draft-ietf-scim-core-schema-08.txt   draft-ietf-scim-core-schema-09.txt 
Network Working Group K. Grizzle Network Working Group K. Grizzle
Internet-Draft SailPoint Internet-Draft SailPoint
Intended status: Standards Track P. Hunt, Ed. Intended status: Standards Track P. Hunt, Ed.
Expires: February 12, 2015 Oracle Expires: March 2, 2015 Oracle
E. Wahlstroem E. Wahlstroem
Technology Nexus Nexus Technology
C. Mortimore C. Mortimore
Salesforce Salesforce
August 11, 2014 August 29, 2014
System for Cross-Domain Identity Management: Core Schema System for Cross-Domain Identity Management: Core Schema
draft-ietf-scim-core-schema-08 draft-ietf-scim-core-schema-09
Abstract Abstract
The System for Cross-Domain Identity Management (SCIM) specification The System for Cross-Domain Identity Management (SCIM) specifications
is designed to make managing user identity in cloud based are designed to make identity management in cloud based applications
applications and services easier. The specification suite builds and services easier. The specification suite builds upon experience
upon experience with existing schemas and deployments, placing with existing schemas and deployments, placing specific emphasis on
specific emphasis on simplicity of development and integration, while simplicity of development and integration, while applying existing
applying existing authentication, authorization, and privacy models. authentication, authorization, and privacy models. Its intent is to
Its intent is to reduce the cost and complexity of user management reduce the cost and complexity of user management operations by
operations by providing a common user schema and extension model, as providing a common user schema and extension model, as well as
well as binding documents to provide patterns for exchanging this binding documents to provide patterns for exchanging this schema
schema using standard protocols. In essence, make it fast, cheap, using HTTP protocol.
and easy to move identity in to, out of, and around the cloud.
This document provides a platform neutral schema and extension model This document provides a platform neutral schema and extension model
for representing users and groups in JSON format. This schema is for representing users and groups and other resource types in JSON
intended for exchange and use with cloud service providers. An HTTP format. This schema is intended for exchange and use with cloud
protocol binding document is also provided. service providers.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 12, 2015.
This Internet-Draft will expire on March 2, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 33 skipping to change at page 2, line 32
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Notation and Conventions . . . . . . . . . . 4 1.1. Requirements Notation and Conventions . . . . . . . . . . 4
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
2. SCIM Schema Structure . . . . . . . . . . . . . . . . . . . . 5 2. SCIM Schema Structure . . . . . . . . . . . . . . . . . . . . 5
2.1. Attribute Data Types . . . . . . . . . . . . . . . . . . 5 2.1. Attribute Data Types . . . . . . . . . . . . . . . . . . 5
2.1.1. String . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.1. String . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 6 2.1.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 6
2.1.6. Binary . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.6. Binary . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.7. Reference . . . . . . . . . . . . . . . . . . . . . . 7 2.1.7. Reference . . . . . . . . . . . . . . . . . . . . . . 7
2.1.8. Complex . . . . . . . . . . . . . . . . . . . . . . . 7 2.1.8. Complex . . . . . . . . . . . . . . . . . . . . . . . 7
2.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 7 2.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 7
2.3. Unassigned and Null Values . . . . . . . . . . . . . . . 8 2.3. Unassigned and Null Values . . . . . . . . . . . . . . . 8
3. Schema Extension Model . . . . . . . . . . . . . . . . . . . 8 3. Schema Extension Model . . . . . . . . . . . . . . . . . . . 8
3.1. Resource Type Extensions . . . . . . . . . . . . . . . . 8
3.2. Attribute Extensions . . . . . . . . . . . . . . . . . . 9
4. SCIM Core Schema . . . . . . . . . . . . . . . . . . . . . . 9 4. SCIM Core Schema . . . . . . . . . . . . . . . . . . . . . . 9
4.1. Common Schema Attributes . . . . . . . . . . . . . . . . 9 4.1. Common Schema Attributes . . . . . . . . . . . . . . . . 9
4.2. "schemas" Attribute . . . . . . . . . . . . . . . . . . . 10 4.2. "schemas" Attribute . . . . . . . . . . . . . . . . . . . 10
5. SCIM User Schema . . . . . . . . . . . . . . . . . . . . . . 10 5. SCIM User Schema . . . . . . . . . . . . . . . . . . . . . . 11
5.1. Singular Attributes . . . . . . . . . . . . . . . . . . . 11 5.1. Singular Attributes . . . . . . . . . . . . . . . . . . . 11
5.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 13 5.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 13
6. SCIM Enterprise User Schema Extension . . . . . . . . . . . . 15 6. SCIM Enterprise User Schema Extension . . . . . . . . . . . . 16
7. SCIM Group Schema . . . . . . . . . . . . . . . . . . . . . . 16 7. SCIM Group Schema . . . . . . . . . . . . . . . . . . . . . . 17
8. Service Provider Configuration Schema . . . . . . . . . . . . 16 8. Service Provider Configuration Schema . . . . . . . . . . . . 17
9. ResourceType Schema . . . . . . . . . . . . . . . . . . . . . 18 9. ResourceType Schema . . . . . . . . . . . . . . . . . . . . . 19
10. Schema Schema . . . . . . . . . . . . . . . . . . . . . . . . 19 10. Schema Schema . . . . . . . . . . . . . . . . . . . . . . . . 20
11. JSON Representation . . . . . . . . . . . . . . . . . . . . . 24 11. JSON Representation . . . . . . . . . . . . . . . . . . . . . 23
11.1. Minimal User Representation . . . . . . . . . . . . . . 24 11.1. Minimal User Representation . . . . . . . . . . . . . . 23
11.2. Full User Representation . . . . . . . . . . . . . . . . 24 11.2. Full User Representation . . . . . . . . . . . . . . . . 23
11.3. Enterprise User Extension Representation . . . . . . . . 27 11.3. Enterprise User Extension Representation . . . . . . . . 26
11.4. Group Representation . . . . . . . . . . . . . . . . . . 30 11.4. Group Representation . . . . . . . . . . . . . . . . . . 29
11.5. Service Provider Configuration Representation . . . . . 31 11.5. Service Provider Configuration Representation . . . . . 30
11.6. Resource Type Representation . . . . . . . . . . . . . . 32 11.6. Resource Type Representation . . . . . . . . . . . . . . 31
11.7. Schema Representation . . . . . . . . . . . . . . . . . 33 11.7. Schema Representation . . . . . . . . . . . . . . . . . 32
12. Security Considerations . . . . . . . . . . . . . . . . . . . 55 12. Security Considerations . . . . . . . . . . . . . . . . . . . 54
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54
13.1. New Registration of SCIM URN Sub-namespace . . . . . . . 55 13.1. New Registration of SCIM URN Sub-namespace . . . . . . . 54
13.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 55 13.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 54
13.2.1. Specification Template . . . . . . . . . . . . . . . 56 13.2.1. Specification Template . . . . . . . . . . . . . . . 55
13.2.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 58 13.2.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 57
13.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 58 13.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 57
13.3.1. Registration Procedure . . . . . . . . . . . . . . . 59 13.3.1. Registration Procedure . . . . . . . . . . . . . . . 58
13.3.2. Schema Registration Template . . . . . . . . . . . . 59 13.3.2. Schema Registration Template . . . . . . . . . . . . 58
13.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 60 13.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 59
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 61 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 60
14.1. Normative References . . . . . . . . . . . . . . . . . . 61 14.1. Normative References . . . . . . . . . . . . . . . . . . 60
14.2. Informative References . . . . . . . . . . . . . . . . . 62 14.2. Informative References . . . . . . . . . . . . . . . . . 61
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 62 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 61
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 63 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 62
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 65 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 64
1. Introduction and Overview 1. Introduction and Overview
While there are existing standards for describing and exchanging user While there are existing standards for describing and exchanging user
information, many of these standards can be difficult to implement information, many of these standards can be difficult to implement
and/or use; e.g., their wire protocols do not easily traverse and/or use; e.g., their wire protocols do not easily traverse
firewalls and/or are not easily layered onto existing web protocols. firewalls and/or are not easily layered onto existing web protocols.
