draft-ietf-scim-core-schema-13.txt   draft-ietf-scim-core-schema-14.txt 
Network Working Group P. Hunt, Ed. Network Working Group P. Hunt, Ed.
Internet-Draft Oracle Internet-Draft Oracle
Intended status: Standards Track K. Grizzle Intended status: Standards Track K. Grizzle
Expires: May 18, 2015 SailPoint Expires: June 19, 2015 SailPoint
E. Wahlstroem E. Wahlstroem
Nexus Technology Nexus Technology
C. Mortimore C. Mortimore
Salesforce Salesforce
November 14, 2014 December 16, 2014
System for Cross-Domain Identity Management: Core Schema System for Cross-Domain Identity Management: Core Schema
draft-ietf-scim-core-schema-13 draft-ietf-scim-core-schema-14
Abstract Abstract
The System for Cross-Domain Identity Management (SCIM) specifications The System for Cross-Domain Identity Management (SCIM) specifications
are designed to make identity management in cloud based applications are designed to make identity management in cloud based applications
and services easier. The specification suite builds upon experience and services easier. The specification suite builds upon experience
with existing schemas and deployments, placing specific emphasis on with existing schemas and deployments, placing specific emphasis on
simplicity of development and integration, while applying existing simplicity of development and integration, while applying existing
authentication, authorization, and privacy models. Its intent is to authentication, authorization, and privacy models. Its intent is to
reduce the cost and complexity of user management operations by reduce the cost and complexity of user management operations by
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 18, 2015. This Internet-Draft will expire on June 19, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 9 skipping to change at page 3, line 9
6. ResourceType Schema . . . . . . . . . . . . . . . . . . . . . 22 6. ResourceType Schema . . . . . . . . . . . . . . . . . . . . . 22
7. Schema Definition . . . . . . . . . . . . . . . . . . . . . . 23 7. Schema Definition . . . . . . . . . . . . . . . . . . . . . . 23
8. JSON Representation . . . . . . . . . . . . . . . . . . . . . 26 8. JSON Representation . . . . . . . . . . . . . . . . . . . . . 26
8.1. Minimal User Representation . . . . . . . . . . . . . . . 26 8.1. Minimal User Representation . . . . . . . . . . . . . . . 26
8.2. Full User Representation . . . . . . . . . . . . . . . . 26 8.2. Full User Representation . . . . . . . . . . . . . . . . 26
8.3. Enterprise User Extension Representation . . . . . . . . 29 8.3. Enterprise User Extension Representation . . . . . . . . 29
8.4. Group Representation . . . . . . . . . . . . . . . . . . 32 8.4. Group Representation . . . . . . . . . . . . . . . . . . 32
8.5. Service Provider Configuration Representation . . . . . . 33 8.5. Service Provider Configuration Representation . . . . . . 33
8.6. Resource Type Representation . . . . . . . . . . . . . . 35 8.6. Resource Type Representation . . . . . . . . . . . . . . 35
8.7. Schema Representation . . . . . . . . . . . . . . . . . . 35 8.7. Schema Representation . . . . . . . . . . . . . . . . . . 35
9. Security Considerations . . . . . . . . . . . . . . . . . . . 58 9. Security Considerations . . . . . . . . . . . . . . . . . . . 59
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59
10.1. New Registration of SCIM URN Sub-namespace . . . . . . . 59 10.1. New Registration of SCIM URN Sub-namespace . . . . . . . 59
10.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 59 10.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 60
10.2.1. Specification Template . . . . . . . . . . . . . . . 60 10.2.1. Specification Template . . . . . . . . . . . . . . . 60
10.2.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 62 10.2.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 62
10.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 62 10.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 62
10.3.1. Registration Procedure . . . . . . . . . . . . . . . 62 10.3.1. Registration Procedure . . . . . . . . . . . . . . . 62
10.3.2. Schema Registration Template . . . . . . . . . . . . 63 10.3.2. Schema Registration Template . . . . . . . . . . . . 63
10.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 63 10.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 64
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 64 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 64
11.1. Normative References . . . . . . . . . . . . . . . . . . 64 11.1. Normative References . . . . . . . . . . . . . . . . . . 64
11.2. Informative References . . . . . . . . . . . . . . . . . 65 11.2. Informative References . . . . . . . . . . . . . . . . . 65
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 66 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 66
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 66 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 67
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 69
1. Introduction and Overview 1. Introduction and Overview
While there are existing standards for describing and exchanging user While there are existing standards for describing and exchanging user
information, many of these standards can be difficult to implement information, many of these standards can be difficult to implement
and/or use; e.g., their wire protocols do not easily traverse and/or use; e.g., their wire protocols do not easily traverse
firewalls and/or are not easily layered onto existing web protocols. firewalls and/or are not easily layered onto existing web protocols.
As a result, many cloud providers implement non-standardized As a result, many cloud providers implement non-standardized
protocols for managing users within their services. This increases protocols for managing users within their services. This increases
skipping to change at page 35, line 7 skipping to change at page 35, line 7
"created": "2010-01-23T04:56:22Z", "created": "2010-01-23T04:56:22Z",
"lastModified": "2011-05-13T04:42:34Z", "lastModified": "2011-05-13T04:42:34Z",
"version": "W\/\"3694e05e9dff594\"" "version": "W\/\"3694e05e9dff594\""
} }
} }
Figure 7: Example Service Provider Config JSON Representation Figure 7: Example Service Provider Config JSON Representation
8.6. Resource Type Representation 8.6. Resource Type Representation
The following is a non-normative example of the SCIM resource type The following is a non-normative example of the SCIM resource types
representation in JSON format. in JSON format.
{ [{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
"id":"User", "id":"User",
"name":"User", "name":"User",
"endpoint": "/Users", "endpoint": "/Users",
"description": "User Account", "description": "User Account",
"schema": "urn:ietf:params:scim:schemas:core:2.0:User", "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"schemaExtensions": [ "schemaExtensions": [
{ {
"schema": "schema":
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"required": true "required": true
} }
], ],
"meta": { "meta": {
"location":"https://example.com/v2/ResourceTypes/User", "location":"https://example.com/v2/ResourceTypes/User",
"resourceType": "ResourceType", "resourceType": "ResourceType"
"created": "2010-01-23T04:56:22Z",
"lastModified": "2011-05-13T04:42:34Z",
"version": "W\/\"3694e05e9dff595\""
} }
} },
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
"id":"Group",
"name":"Group",
"endpoint": "/Groups",
"description": "Group",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
"meta": {
"location":"https://example.com/v2/ResourceTypes/Group",
"resourceType": "ResourceType"
}
}]
Figure 8: Example Resource Type JSON Representation Figure 8: Example Resource Type JSON Representation
8.7. Schema Representation 8.7. Schema Representation
The following is intended as normative example of the SCIM Schema The following is intended as normative example of the SCIM Schema
representation in JSON format. Where permitted individual values and representation in JSON format. Where permitted individual values and
schema MAY change. Included but not limited to, are schemas for schema MAY change. Included but not limited to, are schemas for
User, Group, and enterprise user. User, Group, and enterprise user.
{[ [
{ {
"id" : "urn:ietf:params:scim:schemas:core:2.0:User", "id" : "urn:ietf:params:scim:schemas:core:2.0:User",
"name" : "User", "name" : "User",
"description" : "User Account", "description" : "User Account",
"attributes" : [ "attributes" : [
{ {
"name" : "userName", "name" : "userName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Unique identifier for the User typically used "description" : "Unique identifier for the User typically used
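Review bot: the revised User resource type drops "created", "lastModified" and "version" from its "meta" block, while the service provider config in Figure 7 and the schema example in Figure 9 still carry all three; if ResourceType metadata is deliberately limited to "location" and "resourceType", say so in the change log, otherwise restore the three sub-attributes so the examples agree. Now that the example is an array of two resource types, the section title and the Figure 8 caption still read "Resource Type Representation" (singular) while the introductory sentence was changed to "resource types"; align them. Section 8.7's lead-in also calls Figure 9 "intended as normative example" whereas Section 8.6 calls Figure 8 "non-normative"; since the next sentence says individual values and schema MAY change, "non-normative" (or a clearer statement of which parts are normative) would remove the ambiguity. The closing sentence "Included but not limited to, are schemas for User, Group, and enterprise user" is awkward; suggest "Schemas for User, Group, and the enterprise User extension are included, but a service provider is not limited to these."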
skipping to change at page 58, line 37 skipping to change at page 58, line 46
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"created" : "2010-01-23T04:56:22Z", "created" : "2010-01-23T04:56:22Z",
"lastModified" : "2014-02-04T00:00:00Z", "lastModified" : "2014-02-04T00:00:00Z",
"version" : "W/\"3694e05e9dff596\"", "version" : "W/\"3694e05e9dff596\"",
"location" : "location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" "/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
} }
} }
]} ]
Figure 9: Eample Schema JSON Representation Figure 9: Example Schema JSON Representation
9. Security Considerations 9. Security Considerations
The SCIM Core schema defines attributes that MAY contain personally The SCIM Core schema defines attributes that MAY contain personally
identifiable information as well as other sensitive data. Aside from identifiable information as well as other sensitive data. Aside from
prohibiting password values in a SCIM response this specification prohibiting password values in a SCIM response this specification
does not provide any means or guarantee of confidentiality. does not provide any means or guarantee of confidentiality.
In particular, attributes such as "id" and "externalId" are of In particular, attributes such as "id" and "externalId" are of
particular concern as personally identifiable information that particular concern as personally identifiable information that
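Review bot: Figure 9's "meta" gives a relative "location" ("/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User") whereas Figure 8 uses an absolute URL ("https://example.com/v2/ResourceTypes/User"), and the weak ETag is spelled "W/\"3694e05e9dff596\"" here but "W\/\"3694e05e9dff594\"" in Figure 7; both forms are valid JSON, but using one location form and one escaping style across the examples would make them easier to compare and to copy into tests. The removal of the stray outer braces around the schema array and the caption fix ("Eample" to "Example") look correct.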
skipping to change at page 69, line 24 skipping to change at page 69, line 34
value and make multi-valued value and make multi-valued
Corrected sec 8.7, make members multi-valued in JSON Corrected sec 8.7, make members multi-valued in JSON
Added missing definition for subattributes in sec 7, Schema Added missing definition for subattributes in sec 7, Schema
Definition Definition
Draft 13 - PH - Correctings NITS to externalId example and clarified Draft 13 - PH - Correctings NITS to externalId example and clarified
phoneNumber & emails canonicalization phoneNumber & emails canonicalization
Draft 14 - PH - Nits / Corrections
Corrected JSON structure for example Schema (removed outer {}
around array of schemas).
Added example Group resource type to example of resource types in
JSON
Authors' Addresses Authors' Addresses
Phil Hunt (editor) Phil Hunt (editor)
Oracle Corporation Oracle Corporation
Email: phil.hunt@yahoo.com Email: phil.hunt@yahoo.com
Kelly Grizzle Kelly Grizzle
SailPoint SailPoint
Email: kelly.grizzle@sailpoint.com Email: kelly.grizzle@sailpoint.com
Erik Wahlstroem Erik Wahlstroem
Nexus Technology Nexus Technology
Email: erik.wahlstrom@nexusgroup.com Email: erik.wahlstrom@nexusgroup.com
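Review bot: the Draft 14 change-log entry lists only the schema-array fix and the added Group resource type, but this revision also removes "created", "lastModified" and "version" from the User resource type's "meta" and corrects the Figure 9 caption ("Eample" to "Example"); add both so the log matches the diff. The Draft 13 entry's "Correctings NITS" could be fixed to "Corrected nits" while this section is being edited.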
End of changes. 17 change blocks. 20 lines changed or deleted, 36 lines changed or added.
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/