draft-ietf-scim-core-schema-19.txt   draft-ietf-scim-core-schema-20.txt 
Network Working Group P. Hunt, Ed. Network Working Group P. Hunt, Ed.
Internet-Draft Oracle Internet-Draft Oracle
Intended status: Standards Track K. Grizzle Intended status: Standards Track K. Grizzle
Expires: November 12, 2015 SailPoint Expires: November 13, 2015 SailPoint
E. Wahlstroem E. Wahlstroem
Nexus Technology Nexus Technology
C. Mortimore C. Mortimore
Salesforce Salesforce
May 11, 2015 May 12, 2015
System for Cross-Domain Identity Management: Core Schema System for Cross-Domain Identity Management: Core Schema
draft-ietf-scim-core-schema-19 draft-ietf-scim-core-schema-20
Abstract Abstract
The System for Cross-Domain Identity Management (SCIM) specifications The System for Cross-Domain Identity Management (SCIM) specifications
are designed to make identity management in cloud based applications are designed to make identity management in cloud based applications
and services easier. The specification suite builds upon experience and services easier. The specification suite builds upon experience
with existing schemas and deployments, placing specific emphasis on with existing schemas and deployments, placing specific emphasis on
simplicity of development and integration, while applying existing simplicity of development and integration, while applying existing
authentication, authorization, and privacy models. Its intent is to authentication, authorization, and privacy models. Its intent is to
reduce the cost and complexity of user management operations by reduce the cost and complexity of user management operations by
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 12, 2015. This Internet-Draft will expire on November 13, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Notation and Conventions . . . . . . . . . . 4 1.1. Requirements Notation and Conventions . . . . . . . . . . 4
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 5
2. SCIM Schema . . . . . . . . . . . . . . . . . . . . . . . . . 6 2. SCIM Schema . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. Attributes . . . . . . . . . . . . . . . . . . . . . . . 6 2.1. Attributes . . . . . . . . . . . . . . . . . . . . . . . 7
2.2. Attribute Characteristics . . . . . . . . . . . . . . . . 7 2.2. Attribute Characteristics . . . . . . . . . . . . . . . . 7
2.3. Attribute Data Types . . . . . . . . . . . . . . . . . . 8 2.3. Attribute Data Types . . . . . . . . . . . . . . . . . . 8
2.3.1. String . . . . . . . . . . . . . . . . . . . . . . . 8 2.3.1. String . . . . . . . . . . . . . . . . . . . . . . . 8
2.3.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 8 2.3.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 8
2.3.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 8 2.3.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 9
2.3.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 9 2.3.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 9
2.3.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 9 2.3.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 9
2.3.6. Binary . . . . . . . . . . . . . . . . . . . . . . . 9 2.3.6. Binary . . . . . . . . . . . . . . . . . . . . . . . 9
2.3.7. Reference . . . . . . . . . . . . . . . . . . . . . . 9 2.3.7. Reference . . . . . . . . . . . . . . . . . . . . . . 9
2.3.8. Complex . . . . . . . . . . . . . . . . . . . . . . . 10 2.3.8. Complex . . . . . . . . . . . . . . . . . . . . . . . 10
2.4. Multi-valued Attributes . . . . . . . . . . . . . . . . . 10 2.4. Multi-valued Attributes . . . . . . . . . . . . . . . . . 10
2.5. Unassigned and Null Values . . . . . . . . . . . . . . . 11 2.5. Unassigned and Null Values . . . . . . . . . . . . . . . 12
3. SCIM Resources . . . . . . . . . . . . . . . . . . . . . . . 12 3. SCIM Resources . . . . . . . . . . . . . . . . . . . . . . . 12
3.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 15 3.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 15
3.2. Defining New Resource Types . . . . . . . . . . . . . . . 17 3.2. Defining New Resource Types . . . . . . . . . . . . . . . 17
3.3. Attribute Extensions to Resources . . . . . . . . . . . . 17 3.3. Attribute Extensions to Resources . . . . . . . . . . . . 17
4. SCIM Core Resources and Extensions . . . . . . . . . . . . . 17 4. SCIM Core Resources and Extensions . . . . . . . . . . . . . 17
4.1. User Resource Schema . . . . . . . . . . . . . . . . . . 17 4.1. User Resource Schema . . . . . . . . . . . . . . . . . . 17
4.1.1. Singular Attributes . . . . . . . . . . . . . . . . . 18 4.1.1. Singular Attributes . . . . . . . . . . . . . . . . . 18
4.1.2. Multi-valued Attributes . . . . . . . . . . . . . . . 21 4.1.2. Multi-valued Attributes . . . . . . . . . . . . . . . 21
4.2. Group Resource Schema . . . . . . . . . . . . . . . . . . 24 4.2. Group Resource Schema . . . . . . . . . . . . . . . . . . 24
4.3. Enterprise User Schema Extension . . . . . . . . . . . . 24 4.3. Enterprise User Schema Extension . . . . . . . . . . . . 24
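Review bot: the one-page shift in the right-hand Table of Contents (1.2 Definitions 4 to 5, 2.1 Attributes 6 to 7, 2.3.3 Decimal 8 to 9, 2.5 Unassigned and Null Values 11 to 12) is consistent with a single-paragraph insertion in Section 1, and the header date (May 11 to May 12, 2015) and expiry (November 12 to November 13, 2015) are bumped together; nothing to change in this region.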
skipping to change at page 4, line 20 skipping to change at page 4, line 20
SCIM protocol is an application-level protocol for provisioning and SCIM protocol is an application-level protocol for provisioning and
managing identity data specified through SCIM schemas. The protocol managing identity data specified through SCIM schemas. The protocol
supports creation, modification, retrieval, and discovery of core supports creation, modification, retrieval, and discovery of core
identity resources such as Users and Groups, using a subset of the identity resources such as Users and Groups, using a subset of the
HTTP methods (GET for retrieval of resources, POST for creation, HTTP methods (GET for retrieval of resources, POST for creation,
searching and bulk modification, PUT for attribute replacement within searching and bulk modification, PUT for attribute replacement within
resources, PATCH for partial update of attributes, and DELETE for resources, PATCH for partial update of attributes, and DELETE for
removing resources). removing resources).
While the SCIM protocol and core schema specifications are intended
to cover point-to-point scenarios, implementers and deployers should
consider multi-hop and multi-party scenarios such as a service
provider acting as a general profile service for in-domain
applications; as well as, scenarios where a service provider in turn
passes information to a 3rd party service provider either by acting
as a SCIM client or as a SCIM service provider. Implementers and
deployers should consider carefully their service level agreements
and privacy agreements when distributing or propagating personal
information (see also Privacy Considerations, Section 9.3).
This document provides a JSON based schema and extension model for This document provides a JSON based schema and extension model for
representing users and groups, as well as service provider representing users and groups, as well as service provider
configuration. This schema is intended for exchange and use with configuration. This schema is intended for exchange and use with
cloud service providers and other cross-domain scenarios. cloud service providers and other cross-domain scenarios.
1.1. Requirements Notation and Conventions 1.1. Requirements Notation and Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Throughout this document, values are quoted to indicate that they are Throughout this document, values are quoted to indicate that they are
to be taken literally. When using these values in protocol messages, to be taken literally. When using these values in protocol messages,
the quotes MUST NOT be used as part of the value. the quotes MUST NOT be used as part of the value.
Throughout this documents all figures MAY contain spaces and extra Throughout this document all figures MAY contain spaces and extra
line-wrapping for readability and space reasons. Similarly, some line-wrapping for readability and space reasons. Similarly, some
URI's contained within examples, have been shortened for space and URI's contained within examples, have been shortened for space and
readability reasons. readability reasons.
1.2. Definitions 1.2. Definitions
Service Provider Service Provider
An HTTP web application that provides identity information via the An HTTP web application that provides identity information via the
SCIM protocol. SCIM protocol.
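Review bot: the new multi-hop paragraph has a misplaced comma in "as well as, scenarios where a service provider in turn passes information to a 3rd party service provider"; drop the comma after "as well as" and spell out "third-party". The same paragraph gives guidance on propagating personal information to third parties in lowercase ("should consider carefully their service level agreements and privacy agreements"), while Section 1.1 immediately below defines the RFC 2119 keywords; if the intent is normative, write SHOULD, otherwise keep the lowercase but be aware it carries no requirement. The forward reference to "Privacy Considerations, Section 9.3" cannot be checked against the TOC excerpt on this page, which stops at Section 4.3, so confirm it resolves to the right subsection. The fix of "Throughout this documents" to "Throughout this document" is correct, but "URI's contained within examples, have been shortened" in the next paragraph is left untouched in both columns; it should read "URIs contained within examples have been shortened".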
skipping to change at page 86, line 27 skipping to change at page 86, line 27
SCIM Server Related Schema URIs SCIM Server Related Schema URIs
11. References 11. References
11.1. Normative References 11.1. Normative References
[I-D.ietf-scim-api] [I-D.ietf-scim-api]
Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C. Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C.
Mortimore, "System for Cross-Domain Identity Management: Mortimore, "System for Cross-Domain Identity Management:
Protocol", draft-ietf-scim-api-17 (work in progress), Protocol", draft-ietf-scim-api-18 (work in progress), May
April 2015. 2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997.
[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An [RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
IETF URN Sub-namespace for Registered Protocol IETF URN Sub-namespace for Registered Protocol
Parameters", BCP 73, RFC 3553, June 2003. Parameters", BCP 73, RFC 3553, June 2003.
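Review bot: the normative reference is bumped from draft-ietf-scim-api-17 (April 2015) to draft-ietf-scim-api-18 (May 2015); since the Draft 19 change log says references to SCIM Protocol sections were updated, the section numbers cited into the protocol draft should be re-checked against -18 so the cross-references do not drift with the bump. The RFC2119, RFC2141 and RFC3553 entries are unchanged, which is expected.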
skipping to change at page 93, line 7 skipping to change at page 93, line 7
Clarified statements about sensitive and PII data Clarified statements about sensitive and PII data
Updated references to SCIM Protocol sections Updated references to SCIM Protocol sections
Made capitalization of 'client' and 'service provider' terms Made capitalization of 'client' and 'service provider' terms
consistent (lower case) consistent (lower case)
Corrected schema and examples to have singluar value for manager Corrected schema and examples to have singluar value for manager
attribute attribute
Draft 20 - PH - Additional clarification on multi-hop/3rd party, and
small nit in section 1.1
Authors' Addresses Authors' Addresses
Phil Hunt (editor) Phil Hunt (editor)
Oracle Corporation Oracle Corporation
Email: phil.hunt@yahoo.com Email: phil.hunt@yahoo.com
Kelly Grizzle Kelly Grizzle
SailPoint SailPoint
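Review bot: "singluar" in the Draft 19 change-log line ("Corrected schema and examples to have singluar value for manager attribute") is misspelled in both columns; fix to "singular". The new Draft 20 entry ("Additional clarification on multi-hop/3rd party, and small nit in section 1.1") matches the visible changes, the added paragraph in Section 1 and the "documents" to "document" fix in Section 1.1, but it omits the normative reference bump to draft-ietf-scim-api-18; add that so the change log is complete.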
 End of changes. 12 change blocks. 
11 lines changed or deleted 25 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/