simplecloud.info Open in urlscan Pro
185.199.109.153  Public Scan

Submitted URL: http://www.simplecloud.info/
Effective URL: http://simplecloud.info/
Submission: On October 19 via manual from IL — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

 * Overview (current)
 * Specification
 * Resources
 * Implementations
   SCIM 2.0 SCIM 1.1


SYSTEM FOR CROSS-DOMAIN IDENTITY MANAGEMENT

SCIM 2, the open API for managing identities is now complete and published under
the IETF.

OVERVIEW

The System for Cross-domain Identity Management (SCIM) specification is designed
to make managing user identities in cloud-based applications and services
easier. The specification suite seeks to build upon experience with existing
schemas and deployments, placing specific emphasis on simplicity of development
and integration, while applying existing authentication, authorization, and
privacy models. Its intent is to reduce the cost and complexity of user
management operations by providing a common user schema and extension model, as
well as binding documents to provide patterns for exchanging this schema using
standard protocols. In essence: make it fast, cheap, and easy to move users in
to, out of, and around the cloud.

Information on this overview page is not normative.

MODEL

SCIM 2.0 is built on a object model where a Resource is the common denominator
and all SCIM objects are derived from it. It has id, externalId and meta as
attribute and RFC7643 defines User, Group and EnterpriseUser that extends the
common attributes.

EXAMPLE USER

This is an example of how user data can be encoded as a SCIM object in JSON.

While this example does not contain the full set of attributes available, notice
the different types of data that can be used to create SCIM objects. Simple
types like strings for id, username, etc. Complex types, i.e. attributes that
have sub-attributes, for name and address. Multivalued types for e-mail,
phonenumber, address, etc.

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id":"2819c223-7f76-453a-919d-413861904646",
  "externalId":"dschrute",
  "meta":{
    "resourceType": "User",
    "created":"2011-08-01T18:29:49.793Z",
    "lastModified":"2011-08-01T18:29:49.793Z",
    "location":"https://example.com/v2/Users/2819c223...",
    "version":"W\/\"f250dd84f0671c3\""
  },
  "name":{
    "formatted": "Mr. Dwight K Schrute, III",
    "familyName": "Schrute",
    "givenName": "Dwight",
    "middleName": "Kurt",
    "honorificPrefix": "Mr.",
    "honorificSuffix": "III"
  },
  "userName":"dschrute",
  "phoneNumbers":[
    {
      "value":"555-555-8377",
      "type":"work"
    }
  ],
  "emails":[
    {
      "value":"dschrute@example.com",
      "type":"work",
      "primary": true
    }
  ]
}



EXAMPLE GROUP

In addition to users, SCIM includes the defintions of groups. Groups are used to
model the organizational structure of provisioned resources. Groups can contain
users or other groups.

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "id":"e9e30dba-f08f-4109-8486-d5c6a331660a",
  "displayName": "Sales Reps",
  "members":[
    {
      "value": "2819c223-7f76-453a-919d-413861904646",
      "$ref": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
      "display": "Dwight Schrute"
    },
    {
      "value": "902c246b-6245-4190-8e05-00816be7344a",
      "$ref": "https://example.com/v2/Users/902c246b-6245-4190-8e05-00816be7344a",
      "display": "Jim Halpert"
    }
  ],
  "meta": {
    "resourceType": "Group",
    "created": "2010-01-23T04:56:22Z",
    "lastModified": "2011-05-13T04:42:34Z",
    "version": "W\/\"3694e05e9dff592\"",
    "location": "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a"
  }
}



OPERATIONS

For manipulation of resources, SCIM provides a REST API with a rich but simple
set of operations, which support everything from patching a specific attribute
on a specific user to doing massive bulk updates:

 * Create: POST https://example.com/{v}/{resource}
 * Read: GET https://example.com/{v}/{resource}/{id}
 * Replace: PUT https://example.com/{v}/{resource}/{id}
 * Delete: DELETE https://example.com/{v}/{resource}/{id}
 * Update: PATCH https://example.com/{v}/{resource}/{id}
 * Search: GET
   https://example.com/{v}/{resource}?filter={attribute}{op}{value}&sortBy={attributeName}&sortOrder={ascending|descending}
 * Bulk: POST https://example.com/{v}/Bulk

DISCOVERY

To simplify interoperability, SCIM provides three end points to discover
supported features and specific attribute details:

 * GET /ServiceProviderConfig
   
   Specification compliance, authentication schemes, data models.

