draft-ietf-scim-core-schema-20.txt vs. draft-ietf-scim-core-schema-21.txt

Text below is the -21 version. Where -20 differed, the -20 wording follows in square brackets as [-20: ...]; a paragraph rewritten between the two versions is shown in full under "-20:" and "-21:"; text present only in -21 is marked [new in -21]. "skipping to change at ..." lines stand for unchanged text the diff omits.

Network Working Group                                      P. Hunt, Ed.
Internet-Draft                                                   Oracle
Intended status: Standards Track                             K. Grizzle
Expires: November 19, 2015 [-20: November 13, 2015]           SailPoint
                                                          E. Wahlstroem
                                                       Nexus Technology
                                                           C. Mortimore
                                                             Salesforce
                                      May 18, 2015 [-20: May 12, 2015]

        System for Cross-Domain Identity Management: Core Schema
      draft-ietf-scim-core-schema-21 [-20: draft-ietf-scim-core-schema-20]
Abstract

   The System for Cross-Domain Identity Management (SCIM) specifications
   are designed to make identity management in cloud based applications
   and services easier.  The specification suite builds upon experience
   with existing schemas and deployments, placing specific emphasis on
   simplicity of development and integration, while applying existing
   authentication, authorization, and privacy models.  Its intent is to
   reduce the cost and complexity of user management operations by

[skipping to change at page 1, line 49]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 19, 2015 [-20: November
   13, 2015].

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

[skipping to change at page 2, line 30]
Table of Contents

   1.  Introduction and Overview . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements Notation and Conventions . . . . . . . . . .   4
     1.2.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   5
   2.  SCIM Schema . . . . . . . . . . . . . . . . . . . . . . . . .   6
     2.1.  Attributes  . . . . . . . . . . . . . . . . . . . . . . .   7
     2.2.  Attribute Characteristics . . . . . . . . . . . . . . . .   7
     2.3.  Attribute Data Types  . . . . . . . . . . . . . . . . . .   8
       2.3.1.  String  . . . . . . . . . . . . . . . . . . . . . . .   8
       2.3.2.  Boolean . . . . . . . . . . . . . . . . . . . . . . .   9  [-20: 8]
       2.3.3.  Decimal . . . . . . . . . . . . . . . . . . . . . . .   9
       2.3.4.  Integer . . . . . . . . . . . . . . . . . . . . . . .   9
       2.3.5.  DateTime  . . . . . . . . . . . . . . . . . . . . . .   9
       2.3.6.  Binary  . . . . . . . . . . . . . . . . . . . . . . .   9
       2.3.7.  Reference . . . . . . . . . . . . . . . . . . . . . .   9
       2.3.8.  Complex . . . . . . . . . . . . . . . . . . . . . . .  10
     2.4.  Multi-valued Attributes . . . . . . . . . . . . . . . . .  10
     2.5.  Unassigned and Null Values  . . . . . . . . . . . . . . .  12
   3.  SCIM Resources  . . . . . . . . . . . . . . . . . . . . . . .  12
     3.1.  Common Attributes . . . . . . . . . . . . . . . . . . . .  15
     3.2.  Defining New Resource Types . . . . . . . . . . . . . . .  16  [-20: 17]
     3.3.  Attribute Extensions to Resources . . . . . . . . . . . .  17
   4.  SCIM Core Resources and Extensions  . . . . . . . . . . . . .  17
     4.1.  User Resource Schema  . . . . . . . . . . . . . . . . . .  17
       4.1.1.  Singular Attributes . . . . . . . . . . . . . . . . .  17  [-20: 18]
       4.1.2.  Multi-valued Attributes . . . . . . . . . . . . . . .  21
     4.2.  Group Resource Schema . . . . . . . . . . . . . . . . . .  23  [-20: 24]
     4.3.  Enterprise User Schema Extension  . . . . . . . . . . . .  24
   5.  Service Provider Configuration Schema . . . . . . . . . . . .  25
   6.  ResourceType Schema . . . . . . . . . . . . . . . . . . . . .  27
   7.  Schema Definition . . . . . . . . . . . . . . . . . . . . . .  28
   8.  JSON Representation . . . . . . . . . . . . . . . . . . . . .  31
     8.1.  Minimal User Representation . . . . . . . . . . . . . . .  31
     8.2.  Full User Representation  . . . . . . . . . . . . . . . .  32
     8.3.  Enterprise User Extension Representation  . . . . . . . .  35
     8.4.  Group Representation  . . . . . . . . . . . . . . . . . .  38
     8.5.  Service Provider Configuration Representation . . . . . .  39

[skipping to change at page 4, line 24]
   identity resources such as Users and Groups, using a subset of the
   HTTP methods (GET for retrieval of resources, POST for creation,
   searching and bulk modification, PUT for attribute replacement within
   resources, PATCH for partial update of attributes, and DELETE for
   removing resources).

   While the SCIM protocol and core schema specifications are intended
   to cover point-to-point scenarios, implementers and deployers should
   consider multi-hop and multi-party scenarios such as a service
   provider acting as a general profile service for in-domain
   applications (e.g., a directory) [-20: without the parenthetical]; as
   well as, scenarios where a service provider in turn passes
   information to a 3rd party service provider either by acting as a
   SCIM client or as a SCIM service provider.  Implementers and
   deployers should consider carefully their service level agreements
   and privacy agreements when distributing or propagating personal
   information (see also Privacy Considerations, Section 9.3).

   This document provides a JSON based schema and extension model for
   representing users and groups, as well as service provider
   configuration.  This schema is intended for exchange and use with
   cloud service providers and other cross-domain scenarios.
1.1.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   [new in -21] The key words "REQUIRED" and "OPTIONAL" are used
   throughout this document to indicate whether an attribute or schema
   element is required or optional.  These keywords may be used alone
   (e.g., "REQUIRED."), or in a sentence.  If not specified, an
   attribute is considered to be optional.

   Throughout this document, values are quoted to indicate that they are
   to be taken literally.  When using these values in protocol messages,
   the quotes MUST NOT be used as part of the value.

   Throughout this document all figures may [-20: MAY] contain spaces
   and extra line-wrapping for readability and space reasons.
   Similarly, some URI's contained within examples, have been shortened
   for space and readability reasons.
1.2.  Definitions

   Service Provider
      An HTTP web application that provides identity information via the
      SCIM protocol.

[skipping to change at page 5, line 36 (-20) / line 41 (-21)]

      and other meta-data which indicate where a resource is managed and
      how it is composed; e.g., "User" or "Group".

   Resource
      A service provider managed artifact containing one or more
      attributes.  For example a "User" or "Group".

   Endpoint
      An endpoint for a service provider is a defined base path relative
      to the service providers Base URI (see definitions of
      [I-D.ietf-scim-api]) over which SCIM operations may [-20: MAY] be
      performed against SCIM resources.  For example, assuming the
      service provider Base URI is "https://example.com/": "User"
      resources may be accessed at the "https://example.com/Users", or
      "https://example.com/v2/Users" (when including protocol version,
      see Section 3.13 [I-D.ietf-scim-api]) endpoint.  Service provider
      schemas MAY be returned from the "/Schemas" endpoint.

   Schema
      A collection of attribute definitions that describe the contents
      of an entire or partial resource; e.g.,

[skipping to change at page 6, line 12 (-20) / line 17 (-21)]
   Singular Attribute
      A resource attribute that contains 0..1 values; e.g.,
      "displayName".

   Multi-valued Attribute
      A resource attribute that contains 0..n values; e.g., "emails".

   Simple Attribute
      A singular or multi-valued attribute whose value is a primitive;
      e.g., "String".  A simple attribute MUST NOT [-20: MAY not]
      contain sub-attributes.

   Complex Attribute
      A singular or multi-valued attribute whose value is a composition
      of one or more simple attributes; e.g., "addresses" has the sub-
      attributes "streetAddress", "locality", "postalCode", and
      "country".

   Sub-Attribute
      A simple attribute that is contained within a complex attribute.

[skipping to change at page 7, line 14 (-20) / line 20 (-21)]
2.1.  Attributes

   A resource is a collection of attributes identified by one or more
   schemas.  Minimally, an attribute consists of the attribute name and
   at least one simple or complex value either of which may be multi-
   valued.  For each attribute, SCIM schema defines the data type,
   plurality, mutability, and other distinguishing features of an
   attribute.

   Attribute names are case-insensitive and are often [-20: MAY be]
   camel-cased (e.g., "camelCase").  SCIM resources are represented in
   JSON [RFC7159] and MUST specify schema via the "schemas" attribute
   per Section 3.

   Attribute names MUST conform to the following ABNF rules:

     ATTRNAME = ALPHA *(nameChar)
     nameChar = "$" / "-" / "_" / DIGIT / ALPHA

                    Figure 1: ABNF for Attribute Names

   The above rules (and other rules in this specification) use the "Core
   Rules" from ABNF, see Appendix B [RFC5234].  Unless otherwise
   specified in this specification, all ABNF strings are case
   insensitive and the character set for these strings is US-ASCII.  For
   example, all attribute names defined by the above rule are case
   insensitive.

   When defining attribute names it should be noted that the hyphen
   ("-") is not permitted in Javascript (and some other languages)
   attribute names.  While there are no known issues within HTTP
   protocol and JSON notation, attribute names containing hyphens may
   [-20: MAY] need to be escaped when declaring corresponding names of
   Javascript attributes.
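The following is an added example, not code from either draft: it encodes the Figure 1 ABNF as a regular expression and shows the check a service provider needs once attribute names are case-insensitive, namely rejecting a JSON object that carries two spellings of one name (a validator written against "userName" would otherwise never see a value smuggled in under "USERNAME"). The "$ref" allowance, the duplicate-key rejection on parse and the dotted "attr.subAttr" lookup path are choices made for this example.

```python
import json
import re

# Figure 1: ATTRNAME = ALPHA *(nameChar); nameChar = "$" / "-" / "_" / DIGIT / ALPHA
# The ABNF character set is US-ASCII, so the classes are spelled out rather
# than using the Unicode-aware \w.
_ATTRNAME = re.compile(r"[A-Za-z][A-Za-z0-9$_-]*")


def is_valid_attrname(name: str) -> bool:
    """True if name conforms to the Figure 1 ABNF.

    "$ref" (Section 2.4) starts with "$", which the rule only admits after
    the first character, so it is allowed explicitly here.
    """
    return name == "$ref" or _ATTRNAME.fullmatch(name) is not None


def normalize_attributes(obj: dict) -> dict:
    """Return a copy of a SCIM JSON object keyed by lower-cased attribute names.

    Names are case-insensitive (Section 2.1), so "userName" and "USERNAME"
    denote one attribute.  Two spellings of the same name in one object are
    ambiguous: a check that looks only at "userName" would miss the value
    sent under "USERNAME".  Rather than let one silently overwrite the
    other, reject the object.
    """
    out = {}
    for name, value in obj.items():
        if not is_valid_attrname(name):
            raise ValueError(f"invalid attribute name: {name!r}")
        key = name.lower()
        if key in out:
            raise ValueError(f"attribute {name!r} appears more than once (case-insensitive)")
        if isinstance(value, dict):
            value = normalize_attributes(value)  # sub-attribute names too
        elif isinstance(value, list):
            value = [normalize_attributes(v) if isinstance(v, dict) else v for v in value]
        out[key] = value
    return out


def _reject_duplicate_keys(pairs):
    # json.loads keeps the last of two identical keys by default; make exact
    # duplicates an error as well, so a second "userName" cannot carry a
    # value past a check that saw only the first.
    d = {}
    for k, v in pairs:
        if k in d:
            raise ValueError(f"duplicate key {k!r}")
        d[k] = v
    return d


def parse_scim_json(text: str) -> dict:
    """Parse a SCIM JSON body into a case-normalized object."""
    return normalize_attributes(json.loads(text, object_pairs_hook=_reject_duplicate_keys))


def get_attr(obj: dict, path: str):
    """Case-insensitive lookup of "attr" or "attr.subAttr" in a normalized object."""
    cur = obj
    for part in path.lower().split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def js_accessor(name: str) -> str:
    """Hyphens are valid in SCIM names but not in JavaScript identifiers, so
    such names need bracket access rather than dot access in JS code."""
    return f'obj["{name}"]' if "-" in name else f"obj.{name}"


if __name__ == "__main__":
    # Constructed request body, not taken from the drafts.
    user = parse_scim_json('{"userName": "bjensen", "name": {"givenName": "Barbara"}}')
    print(get_attr(user, "USERNAME"), get_attr(user, "Name.GivenName"))
    for body in ('{"userName": "a", "USERNAME": "b"}', '{"userName": "a", "userName": "b"}'):
        try:
            parse_scim_json(body)
        except ValueError as e:
            print("rejected:", e)
```

Note that the literal Figure 1 rule does not admit "$ref", the conventional reference sub-attribute of Section 2.4, because "$" is only permitted after the first character; a deployed validator has to make that allowance explicitly, as this one does.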
2.2.  Attribute Characteristics

   If not otherwise stated in Section 7, SCIM attributes have the
   following characteristics:

   o  are OPTIONAL (is not REQUIRED).

   o  have values that are case insensitive ("caseExact" is "false")
      [-20: are case insensitive ("caseExact" is "false")],

   o  are modifiable ("mutability" is "readWrite"),

   o  are returned in response to queries (returned by default),

   o  have no canonical values (for example, the "type" sub-attribute in
      Section 2.4,

   o  are not unique ("uniqueness" is "none"), and,

   o  of type string (Section 2.3.1).

2.3.  Attribute Data Types

   Attribute data types are derived from JSON [RFC7159].  The JSON

[skipping to change at page 9, line 13 (-20) / line 19 (-21)]
   uniqueness.

2.3.3.  Decimal

   A real number with at least one digit to the left and right of the
   period.  The JSON format is defined in Section 6 [RFC7159].  A
   decimal has no case sensitivity.

2.3.4.  Integer

   A whole number with no fractional digits or decimal.  [-20: A decimal
   number with no fractional digits.]  The JSON format is defined in
   Section 6 [RFC7159] with the additional constraint that the value
   MUST NOT contain fractional or exponent parts.  An integer has no
   case sensitivity.

2.3.5.  DateTime

   A DateTime value (e.g., 2008-01-23T04:56:22Z).  The attribute value
   MUST be encoded as a valid xsd:dateTime as specified in Section 3.3.7
   [XML-Schema] and MUST include both a date and a time [-20: omits "and
   MUST include both a date and a time"].  A date-time has no case-
   sensitivity or uniqueness.

   Values represented in JSON MUST conform to the XML constraints above
   and are represented as a JSON String per Section 7 [RFC7159].

2.3.6.  Binary

   Arbitrary binary data.  The attribute value MUST be encoded in base
   64 encoding as specified in Section 4 [RFC4648].  In cases where a
   URL-safe encoding is required, the attribute definition MAY specify
   Base 64 URL encoding be used as per Section 5 [RFC4648].  Unless

[skipping to change at page 10, line 10 (-20) / line 17 (-21)]
   service provider root endpoint); e.g., the base URI for a request to
   "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
   would be "https://example.com/v2/" and the relative URI for this
   resource would be "Users/2819c223-7f76-453a-919d-413861904646".

   In JSON representation, the URI value is represented as a JSON String
   per Section 7 [RFC7159].  A reference is case-exact.  A reference has
   a "referenceType" that indicates what types of resources may be
   linked as per Section 7.

   -20:
   Performing a GET operation on a reference URI MUST return the target
   resource or an appropriate HTTP response code.  The service provider
   MAY optionally choose to enforce referential integrity for reference
   types referring to SCIM resources.

   -21:
   A reference URI MUST be to an HTTP addressable resource.  An HTTP
   client performing a GET operation on a reference URI MUST receive the
   target resource or an appropriate HTTP response code.  A SCIM service
   provider MAY choose to enforce referential integrity for reference
   types referring to SCIM resources.

   By convention, a reference is commonly represented as a "$ref" sub-
   attribute in complex or multi-valued attributes, however this is
   OPTIONAL.

2.3.8.  Complex

   A singular or multi-valued attribute whose value is a composition of
   one or more simple attributes.  The JSON format is defined in
   Section 4 of [RFC7159] [-20: Section 4 [RFC7159]].  The order of the
   component attributes is not significant.  Servers and clients MUST
   NOT require or expect attributes to be in any specific order when an
   object is either generated or analyzed.  A complex attribute has no
   uniqueness or case sensitivity.  A complex attribute MUST NOT contain
   sub-attributes that have sub-attributes (i.e., that are complex).

2.4.  Multi-valued Attributes
   Multi-valued attributes contain a list of elements using the JSON
   array format defined in Section 5 of [RFC7159].  Elements can be
   either

   o  primitive values, or

   o  objects with a set of sub-attributes and values, using the JSON
      object format defined in Section 4 of [RFC7159], in which case
      they SHALL [-20: MAY also] be considered to be complex attributes.
      As with complex attributes, the order of sub-attributes is not
      significant.  The pre-defined sub-attributes listed in this
      section can be used with multi-valued attribute objects but these
      sub-attributes MUST be used with the meanings defined here.

   If not otherwise defined, the default set of sub-attributes for a
   multi-valued attribute are: [-20: The pre-defined set of sub-
   attributes for a multi-valued attribute are:]

   type
      A label indicating the attribute's function; e.g., "work" or
      "home".

   primary
      A Boolean value indicating the 'primary' or preferred attribute
      value for this attribute, e.g., the preferred mailing address or
      the primary e-mail address.  The primary attribute value "true"
      MUST appear no more than once.  If not specified, the value of

[skipping to change at page 11, line 23 (-20) / line 32 (-21)]
      A human readable name, primarily used for display purposes and has
      a mutability of "immutable".

   value
      The attribute's significant value; e.g., the e-mail address, phone
      number, etc.

   $ref
      The reference URI of a target resource, if the attribute is a
      reference.  URIs are canonicalized per Section 6.2 of [RFC3986].
      While the representation of a resource may [-20: MAY] vary in
      different SCIM protocol API versions (see section 3.13 of
      [I-D.ietf-scim-api]), URI's for SCIM resources with an API version
      SHALL be considered comparable to one without a version or
      different version.  For example, "https://example.com/Users/12345"
      is equivalent to "https://example.com/v2/Users/12345".

   When returning multi-valued attributes, service providers SHOULD
   canonicalize the value returned (e.g., by returning a value for the
   sub-attribute "type" such as "home" or "work") when appropriate
   (e.g., for e-mail addresses and URLs).

   Service providers MAY return element objects with the same "value"
   sub-attribute more than once with a different "type" sub-attribute
   (e.g., the same e-mail address may used for work and home), but
   SHOULD NOT return the same (type, value) combination more than once
   per attribute, as this complicates processing by the consumer.

   When defining schema for multi-valued attributes, it is considered a
   good practice to provide a type attribute that MAY be used for the
   purpose of canonicalization of values.  In the schema definition for
   an attribute, the service provider MAY define the recommended
   canonical values (see Section 7).  [-20: Further, in the schema
   definition for an attribute MAY define the recommended canonical
   values (see Section 7).]

2.5.  Unassigned and Null Values

   Unassigned attributes, the null value, or empty array (in the case of
   a multi-valued attribute) SHALL be considered to be equivalent in
   "state".  Assigning an attribute with the value "null" or an empty
   array (in the case of multi-valued attributes) has the effect of
   making the attribute "unassigned".  When a resource is expressed in
   JSON form, unassigned attributes, though they are defined in schema,
   MAY be omitted for compactness.
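An added example, not code from the drafts, that applies the multi-valued attribute rules of Section 2.4 and the unassigned-value rule of Section 2.5 to a constructed User fragment: at most one element marked "primary": true, no repeated (type, value) pair, canonical "type" labels where the schema recommends them, null or [] treated as unassigned, and a $ref comparison that ignores an API version segment. The canonical-value table and the "v<digits>" shape of the version segment are assumptions made for illustration; the text leaves both to the schema definition and the API draft.

```python
import re
from urllib.parse import urlsplit

# Recommended canonical "type" values for a few core multi-valued
# attributes.  This table is an assumption for the example; Section 7 lets
# each schema definition declare its own canonical values.
CANONICAL_TYPES = {
    "emails": {"work", "home", "other"},
    "phonenumbers": {"work", "home", "mobile", "fax", "pager", "other"},
    "addresses": {"work", "home", "other"},
}

# Assumed shape of an API version path segment, e.g. the "v2" in
# https://example.com/v2/Users; the drafts only ever show "v2".
_VERSION_SEG = re.compile(r"^v[0-9]+$")


def is_unassigned(value) -> bool:
    """Section 2.5: a missing attribute, null and [] are the same state."""
    return value is None or value == []


def check_multivalued(attr, elements, strict_types=False):
    """Return the Section 2.4 rule violations found in one multi-valued attribute.

    * "primary": true may appear at most once.
    * The same (type, value) pair should not appear twice; the same value
      under different types is allowed (one address used for work and home).
    * "type" and "value" are compared case-insensitively because caseExact
      defaults to false (Section 2.2); with strict_types, "type" must be one
      of the canonical labels known for the attribute.
    """
    problems = []
    if is_unassigned(elements):
        return problems
    canonical = CANONICAL_TYPES.get(attr.lower())
    primaries = 0
    seen = set()
    for i, el in enumerate(elements):
        if not isinstance(el, dict):
            continue  # primitive element, no sub-attributes to check
        if el.get("primary") is True:
            primaries += 1
        typ, val = el.get("type"), el.get("value")
        if isinstance(val, (dict, list)):
            problems.append(f"{attr}[{i}]: 'value' must be a simple attribute")
            continue
        typ_key = typ.lower() if isinstance(typ, str) else typ
        val_key = val.lower() if isinstance(val, str) else val
        if strict_types and canonical and typ_key is not None and typ_key not in canonical:
            problems.append(f"{attr}[{i}]: non-canonical type {typ!r}")
        if (typ_key, val_key) in seen:
            problems.append(f"{attr}[{i}]: duplicate (type, value) pair {typ!r}, {val!r}")
        seen.add((typ_key, val_key))
    if primaries > 1:
        problems.append(f"{attr}: {primaries} elements marked primary, at most one allowed")
    return problems


def assign(resource, attr, value):
    """Replace attr in a copy of resource; null or [] leaves it unassigned,
    so the attribute drops out of the JSON form (Section 2.5)."""
    out = dict(resource)
    if is_unassigned(value):
        out.pop(attr, None)
    else:
        out[attr] = value
    return out


def ref_key(uri):
    """Comparison key for a $ref value.

    Scheme and host are lower-cased (RFC 3986 Section 6.2.2.1); the path
    stays case-exact because references are case-exact (Section 2.3.7); a
    leading version segment is dropped so that .../Users/12345 and
    .../v2/Users/12345 compare equal (Section 2.4).  Percent-encoding is not
    normalised here.
    """
    parts = urlsplit(uri)
    segs = [s for s in parts.path.split("/") if s]
    if segs and _VERSION_SEG.match(segs[0]):
        segs = segs[1:]
    return (parts.scheme.lower(), parts.netloc.lower(), tuple(segs))


def refs_equivalent(a, b):
    return ref_key(a) == ref_key(b)


if __name__ == "__main__":
    # Constructed sample; not an example from the drafts.
    emails = [
        {"value": "bjensen@example.com", "type": "work", "primary": True},
        {"value": "BJENSEN@example.com", "type": "home"},  # same value, other type: allowed
        {"value": "babs@jensen.org", "type": "home", "primary": True},  # second primary
        {"value": "babs@jensen.org", "type": "HOME"},  # repeats (home, babs@jensen.org)
    ]
    for p in check_multivalued("emails", emails):
        print(p)
    print("emails" in assign({"emails": emails}, "emails", []))  # [] made it unassigned
    print(refs_equivalent("https://example.com/Users/12345",
                          "https://example.com/v2/Users/12345"))
```

The check is deliberately a SHOULD-level report rather than a hard rejection for the duplicate pair, matching the text; a service provider that also wants to refuse non-canonical labels passes strict_types=True once its schema definition publishes canonical values.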
[skipping to change at page 12, line 25 (-20) / line 31 (-21)]
3.  SCIM Resources

   Each SCIM resource is a JSON object that has the following
   components:

   Resource Type
      Each resource (or JSON object) in SCIM has a resource type
      ("meta.resourceType", see Section 3.1) that defines the resource's
      core attribute schema and any attribute extension schema as well
      as the endpoint where objects of the same type may be found.  More
      information about a resource MAY be found in its resource type
      [-20: resourceType] definition (see Section 6).

   Schemas Attribute
      The "schemas" attribute is a REQUIRED attribute [-20: attribute
      that MUST be present] and is an array of Strings containing URIs
      which are used to indicate the namespaces of the SCIM schemas that
      define the attributes present in the current JSON structure.  The
      attribute [-20: It] may be used by parsers to define the
      attributes present in the JSON structure that is the body to an
      HTTP Request or Response.  Each String value must be a unique URI.
      All representations of SCIM schemas MUST include a non-empty array
      with value(s) of the URIs supported by that representation.  The
      schemas attribute for a resource MUST only contain values defined
      as "schema" and "schemaExtensions" for the resource's defined
      [-20: omits "defined"] "resourceType".  Duplicate values MUST NOT
      be included.  Value order is not specified and MUST NOT impact
      behavior.

   Common Attributes
      Are attributes that are part of every SCIM resource regardless of
      the value of the "schemas" attribute present in a JSON body.
      These attributes are not defined in any particular schema, but
SHALL be assumed to be present in every resource regardless of the SHALL be assumed to be present in every resource regardless of the
value of the "schemas" attribute. See Section 3.1. value of the "schemas" attribute. See Section 3.1.
skipping to change at page 15, line 15

3.1. Common Attributes

Each SCIM resource (Users, Groups, etc.) includes the following
common attributes. With the exception of "ServiceProviderConfig" and
"ResourceType" server discovery endpoints and their associated
resources, these attributes MUST be defined for all resources,
including any extended resource types. When accepted by a service
provider (e.g., after a SCIM create), the attributes "id" and "meta"
(and its associated sub-attributes) MUST be assigned values by the
service provider. Common attributes are considered to be part of
every base resource schema and do not use their own "schemas" URI.

For backwards compatibility reasons, some existing schema definitions
MAY list common attributes as part of the schema. The attribute
characteristics (see Section 2.2) listed here SHALL take precedence
over older definitions that may be included in existing schemas.
id
A unique identifier for a SCIM resource as defined by the service
provider. Each representation of the resource MUST include a non-
empty "id" value. This identifier MUST be unique across the SCIM
service provider's entire set of resources. It MUST be a stable,
non-reassignable identifier that does not change when the same
resource is returned in subsequent requests. The value of the
"id" attribute is always issued by the service provider and MUST
NOT be specified by the client. The string "bulkId" is a reserved
keyword and MUST NOT be used within any unique identifier value.
The attribute characteristics are "caseExact" as "true" and a
mutability of "readOnly" and has a "returned" characteristic of
"always". See Section 9 for additional considerations regarding
privacy.

externalId
A String that is an identifier for the resource as defined by the
provisioning client. The "externalId" may simplify identification
of a resource between the provisioning client and the service
provider by allowing the client to use a filter to locate the
resource with an identifier from the provisioning domain,
obviating the need to store a local mapping between the
provisioning domain's identifier of the resource and the
identifier used by the service provider. Each resource MAY

skipping to change at page 16, line 10

provider MUST always interpret the externalId as scoped to the
provisioning domain. While the server does not enforce
uniqueness, it is assumed that the value's uniqueness is
controlled by the client setting the value. See Section 9 for
additional considerations regarding privacy. The attribute has
"caseExact" as "true" and has a mutability of "readWrite". The
attribute is OPTIONAL.

meta
A complex attribute containing resource metadata. All meta sub-
attributes are assigned by the service provider (have "mutability"
of "readOnly") and all attributes have the characteristic
"returned" by "default". The attribute SHALL be ignored when
provided by clients:

resourceType The name of the resource type of the resource. This
attribute has mutability of "readOnly" and has "caseExact" as
"true".

created The DateTime the resource was added to the service
provider. The attribute MUST be a DateTime.

lastModified The most recent DateTime the details of this
resource were updated at the service provider. If this
resource has never been modified since its initial creation,
the value MUST be the same as the value of created.

location The URI of the resource being returned. This value MUST
be the same as the "Content-Location" HTTP response header (see
Section 3.1.4.2 [RFC7231]).

version The version of the resource being returned. This value
must be the same as the ETag HTTP response header (See Sections
2.1 and 2.3 of [RFC7232]). The attribute has "caseExact" as
"true". Service provider support for this attribute is
optional and subject to the service provider's support for
versioning (see "Versioning Resources", Section 3.14
[I-D.ietf-scim-api]). If a service provider provides "version"
(entity-tag) for a representation and the generation of that
entity-tag does not satisfy all of the characteristics of a
strong validator (see Section 2.1, [RFC7232]), then the origin
server MUST mark the "version" (entity-tag) as weak by
prefixing its opaque value with "W/" (case-sensitive).
3.2. Defining New Resource Types

skipping to change at page 17, line 26

SHOULD avoid redefining any attributes defined in this specification
and SHOULD follow conventions defined in this specification. Except
for the base object schema, the schema extension URI SHALL be used as
a JSON container to distinguish attributes belonging to the extension
namespace from base schema attributes. See Figure 5 for an example
of the JSON representation of an extended User.

In order to determine which URI value in the "schemas" attribute is
the base schema and which is extended schema for any given resource,
the resource's "resourceType" attribute value MAY be used to retrieve
the resource's "ResourceType" schema (see Section 6). See also the
example "ResourceType" representation in Figure 8.
4. SCIM Core Resources and Extensions

This section defines the default resource schemas present in a SCIM
server. SCIM is not exclusive to these resources, and may be
extended to support other resource types (see Section 3.2).
4.1. User Resource Schema

SCIM provides a resource type for "User" resources. The core schema

skipping to change at page 18, line 6

A service provider unique identifier for the user, typically used
by the user to directly authenticate to the service provider.
Often displayed to the user as their unique identifier within the
system (as opposed to "id" or "externalId", which are generally
opaque and not user-friendly identifiers). Each User MUST include
a non-empty userName value. This identifier MUST be unique across
the service provider's entire set of Users. The attribute is
REQUIRED and is case-insensitive.

name
The components of the user's name. Service providers MAY return
just the full name as a single string in the formatted sub-
attribute, or they MAY return just the individual component
attributes using the other sub-attributes, or they MAY return
both. If both variants are returned, they SHOULD be describing
the same name, with the formatted name indicating how the
component attributes should be combined.

formatted The full name, including all middle names, titles, and
suffixes as appropriate, formatted for display (e.g., "Ms.
Barbara Jane Jensen, III.").

skipping to change at page 20, line 13

See [RFC5646] for further information.

timezone
The User's time zone in IANA Time Zone database format [RFC6557],
also known as "Olson" timezone database format [Olson-TZ]; For
example: "America/Los_Angeles".

active
A Boolean value indicating the user's administrative status. The
definitive meaning of this attribute is determined by the service
provider. As a typical example, a value of true implies the user
is able to login while a value of false implies the user's account
has been suspended.
password
This attribute is intended to be used as a means to set, replace,
or compare (i.e., filter for equality) a password. The clear-text
value or the hashed value of a password SHALL NOT be returnable by
a service provider. If a service provider holds the value
locally, the value SHOULD be hashed. When a password is set or
changed by the client, the clear text password SHOULD be processed
by the service provider as follows:

* Prepares the clear text value for international language
comparison. See Section 7.7 of [I-D.ietf-scim-api].

* Validates the value against server password policy. Note: the
definition and enforcement of password policy is beyond the
scope of this document.

* And, the value is encrypted (e.g., hashed). See Section 9.2
for acceptable hashing and encryption handling when storing or
persisting for provisioning workflow reasons.

A service provider that immediately passes the clear text value on
to another system or programming interface, MUST pass the value
directly over a secured connection (e.g., TLS). If the value
needs to be temporarily persisted for a period of time (e.g.,
because of a workflow) before provisioning, then the value MUST be
protected by some method such as encryption.

Testing for an equality match MAY be supported if there is an
existing stored hashed value. When testing for equality, the
service provider:

* Prepares the filter value for international language
comparison. See Section 7.7 of [I-D.ietf-scim-api].

* The service provider generates the salted hash of the filter
value and tests for a match with the locally held value.
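The set/compare procedure above, as an added Python example that is not part of the draft: the NFKC normalization stands in for the preparation profile of Section 7.7 of [I-D.ietf-scim-api], the minimum-length policy, the PBKDF2 parameters and the "_password" record layout are constructed choices for illustration.

```python
import hashlib
import hmac
import os
import unicodedata


def prepare_password(clear_text):
    """Stand-in for the international string preparation required by
    Section 7.7 of the SCIM API draft.  NFKC normalization is used here only
    as an illustration (assumption); a deployment must apply the profile that
    document specifies so that equivalent inputs compare equal."""
    return unicodedata.normalize("NFKC", clear_text)


def check_password_policy(prepared):
    """Server password policy is out of scope for the draft; this constructed
    policy only enforces a minimum length and raises on violation."""
    if len(prepared) < 12:
        raise ValueError("password policy violation: fewer than 12 characters")


def hash_password(prepared, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the prepared value (example choice of
    algorithm and work factor).  A fresh 16-byte salt is drawn when none is
    supplied; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", prepared.encode("utf-8"), salt, 200_000)
    return salt, digest


def set_password(user_record, clear_text):
    """Process a client-supplied password: prepare, validate against policy,
    hash, and keep only salt and digest (the clear text is not stored)."""
    prepared = prepare_password(clear_text)
    check_password_policy(prepared)
    salt, digest = hash_password(prepared)
    user_record["_password"] = {"salt": salt, "digest": digest}


def password_equals(user_record, filter_value):
    """Evaluate a filter such as  password eq "..."  against the stored hash:
    prepare the filter value, re-hash it with the stored salt, and compare
    in constant time.  A user with no stored password never matches."""
    stored = user_record.get("_password")
    if stored is None:
        return False
    _, digest = hash_password(prepare_password(filter_value), stored["salt"])
    return hmac.compare_digest(digest, stored["digest"])


def to_representation(user_record):
    """JSON-ready view of the user: neither the clear text nor the hashed
    password is ever returned (all "_"-prefixed internal keys are dropped)."""
    return {k: v for k, v in user_record.items() if not k.startswith("_")}
```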
skipping to change at page 23, line 5

defined. It is intended that the semantics of group membership
and any behavior or authorization granted as a result of
membership are defined by the service provider. The canonical
types "direct" and "indirect" are defined to describe how the
group membership was derived. Direct group membership indicates
the user is directly associated with the group and SHOULD indicate
that clients may modify membership through the "Group" resource.
Indirect membership indicates user membership is transitive or
dynamic and implies that clients cannot modify indirect group
membership through the "Group" resource but MAY modify direct
group membership through the "Group" resource which may influence
indirect memberships. If the SCIM service provider exposes a
Group resource, the "value" sub-attribute MUST be the "id" and the
"$ref" sub-attribute must be the URI of the corresponding "Group"
resources to which the user belongs. Since this attribute has a
mutability of "readOnly", group membership changes MUST be applied
via the Group Resource (Section 4.2). The attribute has a
mutability of "readOnly".

entitlements
A list of entitlements for the user that represent a thing the
user has. An entitlement may be an additional right to a thing,
object, or service. No vocabulary or syntax is specified and
service providers and clients are expected to encode sufficient
information in the value so as to accurately and without ambiguity
determine what the user has access to. This value has no
canonical types though type may be useful as a means to scope
entitlements.

roles
A list of roles for the user that collectively represent who the
user is; e.g., "Student, Faculty". No vocabulary or syntax is
specified though it is expected that a role value is a String or
label representing a collection of entitlements. This value has
no canonical types.

x509Certificates
A list of certificates associated with the resource (e.g., a
User). Each value contains exactly one DER encoded X.509 (see
Section 4 [RFC5280]), which MUST be base 64 encoded per Section 4
[RFC4648]. A single value MUST NOT contain multiple certificates
and so does not contain the encoding "SEQUENCE OF Certificate" in
any guise.
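One way to check the single-certificate rule before accepting an x509Certificates value, as an added Python example that is not part of the draft. The DER blobs in the block are constructed stand-ins that only mimic the three-element shape of a Certificate (tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING); they are not real certificates.

```python
import base64


def _der_tlv_length(buf, offset=0):
    """Return (header_length, content_length) of the DER TLV at offset.
    Only definite, minimally encoded lengths are accepted, as DER requires."""
    if len(buf) < offset + 2:
        raise ValueError("truncated TLV header")
    first = buf[offset + 1]
    if first < 0x80:                       # short form
        return 2, first
    n = first & 0x7F                       # number of length octets
    if n == 0 or n > 4 or len(buf) < offset + 2 + n:
        raise ValueError("indefinite, oversized or truncated DER length")
    length = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    if length < 0x80 or (n > 1 and buf[offset + 2] == 0):
        raise ValueError("non-minimal DER length encoding")
    return 2 + n, length


def _child_tags(buf, start, end):
    """Tags of the consecutive TLVs that fill buf[start:end] exactly."""
    tags, pos = [], start
    while pos < end:
        hdr, length = _der_tlv_length(buf, pos)
        if pos + hdr + length > end:
            raise ValueError("element overruns its container")
        tags.append(buf[pos])
        pos += hdr + length
    return tags


def check_x509_value(value):
    """Validate one x509Certificates "value": base64 (RFC 4648 Section 4) of
    exactly one DER Certificate.  Rejects trailing data (two concatenated
    certificates) and a wrapping SEQUENCE OF Certificate, which has the
    wrong element shape.  Returns (ok, reason)."""
    try:
        der = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return False, "value is not valid base64"
    if not der or der[0] != 0x30:
        return False, "outer element is not a SEQUENCE"
    try:
        hdr, length = _der_tlv_length(der)
        if hdr + length < len(der):
            return False, "trailing data after the first certificate"
        if hdr + length > len(der):
            return False, "certificate is truncated"
        tags = _child_tags(der, hdr, hdr + length)
    except ValueError as e:
        return False, str(e)
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
    #                            signatureAlgorithm SEQUENCE,
    #                            signatureValue BIT STRING }
    if tags != [0x30, 0x30, 0x03]:
        return False, "not a single Certificate (expected SEQUENCE, SEQUENCE, BIT STRING)"
    return True, "ok"


# Constructed stand-ins (not real certificates): one fake Certificate, a
# SEQUENCE OF two of them, and two of them simply concatenated.
FAKE_CERT = bytes.fromhex("3007" "3000" "3000" "030100")
ONE_CERT_VALUE = base64.b64encode(FAKE_CERT).decode("ascii")
SEQUENCE_OF_VALUE = base64.b64encode(bytes.fromhex("3012") + FAKE_CERT + FAKE_CERT).decode("ascii")
CONCATENATED_VALUE = base64.b64encode(FAKE_CERT + FAKE_CERT).decode("ascii")
```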
4.2. Group Resource Schema

SCIM provides a schema for representing groups, identified using the
following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group".

Group resources are meant to enable expression of common group or
role based access control models, although no explicit authorization
model is defined. It is intended that the semantics of group
membership and any behavior or authorization granted as a result of

skipping to change at page 25, line 35

form as well as provide additional implementation details to clients.
All attributes have a mutability of "readOnly". Unlike other core
resources, the "id" attribute is not required for the service
provider configuration resource.

The following Singular Attributes are defined in addition to the
common attributes defined in Core Schema:

documentationUrl
An HTTP addressable URL pointing to the service provider's human
consumable help documentation. OPTIONAL.

patch
A complex type that specifies PATCH configuration options.
REQUIRED. See Section 3.5.2 [I-D.ietf-scim-api].

supported Boolean value specifying whether the operation is
supported. REQUIRED.

bulk
A complex type that specifies Bulk configuration options. See
skipping to change at page 27, line 39

The following Singular Attributes are defined:

id
The resource type's server unique id. Often this is the same
value as the "name" attribute. OPTIONAL.

name
The resource type name. When applicable service providers MUST
specify the name specified in the core schema specification; e.g.,
"User" or "Group". This name is referenced by the
"meta.resourceType" attribute in all resources. REQUIRED.

description
The resource type's human readable description. When applicable
service providers MUST specify the description specified in the
core schema specification. OPTIONAL.

endpoint
The resource type's HTTP addressable endpoint relative to the Base
URL of the service provider; e.g., "Users". REQUIRED.

schema
The resource type's primary/base schema URI; e.g.,
"urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal
to the "id" attribute of the associated "Schema" resource.
REQUIRED.

schemaExtensions
A list of URIs of the resource type's schema extensions.
OPTIONAL.

schema The URI of an extended schema; e.g., "urn:edu:2.0:Staff".
This MUST be equal to the "id" attribute of a "Schema"
resource. REQUIRED.

required A Boolean value that specifies whether the schema

skipping to change at page 28, line 31

extension. If false, a resource of this type MAY omit this
schema extension. REQUIRED.
7. Schema Definition

This section defines a way to specify the schema in use by resources
available and accepted by a SCIM service provider. For each
"schemas" URI value, this schema specifies the defined attribute(s)
and their characteristics (mutability, returnability, etc). For
every schema URI used in a resource object, there is a corresponding
"Schema" resource. "Schema" resources are not modifiable and their
associated attributes have a mutability of "readOnly". Except for
"id" (which is always returned), all attributes have "returned"
characteristic of "default". Unless otherwise specified, all schema
attributes are case-insensitive. These resources have a "schemas"
attribute with the following schema URI:

urn:ietf:params:scim:schemas:core:2.0:Schema

Unlike other core resources the "Schema" resource MAY contain a
complex object within a sub-attribute and all attributes are REQUIRED
unless otherwise specified.

The following Singular Attributes are defined:

id
The unique URI of the schema. When applicable service providers
MUST specify the URI specified in the core schema specification;
e.g., "urn:ietf:params:scim:schemas:core:2.0:User". Unlike most
other schemas, which use some sort of a GUID for the "id", the
schema "id" is a URI so that it can be registered and is portable
between different service providers and clients. REQUIRED.

name
The schema's human readable name. When applicable service
providers MUST specify the name specified in the core schema
specification; e.g., "User" or "Group". OPTIONAL.

description
The schema's human readable description. When applicable service
providers MUST specify the description specified in the core
schema specification. OPTIONAL.
skipping to change at page 30, line 20 skipping to change at page 30, line 16
submitted value. Case sensitivity also impacts how attribute submitted value. Case sensitivity also impacts how attribute
values MAY be compared against filter values (see section values MAY be compared against filter values (see section
3.4.2.2 [I-D.ietf-scim-api]). 3.4.2.2 [I-D.ietf-scim-api]).
mutability A single keyword indicating the circumstances under mutability A single keyword indicating the circumstances under
which the value of the attribute can be (re)defined: which the value of the attribute can be (re)defined:
readOnly The attribute SHALL NOT be modified. readOnly The attribute SHALL NOT be modified.
readWrite The attribute MAY be updated and read at any time. readWrite The attribute MAY be updated and read at any time.
DEFAULT. This is default value.
immutable The attribute MAY be defined at resource creation immutable The attribute MAY be defined at resource creation
(e.g., POST) or at record replacement via request (e.g., a (e.g., POST) or at record replacement via request (e.g., a
PUT). The attribute SHALL NOT be updated. PUT). The attribute SHALL NOT be updated.
writeOnly The attribute MAY be updated at any time. Attribute writeOnly The attribute MAY be updated at any time. Attribute
values SHALL NOT be returned (e.g., because the value is a values SHALL NOT be returned (e.g., because the value is a
stored hash). Note: an attribute with mutability of stored hash). Note: an attribute with mutability of
"writeOnly" usually also has a returned setting of "never". "writeOnly" usually also has a returned setting of "never".
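Review bot: the replacement wording for readWrite, "This is default value.", drops the article; suggest "This is the default value." In the writeOnly definition, "Attribute values SHALL NOT be returned" is normative while the note says such attributes "usually also" have a returned setting of "never"; if returned can be anything other than "never" for a writeOnly attribute, the two statements conflict, so either require "never" for writeOnly or explain which other returned settings are compatible with the SHALL NOT.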
skipping to change at page 80, line 19 skipping to change at page 80, line 19
credentials. credentials.
9.3. Privacy 9.3. Privacy
The SCIM Core schema defines attributes that are sensitive and may be The SCIM Core schema defines attributes that are sensitive and may be
considered personally identifying information (PII). These privacy considered personally identifying information (PII). These privacy
considerations should be considered for extensions as well as the considerations should be considered for extensions as well as the
schema defined in this specification. schema defined in this specification.
For the purposes of this specification personally identifying For the purposes of this specification personally identifying
information is defined as any attribute that MAY be used as a unique information is defined as any attribute that may be used as a unique
key to identify a person (e.g., User). Since other information MAY key to identify a person (e.g., User). Since other information may
be used in combination to identify an individual, all attributes in be used in combination to identify an individual, all attributes in
SCIM are considered "sensitive" personal information. Consult SCIM are considered "sensitive" personal information. Consult
regional jurisdictions to see if there are special considerations for regional jurisdictions to see if there are special considerations for
the handling of personal and PII information. the handling of personal and PII information.
Information should be shared on an as-needed basis. A SCIM client Information should be shared on an as-needed basis. A SCIM client
should limit information to what it believes a service provider should limit information to what it believes a service provider
requires, and a SCIM service provider, should only accept information requires, and a SCIM service provider, should only accept information
it needs. Clients and service providers should take into it needs. Clients and service providers should take into
consideration that personal information is being conveyed across consideration that personal information is being conveyed across
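Review bot: lowering "MAY" to "may" in the PII definition ("may be used as a unique key", "other information may be used in combination") matches the stated goal of not using normative keywords for statements of fact, but the lowercase "should" in the next paragraph ("A SCIM client should limit information", "a SCIM service provider, should only accept information it needs") is now ambiguous about whether it is normative; suggest either SHOULD or an explicit non-normative framing so the data-minimisation guidance has a clear status. Also drop the stray comma after "a SCIM service provider".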
skipping to change at page 86, line 27 skipping to change at page 86, line 27
SCIM Server Related Schema URIs SCIM Server Related Schema URIs
11. References 11. References
11.1. Normative References 11.1. Normative References
[I-D.ietf-scim-api] [I-D.ietf-scim-api]
Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C. Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C.
Mortimore, "System for Cross-Domain Identity Management: Mortimore, "System for Cross-Domain Identity Management:
Protocol", draft-ietf-scim-api-18 (work in progress), May Protocol", draft-ietf-scim-api-19 (work in progress), May
2015. 2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. [RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997.
[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An [RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
IETF URN Sub-namespace for Registered Protocol IETF URN Sub-namespace for Registered Protocol
Parameters", BCP 73, RFC 3553, June 2003. Parameters", BCP 73, RFC 3553, June 2003.
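Review bot: the normative reference is bumped from draft-ietf-scim-api-18 to -19, so the section pointer "3.4.2.2 [I-D.ietf-scim-api]" used in the caseExact text should be checked against the -19 section numbering; a stale section number in a normative reference is easy to miss when only the draft version is updated.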
skipping to change at page 93, line 10 skipping to change at page 93, line 10
Updated references to SCIM Protocol sections Updated references to SCIM Protocol sections
Made capitalization of 'client' and 'service provider' terms Made capitalization of 'client' and 'service provider' terms
consistent (lower case) consistent (lower case)
Corrected schema and examples to have singluar value for manager Corrected schema and examples to have singluar value for manager
attribute attribute
Draft 20 - PH - Additional clarification on multi-hop/3rd party, and Draft 20 - PH - Additional clarification on multi-hop/3rd party, and
small nit in section 1.1 small nit in section 1.1
Draft 21 - PH - IESG feedback from draft 20 (Ben, Stephen, Benoit)
Reduced use of normative MAY for statements of fact
Corrected MAYs that were intended to imply MUST or SHALL (e.g.
TLS MUST be used).
Added notation definition for REQUIRED and OPTIONAL
Redefined Integer so as not to conflict with decimal
Clarified a reference URI must be a valid HTTP addressable URI
Clarified attribute characteristics for meta attribute
Dropped use of "real" in definition of name as no real name policy
was implied.
Re-worded/improved readability of password definition
At request of Stephen Farrell, clarified x509certificate values
contain only one certificate.
Other typos and nits
Authors' Addresses Authors' Addresses
Phil Hunt (editor) Phil Hunt (editor)
Oracle Corporation Oracle Corporation
Email: phil.hunt@yahoo.com Email: phil.hunt@yahoo.com
Kelly Grizzle Kelly Grizzle
SailPoint SailPoint
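Review bot: "singluar" in the Draft 19 entry ("singluar value for manager attribute") is a typo that survives into this revision; fix to "singular" (the Draft 21 "Other typos and nits" entry suggests a sweep was done). The Draft 21 entry "Corrected MAYs that were intended to imply MUST or SHALL (e.g. TLS MUST be used)" is the security-relevant change in this revision and would benefit from a pointer to the affected section so implementers can locate the strengthened requirement.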
 End of changes. 58 change blocks. 
104 lines changed or deleted 144 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/