draft-ietf-scim-core-schema-22.txt   rfc7643.txt 
Network Working Group P. Hunt, Ed. Internet Engineering Task Force (IETF) P. Hunt, Ed.
Internet-Draft Oracle Request for Comments: 7643 Oracle
Intended status: Standards Track K. Grizzle Category: Standards Track K. Grizzle
Expires: December 10, 2015 SailPoint ISSN: 2070-1721 SailPoint
E. Wahlstroem E. Wahlstroem
Nexus Technology Nexus Technology
C. Mortimore C. Mortimore
Salesforce Salesforce
June 8, 2015 September 2015
System for Cross-Domain Identity Management: Core Schema System for Cross-domain Identity Management: Core Schema
draft-ietf-scim-core-schema-22
Abstract Abstract
The System for Cross-Domain Identity Management (SCIM) specifications The System for Cross-domain Identity Management (SCIM) specifications
are designed to make identity management in cloud based applications are designed to make identity management in cloud-based applications
and services easier. The specification suite builds upon experience and services easier. The specification suite builds upon experience
with existing schemas and deployments, placing specific emphasis on with existing schemas and deployments, placing specific emphasis on
simplicity of development and integration, while applying existing simplicity of development and integration, while applying existing
authentication, authorization, and privacy models. Its intent is to authentication, authorization, and privacy models. Its intent is to
reduce the cost and complexity of user management operations by reduce the cost and complexity of user management operations by
providing a common user schema and extension model, as well as providing a common user schema and extension model as well as binding
binding documents to provide patterns for exchanging this schema documents to provide patterns for exchanging this schema using HTTP.
using HTTP protocol.
This document provides a platform neutral schema and extension model This document provides a platform-neutral schema and extension model
for representing users and groups and other resource types in JSON for representing users and groups and other resource types in JSON
format. This schema is intended for exchange and use with cloud format. This schema is intended for exchange and use with cloud
service providers. service providers.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
This Internet-Draft will expire on December 10, 2015. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7643.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 1. Introduction and Overview .......................................3
1.1. Requirements Notation and Conventions . . . . . . . . . . 4 1.1. Requirements Notation and Conventions ......................4
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 5 1.2. Definitions ................................................5
2. SCIM Schema . . . . . . . . . . . . . . . . . . . . . . . . . 6 2. SCIM Schema .....................................................6
2.1. Attributes . . . . . . . . . . . . . . . . . . . . . . . 7 2.1. Attributes .................................................7
2.2. Attribute Characteristics . . . . . . . . . . . . . . . . 7 2.2. Attribute Characteristics ..................................8
2.3. Attribute Data Types . . . . . . . . . . . . . . . . . . 8 2.3. Attribute Data Types .......................................8
2.3.1. String . . . . . . . . . . . . . . . . . . . . . . . 8 2.3.1. String ..............................................9
2.3.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 9 2.3.2. Boolean .............................................9
2.3.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 9 2.3.3. Decimal ............................................10
2.3.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 9 2.3.4. Integer ............................................10
2.3.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 9 2.3.5. DateTime ...........................................10
2.3.6. Binary . . . . . . . . . . . . . . . . . . . . . . . 9 2.3.6. Binary .............................................10
2.3.7. Reference . . . . . . . . . . . . . . . . . . . . . . 9 2.3.7. Reference ..........................................10
2.3.8. Complex . . . . . . . . . . . . . . . . . . . . . . . 10 2.3.8. Complex ............................................11
2.4. Multi-valued Attributes . . . . . . . . . . . . . . . . . 10 2.4. Multi-Valued Attributes ...................................11
2.5. Unassigned and Null Values . . . . . . . . . . . . . . . 12 2.5. Unassigned and Null Values ................................13
3. SCIM Resources . . . . . . . . . . . . . . . . . . . . . . . 12 3. SCIM Resources .................................................13
3.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 15 3.1. Common Attributes .........................................16
3.2. Defining New Resource Types . . . . . . . . . . . . . . . 16 3.2. Defining New Resource Types ...............................18
3.3. Attribute Extensions to Resources . . . . . . . . . . . . 17 3.3. Attribute Extensions to Resources .........................18
4. SCIM Core Resources and Extensions . . . . . . . . . . . . . 17 4. SCIM Core Resources and Extensions .............................19
4.1. User Resource Schema . . . . . . . . . . . . . . . . . . 17 4.1. "User" Resource Schema ....................................19
4.1.1. Singular Attributes . . . . . . . . . . . . . . . . . 17 4.1.1. Singular Attributes ................................19
4.1.2. Multi-valued Attributes . . . . . . . . . . . . . . . 21 4.1.2. Multi-Valued Attributes ............................23
4.2. Group Resource Schema . . . . . . . . . . . . . . . . . . 23 4.2. "Group" Resource Schema ...................................25
4.3. Enterprise User Schema Extension . . . . . . . . . . . . 24 4.3. Enterprise User Schema Extension ..........................26
5. Service Provider Configuration Schema . . . . . . . . . . . . 25 5. Service Provider Configuration Schema ..........................27
6. ResourceType Schema . . . . . . . . . . . . . . . . . . . . . 27 6. ResourceType Schema ............................................29
7. Schema Definition . . . . . . . . . . . . . . . . . . . . . . 28 7. Schema Definition ..............................................30
8. JSON Representation . . . . . . . . . . . . . . . . . . . . . 31 8. JSON Representation ............................................34
8.1. Minimal User Representation . . . . . . . . . . . . . . . 31 8.1. Minimal User Representation ...............................34
8.2. Full User Representation . . . . . . . . . . . . . . . . 32 8.2. Full User Representation ..................................35
8.3. Enterprise User Extension Representation . . . . . . . . 35 8.3. Enterprise User Extension Representation ..................39
8.4. Group Representation . . . . . . . . . . . . . . . . . . 38 8.4. Group Representation ......................................43
8.5. Service Provider Configuration Representation . . . . . . 39 8.5. Service Provider Configuration Representation .............44
8.6. Resource Type Representation . . . . . . . . . . . . . . 41 8.6. Resource Type Representation ..............................46
8.7. Schema Representation . . . . . . . . . . . . . . . . . . 41 8.7. Schema Representation .....................................47
8.7.1. Resource Schema Representation . . . . . . . . . . . 42 8.7.1. Resource Schema Representation .....................47
8.7.2. Service Provider Schema Representation . . . . . . . 64 8.7.2. Service Provider Schema Representation .............74
9. Security Considerations . . . . . . . . . . . . . . . . . . . 79 9. Security Considerations ........................................92
9.1. Protocol . . . . . . . . . . . . . . . . . . . . . . . . 79 9.1. Protocol ..................................................92
9.2. Password and Other Sensitive Security Data . . . . . . . 79 9.2. Passwords and Other Sensitive Security Data ...............92
9.3. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 80 9.3. Privacy ...................................................92
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 81 10. IANA Considerations ...........................................94
10.1. Registration of SCIM URN Sub-namespace & SCIM Registry . 81 10.1. Registration of SCIM URN Sub-namespace and SCIM
10.2. URN Sub-Namespace for SCIM . . . . . . . . . . . . . . . 81 Registry .................................................94
10.2.1. Specification Template . . . . . . . . . . . . . . . 81 10.2. URN Sub-namespace for SCIM ...............................94
10.3. Registering SCIM Schemas . . . . . . . . . . . . . . . . 84 10.2.1. Specification Template ............................95
10.3.1. Registration Procedure . . . . . . . . . . . . . . . 84 10.3. Registering SCIM Schemas .................................97
10.3.2. Schema Registration Template . . . . . . . . . . . . 85 10.3.1. Registration Procedure ............................97
10.4. Initial SCIM Schema Registry . . . . . . . . . . . . . . 85 10.3.2. Schema Registration Template ......................98
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 86 10.4. Initial SCIM Schema Registry .............................99
11.1. Normative References . . . . . . . . . . . . . . . . . . 86 11. References ...................................................100
11.2. Informative References . . . . . . . . . . . . . . . . . 87 11.1. Normative References ....................................100
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 88 11.2. Informative References ..................................101
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 89 Acknowledgements .................................................103
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 93 Authors' Addresses ...............................................104
1. Introduction and Overview 1. Introduction and Overview
While there are existing standards for describing and exchanging user While there are existing standards for describing and exchanging user
information, many of these standards can be difficult to implement information, many of these standards can be difficult to implement
and/or use; e.g., their wire protocols do not easily traverse and/or use; e.g., their wire protocols do not easily traverse
firewalls and/or are not easily layered onto existing web protocols. firewalls and/or are not easily layered onto existing web protocols.
As a result, many cloud providers implement non-standardized As a result, many cloud providers implement non-standardized
protocols for managing users within their services. This increases protocols for managing users within their services. This increases
both the cost and complexity associated with organizations adopting both the cost and complexity associated with organizations adopting
products and services from multiple cloud providers as they must products and services from multiple cloud providers, as they must
perform redundant integration development. Similarly, cloud services perform redundant integration development. Similarly, cloud service
providers seeking to inter-operate with multiple application providers seeking to interoperate with multiple application
marketplaces or cloud identity providers would require pairwise marketplaces or cloud identity providers would require pairwise
integration. integration.
SCIM seeks to simplify this problem through a simple to implement SCIM seeks to simplify this problem through an easily implemented
specification suite that provides a common user schema and extension specification suite that provides a common user schema and extension
model, as well as a SCIM Protocol document, that defines exchanging model, as well as a SCIM protocol document that defines exchanging
this schema via an HTTP based protocol [I-D.ietf-scim-api]. [[RFC this schema via an HTTP-based protocol [RFC7644]. The SCIM
Editor: This document an the companion scim-api document should be specifications draw design input and feedback from existing
published together]] It draws inspiration and best practice, building identity-related protocols and schemas from a wide variety of sources
upon existing user protocols and schemas from a wide variety of including, but not limited to, existing services exposed by cloud
sources including, but not limited to, existing services exposed by providers, PortableContacts [PortableContacts], vCards [RFC6350], and
cloud providers, PortableContacts [PortableContacts], vCards Lightweight Directory Access Protocol (LDAP) directory services
[RFC6350], and Lightweight Directory Access Protocol (LDAP) directory [RFC4512].
services [RFC4512].
SCIM protocol is an application-level protocol for provisioning and The SCIM protocol is an application-level protocol for provisioning
managing identity data specified through SCIM schemas. The protocol and managing identity data specified through SCIM schemas. The
supports creation, modification, retrieval, and discovery of core protocol supports creation, modification, retrieval, and discovery of
identity resources such as Users and Groups, using a subset of the core identity resources such as Users and Groups, using a subset of
HTTP methods (GET for retrieval of resources, POST for creation, the HTTP methods (GET for retrieval of resources; POST for creation,
searching and bulk modification, PUT for attribute replacement within searching, and bulk modification; PUT for attribute replacement
resources, PATCH for partial update of attributes, and DELETE for within resources; PATCH for partial update of attributes; and DELETE
removing resources). for removing resources).
While the SCIM protocol and core schema specifications are intended While the SCIM protocol and core schema specifications are intended
to cover point-to-point scenarios, implementers and deployers should to cover point-to-point scenarios, implementers and deployers should
consider multi-hop and multi-party scenarios such as a service consider multi-hop and multi-party scenarios such as a service
provider acting as a general profile service for in-domain provider acting as a general profile service for in-domain
applications (e.g., a directory); as well as, scenarios where a applications (e.g., a directory), as well as scenarios where a
service provider in turn passes information to a 3rd party service service provider in turn passes information to a third-party service
provider either by acting as a SCIM client or as a SCIM service provider by acting as either a SCIM client or a SCIM service
provider. Implementers and deployers should consider carefully their provider. Implementers and deployers should carefully consider their
service level agreements and privacy agreements when distributing or service level agreements and privacy agreements when distributing or
propagating personal information (see also Privacy Considerations, propagating personal information (see Section 9.3).
Section 9.3).
This document provides a JSON based schema and extension model for This document provides a JSON-based schema and extension model for
representing users and groups, as well as service provider representing users and groups, as well as service provider
configuration. This schema is intended for exchange and use with configuration. This schema is intended for exchange and use with
cloud service providers and other cross-domain scenarios. cloud service providers and other cross-domain scenarios.
1.1. Requirements Notation and Conventions 1.1. Requirements Notation and Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
The key words "REQUIRED" and "OPTIONAL" are used throughout this The key words "REQUIRED" and "OPTIONAL" are used throughout this
document to indicate whether an attribute or schema element is document to indicate whether an attribute or schema element is
required or optional. These keywords may be used alone (e.g., required or optional. These key words may be used alone (e.g.,
"REQUIRED."), or in a sentence. If not specified, an attribute is "REQUIRED.") or in a sentence. If not specified, an attribute is
considered to be optional. considered to be optional.
The word "DEFAULT" as used in Section 7 indicates that a "keyword"
value for an attribute characteristic is the default behavior.
Throughout this document, values are quoted to indicate that they are Throughout this document, values are quoted to indicate that they are
to be taken literally. When using these values in protocol messages, to be taken literally. When using these values in protocol messages,
the quotes MUST NOT be used as part of the value. the quotes MUST NOT be used as part of the value.
Throughout this document all figures may contain spaces and extra Throughout this document, figures may contain spaces and extra line
line-wrapping for readability and space reasons. Similarly, some wrapping to improve readability and accommodate space limitations.
URI's contained within examples, have been shortened for space and Similarly, some URIs contained within examples have been shortened
readability reasons. for space and readability reasons.
1.2. Definitions 1.2. Definitions
Service Provider Service Provider
An HTTP web application that provides identity information via the An HTTP web application that provides identity information via the
SCIM protocol. SCIM protocol.
Client Client
A website or application that uses the SCIM protocol to manage A website or application that uses the SCIM protocol to manage
identity data maintained by the service provider. The client identity data maintained by the service provider. The client
skipping to change at page 5, line 30 skipping to change at page 5, line 34
Provisioning Domain Provisioning Domain
A provisioning domain is an administrative domain external to the A provisioning domain is an administrative domain external to the
domain of a service provider for legal or technical reasons. For domain of a service provider for legal or technical reasons. For
example, a SCIM client in an enterprise (provisioning client) example, a SCIM client in an enterprise (provisioning client)
communicates with a SCIM service provider that is owned or communicates with a SCIM service provider that is owned or
controlled by a different legal entity. controlled by a different legal entity.
Resource Type Resource Type
A type of a resource that is managed by a service provider. The A type of a resource that is managed by a service provider. The
resource type defines the resource name, endpoint URL, Schemas, resource type defines the resource name, endpoint URL, schemas,
and other meta-data which indicate where a resource is managed and and other metadata that indicate where a resource is managed and
how it is composed; e.g., "User" or "Group". how it is composed, e.g., "User" or "Group".
Resource Resource
A service provider managed artifact containing one or more An artifact that is managed by a service provider and that
attributes. For example a "User" or "Group". contains one or more attributes, e.g., "User" or "Group".
Endpoint Endpoint
An endpoint for a service provider is a defined base path relative An endpoint for a service provider is a defined base path relative
to the service providers Base URI (see definitions of to the service provider's Base URI (see Section 1.3 of [RFC7644]),
[I-D.ietf-scim-api]) over which SCIM operations may be performed over which SCIM operations may be performed against SCIM
against SCIM resources. For example, assuming the service resources. For example, assuming that the service provider's Base
provider Base URI is "https://example.com/": "User" resources may URI is "https://example.com/", "User" resources may be accessed at
be accessed at the "https://example.com/Users", or the "https://example.com/Users" or "https://example.com/v2/Users"
"https://example.com/v2/Users" (when including protocol version, endpoint (see Section 3.13 of [RFC7644] for details regarding
see Section 3.13 [I-D.ietf-scim-api]) endpoint. Service provider protocol versioning, e.g., 'v2'). Service provider schemas MAY be
schemas MAY be returned from the "/Schemas" endpoint. returned from the "/Schemas" endpoint.
Schema Schema
A collection of attribute definitions that describe the contents A collection of attribute definitions that describe the contents
of an entire or partial resource; e.g., of an entire or partial resource, e.g.,
"urn:ietf:params:scim:schemas:core:2.0:User". The attribute "urn:ietf:params:scim:schemas:core:2.0:User". The attribute
definitions define the name of the attribute, and metadata such as definitions specify the name of the attribute, and metadata such
type (e.g., string, binary), cardinality (singular, multi, as type (e.g., string, binary), cardinality (singular, multi,
complex), mutability, and returnability. complex), mutability, and returnability.
Singular Attribute Singular Attribute
A resource attribute that contains 0..1 values; e.g., A resource attribute that contains 0..1 values, e.g.,
"displayName". "displayName".
Multi-valued Attribute Multi-valued Attribute
A resource attribute that contains 0..n values; e.g., "emails". A resource attribute that contains 0..n values, e.g., "emails".
Simple Attribute Simple Attribute
A singular or multi-valued attribute whose value is a primitive; A singular or multi-valued attribute whose value is a primitive,
e.g., "String". A simple attribute MUST NOT contain sub- e.g., "String". A simple attribute MUST NOT contain
attributes. sub-attributes.
Complex Attribute Complex Attribute
A singular or multi-valued attribute whose value is a composition A singular or multi-valued attribute whose value is a composition
of one or more simple attributes; e.g., "addresses" has the sub- of one or more simple attributes; e.g., "addresses" has the
attributes "streetAddress", "locality", "postalCode", and sub-attributes "streetAddress", "locality", "postalCode", and
"country". "country".
Sub-Attribute Sub-Attribute
A simple attribute that is contained within a complex attribute. A simple attribute that is contained within a complex attribute.
2. SCIM Schema 2. SCIM Schema
A SCIM server provides a set of resources, the allowable contents of A SCIM server provides a set of resources, the allowable contents of
which are defined by a set of schema URIs and a resource type. which are defined by a set of schema URIs and a resource type.
SCIM's schema is not a document-centric one such as with SCIM's schema is not a document-centric one such as with
[XML-Schema]. Instead, SCIM's support of schema is attribute based [XML-Schema]. Instead, SCIM's support of schema is attribute based,
where each attribute may have different type, mutability, where each attribute may have different type, mutability,
cardinality, or returnability. validation of documents and messages cardinality, or returnability. Validation of documents and messages
is always performed, as specified by the SCIM specifications by an is always performed by an intended receiver, as specified by the SCIM
intended receiver. Validation is performed by the receiver in the specifications. Validation is performed by the receiver in the
context of a SCIM protocol request (see [I-D.ietf-scim-api]). For context of a SCIM protocol request (see [RFC7644]). For example, a
example, a SCIM service provider, upon receiving a request to replace SCIM service provider, upon receiving a request to replace an
an existing resource with a replacement JSON object, evaluates each existing resource with a replacement JSON object, evaluates each
asserted attribute based on its characteristics as defined in the asserted attribute based on its characteristics as defined in the
relevant schema (e.g., mutability) and decides which attributes may relevant schema (e.g., mutability) and decides which attributes may
be replaced or ignored. be replaced or ignored.
This specification provides a minimal core schema for representing This specification provides a minimal core schema for representing
users and groups (resources), encompassing common attributes found in users and groups (resources), encompassing common attributes found in
many existing deployments and schemas. In addition to the minimal many existing deployments and schemas. In addition to the minimal
core schema, this document also specifies a standardized means by core schema, this document also specifies a standardized means by
which service providers may extend schemas to define new resources which service providers may extend schemas to define new resources
and attributes in both standardized and service provider specific and attributes in both standardized and service-provider-specific
cases. cases.
Resources are categorized into common resource types such as "User" Resources are categorized into common resource types such as "User"
or "Group"). Collections of resources of the same type are usually or "Group". Collections of resources of the same type are usually
contained within the same "container" ("folder") endpoint. contained within the same "container" ("folder") endpoint.
2.1. Attributes 2.1. Attributes
A resource is a collection of attributes identified by one or more A resource is a collection of attributes identified by one or more
schemas. Minimally, an attribute consists of the attribute name and schemas. Minimally, an attribute consists of the attribute name and
at least one simple or complex value either of which may be multi- at least one simple or complex value, either of which may be
valued. For each attribute, SCIM schema defines the data type, multi-valued. For each attribute, a SCIM schema defines the data
plurality, mutability, and other distinguishing features of an type, plurality, mutability, and other distinguishing features of an
attribute. attribute.
Attribute names are case-insensitive and are often camel-cased (e.g., Attribute names are case insensitive and are often "camel-cased"
"camelCase"). SCIM resources are represented in JSON [RFC7159] and (e.g., "camelCase"). SCIM resources are represented in JSON
MUST specify schema via the "schemas" attribute per Section 3. [RFC7159] format and MUST specify schema via the "schemas" attribute
per Section 3.
Attribute names MUST conform to the following ABNF rules: Attribute names MUST conform to the following ABNF rules:
ATTRNAME = ALPHA *(nameChar) ATTRNAME = ALPHA *(nameChar)
nameChar = "$" / "-" / "_" / DIGIT / ALPHA nameChar = "$" / "-" / "_" / DIGIT / ALPHA
Figure 1: ABNF for Attribute Names Figure 1: ABNF for Attribute Names
The above rules (and other rules in this specification) use the "Core The above rules (and other rules in this specification) use the "Core
Rules" from ABNF, see Appendix B [RFC5234]. Unless otherwise Rules" from ABNF; see Appendix B of [RFC5234]. Unless otherwise
specified in this specification, all ABNF strings are case specified in this document, all ABNF strings are case insensitive and
insensitive and the character set for these strings is US-ASCII. For the character set for these strings is US-ASCII. For example, all
example, all attribute names defined by the above rule are case attribute names defined by the above rule are case insensitive.
insensitive.