 * GET /ResourceTypes
   
   An endpoint used to discover the types of resources available.

 * GET /Schemas
   
   Introspect resources and attribute extensions.

CREATE REQUEST

To create a resource, send an HTTP POST request to the resource's respective end
point. In the example below we see the creation of a User.

As can be seen in this and later examples the URL contains a version number so
that different versions of the SCIM API can co-exist. Available versions can be
dynamically discovered via the ServiceProviderConfig end point.

POST /v2/Users  HTTP/1.1
Accept: application/json
Authorization: Bearer h480djs93hd8
Host: example.com
Content-Length: ...
Content-Type: application/json

{
  "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
  "externalId":"dschrute",
  "userName":"dschrute",
  "name":{
    "familyName":"Schrute",
    "givenName":"Dwight"
  }
}


CREATE RESPONSE

A response contains the created Resource and HTTP code 201 to indicate that the
Resource has been created successfully. Note that the returned user contains
more data than was posted, id and meta data have been added by the service
provider to make a complete User resource. A location header indicates where the
resource can be fetched in subsequent requests.

HTTP/1.1 201 Created
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"e180ee84f0671b1"

{
  "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id":"2819c223-7f76-453a-919d-413861904646",
  "externalId":"dschrute",
  "meta":{
    "resourceType":"User",
    "created":"2011-08-01T21:32:44.882Z",
    "lastModified":"2011-08-01T21:32:44.882Z",
    "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
    "version":"W\/\"e180ee84f0671b1\""
  },
  "name":{
    "familyName":"Schrute",
    "givenName":"Dwight"
  },
  "userName":"dschrute"
}


GET REQUEST

Fetching resources is done by sending HTTP GET requests to the desired Resource
end point, as in this example.

GET /v2/Users/2819c223-7f76-453a-919d-413861904646 HTTP/1.1
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8


GET RESPONSE

The response to a GET contains the Resource. The Etag header can, in subsequent
requests, be used to prevent concurrent modifications of Resources.

HTTP/1.1 200 OK HTTP/1.1
Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"f250dd84f0671c3"

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id":"2819c223-7f76-453a-919d-413861904646",
  "externalId":"dschrute",
  "meta":{
    "resourceType": "User",
    "created":"2011-08-01T18:29:49.793Z",
    "lastModified":"2011-08-01T18:29:49.793Z",
    "location":"https://example.com/v2/Users/2819c223...",
    "version":"W\/\"f250dd84f0671c3\""
  },
  "name":{
    "formatted": "Mr. Dwight K Schrute, III",
    "familyName": "Schrute",
    "givenName": "Dwight",
    "middleName": "Kurt",
    "honorificPrefix": "Mr.",
    "honorificSuffix": "III"
  },
  "userName":"dschrute",
  "phoneNumbers":[
    {
      "value":"555-555-8377",
      "type":"work"
    }
  ],
  "emails":[
    {
      "value":"dschrute@example.com",
      "type":"work",
      "primary": true
    }
  ]
}


FILTER REQUEST

In addition to getting single Resources it is possible to fetch sets of
Resources by querying the Resource end point without the id of a specific
Resource. Typically, a fetch request will include a filter to be applied to the
Resources. SCIM has support for the filter operations equals, contains, starts
with, and more. In addition to filtering the response it is also possible to ask
the service provider to sort the Resources in the response.