As a result, many cloud providers implement non-standardized As a result, many cloud providers implement non-standardized
protocols for managing users within their services. This increases protocols for managing users within their services. This increases
both the cost and complexity associated with organizations adopting both the cost and complexity associated with organizations adopting
skipping to change at page 4, line 9 skipping to change at page 4, line 9
exchanging this schema via an HTTP based protocol. It draws exchanging this schema via an HTTP based protocol. It draws
inspiration and best practice, building upon existing user protocols inspiration and best practice, building upon existing user protocols
and schemas from a wide variety of sources including, but not limited and schemas from a wide variety of sources including, but not limited
to, existing services exposed by cloud providers, PortableContacts, to, existing services exposed by cloud providers, PortableContacts,
vCards, and LDAP directory services. vCards, and LDAP directory services.
This document provides a JSON based schema and extension model for This document provides a JSON based schema and extension model for
representing users and groups, as well as service provider representing users and groups, as well as service provider
configuration. This schema is intended for exchange and use with configuration. This schema is intended for exchange and use with
cloud service providers and other cross-domain scenarios. An HTTP cloud service providers and other cross-domain scenarios. An HTTP
protocol binding document is provided separately. protocol-binding document is provided separately.
1.1. Requirements Notation and Conventions 1.1. Requirements Notation and Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Throughout this document, values are quoted to indicate that they are Throughout this document, values are quoted to indicate that they are
to be taken literally. When using these values in protocol messages, to be taken literally. When using these values in protocol messages,
the quotes MUST NOT be used as part of the value. the quotes MUST NOT be used as part of the value.
1.2. Definitions 1.2. Definitions
Service Provider: An HTTP web application that provides identity Service Provider
information via the SCIM protocol. An HTTP web application that provides identity information via the
SCIM protocol.
Client: A website or application that uses the SCIM protocol to Client
manage identity data maintained by the service provider. The A website or application that uses the SCIM protocol to manage
client initiates SCIM HTTP requests to a target service provider. identity data maintained by the service provider. The client
initiates SCIM HTTP requests to a target service provider.
Resource: The service provider managed artifact containing one or Resource
more attributes; e.g., "User" or "Group". A service provider managed artifact containing one or more
attributes. For example a "User" or "Group".
Resource Type: A type of a resource that is managed by a service Resource Type
provider. The resource type defines the resource name, endpoint A type of a resource that is managed by a service provider. The
URL, Schemas, and other meta-data which indicate where a resource resource type defines the resource name, endpoint URL, Schemas,
is managed and how it is composed; e.g., "User" or "Group". and other meta-data which indicate where a resource is managed and
how it is composed; e.g. "User" or "Group".
Schema: A collection of Attribute Definitions that describe the Schema
contents of an entire or partial resource; e.g., A collection of Attribute Definitions that describe the contents
of an entire or partial resource; e.g.
"urn:ietf:params:scim:schemas:core:2.0:User". "urn:ietf:params:scim:schemas:core:2.0:User".
Singular Attribute: A resource attribute that contains 0..1 values; Singular Attribute
e.g., "displayName". A resource attribute that contains 0..1 values; e.g.
"displayName".
Multi-valued Attribute: A resource attribute that contains 0..n Multi-valued Attribute
values; e.g., "emails". A resource attribute that contains 0..n values; e.g. "emails".
Simple Attribute: A singular or multi-valued attribute whose value Simple Attribute
is a primitive; e.g., "String". A singular or multi-valued attribute whose value is a primitive;
e.g. "String".
Complex Attribute: A singular or multi-valued attribute whose value Complex Attribute
is a composition of one or more simple attributes; e.g., A singular or multi-valued attribute whose value is a composition
"addresses". of one or more simple attributes; e.g. "addresses".
Sub-Attribute: A simple attribute contained within a complex Sub-Attribute
attribute. A simple attribute contained within a complex attribute.
2. SCIM Schema Structure 2. SCIM Schema Structure
SCIM schema provides a minimal core schema for representing users and SCIM schema provides a minimal core schema for representing users and
groups (resources), encompassing common attributes found in many groups (resources), encompassing common attributes found in many
existing deployments and schemas. existing deployments and schemas. In addition to the minimal core
schema, this document also specifies a standardized means by which
service providers may extend schema to define new resources and
attributes in both standardized and service provider specific cases.
Resources are categorized into common resource types such as "User"
or "Group"). Collections of resources of the same type are usually
contained within the same "container" ("folder") endpoint.
A resource is a collection of attributes identified by one or more A resource is a collection of attributes identified by one or more
schemas. Minimally, an attribute consists of the attribute name and schemas. Minimally, an attribute consists of the attribute name and
at least one simple or complex value either of which may be multi- at least one simple or complex value either of which may be multi-
valued. SCIM schema defines the data type, plurality and other valued. For each attribute, SCIM schema defines the data type,
distinguishing features of an attribute. Unless otherwise specified plurality, mutability, and other distinguishing features of an
all attributes are modifiable by consumers. attribute.
Attribute names SHOULD be camelCased. SCIM resources are represented Attribute names SHOULD be camel-cased (e.g. "camelCase"). SCIM
in JSON [RFC7159] and MUST specify schema via the "schemas" attribute resources are represented in JSON [RFC7159] and MUST specify schema
per Section 4.2. via the "schemas" attribute per Section 4.2.
Attribute names MUST conform to the following ABNF [RFC5234] rules: Attribute names MUST conform to the following ABNF [RFC5234] rules:
ATTRNAME = ALPHA *(nameChar) ATTRNAME = ALPHA *(nameChar)
nameChar = "-" / "_" / DIGIT / ALPHA nameChar = "-" / "_" / DIGIT / ALPHA
Figure 1: ABNF for Attribute Names Figure 1: ABNF for Attribute Names
2.1. Attribute Data Types 2.1. Attribute Data Types
Attribute data types are derived from JSON [RFC7159] and unless Attribute data types are derived from JSON [RFC7159] and unless
otherwise specified have the following characteristics (see otherwise specified have the following characteristics (see
Section 10 for attribute characteristic definitions): Section 10 for attribute characteristic definitions):
are optional (is not required). o are optional (is not required).
are case insensitive (caseExact=false), o are case insensitive (caseExact=false),
are modifiable (mutability is readWrite), o are modifiable (mutability is readWrite),
are returned in response to queries (returned by default), o are returned in response to queries (returned by default),
are not unique (uniqueness=none), and, o are not unique (uniqueness=none), and,
of type String (Section 2.1.1). o of type String (Section 2.1.1).
The JSON format defines a limited set of data types, hence, where The JSON format defines a limited set of data types, hence, where
appropriate, alternate JSON representations derived from XML Schema appropriate, alternate JSON representations derived from XML Schema
[XML-Schema] are defined below. SCIM extensions SHOULD NOT introduce [XML-Schema] are defined below. SCIM extensions SHOULD NOT introduce
new data types. new data types.
2.1.1. String 2.1.1. String
A sequence of zero or more Unicode characters encoded using UTF-8 as A sequence of zero or more Unicode characters encoded using UTF-8 as
per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7 per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7
skipping to change at page 7, line 34 skipping to change at page 7, line 45
OPTIONAL. OPTIONAL.
2.1.8. Complex 2.1.8. Complex
A singular or multi-valued attribute whose value is a composition of A singular or multi-valued attribute whose value is a composition of
one or more simple Attributes. The JSON format is defined in one or more simple Attributes. The JSON format is defined in
Section 4 [RFC7159]. Section 4 [RFC7159].