When defining attribute names it should be noted that the hyphen When defining attribute names, it should be noted that the hyphen
("-") is not permitted in Javascript (and some other languages) ("-") is not permitted in JavaScript attribute names (or in attribute
attribute names. While there are no known issues within HTTP names for some other languages). While there are no known issues
protocol and JSON notation, attribute names containing hyphens may within HTTP protocol and JSON notation, attribute names containing
need to be escaped when declaring corresponding names of Javascript hyphens may need to be escaped when declaring corresponding names of
attributes. JavaScript attributes.
2.2. Attribute Characteristics 2.2. Attribute Characteristics
All attributes have a set of characteristics that describe their type
and handling by a service provider; full definitions may be found in
Section 7. The characteristics include:
o "required",
o "canonicalValues",
o "caseExact",
o "mutability",
o "returned",
o "uniqueness", and
o "referenceTypes".
If not otherwise stated in Section 7, SCIM attributes have the If not otherwise stated in Section 7, SCIM attributes have the
following characteristics: following characteristics:
o are OPTIONAL (is not REQUIRED). o "required" is "false" (i.e., not REQUIRED),
o have values that are case insensitive ("caseExact" is "false"), o "canonicalValues": none assigned (for example, the "type"
sub-attribute as described in Section 2.4),
o are modifiable ("mutability" is "readWrite"), o "caseExact" is "false" (i.e., case-insensitive),
o are returned in response to queries (returned by default), o "mutability" is "readWrite" (i.e., modifiable),
o have no canonical values (for example, the "type" sub-attribute in o "returned" is "default" (the attribute value is returned by
Section 2.4, default),
o are not unique ("uniqueness" is "none"), and, o "uniqueness" is "none" (has no uniqueness enforced), and
o of type string (Section 2.3.1). o "type" is "string" (Section 2.3.1).
2.3. Attribute Data Types 2.3. Attribute Data Types
Attribute data types are derived from JSON [RFC7159]. The JSON Attribute data types are derived from JSON [RFC7159]. The JSON
format defines a limited set of data types, hence, where appropriate, format defines a limited set of data types; hence, where appropriate,
alternate JSON representations derived from XML Schema [XML-Schema] alternate JSON representations derived from XML Schema [XML-Schema]
are defined below. SCIM extensions SHOULD NOT introduce new data are defined below. SCIM extensions SHOULD NOT introduce new data
types. types.
The following is a table that maps the following data types, to SCIM Table 1 maps the following SCIM data types to their corresponding
schema type and the underlying JSON data type: SCIM schema type and underlying JSON data type:
+--------------+-----------------+----------------------------------+ +-----------+-------------+-----------------------------------------+
| SCIM Data | SCIM Schema | JSON Type | | SCIM Data | SCIM Schema | JSON Type |
| Type | "type" | | | Type | "type" | |
+--------------+-----------------+----------------------------------+ +-----------+-------------+-----------------------------------------+
| String | "string" | String per Sec. 7 [RFC7159] | | String | "string" | String per Section 7 of [RFC7159] |
| Boolean | "boolean" | Value per Sec. 3 [RFC7159] | | | | |
| Decimal | "decimal" | Number per Sec. 6 [RFC7159] | | Boolean | "boolean" | Value per Section 3 of [RFC7159] |
| Integer | "integer" | Number per Sec. 6 [RFC7159] | | | | |
| DateTime | "dateTime" | String per Sec. 7 [RFC7159] | | Decimal | "decimal" | Number per Section 6 of [RFC7159] |
| Binary | "binary" | Base64 encoded String per Sec. 7 | | | | |
| | | [RFC7159] | | Integer | "integer" | Number per Section 6 of [RFC7159] |
| Reference | "reference" | String per Sec. 7 [RFC7159] | | | | |
| Complex | "complex" | Object per Sec. 4 [RFC7159] | | DateTime | "dateTime" | String per Section 7 of [RFC7159] |
+--------------+-----------------+----------------------------------+ | | | |
| Binary | "binary" | Binary value base64 encoded per Section |
| | | 4 of [RFC4648], or with URL and |
| | | filename safe alphabet URL per Section |
| | | 5 of [RFC4648] that is passed as a JSON |
| | | string per Section 7 of [RFC7159] |
| | | |
| Reference | "reference" | String per Section 7 of [RFC7159] |
| | | |
| Complex | "complex" | Object per Section 4 of [RFC7159] |
+-----------+-------------+-----------------------------------------+
Table 1: SCIM Data Type to JSON Representation Table 1: SCIM Data Type to JSON Representation
2.3.1. String 2.3.1. String
A sequence of zero or more Unicode characters encoded using UTF-8 as A sequence of zero or more Unicode characters encoded using UTF-8 as
per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7 per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7
[RFC7159]. A "String" attribute MAY specify a required data format. of [RFC7159]. An attribute with SCIM schema type "string" MAY
Additionally, when "canonicalValues" is specified, service providers specify a required data format. Additionally, when "canonicalValues"
MAY restrict accepted values to the specified values. is specified, service providers MAY restrict accepted values to the
specified values.
2.3.2. Boolean 2.3.2. Boolean
The literal "true" or "false". The JSON format is defined in The literal "true" or "false". The JSON format is defined in
Section 3 [RFC7159]. A boolean has no case sensitivity or Section 3 of [RFC7159]. A boolean has no case sensitivity or
uniqueness. uniqueness.
2.3.3. Decimal 2.3.3. Decimal
A real number with at least one digit to the left and right of the A real number with at least one digit to the left and right of the
period. The JSON format is defined in Section 6 [RFC7159]. A period. The JSON format is defined in Section 6 of [RFC7159]. A
decimal has no case sensitivity. decimal has no case sensitivity.
2.3.4. Integer 2.3.4. Integer
A whole number with no fractional digits or decimal. The JSON format A whole number with no fractional digits or decimal. The JSON format
is defined in Section 6 [RFC7159] with the additional constraint that is defined in Section 6 of [RFC7159], with the additional constraint
the value MUST NOT contain fractional or exponent parts. An integer that the value MUST NOT contain fractional or exponent parts. An
has no case sensitivity. integer has no case sensitivity.
2.3.5. DateTime 2.3.5. DateTime
A DateTime value (e.g., 2008-01-23T04:56:22Z). The attribute value A DateTime value (e.g., 2008-01-23T04:56:22Z). The attribute value
MUST be encoded as a valid xsd:dateTime as specified in Section 3.3.7 MUST be encoded as a valid xsd:dateTime as specified in Section 3.3.7
[XML-Schema]and MUST include both a date and a time. A date-time has of [XML-Schema] and MUST include both a date and a time. A date time
no case-sensitivity or uniqueness. format has no case sensitivity or uniqueness.
Values represented in JSON MUST conform to the XML constraints above Values represented in JSON format MUST conform to the XML constraints
and are represented as a JSON String per Section 7 [RFC7159]. above and are represented as a JSON string per Section 7 of
[RFC7159].
2.3.6. Binary 2.3.6. Binary
Arbitrary binary data. The attribute value MUST be encoded in base Arbitrary binary data. The attribute value MUST be base64 encoded as
64 encoding as specified in Section 4 [RFC4648]. In cases where a specified in Section 4 of [RFC4648]. In cases where a URL-safe
URL-safe encoding is required, the attribute definition MAY specify encoding is required, the attribute definition MAY specify that
Base 64 URL encoding be used as per Section 5 [RFC4648]. Unless base64 URL encoding be used as per Section 5 of [RFC4648]. Unless
otherwise specified in the attribute definition, trailing padding otherwise specified in the attribute definition, trailing padding
characters MAY be omitted ("="). characters MAY be omitted ("=").
In JSON representation, the encoded values are represented as a JSON In JSON representation, the encoded values are represented as a JSON
String per Section 7 [RFC7159]. A binary is case-exact and has no string per Section 7 of [RFC7159]. A binary is case exact and has no
uniqueness. uniqueness.
2.3.7. Reference 2.3.7. Reference
The value is a URI for a resource. A resource MAY be a SCIM A URI for a resource. A resource MAY be a SCIM resource, an external
resource, an external link to a resource (e.g., a photo), or it may link to a resource (e.g., a photo), or an identifier such as a URN.
be an identifier such as a URN. The value MUST be the absolute or The value MUST be the absolute or relative URI of the target
relative URI of the target resource. Relative URIs should be resource. Relative URIs should be resolved as specified in
resolved as specified in Section 5.2 [RFC3986]. However, the base Section 5.2 of [RFC3986]. However, the base URI for relative URI
URI for relative URI resolution MUST include all URI components and resolution MUST include all URI components and path segments up to,
path segments up to but not including the Endpoint URI (the SCIM but not including, the Endpoint URI (the SCIM service provider root
service provider root endpoint); e.g., the base URI for a request to endpoint); e.g., the base URI for a request to
"https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646" "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
would be "https://example.com/v2/" and the relative URI for this would be "https://example.com/v2/", and the relative URI for this
resource would be "Users/2819c223-7f76-453a-919d-413861904646". resource would be "Users/2819c223-7f76-453a-919d-413861904646".
In JSON representation, the URI value is represented as a JSON String In JSON representation, the URI value is represented as a JSON string
per Section 7 [RFC7159]. A reference is case-exact. A reference has per Section 7 of [RFC7159]. A reference is case exact. A reference
a "referenceType" that indicates what types of resources may be has a "referenceTypes" attribute that indicates what types of
linked as per Section 7. resources may be linked, as per Section 7 of this document.
A reference URI MUST be to an HTTP addressable resource. An HTTP A reference URI MUST be to an HTTP-addressable resource. An HTTP
client performing a GET operation on a reference URI MUST receive the client performing a GET operation on a reference URI MUST receive the
target resource or an appropriate HTTP response code. A SCIM service target resource or an appropriate HTTP response code. A SCIM service
provider MAY choose to enforce referential integrity for reference provider MAY choose to enforce referential integrity for reference
types referring to SCIM resources. types referring to SCIM resources.
By convention, a reference is commonly represented as a "$ref" sub- By convention, a reference is commonly represented as a "$ref"
attribute in complex or multi-valued attributes, however this is sub-attribute in complex or multi-valued attributes; however, this is
OPTIONAL. OPTIONAL.
2.3.8. Complex 2.3.8. Complex
A singular or multi-valued attribute whose value is a composition of A singular or multi-valued attribute whose value is a composition of
one or more simple attributes. The JSON format is defined in one or more simple attributes. The JSON format is defined in
Section 4 of [RFC7159]. The order of the component attributes is not Section 4 of [RFC7159]. The order of the component attributes is not
significant. Servers and clients MUST NOT require or expect significant. Servers and clients MUST NOT require or expect
attributes to be in any specific order when an object is either attributes to be in any specific order when an object is either
generated or analyzed. A complex attribute has no uniqueness or case generated or analyzed. A complex attribute has no uniqueness or case
sensitivity. A complex attribute MUST NOT contain sub-attributes sensitivity. A complex attribute MUST NOT contain sub-attributes
that have sub-attributes (i.e., that are complex). that have sub-attributes (i.e., that are complex).
2.4. Multi-valued Attributes 2.4. Multi-Valued Attributes
Multi-valued attributes contain a list of elements using the JSON Multi-valued attributes contain a list of elements using the JSON
array format defined in Section 5 of [RFC7159]. Elements can be array format defined in Section 5 of [RFC7159]. Elements can be
either either of the following:
o primitive values, or o primitive values, or
o objects with a set of sub-attributes and values, using the JSON o objects with a set of sub-attributes and values, using the JSON
object format defined in Section 4 of [RFC7159], in which case object format defined in Section 4 of [RFC7159], in which case
they SHALL be considered to be complex attributes. As with they SHALL be considered to be complex attributes. As with
complex attributes, the order of sub-attributes is not complex attributes, the order of sub-attributes is not
significant. The pre-defined sub-attributes listed in this significant. The predefined sub-attributes listed in this section
section can be used with multi-valued attribute objects but these can be used with multi-valued attribute objects, but these
sub-attributes MUST be used with the meanings defined here. sub-attributes MUST be used with the meanings defined here.
If not otherwise defined, the default set of sub-attributes for a If not otherwise defined, the default set of sub-attributes for a
multi-valued attribute are: multi-valued attribute is as follows:
type type
A label indicating the attribute's function; e.g., "work" or A label indicating the attribute's function, e.g., "work" or
"home". "home".
primary primary
A Boolean value indicating the 'primary' or preferred attribute A Boolean value indicating the 'primary' or preferred attribute
value for this attribute, e.g., the preferred mailing address or value for this attribute, e.g., the preferred mailing address or
the primary e-mail address. The primary attribute value "true" the primary email address. The primary attribute value "true"
MUST appear no more than once. If not specified, the value of MUST appear no more than once. If not specified, the value of
"primary" SHALL be assumed to be "false". "primary" SHALL be assumed to be "false".
display display
A human readable name, primarily used for display purposes and has A human-readable name, primarily used for display purposes and
a mutability of "immutable". having a mutability of "immutable".
value value
The attribute's significant value; e.g., the e-mail address, phone The attribute's significant value, e.g., email address, phone
number, etc. number.
$ref $ref
The reference URI of a target resource, if the attribute is a The reference URI of a target resource, if the attribute is a
reference. URIs are canonicalized per Section 6.2 of [RFC3986]. reference. URIs are canonicalized per Section 6.2 of [RFC3986].
While the representation of a resource may vary in different SCIM While the representation of a resource may vary in different SCIM
protocol API versions (see section 3.13 of [I-D.ietf-scim-api]), protocol API versions (see Section 3.13 of [RFC7644]), URIs for
URI's for SCIM resources with an API version SHALL be considered SCIM resources with an API version SHALL be considered comparable
comparable to one without a version or different version. For to URIs without a version or with a different version. For
example, "https://example.com/Users/12345" is equivalent to example, "https://example.com/Users/12345" is equivalent to
"https://example.com/v2/Users/12345". "https://example.com/v2/Users/12345".
When returning multi-valued attributes, service providers SHOULD When returning multi-valued attributes, service providers SHOULD
canonicalize the value returned (e.g., by returning a value for the canonicalize the value returned (e.g., by returning a value for the
sub-attribute "type" such as "home" or "work") when appropriate sub-attribute "type", such as "home" or "work") when appropriate
(e.g., for e-mail addresses and URLs). (e.g., for email addresses and URLs).
Service providers MAY return element objects with the same "value" Service providers MAY return element objects with the same "value"
sub-attribute more than once with a different "type" sub-attribute sub-attribute more than once with a different "type" sub-attribute
(e.g., the same e-mail address may used for work and home), but (e.g., the same email address may be used for work and home) but
SHOULD NOT return the same (type, value) combination more than once SHOULD NOT return the same (type, value) combination more than once
per attribute, as this complicates processing by the consumer. per attribute, as this complicates processing by the client.
When defining schema for multi-valued attributes, it is considered a When defining schema for multi-valued attributes, it is considered a
good practice to provide a type attribute that MAY be used for the good practice to provide a type attribute that MAY be used for the
purpose of canonicalization of values. In the schema definition for purpose of canonicalization of values. In the schema definition for
an attribute, the service provider MAY define the recommended an attribute, the service provider MAY define the recommended
canonical values (see Section 7). canonical values (see Section 7).
2.5. Unassigned and Null Values 2.5. Unassigned and Null Values
Unassigned attributes, the null value, or empty array (in the case of Unassigned attributes, the null value, or an empty array (in the case
a multi-valued attribute) SHALL be considered to be equivalent in of a multi-valued attribute) SHALL be considered to be equivalent in
"state". Assigning an attribute with the value "null" or an empty "state". Assigning an attribute with the value "null" or an empty
array (in the case of multi-valued attributes) has the effect of array (in the case of multi-valued attributes) has the effect of
making the attribute "unassigned". When a resource is expressed in making the attribute "unassigned". When a resource is expressed in
JSON form, unassigned attributes, though they are defined in schema, JSON format, unassigned attributes, although they are defined in
MAY be omitted for compactness. schema, MAY be omitted for compactness.
3. SCIM Resources 3. SCIM Resources
Each SCIM resource is a JSON object that has the following Each SCIM resource is a JSON object that has the following
components: components:
Resource Type Resource Type
Each resource (or JSON object) in SCIM has a resource type Each resource (or JSON object) in SCIM has a resource type
("meta.resourceType", see Section 3.1) that defines the resource's ("meta.resourceType"; see Section 3.1) that defines the resource's
core attribute schema and any attribute extension schema as well core attribute schema and any attribute extension schema, as well
as the endpoint where objects of the same type may be found. More as the endpoint where objects of the same type may be found. More
information about a resource MAY be found in its resource type information about a resource MAY be found in its resource type
definition (see Section 6). definition (see Section 6).
Schemas Attribute "Schemas" Attribute
The "schemas" attribute is a REQUIRED attribute and is an array of The "schemas" attribute is a REQUIRED attribute and is an array of
Strings containing URIs which are used to indicate the namespaces Strings containing URIs that are used to indicate the namespaces
of the SCIM schemas that define the attributes present in the of the SCIM schemas that define the attributes present in the
current JSON structure. The attribute may be used by parsers to current JSON structure. This attribute may be used by parsers to
define the attributes present in the JSON structure that is the define the attributes present in the JSON structure that is the
body to an HTTP Request or Response. Each String value must be a body to an HTTP request or response. Each String value must be a
unique URI. All representations of SCIM schemas MUST include a unique URI. All representations of SCIM schemas MUST include a
non-empty array with value(s) of the URIs supported by that non-empty array with value(s) of the URIs supported by that
representation. The schemas attribute for a resource MUST only representation. The "schemas" attribute for a resource MUST only
contain values defined as "schema" and "schemaExtensions" for the contain values defined as "schema" and "schemaExtensions" for the
resource's defined "resourceType". Duplicate values MUST NOT be resource's defined "resourceType". Duplicate values MUST NOT be
included. Value order is not specified and MUST NOT impact included. Value order is not specified and MUST NOT impact
behavior. behavior.
Common Attributes Common Attributes
Are attributes that are part of every SCIM resource regardless of A resource's common attributes are those attributes that are part
the value of the "schemas" attribute present in a JSON body. of every SCIM resource, regardless of the value of the "schemas"
These attributes are not defined in any particular schema, but attribute present in a JSON body. These attributes are not
SHALL be assumed to be present in every resource regardless of the defined in any particular schema but SHALL be assumed to be
value of the "schemas" attribute. See Section 3.1. present in every resource, regardless of the value of the
"schemas" attribute. See Section 3.1.
Core Attributes Core Attributes
A resource's core attributes are those attributes that sit at the A resource's core attributes are those attributes that sit at the
top level of the JSON object together with the common attributes top level of the JSON object together with the common attributes
(such as the resource "id"). The list of valid attributes is (such as the resource "id"). The list of valid attributes is
specified by the resource's resource type "schema" attribute (see specified by the resource's resource type "schema" attribute (see
Section 6). This same value is also present in the resource's Section 6). This same value is also present in the resource's
"schemas" attribute. "schemas" attribute.
Extended Attributes Extended Attributes
Extended schema attributes are specified by the resource's Extended schema attributes are specified by the resource's
resource type "schemaExtensions" attribute (see Section 6). resource type "schemaExtensions" attribute (see Section 6).
Unlike core attributes, extended attributes are kept in their own Unlike core attributes, extended attributes are kept in their own
sub-attribute namespace identified by the schema extension URI. sub-attribute namespace identified by the schema extension URI.
This avoids attribute name conflicts that may arise due to This avoids attribute name conflicts that may arise due to
conflicts from separate schema extensions. conflicts from separate schema extensions.
The following example "User" contains the common attributes "id", The following example "User" contains the common attributes "id" and
"externalId", and the complex attribute "meta" which contains the "externalId", as well as the complex attribute "meta", which contains
sub-attribute "resourceType". The resource also contains core the sub-attribute "resourceType". The resource also contains core
attributes "userName", "name", as well as extended enterprise user attributes "userName" and "name", as well as extended enterprise User
attributes "employeeNumber" and "costCenter" which are contained in attributes "employeeNumber" and "costCenter", which are contained in
their own JSON sub-structure identified by their schema URI. Some their own JSON substructure identified by their schema URI. Some
values have been omitted (...), shortened or spaced out for clarity. values have been omitted (...), shortened, or spaced out for clarity.
{ {
"schemas": "schemas":
[ "urn:ietf:params:scim:schemas:core:2.0:User", ["urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"], "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
"id": "2819c223-7f76-453a-413861904646", "id": "2819c223-7f76-453a-413861904646",
"externalId": "701984", "externalId": "701984",
"userName": "bjensen@example.com", "userName": "bjensen@example.com",
"name": { "name": {
"formatted": "Ms. Barbara J Jensen III", "formatted": "Ms. Barbara J Jensen, III",
"familyName": "Jensen", "familyName": "Jensen",
"givenName": "Barbara", "givenName": "Barbara",
"middleName": "Jane", "middleName": "Jane",
"honorificPrefix": "Ms.", "honorificPrefix": "Ms.",
"honorificSuffix": "III" "honorificSuffix": "III"
}, },
... ...
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"employeeNumber": "701984", "employeeNumber": "701984",
skipping to change at page 15, line 8 skipping to change at page 16, line 8
"location": "location":
"https://example.com/v2/Users/2819c223-7f76-453a-413861904646" "https://example.com/v2/Users/2819c223-7f76-453a-413861904646"
} }
} }
Figure 2: Example JSON Resource Structure Figure 2: Example JSON Resource Structure
3.1. Common Attributes 3.1. Common Attributes
Each SCIM resource (Users, Groups, etc.) includes the following Each SCIM resource (Users, Groups, etc.) includes the following
common attributes. With the exception of "ServiceProviderConfig" and common attributes. With the exception of the "ServiceProviderConfig"
"ResourceType" server discovery endpoints and their associated and "ResourceType" server discovery endpoints and their associated
resources, these attributes MUST be defined for all resources, resources, these attributes MUST be defined for all resources,
including any extended resource types. When accepted by a service including any extended resource types. When accepted by a service
provider (e.g., after a SCIM create), the attributes "id" and "meta" provider (e.g., after a SCIM create), the attributes "id" and "meta"
(and its associated sub-attributes) MUST be assigned values by the (and its associated sub-attributes) MUST be assigned values by the
service provider. Common attributes are considered to be part of service provider. Common attributes are considered to be part of
every base resource schema and do not use their own "schemas" URI. every base resource schema and do not use their own "schemas" URI.
