System for Cross-Domain Identity Management: Core Schema
draft-ietf-scim-core-schema-11
The information below is for an old version of the document.
This is an older version of an Internet-Draft that was ultimately published as RFC 7643.

| Field | Value |
|---|---|
| Authors | Phil Hunt, Kelly Grizzle, Erik Wahlstroem, Chuck Mortimore |
| Last updated | 2014-10-09 (Latest revision 2014-10-06) |
| Replaces | draft-scim-core-schema |
| RFC stream | Internet Engineering Task Force (IETF) |
| Additional resources | Mailing list discussion |
| WG state | In WG Last Call |
| Document shepherd | (None) |
| IESG state | Became RFC 7643 (Proposed Standard) |
| Consensus boilerplate | Unknown |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
Hunt, et al. Expires April 9, 2015 [Page 54]
Internet-Draft draft-scim-core-schema-11 October 2014

[Figure 9 continues from the previous page; only its tail is reproduced here.]

```json
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "displayName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The displayName of the User's manager. OPTIONAL and READ-ONLY.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }
    ],
    "meta" : {
      "resourceType" : "Schema",
      "created" : "2010-01-23T04:56:22Z",
      "lastModified" : "2014-02-04T00:00:00Z",
      "version" : "W/\"3694e05e9dff596\"",
      "location" : "https://example.com/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    }
  }
]}
```

Figure 9: Example Schema JSON Representation

9. Security Considerations

The SCIM Core schema defines attributes that MAY contain personally identifiable information as well as other sensitive data. Aside from prohibiting password values in a SCIM response, this specification does not provide any means or guarantee of confidentiality. Attributes such as "id" and "externalId" are of particular concern as personally identifiable information, because they are URIs that uniquely map to Users. Where possible, it is suggested that service providers take the following remediations:

o Assign and bind identifiers to specific tenants and/or clients. When multiple tenants are able to reference the same resource, they should do so via separate identifiers (id or externalId). This ensures that separate domains linked to the same information cannot perform identifier correlation.

o In the case of "externalId", if multiple values are supported, use access control to restrict access to the client domain that assigned the "externalId" value.
o Ensure that access to data is appropriately restricted to authorized parties with a need-to-know.

o When data is persisted, ensure that appropriate protection mechanisms are in place to restrict access by unauthorized parties, including administrators or parties with access to backup data.

It is important to note that these considerations are intentionally general in nature. Considerations relative to the access protocol are out of scope of the core-schema document and are addressed in other SCIM specifications.

10. IANA Considerations

10.1. New Registration of SCIM URN Sub-namespace

IANA has created a registry for new IETF URN sub-namespaces, "urn:ietf:params:scim:", per [RFC3553]. The registration request is as follows:

Per [RFC3553], IANA has registered a new URN sub-namespace, "urn:ietf:params:scim".

o Registry name: scim
o Specification: [this document]
o Repository: [see Section 10.2]
o Index value: values [see Section 10.2]

10.2. URN Sub-Namespace for SCIM

SCIM schemas and SCIM messages utilize URIs to identify the schema in use or other relevant context. This section creates and registers an IETF URN Sub-namespace for use in the SCIM specifications and future extensions.

10.2.1. Specification Template

Namespace ID: The Namespace ID "scim" is requested.

Registration Information:
   Version: 1
   Date: [[insert final submission date]]

Declared registrant of the namespace:
   Registering organization: The Internet Engineering Task Force
   Designated contact: A designated expert will monitor the SCIM public mailing list, "scim@ietf.org".

Declaration of Syntactic Structure: The Namespace Specific String (NSS) of all URNs that use the "scim" NID shall have the following structure:

   urn:ietf:params:scim:{type}:{name}{:other}

The keywords have the following meaning:

   type   The entity type, which is either "schemas" or "api".
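The identifier remediations in the Security Considerations (Section 9) above, namely tenant-bound "id" values, access control on "externalId" restricted to the assigning client, and the prohibition on returning password values, as an added Python example that is not part of the draft. The in-memory store, the tenant and client names, and the record data are all constructed for illustration; a real service provider would back this with its own persistence layer.

```python
import secrets


class ScimIdentifierService:
    """Toy SCIM service provider illustrating the draft's identifier remediations.

    - "id" values are minted per tenant, so two tenants that reference the same
      underlying record receive unrelated identifiers and cannot correlate them.
    - "externalId" values are stored per assigning client and returned only to it.
    - "password" is never included in a response.
    (Constructed example; not code from the draft or any SCIM implementation.)
    """

    def __init__(self):
        self._records = {}        # internal key -> attribute dict
        self._scim_id = {}        # (tenant, internal key) -> tenant-scoped "id"
        self._internal = {}       # (tenant, "id") -> internal key
        self._external_ids = {}   # (internal key, client) -> "externalId" value

    def add_record(self, internal_key, attributes):
        self._records[internal_key] = dict(attributes)

    def bind(self, tenant, internal_key):
        """Return the tenant-scoped "id" for a record, minting one on first use."""
        if internal_key not in self._records:
            raise KeyError(internal_key)
        sid = self._scim_id.get((tenant, internal_key))
        if sid is None:
            sid = secrets.token_urlsafe(16)   # random: unlinkable across tenants
            self._scim_id[(tenant, internal_key)] = sid
            self._internal[(tenant, sid)] = internal_key
        return sid

    def resolve(self, tenant, scim_id):
        """Map a tenant's "id" back to the record; another tenant's id does not resolve."""
        return self._internal.get((tenant, scim_id))

    def set_external_id(self, tenant, client, scim_id, value):
        """Record the externalId that `client` assigned, bound to that client."""
        key = self.resolve(tenant, scim_id)
        if key is None:
            raise LookupError("unknown id for this tenant")
        self._external_ids[(key, client)] = value

    def represent(self, tenant, client, scim_id):
        """Build the User resource as it would be returned to `client` within `tenant`."""
        key = self.resolve(tenant, scim_id)
        if key is None:
            return None
        # password values are prohibited in SCIM responses
        attrs = {k: v for k, v in self._records[key].items() if k != "password"}
        resource = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                    "id": scim_id, **attrs}
        ext = self._external_ids.get((key, client))   # only the assigning client sees it
        if ext is not None:
            resource["externalId"] = ext
        return resource


def demo():
    """Constructed scenario: two tenants provisioning the same underlying person."""
    svc = ScimIdentifierService()
    svc.add_record("hr-00042", {"userName": "bjensen", "password": "constructed-secret"})
    id_a = svc.bind("tenant-a", "hr-00042")
    id_b = svc.bind("tenant-b", "hr-00042")
    svc.set_external_id("tenant-a", "client-a", id_a, "701984")
    return {
        "ids_differ": id_a != id_b,
        "cross_tenant_resolves": svc.resolve("tenant-b", id_a) is not None,
        "view_for_assigner": svc.represent("tenant-a", "client-a", id_a),
        "view_for_other_client": svc.represent("tenant-a", "client-x", id_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The per-tenant "id" is a fresh random token rather than anything derived from the internal key, so even a tenant that learns another tenant's identifier gains nothing it can correlate; the externalId check is keyed on the client that wrote the value, which is the access-control rule the second remediation asks for.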
   name   A required US-ASCII string that conforms to the URN syntax requirements (see [RFC2141]) and defines a major namespace of a schema used within SCIM (e.g. "core" in the case of SCIM Core Schema). The value MAY also be an industry name or organization name.

   other  Any US-ASCII string that conforms to the URN syntax requirements (see [RFC2141]) and defines the sub-namespace (which MAY be further broken down into namespaces delimited by colons) as needed to uniquely identify a schema.

Relevant Ancillary Documentation: None

Identifier Uniqueness Considerations: The designated contact shall be responsible for reviewing and enforcing uniqueness.

Identifier Persistence Considerations: Once a name has been allocated it MUST NOT be re-allocated for a different purpose. The rules provided for assignments of values within a sub-namespace MUST be constructed so that the meaning of values cannot change. This registration mechanism is not appropriate for naming values whose meaning may change over time. As the SCIM specifications are updated and the SCIM protocol version is adjusted, a new registration will be made when significant changes are made. For example, "urn:ietf:params:scim:schemas:core:1.0" (externally defined, not previously registered) and "urn:ietf:params:scim:schemas:core:2.0".

Process of Identifier Assignment: Identifiers with namespace type "schema" (e.g. "urn:ietf:params:scim:schemas") are assigned after the review of the assigned contact via the SCIM public mailing list, "scim@ietf.org", as documented in Section 10.3. Namespaces with type "api" (e.g. "urn:ietf:params:scim:api") are reserved for IETF approved SCIM specifications. Namespaces with type "param" are reserved for future use.
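A parser for the urn:ietf:params:scim:{type}:{name}{:other} structure defined above, together with an allow-list check of a resource's "schemas" attribute against the schema URIs this draft registers, as an added Python example that is not part of the draft. The accepted character set is a conservative reading of [RFC2141] (alphanumerics, the listed "other" characters and %XX escapes; ":" is the delimiter and the reserved characters "/", "?", "#" are not accepted), the US-ASCII requirement is enforced, and a type other than "schemas" or "api" (including the reserved "param") is rejected. The REGISTERED_SCHEMAS set holds the six URIs from the initial registry in Section 10.4; a deployed server would extend it with the extensions it actually supports.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

PREFIX = "urn:ietf:params:scim:"
ASSIGNABLE_TYPES = {"schemas", "api"}   # "param" is reserved for future use

# Schema URIs from the draft's initial registry (Section 10.4)
REGISTERED_SCHEMAS = {
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:core:2.0:Group",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
    "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
    "urn:ietf:params:scim:schemas:core:2.0:Schema",
}

# One colon-delimited NSS segment: RFC 2141 <trans> chars (minus ":" and the
# reserved "/", "?", "#") or a %XX escape. Assumption: this conservative subset
# is what a validating server should accept.
_TOKEN = re.compile(r"^(?:[A-Za-z0-9()+,\-.=@;$_!*']|%[0-9A-Fa-f]{2})+$")


@dataclass(frozen=True)
class ScimUrn:
    type: str
    name: str
    other: Tuple[str, ...]   # remaining sub-namespace segments, possibly empty


def parse_scim_urn(value: str) -> ScimUrn:
    """Parse urn:ietf:params:scim:{type}:{name}{:other}; raise ValueError if malformed."""
    try:
        value.encode("ascii")
    except UnicodeEncodeError:
        raise ValueError("URN must be US-ASCII") from None
    # URN scheme and NID are case-insensitive, so compare the prefix lower-cased
    if not value.lower().startswith(PREFIX):
        raise ValueError("not in the urn:ietf:params:scim namespace")
    segments = value[len(PREFIX):].split(":")
    if len(segments) < 2 or not all(_TOKEN.match(s) for s in segments):
        raise ValueError("NSS must be {type}:{name}{:other} with valid URN characters")
    urn_type, name, *other = segments
    if urn_type not in ASSIGNABLE_TYPES:
        raise ValueError(f"unsupported type {urn_type!r}")
    return ScimUrn(urn_type, name, tuple(other))


def check_schemas_attribute(schemas: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Validate the values of a resource's "schemas" attribute.

    Returns (accepted URIs, {rejected URI: reason}). Policy: only parseable
    "schemas"-type URNs present in REGISTERED_SCHEMAS are accepted.
    """
    accepted, rejected = [], {}
    for uri in schemas:
        try:
            urn = parse_scim_urn(uri)
        except ValueError as exc:
            rejected[uri] = str(exc)
            continue
        if urn.type != "schemas":
            rejected[uri] = f'type "{urn.type}" is not a schema URI'
        elif uri not in REGISTERED_SCHEMAS:
            rejected[uri] = "not a registered schema URI"
        else:
            accepted.append(uri)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input: a valid core URI, a reserved type, an unregistered schema
    sample = ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:param:x:y",
              "urn:ietf:params:scim:schemas:core:2.0:Widget"]
    print(check_schemas_attribute(sample))
```

Rejecting unknown schema URIs before processing the body is the cheap check that keeps a server from acting on attributes it never agreed to support; the parse step is separate from the allow-list so that a server can log a malformed URN differently from a merely unregistered one.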
Process of Identifier Resolution: The namespace is not currently listed with a Resolution Discovery System (RDS), but nothing about the namespace prohibits the future definition of appropriate resolution methods or listing with an RDS.

Rules for Lexical Equivalence: No special considerations; the rules for lexical equivalence specified in [RFC2141] apply.

Conformance with URN Syntax: No special considerations.

Validation Mechanism: None specified.

Scope: Global.

10.2.2. Pre-Registered SCIM Schema Identifiers

The following SCIM Identifiers are defined:

   urn:ietf:params:scim:schemas:core:2.0
      SCIM Core Schema as specified in Section 4 and Section 10.4.

   urn:ietf:params:scim:schemas:extension:enterprise:2.0
      Enterprise schema extensions as defined in Section 4.3 and Section 10.4.

10.3. Registering SCIM Schemas

This section defines the process for registering new SCIM schemas with IANA. A schema URI is used as a value in the schemas attribute (Section 3) for the purpose of distinguishing extensions used in a SCIM resource.

10.3.1. Registration Procedure

The IETF has created a mailing list, scim@ietf.org, which can be used for public discussion of SCIM schema proposals prior to registration. Use of the mailing list is strongly encouraged.

The IESG has appointed a designated expert who will monitor the scim@ietf.org mailing list and review registrations.

Registration of new schemas MUST be reviewed by the designated expert and published in an RFC. A Standards Track RFC is REQUIRED for the registration of new value data types that modify existing properties. A Standards Track RFC is also REQUIRED for registration of SCIM schema URIs that modify SCIM schema previously documented in a Standards Track RFC.

The registration procedure begins when a completed registration template, defined in the sections below, is sent to scim@ietf.org and iana@iana.org.
Within two weeks, the designated expert is expected to tell IANA and the submitter of the registration whether the registration is approved, approved with minor changes, or rejected with cause. When a registration is rejected with cause, it can be re-submitted if the concerns listed in the cause are addressed.

Decisions made by the designated expert can be appealed to the IESG Applications Area Director, then to the IESG. They follow the normal appeals procedure for IESG decisions.

Once the registration procedure concludes successfully, IANA creates or modifies the corresponding record in the SCIM schema registry. The completed registration template is discarded.

An RFC specifying a new schema URI MUST include the completed registration templates, which MAY be expanded with additional information. These completed templates are intended to go in the body of the document, not in the IANA Considerations section. The RFC SHOULD include any attributes defined.

10.3.2. Schema Registration Template

A SCIM schema URI is defined by completing the following template:

   Schema URI: A unique URI for the SCIM schema extension.
   Schema Name: A descriptive name of the schema extension (e.g. Generic Device).
   Intended or Associated Resource Type: A value defining the resource type (e.g. "Device").
   Purpose: A description of the purpose of the extension and/or its intended use.
   Single-value Attributes: A list and description of single-valued attributes defined, including complex attributes.
   Multi-valued Attributes: A list and description of multi-valued attributes defined, including complex attributes.

10.4. Initial SCIM Schema Registry

The IANA has created and will maintain the following registries for SCIM schema URIs with pointers to appropriate reference documents.

| Schema URI | Name | Reference |
|---|---|---|
| urn:ietf:params:scim:schemas:core:2.0:User | User Resource | See Section 4.1 |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | Enterprise User Extension | See Section 4.3 |
| urn:ietf:params:scim:schemas:core:2.0:Group | Group Resource | See Section 4.2 |

SCIM Schema URIs for Data Resources

| Schema URI | Name | Reference |
|---|---|---|
| urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig | Service Provider Configuration Schema | See Section 5 |
| urn:ietf:params:scim:schemas:core:2.0:ResourceType | Resource Type Config | See Section 6 |
| urn:ietf:params:scim:schemas:core:2.0:Schema | Schema Definitions Schema | See Section 7 |

SCIM Server Related Schema URIs

11. References

11.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997.

[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An IETF URN Sub-namespace for Registered Protocol Parameters", BCP 73, RFC 3553, June 2003.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.

[RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC 3966, December 2004.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005.

[RFC4647] Phillips, A. and M. Davis, "Matching of Language Tags", BCP 47, RFC 4647, September 2006.

[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008.

[RFC5646] Phillips, A. and M. Davis, "Tags for Identifying Languages", BCP 47, RFC 5646, September 2009.

[RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the Time Zone Database", BCP 175, RFC 6557, February 2012.

[RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, March 2014.

[RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.

[XML-Schema] Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes Second Edition", October 2004.

11.2. Informative References

[ISO3166] "ISO 3166:1988 (E/F) - Codes for the representation of names of countries - The International Organization for Standardization, 3rd edition", August 1988.

[ISO639-2] ISO 639.2 Registration Authority, "ISO639-2: Codes for the Representation of Names of Languages", July 2013.

[Olson-TZ] "Sources for Time Zone and Daylight Saving Time Data".

[PortableContacts] Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only", August 2008.

[RFC2277] Alvestrand, H., "IETF Policy on Character Sets and Languages", BCP 18, RFC 2277, January 1998.

[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006.

[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012.

Appendix A. Acknowledgements

The editors would like to acknowledge the contribution and work of the past draft editors:

   Chuck Mortimore, Salesforce
   Patrick Harding, Ping
   Paul Madsen, Ping
   Trey Drake, UnboundID

The SCIM Community would like to thank the following people for the work they've done in the research, formulation, drafting, editing, and support of this specification.

   Morteza Ansari (morteza.ansari@cisco.com)
   Sidharth Choudhury (schoudhury@salesforce.com)
   Samuel Erdtman (samuel@erdtman.se)
   Kelly Grizzle (kelly.grizzle@sailpoint.com)
   Chris Phillips (cjphillips@gmail.com)
   Erik Wahlstroem (erik@wahlstromstekniska.se)
   Phil Hunt (phil.hunt@yahoo.com)

Special thanks to Joseph Smarr, whose excellent work on the Portable Contacts Specification [PortableContacts] provided a basis for the SCIM schema structure and text.

Appendix B. Change Log

[[This section to be removed prior to publication as an RFC]]

Draft 02 - KG - Addition of schema extensibility

Draft 03 - PH - Revisions based on the following tickets:
   09 - Attribute uniqueness
   10 - Returnability of attributes
   35 - Attribute mutability (replaces readOnly)
   52 - Minor textual changes
   53 - Standard use of term client (some was consumer)
   56 - Make manager attribute consistent with other $ref attrs
   58 - Add optional id to ResourceType objects for consistency
   59 - Fix capitalization per IETF editor practices
   60 - Changed <eref> tags to normal <xref> and <reference> tags

Draft 04 - PH - Revisions based on the following tickets:
   43 - Drop short-hand notation for complex multi-valued attributes
   61 - Specify attribute name limitations
   62 - Fix 'mutability' normative language
   63 - Fix incorrect EnterpriseUser schema reference
   68 - Update JSON references from RFC4627 to RFC7159
   71 - Made corrections to language tags in compliance with BCP47 / RFC5646

Draft 05 - PH - Revisions based on the following tickets:
   23 - Clarified that the server is not required to preserve case for case insensitive strings
   41 - Add IANA considerations
   72 - Added text to indicate UTF-8 is default and mandatory encoding format per BCP18
   - Typo corrections and removed some redundant text

Draft 06 - PH - Revisions based on the following tickets:
   63 - Corrected enterprise user URI in 14.2 and section 7, URI namespace changes due to ticket #41
   66 - Updated reference to final HTTP/1.1 drafts (RFC 7230)
   41 - Add IANA considerations
   - Removed redundant text (e.g. SAML binding, replaced REST with HTTP)
   - Reordered introduction, definitions and notation sections to follow typical format
   - meta.attributes removed due to new PURGE command in draft 04 (no longer used)

Draft 07 - PH - Edits and revisions
   - Dropped use of the term API in favour of HTTP protocol or just protocol.
   - Clarified meaning of null and unassigned

Draft 08 - PH - Revised IANA namespace to urn:ietf:params:scim per RFC3553

Draft 09 - PH - Editorial revisions and clarifications
   - Removed duplicate text from Schema Schema section
   - Removed "operation" attribute from Multi-valued Attribute sub-attribute definitions. This was used in the old PATCH command and is no longer valid.
   - Revised some layout to make indentation and definition of attributes more clear (added vspace elements)

Draft 10 - PH - Editorial revisions
   - Simplified namespace definition for urn:ietf:params:scim
   - Clarified "schemas" attribute as representing the JSON body schema in an HTTP Req/Resp
   - Reduced use of confusing term "core" in "Core User" and "Core Group"
   - Added clarifications and security considerations for externalId
   - Re-worded descriptions of the SCIM schema extension model (sec 3) and core schema (sec 4) for improved clarity

Draft 11 - PH - Clarification to definition of externalId

Authors' Addresses

   Phil Hunt (editor)
   Oracle Corporation
   Email: phil.hunt@yahoo.com

   Kelly Grizzle
   SailPoint
   Email: kelly.grizzle@sailpoint.com

   Erik Wahlstroem
   Nexus Technology
   Email: erik.wahlstrom@nexusgroup.com

   Chuck Mortimore
   Salesforce.com
   Email: cmortimore@salesforce.com