SCIM 2.0 – The Eagle has Landed

Almost exactly six years ago a group of Identerati convened to bemoan the sad state of affairs in identity management. At that point the table had already been set for standards around authentication and authorization. SAML had been around for years, OAuth 2.0 was seeing widespread adoption, and OpenID Connect was the great new hope to free us from the chains of XML and make authentication on clients (especially mobile) much smoother. There was still a huge gap in the identity equation, though: how do I manage users and their access? How do I create new accounts for users who join my organization? How do I manage what those users can access within an application? And, importantly, how do I shut off a user's access with the flip of a switch (think termination of a disgruntled employee)?

The state of the art at the time was that everyone with an application that had to deal with identities (which is pretty much everyone) rolled their own custom API. XML, SOAP, RPC, JSON, firstName vs. first_name ... all bets were off about how this special little snowflake of an API worked. The only thing you could count on while integrating with a new application was that it would look nothing like the one you had integrated with the week before.

From these auspicious beginnings SCIM was born, and I have spent the last six years working with some really smart folks to help bring this dream to fruition. In September of last year, three RFCs (RFC 7642, 7643 and 7644: concepts, core schema and protocol) were published that answer the question "how do you SCIM?" (Yes, I just verbed "SCIM".) As with anything new, it has taken time for people to catch on and start innovating with this new technology, but the momentum is now building.

That brings us to today. At the Cloud Identity Summit in New Orleans, SailPoint is participating in the first-ever SCIM 2.0 interop event, putting our SCIM 2.0 server and SCIM 2.0 client to the test. The initial results are extremely encouraging! SailPoint is joined in the interop by other serious players, including Google and Salesforce. Many more vendors were unable to join the interop fun this time around but are committed to SCIM as their identity management API, Facebook, Microsoft, Oracle and Cisco among them.

We are finally at the point where a true identity platform is no longer a dream. You can authenticate, authorize and manage identities in a consistent way. The effects will be huge. The cost of integrating new services into your infrastructure will go down dramatically; integration will be not only fast but cheap. Decide that you need to switch vendors for your ERP system? No problem. Communication with that system is abstracted through SCIM, so you can point at the new ERP and be up and running in short order. What about the data you had in the old ERP system? If both systems speak SCIM, you can connect the two for a simple migration: the core User and Group resources carry over as-is, and only vendor-specific schema extensions need any mapping.
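What the questions at the top of this post and the vendor-swap scenario look like on the wire, as an added example (not code from this post or from SailPoint): a minimal in-memory SCIM 2.0 /Users endpoint with the RFC 7644 behaviour a provisioning client depends on (bearer-token check, uniqueness conflict, ETag-guarded PATCH, SCIM error bodies), followed by the client calls that create a user, change an attribute, copy active users into a second SCIM system, and then flip the switch and delete the account. The base URL, the static bearer token, the user attributes and the HR identifier are constructed for illustration; the schema URNs and status codes are the ones the SCIM RFCs define.

```python
# Constructed example, not code from the post or from SailPoint: an in-memory SCIM 2.0
# /Users endpoint with the RFC 7644 behaviour provisioning depends on, plus the client
# calls for joiner, mover, leaver and a migration between two SCIM-speaking systems.
import json
import uuid
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
BASE_URL = "https://idp.example.com/scim/v2"  # assumption, not a real endpoint
TOKEN = "example-bearer-token"                 # assumption; use a real OAuth-issued token


def _error(status, detail, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    return status, (dict(body, scimType=scim_type) if scim_type else body)


class ScimServer:
    def __init__(self):
        self.users = {}  # id -> SCIM User resource

    def handle(self, method, url, headers, body=None):
        if headers.get("Authorization") != f"Bearer {TOKEN}":
            return _error(401, "missing or invalid bearer token")  # never provision anonymously
        parsed = urlparse(url)
        parts = parsed.path.rstrip("/").split("/")
        if parts[-1] == "Users":  # collection: POST creates, GET searches
            return self._create(body) if method == "POST" else self._search(
                parse_qs(parsed.query).get("filter", [None])[0])
        uid = parts[-1] if len(parts) > 1 and parts[-2] == "Users" else None
        if uid not in self.users:
            return _error(404, "resource not found")
        if method == "PATCH":
            return self._patch(uid, headers, body)
        if method == "DELETE":
            del self.users[uid]
            return 204, None
        return 200, self.users[uid]  # GET by id

    def _create(self, body):
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return _error(400, "schemas and userName are required", "invalidValue")
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return _error(409, "userName already exists", "uniqueness")
        uid, now = str(uuid.uuid4()), datetime.now(timezone.utc).isoformat()
        self.users[uid] = dict(body, id=uid, meta={"resourceType": "User", "created": now,
            "lastModified": now, "version": 'W/"1"', "location": f"{BASE_URL}/Users/{uid}"})
        return 201, self.users[uid]

    def _search(self, filt):
        hits = list(self.users.values())
        if filt:  # only the `attr eq value` filter form is parsed in this example
            attr, _eq, value = filt.split(" ", 2)
            hits = [u for u in hits if u.get(attr) == json.loads(value)]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def _patch(self, uid, headers, body):
        user = self.users[uid]
        if PATCH_SCHEMA not in body.get("schemas", []):
            return _error(400, "PatchOp schema required", "invalidSyntax")
        if "If-Match" in headers and headers["If-Match"] != user["meta"]["version"]:
            return _error(412, "stale version: re-read and retry")  # prevents lost updates
        for op in body.get("Operations", []):
            kind = op["op"].lower()
            if kind in ("add", "replace"):  # path form or whole-value form
                user.update({op["path"]: op["value"]} if "path" in op else op["value"])
            elif kind == "remove":
                user.pop(op["path"], None)
            else:
                return _error(400, f"unsupported op {op['op']}", "invalidValue")
        user["meta"]["version"] = 'W/"%d"' % (int(user["meta"]["version"][3:-1]) + 1)
        user["meta"]["lastModified"] = datetime.now(timezone.utc).isoformat()
        return 200, user


def lifecycle_demo():
    old_erp, new_erp = ScimServer(), ScimServer()  # two systems that both speak SCIM
    auth, users_url = {"Authorization": f"Bearer {TOKEN}"}, f"{BASE_URL}/Users"
    joiner = {"schemas": [USER_SCHEMA], "userName": "jdoe@example.com", "externalId": "HR-10042", "active": True}
    created, user = old_erp.handle("POST", users_url, auth, joiner)
    user_url, version = f"{users_url}/{user['id']}", user["meta"]["version"]
    dup, _ = old_erp.handle("POST", users_url, auth, joiner)  # 409, scimType uniqueness
    anon, _ = old_erp.handle("GET", user_url, {})             # 401, no token
    mover = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "add", "path": "title", "value": "Manager"}]}
    moved, _ = old_erp.handle("PATCH", user_url, {**auth, "If-Match": version}, mover)
    stale, _ = old_erp.handle("PATCH", user_url, {**auth, "If-Match": version}, mover)  # 412, ETag moved on
    # Migration: the resources read from one system are the payloads posted to the other.
    _, listing = old_erp.handle("GET", f"{users_url}?filter=active eq true", auth)
    for u in listing["Resources"]:
        new_erp.handle("POST", users_url, auth, {k: v for k, v in u.items() if k not in ("id", "meta")})
    # Leaver: flip the switch first (reversible), then remove the account.
    leaver = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "value": {"active": False}}]}
    _, offboarded = old_erp.handle("PATCH", user_url, auth, leaver)
    deleted, _ = old_erp.handle("DELETE", user_url, auth)
    after, _ = old_erp.handle("GET", user_url, auth)  # 404
    _, migrated = new_erp.handle("GET", f'{users_url}?filter=externalId eq "HR-10042"', auth)
    return {"created": created, "duplicate": dup, "unauthenticated": anon, "moved": moved, "stale": stale,
            "still_active": offboarded["active"], "deleted": deleted, "after_delete": after,
            "migrated": migrated["totalResults"]}
```

`lifecycle_demo()` returns the status code of each step (201, 409, 401, 200, 412, 204, 404) plus the deactivated flag and the count of users that landed in the second system. The two answers worth building a client around are the 412 on a stale `If-Match`, which keeps two administrators (or a replayed request) from silently overwriting each other, and the 401 that fires before any resource is touched. A production server also needs TLS, OAuth-issued tokens instead of a static string, the full filter grammar and pagination, which this example leaves out.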

The last step in the equation is to make SCIM ubiquitous, and that's where you come in. Some vendors are proud of their special little snowflake identity APIs, or just haven't prioritized a standards-based approach to identity. Maybe they are happy to keep you locked in to their proprietary approach to identity, or maybe they are simply unaware that there is a better alternative out there. Either way, it will end up costing you real time and money. When looking at new vendors, ask whether they have a standards-based identity API, and if not, why not. If you are struggling to integrate an existing system into your identity environment, push the vendor to provide a SCIM-based API.

Things in identity-land look amazing compared to six years ago when this journey began. It’s clear that SCIM is now the de facto identity management API. Service providers large and small are creating SCIM servers and clients. Fortune 1000 companies are using SCIM as the basis for their internal identity management needs. SCIM toolkits and libraries are being released to make it even easier to get up and running. We have arrived – the eagle has landed.