For backwards compatibility reasons, some existing schema definitions For backward compatibility, some existing schema definitions MAY list
MAY list common attributes as part of the schema. The attribute common attributes as part of the schema. The attribute
characteristics (see Section 2.2) listed here SHALL take precedence characteristics (see Section 2.2) listed here SHALL take precedence
over older definitiions that may be included in existing schemas. over older definitions that may be included in existing schemas.
id id
A unique identifier for a SCIM resource as defined by the service A unique identifier for a SCIM resource as defined by the service
provider. Each representation of the resource MUST include a non- provider. Each representation of the resource MUST include a
empty "id" value. This identifier MUST be unique across the SCIM non-empty "id" value. This identifier MUST be unique across the
service provider's entire set of resources. It MUST be a stable, SCIM service provider's entire set of resources. It MUST be a
non-reassignable identifier that does not change when the same stable, non-reassignable identifier that does not change when the
resource is returned in subsequent requests. The value of the same resource is returned in subsequent requests. The value of
"id" attribute is always issued by the service provider and MUST the "id" attribute is always issued by the service provider and
NOT be specified by the client. The string "bulkId" is a reserved MUST NOT be specified by the client. The string "bulkId" is a
keyword and MUST NOT be used within any unique identifier value. reserved keyword and MUST NOT be used within any unique identifier
The attribute characteristics are "caseExact" as "true" and a value. The attribute characteristics are "caseExact" as "true", a
mutability of "readOnly" and has a "returned" characteristic of mutability of "readOnly", and a "returned" characteristic of
"always". See Section 9 for additional considerations regarding "always". See Section 9 for additional considerations regarding
privacy. privacy.
externalId externalId
A String that is an identifier for the resource as defined by the A String that is an identifier for the resource as defined by the
provisioning client. The "externalId" may simplify identification provisioning client. The "externalId" may simplify identification
of a resource between the provisioning client and the service of a resource between the provisioning client and the service
provider by allowing the client to use a filter to locate the provider by allowing the client to use a filter to locate the
resource with an identifier from the provisioning domain, resource with an identifier from the provisioning domain,
obviating the need to store a local mapping between the obviating the need to store a local mapping between the
provisioning domain's identifier of the resource and the provisioning domain's identifier of the resource and the
identifier used by the service provider. Each resource MAY identifier used by the service provider. Each resource MAY
include a non-empty "externalId" value. The value of the include a non-empty "externalId" value. The value of the
"externalId" attribute is always issued by the provisioning client "externalId" attribute is always issued by the provisioning client
and MUST NOT be specified by the service provider. The service and MUST NOT be specified by the service provider. The service
provider MUST always interpret the externalId as scoped to the provider MUST always interpret the externalId as scoped to the
provisioning domain. While the server does not enforce provisioning domain. While the server does not enforce
uniqueness, it is assumed that the value's uniqueness is uniqueness, it is assumed that the value's uniqueness is
controlled by the client setting the value. See Section 9 for controlled by the client setting the value. See Section 9 for
additional considerations regarding privacy. The attribute has additional considerations regarding privacy. This attribute has
"caseExact" as "true" and has a mutability of "readWrite". The "caseExact" as "true" and a mutability of "readWrite". This
attribute is OPTIONAL. attribute is OPTIONAL.
meta meta
A complex attribute containing resource metadata. All meta sub- A complex attribute containing resource metadata. All "meta"
attributes are assigned by the service provider (have "mutability" sub-attributes are assigned by the service provider (have a
of "readOnly") and all attributes have the characteristic "mutability" of "readOnly"), and all of these sub-attributes have
"returned" by "default". The attribute SHALL be ignored when a "returned" characteristic of "default". This attribute SHALL be
provided by clients: ignored when provided by clients. "meta" contains the following
sub-attributes:
resourceType The name of the resource type of the resource. This resourceType The name of the resource type of the resource. This
attribute has mutability of "readOnly" and has "caseExact" as attribute has a mutability of "readOnly" and "caseExact" as
"true". "true".
created The DateTime the resource was added to the service created The "DateTime" that the resource was added to the service
provider. The attribute MUST be a DateTime. provider. This attribute MUST be a DateTime.
lastModified The most recent DateTime the details of this lastModified The most recent DateTime that the details of this
resource were updated at the service provider. If this resource were updated at the service provider. If this
resource has never been modified since its initial creation, resource has never been modified since its initial creation,
the value MUST be the same as the value of created. the value MUST be the same as the value of "created".
location The URI of the resource being returned. This value MUST location The URI of the resource being returned. This value MUST
be the same as the "Content-Location" HTTP response header (see be the same as the "Content-Location" HTTP response header (see
Section 3.1.4.2 [RFC7231]). Section 3.1.4.2 of [RFC7231]).
version The version of the resource being returned. This value version The version of the resource being returned. This value
must be the same as the ETag HTTP response header (See Sections must be the same as the entity-tag (ETag) HTTP response header
2.1 and 2.3 of [RFC7232]). The attribute has "caseExact" as (see Sections 2.1 and 2.3 of [RFC7232]). This attribute has
"true". Service provider support for this attribute is "caseExact" as "true". Service provider support for this
optional and subject to the service provider's support for attribute is optional and subject to the service provider's
versioning (see "Versioning Resources", Section 3.14 support for versioning (see Section 3.14 of [RFC7644]). If a
[I-D.ietf-scim-api]). If a service provider provides "version" service provider provides "version" (entity-tag) for a
(entity-tag) for a representation and the generation of that representation and the generation of that entity-tag does not
entity-tag does not satisfy all of the characteristics of a satisfy all of the characteristics of a strong validator (see
strong validator (see Section 2.1, [RFC7232]), then the origin Section 2.1 of [RFC7232]), then the origin server MUST mark the
server MUST mark the "version" (entity-tag) as weak by "version" (entity-tag) as weak by prefixing its opaque value
prefixing its opaque value with "W/" (case-sensitive). with "W/" (case sensitive).
3.2. Defining New Resource Types 3.2. Defining New Resource Types
SCIM may be extended to define new classes of resources by defining a SCIM may be extended to define new classes of resources by defining a
resource type. Each resource type defines the name, endpoint, base resource type. Each resource type defines the name, endpoint, base
schema (the attributes), and any schema extensions registered for use schema (the attributes), and any schema extensions registered for use
with the resource type. In order to offer new types of resources, a with the resource type. In order to offer new types of resources, a
service provider defines the new resource type as specified in service provider defines the new resource type as specified in
Section 6 and defines a schema representation (see Section 8.7). Section 6 and defines a schema representation (see Section 8.7).
3.3. Attribute Extensions to Resources 3.3. Attribute Extensions to Resources
SCIM allows resource types to have extensions in addition to their SCIM allows resource types to have extensions in addition to their
core schema. This is similar to how "ObjectClasses" are used in LDAP core schema. This is similar to how "objectClasses" are used in LDAP
[RFC4512]. However, unlike LDAP there is no inheritance model; all [RFC4512]. However, unlike LDAP, there is no inheritance model; all
extensions are additive (similar to LDAP Auxiliary Object Class). extensions are additive (similar to the LDAP auxiliary object class).
Each value in the "schemas" attribute indicates additive schema that Each value in the "schemas" attribute indicates additive schema that
MAY exist in a SCIM resource representation. The "schemas" attribute MAY exist in a SCIM resource representation. The "schemas" attribute
MUST contain at least one value which SHALL be the base schema for MUST contain at least one value, which SHALL be the base schema for
the resource. The "schemas" attribute MAY contain additional values the resource. The "schemas" attribute MAY contain additional values
indicating extended schemas that are in use. Schema extensions indicating extended schemas that are in use. Schema extensions
SHOULD avoid redefining any attributes defined in this specification SHOULD avoid redefining any attributes defined in this specification
and SHOULD follow conventions defined in this specification. Except and SHOULD follow conventions defined in this specification. Except
for the base object schema, the schema extension URI SHALL be used as for the base object schema, the schema extension URI SHALL be used as
a JSON container to distinguish attributes belonging to the extension a JSON container to distinguish attributes belonging to the extension
namespace from base schema attributes. See Figure 5 for an example namespace from base schema attributes. See Figure 5, which is an
of the JSON representation of an extended User. example of the JSON representation of an enterprise User and is also
an example of a User with extended schema.
In order to determine which URI value in the "schemas" attribute is In order to determine which URI value in the "schemas" attribute is
the base schema and which is extended schema for any given resource, the base schema and which is an extended schema for any given
the resource's "resourceType" attribute value MAY be used to retrieve resource, the resource's "resourceType" attribute value MAY be used
the resource's "ResourceType" schema (see Section 6). See also, to retrieve the resource's "ResourceType" schema (see Section 6).
example "ResourceType" representation in Figure 8. See the "ResourceType" representation in Figure 8 for an example.
4. SCIM Core Resources and Extensions 4. SCIM Core Resources and Extensions
This section defines the default resources schemas present in a SCIM This section defines the default resource schemas present in a SCIM
server. SCIM is not exclusive to these resources, and may be server. SCIM is not exclusive to these resources and may be extended
extended to support other resource types (see Section 3.2). to support other resource types (see Section 3.2).
4.1. User Resource Schema 4.1. "User" Resource Schema
SCIM provides a resource type for "User" resources. The core schema SCIM provides a resource type for "User" resources. The core schema
for "User" is identified using the URI: for "User" is identified using the following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:User". The following "urn:ietf:params:scim:schemas:core:2.0:User". The following
attributes are defined in addition to the core schema attributes: attributes are defined in addition to the core schema attributes:
4.1.1. Singular Attributes 4.1.1. Singular Attributes
userName userName
A service provider unique identifier for the user, typically used A service provider's unique identifier for the user, typically
by the user to directly authenticate to the service provider. used by the user to directly authenticate to the service provider.
Often displayed to the user as their unique identifier within the Often displayed to the user as their unique identifier within the
system (as opposed to "id" or "externalId", which are generally system (as opposed to "id" or "externalId", which are generally
opaque and not user-friendly identifiers). Each User MUST include opaque and not user-friendly identifiers). Each User MUST include
a non-empty userName value. This identifier MUST be unique across a non-empty userName value. This identifier MUST be unique across
the service provider's entire set of Users. The attribute is the service provider's entire set of Users. This attribute is
REQUIRED and is case-insensitive. REQUIRED and is case insensitive.
name name
The components of the user's name. Service providers MAY return The components of the user's name. Service providers MAY return
just the full name as a single string in the formatted sub- just the full name as a single string in the formatted
attribute, or they MAY return just the individual component sub-attribute, or they MAY return just the individual component
attributes using the other sub-attributes, or they MAY return attributes using the other sub-attributes, or they MAY return
both. If both variants are returned, they SHOULD be describing both. If both variants are returned, they SHOULD be describing
the same name, with the formatted name indicating how the the same name, with the formatted name indicating how the
component attributes should be combined. component attributes should be combined.
formatted The full name, including all middle names, titles, and formatted The full name, including all middle names, titles, and
suffixes as appropriate, formatted for display (e.g., "Ms. suffixes as appropriate, formatted for display (e.g.,
Barbara Jane Jensen, III." ). "Ms. Barbara Jane Jensen, III").
familyName The family name of the User, or last name in most familyName The family name of the User, or last name in most
Western languages (e.g., "Jensen" given the full name "Ms. Western languages (e.g., "Jensen" given the full name
Barbara Jane Jensen, III." ). "Ms. Barbara Jane Jensen, III").
givenName The given name of the User, or first name in most givenName The given name of the User, or first name in most
Western languages (e.g., "Barbara" given the full name "Ms. Western languages (e.g., "Barbara" given the full name
Barbara Jane Jensen, III." ). "Ms. Barbara Jane Jensen, III").
middleName The middle name(s) of the User (e.g., "Jane" given the middleName The middle name(s) of the User (e.g., "Jane" given the
full name "Ms. Barbara Jane Jensen, III." ). full name "Ms. Barbara Jane Jensen, III").
honorificPrefix The honorific prefix(es) of the User, or title in honorificPrefix The honorific prefix(es) of the User, or title in
most Western languages (e.g., "Ms." given the full name "Ms. most Western languages (e.g., "Ms." given the full name
Barbara Jane Jensen, III." ). "Ms. Barbara Jane Jensen, III").
honorificSuffix The honorific suffix(es) of the User, or suffix honorificSuffix The honorific suffix(es) of the User, or suffix
in most Western languages (e.g., "III." given the full name in most Western languages (e.g., "III" given the full name
"Ms. Barbara Jane Jensen, III." ). "Ms. Barbara Jane Jensen, III").
displayName displayName
The name of the user, suitable for display to end-users. Each The name of the user, suitable for display to end-users. Each
user returned MAY include a non-empty displayName value. The name user returned MAY include a non-empty displayName value. The name
SHOULD be the full name of the User being described if known SHOULD be the full name of the User being described, if known
(e.g., "Babs Jensen" or "Ms. Barbara J Jensen, III" ), but MAY be (e.g., "Babs Jensen" or "Ms. Barbara J Jensen, III") but MAY be a
a username or handle, if that is all that is available (e.g., username or handle, if that is all that is available (e.g.,
"bjensen" ). The value provided SHOULD be the primary textual "bjensen"). The value provided SHOULD be the primary textual
label by which this User is normally displayed by the service label by which this User is normally displayed by the service
provider when presenting it to end-users. provider when presenting it to end-users.
nickName nickName
The casual way to address the user in real life, e.g., "Bob" or The casual way to address the user in real life, e.g., "Bob" or
"Bobby" instead of "Robert". This attribute SHOULD NOT be used to "Bobby" instead of "Robert". This attribute SHOULD NOT be used to
represent a User's username (e.g., bjensen or mpepperidge). represent a User's username (e.g., bjensen or mpepperidge).
profileUrl profileUrl
A URI that is a uniform resource locator (as defined in A URI that is a uniform resource locator (as defined in
Section 1.1.3 [RFC3986]), that points to a location representing Section 1.1.3 of [RFC3986]) and that points to a location
the user's online profile (e.g. a web page). URIs are representing the user's online profile (e.g., a web page). URIs
canonicalized per Section 6.2 of [RFC3986]. are canonicalized per Section 6.2 of [RFC3986].
title title
The user's title, such as "Vice President". The user's title, such as "Vice President".
userType userType
Used to identify the organization to user relationship. Typical Used to identify the relationship between the organization and the
values used might be "Contractor", "Employee", "Intern", "Temp", user. Typical values used might be "Contractor", "Employee",
"External", and "Unknown" but any value may be used. "Intern", "Temp", "External", and "Unknown", but any value may be
used.
preferredLanguage preferredLanguage
Indicates the user's preferred written or spoken languages and is Indicates the user's preferred written or spoken languages and is
generally used for selecting a localized User interface. The generally used for selecting a localized user interface. The
value indicates the set of natural languages that are preferred. value indicates the set of natural languages that are preferred.
The format of the value is same as the Accept-Language header The format of the value is the same as the HTTP Accept-Language
field (not including "Accept-Language:") of HTTP and is specified header field (not including "Accept-Language:") and is specified
in Section 5.3.5 of [RFC7231]. The intent of this value is to in Section 5.3.5 of [RFC7231]. The intent of this value is to
enable cloud applications to perform matching of language tags enable cloud applications to perform matching of language tags
[RFC4647] to the user's language preferences regardless of what [RFC4647] to the user's language preferences, regardless of what
may be indicated by a user agent (which might be shared), or in a may be indicated by a user agent (which might be shared), or in an
non-user present interaction (such as in a delegated OAuth2 interaction that does not involve a user (such as in a delegated
[RFC6749] style interaction) where normal HTTP Accept-Language OAuth 2.0 [RFC6749] style interaction) where normal HTTP
header negotiation cannot take place. Accept-Language header negotiation cannot take place.
locale locale
Used to indicate the User's default location for purposes of Used to indicate the User's default location for purposes of
localizing items such as currency, date time format, numerical localizing such items as currency, date time format, or numerical
representations, etc. A valid value is a language tag as defined representations. A valid value is a language tag as defined in
in [RFC5646]. Computer languages are explicitly excluded. [RFC5646]. Computer languages are explicitly excluded.
A language tag is a sequence of one or more case-insensitive sub- A language tag is a sequence of one or more case-insensitive
tags, each separated by a hyphen character ("-", %x2D). For sub-tags, each separated by a hyphen character ("-", %x2D). For
backwards compatibility reasons, servers MAY accept tags separated backward compatibility, servers MAY accept tags separated by an
by an underscore character ("_", %5F). In most cases, a language underscore character ("_", %x5F). In most cases, a language tag
tag consists of a primary language sub-tag that identifies a broad consists of a primary language sub-tag that identifies a broad
family of related languages (e.g., "en" = English) which is family of related languages (e.g., "en" = English) and that is
optionally followed by a series of sub-tags that refine or narrow optionally followed by a series of sub-tags that refine or narrow
that language's range (e.g., "en-CA" = the variety of English as that language's range (e.g., "en-CA" = the variety of English as
communicated in Canada). Whitespace is not allowed within a communicated in Canada). Whitespace is not allowed within a
language tag. Example tags include: language tag. Example tags include:
fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN
See [RFC5646] for further information. See [RFC5646] for further information.
timezone timezone
The User's time zone in IANA Time Zone database format [RFC6557], The User's time zone, in IANA Time Zone database format [RFC6557],
also known as "Olson" timezone database format [Olson-TZ] ; For also known as the "Olson" time zone database format [Olson-TZ]
example: "America/Los_Angeles". (e.g., "America/Los_Angeles").
active active
A Boolean value indicating the user's administrative status. The A Boolean value indicating the user's administrative status. The
definitive meaning of this attribute is determined by the service definitive meaning of this attribute is determined by the service
provider. As a typical example, a value of true implies the user provider. As a typical example, a value of true implies that the
is able to login while a value of false implies the user's account user is able to log in, while a value of false implies that the
has been suspended. user's account has been suspended.
password password
This attribute is intended to be used as a means to set, replace, This attribute is intended to be used as a means to set, replace,
or compare (i.e., filter for equality) a password. The clear-text or compare (i.e., filter for equality) a password. The cleartext
value or the hashed value of a password SHALL NOT be returnable by value or the hashed value of a password SHALL NOT be returnable by
a service provider. If a service provider holds the value a service provider. If a service provider holds the value
locally, the value SHOULD be hashed. When a password is set or locally, the value SHOULD be hashed. When a password is set or
changed by the client, the clear text password SHOULD be processed changed by the client, the cleartext password SHOULD be processed
by the service provider as follows: by the service provider as follows:
* Prepares the clear text value for international language * Prepare the cleartext value for international language
comparison. See Section 7.7 of [I-D.ietf-scim-api]. comparison. See Section 7.8 of [RFC7644].
* Validates the value against server password policy. Note: the * Validate the value against server password policy. Note: The
definition and enforcment of password policy is beyond the definition and enforcement of password policy are beyond the
scope of this document. scope of this document.
* And, the value is encrypted (e.g., hashed). See Section 9.2 * Ensure that the value is encrypted (e.g., hashed). See
for acceptable hasing and encryption handling when storing or Section 9.2 for acceptable hashing and encryption handling when
persisting for provisioning workflow reasons. storing or persisting for provisioning workflow reasons.
A service provider that immediately passes the clear text value on A service provider that immediately passes the cleartext value on
to another system or programming interface, MUST pass the value to another system or programming interface MUST pass the value
directly over a secured connection (e.g., TLS). If the value directly over a secured connection (e.g., Transport Layer Security
needs to be temporarily persisted for a period of time (e.g., (TLS)). If the value needs to be temporarily persisted for a
because of a workflow) before provisioning, then the value MUST be period of time (e.g., because of a workflow) before provisioning,
protected by some method such as encryption. then the value MUST be protected by some method, such as
encryption.
Testing for an equality match MAY be supported if there is an Testing for an equality match MAY be supported if there is an
existing stored hashed value. When testing for equality, the existing stored hashed value. When testing for equality, the
service provider: service provider:
* Prepares the filter value for international language * Prepares the filter value for international language
comparison. See Section 7.7 of [I-D.ietf-scim-api]. comparison. See Section 7.8 of [RFC7644].
* The service provider generates the salted hash of the filter * Generates the salted hash of the filter value and tests for a
value and test for a match with the locally held value. match with the locally held value.
The mutability of the password attribute is "writeOnly" indicating The mutability of the password attribute is "writeOnly",
the value MUST NOT be returned by a service provider in any form indicating that the value MUST NOT be returned by a service
(the attribute characteristic "returned" is "never"). provider in any form (the attribute characteristic "returned" is
"never").
4.1.2. Multi-valued Attributes 4.1.2. Multi-Valued Attributes
The following multi-valued attributes are defined. The following multi-valued attributes are defined.
emails emails
E-mail addresses for the User. The value SHOULD be specified Email addresses for the User. The value SHOULD be specified
according to [RFC5321]. Service providers SHOULD canonicalize the according to [RFC5321]. Service providers SHOULD canonicalize the
value according to [RFC5321], e.g., "bjensen@example.com" instead value according to [RFC5321], e.g., "bjensen@example.com" instead
of "bjensen@EXAMPLE.COM". The "display" sub-attribute MAY be used of "bjensen@EXAMPLE.COM". The "display" sub-attribute MAY be used
to return the canonicalized representation of the e-mail value. to return the canonicalized representation of the email value.