2.2. Multi-valued Attributes 2.2. Multi-valued Attributes
Multi-valued attributes are unordered lists of attributes. Each Multi-valued attributes contain a list of value or may contain sub-
attribute MAY contain Sub-Attributes and therefore multi-valued attributes and MAY also be considered complex attributes. The order
attributes may contain complex attributes. The sub-attributes below of values returned by the server MAY NOT be guaranteed. The sub-
are considered normative and when specified SHOULD be used as attributes below are considered normative and when specified SHOULD
defined. be used as defined.
type A label indicating the attribute's function; e.g., "work" or type A label indicating the attribute's function; e.g., "work" or
"home". "home".
primary A boolean value indicating the 'primary' or preferred primary A Boolean value indicating the 'primary' or preferred
attribute value for this attribute, e.g. the preferred mailing attribute value for this attribute, e.g. the preferred mailing
address or primary e-mail address. The primary attribute value address or the primary e-mail address. The primary attribute
"true" MUST appear no more than once. value "true" MUST appear no more than once.
display A human readable name, primarily used for display purposes display A human readable name, primarily used for display purposes
and has a mutability of "immutable". and has a mutability of "immutable".
operation The operation to perform on the multi-valued attribute
during a PATCH request. The only valid value is "delete", which
signifies that this instance should be removed from the resource.
value The attribute's significant value; e.g., the e-mail address, value The attribute's significant value; e.g., the e-mail address,
phone number, etc. phone number, etc.
$ref The reference URI of the target resource, if the attribute is a $ref The reference URI of the target resource, if the attribute is a
reference. reference.
When returning multi-valued attributes, service providers SHOULD When returning multi-valued attributes, service providers SHOULD
canonicalize the value returned, if appropriate (e.g. for e-mail canonicalize the value returned, if appropriate (e.g. for e-mail
addresses and URLs). Service providers MAY return the same value addresses and URLs). Service providers MAY return the same value
more than once with different types (e.g. the same e-mail address may more than once with different types (e.g. the same e-mail address may
used for work and home), but SHOULD NOT return the same (type, value) used for work and home), but SHOULD NOT return the same (type, value)
combination more than once per Attribute, as this complicates combination more than once per Attribute, as this complicates
processing by the Consumer. processing by the Consumer.
2.3. Unassigned and Null Values 2.3. Unassigned and Null Values
Unassigned attributes, the null value, or empty array (in the case of Unassigned attributes, the null value, or empty array (in the case of
a multi-valued attribute) SHALL be considered to be equivalent in a multi-valued attribute) SHALL be considered to be equivalent in
"state". Assigning an attribute with the value "null" or an empty "state". Assigning an attribute with the value "null" or an empty
array (in the case of multi-valued attributes) has the effect of array (in the case of multi-valued attributes) has the effect of
making the attribute "unassigned". When an resource is expressed in making the attribute "unassigned". When a resource is expressed in
JSON form, unassigned attributes, though they are defined in schema, JSON form, unassigned attributes, though they are defined in schema,
MAY be omitted for compactness. MAY be omitted for compactness.
3. Schema Extension Model 3. Schema Extension Model
SCIM schema follows an object extension model similar to SCIM supports two types of extensions: Resource Types and Attribute
ObjectClasses used in LDAP. Unlike LDAP there is no inheritance extensions. New resources allow new objects to be defined, while
model; all extensions are additive (similar to LDAP Auxiliary Object attribute extensions allow for new classes of attributes to be added
Class [RFC4512] ). Each "schemas" value indicates additive schema to an existing resource type. For example, the enterprise user
that may exist in a SCIM resource representation. The "schemas" extension defines additional attributes for a "User" resource type.
attribute MUST contain at least one value which SHALL be the base
schema for the resource. The "schemas" attribute MAY contain 3.1. Resource Type Extensions
additional values indicating extended schemas that are in use.
Schema extensions SHOULD NOT redefine any attributes defined in this Each resource type supported by a SCIM service provider defines the
specification and SHOULD follow conventions defined in this types name, endpoint, base schema (the attributes), and any schema
specification. Except for the base object schema, the schema extensions registered for use with the resource type. In order to
extension URI SHALL be used as a JSON container to distinguish offer new types of resources, a service provider defines the new
attributes belonging to the extension namespace from base schema resource type as specified in Section 9.
attributes. See Figure 4 for an example JSON representation of an
extended User. 3.2. Attribute Extensions
SCIM allows resource types to have extensions in addition to their
core schema. This is similar to how "ObjectClasses" used in LDAP.
However, unlike LDAP there is no inheritance model; all extensions
are additive (similar to LDAP Auxiliary Object Class [RFC4512] ).
Each "schemas" value indicates additive schema that may exist in a
SCIM resource representation. The "schemas" attribute MUST contain
at least one value which SHALL be the base schema for the resource.
The "schemas" attribute MAY contain additional values indicating
extended schemas that are in use. Schema extensions SHOULD avoid
redefining any attributes defined in this specification and SHOULD
follow conventions defined in this specification. Except for the
base object schema, the schema extension URI SHALL be used as a JSON
container to distinguish attributes belonging to the extension
namespace from base schema attributes. See Figure 4 for an example
JSON representation of an extended User.
In order to determine which "schemas" URI value is the base schema In order to determine which "schemas" URI value is the base schema
and which is extended schema for any given resource, the resource's and which is extended schema for any given resource, the resource's
"resourceType" attribute value MAY be used to retrieve the resource's "resourceType" attribute value MAY be used to retrieve the resource's
"ResourceType" schema ( Section 9 ). See example "ResourceType" "ResourceType" schema ( Section 9 ). See example "ResourceType"
representation in Figure 7. representation in Figure 7.
4. SCIM Core Schema 4. SCIM Core Schema
4.1. Common Schema Attributes 4.1. Common Schema Attributes
Each SCIM resource (Users, Groups, etc.) includes the following Each SCIM resource (Users, Groups, etc.) includes the following
common attributes. These attributes MUST be included in all common attributes. With the exception of "ServiceProviderConfig" and
resources, including any extended resource types. Common attributes "ResourceType" server discovery endpoints and their associated
are considered to be part of every base resource schema and do not resources, these attributes MUST be included in all resources,
use their own schemas URI and SHALL not be considered schema including any extended resource types. Common attributes are
extensions. considered to be part of every base resource schema and do not use
their own schemas URI and SHALL not be considered schema extensions.
id A unique identifier for a SCIM resource as defined by the service id
A unique identifier for a SCIM resource as defined by the service
provider. Each representation of the resource MUST include a non- provider. Each representation of the resource MUST include a non-
empty "id" value. This identifier MUST be unique across the empty "id" value. This identifier MUST be unique across the SCIM
service provider's entire set of resources. It MUST be a stable, service provider's entire set of resources. It MUST be a stable,
non-reassignable identifier that does not change when the same non-reassignable identifier that does not change when the same
resource is returned in subsequent requests. The value of the resource is returned in subsequent requests. The value of the
"id" attribute is always issued by the service provider and MUST "id" attribute is always issued by the service provider and MUST
NOT be specified by the client. The string "bullkId" is a NOT be specified by the client. The string "bulkId" is a reserved
reserved keyword and MUST NOT be used within any unique identifier keyword and MUST NOT be used within any unique identifier value.
value. REQUIRED and has a mutability of "readOnly". REQUIRED and has a mutability of "readOnly".
externalId An identifier for the resource as defined by the client. externalId
The "externalId" may simplify identification of the resource An identifier for the resource as defined by the client. The
between client and service provider by allowing the client to use "externalId" may simplify identification of the resource between
a filter to locate the resource with its own identifier, obviating client and service provider by allowing the client to use a filter
the need to store a local mapping between the local identifier of to locate the resource with its own identifier, obviating the need
the resource and the identifier used by the service provider. to store a local mapping between the local identifier of the
Each resource MAY include a non-empty externalId value. The value resource and the identifier used by the service provider. Each
of the "externalId" attribute is always issued by the client and resource MAY include a non-empty "externalId" value. The value of
can never be specified by the service provider. The service the "externalId" attribute is always issued by the client and can
provider MUST always interpret the externalId as scoped to the never be specified by the service provider. The service provider
client's tenant. MUST always interpret the externalId as scoped to the client's
tenant.
meta A complex attribute containing resource metadata. All sub- meta
A complex attribute containing resource metadata. All sub-
attributes are OPTIONAL attributes are OPTIONAL
resourceType The name of the resource type of the resource. This resourceType The name of the resource type of the resource. This
attribute has mutability of "readOnly". attribute has mutability of "readOnly".
created The DateTime the resource was added to the service created The DateTime the resource was added to the service
provider. The attribute MUST be a DateTime. This attribute provider. The attribute MUST be a DateTime. This attribute
has mutability of "readOnly". has mutability of "readOnly".
lastModified The most recent DateTime the details of this lastModified The most recent DateTime the details of this
skipping to change at page 10, line 21 skipping to change at page 10, line 45
location The URI of the resource being returned. This value MUST location The URI of the resource being returned. This value MUST
be the same as the Location HTTP response header. The be the same as the Location HTTP response header. The
attribute has mutability of "readOnly". attribute has mutability of "readOnly".
version The version of the resource being returned. This value version The version of the resource being returned. This value
must be the same as the ETag HTTP response header. The must be the same as the ETag HTTP response header. The
attribute has mutability of "readOnly". attribute has mutability of "readOnly".
