Fast Cloud Identity Provisioning

Back in July, I wrote about a new RESTful API that cloud providers and provisioning vendors are working on for doing identity provisioning and synching: Simple Cloud Identity Management, or SCIM (like the milk). At last week's Internet Identity Workshop -- only five months after this draft spec made its formal debut! -- I had a chance to see the SCIM developers' live interop session in action. The interop saw successful participation by the likes of Cisco, Ping Identity, Sailpoint, salesforce.com, Technology Nexus, and UnboundID, with user accounts being securely created and torn down rapid-fire over the ether.
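To make the "accounts created and torn down over a RESTful API" part concrete, here is an added example of the service-provider side of a SCIM `/Users` resource, written for this page rather than taken from the post or from any of the interop participants' code. It uses the SCIM 2.0 resource and error shapes from RFC 7643/7644, which post-date the draft discussed here; the bearer token, user names and e-mail addresses are constructed. The security-relevant points it shows are the ones a provisioning endpoint has to get right: every call is authenticated (with a constant-time token compare), `userName` uniqueness is enforced with a 409, and deleting an already-removed account is a 404 rather than a silent success.

```python
import hmac
import uuid

# Constructed bearer token for the provisioning client; a real deployment
# issues one per client (typically an OAuth access token) and rotates it.
PROVISIONING_TOKEN = "constructed-example-token"

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail, scim_type=None):
    """Build a SCIM Error response body (RFC 7644 section 3.12 shape)."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUserStore:
    """In-memory service-provider side of the SCIM /Users resource: create and delete only."""

    def __init__(self, token=PROVISIONING_TOKEN):
        self._token = token
        self._users = {}        # id -> User resource
        self._by_username = {}  # userName -> id; userName must be unique per tenant

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return False
        # Constant-time comparison so a wrong token cannot be confirmed byte by byte via timing.
        return hmac.compare_digest(auth[len("Bearer "):], self._token)

    def handle(self, method, path, headers, body=None):
        """Dispatch one request. Returns (HTTP status, response body or None)."""
        if not self._authorized(headers):
            return scim_error(401, "missing or invalid bearer token")
        if method == "POST" and path == "/Users":
            return self._create(body or {})
        if method == "DELETE" and path.startswith("/Users/"):
            return self._delete(path[len("/Users/"):])
        return scim_error(404, "no such resource")

    def _create(self, body):
        if USER_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "missing core User schema", "invalidValue")
        user_name = body.get("userName")
        if not isinstance(user_name, str) or not user_name:
            return scim_error(400, "userName is required", "invalidValue")
        if user_name in self._by_username:
            return scim_error(409, "userName already exists", "uniqueness")
        uid = str(uuid.uuid4())  # server-assigned, never taken from the client
        resource = {
            "schemas": [USER_SCHEMA],
            "id": uid,
            "userName": user_name,
            "active": bool(body.get("active", True)),
            "emails": list(body.get("emails", [])),
            "meta": {"resourceType": "User", "location": f"/Users/{uid}"},
        }
        self._users[uid] = resource
        self._by_username[user_name] = uid
        return 201, resource

    def _delete(self, uid):
        resource = self._users.pop(uid, None)
        if resource is None:
            return scim_error(404, f"User {uid} not found")
        del self._by_username[resource["userName"]]
        return 204, None


def provisioning_round_trip(store, user_name):
    """Create a user then tear it down, as a provisioning client would; returns the status codes seen."""
    headers = {"Authorization": f"Bearer {PROVISIONING_TOKEN}"}
    new_user = {"schemas": [USER_SCHEMA], "userName": user_name,
                "emails": [{"value": user_name, "primary": True}]}  # constructed sample input
    status, created = store.handle("POST", "/Users", headers, new_user)
    if status != 201:
        return [status]
    return [status, store.handle("DELETE", created["meta"]["location"], headers)[0]]


if __name__ == "__main__":
    print(provisioning_round_trip(ScimUserStore(), "alice@example.com"))  # [201, 204]
```

A real deployment would put this behind HTTPS and a proper HTTP framework, return `Location` headers and `meta.created` timestamps, and tie the bearer token to a specific provisioning client so that an account-lifecycle event can be attributed in the audit log; the in-memory dispatcher above keeps only the request/response contract so the lifecycle is easy to follow.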

What's more, in talking with a more traditional on-premises identity vendor later in the week, I discovered that they loved how SCIM was shaping up, and planned to check it out ASAP as a way they could expose their own provisioning functionality.

In this Zero Trust world, with perimeters melting all over the place, I'm seeing signs that this lightweight API trend for IdM functionality is only going to accelerate. What do you think? If you're coming to Forrester Security Forum in a couple of weeks, I hope you'll grab me for a conversation about how this trend impacts your plans.

Comments

Simple Cloud User Management

So how many rounds did the "Simple Cloud User Management" joke make at the IIW???? :)

Heh

At least as many as the South Lake Union Trolley jokes around Seattle did in the last few years!

Securing the 3LO for Mobile/Installed Apps

Lol.

Btw, did you get a chance to attend the IIW talk with Scotty, Travis and Tarik about securing the 3LO for Mobile/Installed Apps??? If so, what are your thoughts on the scheme they proposed?

Saqib.
p.s. I do miss the witty titles on pushing strings :)

Mobile client registration

The model they proposed is really quite interesting. I have to study it in more depth, but if they've cracked the "mobile client instance registration" problem, that would be really key. I was thinking it looks a little bit like the solution a bunch of us outlined in this I-D:

http://www.ietf.org/id/draft-hardjono-oauth-dynreg-01.txt

(I'll work on that whole witty title thing... Wait till you see the new research report I've got coming out any day now.)

Rather cumbersome

Would really like to hear your thoughts on the scheme once you have studied it in depth.

Personally, I think it is an interesting idea, but rather cumbersome. From an enterprise point of view, using a Mobile Device Management suite to whitelist a marketplace of trusted apps would be an easier way to address the problem with untrusted apps. However, I understand that only addresses the enterprise use case, and not the consumer use case. For the consumer space, a scheme like what Scotty, Travis and Tarik proposed would be required.

Adoption of SCIM

SCIM will be adopted by all Cloud provisioning actors.
We have also been following SCIM since the beginning of the project, and it will be integrated in our provisioning platform.
Standalone, our product also works perfectly with the Microsoft meta directory (FIM Synchronization Service) and permits extending the capabilities of FIM 2010. Customers who have invested in this platform will be able to maximize their investment. Connected to FIM 2010, our product CloudAnywhere plugs FIM 2010 into the Cloud and will integrate SCIM into FIM 2010.
More information at http://www.bcpsoft.fr/en/synchro/cloudanywhere-en/

SCIM

Eve,
Totally agree on SCIM. We are in the process of adding support for it in our flagship ViewDS Discovery Server (Directory) and our new ViewDS Identity Bridge Synchronisation and Integration Engine.

Andrew Ferguson
www.viewds.com.

Additional SCIM support

Andrew, thanks for letting us know about your product plans!