The "type" sub-attribute is used to provide a classification The "type" sub-attribute is used to provide a classification
meaningful to the (human) user. The user interface should meaningful to the (human) user. The user interface should
encourage the use of basic values of "work", "home", and "other", encourage the use of basic values of "work", "home", and "other"
and MAY allow additional type values to be used at the descretion and MAY allow additional type values to be used at the discretion
of SCIM clients. of SCIM clients.
phoneNumbers phoneNumbers
Phone numbers for the user. The value SHOULD be specified Phone numbers for the user. The value SHOULD be specified
according to the format in [RFC3966] e.g., 'tel:+1-201-555-0123'. according to the format defined in [RFC3966], e.g.,
Service providers SHOULD canonicalize the value according to 'tel:+1-201-555-0123'. Service providers SHOULD canonicalize the
[RFC3966] format, when appropriate. The "display" sub-attribute value according to [RFC3966] format, when appropriate. The
MAY be used to return the canonicalized representation of the "display" sub-attribute MAY be used to return the canonicalized
phone number value. The sub-attribute "type" often has typical representation of the phone number value. The sub-attribute
values of "work", "home", "mobile", "fax", "pager", and "other", "type" often has typical values of "work", "home", "mobile",
and MAY allow more types to be defined by the SCIM clients. "fax", "pager", and "other" and MAY allow more types to be defined
by the SCIM clients.
ims ims
Instant messaging address for the user. No official Instant messaging address for the user. No official
canonicalization rules exist for all instant messaging addresses, canonicalization rules exist for all instant messaging addresses,
but service providers SHOULD, when appropriate, remove all but service providers SHOULD, when appropriate, remove all
whitespace and convert the address to lowercase. The "type" sub- whitespace and convert the address to lowercase. The "type"
attribute SHOULD take one of the following values: "aim", "gtalk", sub-attribute SHOULD take one of the following values: "aim",
"icq", "xmpp", "msn", "skype", "qq", "yahoo", and "other", "gtalk", "icq", "xmpp", "msn", "skype", "qq", "yahoo", or "other"
representing currently popular IM services at the time of writing. (representing currently popular IM services at the time of this
Service providers MAY add further values if new IM services are writing). Service providers MAY add further values if new IM
introduced and MAY specify more detailed canonicalization rules services are introduced and MAY specify more detailed
for each possible value. canonicalization rules for each possible value.
photos photos
A URI that is a uniform resource locator (as defined in A URI that is a uniform resource locator (as defined in
Section 1.1.3 [RFC3986]) that points to a resource location Section 1.1.3 of [RFC3986]) that points to a resource location
representing the user's image. The resource MUST be a file (e.g., representing the user's image. The resource MUST be a file (e.g.,
a GIF, JPEG, or PNG image file) rather than a web page containing a GIF, JPEG, or PNG image file) rather than a web page containing
an image. Service providers MAY return the same image at an image. Service providers MAY return the same image in
different sizes, though it is recognized that no standard for different sizes, although it is recognized that no standard for
describing images of various sizes currently exists. Note that describing images of various sizes currently exists. Note that
this attribute SHOULD NOT be used to send down arbitrary photos this attribute SHOULD NOT be used to send down arbitrary photos
taken by this user, but specifically profile photos of the user taken by this user; instead, profile photos of the user that are
suitable for display when describing the user. Instead of the suitable for display when describing the user should be sent.
standard canonical values for type, this attribute defines the Instead of the standard canonical values for type, this attribute
following canonical values to represent popular photo sizes: defines the following canonical values to represent popular photo
"photo", "thumbnail". sizes: "photo" and "thumbnail".
addresses addresses
A physical mailing address for this user. Canonical type values A physical mailing address for this user. Canonical type values
of "work", "home", and "other". The value attribute is a complex of "work", "home", and "other". This attribute is a complex type
type with the following sub-attributes. All sub-attributes are with the following sub-attributes. All sub-attributes are
OPTIONAL. OPTIONAL.
formatted The full mailing address, formatted for display or use formatted The full mailing address, formatted for display or use
with a mailing label. This attribute MAY contain newlines. with a mailing label. This attribute MAY contain newlines.
streetAddress The full street address component, which may streetAddress The full street address component, which may
include house number, street name, P.O. box, and multi-line include house number, street name, P.O. box, and multi-line
extended street address information. This attribute MAY extended street address information. This attribute MAY
contain newlines. contain newlines.
locality The city or locality component. locality The city or locality component.
region The state or region component. region The state or region component.
postalCode The zipcode or postal code component. postalCode The zip code or postal code component.
country The country name component. When specified the value country The country name component. When specified, the value
MUST be in ISO 3166-1 alpha 2 "short" code format [ISO3166] ; MUST be in ISO 3166-1 "alpha-2" code format [ISO3166]; e.g.,
e.g., the United States and Sweden are "US" and "SE", the United States and Sweden are "US" and "SE", respectively.
respectively.
groups groups
A list of groups that the user belongs to, either thorough direct A list of groups to which the user belongs, either through direct
membership, nested groups, or dynamically calculated. The values membership, through nested groups, or dynamically calculated. The
are meant to enable expression of common group or role based values are meant to enable expression of common group-based or
access control models, although no explicit authorization model is role-based access control models, although no explicit
defined. It is intended that the semantics of group membership authorization model is defined. It is intended that the semantics
and any behavior or authorization granted as a result of of group membership and any behavior or authorization granted as a
membership are defined by the service provider. The canonical result of membership are defined by the service provider. The
types "direct" and "indirect" are defined to describe how the canonical types "direct" and "indirect" are defined to describe
group membership was derived. Direct group membership indicates how the group membership was derived. Direct group membership
the user is directly associated with the group and SHOULD indicate indicates that the user is directly associated with the group and
that clients may modify membership through the "Group" resource. SHOULD indicate that clients may modify membership through the
Indirect membership indicates user membership is transitive or "Group" resource. Indirect membership indicates that user
dynamic and implies that clients cannot modify indirect group membership is transitive or dynamic and implies that clients
membership through the "Group" resource but MAY modify direct cannot modify indirect group membership through the "Group"
group membership through the "Group" resource which may influence resource but MAY modify direct group membership through the
indirect memberships. If the SCIM service provider exposes a "Group" resource, which may influence indirect memberships. If
Group resource, the "value" sub-attribute MUST be the "id" and the the SCIM service provider exposes a "Group" resource, the "value"
"$ref" sub-attribute must be the URI of the corresponding "Group" sub-attribute MUST be the "id", and the "$ref" sub-attribute must
resources to which the user belongs. Since this attribute has a be the URI of the corresponding "Group" resources to which the
mutability of "readOnly", group membership changes MUST be applied user belongs. Since this attribute has a mutability of
via the Group Resource (Section 4.2). The attribute has a "readOnly", group membership changes MUST be applied via the
mutability of "readOnly". "Group" Resource (Section 4.2). This attribute has a mutability
of "readOnly".
entitlements entitlements
A list of entitlements for the user that represent a thing the A list of entitlements for the user that represent a thing the
user has. An entitlement may be an additional right to a thing, user has. An entitlement may be an additional right to a thing,
object, or service. No vocabulary or syntax is specified and object, or service. No vocabulary or syntax is specified; service
service providers and clients are expected to encode sufficient providers and clients are expected to encode sufficient
information in the value so as to accurately and without ambiguity information in the value so as to accurately and without ambiguity
determine what the user has access to. This value has no determine what the user has access to. This value has no
canonical types though type may be useful as a means to scope canonical types, although a type may be useful as a means to scope
entitlements. entitlements.
roles roles
A list of roles for the user that collectively represent who the A list of roles for the user that collectively represent who the
user is; e.g., "Student, Faculty". No vocabulary or syntax is user is, e.g., "Student", "Faculty". No vocabulary or syntax is
specified though it is expected that a role value is a String or specified, although it is expected that a role value is a String
label representing a collection of entitlements. This value has or label representing a collection of entitlements. This value
no canonical types. has no canonical types.
x509Certificates x509Certificates
A list of certificates associated with the resource (e.g., a A list of certificates associated with the resource (e.g., a
User). Each value contains exactly one DER encoded X.509 (see User). Each value contains exactly one DER-encoded X.509
Section 4 [RFC5280]), which MUST be base 64 encoded per Section 4 certificate (see Section 4 of [RFC5280]), which MUST be base64
[RFC4648]. A single value MUST NOT contain multiple certificates encoded per Section 4 of [RFC4648]. A single value MUST NOT
and so does not contain the encoding "SEQUENCE OF Certificate" in contain multiple certificates and so does not contain the encoding
any guise. "SEQUENCE OF Certificate" in any guise.
4.2. Group Resource Schema 4.2. "Group" Resource Schema
SCIM provides a schema for representing groups, identified using the SCIM provides a schema for representing groups, identified using the
following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group". following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group".
Group resources are meant to enable expression of common group or "Group" resources are meant to enable expression of common
role based access control models, although no explicit authorization group-based or role-based access control models, although no explicit
model is defined. It is intended that the semantics of group authorization model is defined. It is intended that the semantics of
membership and any behavior or authorization granted as a result of group membership, and any behavior or authorization granted as a
membership are defined by the service provider, and are considered result of membership, are defined by the service provider; these are
out of scope for this specification. considered out of scope for this specification.
The following singular attribute is defined in addition to the common The following singular attribute is defined in addition to the common
attributes defined in SCIM core schema: attributes defined in the SCIM core schema:
displayName displayName
A human readable name for the Group. REQUIRED. A human-readable name for the Group. REQUIRED.
The following multi-valued attribute is defined in addition to the The following multi-valued attribute is defined in addition to the
common attributes defined in SCIM Core Schema: common attributes defined in the SCIM core schema:
members members
A list of members of the Group. While values MAY be added or A list of members of the Group. While values MAY be added or
removed, sub-attributes of members are "immutable". The "value" removed, sub-attributes of members are "immutable". The "value"
sub-attribute contains the value of an "id" attribute of a SCIM sub-attribute contains the value of an "id" attribute of a SCIM
resource, and the "$ref" sub-attribute must be the URI of a SCIM resource, and the "$ref" sub-attribute must be the URI of a SCIM
resource such as a "User", or a "Group". The intention of the resource such as a "User", or a "Group". The intention of the
"Group" type is to allow the service provider to support nested "Group" type is to allow the service provider to support nested
groups. Service providers MAY require clients to provide a non- groups. Service providers MAY require clients to provide a
empty value by setting the "required" attribute characteristic of non-empty value by setting the "required" attribute characteristic
a sub-attribute of the "members" attribute in the "Group" resource of a sub-attribute of the "members" attribute in the "Group"
schema. resource schema.
4.3. Enterprise User Schema Extension 4.3. Enterprise User Schema Extension
The following SCIM extension defines attributes commonly used in The following SCIM extension defines attributes commonly used in
representing users that belong to, or act on behalf of a business or representing users that belong to, or act on behalf of, a business or
enterprise. The enterprise user extension is identified using the enterprise. The enterprise User extension is identified using the
following schema URI: following schema URI:
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User". "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User".
The following Singular Attributes are defined: The following singular attributes are defined:
employeeNumber employeeNumber
A string identifier, typically numeric or alpha-numeric, assigned A string identifier, typically numeric or alphanumeric, assigned
to a person, typically based on order of hire or association with to a person, typically based on order of hire or association with
an organization. an organization.
costCenter costCenter
Identifies the name of a cost center. Identifies the name of a cost center.
organization organization
Identifies the name of an organization. Identifies the name of an organization.
division division
skipping to change at page 25, line 17 skipping to change at page 27, line 17
providers to represent organizational hierarchy by referencing the providers to represent organizational hierarchy by referencing the
"id" attribute of another User. "id" attribute of another User.
value The "id" of the SCIM resource representing the user's value The "id" of the SCIM resource representing the user's
manager. RECOMMENDED. manager. RECOMMENDED.
$ref The URI of the SCIM resource representing the User's $ref The URI of the SCIM resource representing the User's
manager. RECOMMENDED. manager. RECOMMENDED.
displayName The displayName of the user's manager. This displayName The displayName of the user's manager. This
attribute is OPTIONAL and mutability is "readOnly". attribute is OPTIONAL, and mutability is "readOnly".
5. Service Provider Configuration Schema 5. Service Provider Configuration Schema
SCIM provides a schema for representing the service provider's SCIM provides a schema for representing the service provider's
configuration identified using the following schema URI: configuration, identified using the following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig".
The service provider configuration resource enables a service The service provider configuration resource enables a service
provider to discover SCIM specification features in a standardized provider to discover SCIM specification features in a standardized
form as well as provide additional implementation details to clients. form as well as provide additional implementation details to clients.
All attributes have a mutability of "readOnly". Unlike other core All attributes have a mutability of "readOnly". Unlike other core
resources, the "id" attribute is not required for the service resources, the "id" attribute is not required for the service
provider configuration resource. provider configuration resource.
The following Singular Attributes are defined in addition to the The following singular attributes are defined in addition to the
common attributes defined in Core Schema: common attributes defined in the core schema:
documentationUrl documentationUri
An HTTP addressable URL pointing to the service provider's human An HTTP-addressable URL pointing to the service provider's
consumable help documentation. OPTIONAL. human-consumable help documentation. OPTIONAL.
patch patch
A complex type that specifies PATCH configuration options. A complex type that specifies PATCH configuration options.
REQUIRED. See Section 3.5.2 [I-D.ietf-scim-api]. REQUIRED. See Section 3.5.2 of [RFC7644].
supported Boolean value specifying whether the operation is supported A Boolean value specifying whether or not the operation
supported. REQUIRED. is supported. REQUIRED.
bulk bulk
A complex type that specifies Bulk configuration options. See A complex type that specifies bulk configuration options. See
Section 3.7 [I-D.ietf-scim-api]. REQUIRED Section 3.7 of [RFC7644]. REQUIRED.
supported Boolean value specifying whether the operation is supported A Boolean value specifying whether or not the operation
supported. REQUIRED. is supported. REQUIRED.
maxOperations An integer value specifying the maximum number of maxOperations An integer value specifying the maximum number of
operations. REQUIRED. operations. REQUIRED.
maxPayloadSize An integer value specifying the maximum payload maxPayloadSize An integer value specifying the maximum payload
size in bytes. REQUIRED. size in bytes. REQUIRED.
filter filter
A complex type that specifies FILTER options. REQUIRED. See A complex type that specifies FILTER options. REQUIRED. See
Section 3.4.2.2 [I-D.ietf-scim-api]. Section 3.4.2.2 of [RFC7644].
supported Boolean value specifying whether the operation is supported A Boolean value specifying whether or not the operation
supported. REQUIRED. is supported. REQUIRED.
maxResults Integer value specifying the maximum number of maxResults An integer value specifying the maximum number of
resources returned in a response. REQUIRED. resources returned in a response. REQUIRED.
changePassword changePassword
A complex type that specifies Change Password configuration A complex type that specifies configuration options related to
options. REQUIRED. changing a password. REQUIRED.
supported Boolean value specifying whether the operation is supported A Boolean value specifying whether or not the operation
supported. REQUIRED. is supported. REQUIRED.
sort sort
A complex type that specifies Sort configuration options. A complex type that specifies Sort configuration options.
REQUIRED. REQUIRED.
supported Boolean value specifying whether sorting is supported. supported A Boolean value specifying whether or not sorting is
REQUIRED. supported. REQUIRED.
etag etag
A complex type that specifies Etag configuration options. A complex type that specifies ETag configuration options.
REQUIRED. REQUIRED.
supported Boolean value specifying whether the operation is supported A Boolean value specifying whether or not the operation
supported. REQUIRED. is supported. REQUIRED.
The following multi-valued attribute is defined in addition to the The following multi-valued attribute is defined in addition to the
common attributes defined in core schema: common attributes defined in the core schema:
authenticationSchemes authenticationSchemes
A complex type that specifies supported Authentication Scheme A multi-valued complex type that specifies supported
properties. This attribute defines the following canonical values authentication scheme properties. To enable seamless discovery of
to represent common schemes: "oauth", "oauth2", configurations, the service provider SHOULD, with the appropriate
"oauthbearertoken", "httpbasic", and "httpdigest". To enable security considerations, make the authenticationSchemes attribute
seamless discovery of configuration, the service provider SHOULD, publicly accessible without prior authentication. REQUIRED. The
with the appropriate security considerations, make the following sub-attributes are defined:
authenticationSchemes attribute publicly accessible without prior
authentication. REQUIRED.
name The common authentication scheme name; e.g., HTTP Basic. type The authentication scheme. This specification defines the
values "oauth", "oauth2", "oauthbearertoken", "httpbasic", and
"httpdigest". REQUIRED.
name The common authentication scheme name, e.g., HTTP Basic.
REQUIRED. REQUIRED.
description A description of the Authentication Scheme. description A description of the authentication scheme.
REQUIRED. REQUIRED.
specUrl An HTTP addressable URL pointing to the Authentication specUri An HTTP-addressable URL pointing to the authentication
Scheme's specification. OPTIONAL. scheme's specification. OPTIONAL.
documentationUrl An HTTP addressable URL pointing to the documentationUri An HTTP-addressable URL pointing to the
Authentication Scheme's usage documentation. OPTIONAL. authentication scheme's usage documentation. OPTIONAL.
6. ResourceType Schema 6. ResourceType Schema
The "ResourceType" schema specifies the meta-data about a resource The "ResourceType" schema specifies the metadata about a resource
type. Resource type resources are READ-ONLY and identified using the type. Resource type resources are READ-ONLY and identified using the
following schema URI: following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:ResourceType". Unlike other "urn:ietf:params:scim:schemas:core:2.0:ResourceType". Unlike other
core resources, all attributes are REQUIRED unless otherwise core resources, all attributes are REQUIRED unless otherwise
specified. The "id" attribute is not required for the resource type specified. The "id" attribute is not required for the resource type
resource. resource.
The following Singular Attributes are defined: The following singular attributes are defined:
id id
The resource type's server unique id. Often this is the same The resource type's server unique id. This is often the same
value as the "name" attribute. OPTIONAL value as the "name" attribute. OPTIONAL.
name name
The resource type name. When applicable service providers MUST The resource type name. When applicable, service providers MUST
specify the name specified in the core schema specification; e.g., specify the name, e.g., "User" or "Group". This name is
"User" or "Group". This name is referenced by the referenced by the "meta.resourceType" attribute in all resources.
"meta.resourceType" attribute in all resources. REQUIRED. REQUIRED.
description description
The resource type's human readable description. When applicable The resource type's human-readable description. When applicable,
service providers MUST specify the description specified in the service providers MUST specify the description. OPTIONAL.
core schema specification. OPTIONAL.
endpoint endpoint
The resource type's HTTP addressable endpoint relative to the Base The resource type's HTTP-addressable endpoint relative to the Base
URL of the service provider; e.g., "Users". REQUIRED. URL of the service provider, e.g., "Users". REQUIRED.
schema schema
The resource type's primary/base schema URI; e.g., The resource type's primary/base schema URI, e.g.,
"urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal "urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal
to the "id" attribute of the associated "Schema" resource. to the "id" attribute of the associated "Schema" resource.
REQUIRED. REQUIRED.
schemaExtensions schemaExtensions
A list of URIs of the resource type's schema extensions. A list of URIs of the resource type's schema extensions.
OPTIONAL. OPTIONAL.
schema The URI of an extended schema; e.g., "urn:edu:2.0:Staff". schema The URI of an extended schema, e.g., "urn:edu:2.0:Staff".
This MUST be equal to the "id" attribute of a "Schema" This MUST be equal to the "id" attribute of a "Schema"
resource. REQUIRED. resource. REQUIRED.
required A Boolean value that specifies whether the schema required A Boolean value that specifies whether or not the schema
extension is required for the resource type. If true, a extension is required for the resource type. If true, a
resource of this type MUST include this schema extension and resource of this type MUST include this schema extension and
include any attributes declared as required in this schema also include any attributes declared as required in this schema
extension. If false, a resource of this type MAY omit this extension. If false, a resource of this type MAY omit this
schema extension. REQUIRED. schema extension. REQUIRED.
7. Schema Definition 7. Schema Definition
This section defines a way to specify the schema in use by resources This section defines a way to specify the schema in use by resources
available and accepted by a SCIM service provider. For each available and accepted by a SCIM service provider. For each
"schemas" URI value, this schema specifies the defined attribute(s) "schemas" URI value, this schema specifies the defined attribute(s)
and their characteristics (mutability, returnability, etc). For and their characteristics (mutability, returnability, etc). For
every schema URI used in a resource object, there is a corresponding every schema URI used in a resource object, there is a corresponding
"Schema" resource. "Schema" resources are not modifiable and their "Schema" resource. "Schema" resources are not modifiable, and their
associated attributes have a mutability of "readOnly". Except for associated attributes have a mutability of "readOnly". Except for
"id" (which is always returned), all attributes have "returned" "id" (which is always returned), all attributes have a "returned"
characteristic of "default". Unless otherwise specified, all schema characteristic of "default". Unless otherwise specified, all schema
attributes are case-insensitive. These resources have a "schemas" attributes are case insensitive. These resources have a "schemas"
attribute with the following schema URI: attribute with the following schema URI:
urn:ietf:params:scim:schemas:core:2.0:Schema urn:ietf:params:scim:schemas:core:2.0:Schema
Unlike other core resources the "Schema" resource MAY contain a Unlike other core resources, the "Schema" resource MAY contain a
complex object within a sub-attribute and all attributes are REQUIRED complex object within a sub-attribute, and all attributes are
unless otherwise specified. REQUIRED unless otherwise specified.
The following Singular Attributes are defined: The following singular attributes are defined:
id id
The unique URI of the schema. When applicable service providers The unique URI of the schema. When applicable, service providers
MUST specify the URI specified in the core schema specification; MUST specify the URI, e.g.,
e.g., "urn:ietf:params:scim:schemas:core:2.0:User". Unlike most "urn:ietf:params:scim:schemas:core:2.0:User". Unlike most other
other schemas, which use some sort of a GUID for the "id", the schemas, which use some sort of Globally Unique Identifier (GUID)
schema "id" is a URI so that it can be registered and is portable for the "id", the schema "id" is a URI so that it can be
between different service providers and clients. REQUIRED. registered and is portable between different service providers and
clients. REQUIRED.
name name
The schema's human readable name. When applicable service The schema's human-readable name. When applicable, service
providers MUST specify the name specified in the core schema providers MUST specify the name, e.g., "User" or "Group".
specification; e.g., "User" or "Group". OPTIONAL. OPTIONAL.
description description
The schema's human readable description. When applicable service The schema's human-readable description. When applicable, service
providers MUST specify the description specified in the core providers MUST specify the description. OPTIONAL.
schema specification. OPTIONAL.