4.2. "schemas" Attribute 4.2. "schemas" Attribute
SCIM supports resources of different types, with extensible schemas. The "schemas" attribute is a REQUIRED attribute and is an array of
Each resource MUST be indicated using fully qualified URLs. Strings containing URIs which are used to indicate the namespace of
SCIM schema as well as any schema extensions that together defines
A "schemas" attribute contains URIs which are used to indicate the the attributes in a resource. Each String value must be a unique
namespace and version of SCIM schema as well as any schema URI. All representations of SCIM schema MUST include a non-zero
extensions. The first value SHALL indicate the base schema for the value array with value(s) of the URIs supported by that
resource. representation. The schemas attribute for a resource MUST only
contain values defined as "schema" and "schemaExtensions" for the
schemas The schemas attribute is an array of Strings which allows resource's "resourceType". Duplicate values MUST NOT be included.
introspection of the supported schema version for a SCIM Value order is not specified and MUST not impact behavior.
representation as well any schema extensions supported by that
representation. Each String value must be a unique URI. This
specification defines URIs for User, Group, and a standard
enterprise-user extension. All representations of SCIM schema
MUST include a non-zero value array with value(s) of the URIs
supported by that representation. The schemas attribute for a
resource MUST only contain values defined as "schema" and
"schemaExtensions" for the resource's resource type. Duplicate
values MUST NOT be included. Value order is not specified and
MUST not impact behavior. REQUIRED.
5. SCIM User Schema 5. SCIM User Schema
SCIM provides a schema for representing Users, identified using the SCIM provides a resource type for "User" resources. The core schema
following URI: "urn:ietf:params:scim:schemas:core:2.0:User". The for "User" is identified using the URI:
following attributes are defined in addition to those attributes "urn:ietf:params:scim:schemas:core:2.0:User". The following
defined in SCIM Core Schema: attributes are defined in addition to the core schema attributes:
5.1. Singular Attributes 5.1. Singular Attributes
userName Unique identifier for the user, typically used by the user userName
to directly authenticate to the service provider. Often displayed A service provider unique identifier for the user, typically used
to the user as their unique identifier within the system (as by the user to directly authenticate to the service provider.
opposed to id or externalId, which are generally opaque and not Often displayed to the user as their unique identifier within the
user-friendly identifiers). Each User MUST include a non-empty system (as opposed to id or externalId, which are generally opaque
userName value. This identifier MUST be unique across the and not user-friendly identifiers). Each User MUST include a non-
client's entire set of Users. RECOMMENDED. empty userName value. This identifier MUST be unique across the
service provider's entire set of Users. RECOMMENDED.
name The components of the user's real name. Service providers MAY name
The components of the user's real name. Service providers MAY
return just the full name as a single string in the formatted sub- return just the full name as a single string in the formatted sub-
attribute, or they MAY return just the individual component attribute, or they MAY return just the individual component
attributes using the other sub-attributes, or they MAY return attributes using the other sub-attributes, or they MAY return
both. If both variants are returned, they SHOULD be describing both. If both variants are returned, they SHOULD be describing
the same name, with the formatted name indicating how the the same name, with the formatted name indicating how the
component attributes should be combined. component attributes should be combined.
formatted The full name, including all middle names, titles, and formatted The full name, including all middle names, titles, and
suffixes as appropriate, formatted for display (e.g. "Ms. suffixes as appropriate, formatted for display (e.g. "Ms.
Barbara Jane Jensen, III." ). Barbara Jane Jensen, III." ).
skipping to change at page 11, line 46 skipping to change at page 12, line 9
full name "Ms. Barbara Jane Jensen, III." ). full name "Ms. Barbara Jane Jensen, III." ).
honorificPrefix The honorific prefix(es) of the User, or title in honorificPrefix The honorific prefix(es) of the User, or title in
most Western languages (e.g. "Ms." given the full name "Ms. most Western languages (e.g. "Ms." given the full name "Ms.
Barbara Jane Jensen, III." ). Barbara Jane Jensen, III." ).
honorificSuffix The honorific suffix(es) of the User, or suffix honorificSuffix The honorific suffix(es) of the User, or suffix
in most Western languages (e.g. "III." given the full name in most Western languages (e.g. "III." given the full name
"Ms. Barbara Jane Jensen, III." ). "Ms. Barbara Jane Jensen, III." ).
displayName The name of the user, suitable for display to end-users. displayName
Each user returned MAY include a non-empty displayName value. The The name of the user, suitable for display to end-users. Each
name SHOULD be the full name of the User being described if known user returned MAY include a non-empty displayName value. The name
(e.g. "Babs Jensen" or "Ms. Barbara J Jensen, III" ), but MAY be SHOULD be the full name of the User being described if known (e.g.
a username or handle, if that is all that is available (e.g. "Babs Jensen" or "Ms. Barbara J Jensen, III" ), but MAY be a
username or handle, if that is all that is available (e.g.
"bjensen" ). The value provided SHOULD be the primary textual "bjensen" ). The value provided SHOULD be the primary textual
label by which this User is normally displayed by the service label by which this User is normally displayed by the service
provider when presenting it to end-users. provider when presenting it to end-users.
nickName The casual way to address the user in real life, e.g. nickName
"Bob" or "Bobby" instead of "Robert". This attribute SHOULD NOT The casual way to address the user in real life, e.g. "Bob" or
be used to represent a User's username (e.g. bjensen or "Bobby" instead of "Robert". This attribute SHOULD NOT be used to
mpepperidge). represent a User's username (e.g. bjensen or mpepperidge).
profileUrl A fully qualified URL to a page representing the user's profileUrl
online profile. A fully qualified URL to a page representing the user's online
profile.
title The user's title, such as "Vice President". title
The user's title, such as "Vice President".
userType Used to identify the organization to user relationship. userType
Typical values used might be "Contractor", "Employee", "Intern", Used to identify the organization to user relationship. Typical
"Temp", "External", and "Unknown" but any value may be used. values used might be "Contractor", "Employee", "Intern", "Temp",
"External", and "Unknown" but any value may be used.
preferredLanguage Indicates the user's preferred written or spoken preferredLanguage
languages and is generally used for selecting a localized User Indicates the user's preferred written or spoken languages and is
interface. The value indicates the set of natural languages that generally used for selecting a localized User interface. The
are preferred. The format of the value is same as the Accept- value indicates the set of natural languages that are preferred.
Language header field (not including "Accept-Language:") of HTTP The format of the value is same as the Accept-Language header
and is specified in Section 5.3.5 of [RFC7231]. The intent of field (not including "Accept-Language:") of HTTP and is specified
this value is to enable cloud applications to perform matching of in Section 5.3.5 of [RFC7231]. The intent of this value is to
language tags [RFC4647] to the user's language preferences enable cloud applications to perform matching of language tags
regardless of what may be indicated by a user agent (which might [RFC4647] to the user's language preferences regardless of what
be shared), or in a non-user present interaction (such as in a may be indicated by a user agent (which might be shared), or in a
delegated OAuth2 [RFC6749] style interaction) where normal HTTP non-user present interaction (such as in a delegated OAuth2
Accept-Language header negotiation cannot take place. [RFC6749] style interaction) where normal HTTP Accept-Language
header negotiation cannot take place.
locale Used to indicate the User's default location for purposes of locale
Used to indicate the User's default location for purposes of
localizing items such as currency, date time format, numerical localizing items such as currency, date time format, numerical
representations, etc. A valid value is a language tag as defined representations, etc. A valid value is a language tag as defined
in [RFC5646]. Computer languages are explicitly excluded. in [RFC5646]. Computer languages are explicitly excluded.
