scim-docs/content/overview/identity-management.md
2024-11-04 17:07:02 +01:00


---
title: Identity Management
description: A **quick overview** of some different issues that exist when **discussing identity management**, and in which environments using SCIM could be relevant.
color: yellow
weight: 1
---

{{< imgproc "illus-basics.png" "Illustration of the basics of identity management" >}}

{{< grid >}}
{{< card icon="user" >}}

### Authentication

Who is this user?
{{< /card >}}

{{< card icon="lock" >}}

### Authorization

Is this user allowed to access this resource?
{{< /card >}}

{{< card icon="cloud" >}}

### Storage

Where are users' identities and credentials stored?
{{< /card >}}

{{< card icon="prov" >}}

### Provisioning

How are users' identities managed and transferred between systems?
{{< /card >}}
{{< /grid >}}

Among all these identity management concepts, SCIM is a matter of provisioning: it concerns how the information linked to an identity is transferred between different apps.

{{< imgproc "illus-loose-data.png" "illustration of losing data" "float-right w-60">}}

## SCIM environment

Because SCIM tackles the question of provisioning, one of the identity management environments where SCIM is most relevant is one composed of many apps or services that are not natively well integrated with each other and are used by many users.

To better understand, let's consider the use case of a hosting provider that develops a collaboration platform built from several different free software applications.

The digital work environment is then composed of many applications and web services used by different users. These users want a seamless user experience across the different apps.

With a Single Sign-On (SSO) system, users get a unified login and logout experience, but there is a catch.

## The problem

Traditional SSO protocols like OpenID Connect do not support syncing user profiles across applications. That means:

  • users are not created in all apps by default (an account appears in an app only after the user has logged in to it at least once)
  • there is no mechanism to propagate the deletion of users to the apps
  • so, by default, the setup is not GDPR compliant
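To make the two problems above concrete, here is an added example (not code from the SCIM docs or from the hosting provider described on this page): a toy in-memory simulation of three apps of a collaboration platform, first with SSO-only "just-in-time" account creation, then with an identity provider that pushes account creations and deletions over a SCIM-shaped `/Users` endpoint. The app names, the two users and the `ext-…` identifiers are constructed sample data; the endpoint only mimics the request and response shapes of RFC 7643/7644 (`POST /Users` returning 201, `DELETE /Users/{id}` returning 204) and is not a complete SCIM service provider.

```python
"""Added example: SSO-only account creation versus SCIM push provisioning.
All apps, users and identifiers below are constructed sample data."""
import json
import uuid

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

APP_NAMES = ("mail", "chat", "files")                  # constructed platform
SAMPLE_IDP_USERS = {"ext-001": "alice", "ext-002": "bob"}  # constructed IdP data


def scim_error(status, detail, scim_type=None):
    """Build a SCIM 2.0 error body (RFC 7644 section 3.12)."""
    body = {"schemas": [SCIM_ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, json.dumps(body)


class ScimApp:
    """One application of the platform, holding its own local user store."""

    def __init__(self, name):
        self.name = name
        self.users = {}        # SCIM id -> stored User resource
        self.by_external = {}  # IdP identifier (externalId) -> SCIM id

    # Plain SSO (e.g. OpenID Connect) behaviour: the account is created on
    # first login and nothing else is ever propagated from the IdP.
    def sso_login(self, external_id, user_name):
        if external_id not in self.by_external:
            self._create({"externalId": external_id, "userName": user_name})
        return self.by_external[external_id]

    # SCIM behaviour: the IdP pushes creations and deletions explicitly.
    def post_users(self, body):
        """POST /Users: validate the core schema, reject duplicates, create."""
        resource = json.loads(body)
        if SCIM_USER_SCHEMA not in resource.get("schemas", []):
            return scim_error(400, "missing core User schema", "invalidValue")
        if "userName" not in resource:
            return scim_error(400, "userName is required", "invalidValue")
        if resource.get("externalId") in self.by_external:
            return scim_error(409, "externalId already provisioned", "uniqueness")
        return 201, json.dumps(self._create(resource))

    def delete_user(self, scim_id):
        """DELETE /Users/{id}: remove the account and its externalId mapping."""
        resource = self.users.pop(scim_id, None)
        if resource is None:
            return scim_error(404, "Resource not found")
        self.by_external.pop(resource.get("externalId"), None)
        return 204, ""

    def _create(self, resource):
        scim_id = str(uuid.uuid4())
        stored = dict(resource, id=scim_id, schemas=[SCIM_USER_SCHEMA],
                      meta={"resourceType": "User", "location": f"/Users/{scim_id}"})
        self.users[scim_id] = stored
        if "externalId" in stored:
            self.by_external[stored["externalId"]] = scim_id
        return stored


def total_accounts(apps):
    return sum(len(app.users) for app in apps.values())


def sso_only_scenario():
    """alice used mail and chat, bob only used mail; then the IdP offboards
    both. Returns (accounts before offboarding, accounts after)."""
    apps = {name: ScimApp(name) for name in APP_NAMES}
    idp = dict(SAMPLE_IDP_USERS)
    apps["mail"].sso_login("ext-001", idp["ext-001"])
    apps["chat"].sso_login("ext-001", idp["ext-001"])
    apps["mail"].sso_login("ext-002", idp["ext-002"])
    before = total_accounts(apps)   # 3 accounts, not 6: files has nobody
    idp.clear()                     # offboarding: no message reaches the apps
    return before, total_accounts(apps)  # still 3: orphaned accounts remain


def scim_scenario():
    """The IdP acts as SCIM client: it creates every user in every app up
    front and deletes them on offboarding. Returns (accounts after
    provisioning, accounts after deprovisioning)."""
    apps = {name: ScimApp(name) for name in APP_NAMES}
    idp = dict(SAMPLE_IDP_USERS)
    ids = {}  # (app name, externalId) -> SCIM id returned by that app
    for external_id, user_name in idp.items():
        body = json.dumps({"schemas": [SCIM_USER_SCHEMA],
                           "externalId": external_id, "userName": user_name})
        for app in apps.values():
            status, payload = app.post_users(body)
            assert status == 201, payload
            ids[(app.name, external_id)] = json.loads(payload)["id"]
    provisioned = total_accounts(apps)   # 6: every user in every app
    for external_id in list(idp):
        for app in apps.values():
            status, _ = app.delete_user(ids[(app.name, external_id)])
            assert status == 204
        del idp[external_id]
    return provisioned, total_accounts(apps)  # (6, 0): nothing left behind


if __name__ == "__main__":
    print("SSO only  (before, after offboarding):", sso_only_scenario())
    print("SCIM push (provisioned, after offboarding):", scim_scenario())
```

The SSO-only run ends with the same three accounts it started with, in apps the IdP no longer knows about; the SCIM run ends with zero, because the deletion is pushed to each app by id. The `externalId` attribute is what lets the identity provider correlate its own identifier with the id each app assigned, which is why the client stores the returned id per app.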

## In essence

Existing protocols are either difficult to implement and/or to use, or are custom-built for a specific use case and therefore not standardized.