemas and deployments</strong></li>
  <li><strong>Extension models</strong></li>
  <li>Specific emphasis on <strong>simplicity of development and integration</strong></li>
  <li><strong>Applying existing models</strong> (authentication, authorization, and privacy)</li>
  <li>Binding documents that provide <strong>patterns for exchanging this schema using standard protocols</strong></li>
  <li>Easier <strong>GDPR compliance</strong></li>
  <li>A <strong>consolidated user experience</strong> across multiple FOSS applications, presented as one platform</li>
</ul>
<section class="grid">
  <div class="card flex">
    <h4 id="resource-based">Resource based</h4>
    <p>In SCIM 2.0 <strong>a Resource is the common denominator</strong>, and all SCIM objects are derived from it.</p>
  </div>
</section>

How do we use SCIM?
//localhost:1313/overview/scenario/
Mon, 01 Jan 0001 00:00:00 +0000

<img alt="Scim diagram" src="media/scim-diagram-1.svg" class="float-right">
<h3 id="scim-client-and-server">SCIM Client and Server</h3>
<p>While SCIM is a protocol for provisioning and managing identity, there <strong>isn't really a concept of an Identity Provider (IdP)</strong>. In the SCIM architecture there is (only) <strong>the Client, making the HTTP calls, and the Server receiving them</strong>.</p>
<p><strong>Our use of SCIM</strong>: our chosen architecture is as follows. A <strong>SCIM Client co-located with the Identity Provider</strong> propagates every change by calling each <strong>SCIM Server co-located with an application</strong>.</p>

Why is SCIM better?
//localhost:1313/overview/comparison/
Mon, 01 Jan 0001 00:00:00 +0000

<h3 id="others-management-protocols">Other management protocols</h3>
<div id="Ldap" class="switch-box">
  <p>With this LDAP approach <strong>everything is centralized</strong> (except authorization).</p>
  <picture>
    <source srcset="media/small/ldap-diagram.svg" media="(max-width: 768px)">
    <img src="media/ldap-diagram.svg" alt="LDAP diagram">
  </picture>
  <p><strong>Everything speaks the LDAP protocol.</strong> Identities are stored in an LDAP directory, which is provisioned via the LDAP protocol. Authentication is done by the application itself: it asks the user for their credentials and validates them against the directory via the LDAP protocol.</p>
</div>
<div id="Ldap&#43;SSO" class="switch-box">
  <p>This architecture <strong>tackles the two main drawbacks of the LDAP-only approach</strong>: the missing single sign-on and the security risk of every application handling the user's credentials directly. <strong>Authentication is delegated to other web protocols</strong> (such as OAuth, OIDC or SAML). This way, the user logs in only once, at the identity provider.</p>
</div>