scim-docs/content/overview/identity-management.md
2024-11-04 17:07:02 +01:00
---
title: Identity Management
description : A **quick overview** of some of the issues that arise when **discussing identity management**, and of the environments in which using SCIM is relevant.
color : yellow
weight : 1
---
{{< imgproc "illus-basics.png" "Illustration of the basics of identity management" >}}
{{< grid >}}
{{< card icon="user" >}}
#### Authentication
Who is this user?
{{< /card >}}
{{< card icon="lock" >}}
#### Authorization
Is this user allowed to access this resource?
{{< /card >}}
{{< card icon="cloud" >}}
#### Storage
Where are users' identities and credentials stored?
{{< /card >}}
{{< card icon="prov" >}}
#### Provisioning
How are users' identities managed and transferred between apps?
{{< /card >}}
{{< /grid >}}
Among all these identity management concepts, SCIM is a matter of provisioning: it concerns how the information linked to an identity is transferred between different apps.
{{< imgproc "illus-loose-data.png" "illustration of losing data" "float-right w-60">}}
### SCIM environment
Because SCIM tackles the question of provisioning, one of the identity management environments where SCIM is most relevant is one composed of many apps or services that are **not well integrated natively** and are used by many users.
To better understand, let's consider the use case of a hosting provider that builds a collaboration platform out of several pieces of free software.
The digital work environment is then composed of **many applications and web services** used by **different users.** These users want **a seamless user experience** across the different apps.
With a **Single Sign-on (SSO)** system, users get a unified login and logout experience, but there is a catch.
### The problem
Traditional SSO protocols such as OpenID Connect handle authentication only: they do **not provision or sync user profiles across applications.** That means:
* **users are not created by default in all apps**: an account appears in an app only after the user has logged into it at least once (just-in-time creation)
* **there is no mechanism to propagate the deletion (or deactivation) of a user**, so accounts linger in apps the user should no longer have access to
* so such a setup is **not GDPR compliant** (by default): an erasure request cannot be honoured automatically across every app
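To make that gap concrete, here is an added example (not code from the SCIM project or from this site) that models both situations in memory: an identity provider that pushes the full user lifecycle to two applications over SCIM 2.0 messages (RFC 7643 User resources, RFC 7644 POST/PATCH/DELETE on `/Users`), next to the SSO-only behaviour where an account is created only at first login and nothing propagates its deletion. The `FakeApp` and `Provisioner` classes, the app names `wiki` and `chat`, and the user `alice` are constructed for illustration; the apps are stand-ins for real SCIM service providers and no HTTP is sent.

```python
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"      # RFC 7643 section 4.1
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644 section 3.5.2


class FakeApp:
    """Hypothetical service provider: an in-memory stand-in for a SCIM /Users endpoint."""

    def __init__(self, name):
        self.name = name
        self.users = {}  # SCIM id -> User resource

    def create_user(self, resource):
        """POST /Users -> (201, stored resource); 409 if userName already exists."""
        if resource.get("schemas") != [SCIM_USER]:
            return 400, None
        if any(u["userName"] == resource["userName"] for u in self.users.values()):
            return 409, None
        stored = dict(resource, id=str(uuid.uuid4()))
        self.users[stored["id"]] = stored
        return 201, stored

    def patch_user(self, uid, patch):
        """PATCH /Users/{id}; only 'replace' on a top-level attribute is modelled."""
        user = self.users.get(uid)
        if user is None:
            return 404, None
        if patch.get("schemas") != [SCIM_PATCH]:
            return 400, None
        for op in patch["Operations"]:
            if op["op"].lower() != "replace":
                return 400, None
            user[op["path"]] = op["value"]
        return 200, user

    def delete_user(self, uid):
        """DELETE /Users/{id} -> 204, or 404 if the id is unknown."""
        if uid not in self.users:
            return 404
        del self.users[uid]
        return 204

    def jit_login(self, username):
        """SSO-only behaviour: the account only appears at the user's first login."""
        if not any(u["userName"] == username for u in self.users.values()):
            self.create_user({"schemas": [SCIM_USER], "userName": username, "active": True})


class Provisioner:
    """Identity provider side: pushes every lifecycle event to every app over SCIM."""

    def __init__(self, apps):
        self.apps = apps
        self.links = {}  # userName -> {app name: SCIM id in that app}

    def onboard(self, username, display_name, email):
        resource = {"schemas": [SCIM_USER], "userName": username,
                    "displayName": display_name, "active": True,
                    "emails": [{"value": email, "primary": True}]}
        self.links[username] = {}
        for app in self.apps:
            status, stored = app.create_user(resource)
            if status != 201:
                raise RuntimeError(f"{app.name}: unexpected status {status}")
            self.links[username][app.name] = stored["id"]
        return self.links[username]

    def deactivate(self, username):
        """Soft offboarding: active=false everywhere, data kept until deletion."""
        patch = {"schemas": [SCIM_PATCH],
                 "Operations": [{"op": "replace", "path": "active", "value": False}]}
        return {a.name: a.patch_user(self.links[username][a.name], patch)[0]
                for a in self.apps}

    def offboard(self, username):
        """Hard offboarding: delete the account in every app, then drop the links."""
        statuses = {a.name: a.delete_user(self.links[username][a.name]) for a in self.apps}
        del self.links[username]
        return statuses


def accounts_after_sso_only_offboarding():
    """No SCIM: alice logs into 'wiki' only and is then removed at the IdP.
    'wiki' keeps an orphaned account; 'chat' never had one."""
    wiki, chat = FakeApp("wiki"), FakeApp("chat")
    wiki.jit_login("alice")
    # The IdP deletes alice here; no protocol message reaches the apps.
    return {a.name: len(a.users) for a in (wiki, chat)}


def accounts_with_scim_lifecycle():
    """With SCIM: create in all apps up front, deactivate, then delete everywhere."""
    wiki, chat = FakeApp("wiki"), FakeApp("chat")
    idp = Provisioner([wiki, chat])
    idp.onboard("alice", "Alice Martin", "alice@example.com")
    created = {a.name: len(a.users) for a in (wiki, chat)}
    deactivated = idp.deactivate("alice")
    deleted = idp.offboard("alice")
    remaining = {a.name: len(a.users) for a in (wiki, chat)}
    return created, deactivated, deleted, remaining
```

Calling `accounts_after_sso_only_offboarding()` gives `{"wiki": 1, "chat": 0}`: the orphan in `wiki` is exactly the GDPR problem above. `accounts_with_scim_lifecycle()` returns one account per app after onboarding, `200` from each deactivation, `204` from each deletion and zero remaining accounts, because the identity provider holds the SCIM ids for every app and drives the lifecycle itself rather than waiting for a login.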
#### In essence
<mark>Existing protocols are either **difficult to implement and/or to use**, or **custom to a specific use case** and therefore **non-standardized**.</mark>