[midPoint] Blog: SCIM in 2020

Radovan Semancik radovan.semancik at evolveum.com
Thu Jun 25 14:58:13 CEST 2020 

Dear midPoint community,

System for Cross-domain Identity Management (SCIM) is a specification 
for universal identity provisioning interface. Universal interfaces are, 
generally speaking, a good idea. However, I am quite skeptical about 
SCIM. Identity management interfaces may seem to be dead simple, yet 
they are notoriously hard to get right. Did SCIM get it right?

Identity management is all about creating accounts, isn’t it? All we 
need is to agree whether the right name for the attribute is username or 
login. Mix in some schema extension capabilities, wrap it all in a nice 
REST API and we are done. How hard can that be?

Turns out it is /much/ harder than it seems. It is “we cannot get this 
right for almost 20 years” hard. The reasons for this are subtle and 
counter-intuitive. This is far beyond what can fit into a blog post. 
Therefore I have written it down in a longer article:

SCIM Troubles 
<https://docs.evolveum.com/midpoint/devel/design/scim-troubles/> at 
https://docs.evolveum.com/midpoint/devel/design/scim-troubles/.

I have been in identity management since early 2000s. I have seen DSML, 
SPML1 and SPML2 that reinvented the LDAP wheel in XML. I have seen SCIM1 
that reinvented the SPML wheel in JSON. Now we have SCIM2 and there are 
talks about SCIM3. I would like to say that now I have seen everything. 
But I’m quite sure that I haven’t. SCIM hype is rising and I’m afraid 
that there is more to come. However, there is still a chance that I’m 
wrong about SCIM. There is a chance that my past experiences influenced 
my judgement about current developments. If that is the case then please 
let me know where I’m wrong. I will try to re-consider my position.

Coincidentally, the moment as I was writing the SCIM article, I received 
news that there may be a contribution of SCIM gateway for midPoint quite 
soon. Even though I’m not exactly over-excited about SCIM, I’m quite 
happy about such contribution. I will let you know when it is published. 
This is going to be a very interesting experiment. We will see how SCIM 
really works with midPoint. Because it is engineering reality that 
matters, not some talks or blog posts. If there is enough interest in 
that SCIM gateway, we will even consider adopting it as midPoint core 
component. Let the community decide!

(Reposted from Evolveum blog <https://evolveum.com/scim-in-2020/>)

-- 
Radovan Semancik
Software Architect
evolveum.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200625/fdc403f7/attachment.htm>

More information about the midPoint mailing list