@@ -2333,3 +2333,36 @@ https://lemonldap-ng.org/
[FreeIPA]: https://www.freeipa.org/
[Keycloak]: https://www.keycloak.org/
[LDAP synchronization connector]: https://lsc-project.org/doku.php

### SCIM

LDAP is a "open, vendor-neutral, industry standard application
protocol for accessing and maintaining distributed directory
information services over an Internet Protocol (IP) network"
([Wikipedia](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)). That's quite a mouthful but concretely, many systems
have used LDAP as a single source of truth for authentication, relying
on it as an external user database (to simplify).

But that's only one way to do centralized authentication, and some
folks are reconsidering that approach altogether. A recent player in
there is the [SCIM standard](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management): "System for Cross-domain Identity
Management (SCIM) is a standard for automating the exchange of user
identity information between identity domains, or IT systems"
([Wikipedia](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management)). Again quoting Wikipedia:

> One example might be that as a company onboards new employees and
> separates from existing employees, they are added and removed from
> the company's electronic employee directory. SCIM could be used to
> automatically add/delete (or, provision/de-provision) accounts for
> those users in external systems such as Google Workspace, Office
> 365, or Salesforce.com. Then, a new user account would exist in the
> external systems for each new employee, and the user accounts for
> former employees might no longer exist in those systems.

In other words, instead of treating the user database as an external
database, SCIM synchronizes that database to all systems which still
retain their own specific user database. This is great because it
removes the authentication system as a single point of failure.

SCIM is standardized as [RFC7643](https://www.rfc-editor.org/rfc/rfc7643.html) and is built on top of REST with
data formatted as JSON or XML.
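Review bot: the closing sentence ("SCIM is standardized as RFC7643 and is built on top of REST with data formatted as JSON or XML") is inaccurate: RFC 7643 is only the SCIM core schema, the REST protocol itself is RFC 7644, and SCIM 2.0 payloads are JSON only (XML was a SCIM 1.x option). Suggest: "SCIM 2.0 is standardized as RFC 7643 (core schema) and RFC 7644 (protocol); it is a REST API exchanging JSON resources." Also, "removes the authentication system as a single point of failure" overstates what SCIM does: the quoted Wikipedia paragraph describes provisioning and de-provisioning of accounts, not authentication, so each target system still authenticates users itself (or through SSO), and the price of keeping a copy in every system is provisioning lag: a de-provisioned user keeps access on a target until the push reaches it, which is the security caveat worth stating next to the "great because" claim. Minor: 'LDAP is a "open' should be 'an "open', and "A recent player in there" reads awkwardly ("A newer entrant here").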