--- 1/draft-ietf-scim-core-schema-13.txt 2014-12-16 13:14:52.293000139 -0800 +++ 2/draft-ietf-scim-core-schema-14.txt 2014-12-16 13:14:52.417003176 -0800 @@ -1,23 +1,23 @@ Network Working Group P. Hunt, Ed. Internet-Draft Oracle Intended status: Standards Track K. Grizzle -Expires: May 18, 2015 SailPoint +Expires: June 19, 2015 SailPoint E. Wahlstroem Nexus Technology C. Mortimore Salesforce - November 14, 2014 + December 16, 2014 System for Cross-Domain Identity Management: Core Schema - draft-ietf-scim-core-schema-13 + draft-ietf-scim-core-schema-14 Abstract The System for Cross-Domain Identity Management (SCIM) specifications are designed to make identity management in cloud based applications and services easier. The specification suite builds upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management operations by 
@@ -38,21 +38,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 18, 2015. + This Internet-Draft will expire on June 19, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -93,35 +93,35 @@ 6. ResourceType Schema . . . . . . . . . . . . . . . . . . . . . 22 7. Schema Definition . . . . . . . . . . . . . . . . . . . . . . 23 8. JSON Representation . . . . . . . . . . . . . . . . . . . . . 26 8.1. Minimal User Representation . . . . . . . . . . . . . . . 26 8.2. Full User Representation . . . . . . . . . . . . . . . . 26 8.3. Enterprise User Extension Representation . . . . . . . . 29 8.4. Group Representation . . . . . . . . . . . . . . . . . . 32 8.5. Service Provider Configuration Representation . . . . . . 33 8.6. Resource Type Representation . . . . . . . . . . . . . . 35 8.7. Schema Representation . . . . . . . . . . . . . . . . . . 35 - 9. Security Considerations . . . . . . . . . . . . . . . . . . . 58 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 59 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 10.1. New Registration of SCIM URN Sub-namespace . . . . . . . 59 - 10.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 59 + 10.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 60 10.2.1. Specification Template . . . . . . . . . . . . . . . 60 10.2.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 62 10.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 62 10.3.1. Registration Procedure . . . . . . . . . . . . . . . 62 10.3.2. Schema Registration Template . . . . . . . . . . . . 63 - 10.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 63 + 10.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 64 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 64 11.1. Normative References . . . . . . . . . . . . . . . . . . 64 11.2. Informative References . . . . . . . . . . . . . . . . . 65 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 66 - Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 66 + Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 67 Authors' Addresses . . . . . . . . . . . 
. . . . . . . . . . . . 69 1. Introduction and Overview While there are existing standards for describing and exchanging user information, many of these standards can be difficult to implement and/or use; e.g., their wire protocols do not easily traverse firewalls and/or are not easily layered onto existing web protocols. As a result, many cloud providers implement non-standardized protocols for managing users within their services. This increases 
@@ -1605,56 +1605,65 @@ "created": "2010-01-23T04:56:22Z", "lastModified": "2011-05-13T04:42:34Z", "version": "W\/\"3694e05e9dff594\"" } } Figure 7: Example Service Provider Config JSON Representation 8.6. Resource Type Representation - The following is a non-normative example of the SCIM resource type - representation in JSON format. + The following is a non-normative example of the SCIM resource types + in JSON format. - { + [{ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], "id":"User", "name":"User", "endpoint": "/Users", "description": "User Account", "schema": "urn:ietf:params:scim:schemas:core:2.0:User", "schemaExtensions": [ { "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "required": true } ], "meta": { "location":"https://example.com/v2/ResourceTypes/User", - "resourceType": "ResourceType", - "created": "2010-01-23T04:56:22Z", - "lastModified": "2011-05-13T04:42:34Z", - "version": "W\/\"3694e05e9dff595\"" + "resourceType": "ResourceType" } + }, + { + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], + "id":"Group", + "name":"Group", + "endpoint": "/Groups", + "description": "Group", + "schema": "urn:ietf:params:scim:schemas:core:2.0:Group", + "meta": { + "location":"https://example.com/v2/ResourceTypes/Group", + "resourceType": "ResourceType" } + }] Figure 8: Example Resource Type JSON Representation 8.7. Schema Representation The following is intended as normative example of the SCIM Schema representation in JSON format. Where permitted individual values and schema MAY change. Included but not limited to, are schemas for User, Group, and enterprise user. -{[ +[ { "id" : "urn:ietf:params:scim:schemas:core:2.0:User", "name" : "User", "description" : "User Account", "attributes" : [ { "name" : "userName", "type" : "string", "multiValued" : false, "description" : "Unique identifier for the User typically used 
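Review bot: the User ResourceType in Figure 8 loses "created", "lastModified" and "version" from its "meta" block, and that removal is neither mentioned in the Draft 14 change log nor mirrored in the neighbouring examples: the Service Provider Config in Figure 7 (context at the top of this hunk) and the Schema entries in Figure 9 both keep all three. If the intent is that ResourceType resources carry only "location" and "resourceType", say so in the prose of 8.6 and in the change log; otherwise restore the three attributes on both the User and the new Group entry so the examples agree with each other. The new Group entry itself looks consistent with the User one ("schemas", "id", "name", "endpoint", "description", "schema", "meta.location"), and omitting "schemaExtensions" for Group is fine since nothing in the draft makes it required. Two smaller points in the same hunk: the "{[" to "[" fix at the start of Figure 9 only yields valid JSON together with the "]}" to "]" fix in the next hunk, so the two should land as one change; and the unchanged intro to 8.7 still says the figure is "intended as normative example" while also saying values "MAY change", which reads as contradictory next to the explicitly "non-normative" Figure 8 and is worth tightening while this section is being edited.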
@@ -2742,23 +2753,23 @@ ], "meta" : { "resourceType" : "Schema", "created" : "2010-01-23T04:56:22Z", "lastModified" : "2014-02-04T00:00:00Z", "version" : "W/\"3694e05e9dff596\"", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" } } -]} +] - Figure 9: Eample Schema JSON Representation + Figure 9: Example Schema JSON Representation 9. Security Considerations The SCIM Core schema defines attributes that MAY contain personally identifiable information as well as other sensitive data. Aside from prohibiting password values in a SCIM response this specification does not provide any means or guarantee of confidentiality. In particular, attributes such as "id" and "externalId" are of particular concern as personally identifiable information that @@ -3252,27 +3262,34 @@ value and make multi-valued Corrected sec 8.7, make members multi-valued in JSON Added missing definition for subattributes in sec 7, Schema Definition Draft 13 - PH - Correctings NITS to externalId example and clarified phoneNumber & emails canonicalization + Draft 14 - PH - Nits / Corrections + + Corrected JSON structure for example Schema (removed outer {} + around array of schemas). + + Added example Group resource type to example of resource types in + JSON + Authors' Addresses Phil Hunt (editor) Oracle Corporation Email: phil.hunt@yahoo.com - Kelly Grizzle SailPoint Email: kelly.grizzle@sailpoint.com Erik Wahlstroem Nexus Technology Email: erik.wahlstrom@nexusgroup.com
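Review bot: the closing "]}" to "]" in the first hunk here is the other half of the Figure 9 JSON fix and must not be applied without the matching "{[" to "[" opening change in the 8.7 hunk, since either half alone leaves the example unparseable; the "Eample" to "Example" caption fix is fine. The Security Considerations context lines are untouched by this change, so nothing to raise there.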
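Review bot: the Draft 14 change log entry under-reports this revision: it lists the Schema bracket fix and the added Group resource type, but not the removal of "created", "lastModified" and "version" from the ResourceType "meta" in Figure 8, which a reader comparing drafts will notice. Add a third bullet for that (or revert it). While editing the log, "Correctings NITS" in the Draft 13 entry a few lines up is itself a nit worth fixing to "Corrected nits". Lastly, the removed blank line between Phil Hunt's and Kelly Grizzle's entries in Authors' Addresses appears unintentional; keep the separating blank line so the address blocks remain distinct.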