The following multi-valued attribute is defined: The following multi-valued attribute is defined:
attributes attributes
A complex type with the following set of sub-attributes that A complex type that defines service provider attributes and their
defines service provider attributes and their qualities: qualities via the following set of sub-attributes:
name The attribute's name. name The attribute's name.
type The attribute's data type. Valid values are: "string", type The attribute's data type. Valid values are "string",
"boolean", "decimal", "integer", "dateTime", "reference", and "boolean", "decimal", "integer", "dateTime", "reference", and
"complex". When an attribute is of type "complex", there "complex". When an attribute is of type "complex", there
SHOULD be a corresponding schema attribute "subAttributes" SHOULD be a corresponding schema attribute "subAttributes"
defined listing the sub-attribtues of the attribute. defined, listing the sub-attributes of the attribute.
subAttributes When an attribute is of type "complex", subAttributes When an attribute is of type "complex",
"subAttributes" defines set of sub-attributes. "subAttributes" "subAttributes" defines a set of sub-attributes.
has the same schema sub-attributes as "attributes". "subAttributes" has the same schema sub-attributes as
"attributes".
multiValued Boolean value indicating the attribute's plurality. multiValued A Boolean value indicating the attribute's plurality.
description The attribute's human readable description. When description The attribute's human-readable description. When
applicable service providers MUST specify the description applicable, service providers MUST specify the description.
specified in the core schema specification.
required A Boolean value that specifies if the attribute is required A Boolean value that specifies whether or not the
required. attribute is required.
canonicalValues A collection of suggested canonical values that canonicalValues A collection of suggested canonical values that
MAY be used. Example: "work" and"home". In some cases service MAY be used (e.g., "work" and "home"). In some cases, service
providers MAY choose to ignore unsupported values. The use of providers MAY choose to ignore unsupported values. OPTIONAL.
canonicalValues is OPTIONAL.
caseExact A Boolean value that specifies if the String attribute caseExact A Boolean value that specifies whether or not a string
is case sensitive. The server SHALL use case sensitivity when attribute is case sensitive. The server SHALL use case
evaluating filters. For attributes that are case exact, the sensitivity when evaluating filters. For attributes that are
server SHALL preserve case for any value submitted. If the case exact, the server SHALL preserve case for any value
attribute is case insensitive, the server MAY alter case for a submitted. If the attribute is case insensitive, the server
submitted value. Case sensitivity also impacts how attribute MAY alter case for a submitted value. Case sensitivity also
values MAY be compared against filter values (see section impacts how attribute values MAY be compared against filter
3.4.2.2 [I-D.ietf-scim-api]). values (see Section 3.4.2.2 of [RFC7644]).
mutability A single keyword indicating the circumstances under mutability A single keyword indicating the circumstances under
which the value of the attribute can be (re)defined: which the value of the attribute can be (re)defined:
readOnly The attribute SHALL NOT be modified. readOnly The attribute SHALL NOT be modified.
readWrite The attribute MAY be updated and read at any time. readWrite The attribute MAY be updated and read at any time.
This is default value. This is the default value.
immutable The attribute MAY be defined at resource creation immutable The attribute MAY be defined at resource creation
(e.g., POST) or at record replacement via request (e.g., a (e.g., POST) or at record replacement via a request (e.g., a
PUT). The attribute SHALL NOT be updated. PUT). The attribute SHALL NOT be updated.
writeOnly The attribute MAY be updated at any time. Attribute writeOnly The attribute MAY be updated at any time. Attribute
values SHALL NOT be returned (e.g., because the value is a values SHALL NOT be returned (e.g., because the value is a
stored hash). Note: an attribute with mutability of stored hash). Note: An attribute with a mutability of
"writeOnly" usually also has a returned setting of "never". "writeOnly" usually also has a returned setting of "never".
returned A single keyword that indicates when an attribute and returned A single keyword that indicates when an attribute and
associated values are returned in response to a GET request or associated values are returned in response to a GET request or
in response to a PUT, POST, or PATCH request. Valid keywords in response to a PUT, POST, or PATCH request. Valid keywords
are: are as follows:
always The attribute is always returned regardless of the always The attribute is always returned, regardless of the
contents of the "attributes" parameter. For example, "id" contents of the "attributes" parameter. For example, "id"
is always returned to identify a SCIM resource. is always returned to identify a SCIM resource.
never The attribute is never returned. This may occur because never The attribute is never returned. This may occur because
the original attribute value is not retained by the service the original attribute value (e.g., a hashed value) is not
provider (e.g., such as with a hashed value). A service retained by the service provider. A service provider MAY
provider MAY allow attributes to be used in a search filter. allow attributes to be used in a search filter.
default The attribute is returned by default in all SCIM default The attribute is returned by default in all SCIM
operation responses where attribute values are returned. If operation responses where attribute values are returned. If
the GET request "attributes" parameter is specified, the GET request "attributes" parameter is specified,
attribute values are only returned if the attribute is named attribute values are only returned if the attribute is named
in the attributes parameter. DEFAULT. in the "attributes" parameter. DEFAULT.
request The attribute is returned in response to any PUT, request The attribute is returned in response to any PUT,
POST, or PATCH operations if the attribute was specified by POST, or PATCH operations if the attribute was specified by
the client (for example, the attribute was modified). The the client (for example, the attribute was modified). The
attribute is returned in a SCIM query operation only if attribute is returned in a SCIM query operation only if
specified in the "attributes" parameter. specified in the "attributes" parameter.
uniqueness A single keyword value that specifies how the service uniqueness A single keyword value that specifies how the service
provider enforces uniqueness of attribute values. A server MAY provider enforces uniqueness of attribute values. A server MAY
reject an invalid value based on uniqueness by returning HTTP reject an invalid value based on uniqueness by returning HTTP
Response code 400 (Bad Request). A client MAY enforce response code 400 (Bad Request). A client MAY enforce
uniqueness on the client-side to a greater degree than the uniqueness on the client side to a greater degree than the
service provider enforces. For example, a client could make a service provider enforces. For example, a client could make a
value unique while the server has uniqueness of "none". Valid value unique while the server has uniqueness of "none". Valid
keywords are: keywords are as follows:
none The values are not intended to be unique in any way. none The values are not intended to be unique in any way.
DEFAULT. DEFAULT.
server The value SHOULD be unique within the context of the server The value SHOULD be unique within the context of the
current SCIM endpoint (or tenancy) and MAY be globally current SCIM endpoint (or tenancy) and MAY be globally
unique (e.g., a "username", email address, or other server unique (e.g., a "username", email address, or other
generated key or counter). No two resources on the same server-generated key or counter). No two resources on the
server SHOULD possess the same value. same server SHOULD possess the same value.
global The value SHOULD be globally unique (e.g., an email global The value SHOULD be globally unique (e.g., an email
address, a GUID, or other value). No two resources on any address, a GUID, or other value). No two resources on any
server SHOULD possess the same value. server SHOULD possess the same value.
referenceTypes A multi-valued array of JSON strings that indicate referenceTypes A multi-valued array of JSON strings that indicate
the SCIM resource types that may be referenced. Valid values the SCIM resource types that may be referenced. Valid values
are: are as follows:
+ A SCIM resource type (e.g., "User" or "Group"), + A SCIM resource type (e.g., "User" or "Group"),
+ "external" - indicating the resource is an external resource + "external" - indicating that the resource is an external
(e.g., such as a photo), or resource (e.g., a photo), or
+ "uri" - indicating that the reference is to a service + "uri" - indicating that the reference is to a service
endpoint or an identifier (e.g., such as a schema urn). endpoint or an identifier (e.g., a schema URN).
This attribute is only applicable for attributes that are of This attribute is only applicable for attributes that are of
type "reference" (Section 2.3.7). type "reference" (Section 2.3.7).
8. JSON Representation 8. JSON Representation
8.1. Minimal User Representation 8.1. Minimal User Representation
The following is a non-normative example of the minimal required SCIM The following is a non-normative example of the minimal required SCIM
representation in JSON format. representation in JSON format.
skipping to change at page 32, line 32 skipping to change at page 35, line 16
The following is a non-normative example of the fully populated SCIM The following is a non-normative example of the fully populated SCIM
representation in JSON format. representation in JSON format.
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "2819c223-7f76-453a-919d-413861904646", "id": "2819c223-7f76-453a-919d-413861904646",
"externalId": "701984", "externalId": "701984",
"userName": "bjensen@example.com", "userName": "bjensen@example.com",
"name": { "name": {
"formatted": "Ms. Barbara J Jensen III", "formatted": "Ms. Barbara J Jensen, III",
"familyName": "Jensen", "familyName": "Jensen",
"givenName": "Barbara", "givenName": "Barbara",
"middleName": "Jane", "middleName": "Jane",
"honorificPrefix": "Ms.", "honorificPrefix": "Ms.",
"honorificSuffix": "III" "honorificSuffix": "III"
}, },
"displayName": "Babs Jensen", "displayName": "Babs Jensen",
"nickName": "Babs", "nickName": "Babs",
"profileUrl": "https://login.example.com/bjensen", "profileUrl": "https://login.example.com/bjensen",
"emails": [ "emails": [
skipping to change at page 34, line 4 skipping to change at page 36, line 41
{ {
"value": "value":
"https://photos.example.com/profilephoto/72930000000Ccne/F", "https://photos.example.com/profilephoto/72930000000Ccne/F",
"type": "photo" "type": "photo"
}, },
{ {
"value": "value":
"https://photos.example.com/profilephoto/72930000000Ccne/T", "https://photos.example.com/profilephoto/72930000000Ccne/T",
"type": "thumbnail" "type": "thumbnail"
} }
], ],
"userType": "Employee", "userType": "Employee",
"title": "Tour Guide", "title": "Tour Guide",
"preferredLanguage":"en-US", "preferredLanguage": "en-US",
"locale": "en-US", "locale": "en-US",
"timezone": "America/Los_Angeles", "timezone": "America/Los_Angeles",
"active":true, "active":true,
"password":"t1meMa$heen", "password": "t1meMa$heen",
"groups": [ "groups": [
{ {
"value": "e9e30dba-f08f-4109-8486-d5c6a331660a", "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
"$ref": "$ref":
"https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a", "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
"display": "Tour Guides" "display": "Tour Guides"
}, },
{ {
"value": "fc348aa8-3835-40eb-a20b-c726e15c55b5", "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
"$ref": "$ref":
skipping to change at page 35, line 26 skipping to change at page 39, line 12
Figure 4: Example Full User JSON Representation Figure 4: Example Full User JSON Representation
8.3. Enterprise User Extension Representation 8.3. Enterprise User Extension Representation
The following is a non-normative example of the fully populated User The following is a non-normative example of the fully populated User
using the enterprise User extension in JSON format. using the enterprise User extension in JSON format.
{ {
"schemas": "schemas":
[ "urn:ietf:params:scim:schemas:core:2.0:User", ["urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"], "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
"id": "2819c223-7f76-453a-919d-413861904646", "id": "2819c223-7f76-453a-919d-413861904646",
"externalId": "701984", "externalId": "701984",
"userName": "bjensen@example.com", "userName": "bjensen@example.com",
"name": { "name": {
"formatted": "Ms. Barbara J Jensen III", "formatted": "Ms. Barbara J Jensen, III",
"familyName": "Jensen", "familyName": "Jensen",
"givenName": "Barbara", "givenName": "Barbara",
"middleName": "Jane", "middleName": "Jane",
"honorificPrefix": "Ms.", "honorificPrefix": "Ms.",
"honorificSuffix": "III" "honorificSuffix": "III"
}, },
"displayName": "Babs Jensen", "displayName": "Babs Jensen",
"nickName": "Babs", "nickName": "Babs",
"profileUrl": "https://login.example.com/bjensen", "profileUrl": "https://login.example.com/bjensen",
"emails": [ "emails": [
skipping to change at page 37, line 4 skipping to change at page 40, line 40
"photos": [ "photos": [
{ {
"value": "value":
"https://photos.example.com/profilephoto/72930000000Ccne/F", "https://photos.example.com/profilephoto/72930000000Ccne/F",
"type": "photo" "type": "photo"
}, },
{ {
"value": "value":
"https://photos.example.com/profilephoto/72930000000Ccne/T", "https://photos.example.com/profilephoto/72930000000Ccne/T",
"type": "thumbnail" "type": "thumbnail"
} }
], ],
"userType": "Employee", "userType": "Employee",
"title": "Tour Guide", "title": "Tour Guide",
"preferredLanguage":"en-US", "preferredLanguage": "en-US",
"locale": "en-US", "locale": "en-US",
"timezone": "America/Los_Angeles", "timezone": "America/Los_Angeles",
"active":true, "active":true,
"password":"t1meMa$heen", "password": "t1meMa$heen",
"groups": [ "groups": [
{ {
"value": "e9e30dba-f08f-4109-8486-d5c6a331660a", "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
"$ref": "../Groups/e9e30dba-f08f-4109-8486-d5c6a331660a", "$ref": "../Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
"display": "Tour Guides" "display": "Tour Guides"
}, },
{ {
"value": "fc348aa8-3835-40eb-a20b-c726e15c55b5", "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
"$ref": "../Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5", "$ref": "../Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
"display": "Employees" "display": "Employees"
skipping to change at page 38, line 32 skipping to change at page 43, line 7
"version": "W\/\"3694e05e9dff591\"", "version": "W\/\"3694e05e9dff591\"",
"location": "location":
"https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646" "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
} }
} }
Figure 5: Example Enterprise User JSON Representation Figure 5: Example Enterprise User JSON Representation
8.4. Group Representation 8.4. Group Representation
The following is a non-normative example of SCIM Group representation The following is a non-normative example of the SCIM Group
in JSON format. representation in JSON format.
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
"id": "e9e30dba-f08f-4109-8486-d5c6a331660a", "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
"displayName": "Tour Guides", "displayName": "Tour Guides",
"members": [ "members": [
{ {
"value": "2819c223-7f76-453a-919d-413861904646", "value": "2819c223-7f76-453a-919d-413861904646",
"$ref": "$ref":
"https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646", "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
skipping to change at page 39, line 41 skipping to change at page 44, line 11
} }
Figure 6: Example Group JSON Representation Figure 6: Example Group JSON Representation
8.5. Service Provider Configuration Representation 8.5. Service Provider Configuration Representation
The following is a non-normative example of the SCIM service provider The following is a non-normative example of the SCIM service provider
configuration representation in JSON format. configuration representation in JSON format.
{ {
"schemas": [ "schemas":
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
], "documentationUri": "http://example.com/help/scim.html",
"documentationUrl":"http://example.com/help/scim.html",
"patch": { "patch": {
"supported":true "supported":true
}, },
"bulk": { "bulk": {
"supported":true, "supported":true,
"maxOperations":1000, "maxOperations":1000,
"maxPayloadSize":1048576 "maxPayloadSize":1048576
}, },
"filter": { "filter": {
"supported":true, "supported":true,
"maxResults": 200 "maxResults": 200
}, },
"changePassword" : { "changePassword": {
"supported":true "supported":true
}, },
"sort": { "sort": {
"supported":true "supported":true
}, },
"etag": { "etag": {
"supported":true "supported":true
}, },
"authenticationSchemes": [ "authenticationSchemes": [
{ {
"name": "OAuth Bearer Token", "name": "OAuth Bearer Token",
"description": "description":
"Authentication Scheme using the OAuth Bearer Token Standard", "Authentication scheme using the OAuth Bearer Token Standard",
"specUrl": "specUri": "http://www.rfc-editor.org/info/rfc6750",
"http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01", "documentationUri": "http://example.com/help/oauth.html",
"documentationUrl":"http://example.com/help/oauth.html", "type": "oauthbearertoken",
"type":"oauthbearertoken",
"primary": true "primary": true
}, },
{ {
"name": "HTTP Basic", "name": "HTTP Basic",
"description": "description":
"Authentication Scheme using the Http Basic Standard", "Authentication scheme using the HTTP Basic Standard",
"specUrl":"http://www.ietf.org/rfc/rfc2617.txt", "specUri": "http://www.rfc-editor.org/info/rfc2617",
"documentationUrl":"http://example.com/help/httpBasic.html", "documentationUri": "http://example.com/help/httpBasic.html",
"type":"httpbasic" "type": "httpbasic"
} }
], ],
"meta": { "meta": {
"location":"https://example.com/v2/ServiceProviderConfig", "location": "https://example.com/v2/ServiceProviderConfig",
"resourceType": "ServiceProviderConfig", "resourceType": "ServiceProviderConfig",
"created": "2010-01-23T04:56:22Z", "created": "2010-01-23T04:56:22Z",
"lastModified": "2011-05-13T04:42:34Z", "lastModified": "2011-05-13T04:42:34Z",
"version": "W\/\"3694e05e9dff594\"" "version": "W\/\"3694e05e9dff594\""
} }
} }
Figure 7: Example Service Provider Config JSON Representation Figure 7: Example Service Provider Configuration JSON Representation
8.6. Resource Type Representation 8.6. Resource Type Representation
The following is a non-normative example of the SCIM resource types The following is a non-normative example of the SCIM resource types
in JSON format. in JSON format.
[{ [{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
"id":"User", "id": "User",
"name":"User", "name": "User",
"endpoint": "/Users", "endpoint": "/Users",
"description": "User Account", "description": "User Account",
"schema": "urn:ietf:params:scim:schemas:core:2.0:User", "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"schemaExtensions": [ "schemaExtensions": [
{ {
"schema": "schema":
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"required": true "required": true
} }
], ],
"meta": { "meta": {
"location":"https://example.com/v2/ResourceTypes/User", "location": "https://example.com/v2/ResourceTypes/User",
"resourceType": "ResourceType" "resourceType": "ResourceType"
} }
}, },
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
"id":"Group", "id": "Group",
"name":"Group", "name": "Group",
"endpoint": "/Groups", "endpoint": "/Groups",
"description": "Group", "description": "Group",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Group", "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
"meta": { "meta": {
"location":"https://example.com/v2/ResourceTypes/Group", "location": "https://example.com/v2/ResourceTypes/Group",
"resourceType": "ResourceType" "resourceType": "ResourceType"
} }
}] }]
Figure 8: Example Resource Type JSON Representation Figure 8: Example Resource Type JSON Representation
8.7. Schema Representation 8.7. Schema Representation
The following sections provide representations of schemas for both The following sections provide representations of schemas for both
SCIM resources and service provider schemas. Note that the JSON SCIM resources and service provider schemas. Note that the JSON
representation has been modified for readability and to fit the representation has been modified for readability and to fit the
specification format. specification format.
8.7.1. Resource Schema Representation 8.7.1. Resource Schema Representation
The following is intended as an example of the SCIM Schema The following is intended as an example of the SCIM schema
representation in JSON format for SCIM resources. Where permitted representation in JSON format for SCIM resources. Where permitted,
individual values and schema MAY change. Included but not limited individual values and schema MAY change. This example includes
to, are schemas for User, Group, and enterprise user. schema representations for "User", "Group", and "EnterpriseUser";
other schema representations are possible.
[ [
{ {
"id" : "urn:ietf:params:scim:schemas:core:2.0:User", "id" : "urn:ietf:params:scim:schemas:core:2.0:User",
"name" : "User", "name" : "User",
"description" : "User Account", "description" : "User Account",
"attributes" : [ "attributes" : [
{ {
"name" : "userName", "name" : "userName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Unique identifier for the User typically used "description" : "Unique identifier for the User, typically
by the user to directly authenticate to the service provider. Each User used by the user to directly authenticate to the service provider.
MUST include a non-empty userName value. This identifier MUST be unique Each User MUST include a non-empty userName value. This identifier
across the Service Consumer's entire set of Users. REQUIRED", MUST be unique across the service provider's entire set of Users.
REQUIRED.",
"required" : true, "required" : true,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "server" "uniqueness" : "server"
}, },
{ {
"name" : "name", "name" : "name",
"type" : "complex", "type" : "complex",
"multiValued" : false, "multiValued" : false,
"description" : "The components of the user's real name. "description" : "The components of the user's real name.
