<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.miek.nl" -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" ipr="trust200902" docName="draft-schreiber-ipsie-scim-profile-00" submissionType="IETF" category="info" xml:lang="en" indexInclude="true">

<front>
<title abbrev="IPSIE SCIM">IPSIE SCIM 2.0 Profile</title><seriesInfo value="draft-schreiber-ipsie-scim-profile-00" stream="IETF" status="informational" name="Internet-Draft"/>
<author initials="J." surname="Schreiber" fullname="Jen Schreiber"><organization>Crowstrike</organization><address><postal><street/>
</postal><email>jwschreib@gmail.com</email>
</address></author><author initials="D." surname="Zollner" fullname="Danny Zollner"><organization>Okta</organization><address><postal><street/>
</postal><email>danny.zollner@okta.com</email>
</address></author><date/>
<area>Applications and Real-Time</area>
<workgroup>IPSIE</workgroup>
<keyword>scim</keyword>
<keyword>ipsie</keyword>
<keyword>provisioning</keyword>
<keyword>identity</keyword>
<keyword>oauth</keyword>

<abstract>
<t>This document defines a profile for SCIM 2.0 to meet the security and interoperability requirements for identity lifecycle management within enterprises. Within the context of SCIM, the profile establishes requirements for provisioning, account management, client authentication, and identity synchronization across three Account Lifecycle assurance levels: AL1 (User Deprovisioning), AL2 (User and Group Management), and AL3 (Role Management).</t>
</abstract>

</front>

<middle>

<section anchor="discussion-venues"><name>Discussion Venues</name>
<t>This note is to be removed before publishing as an RFC.</t>
<t>Source for this draft and an issue tracker can be found at
<eref target="https://github.com/jischr/ipsie-scim-al1-profile">https://github.com/jischr/ipsie-scim-al1-profile</eref>.</t>
</section>

<section anchor="introduction"><name>Introduction</name>
<t>This document defines the IPSIE SCIM 2.0 Profile for enterprise identity lifecycle management. It provides a clear reference for SCIM deployments that require a well-defined security baseline meeting best practices for interoperable enterprise identity management.</t>
<t>The profile is organized according to the three IPSIE Account Lifecycle assurance levels as defined in the IPSIE Levels specification:</t>

<ul spacing="compact">
<li><strong>AL1 - User Deprovisioning</strong>: The Application deprovisions users at the request of the Identity Service. This includes account deactivation and deletion.</li>
<li><strong>AL2 - User and Group Management</strong>: The Identity Service synchronizes user provisioning and group membership with the Application. The Application accepts creation and updates of user accounts and maps groups and their memberships to application roles and capabilities.</li>
<li><strong>AL3 - Role Management</strong>: The Application exposes its available roles to the Identity Service, enabling centralized role assignment and synchronization.</li>
</ul>
<t>Each level is cumulative: AL2 requirements extend AL1, and AL3 requirements extend AL2.</t>
<t>The profile addresses critical aspects of secure identity management, with particular emphasis on:</t>

<ul spacing="compact">
<li>Client authentication</li>
<li>Retrieve, add, and modify Users</li>
<li>Retrieve, add, and modify Groups</li>
<li>Synchronization of data from the Identity Service to the Application</li>
</ul>
<t>By adhering to this profile, organizations can implement SCIM-based integrations that meet stringent security requirements while ensuring interoperability across different implementations.</t>
</section>

<section anchor="conventions-and-definitions"><name>Conventions and Definitions</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>

