draft-ietf-scim-core-schema-00.txt   draft-ietf-scim-core-schema-01.txt 
Network Working Group C. Mortimore, Ed. Network Working Group C. Mortimore, Ed.
Internet-Draft Salesforce Internet-Draft Salesforce
Intended status: Standards Track P. Harding Intended status: Standards Track P. Harding
Expires: February 28, 2013 P. Madsen Expires: October 17, 2013 P. Madsen
Ping Ping
T. Drake T. Drake
UnboundID UnboundID
August 27, 2012 April 15, 2013
System for Cross-Domain Identity Management: Core Schema System for Cross-Domain Identity Management: Core Schema
draft-ietf-scim-core-schema-00 draft-ietf-scim-core-schema-01
Abstract Abstract
The System for Cross-Domain Identity Management (SCIM) specification The System for Cross-Domain Identity Management (SCIM) specification
is designed to make managing user identity in cloud based is designed to make managing user identity in cloud based
applications and services easier. The specification suite builds applications and services easier. The specification suite builds
upon experience with existing schemas and deployments, placing upon experience with existing schemas and deployments, placing
specific emphasis on simplicity of development and integration, while specific emphasis on simplicity of development and integration, while
applying existing authentication, authorization, and privacy models. applying existing authentication, authorization, and privacy models.
Its intent is to reduce the cost and complexity of user management Its intent is to reduce the cost and complexity of user management
operations by providing a common user schema and extension model, as operations by providing a common user schema and extension model, as
well as binding documents to provide patterns for exchanging this well as binding documents to provide patterns for exchanging this
schema using standard protocols. In essence, make it fast, cheap, schema using standard protocols. In essence, make it fast, cheap,
and easy to move identity in to, out of, and around the cloud. and easy to move identity in to, out of, and around the cloud.
This document provides a platform neutral schema and extension model This document provides a platform neutral schema and extension model
for representing users and groups in JSON and XML formats. This for representing users and groups in JSON format. This schema is
schema is intended for exchange and use with cloud service providers. intended for exchange and use with cloud service providers.
Additional binding documents provide a standard REST API, SAML Additional binding documents provide a standard REST API, SAML
binding, and use cases. binding, and use cases.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 28, 2013. This Internet-Draft will expire on October 17, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Requirements Notation and Conventions . . . . . . . . . . . . 4 1. Requirements Notation and Conventions . . . . . . . . . . . . 4
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
3. SCIM Schema Structure . . . . . . . . . . . . . . . . . . . . 5 3. SCIM Schema Structure . . . . . . . . . . . . . . . . . . . . 5
3.1. Attribute Data Types . . . . . . . . . . . . . . . . . . . 6 3.1. Attribute Data Types . . . . . . . . . . . . . . . . . . . 5
3.1.1. String . . . . . . . . . . . . . . . . . . . . . . . . 6 3.1.1. String . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 6 3.1.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 6 3.1.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 6 3.1.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.5. DateTime . . . . . . . . . . . . . . . . . . . . . . . 6 3.1.5. DateTime . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.6. Binary . . . . . . . . . . . . . . . . . . . . . . . . 7 3.1.6. Binary . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.7. Complex . . . . . . . . . . . . . . . . . . . . . . . 7 3.1.7. Reference . . . . . . . . . . . . . . . . . . . . . . 7
3.1.8. Complex . . . . . . . . . . . . . . . . . . . . . . . 7
3.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 7 3.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 7
4. Schema Extension Model . . . . . . . . . . . . . . . . . . . . 8 4. Schema Extension Model . . . . . . . . . . . . . . . . . . . . 8
5. SCIM Core Schema . . . . . . . . . . . . . . . . . . . . . . . 8 5. SCIM Core Schema . . . . . . . . . . . . . . . . . . . . . . . 9
5.1. Common Schema Attributes . . . . . . . . . . . . . . . . . 8 5.1. Common Schema Attributes . . . . . . . . . . . . . . . . . 9
5.2. "schemas" Attribute . . . . . . . . . . . . . . . . . . . 10 5.2. "schemas" Attribute . . . . . . . . . . . . . . . . . . . 10
6. SCIM User Schema . . . . . . . . . . . . . . . . . . . . . . . 10 6. SCIM User Schema . . . . . . . . . . . . . . . . . . . . . . . 10
6.1. Singular Attributes . . . . . . . . . . . . . . . . . . . 10 6.1. Singular Attributes . . . . . . . . . . . . . . . . . . . 10
6.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 12 6.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 12
7. SCIM Enterprise User Schema Extension . . . . . . . . . . . . 14 7. SCIM Enterprise User Schema Extension . . . . . . . . . . . . 15
8. SCIM Group Schema . . . . . . . . . . . . . . . . . . . . . . 15 8. SCIM Group Schema . . . . . . . . . . . . . . . . . . . . . . 15
9. Service Provider Configuration Schema . . . . . . . . . . . . 16 9. Service Provider Configuration Schema . . . . . . . . . . . . 16
10. Resource Schema . . . . . . . . . . . . . . . . . . . . . . . 18 10. Resource Schema . . . . . . . . . . . . . . . . . . . . . . . 18
11. JSON Representation . . . . . . . . . . . . . . . . . . . . . 20 11. JSON Representation . . . . . . . . . . . . . . . . . . . . . 20
11.1. Minimal User Representation . . . . . . . . . . . . . . . 20 11.1. Minimal User Representation . . . . . . . . . . . . . . . 20
11.2. Full User Representation . . . . . . . . . . . . . . . . . 20 11.2. Full User Representation . . . . . . . . . . . . . . . . . 20
11.3. Enterprise User Extension Representation . . . . . . . . . 23 11.3. Enterprise User Extension Representation . . . . . . . . . 23
11.4. Group Representation . . . . . . . . . . . . . . . . . . . 26 11.4. Group Representation . . . . . . . . . . . . . . . . . . . 26
11.5. Service Provider Configuration Representation . . . . . . 26 11.5. Service Provider Configuration Representation . . . . . . 27
11.6. Resource Schema Representation . . . . . . . . . . . . . . 28 11.6. Resource Schema Representation . . . . . . . . . . . . . . 28
12. XML Representation . . . . . . . . . . . . . . . . . . . . . . 32 12. Security Considerations . . . . . . . . . . . . . . . . . . . 32
12.1. Minimal Representation . . . . . . . . . . . . . . . . . . 32 13. Normative References . . . . . . . . . . . . . . . . . . . . . 32
12.2. Full Representation . . . . . . . . . . . . . . . . . . . 33 Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 33
12.3. Enterprise User Extension Representation . . . . . . . . . 36 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33
12.4. Group Representation . . . . . . . . . . . . . . . . . . . 39
13. Security Considerations . . . . . . . . . . . . . . . . . . . 39
Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 39
14. Normative References . . . . . . . . . . . . . . . . . . . . . 40
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40
1. Requirements Notation and Conventions 1. Requirements Notation and Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] . document are to be interpreted as described in [RFC2119] .
Throughout this document, values are quoted to indicate that they are Throughout this document, values are quoted to indicate that they are
to be taken literally. When using these values in protocol messages, to be taken literally. When using these values in protocol messages,
the quotes MUST NOT be used as part of the value. the quotes MUST NOT be used as part of the value.
skipping to change at page 4, line 39 skipping to change at page 4, line 39
SCIM seeks to simplify this problem through a simple to implement SCIM seeks to simplify this problem through a simple to implement
specification suite that provides a common user schema and extension specification suite that provides a common user schema and extension
model, as well as binding documents to provide patterns for model, as well as binding documents to provide patterns for
exchanging this schema via a REST API. It draws inspiration and best exchanging this schema via a REST API. It draws inspiration and best
practice, building upon existing user APIs and schemas from a wide practice, building upon existing user APIs and schemas from a wide
variety of sources including, but not limited to, existing APIs variety of sources including, but not limited to, existing APIs
exposed by cloud providers, PortableContacts, and LDAP directory exposed by cloud providers, PortableContacts, and LDAP directory
services. services.
This document provides a platform neutral schema and extension model This document provides a platform neutral schema and extension model
for representing users and groups in JSON and XML formats. This for representing users and groups in JSON format. This schema is
schema is intended for exchange and use with cloud service providers. intended for exchange and use with cloud service providers.
Additional binding documents provide a standard REST API, SAML Additional binding documents provide a standard REST API, SAML
binding, and use cases. binding, and use cases.
2.1. Definitions 2.1. Definitions
Service Provider: A web application that provides identity Service Provider: A web application that provides identity
information via the SCIM protocol. information via the SCIM protocol.
Consumer: A website or application that uses the SCIM protocol to Consumer: A website or application that uses the SCIM protocol to
manage identity data maintained by the Service Provider. manage identity data maintained by the Service Provider.
skipping to change at page 5, line 44 skipping to change at page 5, line 44
at least one Simple or Complex value either of which may be Multi- at least one Simple or Complex value either of which may be Multi-
valued. SCIM schema defines the data type, plurality and other valued. SCIM schema defines the data type, plurality and other
distinguishing features of an attribute. Unless otherwise specified distinguishing features of an attribute. Unless otherwise specified
all attributes are modifiable by Consumers. Immutable (read-only) all attributes are modifiable by Consumers. Immutable (read-only)
attributes SHALL be specified as 'READ-ONLY' within the attribute attributes SHALL be specified as 'READ-ONLY' within the attribute
definition. Additionally, Service Providers MAY choose to make some definition. Additionally, Service Providers MAY choose to make some
or all Resource attributes immutable and SHOULD identify those or all Resource attributes immutable and SHOULD identify those
attributes via the associated Resource's schema endpoint attributes via the associated Resource's schema endpoint
(Section 5.2). (Section 5.2).
Both XML and JSON formats are defined. Resource and attribute names A JSON [1] (JavaScript Object Notation) format is defined. Attribute
MUST conform to XML naming rules;i.e., SCIM names MUST be valid XML names SHOULD be camelCased. SCIM resources represented in JSON MUST
names and SHOULD be camelCased. When marshalling or extending SCIM specify schema via the schemas attribute (Section 5.2).
resources in XML implementors MUST use the normative, SCIM, XML
schema (.xsd). SCIM resources represented in a schema-less format;
e.g., JSON, MUST specify schema via the schemas attribute
(Section 5.2).
3.1. Attribute Data Types 3.1. Attribute Data Types
Attribute data types are derived from XML schema [1] and unless Attribute data types are derived from JSON [2] and unless otherwise
otherwise specified are optional, modifiable by Consumers, and of specified are optional, modifiable by Consumers, and of type String
type String (Section 3.1.1). The JSON format defines a limited set (Section 3.1.1). The JSON format defines a limited set of data
of data types, hence, where appropriate, alternate JSON types, hence, where appropriate, alternate JSON representations
representations are defined below. SCIM extensions SHOULD not derived from XML schema [3] are defined below. SCIM extensions
introduce new data types. SHOULD not introduce new data types.
3.1.1. String 3.1.1. String
A sequence of characters as defined in section 3.2.1 of the XML A sequence of zero or more Unicode characters. The JSON format is
Schema Datatypes Specification. A String attribute MAY specify a defined in section 2.5 of RFC 4627. A String attribute MAY specify a
required data format. Additionally, when Canonical Values are required data format. Additionally, when Canonical Values are
specified Service Providers SHOULD conform to those values if specified Service Providers SHOULD conform to those values if
appropriate, but MAY provide alternate String values to represent appropriate, but MAY provide alternate String values to represent
additional values. additional values.
3.1.2. Boolean 3.1.2. Boolean
The literal "true" or "false" as specified in section 3.2.2 of the The literal "true" or "false". The JSON format is defined in section
XML Schema Datatypes Specification. 2.1 of RFC 4627.
3.1.3. Decimal 3.1.3. Decimal
A real number with at least one digit to the left and right of the A real number with at least one digit to the left and right of the
period as specified in section 3.2.3 of the XML Schema Datatypes period. The JSON format is defined in section 2.4 of RFC 4627.
Specification.
Values represented in JSON MUST conform to the XML constraints above
and are represented as a JSON Number [2].
3.1.4. Integer 3.1.4. Integer
A Decimal number with no fractional digits as defined in section A Decimal number with no fractional digits. The JSON format is
3.3.13 of the XML Schema Datatypes Specification. defined in section 2.4 of RFC 4627 with the additional constraint
that the value MUST NOT contain fractionial or exponent parts.
Values represented in JSON MUST conform to the XML constraints above
and are represented as a JSON Number [2].
3.1.5. DateTime 3.1.5. DateTime
A dateTime (e.g. 2008-01-23T04:56:22Z) as specified in section 3.2.7 A DateTime value (e.g. 2008-01-23T04:56:22Z). The attribute value
MUST be encoded as a valid xsd:dateTime as specified in section 3.2.7
of the XML Schema Datatypes Specification. of the XML Schema Datatypes Specification.
Values represented in JSON MUST conform to the XML constraints above Values represented in JSON MUST conform to the XML constraints above
and are represented as a JSON String [2]. and are represented as a JSON String.
3.1.6. Binary 3.1.6. Binary
The attribute value MUST be encoded as a valid xsd:base64Binary value Arbitrary binary data. The attribute value MUST be encoded as a
as specified in section 3.2.16 of the XML Schema Datatypes valid xsd:base64Binary as specified in section 3.2.16 of the XML
Specification. Schema Datatypes Specification.
Values represented in JSON MUST conform to the XML constraints above Values represented in JSON MUST conform to the XML constraints above
and are represented as a JSON String [2]. and are represented as a JSON String.
3.1.7. Complex 3.1.7. Reference
A Singular or Multi-valued Attribute whose value is a composition of A reference to a SCIM Resource. The value MUST be the absolute or
one or more Simple Attributes as specified in section 3.4 XML Schema relative URI of the target Resource. Relative URIs should be
Datatypes Specification. resolved as specified in section 5.2 of RFC 3986. The base URI for
relative URI resolution MUST include all URI components and path
segments up to but not including the Endpoint URI; e.g., the base URI
for a request to
https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646
would be https://example.com/v1/ and the relative URI for this
Resource would be Users/2819c223-7f76-453a-919d-413861904646.
JSON values are represented as JSON Objects [2]. Performing a GET operation on a reference URI MUST return the target
Resource or an appropriate HTTP response code. The Service Provider
MAY optionally choose to enforce referential integrity for
references.
By convention, a reference is commonly represented as a "$ref" sub-
attribute in complex or multi-valued attributes, however this is
OPTIONAL.
3.1.8. Complex
A Singular or Multi-valued Attribute whose value is a composition of
one or more Simple Attributes. The JSON format is defined in section
2.2 of RFC 4627.
3.2. Multi-valued Attributes 3.2. Multi-valued Attributes
Multi-valued attributes are unordered lists of attributes. Each Multi-valued attributes are unordered lists of attributes. Each
attribute MAY contain Sub-Attributes and therefore multi-valued attribute MAY contain Sub-Attributes and therefore multi-valued
attributes may contain Complex Attributes. The below Sub-Attributes attributes may contain Complex Attributes. The below Sub-Attributes
are considered normative and when specified SHOULD be used as are considered normative and when specified SHOULD be used as
defined. defined.
type A label indicating the attribute's function; e.g., "work" or type A label indicating the attribute's function; e.g., "work" or
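Review bot: The new 3.1.7 Reference text allows an absolute URI as the value but does not say whether it must fall under the Service Provider's own base URI, so a Consumer acting on "Performing a GET operation on a reference URI" has no stated bound on where that request may go. Suggest either restricting absolute references to the Service Provider's base URI or pointing to Security Considerations for how Consumers should treat references outside it. The same paragraph uses a lowercase "should" in "Relative URIs should be resolved", where the surrounding text uses RFC 2119 keywords. Smaller points in this hunk: JSON is cited as [1] in Section 3 and as [2] in 3.1, 3.1 still reads "SHOULD not" rather than "SHOULD NOT", and the new 3.1.4 text has the typo "fractionial".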
skipping to change at page 8, line 5 skipping to change at page 8, line 14
operation The operation to perform on the multi-valued attribute operation The operation to perform on the multi-valued attribute
during a PATCH request. The only valid value is "delete", which during a PATCH request. The only valid value is "delete", which
signifies that this instance should be removed from the Resource. signifies that this instance should be removed from the Resource.
value The attribute's significant value; e.g., the e-mail address, value The attribute's significant value; e.g., the e-mail address,
phone number, etc. Attributes that define a "value" sub-attribute phone number, etc. Attributes that define a "value" sub-attribute
MAY be alternately represented as a collection of primitive types. MAY be alternately represented as a collection of primitive types.
For example: For example:
{ {
"emails": [ "emails": [
{"value":"bjensen@example.com"}, {"value":"bjensen@example.com"},
{"value":"babs@example.com"} {"value":"babs@example.com"}
] ]
} }
May also be represented as: May also be represented as:
{ {
"emails": ["bjensen@example.com","babs@example.com"] "emails": ["bjensen@example.com","babs@example.com"]
} }
$ref The Reference of the target Resource, if the attribute is a
reference.
When returning multi-valued attributes, Service Providers SHOULD When returning multi-valued attributes, Service Providers SHOULD
canonicalize the value returned, if appropriate (e.g. for e-mail canonicalize the value returned, if appropriate (e.g. for e-mail
addresses and URLs). Providers MAY return the same value more than addresses and URLs). Providers MAY return the same value more than
once with different types (e.g. the same e-mail address may used for once with different types (e.g. the same e-mail address may used for
work and home), but SHOULD NOT return the same (type, value) work and home), but SHOULD NOT return the same (type, value)
combination more than once per Attribute, as this complicates combination more than once per Attribute, as this complicates
processing by the Consumer. processing by the Consumer.
4. Schema Extension Model 4. Schema Extension Model
SCIM schema follows an object extension model similar to SCIM schema follows an object extension model similar to
ObjectClasses used in LDAP. Unlike LDAP there is no inheritance ObjectClasses used in LDAP. Unlike LDAP there is no inheritance
model; all extensions are additive (similar to LDAP Auxiliary Object model; all extensions are additive (similar to LDAP Auxiliary Object
Classes [3]). Each value indicates additive schema that may exist in Classes [4]). Each value indicates additive schema that may exist in
a SCIM representation as specified by extensions not defined in this a SCIM representation as specified by extensions not defined in this
suite. Schema extensions MUST NOT redefine any attributes defined in suite. Schema extensions MUST NOT redefine any attributes defined in
this specification and SHOULD follow conventions defined in this this specification and SHOULD follow conventions defined in this
specification. Each schema extension must identify a URI used to specification. Each schema extension must identify a URI used to
identify the extension. XML MUST use XML namespaces and JSON formats identify the extension. The JSON format MUST use the "schemas"
MUST use the "schemas" attribute (Section 5.2) to distinguish attribute (Section 5.2) to distinguish extended resources and
extended resources and attributes. attributes.
5. SCIM Core Schema 5. SCIM Core Schema
5.1. Common Schema Attributes 5.1. Common Schema Attributes
Each SCIM Resource (Users, Groups, etc.) includes the below common Each SCIM Resource (Users, Groups, etc.) includes the below common
attributes. These attributes MUST be included in all Resources, attributes. These attributes MUST be included in all Resources,
including any extended Resource types. It is not necessary to including any extended Resource types. It is not necessary to
specify the schemas attribute if the Resource is fully defined in specify the schemas attribute if the Resource is fully defined in
this document as the core schema is implicitly included. this document as the core schema is implicitly included.
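Review bot: The new "$ref" sub-attribute entry in Section 3.2 has no cross-reference to the Reference data type and sits in the list introduced as "considered normative", while 3.1.7 describes "$ref" as a convention that is OPTIONAL. Suggest adding "(Section 3.1.7)" to the entry and stating in one place whether "$ref" is normative when present. The entry is also placed after the "value" example rather than beside the other sub-attribute definitions, which makes it easy to miss.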
skipping to change at page 10, line 10 skipping to change at page 10, line 19
must be the same as the ETag HTTP response header. READ-ONLY. must be the same as the ETag HTTP response header. READ-ONLY.
attributes The names of the attributes to remove from the attributes The names of the attributes to remove from the
Resource during a PATCH operation. Resource during a PATCH operation.
5.2. "schemas" Attribute 5.2. "schemas" Attribute
SCIM supports resources of different types, with extensible schemas. SCIM supports resources of different types, with extensible schemas.
Each resource MUST be indicated using fully qualified URLs. Each resource MUST be indicated using fully qualified URLs.
Where a specific representation has existing support for expressing
schema, the traditional convention of that representation MUST be
applied. For example, when representing users using XML, XML
Namespace should be used.
When a representation does not explicitly provide support for When a representation does not explicitly provide support for
indicating a schema, such as JSON, a schemas attribute is used to indicating a schema, such as JSON, a schemas attribute is used to
indicate the version of SCIM schema as well as any schema extensions. indicate the version of SCIM schema as well as any schema extensions.
schemas The schemas attribute is an array of Strings which allows schemas The schemas attribute is an array of Strings which allows
introspection of the supported schema version for a SCIM introspection of the supported schema version for a SCIM
representation as well any schema extensions supported by that representation as well any schema extensions supported by that
representation. Each String value must be a unique URI. This representation. Each String value must be a unique URI. This
specification defines URIs for User, Group, and a standard specification defines URIs for User, Group, and a standard
"enterprise" extension. All representations of SCIM schema MUST "enterprise" extension. All representations of SCIM schema MUST
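Review bot: With the XML namespace paragraph removed from Section 5.2, the remaining sentence "When a representation does not explicitly provide support for indicating a schema, such as JSON" still reads as if other representations are defined. Since Section 3 now defines only a JSON format, suggest rewording it to state directly that the schemas attribute indicates the SCIM schema version and any schema extensions.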
skipping to change at page 12, line 4 skipping to change at page 12, line 9
nickName The casual way to address the user in real life, e.g. nickName The casual way to address the user in real life, e.g.
"Bob" or "Bobby" instead of "Robert". This attribute SHOULD NOT "Bob" or "Bobby" instead of "Robert". This attribute SHOULD NOT
be used to represent a User's username (e.g. bjensen or be used to represent a User's username (e.g. bjensen or
mpepperidge). mpepperidge).
profileUrl A fully qualified URL to a page representing the User's profileUrl A fully qualified URL to a page representing the User's
online profile. online profile.
title The user's title, such as "Vice President." title The user's title, such as "Vice President."
userType Used to identify the organization to user relationship. userType Used to identify the organization to user relationship.
Typical values used might be "Contractor", "Employee", "Intern", Typical values used might be "Contractor", "Employee", "Intern",
"Temp", "External", and "Unknown" but any value may be used. "Temp", "External", and "Unknown" but any value may be used.
preferredLanguage Indicates the User's preferred written or spoken preferredLanguage Indicates the User's preferred written or spoken
language. Generally used for selecting a localized User language. Generally used for selecting a localized User
interface. Valid values are concatenation of the ISO 639-1 two interface. Valid values are concatenation of the ISO 639-1 two
letter language code [4], an underscore, and the ISO 3166-1 2 letter language code [5], an underscore, and the ISO 3166-1 2
letter country code [5]; e.g., 'en_US' specifies the language letter country code [6]; e.g., 'en_US' specifies the language
English and country US. English and country US.
locale Used to indicate the User's default location for purposes of locale Used to indicate the User's default location for purposes of
localizing items such as currency, date time format, numerical localizing items such as currency, date time format, numerical
representations, etc. A locale value is a concatenation of the representations, etc. A locale value is a concatenation of the
ISO 639-1 two letter language code [4], an underscore, and the ISO ISO 639-1 two letter language code [5], an underscore, and the ISO
3166-1 2 letter country code [5]; e.g., 'en_US' specifies the 3166-1 2 letter country code [6]; e.g., 'en_US' specifies the
language English and country US. language English and country US.
timezone The User's time zone in the "Olson" timezone database timezone The User's time zone in the "Olson" timezone database
format [6]; e.g.,'America/Los_Angeles'. format [7]; e.g.,'America/Los_Angeles'.
active A Boolean value indicating the User's administrative status. active A Boolean value indicating the User's administrative status.
The definitive meaning of this attribute is determined by the The definitive meaning of this attribute is determined by the
Service Provider though a value of true infers the User is, for Service Provider though a value of true infers the User is, for
example, able to login while a value of false implies the User's example, able to login while a value of false implies the User's
account has been suspended. account has been suspended.
password The User's clear text password. This attribute is intended password The User's clear text password. This attribute is intended
to be used as a means to specify an initial password when creating to be used as a means to specify an initial password when creating
a new User or to reset an existing User's password. No accepted a new User or to reset an existing User's password. No accepted
skipping to change at page 12, line 49 skipping to change at page 13, line 7
The following multi-valued attributes are defined. The following multi-valued attributes are defined.
emails E-mail addresses for the User. The value SHOULD be emails E-mail addresses for the User. The value SHOULD be
canonicalized by the Service Provider, e.g. bjensen@example.com canonicalized by the Service Provider, e.g. bjensen@example.com
instead of bjensen@EXAMPLE.COM. Canonical Type values of work, instead of bjensen@EXAMPLE.COM. Canonical Type values of work,
home, and other. home, and other.
phoneNumbers Phone numbers for the User. The value SHOULD be phoneNumbers Phone numbers for the User. The value SHOULD be
canonicalized by the Service Provider according to format in canonicalized by the Service Provider according to format in
RFC3966 [7] e.g. 'tel:+1-201-555-0123'. Canonical Type values of RFC3966 [8] e.g. 'tel:+1-201-555-0123'. Canonical Type values of
work, home, mobile, fax, pager and other. work, home, mobile, fax, pager and other.
ims Instant messaging address for the User. No official ims Instant messaging address for the User. No official
canonicalization rules exist for all instant messaging addresses, canonicalization rules exist for all instant messaging addresses,
but Service Providers SHOULD, when appropriate, remove all but Service Providers SHOULD, when appropriate, remove all
whitespace and convert the address to lowercase. Instead of the whitespace and convert the address to lowercase. Instead of the
standard Canonical Values for type, this attribute defines the standard Canonical Values for type, this attribute defines the
following Canonical Values to represent currently popular IM following Canonical Values to represent currently popular IM
services: aim, gtalk, icq, xmpp, msn, skype, qq, and yahoo. services: aim, gtalk, icq, xmpp, msn, skype, qq, and yahoo.
skipping to change at page 13, line 46 skipping to change at page 14, line 6
extended street address information. This attribute MAY extended street address information. This attribute MAY
contain newlines. contain newlines.
locality The city or locality component. locality The city or locality component.
region The state or region component. region The state or region component.
postalCode The zipcode or postal code component. postalCode The zipcode or postal code component.
country The country name component. When specified the value country The country name component. When specified the value
MUST be in ISO 3166-1 alpha 2 "short" code format [5]; e.g., MUST be in ISO 3166-1 alpha 2 "short" code format [6]; e.g.,
the United States and Sweden are "US" and "SE", respectively. the United States and Sweden are "US" and "SE", respectively.
groups A list of groups that the user belongs to, either thorough groups A list of groups that the user belongs to, either thorough
direct membership, nested groups, or dynamically calculated. The direct membership, nested groups, or dynamically calculated. The
values are meant to enable expression of common group or role values are meant to enable expression of common group or role
based access control models, although no explicit authorization based access control models, although no explicit authorization
model is defined. It is intended that the semantics of group model is defined. It is intended that the semantics of group
membership and any behavior or authorization granted as a result membership and any behavior or authorization granted as a result
of membership are defined by the Service Provider. The Canonical of membership are defined by the Service Provider. The Canonical
types "direct" and "indirect" are defined to describe how the types "direct" and "indirect" are defined to describe how the
group membership was derived. Direct group membership indicates group membership was derived. Direct group membership indicates
the User is directly associated with the group and SHOULD indicate the User is directly associated with the group and SHOULD indicate
that Consumers may modify membership through the Group Resource. that Consumers may modify membership through the Group Resource.
Indirect membership indicates User membership is transitive or Indirect membership indicates User membership is transitive or
dynamic and implies that Consumers cannot modify indirect group dynamic and implies that Consumers cannot modify indirect group
membership through the Group resource but MAY modify direct group membership through the Group resource but MAY modify direct group
membership through the Group resource which MAY influence indirect membership through the Group resource which MAY influence indirect
memberships. If the SCIM Service Provider exposes a Group memberships. If the SCIM Service Provider exposes a Group
resource, the value MUST be the "id" attribute of the resource, the "value" sub-attribute MUST be the "id" and the
corresponding Group resources to which the user belongs. Since "$ref" sub-attribute must be the URI of the corresponding Group
this attribute is read-only, group membership changes MUST be resources to which the user belongs. Since this attribute is
applied via the Group Resource (Section 8). READ-ONLY. read-only, group membership changes MUST be applied via the Group
Resource (Section 8). READ-ONLY.
entitlements A list of entitlements for the User that represent a entitlements A list of entitlements for the User that represent a
thing the User has. That is, an entitlement is an additional thing the User has. That is, an entitlement is an additional
right to a thing, object or service. No vocabulary or syntax is right to a thing, object or service. No vocabulary or syntax is
specified and Service Providers/Consumers are expected to encode specified and Service Providers/Consumers are expected to encode
sufficient information in the value so as to accurately and sufficient information in the value so as to accurately and
without ambiguity determine what the User has access to. This without ambiguity determine what the User has access to. This
value has NO canonical types though type may be useful as a means value has NO canonical types though type may be useful as a means
to scope entitlements. to scope entitlements.
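Review bot: The requirement level in the rewritten groups text is inconsistent: the "value" sub-attribute "MUST be the "id"" while the "$ref" sub-attribute "must be the URI" in lowercase, which under the RFC 2119 conventions this draft cites does not read as normative. Use MUST for both, and fix "the corresponding Group resources" to the singular, since each value refers to one Group.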
skipping to change at page 15, line 26 skipping to change at page 15, line 33
department Identifies the name of a department. department Identifies the name of a department.
manager The User's manager. A complex type that optionally allows manager The User's manager. A complex type that optionally allows
Service Providers to represent organizational hierarchy by Service Providers to represent organizational hierarchy by
referencing the "id" attribute of another User. referencing the "id" attribute of another User.
managerId The id of the SCIM resource representing the User's managerId The id of the SCIM resource representing the User's
manager. REQUIRED. manager. REQUIRED.
$ref The URI of the SCIM resource representing the User's
manager. REQUIRED.
displayName The displayName of the User's manager. OPTIONAL and displayName The displayName of the User's manager. OPTIONAL and
READ-ONLY. READ-ONLY.
8. SCIM Group Schema 8. SCIM Group Schema
SCIM provides a schema for representing groups, identified using the SCIM provides a schema for representing groups, identified using the
following URI: 'urn:scim:schemas:core:1.0'. following URI: 'urn:scim:schemas:core:1.0'.
Group resources are meant to enable expression of common Group or Group resources are meant to enable expression of common Group or
role based access control models, although no explicit authorization role based access control models, although no explicit authorization
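Review bot: Marking the new manager "$ref" as REQUIRED next to the already REQUIRED managerId makes a manager value that carries only managerId, valid under -00, invalid under -01. Either let the Service Provider derive "$ref" from managerId and mark it READ-ONLY as displayName is, or state that Consumers have to send both and what happens when the two identify different Users.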
skipping to change at page 16, line 6 skipping to change at page 16, line 12
The following Singular Attribute is defined in addition to the common The following Singular Attribute is defined in addition to the common
attributes defined in SCIM Core Schema: attributes defined in SCIM Core Schema:
displayName A human readable name for the Group. REQUIRED. displayName A human readable name for the Group. REQUIRED.
The following multi-valued attribute is defined in addition to the The following multi-valued attribute is defined in addition to the
common attributes defined in SCIM Core Schema: common attributes defined in SCIM Core Schema:
members A list of members of the Group. Canonical Types "User" and members A list of members of the Group. Canonical Types "User" and
"Group" are READ-ONLY. The value must be the "id" of a SCIM "Group" are READ-ONLY. The "value" sub-attribute must be the "id"
resource, either a User, or a Group. The intention of the Group and the "$ref" sub-attribute must be the URI of a SCIM resource,
type is to allow the Service Provider to support nested Groups. either a User, or a Group. The intention of the Group type is to
Service Providers MAY require Consumers to provide a non-empty allow the Service Provider to support nested Groups. Service
members value based on the "required" sub attribute of the Providers MAY require Consumers to provide a non-empty members
"members" attribute in Group Resource Schema. value based on the "required" sub attribute of the "members"
attribute in Group Resource Schema.
9. Service Provider Configuration Schema 9. Service Provider Configuration Schema
SCIM provides a schema for representing the Service Provider's SCIM provides a schema for representing the Service Provider's
configuration identified using the following URI: configuration identified using the following URI:
'urn:scim:schemas:core:1.0' 'urn:scim:schemas:core:1.0'
The Service Provider Configuration Resource enables a Service The Service Provider Configuration Resource enables a Service
Provider to expose its compliance with the SCIM specification in a Provider to expose its compliance with the SCIM specification in a
standardized form as well as provide additional implementation standardized form as well as provide additional implementation
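Review bot: Because group membership changes are applied through this attribute, the new "$ref" sub-attribute of members needs a rule for a Consumer-supplied "$ref" that does not match "value", and the text only says in lowercase that both "must" be set. State which sub-attribute the Service Provider treats as authoritative and whether a mismatching "$ref" is rejected or ignored, and use MUST for the requirement.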
skipping to change at page 17, line 31 skipping to change at page 17, line 37
supported Boolean value specifying whether sorting is supported. supported Boolean value specifying whether sorting is supported.
REQUIRED. REQUIRED.
etag A complex type that specifies Etag configuration options. etag A complex type that specifies Etag configuration options.
REQUIRED. REQUIRED.
supported Boolean value specifying whether the operation is supported Boolean value specifying whether the operation is
supported. REQUIRED. supported. REQUIRED.
xmlDataFormat A complex type that specifies whether the XML data
format is supported. REQUIRED.
supported Boolean value specifying whether the operation is
supported. REQUIRED.
The following multi-valued attribute is defined in addition to the The following multi-valued attribute is defined in addition to the
common attributes defined in Core Schema: common attributes defined in Core Schema:
authenticationSchemes A complex type that specifies supported authenticationSchemes A complex type that specifies supported
Authentication Scheme properties. Instead of the standard Authentication Scheme properties. Instead of the standard
Canonical Values for type, this attribute defines the following Canonical Values for type, this attribute defines the following
Canonical Values to represent common schemes: oauth, oauth2, Canonical Values to represent common schemes: oauth, oauth2,
oauthbearertoken, httpbasic, and httpdigest. To enable seamless oauthbearertoken, httpbasic, and httpdigest. To enable seamless
discovery of configuration, the Service Provider SHOULD, with the discovery of configuration, the Service Provider SHOULD, with the
appropriate security considerations, make the appropriate security considerations, make the
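Review bot: The "supported" description under the new xmlDataFormat attribute is copied from etag and reads "whether the operation is supported", but an XML data format is not an operation. Reword it to say whether the XML data format is supported, and since this revision replaces section 12 "XML Representation" with "Security Considerations", point to where the XML serialization is now specified.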
skipping to change at page 19, line 9 skipping to change at page 19, line 9
attributes A complex type that specifies the set of Resource attributes A complex type that specifies the set of Resource
attributes. attributes.
name The attribute's name. name The attribute's name.
type The attribute's data type; e.g., String. type The attribute's data type; e.g., String.
multiValued Boolean value indicating the attribute's plurality. multiValued Boolean value indicating the attribute's plurality.
multiValuedAttributeChildName String value specifying the child
XML element name; e.g., the 'emails' attribute value is
'email', 'phoneNumbers', is 'phoneNumber'. REQUIRED when the
multiValued attribute value is true otherwise this attribute
MUST be omitted.
description The attribute's human readable description. When description The attribute's human readable description. When
applicable Service Providers MUST specify the description applicable Service Providers MUST specify the description
specified in the core schema specification. specified in the core schema specification.
schema The attribute's associated schema; e.g., schema The attribute's associated schema; e.g.,
urn:scim:schemas:core:1.0. urn:scim:schemas:core:1.0.
readOnly A Boolean value that specifies if the attribute is readOnly A Boolean value that specifies if the attribute is
mutable. mutable.
required A Boolean value that specifies if the attribute is required A Boolean value that specifies if the attribute is
required. required.
caseExact A Boolean value that specifies if the String attribute caseExact A Boolean value that specifies if the String attribute
is case sensitive. is case sensitive.
referenceTypes The names of the Resources that may be referenced;
e.g., User. This is only applicable for attributes that are of
the "reference" data type.
The following multi-valued attributes are defined. There are The following multi-valued attributes are defined. There are
no canonical type values defined and the primary value serves no canonical type values defined and the primary value serves
no useful purpose. no useful purpose.
subAttributes A list specifying the contained attributes. subAttributes A list specifying the contained attributes.
OPTIONAL. OPTIONAL.
name The attribute's name. name The attribute's name.
type The attribute's data type; e.g., String. type The attribute's data type; e.g., String.
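Review bot: The new referenceTypes attribute relies on a "reference" data type, yet the unchanged "type" description still gives only "String" as an example, and referenceTypes carries no REQUIRED or OPTIONAL marker. Give it the same treatment multiValuedAttributeChildName gets (REQUIRED when the condition holds, omitted otherwise) and say what a Service Provider does with a reference to a Resource that is not listed.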
skipping to change at page 20, line 8 skipping to change at page 20, line 8
readOnly A Boolean value that specifies if the attribute is readOnly A Boolean value that specifies if the attribute is
mutable. mutable.
required A Boolean value that specifies if the attribute is required A Boolean value that specifies if the attribute is
required. required.
caseExact A Boolean value that specifies if the String caseExact A Boolean value that specifies if the String
attribute is case sensitive. attribute is case sensitive.
referenceTypes The names of the Resources that may be
referenced; e.g., User. This is only applicable for
attributes that are of the "reference" data type.
canonicalValues A collection of canonical values. When canonicalValues A collection of canonical values. When
applicable Service Providers MUST specify the canonical applicable Service Providers MUST specify the canonical
types specified in the core schema specification; types specified in the core schema specification;
e.g.,"work","home". OPTIONAL. e.g.,"work","home". OPTIONAL.
11. JSON Representation 11. JSON Representation
11.1. Minimal User Representation 11.1. Minimal User Representation
The following is a non-normative example of the minimal required SCIM The following is a non-normative example of the minimal required SCIM
skipping to change at page 22, line 20 skipping to change at page 22, line 25
], ],
"userType": "Employee", "userType": "Employee",
"title": "Tour Guide", "title": "Tour Guide",
"preferredLanguage":"en_US", "preferredLanguage":"en_US",
"locale": "en_US", "locale": "en_US",
"timezone": "America/Los_Angeles", "timezone": "America/Los_Angeles",
"active":true, "active":true,
"password":"t1meMa$heen", "password":"t1meMa$heen",
"groups": [ "groups": [
{ {
"display": "Tour Guides", "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
"value": "00300000005N2Y6AA" "$ref": "https://example.com/v1/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
"display": "Tour Guides"
}, },
{ {
"display": "Employees", "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
"value": "00300000005N34H78" "$ref": "https://example.com/v1/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
"display": "Employees"
}, },
{ {
"display": "US Employees", "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
"value": "00300000005N98YT1" "$ref": "https://example.com/v1/Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
"display": "US Employees"
} }
], ],
"x509Certificates": [ "x509Certificates": [
{ {
"value": "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx "value": "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
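Review bot: The context line "password":"t1meMa$heen" stays in this User example although the Security Considerations added in this revision describe password values as prohibited in a SCIM response. Label the example as a request body or drop the attribute, so that implementers do not copy a representation that returns a cleartext password.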
skipping to change at page 25, line 8 skipping to change at page 25, line 16
"userType": "Employee", "userType": "Employee",
"title": "Tour Guide", "title": "Tour Guide",
"preferredLanguage":"en_US", "preferredLanguage":"en_US",
"locale": "en_US", "locale": "en_US",
"timezone": "America/Los_Angeles", "timezone": "America/Los_Angeles",
"active":true, "active":true,
"password":"t1meMa$heen", "password":"t1meMa$heen",
"groups": [ "groups": [
{ {
"value": "e9e30dba-f08f-4109-8486-d5c6a331660a", "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
"$ref": "/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
"display": "Tour Guides" "display": "Tour Guides"
}, },
{ {
"value": "fc348aa8-3835-40eb-a20b-c726e15c55b5", "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
"$ref": "/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
"display": "Employees" "display": "Employees"
}, },
{ {
"value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7", "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
"$ref": "/Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
"display": "US Employees" "display": "US Employees"
} }
], ],
"x509Certificates": [ "x509Certificates": [
{ {
"value": "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx "value": "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
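Review bot: The "$ref" values added to groups here are relative ("/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a"), while the same group in the earlier JSON User example gets "https://example.com/v1/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a". Use one form across the examples, or state in the attribute definition that both are allowed and which base URI a relative "$ref" resolves against, so a Consumer does not have to guess which host a reference points to.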
skipping to change at page 25, line 49 skipping to change at page 26, line 11
} }
], ],
"urn:scim:schemas:extension:enterprise:1.0": { "urn:scim:schemas:extension:enterprise:1.0": {
"employeeNumber": "701984", "employeeNumber": "701984",
"costCenter": "4130", "costCenter": "4130",
"organization": "Universal Studios", "organization": "Universal Studios",
"division": "Theme Park", "division": "Theme Park",
"department": "Tour Operations", "department": "Tour Operations",
"manager": { "manager": {
"managerId": "26118915-6090-4610-87e4-49d8ca9f808d", "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
"$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d",
"displayName": "John Smith" "displayName": "John Smith"
} }
}, },
"meta": { "meta": {
"created": "2010-01-23T04:56:22Z", "created": "2010-01-23T04:56:22Z",
"lastModified": "2011-05-13T04:42:34Z", "lastModified": "2011-05-13T04:42:34Z",
"version": "W\/\"3694e05e9dff591\"", "version": "W\/\"3694e05e9dff591\"",
"location": "https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646" "location": "https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646"
} }
} }
11.4. Group Representation 11.4. Group Representation
The following is a non-normative example of SCIM Group representation The following is a non-normative example of SCIM Group representation
in JSON format. in JSON format.
{ {
"schemas": ["urn:scim:schemas:core:1.0"], "schemas": ["urn:scim:schemas:core:1.0"],
"id": "e9e30dba-f08f-4109-8486-d5c6a331660a", "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
"displayName": "Tour Guides", "displayName": "Tour Guides",
"members": [ "members": [
{ {
"value": "2819c223-7f76-453a-919d-413861904646", "value": "2819c223-7f76-453a-919d-413861904646",
"display": "Babs Jensen" "$ref": "https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646",
}, "display": "Babs Jensen"
{ },
"value": "902c246b-6245-4190-8e05-00816be7344a", {
"display": "Mandy Pepperidge" "value": "902c246b-6245-4190-8e05-00816be7344a",
} "$ref": "https://example.com/v1/Users/902c246b-6245-4190-8e05-00816be7344a",
] "display": "Mandy Pepperidge"
} }
]
}
11.5. Service Provider Configuration Representation 11.5. Service Provider Configuration Representation
The following is a non-normative example of the SCIM Service Provider The following is a non-normative example of the SCIM Service Provider
Configuration representation in JSON format. Configuration representation in JSON format.
{ {
"schemas": ["urn:scim:schemas:core:1.0"], "schemas": ["urn:scim:schemas:core:1.0"],
"documentationUrl":"http://example.com/help/scim.html", "documentationUrl":"http://example.com/help/scim.html",
"patch": { "patch": {
"supported":true "supported":true
skipping to change at page 27, line 29 skipping to change at page 27, line 33
}, },
"changePassword" : { "changePassword" : {
"supported":true "supported":true
}, },
"sort": { "sort": {
"supported":true "supported":true
}, },
"etag": { "etag": {
"supported":true "supported":true
}, },
"xmlDataFormat": {
"supported":true
},
"authenticationSchemes": [ "authenticationSchemes": [
{ {
"name": "OAuth Bearer Token", "name": "OAuth Bearer Token",
"description": "Authentication Scheme using the OAuth Bearer Token Standard", "description": "Authentication Scheme using the OAuth Bearer Token Standard",
"specUrl":"http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01", "specUrl":"http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
"documentationUrl":"http://example.com/help/oauth.html", "documentationUrl":"http://example.com/help/oauth.html",
"type":"oauthbearertoken", "type":"oauthbearertoken",
"primary": true "primary": true
}, },
{ {
skipping to change at page 29, line 48 skipping to change at page 29, line 48
"readOnly":false, "readOnly":false,
"required":false, "required":false,
"caseExact":false "caseExact":false
} }
] ]
}, },
{ {
"name":"emails", "name":"emails",
"type":"complex", "type":"complex",
"multiValued":true, "multiValued":true,
"multiValuedAttributeChildName":"email",
"description":"E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g. bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.", "description":"E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g. bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
"schema":"urn:scim:schemas:core:1.0", "schema":"urn:scim:schemas:core:1.0",
"readOnly":false, "readOnly":false,
"required":false, "required":false,
"caseExact":false, "caseExact":false,
"subAttributes":[ "subAttributes":[
{ {
"name":"value", "name":"value",
"type":"string", "type":"string",
"multiValued":false, "multiValued":false,
skipping to change at page 30, line 49 skipping to change at page 30, line 48
"description":"A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g. the preferred mailing address or primary e-mail address. The primary attribute value 'true' MUST appear no more than once.", "description":"A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g. the preferred mailing address or primary e-mail address. The primary attribute value 'true' MUST appear no more than once.",
"readOnly":false, "readOnly":false,
"required":false, "required":false,
"caseExact":false "caseExact":false
} }
}, },
{ {
"name":"addresses", "name":"addresses",
"type":"complex", "type":"complex",
"multiValued":true, "multiValued":true,
"multiValuedAttributeChildName":"address",
"description":"A physical mailing address for this User, as described in (address Element). Canonical Type Values of work, home, and other. The value attribute is a complex type with the following sub-attributes.", "description":"A physical mailing address for this User, as described in (address Element). Canonical Type Values of work, home, and other. The value attribute is a complex type with the following sub-attributes.",
"schema":"urn:scim:schemas:core:1.0", "schema":"urn:scim:schemas:core:1.0",
"readOnly":false, "readOnly":false,
"required":false, "required":false,
"caseExact":false, "caseExact":false,
"subAttributes":[ "subAttributes":[
{ {
"name":"formatted", "name":"formatted",
"type":"string", "type":"string",
"multiValued":false, "multiValued":false,
skipping to change at page 32, line 40 skipping to change at page 32, line 37
"multiValued":false, "multiValued":false,
"description":"Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.", "description":"Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.",
"schema":"urn:scim:schemas:extension:enterprise:1.0", "schema":"urn:scim:schemas:extension:enterprise:1.0",
"readOnly":false, "readOnly":false,
"required":false, "required":false,
"caseExact":false "caseExact":false
} }
] ]
} }
12. XML Representation 12. Security Considerations
12.1. Minimal Representation
The following is a non-normative example of the minimal required SCIM
User representation in XML format.
<User xmlns="urn:scim:schemas:core:1.0"> The SCIM Core schema contains personally identifiable information as
<id>2819c223-7f76-453a-919d-413861904646</id> well as other sensitive data. Aside from prohibiting password values
<userName>bjensen@example.com</userName> in a SCIM response this specification does not provide any means or
guarantee of confidentiality.
</User> 13. Normative References
12.2. Full Representation [PortableContacts]
Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only",
August 2008.
The following is a non-normative example of the fully populated SCIM [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
representation in XML format. Requirement Levels", BCP 14, RFC 2119, March 1997.
<User xmlns="urn:scim:schemas:core:1.0"> [1] <http://json.org>
<id>2819c223-7f76-453a-919d-413861904646</id>
<externalId>701984</externalId>
<userName>bjensen@example.com</userName>
<name>
<formatted>Ms. Babs J Jensen III</formatted>
<familyName>Jensen</familyName>
<givenName>Barbara</givenName>
<middleName>Jane</middleName>
<honorificPrefix>Ms.</honorificPrefix>
<honorificSuffix>III</honorificSuffix>
</name>
<displayName>Babs Jensen</displayName>
<nickName>Babs</nickName>
<profileUrl>https://login.example.com/bjensen</profileUrl>
<emails>
<email>
<value>bjensen@example.com</value>
<type>work</type>
<primary>true</primary>
</email>
<email>
<value>babs@jensen.com</value>
<type>home</type>
</email>
</emails>
<addresses>
<address>
<formatted>100 Universal City Plaza\nHollywood, CA 91608 USA</formatted>
<streetAddress>100 Universal City Plaza</streetAddress>
<locality>Hollywood</locality>
<region>CA</region>
<postalCode>91608</postalCode>
<country>USA</country>
<type>work</type>
<primary>true</primary>
</address>
<address>
<formatted>456 Hollywood Blvd\nHollywood, CA 91608 USA</formatted>
<streetAddress>456 Hollywood Blvd</streetAddress>
<locality>San Francisco</locality>
<region>CA</region>
<postalCode>91608</postalCode>
<country>USA</country>
<type>home</type>
</address>
</addresses>
<phoneNumbers>
<phoneNumber>
<value>555-555-5555</value>
<type>work</type>
</phoneNumber>
<phoneNumber>
<value>555-555-4444</value>
<type>mobile</type>
</phoneNumber>
</phoneNumbers>
<ims>
<im>
<value>someaimhandle</value>
<type>aim</type>
</im>
</ims>
<photos>
<photo>
<value>https://photos.example.com/profilephoto/72930000000Ccne/F</value>
<type>photo</type>
</photo>
<photo>
<value>https://photos.example.com/profilephoto/72930000000Ccne/T</value>
<type>thumbnail</type>
</photo>
</photos>
<userType>Employee</userType>
<title>Tour Guide</title>
<preferredLanguage>en_US</preferredLanguage>
<locale>en_US</locale>
<timezone>America/Los_Angeles</timezone>
<active>true</active>
<password>t1meMa$heen</password>
<groups>
<group>
<value>e9e30dba-f08f-4109-8486-d5c6a331660a</value>
<display>Tour Guides</display>
</group>
<group>
<value>6d1a1088-3a56-4371-8e3b-6d48d67493ec</value>
<display>Employees</display>
</group>
<group>
<value>5fd998b9-d2bd-479c-991b-6790537608dc</value>
<display>US Employees</display>
</group>
</groups>
<roles>
<role>
<value>administrator</value>
</role>
</roles>
<entitlements>
<entitlement>
<value>delete users</value>
</entitlement>
</entitlements>
<x509Certificates>
<x509Certificate>
<value>
MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
+GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo=
</value>
</x509Certificate>
</x509Certificates>
<meta>
<created>2010-01-23T04:56:22Z</created>
<lastModified>2011-05-13T04:42:34Z</lastModified>
<version>W/"a330bc54f0671c9"</version>
<location>https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646</location>
</meta>
</User>
12.3. Enterprise User Extension Representation
The following is a non-normative example of the fully populated User [2] <http://tools.ietf.org/html/rfc4627>
using the enterprise User extension in XML format.
<User xmlns="urn:scim:schemas:core:1.0" xmlns:enterprise="urn:scim:schemas:extension:enterprise:1.0"> [3] <http://www.w3.org/TR/xmlschema-2/>
<id>2819c223-7f76-453a-919d-413861904646</id>
<externalId>701984</externalId>
<userName>bjensen@example.com</userName>
<name>
<formatted>Ms. Babs J Jensen III</formatted>
<familyName>Jensen</familyName>
<givenName>Barbara</givenName>
<middleName>Jane</middleName>
<honorificPrefix>Ms.</honorificPrefix>
<honorificSuffix>III</honorificSuffix>
</name>
<displayName>Babs Jensen</displayName>
<nickName>Babs</nickName>
<profileUrl>https://login.example.com/bjensen</profileUrl>
<title>Tour Guide</title>
<userType>Employee</userType>
<preferredLanguage>en_US</preferredLanguage>
<locale>en_US</locale>
<timezone>America/Los_Angeles</timezone>
<active>true</active>
<password>t1meMa$heen</password>
<emails>
<email>
<value>bjensen@example.com</value>
<type>work</type>
<primary>true</primary>
</email>
<email>
<value>babs@jensen.com/value>
<type>home</type>
</email>
</emails>
<addresses>
<address>
<formatted>100 Universal City Plaza\nHollywood, CA 91608 USA</formatted>
<streetAddress>100 Universal City Plaza</streetAddress>
<locality>Hollywood</locality>
<region>CA</region>
<postalCode>91608</postalCode>
<country>USA</country>
<type>work</type>
<primary>true</primary>
</address>
<address>
<formatted>456 Hollywood Blvd\nHollywood, CA 91608 USA</formatted>
<streetAddress>456 Hollywood Blvd</streetAddress>
<locality>San Francisco</locality>
<region>CA</region>
<postalCode>91608</postalCode>
<country>USA</country>
<type="home">
</address>
</addresses>
<phoneNumbers>
<phoneNumber>
<value>555-555-5555</value>
<type>work</type>
</phoneNumber>
<phoneNumber>
<value>555-555-4444</value>
<type>mobile</type>
</phoneNumber>
</phoneNumbers>
<ims>
<im>
<value>someaimhandle</value>
<type>aim</type>
</im>
</ims>
<photos>
<photo>
<value>https://photos.example.com/profilephoto/72930000000Ccne/F</value>
<type>photo></type>
</photo>
<photo>
<value>https://photos.example.com/profilephoto/72930000000Ccne/T</value>
<type>thumbnail></type>
</photo>
</photos>
<groups>
<group>
<display>Tour Guides</display>
<value>00300000005N2Y6AA</value>
</group>
<group>
<display>Employees</display>
<value>00300000005N34H78</value>
</group>
<group>
<display>US Employees</display>
<value>00300000005N98YT1</value>
</group>
</groups>
<roles>
<role>
<value>administrator</value>
</role>
</roles>
<entitlements>
<entitlement>
<value>delete users</value>
</entitlement>
</entitlements>
<x509Certificates>
<x509Certificate>
<value>
MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
+GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo=
</value>
</x509Certificate>
</x509Certificates>
<enterprise:employeeNumber>701984</enterprise:employeeNumber>
<enterprise:manager>
<enterprise:managerId>902c246b-6245-4190-8e05-00816be7344a</enterprise:managerId>
<enterprise:displayName>Mandy Pepperidge</enterprise:displayName>
</enterprise:manager>
<enterprise:costCenter>4130</enterprise:costCenter>
<enterprise:organization>Universal Studios</enterprise:organization>
<enterprise:division>Theme Park</enterprise:division>
<enterprise:department>Tour Operations</enterprise:department>
<meta>
<created>2010-01-23T04:56:22Z</created>
<lastModified>2011-05-13T04:42:34Z</lastModified>
<version>W/"3694e05e9dff591"</version>
<location>https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646</location>
</meta>
</User>
12.4. Group Representation [4] <http://tools.ietf.org/html/rfc4512>
The following is a non-normative example of a SCIM Group [5] <http://www.loc.gov/standards/iso639-2/php/code_list.php>
representation in XML format.
<Group xmlns="urn:scim:schemas:core:1.0"> [6] <http://www.iso.org/iso/country_codes/iso_3166_code_lists/
<id>2819c223-7f76-453a-919d-413861904646</id> country_names_and_code_elements.htm>
<displayName>Tour Guides</displayName>
<members>
<member>
<value>902c246b-6245-4190-8e05-00816be7344a</value>
<display>Babs Jensen</display>
</member>
<member>
<value>902c246b-6245-4190-8e05-00816be7344a</value>
<display>Mandy Pepperidge</display>
</member>
</members>
</Group>
13. Security Considerations [7] <http://www.twinsun.com/tz/tz-link.htm>
The SCIM Core schema contains personally identifiable information as [8] <http://tools.ietf.org/html/rfc3966>
well as other sensitive data. Aside from prohibiting password values
in a SCIM response this specification does not provide any means or
guarantee of confidentiality.
Appendix A. Contributors Appendix A. Contributors
The SCIM Community would like to thank the following people for the The SCIM Community would like to thank the following people for the
work they've done in the research, formulation, drafting, editing, work they've done in the research, formulation, drafting, editing,
and support of this specification. and support of this specification.
Morteza Ansari (morteza.ansari@cisco.com) Morteza Ansari (morteza.ansari@cisco.com)
Sidharth Choudhury (schoudhury@salesforce.com) Sidharth Choudhury (schoudhury@salesforce.com)
Samuel Erdtman (samuel@erdtman.se) Samuel Erdtman (samuel@erdtman.se)
Kelly Grizzle (kelly.grizzle@sailpoint.com) Kelly Grizzle (kelly.grizzle@sailpoint.com)
Chris Phillips (cjphillips@gmail.com) Chris Phillips (cjphillips@gmail.com)
Erik Wahlstroem (erik.wahlstrom@nexussafe.com) Erik Wahlstroem (erik.wahlstrom@nexussafe.com)
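Review bot: the section 13 Security Considerations text on the -00 side (left column) has no counterpart on the -01 side in this block, where only the footnote URLs [7] and [8] line up against it, so confirm that -01 still states the prohibition on password values in a SCIM response and the absence of any confidentiality guarantee. The User example just above it shows why that statement matters: it carries `<password>t1meMa$heen</password>` in a full representation without saying whether it is a request or a response body. If any part of the XML examples is kept elsewhere, note that the -00 text is not well-formed (`<value>babs@jensen.com/value>`, `<type="home">`, `<type>photo></type>`) and that both Group members share the value 902c246b-6245-4190-8e05-00816be7344a, which is also the manager's managerId.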
skipping to change at page 40, line 18 skipping to change at page 34, line 5
Kelly Grizzle (kelly.grizzle@sailpoint.com) Kelly Grizzle (kelly.grizzle@sailpoint.com)
Chris Phillips (cjphillips@gmail.com) Chris Phillips (cjphillips@gmail.com)
Erik Wahlstroem (erik.wahlstrom@nexussafe.com) Erik Wahlstroem (erik.wahlstrom@nexussafe.com)
Special thanks to Joeseph Smarr, who's excellent work on the Portable Special thanks to Joeseph Smarr, who's excellent work on the Portable
Contacts Specification [PortableContacts] provided a basis for the Contacts Specification [PortableContacts] provided a basis for the
SCIM schema structure and text. SCIM schema structure and text.
14. Normative References
[PortableContacts]
Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only",
August 2008.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[1] <http://www.w3.org/TR/xmlschema-2/>
[2] <http://www.json.org/>
[3] <http://tools.ietf.org/html/rfc4512>
[4] <http://www.loc.gov/standards/iso639-2/php/code_list.php>
[5] <http://www.iso.org/iso/country_codes/iso_3166_code_lists/
country_names_and_code_elements.htm>
[6] <http://www.twinsun.com/tz/tz-link.htm>
[7] <http://tools.ietf.org/html/rfc3966>
Authors' Addresses Authors' Addresses
Chuck Mortimore (editor) Chuck Mortimore (editor)
Salesforce.com Salesforce.com
Email: cmortimore@salesforce.com Email: cmortimore@salesforce.com
Patrick Harding Patrick Harding
Ping Identity Ping Identity
Email: pharding@pingidentity.com Email: pharding@pingidentity.com
Paul Madsen Paul Madsen
Ping Identity Ping Identity
Email: pmadsen@pingidentity.com Email: pmadsen@pingidentity.com
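Review bot: the numbered URL references under "14. Normative References" on the -00 side run [1] to [7], while the -01 footnotes visible in the previous block run [3] to [8] for the same targets (xmlschema-2 moves from [1] to [3], rfc3966 from [7] to [8]), so every in-text citation needs checking against the new numbering. RFC 4512 and RFC 3966 would be more robust as named entries in the style of [RFC2119] than as bare tools.ietf.org URLs. Separately, "who's excellent work" in the acknowledgement is unchanged on both sides and should read "whose".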
 End of changes. 71 change blocks. 
478 lines changed or deleted 168 lines changed or added

This html diff was produced by rfcdiff 1.41.