Yesterday I talked about the state of identity standards with regards to authentication and authorization. Today I’ll cover attributes, user provisioning, and where we ought to go as an industry.
Attributes
The wheel of attributes is roundish. There are two parts to the attribute story: access and representation. We can access attributes… sorta. There’s no clear winner that is optimized for the modern web. We’ve got graph APIs, ADAP, and UserInfo Endpoints – not to mention proprietary APIs as well. Notice I added the constraint of “optimized for the modern web.” If remove that constraint, then we could say that access to attributes is a fully solved problem: LDAP. But we are going to need a protocol that enables workers in the modern web to access attributes… and LDAP ain’t it.
As for a standardized representation, we have one. Name-value pairs. In fact, name-value pairs might be the new comma. And although NVP are ubiquitous, we don’t have a standard schema. What is the inetOrgPerson of a new generation? There is no inetOrgPerson for millennial developers to use. But does that even matter? We could take SCIM’s schema and decree it to be the standard. But we all know, that each of us would extend the hell out of it. Yes we started with a standard schema, but every service provider’s schema is nearly unique.
User Provisioning
User provisioning is nearly round. Let’s face it the wheel that SPML v2 built was not round. The example that the standard provided wasn’t even valid XML – not an auspicious start. In fact, SPML was a step away from roundness when we think about DSML v2. DSML v2 was a round wheel. It wouldn’t be very useful to day but it would roll.
So what about SCIM? I’m bullish on it. Some really smart people worked on it, including my boss. We (saleforce.com) are supporting it. Others such as Cisco, Oracle, SailPoint, Technology Nexus, and others are supporting. We hope you support it too. In fact, hopefully, at the end of this week it might just get a final version of the 2.0 draft at the IETF meeting in Toronto. SCIM definitely needs more miles on the road, but I believe that the use cases that have been used to form SCIM are fairly representative of a majority of use cases we have. It can’t do everything but better believe it can do something.
And this narrow focus is important as we think about the work we must do. As we as an industry shift from just dealing with employee identities to those of customers, citizens, and things, there is shift from heavy rich user provisioning to lighter weight registration and profile management. SCIM is just as applicable in an employee identity scenario as it is in a customer identity scenario. And thus is well positioned to make the transition. Continue reading Do we have a round wheel yet? Part 2 of my musings on identity standards