In addition to filtering the response it is also possible to ask the service
provider to sort the Resources in the response, return specific attributes of
the resources, and return only a subset of the resources.

 * https://example.com/{resource}?filter={attribute} {op} {value} &
   sortBy={attributeName}&sortOrder={ascending|descending}&attributes={attributes}
 * https://example.com/Users?filter=title pr and userType eq
   “Employee”&sortBy=title&sortOrder=ascending&attributes=title,username

FILTER RESPONSE

The response to a GET request is a list of matching resources:

{
  "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults":2,
  "Resources":[
    {
      "id":"c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
      "title":"Assistant VP",
      "userName":"dschrute"
    },
    {
      "id":"a4a25dd3-17a0-4dac-a2ac-ce211e125f57",
      "title":"VP",
      "userName":"jsmith"
    }
  ]
}



SPECIFICATION

SCIM 2.0

SCIM 2.0 is released as RFC7642, RFC7643 and RFC7644 under IETF in September
2015.

 * RFC7643 - SCIM: Core Schema
   
   The Core Schema provides a platform-neutral schema and extension model for
   representing users and groups.

 * RFC7644 - SCIM: Protocol
   
   The SCIM Protocol is an application-level, REST protocol for provisioning and
   managing identity data on the web.

 * RFC7642 - SCIM: Definitions, Overview, Concepts, and Requirements
   
   This document lists the user scenarios and use cases of System for
   Cross-domain Identity Management (SCIM).

Related documents and extensions.

 * draft-ansari-scim-soft-delete
   
   This document specifies a profile that handles soft delete of Users on SCIM
   Service Providers.

 * draft-hunt-scim-notify
   
   In a SCIM environment, changes to resources may be requested by multiple
   parties. As time goes by an interested subscriber may wish to be informed
   about resource state changes that are occurring at the SCIM service provider.
   This specification defines a hub notification service that can be used to
   publish and distribute events to interested registered subscribers.

 * draft-hunt-scim-password-mgmt
   
   This specification defines a set of password and account status extensions
   for managing passwords and password usage (e.g. failures) and other related
   session data. The specification defines new ResourceTypes that enable
   management of passwords and account recovery functions.

 * draft-wahl-scim-jit-profile
   
   This document specifies a profile of the System for Cross-Domain Identity
   Management Protocol (SCIM). Servers which implement protocols such as SAML or
   OpenID Connect receive user identities through those protocols and often
   cache them, and this profile of SCIM defines how an identity provider can
   notify a SCIM server of changes to user accounts.

 * SCIM and vCard mapping
   
   This document defines a mapping between SCIM and vCard.

 * draft-grizzle-scim-pam-ext
   
   This document contains a SCIM 2.0 extension for Privileged Access Management,
   which includes extensions to the core User and Group objects, and new
   resource types and schemas for standard Privileged Access Management
   constructs. This extension is intended to provide greater interoperability
   between PAM software and clients, a common language for PAM concepts, and a
   baseline that can be further extended to support more complex PAM
   requirements.

SCIM 1.1

Second official release of the SCIM specification, released in July 2012.
Compatible with 1.0 and contains cleanups and clarifications on issues found
during interop testing.

 * Core Schema
   
   The Core Schema provides a platform-neutral schema and extension model for
   representing users and groups in JSON and XML formats.

 * REST API
   
   The SCIM Protocol is an application-level, REST protocol for provisioning and
   managing identity data on the web.

SCIM 1.0 - DEPRECATED

First official release of the SCIM specification, released in December 2011.

 * Scenarios Doc - draft 4
   
   The senario document was created to guide the development of the
   specification and is not normative.

 * Core Schema
   
   The Core Schema provides a platform-neutral schema and extension model for
   representing users and groups in JSON and XML formats.

 * REST API
   
   The SCIM Protocol is an application-level, REST protocol for provisioning and
   managing identity data on the web.

 * SAML 2.0 Binding - draft 1
   
   Defines a binding of SCIM schema to SAML messages and assertions.

