draft-ietf-scim-use-cases-04.txt   draft-ietf-scim-use-cases-05.txt 
SCIM WG P. Hunt SCIM WG P. Hunt
Internet-Draft Oracle Internet-Draft Oracle
Intended status: Informational B. Khasnabish Intended status: Informational B. Khasnabish
Expires: September 7, 2015 ZTE USA,Inc. Expires: September 25, 2015 ZTE USA,Inc.
A. Nadalin A. Nadalin
Microsoft Microsoft
K. Li K. LI, Ed.
Alibaba Group Alibaba Group
Z. Zeltsan Z. Zeltsan
Individual Individual
March 6, 2015 March 24, 2015
SCIM Use Cases System for Cross-domain Identity Management (SCIM) Definitions,
draft-ietf-scim-use-cases-04 Overview, and Flows
draft-ietf-scim-use-cases-05
Abstract Abstract
This document lists the user scenarios and use cases of System for This document provides definitions and an overview of the System for
Cross-domain Identity Management (SCIM). Cross-domain Identity Management (SCIM). It lays out the system's
models and flows, and includes user scenarios, use cases, and
requirements.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 7, 2015. This Internet-Draft will expire on September 25, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
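Review bot: the author block changes "K. Li" to "K. LI, Ed.", leaving the surname in all caps while the other authors (Hunt, Khasnabish, Nadalin, Zeltsan) stay in mixed case; keep "K. Li, Ed." and match the Authors' Addresses entry. Also "ZTE USA,Inc." lacks a space after the comma in both versions.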
skipping to change at page 2, line 34 skipping to change at page 2, line 37
2.3.3. CSP->CSP - Delete Identity (Push) . . . . . . . . . . 8 2.3.3. CSP->CSP - Delete Identity (Push) . . . . . . . . . . 8
2.3.4. CSP->CSP - SSO Trigger (Push) . . . . . . . . . . . . 8 2.3.4. CSP->CSP - SSO Trigger (Push) . . . . . . . . . . . . 8
2.3.5. CSP->CSP - SSO Trigger (Pull) . . . . . . . . . . . . 8 2.3.5. CSP->CSP - SSO Trigger (Pull) . . . . . . . . . . . . 8
2.3.6. CSP->CSP - Password Reset (Push) . . . . . . . . . . 9 2.3.6. CSP->CSP - Password Reset (Push) . . . . . . . . . . 9
2.4. Enterprise Cloud Subscriber to Cloud Service Provider 2.4. Enterprise Cloud Subscriber to Cloud Service Provider
Flows(ECS->CSP) . . . . . . . . . . . . . . . . . . . . . 9 Flows(ECS->CSP) . . . . . . . . . . . . . . . . . . . . . 9
2.4.1. ECS->CSP - Create Identity (Push) . . . . . . . . . . 9 2.4.1. ECS->CSP - Create Identity (Push) . . . . . . . . . . 9
2.4.2. ECS ->CSP - Update Identity (Push) . . . . . . . . . 9 2.4.2. ECS ->CSP - Update Identity (Push) . . . . . . . . . 9
2.4.3. ECS ->CSP - Delete Identity (Push) . . . . . . . . . 9 2.4.3. ECS ->CSP - Delete Identity (Push) . . . . . . . . . 9
2.4.4. ECS ->CSP - SSO Pull . . . . . . . . . . . . . . . . 10 2.4.4. ECS ->CSP - SSO Pull . . . . . . . . . . . . . . . . 10
3. SCIM use cases . . . . . . . . . . . . . . . . . . . . . . . 10 3. SCIM Use Cases . . . . . . . . . . . . . . . . . . . . . . . 10
3.1. Change of the ownership of a file . . . . . . . . . . . . 10 3.1. Change of the ownership of a file . . . . . . . . . . . . 10
3.2. Migration of the identities . . . . . . . . . . . . . . . 11 3.2. Migration of the identities . . . . . . . . . . . . . . . 11
3.3. Single Sign-On (SSO) Service . . . . . . . . . . . . . . 12 3.3. Single Sign-On (SSO) Service . . . . . . . . . . . . . . 12
3.4. Provisioning of the user accounts for a Community of 3.4. Provisioning of the user accounts for a Community of
Interest (CoI) . . . . . . . . . . . . . . . . . . . . . 13 Interest (CoI) . . . . . . . . . . . . . . . . . . . . . 13
3.5. Transfer of attributes to a relying party web site . . . 14 3.5. Transfer of attributes to a relying party web site . . . 14
3.6. Change notification . . . . . . . . . . . . . . . . . . . 15 3.6. Change notification . . . . . . . . . . . . . . . . . . . 15
4. Security considerations . . . . . . . . . . . . . . . . . . . 16 4. Security considerations . . . . . . . . . . . . . . . . . . . 16
5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 16 5. IANA considerations . . . . . . . . . . . . . . . . . . . . . 16
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 17
7.1. Normative References . . . . . . . . . . . . . . . . . . 17 7.1. Normative References . . . . . . . . . . . . . . . . . . 17
7.2. Informative References . . . . . . . . . . . . . . . . . 17 7.2. Informative References . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
This document describes the SCIM scenarios and use cases. It also This document provides the SCIM definitions, models, flows, scenarios
provides a list of the requirements derived from the use cases. The and use cases. It also provides a list of the requirements derived
document's objective is to help with understanding of the design and from the use cases. The document's objective is to help with
applicability of SCIM schema [I-D.ietf-scim-core-schema] and SCIM understanding of the design and applicability of SCIM schema
protocol [I-D.ietf-scim-api]. [I-D.ietf-scim-core-schema] and SCIM protocol [I-D.ietf-scim-api].
The following section provides the abbreviated descriptions of the
scenarios and use cases.
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] when they document are to be interpreted as described in [RFC2119] when they
appear in ALL CAPS. These words may also appear in this document in appear in ALL CAPS. These words may also appear in this document in
lower case as plain English words, absent their normative meanings. lower case as plain English words, absent their normative meanings.
Here is a list of acronyms and abbreviations used in this document: Here is a list of acronyms and abbreviations used in this document:
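Review bot: the Table of Contents capitalizes the Section 3 heading to "SCIM Use Cases" while the sibling entries remain sentence case ("4. Security considerations", "5. IANA considerations", "3.1. Change of the ownership of a file", "3.6. Change notification"); pick one convention for all headings. The "ECS ->CSP" spelling in 2.4.2 through 2.4.4 also differs from "ECS->CSP" in 2.4.1 and "CSP->CSP" in 2.3.x. In the Introduction, the new wording "provides the SCIM definitions, models, flows, scenarios and use cases" matches the new title, but the deleted sentence "The following section provides the abbreviated descriptions of the scenarios and use cases" was the only text telling the reader what comes next; consider keeping a one-line roadmap.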
skipping to change at page 10, line 18 skipping to change at page 10, line 18
2.4.4. ECS ->CSP - SSO Pull 2.4.4. ECS ->CSP - SSO Pull
In this scenario an Enterprise Cloud Subscriber (ECS-1) maintains a In this scenario an Enterprise Cloud Subscriber (ECS-1) maintains a
service with a Cloud Service Provider (CSP-1). No accounts are service with a Cloud Service Provider (CSP-1). No accounts are
created or exchanged in advance. However, rather than pre- created or exchanged in advance. However, rather than pre-
provisioning accounts from ECS-1 to CSP-1, CSP-1 waits for a service provisioning accounts from ECS-1 to CSP-1, CSP-1 waits for a service
access request from the Cloud Service User (CSU-1) under the control access request from the Cloud Service User (CSU-1) under the control
domain of ECS-1, before issuing an account Pull request to ECS-1. domain of ECS-1, before issuing an account Pull request to ECS-1.
3. SCIM use cases 3. SCIM Use Cases
This section lists the SCIM use cases. This section lists the SCIM use cases.
3.1. Change of the ownership of a file 3.1. Change of the ownership of a file
Description: Description:
Bob - an employee of the company SomeEnterprise - creates a file, Bob - an employee of the company SomeEnterprise - creates a file,
which is located at the cloud provided by SomeCSP. After Bob leaves which is located at the cloud provided by SomeCSP. After Bob leaves
SomeEnterprise, SomeCSP on a request from SomeEnterprise terminates SomeEnterprise, SomeCSP on a request from SomeEnterprise terminates
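Review bot: the SSO Pull description in 2.4.4 (unchanged in this revision apart from the heading case) says CSP-1 waits for a service access request from CSU-1 "under the control domain of ECS-1" before issuing an account Pull request to ECS-1, but it does not say how CSP-1 establishes that CSU-1 actually belongs to ECS-1's domain, nor that the Pull request to ECS-1 is itself authenticated and authorized before ECS-1 releases account data. Since this revision removes the authentication and authorization sentence from Section 4, a sentence here, or a pointer to the protocol's security considerations, would close that gap.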
skipping to change at page 16, line 34 skipping to change at page 16, line 34
interest. interest.
Requirements: Requirements:
B must be able at an appropriate time to subsequently contact B must be able at an appropriate time to subsequently contact
directory service A and retrieve just the subset of changes of directory service A and retrieve just the subset of changes of
interest to B. interest to B.
4. Security considerations 4. Security considerations
Authentication and authorization must be guaranteed for the SCIM
operations, to ensure that only authenticated entity can perform the
SCIM requests and the requested SCIM operations are authorized.
SCIM resources (e.g., Users and Groups) can contain sensitive SCIM resources (e.g., Users and Groups) can contain sensitive
information. Therefore, authentication and authorization must be information. Thus, data confidentiality MUST be guaranteed at the
guaranteed for the SCIM operations. transport layer.
Also, private information of the SCIM resources must be kept Detailed security considerations are specified in section 7 of SCIM
confidential and protected. protocol [I-D.ietf-scim-api] and section 9 of SCIM schema
[I-D.ietf-scim-core-schema].
5. IANA considerations 5. IANA considerations
This Internet Draft includes no request to IANA. This Internet Draft includes no request to IANA.
6. Acknowledgements 6. Acknowledgements
Authors would like to thank Ray Counterman, Richard Fiekowsky and Authors would like to thank Ray Counterman, Richard Fiekowsky, Bert
Bert Greevenbosch for their reviews and comments. Greevenbosch, Barry Leiba, Kelly Grizzle, Dapeng Liu and Jun Li for
their reviews and comments.
Also thanks to Darran Rolls and Patrick Harding, the SCIM user Also thanks to Darran Rolls and Patrick Harding, the SCIM user
scenarios section is taken from them. scenarios section is taken from them.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
7.2. Informative References 7.2. Informative References
[I-D.ietf-scim-api] [I-D.ietf-scim-api]
Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C. Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C.
Mortimore, "System for Cross-Domain Identity Management: Mortimore, "System for Cross-Domain Identity Management:
Protocol", draft-ietf-scim-api-15 (work in progress), Protocol", draft-ietf-scim-api-16 (work in progress),
February 2015. March 2015.
[I-D.ietf-scim-core-schema] [I-D.ietf-scim-core-schema]
Hunt, P., Grizzle, K., Wahlstroem, E., and C. Mortimore, Hunt, P., Grizzle, K., Wahlstroem, E., and C. Mortimore,
"System for Cross-Domain Identity Management: Core "System for Cross-Domain Identity Management: Core
Schema", draft-ietf-scim-core-schema-17 (work in Schema", draft-ietf-scim-core-schema-17 (work in
progress), March 2015. progress), March 2015.
Authors' Addresses Authors' Addresses
Phil Hunt Phil Hunt
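Review bot: the rewritten Section 4 drops the explicit requirement from -04 that "authentication and authorization must be guaranteed for the SCIM operations" (stated twice in the old text) and keeps only transport-layer confidentiality plus a pointer to the protocol and schema drafts. The use cases this document defines depend on that property; for example, the 3.6 requirement that B retrieve from directory service A "just the subset of changes of interest to B" presumes A can authenticate B and limit what it returns. Suggest retaining one sentence on authentication and authorization of SCIM requests next to the reference. The new paragraph also uses ALL CAPS "MUST" while the requirement in 3.6 uses lowercase "must"; Section 1.1 assigns these different meanings, so be deliberate about which is intended. Finally, the text cites "section 7 of" [I-D.ietf-scim-api] and "section 9 of" [I-D.ietf-scim-core-schema] while the same revision bumps the API reference from draft-15 to draft-16; verify the section numbers against the versions cited, and expect them to shift again when the drafts become RFCs.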
skipping to change at page 17, line 38 skipping to change at page 18, line 4
Phil Hunt Phil Hunt
Oracle Oracle
Email: phil.hunt@oracle.com Email: phil.hunt@oracle.com
Bhumip Khasnabish Bhumip Khasnabish
ZTE USA,Inc. ZTE USA,Inc.
Phone: +001-781-752-8003 Phone: +001-781-752-8003
Email: vumip1@gmail.com, bhumip.khasnabish@zteusa.com Email: vumip1@gmail.com, bhumip.khasnabish@zteusa.com
Anthony Nadalin Anthony Nadalin
Microsoft Microsoft
Email: tonynad@microsoft.com Email: tonynad@microsoft.com
Kepeng LI
Kepeng LI (editor)
Alibaba Group Alibaba Group
Wenyixi Road, Yuhang District Wenyixi Road, Yuhang District
Hangzhou, Zhejiang 311121 Hangzhou, Zhejiang 311121
China China
Email: kepeng.lkp@alibaba-inc.com Email: kepeng.lkp@alibaba-inc.com
Zachary Zeltsan Zachary Zeltsan
Individual Individual
 End of changes. 17 change blocks. 
29 lines changed or deleted 35 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/