draft-ietf-scim-core-schema-16.txt   draft-ietf-scim-core-schema-17.txt 
Network Working Group P. Hunt, Ed. Network Working Group P. Hunt, Ed.
Internet-Draft Oracle Internet-Draft Oracle
Intended status: Standards Track K. Grizzle Intended status: Standards Track K. Grizzle
Expires: August 8, 2015 SailPoint Expires: September 5, 2015 SailPoint
E. Wahlstroem E. Wahlstroem
Nexus Technology Nexus Technology
C. Mortimore C. Mortimore
Salesforce Salesforce
February 4, 2015 March 4, 2015
System for Cross-Domain Identity Management: Core Schema System for Cross-Domain Identity Management: Core Schema
draft-ietf-scim-core-schema-16 draft-ietf-scim-core-schema-17
Abstract Abstract
The System for Cross-Domain Identity Management (SCIM) specifications The System for Cross-Domain Identity Management (SCIM) specifications
are designed to make identity management in cloud based applications are designed to make identity management in cloud based applications
and services easier. The specification suite builds upon experience and services easier. The specification suite builds upon experience
with existing schemas and deployments, placing specific emphasis on with existing schemas and deployments, placing specific emphasis on
simplicity of development and integration, while applying existing simplicity of development and integration, while applying existing
authentication, authorization, and privacy models. Its intent is to authentication, authorization, and privacy models. Its intent is to
reduce the cost and complexity of user management operations by reduce the cost and complexity of user management operations by
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 8, 2015. This Internet-Draft will expire on September 5, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 25 skipping to change at page 2, line 25
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Notation and Conventions . . . . . . . . . . 4 1.1. Requirements Notation and Conventions . . . . . . . . . . 4
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
2. SCIM Schema Data Types . . . . . . . . . . . . . . . . . . . 5 2. SCIM Schema . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Attribute Data Types . . . . . . . . . . . . . . . . . . 6 2.1. Attributes . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.1. String . . . . . . . . . . . . . . . . . . . . . . . 6 2.2. Attribute Data Types . . . . . . . . . . . . . . . . . . 6
2.1.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 7 2.2.1. String . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 7 2.2.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 7 2.2.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 7 2.2.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.6. Binary . . . . . . . . . . . . . . . . . . . . . . . 7 2.2.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 7
2.1.7. Reference . . . . . . . . . . . . . . . . . . . . . . 7 2.2.6. Binary . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.8. Complex . . . . . . . . . . . . . . . . . . . . . . . 8 2.2.7. Reference . . . . . . . . . . . . . . . . . . . . . . 8
2.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 8 2.2.8. Complex . . . . . . . . . . . . . . . . . . . . . . . 8
2.3. Unassigned and Null Values . . . . . . . . . . . . . . . 9 2.3. Multi-valued Attributes . . . . . . . . . . . . . . . . . 9
3. SCIM Resources . . . . . . . . . . . . . . . . . . . . . . . 9 2.4. Unassigned and Null Values . . . . . . . . . . . . . . . 9
3. SCIM Resources . . . . . . . . . . . . . . . . . . . . . . . 10
3.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 12 3.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 12
3.2. Defining New Resource Types . . . . . . . . . . . . . . . 13 3.2. Defining New Resource Types . . . . . . . . . . . . . . . 13
3.3. Attribute Extensions to Resources . . . . . . . . . . . . 13 3.3. Attribute Extensions to Resources . . . . . . . . . . . . 13
4. SCIM Core Resources and Extensions . . . . . . . . . . . . . 14 4. SCIM Core Resources and Extensions . . . . . . . . . . . . . 14
4.1. User Resource Schema . . . . . . . . . . . . . . . . . . 14 4.1. User Resource Schema . . . . . . . . . . . . . . . . . . 14
4.1.1. Singular Attributes . . . . . . . . . . . . . . . . . 14 4.1.1. Singular Attributes . . . . . . . . . . . . . . . . . 14
4.1.2. Multi-valued Attributes . . . . . . . . . . . . . . . 17 4.1.2. Multi-valued Attributes . . . . . . . . . . . . . . . 17
4.2. Group Resource Schema . . . . . . . . . . . . . . . . . . 19 4.2. Group Resource Schema . . . . . . . . . . . . . . . . . . 19
4.3. Enterprise User Schema Extension . . . . . . . . . . . . 20 4.3. Enterprise User Schema Extension . . . . . . . . . . . . 20
5. Service Provider Configuration Schema . . . . . . . . . . . . 21 5. Service Provider Configuration Schema . . . . . . . . . . . . 21
6. ResourceType Schema . . . . . . . . . . . . . . . . . . . . . 23 6. ResourceType Schema . . . . . . . . . . . . . . . . . . . . . 23
7. Schema Definition . . . . . . . . . . . . . . . . . . . . . . 24 7. Schema Definition . . . . . . . . . . . . . . . . . . . . . . 24
8. JSON Representation . . . . . . . . . . . . . . . . . . . . . 27 8. JSON Representation . . . . . . . . . . . . . . . . . . . . . 27
8.1. Minimal User Representation . . . . . . . . . . . . . . . 27 8.1. Minimal User Representation . . . . . . . . . . . . . . . 27
8.2. Full User Representation . . . . . . . . . . . . . . . . 27 8.2. Full User Representation . . . . . . . . . . . . . . . . 27
8.3. Enterprise User Extension Representation . . . . . . . . 30 8.3. Enterprise User Extension Representation . . . . . . . . 30
8.4. Group Representation . . . . . . . . . . . . . . . . . . 33 8.4. Group Representation . . . . . . . . . . . . . . . . . . 34
8.5. Service Provider Configuration Representation . . . . . . 34 8.5. Service Provider Configuration Representation . . . . . . 34
8.6. Resource Type Representation . . . . . . . . . . . . . . 36 8.6. Resource Type Representation . . . . . . . . . . . . . . 36
8.7. Schema Representation . . . . . . . . . . . . . . . . . . 36 8.7. Schema Representation . . . . . . . . . . . . . . . . . . 36
9. Security Considerations . . . . . . . . . . . . . . . . . . . 60 8.7.1. Resource Schema Representation . . . . . . . . . . . 37
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 8.7.2. Service Provider Schema Representation . . . . . . . 59
10.1. New Registration of SCIM URN Sub-namespace . . . . . . . 60 9. Security Considerations . . . . . . . . . . . . . . . . . . . 74
10.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 61 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 75
10.2.1. Specification Template . . . . . . . . . . . . . . . 61 10.1. New Registration of SCIM URN Sub-namespace . . . . . . . 75
10.2.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 63 10.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 75
10.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 63 10.2.1. Specification Template . . . . . . . . . . . . . . . 75
10.3.1. Registration Procedure . . . . . . . . . . . . . . . 63 10.2.2. Pre-Registered SCIM Schema Identifiers . . . . . . . 78
10.3.2. Schema Registration Template . . . . . . . . . . . . 64 10.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 78
10.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 65 10.3.1. Registration Procedure . . . . . . . . . . . . . . . 78
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 65 10.3.2. Schema Registration Template . . . . . . . . . . . . 79
11.1. Normative References . . . . . . . . . . . . . . . . . . 65 10.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 79
11.2. Informative References . . . . . . . . . . . . . . . . . 66 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 80
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 67 11.1. Normative References . . . . . . . . . . . . . . . . . . 80
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 68 11.2. Informative References . . . . . . . . . . . . . . . . . 81
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 71 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 82
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 83
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 86
1. Introduction and Overview 1. Introduction and Overview
While there are existing standards for describing and exchanging user While there are existing standards for describing and exchanging user
information, many of these standards can be difficult to implement information, many of these standards can be difficult to implement
and/or use; e.g., their wire protocols do not easily traverse and/or use; e.g., their wire protocols do not easily traverse
firewalls and/or are not easily layered onto existing web protocols. firewalls and/or are not easily layered onto existing web protocols.
As a result, many cloud providers implement non-standardized As a result, many cloud providers implement non-standardized
protocols for managing users within their services. This increases protocols for managing users within their services. This increases
both the cost and complexity associated with organizations adopting both the cost and complexity associated with organizations adopting
skipping to change at page 4, line 45 skipping to change at page 4, line 48
A type of a resource that is managed by a service provider. The A type of a resource that is managed by a service provider. The
resource type defines the resource name, endpoint URL, Schemas, resource type defines the resource name, endpoint URL, Schemas,
and other meta-data which indicate where a resource is managed and and other meta-data which indicate where a resource is managed and
how it is composed; e.g. "User" or "Group". how it is composed; e.g. "User" or "Group".
Resource Resource
A service provider managed artifact containing one or more A service provider managed artifact containing one or more
attributes. For example a "User" or "Group". attributes. For example a "User" or "Group".
Schema Schema
A collection of Attribute Definitions that describe the contents A collection of attribute definitions that describe the contents
of an entire or partial resource; e.g. of an entire or partial resource; e.g.
"urn:ietf:params:scim:schemas:core:2.0:User". "urn:ietf:params:scim:schemas:core:2.0:User". The attribute
definitions define the name of the attribute, and metadata such as
type (e.g. string, binary), cardinality (singular, multi,
complex), mutability, and returnability.
Singular Attribute Singular Attribute
A resource attribute that contains 0..1 values; e.g. A resource attribute that contains 0..1 values; e.g.
"displayName". "displayName".
Multi-valued Attribute Multi-valued Attribute
A resource attribute that contains 0..n values; e.g. "emails". A resource attribute that contains 0..n values; e.g. "emails".
Simple Attribute Simple Attribute
A singular or multi-valued attribute whose value is a primitive; A singular or multi-valued attribute whose value is a primitive;
e.g. "String". e.g. "String".
Complex Attribute Complex Attribute
A singular or multi-valued attribute whose value is a composition A singular or multi-valued attribute whose value is a composition
of one or more simple attributes; e.g. "addresses". of one or more simple attributes; e.g. "addresses" has the sub-
attributes "streetAddress", "locality", "postalCode", and
"country".
Sub-Attribute Sub-Attribute
A simple attribute contained within a complex attribute. A simple attribute that is contained within a complex attribute.
2. SCIM Schema Data Types 2. SCIM Schema
SCIM schema provides a minimal core schema for representing users and A SCIM server provides a set of resources, the contents of which are
groups (resources), encompassing common attributes found in many defined by a set of schema URIs and a resource type. SCIM's schema
existing deployments and schemas. In addition to the minimal core is not a document-centric one such as with [XML-Schema]. Instead,
schema, this document also specifies a standardized means by which SCIM's support of schema is attribute based where each attribute may
service providers may extend schema to define new resources and have different type, mutability, cardinality, or returnability.
alidation of documents and messages is always performed, as specified
by the SCIM specifications by an intended receiver. Validation is
performed by the receiver in the context of a protocol request. For
example, a SCIM service provider, upon receiving a request to replace
an existing resource with a replacement JSON object, evaluates each
asserted attribute based on the attributed defined schema (e.g.
mutability) and decides which attributes may be replaced or ignored.
This specification provides a minimal core schema for representing
users and groups (resources), encompassing common attributes found in
many existing deployments and schemas. In addition to the minimal
core schema, this document also specifies a standardized means by
which service providers may extend schema to define new resources and
attributes in both standardized and service provider specific cases. attributes in both standardized and service provider specific cases.
Resources are categorized into common resource types such as "User" Resources are categorized into common resource types such as "User"
or "Group"). Collections of resources of the same type are usually or "Group"). Collections of resources of the same type are usually
contained within the same "container" ("folder") endpoint. contained within the same "container" ("folder") endpoint.
2.1. Attributes
A resource is a collection of attributes identified by one or more A resource is a collection of attributes identified by one or more
schemas. Minimally, an attribute consists of the attribute name and schemas. Minimally, an attribute consists of the attribute name and
at least one simple or complex value either of which may be multi- at least one simple or complex value either of which may be multi-
valued. For each attribute, SCIM schema defines the data type, valued. For each attribute, SCIM schema defines the data type,
plurality, mutability, and other distinguishing features of an plurality, mutability, and other distinguishing features of an
attribute. attribute.
Attribute names SHOULD be camel-cased (e.g. "camelCase"). SCIM Attribute names SHOULD be camel-cased (e.g. "camelCase"). SCIM
resources are represented in JSON [RFC7159] and MUST specify schema resources are represented in JSON [RFC7159] and MUST specify schema
via the "schemas" attribute per Section 3. via the "schemas" attribute per Section 3.
Attribute names MUST conform to the following ABNF [RFC5234] rules: Attribute names MUST conform to the following ABNF [RFC5234] rules:
ATTRNAME = ALPHA *(nameChar) ATTRNAME = ALPHA *(nameChar)
nameChar = "-" / "_" / DIGIT / ALPHA nameChar = "-" / "_" / DIGIT / ALPHA
Figure 1: ABNF for Attribute Names Figure 1: ABNF for Attribute Names
2.1. Attribute Data Types 2.2. Attribute Data Types
Attribute data types are derived from JSON [RFC7159] and unless Attribute data types are derived from JSON [RFC7159] and unless
otherwise specified have the following characteristics (see Section 7 otherwise specified have the following characteristics (see Section 7
for attribute characteristic definitions): for attribute characteristic definitions):
o are OPTIONAL (is not required). o are OPTIONAL (is not required).
o are case insensitive (caseExact=false), o are case insensitive ("caseExact" is "false"),
o are modifiable (mutability is readWrite), o are modifiable ("mutability" is "readWrite"),
o are returned in response to queries (returned by default), o are returned in response to queries (returned by default),
o are not unique (uniqueness=none), and, o have no canonical values (e.g. type is "home" or "work"),
o of type String (Section 2.1.1). o are not unique ("uniqueness" is "none"), and,
o of type string (Section 2.2.1).
The JSON format defines a limited set of data types, hence, where The JSON format defines a limited set of data types, hence, where
appropriate, alternate JSON representations derived from XML Schema appropriate, alternate JSON representations derived from XML Schema
[XML-Schema] are defined below. SCIM extensions SHOULD NOT introduce [XML-Schema] are defined below. SCIM extensions SHOULD NOT introduce
new data types. new data types.
The following is a table that maps the following data types, to SCIM The following is a table that maps the following data types, to SCIM
schema type and the underlying JSON data type: schema type and the underlying JSON data type:
+----------------+--------------------+-----------------------------+ +----------------+--------------------+-----------------------------+
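Review bot: the new paragraph in Section 2 that begins "alidation of documents and messages is always performed" has lost its first letter and should open "Validation of documents and messages is always performed, as specified by the SCIM specifications, by an intended receiver." In the same paragraph, "evaluates each asserted attribute based on the attributed defined schema" should read "based on the attribute's defined schema". Two smaller points in the same region: the attribute-default list now includes "have no canonical values (e.g. type is "home" or "work")", which reads as if "home" and "work" are the defaults rather than examples of values a definition might add, so consider "have no canonical values (i.e. no fixed set such as "home" or "work" is defined)", and "are OPTIONAL (is not required)" should be "(i.e. not required)"; and the sentence 'Resources are categorized into common resource types such as "User" or "Group").' carries an unmatched closing parenthesis in both columns.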
skipping to change at page 6, line 46 skipping to change at page 7, line 20
| Decimal | "decimal" | Number per Sec. 6 [RFC7159] | | Decimal | "decimal" | Number per Sec. 6 [RFC7159] |
| Integer | "integer" | Number per Sec. 6 [RFC7159] | | Integer | "integer" | Number per Sec. 6 [RFC7159] |
| DateTime | "dateTime" | String per Sec. 7 [RFC7159] | | DateTime | "dateTime" | String per Sec. 7 [RFC7159] |
| Binary | "string" | Base64 encoded String | | Binary | "string" | Base64 encoded String |
| Reference | "reference" | String per Sec. 7 [RFC7159] | | Reference | "reference" | String per Sec. 7 [RFC7159] |
| Complex | "complex" | Object per Sec. 4 [RFC7159] | | Complex | "complex" | Object per Sec. 4 [RFC7159] |
+----------------+--------------------+-----------------------------+ +----------------+--------------------+-----------------------------+
Table 1: SCIM Data Type to JSON Representation Table 1: SCIM Data Type to JSON Representation
2.1.1. String 2.2.1. String
A sequence of zero or more Unicode characters encoded using UTF-8 as A sequence of zero or more Unicode characters encoded using UTF-8 as
per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7 per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7
[RFC7159]. A "String" attribute MAY specify a required data format. [RFC7159]. A "String" attribute MAY specify a required data format.
Additionally, when canonical values are specified service providers Additionally, when "canonicalValues" is specified, service providers
SHOULD conform to those values if appropriate, but MAY provide MAY restrict accepted values to the specified values.
alternate "String" values to represent additional values.
2.1.2. Boolean 2.2.2. Boolean
The literal "true" or "false". The JSON format is defined in The literal "true" or "false". The JSON format is defined in
Section 3 [RFC7159]. Section 3 [RFC7159]. A boolean has no case sensitivity or
uniqueness.
2.1.3. Decimal 2.2.3. Decimal
A real number with at least one digit to the left and right of the A real number with at least one digit to the left and right of the
period. The JSON format is defined in Section 6 [RFC7159]. period. The JSON format is defined in Section 6 [RFC7159]. A
decimal has no case sensitivity.
2.1.4. Integer 2.2.4. Integer
A decimal number with no fractional digits. The JSON format is A decimal number with no fractional digits. The JSON format is
defined in Section 6 [RFC7159] with the additional constraint that defined in Section 6 [RFC7159] with the additional constraint that
the value MUST NOT contain fractional or exponent parts. the value MUST NOT contain fractional or exponent parts. An integer
has no case sensitivity.
2.1.5. DateTime 2.2.5. DateTime
A DateTime value (e.g. 2008-01-23T04:56:22Z). The attribute value A DateTime value (e.g. 2008-01-23T04:56:22Z). The attribute value
MUST be encoded as a valid xsd:dateTime as specified in Section 3.2.7 MUST be encoded as a valid xsd:dateTime as specified in Section 3.3.7
[XML-Schema]. [XML-Schema]. A date-time has no case-sensitivity or uniqueness.
Values represented in JSON MUST conform to the XML constraints above Values represented in JSON MUST conform to the XML constraints above
and are represented as a JSON String per Section 7 [RFC7159]. and are represented as a JSON String per Section 7 [RFC7159].
2.1.6. Binary 2.2.6. Binary
Arbitrary binary data. The attribute value MUST be encoded as a Arbitrary binary data. The attribute value MUST be encoded in base
valid xsd:base64Binary as specified in Section 3.2.16 [XML-Schema]. 64 encoding as specified in Section 4 [RFC4648]. In cases where a
URL-safe encoding is required, the attribute definition MAY specify
Base 64 URL encoding be used as per Section 5 [RFC4648].
Values represented in JSON MUST conform to the XML constraints above In JSON representation, the encoded values are represented as a JSON
and are represented as a JSON String per Section 2.7 [RFC7159]. String per Section 7 [RFC7159]. A binary is case-exact and has no
uniqueness.
2.1.7. Reference 2.2.7. Reference
A reference to a SCIM resource. The value MUST be the absolute or The value is a URI for a resource. A resource MAY be a SCIM
resource, an external link to a resource (e.g. a photo), or it may be
an identifier such as a URN. The value MUST be the absolute or
relative URI of the target resource. Relative URIs should be relative URI of the target resource. Relative URIs should be
resolved as specified in Section 5.2 [RFC3986]. The base URI for resolved as specified in Section 5.2 [RFC3986]. However, the base
relative URI resolution MUST include all URI components and path URI for relative URI resolution MUST include all URI components and
segments up to but not including the Endpoint URI; e.g., the base URI path segments up to but not including the Endpoint URI (the SCIM
for a request to "https://example.com/v2/Users/2819c223-7f76-453a- service provider root endpoint); e.g., the base URI for a request to
919d-413861904646" would be "https://example.com/v2/" and the "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
relative URI for this resource would be "Users/2819c223-7f76-453a- would be "https://example.com/v2/" and the relative URI for this
919d-413861904646". resource would be "Users/2819c223-7f76-453a-919d-413861904646".
In JSON representation, the URI value is represented as a JSON String
per Section 7 [RFC7159]. A reference is case-exact. A reference has
a "referenceType" that indicates what types of resources may be
linked as per Section 7.
Performing a GET operation on a reference URI MUST return the target Performing a GET operation on a reference URI MUST return the target
resource or an appropriate HTTP response code. The service provider resource or an appropriate HTTP response code. The service provider
MAY optionally choose to enforce referential integrity for MAY optionally choose to enforce referential integrity for reference
references. types referring to SCIM resources.
By convention, a reference is commonly represented as a "$ref" sub- By convention, a reference is commonly represented as a "$ref" sub-
attribute in complex or multi-valued attributes, however this is attribute in complex or multi-valued attributes, however this is
OPTIONAL. OPTIONAL.
2.1.8. Complex 2.2.8. Complex
A singular or multi-valued attribute whose value is a composition of A singular or multi-valued attribute whose value is a composition of
one or more simple Attributes. The JSON format is defined in one or more simple Attributes. The JSON format is defined in
Section 4 [RFC7159]. Section 4 [RFC7159]. A complex attribute has no uniqueness or case
sensitivity.
2.2. Multi-valued Attributes 2.3. Multi-valued Attributes
Multi-valued attributes contain a list of value or may contain sub- Multi-valued attributes contain a list of value or may contain sub-
attributes and MAY also be considered complex attributes. The order attributes and MAY also be considered complex attributes. The order
of values returned by the server SHOULD NOT be guaranteed. The sub- of values returned by the server SHOULD NOT be guaranteed. The sub-
attributes below are considered normative and when specified SHOULD attributes below are considered normative and when specified SHOULD
be used as defined. be used as defined.
type A label indicating the attribute's function; e.g., "work" or type A label indicating the attribute's function; e.g., "work" or
"home". "home".
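Review bot: the rewritten Reference type (2.2.7) now allows the value to be "an identifier such as a URN", but the unchanged sentences that follow still require that "The value MUST be the absolute or relative URI of the target resource" and that "Performing a GET operation on a reference URI MUST return the target resource"; a URN is in general not dereferenceable, so either scope both MUSTs to references whose "referenceType" is a SCIM resource or an external URL, or drop the URN case. Related points in the same hunk: Binary (2.2.6) now lets an attribute definition select base64url (Section 5 [RFC4648]) instead of standard base 64 (Section 4), but the text does not say how the attribute definition signals that choice, and since the two alphabets differ a receiver that guesses wrong decodes a different byte string, so the schema definition (Section 7) should carry an explicit indicator and the text should state whether padding is required; the DateTime pointer moved from Section 3.2.7 to Section 3.3.7 of [XML-Schema], which is only right if the normative reference is to the XSD 1.1 edition, so check the reference entry matches; and "Multi-valued attributes contain a list of value" should read "a list of values", while "Relative URIs should be resolved as specified in Section 5.2 [RFC3986]" looks like an intended normative SHOULD.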
skipping to change at page 9, line 8 skipping to change at page 9, line 42
addresses and URLs). Service providers MAY return the canonicalized addresses and URLs). Service providers MAY return the canonicalized
value using the "display" sub-attribute and return the original value value using the "display" sub-attribute and return the original value
using the "value" attribute. using the "value" attribute.
Service providers MAY return the same value more than once with Service providers MAY return the same value more than once with
different types (e.g. the same e-mail address may used for work and different types (e.g. the same e-mail address may used for work and
home), but SHOULD NOT return the same (type, value) combination more home), but SHOULD NOT return the same (type, value) combination more
than once per Attribute, as this complicates processing by the than once per Attribute, as this complicates processing by the
Consumer. Consumer.
2.3. Unassigned and Null Values 2.4. Unassigned and Null Values
Unassigned attributes, the null value, or empty array (in the case of Unassigned attributes, the null value, or empty array (in the case of
a multi-valued attribute) SHALL be considered to be equivalent in a multi-valued attribute) SHALL be considered to be equivalent in
"state". Assigning an attribute with the value "null" or an empty "state". Assigning an attribute with the value "null" or an empty
array (in the case of multi-valued attributes) has the effect of array (in the case of multi-valued attributes) has the effect of
making the attribute "unassigned". When a resource is expressed in making the attribute "unassigned". When a resource is expressed in
JSON form, unassigned attributes, though they are defined in schema, JSON form, unassigned attributes, though they are defined in schema,
MAY be omitted for compactness. MAY be omitted for compactness.
3. SCIM Resources 3. SCIM Resources
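Review bot: in the sentence "the same e-mail address may used for work and home" (unchanged in this revision) a word is missing: "may be used". The same paragraph ends "as this complicates processing by the Consumer"; the rest of this revision uses "client" (e.g. "SCIM clients" in Section 4.1.2), so "Consumer", a SCIM 1.x term, should be replaced here for consistency.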
skipping to change at page 17, line 15 skipping to change at page 17, line 15
any form. any form.
4.1.2. Multi-valued Attributes 4.1.2. Multi-valued Attributes
The following multi-valued attributes are defined. The following multi-valued attributes are defined.
emails emails
E-mail addresses for the User. The value SHOULD be specified E-mail addresses for the User. The value SHOULD be specified
according to [RFC5321]. Service providers SHOULD canonicalize the according to [RFC5321]. Service providers SHOULD canonicalize the
value according to [RFC5321], e.g. "bjensen@example.com" instead value according to [RFC5321], e.g. "bjensen@example.com" instead
of "bjensen@EXAMPLE.COM". Ths "display" sub-attribute MAY be used of "bjensen@EXAMPLE.COM". The "display" sub-attribute MAY be used
to return the canonicalized representation of the e-mail value. to return the canonicalized representation of the e-mail value.
Canonical type values of "work", "home", and "other". The "type" sub-attribute of contains values of "work", "home", and
"other", and MAY allow more types to be defined by the SCIM
clients.
phoneNumbers phoneNumbers
Phone numbers for the user. The value SHOULD be specified Phone numbers for the user. The value SHOULD be specified
according to the format in [RFC3966] e.g. 'tel:+1-201-555-0123'. according to the format in [RFC3966] e.g. 'tel:+1-201-555-0123'.
Service providers SHOULD canonicalize the value according to Service providers SHOULD canonicalize the value according to
[RFC3966] format, when appropriate. The "display" sub-attribute [RFC3966] format, when appropriate. The "display" sub-attribute
MAY be used to return the canonicalized representation of the MAY be used to return the canonicalized representation of the
phone number value. Canonical type values of "work", "home", phone number value. The sub-attribute "type" often has typical
"mobile", "fax", "pager", and "other". values of "work", "home", "mobile", "fax", "pager", and "other",
and MAY allow more types to be defined by the SCIM clients.
ims ims
Instant messaging address for the user. No official Instant messaging address for the user. No official
canonicalization rules exist for all instant messaging addresses, canonicalization rules exist for all instant messaging addresses,
but service providers SHOULD, when appropriate, remove all but service providers SHOULD, when appropriate, remove all
whitespace and convert the address to lowercase. Instead of the whitespace and convert the address to lowercase. The "type"
standard canonical values for type, this attribute defines the attribute defines several "canonicalValues" to represent currently
following canonical values to represent currently popular IM popular IM services: "aim", "gtalk", "icq", "xmpp", "msn",
services: "aim", "gtalk", "icq", "xmpp", "msn", "skype", "qq", "skype", "qq", "yahoo", and "other".
"yahoo", and "other".
photos photos
URL of a photo of the User. The value SHOULD be a canonicalized URL of a photo of the User. The value SHOULD be a canonicalized
URL, and MUST point to an image file (e.g. a GIF, JPEG, or PNG URL, and MUST point to an image file (e.g. a GIF, JPEG, or PNG
image file) rather than to a web page containing an image. image file) rather than to a web page containing an image.
Service providers MAY return the same image at different sizes, Service providers MAY return the same image at different sizes,
though it is recognized that no standard for describing images of though it is recognized that no standard for describing images of
various sizes currently exists. Note that this attribute SHOULD various sizes currently exists. Note that this attribute SHOULD
NOT be used to send down arbitrary photos taken by this user, but NOT be used to send down arbitrary photos taken by this user, but
specifically profile photos of the user suitable for display when specifically profile photos of the user suitable for display when
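Review bot: the new phoneNumbers wording ("The sub-attribute "type" often has typical values of ... and MAY allow more types to be defined by the SCIM clients") uses a different vocabulary from the ims paragraph in the same hunk, which calls its list "canonicalValues"; use one term so implementers know whether the list is advisory or is the schema's canonicalValues for "type". Because client-defined types are now explicitly allowed, add that a service provider validates a client-supplied "type" as an ordinary bounded string rather than rejecting values outside the list, so the two paragraphs cannot be read as contradicting each other. The "display" sentence should also say whether the canonicalized display value is generated by the service provider (mutability "readOnly") or may be supplied by the client; a client-written display string would otherwise be shown as if it were the canonical number.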
skipping to change at page 19, line 23 skipping to change at page 19, line 23
entitlements. entitlements.
roles roles
A list of roles for the user that collectively represent who the A list of roles for the user that collectively represent who the
user is; e.g., "Student, Faculty". No vocabulary or syntax is user is; e.g., "Student, Faculty". No vocabulary or syntax is
specified though it is expected that a role value is a String or specified though it is expected that a role value is a String or
label representing a collection of entitlements. This value has label representing a collection of entitlements. This value has
NO canonical types. NO canonical types.
x509Certificates x509Certificates
A list of certificates issued to the User. Values are Binary A list of certificates associated with the resource (e.g. a User).
(Section 2.1.6) and DER encoded x509. This value has NO canonical Each certificate is a DER encoded X.509 (see Section 4 [RFC5280]),
types. which MUST be base 64 encoded per Section 4 [RFC4648].
4.2. Group Resource Schema 4.2. Group Resource Schema
SCIM provides a schema for representing groups, identified using the SCIM provides a schema for representing groups, identified using the
following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group". following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group".
Group resources are meant to enable expression of common group or Group resources are meant to enable expression of common group or
role based access control models, although no explicit authorization role based access control models, although no explicit authorization
model is defined. It is intended that the semantics of group model is defined. It is intended that the semantics of group
membership and any behavior or authorization granted as a result of membership and any behavior or authorization granted as a result of
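Review bot: the rewritten x509Certificates text drops the reference to the Binary data type (Section 2.1.6 in the left column) and restates the base64 rule inline; keep the data-type reference so the encoding rule lives in one place, and say that Section 4 of [RFC4648] is the standard alphabet with "=" padding rather than the URL-safe alphabet of Section 5, so decoders reject a value in the wrong alphabet instead of silently accepting both. The left column's "This value has NO canonical types" sentence was removed as well; if "type" remains a sub-attribute of x509Certificates, that sentence should stay.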
skipping to change at page 21, line 12 skipping to change at page 21, line 12
displayName The displayName of the user's manager. This displayName The displayName of the user's manager. This
attribute is OPTIONAL and mutability is "readOnly". attribute is OPTIONAL and mutability is "readOnly".
5. Service Provider Configuration Schema 5. Service Provider Configuration Schema
SCIM provides a schema for representing the service provider's SCIM provides a schema for representing the service provider's
configuration identified using the following schema URI: configuration identified using the following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
The service provider configuration resource enables a service The service provider configuration resource enables a service
provider to discovery of SCIM specification features in a provider to discover SCIM specification features in a standardized
standardized form as well as provide additional implementation form as well as provide additional implementation details to clients.
details to clients. All attributes are READ-ONLY (a mutability of All attributes have a mutability of "readOnly". Unlike other core
"readOnly" ). Unlike other core resources, the "id" attribute is not resources, the "id" attribute is not required for the service
required for the service provider configuration resource. provider configuration resource.
The following Singular Attributes are defined in addition to the The following Singular Attributes are defined in addition to the
common attributes defined in Core Schema: common attributes defined in Core Schema:
documentationUrl documentationUrl
An HTTP addressable URL pointing to the service provider's human An HTTP addressable URL pointing to the service provider's human
consumable help documentation. consumable help documentation.
patch patch
A complex type that specifies PATCH configuration options. A complex type that specifies PATCH configuration options.
skipping to change at page 22, line 45 skipping to change at page 22, line 45
with the appropriate security considerations, make the with the appropriate security considerations, make the
authenticationSchemes attribute publicly accessible without prior authenticationSchemes attribute publicly accessible without prior
authentication. REQUIRED. authentication. REQUIRED.
name The common authentication scheme name; e.g., HTTP Basic. name The common authentication scheme name; e.g., HTTP Basic.
REQUIRED. REQUIRED.
description A description of the Authentication Scheme. description A description of the Authentication Scheme.
REQUIRED. REQUIRED.
specUrl A HTTP addressable URL pointing to the Authentication specUrl An HTTP addressable URL pointing to the Authentication
Scheme's specification. OPTIONAL. Scheme's specification. OPTIONAL.
documentationUrl A HTTP addressable URL pointing to the documentationUrl An HTTP addressable URL pointing to the
Authentication Scheme's usage documentation. OPTIONAL. Authentication Scheme's usage documentation. OPTIONAL.
6. ResourceType Schema 6. ResourceType Schema
The "ResourceType" schema specifies the meta-data about a resource The "ResourceType" schema specifies the meta-data about a resource
type. Resource type resources are READ-ONLY and identified using the type. Resource type resources are READ-ONLY and identified using the
following schema URI: following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:ResourceType". Unlike other "urn:ietf:params:scim:schemas:core:2.0:ResourceType". Unlike other
core resources, all attributes are REQUIRED unless otherwise core resources, all attributes are REQUIRED unless otherwise
specified. The "id" attribute is not required for the resource type specified. The "id" attribute is not required for the resource type
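Review bot: "with the appropriate security considerations" in the first line of the hunk is not defined anywhere in the visible text; point to the specific Security Considerations paragraph, and state that it is only the authenticationSchemes attribute, not the whole ServiceProviderConfig resource, that MAY be served without prior authentication, since the sentence can otherwise be read as permission to expose the full configuration unauthenticated. Separately, "name" is free text (the example is "HTTP Basic"), so a client cannot match it mechanically; consider recommending the HTTP authentication scheme token where one exists. The "A HTTP" to "An HTTP" edits on specUrl and documentationUrl are fine.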
skipping to change at page 25, line 6 skipping to change at page 25, line 6
The following multi-valued attribute is defined: The following multi-valued attribute is defined:
attributes attributes
A complex type with the following set of sub-attributes that A complex type with the following set of sub-attributes that
defines service provider attributes and their qualities: defines service provider attributes and their qualities:
name The attribute's name. name The attribute's name.
type The attribute's data type. Valid values are: "string", type The attribute's data type. Valid values are: "string",
"complex", and "boolean". When an attribute is of type "boolean", "decimal", "integer", "dateTime", "reference", and
"complex", there SHOULD be a corresponding schema attribute "complex". When an attribute is of type "complex", there
"subAttributes" defined listing the sub-attribtues of the SHOULD be a corresponding schema attribute "subAttributes"
attribute. defined listing the sub-attribtues of the attribute.
subAttributes When an attribute is of type "complex", subAttributes When an attribute is of type "complex",
"subAttributes" defines set of sub-attributes. "subAttributes" "subAttributes" defines set of sub-attributes. "subAttributes"
has the same schema sub-attributes as "attributes". has the same schema sub-attributes as "attributes".
multiValued Boolean value indicating the attribute's plurality. multiValued Boolean value indicating the attribute's plurality.
description The attribute's human readable description. When description The attribute's human readable description. When
applicable service providers MUST specify the description applicable service providers MUST specify the description
specified in the core schema specification. specified in the core schema specification.
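Review bot: the expanded "type" value list ("string", "boolean", "decimal", "integer", "dateTime", "reference", "complex") still omits "binary", which the left column of the x509Certificates hunk above cites as a data type (Section 2.1.6); as written, that attribute cannot be described by the schema. Add "binary" to the list or drop the type. Two style points in the same hunk: "sub-attribtues" is misspelled in both columns, and ""subAttributes" defines set of sub-attributes" is missing "the".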
skipping to change at page 27, line 5 skipping to change at page 27, line 5
server The value SHOULD be unique within the context of the server The value SHOULD be unique within the context of the
current SCIM endpoint (or tenancy) and MAY be globally current SCIM endpoint (or tenancy) and MAY be globally
unique (e.g. a "username", email address, or other server unique (e.g. a "username", email address, or other server
generated key or counter). No two resources on the same generated key or counter). No two resources on the same
server SHOULD possess the same value. server SHOULD possess the same value.
global The value SHOULD be globally unique (e.g. an email global The value SHOULD be globally unique (e.g. an email
address, a GUID, or other value). No two resources on any address, a GUID, or other value). No two resources on any
server SHOULD possess the same value. server SHOULD possess the same value.
referenceTypes The names of the resource types that may be referenceTypes A multi-valued array of JSON strings that indicate
referenced; e.g., "User". This is only applicable for the SCIM resource types that may be referenced. Valid values
attributes that are of the "reference" Section 2.1.7 data type. are:
+ A SCIM resource type (e.g. "User" or "Group"),
+ "external" - indicating the resource is an external resource
(e.g. such as a photo), or
+ "uri" - indicating that the reference is to a service
endpoint or an identifier (e.g. such as a schema urn).
This attribute is only applicable for attributes that are of
type "reference" (Section 2.2.7).
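Review bot: the new "external" and "uri" referenceTypes values come with no handling rule. The text should say that an "external" reference is opaque to the service provider, which validates it only as a syntactically well-formed URI and does not dereference it; the prose requirements elsewhere in the draft (for example that a photo URL MUST point to an image file) are not expressible in the schema and consumers should treat such values as client-supplied input when they render them. In the uniqueness text, "No two resources on the same server SHOULD possess the same value" (and the "global" counterpart) reads better as "SHOULD NOT possess the same value".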
8. JSON Representation 8. JSON Representation
8.1. Minimal User Representation 8.1. Minimal User Representation
The following is a non-normative example of the minimal required SCIM The following is a non-normative example of the minimal required SCIM
representation in JSON format. representation in JSON format.
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
skipping to change at page 36, line 46 skipping to change at page 36, line 46
"meta": { "meta": {
"location":"https://example.com/v2/ResourceTypes/Group", "location":"https://example.com/v2/ResourceTypes/Group",
"resourceType": "ResourceType" "resourceType": "ResourceType"
} }
}] }]
Figure 8: Example Resource Type JSON Representation Figure 8: Example Resource Type JSON Representation
8.7. Schema Representation 8.7. Schema Representation
The following is intended as normative example of the SCIM Schema The following sections provide representations of schemas for both
representation in JSON format. Where permitted individual values and SCIM resources and service provider schemas. Note that the JSON
schema MAY change. Included but not limited to, are schemas for representation has been modified for readability and to fit the
User, Group, and enterprise user. specification format.
8.7.1. Resource Schema Representation
The following is intended as an example of the SCIM Schema
representation in JSON format for SCIM resources. Where permitted
individual values and schema MAY change. Included but not limited
to, are schemas for User, Group, and enterprise user.
[ [
{ {
"id" : "urn:ietf:params:scim:schemas:core:2.0:User", "id" : "urn:ietf:params:scim:schemas:core:2.0:User",
"name" : "User", "name" : "User",
"description" : "User Account", "description" : "User Account",
"attributes" : [ "attributes" : [
{ {
"name" : "userName", "name" : "userName",
"type" : "string", "type" : "string",
skipping to change at page 37, line 34 skipping to change at page 37, line 44
"type" : "complex", "type" : "complex",
"multiValued" : false, "multiValued" : false,
"description" : "The components of the user's real name. "description" : "The components of the user's real name.
Providers MAY return just the full name as a single string in the Providers MAY return just the full name as a single string in the
formatted sub-attribute, or they MAY return just the individual formatted sub-attribute, or they MAY return just the individual
component attributes using the other sub-attributes, or they MAY return component attributes using the other sub-attributes, or they MAY return
both. If both variants are returned, they SHOULD be describing the same both. If both variants are returned, they SHOULD be describing the same
name, with the formatted name indicating how the component attributes name, with the formatted name indicating how the component attributes
should be combined.", should be combined.",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "formatted", "name" : "formatted",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The full name, including all middle names, "description" : "The full name, including all middle names,
titles, and suffixes as appropriate, formatted for display (e.g. Ms. titles, and suffixes as appropriate, formatted for display (e.g. Ms.
Barbara J Jensen, III.).", Barbara J Jensen, III.).",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
skipping to change at page 39, line 40 skipping to change at page 39, line 49
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "nickName", "name" : "nickName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The casual way to address the user in real "description" : "The casual way to address the user in real
life, e.g. "Bob" or "Bobby" instead of "Robert". This attribute life, e.g.'Bob' or 'Bobby' instead of 'Robert'. This attribute
SHOULD NOT be used to represent a User's username (e.g. bjensen or SHOULD NOT be used to represent a User's username (e.g. bjensen or
mpepperidge)", mpepperidge)",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "profileUrl", "name" : "profileUrl",
"type" : "reference", "type" : "reference",
"referenceTypes" : ["external"],
"multiValued" : false, "multiValued" : false,
"description" : "A fully qualified URL to a page representing "description" : "A fully qualified URL to a page representing
the User's online profile", the User's online profile",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
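Review bot: "profileUrl" becomes a "reference" with "referenceTypes": ["external"] but keeps "caseExact": false; the path and query components of a URL are case-sensitive (only scheme and host are not), so either set caseExact to true or state in Section 7 that caseExact is not meaningful for the "reference" type. The nickName description change to single quotes fixes the unescaped double quotes that made the left column invalid JSON; the same fix appears on userType and timezone below, and the remaining descriptions should be checked for the same defect.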
skipping to change at page 40, line 29 skipping to change at page 40, line 38
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "userType", "name" : "userType",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Used to identify the organization to user "description" : "Used to identify the organization to user
relationship. Typical values used might be "Contractor", "Employee", relationship. Typical values used might be 'Contractor', 'Employee',
"Intern", "Temp", "External", and "Unknown" but any value may be 'Intern', 'Temp', 'External', and 'Unknown' but any value may be
used ", used.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "preferredLanguage", "name" : "preferredLanguage",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
skipping to change at page 41, line 21 skipping to change at page 41, line 31
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "timezone", "name" : "timezone",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The User's time zone in the "Olson" timezone "description" : "The User's time zone in the 'Olson' timezone
database format; e.g.,'America/Los_Angeles'", database format; e.g.,'America/Los_Angeles'",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "active", "name" : "active",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the User's "description" : "A Boolean value indicating the User's
administrative status.", administrative status.",
"required" : false, "required" : false,
"caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
}, },
{ {
"name" : "password", "name" : "password",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The User's clear text password. This attribute "description" : "The User's clear text password. This attribute
is intended to be used as a means to specify an initial password when is intended to be used as a means to specify an initial password when
creating a new User or to reset an existing User's password.", creating a new User or to reset an existing User's password.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
skipping to change at page 42, line 15 skipping to change at page 42, line 22
}, },
{ {
"name" : "emails", "name" : "emails",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "E-mail addresses for the user. The value SHOULD "description" : "E-mail addresses for the user. The value SHOULD
be canonicalized by the Service Provider, e.g. bjensen@example.com be canonicalized by the Service Provider, e.g. bjensen@example.com
instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and
other.", other.",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "E-mail addresses for the user. The value "description" : "E-mail addresses for the user. The value
SHOULD be canonicalized by the Service Provider, e.g. SHOULD be canonicalized by the Service Provider, e.g.
bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type
values of work, home, and other.", values of work, home, and other.",
"required" : false, "required" : false,
skipping to change at page 43, line 21 skipping to change at page 43, line 27
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute, e.g. the preferred mailing preferred attribute value for this attribute, e.g. the preferred mailing
address or primary e-mail address. The primary attribute value 'true' address or primary e-mail address. The primary attribute value 'true'
MUST appear no more than once.", MUST appear no more than once.",
"required" : false, "required" : false,
"caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "phoneNumbers", "name" : "phoneNumbers",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "Phone numbers for the User. The value SHOULD "description" : "Phone numbers for the User. The value SHOULD
be canonicalized by the Service Provider according to format in RFC3966 be canonicalized by the Service Provider according to format in RFC3966
e.g. 'tel:+1-201-555-0123'. Canonical Type values of work, home, e.g. 'tel:+1-201-555-0123'. Canonical Type values of work, home,
mobile, fax, pager and other.", mobile, fax, pager and other.",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Phone number of the User", "description" : "Phone number of the User",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
skipping to change at page 44, line 47 skipping to change at page 44, line 49
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute, e.g. the preferred phone preferred attribute value for this attribute, e.g. the preferred phone
number or primary phone number. The primary attribute value 'true' MUST number or primary phone number. The primary attribute value 'true' MUST
appear no more than once.", appear no more than once.",
"required" : false, "required" : false,
"caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
}, },
{ {
"name" : "ims", "name" : "ims",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "Instant messaging addresses for the User.", "description" : "Instant messaging addresses for the User.",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Instant messaging address for the User.", "description" : "Instant messaging address for the User.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
skipping to change at page 46, line 22 skipping to change at page 46, line 21
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute, e.g. the preferred preferred attribute value for this attribute, e.g. the preferred
messenger or primary messenger. The primary attribute value 'true' MUST messenger or primary messenger. The primary attribute value 'true' MUST
appear no more than once.", appear no more than once.",
"required" : false, "required" : false,
"caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
}, },
{ {
"name" : "photos", "name" : "photos",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "URLs of photos of the User.", "description" : "URLs of photos of the User.",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "reference", "type" : "reference",
"referenceTypes" : ["external"],
"multiValued" : false, "multiValued" : false,
"description" : "URL of a photo of the User.", "description" : "URL of a photo of the User.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
skipping to change at page 47, line 40 skipping to change at page 47, line 37
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute, e.g. the preferred photo preferred attribute value for this attribute, e.g. the preferred photo
or thumbnail. The primary attribute value 'true' MUST appear no more or thumbnail. The primary attribute value 'true' MUST appear no more
than once.", than once.",
"required" : false, "required" : false,
"caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
}, },
{ {
"name" : "addresses", "name" : "addresses",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A physical mailing address for this User, as "description" : "A physical mailing address for this User, as
described in (address Element). Canonical Type Values of work, home, and described in (address Element). Canonical Type Values of work, home, and
other. The value attribute is a complex type with the following other. The value attribute is a complex type with the following
sub-attributes.", sub-attributes.",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "formatted", "name" : "formatted",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The full mailing address, formatted for "description" : "The full mailing address, formatted for
display or use with a mailing label. This attribute MAY contain display or use with a mailing label. This attribute MAY contain
newlines.", newlines.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
skipping to change at page 50, line 18 skipping to change at page 50, line 9
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "groups", "name" : "groups",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A list of groups that the user belongs to, "description" : "A list of groups that the user belongs to,
either thorough direct membership, nested groups, or dynamically either thorough direct membership, nested groups, or dynamically
calculated", calculated",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The identifier of the User's group.", "description" : "The identifier of the User's group.",
"readOnly" : false, "readOnly" : false,
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "reference", "type" : "reference",
"referenceTypes" : [
"User",
"Group"
],
"multiValued" : false, "multiValued" : false,
"description" : "The URI of the corresponding Group "description" : "The URI of the corresponding Group
resource to which the user belongs", resource to which the user belongs",
"readOnly" : false, "readOnly" : false,
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
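Review bot: both "groups" sub-attributes carry "readOnly": false next to "mutability": "readOnly"; "readOnly" is the SCIM 1.x quality superseded by "mutability" in this draft and here it contradicts the mutability given, so drop it. The new "referenceTypes": ["User", "Group"] on "$ref" does not match the description ("The URI of the corresponding Group resource to which the user belongs"); if only Group resources are referenced, list only "Group".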
skipping to change at page 51, line 28 skipping to change at page 51, line 23
"canonicalValues" : [ "canonicalValues" : [
"direct", "direct",
"indirect" "indirect"
], ],
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
], ],
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
}, },
{ {
"name" : "entitlements", "name" : "entitlements",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A list of entitlements for the User that "description" : "A list of entitlements for the User that
represent a thing the User has.", represent a thing the User has.",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The value of an entitlement.", "description" : "The value of an entitlement.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
skipping to change at page 52, line 23 skipping to change at page 52, line 16
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A label indicating the attribute's "description" : "A label indicating the attribute's
function.", function.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute. The primary attribute preferred attribute value for this attribute. The primary attribute
value 'true' MUST appear no more than once.", value 'true' MUST appear no more than once.",
"required" : false, "required" : false,
"caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
}, },
{ {
"name" : "roles", "name" : "roles",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A list of roles for the User that collectively "description" : "A list of roles for the User that collectively
represent who the User is; e.g., 'Student', 'Faculty'.", represent who the User is; e.g., 'Student', 'Faculty'.",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The value of a role.", "description" : "The value of a role.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
skipping to change at page 53, line 51 skipping to change at page 53, line 39
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute. The primary attribute preferred attribute value for this attribute. The primary attribute
value 'true' MUST appear no more than once.", value 'true' MUST appear no more than once.",
"required" : false, "required" : false,
"caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
}, },
{ {
"name" : "x509Certificates", "name" : "x509Certificates",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A list of certificates issued to the User.", "description" : "A list of certificates issued to the User.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
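Review bot: "caseExact" : false is still declared on the complex attribute x509Certificates (the line after its "required" : false) in both columns, while this revision removes caseExact from the other complex attributes (entitlements, roles) and the new Schema meta-schema in 8.7.2 describes caseExact as applying only to string attributes; drop it here as well. Given the changelog entry that x509Certificates values are now base64-encoded DER, the (elided) "value" sub-attribute should carry "caseExact" : true, since base64 text is case-sensitive and a case-insensitive comparison would treat distinct certificates as equal.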
skipping to change at page 55, line 17 skipping to change at page 54, line 50
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute. The primary attribute preferred attribute value for this attribute. The primary attribute
value 'true' MUST appear no more than once.", value 'true' MUST appear no more than once.",
"required" : false, "required" : false,
"caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"created" : "2010-01-23T04:56:22Z",
"lastModified" : "2014-02-04T00:00:00Z",
"version" : "W/\"3694e05e9dff596\"",
"location" : "location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User" "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
} }
}, },
{ {
"id" : "urn:ietf:params:scim:schemas:core:2.0:Group", "id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
"name" : "Group", "name" : "Group",
"description" : "Group", "description" : "Group",
"attributes" : [ "attributes" : [
{ {
skipping to change at page 56, line 4 skipping to change at page 55, line 32
{ {
"name" : "displayName", "name" : "displayName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Human readable name for the Group. REQUIRED.", "description" : "Human readable name for the Group. REQUIRED.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "members", "name" : "members",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A list of members of the Group.", "description" : "A list of members of the Group.",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Identifier of the member of this Group.", "description" : "Identifier of the member of this Group.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "immutable", "mutability" : "immutable",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "reference", "type" : "reference",
"referenceTypes" : [
"User",
"Group"
],
"multiValued" : false, "multiValued" : false,
"description" : "The URI of the corresponding to the member "description" : "The URI of the corresponding to the member
resource of this Group.", resource of this Group.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "immutable", "mutability" : "immutable",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
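Review bot: the displayName description ends with "REQUIRED." but the attribute carries "required" : false in both columns; the flag and the text contradict each other, and a client validating against this schema will trust the flag, so either set "required" : true or remove "REQUIRED." from the description. The $ref description "The URI of the corresponding to the member resource of this Group." has a stray "of the"; suggest "The URI corresponding to the member resource of this Group."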
skipping to change at page 57, line 4 skipping to change at page 56, line 34
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [ "canonicalValues" : [
"User", "User",
"Group" "Group"
], ],
"mutability" : "immutable", "mutability" : "immutable",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"created" : "2010-01-23T04:56:22Z",
"lastModified" : "2014-02-04T00:00:00Z",
"version" : "W/\"3694e05e9dff596\"",
"location" : "location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group" "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
} }
}, },
{ {
"id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"name" : "EnterpriseUser", "name" : "EnterpriseUser",
"description" : "Enterprise User", "description" : "Enterprise User",
"attributes" : [ "attributes" : [
{ {
"name" : "employeeNumber", "name" : "employeeNumber",
"type" : "string", "type" : "string",
skipping to change at page 58, line 39 skipping to change at page 58, line 17
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "manager", "name" : "manager",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "The User's manager. A complex type that "description" : "The User's manager. A complex type that
optionally allows Service Providers to represent organizational optionally allows Service Providers to represent organizational
hierarchy by referencing the "id" attribute of another User.", hierarchy by referencing the 'id' attribute of another User.",
"required" : false, "required" : false,
"caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The id of the SCIM resource representing "description" : "The id of the SCIM resource representing
the User's manager. REQUIRED.", the User's manager. REQUIRED.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "reference", "type" : "reference",
"referenceTypes" : [
"User"
],
"multiValued" : false, "multiValued" : false,
"description" : "The URI of the SCIM resource representing "description" : "The URI of the SCIM resource representing
the User's manager. REQUIRED.", the User's manager. REQUIRED.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
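Review bot: manager is declared "multiValued" : true, yet its description ("The User's manager") and both sub-attribute descriptions speak of a single manager; if one manager per User is intended, this should be "multiValued" : false, otherwise the descriptions should say so. Both the value and $ref sub-attributes are described as "REQUIRED." while carrying "required" : false; align the flag with the text, since the flag is what implementations enforce. The change from "id" to 'id' inside the manager description is needed rather than cosmetic: unescaped double quotes inside a JSON string make the example invalid JSON.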
skipping to change at page 59, line 24 skipping to change at page 59, line 4
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "displayName", "name" : "displayName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The displayName of the User's manager. "description" : "The displayName of the User's manager.
OPTIONAL and READ-ONLY.", OPTIONAL and READ-ONLY.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default"
"uniqueness" : "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"created" : "2010-01-23T04:56:22Z",
"lastModified" : "2014-02-04T00:00:00Z",
"version" : "W/\"3694e05e9dff596\"",
"location" : "location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" "/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
} }
} }
] ]
Figure 9: Example Schema JSON Representation Figure 9: Example JSON Representation for Resource Schema
8.7.2. Service Provider Schema Representation
The following is a representation of the SCIM Schema for the fixed
service provider schemas: ServiceProviderConfig, ResourceType, and
Schema.
[
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
"name" : "Service Provider Configuration",
"description" : "Schema for representing the service provider's
configuration",
"attributes" : [
{
"name" : "documentationUri",
"type" : "reference",
"referenceTypes" : ["external"],
"multiValued" : false,
"description" : "An HTTP addressable URL pointing to the service
provider's human consumable help documentation.",
"required" : false,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "patch",
"type" : "complex",
"multiValued" : false,
"description" : "A complex type that specifies PATCH
configuration options.",
"required" : true,
"returned" : "default",
"mutability" : "readOnly",
"subAttributes" : [
{
"name" : "supported",
"type" : "boolean",
"multiValued" : false,
"description" : "Boolean value specifying whether the
operation is supported.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default"
}
]
},
{
"name" : "bulk",
"type" : "complex",
"multiValued" : false,
"description" : "A complex type that specifies BULK
configuration options.",
"required" : true,
"returned" : "default",
"mutability" : "readOnly",
"subAttributes" : [
{
"name" : "supported",
"type" : "boolean",
"multiValued" : false,
"description" : "Boolean value specifying whether the
operation is supported.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "maxOperations",
"type" : "integer",
"multiValued" : false,
"description" : "An integer value specifying the maximum
number of operations.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "maxPayloadSize",
"type" : "integer",
"multiValued" : false,
"description" : "An integer value specifying the maximum
payload size in bytes.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"name" : "filter",
"type" : "complex",
"multiValued" : false,
"description" : "A complex type that specifies FILTER options.",
"required" : true,
"returned" : "default",
"mutability" : "readOnly",
"subAttributes" : [
{
"name" : "supported",
"type" : "boolean",
"multiValued" : false,
"description" : "Boolean value specifying whether the
operation is supported.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "maxResults",
"type" : "integer",
"multiValued" : false,
"description" : "Integer value specifying the maximum number
of resources returned in a response.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"name" : "changePassword",
"type" : "complex",
"multiValued" : false,
"description" : "A complex type that specifies change password
options.",
"required" : true,
"returned" : "default",
"mutability" : "readOnly",
"subAttributes" : [
{
"name" : "supported",
"type" : "boolean",
"multiValued" : false,
"description" : "Boolean value specifying whether the
operation is supported.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default"
}
]
},
{
"name" : "sort",
"type" : "complex",
"multiValued" : false,
"description" : "A complex type that specifies sort result
options.",
"required" : true,
"returned" : "default",
"mutability" : "readOnly",
"subAttributes" : [
{
"name" : "supported",
"type" : "boolean",
"multiValued" : false,
"description" : "Boolean value specifying whether the
operation is supported.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default"
}
]
},
{
"name" : "authenticationSchemes",
"type" : "complex",
"multiValued" : true,
"description" : "A complex type that specifies supported
Authentication Scheme properties.",
"required" : true,
"returned" : "default",
"mutability" : "readOnly",
"subAttributes" : [
{
"name" : "name",
"type" : "string",
"multiValued" : false,
"description" : "The common authentication scheme name;
e.g., HTTP Basic.",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "description",
"type" : "string",
"multiValued" : false,
"description" : "A description of the authentication
scheme.",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "specUri",
"type" : "reference",
"referenceTypes" : ["external"],
"multiValued" : false,
"description" : "An HTTP addressable URL pointing to the
Authentication Scheme's specification.",
"required" : false,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "documentationUri",
"type" : "reference",
"referenceTypes" : ["external"],
"multiValued" : false,
"description" : "An HTTP addressable URL pointing to the
Authentication Scheme's usage documentation.",
"required" : false,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
}
]
}
]
},
{
"id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
"name" : "ResourceType",
"description" : "Specifies the schema that describes a SCIM Resource
Type",
"attributes" : [
{
"name" : "id",
"type" : "string",
"multiValued" : false,
"description" : "The resource type's server unique id. May be
the same as the 'name' attribute.",
"required" : false,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "name",
"type" : "string",
"multiValued" : false,
"description" : "The resource type name. When applicable service
providers MUST specify the name specified in the core schema
specification; e.g., User",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "description",
"type" : "string",
"multiValued" : false,
"description" : "The resource type's human readable description.
When applicable service providers MUST specify the description
specified in the core schema specification.",
"required" : false,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "endpoint",
"type" : "reference",
"referenceTypes" : ["uri"],
"multiValued" : false,
"description" : "The resource type's HTTP addressable endpoint
relative to the Base URL; e.g., /Users",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "schema",
"type" : "reference",
"referenceTypes" : ["uri"],
"multiValued" : false,
"description" : "The resource types primary/base schema URI",
"required" : true,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "schemaExtensions",
"type" : "complex",
"multiValued" : false,
"description" : "A list of URIs of the resource type's schema
extensions",
"required" : true,
"mutability" : "readOnly",
"returned" : "default",
"subAttributes" : [
{
"name" : "schema",
"type" : "reference",
"referenceTypes" : ["uri"],
"multiValued" : false,
"description" : "The URI of a schema extension.",
"required" : true,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "required",
"type" : "boolean",
"multiValued" : false,
"description" : "A Boolean value that specifies whether the
schema extension is required for the resource type. If
true, a resource of this type MUST include this schema
extension and include any attributes declared as required
in this schema extension. If false, a resource of this
type MAY omit this schema extension.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default"
}
]
}
]
},
{
"id" : "urn:ietf:params:scim:schemas:core:2.0:Schema",
"name" : "Schema",
"description" : "Specifies the schema that describes a SCIM Schema",
"attributes" : [
{
"name" : "id",
"type" : "string",
"multiValued" : false,
"description" : "The unique URI of the schema. When applicable
service providers MUST specify the URI specified in the core
schema specification",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "name",
"type" : "string",
"multiValued" : false,
"description" : "The schema's human readable name. When
applicable service providers MUST specify the name specified
in the core schema specification; e.g., User",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "description",
"type" : "string",
"multiValued" : false,
"description" : "The schema's human readable name. When
applicable service providers MUST specify the name specified
in the core schema specification; e.g., User",
"required" : false,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "attributes",
"type" : "complex",
"multiValued" : true,
"description" : "A complex attribute that includes the
attributes of a schema",
"required" : true,
"mutability" : "readOnly",
"returned" : "default",
"subAttributes" : [
{
"name" : "name",
"type" : "string",
"multiValued" : false,
"description" : "The attribute's name",
"required" : true,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "type",
"type" : "string",
"multiValued" : false,
"description" : "The attribute's data type. Valid values
include: 'string', 'complex', 'boolean', 'decimal',
'integer', 'dateTime', 'reference'. ",
"required" : true,
"canonicalValues" : [
"string",
"complex",
"boolean",
"decimal",
"integer",
"dateTime",
"reference"
],
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "multiValued",
"type" : "boolean",
"multiValued" : false,
"description" : "Boolean indicating an attribute's
plurality.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "description",
"type" : "string",
"multiValued" : false,
"description" : "A human readable description of the
attribute.",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "required",
"type" : "boolean",
"multiValued" : false,
"description" : "A boolean indicating if the attribute
is required.",
"required" : false,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "canonicalValues",
"type" : "string",
"multiValued" : true,
"description" : "A collection of canonical values. When
applicable service providers MUST specify the canonical
types specified in the core schema specification; e.g.,
'work', 'home'.",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "caseExact",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates if a string attribute is
case-sensitive.",
"required" : false,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "mutability",
"type" : "string",
"multiValued" : false,
"description" : "Indicates if an attribute is modifiable.",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none",
"canonicalValues" : [
"readOnly",
"readWrite",
"immutable",
"writeOnly"
]
},
{
"name" : "returned",
"type" : "string",
"multiValued" : false,
"description" : "Indicates when an attribute is returned in
a response (e.g. to a query).",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none",
"canonicalValues" : [
"always",
"never",
"default",
"request"
]
},
{
"name" : "uniqueness",
"type" : "string",
"multiValued" : false,
"description" : "Indicates how unique a value must be.",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none",
"canonicalValues" : [
"none",
"server",
"global"
]
},
{
"name" : "referenceTypes",
"type" : "string",
"multiValued" : true,
"description" : "Used only with an attribute of type
'reference'. Specifies a SCIM resourceType that a
reference attribute MAY refer to. E.g. User",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "subAttributes",
"type" : "complex",
"multiValued" : true,
"description" : "Used to define the sub-attributes of a
complex attribute",
"required" : false,
"mutability" : "readOnly",
"returned" : "default",
"subAttributes" : [
{
"name" : "name",
"type" : "string",
"multiValued" : false,
"description" : "The attribute's name",
"required" : true,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "type",
"type" : "string",
"multiValued" : false,
"description" : "The attribute's data type. Valid values
include: 'string', 'complex', 'boolean', 'decimal',
'integer', 'dateTime', 'reference'. ",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none",
"canonicalValues" : [
"string",
"complex",
"boolean",
"decimal",
"integer",
"dateTime",
"reference"
]
},
{
"name" : "multiValued",
"type" : "boolean",
"multiValued" : false,
"description" : "Boolean indicating an attribute's
plurality.",
"required" : true,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "description",
"type" : "string",
"multiValued" : false,
"description" : "A human readable description of the
attribute.",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "required",
"type" : "boolean",
"multiValued" : false,
"description" : "A boolean indicating if the attribute
is required.",
"required" : false,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "canonicalValues",
"type" : "string",
"multiValued" : true,
"description" : "A collection of canonical values. When
applicable service providers MUST specify the
canonical types specified in the core schema
specification; e.g., 'work', 'home'.",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "caseExact",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates if a string attribute is
case-sensitive.",
"required" : false,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "mutability",
"type" : "string",
"multiValued" : false,
"description" : "Indicates if an attribute is
modifiable.",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none",
"canonicalValues" : [
"readOnly",
"readWrite",
"immutable",
"writeOnly"
]
},
{
"name" : "returned",
"type" : "string",
"multiValued" : false,
"description" : "Indicates when an attribute is
returned in a response (e.g. to a query).",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none",
"canonicalValues" : [
"always",
"never",
"default",
"request"
]
},
{
"name" : "uniqueness",
"type" : "string",
"multiValued" : false,
"description" : "Indicates how unique a value must be.",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none",
"canonicalValues" : [
"none",
"server",
"global"
]
},
{
"name" : "referenceTypes",
"type" : "string",
"multiValued" : false,
"description" : "Used only with an attribute of type
'reference'. Specifies a SCIM resourceType that a
reference attribute MAY refer to. E.g. 'User'",
"required" : false,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
}
]
}
]
}
]
}
]
Figure 10: Representation of Fixed ServiceProvider Endpoint Schemas
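Review bot: in the Schema resource's "attributes", the "description" attribute reuses the text of the "name" attribute ("The schema's human readable name. ... e.g., User") and should describe the description instead. Several flags also disagree with their own descriptions: ResourceType.schemaExtensions is "A list of URIs" but has "multiValued" : false (should be true); referenceTypes is "multiValued" : true at the top-level attributes block but "multiValued" : false inside the subAttributes block, while Figure 9 uses it as an array ("referenceTypes" : ["User", "Group"]), so both should be true; ResourceType.id has "required" : false whereas Schema.id has "required" : true, and Schema.id (a URI) is "caseExact" : false while ResourceType.schema and schemaExtensions.schema (also URIs) are "caseExact" : true. Pick one rule for URI-valued attributes and apply it throughout, since case handling decides whether two schema URIs compare equal. Nit: "The resource types primary/base schema URI" should read "The resource type's primary/base schema URI".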
9. Security Considerations 9. Security Considerations
The SCIM Core schema defines attributes that MAY contain personally The SCIM Core schema defines attributes that MAY contain personally
identifiable information as well as other sensitive data. Aside from identifiable information as well as other sensitive data. Aside from
prohibiting password values in a SCIM response this specification prohibiting password values in a SCIM response this specification
does not provide any means or guarantee of confidentiality. does not provide any means or guarantee of confidentiality.
In particular, attributes such as "id" and "externalId" are of In particular, attributes such as "id" and "externalId" are of
particular concern as personally identifiable information that particular concern as personally identifiable information that
skipping to change at page 66, line 18 skipping to change at page 81, line 12
[RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC
3966, December 2004. 3966, December 2004.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC Resource Identifier (URI): Generic Syntax", STD 66, RFC
3986, January 2005. 3986, January 2005.
[RFC4647] Phillips, A. and M. Davis, "Matching of Language Tags", [RFC4647] Phillips, A. and M. Davis, "Matching of Language Tags",
BCP 47, RFC 4647, September 2006. BCP 47, RFC 4647, September 2006.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008. Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
October 2008. October 2008.
[RFC5646] Phillips, A. and M. Davis, "Tags for Identifying [RFC5646] Phillips, A. and M. Davis, "Tags for Identifying
Languages", BCP 47, RFC 5646, September 2009. Languages", BCP 47, RFC 5646, September 2009.
[RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the
Time Zone Database", BCP 175, RFC 6557, February 2012. Time Zone Database", BCP 175, RFC 6557, February 2012.
[RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data
skipping to change at page 67, line 13 skipping to change at page 82, line 13
Languages", BCP 18, RFC 2277, January 1998. Languages", BCP 18, RFC 2277, January 1998.
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Directory Information Models", RFC 4512, June (LDAP): Directory Information Models", RFC 4512, June
2006. 2006.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
6749, October 2012. 6749, October 2012.
[XML-Schema] [XML-Schema]
Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes Peterson, D., Gao, S., Malhotra, A., Sperberg-McQueen, C.,
Second Edition", October 2004. and H. Thompson, "XML Schema Definition Language (XSD) 1.1
Part 2: Datatypes", April 2012.
Appendix A. Acknowledgements Appendix A. Acknowledgements
The editors would like to acknowledge the contribution and work of The editors would like to acknowledge the contribution and work of
the past draft editors: the past draft editors:
Chuck Mortimore, Salesforce Chuck Mortimore, Salesforce
Patrick Harding, Ping Patrick Harding, Ping
skipping to change at page 71, line 5 skipping to change at page 85, line 48
Added example Group resource type to example of resource types in Added example Group resource type to example of resource types in
JSON JSON
Draft 15 - PH - Corrected schema in sec 7 to use defined types from Draft 15 - PH - Corrected schema in sec 7 to use defined types from
sec 2.1 sec 2.1
Draft 16 - PH - Corrected photo.value from "type":"binary" to Draft 16 - PH - Corrected photo.value from "type":"binary" to
"type":"reference" (should be a URL) "type":"reference" (should be a URL)
Draft 17 - PH - Changes as follows:
Updated reference for XML-Schema to the 5 April 2012 XML Schema
1.1 draft
Added clarifications on attribute characteristics and Schema usage
Added schema in section 8.7 for Schema, ServiceProviderConfig, and
ResourceType
Fixed nit in service provider config.
Clarified binary attribute may be base 64 or base 64 url encoding
per RFC4648. x509certificates are now base64 encoded.
Clarified x509certificates values are DER certificates that are
then base64 encoded
Corrected "reference" attribute to use the "referenceTypes" meta-
attribute that says what type of reference an attribute is.
Authors' Addresses Authors' Addresses
Phil Hunt (editor) Phil Hunt (editor)
Oracle Corporation Oracle Corporation
Email: phil.hunt@yahoo.com Email: phil.hunt@yahoo.com
Kelly Grizzle Kelly Grizzle
SailPoint SailPoint
 End of changes. 110 change blocks. 
187 lines changed or deleted 968 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/