RESOURCES

LOGO

 * Logos in EPS format

 * PNG 48x16px (Black and white)
 * PNG 48x16px (White)
 * PNG 68x24px (Boxed black and white)
 * PNG 72x24px (Black and white)
 * PNG 792x270px (Black and white)

 * GIF 48x16px (Black and white)
 * GIF 48x16px (White)
 * GIF 68x24px (Boxed black and white)
 * GIF 72x24px (Black and white)

 * JPG 792x270px (Black and white)

SCIM 2.0 IMPLEMENTATIONS

Know of an implementation that should be listed?

Submit a pull request to the github repository or send an email with information
about name, type, license, developer, URL and if it's a SCIM 1.1 or SCIM 2.0
implementation.

Project Name Client Server Open Source Developer Link Vector Flow No Yes No
Vector Flow details Anaplan SCIM API No Yes No Anaplan, Inc. details AWS SSO No
Yes No Amazon Web Services details Axiad Cloud No Yes No Axiad details ConnId
Yes No Yes, Apache2.0 Tirasa details i2scim Yes Yes Yes, Apache 2.0 License
Independent Identity Inc details IAM Adapta Yes No No Adapta details Azure
Active Directory SCIM Provisioning Yes Yes No Microsoft details AuthX Yes No
Yes, MIT License The Control Group details Centrify Privileged Access Security
No Yes No Centrify Corporation details Idaptive Yes Yes No Idaptive details
Curity Identity Server Yes Yes No Curity details CzechIdM SCIM module No Yes
Yes, MIT License BCV solutions details django_scim No Yes Yes, MIT License
Atlassian details django-scim2 No Yes Yes, MIT License Paul Logston @ 15Five
details eSCIMo Yes Yes Yes, ASL 2.0 Apache Software Foundation details Federated
Directory No Yes No Fed Blokes details GARANCY Identity Manager Yes No No Beta
Systems IAM Software details GitHub Business SAML SSO with SCIM Provisioning No
Yes No GitHub, Inc details Gluu Yes Yes Yes, MIT License Gluu.org details GoSCIM
No Yes (openended building blocks + an example server implementation) Yes, MIT
License Weinan Qiu details hscim No Yes Yes, AGPL License Wire Swiss GmbH
details Identity Broker No Yes No UNIFY Solutions details JumpCloud Yes Yes No
JumpCloud details Microsoft Identity Manager (MIM) - SCIMv2 Management Agent Yes
No No Traxion details Monokee No Yes No Monokee details SCIM Gateway No Yes No
Traxion details Okta Provisioning Yes No No Okta details Omada Identity Suite
Yes No No Omada details One Identity - Identity Manager Yes No No One Identity
details OneLogin Provisioning Yes No No OneLogin details The OptimalCloud Yes
Yes No Optimal IdM details Oracle Identity Cloud Service Yes Yes No Oracle
details Oracle Identity Manager No Yes No Oracle details Outreach SCIM API No
Yes No Outreach, Inc. details Owin.Scim No Yes Yes, MIT License PowerDMS details
Peakon No Yes No Peakon details PhenixID Identity Provisioning Yes Yes No
PhenixID details PingDataGovernance (formerly UnboundID Data Broker) No Yes No
Ping Identity details RadiantOne FID Yes Yes No Radiant Logic details SailPoint
IdentityIQ Yes Yes No SailPoint details SailPoint IdentityNow Yes No No
SailPoint details Salesforce No Yes No Salesforce details scim No Yes Yes, MIT
License Elimity details scimterface No Yes Yes, MIT License Will-Low details
SimpleIdentityServer Yes Yes Yes Habart Thierry details SOFFID IAM Yes Yes Yes
www.soffid.com details Syncope Yes Yes Yes, ASL 2.0 Apache Software Foundation
details Trello No Yes No Trello details UnboundID SCIM 2 SDK for Java Yes Yes
Yes. GPL, LGPL, or UnboundID Free License. Ping Identity (acquirer of UnboundID)
details WSO2 Charon Yes Yes Apache 2.0 License WSO2 Inc details Reward Gateway
No Yes No Reward Gateway details CircleHD No Yes No CircleHD Inc. details
personify scim server No Yes Yes MIT License personify.be details Aquera SCIM
Gateway Yes Yes No Aquera details SCIM-SDK Yes Yes Yes, BSD-3-Clause Pascal
Knüppel details idaas.nl Yes Yes Yes, MIT License Arie Timmerman details
scim-patch No Yes Yes, Unlicense Thomas Poignant details Eletive No Yes No
Eletive details CrossID No Yes No CrossID details Symantec Directory No Yes No
Broadcom details NetIQ Identity Manager Yes No No Micro Focus details Blink No
Yes No Blink details Gong No Yes No Gong details ideiio Yes Yes No ideiio
details AlexisHR Provisioning Yes Yes No AlexisHR AB details FusionAuth SCIM No
Yes No FusionAuth details Calendly No Yes No Calendly details Saviynt Yes No No
Saviynt details Slack SCIM No Yes No Slack Technologies details

