SCIM: Standards Are Taking Hold In The Cloud

While software-as-a-service (SaaS) and cloud applications were designed to provide simple on-demand computing for today’s business needs, this new era of computing has opened up several identity management issues. Many enterprises and service providers are struggling with how to on-board and off-board users rapidly, accurately, and consistently.

To address this need, a new standard is being developed to create a uniform identity management interface for SaaS and cloud applications called Simple Cloud Identity Management (SCIM). Its intent is to reduce the cost and complexity of managing users in and out of SaaS applications by eliminating the need for separate and proprietary interfaces to each individual application. A cross-industry team designed this specification with an emphasis on simplicity, while supporting existing authentication, authorisation, and privacy models.

Development of the SCIM specification is moving forward rapidly, which is a clear indication of the industry demand for a simple solution for identity management interoperability. The SCIM working group, which includes my company, SailPoint, along with Cisco, Ping, Salesforce.com, Technology Nexus, and UnboundID, among other participants, unanimously approved the SCIM 1.0 specification in December 2011 (just six months after the group was formed).

In March 2012, the SCIM working group conducted additional interoperability testing of the specification at the IETF’s 83rd Meeting in Paris. The event brought together current working integrations of SCIM 1.0 and tested the level of interoperability between each participant’s products. The results of the testing will be used for the continued development of the technology and the SCIM specification. In fact, the participating companies aim to formalize a working group within IETF under which SCIM 2.0 will be developed and ratified.

SCIM represents a major advancement for identity management in the cloud. Some of you may be familiar with an earlier XML-based framework for exchanging user, resource and service provisioning information between cooperating organisations called the Service Provisioning Markup Language (SPML). SPML did not achieve widespread industry adoption because it failed to deliver in the key areas of simplicity, industry support and true customer demand.

SCIM directly addresses these issues in order to improve manageability and governance for SaaS and cloud-based applications. As a contributor to both the SPML and SCIM working groups and to the development of the two specifications, I wanted to share my thoughts on why SCIM is good for the enterprise, cloud services providers, identity management vendors, and the industry as a whole.

Keeping It Simple

SPML turned out to be far from simple. The effort was well-intentioned by everyone involved, but ultimately, the resulting spec was too large and complex, and created as many problems for customers as it solved. At the end of the day, SPML was a complete operating model for provisioning and as such came with a lot of baggage and a lot of complex use cases. In contrast, SCIM focuses on the core tasks of account management and leaves out a lot of the “provisioning platform” extras.

This simplifies things for the resource owners (e.g., the SaaS providers) and everyone else concerned with integrating with them. SCIM clearly and simply addresses the account creation, management and deletion "interface" using a fully RESTful web services approach: each user account is a resource with its own URL, and the HTTP verbs map directly onto create, read, update and delete. This takes the simpler, more direct use cases and implements them using a "resource centric" approach that is both easier to implement and call in code, and easier to read and understand in the specification.
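To make the resource-centric account lifecycle concrete, here is an added example (my own illustration for this article, not code from the SCIM specification or from SailPoint or any other working-group member). It models both sides of the interface: a toy in-memory service provider that answers POST/GET/PATCH/DELETE on a `/Users` resource, and an identity-management client that on-boards an account and then off-boards it with a read-back check. The schema URN, the error envelope, the status codes and the simplified PATCH merge are assumptions modelled on SCIM 1.0 as I recall it; check them against the specification version you actually target before relying on them.

```python
"""Toy SCIM-style user lifecycle: added illustration, not the spec or any vendor's code."""
import uuid
from datetime import datetime, timezone

# Assumed SCIM 1.0 core schema URN (illustrative; verify against the spec you target).
USER_SCHEMA = "urn:scim:schemas:core:1.0"


def _now():
    return datetime.now(timezone.utc).isoformat()


def _error(status, description):
    # Simplified error envelope; the real wire shape differs between SCIM 1.0 and 2.0.
    return {"Errors": [{"code": str(status), "description": description}]}


def _public(user):
    # password is write-only in SCIM: accepted on create/update, never returned on read.
    return {k: v for k, v in user.items() if k != "password"}


class ServiceProvider:
    """In-memory service provider (the SaaS side). Not a real SCIM server."""

    def __init__(self):
        self._users = {}

    def handle(self, method, path, body=None):
        """Dispatch one HTTP-style request; returns (status, response_body)."""
        parts = path.strip("/").split("/")
        if parts[0] != "Users" or len(parts) > 2:
            return 404, _error(404, "unknown resource")
        if len(parts) == 1:
            if method == "POST":
                return self._create(body or {})
            return 405, _error(405, "method not allowed")
        user = self._users.get(parts[1])
        if user is None:
            return 404, _error(404, "no such user")
        if method == "GET":
            return 200, _public(user)
        if method == "PATCH":
            # Simplified merge: top-level attributes in the body overwrite stored ones.
            for k, v in (body or {}).items():
                if k not in ("id", "meta", "schemas"):
                    user[k] = v
            user["meta"]["lastModified"] = _now()
            return 200, _public(user)
        if method == "DELETE":
            del self._users[parts[1]]
            return 200, None  # SCIM 1.0 answered 200 OK; 2.0 uses 204 No Content
        return 405, _error(405, "method not allowed")

    def _create(self, body):
        if body.get("schemas") != [USER_SCHEMA] or not body.get("userName"):
            return 400, _error(400, "schemas and userName are required")
        if any(u["userName"] == body["userName"] for u in self._users.values()):
            return 409, _error(409, "userName already exists")  # userName must be unique
        user = dict(body)
        user["id"] = str(uuid.uuid4())  # server-assigned, stable identifier
        user.setdefault("active", True)
        now = _now()
        user["meta"] = {"created": now, "lastModified": now,
                        "location": "/Users/" + user["id"]}
        self._users[user["id"]] = user
        return 201, _public(user)


def onboard(sp, external_id, user_name, given, family, email):
    """Identity-management side: create the account and return the provider's id."""
    status, resp = sp.handle("POST", "/Users", {
        "schemas": [USER_SCHEMA],
        "externalId": external_id,  # the enterprise's own identifier for the person
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "password": "constructed-initial-secret",  # constructed sample value only
    })
    if status != 201:
        raise RuntimeError("create failed: %s" % resp)
    return resp["id"]


def offboard(sp, user_id):
    """Disable first (reversible, keeps the record for audit), then delete, then verify."""
    status, resp = sp.handle("PATCH", "/Users/" + user_id, {"active": False})
    if status != 200 or resp["active"] is not False:
        raise RuntimeError("disable failed")
    status, _ = sp.handle("DELETE", "/Users/" + user_id)
    if status != 200:
        raise RuntimeError("delete failed")
    status, _ = sp.handle("GET", "/Users/" + user_id)
    return status == 404  # True only if the account is really gone


if __name__ == "__main__":
    provider = ServiceProvider()
    uid = onboard(provider, "emp-1042", "bjensen", "Barbara", "Jensen", "bjensen@example.com")
    print("created", uid, "->", provider.handle("GET", "/Users/" + uid))
    print("off-boarded and confirmed gone:", offboard(provider, uid))
```

Two points in this toy matter in a real integration. The client never trusts the status code alone for off-boarding: it reads the resource back and treats anything other than a 404 as a failed de-provisioning, which is exactly the check an access-governance process wants. And the provider returns the password on neither create nor read; a SCIM endpoint that echoes credentials back is a defect worth flagging during interoperability testing.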

App Vendor Support

Today’s cloud application vendors understand the importance of identity management, and they recognise the need to simplify and standardize how organisations provision to their cloud application services. Recognising the importance of solving these issues, companies like Salesforce.com, Google and Cisco have invested their time to help drive SCIM forward and build SCIM interfaces into their products.

Yes, SCIM is being jointly developed by leading identity management vendors and SaaS providers, but the core of the effort remains account centric and very focused on the SaaS application account management use cases. Our goal is to encourage widespread support by the SaaS vendor platforms (big and small).

Real Customer Demand

Despite the concerns around security and control, business adoption of the cloud is accelerating. And as more and more SaaS applications are deployed, it’s incumbent upon organisations to manage the identities they now own in the cloud.

These organisations aren't interested in adding more complexity to their identity management implementations, and are beginning to push both identity management and application vendors to provide a simple, standardised way of managing their SaaS accounts. This growing and real customer need has resulted in genuine customer push – a push for their SaaS vendors to support SCIM on the account side, and a push for their identity management vendors to make best use of it.

While SCIM won’t solve all of the identity management and governance issues for SaaS and cloud-based applications, it is a critical step towards doing so. SCIM can help provide the level of account management that will facilitate increased governance and compliance for mission-critical cloud-based applications. As is typical with all industry standards, it will take some time to finalise the SCIM specification, but it is moving faster than most other industry standards I have seen in the past.

The good news for the industry is that technology vendors and service providers agree on the need for the approach and the key players are already involved to help make it a reality. As more end-user organisations demand that service providers help address the identity management challenges for their SaaS applications using SCIM, the process will only accelerate.

Darran Rolls directs the continued development and communication of SailPoint's technology strategy and vision. Before joining SailPoint, Darran worked in the CTO's office at Sun Microsystems and led strategic technology and industry standards initiatives at Waveset Technologies. A respected contributor to several international XML standards initiatives, he served as Chair of the OASIS Provisioning Services Technical Committee. In that capacity, he led a two-year industry effort to develop the Service Provisioning Markup Language (SPML) Specification. Prior to Waveset, Darran served in senior technical leadership positions at enterprise software companies including IBM/Tivoli Systems, PointOne Telecommunications and DBMX.