--- 1/draft-ietf-scim-core-schema-07.txt 2014-08-11 12:14:31.484132755 -0700 +++ 2/draft-ietf-scim-core-schema-08.txt 2014-08-11 12:14:31.632136388 -0700 @@ -1,23 +1,23 @@ Network Working Group K. Grizzle Internet-Draft SailPoint Intended status: Standards Track P. Hunt, Ed. -Expires: February 2, 2015 Oracle +Expires: February 12, 2015 Oracle E. Wahlstroem Technology Nexus C. Mortimore Salesforce - August 1, 2014 + August 11, 2014 System for Cross-Domain Identity Management: Core Schema - draft-ietf-scim-core-schema-07 + draft-ietf-scim-core-schema-08 Abstract The System for Cross-Domain Identity Management (SCIM) specification is designed to make managing user identity in cloud based applications and services easier. The specification suite builds upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management 
@@ -38,21 +38,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on February 2, 2015. + This Internet-Draft will expire on February 12, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -94,33 +94,34 @@ 11. JSON Representation . . . . . . . . . . . . . . . . . . . . . 24 11.1. Minimal User Representation . . . . . . . . . . . . . . 24 11.2. Full User Representation . . . . . . . . . . . . . . . . 24 11.3. Enterprise User Extension Representation . . . . . . . . 27 11.4. Group Representation . . . . . . . . . . . . . . . . . . 30 11.5. Service Provider Configuration Representation . . . . . 31 11.6. Resource Type Representation . . . . . . . . . . . . . . 32 11.7. Schema Representation . . . . . . . . . . . . . . . . . 33 12. Security Considerations . . . . . . . . . . . . . . . . . . . 55 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55 - 13.1. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 55 - 13.1.1. Specification Template . . . . . . . . . . . . . . . 55 - 13.1.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 58 - 13.2. Registering SCIM Schemas . . . . . . . . . . . . . . . . 58 - 13.2.1. Registration Procedure . . . . . . . . . . . . . . . 58 - 13.2.2. Schema Registration Template . . . . . . . . . . . . 59 - 13.3. Initial SCIM Schema Registry . . . . . . . . . . . . . . 59 - 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 60 - 14.1. Normative References . . . . . . . . . . . . . . . . . . 60 - 14.2. Informative References . . . . . . . . . . . . . . . . . 61 + 13.1. New Registration of SCIM URN Sub-namespace . . . . . . . 55 + 13.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 55 + 13.2.1. Specification Template . . . . . . . . . . . . . . . 56 + 13.2.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 58 + 13.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 58 + 13.3.1. Registration Procedure . . . . . . . . . . . . . . . 59 + 13.3.2. Schema Registration Template . . . . . . . . . . . . 59 + 13.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 60 + 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 61 + 14.1. Normative References . . 
. . . . . . . . . . . . . . . . 61 + 14.2. Informative References . . . . . . . . . . . . . . . . . 62 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 62 - Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 62 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 64 + Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 63 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 65 1. Introduction and Overview While there are existing standards for describing and exchanging user information, many of these standards can be difficult to implement and/or use; e.g., their wire protocols do not easily traverse firewalls and/or are not easily layered onto existing web protocols. As a result, many cloud providers implement non-standardized protocols for managing users within their services. This increases both the cost and complexity associated with organizations adopting @@ -167,21 +168,21 @@ Resource: The service provider managed artifact containing one or more attributes; e.g., "User" or "Group". Resource Type: A type of a resource that is managed by a service provider. The resource type defines the resource name, endpoint URL, Schemas, and other meta-data which indicate where a resource is managed and how it is composed; e.g., "User" or "Group". Schema: A collection of Attribute Definitions that describe the contents of an entire or partial resource; e.g., - "urn:scim:schemas:core:2.0:User". + "urn:ietf:params:scim:schemas:core:2.0:User". Singular Attribute: A resource attribute that contains 0..1 values; e.g., "displayName". Multi-valued Attribute: A resource attribute that contains 0..n values; e.g., "emails". Simple Attribute: A singular or multi-valued attribute whose value is a primitive; e.g., "String". 
@@ -457,23 +457,23 @@ MUST include a non-zero value array with value(s) of the URIs supported by that representation. The schemas attribute for a resource MUST only contain values defined as "schema" and "schemaExtensions" for the resource's resource type. Duplicate values MUST NOT be included. Value order is not specified and MUST not impact behavior. REQUIRED. 5. SCIM User Schema SCIM provides a schema for representing Users, identified using the - following URI: "urn:scim:schemas:core:2.0:User". The following - attributes are defined in addition to those attributes defined in - SCIM Core Schema: + following URI: "urn:ietf:params:scim:schemas:core:2.0:User". The + following attributes are defined in addition to those attributes + defined in SCIM Core Schema: 5.1. Singular Attributes userName Unique identifier for the user, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to id or externalId, which are generally opaque and not user-friendly identifiers). Each User MUST include a non-empty userName value. This identifier MUST be unique across the client's entire set of Users. RECOMMENDED. 
@@ -684,21 +684,21 @@ x509Certificates A list of certificates issued to the User. Values are Binary (Section 2.1.6) and DER encoded x509. This value has NO canonical types. 6. SCIM Enterprise User Schema Extension The following SCIM extension defines attributes commonly used in representing users that belong to, or act on behalf of a business or enterprise. The enterprise user extension is identified using the following schema URI: - "urn:scim:schemas:extension:enterprise:2.0:User". + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User". The following Singular Attributes are defined: employeeNumber Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. costCenter Identifies the name of a cost center. organization Identifies the name of an organization. @@ -716,21 +716,21 @@ $ref The URI of the SCIM resource representing the User's manager. RECOMMENDED. displayName The displayName of the user's manager. This attribute is OPTIONAL and mutability is "readOnly". 7. SCIM Group Schema SCIM provides a schema for representing groups, identified using the - following schema URI: "urn:scim:schemas:core:2.0:Group". + following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group". Group resources are meant to enable expression of common group or role based access control models, although no explicit authorization model is defined. It is intended that the semantics of group membership and any behavior or authorization granted as a result of membership are defined by the service provider are considered out of scope for this specification. The following singular attribute is defined in addition to the common attributes defined in SCIM core schema: 
@@ -747,21 +747,21 @@ a "Group". The intention of the "Group" type is to allow the service provider to support nested groups. Service providers MAY require clients to provide a non-empty members value based on the "required" sub attribute of the "members" attribute in the "Group" resource schema. 8. Service Provider Configuration Schema SCIM provides a schema for representing the service provider's configuration identified using the following schema URI: - "urn:scim:schemas:core:2.0:ServiceProviderConfig" + "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" The service provider configuration resource enables a service provider to discovery of SCIM specification features in a standardized form as well as provide additional implementation details to clients. All attributes are READ-ONLY (a mutability of "readOnly" ). Unlike other core resources, the "id" attribute is not required for the service provider configuration resource. The following Singular Attributes are defined in addition to the common attributes defined in Core Schema: 
@@ -833,77 +833,79 @@ specUrl A HTTP addressable URL pointing to the Authentication Scheme's specification. OPTIONAL. documentationUrl A HTTP addressable URL pointing to the Authentication Scheme's usage documentation. OPTIONAL. 9. ResourceType Schema The "ResourceType" schema specifies the meta-data about a resource type. Resource type resources are READ-ONLY and identified using the - following schema URI: "urn:scim:schemas:core:2.0:ResourceType". - Unlike other core resources, all attributes are REQUIRED unless - otherwise specified. The "id" attribute is not required for the - resource type resource. + following schema URI: + "urn:ietf:params:scim:schemas:core:2.0:ResourceType". Unlike other + core resources, all attributes are REQUIRED unless otherwise + specified. The "id" attribute is not required for the resource type + resource. The following Singular Attributes are defined: id The resource type's server unique id. Often this is the same value as the "name" attribute. OPTIONAL name The resource type name. When applicable service providers MUST specify the name specified in the core schema specification; e.g., "User" or "Group". This name is referenced by the "meta.resourceType" attribute in all resources. description The resource type's human readable description. When applicable service providers MUST specify the description specified in the core schema specification. endpoint The resource type's HTTP addressable endpoint relative to the Base URL; e.g., "/Users". schema The resource type's primary schema URI; e.g., - "urn:scim:schemas:core:2.0:User". This MUST be equal to the "id" - attribute of the associated "Schema" resource. + "urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal + to the "id" attribute of the associated "Schema" resource. schemaExtensions A list of URIs of the resource type's schema extensions. OPTIONAL. schema The URI of an extended schema; e.g., "urn:edu:2.0:Staff". 
This MUST be equal to the "id" attribute of a "Schema" resource. REQUIRED. required A Boolean value that specifies whether the schema extension is required for the resource type. If true, a resource of this type MUST include this schema extension and include any attributes declared as required in this schema extension. If false, a resource of this type MAY omit this schema extension. REQUIRED. 10. Schema Schema The "Schema" schema specifies the attribute(s) and meta-data that constitute a "Schema" resource. Schema resources have mutability of "readOnly" and identified using the following URI: - "urn:scim:schemas:core:2.0:Schema". Unlike other core resources the - "Schema" resource MAY contain a complex object within a sub-attribute - and all attributes are REQUIRED unless otherwise specified. + "urn:ietf:params:scim:schemas:core:2.0:Schema". Unlike other core + resources the "Schema" resource MAY contain a complex object within a + sub-attribute and all attributes are REQUIRED unless otherwise + specified. The following Singular Attributes are defined: id The unique URI of the schema. When applicable service providers MUST specify the URI specified in the core schema specification; - e.g., "urn:scim:schemas:core:2.0:User". Unlike most other - schemas, which use some sort of a GUID for the "id", the schema - "id" is a URI so that it can be registered and is portable between - different service providers and clients. + e.g., "urn:ietf:params:scim:schemas:core:2.0:User". Unlike most + other schemas, which use some sort of a GUID for the "id", the + schema "id" is a URI so that it can be registered and is portable + between different service providers and clients. name The schema's human readable name. When applicable service providers MUST specify the name specified in the core schema specification; e.g., "User" or "Group". OPTIONAL. description The schema's human readable description. 
When applicable service providers MUST specify the description specified in the core schema specification. OPTIONAL. The following multi-valued attribute is defined: @@ -1096,41 +1098,41 @@ any server SHOULD possess the same value. 11. JSON Representation 11.1. Minimal User Representation The following is a non-normative example of the minimal required SCIM representation in JSON format. { - "schemas": ["urn:scim:schemas:core:2.0:User"], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "2819c223-7f76-453a-919d-413861904646", "userName": "bjensen@example.com", "meta": { "resourceType": "User", "created": "2010-01-23T04:56:22Z", "lastModified": "2011-05-13T04:42:34Z", "version": "W\/\"3694e05e9dff590\"", "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646" } } Figure 2: Example Minimal User JSON Representation 11.2. Full User Representation The following is a non-normative example of the fully populated SCIM representation in JSON format. { - "schemas": ["urn:scim:schemas:core:2.0:User"], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "701984", "userName": "bjensen@example.com", "name": { "formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara", "middleName": "Jane", "honorificPrefix": "Ms.", "honorificSuffix": "III" 
@@ -1254,22 +1256,22 @@ Figure 3: Example Full User JSON Representation 11.3. Enterprise User Extension Representation The following is a non-normative example of the fully populated User using the enterprise User extension in JSON format. { "schemas": - [ "urn:scim:schemas:core:2.0:User", - "urn:scim:schemas:extension:enterprise:2.0:User"], + [ "urn:ietf:params:scim:schemas:core:2.0:User", + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"], "id": "2819c223-7f76-453a-919d-413861904646", "externalId": "701984", "userName": "bjensen@example.com", "name": { "formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara", "middleName": "Jane", "honorificPrefix": "Ms.", "honorificSuffix": "III" @@ -1375,21 +1377,21 @@ DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1 +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo=" } ], - "urn:scim:schemas:extension:enterprise:2.0:User": { + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "employeeNumber": "701984", "costCenter": "4130", "organization": "Universal Studios", "division": "Theme Park", "department": "Tour Operations", "manager": { "managerId": "26118915-6090-4610-87e4-49d8ca9f808d", "$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d", "displayName": "John Smith" } 
@@ -1404,21 +1406,21 @@ } Figure 4: Example Enterprise User JSON Representation 11.4. Group Representation The following is a non-normative example of SCIM Group representation in JSON format. { - "schemas": ["urn:scim:schemas:core:2.0:Group"], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], "id": "e9e30dba-f08f-4109-8486-d5c6a331660a", "displayName": "Tour Guides", "members": [ { "value": "2819c223-7f76-453a-919d-413861904646", "$ref": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646", "display": "Babs Jensen" }, { "value": "902c246b-6245-4190-8e05-00816be7344a", @@ -1436,21 +1438,21 @@ } Figure 5: Example Group JSON Representation 11.5. Service Provider Configuration Representation The following is a non-normative example of the SCIM service provider configuration representation in JSON format. { - "schemas": ["urn:scim:schemas:core:2.0:ServiceProviderConfig"], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"], "documentationUrl":"http://example.com/help/scim.html", "patch": { "supported":true }, "bulk": { "supported":true, "maxOperations":1000, "maxPayloadSize":1048576 }, "filter": { 
@@ -1493,29 +1495,29 @@ } Figure 6: Example Service Provider Config JSON Representation 11.6. Resource Type Representation The following is a non-normative example of the SCIM resource type representation in JSON format. { - "schemas": ["urn:scim:schemas:core:2.0:ResourceType"], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], "id":"User", "name":"User", "endpoint": "/Users", "description": "Core User", - "schema": "urn:scim:schemas:core:2.0:User", + "schema": "urn:ietf:params:scim:schemas:core:2.0:User", "schemaExtensions": [ { - "schema": "urn:scim:schemas:extension:enterprise:2.0:User", + "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "required": true } ], "meta": { "location":"https://example.com/v2/ResourceTypes/User", "resourceType": "ResourceType", "created": "2010-01-23T04:56:22Z", "lastModified": "2011-05-13T04:42:34Z", "version": "W\/\"3694e05e9dff595\"" } @@ -1525,21 +1527,21 @@ 11.7. Schema Representation The following is intended as normative example of the SCIM Schema representation in JSON format. Where permitted individual values and schema MAY change. Included but not limited to, are schemas for User, Group, and enterprise user. {[ { - "id" : "urn:scim:schemas:core:2.0:User", + "id" : "urn:ietf:params:scim:schemas:core:2.0:User", "name" : "User", "description" : "Core User", "attributes" : [ { "name" : "id", "type" : "string", "multiValued" : false, "description" : "Unique identifier for the SCIM resource as defined by the Service Provider. Each representation of the resource MUST include a non-empty id value. This identifier MUST be unique across the Service Provider's entire set of resources. It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests. The value of the id attribute is always issued by the Service Provider and MUST never be specified by the Service Consumer. REQUIRED.", "required" : true, "caseExact" : false, 
@@ -2351,25 +2353,25 @@ "mutability" : "readWrite", "returned" : "default", "uniqueness" : "none" } ], "meta" : { "resourceType" : "Schema", "created" : "2010-01-23T04:56:22Z", "lastModified" : "2014-02-04T00:00:00Z", "version" : "W/\"3694e05e9dff596\"", - "location" : "https://example.com/v2/Schemas/urn:scim:schemas:core:2.0:User" + "location" : "https://example.com/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User" } }, { - "id" : "urn:scim:schemas:core:2.0:Group", + "id" : "urn:ietf:params:scim:schemas:core:2.0:Group", "name" : "Group", "description" : "Core Group", "attributes" : [ { "name" : "id", "type" : "string", "multiValued" : false, "description" : "Unique identifier for the SCIM resource as defined by the Service Provider. Each representation of the resource MUST include a non-empty id value. This identifier MUST be unique across the Service Provider's entire set of resources. It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests. The value of the id attribute is always issued by the Service Provider and MUST never be specified by the Service Consumer. REQUIRED.", "required" : true, "caseExact" : false, 
@@ -2448,25 +2450,25 @@ "mutability" : "readWrite", "returned" : "default", "uniqueness" : "none" } ], "meta" : { "resourceType" : "Schema", "created" : "2010-01-23T04:56:22Z", "lastModified" : "2014-02-04T00:00:00Z", "version" : "W/\"3694e05e9dff596\"", - "location" : "https://example.com/v2/Schemas/urn:scim:schemas:core:2.0:Group" + "location" : "https://example.com/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group" } }, { - "id" : "urn:scim:schemas:extension:enterprise:2.0:User", + "id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "name" : "EnterpriseUser", "description" : "Enterprise User", "attributes" : [ { "name" : "employeeNumber", "type" : "string", "multiValued" : false, "description" : "Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.", "required" : false, "caseExact" : false, 
@@ -2563,44 +2565,61 @@ "mutability" : "readWrite", "returned" : "default", "uniqueness" : "none" } ], "meta" : { "resourceType" : "Schema", "created" : "2010-01-23T04:56:22Z", "lastModified" : "2014-02-04T00:00:00Z", "version" : "W/\"3694e05e9dff596\"", - "location" : "https://example.com/v2/Schemas/urn:scim:schemas:extension:enterprise:2.0:User" + "location" : "https://example.com/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" } } ]} Figure 8: Eample Schema JSON Representation 12. Security Considerations The SCIM Core schema contains personally identifiable information as well as other sensitive data. Aside from prohibiting password values in a SCIM response this specification does not provide any means or guarantee of confidentiality. 13. IANA Considerations -13.1. URN Sub-Namespace for SCIM +13.1. New Registration of SCIM URN Sub-namespace + + IANA has created a registry for new IETF URN sub-namespaces, + "urn:ietf:params:scim:", per [RFC3553]. The registration request is + as follows: + + Per [RFC3553], IANA has registered a new URN sub-namespace, + "urn:ietf:params:scim". + + o Registry name: scim + + o Specification: [this document] + + o Repository: [see Section 13.2] + + o Index value: values [see Section 13.2] + +13.2. URN Sub-Namespace for SCIM SCIM schemas and SCIM messages utilize URIs to identify the schema in use or other relevant context. This section creates and registers an IETF URN Sub-namespace for use in the SCIM specifications and future extensions. -13.1.1. Specification Template +13.2.1. Specification Template Namespace ID: The Namespace ID "scim" is requested. Registration Information: Version: 1 Date: [[insert final submission date]] 
@@ -2612,48 +2631,48 @@ Designated contact A designated expert will monitor the SCIM public mailing list, "scim@ietf.org". Declaration of Syntactic Structure: The Namespace Specific String (NSS) of all URNs that use the "scim" NID shall have the following structure: - urn:scim:{type}:{name}{:subName}:{version}{:className}{:resourceType} + urn:ietf:params:scim:{type}:{name}{:sName}:{vers}{:class}{:resType} The keywords have the following meaning: type - An entity type (e.g. "schemas", "api", or "param" ). + The entity type which is either "schemas" or "api". name A required US-ASCII string that conforms to the URN syntax requirements (see [RFC2141] ) and defines a major namespace of object used within SCIM (e.g. "core", "extension" ). The name - "extension" MUST be used when the registered schema it refers - to is intended to be used as an extension to another schema. + "extension" MAY be used when the registered schema it refers to + is intended to be used as an extension to another schema. An optional US-ASCII string that conforms to the URN syntax requirements (see [RFC2141] ) and defines a sub-class of object - used within SCIM (e.g. "enterprise", "extension" ). + used within SCIM (e.g. "enterprise"). - version + vers The first SCIM protocol version number where the URN is valid (e.g. "2.0" ). - className + class An optional US-ASCII string that conforms to the URN syntax requirements (see [RFC2141] ) and defines a major class of object used within SCIM. - resourceType + resType An optional US-ASCII string that conforms to the URN syntax requirements (see [RFC2141] ) and typically is used when referring to a resource type within SCIM (e.g. User). Relevant Ancillary Documentation: None Identifier Uniqueness Considerations: 
@@ -2664,32 +2683,34 @@ Once a name has been allocated it MUST NOT be re-allocated for a different purpose. The rules provided for assignments of values within a sub-namespace MUST be constructed so that the meaning of values cannot change. This registration mechanism is not appropriate for naming values whose meaning may change over time. As the SCIM specifications are updated and the SCIM protocol version is adjusted, a new registration will be made when significant changes are made. Example, - "urn:scim:schemas:core:1.0" and "urn:scim:schemas:core:2.0". + "urn:ietf:params:scim:schemas:core:1.0 (externally defined, not + previously registered)" and + "urn:ietf:params:scim:schemas:core:2.0". Process of Identifier Assignment: - Identifiers with namespace type "schema" (e.g. "urn:scim:schemas" - ) are assigned after the review of the assigned contact via the - SCIM public mailing list, "scim@ietf.org" as documented in - Section 13.2. + Identifiers with namespace type "schema" (e.g. + "urn:ietf:params:scim:schemas" ) are assigned after the review of + the assigned contact via the SCIM public mailing list, + "scim@ietf.org" as documented in Section 13.3. - Namespaces with type "api" (e.g. "urn:scim:api" ) are reserved for - IETF approved SCIM specifications. Namespaces with type "param" - are reserved for future use. + Namespaces with type "api" (e.g. "urn:ietf:params:scim:api" ) are + reserved for IETF approved SCIM specifications. Namespaces with + type "param" are reserved for future use. Process of Identifier Resolution: The namespace is not currently listed with a Resolution Discovery System (RDS), but nothing about the namespace prohibits the future definition of appropriate resolution methods or listing with an RDS. Rules for Lexical Equivalence: 
@@ -2701,41 +2722,41 @@ No special considerations. Validation Mechanism: None specified. Scope: Global. -13.1.2. Pre-Registered SCIM Schema Identifiers +13.2.2. Pre-Registered SCIM Schema Identifiers The following SCIM Identifiers are defined: - urn:scim:schemas:core:2.0 + urn:ietf:params:scim:schemas:core:2.0 - SCIM Core Schema as specified in Section 4 and Section 13.3. + SCIM Core Schema as specified in Section 4 and Section 13.4. - urn:scim:schemas:extension:enterprise:2.0 + urn:ietf:params:scim:schemas:extension:enterprise:2.0 Enterprise schema extensions as defined in Section 6 and - Section 13.3. + Section 13.4. -13.2. Registering SCIM Schemas +13.3. Registering SCIM Schemas This section defines the process for registering new SCIM schemas with IANA. A schema URI is used as a value in the schemas attribute ( Section 4.2 ) for the purpose of distinguishing extensions used in a SCIM resource. -13.2.1. Registration Procedure +13.3.1. Registration Procedure The IETF has created a mailing list, scim@ietf.org, which can be used for public discussion of SCIM schema proposals prior to registration. Use of the mailing list is strongly encouraged. The IESG has appointed a designated expert who will monitor the scim@ietf.org mailing list and review registrations. Registration of new schemas MUST be reviewed by the designated expert and published in an RFC. A Standards Track RFC is REQUIRED for the registration of new value data types that modify existing properties. 
@@ -2757,85 +2778,96 @@ Once the registration procedure concludes successfully, IANA creates or modifies the corresponding record in the SCIM schema registry. The completed registration template is discarded. An RFC specifying new schema URI MUST include the completed registration templates, which MAY be expanded with additional information. These completed templates are intended to go in the body of the document, not in the IANA Considerations section. The RFC SHOULD include any attributes defined. -13.2.2. Schema Registration Template +13.3.2. Schema Registration Template A SCIM schema URI is defined by completing the following template: Schema URI: Schema URI: A unique URI for the SCIM schema extension. Schema Name: A descriptive name of the schema extension (e.g. Generic Device) Intended or Associated Resource Type: A value defining the resource type (e.g. "Device"). Purpose: A description of the purpose of the extension and/or its intended use. Single-value Attributes: A list and description of single-valued attributes defined including complex attributes. Multi-valued Attributes: A list and description of multi-valued attributes defined including complex attributes. -13.3. Initial SCIM Schema Registry +13.4. Initial SCIM Schema Registry The IANA has created and will maintain the following registries for SCIM schema URIs with pointers to appropriate reference documents. 
- +-------------------------------------------+-----------+-----------+ - | Schema URI | Name | Reference | - +-------------------------------------------+-----------+-----------+ - | urn:scim:schemas:core:2.0:User | User | See | - | | Resource | Section 5 | - | urn:scim:schemas:extension:enterprise:2.0 | Enterpris | See | - | :User | e User | Section 6 | - | | Extension | | - | urn:scim:schemas:core:2.0:Group | Group | See | - | | Resource | Section 7 | - +-------------------------------------------+-----------+-----------+ + +----------------------------------------------+---------+----------+ + | Schema URI | Name | Referenc | + | | | e | + +----------------------------------------------+---------+----------+ + | urn:ietf:params:scim:schemas:core:2.0:User | User Re | See | + | | source | Section | + | | | 5 | + | urn:ietf:params:scim:schemas:extension:enter | Enterpr | See | + | prise:2.0:User | ise | Section | + | | User Ex | 6 | + | | tension | | + | urn:ietf:params:scim:schemas:core:2.0:Group | Group R | See | + | | esource | Section | + | | | 7 | + +----------------------------------------------+---------+----------+ SCIM Schema URIs for Data Resources - +-----------------------------------------+-------------+-----------+ - | Schema URI | Name | Reference | - +-----------------------------------------+-------------+-----------+ - | urn:scim:schemas:core:2.0:ServiceProvid | Service | See | - | erConfig | Provider Co | Section 8 | - | | nfiguration | | + +--------------------------------------------+-----------+----------+ + | Schema URI | Name | Referenc | + | | | e | + +--------------------------------------------+-----------+----------+ + | urn:ietf:params:scim:schemas:core:2.0:Serv | Service | See | + | iceProviderConfig | Provider | Section | + | | Configura | 8 | + | | tion | | | | Schema | | - | urn:scim:schemas:core:2.0:ResourceType | Resource | See | - | | Type Config | Section 9 | - | urn:scim:schemas:core:2.0:Schema | Schema | See | - | | 
Definitions | Section | + | urn:ietf:params:scim:schemas:core:2.0:Reso | Resource | See | + | urceType | Type | Section | + | | Config | 9 | + | urn:ietf:params:scim:schemas:core:2.0:Sche | Schema De | See | + | ma | finitions | Section | | | Schema | 10 | - +-----------------------------------------+-------------+-----------+ + +--------------------------------------------+-----------+----------+ SCIM Server Related Schema URIs 14. References 14.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. + [RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An + IETF URN Sub-namespace for Registered Protocol + Parameters", BCP 73, RFC 3553, June 2003. + [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003. [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC 3966, December 2004. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. @@ -2992,20 +3024,23 @@ - meta.attributes removed due to new PURGE command in draft 04 (no longer used) Draft 07 - PH - Edits and revisions - Dropped use of the term API in favour of HTTP protocol or just protocol. - Clarified meaning of null and unassigned + Draft 08 - PH - Revised IANA namespace to urn:ietf:params:scim per + RFC3553 + Authors' Addresses Kelly Grizzle SailPoint Email: kelly.grizzle@sailpoint.com Phil Hunt (editor) Oracle Corporation
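Review bot: In the new Section 13.1 (hunk @@ -2563), the opening sentence misstates what is being registered: "IANA has created a registry for new IETF URN sub-namespaces, "urn:ietf:params:scim:", per [RFC3553]" describes the urn:ietf:params registry that RFC 3553 itself established, whereas this document is requesting one entry in it. The following sentence then repeats the request ("Per [RFC3553], IANA has registered a new URN sub-namespace, "urn:ietf:params:scim""), so the two sentences say the same thing in a different tense and with an inconsistent trailing colon. Suggest a single sentence in request form, e.g. "Per [RFC3553], IANA is requested to register the URN sub-namespace "urn:ietf:params:scim" using the following template:". In the template itself, "Index value: values [see Section 13.2]" reads as a leftover edit, and "Repository: [see Section 13.2]" points at the namespace description rather than at the schema registry in Section 13.4; the index values are the {type}:{name}... components defined in 13.2.1, so say that explicitly. The unchanged "Namespace ID: The Namespace ID "scim" is requested." a few lines below now also conflicts with 13.1: under urn:ietf:params the NID is "ietf" and "scim" is a sub-namespace, so no new NID is being requested. Drive-by: "Eample" in the Figure 8 caption, in the unchanged context just above this hunk, is a typo.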
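Review bot: The syntactic-structure hunk (@@ -2612) renames the placeholders to {:sName}, {vers}, {:class} and {:resType}, but the keyword list beneath still has no heading for the sub-name component: after the "name" entry, the paragraph "An optional US-ASCII string ... (e.g. "enterprise")" appears with no keyword above it, so "sName" in the structure line is never defined; add an "sName" heading there. Second, "type" is now "either "schemas" or "api"", yet the unchanged sentence in hunk @@ -2664 still says "Namespaces with type "param" are reserved for future use"; either drop that sentence or keep "param" in the enumeration. Third, the template is still the RFC 2141 NID form: the unchanged lead-in says "all URNs that use the "scim" NID", but after this change the NID is "ietf" and "scim" is an RFC 3553 sub-namespace, so this should read along the lines of "all URNs under the "urn:ietf:params:scim" sub-namespace". Finally, weakening "The name "extension" MUST be used" to "MAY be used" removes the only rule that lets a consumer tell an extension schema from a primary one by its URN; Section 13.3 still says schema URIs are used "for the purpose of distinguishing extensions", so either restore the MUST or reconcile that sentence with the new MAY.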
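Review bot: In hunk @@ -2664 the versioning example now reads ""urn:ietf:params:scim:schemas:core:1.0 (externally defined, not previously registered)"", with the parenthetical inside the quoted URN. The removed line used "urn:scim:schemas:core:1.0", i.e. the pre-IETF prefix that the rest of -07 used; rewriting it under the urn:ietf:params prefix presents a 1.0 identifier in a sub-namespace this document is only now creating, and the parenthetical contradicts that by calling it externally defined. Suggest keeping the old identifier for 1.0 and moving the note outside the quotes: ""urn:scim:schemas:core:1.0" (defined outside the IETF and not registered) and "urn:ietf:params:scim:schemas:core:2.0"". In the same hunk, "Identifiers with namespace type "schema" (e.g. "urn:ietf:params:scim:schemas")" uses the singular while the structure in 13.2.1 and the example itself use "schemas"; make it "schemas".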
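Review bot: Hunk @@ -2701 lists the pre-registered identifiers as "urn:ietf:params:scim:schemas:core:2.0" and "urn:ietf:params:scim:schemas:extension:enterprise:2.0", without a resource-type suffix, while the registry tables it now points to (Section 13.4) contain only suffixed URIs such as "urn:ietf:params:scim:schemas:core:2.0:User". State which form a registrant is expected to register, or list the suffixed URIs here as well, so that 13.2.2 and 13.4 agree.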
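Review bot: The rebuilt registry tables in hunk @@ -2757 lost width in the Name and Reference columns, so the renderer now breaks words mid-token: "Referenc | e", "User Re | source", "Enterpr | ise | User Ex | tension" and "Schema De | finitions", and the Schema URI column splits "enter | prise", "Reso | urceType" and "Sche | ma". Shorten the Name cells (e.g. "User", "Enterprise User", "Group", "ServiceProviderConfig", "ResourceType", "Schema") and drop the "See" from the Reference column so "Section N" fits on one line; as rendered, the text version is hard to read. The unchanged template above the tables still carries "Schema URI: Schema URI:" twice (a dangling label) and could be cleaned up in the same pass.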
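Review bot: The namespace prefix grew by 13 characters and several example lines in hunks @@ -1436, @@ -1493, @@ -2351, @@ -2448 and @@ -2563 now run past the 72-column limit for RFC text, e.g. ""schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"]," and ""schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"," as well as the "meta.location" values such as "https://example.com/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User". idnits will flag these. Break the arrays onto one URI per line as the Figure 4 example in hunk @@ -1254 already does, and either shorten the example "location" URLs or mark them as folded.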
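Review bot: Two nits in the unchanged context of the URI-rename hunks that are worth fixing while these paragraphs are being touched: in hunk @@ -457, "Value order is not specified and MUST not impact behavior" should use the RFC 2119 form "MUST NOT"; in hunk @@ -747, "enables a service provider to discovery of SCIM specification features" is ungrammatical and should read "enables discovery of SCIM specification features in a standardized form".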