A language tag is a sequence of one or more case-insensitive sub- A language tag is a sequence of one or more case-insensitive sub-
tags, each separated by a hyphen character ("-", %x2D). For tags, each separated by a hyphen character ("-", %x2D). For
backwards compatibility reasons, servers MAY accept tags separated backwards compatibility reasons, servers MAY accept tags separated
by an underscore character ("_", %5F). In most cases, a language by an underscore character ("_", %5F). In most cases, a language
tag consists of a primary language sub-tag that identifies a broad tag consists of a primary language sub-tag that identifies a broad
family of related languages (e.g., "en" = English) which is family of related languages (e.g., "en" = English) which is
optionally followed by a series of sub-tags that refine or narrow optionally followed by a series of sub-tags that refine or narrow
that language's range (e.g., "en-CA" = the variety of English as that language's range (e.g., "en-CA" = the variety of English as
communicated in Canada). Whitespace is not allowed within a communicated in Canada). Whitespace is not allowed within a
language tag. Example tags include: language tag. Example tags include:
fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN
See [RFC5646] for further information. See [RFC5646] for further information.
timezone The User's time zone in IANA Time Zone database format timezone
[RFC6557], also known as "Olson" timezone database format The User's time zone in IANA Time Zone database format [RFC6557],
[Olson-TZ] ; For example: "America/Los_Angeles". also known as "Olson" timezone database format [Olson-TZ] ; For
example: "America/Los_Angeles".
active A Boolean value indicating the user's administrative status. active
The definitive meaning of this attribute is determined by the A Boolean value indicating the user's administrative status. The
service provider. As a typical example, a value of true infers definitive meaning of this attribute is determined by the service
the user is able to login while a value of false implies the provider. As a typical example, a value of true infers the user
user's account has been suspended. is able to login while a value of false implies the user's account
has been suspended.
password The user's clear text password. This attribute is intended password
to be used as a means to specify an initial password when creating The user's clear text password. This attribute is intended to be
a new User or to reset an existing User's password. Password used as a means to specify an initial password when creating a new
policies and the ability to update or set passwords are out of User or to reset an existing User's password. Password policies
scope of this document. The mutability of this attribute is and the ability to update or set passwords are out of scope of
"writeOnly" indicating the value MUST NOT be returned by a service this document. The mutability of this attribute is "writeOnly"
provider in any form. indicating the value MUST NOT be returned by a service provider in
any form.
5.2. Multi-valued Attributes 5.2. Multi-valued Attributes
The following multi-valued attributes are defined. The following multi-valued attributes are defined.
emails E-mail addresses for the User. The value SHOULD be emails
canonicalized by the service provider, e.g. "bjensen@example.com" E-mail addresses for the User. The value SHOULD be canonicalized
instead of "bjensen@EXAMPLE.COM". Canonical type values of by the service provider, e.g. "bjensen@example.com" instead of
"work", "home", and "other". "bjensen@EXAMPLE.COM". Canonical type values of "work", "home",
and "other".
phoneNumbers Phone numbers for the user. The value SHOULD be phoneNumbers
canonicalized by the service provider according to format in Phone numbers for the user. The value SHOULD be canonicalized by
[RFC3966] e.g. 'tel:+1-201-555-0123'. Canonical type values of the service provider according to format in [RFC3966] e.g.
"work", "home", "mobile", "fax", "pager", and "other". 'tel:+1-201-555-0123'. Canonical type values of "work", "home",
"mobile", "fax", "pager", and "other".
ims Instant messaging address for the user. No official ims
Instant messaging address for the user. No official
canonicalization rules exist for all instant messaging addresses, canonicalization rules exist for all instant messaging addresses,
but service providers SHOULD, when appropriate, remove all but service providers SHOULD, when appropriate, remove all
whitespace and convert the address to lowercase. Instead of the whitespace and convert the address to lowercase. Instead of the
standard canonical values for type, this attribute defines the standard canonical values for type, this attribute defines the
following canonical values to represent currently popular IM following canonical values to represent currently popular IM
services: "aim", "gtalk", "icq", "xmpp", "msn", "skype", "qq", services: "aim", "gtalk", "icq", "xmpp", "msn", "skype", "qq",
"yahoo", and "other". "yahoo", and "other".
photos URL of a photo of the User. The value SHOULD be a photos
canonicalized URL, and MUST point to an image file (e.g. a GIF, URL of a photo of the User. The value SHOULD be a canonicalized
JPEG, or PNG image file) rather than to a web page containing an URL, and MUST point to an image file (e.g. a GIF, JPEG, or PNG
image. Service providers MAY return the same image at different image file) rather than to a web page containing an image.
sizes, though it is recognized that no standard for describing Service providers MAY return the same image at different sizes,
images of various sizes currently exists. Note that this though it is recognized that no standard for describing images of
attribute SHOULD NOT be used to send down arbitrary photos taken various sizes currently exists. Note that this attribute SHOULD
by this user, but specifically profile photos of the user suitable NOT be used to send down arbitrary photos taken by this user, but
for display when describing the user. Instead of the standard specifically profile photos of the user suitable for display when
canonical values for type, this attribute defines the following describing the user. Instead of the standard canonical values for
canonical values to represent popular photo sizes: "photo", type, this attribute defines the following canonical values to
"thumbnail". represent popular photo sizes: "photo", "thumbnail".
addresses A physical mailing address for this user. Canonical type addresses
values of "work", "home", and "other". The value attribute is a A physical mailing address for this user. Canonical type values
complex type with the following sub-attributes. All sub- of "work", "home", and "other". The value attribute is a complex
attributes are OPTIONAL. type with the following sub-attributes. All sub-attributes are
OPTIONAL.
formatted The full mailing address, formatted for display or use formatted The full mailing address, formatted for display or use
with a mailing label. This attribute MAY contain newlines. with a mailing label. This attribute MAY contain newlines.
streetAddress The full street address component, which may streetAddress The full street address component, which may
include house number, street name, P.O. box, and multi-line include house number, street name, P.O. box, and multi-line
extended street address information. This attribute MAY extended street address information. This attribute MAY
contain newlines. contain newlines.
locality The city or locality component. locality The city or locality component.
region The state or region component. region The state or region component.
postalCode The zipcode or postal code component. postalCode The zipcode or postal code component.
country The country name component. When specified the value country The country name component. When specified the value
MUST be in ISO 3166-1 alpha 2 "short" code format [ISO3166] ; MUST be in ISO 3166-1 alpha 2 "short" code format [ISO3166] ;
e.g., the United States and Sweden are "US" and "SE", e.g., the United States and Sweden are "US" and "SE",
respectively. respectively.
groups A list of groups that the user belongs to, either thorough groups
direct membership, nested groups, or dynamically calculated. The A list of groups that the user belongs to, either thorough direct
values are meant to enable expression of common group or role membership, nested groups, or dynamically calculated. The values
based access control models, although no explicit authorization are meant to enable expression of common group or role based
model is defined. It is intended that the semantics of group access control models, although no explicit authorization model is
membership and any behavior or authorization granted as a result defined. It is intended that the semantics of group membership
of membership are defined by the service provider. The canonical and any behavior or authorization granted as a result of
membership are defined by the service provider. The canonical
types "direct" and "indirect" are defined to describe how the types "direct" and "indirect" are defined to describe how the
group membership was derived. Direct group membership indicates group membership was derived. Direct group membership indicates
the user is directly associated with the group and SHOULD indicate the user is directly associated with the group and SHOULD indicate
that clients may modify membership through the "Group" resource. that clients may modify membership through the "Group" resource.
