draft-ietf-scim-core-schema-17.txt   draft-ietf-scim-core-schema-18.txt

   (The text below follows draft-18.  Where draft-17 differs, its
   wording is quoted in a bracketed "[draft-17: ...]" note after the
   passage; passages present only in draft-18 are marked
   "[not in draft-17]".)

Network Working Group                                       P. Hunt, Ed.
Internet-Draft                                                    Oracle
Intended status: Standards Track                              K. Grizzle
Expires: October 26, 2015                                      SailPoint
                                                           E. Wahlstroem
                                                        Nexus Technology
                                                            C. Mortimore
                                                              Salesforce
                                                          April 24, 2015

      System for Cross-Domain Identity Management: Core Schema
                   draft-ietf-scim-core-schema-18

   [draft-17: "Expires: September 5, 2015", dated "March 4, 2015",
   titled draft-ietf-scim-core-schema-17]
Abstract

   The System for Cross-Domain Identity Management (SCIM) specifications
   are designed to make identity management in cloud based applications
   and services easier.  The specification suite builds upon experience
   with existing schemas and deployments, placing specific emphasis on
   simplicity of development and integration, while applying existing
   authentication, authorization, and privacy models.  Its intent is to
   reduce the cost and complexity of user management operations by

   skipping to change at page 1, line 49

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 26, 2015.
   [draft-17: "This Internet-Draft will expire on September 5, 2015."]

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   skipping to change at page 2, line 25

   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents
   Section                                          draft-17       draft-18
   -----------------------------------------------  -------------  -------------
   Introduction and Overview                        1       p.3    1       p.3
   Requirements Notation and Conventions            1.1     p.4    1.1     p.4
   Definitions                                      1.2     p.4    1.2     p.4
   SCIM Schema                                      2       p.5    2       p.6
   Attributes                                       2.1     p.6    2.1     p.6
   Attribute Data Types                             2.2     p.6    2.2     p.7
   String                                           2.2.1   p.7    2.2.1   p.7
   Boolean                                          2.2.2   p.7    2.2.2   p.7
   Decimal                                          2.2.3   p.7    2.2.3   p.8
   Integer                                          2.2.4   p.7    2.2.4   p.8
   DateTime                                         2.2.5   p.7    2.2.5   p.8
   Binary                                           2.2.6   p.8    2.2.6   p.8
   Reference                                        2.2.7   p.8    2.2.7   p.8
   Complex                                          2.2.8   p.8    2.2.8   p.9
   Attribute Characteristics                        -              2.3     p.9
   Multi-valued Attributes                          2.3     p.9    2.4     p.10
   Unassigned and Null Values                       2.4     p.9    2.5     p.11
   SCIM Resources                                   3       p.10   3       p.11
   Common Attributes                                3.1     p.12   3.1     p.14
   Defining New Resource Types                      3.2     p.13   3.2     p.15
   Attribute Extensions to Resources                3.3     p.13   3.3     p.16
   SCIM Core Resources and Extensions               4       p.14   4       p.16
   User Resource Schema                             4.1     p.14   4.1     p.16
   Singular Attributes                              4.1.1   p.14   4.1.1   p.16
   Multi-valued Attributes                          4.1.2   p.17   4.1.2   p.19
   Group Resource Schema                            4.2     p.19   4.2     p.22
   Enterprise User Schema Extension                 4.3     p.20   4.3     p.22
   Service Provider Configuration Schema            5       p.21   5       p.23
   ResourceType Schema                              6       p.23   6       p.25
   Schema Definition                                7       p.24   7       p.26
   JSON Representation                              8       p.27   8       p.30
   Minimal User Representation                      8.1     p.27   8.1     p.30
   Full User Representation                         8.2     p.27   8.2     p.30
   Enterprise User Extension Representation         8.3     p.30   8.3     p.33
   Group Representation                             8.4     p.34   8.4     p.36
   Service Provider Configuration Representation    8.5     p.34   8.5     p.37
   Resource Type Representation                     8.6     p.36   8.6     p.39
   Schema Representation                            8.7     p.36   8.7     p.39
   Resource Schema Representation                   8.7.1   p.37   8.7.1   p.40
   Service Provider Schema Representation           8.7.2   p.59   8.7.2   p.62
   Security Considerations                          9       p.74   9       p.77
   Protocol                                         -              9.1     p.77
   Password and Other Sensitive Security Data       -              9.2     p.77
   Privacy                                          -              9.3     p.77
   IANA Considerations                              10      p.75   10      p.78
   New Registration of SCIM URN Sub-namespace       10.1    p.75   -
   Registration of SCIM URN Sub-namespace & SCIM
     Registry                                       -              10.1    p.78
   URN Sub-Namespace for SCIM                       10.2    p.75   10.2    p.79
   Specification Template                           10.2.1  p.75   10.2.1  p.79
   Pre-Registered SCIM Schema Identifiers           10.2.2  p.78   -
   Registering SCIM Schemas                         10.3    p.78   10.3    p.81
   Registration Procedure                           10.3.1  p.78   10.3.1  p.81
   Schema Registration Template                     10.3.2  p.79   10.3.2  p.82
   Initial SCIM Schema Registry                     10.4    p.79   10.4    p.82
   References                                       11      p.80   11      p.83
   Normative References                             11.1    p.80   11.1    p.83
   Informative References                           11.2    p.81   11.2    p.84
   Acknowledgements                                 App. A  p.82   App. A  p.85
   Change Log                                       App. B  p.83   App. B  p.86
   Authors' Addresses                               -       p.86   -       p.90
1.  Introduction and Overview

   While there are existing standards for describing and exchanging user
   information, many of these standards can be difficult to implement
   and/or use; e.g., their wire protocols do not easily traverse
   firewalls and/or are not easily layered onto existing web protocols.
   As a result, many cloud providers implement non-standardized
   protocols for managing users within their services.  This increases
   both the cost and complexity associated with organizations adopting
   products and services from multiple cloud providers as they must
   perform redundant integration development.  Similarly, cloud services
   providers seeking to inter-operate with multiple application
   marketplaces or cloud identity providers would require pairwise
   integration.
   [draft-17: "... marketplaces or cloud identity providers must be
   redundantly integrated."]

   SCIM seeks to simplify this problem through a simple to implement
   specification suite that provides a common user schema and extension
   model, as well as a SCIM Protocol document, that defines exchanging
   this schema via an HTTP based protocol [I-D.ietf-scim-api].  [[RFC
   Editor: This document an the companion scim-api document should be
   published together]] It draws inspiration and best practice, building
   upon existing user protocols and schemas from a wide variety of
   sources including, but not limited to, existing services exposed by
   cloud providers, PortableContacts [PortableContacts], vCards
   [RFC6350], and LDAP directory services [RFC6350].
   [draft-17: "... a common user schema and extension model, as well as
   binding documents to provide patterns for exchanging this schema via
   an HTTP based protocol.  It draws inspiration and best practice,
   building upon existing user protocols and schemas from a wide variety
   of sources including, but not limited to, existing services exposed
   by cloud providers, PortableContacts, vCards, and LDAP directory
   services."]

   This document provides a JSON based schema and extension model for
   representing users and groups, as well as Service Provider
   configuration.  This schema is intended for exchange and use with
   cloud service providers and other cross-domain scenarios.
   [draft-17: "... as well as service provider configuration." and, at
   the end of the paragraph: "An HTTP protocol-binding document is
   provided separately."]
1.1.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Throughout this document, values are quoted to indicate that they are
   to be taken literally.  When using these values in protocol messages,
   the quotes MUST NOT be used as part of the value.

   skipping to change at page 4, line 34 (draft-17) / page 4, line 38
   (draft-18)

   readability reasons.
1.2.  Definitions

   [draft-17 writes "e.g." without the following comma throughout this
   section; only the other differences are noted below.]

   Service Provider
      An HTTP web application that provides identity information via the
      SCIM protocol.

   Client
      A website or application that uses the SCIM protocol to manage
      identity data maintained by the service provider.  The Client
      initiates SCIM HTTP requests to a target service provider.
      [draft-17: "The client initiates ..."]

   Provisioning Domain
      A provisioning domain is an administrative domain external to the
      domain of a Service Provider for legal or technical reasons.  For
      example, a SCIM Client in an enterprise (provisioning client)
      communicates with a SCIM Service Provider that is owned or
      controlled by a different legal entity.
      [not in draft-17]

   Resource Type
      A type of a resource that is managed by a service provider.  The
      resource type defines the resource name, endpoint URL, Schemas,
      and other meta-data which indicate where a resource is managed and
      how it is composed; e.g., "User" or "Group".

   Resource
      A Service Provider managed artifact containing one or more
      attributes.  For example a "User" or "Group".
      [draft-17: "A service provider managed artifact ..."]

   Endpoint
      An endpoint for a Service Provider is a defined base path relative
      to the service providers Base URI (see definitions of
      [I-D.ietf-scim-api]) over which SCIM operations MAY be performed
      against SCIM resources.  For example, assuming the Service
      Provider Base URI is "https://example.com/": "User" resources may
      be accessed at the "https://example.com/Users", or
      "https://example.com/v2/Users" (when including protocol version,
      see Section 3.13 [I-D.ietf-scim-api]) endpoint.  Service provider
      schemas MAY be returned from the "/Schemas" endpoint.
      [not in draft-17]

   Schema
      A collection of attribute definitions that describe the contents
      of an entire or partial resource; e.g.,
      "urn:ietf:params:scim:schemas:core:2.0:User".  The attribute
      definitions define the name of the attribute, and metadata such as
      type (e.g., string, binary), cardinality (singular, multi,
      complex), mutability, and returnability.

   Singular Attribute
      A resource attribute that contains 0..1 values; e.g.,
      "displayName".

   Multi-valued Attribute
      A resource attribute that contains 0..n values; e.g., "emails".

   Simple Attribute
      A singular or multi-valued attribute whose value is a primitive;
      e.g., "String".  A simple attribute MAY not contain sub-
      attributes.
      [draft-17: ends after 'e.g. "String".']

   Complex Attribute
      A singular or multi-valued attribute whose value is a composition
      of one or more simple attributes; e.g., "addresses" has the sub-
      attributes "streetAddress", "locality", "postalCode", and
      "country".

   Sub-Attribute
      A simple attribute that is contained within a complex attribute.
2.  SCIM Schema

   A SCIM server provides a set of resources, the allowable contents of
   which are defined by a set of schema URIs and a resource type.
   SCIM's schema is not a document-centric one such as with
   [XML-Schema].  Instead, SCIM's support of schema is attribute based
   where each attribute may have different type, mutability,
   cardinality, or returnability.  validation of documents and messages
   is always performed, as specified by the SCIM specifications by an
   intended receiver.  Validation is performed by the receiver in the
   context of a SCIM protocol request (see [I-D.ietf-scim-api]).  For
   example, a SCIM service provider, upon receiving a request to replace
   an existing resource with a replacement JSON object, evaluates each
   asserted attribute based on its characteristics as defined in the
   relevant schema (e.g., mutability) and decides which attributes may
   be replaced or ignored.
   [draft-17: "... a set of resources, the contents of which are defined
   by ..."; "alidation of documents and messages is always performed
   ..."; "... in the context of a protocol request."; "... evaluates
   each asserted attribute based on the attributed defined schema (e.g.
   mutability) and decides which attributes may be replaced or
   ignored."]

   This specification provides a minimal core schema for representing
   users and groups (resources), encompassing common attributes found in
   many existing deployments and schemas.  In addition to the minimal
   core schema, this document also specifies a standardized means by
   which service providers may extend schemas to define new resources
   and attributes in both standardized and Service Provider specific
   cases.
   [draft-17: "... may extend schema to define new resources and
   attributes in both standardized and service provider specific
   cases."]

   Resources are categorized into common resource types such as "User"
   or "Group").  Collections of resources of the same type are usually
   contained within the same "container" ("folder") endpoint.
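   The replace scenario described above, worked through as an added
   example (this is not code from the draft or from any SCIM
   implementation).  It evaluates each asserted attribute against the
   mutability characteristic of a schema.  The mutability values used
   ("readOnly", "readWrite", "immutable", "writeOnly") are the ones SCIM
   defines in its Section 7; USER_SCHEMA is a constructed fragment of a
   User schema, and the ignore/error policy is this example's own
   reading of the text rather than normative behaviour.

```python
# Added example: evaluating a "replace" request attribute by attribute
# using the mutability characteristic from the schema.  USER_SCHEMA is a
# constructed fragment, not the full core User schema.
USER_SCHEMA = {
    "id": "readOnly",
    "meta": "readOnly",
    "userName": "readWrite",
    "displayName": "readWrite",
    "externalId": "immutable",
    "password": "writeOnly",
}


def _asserted(replacement, name):
    """Case-insensitive lookup of an asserted attribute (attribute names
    are case-insensitive); None when the client did not assert it."""
    wanted = name.lower()
    for key, value in replacement.items():
        if key.lower() == wanted:
            return value
    return None


def apply_replace(current, replacement, schema=USER_SCHEMA):
    """Build the resource that results from replacing `current` with the
    client-supplied `replacement` JSON object.

    Returns (new_resource, ignored, errors):
      - readOnly: the server's value is kept; a differing client value is
        recorded in `ignored`, so "id" and "meta" cannot be overwritten;
      - immutable: may be set while unset; an attempt to change an
        existing value is recorded in `errors` and the old value kept;
      - readWrite / writeOnly: replaced by the asserted value, and dropped
        when the replacement omits them (it is a full replace);
      - attributes not in the schema are not carried over at all.
    """
    new, ignored, errors = {}, [], []
    for name, mutability in schema.items():
        asserted = _asserted(replacement, name)
        existing = current.get(name)
        if mutability == "readOnly":
            if asserted is not None and asserted != existing:
                ignored.append(name)
            if existing is not None:
                new[name] = existing
        elif mutability == "immutable":
            if existing is not None and asserted is not None and asserted != existing:
                errors.append(name)
                new[name] = existing
            elif asserted is not None:
                new[name] = asserted
            elif existing is not None:
                new[name] = existing
        else:  # "readWrite" or "writeOnly"
            if asserted is not None:
                new[name] = asserted
    return new, ignored, errors
```

   A Service Provider would answer a non-empty `errors` list with an
   error response and simply not echo the `ignored` names back; the
   point of the per-attribute evaluation is that a client cannot use a
   full replace to rewrite server-owned attributes.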
2.1.  Attributes

   A resource is a collection of attributes identified by one or more
   schemas.  Minimally, an attribute consists of the attribute name and
   at least one simple or complex value either of which may be multi-
   valued.  For each attribute, SCIM schema defines the data type,
   plurality, mutability, and other distinguishing features of an
   attribute.

   Attribute names are case-insensitive and MAY be camel-cased (e.g.,
   "camelCase").  SCIM resources are represented in JSON [RFC7159] and
   MUST specify schema via the "schemas" attribute per Section 3.
   [draft-17: 'Attribute names SHOULD be camel-cased (e.g.
   "camelCase").']

   Attribute names MUST conform to the following ABNF rules:
   [draft-17: "... the following ABNF [RFC5234] rules:"]

     ATTRNAME   = ALPHA *(nameChar)
     nameChar   = "$" / "-" / "_" / DIGIT / ALPHA
     [draft-17: nameChar   = "-" / "_" / DIGIT / ALPHA]

                   Figure 1: ABNF for Attribute Names
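   The ATTRNAME rule of Figure 1 and the case-insensitive matching of
   attribute names, as an added example (not code from the draft).  Both
   versions of the nameChar rule are encoded so the effect of adding "$"
   is visible; the character classes are ASCII-only because ALPHA and
   DIGIT are the ABNF Core Rules.  The sample resource is constructed.

```python
import re

# Added example: Figure 1 as regular expressions.  ALPHA and DIGIT are the
# ABNF Core Rules (US-ASCII letters and digits), so the classes are
# deliberately ASCII; a Unicode-aware \w would accept names the grammar
# rejects.
_ATTRNAME_DRAFT17 = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")
_ATTRNAME_DRAFT18 = re.compile(r"[A-Za-z][A-Za-z0-9_$-]*")  # "$" added to nameChar


def is_valid_attrname(name, allow_dollar=True):
    """True if `name` is an ATTRNAME.  allow_dollar=True applies the
    draft-18 rule, False the draft-17 rule.  fullmatch is used rather
    than match() with a "$" anchor, which would accept a trailing
    newline.  Under either rule the first character must be ALPHA, so a
    name beginning with "$" (such as "$ref") does not match ATTRNAME as
    written, even though draft-18 admits "$" in later positions."""
    pattern = _ATTRNAME_DRAFT18 if allow_dollar else _ATTRNAME_DRAFT17
    return isinstance(name, str) and pattern.fullmatch(name) is not None


def find_attribute(resource, name):
    """Case-insensitive lookup of `name` in a decoded JSON object, as the
    text requires for attribute names.  The requested name is validated
    first so a malformed name can never be matched against the schema.
    Returns (key_as_sent, value) or None."""
    if not is_valid_attrname(name):
        raise ValueError(f"not an ATTRNAME: {name!r}")
    wanted = name.lower()
    for key, value in resource.items():
        if isinstance(key, str) and key.lower() == wanted:
            return key, value
    return None
```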
   The above rules (and other rules in this specification) use the "Core
   Rules" from ABNF, see Appendix B [RFC5234].  Unless otherwise
   specified in this specification, all ABNF strings are case
   insensitive and the character set for these strings is US-ASCII.  For
   example, all attribute names defined by the above rule are case
   insensitive.
   [not in draft-17]

2.2.  Attribute Data Types

   Attribute data types are derived from JSON [RFC7159].  The JSON
   format defines a limited set of data types, hence, where appropriate,
   alternate JSON representations derived from XML Schema [XML-Schema]
   are defined below.  SCIM extensions SHOULD NOT introduce new data
   types.
   [draft-17: "Attribute data types are derived from JSON [RFC7159] and
   unless otherwise specified have the following characteristics (see
   Section 7 for attribute characteristic definitions):

   o  are OPTIONAL (is not required).
   o  are case insensitive ("caseExact" is "false"),
   o  are modifiable ("mutability" is "readWrite"),
   o  are returned in response to queries (returned by default),
   o  have no canonical values (e.g. type is "home" or "work"),
   o  are not unique ("uniqueness" is "none"), and,
   o  of type string (Section 2.2.1).

   The JSON format defines a limited set of data types, hence, where
   appropriate, alternate JSON representations derived from XML Schema
   [XML-Schema] are defined below.  SCIM extensions SHOULD NOT introduce
   new data types."]

   The following is a table that maps the following data types, to SCIM
   schema type and the underlying JSON data type:

   +----------------+--------------------+-----------------------------+
   | SCIM Data Type | SCIM Schema "type" | JSON Type                   |
   +----------------+--------------------+-----------------------------+
   | String         | "string"           | String per Sec. 7 [RFC7159] |
   | Boolean        | "boolean"          | Value per Sec. 3 [RFC7159]  |
   | Decimal        | "decimal"          | Number per Sec. 6 [RFC7159] |
   | Integer        | "integer"          | Number per Sec. 6 [RFC7159] |
   | DateTime       | "dateTime"         | String per Sec. 7 [RFC7159] |
   | Binary         | "binary"           | Base64 encoded String per   |
   |                |                    | Sec. 7 [RFC7159]            |
   | Reference      | "reference"        | String per Sec. 7 [RFC7159] |
   | Complex        | "complex"          | Object per Sec. 4 [RFC7159] |
   +----------------+--------------------+-----------------------------+
   [draft-17 Binary row: | Binary | "string" | Base64 encoded String |]

              Table 1: SCIM Data Type to JSON Representation
2.2.1.  String

   A sequence of zero or more Unicode characters encoded using UTF-8 as
   per [RFC2277] and [RFC3629].  The JSON format is defined in Section 7
   [RFC7159].  A "String" attribute MAY specify a required data format.
   Additionally, when "canonicalValues" is specified, service providers
   MAY restrict accepted values to the specified values.

   skipping to change at page 7, line 49 (draft-17) / page 8, line 20
   (draft-18)

2.2.4.  Integer

   A decimal number with no fractional digits.  The JSON format is
   defined in Section 6 [RFC7159] with the additional constraint that
   the value MUST NOT contain fractional or exponent parts.  An integer
   has no case sensitivity.

2.2.5.  DateTime

   A DateTime value (e.g., 2008-01-23T04:56:22Z).  The attribute value
   MUST be encoded as a valid xsd:dateTime as specified in Section 3.3.7
   [XML-Schema].  A date-time has no case-sensitivity or uniqueness.
   [draft-17: "(e.g. 2008-01-23T04:56:22Z)"]

   Values represented in JSON MUST conform to the XML constraints above
   and are represented as a JSON String per Section 7 [RFC7159].

2.2.6.  Binary

   Arbitrary binary data.  The attribute value MUST be encoded in base
   64 encoding as specified in Section 4 [RFC4648].  In cases where a
   URL-safe encoding is required, the attribute definition MAY specify
   Base 64 URL encoding be used as per Section 5 [RFC4648].  Unless
   otherwise specified in the attribute definition, trailing padding
   characters MAY be omitted ("=").
   [draft-17: paragraph ends after "... as per Section 5 [RFC4648]."]

   In JSON representation, the encoded values are represented as a JSON
   String per Section 7 [RFC7159].  A binary is case-exact and has no
   uniqueness.
2.2.7. Reference 2.2.7. Reference
The value is a URI for a resource. A resource MAY be a SCIM The value is a URI for a resource. A resource MAY be a SCIM
resource, an external link to a resource (e.g. a photo), or it may be resource, an external link to a resource (e.g., a photo), or it may
an identifier such as a URN. The value MUST be the absolute or be an identifier such as a URN. The value MUST be the absolute or
relative URI of the target resource. Relative URIs should be relative URI of the target resource. Relative URIs should be
resolved as specified in Section 5.2 [RFC3986]. However, the base resolved as specified in Section 5.2 [RFC3986]. However, the base
URI for relative URI resolution MUST include all URI components and URI for relative URI resolution MUST include all URI components and
path segments up to but not including the Endpoint URI (the SCIM path segments up to but not including the Endpoint URI (the SCIM
service provider root endpoint); e.g., the base URI for a request to Service Provider root endpoint); e.g., the base URI for a request to
"https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646" "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
would be "https://example.com/v2/" and the relative URI for this would be "https://example.com/v2/" and the relative URI for this
resource would be "Users/2819c223-7f76-453a-919d-413861904646". resource would be "Users/2819c223-7f76-453a-919d-413861904646".
In JSON representation, the URI value is represented as a JSON String In JSON representation, the URI value is represented as a JSON String
per Section 7 [RFC7159]. A reference is case-exact. A reference has per Section 7 [RFC7159]. A reference is case-exact. A reference has
a "referenceType" that indicates what types of resources may be a "referenceType" that indicates what types of resources may be
linked as per Section 7. linked as per Section 7.
Performing a GET operation on a reference URI MUST return the target Performing a GET operation on a reference URI MUST return the target
resource or an appropriate HTTP response code. The service provider resource or an appropriate HTTP response code. The Service Provider
MAY optionally choose to enforce referential integrity for reference MAY optionally choose to enforce referential integrity for reference
types referring to SCIM resources. types referring to SCIM resources.
By convention, a reference is commonly represented as a "$ref" sub- By convention, a reference is commonly represented as a "$ref" sub-
attribute in complex or multi-valued attributes, however this is attribute in complex or multi-valued attributes, however this is
OPTIONAL. OPTIONAL.
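   The base URI rule above is the part implementers most often get
   wrong: resolving a relative "$ref" against the URI of the resource
   that carries it places the reference under the wrong endpoint. The
   following Python, an added example that is not part of the draft,
   derives the Service Provider base from a request URI and resolves
   references against it; the endpoint names and the Group identifier
   are constructed for the example.

```python
"""Resolve SCIM "$ref" values per Section 2.2.7: relative references are
resolved against the Service Provider base URI (everything up to, but
not including, the endpoint segment), never against the URI of the
resource that carries the reference."""
from urllib.parse import urljoin, urlsplit, urlunsplit

# Endpoint names known to this example; a deployment takes them from its
# ResourceType definitions (Section 6).  Constructed for the example.
KNOWN_ENDPOINTS = ("Users", "Groups")


def service_provider_base(request_uri, endpoints=KNOWN_ENDPOINTS):
    """Base URI for reference resolution: all URI components and path
    segments before the endpoint segment, always ending in "/"."""
    parts = urlsplit(request_uri)
    segments = parts.path.split("/")
    for i, seg in enumerate(segments):
        if seg in endpoints:
            prefix = "/".join(segments[:i]) + "/"
            return urlunsplit((parts.scheme, parts.netloc, prefix, "", ""))
    raise ValueError("no SCIM endpoint segment in %r" % request_uri)


def resolve_ref(ref, request_uri):
    """Absolute form of a "$ref" (RFC 3986 Section 5.2).  An absolute
    reference, e.g. an external photo URL, is returned unchanged."""
    return urljoin(service_provider_base(request_uri), ref)


def relative_ref(resource_uri, request_uri):
    """Relative form of a resource URI under the same Service Provider
    base; URIs outside the base are returned as they are."""
    base = service_provider_base(request_uri)
    if resource_uri.startswith(base):
        return resource_uri[len(base):]
    return resource_uri


def naive_resolve(ref, request_uri):
    """The mistake the section guards against: resolving against the
    resource URI itself, which lands under the wrong endpoint."""
    return urljoin(request_uri, ref)
```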
2.2.8. Complex

   A singular or multi-valued attribute whose value is a composition of
   one or more simple attributes. The JSON format is defined in
   Section 4 [RFC7159]. The order of the component attributes is not
   significant. Servers and clients MUST NOT require or expect
   attributes to be in any specific order when an object is either
   generated or analyzed. A complex attribute has no uniqueness or case
   sensitivity. A complex attribute MUST NOT contain sub-attributes
   that have sub-attributes (i.e., that are complex).

2.3. Attribute Characteristics

   If not otherwise stated in Section 7, SCIM attributes have the
   following characteristics:

   o  are OPTIONAL (not REQUIRED),

   o  are case insensitive ("caseExact" is "false"),

   o  are modifiable ("mutability" is "readWrite"),

   o  are returned in response to queries (returned by default),

   o  have no canonical values (for example, the "type" sub-attribute in
      Section 2.4),

   o  are not unique ("uniqueness" is "none"), and

   o  are of type string (Section 2.2.1).

2.4. Multi-valued Attributes

   Multi-valued attributes contain a list of elements using the JSON
   array format defined in Section 5 of [RFC7159]. Elements can be
   either

   o  primitive values, or

   o  objects with a set of sub-attributes and values, using the JSON
      object format defined in Section 4 of [RFC7159], in which case
      they MAY also be considered to be complex attributes. As with
      complex attributes, the order of sub-attributes is not
      significant. The pre-defined sub-attributes listed in this
      section can be used with multi-valued attribute objects, but these
      sub-attributes should only be used with the meanings defined here.

   The pre-defined set of sub-attributes for a multi-valued attribute
   are:

   type
      A label indicating the attribute's function; e.g., "work" or
      "home".

   primary
      A Boolean value indicating the 'primary' or preferred attribute
      value for this attribute, e.g., the preferred mailing address or
      the primary e-mail address. The primary attribute value "true"
      MUST appear no more than once. If not specified, the value of
      "primary" SHALL be assumed to be "false".

   display
      A human readable name, primarily used for display purposes and has
      a mutability of "immutable".

   value
      The attribute's significant value; e.g., the e-mail address, phone
      number, etc.

   $ref
      The reference URI of the target resource, if the attribute is a
      reference.

   When returning multi-valued attributes, service providers SHOULD
   canonicalize the value returned (e.g., by returning a value for the
   sub-attribute "type" such as "home" or "work") when appropriate
   (e.g., for e-mail addresses and URLs).

   Service providers MAY return element objects with the same "value"
   sub-attribute more than once with a different "type" sub-attribute
   (e.g., the same e-mail address may be used for work and home), but
   SHOULD NOT return the same (type, value) combination more than once
   per attribute, as this complicates processing by the consumer.

   When defining schema for multi-valued attributes, it is considered
   good practice to provide a "type" sub-attribute that MAY be used for
   the purpose of canonicalization of values. Further, the schema
   definition for an attribute MAY define the recommended canonical
   values (see Section 7).
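   The following Python, added here and not part of the draft, checks a
   multi-valued attribute against the rules of Sections 2.2.8 and 2.4
   (at most one "primary" of "true", an absent "primary" meaning
   "false", no repeated (type, value) pair, no complex sub-attribute
   inside a complex element) and compares two arrays without regard to
   element order. The sample "emails" array and its addresses are
   constructed for the example.

```python
"""Checks for a SCIM multi-valued attribute (Sections 2.2.8 and 2.4)."""
import json


def check_multivalued(name, elements):
    """Return {"errors": [...], "warnings": [...]}: MUST-level rule
    violations are errors, SHOULD-level ones are warnings."""
    errors, warnings = [], []
    if not isinstance(elements, list):
        return {"errors": ["%s: value is not a JSON array" % name],
                "warnings": []}
    primaries = 0
    seen = set()
    for idx, elem in enumerate(elements):
        where = "%s[%d]" % (name, idx)
        if isinstance(elem, list):
            errors.append("%s: element is neither a primitive nor an object"
                          % where)
            continue
        if not isinstance(elem, dict):
            continue  # primitive element: nothing further to check
        # Sub-attributes MUST NOT themselves be complex (Section 2.2.8).
        for sub, val in elem.items():
            if isinstance(val, dict):
                errors.append("%s.%s: complex sub-attribute inside a "
                              "complex attribute" % (where, sub))
        # "primary" is Boolean; absent means false; true at most once.
        primary = elem.get("primary", False)
        if not isinstance(primary, bool):
            errors.append("%s.primary: not a Boolean" % where)
        elif primary:
            primaries += 1
        # The same (type, value) combination SHOULD NOT repeat.
        pair = (elem.get("type"), json.dumps(elem.get("value"), sort_keys=True))
        if pair in seen:
            warnings.append("%s: repeated (type, value) %r" % (where, pair))
        seen.add(pair)
    if primaries > 1:
        errors.append('%s: "primary" is true on %d elements' % (name, primaries))
    return {"errors": errors, "warnings": warnings}


def normalize_element(elem):
    """Comparison form of one element: sub-attribute order is not
    significant and an absent "primary" equals "primary": false."""
    if not isinstance(elem, dict):
        return json.dumps(elem)
    e = dict(elem)
    e.setdefault("primary", False)
    return json.dumps(e, sort_keys=True)


def same_elements(a, b):
    """True when two arrays hold the same elements in any order."""
    return sorted(map(normalize_element, a)) == sorted(map(normalize_element, b))


# Constructed sample: one repeated (type, value) pair and two primaries.
SAMPLE_EMAILS = [
    {"value": "bjensen@example.com", "type": "work", "primary": True},
    {"value": "babs@jensen.org", "type": "home"},
    {"value": "bjensen@example.com", "type": "work"},
    {"value": "babs@example.com", "type": "other", "primary": True},
]
```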
2.5. Unassigned and Null Values

   Unassigned attributes, the null value, or empty array (in the case of
   a multi-valued attribute) SHALL be considered to be equivalent in
   "state". Assigning an attribute with the value "null" or an empty
   array (in the case of multi-valued attributes) has the effect of
   making the attribute "unassigned". When a resource is expressed in
   JSON form, unassigned attributes, though they are defined in schema,
   MAY be omitted for compactness.

3. SCIM Resources

   Each SCIM resource is a JSON object that has the following
   components:

   Resource Type
      Each resource (or JSON object) in SCIM has a resource type
      ("meta.resourceType", see Section 3.1) that defines the resource's
      core attribute schema and any attribute extension schema as well
      as the endpoint where objects of the same type may be found. More
      information about a resource MAY be found in its resourceType
      definition (see Section 6).

   Schemas Attribute
      The "schemas" attribute is a REQUIRED attribute that MUST be
      present and is an array of Strings containing URIs which are used
      to indicate the namespaces of the SCIM schemas that define the
      attributes present in the current JSON structure. It may be used
      by parsers to define the attributes present in the JSON structure
      that is the body to an HTTP Request or Response. Each String
      value must be a unique URI. All representations of SCIM schemas
      MUST include a non-empty array with value(s) of the URIs supported
      by that representation. The schemas attribute for a resource MUST
      only contain values defined as "schema" and "schemaExtensions" for
      the resource's "resourceType". Duplicate values MUST NOT be
      included. Value order is not specified and MUST NOT impact
      behavior.

   Common Attributes
      Attributes that are part of every SCIM resource regardless of
      the value of the "schemas" attribute present in a JSON body.
      These attributes are not defined in any particular schema, but
      SHALL be assumed to be present in every resource regardless of the
      value of the "schemas" attribute. See Section 3.1.

   Core Attributes
      A resource's core attributes are those attributes that sit at the

skipping to change at page 14, line 26

      common attributes as part of the schema. The attribute
      characteristics listed here SHALL take precedence.

   id
      A unique identifier for a SCIM resource as defined by the service
      provider. Each representation of the resource MUST include a non-
      empty "id" value. This identifier MUST be unique across the SCIM
      service provider's entire set of resources. It MUST be a stable,
      non-reassignable identifier that does not change when the same
      resource is returned in subsequent requests. The value of the
      "id" attribute is always issued by the Service Provider and MUST
      NOT be specified by the client. The string "bulkId" is a reserved
      keyword and MUST NOT be used within any unique identifier value.
      The attribute characteristics are "caseExact" as "true" and a
      mutability of "readOnly". See Section 9 for additional
      considerations regarding privacy.

   externalId
      A String that is an identifier for the resource as defined by the
      provisioning client. The "externalId" may simplify identification
      of a resource between the provisioning Client and the Service
      Provider by allowing the Client to use a filter to locate the
      resource with an identifier from the provisioning domain,
      obviating the need to store a local mapping between the
      provisioning domain's identifier of the resource and the
      identifier used by the service provider. Each resource MAY
      include a non-empty "externalId" value. The value of the
      "externalId" attribute is always issued by the provisioning Client
      and MUST NOT be specified by the service provider. The Service
      Provider MUST always interpret the externalId as scoped to the
      provisioning domain. While the server does not enforce
      uniqueness, it is assumed that the value's uniqueness is
      controlled by the Client setting the value. See Section 9 for
      additional considerations regarding privacy. The attribute has
      "caseExact" as "true" and has a mutability of "readWrite". The
      attribute is OPTIONAL.

   meta
      A complex attribute containing resource metadata. All meta sub-
      attributes are asserted by the Service Provider and SHALL be
      ignored when provided by clients:

      resourceType The name of the resource type of the resource. This
         attribute has mutability of "readOnly" and has "caseExact" as
         "true". The attribute is REQUIRED when provided by the service
         provider.

      created The DateTime the resource was added to the service
         provider. The attribute MUST be a DateTime. This attribute
         has mutability of "readOnly".

      lastModified The most recent DateTime the details of this
         resource were updated at the service provider. If this
         resource has never been modified since its initial creation,
         the value MUST be the same as the value of created. The
         attribute MUST be a DateTime and has mutability of "readOnly".
         The attribute is REQUIRED when provided by the service
         provider.

      location The URI of the resource being returned. This value MUST
         be the same as the "Content-Location" HTTP response header (see
         Section 3.1.4.2 [RFC7231]). The attribute has mutability of
         "readOnly". The attribute is REQUIRED when provided by the
         service provider.

      version The version of the resource being returned. This value
         must be the same as the ETag HTTP response header (see Sections
         2.1 and 2.3 of [RFC7232]). The attribute has mutability of
         "readOnly" and has "caseExact" as "true". The attribute is
         OPTIONAL subject to the service provider's support for
         versioning (see "Versioning Resources", Section 3.14
         [I-D.ietf-scim-api]). If a Service Provider provides "version"
         (entity-tag) for a representation and the generation of that
         entity-tag does not satisfy all of the characteristics of a
         strong validator (see Section 2.1, [RFC7232]), then the origin
         server MUST mark the "version" (entity-tag) as weak by
         prefixing its opaque value with "W/" (case-sensitive).

3.2. Defining New Resource Types

   SCIM may be extended to define new classes of resources by defining a
   resource type. Each resource type defines the name, endpoint, base
   schema (the attributes), and any schema extensions registered for use
   with the resource type. In order to offer new types of resources, a
   Service Provider defines the new resource type as specified in
   Section 6 and defines a schema representation (see Section 8.7).

3.3. Attribute Extensions to Resources

   SCIM allows resource types to have extensions in addition to their
   core schema. This is similar to how "ObjectClasses" are used in
   LDAP. However, unlike LDAP there is no inheritance model; all
   extensions are additive (similar to LDAP Auxiliary Object Class
   [RFC4512]). Each value in the "schemas" attribute indicates
   additive schema that MAY exist in a SCIM resource representation.
   The "schemas" attribute MUST contain at least one value which SHALL
   be the base schema for the resource. The "schemas" attribute MAY
   contain additional values indicating extended schemas that are in
   use. Schema extensions SHOULD avoid redefining any attributes
   defined in this specification and SHOULD follow conventions defined
   in this specification. Except for the base object schema, the schema
   extension URI SHALL be used as a JSON container to distinguish
   attributes belonging to the extension namespace from base schema
   attributes. See Figure 5 for an example of the JSON representation
   of an extended User.

   In order to determine which URI value in the "schemas" attribute is
   the base schema and which is extended schema for any given resource,
   the resource's "resourceType" attribute value MAY be used to retrieve
   the resource's "ResourceType" schema (Section 6). See example
   "ResourceType" representation in Figure 8.
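   Putting Sections 3, 3.1 and 3.3 together on the receiving side, the
   following Python, an added example that is not part of the draft,
   validates the "schemas" attribute against a ResourceType definition,
   requires extension attributes to sit in their URI-keyed container,
   and discards any client-supplied "id" and "meta" before the server
   asserts its own (including a weak "version" entity-tag). The
   ResourceType definition, the "urn:example:..." extension URI, the
   base URL, the timestamp and the "department" value are constructed
   for the example; only the core User schema URI comes from
   Section 4.1 below.

```python
"""Validate the "schemas" attribute and the server-asserted common
attributes of a SCIM resource posted by a client (Sections 3, 3.1, 3.3)."""
import hashlib
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Constructed extension URI, standing in for a registered schema extension.
HR_EXT = "urn:example:params:scim:schemas:extension:hr:2.0:User"
# Constructed Service Provider base URL.
BASE_URL = "https://example.com/v2"

# Minimal ResourceType definition (Section 6), constructed for the example.
USER_RESOURCE_TYPE = {
    "name": "User",
    "endpoint": "/Users",
    "schema": USER_SCHEMA,
    "schemaExtensions": [{"schema": HR_EXT, "required": False}],
}

# Common attributes the server asserts; client-supplied values are ignored.
SERVER_ASSERTED = ("id", "meta")


def check_schemas(resource, resource_type):
    """Return the list of "schemas" rule violations (empty when valid)."""
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        return ['"schemas" is REQUIRED and MUST be a non-empty array']
    problems = []
    if len(set(schemas)) != len(schemas):
        problems.append('"schemas" MUST NOT contain duplicate values')
    base = resource_type["schema"]
    extensions = resource_type.get("schemaExtensions", [])
    allowed = {base} | {e["schema"] for e in extensions}
    if base not in schemas:
        problems.append('"schemas" MUST contain the base schema %s' % base)
    for uri in schemas:
        if uri not in allowed:
            problems.append("%s is not a schema or schemaExtension of the %s "
                            "resourceType" % (uri, resource_type["name"]))
    for ext in extensions:
        if ext.get("required") and ext["schema"] not in schemas:
            problems.append('required extension %s missing from "schemas"'
                            % ext["schema"])
    # Extension attributes live in a JSON object keyed by the extension URI
    # (Section 3.3).  This example treats every URN-keyed top-level member
    # as such a container; base schema attributes sit at the top level.
    for key, val in resource.items():
        if key.startswith("urn:"):
            if key not in schemas:
                problems.append('container %s is not listed in "schemas"' % key)
            elif not isinstance(val, dict):
                problems.append("extension %s MUST be a JSON object" % key)
    return problems


def weak_version(stored):
    """Entity-tag for "meta.version".  It is computed from the stored
    attributes rather than from each octet-exact representation, so it is
    not a strong validator and Section 3.1 requires the "W/" prefix."""
    body = json.dumps({k: v for k, v in stored.items() if k != "meta"},
                      sort_keys=True)
    return 'W/"%s"' % hashlib.sha256(body.encode()).hexdigest()[:16]


def accept_from_client(resource, resource_type, new_id, now):
    """Server-side representation of a newly created resource: a
    client-supplied "id" or "meta" is dropped (Section 3.1), the server
    issues "id" and asserts "meta" with "created" equal to "lastModified"."""
    problems = check_schemas(resource, resource_type)
    if problems:
        raise ValueError("; ".join(problems))
    if "bulkId" in new_id:
        raise ValueError('"bulkId" is reserved and MUST NOT appear in an id')
    stored = {k: v for k, v in resource.items() if k not in SERVER_ASSERTED}
    stored["id"] = new_id
    stored["meta"] = {
        "resourceType": resource_type["name"],
        "created": now,
        "lastModified": now,
        "location": "%s%s/%s" % (BASE_URL, resource_type["endpoint"], new_id),
    }
    stored["meta"]["version"] = weak_version(stored)
    return stored


# Constructed request body in which the client tries to set "id" and "meta".
CLIENT_REQUEST = {
    "schemas": [USER_SCHEMA, HR_EXT],
    "userName": "bjensen",
    "id": "client-chosen-id",
    "meta": {"resourceType": "Group"},
    HR_EXT: {"department": "Accounting"},
}
```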
4. SCIM Core Resources and Extensions

   This section defines the default resource schemas present in a SCIM
   server. SCIM is not exclusive to these resources, and may be
   extended to support other resource types (see Section 3.2).

4.1. User Resource Schema

   SCIM provides a resource type for "User" resources. The core schema
   for "User" is identified using the URI:
   "urn:ietf:params:scim:schemas:core:2.0:User". The following
   attributes are defined in addition to the core schema attributes:

4.1.1. Singular Attributes

   userName
      A Service Provider unique identifier for the user, typically used
      by the user to directly authenticate to the service provider.
      Often displayed to the user as their unique identifier within the
      system (as opposed to "id" or "externalId", which are generally
      opaque and not user-friendly identifiers). Each User MUST include
      a non-empty userName value. This identifier MUST be unique across
      the service provider's entire set of Users. The attribute is
      REQUIRED and is case-insensitive.

   name
      The components of the user's real name. Service providers MAY
      return just the full name as a single string in the formatted sub-
      attribute, or they MAY return just the individual component
      attributes using the other sub-attributes, or they MAY return
      both. If both variants are returned, they SHOULD be describing
      the same name, with the formatted name indicating how the
      component attributes should be combined.

      formatted The full name, including all middle names, titles, and
         suffixes as appropriate, formatted for display (e.g., "Ms.
         Barbara Jane Jensen, III.").

      familyName The family name of the User, or last name in most
         Western languages (e.g., "Jensen" given the full name "Ms.
         Barbara Jane Jensen, III.").

      givenName The given name of the User, or first name in most
         Western languages (e.g., "Barbara" given the full name "Ms.
         Barbara Jane Jensen, III.").

      middleName The middle name(s) of the User (e.g., "Jane" given the
         full name "Ms. Barbara Jane Jensen, III.").

      honorificPrefix The honorific prefix(es) of the User, or title in
         most Western languages (e.g., "Ms." given the full name "Ms.
         Barbara Jane Jensen, III.").

      honorificSuffix The honorific suffix(es) of the User, or suffix
         in most Western languages (e.g., "III." given the full name
         "Ms. Barbara Jane Jensen, III.").

   displayName
      The name of the user, suitable for display to end-users. Each
      user returned MAY include a non-empty displayName value. The name
      SHOULD be the full name of the User being described if known
      (e.g., "Babs Jensen" or "Ms. Barbara J Jensen, III"), but MAY be
      a username or handle, if that is all that is available (e.g.,
      "bjensen"). The value provided SHOULD be the primary textual
      label by which this User is normally displayed by the Service
      Provider when presenting it to end-users.

   nickName
      The casual way to address the user in real life, e.g., "Bob" or
      "Bobby" instead of "Robert". This attribute SHOULD NOT be used to
      represent a User's username (e.g., bjensen or mpepperidge).

   profileUrl
      A URI that is a uniform resource locator (as defined in
      Section 1.1.3 [RFC3986]) that points to a location representing
      the user's online profile (e.g., a web page).

   title
      The user's title, such as "Vice President".

   userType
      Used to identify the organization-to-user relationship. Typical
      values used might be "Contractor", "Employee", "Intern", "Temp",
      "External", and "Unknown", but any value may be used.

   preferredLanguage

skipping to change at page 19, line 27

      provider. As a typical example, a value of true implies the user
      is able to login while a value of false implies the user's account
      has been suspended.

   password
      The user's clear text password. This attribute is intended to be
      used as a means to specify an initial password when creating a new
      User or to reset an existing User's password. Password policies
      and the ability to update or set passwords are out of scope of
      this document. The mutability of this attribute is "writeOnly",
      indicating the value MUST NOT be returned by a Service Provider in
      any form (the attribute characteristic "returned" is "never").
      Please see Sections 7.5 and 7.6 [I-D.ietf-scim-api] for security
      considerations regarding the handling of passwords.
4.1.2. Multi-valued Attributes

   The following multi-valued attributes are defined.

   emails
      E-mail addresses for the User. The value SHOULD be specified
      according to [RFC5321]. Service providers SHOULD canonicalize the
      value according to [RFC5321], e.g., "bjensen@example.com" instead
      of "bjensen@EXAMPLE.COM". The "display" sub-attribute MAY be used
      to return the canonicalized representation of the e-mail value.
      The "type" sub-attribute contains values of "work", "home", and
      "other", and MAY allow more types to be defined by the SCIM
      clients.

   phoneNumbers
      Phone numbers for the user. The value SHOULD be specified
      according to the format in [RFC3966], e.g., 'tel:+1-201-555-0123'.
      Service providers SHOULD canonicalize the value according to
      [RFC3966] format, when appropriate. The "display" sub-attribute
      MAY be used to return the canonicalized representation of the
      phone number value. The sub-attribute "type" often has typical
      values of "work", "home", "mobile", "fax", "pager", and "other",
      and MAY allow more types to be defined by the SCIM clients.
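   The canonicalization rules above for "emails" and "phoneNumbers", as
   an added Python example that is not part of the draft. RFC 5321
   makes only the domain part of an address case-insensitive, so the
   canonical e-mail form lowercases the domain and leaves the local
   part as given; for tel URIs this example chooses a canonical form
   that drops the visual separators RFC 3966 disregards when comparing
   numbers and accepts only global numbers, a choice of this example
   rather than a rule of the draft. The original stays in "value" and
   the canonical form goes into "display"; the sample elements are
   constructed.

```python
"""Canonicalize "emails" and "phoneNumbers" values before they are
returned (Section 4.1.2).  The canonical form goes into "display" and
"value" keeps what the client supplied."""

# Canonical "type" values named in the text; clients MAY define more.
TYPES = {
    "emails": ("work", "home", "other"),
    "phoneNumbers": ("work", "home", "mobile", "fax", "pager", "other"),
}
# Characters RFC 3966 calls visual separators; they are ignored when
# comparing tel URIs, so the canonical form chosen here drops them.
VISUAL_SEPARATORS = "-.()"


def canonical_email(value):
    """RFC 5321 treats the domain as case-insensitive but not the local
    part, so only the domain is lowercased."""
    local, sep, domain = value.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an addr-spec: %r" % value)
    return "%s@%s" % (local, domain.lower())


def canonical_phone(value):
    """Canonical tel URI chosen for this example: lowercase "tel:"
    scheme, a global number ("+" and digits) with visual separators
    removed, and any URI parameters passed through unchanged."""
    v = value.strip()
    if v[:4].lower() != "tel:":
        raise ValueError("not a tel URI: %r" % value)
    number, semi, params = v[4:].partition(";")
    digits = "".join(ch for ch in number if ch not in VISUAL_SEPARATORS)
    if not (digits.startswith("+") and digits[1:].isdigit()):
        raise ValueError("not a global number: %r" % value)
    return "tel:" + digits + semi + params


CANONICALIZERS = {"emails": canonical_email, "phoneNumbers": canonical_phone}


def canonicalize(name, elements):
    """Return (new_elements, notes).  Each object element gets its
    canonical form in "display".  A value that cannot be canonicalized,
    or a "type" outside the canonical set, is noted but the element is
    kept, since the text lets clients define further types."""
    func, types = CANONICALIZERS[name], TYPES[name]
    out, notes = [], []
    for idx, elem in enumerate(elements):
        if not isinstance(elem, dict) or not isinstance(elem.get("value"), str):
            notes.append("%s[%d]: no string value to canonicalize" % (name, idx))
            out.append(elem)
            continue
        new = dict(elem)
        try:
            new["display"] = func(elem["value"])
        except ValueError as exc:
            notes.append("%s[%d]: %s" % (name, idx, exc))
        if "type" in elem and elem["type"] not in types:
            notes.append("%s[%d]: non-canonical type %r" % (name, idx, elem["type"]))
        out.append(new)
    return out, notes


# Constructed sample elements.
SAMPLE = {
    "emails": [{"value": "bjensen@EXAMPLE.COM", "type": "work", "primary": True},
               {"value": "Babs.Jensen@Example.org", "type": "personal"}],
    "phoneNumbers": [{"value": "tel:+1-201-555-0123", "type": "work"},
                     {"value": "555-0123", "type": "home"}],
}
```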
   ims
      Instant messaging address for the user. No official
      canonicalization rules exist for all instant messaging addresses,
      but service providers SHOULD, when appropriate, remove all
      whitespace and convert the address to lowercase. The "type"
      attribute defines several "canonicalValues" to represent currently
      popular IM services: "aim", "gtalk", "icq", "xmpp", "msn",
      "skype", "qq", "yahoo", and "other".
   photos
      A URI that is a uniform resource locator (as defined in
      Section 1.1.3 [RFC3986]) that points to a resource location
      representing the user's image. The resource MUST be a file (e.g.,
      a GIF, JPEG, or PNG image file) rather than a web page containing
      an image. Service providers MAY return the same image at
      different sizes, though it is recognized that no standard for
      describing images of various sizes currently exists. Note that
      this attribute SHOULD NOT be used to send down arbitrary photos
      taken by this user, but specifically profile photos of the user
      suitable for display when describing the user. Instead of the
      standard canonical values for type, this attribute defines the
      following canonical values to represent popular photo sizes:
      "photo", "thumbnail".

   addresses
      A physical mailing address for this user. Canonical type values
      of "work", "home", and "other". The value attribute is a complex
      type with the following sub-attributes. All sub-attributes are
      OPTIONAL.

      formatted The full mailing address, formatted for display or use
         with a mailing label. This attribute MAY contain newlines.

skipping to change at page 21, line 26

      and any behavior or authorization granted as a result of
      membership are defined by the service provider. The canonical
      types "direct" and "indirect" are defined to describe how the
      group membership was derived. Direct group membership indicates
      the user is directly associated with the group and SHOULD indicate
      that clients may modify membership through the "Group" resource.
      Indirect membership indicates user membership is transitive or
dynamic and implies that clients cannot modify indirect group dynamic and implies that clients cannot modify indirect group
membership through the "Group" resource but MAY modify direct membership through the "Group" resource but MAY modify direct
group membership through the "Group" resource which MAY influence group membership through the "Group" resource which MAY influence
indirect memberships. If the SCIM service provider exposes a indirect memberships. If the SCIM Service Provider exposes a
Group resource, the "value" sub-attribute MUST be the "id" and the Group resource, the "value" sub-attribute MUST be the "id" and the
"$ref" sub-attribute must be the URI of the corresponding "Group" "$ref" sub-attribute must be the URI of the corresponding "Group"
resources to which the user belongs. Since this attribute has a resources to which the user belongs. Since this attribute has a
mutability of "readOnly", group membership changes MUST be applied mutability of "readOnly", group membership changes MUST be applied
via the Group Resource (Section 4.2). The attribute has a via the Group Resource (Section 4.2). The attribute has a
mutability of "readOnly". mutability of "readOnly".
entitlements entitlements
A list of entitlements for the user that represent a thing the A list of entitlements for the user that represent a thing the
user has. An entitlement MAY be an additional right to a thing, user has. An entitlement MAY be an additional right to a thing,
object, or service. No vocabulary or syntax is specified and object, or service. No vocabulary or syntax is specified and
service providers and clients are expected to encode sufficient service providers and clients are expected to encode sufficient
information in the value so as to accurately and without ambiguity information in the value so as to accurately and without ambiguity
determine what the user has access to. This value has NO determine what the user has access to. This value has no
canonical types though type may be useful as a means to scope canonical types though type may be useful as a means to scope
entitlements. entitlements.
roles roles
A list of roles for the user that collectively represent who the A list of roles for the user that collectively represent who the
user is; e.g., "Student, Faculty". No vocabulary or syntax is user is; e.g., "Student, Faculty". No vocabulary or syntax is
specified though it is expected that a role value is a String or specified though it is expected that a role value is a String or
label representing a collection of entitlements. This value has label representing a collection of entitlements. This value has
NO canonical types. no canonical types.
x509Certificates x509Certificates
A list of certificates associated with the resource (e.g. a User). A list of certificates associated with the resource (e.g., a
Each certificate is a DER encoded X.509 (see Section 4 [RFC5280]), User). Each certificate is a DER encoded X.509 (see Section 4
which MUST be base 64 encoded per Section 4 [RFC4648]. [RFC5280]), which MUST be base 64 encoded per Section 4 [RFC4648].
4.2. Group Resource Schema 4.2. Group Resource Schema
SCIM provides a schema for representing groups, identified using the SCIM provides a schema for representing groups, identified using the
following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group". following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group".
Group resources are meant to enable expression of common group or Group resources are meant to enable expression of common group or
role based access control models, although no explicit authorization role based access control models, although no explicit authorization
model is defined. It is intended that the semantics of group model is defined. It is intended that the semantics of group
membership and any behavior or authorization granted as a result of membership and any behavior or authorization granted as a result of
membership are defined by the service provider are considered out of membership are defined by the service provider, and are considered
scope for this specification. out of scope for this specification.
The following singular attribute is defined in addition to the common The following singular attribute is defined in addition to the common
attributes defined in SCIM core schema: attributes defined in SCIM core schema:
displayName displayName
A human readable name for the Group. REQUIRED. A human readable name for the Group. REQUIRED.
The following multi-valued attribute is defined in addition to the The following multi-valued attribute is defined in addition to the
common attributes defined in SCIM Core Schema: common attributes defined in SCIM Core Schema:
members members
A list of members of the Group. While values MAY be added or A list of members of the Group. While values MAY be added or
removed, sub-attributes of members are "immutable". The "value" removed, sub-attributes of members are "immutable". The "value"
sub-attribute must be the "id" and the "$ref" sub-attribute must sub-attribute must be the "id" and the "$ref" sub-attribute must
be the URI of a SCIM resource, either a "User", or a "Group". The be the URI of a SCIM resource, either a "User", or a "Group". The
intention of the "Group" type is to allow the service provider to intention of the "Group" type is to allow the Service Provider to
support nested groups. Service providers MAY require clients to support nested groups. Service providers MAY require clients to
provide a non-empty members value based on the "required" sub provide a non-empty members value based on the "required" sub
attribute of the "members" attribute in the "Group" resource attribute of the "members" attribute in the "Group" resource
schema. schema.
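The "groups" attribute of a User (direct versus indirect membership, "value" carrying the Group "id" and "$ref" its URI) and the "members" attribute of a Group (which may itself reference a Group, enabling nesting) describe one data model from two sides. The following is an added example, not code from the SCIM drafts: it derives a user's read-only "groups" attribute from a constructed set of Group resources. The base URL, the group and user ids, and the "type": "Group" member entries are assumptions made for the example.

```python
"""Derive a User's read-only "groups" attribute from Group resources.

Added example, not code from the SCIM drafts. It assumes a small in-memory
set of Group resources, constructed below, whose "members" entries carry the
"value" (id) and "$ref" sub-attributes and a "type" of "User" or "Group".
"""
from collections import deque

BASE_URL = "https://example.com/v2"  # assumed base URL used in "$ref" values


def ref(resource_type, resource_id):
    """Build the "$ref" URI for a resource relative to the assumed base URL."""
    return f"{BASE_URL}/{resource_type}s/{resource_id}"


# Constructed sample Group resources: "Engineering" contains the nested group
# "Backend", which contains the user; "Ops" contains the user directly.
# A deliberate cycle (Backend -> Engineering) shows that traversal terminates.
GROUPS = {
    "g-eng": {
        "id": "g-eng",
        "displayName": "Engineering",
        "members": [{"value": "g-backend", "$ref": ref("Group", "g-backend"), "type": "Group"}],
    },
    "g-backend": {
        "id": "g-backend",
        "displayName": "Backend",
        "members": [
            {"value": "u-1", "$ref": ref("User", "u-1"), "type": "User"},
            {"value": "g-eng", "$ref": ref("Group", "g-eng"), "type": "Group"},  # cycle
        ],
    },
    "g-ops": {
        "id": "g-ops",
        "displayName": "Ops",
        "members": [{"value": "u-1", "$ref": ref("User", "u-1"), "type": "User"}],
    },
}


def parent_groups(groups):
    """Map each member id (user or group) to the ids of groups listing it directly."""
    parents = {}
    for group in groups.values():
        for member in group.get("members", []):
            parents.setdefault(member["value"], set()).add(group["id"])
    return parents


def user_groups(groups, user_id):
    """Return the "groups" multi-valued attribute for user_id.

    Direct membership: the user appears in the group's own "members".
    Indirect membership: reached only through nested Group members; the
    breadth-first walk keeps a visited set so nested cycles cannot loop.
    """
    parents = parent_groups(groups)
    direct = parents.get(user_id, set())
    seen = set(direct)
    queue = deque(direct)
    indirect = set()
    while queue:
        gid = queue.popleft()
        for parent in parents.get(gid, set()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
                indirect.add(parent)
    # A group reached both directly and via nesting is reported as "direct":
    # that is the membership a client can change through the Group resource.
    indirect -= direct
    entries = []
    for gid in sorted(direct) + sorted(indirect):
        entries.append({
            "value": gid,
            "$ref": ref("Group", gid),
            "display": groups[gid]["displayName"],
            "type": "direct" if gid in direct else "indirect",
        })
    return entries


def membership_types(groups, user_id):
    """Convenience view: {group id: "direct" | "indirect"}."""
    return {e["value"]: e["type"] for e in user_groups(groups, user_id)}


if __name__ == "__main__":
    for entry in user_groups(GROUPS, "u-1"):
        print(entry["type"], entry["display"], entry["$ref"])
```

Because "groups" has a mutability of "readOnly", a service provider recomputes it from the Group resources (as above) rather than accepting it from clients; the visited set matters in practice, since nested groups that reference each other are a common data-quality problem in directories and must not hang the resolver.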
4.3. Enterprise User Schema Extension 4.3. Enterprise User Schema Extension
The following SCIM extension defines attributes commonly used in The following SCIM extension defines attributes commonly used in
representing users that belong to, or act on behalf of a business or representing users that belong to, or act on behalf of a business or
enterprise. The enterprise user extension is identified using the enterprise. The enterprise user extension is identified using the
following schema URI: following schema URI:
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User". "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User".
The following Singular Attributes are defined: The following Singular Attributes are defined:
employeeNumber employeeNumber
Numeric or alphanumeric identifier assigned to a person, typically A string identifier, typically numeric or alpha-numeric, assigned
based on order of hire or association with an organization. to a person, typically based on order of hire or association with
an organization.
costCenter costCenter
Identifies the name of a cost center. Identifies the name of a cost center.
organization organization
Identifies the name of an organization. Identifies the name of an organization.
division division
Identifies the name of a division. Identifies the name of a division.
skipping to change at page 21, line 11 skipping to change at page 23, line 40
displayName The displayName of the user's manager. This displayName The displayName of the user's manager. This
attribute is OPTIONAL and mutability is "readOnly". attribute is OPTIONAL and mutability is "readOnly".
5. Service Provider Configuration Schema 5. Service Provider Configuration Schema
SCIM provides a schema for representing the service provider's SCIM provides a schema for representing the service provider's
configuration identified using the following schema URI: configuration identified using the following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
The service provider configuration resource enables a service The Service Provider configuration resource enables a Service
provider to discover SCIM specification features in a standardized Provider to discover SCIM specification features in a standardized
form as well as provide additional implementation details to clients. form as well as provide additional implementation details to clients.
All attributes have a mutability of "readOnly". Unlike other core All attributes have a mutability of "readOnly". Unlike other core
resources, the "id" attribute is not required for the service resources, the "id" attribute is not required for the Service
provider configuration resource. Provider configuration resource.
The following Singular Attributes are defined in addition to the The following Singular Attributes are defined in addition to the
common attributes defined in Core Schema: common attributes defined in Core Schema:
documentationUrl documentationUrl
An HTTP addressable URL pointing to the service provider's human An HTTP addressable URL pointing to the service provider's human
consumable help documentation. consumable help documentation.
patch patch
A complex type that specifies PATCH configuration options. A complex type that specifies PATCH configuration options.
REQUIRED. REQUIRED. See Section 3.5.2 [I-D.ietf-scim-api].
supported Boolean value specifying whether the operation is supported Boolean value specifying whether the operation is
supported. REQUIRED. supported. REQUIRED.
bulk bulk
A complex type that specifies BULK configuration options. A complex type that specifies Bulk configuration options.
REQUIRED REQUIRED
supported Boolean value specifying whether the operation is supported Boolean value specifying whether the operation is
supported. REQUIRED. supported. REQUIRED. See Section 3.7 [I-D.ietf-scim-api].
maxOperations An integer value specifying the maximum number of maxOperations An integer value specifying the maximum number of
operations. REQUIRED. operations. REQUIRED.
maxPayloadSize An integer value specifying the maximum payload maxPayloadSize An integer value specifying the maximum payload
size in bytes. REQUIRED. size in bytes. REQUIRED.
filter filter
A complex type that specifies FILTER options. REQUIRED. A complex type that specifies FILTER options. REQUIRED. See
Section 3.4.2.2 [I-D.ietf-scim-api].
supported Boolean value specifying whether the operation is supported Boolean value specifying whether the operation is
supported. REQUIRED. supported. REQUIRED.
maxResults Integer value specifying the maximum number of maxResults Integer value specifying the maximum number of
resources returned in a response. REQUIRED. resources returned in a response. REQUIRED.
changePassword changePassword
A complex type that specifies Change Password configuration A complex type that specifies Change Password configuration
options. REQUIRED. options. REQUIRED.
skipping to change at page 22, line 34 skipping to change at page 25, line 18
supported. REQUIRED. supported. REQUIRED.
The following multi-valued attribute is defined in addition to the The following multi-valued attribute is defined in addition to the
common attributes defined in core schema: common attributes defined in core schema:
authenticationSchemes authenticationSchemes
A complex type that specifies supported Authentication Scheme A complex type that specifies supported Authentication Scheme
properties. This attribute defines the following canonical values properties. This attribute defines the following canonical values
to represent common schemes: "oauth", "oauth2", to represent common schemes: "oauth", "oauth2",
"oauthbearertoken", "httpbasic", and "httpdigest". To enable "oauthbearertoken", "httpbasic", and "httpdigest". To enable
seamless discovery of configuration, the service provider SHOULD, seamless discovery of configuration, the Service Provider SHOULD,
with the appropriate security considerations, make the with the appropriate security considerations, make the
authenticationSchemes attribute publicly accessible without prior authenticationSchemes attribute publicly accessible without prior
authentication. REQUIRED. authentication. REQUIRED.
name The common authentication scheme name; e.g., HTTP Basic. name The common authentication scheme name; e.g., HTTP Basic.
REQUIRED. REQUIRED.
description A description of the Authentication Scheme. description A description of the Authentication Scheme.
REQUIRED. REQUIRED.
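A client is expected to read the ServiceProviderConfig resource before relying on PATCH, Bulk, filtering or password changes, and to stay within the advertised limits. The following is an added example, not code from the SCIM drafts: SAMPLE_CONFIG is a constructed resource in the shape described above, the canonical scheme value is assumed to sit in each authenticationSchemes entry's "type" sub-attribute, and the bulk envelope uses the BulkRequest message URN from the SCIM API draft [I-D.ietf-scim-api]. The batching logic is this example's own.

```python
"""Driving a SCIM client from the ServiceProviderConfig resource.

Added example, not code from the SCIM drafts. SAMPLE_CONFIG is a constructed
resource in the shape this section describes; the canonical scheme value is
assumed to sit in each authenticationSchemes entry's "type" sub-attribute.
"""
import json

SAMPLE_CONFIG = {  # constructed sample, modelled on the Figure 7 shape
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
    "documentationUrl": "http://example.com/help/scim.html",
    "patch": {"supported": True},
    "bulk": {"supported": True, "maxOperations": 3, "maxPayloadSize": 400},
    "filter": {"supported": True, "maxResults": 2},
    "changePassword": {"supported": False},
    "authenticationSchemes": [
        {"name": "OAuth Bearer Token", "description": "OAuth 2.0 bearer token",
         "type": "oauthbearertoken", "primary": True},
        {"name": "HTTP Basic", "description": "HTTP Basic authentication",
         "type": "httpbasic"},
    ],
}

# URN of the Bulk request envelope defined in the SCIM API draft.
BULK_REQUEST_URN = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"


def supports(config, feature):
    """True if the complex attribute for feature reports "supported": true."""
    return bool(config.get(feature, {}).get("supported", False))


def preferred_scheme(config, acceptable=("oauthbearertoken", "oauth2", "httpbasic")):
    """Pick the first scheme from the client's own preference order that the
    provider advertises; None if nothing acceptable is offered."""
    advertised = {s.get("type") for s in config.get("authenticationSchemes", [])}
    for candidate in acceptable:
        if candidate in advertised:
            return candidate
    return None


def page_size(config, requested):
    """Clamp a requested page size to the provider's filter.maxResults."""
    limit = config.get("filter", {}).get("maxResults")
    return requested if limit is None else min(requested, limit)


def plan_bulk(config, operations):
    """Split operations into batches that respect bulk.maxOperations and
    bulk.maxPayloadSize (bytes of the serialised request). Raises if bulk is
    unsupported or a single operation alone exceeds the payload limit."""
    if not supports(config, "bulk"):
        raise ValueError("service provider does not support bulk")
    max_ops = config["bulk"]["maxOperations"]
    max_bytes = config["bulk"]["maxPayloadSize"]

    def size(batch):
        body = {"schemas": [BULK_REQUEST_URN], "Operations": batch}
        return len(json.dumps(body, separators=(",", ":")).encode("utf-8"))

    batches, current = [], []
    for op in operations:
        if size([op]) > max_bytes:
            raise ValueError("single operation exceeds maxPayloadSize")
        if current and (len(current) == max_ops or size(current + [op]) > max_bytes):
            batches.append(current)
            current = []
        current.append(op)
    if current:
        batches.append(current)
    return batches


def sample_operations(n):
    """Constructed bulk operations: delete n users with ids u-1 .. u-n."""
    return [{"method": "DELETE", "path": f"/Users/u-{i}"} for i in range(1, n + 1)]


if __name__ == "__main__":
    print("auth scheme:", preferred_scheme(SAMPLE_CONFIG))
    print("page size:", page_size(SAMPLE_CONFIG, 100))
    for batch in plan_bulk(SAMPLE_CONFIG, sample_operations(5)):
        print(len(batch), "operations")
```

The payload check serialises the whole envelope rather than summing operation sizes, since the limit applies to the request body as the server receives it; measuring bytes after UTF-8 encoding keeps the check honest for non-ASCII attribute values.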
skipping to change at page 23, line 34 skipping to change at page 26, line 16
"User" or "Group". This name is referenced by the "User" or "Group". This name is referenced by the
"meta.resourceType" attribute in all resources. "meta.resourceType" attribute in all resources.
description description
The resource type's human readable description. When applicable The resource type's human readable description. When applicable
service providers MUST specify the description specified in the service providers MUST specify the description specified in the
core schema specification. core schema specification.
endpoint endpoint
The resource type's HTTP addressable endpoint relative to the Base The resource type's HTTP addressable endpoint relative to the Base
URL; e.g., "/Users". URL of the service provider; e.g., "Users".
schema schema
The resource type's primary/base schema URI; e.g., The resource type's primary/base schema URI; e.g.,
"urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal "urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal
to the "id" attribute of the associated "Schema" resource. to the "id" attribute of the associated "Schema" resource.
schemaExtensions schemaExtensions
A list of URIs of the resource type's schema extensions. A list of URIs of the resource type's schema extensions.
OPTIONAL. OPTIONAL.
skipping to change at page 24, line 47 skipping to change at page 27, line 32
description description
The schema's human readable description. When applicable service The schema's human readable description. When applicable service
providers MUST specify the description specified in the core providers MUST specify the description specified in the core
schema specification. OPTIONAL. schema specification. OPTIONAL.
The following multi-valued attribute is defined: The following multi-valued attribute is defined:
attributes attributes
A complex type with the following set of sub-attributes that A complex type with the following set of sub-attributes that
defines service provider attributes and their qualities: defines Service Provider attributes and their qualities:
name The attribute's name. name The attribute's name.
type The attribute's data type. Valid values are: "string", type The attribute's data type. Valid values are: "string",
"boolean", "decimal", "integer", "dateTime", "reference", and "boolean", "decimal", "integer", "dateTime", "reference", and
"complex". When an attribute is of type "complex", there "complex". When an attribute is of type "complex", there
SHOULD be a corresponding schema attribute "subAttributes" SHOULD be a corresponding schema attribute "subAttributes"
defined listing the sub-attributes of the attribute. defined listing the sub-attributes of the attribute.
subAttributes When an attribute is of type "complex", subAttributes When an attribute is of type "complex",
skipping to change at page 25, line 24 skipping to change at page 28, line 8
multiValued Boolean value indicating the attribute's plurality. multiValued Boolean value indicating the attribute's plurality.
description The attribute's human readable description. When description The attribute's human readable description. When
applicable service providers MUST specify the description applicable service providers MUST specify the description
specified in the core schema specification. specified in the core schema specification.
required A Boolean value that specifies if the attribute is required A Boolean value that specifies if the attribute is
required. required.
canonicalValues A collection of canonical values. When canonicalValues A collection of suggested canonical values that
applicable service providers MUST specify the canonical types MAY be used. Example: "work" and "home". In some cases service
specified in the core schema specification; e.g., "work", providers MAY choose to ignore unsupported values. The use of
"home". OPTIONAL. canonicalValues is OPTIONAL.
caseExact A Boolean value that specifies if the String attribute caseExact A Boolean value that specifies if the String attribute
is case sensitive. The server SHALL use case sensitivity when is case sensitive. The server SHALL use case sensitivity when
evaluating filters. For attributes that are case exact, the evaluating filters. For attributes that are case exact, the
server SHALL preserve case for any value submitted. If the server SHALL preserve case for any value submitted. If the
attribute is case insensitive, the server MAY alter case for a attribute is case insensitive, the server MAY alter case for a
submitted value. submitted value. Case sensitivity also impacts how attribute
values MAY be compared against filter values (see section
3.4.2.2 [I-D.ietf-scim-api]).
mutability A single keyword indicating what types of mutability A single keyword indicating the circumstances under
modifications an attribute MAY accept as follows: which the value of the attribute can be (re)defined:
readOnly The attribute SHALL NOT be modified. readOnly The attribute SHALL NOT be modified.
readWrite The attribute MAY be updated and read at any time. readWrite The attribute MAY be updated and read at any time.
DEFAULT. DEFAULT.
immutable The attribute MAY be defined at resource creation immutable The attribute MAY be defined at resource creation
(e.g. POST) or at record replacement via request (e.g. a (e.g., POST) or at record replacement via request (e.g., a
PUT). The attribute SHALL NOT be updated. PUT). The attribute SHALL NOT be updated.
writeOnly The attribute MAY be updated at any time. Attribute writeOnly The attribute MAY be updated at any time. Attribute
values SHALL NOT be returned (e.g. because the value is a values SHALL NOT be returned (e.g., because the value is a
stored hash). Note: an attribute with mutability of stored hash). Note: an attribute with mutability of
"writeOnly" usually also has a returned setting of "never". "writeOnly" usually also has a returned setting of "never".
returned A single keyword that indicates when an attribute and returned A single keyword that indicates when an attribute and
associated values are returned in response to a GET request or associated values are returned in response to a GET request or
in response to a PUT, POST, or PATCH request. Valid keywords in response to a PUT, POST, or PATCH request. Valid keywords
are: are:
always The attribute is always returned regardless of the always The attribute is always returned regardless of the
contents of the "attributes" parameter. For example, "id" contents of the "attributes" parameter. For example, "id"
is always returned to identify a SCIM resource. is always returned to identify a SCIM resource.
never The attribute is never returned. This may occur because never The attribute is never returned. This may occur because
the original attribute value is not retained by the service the original attribute value is not retained by the Service
provider (e.g. such as with a hashed value). A service Provider (e.g., such as with a hashed value). A Service
provider MAY allow attributes to be used in a search filter. Provider MAY allow attributes to be used in a search filter.
default The attribute is returned by default in all SCIM default The attribute is returned by default in all SCIM
operation responses where attribute values are returned. If operation responses where attribute values are returned. If
the GET request "attributes" parameter is specified, the GET request "attributes" parameter is specified,
attribute values are only returned if the attribute is named attribute values are only returned if the attribute is named
in the attributes parameter. DEFAULT. in the attributes parameter. DEFAULT.
request The attribute is returned in response to any PUT, request The attribute is returned in response to any PUT,
POST, or PATCH operations if the attribute was specified by POST, or PATCH operations if the attribute was specified by
the client (for example, the attribute was modified). The the Client (for example, the attribute was modified). The
attribute is returned in a SCIM query operation only if attribute is returned in a SCIM query operation only if
specified in the "attributes" parameter. specified in the "attributes" parameter.
uniqueness A single keyword value that specifies how the service uniqueness A single keyword value that specifies how the Service
provider enforces uniqueness of attribute values. A server MAY Provider enforces uniqueness of attribute values. A server MAY
reject an invalid value based on uniqueness by returning HTTP reject an invalid value based on uniqueness by returning HTTP
Response code 400 (Bad Request). A client MAY enforce Response code 400 (Bad Request). A Client MAY enforce
uniqueness on the client-side to a greater degree than the uniqueness on the client-side to a greater degree than the
service provider enforces. For example, a client could make a Service Provider enforces. For example, a Client could make a
value unique while the server has uniqueness of "none". Valid value unique while the server has uniqueness of "none". Valid
keywords are: keywords are:
none The values are not intended to be unique in any way. none The values are not intended to be unique in any way.
DEFAULT. DEFAULT.
server The value SHOULD be unique within the context of the server The value SHOULD be unique within the context of the
current SCIM endpoint (or tenancy) and MAY be globally current SCIM endpoint (or tenancy) and MAY be globally
unique (e.g. a "username", email address, or other server unique (e.g., a "username", email address, or other server
generated key or counter). No two resources on the same generated key or counter). No two resources on the same
server SHOULD possess the same value. server SHOULD possess the same value.
global The value SHOULD be globally unique (e.g. an email global The value SHOULD be globally unique (e.g., an email
address, a GUID, or other value). No two resources on any address, a GUID, or other value). No two resources on any
server SHOULD possess the same value. server SHOULD possess the same value.
referenceTypes A multi-valued array of JSON strings that indicate referenceTypes A multi-valued array of JSON strings that indicate
the SCIM resource types that may be referenced. Valid values the SCIM resource types that may be referenced. Valid values
are: are:
+ A SCIM resource type (e.g. "User" or "Group"), + A SCIM resource type (e.g., "User" or "Group"),
+ "external" - indicating the resource is an external resource + "external" - indicating the resource is an external resource
(e.g. such as a photo), or (e.g., such as a photo), or
+ "uri" - indicating that the reference is to a service + "uri" - indicating that the reference is to a service
endpoint or an identifier (e.g. such as a schema urn). endpoint or an identifier (e.g., such as a schema urn).
This attribute is only applicable for attributes that are of This attribute is only applicable for attributes that are of
type "reference" (Section 2.2.7). type "reference" (Section 2.2.7).
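The attribute characteristics above are what a service provider enforces on every read and write: "returned" decides what leaves the server, "mutability" decides what a client may set, "caseExact" decides how values compare, and "uniqueness" decides when a value is rejected with 400 (Bad Request). The following is an added example, not code from the SCIM drafts: SCHEMA is a constructed subset of a User schema's "attributes" list in the shape of the Schema representation, "tenantKey" is a hypothetical attribute included only to show "immutable" handling, and the enforcement logic is this example's own reading of the keywords described above.

```python
"""Enforcing Schema attribute characteristics on a SCIM server.

Added example, not code from the SCIM drafts. SCHEMA is a constructed subset
of a User schema; "tenantKey" is a hypothetical attribute used only to show
"immutable" handling.
"""


def attr(name, type_="string", mutability="readWrite", returned="default",
         uniqueness="none", case_exact=False):
    """Build one entry of a Schema resource's "attributes" list."""
    return {"name": name, "type": type_, "multiValued": False,
            "mutability": mutability, "returned": returned,
            "uniqueness": uniqueness, "caseExact": case_exact}


SCHEMA = [  # constructed subset of a User schema
    attr("id", mutability="readOnly", returned="always", uniqueness="server", case_exact=True),
    attr("userName", uniqueness="server"),
    attr("displayName"),
    attr("password", mutability="writeOnly", returned="never"),
    attr("tenantKey", mutability="immutable", returned="request"),  # hypothetical
]
BY_NAME = {a["name"]: a for a in SCHEMA}


def values_equal(name, left, right):
    """Compare two values honouring the attribute's caseExact setting."""
    if not BY_NAME[name]["caseExact"] and isinstance(left, str) and isinstance(right, str):
        return left.lower() == right.lower()
    return left == right


def filter_response(resource, requested=None):
    """Apply the "returned" keyword to a resource about to be sent back.

    requested is the set of names from the "attributes" parameter, or None
    when the client did not send one.
    """
    out = {}
    for name, value in resource.items():
        policy = BY_NAME[name]["returned"]
        if policy == "always":
            out[name] = value
        elif policy == "never":
            continue  # e.g. a stored password hash is never echoed back
        elif policy == "default":
            if requested is None or name in requested:
                out[name] = value
        elif policy == "request":
            if requested is not None and name in requested:
                out[name] = value
    return out


def apply_write(existing, incoming):
    """Merge a client-supplied representation into the stored one.

    Returns (merged, ignored, errors): readOnly attributes are ignored and
    reported; immutable attributes may only be set on creation (existing is
    None) or repeated with the same value; readWrite and writeOnly are stored.
    """
    merged = dict(existing or {})
    ignored, errors = [], []
    for name, value in incoming.items():
        if name not in BY_NAME:
            errors.append(f"unknown attribute {name}")
            continue
        policy = BY_NAME[name]["mutability"]
        if policy == "readOnly":
            ignored.append(name)
        elif policy == "immutable" and name in merged and not values_equal(name, merged[name], value):
            errors.append(f"{name} is immutable")
        else:
            merged[name] = value
    return merged, ignored, errors


def uniqueness_conflicts(candidate, others):
    """Names of "server"/"global" unique attributes whose value already exists
    on another resource of this endpoint; the caller answers 400 (Bad Request)."""
    conflicts = []
    for name, value in candidate.items():
        if BY_NAME[name]["uniqueness"] == "none":
            continue
        for other in others:
            if other.get("id") != candidate.get("id") and name in other \
                    and values_equal(name, other[name], value):
                conflicts.append(name)
                break
    return conflicts
```

The comparison in uniqueness_conflicts goes through values_equal so that a "userName" whose schema says caseExact false is treated as taken whether the client sends "bjensen" or "BJENSEN"; enforcing uniqueness byte-for-byte on a case-insensitive attribute is a classic way to end up with two accounts that the login path then confuses.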
8. JSON Representation 8. JSON Representation
8.1. Minimal User Representation 8.1. Minimal User Representation
The following is a non-normative example of the minimal required SCIM The following is a non-normative example of the minimal required SCIM
representation in JSON format. representation in JSON format.
skipping to change at page 34, line 42 skipping to change at page 37, line 37
"version": "W\/\"3694e05e9dff592\"", "version": "W\/\"3694e05e9dff592\"",
"location": "location":
"https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a" "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a"
} }
} }
Figure 6: Example Group JSON Representation Figure 6: Example Group JSON Representation
8.5. Service Provider Configuration Representation 8.5. Service Provider Configuration Representation
The following is a non-normative example of the SCIM service provider The following is a non-normative example of the SCIM Service Provider
configuration representation in JSON format. configuration representation in JSON format.
{ {
"schemas": [ "schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
], ],
"documentationUrl":"http://example.com/help/scim.html", "documentationUrl":"http://example.com/help/scim.html",
"patch": { "patch": {
"supported":true "supported":true
}, },
skipping to change at page 36, line 47 skipping to change at page 39, line 47
"location":"https://example.com/v2/ResourceTypes/Group", "location":"https://example.com/v2/ResourceTypes/Group",
"resourceType": "ResourceType" "resourceType": "ResourceType"
} }
}] }]
Figure 8: Example Resource Type JSON Representation Figure 8: Example Resource Type JSON Representation
8.7. Schema Representation 8.7. Schema Representation
The following sections provide representations of schemas for both The following sections provide representations of schemas for both
SCIM resources and service provider schemas. Note that the JSON SCIM resources and Service Provider schemas. Note that the JSON
representation has been modified for readability and to fit the representation has been modified for readability and to fit the
specification format. specification format.
8.7.1. Resource Schema Representation 8.7.1. Resource Schema Representation
The following is intended as an example of the SCIM Schema The following is intended as an example of the SCIM Schema
representation in JSON format for SCIM resources. Where permitted representation in JSON format for SCIM resources. Where permitted
individual values and schema MAY change. Included but not limited individual values and schema MAY change. Included but not limited
to, are schemas for User, Group, and enterprise user. to, are schemas for User, Group, and enterprise user.
skipping to change at page 37, line 50 skipping to change at page 40, line 50
both. If both variants are returned, they SHOULD be describing the same both. If both variants are returned, they SHOULD be describing the same
name, with the formatted name indicating how the component attributes name, with the formatted name indicating how the component attributes
should be combined.", should be combined.",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "formatted", "name" : "formatted",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The full name, including all middle names, "description" : "The full name, including all middle names,
titles, and suffixes as appropriate, formatted for display (e.g. Ms. titles, and suffixes as appropriate, formatted for display (e.g., Ms.
Barbara J Jensen, III.).", Barbara J Jensen, III.).",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "familyName", "name" : "familyName",
"type" : "string", "type" : "string",
skipping to change at page 39, line 5 skipping to change at page 42, line 5
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "honorificPrefix", "name" : "honorificPrefix",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The honorific prefix(es) of the User, or "description" : "The honorific prefix(es) of the User, or
Title in most Western languages (e.g. Ms. given the full name Ms. Title in most Western languages (e.g., Ms. given the full name Ms.
Barbara J Jensen, III.).", Barbara J Jensen, III.).",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "honorificSuffix", "name" : "honorificSuffix",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The honorific suffix(es) of the User, or "description" : "The honorific suffix(es) of the User, or
Suffix in most Western languages (e.g. III. given the full name Ms. Suffix in most Western languages (e.g., III. given the full name Ms.
Barbara J Jensen, III.).", Barbara J Jensen, III.).",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
skipping to change at page 39, line 50 skipping to change at page 42, line 50
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "nickName", "name" : "nickName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The casual way to address the user in real "description" : "The casual way to address the user in real
life, e.g. 'Bob' or 'Bobby' instead of 'Robert'. This attribute life, e.g. 'Bob' or 'Bobby' instead of 'Robert'. This attribute
SHOULD NOT be used to represent a User's username (e.g. bjensen or SHOULD NOT be used to represent a User's username (e.g., bjensen or
mpepperidge)", mpepperidge)",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "profileUrl", "name" : "profileUrl",
"type" : "reference", "type" : "reference",
skipping to change at page 42, line 18 skipping to change at page 45, line 18
"caseExact" : false, "caseExact" : false,
"mutability" : "writeOnly", "mutability" : "writeOnly",
"returned" : "never", "returned" : "never",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "emails", "name" : "emails",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "E-mail addresses for the user. The value SHOULD "description" : "E-mail addresses for the user. The value SHOULD
be canonicalized by the Service Provider, e.g. bjensen@example.com be canonicalized by the Service Provider, e.g., bjensen@example.com
instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and
other.", other.",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "E-mail addresses for the user. The value "description" : "E-mail addresses for the user. The value
SHOULD be canonicalized by the Service Provider, e.g. SHOULD be canonicalized by the Service Provider, e.g.
skipping to change at page 43, line 23 skipping to change at page 46, line 23
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute, e.g. the preferred mailing preferred attribute value for this attribute, e.g., the preferred mailing
address or primary e-mail address. The primary attribute value 'true' address or primary e-mail address. The primary attribute value 'true'
MUST appear no more than once.", MUST appear no more than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "phoneNumbers", "name" : "phoneNumbers",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "Phone numbers for the User. The value SHOULD "description" : "Phone numbers for the User. The value SHOULD
be canonicalized by the Service Provider according to format in RFC3966 be canonicalized by the Service Provider according to format in RFC3966
e.g. 'tel:+1-201-555-0123'. Canonical Type values of work, home, e.g., 'tel:+1-201-555-0123'. Canonical Type values of work, home,
mobile, fax, pager and other.", mobile, fax, pager and other.",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Phone number of the User", "description" : "Phone number of the User",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
skipping to change at page 44, line 45 skipping to change at page 47, line 45
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute, e.g. the preferred phone preferred attribute value for this attribute, e.g., the preferred phone
number or primary phone number. The primary attribute value 'true' MUST number or primary phone number. The primary attribute value 'true' MUST
appear no more than once.", appear no more than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
skipping to change at page 46, line 17 skipping to change at page 49, line 17
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute, e.g. the preferred preferred attribute value for this attribute, e.g., the preferred
messenger or primary messenger. The primary attribute value 'true' MUST messenger or primary messenger. The primary attribute value 'true' MUST
appear no more than once.", appear no more than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
}, },
skipping to change at page 47, line 33 skipping to change at page 50, line 33
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary' or
preferred attribute value for this attribute, e.g. the preferred photo preferred attribute value for this attribute, e.g., the preferred photo
or thumbnail. The primary attribute value 'true' MUST appear no more or thumbnail. The primary attribute value 'true' MUST appear no more
than once.", than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
}, },
skipping to change at page 50, line 15 skipping to change at page 53, line 15
"description" : "A list of groups that the user belongs to, "description" : "A list of groups that the user belongs to,
either thorough direct membership, nested groups, or dynamically either thorough direct membership, nested groups, or dynamically
calculated", calculated",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The identifier of the User's group.", "description" : "The identifier of the User's group.",
"readOnly" : false,
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "reference", "type" : "reference",
"referenceTypes" : [ "referenceTypes" : [
"User", "User",
"Group" "Group"
], ],
"multiValued" : false, "multiValued" : false,
"description" : "The URI of the corresponding Group "description" : "The URI of the corresponding Group
resource to which the user belongs", resource to which the user belongs",
"readOnly" : false,
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable name, primarily used "description" : "A human readable name, primarily used
for display purposes. READ-ONLY.", for display purposes. READ-ONLY.",
"readOnly" : true,
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A label indicating the attribute's "description" : "A label indicating the attribute's
function; e.g., 'direct' or 'indirect'.", function; e.g., 'direct' or 'indirect'.",
"readOnly" : false,
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [ "canonicalValues" : [
"direct", "direct",
"indirect" "indirect"
], ],
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
skipping to change at page 59, line 30 skipping to change at page 62, line 25
"/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" "/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
} }
} }
] ]
Figure 9: Example JSON Representation for Resource Schema Figure 9: Example JSON Representation for Resource Schema
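The characteristics carried by the schema above (mutability, returned, the rule that "primary" is true at most once within a multi-valued attribute, and the SHOULD that e-mail values be canonicalized) are what a Service Provider has to enforce at its API boundary; the JSON only declares them. The following is an added example, not code from the draft or from any SCIM implementation, showing one way to drive that enforcement from a hand-written subset of the User schema. USER_SCHEMA, SchemaViolation, accept_write and render_response are names chosen here; the "canonicalize" key is an assumption of this example, not a characteristic the draft defines. It drops readOnly attributes supplied by a client and treats "immutable" attributes as settable only when the resource is created; both are simplifications made for the example.

```python
# Constructed subset of the core User schema (Figure 9 above): only the
# characteristics this example enforces.  "canonicalize" is an example-only
# hint, not a characteristic the draft defines.
USER_SCHEMA = {
    "id":           {"mutability": "readOnly",  "returned": "always"},
    "userName":     {"mutability": "readWrite", "returned": "default"},
    "password":     {"mutability": "writeOnly", "returned": "never"},
    "emails":       {"mutability": "readWrite", "returned": "default",
                     "multiValued": True, "canonicalize": "email"},
    "phoneNumbers": {"mutability": "readWrite", "returned": "default",
                     "multiValued": True},
    "groups":       {"mutability": "readOnly",  "returned": "default",
                     "multiValued": True},
}


class SchemaViolation(ValueError):
    """Raised when a client-supplied body violates a schema characteristic."""


def canonicalize_email(value):
    """Lower-case the domain part, so bjensen@EXAMPLE.COM and
    bjensen@example.com compare equal (the draft's own example).  The local
    part is left exactly as sent."""
    local, sep, domain = value.rpartition("@")
    if not sep or not local or not domain:
        raise SchemaViolation("not an e-mail address: %r" % value)
    return "%s@%s" % (local, domain.lower())


def accept_write(schema, payload, creating):
    """Filter a client body for a create (creating=True) or a full replace
    (creating=False).  Returns the attributes the server may store.

    readOnly attributes are dropped, never stored: that is what keeps a
    client from writing its own "groups" value.  Assumption for this
    example: immutable attributes may be set only when the resource is
    created."""
    stored = {}
    for name, value in payload.items():
        char = schema.get(name)
        if char is None:
            raise SchemaViolation("unknown attribute %r" % name)
        mut = char["mutability"]
        if mut == "readOnly":
            continue
        if mut == "immutable" and not creating:
            raise SchemaViolation("%r is immutable after creation" % name)
        if char.get("multiValued"):
            if not isinstance(value, list):
                raise SchemaViolation("%r must be a list" % name)
            # "The primary attribute value 'true' MUST appear no more than once."
            if sum(1 for v in value if v.get("primary") is True) > 1:
                raise SchemaViolation("%r: 'primary' is true more than once" % name)
            if char.get("canonicalize") == "email":
                value = [dict(v, value=canonicalize_email(v["value"])) for v in value]
        stored[name] = value
    return stored


def render_response(schema, stored, requested=()):
    """Apply the 'returned' characteristic before a resource leaves the
    server: 'never' attributes (password) are always stripped, 'request'
    attributes appear only when the client asked for them by name."""
    out = {}
    for name, value in stored.items():
        ret = schema[name]["returned"]
        if ret == "never" or (ret == "request" and name not in requested):
            continue
        out[name] = value
    return out
```

The same two functions sit in front of every write and every read; the schema, not the handler code, decides what a client may set and what it gets back, so adding an attribute is a schema change rather than a new special case.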
8.7.2. Service Provider Schema Representation 8.7.2. Service Provider Schema Representation
The following is a representation of the SCIM Schema for the fixed
service provider [draft-18: Service Provider] schemas:
ServiceProviderConfig, ResourceType, and Schema.
[ [
{ {
"id" : "id" :
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig", "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
"name" : "Service Provider Configuration", "name" : "Service Provider Configuration",
"description" : "Schema for representing the service provider's "description" : "Schema for representing the service provider's
configuration", configuration",
"attributes" : [ "attributes" : [
skipping to change at page 70, line 5 skipping to change at page 72, line 49
"readWrite", "readWrite",
"immutable", "immutable",
"writeOnly" "writeOnly"
] ]
}, },
{ {
"name" : "returned", "name" : "returned",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Indicates when an attribute is returned in "description" : "Indicates when an attribute is returned in
a response (e.g. to a query).", a response (e.g., to a query).",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none", "uniqueness" : "none",
"canonicalValues" : [ "canonicalValues" : [
"always", "always",
"never", "never",
"default", "default",
"request" "request"
skipping to change at page 70, line 40 skipping to change at page 73, line 36
"server", "server",
"global" "global"
] ]
}, },
{ {
"name" : "referenceTypes", "name" : "referenceTypes",
"type" : "string", "type" : "string",
"multiValued" : true, "multiValued" : true,
"description" : "Used only with an attribute of type "description" : "Used only with an attribute of type
'reference'. Specifies a SCIM resourceType that a 'reference'. Specifies a SCIM resourceType that a
reference attribute MAY refer to. E.g. User", reference attribute MAY refer to. e.g., User",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "subAttributes", "name" : "subAttributes",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
skipping to change at page 73, line 25 skipping to change at page 76, line 22
"readWrite", "readWrite",
"immutable", "immutable",
"writeOnly" "writeOnly"
] ]
}, },
{ {
"name" : "returned", "name" : "returned",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Indicates when an attribute is "description" : "Indicates when an attribute is
returned in a response (e.g. to a query).", returned in a response (e.g., to a query).",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none", "uniqueness" : "none",
"canonicalValues" : [ "canonicalValues" : [
"always", "always",
"never", "never",
"default", "default",
"request" "request"
skipping to change at page 74, line 4 skipping to change at page 76, line 49
"description" : "Indicates how unique a value must be.", "description" : "Indicates how unique a value must be.",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none", "uniqueness" : "none",
"canonicalValues" : [ "canonicalValues" : [
"none", "none",
"server", "server",
"global" "global"
] ]
}, },
{ {
"name" : "referenceTypes", "name" : "referenceTypes",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Used only with an attribute of type "description" : "Used only with an attribute of type
'reference'. Specifies a SCIM resourceType that a 'reference'. Specifies a SCIM resourceType that a
reference attribute MAY refer to. E.g. 'User'", reference attribute MAY refer to. e.g., 'User'",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
] ]
} }
] ]
} }
] ]
} }
] ]
Figure 10: Representation of Fixed ServiceProvider Endpoint Schemas Figure 10: Representation of Fixed ServiceProvider Endpoint Schemas
9. Security Considerations

[draft-17 only; Sections 9.1 and 9.2 are dropped in draft-18]

9.1. Protocol

SCIM data is intended to be exchanged using SCIM Protocol. It is
important when handling data to implement the security considerations
outlined in Section 7 of [I-D.ietf-scim-api].

9.2. Password and Other Sensitive Security Data

Passwords and other attributes related to security credentials are of
extreme sensitive nature and require special handling when
transmitted or stored. See Sections 7.5 and 7.6 of
[I-D.ietf-scim-api] regarding guidelines on how to store and compare
password values.

9.3. Privacy

[draft-17]
The SCIM Core schema defines attributes that MAY contain personally
identifiable information as well as other sensitive data. Aside from
prohibiting password values in a SCIM response this specification
does not provide any means or guarantee of confidentiality.

[draft-18, as the opening paragraph of Section 9]
The SCIM Core schema defines attributes that MAY contain personally
identifying information as well as other sensitive data. These
privacy considerations should be considered for extensions as well as
the schema defined in this specification

[both]
In particular, attributes such as "id" and "externalId" are of
particular concern as personally identifiable information that
uniquely map to Users (because they are URIs). Where possible, it is
suggested that service providers take the following remediations:

o Assign and bind identifiers to specific tenants and/or clients.
When mulitple [draft-18: multiple] tenants are able to reference the
same resource, they should do so via separate identifiers (id or
externalId). This ensures that separate domains linked to the same
information can not perform identifier correlation.

o In the case of "externalId", if multiple values are supported, use
access control to restrict access to the client [draft-18: Client]
domain that assigned the "externalId" value.

o Ensure that access to data is appropriately restricted to
authorized parties with a need-to-know.

o When persisted, the appropriate protection mechanisms are in place
to restrict access by unauthorized parties including
administrators or parties with access to backup data.

[draft-17]
It is important to note that these considerations are intentionally
general in nature. Considerations relative to the access protocol
are out of scope of the core-schema document and are addressed in
other SCIM specifications.

[draft-18]
Clients and Service Providers should take into consideration that
personal information is being conveyed across technical (e.g.,
protocol and applications), administrative (e.g. organizational,
corporate), and jurisdictional boundaries. In particular information
security and privacy must be considered.
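The first two remediations above (identifiers bound to a tenant, so that two tenants referencing the same resource cannot correlate it, and an "externalId" visible only to the client domain that assigned it) can be implemented in the identifier layer without touching the schema. The following is an added example, not from the draft or from any SCIM product; the class name, the per-tenant HMAC key and the in-memory lookup tables are assumptions made for the example.

```python
import hmac
import hashlib
import secrets


class TenantScopedIds:
    """Issue a different, stable, opaque SCIM 'id' for the same internal
    resource to each tenant, and keep 'externalId' values visible only to
    the client domain that assigned them.

    Assumptions for this example: one random 256-bit HMAC key per tenant
    held by the server, and in-memory dictionaries standing in for the
    resource database.  The internal identifier is never sent to a tenant."""

    def __init__(self):
        self._tenant_keys = {}   # tenant -> secret key
        self._reverse = {}       # (tenant, scim id) -> internal id
        self._external = {}      # (client domain, internal id) -> externalId

    def _key(self, tenant):
        if tenant not in self._tenant_keys:
            self._tenant_keys[tenant] = secrets.token_bytes(32)
        return self._tenant_keys[tenant]

    def scim_id_for(self, tenant, internal_id):
        """Value for the 'id' attribute as seen by this tenant.  HMAC is
        deterministic, so repeated calls return the same id; a different
        tenant key gives an unrelated id for the same resource, and
        without the key no tenant can link the two."""
        tag = hmac.new(self._key(tenant), internal_id.encode("utf-8"),
                       hashlib.sha256).hexdigest()[:32]
        self._reverse[(tenant, tag)] = internal_id
        return tag

    def resolve(self, tenant, scim_id):
        """Internal id behind a SCIM id, or None.  An id copied out of
        another tenant's responses does not resolve here."""
        return self._reverse.get((tenant, scim_id))

    def set_external_id(self, client_domain, internal_id, external_id):
        """Record the externalId the named client domain assigned."""
        self._external[(client_domain, internal_id)] = external_id

    def get_external_id(self, client_domain, internal_id):
        """Only the assigning client domain gets its externalId back."""
        return self._external.get((client_domain, internal_id))
```

The binding lives in the key, not in the lookup table: tenant keys belong in the server's key store and the reverse map in the resource database, and the last bullet above (protection of persisted data, including backups) applies to both, since the keys are what make cross-tenant correlation infeasible.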
10. IANA Considerations

10.1. New Registration of SCIM URN Sub-namespace
[draft-18: 10.1. Registration of SCIM URN Sub-namespace & SCIM Registry]

[draft-17]
IANA has created a registry for new IETF URN sub-namespaces,
"urn:ietf:params:scim:", per [RFC3553]. The registration request is
as follows:

Per [RFC3553], IANA has registered a new URN sub-namespace,
"urn:ietf:params:scim".

o Registry name: scim

[draft-18]
IANA is requested to add an entry to the 'IETF URN Sub-namespace for
Registered Protocol Parameter Identifiers' registry and create a
sub-namespace for the Registered Parameter Identifier as per
[RFC3553]: "urn:ietf:params:scim".

To manage this sub-namespace, IANA is requested to create the "SCIM"
Registry which shall be used to manage entries within the
"urn:ietf:params:scim" namespace. The registry description is as
follows:

o Registry name: SCIM

[both]
o Specification: [this document]
o Repository: [see Section 10.2]
o Index value: values [see Section 10.2]

10.2. URN Sub-Namespace for SCIM

SCIM schemas and SCIM messages utilize URIs to identify the schema in
skipping to change at page 76, line 30 skipping to change at page 79, line 48
urn:ietf:params:scim:{type}:{name}{:other}

The keywords have the following meaning:

type
The entity type which is either "schemas" or "api".

name
A required US-ASCII string that conforms to the URN syntax
requirements (see [RFC2141] ) and defines a major namespace of
a schema used within SCIM (e.g. "core" in the case of SCIM Core
Schema) [draft-18: (e.g., "core", which is reserved for SCIM
specifications)]. The value MAY also be an industry name or
organization name.

other
Any US-ASCII string that conforms to the URN syntax
requirements (see [RFC2141] ) and defines the sub-namespace
(which MAY be further broken down in namespaces delimited by
colons) as needed to uniquely identify a schema.

Relevant Ancillary Documentation:
None
skipping to change at page 77, line 20 skipping to change at page 80, line 35
As the SCIM specifications are updated and the SCIM protocol
version is adjusted, a new registration will be made when
significant changes are made. Example,
"urn:ietf:params:scim:schemas:core:1.0 (externally defined, not
previously registered)" and
"urn:ietf:params:scim:schemas:core:2.0".

Process of Identifier Assignment:
Identifiers with namespace type "schema" (e.g.,
"urn:ietf:params:scim:schemas" ) are assigned after the review of
the assigned contact via the SCIM public mailing list,
"scim@ietf.org" as documented in Section 10.3.

[draft-17]
Namespaces with type "api" (e.g. "urn:ietf:params:scim:api" ) are
reserved for IETF approved SCIM specifications. Namespaces with
type "param" are reserved for future use.

[draft-18]
Namespaces with type "api" (e.g., "urn:ietf:params:scim:api") and
"param" (e.g., "urn:ietf:params:scim:param" ) are reserved for
IETF approved SCIM specifications.

Process of Identifier Resolution:
The namespace is not currently listed with a Resolution Discovery
System (RDS), but nothing about the namespace prohibits the future
definition of appropriate resolution methods or listing with an
RDS.

Rules for Lexical Equivalence:
skipping to change at page 78, line 5 skipping to change at page 81, line 20
No special considerations.

Validation Mechanism:
None specified.

Scope:
Global.

[draft-17 only]
10.2.2. Pre-Registered SCIM Schema Identifiers

The following SCIM Identifiers are defined:

urn:ietf:params:scim:schemas:core:2.0
SCIM Core Schema as specified in Section 4 and Section 10.4.

urn:ietf:params:scim:schemas:extension:enterprise:2.0
Enterprise schema extensions as defined in Section 4.3 and
Section 10.4.
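The urn:ietf:params:scim:{type}:{name}{:other} layout of Section 10.2, with "schemas:core", "api" and "param" reserved for IETF SCIM specifications, is simple to check mechanically, and a Service Provider that accepts resources from clients has a reason to: a value in the "schemas" attribute that claims a core or api namespace the server does not know should be refused rather than stored as an opaque extension carrying arbitrary attributes. The following is an added example, not from the draft; the KNOWN_SCHEMAS set, the function names, and the choice to reject unknown reserved URNs while only reporting unknown vendor extensions are decisions made for this example. The character check is a simplified reading of the RFC 2141 rules for the namespace-specific string, and the case handling follows RFC 2141 (the "urn:" prefix and the "ietf" NID compare case-insensitively); the draft itself states no special lexical-equivalence rules.

```python
import re

# Characters RFC 2141 allows in a namespace-specific string: letters,
# digits, the listed punctuation, and %-encoded octets (simplified: the
# two hex digits after '%' are not verified here).
_NSS_RE = re.compile(r"^[A-Za-z0-9()+,\-.:=@;$_!*'%]*$")

# (type, name) pairs reserved for IETF SCIM specifications per Section 10.2
# of draft-18; None as the name means the whole type is reserved.
_RESERVED = {("schemas", "core"), ("api", None), ("param", None)}

# Schema URIs this example treats as known.  In a real Service Provider this
# is the set it advertises under /Schemas; here it is hard-coded.
KNOWN_SCHEMAS = {
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:core:2.0:Group",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
}


def parse_scim_urn(urn):
    """Split a SCIM URN into (type, name, other).  'urn' and 'ietf' compare
    case-insensitively (RFC 2141); everything after 'params:scim:' is
    compared exactly.  'name' is required by Section 10.2, 'other' is not."""
    parts = urn.split(":")
    if (len(parts) < 6 or parts[0].lower() != "urn"
            or parts[1].lower() != "ietf"
            or parts[2] != "params" or parts[3] != "scim"):
        raise ValueError("not a SCIM URN: %r" % urn)
    rest = parts[4:]
    if any(p == "" for p in rest) or not _NSS_RE.match(":".join(rest)):
        raise ValueError("invalid URN characters: %r" % urn)
    urn_type, name = rest[0], rest[1]
    other = ":".join(rest[2:]) or None
    return urn_type, name, other


def is_ietf_reserved(urn):
    """True if the URN lies in a namespace that only an RFC may populate."""
    urn_type, name, _ = parse_scim_urn(urn)
    return (urn_type, name) in _RESERVED or (urn_type, None) in _RESERVED


def check_resource_schemas(schemas, known=KNOWN_SCHEMAS):
    """Validate the 'schemas' attribute of an incoming resource.  Every
    entry must parse; an entry in an IETF-reserved namespace that the server
    does not recognise is an error.  Unknown URNs outside the reserved
    namespaces (vendor extensions) are returned to the caller to decide on."""
    unknown = []
    for s in schemas:
        parse_scim_urn(s)
        if s in known:
            continue
        if is_ietf_reserved(s):
            raise ValueError("unknown core/api schema %r" % s)
        unknown.append(s)
    return unknown
```

Returning the unknown vendor extensions rather than rejecting them leaves the policy to the caller: a provisioning endpoint that only stores what it has a schema for would drop them, while a pass-through connector might forward them as-is.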
10.3. Registering SCIM Schemas

This section defines the process for registering new SCIM schemas
with IANA [draft-18: with IANA in the "SCIM" registry (see Section
10.1)]. A schema URI is used as a value in the schemas attribute
(Section 3) for the purpose of distinguishing extensions used in a
SCIM resource.
10.3.1. Registration Procedure

The IETF has created a mailing list, scim@ietf.org, which can be used
for public discussion of SCIM schema proposals prior to registration.
Use of the mailing list is strongly encouraged. The IESG has
appointed a designated expert who will monitor the scim@ietf.org
mailing list and review registrations.

[draft-17]
Registration of new schemas MUST be reviewed by the designated expert
and published in an RFC. A Standards Track RFC is REQUIRED for the
registration of new value data types that modify existing properties.
A Standards Track RFC is also REQUIRED for registration of SCIM
schema URIs that modify SCIM schema previously documented in a
Standards Track RFC.

[draft-18]
Registration of new "core" (e.g. in the namespace
"urn:ietf:params:scim:schemas:core") and "API" schemas (e.g., in the
namespace "urn:ietf:params:scim:api") MUST be reviewed by the
designated expert and published in an RFC. An RFC is REQUIRED for
the registration of new value data types that modify existing
properties. An RFC is also REQUIRED for registration of SCIM schema
URIs that modify SCIM schema previously documented in a existing RFC.

URN's within the "urn:ietf:params:scim", but outside the above
namespaces MAY be registered with a simple review (e.g. check for
SPAM) by the designated expert on a first-come-first-served basis.

[both]
The registration procedure begins when a completed registration
template, defined in the sections below, is sent to scim@ietf.org and
iana@iana.org. Within two weeks, the designated expert is expected
to tell IANA and the submitter of the registration whether the
registration is approved, approved with minor changes, or rejected
with cause. When a registration is rejected with cause, it can be
re-submitted if the concerns listed in the cause are addressed.
Decisions made by the designated expert can be appealed to the IESG
Applications Area Director, then to the IESG. They follow the normal
appeals procedure for IESG decisions.

Once the registration procedure concludes successfully, IANA creates
or modifies the corresponding record in the SCIM schema registry.
The completed registration template is discarded.

An RFC specifying new schema URI MUST include the completed
registration templates, which MAY be expanded with additional
skipping to change at page 79, line 21 skipping to change at page 82, line 25
information. These completed templates are intended to go in the
body of the document, not in the IANA Considerations section. The
RFC SHOULD include any attributes defined.

10.3.2. Schema Registration Template

A SCIM schema URI is defined by completing the following template:

Schema URI: Schema URI: A unique URI for the SCIM schema extension.

Schema Name: A descriptive name of the schema extension (e.g.,
Generic Device)

Intended or Associated Resource Type: A value defining the resource
type (e.g., "Device").

Purpose: A description of the purpose of the extension and/or its
intended use.

Single-value Attributes: A list and description of single-valued
attributes defined including complex attributes.

Multi-valued Attributes: A list and description of multi-valued
attributes defined including complex attributes.
10.4. Initial SCIM Schema Registry

[draft-17]
The IANA has created and will maintain the following registries for
SCIM schema URIs with pointers to appropriate reference documents.
Note: the Schema URI broken into two lines for readability.

[draft-18]
The IANA is requested to populate the "SCIM" registry with the
following registries for SCIM schema URIs with pointers to
appropriate reference documents. Note: the Schema URI broken into
two lines for readability.
+-----------------------------------+-----------------+-------------+
| Schema URI                        | Name            | Reference   |
+-----------------------------------+-----------------+-------------+
| urn:ietf:params:scim:schemas:     | User Resource   | See Section |
| core:2.0:User                     |                 | 4.1         |
| urn:ietf:params:scim:schemas:     | Enterprise User | See Section |
| extension:enterprise:2.0:User     | Extension       | 4.3         |
| urn:ietf:params:scim:schemas:     | Group Resource  | See Section |
| core:2.0:Group                    |                 | 4.2         |
skipping to change at page 80, line 37 skipping to change at page 83, line 37
| core:2.0:Schema                   | Definitions       | Section 7 |
|                                   | Schema            |           |
+-----------------------------------+-------------------+-----------+

SCIM Server Related Schema URIs
11. References

11.1. Normative References

[draft-17 only]
[I-D.ietf-scim-api]
Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C.
Mortimore, "System for Cross-Domain Identity Management:
Protocol", draft-ietf-scim-api-16 (work in progress),
March 2015.

[both]
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997.

[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
IETF URN Sub-namespace for Registered Protocol
Parameters", BCP 73, RFC 3553, June 2003.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
skipping to change at page 81, line 38 skipping to change at page 84, line 44
[RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the
Time Zone Database", BCP 175, RFC 6557, February 2012. Time Zone Database", BCP 175, RFC 6557, February 2012.
[RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, March 2014. Interchange Format", RFC 7159, March 2014.
[RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol [RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
(HTTP/1.1): Semantics and Content", RFC 7231, June 2014. (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.
[RFC7232] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
(HTTP/1.1): Conditional Requests", RFC 7232, June 2014.
11.2. Informative References 11.2. Informative References
[ISO3166] "ISO 3166:1988 (E/F) - Codes for the representation of [ISO3166] "ISO 3166:1988 (E/F) - Codes for the representation of
names of countries - The International Organization for names of countries - The International Organization for
Standardization, 3rd edition", 08 1988. Standardization, 3rd edition", 08 1988.
[Olson-TZ] [Olson-TZ]
"Sources for Time Zone and Daylight Saving Time Data", . Internet Assigned Numbers Authority, "IANA Time Zone
Database".
[PortableContacts] [PortableContacts]
Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only", Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only",
August 2008. August 2008.
[RFC2277] Alvestrand, H., "IETF Policy on Character Sets and [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
Languages", BCP 18, RFC 2277, January 1998. Languages", BCP 18, RFC 2277, January 1998.
[RFC4511] Sermersheim, J., "Lightweight Directory Access Protocol
(LDAP): The Protocol", RFC 4511, June 2006.
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol [RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Directory Information Models", RFC 4512, June (LDAP): Directory Information Models", RFC 4512, June
2006. 2006.
[RFC6350] Perreault, S., "vCard Format Specification", RFC 6350,
August 2011.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
6749, October 2012. 6749, October 2012.
[XML-Schema] [XML-Schema]
Peterson, D., Gao, S., Malhotra, A., Sperberg-McQueen, C., Peterson, D., Gao, S., Malhotra, A., Sperberg-McQueen, C.,
and H. Thompson, "XML Schema Definition Language (XSD) 1.1 and H. Thompson, "XML Schema Definition Language (XSD) 1.1
Part 2: Datatypes", April 2012. Part 2: Datatypes", April 2012.
Appendix A. Acknowledgements Appendix A. Acknowledgements
skipping to change at page 83, line 21 skipping to change at page 86, line 36
Draft 03 - PH - Revisions based on following tickets: Draft 03 - PH - Revisions based on following tickets:
09 - Attribute uniqueness 09 - Attribute uniqueness
10 - Returnability of attributes 10 - Returnability of attributes
35 - Attribute mutability (replaces readOnly) 35 - Attribute mutability (replaces readOnly)
52 - Minor textual changes 52 - Minor textual changes
53 - Standard use of term client (some was consumer) 53 - Standard use of term Client (some was consumer)
56 - Make manager attribute consistent with other $ref attrs 56 - Make manager attribute consistent with other $ref attrs
58 - Add optional id to ResourceType objects for consistency 58 - Add optional id to ResourceType objects for consistency
59 - Fix capitalization per IETF editor practices 59 - Fix capitalization per IETF editor practices
60 - Changed <eref> tags to normal <xref> and <reference> tags 60 - Changed <eref> tags to normal <xref> and <reference> tags
Draft 04 - PH - Revisions based on the following tickets: Draft 04 - PH - Revisions based on the following tickets:
skipping to change at page 84, line 18 skipping to change at page 87, line 34
Draft 06 - PH - Revisions based on the following tickets Draft 06 - PH - Revisions based on the following tickets
63 - Corrected enterprise user URI in 14.2 and section 7, URI 63 - Corrected enterprise user URI in 14.2 and section 7, URI
namespace changes due to ticket #41 namespace changes due to ticket #41
66 - Updated reference to final HTTP/1.1 drafts (RFC 7230) 66 - Updated reference to final HTTP/1.1 drafts (RFC 7230)
41 - Add IANA considerations 41 - Add IANA considerations
- Removed redundant text (e.g. SAML binding, replaced REST with - Removed redundant text (e.g., SAML binding, replaced REST with
HTTP) HTTP)
- Reordered introduction, definitions and notation sections to - Reordered introduction, definitions and notation sections to
follow typical format follow typical format
- meta.attributes removed due to new PURGE command in draft 04 (no - meta.attributes removed due to new PURGE command in draft 04 (no
longer used) longer used)
Draft 07 - PH - Edits and revisions Draft 07 - PH - Edits and revisions
skipping to change at page 85, line 19 skipping to change at page 88, line 34
Added clarifications and security considerations for externalId Added clarifications and security considerations for externalId
Re-worded descriptions of SCIM schema extension model (sec 3) and Re-worded descriptions of SCIM schema extension model (sec 3) and
core schema (sec 4) for improved clarity core schema (sec 4) for improved clarity
Draft 11 - PH - Clarification to definition of externalId Draft 11 - PH - Clarification to definition of externalId
Draft 12 - PH - Nits / Corrections Draft 12 - PH - Nits / Corrections
Corrected use of RFC2119 words (e.g. MUST not to MUST NOT) Corrected use of RFC2119 words (e.g., MUST not to MUST NOT)
Corrected JSON examples to be 72 characters or less per line Corrected JSON examples to be 72 characters or less per line
Corrected enterprise User manager attribute to use sub-attribute Corrected enterprise User manager attribute to use sub-attribute
value and make multi-valued value and make multi-valued
Corrected sec 8.7, make members multi-valued in JSON Corrected sec 8.7, make members multi-valued in JSON
Added missing definition for subattributes in sec 7, Schema Added missing definition for subattributes in sec 7, Schema
Definition Definition
skipping to change at page 86, line 20 skipping to change at page 89, line 37
Clarified binary attribute may be base 64 or base 64 url encoding Clarified binary attribute may be base 64 or base 64 url encoding
per RFC4648. x509certificates are now base64 encoded. per RFC4648. x509certificates are now base64 encoded.
Clarified x509certificates values are DER certificates that are Clarified x509certificates values are DER certificates that are
then base64 encoded then base64 encoded
Corrected "reference" attribute to use the "referenceTypes" meta- Corrected "reference" attribute to use the "referenceTypes" meta-
attribute that says what type of reference an attribute is. attribute that says what type of reference an attribute is.
Draft 18 - PH - Comments from GenART and IANA review
General Edits and Nits after Gen-ART and IANA review
Add references to SCIM API protocol document where appropriate
Added clarifications and privacy considerations to security
considerations
Clarified IANA section to create new "SCIM" registry
Removed out-of-date "readOnly" attribute from Group schema
(replaced a long time ago by "mutability").
Authors' Addresses Authors' Addresses
Phil Hunt (editor) Phil Hunt (editor)
Oracle Corporation Oracle Corporation
Email: phil.hunt@yahoo.com Email: phil.hunt@yahoo.com
Kelly Grizzle Kelly Grizzle
SailPoint SailPoint
 End of changes. 161 change blocks. 
363 lines changed or deleted 497 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/