by Trey Drake, UnboundID ArchitectSimple Cloud Identity Management (SCIM) as a concept began at the 2010 Cloud Identity Summit, but truly came into being at IIW #12 (May 2011). Since then the SCIM working group has cranked out no less than 4 work-in-progress specifications, logged hours upon hours of teleconferences, completed weeks of spec editing and months of coding. The result? A core schema agreed upon by all, a REST API proven to be implementable across a variety of services and backends, and a set of specifications nearing completion. From my perspective, the spec is already enormously successful given the complexity of the problem and difficulties in developing a specification across a variety of stakeholders. With that said, the specifications and working group have encountered a number of myths that I thought could use some debunking, Myth Busters-style.
Myth #1 - The specification is not "open" – it’s been developed behind closed doors.
SCIM started at the Cloud ID Summit (an open conference), and the working group was kicked off publicly at IIW #12. SCIM is developed via a weekly public teleconference, and we utilize open mailing lists and pretty much every other open venue we can find. The proof is out there…take a look at the mailing list archive, IIW notes, demos at Cloud Identity Summit, etc. As with most specifications, there are fewer than a dozen active contributors, though at last count there were over 200 subscribers to the working group alias. Closed? Hardly. Be on the lookout for an IETF RFC soon.
Myth #1 - Busted
Myth #2 - The SCIM team is ignoring SPML.
Yes, we are, as are most SaaS providers and the vendors that feed them. After all, that's how SCIM came to be. SPML's enterprise-y protocol and lack of a concrete schema are its downfall. We’re choosing a different path.
Myth #2 - Confirmed
Myth #3 - The SCIM team is ignoring REST-PML.
True again. With that said, it’s due to the fact that REST-PML came into being after SCIM was well under way. Interestingly enough, I'm told the push for REST-PML is a result of SCIM. Perhaps they're ignoring us?
Myth #3 - Plausible
Myth #4 What the heck do "those guys" know about identity?
This one is just common sense. Can anyone really claim that Cisco, SalesForce, Google, Ping, UnboundID, SailPoint, TechnologyNexus and the rest of the working group don't know anything about identity management? It should be clear from the products and thought leadership developed by all of these companies that they have a strong background in identity management.
Myth #4 - Busted
Myth #5 - The SCIM working group is doing it wrong.
Well, I guess it depends on what the meaning of "it" is. The goal of SCIM is to ease the burden on Service Providers, Consumers, and integrators stuck with a myriad of proprietary protocols and data formats that, at the end of the day, simply push a user from point A to point B. Given that some of the largest SaaS providers on the planet are key spec contributors, implementers have already churned out working implementations, and people keep clamoring for the finished spec, I think we're on the right track.
Myth #5 – Busted