System for Cross-domain Identity Management (SCIM) is a specification for a universal identity provisioning interface. Universal interfaces are, generally speaking, a good idea. However, I am quite skeptical about SCIM. Identity management interfaces may seem to be dead simple, yet they are notoriously hard to get right. Did SCIM get it right?
Identity management is all about creating accounts, isn’t it? All we need is to agree whether the right name for the attribute is username or login. Mix in some schema extension capabilities, wrap it all in a nice REST API and we are done. How hard can that be?
Turns out it is much harder than it seems. It is “we cannot get this right for almost 20 years” hard. The reasons for this are subtle and counter-intuitive. This is far beyond what can fit into a blog post. Therefore I have written it down in a longer article:
SCIM Troubles at docs.evolveum.com.
I have been in identity management since the early 2000s. I have seen DSML, SPML1 and SPML2 that reinvented the LDAP wheel in XML. I have seen SCIM1 that reinvented the SPML wheel in JSON. Now we have SCIM2 and there are talks about SCIM3. I would like to say that now I have seen everything. But I’m quite sure that I haven’t. SCIM hype is rising and I’m afraid that there is more to come. However, there is still a chance that I’m wrong about SCIM. There is a chance that my past experiences influenced my judgement about current developments. If that is the case, then please let me know where I’m wrong. I will try to reconsider my position.
Coincidentally, just as I was writing the SCIM article, I received news that there may be a contribution of a SCIM gateway for midPoint quite soon. Even though I’m not exactly over-excited about SCIM, I’m quite happy about such a contribution. I will let you know when it is published. This is going to be a very interesting experiment. We will see how SCIM really works with midPoint, because it is engineering reality that matters, not talks or blog posts. If there is enough interest in that SCIM gateway, we will even consider adopting it as a midPoint core component. Let the community decide!
Truly said. We’ve been struggling to get our credentials system right from day one. Thanks for sharing such an informative post.