Move over SPML, Hello SCIM
Posted by Courion Corporation on Mon, Nov 21, 2011

On November 13, Courion announced its support for the Simple Cloud Identity Management (SCIM) specification. SCIM is a new standard that aims to simplify identity management (specifically provisioning activities) for cloud applications. Courion is supporting the SCIM initiative along with vendors such as Salesforce, Google, Ping Identity, VMware, Cisco, UnboundID, as well as many other cloud providers.
In his November 15th KuppingerCole blog, Dave Kearns talks about having a change of heart about SCIM. Said Dave, “Initially, I was opposed to SCIM – I thought that SPML could be moved forward to encompass cloud-based services relatively easily…I also had noted that no provisioning vendor had stepped forward to embrace SCIM. That’s now changed, as Courion announced their support earlier this month.”
So what is SCIM? Simply, SCIM is focused on moving users (and their access) to, from and between cloud applications securely, quickly, and easily. To put it another way, it is used for the Create, Read, Update, Delete (CRUD) operations for identity and access.
SCIM gives cloud application providers a consistent and simple way to manage their identities in their cloud application as well as other clouds. It streamlines making connections to applications by emphasizing simplicity of development and integration. This reduces the cost and complexity of user management operations by providing standardization across cloud providers -- offering a simple, prescriptive, extensible standard for cloud provisioning actions.
So what about SPML (Service Provisioning Markup Language)? SPML is also a standard for performing CRUD operations on target systems. So why aren’t more vendors supporting SPML? SPML (now at version 2.0) was originally developed for the enterprise provisioning market. While many Identity Management vendors support sending and accepting SPML requests, few vendors of the target systems support SPML as their “API” for provisioning. As a result, most integrations from IAM vendors still use the API provided by the vendor (and those APIs vary greatly from vendor to vendor).
With a library of more than 350 connectors, Courion experiences the challenges of using wide and varied APIs to integrate with target systems. The benefits of SCIM appeal to us for all of the same reasons listed above. If SCIM gains traction (it’s currently in draft form), as an author of connectors, we’ll see benefits with the simplicity of integration and speed of delivery of the new connections.
So what have we done? In our initial prototypes we’ve made access requests from Courion products (consumers) to a SCIM endpoint and have found the development and integration work with SCIM to be very straightforward. The code is simple, performs well, and is network and firewall friendly. Our next project will most likely be to flip the roles, turning Courion’s Connector Library into a SCIM endpoint with the potential of making 350+ systems targets via SCIM.