Indirect membership indicates user membership is transitive or Indirect membership indicates user membership is transitive or
dynamic and implies that clients cannot modify indirect group dynamic and implies that clients cannot modify indirect group
membership through the "Group" resource but MAY modify direct membership through the "Group" resource but MAY modify direct
group membership through the "Group" resource which MAY influence group membership through the "Group" resource which MAY influence
indirect memberships. If the SCIM service provider exposes a indirect memberships. If the SCIM service provider exposes a
Group resource, the "value" sub-attribute MUST be the "id" and the Group resource, the "value" sub-attribute MUST be the "id" and the
"$ref" sub-attribute must be the URI of the corresponding "Group" "$ref" sub-attribute must be the URI of the corresponding "Group"
resources to which the user belongs. Since this attribute has a resources to which the user belongs. Since this attribute has a
mutability of "readOnly", group membership changes MUST be applied mutability of "readOnly", group membership changes MUST be applied
via the Group Resource (Section 7). The attribute has a via the Group Resource (Section 7). The attribute has a
mutability of "readOnly". mutability of "readOnly".
entitlements A list of entitlements for the user that represent a entitlements
thing the user has. An entitlement MAY be an additional right to A list of entitlements for the user that represent a thing the
a thing, object, or service. No vocabulary or syntax is specified user has. An entitlement MAY be an additional right to a thing,
and service providers and clients are expected to encode object, or service. No vocabulary or syntax is specified and
sufficient information in the value so as to accurately and service providers and clients are expected to encode sufficient
without ambiguity determine what the user has access to. This information in the value so as to accurately and without ambiguity
value has NO canonical types though type may be useful as a means determine what the user has access to. This value has NO
to scope entitlements. canonical types though type may be useful as a means to scope
entitlements.
roles A list of roles for the user that collectively represent who roles
the user is; e.g., "Student, Faculty". No vocabulary or syntax is A list of roles for the user that collectively represent who the
user is; e.g., "Student, Faculty". No vocabulary or syntax is
specified though it is expected that a role value is a String or specified though it is expected that a role value is a String or
label representing a collection of entitlements. This value has label representing a collection of entitlements. This value has
NO canonical types. NO canonical types.
x509Certificates A list of certificates issued to the User. Values x509Certificates
are Binary (Section 2.1.6) and DER encoded x509. This value has A list of certificates issued to the User. Values are Binary
NO canonical types. (Section 2.1.6) and DER encoded x509. This value has NO canonical
types.
6. SCIM Enterprise User Schema Extension 6. SCIM Enterprise User Schema Extension
The following SCIM extension defines attributes commonly used in The following SCIM extension defines attributes commonly used in
representing users that belong to, or act on behalf of a business or representing users that belong to, or act on behalf of a business or
enterprise. The enterprise user extension is identified using the enterprise. The enterprise user extension is identified using the
following schema URI: following schema URI:
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User". "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User".
The following Singular Attributes are defined: The following Singular Attributes are defined:
employeeNumber Numeric or alphanumeric identifier assigned to a employeeNumber
person, typically based on order of hire or association with an Numeric or alphanumeric identifier assigned to a person, typically
organization. based on order of hire or association with an organization.
costCenter Identifies the name of a cost center. costCenter
Identifies the name of a cost center.
organization Identifies the name of an organization. organization
Identifies the name of an organization.
division Identifies the name of a division. division
Identifies the name of a division.
department Identifies the name of a department. department
Identifies the name of a department.
manager The user's manager. A complex type that optionally allows manager
service providers to represent organizational hierarchy by The user's manager. A complex type that optionally allows service
referencing the "id" attribute of another User. providers to represent organizational hierarchy by referencing the
"id" attribute of another User.
value The "id" of the SCIM resource representing the user's value The "id" of the SCIM resource representing the user's
manager. RECOMMENDED. manager. RECOMMENDED.
$ref The URI of the SCIM resource representing the User's $ref The URI of the SCIM resource representing the User's
manager. RECOMMENDED. manager. RECOMMENDED.
displayName The displayName of the user's manager. This displayName The displayName of the user's manager. This
attribute is OPTIONAL and mutability is "readOnly". attribute is OPTIONAL and mutability is "readOnly".
skipping to change at page 16, line 33 skipping to change at page 17, line 20
Group resources are meant to enable expression of common group or Group resources are meant to enable expression of common group or
role based access control models, although no explicit authorization role based access control models, although no explicit authorization
model is defined. It is intended that the semantics of group model is defined. It is intended that the semantics of group
membership and any behavior or authorization granted as a result of membership and any behavior or authorization granted as a result of
membership are defined by the service provider are considered out of membership are defined by the service provider are considered out of
scope for this specification. scope for this specification.
The following singular attribute is defined in addition to the common The following singular attribute is defined in addition to the common
attributes defined in SCIM core schema: attributes defined in SCIM core schema:
displayName A human readable name for the Group. REQUIRED. displayName
A human readable name for the Group. REQUIRED.
The following multi-valued attribute is defined in addition to the The following multi-valued attribute is defined in addition to the
common attributes defined in SCIM Core Schema: common attributes defined in SCIM Core Schema:
members A list of members of the Group. While values MAY be added members
or removed, sub-attributes of members are "immutable". The A list of members of the Group. While values MAY be added or
"value" sub-attribute must be the "id" and the "$ref" sub- removed, sub-attributes of members are "immutable". The "value"
attribute must be the URI of a SCIM resource, either a "User", or sub-attribute must be the "id" and the "$ref" sub-attribute must
a "Group". The intention of the "Group" type is to allow the be the URI of a SCIM resource, either a "User", or a "Group". The
service provider to support nested groups. Service providers MAY intention of the "Group" type is to allow the service provider to
require clients to provide a non-empty members value based on the support nested groups. Service providers MAY require clients to
"required" sub attribute of the "members" attribute in the "Group" provide a non-empty members value based on the "required" sub
resource schema. attribute of the "members" attribute in the "Group" resource
schema.
8. Service Provider Configuration Schema 8. Service Provider Configuration Schema
SCIM provides a schema for representing the service provider's SCIM provides a schema for representing the service provider's
configuration identified using the following schema URI: configuration identified using the following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
The service provider configuration resource enables a service The service provider configuration resource enables a service
provider to discovery of SCIM specification features in a provider to discovery of SCIM specification features in a
standardized form as well as provide additional implementation standardized form as well as provide additional implementation
details to clients. All attributes are READ-ONLY (a mutability of details to clients. All attributes are READ-ONLY (a mutability of
"readOnly" ). Unlike other core resources, the "id" attribute is not "readOnly" ). Unlike other core resources, the "id" attribute is not
required for the service provider configuration resource. required for the service provider configuration resource.
The following Singular Attributes are defined in addition to the The following Singular Attributes are defined in addition to the
common attributes defined in Core Schema: common attributes defined in Core Schema:
skipping to change at page 17, line 14 skipping to change at page 18, line 5
The service provider configuration resource enables a service The service provider configuration resource enables a service
provider to discovery of SCIM specification features in a provider to discovery of SCIM specification features in a
standardized form as well as provide additional implementation standardized form as well as provide additional implementation
details to clients. All attributes are READ-ONLY (a mutability of details to clients. All attributes are READ-ONLY (a mutability of
"readOnly" ). Unlike other core resources, the "id" attribute is not "readOnly" ). Unlike other core resources, the "id" attribute is not
required for the service provider configuration resource. required for the service provider configuration resource.
The following Singular Attributes are defined in addition to the The following Singular Attributes are defined in addition to the
common attributes defined in Core Schema: common attributes defined in Core Schema:
documentationUrl An HTTP addressable URL pointing to the service documentationUrl
provider's human consumable help documentation. An HTTP addressable URL pointing to the service provider's human
consumable help documentation.
patch A complex type that specifies PATCH configuration options. patch
A complex type that specifies PATCH configuration options.
REQUIRED. REQUIRED.
supported Boolean value specifying whether the operation is supported Boolean value specifying whether the operation is
supported. REQUIRED. supported. REQUIRED.
bulk A complex type that specifies BULK configuration options. bulk
A complex type that specifies BULK configuration options.