<section anchor="terminology"><name>Terminology</name>
<t>SCIM</t>
<blockquote><t>The System for Cross-domain Identity Management as defined in <xref target="RFC7643"/> and <xref target="RFC7644"/></t>
</blockquote><t>SCIM Client</t>
<blockquote><t>An application that uses the SCIM protocol to access or manage identity data maintained by the SCIM service provider (SP). The client initiates SCIM HTTP requests to a SCIM service provider. To clarify the relationship in terms of identity management, the Identity Provider (IdP) is the SCIM Client and initiates requests to the SP, which is the SCIM Server.</t>
</blockquote><t>SCIM Server (also referred to as SCIM Service Provider)</t>
<blockquote><t>An HTTP web application that provides identity information via the SCIM protocol. To clarify the relationship in terms of identity management, the SP is the SCIM Server and receives the requests from the IdP, which is the SCIM Client.</t>
</blockquote><t>Role</t>
<blockquote><t>A set of permissions.  Any user or account within the same role receives the predefined ability to access a resource and/or perform an action.</t>
</blockquote><t>Identity Service or Identity Provider (IdP)</t>
<blockquote><t>Acts as the SCIM client, initiating all provisioning, updates, and deprovisioning operations.</t>
</blockquote><t>Application</t>
<blockquote><t>Acts as the SCIM server or service provider, hosting SCIM endpoints and processing all provisioning requests.</t>
</blockquote><t>Note: When SCIM is applied to the context of IPSIE, the Identity Service acts as the SCIM client and the Application acts as the SCIM service provider. The document will use the Role terms below for consistency across IPSIE Profiles.</t>
</section>
</section>

<section anchor="shared-prerequisites"><name>Shared Prerequisites</name>
<t>The following requirements apply to all assurance levels defined in this profile.</t>

<section anchor="authn-authz"><name>Authentication and Authorization</name>
<t>The Identity Service and Application MUST use OAuth 2.0 <xref target="RFC6749"/> for authentication and authorization of all SCIM (HTTP) requests.</t>
<blockquote><t><strong>Editor's Note:</strong> This section should be expanded and may need to reference the IPSIE Session Lifecycle 1 (SL1) profile.</t>
</blockquote><t>The following requirements ensure consistent and secure handling of access tokens and authorization server configuration:</t>

<ul spacing="compact">
<li>OAuth 2.0 interactions MUST use the client_credentials grant type with JWT Client Authentication as defined in <xref target="RFC7523"/> section 2.2.</li>
<li>The Identity Provider SHALL acquire an access token and present that token in the {Authorization: Bearer} header on all subsequent SCIM requests.</li>
<li>The Identity Service MUST authenticate to the Application's OAuth 2.0 authorization server using HTTP Basic authentication in the Authorization request header. Transmission of client credentials (e.g., client_assertion, client_secret) in the HTTP request body is prohibited.</li>
<li>The Access Token MUST include the "scim" scope and not grant broader permissions.</li>
<li>Both the Application and the Identity Service MUST expose OAuth Authorization Server metadata as defined in <xref target="RFC8414"/>. The Application's metadata document MUST include a "token_endpoint" value identifying its OAuth 2.0 token endpoint. The Identity Service's metadata document MUST include a "jwks_uri" so that the Application can retrieve the Identity Service's public keys and validate the signatures of JWTs it issues.</li>
</ul>
</section>

<section anchor="scim-interoperability-requirements"><name>SCIM Interoperability Requirements</name>

<ul spacing="compact">
<li>Implementations conforming to this profile MUST also conform to the SCIM 2.0 Interoperability Profile <xref target="I-D.zollner-scim-interop-profile"/>. The requirements of this profile supplement and extend those of the SCIM 2.0 Interoperability Profile.</li>
<li>The Identity Service SHALL implement the required functionality of a SCIM client as defined in <xref target="RFC7643"/> and <xref target="RFC7644"/>.</li>
<li>The Application SHALL implement the required functionality of a SCIM service provider as defined in <xref target="RFC7643"/> and <xref target="RFC7644"/>.</li>
<li>Local modifications to Users or Groups in the Application are prohibited.</li>
</ul>
</section>

<section anchor="performance-and-efficiency"><name>Performance and Efficiency</name>

