draft-ietf-scim-core-schema-14.txt   draft-ietf-scim-core-schema-15.txt 
Network Working Group P. Hunt, Ed. Network Working Group P. Hunt, Ed.
Internet-Draft Oracle Internet-Draft Oracle
Intended status: Standards Track K. Grizzle Intended status: Standards Track K. Grizzle
Expires: June 19, 2015 SailPoint Expires: August 3, 2015 SailPoint
E. Wahlstroem E. Wahlstroem
Nexus Technology Nexus Technology
C. Mortimore C. Mortimore
Salesforce Salesforce
December 16, 2014 January 30, 2015
System for Cross-Domain Identity Management: Core Schema System for Cross-Domain Identity Management: Core Schema
draft-ietf-scim-core-schema-14 draft-ietf-scim-core-schema-15
Abstract Abstract
The System for Cross-Domain Identity Management (SCIM) specifications The System for Cross-Domain Identity Management (SCIM) specifications
are designed to make identity management in cloud based applications are designed to make identity management in cloud based applications
and services easier. The specification suite builds upon experience and services easier. The specification suite builds upon experience
with existing schemas and deployments, placing specific emphasis on with existing schemas and deployments, placing specific emphasis on
simplicity of development and integration, while applying existing simplicity of development and integration, while applying existing
authentication, authorization, and privacy models. Its intent is to authentication, authorization, and privacy models. Its intent is to
reduce the cost and complexity of user management operations by reduce the cost and complexity of user management operations by
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 19, 2015. This Internet-Draft will expire on August 3, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Notation and Conventions . . . . . . . . . . 4 1.1. Requirements Notation and Conventions . . . . . . . . . . 4
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
2. SCIM Schema Data Types . . . . . . . . . . . . . . . . . . . 5 2. SCIM Schema Data Types . . . . . . . . . . . . . . . . . . . 5
2.1. Attribute Data Types . . . . . . . . . . . . . . . . . . 6 2.1. Attribute Data Types . . . . . . . . . . . . . . . . . . 6
2.1.1. String . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.1. String . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 7 2.1.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 7
2.1.6. Binary . . . . . . . . . . . . . . . . . . . . . . . 7 2.1.6. Binary . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.7. Reference . . . . . . . . . . . . . . . . . . . . . . 7 2.1.7. Reference . . . . . . . . . . . . . . . . . . . . . . 7
2.1.8. Complex . . . . . . . . . . . . . . . . . . . . . . . 7 2.1.8. Complex . . . . . . . . . . . . . . . . . . . . . . . 8
2.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 8 2.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 8
2.3. Unassigned and Null Values . . . . . . . . . . . . . . . 8 2.3. Unassigned and Null Values . . . . . . . . . . . . . . . 9
3. SCIM Resources . . . . . . . . . . . . . . . . . . . . . . . 9 3. SCIM Resources . . . . . . . . . . . . . . . . . . . . . . . 9
3.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 11 3.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 12
3.2. Defining New Resource Types . . . . . . . . . . . . . . . 12 3.2. Defining New Resource Types . . . . . . . . . . . . . . . 13
3.3. Attribute Extensions to Resources . . . . . . . . . . . . 12 3.3. Attribute Extensions to Resources . . . . . . . . . . . . 13
4. SCIM Core Resources and Extensions . . . . . . . . . . . . . 13 4. SCIM Core Resources and Extensions . . . . . . . . . . . . . 14
4.1. User Resource Schema . . . . . . . . . . . . . . . . . . 13 4.1. User Resource Schema . . . . . . . . . . . . . . . . . . 14
4.1.1. Singular Attributes . . . . . . . . . . . . . . . . . 13 4.1.1. Singular Attributes . . . . . . . . . . . . . . . . . 14
4.1.2. Multi-valued Attributes . . . . . . . . . . . . . . . 16 4.1.2. Multi-valued Attributes . . . . . . . . . . . . . . . 17
4.2. Group Resource Schema . . . . . . . . . . . . . . . . . . 18 4.2. Group Resource Schema . . . . . . . . . . . . . . . . . . 19
4.3. Enterprise User Schema Extension . . . . . . . . . . . . 19 4.3. Enterprise User Schema Extension . . . . . . . . . . . . 20
5. Service Provider Configuration Schema . . . . . . . . . . . . 20 5. Service Provider Configuration Schema . . . . . . . . . . . . 21
6. ResourceType Schema . . . . . . . . . . . . . . . . . . . . . 22 6. ResourceType Schema . . . . . . . . . . . . . . . . . . . . . 23
7. Schema Definition . . . . . . . . . . . . . . . . . . . . . . 23 7. Schema Definition . . . . . . . . . . . . . . . . . . . . . . 24
8. JSON Representation . . . . . . . . . . . . . . . . . . . . . 26 8. JSON Representation . . . . . . . . . . . . . . . . . . . . . 27
8.1. Minimal User Representation . . . . . . . . . . . . . . . 26 8.1. Minimal User Representation . . . . . . . . . . . . . . . 27
8.2. Full User Representation . . . . . . . . . . . . . . . . 26 8.2. Full User Representation . . . . . . . . . . . . . . . . 27
8.3. Enterprise User Extension Representation . . . . . . . . 29 8.3. Enterprise User Extension Representation . . . . . . . . 30
8.4. Group Representation . . . . . . . . . . . . . . . . . . 32 8.4. Group Representation . . . . . . . . . . . . . . . . . . 33
8.5. Service Provider Configuration Representation . . . . . . 33 8.5. Service Provider Configuration Representation . . . . . . 34
8.6. Resource Type Representation . . . . . . . . . . . . . . 35 8.6. Resource Type Representation . . . . . . . . . . . . . . 36
8.7. Schema Representation . . . . . . . . . . . . . . . . . . 35 8.7. Schema Representation . . . . . . . . . . . . . . . . . . 36
9. Security Considerations . . . . . . . . . . . . . . . . . . . 59 9. Security Considerations . . . . . . . . . . . . . . . . . . . 60
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60
10.1. New Registration of SCIM URN Sub-namespace . . . . . . . 59 10.1. New Registration of SCIM URN Sub-namespace . . . . . . . 60
10.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 60 10.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 61
10.2.1. Specification Template . . . . . . . . . . . . . . . 60 10.2.1. Specification Template . . . . . . . . . . . . . . . 61
10.2.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 62 10.2.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 63
10.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 62 10.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 63
10.3.1. Registration Procedure . . . . . . . . . . . . . . . 62 10.3.1. Registration Procedure . . . . . . . . . . . . . . . 63
10.3.2. Schema Registration Template . . . . . . . . . . . . 63 10.3.2. Schema Registration Template . . . . . . . . . . . . 64
10.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 64 10.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 65
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 64 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 65
11.1. Normative References . . . . . . . . . . . . . . . . . . 64 11.1. Normative References . . . . . . . . . . . . . . . . . . 65
11.2. Informative References . . . . . . . . . . . . . . . . . 65 11.2. Informative References . . . . . . . . . . . . . . . . . 66
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 66 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 67
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 67 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 68
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 70
1. Introduction and Overview 1. Introduction and Overview
While there are existing standards for describing and exchanging user While there are existing standards for describing and exchanging user
information, many of these standards can be difficult to implement information, many of these standards can be difficult to implement
and/or use; e.g., their wire protocols do not easily traverse and/or use; e.g., their wire protocols do not easily traverse
firewalls and/or are not easily layered onto existing web protocols. firewalls and/or are not easily layered onto existing web protocols.
As a result, many cloud providers implement non-standardized As a result, many cloud providers implement non-standardized
protocols for managing users within their services. This increases protocols for managing users within their services. This increases
both the cost and complexity associated with organizations adopting both the cost and complexity associated with organizations adopting
skipping to change at page 6, line 28 skipping to change at page 6, line 28
o are not unique (uniqueness=none), and, o are not unique (uniqueness=none), and,
o of type String (Section 2.1.1). o of type String (Section 2.1.1).
The JSON format defines a limited set of data types, hence, where The JSON format defines a limited set of data types, hence, where
appropriate, alternate JSON representations derived from XML Schema appropriate, alternate JSON representations derived from XML Schema
[XML-Schema] are defined below. SCIM extensions SHOULD NOT introduce [XML-Schema] are defined below. SCIM extensions SHOULD NOT introduce
new data types. new data types.
The following is a table that maps the following data types, to SCIM
schema type and the underlying JSON data type:
+----------------+--------------------+-----------------------------+
| SCIM Data Type | SCIM Schema "type" | JSON Type |
+----------------+--------------------+-----------------------------+
| String | "string" | String per Sec. 7 [RFC7159] |
| Boolean | "boolean" | Value per Sec. 3 [RFC7159] |
| Decimal | "decimal" | Number per Sec. 6 [RFC7159] |
| Integer | "integer" | Number per Sec. 6 [RFC7159] |
| DateTime | "dateTime" | String per Sec. 7 [RFC7159] |
| Binary | "string" | Base64 encoded String |
| Reference | "reference" | String per Sec. 7 [RFC7159] |
| Complex | "complex" | Object per Sec. 4 [RFC7159] |
+----------------+--------------------+-----------------------------+
Table 1: SCIM Data Type to JSON Representation
2.1.1. String 2.1.1. String
A sequence of zero or more Unicode characters encoded using UTF-8 as A sequence of zero or more Unicode characters encoded using UTF-8 as
per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7 per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7
[RFC7159]. A "String" attribute MAY specify a required data format. [RFC7159]. A "String" attribute MAY specify a required data format.
Additionally, when canonical values are specified service providers Additionally, when canonical values are specified service providers
SHOULD conform to those values if appropriate, but MAY provide SHOULD conform to those values if appropriate, but MAY provide
alternate "String" values to represent additional values. alternate "String" values to represent additional values.
2.1.2. Boolean 2.1.2. Boolean
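Review bot: The Binary row of the new Table 1 (`| Binary | "string" | Base64 encoded String |`) gives the SCIM schema "type" as "string", while the same revision changes the photos "value" and x509Certificates "value" sub-attributes in section 7 to "type" : "binary"; the change log says section 7 was corrected to use the types defined in section 2.1, so the table cell should presumably read "binary", otherwise the two sections disagree and a validator built from the table will reject the section 7 schema. The introductory sentence also reads awkwardly ("maps the following data types, to SCIM schema type"); suggest: The following table maps each SCIM data type to its SCIM schema "type" value and the underlying JSON data type: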
skipping to change at page 38, line 51 skipping to change at page 39, line 51
SHOULD NOT be used to represent a User's username (e.g. bjensen or SHOULD NOT be used to represent a User's username (e.g. bjensen or
mpepperidge)", mpepperidge)",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "profileUrl", "name" : "profileUrl",
"type" : "string", "type" : "reference",
"multiValued" : false, "multiValued" : false,
"description" : "A fully qualified URL to a page representing "description" : "A fully qualified URL to a page representing
the User's online profile", the User's online profile",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
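Review bot: With profileUrl now "type" : "reference" instead of "string", the accompanying "caseExact" : false deserves a second look: URI scheme and host are case-insensitive but the path generally is not, so a case-insensitive comparison can treat two distinct profile URLs as the same value. If the service provider is expected to normalize or validate the value as a URL, the description should say so; otherwise "caseExact" : true is the safer default for a reference.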
skipping to change at page 45, line 42 skipping to change at page 46, line 42
{ {
"name" : "photos", "name" : "photos",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "URLs of photos of the User.", "description" : "URLs of photos of the User.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "binary",
"multiValued" : false, "multiValued" : false,
"description" : "URL of a photo of the User.", "description" : "URL of a photo of the User.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
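Review bot: The new "type" : "binary" for the photos "value" sub-attribute contradicts its own description, "URL of a photo of the User.", and the parent description "URLs of photos of the User."; per Table 1 a Binary is a Base64 encoded String, so a URL value would fail type validation, and a receiver that actually base64-decodes the field would reject every URL-valued photo. Either the type should be "reference" (as profileUrl and the $ref sub-attributes were changed in this draft) or both descriptions should be rewritten to say the value is base64-encoded image data.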
skipping to change at page 49, line 34 skipping to change at page 50, line 34
"description" : "The identifier of the User's group.", "description" : "The identifier of the User's group.",
"readOnly" : false, "readOnly" : false,
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "string", "type" : "reference",
"multiValued" : false, "multiValued" : false,
"description" : "The URI of the corresponding Group "description" : "The URI of the corresponding Group
resource to which the user belongs", resource to which the user belongs",
"readOnly" : false, "readOnly" : false,
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
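Review bot: The "readOnly" : false lines in both the groups "value" and "$ref" sub-attribute definitions sit next to "mutability" : "readOnly" and contradict it; "readOnly" looks like a leftover from the older attribute-characteristic model and should be removed so a client cannot honour one flag and ignore the other. The $ref change to "type" : "reference" is consistent with its description.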
skipping to change at page 53, line 23 skipping to change at page 54, line 23
{ {
"name" : "x509Certificates", "name" : "x509Certificates",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A list of certificates issued to the User.", "description" : "A list of certificates issued to the User.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "binary",
"multiValued" : false, "multiValued" : false,
"description" : "The value of a X509 certificate.", "description" : "The value of a X509 certificate.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
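Review bot: Now that the x509Certificates "value" sub-attribute is "binary" (a Base64 encoded String per Table 1), "caseExact" : false is wrong for it: base64 is case-sensitive, so a case-insensitive comparison would equate encodings of different certificates and a filter or equality check could match the wrong certificate. Suggest "caseExact" : true here, and tightening the description "The value of a X509 certificate." to state the encoding, e.g. "The base64-encoded X.509 certificate." (which also fixes "a X509").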
skipping to change at page 55, line 27 skipping to change at page 56, line 27
"multiValued" : false, "multiValued" : false,
"description" : "Identifier of the member of this Group.", "description" : "Identifier of the member of this Group.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "immutable", "mutability" : "immutable",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "string", "type" : "reference",
"multiValued" : false, "multiValued" : false,
"description" : "The URI of the corresponding to the member "description" : "The URI of the corresponding to the member
resource of this Group.", resource of this Group.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "immutable", "mutability" : "immutable",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
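Review bot: The description of the Group members "$ref" sub-attribute, "The URI of the corresponding to the member resource of this Group.", is ungrammatical; suggest "The URI corresponding to the member resource of this Group." The change to "type" : "reference" with "mutability" : "immutable" matches the sibling "value" sub-attribute.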
skipping to change at page 58, line 9 skipping to change at page 59, line 9
"description" : "The id of the SCIM resource representing "description" : "The id of the SCIM resource representing
the User's manager. REQUIRED.", the User's manager. REQUIRED.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "string", "type" : "reference",
"multiValued" : false, "multiValued" : false,
"description" : "The URI of the SCIM resource representing "description" : "The URI of the SCIM resource representing
the User's manager. REQUIRED.", the User's manager. REQUIRED.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
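Review bot: Both manager sub-attribute descriptions end in "REQUIRED." while the definitions carry "required" : false; the machine-readable flag and the prose disagree, and an implementer will trust the flag. Either set "required" : true on these sub-attributes or drop "REQUIRED." from the descriptions; if the intent is "required whenever manager is present", the description should say that explicitly, since the "required" flag cannot express it.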
skipping to change at page 69, line 42 skipping to change at page 70, line 42
phoneNumber & emails canonicalization phoneNumber & emails canonicalization
Draft 14 - PH - Nits / Corrections Draft 14 - PH - Nits / Corrections
Corrected JSON structure for example Schema (removed outer {} Corrected JSON structure for example Schema (removed outer {}
around array of schemas). around array of schemas).
Added example Group resource type to example of resource types in Added example Group resource type to example of resource types in
JSON JSON
Draft 15 - PH - Corrected schema in sec 7 to use defined types from
sec 2.1
Authors' Addresses Authors' Addresses
Phil Hunt (editor) Phil Hunt (editor)
Oracle Corporation Oracle Corporation
Email: phil.hunt@yahoo.com Email: phil.hunt@yahoo.com
Kelly Grizzle Kelly Grizzle
SailPoint SailPoint
Email: kelly.grizzle@sailpoint.com Email: kelly.grizzle@sailpoint.com
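Review bot: The Draft 15 change-log entry only records the section 7 type correction, but this revision also introduces Table 1 in section 2.1 (the data-type to JSON-type mapping appears only in the new text); add a line for it so readers of the diff know the mapping is new and can check their validators against it.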
 End of changes. 17 change blocks. 
52 lines changed or deleted 73 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/