---
title: Identity Management
description: A **quick overview** of some different issues that exist when **discussing identity management**, and in which environments using SCIM could be relevant.
color: yellow
weight: 1
---

{{< imgproc "illus-basics.png" "Illustration of the basics of identity management" >}}

{{< grid >}}

{{< card icon="user" >}}

#### Authentication

Who is this user?

{{< /card >}}

{{< card icon="lock" >}}

#### Authorization

Is this user allowed to access this resource?

{{< /card >}}

{{< card icon="cloud" >}}

#### Storage

Where are a user's identity and credentials stored?

{{< /card >}}

{{< card icon="prov" >}}

#### Provisioning

How is a user's identity managed and transferred between systems?

{{< /card >}}

{{< /grid >}}

Among all these identity management concepts, SCIM is a matter of provisioning: it concerns how the information linked to an identity is transferred between different apps.

{{< imgproc "illus-loose-data.png" "illustration of losing data" "float-right w-60">}}

### SCIM environment

Because SCIM tackles the question of provisioning, one of the identity management environments where SCIM is most relevant is one composed of many apps or services that are **not well integrated natively** and are used by many users.

To better understand, let's consider the use case of a hosting provider that builds a collaboration platform out of several different free software applications.

The digital work environment is then composed of **many applications and web services** used by **different users.** These users want **a seamless user experience** across the different apps.

With a **Single Sign-On (SSO)** system, users get a unified login and logout experience, but there is a catch.

### The problem

Traditional SSO protocols like OpenID Connect do **not support syncing user profiles across applications.** That means:

* **users are not created by default in all apps** (only after they have logged in at least once)
* there is **no mechanism to propagate the deletion of users**
* so it is **not GDPR compliant** (by default)
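The two gaps listed above can be made concrete with a small simulation. This is an added example written for this page, not code from the project it describes: an in-memory stand-in for a SCIM 2.0 `/Users` endpoint (only create, delete and list are implemented, and the class and function names are assumptions), an identity provider that pushes changes to it, and an SSO-only app that creates accounts just-in-time at first login. The `orphaned_accounts` helper is the reconciliation check an operator would run to find accounts that survive in an app after the identity was deleted upstream.

```python
"""Push provisioning (SCIM-style) versus SSO-only, just-in-time account creation.

Constructed example: the service provider below is an in-memory stand-in for a
SCIM 2.0 /Users endpoint, not a real or complete implementation.
"""
import uuid

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


class JitApp:
    """An app integrated through SSO only: accounts appear at first login and are never removed."""

    def __init__(self):
        self.accounts = {}  # subject -> local profile

    def login(self, subject, email):
        # Just-in-time creation on the first successful SSO login; no deprovisioning hook exists.
        self.accounts.setdefault(subject, {"email": email})
        return self.accounts[subject]


class ScimServiceProvider:
    """Minimal stand-in for a SCIM 2.0 /Users resource (POST, DELETE, GET list)."""

    def __init__(self):
        self.users = {}  # SCIM id -> resource

    def handle(self, method, path, body=None):
        # Mimics the (status, body) pair an HTTP SCIM endpoint would return.
        if method == "POST" and path == "/Users":
            if SCIM_USER_SCHEMA not in body.get("schemas", []):
                return 400, {"scimType": "invalidValue", "detail": "missing User schema"}
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"scimType": "uniqueness", "detail": "userName already exists"}
            resource = dict(body, id=str(uuid.uuid4()))
            self.users[resource["id"]] = resource
            return 201, resource
        if method == "DELETE" and path.startswith("/Users/"):
            uid = path[len("/Users/"):]
            if uid not in self.users:
                return 404, {"detail": "not found"}
            del self.users[uid]
            return 204, None
        if method == "GET" and path == "/Users":
            return 200, {"totalResults": len(self.users), "Resources": list(self.users.values())}
        return 404, {"detail": "unsupported"}


class IdentityProvider:
    """Source of truth for identities; pushes create/delete events to SCIM-capable apps."""

    def __init__(self, scim_apps):
        self.directory = {}  # userName -> email
        self.scim_apps = scim_apps
        self.remote_ids = {}  # (app index, userName) -> id assigned by that app

    def create_user(self, username, email):
        self.directory[username] = email
        for i, app in enumerate(self.scim_apps):
            status, resource = app.handle("POST", "/Users", {
                "schemas": [SCIM_USER_SCHEMA],
                "userName": username,
                "emails": [{"value": email, "primary": True}],
                "active": True,
            })
            if status != 201:
                raise RuntimeError(f"provisioning failed: {status} {resource}")
            self.remote_ids[(i, username)] = resource["id"]

    def delete_user(self, username):
        del self.directory[username]
        for i, app in enumerate(self.scim_apps):
            status, body = app.handle("DELETE", f"/Users/{self.remote_ids.pop((i, username))}")
            if status != 204:
                raise RuntimeError(f"deprovisioning failed: {status} {body}")


def orphaned_accounts(idp, app):
    """Accounts that exist in an SSO-only app but no longer exist in the IdP directory."""
    return sorted(set(app.accounts) - set(idp.directory))


def run_scenario():
    scim_app, jit_app = ScimServiceProvider(), JitApp()
    idp = IdentityProvider([scim_app])

    idp.create_user("alice", "alice@example.com")  # pushed to the SCIM app immediately
    jit_app.login("alice", "alice@example.com")    # the JIT app only learns of alice at login
    idp.create_user("bob", "bob@example.com")      # bob never logs into the JIT app
    idp.delete_user("alice")                       # propagated to the SCIM app only

    return {
        "scim_users": sorted(u["userName"] for u in scim_app.users.values()),
        "jit_users": sorted(jit_app.accounts),
        "orphans_in_jit_app": orphaned_accounts(idp, jit_app),
    }


if __name__ == "__main__":
    print(run_scenario())
```

After the scenario, the SCIM-integrated app holds exactly the current directory (`bob`), while the SSO-only app never received `bob` and still holds the deleted `alice`; that leftover account is what the reconciliation check flags and what a deletion-propagation mechanism such as SCIM is meant to prevent.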

#### In essence

<mark>Existing protocols are **difficult to implement and/or to use**, or are **custom to a specific use case** and therefore **non-standardized**.</mark>