<ul spacing="compact">
<li>The Application MUST enforce rate limits on all SCIM endpoints and must respond with appropriate headers, such as "429 Too Many Requests" and "Retry-After," when limits are exceeded.</li>
<li>The Application MUST support at least 25 SCIM requests per second. This requirement is per-tenant for multi-tenant (B2B SaaS, etc.) applications.</li>
<li>The Application and the Identity Service MUST support the SCIM /Bulk endpoint defined in <xref target="RFC7643"/> section 3.7.</li>
<li>The Application MUST support PATCH requests that update multiple attributes within a single request.</li>
<li>The Identity Service SHOULD optimize its SCIM request logic to minimize the number of SCIM requests made for each resource in a short period of time. As an example, a single PATCH request containing multiple attribute updates should be made rather than updating each attribute in a separate PATCH request.</li>
<li>The Identity Service SHOULD use the SCIM /Bulk endpoint when it plans to make changes to more than 100 SCIM resources in a 5 minute period.</li>
</ul>
</section>
</section>

<section anchor="al1-user-deprovisioning"><name>AL1: User Deprovisioning</name>
<t>AL1 requires the Application to deprovision users at the request of the Identity Service. The Identity Service can suspend, archive, delete, or otherwise deprovision accounts at the Application.</t>

<section anchor="deactivate-or-reactivate-user-patch-users-id"><name>Deactivate or Reactivate User (PATCH /Users/{id})</name>
<t>Changes to the user activation status, such deactivation and reactivation, are performed by the SCIM operation PATCH /Users/{id}</t>
<t>The Identity Service SHOULD propagate user deactivation events to the Application within 5 minutes of the user being deactivated.</t>
<t>The Application SHOULD respond to user deactivation events by revoking the ability for the user to continue accessing the Application, including the revocation of currently active sessions. Session revocation mechanisms are outside the scope of this profile. Revocation SHOULD occur within 5 minutes of receiving the deactivation request.</t>
<t>When a user account is deactivated, all access mechanisms and authorizations associated with that account MUST also be deactivated. This includes, but is not limited to:</t>

<ul spacing="compact">
<li>Web sessions</li>
<li>API tokens</li>
<li>Refresh tokens</li>
<li>Personal access tokens</li>
<li>SSH keys associated with the user</li>
<li>Device-based authentication credentials</li>
</ul>
<t>The Application MUST allow reactivation of a deactivated user.</t>
</section>

<section anchor="delete-user-delete-users-id"><name>Delete User (DELETE /Users/{id})</name>
<t>Applications MAY allow users to be deleted via the SCIM operation DELETE /Users/{id}.</t>
<t>After a user is deleted, the Application MUST allow the creation of a new user with the same username.</t>
<blockquote><t><strong>Editor's Note:</strong> Need to clarify implications for maintaining user data and avoiding conflicts when recreating users with the same username.</t>
</blockquote></section>

<section anchor="get-user-by-id-get-users-id"><name>Get User By ID (GET /Users/{id})</name>
<t>The Application MUST support retrieving a single user by ID via the SCIM operation GET /Users/{id}.</t>
</section>

<section anchor="list-users-by-alternate-identifier-get-users"><name>List Users By Alternate Identifier (GET /Users?)</name>
<t>The Application MUST support the following filter expressions:</t>

<ul spacing="compact">
<li>username eq {username}</li>
<li>externalId eq {externalId}</li>
<li>emails[value eq {email}]</li>
<li>emails[type eq "work" and value eq {email}]</li>
</ul>
</section>
</section>

<section anchor="al2-user-and-group-management"><name>AL2: User and Group Management</name>
<t>AL2 extends AL1. In addition to deprovisioning, the Identity Service synchronizes user provisioning and group membership with the Application. The Application MUST accept creation and updates of user accounts from the Identity Service and MUST prohibit local account creation for users managed by the Identity Service. The Application MUST support mapping Identity Service groups to local Application roles and capabilities.</t>