REQUIRED REQUIRED
supported Boolean value specifying whether the operation is supported Boolean value specifying whether the operation is
supported. REQUIRED. supported. REQUIRED.
maxOperations An integer value specifying the maximum number of maxOperations An integer value specifying the maximum number of
operations. REQUIRED. operations. REQUIRED.
maxPayloadSize An integer value specifying the maximum payload maxPayloadSize An integer value specifying the maximum payload
size in bytes. REQUIRED. size in bytes. REQUIRED.
filter A complex type that specifies FILTER options. REQUIRED. filter
A complex type that specifies FILTER options. REQUIRED.
supported Boolean value specifying whether the operation is supported Boolean value specifying whether the operation is
supported. REQUIRED. supported. REQUIRED.
maxResults Integer value specifying the maximum number of maxResults Integer value specifying the maximum number of
resources returned in a response. REQUIRED. resources returned in a response. REQUIRED.
changePassword A complex type that specifies Change Password changePassword
configuration options. REQUIRED. A complex type that specifies Change Password configuration
options. REQUIRED.
supported Boolean value specifying whether the operation is supported Boolean value specifying whether the operation is
supported. REQUIRED. supported. REQUIRED.
sort A complex type that specifies Sort configuration options. sort
A complex type that specifies Sort configuration options.
REQUIRED. REQUIRED.
supported Boolean value specifying whether sorting is supported. supported Boolean value specifying whether sorting is supported.
REQUIRED. REQUIRED.
etag A complex type that specifies Etag configuration options. etag
A complex type that specifies Etag configuration options.
REQUIRED. REQUIRED.
supported Boolean value specifying whether the operation is supported Boolean value specifying whether the operation is
supported. REQUIRED. supported. REQUIRED.
The following multi-valued attribute is defined in addition to the The following multi-valued attribute is defined in addition to the
common attributes defined in core schema: common attributes defined in core schema:
authenticationSchemes A complex type that specifies supported authenticationSchemes
Authentication Scheme properties. This attribute defines the A complex type that specifies supported Authentication Scheme
following canonical values to represent common schemes: "oauth", properties. This attribute defines the following canonical values
"oauth2", "oauthbearertoken", "httpbasic", and "httpdigest". To to represent common schemes: "oauth", "oauth2",
enable seamless discovery of configuration, the service provider "oauthbearertoken", "httpbasic", and "httpdigest". To enable
SHOULD, with the appropriate security considerations, make the seamless discovery of configuration, the service provider SHOULD,
with the appropriate security considerations, make the
authenticationSchemes attribute publicly accessible without prior authenticationSchemes attribute publicly accessible without prior
authentication. REQUIRED. authentication. REQUIRED.
name The common authentication scheme name; e.g., HTTP Basic. name The common authentication scheme name; e.g., HTTP Basic.
REQUIRED. REQUIRED.
description A description of the Authentication Scheme. description A description of the Authentication Scheme.
REQUIRED. REQUIRED.
specUrl A HTTP addressable URL pointing to the Authentication specUrl A HTTP addressable URL pointing to the Authentication
skipping to change at page 18, line 50 skipping to change at page 19, line 47
The "ResourceType" schema specifies the meta-data about a resource The "ResourceType" schema specifies the meta-data about a resource
type. Resource type resources are READ-ONLY and identified using the type. Resource type resources are READ-ONLY and identified using the
following schema URI: following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:ResourceType". Unlike other "urn:ietf:params:scim:schemas:core:2.0:ResourceType". Unlike other
core resources, all attributes are REQUIRED unless otherwise core resources, all attributes are REQUIRED unless otherwise
specified. The "id" attribute is not required for the resource type specified. The "id" attribute is not required for the resource type
resource. resource.
The following Singular Attributes are defined: The following Singular Attributes are defined:
id The resource type's server unique id. Often this is the same id
The resource type's server unique id. Often this is the same
value as the "name" attribute. OPTIONAL value as the "name" attribute. OPTIONAL
name The resource type name. When applicable service providers MUST name
The resource type name. When applicable service providers MUST
specify the name specified in the core schema specification; e.g., specify the name specified in the core schema specification; e.g.,
"User" or "Group". This name is referenced by the "User" or "Group". This name is referenced by the
"meta.resourceType" attribute in all resources. "meta.resourceType" attribute in all resources.
description The resource type's human readable description. When description
applicable service providers MUST specify the description The resource type's human readable description. When applicable
specified in the core schema specification. service providers MUST specify the description specified in the
core schema specification.
endpoint The resource type's HTTP addressable endpoint relative to endpoint
the Base URL; e.g., "/Users". The resource type's HTTP addressable endpoint relative to the Base
URL; e.g., "/Users".
schema The resource type's primary schema URI; e.g., schema
The resource type's primary/base schema URI; e.g.,
"urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal "urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal
to the "id" attribute of the associated "Schema" resource. to the "id" attribute of the associated "Schema" resource.
schemaExtensions A list of URIs of the resource type's schema schemaExtensions
extensions. OPTIONAL. A list of URIs of the resource type's schema extensions.
OPTIONAL.
schema The URI of an extended schema; e.g., "urn:edu:2.0:Staff". schema The URI of an extended schema; e.g., "urn:edu:2.0:Staff".
This MUST be equal to the "id" attribute of a "Schema" This MUST be equal to the "id" attribute of a "Schema"
resource. REQUIRED. resource. REQUIRED.
required A Boolean value that specifies whether the schema required A Boolean value that specifies whether the schema
extension is required for the resource type. If true, a extension is required for the resource type. If true, a
resource of this type MUST include this schema extension and resource of this type MUST include this schema extension and
include any attributes declared as required in this schema include any attributes declared as required in this schema
extension. If false, a resource of this type MAY omit this extension. If false, a resource of this type MAY omit this
schema extension. REQUIRED. schema extension. REQUIRED.
10. Schema Schema 10. Schema Schema
The "Schema" schema specifies the attribute(s) and meta-data that The "Schema" schema specifies the attribute(s) and meta-data that
constitute a "Schema" resource. Schema resources have mutability of constitute a "Schema" resource. Schema resources have mutability of
"readOnly" and identified using the following URI: "readOnly" and identified using the following URI:
"urn:ietf:params:scim:schemas:core:2.0:Schema". Unlike other core
resources the "Schema" resource MAY contain a complex object within a urn:ietf:params:scim:schemas:core:2.0:Schema
sub-attribute and all attributes are REQUIRED unless otherwise
specified. Unlike other core resources the "Schema" resource MAY contain a
complex object within a sub-attribute and all attributes are REQUIRED
unless otherwise specified.
The following Singular Attributes are defined: The following Singular Attributes are defined:
id The unique URI of the schema. When applicable service providers id The unique URI of the schema. When applicable service providers
MUST specify the URI specified in the core schema specification; MUST specify the URI specified in the core schema specification;
e.g., "urn:ietf:params:scim:schemas:core:2.0:User". Unlike most e.g., "urn:ietf:params:scim:schemas:core:2.0:User". Unlike most
other schemas, which use some sort of a GUID for the "id", the other schemas, which use some sort of a GUID for the "id", the
schema "id" is a URI so that it can be registered and is portable schema "id" is a URI so that it can be registered and is portable
between different service providers and clients. between different service providers and clients.
name The schema's human readable name. When applicable service name The schema's human readable name. When applicable service
providers MUST specify the name specified in the core schema providers MUST specify the name specified in the core schema
specification; e.g., "User" or "Group". OPTIONAL. specification; e.g., "User" or "Group". OPTIONAL.
description The schema's human readable description. When description The schema's human readable description. When
applicable service providers MUST specify the description applicable service providers MUST specify the description
specified in the core schema specification. OPTIONAL. specified in the core schema specification. OPTIONAL.
