SCIM a NEW "LDAP" STANDARD

RFC 7644 - System for Cross-domain Identity Management: Protocol (ietf.org)
So, I have been researching and reading a lot about SSO recently, and with the same, we know some of the industry news and happenings that have been taking place.

We have Microsoft migrating their identity platform to Entra and many other happenings.

In this case, we have a new standard for directory management which everyone seems to be migrating to, and this is SCIM.
SCIM: System for Cross-domain Identity Management

I am bringing this discussion here because it is information everyone, I believe, the developers of NethServer as well as community members, will benefit from.

Considering NS8 is a new child and still in the development process (not to say RC and releases can't happen without it),
it is important, I believe, to take note of these new happenings and changes happening in the industry.

As @Andy_Wismer has always stated, never put AD in the cloud; I think someone heard you and decided to implement a solution around the same.

From a security standpoint, it’s wise not to expose LDAP (Lightweight Directory Access Protocol) to the internet if you’re using Active Directory, OpenLDAP, FreeIPA or anything similar as your source of truth for authentication. SCIM fills a need for directory synchronization in a cloud-native world in which many companies aren’t hosting the software they use on their own servers.

So:

SCIM, or the System for Cross-domain Identity Management specification, is an open standard designed to manage user identity information. SCIM provides a defined schema for representing users and groups, and a RESTful API to run CRUD operations on those user and group resources.

The goal of SCIM is to securely automate the exchange of user identity data between your company’s cloud applications and any service providers, such as enterprise SaaS applications.

I have seen many SSO solutions implement SCIM in the past couple of months, and I remembered we had a discussion here about implementing an SSO-based module for NethServer.

These topics were discussed at length: Single sign-on (SSO)/Identity and access management (IAM) for Nethserver - Feature - NethServer Community

Authentik discusses implementing it here: We need to talk about SCIM: More deviation than standard | authentik (goauthentik.io)
There are also other references available on the same: Tutorial - Develop a SCIM endpoint for user provisioning to apps from Microsoft Entra ID | Microsoft Learn

What is SCIM and How Does it Work? | Ping Identity

Understanding SCIM | Okta Developer

While we have had LemonLDAP::NG from NS7, I don't see them supporting SCIM yet.

Would NethServer be inclined to implement SCIM by default into NethServer, or would the dev team implement an SSO module that has the more advanced SSO functions and SCIM?

About single-sign-on, we recently evaluated Keycloak integration in NS8 and I can say it is in our plans for the future. We are now focused on the features needed to migrate from NS7.

PS: SCIM… :thinking: I think @Tbaile was talking about it yesterday evening!

2 Likes

That sounds quite promising–it’d be nice to have an “official” SSO solution, though it’s unclear whether Keycloak supports SCIM. Though I wonder what SCIM brings to the table that existing standards like OIDC and SAML don’t.

1 Like

I am curious regarding this: why not Authentik? Is there something in particular that Keycloak offers better than all the others?

Either a better codebase, better community support, better interface, the programming language, integrations, tutorials and so on.

Taking a deep look at Keycloak, it lacks a lot in a number of those areas, plus its documentation… you might have to write your own…

Not that I prefer Authentik; I would actually prefer LLNG because that's what I was initially forced to adopt…

2 Likes

Well, for Keycloak I already did a real test and it seems viable, whilst I had just a glance at the Authentik docs. I'll dive into Authentik too before choosing the implementation.

If you have other candidates, suggestions are welcome!

In any case we need AD/LDAP federation support, because users and groups are stored in an LDAP database in NS8!

1 Like

PS: SCIM… :thinking: I think @Tbaile was talking about it yesterday evening!

I was suggesting to implement an OAuth2 server to manage the same user in multiple applications, but this works too I guess! :man_shrugging:
The target is to have a single point of login for all the services within the cluster (even if some won’t work without a payment, see Mattermost).
I am delighted to see that SCIM is more API-based and requires fewer manual commands to work; however, we know that many infra people like to stick to the old-yet-functional things, so a certain amount of customization is needed to make this software bloom in popularity, especially in big environments.

Ding ding ding! That’s exactly what SSO should do, and why (IMNSHO) NS ought to include it.

1 Like

Not that I would understand what it’s all about… but to not have to reinvent the wheel completely, you could possibly build on an existing OSS implementation of SCIM.

idaas.nl: Features / SCIM 2.0

GoScim: Building Blocks / Docker

personify scim server: Docs

SCIM-SDK: GitHub

My 10ct, Marko

My take exactly as well. I think the NS team could and should implement SCIM built in to NethServer itself; that way, whichever other SSO solution they choose to make use of, be it Keycloak, LLNG or any other, SCIM is not part of the consideration. Similarly, SCIM would very soon be a mature enterprise-grade solution similar to LDAP/AD.

So sure thing, dev for the modern world: consider having SCIM natively supported in NS.

Since a lot of ERP and CRM already support it, and it's API-based, it would make for a very compelling business case for NethServer as an SME server.

I would like NethServer, for me and the numerous other organizations I work with, to be the universal standard for user management, authentication and yada yada for their internal operations systems, a huge win for NS.

EDIT:

Wait, did I just read that SCIM can pull and push user data to PostgreSQL, MySQL and MongoDB databases? Wow, that would be cool (unlimited possibilities in application integrations).

@oneitonitram

I still do not think this should be given ANY priority BEFORE Release!

At the moment, I see exactly 2 users interested in the discussion on the “pro” side

NS8 does not “need” an included SSO besides AD/LDAP, which have existed since early NS days…

Nice to have, sure, but only AFTER NS8 is released!

And: SCIM is NOT a "Standard" yet, whereas SAML and OIDC can be considered "standards".

My 2 cents
Andy

This statement just proves how little understanding for the “behind the scenes” issues and problems exist.

You are aware of the major difference between any relational database and, say, LDAP/AD (AD is based on LDAP, basically a proprietary version of LDAP)?

Relational Databases are not “multi value capable” like LDAP/AD are.

A simple example:
If a database has a field for a telephone number, that's the ONLY place a telephone number can be used sensibly. Same goes, e.g., for e-mail addresses.

If you want / need additional numbers or email addresses stored, you need multiple fields, e.g. for private / business / mobile etc.

Any LDAP-based structure is generally "multi-valued"; no special programming or structuring is needed.
Fields like e-mail and telephone can accept several values.

This basically means any such 2-way sync CAN and WILL entail data loss, unless specific rules are made for the translation of fields, retainment of data etc… These need to be done individually for each sync to a database. MongoDB is more flexible, especially for retainment, than a relational database.

Note:

I'd still like to emphasize: I'm absolutely NOT against SCIM being included in NS8. But I'd like to see NS8 released first with more or less full migration capabilities for anything possible under NS7 and NS8 from the standard Software Center.

Documentation must also be more or less complete; especially for migration this is VERY lacking!
As a good example, NS7 needed a separate IP for the AD; there is no word about this IP in the migration (or elsewhere AFAIK) under
https://ns8.nethserver.org/en/latest/migration.html
But also no word under File Server.
There are no statements on WHAT needs to be migrated in DNS entries for the AD to continue working…
An AD is not like any other application in NS8; it is a single source for authentication, and a component of the file server.
If there is no statement of what must be activated and where, and the same for deactivation, does that leave two identical ADs running? Mine wasn't deactivated on NS7…
This is not really good!

Still soooo much missing!

My 2 cents
Andy

1 Like
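The multi-valued point above, as an added example that is not from the thread: a SCIM User with two e-mail addresses and two phone numbers is flattened into an assumed single-column-per-attribute relational row, and the values the target cannot hold are reported (the `FLAT_COLUMNS` table layout and the user data are constructed).

```python
"""Added example (not the thread's code): what a one-column-per-attribute
relational target drops when a multi-valued SCIM User is synced into it."""
import json

# Constructed SCIM User (RFC 7643 core schema); bjensen is the RFC's sample user.
SCIM_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "bjensen",
  "emails": [
    {"value": "bjensen@example.com", "type": "work", "primary": true},
    {"value": "babs@example.org", "type": "home"}
  ],
  "phoneNumbers": [
    {"value": "+1-555-0100", "type": "work"},
    {"value": "+1-555-0199", "type": "mobile"}
  ]
}""")

# Assumed flat user table: one email column and one phone column.
FLAT_COLUMNS = {"emails": "email", "phoneNumbers": "phone"}

def pick_primary(values):
    """RFC 7643 allows at most one primary entry; fall back to the first one."""
    for v in values:
        if v.get("primary"):
            return v["value"]
    return values[0]["value"] if values else None

def flatten(user, columns=FLAT_COLUMNS):
    """Return (row, dropped): the single-valued row plus every value the target
    cannot hold, i.e. what a two-way sync loses unless a mapping rule keeps it."""
    row, dropped = {"username": user["userName"]}, {}
    for attr, col in columns.items():
        values = user.get(attr, [])
        row[col] = pick_primary(values)
        lost = [v["value"] for v in values if v["value"] != row[col]]
        if lost:
            dropped[attr] = lost
    return row, dropped

if __name__ == "__main__":
    row, dropped = flatten(SCIM_USER)
    print(json.dumps(row, indent=2))
    print("lost without explicit mapping rules:", json.dumps(dropped))
```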

I did not say it must be done before release, but a consideration, of course.

I guess you don't really follow tech news, do you? SCIM is much bigger, and even Microsoft themselves are migrating to that with their Entra from the AD/LDAP standard.

Microsoft, Okta and others seem to disagree with your assessment on this one.

You seem to be confusing SAML and OIDC with what SCIM stands for; it's not there to replace SAML and OIDC, but to complement them.

SCIM is trying to achieve what AD/LDAP was unable to achieve for the modern cloud-first approach of solutions and industry: you can't have AD on the open web, but you can have SCIM.

They share the same schemas in a number of cases with AD/LDAP, and this is API-based, so that any software developer can implement it in their software.

This makes it easy to have bidirectional user sync, something that LDAP struggled with a lot.

@Andy_Wismer, kindly do a bit more research on this; it will really help in this regard. No need to bash me on this case.

Read here: wouter29 / personify-scim-server — Bitbucket

And if you would like, I can compile a list of over 10 links stating the two-way sync nature of SCIM.

If you read this article: We need to talk about SCIM: More deviation than standard | authentik (goauthentik.io), @Andy_Wismer, you will come to the realisation that SCIM supports data sync both inward and outward; that's why it has clients and servers.

A client can update the records, and similarly the server can do so as well.

If I have an ERP solution utilizing SCIM and a user changes or updates their email address on the CRM interface, the same will be pushed to SCIM via the provided API and update all that is relevant accordingly, if that's supported.

I have been researching SSO for software implementation use cases, and not merely for login and logout, so I can confidently disprove you in these cases; while my learnings and lessons are not foolproof and complete, I will continue adding to my knowledge to achieve the cases I need for whatever it is we are building.

I respect that you have years of industry experience on AD and LDAP, and various industry standards you have gathered over the years, but hey, IT is ever changing and growing; some things that seemed great years ago might not be the best way moving forward anymore.

This is why the NethServer team is currently going the container route, because that's where the industry is headed.

Don't get me wrong, I appreciate anything new in tech that makes my life easier, and I for one am trying to reduce complexities in a significant number of solutions we have built for our local clients, in the area of authentication.

I think the container thing solves this problem.
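The client-side update described in the post above (a changed e-mail address pushed over the API), and the schema-plus-REST-CRUD model quoted in the opening post, as an added example that is not from the thread or any of the linked projects: a minimal applier for an RFC 7644 PatchOp message against a User resource, supporting only plain attribute paths and `attr[sub eq "value"].sub` filter paths. The user resource and the PatchOp message are constructed sample data.

```python
"""Added example (not the thread's code): apply an RFC 7644 PatchOp to a SCIM User."""
import copy
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Path subset handled here: attr  or  attr[sub eq "value"].sub
PATH_RE = re.compile(r'^(\w+)(?:\[(\w+) eq "([^"]*)"\]\.(\w+))?$')

# Constructed User resource (RFC 7643 core schema); bjensen is the RFC's sample user.
USER = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "bjensen", "active": False,
        "emails": [{"value": "bjensen@example.com", "type": "work", "primary": True},
                   {"value": "babs@example.org", "type": "home"}]}

# Constructed PatchOp, as a client would PATCH /Users/{id} after a user edited
# the work address in a CRM: a filtered path instead of re-PUTting the resource.
PATCH = {"schemas": [PATCH_SCHEMA],
         "Operations": [{"op": "replace", "path": 'emails[type eq "work"].value',
                         "value": "barbara.jensen@example.com"},
                        {"op": "replace", "path": "active", "value": True}]}

def apply_patch(resource, patch):
    """Return a patched copy of resource; raise ValueError outside the subset."""
    if patch.get("schemas") != [PATCH_SCHEMA]:
        raise ValueError("not a SCIM 2.0 PatchOp message")
    res = copy.deepcopy(resource)
    for op in patch["Operations"]:
        kind, m = op["op"].lower(), PATH_RE.match(op.get("path", ""))
        if not m or kind not in ("add", "replace", "remove"):
            raise ValueError(f"unsupported operation: {op}")
        attr, fkey, fval, sub = m.groups()
        if fkey is None:                       # whole attribute, no filter
            if kind == "remove":
                res.pop(attr, None)
            else:
                res[attr] = op["value"]
            continue
        entries = [e for e in res.get(attr, []) if e.get(fkey) == fval]
        if not entries:
            raise ValueError("noTarget")       # scimType RFC 7644 returns for an empty filter
        for e in entries:                      # touch only the matching entries
            if kind == "remove":
                e.pop(sub, None)
            else:
                e[sub] = op["value"]
    return res

def work_email(user):
    return next(e["value"] for e in user["emails"] if e.get("type") == "work")
```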

I said it’s NOT a standard YET, and I stand by that!
You need to really look around if you want to buy an enterprise printer already supporting SCIM…

'nuff said!

My 2 cents
Andy

You think! Great for you!

But is it documented anywhere?

Sorry, but this doesn't work for any relational databases like PostgreSQL, MariaDB, MS-SQL, DB2 or Oracle. At least not yet or out of the box.

So it’s not yet worth a “Wow”!

Documentation for new software will always lag behind; just be patient on this front, kindly…

Especially when features keep getting added and others removed (not seen the removal bit yet in NS8).

For now I will cut the devs some slack, till, say, RC2 when we really definitely need the docs.

Great for you, but I've been doing that for over 30 years now, and I'm a little more current than you are in this as to research!

For me, it's not wishful thinking, but what works and is available!

Why would a database require that, in the context in which you are putting it?

Look at how Microsoft implements its SSO: it's just to log in, but if you're on Teams or Outlook or whatever, you are able to update some user profile content without being taken to your Microsoft profile account.
That is what I am talking about.

But still, if you go to your Microsoft profile account, you will be able to get the same.

Shows you did not have the foresight to integrate that from the beginning!