[HN Gopher] SCIM: System for Cross-Domain Identity Management
       ___________________________________________________________________
        
       SCIM: System for Cross-Domain Identity Management
        
       Author : stefankuehnel
       Score  : 19 points
       Date   : 2024-11-09 22:15 UTC (46 minutes ago)
        
 (HTM) web link (scim.cloud)
 (TXT) w3m dump (scim.cloud)
        
       | tptacek wrote:
       | Most people in the SAAS space know SCIM as the protocol that
       | automatically enrolls new employees at customers into your
       | product.
        
       | anthk wrote:
        | SCIM is another acronym which means something else; in the case
        | of Unix desktops, an input method.
        
       | DaiPlusPlus wrote:
       | > SCIM 2.0 is built on a object model where a Resource is the
       | common denominator and all SCIM objects are derived from it. It
       | has id, externalId and meta as attribute and RFC7643 defines
       | User, Group and EnterpriseUser that extends the common
       | attributes.
       | 
       | Hang on... zoom and enhance!
       | 
       | > It has id, externalId and meta as attribute
       | 
        | Uhhh, so a SCIM object can only have 1 `externalId` value?
       | 
       | ...that's a deal-killer right there because Federated Identity
       | schemes will need to handle users that have multiple external
       | identity references (e.g. think how StackOverflow lets the same
        | SO User log in using Google, GitHub, even Facebook (in 2024?!) -
       | how is that meant to be represented by SCIM?
       | 
       | (I'll confess that I've only skimmed the SCIM docs; if I'm
       | mistaken then I look forward to being told I'm wrong because it
       | means I can learn something new today).
        
       | lll-o-lll wrote:
       | SCIM is great, if your expectations are sufficiently low. Mostly
       | for the fact that it's a de-facto industry standard. Have a large
       | stable of software products that your employees use? SCIM lets
       | you provision and, importantly, de-provision users and assign
       | them "groups" (roles) from your centralized Identity Management
        | system. Most IdPs and software will support SCIM, so it's just
       | wiring things up.
       | 
       | The biggest oversight when SCIM was designed was the expectation
       | of an inbound connection from the provisioning software (e.g.
       | Azure) to the SAAS or similar. This means that in hybrid
       | environments (e.g. most large enterprises), you are having to
        | whitelist umpteen different IP ranges from the Cloud Provider.
        | Some IdPs have solved this with a local agent you install on-
        | premise to reverse the connection, but Azure is not one of these.
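The two threads above touch the same mechanics from different sides: DaiPlusPlus on the Resource model (every SCIM object carries `id`, `externalId` and `meta`; in RFC 7643 `externalId` is in fact a single string, the IdP's identifier, distinct from the `id` the service provider assigns), and lll-o-lll on what the protocol is actually used for (provisioning and, above all, de-provisioning) plus the fact that the IdP connects inbound, so the SCIM endpoint has to authenticate every call itself. The following is an added example written for this thread, not code from scim.cloud, any IdP, or any commenter: a minimal in-memory SCIM service-provider core in Python. The class, method names, token scheme and sample values are constructed; the schema URNs and the POST/PATCH/DELETE semantics are from RFC 7643/7644.

```python
"""Minimal SCIM 2.0 service-provider core: an added example for this thread, not
code from scim.cloud or any IdP. It models the Resource shape from RFC 7643 (id,
externalId, meta on a User) and the calls an IdP drives per RFC 7644: POST /Users,
PATCH active=false, DELETE /Users/{id}. Store, token check and names are constructed."""
import hmac
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimError(Exception):
    def __init__(self, status, detail, scim_type=None):
        super().__init__(detail)
        self.status, self.scim_type = status, scim_type  # HTTP status + RFC 7644 scimType


def _as_bool(value):
    """Accept JSON true/false or the strings "true"/"false", nothing else:
    bool("False") is True in Python and would silently re-enable a user."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ScimError(400, f"not a boolean: {value!r}", "invalidValue")


class ScimServer:
    def __init__(self, bearer_token):
        self._token = bearer_token
        self.users = {}  # id -> User resource

    def _authorize(self, headers):
        # The IdP connects inbound, so the endpoint must authenticate every
        # request itself; compare the shared token in constant time.
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not hmac.compare_digest(token, self._token):
            raise ScimError(401, "invalid or missing bearer token")

    def _get(self, rid):
        if rid not in self.users:
            raise ScimError(404, f"Resource {rid} not found")
        return self.users[rid]

    def _find(self, user_name):
        return next((u for u in self.users.values()
                     if u["userName"].casefold() == user_name.casefold()), None)

    def create_user(self, headers, payload):
        """POST /Users (provisioning): userName is required and unique."""
        self._authorize(headers)
        if USER_SCHEMA not in payload.get("schemas", []):
            raise ScimError(400, "User schema missing", "invalidValue")
        user_name = payload.get("userName")
        if not user_name:
            raise ScimError(400, "userName is required", "invalidValue")
        if self._find(user_name):
            raise ScimError(409, "userName already exists", "uniqueness")
        rid, now = str(uuid.uuid4()), datetime.now(timezone.utc).isoformat()
        resource = {  # rid is our id; externalId stays the IdP's identifier
            "schemas": [USER_SCHEMA],
            "id": rid,
            "externalId": payload.get("externalId"),  # one string attribute
            "userName": user_name,
            "active": _as_bool(payload.get("active", True)),
            "meta": {"resourceType": "User", "created": now,
                     "lastModified": now, "location": f"/Users/{rid}"},
        }
        self.users[rid] = resource
        return 201, resource

    def patch_user(self, headers, rid, payload):
        """PATCH /Users/{id}: de-provisioning normally arrives as replace active=false."""
        self._authorize(headers)
        user = self._get(rid)
        if PATCH_SCHEMA not in payload.get("schemas", []):
            raise ScimError(400, "PatchOp schema missing", "invalidValue")
        for op in payload.get("Operations", []):
            if str(op.get("op", "")).lower() != "replace":
                raise ScimError(400, f"unsupported op {op.get('op')!r}", "invalidValue")
            if op.get("path") != "active":
                raise ScimError(400, f"unsupported path {op.get('path')!r}", "invalidPath")
            user["active"] = _as_bool(op.get("value"))
        user["meta"]["lastModified"] = datetime.now(timezone.utc).isoformat()
        return 200, user

    def delete_user(self, headers, rid):
        """DELETE /Users/{id}: hard de-provisioning."""
        self._authorize(headers)
        del self.users[self._get(rid)["id"]]
        return 204, None

    def login_allowed(self, user_name):
        """The product's own sign-in path must consult this: a de-provisioned
        or deleted account gets no access even with valid credentials."""
        user = self._find(user_name)
        return bool(user and user["active"])
```

The point worth taking from it is `login_allowed`: SCIM only moves the `active` flag and deletes records; the product's authentication path has to honour that state, otherwise de-provisioning (the part lll-o-lll singles out as important) is cosmetic. The strict `_as_bool` exists because a boolean that arrives as a string is a common interoperability wrinkle, and treating `"False"` as truthy would reactivate the very account being disabled.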
        
       ___________________________________________________________________
       (page generated 2024-11-09 23:01 UTC)