The following multi-valued attribute is defined: The following multi-valued attribute is defined:
attributes A complex type that specifies the set of resource attributes
attributes. A complex type with the following set of sub-attributes that
defines service provider attributes and their qualities:
name The attribute's name. name The attribute's name.
type The attribute's data type; e.g., "String". type The attribute's data type; e.g., "String".
multiValued Boolean value indicating the attribute's plurality. multiValued Boolean value indicating the attribute's plurality.
description The attribute's human readable description. When description The attribute's human readable description. When
applicable service providers MUST specify the description applicable service providers MUST specify the description
specified in the core schema specification. specified in the core schema specification.
required A Boolean value that specifies if the attribute is required A Boolean value that specifies if the attribute is
required. required.
canonicalValues A collection of canonical values. When
applicable service providers MUST specify the canonical types
specified in the core schema specification; e.g., "work",
"home". OPTIONAL.
caseExact A Boolean value that specifies if the String attribute caseExact A Boolean value that specifies if the String attribute
is case sensitive. The server SHALL use case sensitivity when is case sensitive. The server SHALL use case sensitivity when
evaluating filters. For attributes that are case exact, the evaluating filters. For attributes that are case exact, the
server SHALL preserve case for any value submitted. If the server SHALL preserve case for any value submitted. If the
attribute is case insensitive, the server MAY alter case for a attribute is case insensitive, the server MAY alter case for a
submitted value. submitted value.
mutability A single keyword indicating what types of mutability A single keyword indicating what types of
modifications an attribute MAY accept as follows: modifications an attribute MAY accept as follows:
skipping to change at page 22, line 13 skipping to change at page 23, line 22
server SHOULD possess the same value. server SHOULD possess the same value.
global The value SHOULD be globally unique (e.g. an email global The value SHOULD be globally unique (e.g. an email
address, a GUID, or other value). No two resources on any address, a GUID, or other value). No two resources on any
server SHOULD possess the same value. server SHOULD possess the same value.
referenceTypes The names of the resource types that may be referenceTypes The names of the resource types that may be
referenced; e.g., "User". This is only applicable for referenced; e.g., "User". This is only applicable for
attributes that are of the "reference" Section 2.1.7 data type. attributes that are of the "reference" Section 2.1.7 data type.
The following multi-valued attributes are defined. There are
no canonical type values defined and the primary value serves
no useful purpose.
name The attribute's name.
type The attribute's data type; e.g., String.
description The attribute's human readable description. When
applicable service providers MUST specify the description
specified in the core schema specification.
required A Boolean value that specifies if the attribute is
required.
caseExact A Boolean value that specifies if the String
attribute is case sensitive.
referenceTypes The names of the resource types that may be
referenced; e.g., User. This is only applicable for
attributes that are of the "reference" Section 2.1.7 data
type.
canonicalValues A collection of canonical values. When
applicable service providers MUST specify the canonical
types specified in the core schema specification; e.g.,
"work", "home". OPTIONAL.
mutability A single keyword indicating what types of
modifications an attribute MAY accept as follows:
readOnly The attribute MAY NOT be modified.
readWrite The attribute MAY be updated and read at any
time. DEFAULT.
immutable The attribute MAY be defined at resource creation
(e.g. POST) or at record replacement via request (e.g. a
PUT). The attribute MAY NOT be updated.
writeOnly The attribute MAY be updated at any time.
Attribute values MAY NOT be returned (e.g. because the
value is a stored hash). Note: an attribute with
mutability of "writeOnly" usually also has a returned
setting of "never".
returned A single keyword that indicates when an attribute and
associated values are returned in response to a GET request
or in response to a PUT, POST, or PATCH request. Valid
keywords are:
always The attribute is always returned regardless of the
contents of the "attributes" parameter. For example,
"id" is always returned to identify a SCIM resource.
never The attribute is never returned. This may occur
because the original attribute value is not retained by
the service provider (e.g. such as with a hashed value).
A service provider MAY allow attributes to be used in a
search filter.
default The attribute is returned by default in all SCIM
operation responses where attribute values are returned.
If the GET request "attributes" parameter is specified,
attribute values are only returned if the attribute is
named in the attributes parameter. DEFAULT.
request The attribute is returned in response to any PUT,
POST, or PATCH operations if the attribute was specified
by the client (for example, the attribute was modified).
The attribute is returned in a SCIM query operation only
if specified in the "attributes" parameter.
uniqueness A single keyword value that specifies how the
service provider enforces uniqueness of attribute values. A
server MAY reject an invalid value based on uniqueness by
returning HTTP Response code 400 (Bad Request). A client
MAY enforce uniqueness on the client-side to a greater
degree than the service provider enforces. For example, a
client could make a value unique while the server has
uniqueness of "none". Valid keywords are:
none The values are not intended to be unique in any way.
DEFAULT.
server The value SHOULD be unique within the context of the
current SCIM endpoint (or tenancy) but MAY not be
globally unique (e.g. a "username", email address, or
other server generated key or counter). No two resources
on the same server SHOULD possess the same value.
global The value SHOULD be globally unique (e.g. an email
address, a GUID, or other value). No two resources on
any server SHOULD possess the same value.
11. JSON Representation 11. JSON Representation
11.1. Minimal User Representation 11.1. Minimal User Representation
The following is a non-normative example of the minimal required SCIM The following is a non-normative example of the minimal required SCIM
representation in JSON format. representation in JSON format.
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "2819c223-7f76-453a-919d-413861904646", "id": "2819c223-7f76-453a-919d-413861904646",
skipping to change at page 63, line 27 skipping to change at page 62, line 27
Morteza Ansari (morteza.ansari@cisco.com) Morteza Ansari (morteza.ansari@cisco.com)
Sidharth Choudhury (schoudhury@salesforce.com) Sidharth Choudhury (schoudhury@salesforce.com)
Samuel Erdtman (samuel@erdtman.se) Samuel Erdtman (samuel@erdtman.se)
Kelly Grizzle (kelly.grizzle@sailpoint.com) Kelly Grizzle (kelly.grizzle@sailpoint.com)
Chris Phillips (cjphillips@gmail.com) Chris Phillips (cjphillips@gmail.com)
Erik Wahlstroem (erik.wahlstrom@nexussafe.com) Erik Wahlstroem (erik@wahlstromstekniska.se)
Phil Hunt (phil.hunt@yahoo.com) Phil Hunt (phil.hunt@yahoo.com)
Special thanks to Joeseph Smarr, who's excellent work on the Portable Special thanks to Joeseph Smarr, who's excellent work on the Portable
Contacts Specification [PortableContacts] provided a basis for the Contacts Specification [PortableContacts] provided a basis for the
SCIM schema structure and text. SCIM schema structure and text.
Appendix B. Change Log Appendix B. Change Log
[[This section to be removed prior to publication as an RFC]] [[This section to be removed prior to publication as an RFC]]
skipping to change at page 65, line 20 skipping to change at page 64, line 20
Draft 07 - PH - Edits and revisions Draft 07 - PH - Edits and revisions
- Dropped use of the term API in favour of HTTP protocol or just - Dropped use of the term API in favour of HTTP protocol or just
protocol. protocol.
- Clarified meaning of null and unassigned - Clarified meaning of null and unassigned
Draft 08 - PH - Revised IANA namespace to urn:ietf:params:scim per Draft 08 - PH - Revised IANA namespace to urn:ietf:params:scim per
RFC3553 RFC3553
Draft 09 - PH - Editorial revisions and clarifications
Removed duplicate text from Schema Schema section
Removed "operation" attribute from Multi-valued Attribute sub-
attribute definitions. This was used in the old PATCH command and
is no longer valid.
Revised some layout to make indentation and definition of
attributes more clear (added vspace elements)
Authors' Addresses Authors' Addresses
Kelly Grizzle Kelly Grizzle
SailPoint SailPoint
Email: kelly.grizzle@sailpoint.com Email: kelly.grizzle@sailpoint.com
Phil Hunt (editor) Phil Hunt (editor)
Oracle Corporation Oracle Corporation
Email: phil.hunt@yahoo.com Email: phil.hunt@yahoo.com
Erik Wahlstroem Erik Wahlstroem
Technology Nexus Nexus Technology
Email: erik.wahlstrom@nexussafe.com
Email: erik.wahlstrom@nexusgroup.com
Chuck Mortimore Chuck Mortimore
Salesforce.com Salesforce.com
Email: cmortimore@salesforce.com Email: cmortimore@salesforce.com
 End of changes. 97 change blocks. 
408 lines changed or deleted 394 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/