]> Microsoft

danny@zollnerd.com

Okta

uvartak@okta.com

IETF SCIM Internet-Draft SCIM The System for Cross-domain Identity Management (SCIM) protocol schema, defined in RFC defines the complex core schema attributes "roles" and "entitlements". For both of these concepts, frequently only a predetermined set of values are accepted by a SCIM service provider. The values that are accepted may vary per customer or tenant based on customizable configuration in the service provider's application or based on other criteria such as what services have been purchased or resources associated with entitlements. This document defines an extension to the SCIM 2.0 standard to allow SCIM service providers to represent available data pertaining to SCIM resources, roles and entitlements so that SCIM clients can consume this information and provide easier management of SCIM resources, role and entitlement assignments. Discussion Venues Discussion of this document takes place on the System for Cross-domain Identity Management Working Group mailing list (scim@ietf.org), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction The System for Cross-domain Identity Management (SCIM) protocol's schema RFC defines the complex core schema attributes "roles" and "entitlements". For both of these concepts, frequently only a predetermined set of values are accepted by a SCIM service provider. Available roles and entitlements may change based on a variety of factors, such as what features are enabled or what customizations have been made in a specific instance of a multi-tenant application. Moreover roles and entitlements may be associated with specific SCIM resources within the SCIM server. The core SCIM 2.0 RFC documents (, and ) do not provide a method for retrieving the available roles or entitlements and the resources associated with roles or entitlements as part of the SCIM 2.0 standard. In order to allow for SCIM clients to reduce predictable errors when interacting with SCIM service providers, this document aims to provide a method for SCIM service providers to provide data on what roles and/or entitlements are available, the association between roles and/or entitlements and specific resources so that SCIM clients can consume this data to more efficiently manage resources between directories.

Consuming Roles and Entitlements with SCIM Clients When a SCIM service provider publishes role and entitlement definitions, SCIM clients can consume them efficiently. The process generally follows these steps:

1. Check Provider Support: Check the ServiceProviderConfig Extension for support for roles and entitlements and the resources associated with roles or entitlements.
2. Discover ResourceTypes: Query the /ResourceTypes endpoint to discover which standard and custom role and entitlement resource types are supported.
3. Discover schemas for ResourceTypes: Fetch the corresponding schemas from the /Schemas endpoint, matching them with the ResourceType URNs.
4. Consume resource-specific endpoints to retrieve the actual supported values for these defined resource types.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Roles and Entitlements The Roles and Entitlements SCIM Extension consists of two new resource types, /Roles and /Entitlements, as well as accompanying ServiceProviderConfig details to advertise support for this extension. In addition to the new resource types, service providers can use schema extensions to publish custom entitlements.

ServiceProviderConfig Extension SCIM endpoints that have implemented one or both of the endpoints from this extension MUST advertise which elements are implemented in the ServiceProviderConfig endpoint as defined:

Role Resource Schema The /Role resource type has a schema consisting of most of the attributes defined for the User resource's complex attribute "roles" in , as well as an additional "supported" attribute so that SCIM service providers can indicate if the role is currently enabled and intended for use in their service. The following singular attributes are defined: Additionally, the following multi-valued attributes are defined:

Entitlement Resource Schema The /Entitlement resource type has a schema consisting of most of the attributes defined for the User resource's complex attribute "entitlements" in , as well as an additional "supported" attribute so that SCIM service providers can indicate if the entitlement is currently enabled and intended for use in their service. The following singular attributes are defined: Additionally, the following multi-valued attributes are defined:

Schema samples

Role <base>/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Role Sample schema for a Role property

Entitlement <base>/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Entitlement Sample schema for entitlement property

Sample Roles and Entitlements resource endpoints

Retrieving all Roles GET /Roles

Retrieving all entitlements GET /Entitlements

Sample user representation with role and entitlement ~~~

References Normative References The System for Cross-domain Identity Management (SCIM) specifications are designed to make identity management in cloud-based applications and services easier. The specification suite builds upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model as well as binding documents to provide patterns for exchanging this schema using HTTP. This document provides a platform-neutral schema and extension model for representing users and groups and other resource types in JSON format. This schema is intended for exchange and use with cloud service providers. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document provides definitions and an overview of the System for Cross-domain Identity Management (SCIM). It lays out the system's concepts, models, and flows, and it includes user scenarios, use cases, and requirements. The System for Cross-domain Identity Management (SCIM) specification is an HTTP-based protocol that makes managing identities in multi-domain scenarios easier to support via a standardized service. Examples include, but are not limited to, enterprise-to-cloud service providers and inter-cloud scenarios. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. SCIM's intent is to reduce the cost and complexity of user management operations by providing a common user schema, an extension model, and a service protocol defined by this document.

IANA Considerations (To-Do)

Change Log -01

• Added root schema definition for Role and Entitlements properties
• Added id attribute to allow service providers to uniquely identify roles and entitlements
• Defines custom namespace for SPs to define their own schema extensions
• Added examples of requests and responses
• Added Unmesh Vartak as co-author
• Using schema version 2.0 for roles and entitlements schemas: urn:ietf:params:scim:schemas:core:2.0:Role and urn:ietf:params:scim:schemas:core:2.0:Entitlement

-00

• Adopted by SCIM WG

Acknowledgments TODO acknowledge.