System for Cross-domain Identity Management for Access Control of SOA Services
Julkaisun pysyvä osoite on
System for Cross-domain Identity Management palveluiden pääsynhallintaan palvelupohjaisessa arkkitehtuurissa
Identity and Access Management systems are usually fundamental services in organizations. In Service-Oriented Architecture (SOA) they can be used to provide three different services: authentication, authorization and information about users and their access rights. For the latter, there has not been a widely used standard in SOA to provide user information to other services. System for Cross-domain Identity Management (SCIM) is a new emerging Representational state transfer (REST) based standard to help provision user information to cloud services. This Master Thesis discusses how SCIM can be used to provide user information to consuming services in a SOA based solution. The first part of the thesis studies what are the advantages and disadvantages using REST based solutions compared to SOAP based solutions. Based on a literary review, REST has better performance, measured by throughout put, and it is independent of data format. SOAP has the advantage of being very standardized and has mature tools and frameworks compared to REST. REST is more based on conventions than standards, so tools and frameworks behave differently which might lead to interoperability problems. The second part of the thesis focuses on whether SCIM can be used to provide user information service to consuming services. Three scenarios were designed and implemented in SCIM to find out whether the access right model of the SCIM is expressive enough and whether the resources defined by SCIM provide a required set of attributes. The presented scenarios have different requirements: the first one models internal access rights of an organization, the second scenario a use case in which an organization offers services to its customers and the third one a use case in which role based access rights are restricted to certain objects. The last two scenarios required extending the SCIM core resource schema. The models were tested in a proof-of-concept implementation and they were able to fulfill all the requirements. This indicates that SCIM can be used to implement user and user’s access right information service. To conclude, a five step process is presented that an organization can use to assess if SCIM is suitable for its use.