Mike Kiser and Jen Schreiber
Beyond the immediate promise of the Shared Signals Framework in managing live sessions through CAEP events, an event-based approach offers a compelling path forward for addressing longer-term identity challenges. One such challenge is identity lifecycle management, or provisioning and deprovisioning.
Challenges of provisioning
Many underestimate the challenges of provisioning; for those who have not considered it, it may appear relatively simple from the outside. Much like watching a talented busker juggling on the streets of…oh, really any international city…say London, for no real reason other than the (most recent) interop having been held in that fine city.
Watching someone juggle looks easy, and it starts relatively simple. A couple of balls fly into the air and bounce between the hands of the performer. Back and forth go the objects. The transfer seems simple, easy. And provisioning can, indeed, be like that: two discrete systems with fairly similar schemas and use cases (like an HR system syncing into a local employee directory). But keep watching the busker…things rapidly get more complicated. Now instead of two objects, there are six or eight. The balls are exchanged for sticks, which are then set on fire. Now things aren't so simple or easy, are they? The real world of provisioning escalates in much the same way; as the number of systems proliferates, so do the interconnections that must be maintained. This soon becomes an intractable problem (even without setting it on fire).
In an effort to address the challenges of managing the lifecycle of an identity, the System for Cross-Domain Identity Management (SCIM) was created. While SCIM has seen some success in connecting identity repositories, the rise of event-based architectures points to the need for SCIM to move from transactional and bulk operations to an event-based and asynchronous approach that allows interconnected systems to share identity context and data in near real time.
The SCIM Profile for Security Event Tokens seeks to provide a pathway for SCIM in event-based architectures.
Playing off the standards
SCIM events employ existing standards to accomplish this goal, using the same Security Event Token format as CAEP and Risk Incident Sharing and Coordination (RISC) events. It's important to note that while SCIM Events may use the Shared Signals Framework as a transport layer, they do not require it. The juggler may be tossing objects in the air or over water; they might be throwing clubs, rings, or balls. It's all entertaining. SCIM events can be transported via push/pull over HTTP, streaming technologies like Kafka or Kinesis, webhooks, or SSF. The specification is agnostic. That said, the popularity of the Shared Signals Framework may make it a preferred option.
Syncing vs Notification: A diverse approach
With the adoption of an event-based approach, this iteration of SCIM allows for more than just a flow of updated information. While some systems may need, and be able to process, a full stream of events, others may prefer to be only notified that something changed. In practice, this allows them to request only the changes that they're interested in over a secure back channel, saving effort and preserving privacy. Other systems may need to process asynchronously, dealing with this new information on their own, independent timeline. The standard allows for this customizable approach, making it flexible for a diverse set of architectures.
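To make the two points above concrete (the Security Event Token format mentioned in the standards paragraph, and the "full stream" versus "notification only" styles just described), here is an added Python example written for this post. It is not code from the OpenID Foundation, the SCIM Events specification, or any transmitter or receiver product. It uses only the standard library: HS256 is used purely so the example runs offline (deployments would use the asymmetric signing that SET/SSF profiles expect); the event URIs are assumed to follow the SCIM Events draft naming; and the placement of the subject (`sub_id` in the opaque format) and of `data`/`attributes` inside each event is this example's own simplification, not the draft's exact layout. The `fetch` function stands in for the back-channel SCIM GET a receiver makes when it has only been notified of a change.

```python
# Added example (not from the OpenID Foundation post, the SCIM Events draft, or any vendor):
# a SCIM event carried as a Security Event Token (RFC 8417 claims: iss, aud, iat, exp, jti,
# events), signed with HS256 only so it runs offline with the standard library.
# Event URIs follow the SCIM Events draft naming (assumed); sub_id/data/attributes
# placement inside the event is this example's simplification, not the draft's exact layout.
import base64
import hashlib
import hmac
import json

EV_CREATE = "urn:ietf:params:SCIM:event:prov:create"  # assumed draft URI
EV_PATCH = "urn:ietf:params:SCIM:event:prov:patch"    # assumed draft URI
EV_DELETE = "urn:ietf:params:SCIM:event:prov:delete"  # assumed draft URI


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set(claims: dict, key: bytes) -> str:
    """Serialize claims as a SET (typ secevent+jwt) and sign with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_set(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Check header, signature, issuer, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed SET")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected alg/typ")  # the receiver, not the token, picks the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("not for this audience")
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("expired")
    if not isinstance(claims.get("jti"), str) or not isinstance(claims.get("events"), dict):
        raise ValueError("missing jti or events")
    return claims


class ScimReceiver:
    """Applies SCIM events to a local store. A 'full' event carries the data inline; a
    'notice' event names the changed attributes and the receiver pulls them back-channel."""

    def __init__(self, key: bytes, issuer: str, audience: str, fetch_resource):
        self.key, self.issuer, self.audience = key, issuer, audience
        self.fetch_resource = fetch_resource  # stand-in for SCIM GET /Users/{id}?attributes=...
        self.directory = {}
        self.seen_jti = set()                 # replay protection keyed on the SET's jti

    def handle(self, token: str, now: int) -> str:
        claims = verify_set(token, self.key, self.issuer, self.audience, now)
        if claims["jti"] in self.seen_jti:
            return "duplicate"
        self.seen_jti.add(claims["jti"])
        rid = claims["sub_id"]["id"]          # subject placement: this example's assumption
        for uri, body in claims["events"].items():
            if uri == EV_CREATE:
                self.directory[rid] = dict(body["data"])
            elif uri == EV_PATCH and "data" in body:
                self.directory[rid].update(body["data"])
            elif uri == EV_PATCH:             # notice style: fetch only the named attributes
                self.directory[rid].update(self.fetch_resource(rid, body["attributes"]))
            elif uri == EV_DELETE:
                self.directory.pop(rid, None)
            else:
                raise ValueError(f"unsupported event {uri}")
        return "applied"


def demo() -> dict:
    """Constructed scenario: an HR system (transmitter) feeds an application (receiver)."""
    key, iss, aud = b"demo-shared-secret", "https://hr.example", "https://app.example"
    now = 1_700_000_000
    hr = {"u1": {"userName": "jdoe", "active": True, "title": "Engineer", "salary": 1}}

    def fetch(rid, attrs):                    # back channel returns only what was asked for
        return {a: hr[rid][a] for a in attrs if a in hr[rid]}

    rx = ScimReceiver(key, iss, aud, fetch)
    base = {"iss": iss, "aud": aud, "iat": now, "exp": now + 300,
            "sub_id": {"format": "opaque", "id": "u1"}}
    t1 = sign_set({**base, "jti": "e1", "events": {EV_CREATE: {"data": {"userName": "jdoe", "active": True}}}}, key)
    hr["u1"]["title"] = "Staff Engineer"      # change at the source, then a notice is sent
    t2 = sign_set({**base, "jti": "e2", "events": {EV_PATCH: {"attributes": ["title"]}}}, key)
    forged = sign_set({**base, "jti": "e3", "events": {EV_DELETE: {}}}, b"not-the-shared-secret")
    results = [rx.handle(t1, now), rx.handle(t2, now), rx.handle(t2, now)]
    try:
        rx.handle(forged, now)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"results": results, "directory": rx.directory, "forged_rejected": forged_rejected}
```

Running `demo()` applies the create event, resolves the notice by pulling only `title` over the back channel (the source's `salary` attribute never reaches the receiver), rejects the replayed token by its `jti`, and rejects a token signed with the wrong key before any of its claims are read. The same receiver loop works unchanged whether the tokens arrive over an SSF push endpoint, a poll response, or a Kafka topic, which is the transport-agnostic point the post makes.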
Benefits of real time SCIM events
The ability of SCIM Events to support real-time provisioning is significant. Once adoption takes place and real-time updates can be shared within an enterprise system, zero standing privilege (and zero trust) comes one step closer to reality. Making changes in real time means that access is no longer permanent; it is provisioned as an identity requires it, and then removed once it is no longer needed.
SCIM events hold more promise than provisioning alone: by ingesting data from various sources in real time, a system finds its true security potential. An access policy that an organization wants to enforce needs current data and attributes. With input from SCIM events alongside CAEP and RISC as the sources of real-time information, the policy becomes as current as it can be.
Privacy through data minimization will benefit greatly from the adoption of SCIM events. Limiting data collection to only what is necessary is fundamental to privacy approaches. Minimal-information SCIM events allow a receiver to decide which attributes or resource lifecycle changes it accepts, and a transmitter to restrict what it sends to a receiving domain. Less data acquired translates to less risk for the organization.
Within a system, SCIM events can be used as a reaction to CAEP and RISC events. When these events relay that a session has been terminated, the system can respond by updating the underlying attribute data and the accounts themselves to prevent future use.
Finally, an auditable record of everything that takes place within an organization is essential to prove compliance and support risk detection within the enterprise. It is not enough to eliminate invalid sessions or adjust access and entitlements; all actions taken within a system must be recorded to ensure that it is "living by its own rules" and doing precisely what it claims to be doing. Thus, SCIM events enable not only provisioning in real time, but auditing and governance as well.
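The three preceding points (receiver-side data minimization, reacting to a CAEP session event, and keeping an auditable record) can be shown together in one small receiver. The Python below is an added example written for this post, not code from the OpenID Foundation or from any SCIM or SSF implementation. It works on event payloads that have already been verified (signature and issuer checks are out of scope here); the CAEP `session-revoked` event type URI and its `reason_admin` field are the ones CAEP defines, the SCIM event URI is assumed to follow the SCIM Events draft naming, and the allowlist, the sample directory, and the hash-chained audit-log format are this example's own constructions.

```python
# Added example (not from the OpenID Foundation post or any SCIM/SSF implementation):
# a receiver that keeps only allow-listed attributes from incoming SCIM data, reacts to a
# CAEP session-revoked event by disabling the matching account and emitting a SCIM patch
# downstream, and records every action in a hash-chained (tamper-evident) audit log.
import hashlib
import json

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
SCIM_PATCH = "urn:ietf:params:SCIM:event:prov:patch"  # assumed draft URI

# Receiver's own minimization policy (constructed): anything else is dropped on arrival.
ACCEPTED_ATTRS = {"userName", "active", "displayName", "groups"}


class AuditLog:
    """Append-only log in which every entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, subject: str, detail: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "action": action, "subject": subject,
                "detail": detail, "prev": prev}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class Reactor:
    def __init__(self, directory: dict):
        self.directory = directory
        self.audit = AuditLog()
        self.outbound = []  # SCIM events this system would emit to systems downstream of it

    @staticmethod
    def minimize(data: dict):
        kept = {k: v for k, v in data.items() if k in ACCEPTED_ATTRS}
        dropped = sorted(set(data) - ACCEPTED_ATTRS)
        return kept, dropped

    def handle(self, subject_id: str, events: dict) -> None:
        """events: the already-verified 'events' claim of one SET, keyed by event URI."""
        for uri, body in events.items():
            if uri == SCIM_PATCH:
                kept, dropped = self.minimize(body.get("data", {}))
                self.directory[subject_id].update(kept)
                self.audit.record("scim.patch", subject_id,
                                  {"applied": sorted(kept), "dropped": dropped})
            elif uri == CAEP_SESSION_REVOKED:
                # The session is gone; make sure the account cannot be used again and
                # tell downstream systems the same thing as a SCIM event.
                self.directory[subject_id]["active"] = False
                self.outbound.append({SCIM_PATCH: {"data": {"active": False}}})
                self.audit.record("account.disabled", subject_id,
                                  {"reason_admin": body.get("reason_admin", {})})
            else:
                self.audit.record("event.ignored", subject_id, {"uri": uri})


def demo() -> dict:
    """Constructed scenario: a patch carrying attributes this receiver never asked for,
    then a CAEP session-revoked event for the same subject, then a tampering attempt."""
    directory = {"u1": {"userName": "jdoe", "active": True}}
    r = Reactor(directory)
    r.handle("u1", {SCIM_PATCH: {"data": {"displayName": "J. Doe", "salary": 99, "ssn": "x"}}})
    r.handle("u1", {CAEP_SESSION_REVOKED: {"event_timestamp": 1_700_000_000,
                                            "reason_admin": {"en": "administrator initiated"}}})
    chain_valid_before = r.audit.verify()
    dropped = list(r.audit.entries[0]["detail"]["dropped"])
    r.audit.entries[0]["detail"]["applied"] = ["salary"]  # someone edits history after the fact
    return {"directory": directory, "outbound": r.outbound, "dropped": dropped,
            "chain_valid_before": chain_valid_before, "chain_valid_after": r.audit.verify()}
```

In `demo()`, `salary` and `ssn` are discarded at the door and only their names are recorded, the CAEP event flips the account to inactive and queues a SCIM patch for downstream systems, and the audit chain verifies until one historical entry is edited, at which point `verify()` fails; in a deployment the chain head would be anchored somewhere the application cannot rewrite.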
SCIM Events: A logical step
By adopting SCIM events, we move closer to addressing the long-term problem of provisioning: fragmented data stores, proprietary interfaces, and a disjointed approach to identity - the historical equivalent of juggling fire. But we achieve more than that as we move into this new paradigm: we gain real-time context for enhanced policy-based decision making. We bolster privacy-enhancing approaches to data minimization. We create concrete responses to CAEP and RISC events. And we do it all with an audit record that proves that we are moving closer to our goal - a world in which access is not available except when it is necessary.
In short, SCIM Events moves provisioning from a task that only seems simple into one that actually is. (The authors are still working on the other intractable problem: keeping five flaming bowling pins in the air simultaneously.)
About the OpenID Foundation
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