Providers MAY return just the full name as a single string in the Providers MAY return just the full name as a single string in the
formatted sub-attribute, or they MAY return just the individual formatted sub-attribute, or they MAY return just the individual
component attributes using the other sub-attributes, or they MAY return component attributes using the other sub-attributes, or they MAY
both. If both variants are returned, they SHOULD be describing the same return both. If both variants are returned, they SHOULD be
name, with the formatted name indicating how the component attributes describing the same name, with the formatted name indicating how the
should be combined.", component attributes should be combined.",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "formatted", "name" : "formatted",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The full name, including all middle names, "description" : "The full name, including all middle
titles, and suffixes as appropriate, formatted for display (e.g., Ms. names, titles, and suffixes as appropriate, formatted for display
Barbara J Jensen, III.).", (e.g., 'Ms. Barbara J Jensen, III').",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "familyName", "name" : "familyName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The family name of the User, or Last Name "description" : "The family name of the User, or
in most Western languages (e.g. Jensen given the full name Ms. Barbara J last name in most Western languages (e.g., 'Jensen' given the full
Jensen, III.).", name 'Ms. Barbara J Jensen, III').",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "givenName", "name" : "givenName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The given name of the User, or First Name "description" : "The given name of the User, or
in most Western languages (e.g. Barbara given the full name Ms. Barbara first name in most Western languages (e.g., 'Barbara' given the
J Jensen, III.).", full name 'Ms. Barbara J Jensen, III').",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "middleName", "name" : "middleName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The middle name(s) of the User (e.g. Robert "description" : "The middle name(s) of the User
given the full name Ms. Barbara J Jensen, III.).", (e.g., 'Jane' given the full name 'Ms. Barbara J Jensen, III').",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "honorificPrefix", "name" : "honorificPrefix",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The honorific prefix(es) of the User, or "description" : "The honorific prefix(es) of the User, or
title in most Western languages (e.g., 'Ms.' given the full name
Title in most Western languages (e.g., Ms. given the full name Ms. 'Ms. Barbara J Jensen, III').",
Barbara J Jensen, III.).",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "honorificSuffix", "name" : "honorificSuffix",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The honorific suffix(es) of the User, or "description" : "The honorific suffix(es) of the User, or
Suffix in most Western languages (e.g., III. given the full name Ms. suffix in most Western languages (e.g., 'III' given the full name
Barbara J Jensen, III.).", 'Ms. Barbara J Jensen, III').",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "displayName", "name" : "displayName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The name of the User, suitable for display to "description" : "The name of the User, suitable for display
end-users. The name SHOULD be the full name of the User being described to end-users. The name SHOULD be the full name of the User being
if known", described, if known.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "nickName", "name" : "nickName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The casual way to address the user in real "description" : "The casual way to address the user in real
life, e.g.'Bob' or 'Bobby' instead of 'Robert'. This attribute life, e.g., 'Bob' or 'Bobby' instead of 'Robert'. This attribute
SHOULD NOT be used to represent a User's username (e.g., bjensen or SHOULD NOT be used to represent a User's username (e.g., 'bjensen' or
mpepperidge)", 'mpepperidge').",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "profileUrl", "name" : "profileUrl",
"type" : "reference", "type" : "reference",
"referenceTypes" : ["external"], "referenceTypes" : ["external"],
"multiValued" : false, "multiValued" : false,
"description" : "A fully qualified URL to a page representing "description" : "A fully qualified URL pointing to a page
the User's online profile", representing the User's online profile.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "title", "name" : "title",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The user's title, such as \"Vice President.\"", "description" : "The user's title, such as
\"Vice President.\"",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "userType", "name" : "userType",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Used to identify the organization to user "description" : "Used to identify the relationship between
relationship. Typical values used might be 'Contractor', 'Employee', the organization and the user. Typical values used might be
'Intern', 'Temp', 'External', and 'Unknown' but any value may be 'Contractor', 'Employee', 'Intern', 'Temp', 'External', and
used.", 'Unknown', but any value may be used.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "preferredLanguage", "name" : "preferredLanguage",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Indicates the User's preferred written or "description" : "Indicates the User's preferred written or
spoken language. Generally used for selecting a localized user
spoken language. Generally used for selecting a localized User interface; e.g., 'en_US' specifies the language English and country
interface. e.g., 'en_US' specifies the language English and country
US.", US.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "locale", "name" : "locale",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Used to indicate the User's default location "description" : "Used to indicate the User's default location
for purposes of localizing items such as currency, date time format, for purposes of localizing items such as currency, date time format, or
numerical representations, etc.", numerical representations.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "timezone", "name" : "timezone",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The User's time zone in the 'Olson' timezone "description" : "The User's time zone in the 'Olson' time zone
database format; e.g.,'America/Los_Angeles'", database format, e.g., 'America/Los_Angeles'.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "active", "name" : "active",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the User's "description" : "A Boolean value indicating the User's
administrative status.", administrative status.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "password", "name" : "password",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The User's clear text password. This attribute "description" : "The User's cleartext password. This
is intended to be used as a means to specify an initial password when attribute is intended to be used as a means to specify an initial
creating a new User or to reset an existing User's password.", password when creating a new User or to reset an existing User's
password.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "writeOnly", "mutability" : "writeOnly",
"returned" : "never", "returned" : "never",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "emails", "name" : "emails",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "E-mail addresses for the user. The value SHOULD "description" : "Email addresses for the user. The value
be canonicalized by the Service Provider, e.g., bjensen@example.com SHOULD be canonicalized by the service provider, e.g.,
instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and 'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'.
other.", Canonical type values of 'work', 'home', and 'other'.",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "E-mail addresses for the user. The value "description" : "Email addresses for the user. The value
SHOULD be canonicalized by the Service Provider, e.g. SHOULD be canonicalized by the service provider, e.g.,
bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type 'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'.
values of work, home, and other.", Canonical type values of 'work', 'home', and 'other'.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable name, primarily used for "description" : "A human-readable name, primarily used
display purposes. READ-ONLY.", for display purposes. READ-ONLY.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A label indicating the attribute's "description" : "A label indicating the attribute's
function; e.g., 'work' or 'home'.", function, e.g., 'work' or 'home'.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [ "canonicalValues" : [
"work", "work",
"home", "home",
"other" "other"
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary'
preferred attribute value for this attribute, e.g., the preferred mailing or preferred attribute value for this attribute, e.g., the preferred
address or primary e-mail address. The primary attribute value 'true' mailing address or primary email address. The primary attribute
MUST appear no more than once.", value 'true' MUST appear no more than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "phoneNumbers", "name" : "phoneNumbers",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "Phone numbers for the User. The value SHOULD "description" : "Phone numbers for the User. The value
be canonicalized by the Service Provider according to format in RFC3966 SHOULD be canonicalized by the service provider according to the
e.g., 'tel:+1-201-555-0123'. Canonical Type values of work, home, format specified in RFC 3966, e.g., 'tel:+1-201-555-0123'.
mobile, fax, pager and other.", Canonical type values of 'work', 'home', 'mobile', 'fax', 'pager',
and 'other'.",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Phone number of the User", "description" : "Phone number of the User.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable name, primarily used for "description" : "A human-readable name, primarily used
display purposes. READ-ONLY.", for display purposes. READ-ONLY.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A label indicating the attribute's "description" : "A label indicating the attribute's
function; e.g., 'work' or 'home' or 'mobile' etc.", function, e.g., 'work', 'home', 'mobile'.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [ "canonicalValues" : [
"work", "work",
"home", "home",
"mobile", "mobile",
"fax", "fax",
"pager", "pager",
"other" "other"
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary'
preferred attribute value for this attribute, e.g., the preferred phone or preferred attribute value for this attribute, e.g., the preferred
number or primary phone number. The primary attribute value 'true' MUST phone number or primary phone number. The primary attribute value
appear no more than once.", 'true' MUST appear no more than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "ims", "name" : "ims",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "Instant messaging addresses for the User.", "description" : "Instant messaging addresses for the User.",
"required" : false, "required" : false,
skipping to change at page 50, line 31 skipping to change at page 57, line 26
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable name, primarily used for "description" : "A human-readable name, primarily used
display purposes. READ-ONLY.", for display purposes. READ-ONLY.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A label indicating the attribute's "description" : "A label indicating the attribute's
function; e.g., 'aim', 'gtalk', 'mobile' etc.", function, e.g., 'aim', 'gtalk', 'xmpp'.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [ "canonicalValues" : [
"aim", "aim",
"gtalk", "gtalk",
"icq", "icq",
"xmpp", "xmpp",
"msn", "msn",
"skype", "skype",
"qq", "qq",
"yahoo" "yahoo"
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary'
preferred attribute value for this attribute, e.g., the preferred or preferred attribute value for this attribute, e.g., the preferred
messenger or primary messenger. The primary attribute value 'true' MUST messenger or primary messenger. The primary attribute value 'true'
appear no more than once.", MUST appear no more than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "photos", "name" : "photos",
skipping to change at page 51, line 51 skipping to change at page 59, line 27
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable name, primarily used for "description" : "A human-readable name, primarily used
for display purposes. READ-ONLY.",
display purposes. READ-ONLY.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A label indicating the attribute's "description" : "A label indicating the attribute's
function; e.g., 'photo' or 'thumbnail'.", function, i.e., 'photo' or 'thumbnail'.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [ "canonicalValues" : [
"photo", "photo",
"thumbnail" "thumbnail"
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary'
preferred attribute value for this attribute, e.g., the preferred photo or preferred attribute value for this attribute, e.g., the preferred
or thumbnail. The primary attribute value 'true' MUST appear no more photo or thumbnail. The primary attribute value 'true' MUST appear
than once.", no more than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "addresses", "name" : "addresses",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A physical mailing address for this User, as "description" : "A physical mailing address for this User.
described in (address Element). Canonical Type Values of work, home, and Canonical type values of 'work', 'home', and 'other'. This attribute
other. The value attribute is a complex type with the following is a complex type with the following sub-attributes.",
sub-attributes.",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "formatted", "name" : "formatted",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The full mailing address, formatted for "description" : "The full mailing address, formatted for
display or use with a mailing label. This attribute MAY contain display or use with a mailing label. This attribute MAY contain
newlines.", newlines.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "streetAddress", "name" : "streetAddress",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The full street address component, which "description" : "The full street address component,
may include house number, street name, PO BOX, and multi-line extended which may include house number, street name, P.O. box, and multi-line
street address information. This attribute MAY contain newlines.", extended street address information. This attribute MAY contain
newlines.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "locality", "name" : "locality",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
skipping to change at page 54, line 4 skipping to change at page 62, line 14
{ {
"name" : "region", "name" : "region",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The state or region component.", "description" : "The state or region component.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "postalCode", "name" : "postalCode",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The zipcode or postal code component.", "description" : "The zip code or postal code component.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "country", "name" : "country",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
skipping to change at page 54, line 33 skipping to change at page 63, line 9
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A label indicating the attribute's "description" : "A label indicating the attribute's
function; e.g., 'work' or 'home'.", function, e.g., 'work' or 'home'.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [ "canonicalValues" : [
"work", "work",
"home", "home",
"other" "other"
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "groups", "name" : "groups",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A list of groups that the user belongs to, "description" : "A list of groups to which the user belongs,
either thorough direct membership, nested groups, or dynamically either through direct membership, through nested groups, or
calculated", dynamically calculated.",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The identifier of the User's group.", "description" : "The identifier of the User's group.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
skipping to change at page 55, line 29 skipping to change at page 64, line 12
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "reference", "type" : "reference",
"referenceTypes" : [ "referenceTypes" : [
"User", "User",
"Group" "Group"
], ],
"multiValued" : false, "multiValued" : false,
"description" : "The URI of the corresponding Group "description" : "The URI of the corresponding 'Group'
resource to which the user belongs", resource to which the user belongs.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable name, primarily used "description" : "A human-readable name, primarily used
for display purposes. READ-ONLY.", for display purposes. READ-ONLY.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A label indicating the attribute's "description" : "A label indicating the attribute's
function; e.g., 'direct' or 'indirect'.", function, e.g., 'direct' or 'indirect'.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [ "canonicalValues" : [
"direct", "direct",
"indirect" "indirect"
], ],
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
skipping to change at page 56, line 44 skipping to change at page 65, line 27
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable name, primarily used "description" : "A human-readable name, primarily used
for display purposes. READ-ONLY.", for display purposes. READ-ONLY.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
skipping to change at page 57, line 20 skipping to change at page 66, line 8
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary'
preferred attribute value for this attribute. The primary attribute or preferred attribute value for this attribute. The primary
value 'true' MUST appear no more than once.", attribute value 'true' MUST appear no more than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "roles", "name" : "roles",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A list of roles for the User that collectively "description" : "A list of roles for the User that
represent who the User is; e.g., 'Student', 'Faculty'.", collectively represent who the User is, e.g., 'Student', 'Faculty'.",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The value of a role.", "description" : "The value of a role.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable name, primarily used for "description" : "A human-readable name, primarily used
display purposes. READ-ONLY.", for display purposes. READ-ONLY.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
skipping to change at page 58, line 31 skipping to change at page 67, line 21
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [], "canonicalValues" : [],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary'
preferred attribute value for this attribute. The primary attribute or preferred attribute value for this attribute. The primary
value 'true' MUST appear no more than once.", attribute value 'true' MUST appear no more than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "x509Certificates", "name" : "x509Certificates",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A list of certificates issued to the User.", "description" : "A list of certificates issued to the User.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "binary", "type" : "binary",
"multiValued" : false, "multiValued" : false,
"description" : "The value of a X509 certificate.", "description" : "The value of an X.509 certificate.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "display", "name" : "display",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable name, primarily used "description" : "A human-readable name, primarily used
for display purposes. READ-ONLY.", for display purposes. READ-ONLY.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
skipping to change at page 59, line 42 skipping to change at page 68, line 33
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [], "canonicalValues" : [],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "primary", "name" : "primary",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value indicating the 'primary' or "description" : "A Boolean value indicating the 'primary'
preferred attribute value for this attribute. The primary attribute or preferred attribute value for this attribute. The primary
value 'true' MUST appear no more than once.", attribute value 'true' MUST appear no more than once.",
"required" : false, "required" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default" "returned" : "default"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User" "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
} }
}, },
{ {
"id" : "urn:ietf:params:scim:schemas:core:2.0:Group", "id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
skipping to change at page 60, line 22 skipping to change at page 69, line 13
}, },
{ {
"id" : "urn:ietf:params:scim:schemas:core:2.0:Group", "id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
"name" : "Group", "name" : "Group",
"description" : "Group", "description" : "Group",
"attributes" : [ "attributes" : [
{ {
"name" : "displayName", "name" : "displayName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Human readable name for the Group. REQUIRED.", "description" : "A human-readable name for the Group.
REQUIRED.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "members", "name" : "members",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
skipping to change at page 61, line 4 skipping to change at page 70, line 10
"mutability" : "immutable", "mutability" : "immutable",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "reference", "type" : "reference",
"referenceTypes" : [ "referenceTypes" : [
"User", "User",
"Group" "Group"
], ],
"multiValued" : false, "multiValued" : false,
"description" : "The URI of the corresponding to the member "description" : "The URI corresponding to a SCIM resource
resource of this Group.", that is a member of this Group.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "immutable", "mutability" : "immutable",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A label indicating the type of resource; "description" : "A label indicating the type of resource,
e.g., 'User' or 'Group'.", e.g., 'User' or 'Group'.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"canonicalValues" : [ "canonicalValues" : [
"User", "User",
"Group" "Group"
], ],
"mutability" : "immutable", "mutability" : "immutable",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
skipping to change at page 61, line 51 skipping to change at page 71, line 13
}, },
{ {
"id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"name" : "EnterpriseUser", "name" : "EnterpriseUser",
"description" : "Enterprise User", "description" : "Enterprise User",
"attributes" : [ "attributes" : [
{ {
"name" : "employeeNumber", "name" : "employeeNumber",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Numeric or alphanumeric identifier assigned to "description" : "Numeric or alphanumeric identifier assigned
a person, typically based on order of hire or association with an to a person, typically based on order of hire or association with an
organization.", organization.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "costCenter", "name" : "costCenter",
"type" : "string", "type" : "string",
skipping to change at page 63, line 11 skipping to change at page 72, line 30
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "manager", "name" : "manager",
"type" : "complex", "type" : "complex",
"multiValued" : false, "multiValued" : false,
"description" : "The User's manager. A complex type that "description" : "The User's manager. A complex type that
optionally allows Service Providers to represent organizational optionally allows service providers to represent organizational
hierarchy by referencing the 'id' attribute of another User.", hierarchy by referencing the 'id' attribute of another User.",
"required" : false, "required" : false,
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The id of the SCIM resource representing "description" : "The id of the SCIM resource representing
the User's manager. REQUIRED.", the User's manager. REQUIRED.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "reference", "type" : "reference",
"referenceTypes" : [ "referenceTypes" : [
"User" "User"
], ],
"multiValued" : false, "multiValued" : false,
"description" : "The URI of the SCIM resource representing "description" : "The URI of the SCIM resource
the User's manager. REQUIRED.", representing the User's manager. REQUIRED.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "displayName", "name" : "displayName",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
skipping to change at page 64, line 24 skipping to change at page 74, line 7
"location" : "location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" "/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
} }
} }
] ]
Figure 9: Example JSON Representation for Resource Schema Figure 9: Example JSON Representation for Resource Schema
8.7.2. Service Provider Schema Representation 8.7.2. Service Provider Schema Representation
The following is a representation of the SCIM Schema for the fixed The following is a representation of the SCIM schema for the fixed
service provider schemas: ServiceProviderConfig, ResourceType, and service provider schemas: ServiceProviderConfig, ResourceType, and
Schema. Schema.
[ [
{ {
"id" : "id" :
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig", "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
"name" : "Service Provider Configuration", "name" : "Service Provider Configuration",
"description" : "Schema for representing the service provider's "description" : "Schema for representing the service provider's
configuration", configuration",
"attributes" : [ "attributes" : [
{ {
"name" : "documentationUri", "name" : "documentationUri",
"type" : "reference", "type" : "reference",
"referenceTypes" : ["external"], "referenceTypes" : ["external"],
"multiValued" : false, "multiValued" : false,
"description" : "An HTTP addressable URL pointing to the service "description" : "An HTTP-addressable URL pointing to the
provider's human consumable help documentation.", service provider's human-consumable help documentation.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "patch", "name" : "patch",
"type" : "complex", "type" : "complex",
"multiValued" : false, "multiValued" : false,
"description" : "A complex type that specifies PATCH "description" : "A complex type that specifies PATCH
configuration options.", configuration options.",
"required" : true, "required" : true,
"returned" : "default", "returned" : "default",
"mutability" : "readOnly", "mutability" : "readOnly",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "supported", "name" : "supported",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "Boolean value specifying whether the "description" : "A Boolean value specifying whether or not
operation is supported.", the operation is supported.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
} }
] ]
}, },
{ {
"name" : "bulk", "name" : "bulk",
"type" : "complex", "type" : "complex",
"multiValued" : false, "multiValued" : false,
"description" : "A complex type that specifies BULK "description" : "A complex type that specifies bulk
configuration options.", configuration options.",
"required" : true, "required" : true,
"returned" : "default", "returned" : "default",
"mutability" : "readOnly", "mutability" : "readOnly",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "supported", "name" : "supported",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "Boolean value specifying whether the "description" : "A Boolean value specifying whether or not
operation is supported.", the operation is supported.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "maxOperations", "name" : "maxOperations",
"type" : "integer", "type" : "integer",
"multiValued" : false, "multiValued" : false,
"description" : "An integer value specifying the maximum "description" : "An integer value specifying the maximum
number of operations.", number of operations.",
skipping to change at page 66, line 23 skipping to change at page 76, line 32
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
] ]
}, },
{ {
"name" : "filter", "name" : "filter",
"type" : "complex", "type" : "complex",
"multiValued" : false, "multiValued" : false,
"description" : "A complex type that specifies FILTER options.", "description" : "A complex type that specifies
FILTER options.",
"required" : true, "required" : true,
"returned" : "default", "returned" : "default",
"mutability" : "readOnly", "mutability" : "readOnly",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "supported", "name" : "supported",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "Boolean value specifying whether the "description" : "A Boolean value specifying whether or not
operation is supported.", the operation is supported.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "maxResults", "name" : "maxResults",
"type" : "integer", "type" : "integer",
"multiValued" : false, "multiValued" : false,
"description" : "Integer value specifying the maximum number "description" : "An integer value specifying the maximum
of resources returned in a response.", number of resources returned in a response.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
] ]
}, },
{ {
"name" : "changePassword", "name" : "changePassword",
"type" : "complex", "type" : "complex",
"multiValued" : false, "multiValued" : false,
"description" : "A complex type that specifies change password "description" : "A complex type that specifies configuration
options.", options related to changing a password.",
"required" : true, "required" : true,
"returned" : "default", "returned" : "default",
"mutability" : "readOnly", "mutability" : "readOnly",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "supported", "name" : "supported",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "Boolean value specifying whether the "description" : "A Boolean value specifying whether or not
operation is supported.", the operation is supported.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
} }
] ]
}, },
{ {
"name" : "sort", "name" : "sort",
"type" : "complex", "type" : "complex",
"multiValued" : false, "multiValued" : false,
"description" : "A complex type that specifies sort result "description" : "A complex type that specifies sort result
options.", options.",
"required" : true, "required" : true,
"returned" : "default", "returned" : "default",
"mutability" : "readOnly", "mutability" : "readOnly",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "supported", "name" : "supported",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "Boolean value specifying whether the "description" : "A Boolean value specifying whether or not
operation is supported.", the operation is supported.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
} }
] ]
}, },
{ {
"name" : "authenticationSchemes", "name" : "authenticationSchemes",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A complex type that specifies supported "description" : "A complex type that specifies supported
Authentication Scheme properties.", authentication scheme properties.",
"required" : true, "required" : true,
"returned" : "default", "returned" : "default",
"mutability" : "readOnly", "mutability" : "readOnly",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "name", "name" : "name",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The common authentication scheme name; "description" : "The common authentication scheme name,
e.g., HTTP Basic.", e.g., HTTP Basic.",
"required" : true, "required" : true,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "description", "name" : "description",
"type" : "string", "type" : "string",
skipping to change at page 68, line 38 skipping to change at page 79, line 21
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "specUri", "name" : "specUri",
"type" : "reference", "type" : "reference",
"referenceTypes" : ["external"], "referenceTypes" : ["external"],
"multiValued" : false, "multiValued" : false,
"description" : "An HTTP addressable URL pointing to the "description" : "An HTTP-addressable URL pointing to the
Authentication Scheme's specification.", authentication scheme's specification.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "documentationUri", "name" : "documentationUri",
"type" : "reference", "type" : "reference",
"referenceTypes" : ["external"], "referenceTypes" : ["external"],
"multiValued" : false, "multiValued" : false,
"description" : "An HTTP addressable URL pointing to the "description" : "An HTTP-addressable URL pointing to the
Authentication Scheme's usage documentation.", authentication scheme's usage documentation.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
] ]
} }
] ]
}, },
{ {
"id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType", "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
"name" : "ResourceType", "name" : "ResourceType",
"description" : "Specifies the schema that describes a SCIM Resource "description" : "Specifies the schema that describes a SCIM
Type", resource type",
"attributes" : [ "attributes" : [
{ {
"name" : "id", "name" : "id",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The resource type's server unique id. May be "description" : "The resource type's server unique id.