<section anchor="user-provisioning"><name>User Provisioning</name>
<t>Requirements for user provisioning operations are defined in this section.</t>

<section anchor="schema"><name>Schema</name>
<t>The Application MUST include the following attributes in the User schema:</t>

<ul spacing="compact">
<li>userName</li>
<li>displayName</li>
<li>active</li>
</ul>
<t>Additionally, the "externalId" attribute defined as optional in the "common" resource schema in <xref target="RFC7643"/> MUST be supported by the Application.</t>
</section>

<section anchor="passwords-and-other-credentials"><name>Passwords and other credentials</name>
<t>The Application MUST NOT support the "password" attribute.</t>
<t>The Identity Service MUST NOT include the "password" attribute in any SCIM requests.</t>
<t>A user resource may have various credentials or similar data associated with them. This includes passwords, password hashes, private keys, and multi-factor authentication data such as Time-Based One-Time Password (TOTP) seeds. The Application MUST NOT define attributes containing credentials in custom schemas. The Identity Service MUST NOT send values for user credentials in any SCIM requests.</t>
</section>

<section anchor="create-user-post-users"><name>Create User (POST /Users)</name>
<t>The Identity Service and the Application MUST support user creation via POST /Users.</t>
</section>

<section anchor="update-user-patch-users-id"><name>Update User (PATCH /Users/{id})</name>
<t>The Identity Service and the Application MUST support updating a user's attribute values via the SCIM operation PATCH /Users/{id}.</t>
</section>

<section anchor="get-all-users-get-users"><name>Get All Users (GET /Users)</name>
<t>The Application MUST support retrieval of all users via the SCIM operation GET /Users.</t>
<t>The Application SHOULD avoid returning more than 1,000 users per page. Support for cursor-based pagination by the Application is RECOMMENDED.</t>
</section>
</section>

<section anchor="group-provisioning-operations"><name>Group Provisioning Operations</name>
<t>Requirements for group provisioning operations are defined in this section. The Application MAY implement support for groups and MUST follow the below requirements if it does.</t>

<section anchor="schema-1"><name>Schema</name>
<t>The Application MUST include the following attributes in the Group schema:</t>

<ul spacing="compact">
<li>displayName</li>
<li>members</li>
</ul>
<t>Additionally, the "externalId" attribute defined as optional in the "common" resource schema in <xref target="RFC7643"/> MUST be supported by the Application.</t>
<t>The Application SHOULD NOT allow multiple groups to have the same value for the "displayName" attribute".</t>
<t>The Identity Service SHOULD use a unique value for the "displayName" attribute.</t>
</section>

<section anchor="create-group-post-groups"><name>Create Group (POST /Groups)</name>
<t>The Identity Service and the Application MUST support group creation via POST /Groups.</t>
<t>The Application MUST allow groups to be created with zero members.</t>
</section>

<section anchor="get-all-groups-get-groups"><name>Get All Groups (GET /Groups)</name>
<t>The Application MUST support retrieval of all groups via the SCIM operation GET /Groups.</t>
<t>The Identity Service SHOULD include excludedAttributes=members in the HTTP URI when listing all groups.</t>
</section>

<section anchor="get-group-by-id-get-group-id"><name>Get Group By ID (GET /Group/{id})</name>
<t>The Application MUST support retrieving a single group by ID via the SCIM operation GET /Groups/{id}.</t>
</section>

<section anchor="list-groups-by-alternate-identifier-get-groups"><name>List Groups By Alternate Identifier (GET /Groups?)</name>
<t>The Application MUST support the following filter expressions for groups:</t>

<ul spacing="compact">
<li>displayName eq {displayName}</li>
<li>externalId eq {externalId}</li>
<li>members[value eq {memberId}]</li>
</ul>
</section>

