New IETF group aims to simplify provisioning users to cloud services

A provisioning working group gets its marching orders from the Internet Engineering Task Force and sets its sights on creating a standard way to add and remove users from cloud-based services and applications.

The proposal for a new IETF working group that will create standards for provisioning and de-provisioning users to cloud services was officially approved Thursday by the Internet Engineering Task Force.

The System for Cross-domain Identity Management (SCIM) working group will work off the protocol formerly known as Simple Cloud Identity Management with the aim of standardizing common tasks related to user identity management for services and applications.

The group, formed in the IETF's Application Area, is chaired by Morteza Ansari, a principal engineer at Cisco, and Leif Johansson, who focuses on digital identity and federation for SUNET (the Swedish University Network) and the Swedish government.

The area director is Barry Leiba, a computer scientist who has been involved with the IETF since the mid-1990s.

"Yay, and here we go," Leiba said in a message sent to the working group's mailing list. Leiba also said there will be a SCIM session on the agenda at the next IETF meeting, which begins July 29 in Vancouver.

The working group will focus on standardizing methods for creating, reading, searching, modifying, and deleting user identities and identity-related objects across administrative domains, according to its charter.

The group will use SCIM 1.0 as a starting point, which provides RESTful interfaces on top of HTTP. The group plans to finish its work in January 2014.

The working group specifically said it would not be defining any new authentication or authorization schemes.

Today, it can be difficult, and is often a manual process, to provision corporate users for services and applications residing on an external Web site. SCIM's intent is to create a fast, efficient and standard way for enterprises to provide access to cloud services.

Critics have attacked SCIM as too simplistic to be effective and claim it is repeating the sins of its forefather, the Service Provisioning Markup Language (SPML).

The working group's charter stipulates that SCIM will focus on schema definitions and discovery; operations to create, modify and delete users; read/search; bulk operations; and mappings between the IETF's inetOrgPerson LDAP object and the SCIM schema.
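To make the charter's scope concrete, the following is an added illustration (not code from the IETF, the working group, or any of the vendors named in this article) of the service-provider side of the operations listed above: create, read, search, modify, delete and bulk on a user resource. It uses the SCIM 1.0 core schema URN and the /Users path from the draft the group started from; the in-memory store, the single supported filter form, the attribute allowlist and the sample user are constructed assumptions for the example. The point a defender cares about is the last step: de-provisioning must leave the identity unresolvable, not merely flagged.

```python
import re
import uuid

# SCIM 1.0 core schema URN and resource path from the draft the working group
# started from; everything else below is a constructed illustration.
SCIM_CORE = "urn:scim:schemas:core:1.0"
USERS_PATH = "/Users"


class ScimError(Exception):
    """Carries the HTTP status a SCIM service provider would return."""
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status
        self.detail = detail


class UserStore:
    """Minimal in-memory user resource supporting the charter's operations."""
    def __init__(self):
        self._users = {}  # server-assigned id -> user resource

    def create(self, body):
        if SCIM_CORE not in body.get("schemas", []):
            raise ScimError(400, "missing core schema")
        username = body.get("userName")
        if not isinstance(username, str) or not username:
            raise ScimError(400, "userName is required")
        # userName is unique per service provider; compare case-insensitively
        if any(u["userName"].lower() == username.lower() for u in self._users.values()):
            raise ScimError(409, "userName already exists")
        user = {"schemas": [SCIM_CORE], "id": str(uuid.uuid4()), "userName": username,
                "active": bool(body.get("active", True)),
                "emails": list(body.get("emails", []))}
        self._users[user["id"]] = user
        return user

    def read(self, user_id):
        try:
            return self._users[user_id]
        except KeyError:
            raise ScimError(404, "no such user")

    def search(self, filter_expr):
        # Only the 'attr eq "value"' form of the SCIM filter grammar is handled here.
        m = re.fullmatch(r'\s*(\w+)\s+eq\s+"([^"]*)"\s*', filter_expr)
        if not m:
            raise ScimError(400, "unsupported filter")
        attr, value = m.group(1), m.group(2)
        hits = [u for u in self._users.values()
                if str(u.get(attr, "")).lower() == value.lower()]
        return {"schemas": [SCIM_CORE], "totalResults": len(hits), "Resources": hits}

    def modify(self, user_id, changes):
        user = self.read(user_id)
        for key in ("id", "schemas"):  # read-only attributes
            if key in changes and changes[key] != user[key]:
                raise ScimError(400, f"{key} is read-only")
        for key, value in changes.items():
            if key in ("active", "emails", "userName"):  # allowlist of mutable attributes
                user[key] = value
        return user

    def delete(self, user_id):
        self.read(user_id)  # 404 if absent
        del self._users[user_id]

    def bulk(self, operations):
        """Apply a list of operations, recording a per-operation status."""
        results = []
        for op in operations:
            method, path = op.get("method"), op.get("path", "")
            try:
                if method == "POST" and path == USERS_PATH:
                    created = self.create(op["data"])
                    results.append({"bulkId": op.get("bulkId"), "status": "201",
                                    "location": f"{USERS_PATH}/{created['id']}"})
                elif method == "DELETE" and path.startswith(USERS_PATH + "/"):
                    self.delete(path[len(USERS_PATH) + 1:])
                    results.append({"status": "200", "location": path})
                else:
                    raise ScimError(400, "unsupported bulk operation")
            except ScimError as e:
                results.append({"status": str(e.status), "response": e.detail})
        return results


def deprovision_round_trip():
    """Constructed walk-through: provision, find by userName, deactivate, delete,
    then confirm the id no longer resolves. Returns (hits, active_after_patch, gone)."""
    store = UserStore()
    alice = store.create({"schemas": [SCIM_CORE], "userName": "alice@example.com",
                          "emails": [{"value": "alice@example.com", "primary": True}]})
    hits = store.search('userName eq "alice@example.com"')["totalResults"]
    store.modify(alice["id"], {"active": False})
    inactive = store.read(alice["id"])["active"]
    store.delete(alice["id"])
    try:
        store.read(alice["id"])
        gone = False
    except ScimError as e:
        gone = e.status == 404
    return hits, inactive, gone
```

Running `deprovision_round_trip()` returns `(1, False, True)`: one search hit, the account inactive after the modify, and a 404 after the delete. The bulk method reports a status per operation rather than aborting the batch, which is what lets an identity provider reconcile a partially failed de-provisioning run instead of silently leaving accounts behind.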

The development of SCIM began in late 2010 mostly among a small group of vendors that now includes Cisco, Google, Nexus, SailPoint, Technology Nexus, VMware, UnboundID and Ping Identity. (Disclosure: Ping Identity is my employer.)

Here's the group's timetable toward completion of the spec:

June 2012 - Initial adoption of SCIM core schema
Aug. 2012 - Initial adoption of SCIM RESTful interface draft
Nov. 2012 - Initial adoption of SCIM LDAP inetOrgPerson mapping draft
Dec. 2012 - Snapshot version of SCIM use cases to IESG as Informational (possibly)
Dec. 2012 - Proposal for client targeting of SCIM endpoints
Feb. 2013 - SCIM core schema to IESG as Proposed Standard
May 2013 - SCIM RESTful interface to IESG as Proposed Standard
June 2013 - SCIM LDAP inetOrgPerson mapping to IESG as Informational
July 2013 - Initial adoption of SCIM SAML bindings draft
Aug. 2013 - Client targeting of SCIM endpoints to IESG as Proposed Standard
Sep. 2013 - Snapshot update of SCIM use cases as Informational (possibly)
Nov. 2013 - SCIM SAML bindings to IESG as Proposed Standard
Jan. 2014 - Work completed; discuss re-charter