Saturday, July 10, 2021

Launching and a new Independent Identity

It has been a while since I last blogged. I had found myself writing on Oracle's platform and this blog took a back seat. Now that I am truly independent, I am blogging again! 

To date, the focus of this blog has been an independent view on standards and the protocols that make Identity systems work. Going forward, I will continue to comment on standards but I will also bring new content around open source.

During the COVID shutdown, I got motivated to get back into development and started working on a new from the ground up SCIM server. I was fascinated by Kubernetes and the idea of building my own bare metal cluster. I settled on a half dozen Raspberry Pis and bought a PicoCluster kit. This became the motivator to do more...

Independent Identity is incorporated with the goal of building independent open source projects in support of SCIM and other Identity related standards. Rather than just help enterprise customers, I hope to work with application developers who are trying to figure out how best, to adopt support for protocols like SCIM.

Introducing i2scim!

The first Independent Identity project is "i2scim". i2scim is my take on a full-feature modern SCIM server. Years ago, SCIM was envisioned by SFDC, Oracle, Ping Identity, SailPoint and many many others as the answer to how to handle identity management in an open RESTful way.  After years of collaboration, in September 2015, as the editor, I was very happy see RFC7643 and RFC7644 be published signalling a common method for provisioning accounts was now availble. Since then, there has been wide adoption by service providers. However, application developers looking to implement SCIM provisioning have been slow to support SCIM. SCIM's database like feature have been seen as both powerful and intimidating. My goal is to make i2scim more accessible. A configure and go approach where the core engine just becomes part of an application's data platform.'s is a high-performance, lightweight SCIMv2 server for Kubernetes environments using a small Docker image (178Mb in 0.5.0-Alpha). i2scim supports configurable schema and resource types. No more hard coded Java classes for resources. i2scim defines a provider interface which allows it to be adapted to different databases and APIs. The current version includes support for Mongo Database clusters and an in-memory database. 

Key i2scim features:

  • Full SCIMv2 protocol support with Bulk support coming.
  • Supports HTTP HEAD and HTTP Conditional requests (RFC7232)
  • Uses the Quarkus (1.13.6 Final) platform for fast startups, lightweight stack, and performance
    • Quarkus SmallRye JWT (Jose4J) support 
    • Quarkus SmallRye JWT / OAuth support
    • Quarkus SmallRye Health DevOps support 
    • Jackson Serializer
  • Mongo Database support exploits Mongo's native JSON document engine providing full SCIM support for Mongo Clusters.
  • Extension points
    • IScimProvider interface allows i2scim to be enhanced work against other databases and APIs
    • IEventHandler enables the ability to send and receive asynchronous events
    • IVirtualValue enables values that are mapped, or calculated
  • Configurable schema using JSON configuration files (supplied via K8S configMap) to define the objects types (ResourceTypes) and their composition (schema).
  • Security
    • JSON based RBAC Access Control configuration evolved from LDAP ACI model
    • Bearer token support with Quarkus SmallRye JWT (RFC7523)
    • Basic Auth (RFC7617) authenticating against SCIM users
    • Secure password storage using PBKDF2 (Password Based Key Derivation Function 2) with salt and pepper hash for FIPS 140 compliance.
  • Docker images (amd64 and arm64) available with K8S Yaml deployment templates.
  • More to come!
The current release is 0.5.0-Alpha and is a preview release intended to gather interest and begin building community. PR requests welcome!


1 comment:

Travis Spencer said...

Great to hear from you again, Phil. Nice project and initiative.

Another thing that would help move SCIM forward IMO is a test suite that can verify how well all these SCIM servers adhere to the spec.

Post a Comment