the same as the 'name' attribute.", May be the same as the 'name' attribute.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "name", "name" : "name",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The resource type name. When applicable service "description" : "The resource type name. When applicable,
providers MUST specify the name specified in the core schema service providers MUST specify the name, e.g., 'User'.",
specification; e.g., User",
"required" : true, "required" : true,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "description", "name" : "description",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The resource type's human readable description. "description" : "The resource type's human-readable
When applicable service providers MUST specify the description description. When applicable, service providers MUST
specified in the core schema specification.", specify the description.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "endpoint", "name" : "endpoint",
"type" : "reference", "type" : "reference",
"referenceTypes" : ["uri"], "referenceTypes" : ["uri"],
"multiValued" : false, "multiValued" : false,
"description" : "The resource type's HTTP addressable endpoint "description" : "The resource type's HTTP-addressable
relative to the Base URL; e.g., /Users", endpoint relative to the Base URL, e.g., '/Users'.",
"required" : true, "required" : true,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "schema", "name" : "schema",
"type" : "reference", "type" : "reference",
"referenceTypes" : ["uri"], "referenceTypes" : ["uri"],
"multiValued" : false, "multiValued" : false,
"description" : "The resource types primary/base schema URI", "description" : "The resource type's primary/base schema
URI.",
"required" : true, "required" : true,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "schemaExtensions", "name" : "schemaExtensions",
"type" : "complex", "type" : "complex",
"multiValued" : false, "multiValued" : false,
"description" : "A list of URIs of the resource type's schema "description" : "A list of URIs of the resource type's schema
extensions", extensions.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "schema", "name" : "schema",
"type" : "reference", "type" : "reference",
"referenceTypes" : ["uri"], "referenceTypes" : ["uri"],
"multiValued" : false, "multiValued" : false,
"description" : "The URI of a schema extension.", "description" : "The URI of a schema extension.",
"required" : true, "required" : true,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "required", "name" : "required",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A Boolean value that specifies whether the "description" : "A Boolean value that specifies whether
schema extension is required for the resource type. If or not the schema extension is required for the
true, a resource of this type MUST include this schema resource type. If true, a resource of this type MUST
extension and include any attributes declared as required include this schema extension and also include any
in this schema extension. If false, a resource of this attributes declared as required in this schema extension.
type MAY omit this schema extension.", If false, a resource of this type MAY omit this schema
extension.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
} }
] ]
} }
] ]
}, },
{ {
"id" : "urn:ietf:params:scim:schemas:core:2.0:Schema", "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema",
"name" : "Schema", "name" : "Schema",
"description" : "Specifies the schema that describes a SCIM Schema", "description" : "Specifies the schema that describes a
SCIM schema",
"attributes" : [ "attributes" : [
{ {
"name" : "id", "name" : "id",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The unique URI of the schema. When applicable "description" : "The unique URI of the schema.
service providers MUST specify the URI specified in the core When applicable, service providers MUST specify the URI.",
schema specification",
"required" : true, "required" : true,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "name", "name" : "name",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The schema's human readable name. When "description" : "The schema's human-readable name. When
applicable service providers MUST specify the name specified applicable, service providers MUST specify the name,
in the core schema specification; e.g., User", e.g., 'User'.",
"required" : true, "required" : true,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "description", "name" : "description",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The schema's human readable name. When "description" : "The schema's human-readable name. When
applicable service providers MUST specify the name specified applicable, service providers MUST specify the name,
in the core schema specification; e.g., User", e.g., 'User'.",
"required" : false, "required" : false,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "attributes", "name" : "attributes",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "A complex attribute that includes the "description" : "A complex attribute that includes the
attributes of a schema", attributes of a schema.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "name", "name" : "name",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The attribute's name", "description" : "The attribute's name.",
"required" : true, "required" : true,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The attribute's data type. Valid values "description" : "The attribute's data type.
include: 'string', 'complex', 'boolean', 'decimal', Valid values include 'string', 'complex', 'boolean',
'integer', 'dateTime', 'reference'. ", 'decimal', 'integer', 'dateTime', 'reference'.",
"required" : true, "required" : true,
"canonicalValues" : [ "canonicalValues" : [
"string", "string",
"complex", "complex",
"boolean", "boolean",
"decimal", "decimal",
"integer", "integer",
"dateTime", "dateTime",
"reference" "reference"
], ],
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "multiValued", "name" : "multiValued",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "Boolean indicating an attribute's "description" : "A Boolean value indicating an
plurality.", attribute's plurality.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "description", "name" : "description",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable description of the "description" : "A human-readable description of the
attribute.", attribute.",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "required", "name" : "required",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A boolean indicating if the attribute "description" : "A boolean value indicating whether or
is required.", not the attribute is required.",
"required" : false, "required" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "canonicalValues", "name" : "canonicalValues",
"type" : "string", "type" : "string",
"multiValued" : true, "multiValued" : true,
"description" : "A collection of canonical values. When "description" : "A collection of canonical values. When
applicable service providers MUST specify the canonical applicable, service providers MUST specify the
types specified in the core schema specification; e.g., canonical types, e.g., 'work', 'home'.",
'work', 'home'.",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "caseExact", "name" : "caseExact",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "Indicates if a string attribute is "description" : "A Boolean value indicating whether or
case-sensitive.", not a string attribute is case sensitive.",
"required" : false, "required" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "mutability", "name" : "mutability",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Indicates if an attribute is modifiable.", "description" : "Indicates whether or not an attribute
is modifiable.",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none", "uniqueness" : "none",
"canonicalValues" : [ "canonicalValues" : [
"readOnly", "readOnly",
"readWrite", "readWrite",
"immutable", "immutable",
"writeOnly" "writeOnly"
] ]
}, },
{ {
"name" : "returned", "name" : "returned",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Indicates when an attribute is returned in "description" : "Indicates when an attribute is returned
a response (e.g., to a query).", in a response (e.g., to a query).",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none", "uniqueness" : "none",
"canonicalValues" : [ "canonicalValues" : [
"always", "always",
"never", "never",
"default", "default",
"request" "request"
skipping to change at page 75, line 35 skipping to change at page 87, line 25
"none", "none",
"server", "server",
"global" "global"
] ]
}, },
{ {
"name" : "referenceTypes", "name" : "referenceTypes",
"type" : "string", "type" : "string",
"multiValued" : true, "multiValued" : true,
"description" : "Used only with an attribute of type "description" : "Used only with an attribute of type
'reference'. Specifies a SCIM resourceType that a 'reference'. Specifies a SCIM resourceType that a
reference attribute MAY refer to. e.g., User", reference attribute MAY refer to, e.g., 'User'.",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "subAttributes", "name" : "subAttributes",
"type" : "complex", "type" : "complex",
"multiValued" : true, "multiValued" : true,
"description" : "Used to define the sub-attributes of a "description" : "Used to define the sub-attributes of a
complex attribute", complex attribute.",
"required" : false, "required" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "name", "name" : "name",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The attribute's name", "description" : "The attribute's name.",
"required" : true, "required" : true,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "type", "name" : "type",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "The attribute's data type. Valid values "description" : "The attribute's data type.
include: 'string', 'complex', 'boolean', 'decimal', Valid values include 'string', 'complex', 'boolean',
'integer', 'dateTime', 'reference'. ", 'decimal', 'integer', 'dateTime', 'reference'.",
"required" : true, "required" : true,
"caseExact" : false, "caseExact" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none", "uniqueness" : "none",
"canonicalValues" : [ "canonicalValues" : [
"string", "string",
"complex", "complex",
"boolean", "boolean",
"decimal", "decimal",
"integer", "integer",
"dateTime", "dateTime",
"reference" "reference"
] ]
}, },
{ {
"name" : "multiValued", "name" : "multiValued",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "Boolean indicating an attribute's "description" : "A Boolean value indicating an
plurality.", attribute's plurality.",
"required" : true, "required" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "description", "name" : "description",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "A human readable description of the "description" : "A human-readable description of the
attribute.", attribute.",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "required", "name" : "required",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "A boolean indicating if the attribute "description" : "A boolean value indicating whether or
is required.", not the attribute is required.",
"required" : false, "required" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "canonicalValues", "name" : "canonicalValues",
"type" : "string", "type" : "string",
"multiValued" : true, "multiValued" : true,
"description" : "A collection of canonical values. When "description" : "A collection of canonical values. When
applicable service providers MUST specify the applicable, service providers MUST specify the
canonical types specified in the core schema canonical types, e.g., 'work', 'home'.",
specification; e.g., 'work', 'home'.",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "caseExact", "name" : "caseExact",
"type" : "boolean", "type" : "boolean",
"multiValued" : false, "multiValued" : false,
"description" : "Indicates if a string attribute is "description" : "A Boolean value indicating whether or
case-sensitive.", not a string attribute is case sensitive.",
"required" : false, "required" : false,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default" "returned" : "default"
}, },
{ {
"name" : "mutability", "name" : "mutability",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Indicates if an attribute is "description" : "Indicates whether or not an
modifiable.", attribute is modifiable.",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none", "uniqueness" : "none",
"canonicalValues" : [ "canonicalValues" : [
"readOnly", "readOnly",
"readWrite", "readWrite",
"immutable", "immutable",
"writeOnly" "writeOnly"
skipping to change at page 79, line 7 skipping to change at page 91, line 25
"none", "none",
"server", "server",
"global" "global"
] ]
}, },
{ {
"name" : "referenceTypes", "name" : "referenceTypes",
"type" : "string", "type" : "string",
"multiValued" : false, "multiValued" : false,
"description" : "Used only with an attribute of type "description" : "Used only with an attribute of type
'reference'. Specifies a SCIM resourceType that a 'reference'. Specifies a SCIM resourceType that a
reference attribute MAY refer to. e.g., 'User'", reference attribute MAY refer to, e.g., 'User'.",
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
] ]
} }
] ]
} }
] ]
} }
] ]
Figure 10: Representation of Fixed ServiceProvider Endpoint Schemas Figure 10: Representation of Fixed Service Provider Endpoint Schemas
9. Security Considerations 9. Security Considerations
9.1. Protocol 9.1. Protocol
SCIM data is intended to be exchanged using SCIM Protocol. It is SCIM data is intended to be exchanged using the SCIM protocol. It is
important when handling data to implement the security considerations important when handling data to implement the security considerations
outlined in Section 7 of [I-D.ietf-scim-api]. outlined in Section 7 of [RFC7644].
9.2. Password and Other Sensitive Security Data 9.2. Passwords and Other Sensitive Security Data
Passwords and other attributes related to security credentials are of Passwords and other attributes related to security credentials are of
extreme sensitive nature and require special handling when an extremely sensitive nature and require special handling when
transmitted or stored. While SCIM Protocol uses clear-text passwords transmitted or stored. While the SCIM protocol uses cleartext
for setting and equality testing purposes, password values MUST NOT passwords for value assignment and equality-testing purposes,
be stored in clear-text form. password values MUST NOT be stored in cleartext form.
Administrators should undertake industry best practices to protect Administrators should undertake industry best practices to protect
the storage of credentials and in particular SHOULD follow the storage of credentials and in particular SHOULD follow
recommendations outlines in Section 5.1.4.1 [RFC6819]. These recommendations outlined in Section 5.1.4.1 of [RFC6819]. These
requirements include but are not limited to: requirements include, but are not limited to, the following:
o Provide injection attack counter measures (e.g., by validating all o Provide injection attack countermeasures (e.g., by validating all
inputs and parameters), inputs and parameters);
o No cleartext storage of credentials, o Credentials should not be stored in cleartext form;
o Store credentials using an encrypted protection mechanism (e.g.
hashing), and o Store credentials using an encrypted protection mechanism (e.g.,
hashing); and
o Where possible, avoid passwords as the sole form of o Where possible, avoid passwords as the sole form of
authentication, and consider use of asymmetric cryptography based authentication, and consider using credentials that are based on
credentials. asymmetric cryptography.
9.3. Privacy 9.3. Privacy
The SCIM Core schema defines attributes that are sensitive and may be The SCIM core schema defines attributes that are sensitive and may be
considered personally identifying information (PII). These privacy considered personally identifying information (PII). These privacy
considerations should be considered for extensions as well as the considerations should be considered for extensions as well as the
schema defined in this specification. schema defined in this specification.
For the purposes of this specification personally identifying For the purposes of this specification, PII is defined as any
information is defined as any attribute that may be used as a unique attribute that may be used as a unique key to identify a person
key to identify a person (e.g., User). Since other information may (e.g., "User"). Since other information may be used in combination
be used in combination to identify an individual, all attributes in to identify an individual, all attributes in SCIM are considered
SCIM are considered "sensitive" personal information. Consult "sensitive" personal information. Consult regional jurisdictions to
regional jurisdictions to see if there are special considerations for see if there are special considerations for the handling of personal
the handling of personal and PII information. information (e.g., PII).
Information should be shared on an as-needed basis. A SCIM client Information should be shared on an as-needed basis. A SCIM client
should limit information to what it believes a service provider should limit information to what it believes a service provider
requires, and a SCIM service provider, should only accept information requires, and a SCIM service provider should only accept information
it needs. Clients and service providers should take into it needs. Clients and service providers should take into
consideration that personal information is being conveyed across consideration that personal information is being conveyed across
technical (e.g., protocol and applications), administrative (e.g. technical (e.g., protocol and applications), administrative (e.g.,
organizational, corporate), and jurisdictional boundaries. In organizational, corporate), and jurisdictional boundaries. In
particular information security and privacy must be considered. particular, information security and privacy must be considered.
Security service level agreements for the handling of these Security service level agreements for the handling of these
attributes are beyond the scope of this document, but are to be attributes are beyond the scope of this document but are to be
carefully considered by implementers and deploying organizations. carefully considered by implementers and deploying organizations.
Please see the Privacy Considerations section of [I-D.ietf-scim-api], Please see the Privacy Considerations section of [RFC7644] for more
for more protocol specific considerations for handling of SCIM protocol-specific considerations regarding the handling of SCIM
information. information.
SCIM defines attributes such as "id" and "externalId" and SCIM SCIM defines attributes such as "id", "externalId", and SCIM resource
resource URIs which causes new PII information to be generated which URIs, which cause new PII to be generated; this information is
is important to the way SCIM protocol identifies and locates important to the way that the SCIM protocol identifies and locates
resources. Where possible, it is suggested that service providers resources. Where possible, it is suggested that service providers
take the following remediations: take the following remediations:
o Where possible, assign and bind identifiers to specific tenants o Where possible, assign and bind identifiers to specific tenants
and/or clients. When multiple tenants are able to reference the and/or clients. When multiple tenants are able to reference the
same resource, they should do so via separate identifiers (id or same resource, they should do so via separate identifiers (id or
externalId). This ensures that separate domains linked to the externalId). This ensures that separate domains linked to the
same information can not perform identifier correlation. same information cannot perform identifier correlation.
o In the case of "externalId", if multiple values are supported, use o In the case of "externalId", if multiple values are supported, use
access control to restrict access to the client domain that access control to restrict access to the client domain that
assigned the "externalId" value. assigned the "externalId" value.
o Ensure that access to data is appropriately restricted to o Ensure that access to data is appropriately restricted to
authorized parties with a need-to-know. authorized parties with a "need to know".
o When persisted, the appropriate protection mechanisms are in place o When persisted, ensure that the appropriate protection mechanisms
to restrict access by unauthorized parties including are in place to restrict access by unauthorized parties, including
administrators or parties with access to backup data. administrators or parties with access to backup data.
10. IANA Considerations 10. IANA Considerations
10.1. Registration of SCIM URN Sub-namespace & SCIM Registry 10.1. Registration of SCIM URN Sub-namespace and SCIM Registry
IANA is requested to add an entry to the 'IETF URN Sub-namespace for IANA has added an entry to the "IETF URN Sub-namespace for Registered
Registered Protocol Parameter Identifiers' registry and create a sub- Protocol Parameter Identifiers" registry and created a sub-namespace
namespace for the Registered Parameter Identifier as per [RFC3553]: for the Registered Parameter Identifier as per [RFC3553]:
"urn:ietf:params:scim". "urn:ietf:params:scim".
To manage this sub-namespace, IANA is requested to create the "SCIM" To manage this sub-namespace, IANA has created the "System for
Registry which shall be used to manage entries within the Cross-domain Identity Management (SCIM) Schema URIs" registry, which
"urn:ietf:params:scim" namespace. The registry description is as is used to manage entries within the "urn:ietf:params:scim"
follows: namespace. The registry description is as follows:
o Registry name: SCIM o Registry name: SCIM
o Specification: [this document] o Specification: this document (RFC 7643)
o Repository: [see Section 10.2] o Repository: See Section 10.2
o Index value: values [see Section 10.2] o Index value: See Section 10.2
10.2. URN Sub-Namespace for SCIM 10.2. URN Sub-namespace for SCIM
SCIM schemas and SCIM messages utilize URIs to identify the schema in SCIM schemas and SCIM messages utilize URIs to identify the schema in
use or other relevant context. This section creates and registers an use or other relevant context. This section creates and registers an
IETF URN Sub-namespace for use in the SCIM specifications and future IETF URN Sub-namespace for use in the SCIM specifications and future
extensions. extensions.
10.2.1. Specification Template 10.2.1. Specification Template
Namespace ID: Namespace ID:
The Namespace ID "scim" is requested. The Namespace ID "scim" has been assigned.
Registration Information: Registration Information:
Version: 1 Version: 1
Date: [[insert final submission date]] Date: 2015-06-22
Declared registrant of the namespace: Declared registrant of the namespace:
Registering organization Registering organization
The Internet Engineering Task Force The Internet Engineering Task Force
Designated contact Designated contact
A designated expert will monitor the SCIM public mailing list, A designated expert will monitor the SCIM public mailing list,
"scim@ietf.org". "scim@ietf.org".
Declaration of Syntactic Structure: Declaration of Syntactic Structure:
The Namespace Specific String (NSS) of all URNs that use the The Namespace Specific String (NSS) of all URNs that use the
"scim" NID shall have the following structure: "scim" Namespace ID shall have the following structure:
urn:ietf:params:scim:{type}:{name}{:other} urn:ietf:params:scim:{type}:{name}{:other}
The keywords have the following meaning: The keywords have the following meaning:
type type
The entity type which is either "schemas" or "api". The entity type, which is either "schemas" or "api".
name name
A required US-ASCII string that conforms to the URN syntax A required US-ASCII string that conforms to the URN syntax
requirements (see [RFC2141] ) and defines a major namespace of requirements (see [RFC2141]) and defines a major namespace of a
a schema used within SCIM (e.g., "core", which is reserved for schema used within SCIM (e.g., "core", which is reserved for
SCIM specifications). The value MAY also be an industry name SCIM specifications). The value MAY also be an industry name
or organization name. or organization name.
other other
Any US-ASCII string that conforms to the URN syntax Any US-ASCII string that conforms to the URN syntax
requirements (see [RFC2141] ) and defines the sub-namespace requirements (see [RFC2141]) and defines the sub-namespace
(which MAY be further broken down in namespaces delimited by (which MAY be further broken down in namespaces delimited by
colons) as needed to uniquely identify a schema. colons) as needed to uniquely identify a schema.
Relevant Ancillary Documentation: Relevant Ancillary Documentation:
None None
Identifier Uniqueness Considerations: Identifier Uniqueness Considerations:
The designated contact shall be responsible for reviewing and The designated contact shall be responsible for reviewing and
enforcing uniqueness. enforcing uniqueness.
Identifier Persistence Considerations: Identifier Persistence Considerations:
Once a name has been allocated it MUST NOT be re-allocated for a Once a name has been allocated, it MUST NOT be reallocated for a
different purpose. The rules provided for assignments of values different purpose. The rules provided for assignments of values
within a sub-namespace MUST be constructed so that the meaning of within a sub-namespace MUST be constructed so that the meanings of
values cannot change. This registration mechanism is not values cannot change. This registration mechanism is not
appropriate for naming values whose meaning may change over time. appropriate for naming values whose meanings may change over time.
As the SCIM specifications are updated and the SCIM protocol As the SCIM specifications are updated and the SCIM protocol
version is adjusted, a new registration will be made when version is adjusted, a new registration will be made when
significant changes are made. Example, significant changes are made -- for example,
"urn:ietf:params:scim:schemas:core:1.0 (externally defined, not "urn:ietf:params:scim:schemas:core:1.0 (externally defined, not
previously registered)" and previously registered)" and
"urn:ietf:params:scim:schemas:core:2.0". "urn:ietf:params:scim:schemas:core:2.0".
Process of Identifier Assignment: Process of Identifier Assignment:
Identifiers with namespace type "schema" (e.g., Identifiers with namespace type "schema" (e.g.,
"urn:ietf:params:scim:schemas" ) are assigned after the review of "urn:ietf:params:scim:schemas") are assigned after the review of
the assigned contact via the SCIM public mailing list, the assigned contact via the SCIM public mailing list,
"scim@ietf.org" as documented in Section 10.3. "scim@ietf.org", as documented in Section 10.3.
Namespaces with type "api" (e.g., "urn:ietf:params:scim:api") and Namespaces with type "api" (e.g., "urn:ietf:params:scim:api") and
"param" (e.g., "urn:ietf:params:scim:param" ) are reserved for "param" (e.g., "urn:ietf:params:scim:param") are reserved for
IETF approved SCIM specifications. IETF-approved SCIM specifications.
Process of Identifier Resolution: Process of Identifier Resolution:
The namespace is not currently listed with a Resolution Discovery The namespace is not currently listed with a Resolution Discovery
System (RDS), but nothing about the namespace prohibits the future System (RDS), but nothing about the namespace prohibits the future
definition of appropriate resolution methods or listing with an definition of appropriate resolution methods or listing with an
RDS. RDS.