SCIM 1.1 IMPLEMENTATIONS

Know of an implementation that should be listed?

Submit a pull request to the github repository or send an email with information
about name, type, license, developer, URL and if it's a SCIM 1.1 or SCIM 2.0
implementation.

Project Name Client Server Open Source Developer Link CA Directory No Yes No
CATechnologies details CA Identity Manager Yes No No CATechnologies details
Cisco No Yes No Cisco details Cloud Foundry UAA No Yes Yes, Apache2.0 Pivotal
details ConnId Yes No Yes, Apache2.0 Tirasa details ConnId/Polygon Yes No
Yes,Apache2.0 Evolveum details Curity Identity Server Yes No No Curity details
ForgeRock Identity Management(IDM) Yes No Partial(delayed release), MIT, et.al
ForgeRock details GARANCY Identity Manager Yes No No BetaSystemsIAMSoftware
details Gluu Yes Yes Yes, MITLicense Gluu.org details Grouper Yes No Yes,
Apache2.2 Internet2 details IBM Security Directory Integrator Yes Yes No IBM
details IngydotNet No Yes Yes, MIT IngydötNet details JumpCloud Yes No No
JumpCloud details Kudos No Yes No KudosInc. details McAfee Provisioning Service
Yes No No McAfee details neXus Hybrid Access Manager Yes No No neXus details
Okta Provisioning Yes No No Okta details One Login Provisioning Yes No No
OneLogin details Open SCIM Yes Yes Yes, GPLV3 Google Code details PhenixID User
Provisioning Module Yes No No PhenixID details Ping DataSync (formerly UnboundID
SyncServer) Yes No No PingIdentity(acquirerofUnboundID) details Ping Directory
(formerly UnboundIDDataStore) No Yes No PingIdentity (acquirer of UnboundID)
details PingFederate Yes Yes No PingIdentity details PingOne Yes Yes No
PingIdentity details python-scim No No Yes,MITLicense ConcordusApplications
details Radiant One VDS Yes Yes No RadiantLogic details SailPoint Identity IQ
Yes No No SailPoint details SailPoint Identity Now Yes No No SailPoint details
Salesforce No Yes No Salesforce details SCIMEasy No Yes Yes,Apache-2.0
EugeneZhukov details SCIMProxy Yes Yes Yes,MITLicense neXus details Slack No Yes
No SlackTechnologies details Switch Identity Governance Yes Yes No
SwitchIdentityGovernanceLtd details UnboundID SCIM1.1 SDK for Java Yes Yes Yes,
GPL, LGPL, orUnboundIDFreeLicense. PingIdentity(acquirerofUnboundID) details
VMware Identity Manager Yes Yes No VMWare details WSO2Charon Yes Yes Yes, Apache
2.0 License WSO2Inc details ideiio Yes Yes No ideiio details