SCIM stands for System for Cross-domain Identity Management; it is used mainly for identity management in multi-tenant cloud applications.
Overview
SCIM 2.0 is built on an object model: every SCIM object derives from Resource, which carries the id, externalId and meta attributes. RFC7643 defines User, Group and EnterpriseUser, which extend these common attributes.

Example user
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "externalId": "bjensen",
  "meta": {
    "resourceType": "User",
    "created": "2011-08-01T18:29:49.793Z",
    "lastModified": "2011-08-01T18:29:49.793Z",
    "location": "https://example.com/v2/Users/2819c223...",
    "version": "W\/\"f250dd84f0671c3\""
  },
  "name": {
    "formatted": "Ms. Barbara J Jensen, III",
    "familyName": "Jensen",
    "givenName": "Barbara",
    "middleName": "Jane",
    "honorificPrefix": "Ms.",
    "honorificSuffix": "III"
  },
  "userName": "bjensen",
  "phoneNumbers": [
    {
      "value": "555-555-8377",
      "type": "work"
    }
  ],
  "emails": [
    {
      "value": "bjensen@example.com",
      "type": "work",
      "primary": true
    }
  ]
}
Not every user attribute is listed above, but the example already shows the three kinds of attribute a resource can have:
1. simple attributes, such as userName, which hold a single value;
2. complex attributes, such as name, which contain several sub-attributes;
3. multi-valued attributes, such as phoneNumbers, where one User resource holds several phone numbers.
Operations
To operate on resources, SCIM provides a REST API with a rich but simple set of operations, covering everything from changing one attribute of one user to bulk updates:
- Create: POST https://example.com/{v}/{resource}
- Read: GET https://example.com/{v}/{resource}/{id}
- Replace: PUT https://example.com/{v}/{resource}/{id}
- Delete: DELETE https://example.com/{v}/{resource}/{id}
- Update: PATCH https://example.com/{v}/{resource}/{id}
- Search: GET https://example.com/{v}/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending | descending}
- Bulk: POST https://example.com/{v}/Bulk
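The search operation above takes a filter of the form {attribute} {op} {value}, and the attribute path can reach into the complex and multi-valued attributes described earlier (for example emails.value or name.familyName). The following is an added example, not code from the page or from any SCIM implementation: a strict parser for that one-clause filter grammar plus an evaluator over a resource, so that a server matches the filter against stored JSON without ever interpreting it as code. SAMPLE_USER is a constructed, cut-down copy of the page's example user; FILTER_RE, OPS, fold, parse_filter, resolve and matches are names chosen here.

```python
import json
import re
# User resource constructed from the page's example (cut down to what the filters below touch).
SAMPLE_USER = {
    "userName": "bjensen",
    "name": {"familyName": "Jensen", "givenName": "Barbara"},
    "emails": [{"value": "bjensen@example.com", "type": "work", "primary": True}],
}
# Grammar accepted: exactly one "<attribute path> <operator> [<JSON value>]"; core-schema paths only.
FILTER_RE = re.compile(
    r'^\s*([A-Za-z][\w.]*)\s+(eq|ne|co|sw|ew|pr|gt|ge|lt|le)(?:\s+(.+?))?\s*$', re.I)
OPS = {
    "eq": lambda a, e: a == e, "ne": lambda a, e: a != e,
    "co": lambda a, e: isinstance(a, str) and e in a,
    "sw": lambda a, e: isinstance(a, str) and a.startswith(e),
    "ew": lambda a, e: isinstance(a, str) and a.endswith(e),
    "gt": lambda a, e: a > e, "ge": lambda a, e: a >= e,
    "lt": lambda a, e: a < e, "le": lambda a, e: a <= e,
}

def fold(x):  # SCIM compares strings case-insensitively unless the attribute is caseExact
    return x.lower() if isinstance(x, str) else x

def parse_filter(expr):
    """Split a filter into (path, op, value); anything outside the grammar raises ValueError."""
    if not (m := FILTER_RE.match(expr)):
        raise ValueError("unsupported filter: %r" % expr)
    path, op, raw = m.group(1), m.group(2).lower(), m.group(3)
    if (op == "pr") != (raw is None):  # "pr" takes no value, every other operator needs one
        raise ValueError("bad operand for %s" % op)
    return path, op, None if raw is None else json.loads(raw)  # value must be one JSON literal

def resolve(value, parts):
    """Values under a dotted path; names are case-insensitive, multi-valued attributes fan out."""
    if isinstance(value, list):
        return [x for v in value for x in resolve(v, parts)]
    if not parts:
        return [value]
    if not isinstance(value, dict):
        return []
    return [x for k in value if k.lower() == parts[0].lower() for x in resolve(value[k], parts[1:])]

def matches(resource, expr):
    """True if any value at the filter's path satisfies it; the filter is parsed, never evaluated."""
    path, op, expected = parse_filter(expr)
    values = [fold(v) for v in resolve(resource, path.split("."))]
    if op == "pr":
        return any(v not in (None, "", []) for v in values)
    e, scalar = fold(expected), (str, int, float, bool)  # operators apply to simple values only
    return any(type(a) is type(e) and isinstance(a, scalar) and OPS[op](a, e) for a in values)
```

A filter whose value is not a single JSON literal (for instance one that tries to append a second clause) is rejected by parse_filter rather than partially honoured.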
Specifications
SCIM 2.0 was published under the IETF in September 2015 and consists mainly of three RFC documents: RFC7642, RFC7643 and RFC7644.
- RFC7643 - SCIM: Core Schema
Provides the platform-level infrastructure (users and groups) and the extension model.
- RFC7644 - SCIM: Protocol
The SCIM protocol is an application-level REST protocol for provisioning and managing identity data on the Web.
- RFC7642 - SCIM: Definitions, Overview, Concepts, and Requirements
This document lists the user scenarios and use cases for the System for Cross-domain Identity Management (SCIM).
Reference: http://www.simplecloud.info/