Rules for Lexical Equivalence: Rules for Lexical Equivalence:
skipping to change at page 84, line 10 skipping to change at page 97, line 20
None specified. None specified.
Scope: Scope:
Global. Global.
10.3. Registering SCIM Schemas 10.3. Registering SCIM Schemas
This section defines the process for registering new SCIM schemas This section defines the process for registering new SCIM schemas
with IANA in the "SCIM" registry (see Section 10.1). A schema URI is with IANA in the "System for Cross-domain Identity Management (SCIM)
used as a value in the schemas attribute (Section 3) for the purpose Schema URIs" registry (see Section 10.1). A schema URI is used as a
of distinguishing extensions used in a SCIM resource. value in the "schemas" attribute (Section 3) for the purpose of
distinguishing extensions used in a SCIM resource.
10.3.1. Registration Procedure 10.3.1. Registration Procedure
The IETF has created a mailing list, scim@ietf.org, which can be used The IETF has created a mailing list, scim@ietf.org, which can be used
for public discussion of SCIM schema proposals prior to registration. for public discussion of SCIM schema proposals prior to registration.
Use of the mailing list is strongly encouraged. The IESG has Use of the mailing list is strongly encouraged. The IESG has
appointed a designated expert who will monitor the scim@ietf.org appointed a designated expert [RFC5226] who will monitor the
mailing list and review registrations. scim@ietf.org mailing list and review registrations.
Registration of new "core" (e.g. in the namespace Registration of new "core" schemas (e.g., in the namespace
"urn:ietf:params:scim:schemas:core") and "API" schemas (e.g., in the "urn:ietf:params:scim:schemas:core") and "API" schemas (e.g., in the
namespace "urn:ietf:params:scim:api") MUST be reviewed by the namespace "urn:ietf:params:scim:api") MUST be reviewed by the
designated expert and published in an RFC. An RFC is REQUIRED for designated expert and published in an RFC. An RFC is REQUIRED for
the registration of new value data types that modify existing the registration of new value data types that modify existing
properties. An RFC is also REQUIRED for registration of SCIM schema properties. An RFC is also REQUIRED for registration of SCIM schema
URIs that modify SCIM schema previously documented in a existing RFC. URIs that modify SCIM schema previously documented in an existing
URN's within the "urn:ietf:params:scim", but outside the above RFC. URNs within "urn:ietf:params:scim" but outside the above
namespaces MAY be registered with a simple review (e.g. check for namespaces MAY be registered with a simple review (e.g., check for
SPAM) by the designated expert on a first-come-first-served basis. spam) by the designated expert on a first-come-first-served basis.
The registration procedure begins when a completed registration The registration procedure begins when a completed registration
template, defined in the sections below, is sent to scim@ietf.org and template, defined in the sections below, is sent to scim@ietf.org and
iana@iana.org. Within two weeks, the designated expert is expected iana@iana.org. Within two weeks, the designated expert is expected
to tell IANA and the submitter of the registration whether the to tell IANA and the submitter of the registration whether the
registration is approved, approved with minor changes, or rejected registration is approved, approved with minor changes, or rejected
with cause. When a registration is rejected with cause, it can be with cause. When a registration is rejected with cause, it can be
re-submitted if the concerns listed in the cause are addressed. resubmitted if the concerns listed in the cause are addressed.
Decisions made by the designated expert can be appealed to the IESG Decisions made by the designated expert can be appealed to the IESG
Applications Area Director, then to the IESG. They follow the normal Applications Area Director, then to the IESG. They follow the normal
appeals procedure for IESG decisions. appeals procedure for IESG decisions.
Once the registration procedure concludes successfully, IANA creates Once the registration procedure concludes successfully, IANA creates
or modifies the corresponding record in the SCIM schema registry. or modifies the corresponding record in the SCIM schema registry.
The completed registration template is discarded. The completed registration template is discarded.
An RFC specifying new schema URI MUST include the completed An RFC specifying one or more new schema URIs MUST include the
registration templates, which MAY be expanded with additional completed registration templates, which MAY be expanded with
information. These completed templates are intended to go in the additional information. These completed templates are intended to go
body of the document, not in the IANA Considerations section. The in the body of the document, not in the IANA Considerations section.
RFC SHOULD include any attributes defined. The RFC SHOULD include any attributes defined.
10.3.2. Schema Registration Template 10.3.2. Schema Registration Template
A SCIM schema URI is defined by completing the following template: A SCIM schema URI is defined by completing the following template:
Schema URI: Schema URI: A unique URI for the SCIM schema extension. Schema URI: A unique URI for the SCIM schema extension.
Schema Name: A descriptive name of the schema extension (e.g., Schema Name: A descriptive name of the schema extension (e.g.,
Generic Device) "Generic Device").
Intended or Associated Resource Type: A value defining the resource Intended or Associated Resource Type: A value defining the resource
type (e.g., "Device"). type (e.g., "Device").
Purpose: A description of the purpose of the extension and/or its Purpose: A description of the purpose of the extension and/or its
intended use. intended use.
Single-value Attributes: A list and description of single-valued Single-value Attributes: A list and description of single-valued
attributes defined including complex attributes. attributes defined, including complex attributes.
Multi-valued Attributes: A list and description of multi-valued Multi-valued Attributes: A list and description of multi-valued
attributes defined including complex attributes. attributes defined, including complex attributes.
10.4. Initial SCIM Schema Registry 10.4. Initial SCIM Schema Registry
The IANA is requested to populate the "SCIM" registry with the The IANA has populated the "System for Cross-domain Identity
following registries for SCIM schema URIs with pointers to Management (SCIM) Schema URIs" registry with the following registries
appropriate reference documents. Note: the Schema URI broken into for SCIM schema URIs, with pointers to appropriate reference
two lines for readability. documents. Note: The schema URIs listed below are broken into two
lines for readability.
+-----------------------------------+-----------------+-------------+ +-----------------------------------+-----------------+-------------+
| Schema URI | Name | Reference | | Schema URI | Name | Reference |
+-----------------------------------+-----------------+-------------+ +-----------------------------------+-----------------+-------------+
| urn:ietf:params:scim:schemas: | User Resource | See Section | | urn:ietf:params:scim:schemas: | User Resource | See Section |
| core:2.0:User | | 4.1 | | core:2.0:User | | 4.1 |
| | | |
| urn:ietf:params:scim:schemas: | Enterprise User | See Section | | urn:ietf:params:scim:schemas: | Enterprise User | See Section |
| extension:enterprise:2.0:User | Extension | 4.3 | | extension:enterprise:2.0:User | Extension | 4.3 |
| | | |
| urn:ietf:params:scim:schemas: | Group Resource | See Section | | urn:ietf:params:scim:schemas: | Group Resource | See Section |
| core:2.0:Group | | 4.2 | | core:2.0:Group | | 4.2 |
+-----------------------------------+-----------------+-------------+ +-----------------------------------+-----------------+-------------+
SCIM Schema URIs for Data Resources SCIM Schema URIs for Data Resources
+-----------------------------------+-------------------+-----------+ +-----------------------------------+-------------------+-----------+
| Schema URI | Name | Reference | | Schema URI | Name | Reference |
+-----------------------------------+-------------------+-----------+ +-----------------------------------+-------------------+-----------+
| urn:ietf:params:scim:schemas: | Service Provider | See | | urn:ietf:params:scim:schemas: | Service Provider | See |
| core:2.0:ServiceProviderConfig | Configuration | Section 5 | | core:2.0:ServiceProviderConfig | Configuration | Section 5 |
| | Schema | | | | Schema | |
| | | |
| urn:ietf:params:scim:schemas: | Resource Type | See | | urn:ietf:params:scim:schemas: | Resource Type | See |
| core:2.0:ResourceType | Config | Section 6 | | core:2.0:ResourceType | Configuration | Section 6 |
| | | |
| urn:ietf:params:scim:schemas: | Schema | See | | urn:ietf:params:scim:schemas: | Schema | See |
| core:2.0:Schema | Definitions | Section 7 | | core:2.0:Schema | Definitions | Section 7 |
| | Schema | | | | Schema | |
+-----------------------------------+-------------------+-----------+ +-----------------------------------+-------------------+-----------+
SCIM Server Related Schema URIs SCIM Server-Related Schema URIs
11. References 11. References
11.1. Normative References 11.1. Normative References
[I-D.ietf-scim-api]
Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C.
Mortimore, "System for Cross-Domain Identity Management:
Protocol", draft-ietf-scim-api-19 (work in progress), May
2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997. [RFC2141] Moats, R., "URN Syntax", RFC 2141, DOI 10.17487/RFC2141,
May 1997, <http://www.rfc-editor.org/info/rfc2141>.
[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An [RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne,
IETF URN Sub-namespace for Registered Protocol "An IETF URN Sub-namespace for Registered Protocol
Parameters", BCP 73, RFC 3553, June 2003. Parameters", BCP 73, RFC 3553, DOI 10.17487/RFC3553,
June 2003, <http://www.rfc-editor.org/info/rfc3553>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of
10646", STD 63, RFC 3629, November 2003. ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629,
November 2003, <http://www.rfc-editor.org/info/rfc3629>.
[RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers",
3966, December 2004. RFC 3966, DOI 10.17487/RFC3966, December 2004,
<http://www.rfc-editor.org/info/rfc3966>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC Resource Identifier (URI): Generic Syntax", STD 66,
3986, January 2005. RFC 3986, DOI 10.17487/RFC3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>.
[RFC4647] Phillips, A. and M. Davis, "Matching of Language Tags", [RFC4647] Phillips, A. and M. Davis, "Matching of Language Tags",
BCP 47, RFC 4647, September 2006. BCP 47, RFC 4647, DOI 10.17487/RFC4647, September 2006,
<http://www.rfc-editor.org/info/rfc4647>.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<http://www.rfc-editor.org/info/rfc4648>.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for
Specifications: ABNF", STD 68, RFC 5234, January 2008. Syntax Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/ RFC5234, January 2008,
<http://www.rfc-editor.org/info/rfc5234>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008. (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<http://www.rfc-editor.org/info/rfc5280>.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
October 2008. DOI 10.17487/RFC5321, October 2008,
<http://www.rfc-editor.org/info/rfc5321>.
[RFC5646] Phillips, A. and M. Davis, "Tags for Identifying [RFC5646] Phillips, A., Ed., and M. Davis, Ed., "Tags for
Languages", BCP 47, RFC 5646, September 2009. Identifying Languages", BCP 47, RFC 5646,
DOI 10.17487/RFC5646, September 2009,
<http://www.rfc-editor.org/info/rfc5646>.
[RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the
Time Zone Database", BCP 175, RFC 6557, February 2012. Time Zone Database", BCP 175, RFC 6557,
DOI 10.17487/RFC6557, February 2012,
<http://www.rfc-editor.org/info/rfc6557>.
[RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, March 2014. Interchange Format", RFC 7159, DOI 10.17487/RFC7159,
March 2014, <http://www.rfc-editor.org/info/rfc7159>.
[RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol [RFC7231] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
(HTTP/1.1): Semantics and Content", RFC 7231, June 2014. Transfer Protocol (HTTP/1.1): Semantics and Content",
RFC 7231, DOI 10.17487/RFC7231, June 2014,
<http://www.rfc-editor.org/info/rfc7231>.
[RFC7232] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol [RFC7232] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
(HTTP/1.1): Conditional Requests", RFC 7232, June 2014. Transfer Protocol (HTTP/1.1): Conditional Requests",
RFC 7232, DOI 10.17487/RFC7232, June 2014,
<http://www.rfc-editor.org/info/rfc7232>.
[RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
and C. Mortimore, "System for Cross-domain Identity
Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
September 2015, <http://www.rfc-editor.org/info/rfc7644>.
11.2. Informative References 11.2. Informative References
[ISO3166] "ISO 3166:1988 (E/F) - Codes for the representation of [ISO3166] International Organization for Standardization, "Codes for
names of countries - The International Organization for the representation of names of countries and their
Standardization, 3rd edition", 08 1988. subdivisions - Part 1: Country codes", ISO 3166-1:2013,
November 2013, <http://www.iso.org>.
[Olson-TZ] [Olson-TZ] Internet Assigned Numbers Authority, "IANA Time Zone
Internet Assigned Numbers Authority, "IANA Time Zone Database", <https://www.iana.org/time-zones>.
Database".
[PortableContacts] [PortableContacts]
Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only", Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only",
August 2008. August 2008,
<http://www.portablecontacts.net/draft-spec.html>.
[RFC2277] Alvestrand, H., "IETF Policy on Character Sets and [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
Languages", BCP 18, RFC 2277, January 1998. Languages", BCP 18, RFC 2277, DOI 10.17487/RFC2277,
January 1998, <http://www.rfc-editor.org/info/rfc2277>.
[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol [RFC4512] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
(LDAP): Directory Information Models", RFC 4512, June (LDAP): Directory Information Models", RFC 4512,
2006. DOI 10.17487/RFC4512, June 2006,
<http://www.rfc-editor.org/info/rfc4512>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
[RFC6350] Perreault, S., "vCard Format Specification", RFC 6350, [RFC6350] Perreault, S., "vCard Format Specification", RFC 6350,
August 2011. DOI 10.17487/RFC6350, August 2011,
<http://www.rfc-editor.org/info/rfc6350>.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
6749, October 2012. RFC 6749, DOI 10.17487/RFC6749, October 2012,
<http://www.rfc-editor.org/info/rfc6749>.
[RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0 [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819, Threat Model and Security Considerations", RFC 6819,
January 2013. DOI 10.17487/RFC6819, January 2013,
<http://www.rfc-editor.org/info/rfc6819>.
[XML-Schema] [XML-Schema]
Peterson, D., Gao, S., Malhotra, A., Sperberg-McQueen, C., Peterson, D., Gao, S., Malhotra, A., Sperberg-McQueen, C.,
and H. Thompson, "XML Schema Definition Language (XSD) 1.1 and H. Thompson, "XML Schema Definition Language (XSD) 1.1
Part 2: Datatypes", April 2012. Part 2: Datatypes", April 2012,
<http://www.w3.org/TR/xmlschema11-2/>.
Appendix A. Acknowledgements Acknowledgements
The editors would like to acknowledge the contribution and work of The editor would like to acknowledge the contribution and work of the
the past draft editors: editors of draft versions of this document:
Chuck Mortimore, Salesforce Chuck Mortimore, Salesforce
Patrick Harding, Ping Patrick Harding, Ping
Paul Madsen, Ping Paul Madsen, Ping
Trey Drake, UnboundID Trey Drake, UnboundID
The SCIM Community would like to thank the following people for the The SCIM Community would like to thank the following people for the
skipping to change at page 88, line 51 skipping to change at page 103, line 32
Morteza Ansari (morteza.ansari@cisco.com) Morteza Ansari (morteza.ansari@cisco.com)
Sidharth Choudhury (schoudhury@salesforce.com) Sidharth Choudhury (schoudhury@salesforce.com)
Samuel Erdtman (samuel@erdtman.se) Samuel Erdtman (samuel@erdtman.se)
Kelly Grizzle (kelly.grizzle@sailpoint.com) Kelly Grizzle (kelly.grizzle@sailpoint.com)
Chris Phillips (cjphillips@gmail.com) Chris Phillips (cjphillips@gmail.com)
Erik Wahlstroem (erik@wahlstromstekniska.se) Erik Wahlstroem (erik.wahlstrom@nexusgroup.com)
Phil Hunt (phil.hunt@yahoo.com) Phil Hunt (phil.hunt@yahoo.com)
Special thanks to Joeseph Smarr, who's excellent work on the Portable Special thanks to Joseph Smarr, whose excellent work on the Portable
Contacts Specification [PortableContacts] provided a basis for the Contacts Specification [PortableContacts] provided a basis for the
SCIM schema structure and text. SCIM schema structure and text.
Appendix B. Change Log
[[This section to be removed prior to publication as an RFC]]
Draft 02 - KG - Addition of schema extensibility
Draft 03 - PH - Revisions based on following tickets:
09 - Attribute uniquenes
10 - Returnability of attributes
35 - Attribute mutability (replaces readOnly)
52 - Minor textual changes
53 - Standard use of term client (some was consumer)
56 - Make manager attribute consistent with other $ref attrs
58 - Add optional id to ResourceType objects for consistency
59 - Fix capitalization per IETF editor practices
60 - Changed <eref> tags to normal <xref> and <reference> tags
Draft 04 - PH - Revisions based on the following tickets:
43 - Drop short-hand notation for complex multi-valued attributes
61 - Specify attribute name limitations
62 - Fix 'mutability' normative language
63 - Fix incorrect EnterpriseUser schema reference
68 - Update JSON references from RFC4627 to RFC7159
71 - Made corrections to language tags in compliance with BCP47 /
RFC5646
Draft 05 - PH - Revisions based on the following tickets
23 - Clarified that the server is not required to preserve case
for case insensitive strings
41 - Add IANA considerations
72 - Added text to indicate UTF-8 is default and mandatory
encoding format per BCP18
- Typo corrections and removed some redundant text
Draft 06 - PH - Revisions based on the following tickets
63 - Corrected enterprise user URI in 14.2 and section 7, URI
namespace changes due to ticket #41
66 - Updated reference to final HTTP/1.1 drafts (RFC 7230)
41 - Add IANA considerations
- Removed redundant text (e.g., SAML binding, replaced REST with
HTTP)
- Reordered introduction, definitions and notation sections to
follow typical format
- meta.attributes removed due to new PURGE command in draft 04 (no
longer used)
Draft 07 - PH - Edits and revisions
- Dropped use of the term API in favour of HTTP protocol or just
protocol.
- Clarified meaning of null and unassigned
Draft 08 - PH - Revised IANA namespace to urn:ietf:params:scim per
RFC3553
Draft 09 - PH - Editorial revisions and clarifications
Removed duplicate text from Schema Schema section
Removed "operation" attribute from Multi-valued Attribute sub-
attribute definitions. This was used in the old PATCH command and
is no longer valid.
Revised some layout to make indentation and definition of
attributes more clear (added vspace elements)
Draft 10 - PH - Editorial revisions
Simplified namespace definition for urn:ietf:params:scim
Clarified "schemas" attribute as representing the JSON body schema
in an HTTP Req/Resp
Reduced use of confusing term "core" in "Core User" and "Core
Group"
Added clarifications and security considerations for externalId
Re-worded descriptions SCIM schema extension model (sec 3) and
core schema (sec 4) for improved clarity
Draft 11 - PH - Clarification to definition of externalId
Draft 12 - PH - Nits / Corrections
Corrected use of RFC2119 words (e.g., MUST not to MUST NOT)
Corrected JSON examples to be 72 characters or less per line
Corrected enterprise User manager attribute to use sub-attribute
value and make multi-valued
Corrected sec 8.7, make members multi-valued in JSON
Added missing definition for subattributes in sec 7, Schema
Definition
Draft 13 - PH - Correctings NITS to externalId example and clarified
phoneNumber & emails canonicalization
Draft 14 - PH - Nits / Corrections
Corrected JSON structure for example Schema (removed outer {}
around array of schemas).
Added example Group resource type to example of resource types in
JSON
Draft 15 - PH - Corrected schema in sec 7 to use defined types from
sec 2.1
Draft 16 - PH - Corrected photo.value from "type":"binary" to
"type":"reference" (should be a URL)
Draft 17 - PH - Changes as follows:
Updated reference for XML-Schema to the 5 April 2012 XML Schema
1.1 draft
Added clarifications on attribute characteristics and Schema usage
Added schema in section 8.7 for Schema, ServiceProviderConfig, and
ResourceType
Fixed nit in service provider config.
Clarified binary attribute may be base 64 or base 64 url encoding
per RFC4648. x509certificates are now base64 encoded.
Clarified x509certificates values are DER certificates that are
then base64 encoded
Corrected "reference" attribute to use the "referenceTypes" meta-
attribute that says what type of reference an attribute is.
Draft 18 - PH - Comments from GenART and IANA review
General Edits and Nits after Gen-ART and IANA review
Add references to SCIM API protocol document where appropriate
Added clarifications and privacy considerations to security
considerations
Clarified IANA section to create new "SCIM" registry
Removed out-of-date "readOnly" attribute from Group schema
(replaced a long time ago by "mutability").
Draft 19 - PH - Comments from IESG review
Additional Gen-Art edits (type canonicalization, moved attribute
types section, etc
Added clarification on password use of clear text and hashing
Clarified statements about sensitive and PII data
Updated references to SCIM Protocol sections
Made capitalization of 'client' and 'service provider' terms
consistent (lower case)
Corrected schema and examples to have singluar value for manager
attribute
Draft 20 - PH - Additional clarification on multi-hop/3rd party, and
small nit in section 1.1
Draft 21 - PH - IESG feedback from draft 20 (Ben, Stephen, Benoit)
Reduced use of normative MAY for statements of fact
Corrected MAYs that were intended to imply MUST or SHALL (e.g.
TLS MUST be used).
Added notation definition for REQUIRED and OPTIONAL
Redefined Integer so as not to conflict with decimal
Clarified a reference URI must be a valid HTTP addressable URI
Clarified attribute characteristics for meta attribute
Dropped use of "real" in definition of name as no real name policy
was implied.
Re-worded/improved readability of password definition
At request of Stephen Farrell, clarified x509certificate values
contain only one certificate.
Other typos and nits
Draft 22 - PH - Clarified sub-attribute definition of Group "members"
attribute
Authors' Addresses Authors' Addresses
Phil Hunt (editor) Phil Hunt (editor)
Oracle Corporation Oracle Corporation
Email: phil.hunt@yahoo.com Email: phil.hunt@yahoo.com
Kelly Grizzle Kelly Grizzle
SailPoint SailPoint
 End of changes. 439 change blocks. 
1238 lines changed or deleted 1088 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/