
System for Cross-Domain Identity Management: Core Schema
draft-ietf-scim-core-schema-11

The information below is for an old version of the document.
Document type: This is an older version of an Internet-Draft that was ultimately published as RFC 7643.
Authors: Phil Hunt, Kelly Grizzle, Erik Wahlstroem, Chuck Mortimore
Last updated: 2014-10-09 (Latest revision 2014-10-06)
Replaces: draft-scim-core-schema
RFC stream: Internet Engineering Task Force (IETF)
WG state: In WG Last Call
IESG state: Became RFC 7643 (Proposed Standard)
Hunt, et al.              Expires April 9, 2015                [Page 54]
Internet-Draft          draft-scim-core-schema-11           October 2014

            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "displayName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The displayName of the User's manager.  OPTIONAL and READ-ONLY.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }
    ],
    "meta" : {
      "resourceType" : "Schema",
      "created" : "2010-01-23T04:56:22Z",
      "lastModified" : "2014-02-04T00:00:00Z",
      "version" : "W/\"3694e05e9dff596\"",
      "location" : "https://example.com/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    }
  }
]}

                Figure 9: Example Schema JSON Representation

9.  Security Considerations

   The SCIM Core schema defines attributes that MAY contain personally
   identifiable information as well as other sensitive data.  Aside from
   prohibiting password values in a SCIM response this specification
   does not provide any means or guarantee of confidentiality.

   Attributes such as "id" and "externalId" are of particular concern
   because, as URIs that uniquely map to Users, they are themselves
   personally identifiable information.  Where possible, it is
   suggested that service providers take the following remediations:

   o  Assign and bind identifiers to specific tenants and/or clients.
      When multiple tenants are able to reference the same resource,
      they should do so via separate identifiers (id or externalId).
      This ensures that separate domains linked to the same information
      cannot perform identifier correlation.

   o  In the case of "externalId", if multiple values are supported, use
      access control to restrict access to the client domain that
      assigned the "externalId" value.

   o  Ensure that access to data is appropriately restricted to
      authorized parties with a need-to-know.

   o  When data is persisted, ensure that appropriate protection
      mechanisms are in place to restrict access by unauthorized
      parties, including administrators and parties with access to
      backup data.
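
   The first two remediations above, identifier binding and per-client
   externalId visibility, as an added Python example that is not part
   of the draft and not code from any SCIM implementation: an in-memory
   service-provider store that mints an unrelated opaque "id" for each
   client that references the same underlying resource, returns an
   "externalId" only to the client that assigned it, and omits the
   password attribute from every response.  The class and function
   names, the client identifiers and the sample user are constructed
   for this example.

```python
"""Per-client identifier binding for a SCIM service provider.

Added example for this page; not code from the draft or from any SCIM
implementation.  The client identifiers, the store design and the sample
user below are constructed."""
import secrets


class TenantScopedStore:
    """In-memory resource store whose public identifiers are bound to the
    client (tenant) that uses them."""

    def __init__(self):
        self._resources = {}     # internal_ref -> attributes; never exposed
        self._ids = {}           # (client_id, public_id) -> internal_ref
        self._external_ids = {}  # (client_id, internal_ref) -> externalId

    def create(self, attrs):
        """Store a resource and return its internal reference."""
        internal_ref = secrets.token_hex(16)
        self._resources[internal_ref] = dict(attrs)
        return internal_ref

    def link(self, client_id, internal_ref):
        """Mint a fresh "id" for this client.  Clients that reference the
        same resource receive unrelated random ids, so a value seen in one
        domain cannot be correlated with a value seen in another."""
        if internal_ref not in self._resources:
            raise KeyError("unknown resource")
        public_id = secrets.token_urlsafe(16)
        self._ids[(client_id, public_id)] = internal_ref
        return public_id

    def _resolve(self, client_id, public_id):
        # The lookup key includes the client, so an id minted for another
        # client is indistinguishable from an id that never existed.
        try:
            return self._ids[(client_id, public_id)]
        except KeyError:
            raise KeyError("unknown id") from None

    def set_external_id(self, client_id, public_id, external_id):
        """Record an externalId under the client that assigned it."""
        internal_ref = self._resolve(client_id, public_id)
        self._external_ids[(client_id, internal_ref)] = external_id

    def get(self, client_id, public_id):
        """Return the client's view of the resource: its own id, only the
        externalId it assigned itself, and no password attribute."""
        internal_ref = self._resolve(client_id, public_id)
        view = {k: v for k, v in self._resources[internal_ref].items()
                if k != "password"}
        view["id"] = public_id
        external_id = self._external_ids.get((client_id, internal_ref))
        if external_id is not None:
            view["externalId"] = external_id
        return view


def demo():
    """Two clients reference one user.  Returns (view_a, view_b, blocked)
    where blocked is True when client B cannot use client A's id."""
    store = TenantScopedStore()
    # Constructed sample user; the password value is never returned.
    ref = store.create({"userName": "bjensen", "password": "constructed-secret"})
    id_a = store.link("client-a", ref)
    id_b = store.link("client-b", ref)
    store.set_external_id("client-a", id_a, "hr-system-701984")
    view_a = store.get("client-a", id_a)
    view_b = store.get("client-b", id_b)
    try:
        store.get("client-b", id_a)  # client B presenting client A's id
        blocked = False
    except KeyError:
        blocked = True
    return view_a, view_b, blocked


if __name__ == "__main__":
    a, b, blocked = demo()
    print("client-a view:", a)
    print("client-b view:", b)
    print("cross-client id rejected:", blocked)
```

   Running the module prints the two clients' views of the same user:
   the views share the userName but carry different "id" values, only
   client-a's view carries an "externalId", and client-b presenting
   client-a's id is rejected as an unknown identifier, so the identifier
   itself cannot serve as a cross-domain correlation handle.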

   It is important to note that these considerations are intentionally
   general in nature.  Considerations relative to the access protocol
   are out of scope of the core-schema document and are addressed in
   other SCIM specifications.

10.  IANA Considerations

10.1.  New Registration of SCIM URN Sub-namespace

   IANA has created a registry for new IETF URN sub-namespaces,
   "urn:ietf:params:scim:", per [RFC3553].  The registration request is
   as follows:

   Per [RFC3553], IANA has registered a new URN sub-namespace,
   "urn:ietf:params:scim".

   o  Registry name: scim

   o  Specification: [this document]

   o  Repository: [see Section 10.2]

   o  Index value: values [see Section 10.2]

10.2.  URN Sub-Namespace for SCIM

   SCIM schemas and SCIM messages utilize URIs to identify the schema in
   use or other relevant context.  This section creates and registers an
   IETF URN Sub-namespace for use in the SCIM specifications and future
   extensions.

10.2.1.  Specification Template

   Namespace ID:

      The Namespace ID "scim" is requested.

   Registration Information:

      Version: 1

      Date: [[insert final submission date]]

   Declared registrant of the namespace:

      Registering organization
         The Internet Engineering Task Force

      Designated contact
         A designated expert will monitor the SCIM public mailing list,
         "scim@ietf.org".

   Declaration of Syntactic Structure:

      The Namespace Specific String (NSS) of all URNs that use the
      "scim" NID shall have the following structure:

   urn:ietf:params:scim:{type}:{name}{:other}

      The keywords have the following meaning:

      type
         The entity type, which is either "schemas" or "api".

      name
         A required US-ASCII string that conforms to the URN syntax
         requirements (see [RFC2141]) and defines a major namespace of
         a schema used within SCIM (e.g. "core" in the case of SCIM Core
         Schema).  The value MAY also be an industry name or
         organization name.

      other
         Any US-ASCII string that conforms to the URN syntax
         requirements (see [RFC2141]) and defines the sub-namespace
         (which MAY be further broken down into namespaces delimited by
         colons) as needed to uniquely identify a schema.

   Relevant Ancillary Documentation:

      None

   Identifier Uniqueness Considerations:

      The designated contact shall be responsible for reviewing and
      enforcing uniqueness.

   Identifier Persistence Considerations:

      Once a name has been allocated it MUST NOT be re-allocated for a
      different purpose.  The rules provided for assignments of values
      within a sub-namespace MUST be constructed so that the meaning of
      values cannot change.  This registration mechanism is not
      appropriate for naming values whose meaning may change over time.

      As the SCIM specifications are updated and the SCIM protocol
      version is adjusted, a new registration will be made when
      significant changes are made.  For example,
      "urn:ietf:params:scim:schemas:core:1.0" (externally defined, not
      previously registered) and
      "urn:ietf:params:scim:schemas:core:2.0".

   Process of Identifier Assignment:

      Identifiers with namespace type "schemas" (e.g.
      "urn:ietf:params:scim:schemas") are assigned after review by
      the designated contact via the SCIM public mailing list,
      "scim@ietf.org", as documented in Section 10.3.

      Namespaces with type "api" (e.g. "urn:ietf:params:scim:api") are
      reserved for IETF-approved SCIM specifications.  Namespaces with
      type "param" are reserved for future use.

   Process of Identifier Resolution:

      The namespace is not currently listed with a Resolution Discovery
      System (RDS), but nothing about the namespace prohibits the future
      definition of appropriate resolution methods or listing with an
      RDS.

   Rules for Lexical Equivalence:

      No special considerations; the rules for lexical equivalence
      specified in [RFC2141] apply.
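
   The syntactic structure declared above and the lexical equivalence
   rule taken from [RFC2141], as an added Python example that is not
   part of the draft: a parser that splits a URN into its {type}, {name}
   and {:other} components, rejecting anything that is not US-ASCII,
   uses a type other than "schemas" or "api", or contains characters
   outside the RFC 2141 NSS character set, plus a normalizer that
   applies the RFC 2141 equivalence rules (case-insensitive "urn:" and
   NID, case-insensitive hex digits in %-escapes, case-sensitive
   remainder).  The function names and the URNs used for checking are
   constructed; the two "schemas:core:2.0" and
   "schemas:extension:enterprise:2.0" identifiers are the ones listed in
   this document.

```python
"""Parser and lexical-equivalence check for SCIM URNs.

Added example for this page, not code from the draft.  It implements the
structure urn:ietf:params:scim:{type}:{name}{:other} from the specification
template and the RFC 2141 character and equivalence rules it refers to.
Function names and the URNs exercised in checks are constructed."""
import re
from typing import NamedTuple

# One RFC 2141 <trans> character: alphanumeric, one of the <other>
# characters, or a %-escaped octet.  ':' is handled separately because it
# delimits the components of the SCIM sub-namespace.
_TRANS = r"(?:[A-Za-z0-9()+,\-.=@;$_!*']|%[0-9A-Fa-f]{2})"
_COMPONENT = re.compile(r"^" + _TRANS + r"+$")
_TYPES = ("schemas", "api")


class ScimUrn(NamedTuple):
    type: str      # "schemas" or "api"
    name: str      # major namespace, e.g. "core" or "extension"
    other: tuple   # further colon-delimited components, possibly empty


def parse_scim_urn(urn):
    """Split a SCIM URN into (type, name, other); raise ValueError if it
    does not follow the declared syntactic structure."""
    if not urn.isascii():
        raise ValueError("URN must be US-ASCII")
    parts = urn.split(":")
    if len(parts) < 6:
        raise ValueError("expected urn:ietf:params:scim:{type}:{name}")
    # "urn" and the NID "ietf" are case-insensitive (RFC 2141); the NSS
    # prefix "params:scim" is part of the case-sensitive NSS.
    if parts[0].lower() != "urn" or parts[1].lower() != "ietf":
        raise ValueError("not an IETF URN")
    if parts[2:4] != ["params", "scim"]:
        raise ValueError("not in the urn:ietf:params:scim sub-namespace")
    urn_type, name, *other = parts[4:]
    if urn_type not in _TYPES:
        raise ValueError(f"type must be one of {_TYPES}, got {urn_type!r}")
    for component in (name, *other):
        # Empty components (e.g. a doubled or trailing colon) fail here too.
        if not _COMPONENT.match(component):
            raise ValueError(f"invalid NSS component {component!r}")
    return ScimUrn(urn_type, name, tuple(other))


def is_valid_scim_urn(urn):
    """Boolean wrapper around parse_scim_urn for validation checks."""
    try:
        parse_scim_urn(urn)
        return True
    except ValueError:
        return False


def normalize(urn):
    """Canonical form for lexical equivalence (RFC 2141 Section 5): lower-case
    "urn:" and the NID, upper-case the hex digits of %-escapes, and leave the
    rest of the NSS untouched because it is case-sensitive."""
    scheme, nid, nss = urn.split(":", 2)
    nss = re.sub(r"%[0-9A-Fa-f]{2}", lambda m: m.group(0).upper(), nss)
    return f"{scheme.lower()}:{nid.lower()}:{nss}"


def lexically_equivalent(a, b):
    """True when two URNs name the same identifier under RFC 2141 rules."""
    return normalize(a) == normalize(b)


if __name__ == "__main__":
    for candidate in ("urn:ietf:params:scim:schemas:core:2.0",
                      "urn:ietf:params:scim:schemas:extension:enterprise:2.0",
                      "urn:ietf:params:scim:param:example"):
        print(candidate, "->", is_valid_scim_urn(candidate))
    print(lexically_equivalent("URN:IETF:params:scim:schemas:core:2.0",
                               "urn:ietf:params:scim:schemas:core:2.0"))
```

   A service provider comparing values of the "schemas" attribute
   against its registered identifiers should compare normalized forms
   rather than raw strings, otherwise an identifier written with
   "URN:IETF:" would be rejected even though RFC 2141 treats it as the
   same URN, while the case-sensitive remainder still keeps
   "core:2.0:User" and "core:2.0:user" distinct.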

   Conformance with URN Syntax:

      No special considerations.

   Validation Mechanism:

      None specified.

   Scope:

      Global.

10.2.2.  Pre-Registered SCIM Schema Identifiers

   The following SCIM Identifiers are defined:

   urn:ietf:params:scim:schemas:core:2.0

      SCIM Core Schema as specified in Section 4 and Section 10.4.

   urn:ietf:params:scim:schemas:extension:enterprise:2.0

      Enterprise schema extensions as defined in Section 4.3 and
      Section 10.4.

10.3.  Registering SCIM Schemas

   This section defines the process for registering new SCIM schemas
   with IANA.  A schema URI is used as a value in the schemas attribute
   (Section 3) for the purpose of distinguishing extensions used in a
   SCIM resource.

10.3.1.  Registration Procedure

   The IETF has created a mailing list, scim@ietf.org, which can be used
   for public discussion of SCIM schema proposals prior to registration.
   Use of the mailing list is strongly encouraged.  The IESG has
   appointed a designated expert who will monitor the scim@ietf.org
   mailing list and review registrations.

   Registration of new schemas MUST be reviewed by the designated expert
   and published in an RFC.  A Standards Track RFC is REQUIRED for the
   registration of new value data types that modify existing properties.
   A Standards Track RFC is also REQUIRED for registration of SCIM
   schema URIs that modify SCIM schema previously documented in a
   Standards Track RFC.

   The registration procedure begins when a completed registration
   template, defined in the sections below, is sent to scim@ietf.org and
   iana@iana.org.  Within two weeks, the designated expert is expected
   to tell IANA and the submitter of the registration whether the
   registration is approved, approved with minor changes, or rejected
   with cause.  When a registration is rejected with cause, it can be
   re-submitted if the concerns listed in the cause are addressed.
   Decisions made by the designated expert can be appealed to the IESG
   Applications Area Director, then to the IESG.  They follow the normal
   appeals procedure for IESG decisions.

   Once the registration procedure concludes successfully, IANA creates
   or modifies the corresponding record in the SCIM schema registry.
   The completed registration template is discarded.

   An RFC specifying a new schema URI MUST include the completed
   registration templates, which MAY be expanded with additional
   information.  These completed templates are intended to go in the
   body of the document, not in the IANA Considerations section.  The
   RFC SHOULD include any attributes defined.

10.3.2.  Schema Registration Template

   A SCIM schema URI is defined by completing the following template:

   Schema URI:  A unique URI for the SCIM schema extension.

   Schema Name:  A descriptive name of the schema extension (e.g.
      Generic Device)

   Intended or Associated Resource Type:  A value defining the resource
      type (e.g.  "Device").

   Purpose:  A description of the purpose of the extension and/or its
      intended use.

   Single-value Attributes:  A list and description of single-valued
      attributes defined including complex attributes.

   Multi-valued Attributes:  A list and description of multi-valued
      attributes defined including complex attributes.

10.4.  Initial SCIM Schema Registry

   The IANA has created and will maintain the following registries for
   SCIM schema URIs with pointers to appropriate reference documents.
   Note: each Schema URI is broken across two lines for readability.

   +-----------------------------------+-----------------+-------------+
   | Schema URI                        | Name            | Reference   |
   +-----------------------------------+-----------------+-------------+
   | urn:ietf:params:scim:schemas:     | User Resource   | See Section |
   | core:2.0:User                     |                 | 4.1         |
   | urn:ietf:params:scim:schemas:     | Enterprise User | See Section |
   | extension:enterprise:2.0:User     | Extension       | 4.3         |
   | urn:ietf:params:scim:schemas:     | Group Resource  | See Section |
   | core:2.0:Group                    |                 | 4.2         |
   +-----------------------------------+-----------------+-------------+

                    SCIM Schema URIs for Data Resources

   +-----------------------------------+-------------------+-----------+
   | Schema URI                        | Name              | Reference |
   +-----------------------------------+-------------------+-----------+
   | urn:ietf:params:scim:schemas:     | Service Provider  | See       |
   | core:2.0:ServiceProviderConfig    | Configuration     | Section 5 |
   |                                   | Schema            |           |
   | urn:ietf:params:scim:schemas:     | Resource Type     | See       |
   | core:2.0:ResourceType             | Config            | Section 6 |
   | urn:ietf:params:scim:schemas:     | Schema            | See       |
   | core:2.0:Schema                   | Definitions       | Section 7 |
   |                                   | Schema            |           |
   +-----------------------------------+-------------------+-----------+

                      SCIM Server Related Schema URIs

11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2141]  Moats, R., "URN Syntax", RFC 2141, May 1997.

   [RFC3553]  Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
              IETF URN Sub-namespace for Registered Protocol
              Parameters", BCP 73, RFC 3553, June 2003.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC3966]  Schulzrinne, H., "The tel URI for Telephone Numbers", RFC
              3966, December 2004.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005.

   [RFC4647]  Phillips, A. and M. Davis, "Matching of Language Tags",
              BCP 47, RFC 4647, September 2006.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", BCP 47, RFC 5646, September 2009.

   [RFC6557]  Lear, E. and P. Eggert, "Procedures for Maintaining the
              Time Zone Database", BCP 175, RFC 6557, February 2012.

   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014.

   [RFC7231]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.

   [XML-Schema]
              Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes
              Second Edition", October 2004.

11.2.  Informative References

   [ISO3166]  "ISO 3166:1988 (E/F) - Codes for the representation of
              names of countries - The International Organization for
              Standardization, 3rd edition", August 1988.

   [ISO639-2]
              ISO 639.2 Registration Authority, "ISO639-2: Codes for the
              Representation of Names of Languages", July 2013.

   [Olson-TZ]
              "Sources for Time Zone and Daylight Saving Time Data".

   [PortableContacts]
              Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only",
              August 2008.

   [RFC2277]  Alvestrand, H., "IETF Policy on Character Sets and
              Languages", BCP 18, RFC 2277, January 1998.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512, June
              2006.

   [RFC6749]  Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
              6749, October 2012.

Appendix A.  Acknowledgements

   The editors would like to acknowledge the contribution and work of
   the past draft editors:

      Chuck Mortimore, Salesforce

      Patrick Harding, Ping

      Paul Madsen, Ping

      Trey Drake, UnboundID

   The SCIM Community would like to thank the following people for the
   work they've done in the research, formulation, drafting, editing,
   and support of this specification.

      Morteza Ansari (morteza.ansari@cisco.com)

      Sidharth Choudhury (schoudhury@salesforce.com)

      Samuel Erdtman (samuel@erdtman.se)

      Kelly Grizzle (kelly.grizzle@sailpoint.com)

      Chris Phillips (cjphillips@gmail.com)

      Erik Wahlstroem (erik@wahlstromstekniska.se)

      Phil Hunt (phil.hunt@yahoo.com)

   Special thanks to Joseph Smarr, whose excellent work on the Portable
   Contacts Specification [PortableContacts] provided a basis for the
   SCIM schema structure and text.

Appendix B.  Change Log

   [[This section to be removed prior to publication as an RFC]]

   Draft 02 - KG - Addition of schema extensibility

   Draft 03 - PH - Revisions based on following tickets:

      09 - Attribute uniqueness

      10 - Returnability of attributes

      35 - Attribute mutability (replaces readOnly)

      52 - Minor textual changes

      53 - Standard use of term client (some was consumer)

      56 - Make manager attribute consistent with other $ref attrs

      58 - Add optional id to ResourceType objects for consistency

      59 - Fix capitalization per IETF editor practices

      60 - Changed <eref> tags to normal <xref> and <reference> tags

   Draft 04 - PH - Revisions based on the following tickets:

      43 - Drop short-hand notation for complex multi-valued attributes

      61 - Specify attribute name limitations

      62 - Fix 'mutability' normative language

      63 - Fix incorrect EnterpriseUser schema reference

      68 - Update JSON references from RFC4627 to RFC7159

      71 - Made corrections to language tags in compliance with BCP47 /
      RFC5646

   Draft 05 - PH - Revisions based on the following tickets

      23 - Clarified that the server is not required to preserve case
      for case insensitive strings

      41 - Add IANA considerations

      72 - Added text to indicate UTF-8 is default and mandatory
      encoding format per BCP18

      - Typo corrections and removed some redundant text

   Draft 06 - PH - Revisions based on the following tickets

      63 - Corrected enterprise user URI in 14.2 and section 7, URI
      namespace changes due to ticket #41

      66 - Updated reference to final HTTP/1.1 drafts (RFC 7230)

      41 - Add IANA considerations

      - Removed redundant text (e.g.  SAML binding, replaced REST with
      HTTP)

      - Reordered introduction, definitions and notation sections to
      follow typical format

      - meta.attributes removed due to new PURGE command in draft 04 (no
      longer used)

   Draft 07 - PH - Edits and revisions

      - Dropped use of the term API in favour of HTTP protocol or just
      protocol.

      - Clarified meaning of null and unassigned

   Draft 08 - PH - Revised IANA namespace to urn:ietf:params:scim per
   RFC3553

   Draft 09 - PH - Editorial revisions and clarifications

      Removed duplicate text from Schema Schema section

      Removed "operation" attribute from Multi-valued Attribute sub-
      attribute definitions.  This was used in the old PATCH command and
      is no longer valid.

      Revised some layout to make indentation and definition of
      attributes more clear (added vspace elements)

   Draft 10 - PH - Editorial revisions

      Simplified namespace definition for urn:ietf:params:scim

      Clarified "schemas" attribute as representing the JSON body schema
      in an HTTP Req/Resp

      Reduced use of confusing term "core" in "Core User" and "Core
      Group"

      Added clarifications and security considerations for externalId

      Re-worded descriptions SCIM schema extension model (sec 3) and
      core schema (sec 4) for improved clarity

   Draft 11 - PH - Clarification to definition of externalId

Authors' Addresses

   Phil Hunt (editor)
   Oracle Corporation

   Email: phil.hunt@yahoo.com

   Kelly Grizzle
   SailPoint

   Email: kelly.grizzle@sailpoint.com

   Erik Wahlstroem
   Nexus Technology

   Email: erik.wahlstrom@nexusgroup.com

   Chuck Mortimore
   Salesforce.com

   Email: cmortimore@salesforce.com