<section anchor="update-group-patch-group-id"><name>Update Group (PATCH /Group/{id})</name>
<t>The Identity Service and the Application MUST support updating a group's attribute values via the SCIM operation PATCH /Groups/{id}.</t>
<t>The Application MUST support the inclusion of at least 50 add or remove operations on the "members" attribute in a single PATCH request.</t>
<t>The Identity Service SHOULD compile multiple changes to the "members" attribute into a single PATCH request.</t>
</section>
</section>
</section>

<section anchor="al3-role-management"><name>AL3: Role Management</name>
<t>AL3 extends AL2. The Application exposes its available roles to the Identity Service, enabling centralized role assignment and synchronization. The Identity Service maps Application roles to users and synchronizes those assignments back to the Application.</t>
<blockquote><t><strong>Editor's Note:</strong> AL3 requirements are not yet defined in this draft. Requirements will be added in a future revision.</t>
</blockquote></section>

<section anchor="security-considerations"><name>Security Considerations</name>
<t>For SCIM security considerations, see <xref target="RFC7643"/> and <xref target="RFC7644"/></t>
<t>Additionally, the following requirements are included to address security considerations.</t>

<ul spacing="compact">
<li><strong>Error Handling</strong>: Error responses SHALL use the SCIM error format and SHALL NOT leak internal details.</li>
<li><strong>Replay Resistance</strong>: Access tokens SHALL expire and nonces SHALL be validated to prevent replay.</li>
<li><strong>Auditing</strong>: All SCIM requests resulting in the creation, deletion, or modification of a SCIM resource SHALL be logged for audit and troubleshooting.</li>
<li><strong>Rate Limiting</strong>: All endpoints SHALL enforce rate limiting and must respond with "429 Too Many Requests" when limits are exceeded.</li>
</ul>
</section>

<section anchor="iana-considerations"><name>IANA Considerations</name>
<t>This document has no IANA actions.</t>
</section>

<section anchor="compliance-statement"><name>Compliance Statement</name>
<t>Implementation of all mandatory requirements at each level results in a SCIM 2.0 deployment satisfying the corresponding IPSIE Account Lifecycle assurance level.</t>

<ul>
<li><t><strong>AL1 (User Deprovisioning)</strong></t>

<ul spacing="compact">
<li><strong>Identity Service (SCIM client)</strong>: SHALL initiate deactivation and deletion operations for Users and SHALL adhere to the security considerations above.</li>
<li><strong>Application (SCIM service provider)</strong>: SHALL support PATCH /Users/{id} for deactivation and reactivation, SHALL support DELETE /Users/{id}, SHALL prevent local modifications outside of SCIM, SHALL enforce OAuth 2.0 JWT Profile for Authentication <xref target="RFC7523"/>, and SHALL adhere to the security considerations above.</li>
</ul></li>
<li><t><strong>AL2 (User and Group Management)</strong> — requires AL1</t>

<ul spacing="compact">
<li><strong>Identity Service (SCIM client)</strong>: SHALL initiate all CRUD operations for Users and Groups and SHALL adhere to the security considerations above.</li>
<li><strong>Application (SCIM service provider)</strong>: SHALL host all SCIM endpoints with full support for User provisioning, and if supported, Group provisioning; SHALL prevent local modifications outside of SCIM; SHALL enforce OAuth 2.0 JWT Profile for Authentication <xref target="RFC7523"/>; and SHALL adhere to the security considerations above.</li>
</ul></li>
<li><t><strong>AL3 (Role Management)</strong> — requires AL2</t>

<ul spacing="compact">
<li>Requirements to be defined in a future revision.</li>
</ul></li>
</ul>
<t>By conforming to this profile at the appropriate level, implementations will achieve a consistent, secure, and interoperable baseline for enterprise identity lifecycle management.</t>
</section>

</middle>

<back>
<references><name>Normative References</name>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.zollner-scim-interop-profile.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6749.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7523.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7643.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7644.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8414.xml"/>
</references>

</back>

</rfc>
