Network Working Group                                        P. Hunt, Ed.
Internet-Draft                                                     Oracle
Intended status: Standards Track                               K. Grizzle
Expires: December 10, 2015                                      SailPoint
                                                            E. Wahlstroem
                                                         Nexus Technology
                                                             C. Mortimore
                                                               Salesforce
                                                             June 8, 2015

        System for Cross-Domain Identity Management: Core Schema
                     draft-ietf-scim-core-schema-22

Abstract

   The System for Cross-Domain Identity Management (SCIM) specifications are designed to make identity management in cloud-based applications and services easier. The specification suite builds upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents that provide patterns for exchanging this schema using the HTTP protocol.

   This document provides a platform-neutral schema and extension model for representing users, groups, and other resource types in JSON format. This schema is intended for exchange and use with cloud service providers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 10, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction and Overview
      1.1. Requirements Notation and Conventions
      1.2. Definitions
   2. SCIM Schema
      2.1. Attributes
      2.2. Attribute Characteristics
      2.3. Attribute Data Types
         2.3.1. String
         2.3.2. Boolean
         2.3.3. Decimal
         2.3.4. Integer
         2.3.5. DateTime
         2.3.6. Binary
         2.3.7. Reference
         2.3.8. Complex
      2.4. Multi-valued Attributes
      2.5. Unassigned and Null Values
   3. SCIM Resources
      3.1. Common Attributes
      3.2. Defining New Resource Types
      3.3. Attribute Extensions to Resources
   4. SCIM Core Resources and Extensions
      4.1. User Resource Schema
         4.1.1. Singular Attributes
         4.1.2. Multi-valued Attributes
      4.2. Group Resource Schema
      4.3. Enterprise User Schema Extension
   5. Service Provider Configuration Schema
   6. ResourceType Schema
   7. Schema Definition
   8. JSON Representation
      8.1. Minimal User Representation
      8.2. Full User Representation
      8.3. Enterprise User Extension Representation
      8.4. Group Representation
      8.5. Service Provider Configuration Representation
      8.6. Resource Type Representation
      8.7. Schema Representation
         8.7.1. Resource Schema Representation
         8.7.2. Service Provider Schema Representation
   9. Security Considerations
      9.1. Protocol
      9.2. Password and Other Sensitive Security Data
      9.3. Privacy
   10. IANA Considerations
      10.1. Registration of SCIM URN Sub-namespace & SCIM Registry
      10.2. URN Sub-Namespace for SCIM
         10.2.1. Specification Template
      10.3. Registering SCIM Schemas
         10.3.1. Registration Procedure
         10.3.2. Schema Registration Template
      10.4. Initial SCIM Schema Registry
   11. References
      11.1. Normative References
      11.2. Informative References
   Appendix A. Acknowledgements
   Appendix B. Change Log
   Authors' Addresses

1. Introduction and Overview

   While there are existing standards for describing and exchanging user information, many of these standards can be difficult to implement and/or use; e.g., their wire protocols do not easily traverse firewalls and/or are not easily layered onto existing web protocols. As a result, many cloud providers implement non-standardized protocols for managing users within their services. This increases both the cost and complexity associated with organizations adopting products and services from multiple cloud providers, as they must perform redundant integration development. Similarly, cloud service providers seeking to inter-operate with multiple application marketplaces or cloud identity providers would require pairwise integration.

   SCIM seeks to simplify this problem through a simple-to-implement specification suite that provides a common user schema and extension model, as well as a SCIM Protocol document that defines the exchange of this schema via an HTTP-based protocol [I-D.ietf-scim-api]. [[RFC Editor: This document and the companion scim-api document should be published together]] It draws on inspiration and best practice, building upon existing user protocols and schemas from a wide variety of sources including, but not limited to, existing services exposed by cloud providers, PortableContacts [PortableContacts], vCards [RFC6350], and Lightweight Directory Access Protocol (LDAP) directory services [RFC4512].

   The SCIM protocol is an application-level protocol for provisioning and managing identity data specified through SCIM schemas. The protocol supports creation, modification, retrieval, and discovery of core identity resources such as Users and Groups, using a subset of the HTTP methods (GET for retrieval of resources; POST for creation, searching, and bulk modification; PUT for attribute replacement within resources; PATCH for partial update of attributes; and DELETE for removing resources).

   While the SCIM protocol and core schema specifications are intended to cover point-to-point scenarios, implementers and deployers should consider multi-hop and multi-party scenarios, such as a service provider acting as a general profile service for in-domain applications (e.g., a directory), as well as scenarios where a service provider in turn passes information to a third-party service provider, either by acting as a SCIM client or as a SCIM service provider. Implementers and deployers should consider carefully their service level agreements and privacy agreements when distributing or propagating personal information (see also Privacy Considerations, Section 9.3).

   This document provides a JSON-based schema and extension model for representing users and groups, as well as service provider configuration. This schema is intended for exchange and use with cloud service providers and other cross-domain scenarios.

1.1. Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

   The key words "REQUIRED" and "OPTIONAL" are used throughout this document to indicate whether an attribute or schema element is required or optional. These keywords may be used alone (e.g., "REQUIRED.") or in a sentence. If not specified, an attribute is considered to be optional.

   Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value.

   Throughout this document all figures may contain spaces and extra line-wrapping for readability and space reasons. Similarly, some URIs contained within examples have been shortened for space and readability reasons.

1.2. Definitions

   Service Provider
      An HTTP web application that provides identity information via the SCIM protocol.

   Client
      A website or application that uses the SCIM protocol to manage identity data maintained by the service provider. The client initiates SCIM HTTP requests to a target service provider.

   Provisioning Domain
      A provisioning domain is an administrative domain external to the domain of a service provider for legal or technical reasons. For example, a SCIM client in an enterprise (provisioning client) communicates with a SCIM service provider that is owned or controlled by a different legal entity.

   Resource Type
      A type of resource that is managed by a service provider. The resource type defines the resource name, endpoint URL, schemas, and other meta-data which indicate where a resource is managed and how it is composed; e.g., "User" or "Group".

   Resource
      A service provider managed artifact containing one or more attributes. For example, a "User" or "Group".

   Endpoint
      An endpoint for a service provider is a defined base path relative to the service provider's Base URI (see definitions of [I-D.ietf-scim-api]) over which SCIM operations may be performed against SCIM resources. For example, assuming the service provider Base URI is "https://example.com/", "User" resources may be accessed at the "https://example.com/Users" or "https://example.com/v2/Users" (when including the protocol version, see Section 3.13 of [I-D.ietf-scim-api]) endpoint. Service provider schemas MAY be returned from the "/Schemas" endpoint.

   Schema
      A collection of attribute definitions that describe the contents of an entire or partial resource; e.g., "urn:ietf:params:scim:schemas:core:2.0:User". The attribute definitions define the name of the attribute and metadata such as type (e.g., string, binary), cardinality (singular, multi, complex), mutability, and returnability.

   Singular Attribute
      A resource attribute that contains 0..1 values; e.g., "displayName".

   Multi-valued Attribute
      A resource attribute that contains 0..n values; e.g., "emails".

   Simple Attribute
      A singular or multi-valued attribute whose value is a primitive; e.g., "String". A simple attribute MUST NOT contain sub-attributes.

   Complex Attribute
      A singular or multi-valued attribute whose value is a composition of one or more simple attributes; e.g., "addresses" has the sub-attributes "streetAddress", "locality", "postalCode", and "country".

   Sub-Attribute
      A simple attribute that is contained within a complex attribute.

2. SCIM Schema

   A SCIM server provides a set of resources, the allowable contents of which are defined by a set of schema URIs and a resource type. SCIM's schema is not a document-centric one such as [XML-Schema]. Instead, SCIM's support of schema is attribute based, where each attribute may have a different type, mutability, cardinality, or returnability. Validation of documents and messages is always performed by the intended receiver, as specified by the SCIM specifications. Validation is performed by the receiver in the context of a SCIM protocol request (see [I-D.ietf-scim-api]). For example, a SCIM service provider, upon receiving a request to replace an existing resource with a replacement JSON object, evaluates each asserted attribute based on its characteristics as defined in the relevant schema (e.g., mutability) and decides which attributes may be replaced or ignored.

   This specification provides a minimal core schema for representing users and groups (resources), encompassing common attributes found in many existing deployments and schemas. In addition to the minimal core schema, this document also specifies a standardized means by which service providers may extend schemas to define new resources and attributes in both standardized and service provider specific cases.

   Resources are categorized into common resource types such as "User" or "Group". Collections of resources of the same type are usually contained within the same "container" ("folder") endpoint.

2.1. Attributes

   A resource is a collection of attributes identified by one or more schemas. Minimally, an attribute consists of the attribute name and at least one simple or complex value, either of which may be multi-valued. For each attribute, SCIM schema defines the data type, plurality, mutability, and other distinguishing features of an attribute.

   Attribute names are case-insensitive and are often camel-cased (e.g., "camelCase"). SCIM resources are represented in JSON [RFC7159] and MUST specify schema via the "schemas" attribute per Section 3.

   Attribute names MUST conform to the following ABNF rules:

      ATTRNAME = ALPHA *(nameChar)
      nameChar = "$" / "-" / "_" / DIGIT / ALPHA

                    Figure 1: ABNF for Attribute Names

   The above rules (and other rules in this specification) use the "Core Rules" from ABNF, see Appendix B of [RFC5234]. Unless otherwise specified in this specification, all ABNF strings are case insensitive and the character set for these strings is US-ASCII. For example, all attribute names defined by the above rule are case insensitive.

   When defining attribute names it should be noted that the hyphen ("-") is not permitted in JavaScript (and some other languages) attribute names. While there are no known issues within the HTTP protocol and JSON notation, attribute names containing hyphens may need to be escaped when declaring corresponding names of JavaScript attributes.

2.2. Attribute Characteristics

   If not otherwise stated in Section 7, SCIM attributes have the following characteristics:

   o  are OPTIONAL (not REQUIRED),

   o  have values that are case insensitive ("caseExact" is "false"),

   o  are modifiable ("mutability" is "readWrite"),

   o  are returned in response to queries ("returned" is "default"),

   o  have no canonical values (for example, the "type" sub-attribute in Section 2.4),

   o  are not unique ("uniqueness" is "none"), and

   o  are of type string (Section 2.3.1).

2.3. Attribute Data Types

   Attribute data types are derived from JSON [RFC7159]. The JSON format defines a limited set of data types; hence, where appropriate, alternate JSON representations derived from XML Schema [XML-Schema] are defined below. SCIM extensions SHOULD NOT introduce new data types.

   The following table maps each SCIM data type to its SCIM schema "type" value and the underlying JSON data type:

   +--------------+-----------------+----------------------------------+
   | SCIM Data    | SCIM Schema     | JSON Type                        |
   | Type         | "type"          |                                  |
   +--------------+-----------------+----------------------------------+
   | String       | "string"        | String per Sec. 7 [RFC7159]      |
   | Boolean      | "boolean"       | Value per Sec. 3 [RFC7159]       |
   | Decimal      | "decimal"       | Number per Sec. 6 [RFC7159]      |
   | Integer      | "integer"       | Number per Sec. 6 [RFC7159]      |
   | DateTime     | "dateTime"      | String per Sec. 7 [RFC7159]      |
   | Binary       | "binary"        | Base64 encoded String per Sec. 7 |
   |              |                 | [RFC7159]                        |
   | Reference    | "reference"     | String per Sec. 7 [RFC7159]      |
   | Complex      | "complex"       | Object per Sec. 4 [RFC7159]      |
   +--------------+-----------------+----------------------------------+

              Table 1: SCIM Data Type to JSON Representation

2.3.1. String

   A sequence of zero or more Unicode characters encoded using UTF-8 as per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7 of [RFC7159]. A "String" attribute MAY specify a required data format. Additionally, when "canonicalValues" is specified, service providers MAY restrict accepted values to the specified values.

2.3.2. Boolean

   The literal "true" or "false". The JSON format is defined in Section 3 of [RFC7159]. A boolean has no case sensitivity or uniqueness.

2.3.3. Decimal

   A real number with at least one digit to the left and right of the period. The JSON format is defined in Section 6 of [RFC7159]. A decimal has no case sensitivity.

2.3.4. Integer

   A whole number with no fractional digits or decimal. The JSON format is defined in Section 6 of [RFC7159], with the additional constraint that the value MUST NOT contain fractional or exponent parts. An integer has no case sensitivity.

2.3.5. DateTime

   A DateTime value (e.g., 2008-01-23T04:56:22Z). The attribute value MUST be encoded as a valid xsd:dateTime as specified in Section 3.3.7 of [XML-Schema] and MUST include both a date and a time. A date-time has no case sensitivity or uniqueness.

   Values represented in JSON MUST conform to the XML constraints above and are represented as a JSON String per Section 7 of [RFC7159].

2.3.6. Binary

   Arbitrary binary data. The attribute value MUST be encoded in base 64 encoding as specified in Section 4 of [RFC4648]. In cases where a URL-safe encoding is required, the attribute definition MAY specify that Base 64 URL encoding be used as per Section 5 of [RFC4648]. Unless otherwise specified in the attribute definition, trailing padding characters ("=") MAY be omitted.

   In JSON representation, the encoded values are represented as a JSON String per Section 7 of [RFC7159]. A binary is case-exact and has no uniqueness.

2.3.7. Reference

   The value is a URI for a resource. A resource MAY be a SCIM resource, an external link to a resource (e.g., a photo), or it may be an identifier such as a URN. The value MUST be the absolute or relative URI of the target resource. Relative URIs should be resolved as specified in Section 5.2 of [RFC3986]. However, the base URI for relative URI resolution MUST include all URI components and path segments up to but not including the Endpoint URI (the SCIM service provider root endpoint); e.g., the base URI for a request to "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646" would be "https://example.com/v2/" and the relative URI for this resource would be "Users/2819c223-7f76-453a-919d-413861904646".

   In JSON representation, the URI value is represented as a JSON String per Section 7 of [RFC7159]. A reference is case-exact. A reference has a "referenceType" that indicates what types of resources may be linked, as per Section 7.
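   The attribute-name rule of Section 2.1 and the data types of Sections 2.3.1 through 2.3.7, worked as an added Python example. This is illustrative code written for this page; it is not part of the specification and is not taken from any SCIM implementation. Assumptions: the xsd:dateTime pattern is an approximation of Section 3.3.7 of [XML-Schema] (24:00:00 and leap seconds are rejected), integral JSON numbers are accepted as decimals, and the reference resolver is told which path segment is the endpoint name (e.g., "Users") so it can form the base URI the way Section 2.3.7 describes.

```python
# Added example for this page: checks SCIM attribute names against the ABNF
# of Section 2.1 and attribute values against the data types of Section 2.3.
# Not code from the SCIM specification or from any SCIM implementation.
import base64
import binascii
import re
from urllib.parse import urljoin, urlsplit

# ATTRNAME = ALPHA *(nameChar) ; nameChar = "$" / "-" / "_" / DIGIT / ALPHA
# ABNF core rules are US-ASCII, so the class is spelled out explicitly.
ATTRNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9$_-]*$")

# Approximation (assumed) of xsd:dateTime, Section 3.3.7 of XML Schema Part 2:
# a date, the literal 'T', a time, optional fraction, optional zone. Both the
# date and the time are mandatory, as Section 2.3.5 requires.
DATETIME_RE = re.compile(
    r"^-?\d{4,}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])"
    r"T([01]\d|2[0-3]):[0-5]\d:[0-5]\d(\.\d+)?"
    r"(Z|[+-]([01]\d|2[0-3]):[0-5]\d)?$"
)


def is_valid_attr_name(name):
    """True when `name` satisfies the ATTRNAME rule, e.g. 'userName', 'x-ms$_1'."""
    return bool(ATTRNAME_RE.match(name))


def attr_names_equal(a, b):
    """Attribute names are case-insensitive (Section 2.1)."""
    return a.lower() == b.lower()


def check_string(value):
    return isinstance(value, str)


def check_boolean(value):
    return isinstance(value, bool)


def check_integer(value):
    # Python's json module yields int only for JSON numbers with no fraction or
    # exponent; bool is a subclass of int and is excluded explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def check_decimal(value):
    # Any JSON number; integral literals are accepted as decimals (assumption).
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_datetime(value):
    return isinstance(value, str) and DATETIME_RE.match(value) is not None


def check_binary(value, url_safe=False):
    """Base64 per Section 4 of RFC 4648, or base64url per Section 5 when the
    attribute definition says so. Trailing '=' padding MAY be omitted, so it
    is restored before a strict (alphabet-validated) decode."""
    if not isinstance(value, str):
        return False
    alphabet = "A-Za-z0-9_-" if url_safe else "A-Za-z0-9+/"
    if not re.fullmatch(rf"[{alphabet}]*={{0,2}}", value):
        return False
    padded = value + "=" * (-len(value) % 4)
    if url_safe:
        padded = padded.replace("-", "+").replace("_", "/")
    try:
        base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def resolve_reference(value, request_uri, endpoint):
    """Section 2.3.7: a reference is an absolute URI (URNs included) or a URI
    relative to the base formed by everything in the request URI up to, but
    not including, the endpoint segment; for
    'https://example.com/v2/Users/2819c223-...' with endpoint 'Users' the base
    is 'https://example.com/v2/'. Dot segments are removed per RFC 3986 5.2."""
    if not isinstance(value, str) or not value:
        raise ValueError("reference must be a non-empty URI string")
    if urlsplit(value).scheme:
        return value
    parts = urlsplit(request_uri)
    segments = parts.path.split("/")
    if endpoint not in segments:
        raise ValueError(f"endpoint {endpoint!r} not found in {request_uri!r}")
    base_path = "/".join(segments[: segments.index(endpoint)]) + "/"
    return urljoin(f"{parts.scheme}://{parts.netloc}{base_path}", value)


# Dispatch table keyed by the schema "type" values of Table 1.
CHECKERS = {
    "string": check_string, "boolean": check_boolean, "decimal": check_decimal,
    "integer": check_integer, "dateTime": check_datetime, "binary": check_binary,
    "reference": check_string,
}


def check_value(scim_type, value):
    """True when `value` is an acceptable JSON representation of `scim_type`."""
    return CHECKERS[scim_type](value)
```

   Two points worth noting from the code: `check_integer` relies on the JSON parser preserving the distinction between `5` and `5.0`, which Python's `json` module does but some parsers do not, so a server that needs the MUST NOT of Section 2.3.4 enforced should check the number text, not the parsed value; and `resolve_reference` never fetches anything, so the HTTP-addressability requirement of Section 2.3.7 is still the caller's to verify.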
448 A reference URI MUST be to an HTTP addressable resource. An HTTP 449 client performing a GET operation on a reference URI MUST receive the 450 target resource or an appropriate HTTP response code. A SCIM service 451 provider MAY choose to enforce referential integrity for reference 452 types referring to SCIM resources. 454 By convention, a reference is commonly represented as a "$ref" sub- 455 attribute in complex or multi-valued attributes, however this is 456 OPTIONAL. 458 2.3.8. Complex 460 A singular or multi-valued attribute whose value is a composition of 461 one or more simple attributes. The JSON format is defined in 462 Section 4 of [RFC7159]. The order of the component attributes is not 463 significant. Servers and clients MUST NOT require or expect 464 attributes to be in any specific order when an object is either 465 generated or analyzed. A complex attribute has no uniqueness or case 466 sensitivity. A complex attribute MUST NOT contain sub-attributes 467 that have sub-attributes (i.e., that are complex). 469 2.4. Multi-valued Attributes 471 Multi-valued attributes contain a list of elements using the JSON 472 array format defined in Section 5 of [RFC7159]. Elements can be 473 either 475 o primitive values, or 477 o objects with a set of sub-attributes and values, using the JSON 478 object format defined in Section 4 of [RFC7159], in which case 479 they SHALL be considered to be complex attributes. As with 480 complex attributes, the order of sub-attributes is not 481 significant. The pre-defined sub-attributes listed in this 482 section can be used with multi-valued attribute objects but these 483 sub-attributes MUST be used with the meanings defined here. 485 If not otherwise defined, the default set of sub-attributes for a 486 multi-valued attribute are: 488 type 489 A label indicating the attribute's function; e.g., "work" or 490 "home". 
492 primary 493 A Boolean value indicating the 'primary' or preferred attribute 494 value for this attribute, e.g., the preferred mailing address or 495 the primary e-mail address. The primary attribute value "true" 496 MUST appear no more than once. If not specified, the value of 497 "primary" SHALL be assumed to be "false". 499 display 500 A human readable name, primarily used for display purposes and has 501 a mutability of "immutable". 503 value 504 The attribute's significant value; e.g., the e-mail address, phone 505 number, etc. 507 $ref 508 The reference URI of a target resource, if the attribute is a 509 reference. URIs are canonicalized per Section 6.2 of [RFC3986]. 510 While the representation of a resource may vary in different SCIM 511 protocol API versions (see section 3.13 of [I-D.ietf-scim-api]), 512 URI's for SCIM resources with an API version SHALL be considered 513 comparable to one without a version or different version. For 514 example, "https://example.com/Users/12345" is equivalent to 515 "https://example.com/v2/Users/12345". 517 When returning multi-valued attributes, service providers SHOULD 518 canonicalize the value returned (e.g., by returning a value for the 519 sub-attribute "type" such as "home" or "work") when appropriate 520 (e.g., for e-mail addresses and URLs). 522 Service providers MAY return element objects with the same "value" 523 sub-attribute more than once with a different "type" sub-attribute 524 (e.g., the same e-mail address may used for work and home), but 525 SHOULD NOT return the same (type, value) combination more than once 526 per attribute, as this complicates processing by the consumer. 528 When defining schema for multi-valued attributes, it is considered a 529 good practice to provide a type attribute that MAY be used for the 530 purpose of canonicalization of values. In the schema definition for 531 an attribute, the service provider MAY define the recommended 532 canonical values (see Section 7). 534 2.5. 
Unassigned and Null Values 536 Unassigned attributes, the null value, or empty array (in the case of 537 a multi-valued attribute) SHALL be considered to be equivalent in 538 "state". Assigning an attribute with the value "null" or an empty 539 array (in the case of multi-valued attributes) has the effect of 540 making the attribute "unassigned". When a resource is expressed in 541 JSON form, unassigned attributes, though they are defined in schema, 542 MAY be omitted for compactness. 544 3. SCIM Resources 546 Each SCIM resource is a JSON object that has the following 547 components: 549 Resource Type 550 Each resource (or JSON object) in SCIM has a resource type 551 ("meta.resourceType", see Section 3.1) that defines the resource's 552 core attribute schema and any attribute extension schema as well 553 as the endpoint where objects of the same type may be found. More 554 information about a resource MAY be found in its resource type 555 definition (see Section 6). 557 Schemas Attribute 558 The "schemas" attribute is a REQUIRED attribute and is an array of 559 Strings containing URIs which are used to indicate the namespaces 560 of the SCIM schemas that define the attributes present in the 561 current JSON structure. The attribute may be used by parsers to 562 define the attributes present in the JSON structure that is the 563 body to an HTTP Request or Response. Each String value must be a 564 unique URI. All representations of SCIM schemas MUST include a 565 non-empty array with value(s) of the URIs supported by that 566 representation. The schemas attribute for a resource MUST only 567 contain values defined as "schema" and "schemaExtensions" for the 568 resource's defined "resourceType". Duplicate values MUST NOT be 569 included. Value order is not specified and MUST NOT impact 570 behavior. 572 Common Attributes 573 Are attributes that are part of every SCIM resource regardless of 574 the value of the "schemas" attribute present in a JSON body. 
575 These attributes are not defined in any particular schema, but 576 SHALL be assumed to be present in every resource regardless of the 577 value of the "schemas" attribute. See Section 3.1. 579 Core Attributes 580 A resource's core attributes are those attributes that sit at the 581 top level of the JSON object together with the common attributes 582 (such as the resource "id"). The list of valid attributes is 583 specified by the resource's resource type "schema" attribute (see 584 Section 6). This same value is also present in the resource's 585 "schemas" attribute. 587 Extended Attributes 588 Extended schema attributes are specified by the resource's 589 resource type "schemaExtensions" attribute (see Section 6). 590 Unlike core attributes, extended attributes are kept in their own 591 sub-attribute namespace identified by the schema extension URI. 592 This avoids attribute name conflicts that may arise due to 593 conflicts from separate schema extensions. 595 The following example "User" contains the common attributes "id", 596 "externalId", and the complex attribute "meta" which contains the 597 sub-attribute "resourceType". The resource also contains core 598 attributes "userName", "name", as well as extended enterprise user 599 attributes "employeeNumber" and "costCenter" which are contained in 600 their own JSON sub-structure identified by their schema URI. Some 601 values have been omitted (...), shortened or spaced out for clarity. 603 { 604 "schemas": 605 [ "urn:ietf:params:scim:schemas:core:2.0:User", 606 "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"], 608 "id": "2819c223-7f76-453a-413861904646", 609 "externalId": "701984", 611 "userName": "bjensen@example.com", 612 "name": { 613 "formatted": "Ms. Barbara J Jensen III", 614 "familyName": "Jensen", 615 "givenName": "Barbara", 616 "middleName": "Jane", 617 "honorificPrefix": "Ms.", 618 "honorificSuffix": "III" 619 }, 620 ... 
622 "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { 623 "employeeNumber": "701984", 624 "costCenter": "4130", 625 ... 626 }, 628 "meta": { 629 "resourceType": "User", 630 "created": "2010-01-23T04:56:22Z", 631 "lastModified": "2011-05-13T04:42:34Z", 632 "version": "W\/\"3694e05e9dff591\"", 633 "location": 634 "https://example.com/v2/Users/2819c223-7f76-453a-413861904646" 635 } 636 } 638 Figure 2: Example JSON Resource Structure 640 3.1. Common Attributes 642 Each SCIM resource (Users, Groups, etc.) includes the following 643 common attributes. With the exception of "ServiceProviderConfig" and 644 "ResourceType" server discovery endpoints and their associated 645 resources, these attributes MUST be defined for all resources, 646 including any extended resource types. When accepted by a service 647 provider (e.g., after a SCIM create), the attributes "id" and "meta" 648 (and its associated sub-attributes) MUST be assigned values by the 649 service provider. Common attributes are considered to be part of 650 every base resource schema and do not use their own "schemas" URI. 652 For backwards compatibility reasons, some existing schema definitions 653 MAY list common attributes as part of the schema. The attribute 654 characteristics (see Section 2.2) listed here SHALL take precedence 655 over older definitiions that may be included in existing schemas. 657 id 658 A unique identifier for a SCIM resource as defined by the service 659 provider. Each representation of the resource MUST include a non- 660 empty "id" value. This identifier MUST be unique across the SCIM 661 service provider's entire set of resources. It MUST be a stable, 662 non-reassignable identifier that does not change when the same 663 resource is returned in subsequent requests. The value of the 664 "id" attribute is always issued by the service provider and MUST 665 NOT be specified by the client. 
      The string "bulkId" is a reserved keyword and MUST NOT be used within any unique identifier value. The attribute characteristics are "caseExact" as "true", a mutability of "readOnly", and a "returned" characteristic of "always". See Section 9 for additional considerations regarding privacy.

   externalId
      A String that is an identifier for the resource as defined by the provisioning client. The "externalId" may simplify identification of a resource between the provisioning client and the service provider by allowing the client to use a filter to locate the resource with an identifier from the provisioning domain, obviating the need to store a local mapping between the provisioning domain's identifier of the resource and the identifier used by the service provider. Each resource MAY include a non-empty "externalId" value. The value of the "externalId" attribute is always issued by the provisioning client and MUST NOT be specified by the service provider. The service provider MUST always interpret the externalId as scoped to the provisioning domain. While the server does not enforce uniqueness, it is assumed that the value's uniqueness is controlled by the client setting the value. See Section 9 for additional considerations regarding privacy. The attribute has "caseExact" as "true" and has a mutability of "readWrite". The attribute is OPTIONAL.

   meta
      A complex attribute containing resource metadata. All meta sub-attributes are assigned by the service provider (they have a "mutability" of "readOnly"), and all sub-attributes have the characteristic "returned" by "default". The attribute SHALL be ignored when provided by clients:

      resourceType
         The name of the resource type of the resource. This attribute has mutability of "readOnly" and has "caseExact" as "true".

      created
         The DateTime the resource was added to the service provider.
         The attribute MUST be a DateTime.

      lastModified
         The most recent DateTime the details of this resource were updated at the service provider. If this resource has never been modified since its initial creation, the value MUST be the same as the value of "created".

      location
         The URI of the resource being returned. This value MUST be the same as the "Content-Location" HTTP response header (see Section 3.1.4.2 of [RFC7231]).

      version
         The version of the resource being returned. This value must be the same as the ETag HTTP response header (see Sections 2.1 and 2.3 of [RFC7232]). The attribute has "caseExact" as "true". Service provider support for this attribute is optional and subject to the service provider's support for versioning (see "Versioning Resources", Section 3.14 of [I-D.ietf-scim-api]). If a service provider provides "version" (entity-tag) for a representation and the generation of that entity-tag does not satisfy all of the characteristics of a strong validator (see Section 2.1 of [RFC7232]), then the origin server MUST mark the "version" (entity-tag) as weak by prefixing its opaque value with "W/" (case-sensitive).

3.2. Defining New Resource Types

   SCIM may be extended to define new classes of resources by defining a resource type. Each resource type defines the name, endpoint, base schema (the attributes), and any schema extensions registered for use with the resource type. In order to offer new types of resources, a service provider defines the new resource type as specified in Section 6 and defines a schema representation (see Section 8.7).

3.3. Attribute Extensions to Resources

   SCIM allows resource types to have extensions in addition to their core schema. This is similar to how "ObjectClasses" are used in LDAP [RFC4512]. However, unlike LDAP, there is no inheritance model; all extensions are additive (similar to the LDAP Auxiliary Object Class).
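   The rules of Sections 3.1 and 3.3 put real obligations on a service provider: "id" and "meta" are issued by the server and anything the client sends for them is ignored, "bulkId" never appears in an identifier, "version" is an entity-tag that is marked weak unless it is a strong validator, and every extension listed in "schemas" lives in its own URI-keyed container. The following Python is an added example of those checks and is not code from the draft; the ResourceType dictionary is a constructed stand-in for the Figure 8 representation of Section 6, and BASE_URL and the sample payload are assumptions.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

BASE_URL = "https://example.com/v2"  # assumption: the service provider's base URL
ENTERPRISE_URI = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed stand-in for the "ResourceType" resource of Section 6: it names
# the base schema and the registered extensions, which is how a server tells
# which value of "schemas" is the base schema and which are extensions.
USER_RESOURCE_TYPE = {
    "name": "User",
    "endpoint": "/Users",
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "schemaExtensions": [{"schema": ENTERPRISE_URI, "required": False}],
}


def check_schemas(resource, resource_type):
    """List the problems with a resource's "schemas" bookkeeping (Section 3.3)."""
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        return ['"schemas" MUST contain at least one value']
    base = resource_type["schema"]
    extensions = {e["schema"]: e["required"] for e in resource_type["schemaExtensions"]}
    problems = []
    if base not in schemas:
        problems.append('base schema %s missing from "schemas"' % base)
    for uri in schemas:
        if uri == base:
            continue
        if uri not in extensions:
            problems.append("unknown schema %s for resource type %s" % (uri, resource_type["name"]))
        elif not isinstance(resource.get(uri), dict):
            # Extension attributes live in a container keyed by the extension
            # URI, never at the top level next to the core attributes.
            problems.append("extension %s listed but has no JSON container" % uri)
    for uri, required in extensions.items():
        if required and uri not in schemas:
            problems.append("required extension %s missing" % uri)
    return problems


def issue_id():
    """Server-issued identifier; "bulkId" is reserved and MUST NOT appear in one."""
    new_id = str(uuid.uuid4())
    if "bulkId" in new_id:
        raise RuntimeError("reserved keyword in identifier")
    return new_id


def timestamp(now=None):
    return (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")


def entity_tag(attributes):
    """Strong entity-tag: a hash of the canonical JSON of the stored attributes
    ("meta" excluded), so it changes exactly when the resource content changes.
    A tag that is not a strong validator would have to carry the W/ prefix."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return '"%s"' % hashlib.sha256(canonical).hexdigest()[:16]


def accept_create(payload, resource_type, now=None):
    """Stored representation for a SCIM create (Section 3.1): "id" and "meta" are
    issued by the service provider; client-supplied values for them are discarded."""
    problems = check_schemas(payload, resource_type)
    if problems:
        raise ValueError("; ".join(problems))
    stored = {k: v for k, v in payload.items() if k not in ("id", "meta")}
    stored["id"] = issue_id()
    when = timestamp(now)
    stored["meta"] = {
        "resourceType": resource_type["name"],
        "created": when,
        "lastModified": when,  # not modified since creation, so equal to "created"
        "version": entity_tag(stored),
        "location": "%s%s/%s" % (BASE_URL, resource_type["endpoint"], stored["id"]),
    }
    return stored


def accept_replace(stored, payload, resource_type, now=None):
    """Apply a PUT: client "id"/"meta" are ignored, "created" is kept, and the
    service provider refreshes "lastModified" and "version"."""
    problems = check_schemas(payload, resource_type)
    if problems:
        raise ValueError("; ".join(problems))
    updated = {k: v for k, v in payload.items() if k not in ("id", "meta")}
    updated["id"] = stored["id"]
    updated["meta"] = dict(stored["meta"], lastModified=timestamp(now), version=entity_tag(updated))
    return updated


# Constructed client payload: it smuggles in an "id" and a "meta" that the
# server must ignore, and carries the enterprise attributes in their container.
SAMPLE_CREATE = {
    "schemas": [USER_RESOURCE_TYPE["schema"], ENTERPRISE_URI],
    "id": "client-chosen-id",
    "meta": {"resourceType": "Group"},
    "externalId": "701984",
    "userName": "bjensen@example.com",
    ENTERPRISE_URI: {"employeeNumber": "701984", "costCenter": "4130"},
}
```

   Discarding the client's "id" and "meta" outright, rather than rejecting the request, matches the draft's "SHALL be ignored when provided by clients"; the schema check, by contrast, is an error, because an extension named in "schemas" without its container (or an extension the resource type never registered) is a malformed resource rather than an ignorable hint.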
   Each value in the "schemas" attribute indicates an additive schema that MAY exist in a SCIM resource representation. The "schemas" attribute MUST contain at least one value, which SHALL be the base schema for the resource. The "schemas" attribute MAY contain additional values indicating extended schemas that are in use. Schema extensions SHOULD avoid redefining any attributes defined in this specification and SHOULD follow conventions defined in this specification. Except for the base object schema, the schema extension URI SHALL be used as a JSON container to distinguish attributes belonging to the extension namespace from base schema attributes. See Figure 5 for an example of the JSON representation of an extended User.

   In order to determine which URI value in the "schemas" attribute is the base schema and which is an extended schema for any given resource, the resource's "resourceType" attribute value MAY be used to retrieve the resource's "ResourceType" schema (see Section 6). See also the example "ResourceType" representation in Figure 8.

4. SCIM Core Resources and Extensions

   This section defines the default resource schemas present in a SCIM server. SCIM is not exclusive to these resources and may be extended to support other resource types (see Section 3.2).

4.1. User Resource Schema

   SCIM provides a resource type for "User" resources. The core schema for "User" is identified using the URI "urn:ietf:params:scim:schemas:core:2.0:User". The following attributes are defined in addition to the common attributes:

4.1.1. Singular Attributes

   userName
      A service provider unique identifier for the user, typically used by the user to directly authenticate to the service provider.
      Often displayed to the user as their unique identifier within the system (as opposed to "id" or "externalId", which are generally opaque and not user-friendly identifiers). Each User MUST include a non-empty userName value. This identifier MUST be unique across the service provider's entire set of Users. The attribute is REQUIRED and is case-insensitive.

   name
      The components of the user's name. Service providers MAY return just the full name as a single string in the "formatted" sub-attribute, or they MAY return just the individual component attributes using the other sub-attributes, or they MAY return both. If both variants are returned, they SHOULD be describing the same name, with the formatted name indicating how the component attributes should be combined.

      formatted
         The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g., "Ms. Barbara Jane Jensen, III.").

      familyName
         The family name of the User, or last name in most Western languages (e.g., "Jensen" given the full name "Ms. Barbara Jane Jensen, III.").

      givenName
         The given name of the User, or first name in most Western languages (e.g., "Barbara" given the full name "Ms. Barbara Jane Jensen, III.").

      middleName
         The middle name(s) of the User (e.g., "Jane" given the full name "Ms. Barbara Jane Jensen, III.").

      honorificPrefix
         The honorific prefix(es) of the User, or title in most Western languages (e.g., "Ms." given the full name "Ms. Barbara Jane Jensen, III.").

      honorificSuffix
         The honorific suffix(es) of the User, or suffix in most Western languages (e.g., "III." given the full name "Ms. Barbara Jane Jensen, III.").

   displayName
      The name of the user, suitable for display to end-users. Each user returned MAY include a non-empty displayName value.
      The name SHOULD be the full name of the User being described if known (e.g., "Babs Jensen" or "Ms. Barbara J Jensen, III"), but MAY be a username or handle if that is all that is available (e.g., "bjensen"). The value provided SHOULD be the primary textual label by which this User is normally displayed by the service provider when presenting it to end-users.

   nickName
      The casual way to address the user in real life, e.g., "Bob" or "Bobby" instead of "Robert". This attribute SHOULD NOT be used to represent a User's username (e.g., "bjensen" or "mpepperidge").

   profileUrl
      A URI that is a uniform resource locator (as defined in Section 1.1.3 of [RFC3986]) that points to a location representing the user's online profile (e.g., a web page). URIs are canonicalized per Section 6.2 of [RFC3986].

   title
      The user's title, such as "Vice President".

   userType
      Used to identify the organization-to-user relationship. Typical values used might be "Contractor", "Employee", "Intern", "Temp", "External", and "Unknown", but any value may be used.

   preferredLanguage
      Indicates the user's preferred written or spoken languages and is generally used for selecting a localized User interface. The value indicates the set of natural languages that are preferred. The format of the value is the same as the Accept-Language header field (not including "Accept-Language:") of HTTP and is specified in Section 5.3.5 of [RFC7231]. The intent of this value is to enable cloud applications to perform matching of language tags [RFC4647] to the user's language preferences regardless of what may be indicated by a user agent (which might be shared), or in a non-user-present interaction (such as in a delegated OAuth 2.0 [RFC6749] style interaction) where normal HTTP Accept-Language header negotiation cannot take place.
   locale
      Used to indicate the User's default location for purposes of localizing items such as currency, date/time format, numerical representations, etc. A valid value is a language tag as defined in [RFC5646]. Computer languages are explicitly excluded.

      A language tag is a sequence of one or more case-insensitive sub-tags, each separated by a hyphen character ("-", %x2D). For backwards compatibility reasons, servers MAY accept tags separated by an underscore character ("_", %x5F). In most cases, a language tag consists of a primary language sub-tag that identifies a broad family of related languages (e.g., "en" = English), which is optionally followed by a series of sub-tags that refine or narrow that language's range (e.g., "en-CA" = the variety of English as communicated in Canada). Whitespace is not allowed within a language tag. Example tags include:

         fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN

      See [RFC5646] for further information.

   timezone
      The User's time zone in IANA Time Zone database format [RFC6557], also known as the "Olson" time zone database format [Olson-TZ]; for example, "America/Los_Angeles".

   active
      A Boolean value indicating the user's administrative status. The definitive meaning of this attribute is determined by the service provider. As a typical example, a value of true implies the user is able to log in, while a value of false implies the user's account has been suspended.

   password
      This attribute is intended to be used as a means to set, replace, or compare (i.e., filter for equality) a password. The clear-text value or the hashed value of a password SHALL NOT be returnable by a service provider. If a service provider holds the value locally, the value SHOULD be hashed.
      When a password is set or changed by the client, the clear-text password SHOULD be processed by the service provider as follows:

      *  Prepare the clear-text value for international language comparison. See Section 7.7 of [I-D.ietf-scim-api].

      *  Validate the value against the server password policy. Note: the definition and enforcement of password policy is beyond the scope of this document.

      *  Encrypt the value (e.g., hash it). See Section 9.2 for acceptable hashing and encryption handling when storing or persisting for provisioning workflow reasons.

      A service provider that immediately passes the clear-text value on to another system or programming interface MUST pass the value directly over a secured connection (e.g., TLS). If the value needs to be temporarily persisted for a period of time (e.g., because of a workflow) before provisioning, then the value MUST be protected by some method such as encryption.

      Testing for an equality match MAY be supported if there is an existing stored hashed value. When testing for equality, the service provider:

      *  Prepares the filter value for international language comparison. See Section 7.7 of [I-D.ietf-scim-api].

      *  Generates the salted hash of the filter value and tests for a match with the locally held value.

      The mutability of the password attribute is "writeOnly", indicating the value MUST NOT be returned by a service provider in any form (the attribute characteristic "returned" is "never").

4.1.2. Multi-valued Attributes

   The following multi-valued attributes are defined.

   emails
      E-mail addresses for the User. The value SHOULD be specified according to [RFC5321]. Service providers SHOULD canonicalize the value according to [RFC5321], e.g., "bjensen@example.com" instead of "bjensen@EXAMPLE.COM".
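   The password procedure of Section 4.1.1 (prepare, check policy, hash; re-hash for an equality filter; never return the value) and the e-mail canonicalization just described, as an added Python example that is not code from the draft. PBKDF2-HMAC-SHA256 with a random salt is an assumed choice standing in for whatever Section 9.2 accepts, the NFC normalization is an approximation of the string preparation that Section 7.7 of the protocol draft refers to, the password policy is hypothetical, and the sample request is constructed.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumption: PBKDF2-HMAC-SHA256 with a random 16-byte salt stands in for the
# hashing that Section 9.2 of the draft accepts; the draft names no algorithm.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def prepare(value):
    """Step 1: prepare the clear text for international comparison.

    Section 7.7 of the SCIM protocol draft covers string preparation for
    passwords; this stand-in applies Unicode NFC normalization so that the same
    password typed with composed or decomposed characters hashes identically.
    It approximates that preparation and is not the profile itself.
    """
    if not isinstance(value, str):
        raise TypeError("password must be a string")
    return unicodedata.normalize("NFC", value)


def check_policy(password):
    """Step 2: a hypothetical policy; the draft leaves policy out of scope."""
    if len(password) < 12:
        raise ValueError("password policy: at least 12 characters")
    if password != password.strip():
        raise ValueError("password policy: no leading or trailing whitespace")


def hash_password(clear_text, salt=None):
    """Step 3: the stored form is the salt plus the PBKDF2 digest, never the clear text."""
    prepared = prepare(clear_text)
    check_policy(prepared)
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", prepared.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def password_equals(stored, filter_value):
    """Equality filter (password eq "..."): prepare the filter value, re-hash it
    with the stored salt, and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", prepare(filter_value).encode("utf-8"), stored["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored["digest"])


def representation(user):
    """Response form of a User: "password" is writeOnly / returned "never", so it
    is dropped whether it holds a clear text or a hash."""
    return {k: v for k, v in user.items() if k != "password"}


def canonicalize_email(value):
    """The RFC 5321 canonicalization the "emails" text describes: the domain is
    case-insensitive and is lowercased; the local part is kept as sent because
    RFC 5321 permits it to be case-sensitive."""
    local, sep, domain = value.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an addr-spec: %r" % value)
    return "%s@%s" % (local, domain.lower())


# Constructed sample create request: clear-text password, upper-case mail domain.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "bjensen@example.com",
    "password": "correct horse battery staple",
    "emails": [{"value": "bjensen@EXAMPLE.COM", "type": "work"}],
}


def store_user(request):
    """Accept a create: hash the password once and canonicalize the e-mails; the
    clear text is not retained anywhere in the stored record."""
    stored = dict(request)
    stored["password"] = hash_password(request["password"])
    stored["emails"] = [dict(e, value=canonicalize_email(e["value"])) for e in request["emails"]]
    return stored
```

   Two practitioner notes on the design: the filter comparison uses a constant-time digest comparison because a timing difference would leak how much of the hash matched, and a service provider that does support the equality filter has turned its query endpoint into an online password-guessing interface, so it deserves the same rate limiting and audit logging as the login path.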
      The "display" sub-attribute MAY be used to return the canonicalized representation of the e-mail value. The "type" sub-attribute is used to provide a classification meaningful to the (human) user. The user interface should encourage the use of the basic values "work", "home", and "other", and MAY allow additional type values to be used at the discretion of SCIM clients.

   phoneNumbers
      Phone numbers for the user. The value SHOULD be specified according to the format in [RFC3966], e.g., 'tel:+1-201-555-0123'. Service providers SHOULD canonicalize the value according to the [RFC3966] format, when appropriate. The "display" sub-attribute MAY be used to return the canonicalized representation of the phone number value. The sub-attribute "type" often has typical values of "work", "home", "mobile", "fax", "pager", and "other", and MAY allow more types to be defined by SCIM clients.

   ims
      Instant messaging addresses for the user. No official canonicalization rules exist for all instant messaging addresses, but service providers SHOULD, when appropriate, remove all whitespace and convert the address to lowercase. The "type" sub-attribute SHOULD take one of the following values: "aim", "gtalk", "icq", "xmpp", "msn", "skype", "qq", "yahoo", and "other", representing currently popular IM services at the time of writing. Service providers MAY add further values if new IM services are introduced and MAY specify more detailed canonicalization rules for each possible value.

   photos
      A URI that is a uniform resource locator (as defined in Section 1.1.3 of [RFC3986]) that points to a resource location representing the user's image. The resource MUST be a file (e.g., a GIF, JPEG, or PNG image file) rather than a web page containing an image.
      Service providers MAY return the same image at different sizes, though it is recognized that no standard for describing images of various sizes currently exists. Note that this attribute SHOULD NOT be used to send down arbitrary photos taken by this user, but specifically profile photos of the user suitable for display when describing the user. Instead of the standard canonical values for type, this attribute defines the following canonical values to represent popular photo sizes: "photo", "thumbnail".

   addresses
      A physical mailing address for this user. Canonical type values are "work", "home", and "other". The value attribute is a complex type with the following sub-attributes. All sub-attributes are OPTIONAL.

      formatted
         The full mailing address, formatted for display or use with a mailing label. This attribute MAY contain newlines.

      streetAddress
         The full street address component, which may include house number, street name, P.O. box, and multi-line extended street address information. This attribute MAY contain newlines.

      locality
         The city or locality component.

      region
         The state or region component.

      postalCode
         The zip code or postal code component.

      country
         The country name component. When specified, the value MUST be in ISO 3166-1 alpha-2 "short" code format [ISO3166]; e.g., the United States and Sweden are "US" and "SE", respectively.

   groups
      A list of groups that the user belongs to, either through direct membership, nested groups, or dynamically calculated. The values are meant to enable expression of common group- or role-based access control models, although no explicit authorization model is defined. It is intended that the semantics of group membership and any behavior or authorization granted as a result of membership are defined by the service provider.
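   Because "groups" may reflect nested Group resources, a service provider has to walk the Group graph to fill it in, labelling each entry with the "direct" or "indirect" canonical type that this attribute defines. The Python below is an added example, not code from the draft, of that computation; it terminates even when nested groups reference each other in a cycle, which is the case a naive recursive walk loops on. The Group resources, their "id" values and BASE_URL are constructed; members without a "type" are assumed to be Users.

```python
BASE_URL = "https://example.com/v2"  # assumption: the service provider's base URL

# Constructed Group resources keyed by "id". "Platform" is nested in
# "Engineering" and also lists "Engineering" as a member, forming a cycle.
GROUPS = {
    "grp-eng": {
        "displayName": "Engineering",
        "members": [
            {"value": "user-bjensen", "type": "User"},
            {"value": "grp-platform", "type": "Group"},
        ],
    },
    "grp-platform": {
        "displayName": "Platform",
        "members": [
            {"value": "user-jsmith", "type": "User"},
            {"value": "grp-eng", "type": "Group"},  # cycle back to Engineering
        ],
    },
    "grp-all": {
        "displayName": "All Staff",
        "members": [{"value": "grp-eng", "type": "Group"}],
    },
}


def parent_index(groups):
    """Map each group id to the ids of the groups that list it directly as a member."""
    parents = {gid: set() for gid in groups}
    for gid, group in groups.items():
        for member in group.get("members", []):
            if member.get("type") == "Group" and member["value"] in groups:
                parents[member["value"]].add(gid)
    return parents


def user_groups(user_id, groups):
    """Compute a User's read-only "groups" attribute with "direct"/"indirect" types.

    Direct membership: the User's "id" appears in the Group's "members".
    Indirect membership: reached by following the groups that contain a direct
    group, transitively.  The visited set makes the walk terminate on cycles.
    A group that is both direct and reachable indirectly is reported once, as
    "direct", since that is the membership a client is allowed to change.
    """
    parents = parent_index(groups)
    direct = {
        gid for gid, group in groups.items()
        if any(m.get("type", "User") == "User" and m["value"] == user_id
               for m in group.get("members", []))
    }
    indirect, visited, frontier = set(), set(direct), list(direct)
    while frontier:
        gid = frontier.pop()
        for parent in parents[gid]:
            if parent not in visited:
                visited.add(parent)
                indirect.add(parent)
                frontier.append(parent)
    return [
        {
            "value": gid,
            "$ref": "%s/Groups/%s" % (BASE_URL, gid),
            "display": groups[gid]["displayName"],
            "type": "direct" if gid in direct else "indirect",
        }
        for gid in sorted(direct | indirect)
    ]
```

   The "value" and "$ref" sub-attributes are filled from the Group's "id" exactly as the text requires when a Group resource is exposed; since the attribute is "readOnly" on the User, a server that receives "groups" in a PUT or PATCH on a User ignores it and recomputes the attribute from the Group resources instead.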
      The canonical types "direct" and "indirect" are defined to describe how the group membership was derived. Direct group membership indicates the user is directly associated with the group and SHOULD indicate that clients may modify membership through the "Group" resource. Indirect membership indicates user membership is transitive or dynamic and implies that clients cannot modify indirect group membership through the "Group" resource, but MAY modify direct group membership through the "Group" resource, which may influence indirect memberships. If the SCIM service provider exposes a Group resource, the "value" sub-attribute MUST be the "id" and the "$ref" sub-attribute must be the URI of the corresponding "Group" resources to which the user belongs. Since this attribute has a mutability of "readOnly", group membership changes MUST be applied via the Group resource (Section 4.2).

   entitlements
      A list of entitlements for the user that represent a thing the user has. An entitlement may be an additional right to a thing, object, or service. No vocabulary or syntax is specified, and service providers and clients are expected to encode sufficient information in the value so as to accurately and without ambiguity determine what the user has access to. This value has no canonical types, though type may be useful as a means to scope entitlements.

   roles
      A list of roles for the user that collectively represent who the user is; e.g., "Student", "Faculty". No vocabulary or syntax is specified, though it is expected that a role value is a String or label representing a collection of entitlements. This value has no canonical types.

   x509Certificates
      A list of certificates associated with the resource (e.g., a User).
      Each value contains exactly one DER-encoded X.509 certificate (see Section 4 of [RFC5280]), which MUST be base64 encoded per Section 4 of [RFC4648]. A single value MUST NOT contain multiple certificates and so does not contain the encoding "SEQUENCE OF Certificate" in any guise.

4.2. Group Resource Schema

   SCIM provides a schema for representing groups, identified using the following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group".

   Group resources are meant to enable expression of common group- or role-based access control models, although no explicit authorization model is defined. It is intended that the semantics of group membership and any behavior or authorization granted as a result of membership are defined by the service provider and are considered out of scope for this specification.

   The following singular attribute is defined in addition to the common attributes defined in the SCIM core schema:

   displayName
      A human-readable name for the Group. REQUIRED.

   The following multi-valued attribute is defined in addition to the common attributes defined in the SCIM core schema:

   members
      A list of members of the Group. While values MAY be added or removed, sub-attributes of members are "immutable". The "value" sub-attribute contains the value of an "id" attribute of a SCIM resource, and the "$ref" sub-attribute must be the URI of a SCIM resource such as a "User" or a "Group". The intention of the "Group" type is to allow the service provider to support nested groups. Service providers MAY require clients to provide a non-empty value by setting the "required" attribute characteristic of a sub-attribute of the "members" attribute in the "Group" resource schema.

4.3. Enterprise User Schema Extension

   The following SCIM extension defines attributes commonly used in representing users that belong to, or act on behalf of, a business or enterprise. The enterprise user extension is identified using the following schema URI: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User".

   The following singular attributes are defined:

   employeeNumber
      A string identifier, typically numeric or alphanumeric, assigned to a person, typically based on order of hire or association with an organization.

   costCenter
      Identifies the name of a cost center.

   organization
      Identifies the name of an organization.

   division
      Identifies the name of a division.

   department
      Identifies the name of a department.

   manager
      The user's manager. A complex type that optionally allows service providers to represent organizational hierarchy by referencing the "id" attribute of another User.

      value
         The "id" of the SCIM resource representing the user's manager. RECOMMENDED.

      $ref
         The URI of the SCIM resource representing the User's manager. RECOMMENDED.

      displayName
         The displayName of the user's manager. This attribute is OPTIONAL, and its mutability is "readOnly".

5. Service Provider Configuration Schema

   SCIM provides a schema for representing the service provider's configuration, identified using the following schema URI: "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig".

   The service provider configuration resource enables a service provider to advertise, in a standardized form, which SCIM specification features it supports, as well as to provide additional implementation details to clients. All attributes have a mutability of "readOnly". Unlike other core resources, the "id" attribute is not required for the service provider configuration resource.
   The following singular attributes are defined in addition to the common attributes defined in the core schema:

   documentationUrl
      An HTTP-addressable URL pointing to the service provider's human-consumable help documentation. OPTIONAL.

   patch
      A complex type that specifies PATCH configuration options. REQUIRED. See Section 3.5.2 of [I-D.ietf-scim-api].

      supported
         Boolean value specifying whether the operation is supported. REQUIRED.

   bulk
      A complex type that specifies Bulk configuration options. See Section 3.7 of [I-D.ietf-scim-api]. REQUIRED.

      supported
         Boolean value specifying whether the operation is supported. REQUIRED.

      maxOperations
         An integer value specifying the maximum number of operations. REQUIRED.

      maxPayloadSize
         An integer value specifying the maximum payload size in bytes. REQUIRED.

   filter
      A complex type that specifies FILTER options. REQUIRED. See Section 3.4.2.2 of [I-D.ietf-scim-api].

      supported
         Boolean value specifying whether the operation is supported. REQUIRED.

      maxResults
         Integer value specifying the maximum number of resources returned in a response. REQUIRED.

   changePassword
      A complex type that specifies Change Password configuration options. REQUIRED.

      supported
         Boolean value specifying whether the operation is supported. REQUIRED.

   sort
      A complex type that specifies Sort configuration options. REQUIRED.

      supported
         Boolean value specifying whether sorting is supported. REQUIRED.

   etag
      A complex type that specifies ETag configuration options. REQUIRED.

      supported
         Boolean value specifying whether the operation is supported. REQUIRED.

   The following multi-valued attribute is defined in addition to the common attributes defined in the core schema:

   authenticationSchemes
      A complex type that specifies supported authentication scheme properties.
      This attribute defines the following canonical values to represent common schemes: "oauth", "oauth2", "oauthbearertoken", "httpbasic", and "httpdigest". To enable seamless discovery of configuration, the service provider SHOULD, with the appropriate security considerations, make the authenticationSchemes attribute publicly accessible without prior authentication. REQUIRED.

      name
         The common authentication scheme name; e.g., HTTP Basic. REQUIRED.

      description
         A description of the authentication scheme. REQUIRED.

      specUrl
         An HTTP-addressable URL pointing to the authentication scheme's specification. OPTIONAL.

      documentationUrl
         An HTTP-addressable URL pointing to the authentication scheme's usage documentation. OPTIONAL.

6. ResourceType Schema

   The "ResourceType" schema specifies the metadata about a resource type. Resource type resources are READ-ONLY and identified using the following schema URI: "urn:ietf:params:scim:schemas:core:2.0:ResourceType". Unlike other core resources, all attributes are REQUIRED unless otherwise specified. The "id" attribute is not required for the resource type resource.

   The following singular attributes are defined:

   id
      The resource type's server-unique id. Often this is the same value as the "name" attribute. OPTIONAL.

   name
      The resource type name. When applicable, service providers MUST specify the name specified in the core schema specification; e.g., "User" or "Group". This name is referenced by the "meta.resourceType" attribute in all resources. REQUIRED.

   description
      The resource type's human-readable description. When applicable, service providers MUST specify the description specified in the core schema specification. OPTIONAL.

   endpoint
      The resource type's HTTP-addressable endpoint relative to the Base URL of the service provider; e.g., "Users".
      REQUIRED.

   schema
      The resource type's primary/base schema URI; e.g., "urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal to the "id" attribute of the associated "Schema" resource. REQUIRED.

   schemaExtensions
      A list of URIs of the resource type's schema extensions. OPTIONAL.

      schema
         The URI of an extended schema; e.g., "urn:edu:2.0:Staff". This MUST be equal to the "id" attribute of a "Schema" resource. REQUIRED.

      required
         A Boolean value that specifies whether the schema extension is required for the resource type. If true, a resource of this type MUST include this schema extension and include any attributes declared as required in this schema extension. If false, a resource of this type MAY omit this schema extension. REQUIRED.

7. Schema Definition

   This section defines a way to specify the schema in use by resources available and accepted by a SCIM service provider. For each "schemas" URI value, this schema specifies the defined attribute(s) and their characteristics (mutability, returnability, etc.). For every schema URI used in a resource object, there is a corresponding "Schema" resource. "Schema" resources are not modifiable, and their associated attributes have a mutability of "readOnly". Except for "id" (which is always returned), all attributes have a "returned" characteristic of "default". Unless otherwise specified, all schema attributes are case-insensitive. These resources have a "schemas" attribute with the following schema URI:

      urn:ietf:params:scim:schemas:core:2.0:Schema

   Unlike other core resources, the "Schema" resource MAY contain a complex object within a sub-attribute, and all attributes are REQUIRED unless otherwise specified.

   The following singular attributes are defined:

   id
      The unique URI of the schema.
      When applicable, service providers MUST specify the URI specified in the core schema specification; e.g., "urn:ietf:params:scim:schemas:core:2.0:User". Unlike most other schemas, which use some sort of a GUID for the "id", the schema "id" is a URI so that it can be registered and is portable between different service providers and clients. REQUIRED.

   name
      The schema's human-readable name. When applicable, service providers MUST specify the name specified in the core schema specification; e.g., "User" or "Group". OPTIONAL.

   description
      The schema's human-readable description. When applicable, service providers MUST specify the description specified in the core schema specification. OPTIONAL.

   The following multi-valued attribute is defined:

   attributes
      A complex type with the following set of sub-attributes that defines service provider attributes and their qualities:

      name
         The attribute's name.

      type
         The attribute's data type. Valid values are "string", "boolean", "decimal", "integer", "dateTime", "reference", and "complex". When an attribute is of type "complex", there SHOULD be a corresponding schema attribute "subAttributes" defined, listing the sub-attributes of the attribute.

      subAttributes
         When an attribute is of type "complex", "subAttributes" defines the set of sub-attributes. "subAttributes" has the same schema sub-attributes as "attributes".

      multiValued
         Boolean value indicating the attribute's plurality.

      description
         The attribute's human-readable description. When applicable, service providers MUST specify the description specified in the core schema specification.

      required
         A Boolean value that specifies if the attribute is required.

      canonicalValues
         A collection of suggested canonical values that MAY be used. Example: "work" and "home".
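   The "attributes" sub-attributes defined so far (name, type, subAttributes, multiValued, required, canonicalValues) are enough to drive input validation: a service provider can check every incoming resource body against the "Schema" resource instead of trusting the client's JSON shape. The following Python is an added example of that and is not code from the draft. The attribute list is a constructed subset of the core User schema, names are matched case-insensitively because Section 7 says schema attributes are case-insensitive, a value outside "canonicalValues" is reported as a warning rather than an error since canonical values are only suggestions, and the sample bodies are constructed ("isAdmin" is a hypothetical attribute that no schema declares).

```python
# Constructed subset of the core User schema's "attributes" list (Section 7);
# the real "Schema" resource carries many more entries and the "description"
# sub-attributes are omitted here.
USER_SCHEMA_ATTRIBUTES = [
    {"name": "userName", "type": "string", "multiValued": False, "required": True},
    {"name": "active", "type": "boolean", "multiValued": False, "required": False},
    {"name": "name", "type": "complex", "multiValued": False, "required": False,
     "subAttributes": [
         {"name": "givenName", "type": "string", "multiValued": False, "required": False},
         {"name": "familyName", "type": "string", "multiValued": False, "required": False}]},
    {"name": "emails", "type": "complex", "multiValued": True, "required": False,
     "subAttributes": [
         {"name": "value", "type": "string", "multiValued": False, "required": True},
         {"name": "type", "type": "string", "multiValued": False, "required": False,
          "canonicalValues": ["work", "home", "other"]}]},
]

# Common attributes (Section 3.1) are part of every base schema without being
# listed in "attributes", so they pass through untouched at the top level.
COMMON_ATTRIBUTES = {"schemas", "id", "externalId", "meta"}


def check_type(value, attr_type):
    """Map a schema "type" keyword onto the JSON value actually received."""
    if attr_type == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if attr_type == "decimal":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if attr_type == "boolean":
        return isinstance(value, bool)
    if attr_type == "complex":
        return isinstance(value, dict)
    return isinstance(value, str)  # string, dateTime and reference are JSON strings


def validate(obj, attributes, path="", top_level=True):
    """Return (errors, warnings) for obj checked against schema attribute definitions.

    Names match case-insensitively, "subAttributes" are checked recursively, and
    a value outside "canonicalValues" is only a warning.
    """
    errors, warnings = [], []
    by_name = {a["name"].lower(): a for a in attributes}
    for key, value in obj.items():
        if top_level and key in COMMON_ATTRIBUTES:
            continue
        attr = by_name.get(key.lower())
        if attr is None:
            # Undefined attributes are rejected rather than stored, so a client
            # cannot smuggle in attributes the schema never declared.
            errors.append("%s%s: not defined in schema" % (path, key))
            continue
        if att := None:  # placeholder never taken; keeps older linters quiet
            pass
        if attr.get("multiValued"):
            if not isinstance(value, list):
                errors.append("%s%s: multi-valued attribute must be a JSON array" % (path, key))
                continue
            values = value
        else:
            values = [value]
        for v in values:
            if not check_type(v, attr["type"]):
                errors.append("%s%s: expected %s" % (path, key, attr["type"]))
            elif attr["type"] == "complex":
                sub_errors, sub_warnings = validate(v, attr.get("subAttributes", []), path + key + ".", False)
                errors.extend(sub_errors)
                warnings.extend(sub_warnings)
            elif "canonicalValues" in attr and v not in attr["canonicalValues"]:
                warnings.append("%s%s: %r is not a canonical value" % (path, key, v))
    present = {k.lower() for k in obj}
    for attr in attributes:
        if attr.get("required") and attr["name"].lower() not in present:
            errors.append("%s%s: required attribute missing" % (path, attr["name"]))
    return errors, warnings


# Constructed sample bodies: one well-formed, one with the mistakes a server
# should reject ("isAdmin" is a hypothetical attribute no schema declares).
VALID_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "bjensen@example.com",
    "active": True,
    "name": {"givenName": "Barbara", "familyName": "Jensen"},
    "emails": [{"value": "bjensen@example.com", "type": "work"}],
}
BAD_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "active": "yes",                                       # wrong JSON type
    "name": {"givenName": "Barbara", "nickname": "Babs"},  # undefined sub-attribute
    "emails": {"value": "bjensen@example.com"},            # multi-valued sent as an object
    "isAdmin": True,                                       # attribute not in the schema
}
```

   Rejecting undefined attributes is the check that matters most in practice: a server that stores whatever keys arrive and later reads them back with server-side meaning has a mass-assignment problem, and the schema is the only authoritative list of what a client may set.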
         In some cases, service providers MAY choose to ignore unsupported values. The use of canonicalValues is OPTIONAL.

      caseExact
         A Boolean value that specifies if the String attribute is case-sensitive. The server SHALL use case sensitivity when evaluating filters. For attributes that are case exact, the server SHALL preserve case for any value submitted. If the attribute is case-insensitive, the server MAY alter case for a submitted value. Case sensitivity also impacts how attribute values MAY be compared against filter values (see Section 3.4.2.2 of [I-D.ietf-scim-api]).

      mutability
         A single keyword indicating the circumstances under which the value of the attribute can be (re)defined:

         readOnly
            The attribute SHALL NOT be modified.

         readWrite
            The attribute MAY be updated and read at any time. This is the default value.

         immutable
            The attribute MAY be defined at resource creation (e.g., POST) or at record replacement via request (e.g., a PUT). The attribute SHALL NOT be updated.

         writeOnly
            The attribute MAY be updated at any time. Attribute values SHALL NOT be returned (e.g., because the value is a stored hash). Note: an attribute with mutability of "writeOnly" usually also has a returned setting of "never".

      returned
         A single keyword that indicates when an attribute and associated values are returned in response to a GET request or in response to a PUT, POST, or PATCH request. Valid keywords are:

         always
            The attribute is always returned, regardless of the contents of the "attributes" parameter. For example, "id" is always returned to identify a SCIM resource.

         never
            The attribute is never returned. This may occur because the original attribute value is not retained by the service provider (e.g., such as with a hashed value). A service provider MAY allow attributes to be used in a search filter.
1396 default The attribute is returned by default in all SCIM 1397 operation responses where attribute values are returned. If 1398 the GET request "attributes" parameter is specified, 1399 attribute values are only returned if the attribute is named 1400 in the attributes parameter. DEFAULT. 1402 request The attribute is returned in response to any PUT, 1403 POST, or PATCH operations if the attribute was specified by 1404 the client (for example, the attribute was modified). The 1405 attribute is returned in a SCIM query operation only if 1406 specified in the "attributes" parameter. 1408 uniqueness A single keyword value that specifies how the service 1409 provider enforces uniqueness of attribute values. A server MAY 1410 reject an invalid value based on uniqueness by returning HTTP 1411 Response code 400 (Bad Request). A client MAY enforce 1412 uniqueness on the client-side to a greater degree than the 1413 service provider enforces. For example, a client could make a 1414 value unique while the server has uniqueness of "none". Valid 1415 keywords are: 1417 none The values are not intended to be unique in any way. 1418 DEFAULT. 1420 server The value SHOULD be unique within the context of the 1421 current SCIM endpoint (or tenancy) and MAY be globally 1422 unique (e.g., a "username", email address, or other server 1423 generated key or counter). No two resources on the same 1424 server SHOULD possess the same value. 1426 global The value SHOULD be globally unique (e.g., an email 1427 address, a GUID, or other value). No two resources on any 1428 server SHOULD possess the same value. 1430 referenceTypes A multi-valued array of JSON strings that indicate 1431 the SCIM resource types that may be referenced. 
         Valid values are:

         +  A SCIM resource type (e.g., "User" or "Group"),

         +  "external" - indicating the resource is an external resource
            (e.g., such as a photo), or

         +  "uri" - indicating that the reference is to a service
            endpoint or an identifier (e.g., such as a schema URN).

         This attribute is only applicable for attributes that are of
         type "reference" (Section 2.3.7).

8.  JSON Representation

8.1.  Minimal User Representation

   The following is a non-normative example of the minimal required SCIM
   representation in JSON format.

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "userName": "bjensen@example.com",
     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff590\"",
       "location":
        "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
     }
   }

             Figure 3: Example Minimal User JSON Representation

8.2.  Full User Representation

   The following is a non-normative example of the fully populated SCIM
   representation in JSON format.  Note that the "password" value shown
   here can only come from a client: the attribute has mutability
   "writeOnly" and returned "never" (Section 8.7.1), so a service
   provider never includes it in a response.

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "externalId": "701984",
     "userName": "bjensen@example.com",
     "name": {
       "formatted": "Ms. Barbara J Jensen III",
       "familyName": "Jensen",
       "givenName": "Barbara",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     "displayName": "Babs Jensen",
     "nickName": "Babs",
     "profileUrl": "https://login.example.com/bjensen",
     "emails": [
       {
         "value": "bjensen@example.com",
         "type": "work",
         "primary": true
       },
       {
         "value": "babs@jensen.org",
         "type": "home"
       }
     ],
     "addresses": [
       {
         "type": "work",
         "streetAddress": "100 Universal City Plaza",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
         "primary": true
       },
       {
         "type": "home",
         "streetAddress": "456 Hollywood Blvd",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA"
       }
     ],
     "phoneNumbers": [
       {
         "value": "555-555-5555",
         "type": "work"
       },
       {
         "value": "555-555-4444",
         "type": "mobile"
       }
     ],
     "ims": [
       {
         "value": "someaimhandle",
         "type": "aim"
       }
     ],
     "photos": [
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/F",
         "type": "photo"
       },
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/T",
         "type": "thumbnail"
       }
     ],
     "userType": "Employee",
     "title": "Tour Guide",
     "preferredLanguage": "en-US",
     "locale": "en-US",
     "timezone": "America/Los_Angeles",
     "active": true,
     "password": "t1meMa$heen",
     "groups": [
       {
         "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
         "$ref":
           "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
         "display": "Tour Guides"
       },
       {
         "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "$ref":
           "https://example.com/v2/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "display": "Employees"
       },
       {
         "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
         "$ref":
           "https://example.com/v2/Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
         "display": "US Employees"
       }
     ],
     "x509Certificates": [
       {
         "value":
          "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
           EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
           VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
           MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
           eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
           IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
           AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
           1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
           PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
           zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
           DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
           SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
           HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
           Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
           dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
           Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
           C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
           +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo="
       }
     ],
     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location":
        "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
     }
   }

              Figure 4: Example Full User JSON Representation

8.3.  Enterprise User Extension Representation

   The following is a non-normative example of the fully populated User
   using the enterprise User extension in JSON format.

   {
     "schemas":
       ["urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "externalId": "701984",
     "userName": "bjensen@example.com",
     "name": {
       "formatted": "Ms. Barbara J Jensen III",
       "familyName": "Jensen",
       "givenName": "Barbara",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     "displayName": "Babs Jensen",
     "nickName": "Babs",
     "profileUrl": "https://login.example.com/bjensen",
     "emails": [
       {
         "value": "bjensen@example.com",
         "type": "work",
         "primary": true
       },
       {
         "value": "babs@jensen.org",
         "type": "home"
       }
     ],
     "addresses": [
       {
         "streetAddress": "100 Universal City Plaza",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
         "type": "work",
         "primary": true
       },
       {
         "streetAddress": "456 Hollywood Blvd",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA",
         "type": "home"
       }
     ],
     "phoneNumbers": [
       {
         "value": "555-555-5555",
         "type": "work"
       },
       {
         "value": "555-555-4444",
         "type": "mobile"
       }
     ],
     "ims": [
       {
         "value": "someaimhandle",
         "type": "aim"
       }
     ],
     "photos": [
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/F",
         "type": "photo"
       },
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/T",
         "type": "thumbnail"
       }
     ],
     "userType": "Employee",
     "title": "Tour Guide",
     "preferredLanguage": "en-US",
     "locale": "en-US",
     "timezone": "America/Los_Angeles",
     "active": true,
     "password": "t1meMa$heen",
     "groups": [
       {
         "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
         "$ref": "../Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
         "display": "Tour Guides"
       },
       {
         "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "$ref": "../Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "display": "Employees"
       },
       {
         "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
         "$ref": "../Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
         "display": "US Employees"
       }
     ],
     "x509Certificates": [
       {
         "value":
          "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
           EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
           VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
           MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
           eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
           IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
           AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
           1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
           PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
           zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
           DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
           SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
           HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
           Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
           dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
           Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
           C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
           +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo="
       }
     ],
     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
       "employeeNumber": "701984",
       "costCenter": "4130",
       "organization": "Universal Studios",
       "division": "Theme Park",
       "department": "Tour Operations",
       "manager": {
         "value": "26118915-6090-4610-87e4-49d8ca9f808d",
         "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d",
         "displayName": "John Smith"
       }
     },
     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff591\"",
       "location":
        "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
     }
   }

            Figure 5: Example Enterprise User JSON Representation

8.4.  Group Representation

   The following is a non-normative example of a SCIM Group
   representation in JSON format.

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
     "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
     "displayName": "Tour Guides",
     "members": [
       {
         "value": "2819c223-7f76-453a-919d-413861904646",
         "$ref":
           "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
         "display": "Babs Jensen"
       },
       {
         "value": "902c246b-6245-4190-8e05-00816be7344a",
         "$ref":
           "https://example.com/v2/Users/902c246b-6245-4190-8e05-00816be7344a",
         "display": "Mandy Pepperidge"
       }
     ],
     "meta": {
       "resourceType": "Group",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff592\"",
       "location":
        "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a"
     }
   }

               Figure 6: Example Group JSON Representation

8.5.  Service Provider Configuration Representation

   The following is a non-normative example of the SCIM service provider
   configuration representation in JSON format.
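   Before the service provider configuration example, an added
   illustration that is not code from this draft or from any SCIM
   implementation: the Python below shows the attribute characteristics
   of Section 7 enforced by a minimal service provider against resources
   shaped like Figures 3 and 4.  A readOnly value that a client sends
   (such as "id" or "groups") is discarded rather than honoured; a
   writeOnly/never attribute ("password") is stored but never rendered,
   even when the client names it in an "attributes" parameter; a
   non-caseExact attribute with uniqueness "server" ("userName")
   rejects a duplicate that differs only in case; and an immutable value
   cannot be changed by a PUT once set.  The schema dictionary is a
   constructed subset of the User schema in Section 8.7.1; the
   characteristics given for the common attribute "id" are assumed
   rather than quoted from this excerpt, the attribute
   "exampleImmutableKey" is hypothetical (it is not a core attribute and
   exists only to exercise the "immutable" rule), and the error body
   shape with its "uniqueness" and "mutability" scimType labels follows
   the SCIM protocol specification [I-D.ietf-scim-api].  Figure 7, the
   draft's own service provider configuration example, continues after
   this block.

```python
"""Schema-driven enforcement of the attribute characteristics in Section 7.

Added illustration, not code from the draft or from any SCIM product.  A
cut-down copy of the User schema from Section 8.7.1 drives four checks:
readOnly/immutable handling on writes, "returned" when building a
response, caseExact when comparing values, and server-side uniqueness.
"""
from __future__ import annotations

import uuid

# Constructed subset of the core User schema (Section 8.7.1).  "id" is a
# common attribute; its characteristics below are assumed, not quoted.
# "exampleImmutableKey" is hypothetical and only exercises "immutable".
USER_SCHEMA = {
    "id": "urn:ietf:params:scim:schemas:core:2.0:User",
    "attributes": [
        {"name": "id", "type": "string", "caseExact": True,
         "mutability": "readOnly", "returned": "always", "uniqueness": "server"},
        {"name": "userName", "type": "string", "caseExact": False,
         "mutability": "readWrite", "returned": "default", "uniqueness": "server"},
        {"name": "password", "type": "string", "caseExact": False,
         "mutability": "writeOnly", "returned": "never", "uniqueness": "none"},
        {"name": "groups", "type": "complex", "multiValued": True,
         "mutability": "readOnly", "returned": "default"},
        {"name": "exampleImmutableKey", "type": "string", "caseExact": True,
         "mutability": "immutable", "returned": "default", "uniqueness": "none"},
    ],
}

ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def _attrs(schema: dict) -> dict[str, dict]:
    return {a["name"]: a for a in schema["attributes"]}


def _error(status: int, scim_type: str, detail: str) -> tuple[int, dict]:
    """Error body in the shape used by the SCIM protocol specification."""
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status),
                    "scimType": scim_type, "detail": detail}


def values_match(spec: dict, a: str, b: str) -> bool:
    """Compare two string values honouring the attribute's caseExact flag."""
    return a == b if spec.get("caseExact", False) else a.casefold() == b.casefold()


def apply_mutability(schema: dict, payload: dict, existing: dict | None) -> tuple[dict, str | None]:
    """Drop readOnly values the client sent; detect an immutable change.

    Returns (cleaned payload, name of the immutable attribute the client
    tried to change on replace, or None).  Unknown attributes pass through.
    """
    attrs, cleaned = _attrs(schema), {}
    for name, value in payload.items():
        mut = attrs.get(name, {}).get("mutability", "readWrite")
        if mut == "readOnly":
            continue                         # server-owned; client input ignored
        if mut == "immutable" and existing and name in existing and existing[name] != value:
            return cleaned, name
        cleaned[name] = value
    return cleaned, None


def render(schema: dict, resource: dict, requested: set[str] | None = None) -> dict:
    """Apply "returned" when building a response body.

    never   -> omitted whatever the client asks for (e.g. password)
    always  -> present even when an "attributes" parameter is given (e.g. id)
    default -> present unless an "attributes" parameter names other attributes
    request -> only when named in the "attributes" parameter (the
               write-response case described in Section 7 is not modelled)
    """
    attrs, out = _attrs(schema), {}
    for name, value in resource.items():
        ret = "always" if name == "schemas" else attrs.get(name, {}).get("returned", "default")
        if ret == "never":
            continue
        if ret == "always" or (requested is None and ret == "default") or (requested is not None and name in requested):
            out[name] = value
    return out


def uniqueness_conflict(schema: dict, candidate: dict, others: list[dict]) -> str | None:
    """Name of the first attribute whose value collides with another resource."""
    for name, spec in _attrs(schema).items():
        if spec.get("uniqueness", "none") == "none" or name not in candidate:
            continue
        if any(name in o and values_match(spec, o[name], candidate[name]) for o in others):
            return name
    return None


def handle_create(schema: dict, payload: dict, store: list[dict]) -> tuple[int, dict]:
    """POST: ignore readOnly input, assign the id, enforce uniqueness, hide secrets."""
    cleaned, _ = apply_mutability(schema, payload, existing=None)
    clash = uniqueness_conflict(schema, cleaned, store)
    if clash:
        return _error(400, "uniqueness", f"{clash} is already in use")
    resource = dict(cleaned, id=str(uuid.uuid4()))   # server-assigned identifier
    store.append(resource)
    return 201, render(schema, resource)


def handle_replace(schema: dict, payload: dict, existing: dict, store: list[dict]) -> tuple[int, dict]:
    """PUT: as create, but an immutable value may not change once set.

    Simplified: attributes the client omits are left as they were.
    """
    cleaned, immutable = apply_mutability(schema, payload, existing)
    if immutable:
        return _error(400, "mutability", f"{immutable} may not be changed")
    clash = uniqueness_conflict(schema, cleaned, [r for r in store if r is not existing])
    if clash:
        return _error(400, "uniqueness", f"{clash} is already in use")
    existing.update(cleaned)
    return 200, render(schema, existing)
```

   The 400 status for a uniqueness violation is the one this section
   permits; the companion protocol specification also allows other
   codes, so a client should key off "scimType" rather than the status
   alone.  Note that "returned": "never" is enforced in render() and
   nowhere else, which is why the stored "password" survives in the
   server's copy but can never reach a response body.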
   {
     "schemas": [
       "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
     ],
     "documentationUrl": "http://example.com/help/scim.html",
     "patch": {
       "supported": true
     },
     "bulk": {
       "supported": true,
       "maxOperations": 1000,
       "maxPayloadSize": 1048576
     },
     "filter": {
       "supported": true,
       "maxResults": 200
     },
     "changePassword": {
       "supported": true
     },
     "sort": {
       "supported": true
     },
     "etag": {
       "supported": true
     },
     "authenticationSchemes": [
       {
         "name": "OAuth Bearer Token",
         "description":
           "Authentication Scheme using the OAuth Bearer Token Standard",
         "specUrl":
           "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
         "documentationUrl": "http://example.com/help/oauth.html",
         "type": "oauthbearertoken",
         "primary": true
       },
       {
         "name": "HTTP Basic",
         "description":
           "Authentication Scheme using the Http Basic Standard",
         "specUrl": "http://www.ietf.org/rfc/rfc2617.txt",
         "documentationUrl": "http://example.com/help/httpBasic.html",
         "type": "httpbasic"
       }
     ],
     "meta": {
       "location": "https://example.com/v2/ServiceProviderConfig",
       "resourceType": "ServiceProviderConfig",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff594\""
     }
   }

        Figure 7: Example Service Provider Config JSON Representation

8.6.  Resource Type Representation

   The following is a non-normative example of the SCIM resource types
   in JSON format.
   [{
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
     "id": "User",
     "name": "User",
     "endpoint": "/Users",
     "description": "User Account",
     "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
     "schemaExtensions": [
       {
         "schema":
           "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
         "required": true
       }
     ],
     "meta": {
       "location": "https://example.com/v2/ResourceTypes/User",
       "resourceType": "ResourceType"
     }
   },
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
     "id": "Group",
     "name": "Group",
     "endpoint": "/Groups",
     "description": "Group",
     "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
     "meta": {
       "location": "https://example.com/v2/ResourceTypes/Group",
       "resourceType": "ResourceType"
     }
   }]

            Figure 8: Example Resource Type JSON Representation

8.7.  Schema Representation

   The following sections provide representations of schemas for both
   SCIM resources and service provider schemas.  Note that the JSON
   representation has been modified for readability and to fit the
   specification format.

8.7.1.  Resource Schema Representation

   The following is intended as an example of the SCIM Schema
   representation in JSON format for SCIM resources.  Where permitted,
   individual values and schema MAY change.  Included, but not limited
   to, are schemas for User, Group, and enterprise user.

   [
     {
       "id" : "urn:ietf:params:scim:schemas:core:2.0:User",
       "name" : "User",
       "description" : "User Account",
       "attributes" : [
         {
           "name" : "userName",
           "type" : "string",
           "multiValued" : false,
           "description" : "Unique identifier for the User, typically
   used by the user to directly authenticate to the service provider.
   Each User MUST include a non-empty userName value.  This identifier
   MUST be unique across the service provider's entire set of Users.
   REQUIRED.",
           "required" : true,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "server"
         },
         {
           "name" : "name",
           "type" : "complex",
           "multiValued" : false,
           "description" : "The components of the user's real name.
   Providers MAY return just the full name as a single string in the
   formatted sub-attribute, or they MAY return just the individual
   component attributes using the other sub-attributes, or they MAY
   return both.  If both variants are returned, they SHOULD be
   describing the same name, with the formatted name indicating how the
   component attributes should be combined.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "formatted",
               "type" : "string",
               "multiValued" : false,
               "description" : "The full name, including all middle
   names, titles, and suffixes as appropriate, formatted for display
   (e.g., Ms. Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "familyName",
               "type" : "string",
               "multiValued" : false,
               "description" : "The family name of the User, or Last
   Name in most Western languages (e.g., Jensen given the full name Ms.
   Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "givenName",
               "type" : "string",
               "multiValued" : false,
               "description" : "The given name of the User, or First
   Name in most Western languages (e.g., Barbara given the full name
   Ms. Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "middleName",
               "type" : "string",
               "multiValued" : false,
               "description" : "The middle name(s) of the User (e.g.,
   Robert given the full name Ms. Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "honorificPrefix",
               "type" : "string",
               "multiValued" : false,
               "description" : "The honorific prefix(es) of the User, or
   Title in most Western languages (e.g., Ms. given the full name Ms.
   Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "honorificSuffix",
               "type" : "string",
               "multiValued" : false,
               "description" : "The honorific suffix(es) of the User, or
   Suffix in most Western languages (e.g., III. given the full name Ms.
   Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "displayName",
           "type" : "string",
           "multiValued" : false,
           "description" : "The name of the User, suitable for display
   to end-users.  The name SHOULD be the full name of the User being
   described, if known.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "nickName",
           "type" : "string",
           "multiValued" : false,
           "description" : "The casual way to address the user in real
   life, e.g., 'Bob' or 'Bobby' instead of 'Robert'.  This attribute
   SHOULD NOT be used to represent a User's username (e.g., bjensen or
   mpepperidge).",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "profileUrl",
           "type" : "reference",
           "referenceTypes" : ["external"],
           "multiValued" : false,
           "description" : "A fully qualified URL to a page representing
   the User's online profile.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "title",
           "type" : "string",
           "multiValued" : false,
           "description" : "The user's title, such as \"Vice President.\"",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "userType",
           "type" : "string",
           "multiValued" : false,
           "description" : "Used to identify the organization to user
   relationship.  Typical values used might be 'Contractor',
   'Employee', 'Intern', 'Temp', 'External', and 'Unknown', but any
   value may be used.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "preferredLanguage",
           "type" : "string",
           "multiValued" : false,
           "description" : "Indicates the User's preferred written or
   spoken language.  Generally used for selecting a localized User
   interface.  e.g., 'en_US' specifies the language English and country
   US.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "locale",
           "type" : "string",
           "multiValued" : false,
           "description" : "Used to indicate the User's default location
   for purposes of localizing items such as currency, date time format,
   numerical representations, etc.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "timezone",
           "type" : "string",
           "multiValued" : false,
           "description" : "The User's time zone in the 'Olson' timezone
   database format; e.g., 'America/Los_Angeles'.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "active",
           "type" : "boolean",
           "multiValued" : false,
           "description" : "A Boolean value indicating the User's
   administrative status.",
           "required" : false,
           "mutability" : "readWrite",
           "returned" : "default"
         },
         {
           "name" : "password",
           "type" : "string",
           "multiValued" : false,
           "description" : "The User's clear text password.  This
   attribute is intended to be used as a means to specify an initial
   password when creating a new User or to reset an existing User's
   password.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "writeOnly",
           "returned" : "never",
           "uniqueness" : "none"
         },
         {
           "name" : "emails",
           "type" : "complex",
           "multiValued" : true,
           "description" : "E-mail addresses for the user.  The value
   SHOULD be canonicalized by the Service Provider, e.g.,
   bjensen@example.com instead of bjensen@EXAMPLE.COM.  Canonical Type
   values of work, home, and other.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "E-mail addresses for the user.  The
   value SHOULD be canonicalized by the Service Provider, e.g.,
   bjensen@example.com instead of bjensen@EXAMPLE.COM.  Canonical Type
   values of work, home, and other.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used
   for display purposes.  READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'work' or 'home'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "work",
                 "home",
                 "other"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary'
   or preferred attribute value for this attribute, e.g., the preferred
   mailing address or primary e-mail address.  The primary attribute
   value 'true' MUST appear no more than once.",
               "required" : false,
               "mutability" : "readWrite",
               "returned" : "default"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "phoneNumbers",
           "type" : "complex",
           "multiValued" : true,
           "description" : "Phone numbers for the User.  The value
   SHOULD be canonicalized by the Service Provider according to the
   format in RFC 3966, e.g., 'tel:+1-201-555-0123'.  Canonical Type
   values of work, home, mobile, fax, pager, and other.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "Phone number of the User.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used
   for display purposes.  READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'work', 'home' or 'mobile'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "work",
                 "home",
                 "mobile",
                 "fax",
                 "pager",
                 "other"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary'
   or preferred attribute value for this attribute, e.g., the preferred
   phone number or primary phone number.  The primary attribute value
   'true' MUST appear no more than once.",
               "required" : false,
               "mutability" : "readWrite",
               "returned" : "default"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default"
         },
         {
           "name" : "ims",
           "type" : "complex",
           "multiValued" : true,
           "description" : "Instant messaging addresses for the User.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "Instant messaging address for the User.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used
   for display purposes.  READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'aim', 'gtalk' or 'xmpp'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "aim",
                 "gtalk",
                 "icq",
                 "xmpp",
                 "msn",
                 "skype",
                 "qq",
                 "yahoo"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary'
   or preferred attribute value for this attribute, e.g., the preferred
   messenger or primary messenger.  The primary attribute value 'true'
   MUST appear no more than once.",
               "required" : false,
               "mutability" : "readWrite",
               "returned" : "default"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default"
         },
         {
           "name" : "photos",
           "type" : "complex",
           "multiValued" : true,
           "description" : "URLs of photos of the User.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "reference",
               "referenceTypes" : ["external"],
               "multiValued" : false,
               "description" : "URL of a photo of the User.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used
   for display purposes.  READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'photo' or 'thumbnail'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "photo",
                 "thumbnail"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary'
   or preferred attribute value for this attribute, e.g., the preferred
   photo or thumbnail.  The primary attribute value 'true' MUST appear
   no more than once.",
               "required" : false,
               "mutability" : "readWrite",
               "returned" : "default"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default"
         },
         {
           "name" : "addresses",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A physical mailing address for this User.
   Canonical Type values of work, home, and other.  The value attribute
   is a complex type with the following sub-attributes.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "formatted",
               "type" : "string",
               "multiValued" : false,
               "description" : "The full mailing address, formatted for
   display or use with a mailing label.  This attribute MAY contain
   newlines.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "streetAddress",
               "type" : "string",
               "multiValued" : false,
               "description" : "The full street address component, which
   may include house number, street name, PO BOX, and multi-line
   extended street address information.  This attribute MAY contain
   newlines.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "locality",
               "type" : "string",
               "multiValued" : false,
               "description" : "The city or locality component.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "region",
               "type" : "string",
               "multiValued" : false,
               "description" : "The state or region component.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "postalCode",
               "type" : "string",
               "multiValued" : false,
               "description" : "The zipcode or postal code component.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "country",
               "type" : "string",
               "multiValued" : false,
               "description" : "The country name component.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'work' or 'home'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "work",
                 "home",
                 "other"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "groups",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A list of groups that the user belongs to,
   either through direct membership, nested groups, or dynamically
   calculated.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "The identifier of the User's group.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readOnly",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "$ref",
               "type" : "reference",
               "referenceTypes" : [
                 "User",
                 "Group"
               ],
               "multiValued" : false,
               "description" : "The URI of the corresponding Group
   resource to which the user belongs.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readOnly",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used
   for display purposes.  READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readOnly",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'direct' or 'indirect'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "direct",
                 "indirect"
               ],
               "mutability" : "readOnly",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readOnly",
           "returned" : "default"
         },
         {
           "name" : "entitlements",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A list of entitlements for the User that
   represent a thing the User has.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "The value of an entitlement.",
2619 "required" : false, 2620 "caseExact" : false, 2621 "mutability" : "readWrite", 2622 "returned" : "default", 2623 "uniqueness" : "none" 2624 }, 2625 { 2626 "name" : "display", 2627 "type" : "string", 2628 "multiValued" : false, 2629 "description" : "A human readable name, primarily used 2630 for display purposes. READ-ONLY.", 2631 "required" : false, 2632 "caseExact" : false, 2633 "mutability" : "readWrite", 2634 "returned" : "default", 2635 "uniqueness" : "none" 2636 }, 2637 { 2638 "name" : "type", 2639 "type" : "string", 2640 "multiValued" : false, 2641 "description" : "A label indicating the attribute's 2642 function.", 2643 "required" : false, 2644 "caseExact" : false, 2645 "mutability" : "readWrite", 2646 "returned" : "default", 2647 "uniqueness" : "none" 2648 }, 2649 { 2650 "name" : "primary", 2651 "type" : "boolean", 2652 "multiValued" : false, 2653 "description" : "A Boolean value indicating the 'primary' or 2654 preferred attribute value for this attribute. The primary attribute 2655 value 'true' MUST appear no more than once.", 2656 "required" : false, 2657 "mutability" : "readWrite", 2658 "returned" : "default" 2659 } 2660 ], 2661 "mutability" : "readWrite", 2662 "returned" : "default" 2663 }, 2664 { 2665 "name" : "roles", 2666 "type" : "complex", 2667 "multiValued" : true, 2668 "description" : "A list of roles for the User that collectively 2669 represent who the User is; e.g., 'Student', 'Faculty'.", 2670 "required" : false, 2671 "subAttributes" : [ 2672 { 2673 "name" : "value", 2674 "type" : "string", 2675 "multiValued" : false, 2676 "description" : "The value of a role.", 2677 "required" : false, 2678 "caseExact" : false, 2679 "mutability" : "readWrite", 2680 "returned" : "default", 2681 "uniqueness" : "none" 2682 }, 2683 { 2684 "name" : "display", 2685 "type" : "string", 2686 "multiValued" : false, 2687 "description" : "A human readable name, primarily used for 2688 display purposes. 
READ-ONLY.", 2689 "required" : false, 2690 "caseExact" : false, 2691 "mutability" : "readWrite", 2692 "returned" : "default", 2693 "uniqueness" : "none" 2694 }, 2695 { 2696 "name" : "type", 2697 "type" : "string", 2698 "multiValued" : false, 2699 "description" : "A label indicating the attribute's 2700 function.", 2701 "required" : false, 2702 "caseExact" : false, 2703 "canonicalValues" : [], 2704 "mutability" : "readWrite", 2705 "returned" : "default", 2706 "uniqueness" : "none" 2707 }, 2708 { 2709 "name" : "primary", 2710 "type" : "boolean", 2711 "multiValued" : false, 2712 "description" : "A Boolean value indicating the 'primary' or 2713 preferred attribute value for this attribute. The primary attribute 2714 value 'true' MUST appear no more than once.", 2715 "required" : false, 2716 "mutability" : "readWrite", 2717 "returned" : "default" 2718 } 2719 ], 2720 "mutability" : "readWrite", 2721 "returned" : "default" 2722 }, 2723 { 2724 "name" : "x509Certificates", 2725 "type" : "complex", 2726 "multiValued" : true, 2727 "description" : "A list of certificates issued to the User.", 2728 "required" : false, 2729 "caseExact" : false, 2730 "subAttributes" : [ 2731 { 2732 "name" : "value", 2733 "type" : "binary", 2734 "multiValued" : false, 2735 "description" : "The value of a X509 certificate.", 2736 "required" : false, 2737 "caseExact" : false, 2738 "mutability" : "readWrite", 2739 "returned" : "default", 2740 "uniqueness" : "none" 2741 }, 2742 { 2743 "name" : "display", 2744 "type" : "string", 2745 "multiValued" : false, 2746 "description" : "A human readable name, primarily used 2747 for display purposes. 
READ-ONLY.", 2748 "required" : false, 2749 "caseExact" : false, 2750 "mutability" : "readWrite", 2751 "returned" : "default", 2752 "uniqueness" : "none" 2753 }, 2754 { 2755 "name" : "type", 2756 "type" : "string", 2757 "multiValued" : false, 2758 "description" : "A label indicating the attribute's 2759 function.", 2760 "required" : false, 2761 "caseExact" : false, 2762 "canonicalValues" : [], 2763 "mutability" : "readWrite", 2764 "returned" : "default", 2765 "uniqueness" : "none" 2766 }, 2767 { 2768 "name" : "primary", 2769 "type" : "boolean", 2770 "multiValued" : false, 2771 "description" : "A Boolean value indicating the 'primary' or 2772 preferred attribute value for this attribute. The primary attribute 2773 value 'true' MUST appear no more than once.", 2774 "required" : false, 2775 "mutability" : "readWrite", 2776 "returned" : "default" 2777 } 2778 ], 2779 "mutability" : "readWrite", 2780 "returned" : "default" 2782 } 2783 ], 2784 "meta" : { 2785 "resourceType" : "Schema", 2786 "location" : 2787 "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User" 2788 } 2789 }, 2790 { 2791 "id" : "urn:ietf:params:scim:schemas:core:2.0:Group", 2792 "name" : "Group", 2793 "description" : "Group", 2794 "attributes" : [ 2795 { 2796 "name" : "displayName", 2797 "type" : "string", 2798 "multiValued" : false, 2799 "description" : "Human readable name for the Group. 
REQUIRED.", 2800 "required" : false, 2801 "caseExact" : false, 2802 "mutability" : "readWrite", 2803 "returned" : "default", 2804 "uniqueness" : "none" 2805 }, 2806 { 2807 "name" : "members", 2808 "type" : "complex", 2809 "multiValued" : true, 2810 "description" : "A list of members of the Group.", 2811 "required" : false, 2812 "subAttributes" : [ 2813 { 2814 "name" : "value", 2815 "type" : "string", 2816 "multiValued" : false, 2817 "description" : "Identifier of the member of this Group.", 2818 "required" : false, 2819 "caseExact" : false, 2820 "mutability" : "immutable", 2821 "returned" : "default", 2822 "uniqueness" : "none" 2823 }, 2824 { 2825 "name" : "$ref", 2826 "type" : "reference", 2827 "referenceTypes" : [ 2828 "User", 2829 "Group" 2831 ], 2832 "multiValued" : false, 2833 "description" : "The URI of the corresponding to the member 2834 resource of this Group.", 2835 "required" : false, 2836 "caseExact" : false, 2837 "mutability" : "immutable", 2838 "returned" : "default", 2839 "uniqueness" : "none" 2840 }, 2841 { 2842 "name" : "type", 2843 "type" : "string", 2844 "multiValued" : false, 2845 "description" : "A label indicating the type of resource; 2846 e.g., 'User' or 'Group'.", 2847 "required" : false, 2848 "caseExact" : false, 2849 "canonicalValues" : [ 2850 "User", 2851 "Group" 2852 ], 2853 "mutability" : "immutable", 2854 "returned" : "default", 2855 "uniqueness" : "none" 2856 } 2857 ], 2858 "mutability" : "readWrite", 2859 "returned" : "default" 2860 } 2861 ], 2862 "meta" : { 2863 "resourceType" : "Schema", 2864 "location" : 2865 "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group" 2866 } 2867 }, 2868 { 2869 "id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", 2870 "name" : "EnterpriseUser", 2871 "description" : "Enterprise User", 2872 "attributes" : [ 2873 { 2874 "name" : "employeeNumber", 2875 "type" : "string", 2876 "multiValued" : false, 2877 "description" : "Numeric or alphanumeric identifier assigned to 2878 a person, 
typically based on order of hire or association with an 2879 organization.", 2880 "required" : false, 2881 "caseExact" : false, 2882 "mutability" : "readWrite", 2883 "returned" : "default", 2884 "uniqueness" : "none" 2885 }, 2886 { 2887 "name" : "costCenter", 2888 "type" : "string", 2889 "multiValued" : false, 2890 "description" : "Identifies the name of a cost center.", 2891 "required" : false, 2892 "caseExact" : false, 2893 "mutability" : "readWrite", 2894 "returned" : "default", 2895 "uniqueness" : "none" 2896 }, 2897 { 2898 "name" : "organization", 2899 "type" : "string", 2900 "multiValued" : false, 2901 "description" : "Identifies the name of an organization.", 2902 "required" : false, 2903 "caseExact" : false, 2904 "mutability" : "readWrite", 2905 "returned" : "default", 2906 "uniqueness" : "none" 2907 }, 2908 { 2909 "name" : "division", 2910 "type" : "string", 2911 "multiValued" : false, 2912 "description" : "Identifies the name of a division.", 2913 "required" : false, 2914 "caseExact" : false, 2915 "mutability" : "readWrite", 2916 "returned" : "default", 2917 "uniqueness" : "none" 2918 }, 2919 { 2920 "name" : "department", 2921 "type" : "string", 2922 "multiValued" : false, 2923 "description" : "Identifies the name of a department.", 2924 "required" : false, 2925 "caseExact" : false, 2926 "mutability" : "readWrite", 2927 "returned" : "default", 2928 "uniqueness" : "none" 2929 }, 2930 { 2931 "name" : "manager", 2932 "type" : "complex", 2933 "multiValued" : false, 2934 "description" : "The User's manager. A complex type that 2935 optionally allows Service Providers to represent organizational 2936 hierarchy by referencing the 'id' attribute of another User.", 2937 "required" : false, 2938 "subAttributes" : [ 2939 { 2940 "name" : "value", 2941 "type" : "string", 2942 "multiValued" : false, 2943 "description" : "The id of the SCIM resource representing 2944 the User's manager. 
REQUIRED.", 2945 "required" : false, 2946 "caseExact" : false, 2947 "mutability" : "readWrite", 2948 "returned" : "default", 2949 "uniqueness" : "none" 2950 }, 2951 { 2952 "name" : "$ref", 2953 "type" : "reference", 2954 "referenceTypes" : [ 2955 "User" 2956 ], 2957 "multiValued" : false, 2958 "description" : "The URI of the SCIM resource representing 2959 the User's manager. REQUIRED.", 2960 "required" : false, 2961 "caseExact" : false, 2962 "mutability" : "readWrite", 2963 "returned" : "default", 2964 "uniqueness" : "none" 2965 }, 2966 { 2967 "name" : "displayName", 2968 "type" : "string", 2969 "multiValued" : false, 2970 "description" : "The displayName of the User's manager. 2971 OPTIONAL and READ-ONLY.", 2972 "required" : false, 2973 "caseExact" : false, 2974 "mutability" : "readOnly", 2975 "returned" : "default", 2976 "uniqueness" : "none" 2977 } 2978 ], 2979 "mutability" : "readWrite", 2980 "returned" : "default" 2981 } 2982 ], 2983 "meta" : { 2984 "resourceType" : "Schema", 2985 "location" : 2986 "/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" 2987 } 2988 } 2989 ] 2991 Figure 9: Example JSON Representation for Resource Schema 2993 8.7.2. Service Provider Schema Representation 2995 The following is a representation of the SCIM Schema for the fixed 2996 service provider schemas: ServiceProviderConfig, ResourceType, and 2997 Schema. 
2999 [ 3000 { 3001 "id" : 3002 "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig", 3003 "name" : "Service Provider Configuration", 3004 "description" : "Schema for representing the service provider's 3005 configuration", 3006 "attributes" : [ 3007 { 3008 "name" : "documentationUri", 3009 "type" : "reference", 3010 "referenceTypes" : ["external"], 3011 "multiValued" : false, 3012 "description" : "An HTTP addressable URL pointing to the service 3013 provider's human consumable help documentation.", 3014 "required" : false, 3015 "caseExact" : false, 3016 "mutability" : "readOnly", 3017 "returned" : "default", 3018 "uniqueness" : "none" 3019 }, 3020 { 3021 "name" : "patch", 3022 "type" : "complex", 3023 "multiValued" : false, 3024 "description" : "A complex type that specifies PATCH 3025 configuration options.", 3026 "required" : true, 3027 "returned" : "default", 3028 "mutability" : "readOnly", 3029 "subAttributes" : [ 3030 { 3031 "name" : "supported", 3032 "type" : "boolean", 3033 "multiValued" : false, 3034 "description" : "Boolean value specifying whether the 3035 operation is supported.", 3036 "required" : true, 3037 "mutability" : "readOnly", 3038 "returned" : "default" 3039 } 3040 ] 3041 }, 3042 { 3043 "name" : "bulk", 3044 "type" : "complex", 3045 "multiValued" : false, 3046 "description" : "A complex type that specifies BULK 3047 configuration options.", 3048 "required" : true, 3049 "returned" : "default", 3050 "mutability" : "readOnly", 3051 "subAttributes" : [ 3052 { 3053 "name" : "supported", 3054 "type" : "boolean", 3055 "multiValued" : false, 3056 "description" : "Boolean value specifying whether the 3057 operation is supported.", 3058 "required" : true, 3059 "mutability" : "readOnly", 3060 "returned" : "default" 3061 }, 3062 { 3063 "name" : "maxOperations", 3064 "type" : "integer", 3065 "multiValued" : false, 3066 "description" : "An integer value specifying the maximum 3067 number of operations.", 3068 "required" : true, 3069 "mutability" : 
"readOnly", 3070 "returned" : "default", 3071 "uniqueness" : "none" 3072 }, 3073 { 3074 "name" : "maxPayloadSize", 3075 "type" : "integer", 3076 "multiValued" : false, 3077 "description" : "An integer value specifying the maximum 3078 payload size in bytes.", 3079 "required" : true, 3080 "mutability" : "readOnly", 3081 "returned" : "default", 3082 "uniqueness" : "none" 3083 } 3084 ] 3085 }, 3086 { 3087 "name" : "filter", 3088 "type" : "complex", 3089 "multiValued" : false, 3090 "description" : "A complex type that specifies FILTER options.", 3091 "required" : true, 3092 "returned" : "default", 3093 "mutability" : "readOnly", 3094 "subAttributes" : [ 3095 { 3096 "name" : "supported", 3097 "type" : "boolean", 3098 "multiValued" : false, 3099 "description" : "Boolean value specifying whether the 3100 operation is supported.", 3101 "required" : true, 3102 "mutability" : "readOnly", 3103 "returned" : "default" 3104 }, 3105 { 3106 "name" : "maxResults", 3107 "type" : "integer", 3108 "multiValued" : false, 3109 "description" : "Integer value specifying the maximum number 3110 of resources returned in a response.", 3111 "required" : true, 3112 "mutability" : "readOnly", 3113 "returned" : "default", 3114 "uniqueness" : "none" 3115 } 3116 ] 3117 }, 3118 { 3119 "name" : "changePassword", 3120 "type" : "complex", 3121 "multiValued" : false, 3122 "description" : "A complex type that specifies change password 3123 options.", 3124 "required" : true, 3125 "returned" : "default", 3126 "mutability" : "readOnly", 3127 "subAttributes" : [ 3128 { 3129 "name" : "supported", 3130 "type" : "boolean", 3131 "multiValued" : false, 3132 "description" : "Boolean value specifying whether the 3133 operation is supported.", 3134 "required" : true, 3135 "mutability" : "readOnly", 3136 "returned" : "default" 3137 } 3138 ] 3139 }, 3140 { 3141 "name" : "sort", 3142 "type" : "complex", 3143 "multiValued" : false, 3144 "description" : "A complex type that specifies sort result 3145 options.", 3146 
"required" : true, 3147 "returned" : "default", 3148 "mutability" : "readOnly", 3149 "subAttributes" : [ 3150 { 3151 "name" : "supported", 3152 "type" : "boolean", 3153 "multiValued" : false, 3154 "description" : "Boolean value specifying whether the 3155 operation is supported.", 3156 "required" : true, 3157 "mutability" : "readOnly", 3158 "returned" : "default" 3159 } 3160 ] 3161 }, 3162 { 3163 "name" : "authenticationSchemes", 3164 "type" : "complex", 3165 "multiValued" : true, 3166 "description" : "A complex type that specifies supported 3167 Authentication Scheme properties.", 3168 "required" : true, 3169 "returned" : "default", 3170 "mutability" : "readOnly", 3171 "subAttributes" : [ 3172 { 3173 "name" : "name", 3174 "type" : "string", 3175 "multiValued" : false, 3176 "description" : "The common authentication scheme name; 3177 e.g., HTTP Basic.", 3178 "required" : true, 3179 "caseExact" : false, 3180 "mutability" : "readOnly", 3181 "returned" : "default", 3182 "uniqueness" : "none" 3183 }, 3184 { 3185 "name" : "description", 3186 "type" : "string", 3187 "multiValued" : false, 3188 "description" : "A description of the authentication 3189 scheme.", 3190 "required" : true, 3191 "caseExact" : false, 3192 "mutability" : "readOnly", 3193 "returned" : "default", 3194 "uniqueness" : "none" 3195 }, 3196 { 3197 "name" : "specUri", 3198 "type" : "reference", 3199 "referenceTypes" : ["external"], 3200 "multiValued" : false, 3201 "description" : "An HTTP addressable URL pointing to the 3202 Authentication Scheme's specification.", 3203 "required" : false, 3204 "caseExact" : false, 3205 "mutability" : "readOnly", 3206 "returned" : "default", 3207 "uniqueness" : "none" 3208 }, 3209 { 3210 "name" : "documentationUri", 3211 "type" : "reference", 3212 "referenceTypes" : ["external"], 3213 "multiValued" : false, 3214 "description" : "An HTTP addressable URL pointing to the 3215 Authentication Scheme's usage documentation.", 3216 "required" : false, 3217 "caseExact" : false, 
3218 "mutability" : "readOnly", 3219 "returned" : "default", 3220 "uniqueness" : "none" 3221 } 3222 ] 3223 } 3224 ] 3225 }, 3226 { 3227 "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType", 3228 "name" : "ResourceType", 3229 "description" : "Specifies the schema that describes a SCIM Resource 3230 Type", 3231 "attributes" : [ 3232 { 3233 "name" : "id", 3234 "type" : "string", 3235 "multiValued" : false, 3236 "description" : "The resource type's server unique id. May be 3237 the same as the 'name' attribute.", 3238 "required" : false, 3239 "caseExact" : false, 3240 "mutability" : "readOnly", 3241 "returned" : "default", 3242 "uniqueness" : "none" 3243 }, 3244 { 3245 "name" : "name", 3246 "type" : "string", 3247 "multiValued" : false, 3248 "description" : "The resource type name. When applicable service 3249 providers MUST specify the name specified in the core schema 3250 specification; e.g., User", 3251 "required" : true, 3252 "caseExact" : false, 3253 "mutability" : "readOnly", 3254 "returned" : "default", 3255 "uniqueness" : "none" 3256 }, 3257 { 3258 "name" : "description", 3259 "type" : "string", 3260 "multiValued" : false, 3261 "description" : "The resource type's human readable description. 
3262 When applicable service providers MUST specify the description 3263 specified in the core schema specification.", 3264 "required" : false, 3265 "caseExact" : false, 3266 "mutability" : "readOnly", 3267 "returned" : "default", 3268 "uniqueness" : "none" 3269 }, 3270 { 3271 "name" : "endpoint", 3272 "type" : "reference", 3273 "referenceTypes" : ["uri"], 3274 "multiValued" : false, 3275 "description" : "The resource type's HTTP addressable endpoint 3276 relative to the Base URL; e.g., /Users", 3277 "required" : true, 3278 "caseExact" : false, 3279 "mutability" : "readOnly", 3280 "returned" : "default", 3281 "uniqueness" : "none" 3282 }, 3283 { 3284 "name" : "schema", 3285 "type" : "reference", 3286 "referenceTypes" : ["uri"], 3287 "multiValued" : false, 3288 "description" : "The resource types primary/base schema URI", 3289 "required" : true, 3290 "caseExact" : true, 3291 "mutability" : "readOnly", 3292 "returned" : "default", 3293 "uniqueness" : "none" 3294 }, 3295 { 3296 "name" : "schemaExtensions", 3297 "type" : "complex", 3298 "multiValued" : false, 3299 "description" : "A list of URIs of the resource type's schema 3300 extensions", 3301 "required" : true, 3302 "mutability" : "readOnly", 3303 "returned" : "default", 3304 "subAttributes" : [ 3305 { 3306 "name" : "schema", 3307 "type" : "reference", 3308 "referenceTypes" : ["uri"], 3309 "multiValued" : false, 3310 "description" : "The URI of a schema extension.", 3311 "required" : true, 3312 "caseExact" : true, 3313 "mutability" : "readOnly", 3314 "returned" : "default", 3315 "uniqueness" : "none" 3316 }, 3317 { 3318 "name" : "required", 3319 "type" : "boolean", 3320 "multiValued" : false, 3321 "description" : "A Boolean value that specifies whether the 3322 schema extension is required for the resource type. If 3323 true, a resource of this type MUST include this schema 3324 extension and include any attributes declared as required 3325 in this schema extension. 
If false, a resource of this 3326 type MAY omit this schema extension.", 3327 "required" : true, 3328 "mutability" : "readOnly", 3329 "returned" : "default" 3330 } 3331 ] 3332 } 3333 ] 3334 }, 3335 { 3336 "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema", 3337 "name" : "Schema", 3338 "description" : "Specifies the schema that describes a SCIM Schema", 3339 "attributes" : [ 3340 { 3341 "name" : "id", 3342 "type" : "string", 3343 "multiValued" : false, 3344 "description" : "The unique URI of the schema. When applicable 3345 service providers MUST specify the URI specified in the core 3346 schema specification", 3347 "required" : true, 3348 "caseExact" : false, 3349 "mutability" : "readOnly", 3350 "returned" : "default", 3351 "uniqueness" : "none" 3352 }, 3353 { 3354 "name" : "name", 3355 "type" : "string", 3356 "multiValued" : false, 3357 "description" : "The schema's human readable name. When 3358 applicable service providers MUST specify the name specified 3359 in the core schema specification; e.g., User", 3360 "required" : true, 3361 "caseExact" : false, 3362 "mutability" : "readOnly", 3363 "returned" : "default", 3364 "uniqueness" : "none" 3365 }, 3366 { 3367 "name" : "description", 3368 "type" : "string", 3369 "multiValued" : false, 3370 "description" : "The schema's human readable name. 
When 3371 applicable service providers MUST specify the name specified 3372 in the core schema specification; e.g., User", 3373 "required" : false, 3374 "caseExact" : false, 3375 "mutability" : "readOnly", 3376 "returned" : "default", 3377 "uniqueness" : "none" 3378 }, 3379 { 3380 "name" : "attributes", 3381 "type" : "complex", 3382 "multiValued" : true, 3383 "description" : "A complex attribute that includes the 3384 attributes of a schema", 3385 "required" : true, 3386 "mutability" : "readOnly", 3387 "returned" : "default", 3388 "subAttributes" : [ 3389 { 3390 "name" : "name", 3391 "type" : "string", 3392 "multiValued" : false, 3393 "description" : "The attribute's name", 3394 "required" : true, 3395 "caseExact" : true, 3396 "mutability" : "readOnly", 3397 "returned" : "default", 3398 "uniqueness" : "none" 3399 }, 3400 { 3401 "name" : "type", 3402 "type" : "string", 3403 "multiValued" : false, 3404 "description" : "The attribute's data type. Valid values 3405 include: 'string', 'complex', 'boolean', 'decimal', 3406 'integer', 'dateTime', 'reference'. 
", 3408 "required" : true, 3409 "canonicalValues" : [ 3410 "string", 3411 "complex", 3412 "boolean", 3413 "decimal", 3414 "integer", 3415 "dateTime", 3416 "reference" 3417 ], 3418 "caseExact" : false, 3419 "mutability" : "readOnly", 3420 "returned" : "default", 3421 "uniqueness" : "none" 3422 }, 3423 { 3424 "name" : "multiValued", 3425 "type" : "boolean", 3426 "multiValued" : false, 3427 "description" : "Boolean indicating an attribute's 3428 plurality.", 3429 "required" : true, 3430 "mutability" : "readOnly", 3431 "returned" : "default" 3432 }, 3433 { 3434 "name" : "description", 3435 "type" : "string", 3436 "multiValued" : false, 3437 "description" : "A human readable description of the 3438 attribute.", 3439 "required" : false, 3440 "caseExact" : true, 3441 "mutability" : "readOnly", 3442 "returned" : "default", 3443 "uniqueness" : "none" 3444 }, 3445 { 3446 "name" : "required", 3447 "type" : "boolean", 3448 "multiValued" : false, 3449 "description" : "A boolean indicating if the attribute 3450 is required.", 3451 "required" : false, 3452 "mutability" : "readOnly", 3453 "returned" : "default" 3454 }, 3455 { 3456 "name" : "canonicalValues", 3457 "type" : "string", 3458 "multiValued" : true, 3459 "description" : "A collection of canonical values. 
When 3460 applicable service providers MUST specify the canonical 3461 types specified in the core schema specification; e.g., 3462 'work', 'home'.", 3463 "required" : false, 3464 "caseExact" : true, 3465 "mutability" : "readOnly", 3466 "returned" : "default", 3467 "uniqueness" : "none" 3468 }, 3469 { 3470 "name" : "caseExact", 3471 "type" : "boolean", 3472 "multiValued" : false, 3473 "description" : "Indicates if a string attribute is 3474 case-sensitive.", 3475 "required" : false, 3476 "mutability" : "readOnly", 3477 "returned" : "default" 3478 }, 3479 { 3480 "name" : "mutability", 3481 "type" : "string", 3482 "multiValued" : false, 3483 "description" : "Indicates if an attribute is modifiable.", 3484 "required" : false, 3485 "caseExact" : true, 3486 "mutability" : "readOnly", 3487 "returned" : "default", 3488 "uniqueness" : "none", 3489 "canonicalValues" : [ 3490 "readOnly", 3491 "readWrite", 3492 "immutable", 3493 "writeOnly" 3494 ] 3495 }, 3496 { 3497 "name" : "returned", 3498 "type" : "string", 3499 "multiValued" : false, 3500 "description" : "Indicates when an attribute is returned in 3501 a response (e.g., to a query).", 3502 "required" : false, 3503 "caseExact" : true, 3504 "mutability" : "readOnly", 3505 "returned" : "default", 3506 "uniqueness" : "none", 3507 "canonicalValues" : [ 3508 "always", 3509 "never", 3510 "default", 3511 "request" 3512 ] 3513 }, 3514 { 3515 "name" : "uniqueness", 3516 "type" : "string", 3517 "multiValued" : false, 3518 "description" : "Indicates how unique a value must be.", 3519 "required" : false, 3520 "caseExact" : true, 3521 "mutability" : "readOnly", 3522 "returned" : "default", 3523 "uniqueness" : "none", 3524 "canonicalValues" : [ 3525 "none", 3526 "server", 3527 "global" 3528 ] 3529 }, 3530 { 3531 "name" : "referenceTypes", 3532 "type" : "string", 3533 "multiValued" : true, 3534 "description" : "Used only with an attribute of type 3535 'reference'. 
Specifies a SCIM resourceType that a 3536 reference attribute MAY refer to. e.g., User", 3537 "required" : false, 3538 "caseExact" : true, 3539 "mutability" : "readOnly", 3540 "returned" : "default", 3541 "uniqueness" : "none" 3542 }, 3543 { 3544 "name" : "subAttributes", 3545 "type" : "complex", 3546 "multiValued" : true, 3547 "description" : "Used to define the sub-attributes of a 3548 complex attribute", 3549 "required" : false, 3550 "mutability" : "readOnly", 3551 "returned" : "default", 3552 "subAttributes" : [ 3553 { 3554 "name" : "name", 3555 "type" : "string", 3556 "multiValued" : false, 3557 "description" : "The attribute's name", 3558 "required" : true, 3559 "caseExact" : true, 3560 "mutability" : "readOnly", 3561 "returned" : "default", 3562 "uniqueness" : "none" 3563 }, 3564 { 3565 "name" : "type", 3566 "type" : "string", 3567 "multiValued" : false, 3568 "description" : "The attribute's data type. Valid values 3569 include: 'string', 'complex', 'boolean', 'decimal', 3570 'integer', 'dateTime', 'reference'. 
", 3571 "required" : true, 3572 "caseExact" : false, 3573 "mutability" : "readOnly", 3574 "returned" : "default", 3575 "uniqueness" : "none", 3576 "canonicalValues" : [ 3577 "string", 3578 "complex", 3579 "boolean", 3580 "decimal", 3581 "integer", 3582 "dateTime", 3583 "reference" 3584 ] 3585 }, 3586 { 3587 "name" : "multiValued", 3588 "type" : "boolean", 3589 "multiValued" : false, 3590 "description" : "Boolean indicating an attribute's 3591 plurality.", 3592 "required" : true, 3593 "mutability" : "readOnly", 3594 "returned" : "default" 3595 }, 3596 { 3597 "name" : "description", 3598 "type" : "string", 3599 "multiValued" : false, 3600 "description" : "A human readable description of the 3601 attribute.", 3602 "required" : false, 3603 "caseExact" : true, 3604 "mutability" : "readOnly", 3605 "returned" : "default", 3606 "uniqueness" : "none" 3607 }, 3608 { 3609 "name" : "required", 3610 "type" : "boolean", 3611 "multiValued" : false, 3612 "description" : "A boolean indicating if the attribute 3613 is required.", 3614 "required" : false, 3615 "mutability" : "readOnly", 3616 "returned" : "default" 3617 }, 3618 { 3619 "name" : "canonicalValues", 3620 "type" : "string", 3621 "multiValued" : true, 3622 "description" : "A collection of canonical values. 
When 3623 applicable service providers MUST specify the 3624 canonical types specified in the core schema 3625 specification; e.g., 'work', 'home'.", 3626 "required" : false, 3627 "caseExact" : true, 3628 "mutability" : "readOnly", 3629 "returned" : "default", 3630 "uniqueness" : "none" 3631 }, 3632 { 3633 "name" : "caseExact", 3634 "type" : "boolean", 3635 "multiValued" : false, 3636 "description" : "Indicates if a string attribute is 3637 case-sensitive.", 3638 "required" : false, 3639 "mutability" : "readOnly", 3640 "returned" : "default" 3641 }, 3642 { 3643 "name" : "mutability", 3644 "type" : "string", 3645 "multiValued" : false, 3646 "description" : "Indicates if an attribute is 3647 modifiable.", 3649 "required" : false, 3650 "caseExact" : true, 3651 "mutability" : "readOnly", 3652 "returned" : "default", 3653 "uniqueness" : "none", 3654 "canonicalValues" : [ 3655 "readOnly", 3656 "readWrite", 3657 "immutable", 3658 "writeOnly" 3659 ] 3660 }, 3661 { 3662 "name" : "returned", 3663 "type" : "string", 3664 "multiValued" : false, 3665 "description" : "Indicates when an attribute is 3666 returned in a response (e.g., to a query).", 3667 "required" : false, 3668 "caseExact" : true, 3669 "mutability" : "readOnly", 3670 "returned" : "default", 3671 "uniqueness" : "none", 3672 "canonicalValues" : [ 3673 "always", 3674 "never", 3675 "default", 3676 "request" 3677 ] 3678 }, 3679 { 3680 "name" : "uniqueness", 3681 "type" : "string", 3682 "multiValued" : false, 3683 "description" : "Indicates how unique a value must be.", 3684 "required" : false, 3685 "caseExact" : true, 3686 "mutability" : "readOnly", 3687 "returned" : "default", 3688 "uniqueness" : "none", 3689 "canonicalValues" : [ 3690 "none", 3691 "server", 3692 "global" 3693 ] 3694 }, 3695 { 3696 "name" : "referenceTypes", 3697 "type" : "string", 3698 "multiValued" : false, 3699 "description" : "Used only with an attribute of type 3700 'reference'. 
Specifies a SCIM resourceType that a 3701 reference attribute MAY refer to. e.g., 'User'", 3702 "required" : false, 3703 "caseExact" : true, 3704 "mutability" : "readOnly", 3705 "returned" : "default", 3706 "uniqueness" : "none" 3707 } 3708 ] 3709 } 3710 ] 3711 } 3712 ] 3713 } 3714 ] 3716 Figure 10: Representation of Fixed ServiceProvider Endpoint Schemas 3718 9. Security Considerations 3720 9.1. Protocol 3722 SCIM data is intended to be exchanged using SCIM Protocol. It is 3723 important when handling data to implement the security considerations 3724 outlined in Section 7 of [I-D.ietf-scim-api]. 3726 9.2. Password and Other Sensitive Security Data 3728 Passwords and other attributes related to security credentials are of 3729 extreme sensitive nature and require special handling when 3730 transmitted or stored. While SCIM Protocol uses clear-text passwords 3731 for setting and equality testing purposes, password values MUST NOT 3732 be stored in clear-text form. 3734 Administrators should undertake industry best practices to protect 3735 the storage of credentials and in particular SHOULD follow 3736 recommendations outlines in Section 5.1.4.1 [RFC6819]. These 3737 requirements include but are not limited to: 3739 o Provide injection attack counter measures (e.g., by validating all 3740 inputs and parameters), 3742 o No cleartext storage of credentials, 3743 o Store credentials using an encrypted protection mechanism (e.g. 3744 hashing), and 3746 o Where possible, avoid passwords as the sole form of 3747 authentication, and consider use of asymmetric cryptography based 3748 credentials. 3750 9.3. Privacy 3752 The SCIM Core schema defines attributes that are sensitive and may be 3753 considered personally identifying information (PII). These privacy 3754 considerations should be considered for extensions as well as the 3755 schema defined in this specification. 
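The following Python is an added example, not code from the draft or from any SCIM implementation. It shows how a service provider can meet the Section 9.2 rules (the clear-text password from the request is hashed on write and used only for equality testing, never stored or returned) together with the identifier remediations listed at the end of Section 9.3 (a separate opaque "id" per tenant for the same record, and an "externalId" that only the tenant that assigned it can resolve). The class and method names, the PBKDF2 parameters and the sample User resource are assumptions made for the example.

```python
"""Added example (not from the draft): in-memory SCIM service-provider store that
hashes passwords on write (9.2) and binds identifiers per tenant (9.3)."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SALT_LEN = 16
PBKDF2_ITERATIONS = 600_000   # assumption: tune to the deployment's CPU budget


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). Only this is stored; the
    clear-text value seen in the SCIM request is never retained."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(stored: bytes, candidate: str) -> bool:
    """Constant-time equality test; a clear-text 'password eq' from the protocol
    has to be mapped onto this rather than onto a stored clear-text value."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(candidate, salt)[SALT_LEN:], digest)


class ScimUserStore:
    """One internal record per real user. Each tenant that may reference the
    record gets its own opaque 'id', and 'externalId' is kept per tenant, so two
    tenants sharing a record cannot correlate it through either identifier."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}                 # internal key -> record
        self._tenant_ids: Dict[Tuple[str, str], str] = {}  # (tenant, id) -> internal key
        self._external: Dict[Tuple[str, str], str] = {}    # (tenant, externalId) -> key

    def create_user(self, tenant: str, resource: dict) -> str:
        if SCIM_USER_SCHEMA not in resource.get("schemas", []):
            raise ValueError("not a SCIM User resource")
        record = {k: v for k, v in resource.items()
                  if k not in ("id", "externalId", "password", "meta")}
        pw = resource.get("password")
        record["passwordHash"] = hash_password(pw) if pw else None   # 9.2: hash on write
        record["externalIds"] = {}
        key = secrets.token_hex(16)
        self._records[key] = record
        tenant_id = self._bind(tenant, key)
        if "externalId" in resource:
            self.set_external_id(tenant, tenant_id, resource["externalId"])
        return tenant_id

    def share(self, tenant: str, tenant_id: str, other_tenant: str) -> str:
        """Let a second tenant reference the same record under a different 'id'."""
        return self._bind(other_tenant, self._resolve(tenant, tenant_id))

    def set_external_id(self, tenant: str, tenant_id: str, external_id: str) -> None:
        key = self._resolve(tenant, tenant_id)
        old = self._records[key]["externalIds"].get(tenant)
        if old is not None:
            self._external.pop((tenant, old), None)
        self._records[key]["externalIds"][tenant] = external_id
        self._external[(tenant, external_id)] = key

    def find_by_external_id(self, tenant: str, external_id: str) -> Optional[str]:
        """Only the client domain that assigned an externalId can resolve it (9.3)."""
        key = self._external.get((tenant, external_id))
        return None if key is None else self._bind(tenant, key)

    def check_password(self, tenant: str, tenant_id: str, candidate: str) -> bool:
        stored = self._records[self._resolve(tenant, tenant_id)]["passwordHash"]
        return stored is not None and verify_password(stored, candidate)

    def get(self, tenant: str, tenant_id: str) -> dict:
        """Representation returned to the client: the tenant's own 'id' and
        'externalId', and never the password ('returned': 'never')."""
        record = self._records[self._resolve(tenant, tenant_id)]
        out = {k: v for k, v in record.items() if k not in ("passwordHash", "externalIds")}
        out["id"] = tenant_id
        if tenant in record["externalIds"]:
            out["externalId"] = record["externalIds"][tenant]
        return out

    def _bind(self, tenant: str, key: str) -> str:
        for (t, tid), k in self._tenant_ids.items():
            if t == tenant and k == key:
                return tid
        tid = secrets.token_urlsafe(16)
        self._tenant_ids[(tenant, tid)] = key
        return tid

    def _resolve(self, tenant: str, tenant_id: str) -> str:
        try:
            return self._tenant_ids[(tenant, tenant_id)]
        except KeyError:
            raise LookupError("no such resource in this tenant") from None


# Constructed sample request body (not from the draft).
SAMPLE_USER = {"schemas": [SCIM_USER_SCHEMA], "userName": "bjensen",
               "externalId": "hr-0042", "password": "t1meMa$heen"}

if __name__ == "__main__":
    store = ScimUserStore()
    a_id = store.create_user("tenantA", SAMPLE_USER)
    b_id = store.share("tenantA", a_id, "tenantB")
    print(store.get("tenantA", a_id))   # tenant A's id and externalId, no password
    print(store.get("tenantB", b_id))   # a different id, and no externalId
```

In a deployment the tenant used as the map key must come from the authenticated client, not from the request body, and `check_password` is the only path on which a clear-text value is ever compared; the representation built by `get` is what a filter or GET response may carry.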
For the purposes of this specification, personally identifying information is defined as any attribute that may be used as a unique key to identify a person (e.g., a User). Since other information may be used in combination to identify an individual, all attributes in SCIM are considered "sensitive" personal information. Consult regional jurisdictions to determine whether there are special considerations for the handling of personal information and PII.

Information should be shared on an as-needed basis. A SCIM client should limit the information it sends to what it believes a service provider requires, and a SCIM service provider should accept only the information it needs. Clients and service providers should take into consideration that personal information is being conveyed across technical (e.g., protocol and application), administrative (e.g., organizational, corporate), and jurisdictional boundaries. In particular, information security and privacy must be considered.

Security service level agreements for the handling of these attributes are beyond the scope of this document, but are to be carefully considered by implementers and deploying organizations.

See the Privacy Considerations section of [I-D.ietf-scim-api] for protocol-specific considerations on the handling of SCIM information.

SCIM defines attributes such as "id" and "externalId", and SCIM resource URIs, which cause new PII to be generated; these identifiers are central to the way the SCIM protocol identifies and locates resources. Where possible, it is suggested that service providers take the following remediations:

o Where possible, assign and bind identifiers to specific tenants and/or clients. When multiple tenants are able to reference the same resource, they should do so via separate identifiers (id or externalId). This ensures that separate domains linked to the same information cannot perform identifier correlation.

o In the case of "externalId", if multiple values are supported, use access control to restrict access to the client domain that assigned the "externalId" value.

o Ensure that access to data is appropriately restricted to authorized parties with a need to know.

o When data is persisted, ensure that appropriate protection mechanisms are in place to restrict access by unauthorized parties, including administrators or parties with access to backup data.

10. IANA Considerations

10.1. Registration of SCIM URN Sub-namespace & SCIM Registry

IANA is requested to add an entry to the 'IETF URN Sub-namespace for Registered Protocol Parameter Identifiers' registry and create a sub-namespace for the Registered Parameter Identifier as per [RFC3553]: "urn:ietf:params:scim".

To manage this sub-namespace, IANA is requested to create the "SCIM" registry, which shall be used to manage entries within the "urn:ietf:params:scim" namespace. The registry description is as follows:

o Registry name: SCIM

o Specification: [this document]

o Repository: [see Section 10.2]

o Index value: values [see Section 10.2]

10.2. URN Sub-Namespace for SCIM

SCIM schemas and SCIM messages utilize URIs to identify the schema in use or other relevant context. This section creates and registers an IETF URN sub-namespace for use in the SCIM specifications and future extensions.

10.2.1. Specification Template

Namespace ID:

   The Namespace ID "scim" is requested.

Registration Information:

   Version: 1

   Date: [[insert final submission date]]

Declared registrant of the namespace:

   Registering organization
      The Internet Engineering Task Force

   Designated contact
      A designated expert will monitor the SCIM public mailing list, "scim@ietf.org".
Declaration of Syntactic Structure:

   The Namespace Specific String (NSS) of all URNs that use the "scim" NID shall have the following structure:

      urn:ietf:params:scim:{type}:{name}{:other}

   The keywords have the following meaning:

   type
      The entity type, which is either "schemas" or "api".

   name
      A required US-ASCII string that conforms to the URN syntax requirements (see [RFC2141]) and defines a major namespace of a schema used within SCIM (e.g., "core", which is reserved for SCIM specifications). The value MAY also be an industry name or organization name.

   other
      Any US-ASCII string that conforms to the URN syntax requirements (see [RFC2141]) and defines the sub-namespace (which MAY be further broken down into namespaces delimited by colons) as needed to uniquely identify a schema.

Relevant Ancillary Documentation:

   None

Identifier Uniqueness Considerations:

   The designated contact shall be responsible for reviewing and enforcing uniqueness.

Identifier Persistence Considerations:

   Once a name has been allocated, it MUST NOT be re-allocated for a different purpose. The rules provided for assignments of values within a sub-namespace MUST be constructed so that the meaning of values cannot change. This registration mechanism is not appropriate for naming values whose meaning may change over time.

   As the SCIM specifications are updated and the SCIM protocol version is adjusted, a new registration will be made when significant changes are made. For example, "urn:ietf:params:scim:schemas:core:1.0" (externally defined, not previously registered) and "urn:ietf:params:scim:schemas:core:2.0".

Process of Identifier Assignment:

   Identifiers with namespace type "schemas" (e.g., "urn:ietf:params:scim:schemas") are assigned after review by the designated contact via the SCIM public mailing list, "scim@ietf.org", as documented in Section 10.3.

   Namespaces with type "api" (e.g., "urn:ietf:params:scim:api") and "param" (e.g., "urn:ietf:params:scim:param") are reserved for IETF-approved SCIM specifications.

Process of Identifier Resolution:

   The namespace is not currently listed with a Resolution Discovery System (RDS), but nothing about the namespace prohibits the future definition of appropriate resolution methods or listing with an RDS.

Rules for Lexical Equivalence:

   No special considerations; the rules for lexical equivalence specified in [RFC2141] apply.

Conformance with URN Syntax:

   No special considerations.

Validation Mechanism:

   None specified.

Scope:

   Global.

10.3. Registering SCIM Schemas

This section defines the process for registering new SCIM schemas with IANA in the "SCIM" registry (see Section 10.1). A schema URI is used as a value in the "schemas" attribute (Section 3) for the purpose of distinguishing extensions used in a SCIM resource.

10.3.1. Registration Procedure

The IETF has created a mailing list, scim@ietf.org, which can be used for public discussion of SCIM schema proposals prior to registration. Use of the mailing list is strongly encouraged. The IESG has appointed a designated expert who will monitor the scim@ietf.org mailing list and review registrations.

Registration of new "core" schemas (e.g., in the namespace "urn:ietf:params:scim:schemas:core") and "API" schemas (e.g., in the namespace "urn:ietf:params:scim:api") MUST be reviewed by the designated expert and published in an RFC.
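As an added example, not part of the draft, the following Python parses and validates URNs against the structure declared above, applies the [RFC2141] lexical-equivalence rule ("urn:" and the NID compare case-insensitively, %-escapes compare case-insensitively, the rest of the NSS is case-sensitive), and maps a URN to the registration path given under "Process of Identifier Assignment" and in Section 10.3.1 (an RFC for "api"-type URNs and for "core" schemas; first-come-first-served review otherwise). The function names, the `is_valid_scim_urn` helper and the api-type sample URN used in the checks are assumptions; the per-segment character set is the [RFC2141] URN character set minus the colon used here as a delimiter.

```python
"""Added example (not from the draft): parse, validate and compare SCIM URNs of
the form urn:ietf:params:scim:{type}:{name}{:other}.  Names are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

URN_NID = "ietf"                      # "urn:" and the NID are case-insensitive (RFC 2141)
SCIM_NSS_PREFIX = "params:scim:"      # the NSS itself is case-sensitive
DECLARED_TYPES = ("schemas", "api")   # 10.2.1, "Declaration of Syntactic Structure"
IETF_RESERVED_TYPES = ("api",)        # 10.2.1 also names "param", which is not a declared type
IETF_RESERVED_NAMES = ("core",)       # "core" is reserved for SCIM specifications

# One colon-free segment: RFC 2141 <trans> characters (minus ":", the delimiter)
# or a %-escape.  The reserved characters "%", "/", "?", "#" may only appear escaped.
_SEGMENT = re.compile(r"^(?:[A-Za-z0-9()+,\-.=@;$_!*']|%[0-9A-Fa-f]{2})+$")


@dataclass(frozen=True)
class ScimUrn:
    type: str
    name: str
    other: Optional[str]   # may itself be several colon-delimited segments

    def __str__(self) -> str:
        tail = "" if self.other is None else f":{self.other}"
        return f"urn:{URN_NID}:{SCIM_NSS_PREFIX}{self.type}:{self.name}{tail}"


def parse_scim_urn(urn: str) -> ScimUrn:
    parts = urn.split(":", 2)
    if len(parts) != 3 or parts[0].lower() != "urn" or parts[1].lower() != URN_NID:
        raise ValueError(f"not an IETF URN: {urn!r}")
    nss = parts[2]
    if not nss.startswith(SCIM_NSS_PREFIX):
        raise ValueError(f"not in urn:ietf:params:scim: {urn!r}")
    fields = nss[len(SCIM_NSS_PREFIX):].split(":", 2)
    if len(fields) < 2:
        raise ValueError(f"{{type}} and {{name}} are required: {urn!r}")
    typ, name = fields[0], fields[1]
    other = fields[2] if len(fields) == 3 else None
    if typ not in DECLARED_TYPES:
        raise ValueError(f"type must be one of {DECLARED_TYPES}: {typ!r}")
    if not _SEGMENT.match(name):
        raise ValueError(f"name is not a valid URN segment: {name!r}")
    if other is not None and not all(_SEGMENT.match(s) for s in other.split(":")):
        raise ValueError(f"other contains an invalid segment: {other!r}")
    return ScimUrn(typ, name, other)


def is_valid_scim_urn(urn: str) -> bool:
    try:
        parse_scim_urn(urn)
    except ValueError:
        return False
    return True


def registration_policy(u: ScimUrn) -> str:
    """Registration path per 10.2.1 "Process of Identifier Assignment" and 10.3.1."""
    if u.type in IETF_RESERVED_TYPES or u.name in IETF_RESERVED_NAMES:
        return "rfc-required"           # designated-expert review plus an RFC
    return "first-come-first-served"    # simple review by the designated expert


def canonical(urn: str) -> str:
    """RFC 2141 section 5 lexical form: lowercase "urn:", the NID and the hex
    digits of %-escapes; leave every other NSS character as given."""
    head, nid, nss = urn.split(":", 2)
    nss = re.sub(r"%[0-9A-Fa-f]{2}", lambda m: m.group(0).lower(), nss)
    return f"{head.lower()}:{nid.lower()}:{nss}"


def lexically_equivalent(a: str, b: str) -> bool:
    parse_scim_urn(a)   # both must be well-formed SCIM URNs before comparing
    parse_scim_urn(b)
    return canonical(a) == canonical(b)


if __name__ == "__main__":
    for s in ("urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"):
        u = parse_scim_urn(s)
        print(u, registration_policy(u))
```

A service provider that dispatches on the "schemas" attribute should compare values with `lexically_equivalent` rather than with plain string equality, and should reject anything `parse_scim_urn` refuses before using it as a lookup key.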
An RFC is REQUIRED for the registration of new value data types that modify existing properties. An RFC is also REQUIRED for the registration of SCIM schema URIs that modify SCIM schema previously documented in an existing RFC. URNs within "urn:ietf:params:scim" but outside the above namespaces MAY be registered with a simple review (e.g., a check for spam) by the designated expert on a first-come-first-served basis.

The registration procedure begins when a completed registration template, defined in the sections below, is sent to scim@ietf.org and iana@iana.org. Within two weeks, the designated expert is expected to tell IANA and the submitter of the registration whether the registration is approved, approved with minor changes, or rejected with cause. When a registration is rejected with cause, it can be re-submitted if the concerns listed in the cause are addressed. Decisions made by the designated expert can be appealed to the IESG Applications Area Director, then to the IESG. They follow the normal appeals procedure for IESG decisions.

Once the registration procedure concludes successfully, IANA creates or modifies the corresponding record in the SCIM schema registry. The completed registration template is discarded.

An RFC specifying a new schema URI MUST include the completed registration templates, which MAY be expanded with additional information. These completed templates are intended to go in the body of the document, not in the IANA Considerations section. The RFC SHOULD include any attributes defined.

10.3.2. Schema Registration Template

A SCIM schema URI is defined by completing the following template:

Schema URI: A unique URI for the SCIM schema extension.

Schema Name: A descriptive name of the schema extension (e.g., Generic Device).

Intended or Associated Resource Type: A value defining the resource type (e.g., "Device").

Purpose: A description of the purpose of the extension and/or its intended use.

Single-value Attributes: A list and description of the single-valued attributes defined, including complex attributes.

Multi-valued Attributes: A list and description of the multi-valued attributes defined, including complex attributes.

10.4. Initial SCIM Schema Registry

IANA is requested to populate the "SCIM" registry with the following SCIM schema URIs, with pointers to the appropriate reference documents. Note: each Schema URI is broken into two lines for readability.

   +-----------------------------------+-----------------+-------------+
   | Schema URI                        | Name            | Reference   |
   +-----------------------------------+-----------------+-------------+
   | urn:ietf:params:scim:schemas:     | User Resource   | See Section |
   |   core:2.0:User                   |                 | 4.1         |
   | urn:ietf:params:scim:schemas:     | Enterprise User | See Section |
   |   extension:enterprise:2.0:User   | Extension       | 4.3         |
   | urn:ietf:params:scim:schemas:     | Group Resource  | See Section |
   |   core:2.0:Group                  |                 | 4.2         |
   +-----------------------------------+-----------------+-------------+

   SCIM Schema URIs for Data Resources

   +-----------------------------------+-------------------+-----------+
   | Schema URI                        | Name              | Reference |
   +-----------------------------------+-------------------+-----------+
   | urn:ietf:params:scim:schemas:     | Service Provider  | See       |
   |   core:2.0:ServiceProviderConfig  | Configuration     | Section 5 |
   |                                   | Schema            |           |
   | urn:ietf:params:scim:schemas:     | Resource Type     | See       |
   |   core:2.0:ResourceType           | Config            | Section 6 |
   | urn:ietf:params:scim:schemas:     | Schema            | See       |
   |   core:2.0:Schema                 | Definitions       | Section 7 |
   |                                   | Schema            |           |
   +-----------------------------------+-------------------+-----------+

   SCIM Server Related Schema URIs

11. References

11.1. Normative References

[I-D.ietf-scim-api]
   Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C. Mortimore, "System for Cross-Domain Identity Management: Protocol", draft-ietf-scim-api-19 (work in progress), May 2015.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2141] Moats, R., "URN Syntax", RFC 2141, May 1997.

[RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An IETF URN Sub-namespace for Registered Protocol Parameters", BCP 73, RFC 3553, June 2003.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.

[RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC 3966, December 2004.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005.

[RFC4647] Phillips, A. and M. Davis, "Matching of Language Tags", BCP 47, RFC 4647, September 2006.

[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006.

[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, October 2008.

[RFC5646] Phillips, A. and M. Davis, "Tags for Identifying Languages", BCP 47, RFC 5646, September 2009.

[RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the Time Zone Database", BCP 175, RFC 6557, February 2012.

[RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, March 2014.

[RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.

[RFC7232] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests", RFC 7232, June 2014.

11.2. Informative References

[ISO3166] "ISO 3166:1988 (E/F) - Codes for the representation of names of countries - The International Organization for Standardization, 3rd edition", August 1988.

[Olson-TZ]
   Internet Assigned Numbers Authority, "IANA Time Zone Database".

[PortableContacts]
   Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only", August 2008.

[RFC2277] Alvestrand, H., "IETF Policy on Character Sets and Languages", BCP 18, RFC 2277, January 1998.

[RFC4512] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006.

[RFC6350] Perreault, S., "vCard Format Specification", RFC 6350, August 2011.

[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012.

[RFC6819] Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0 Threat Model and Security Considerations", RFC 6819, January 2013.

[XML-Schema]
   Peterson, D., Gao, S., Malhotra, A., Sperberg-McQueen, C., and H. Thompson, "XML Schema Definition Language (XSD) 1.1 Part 2: Datatypes", April 2012.

Appendix A.
Acknowledgements

The editors would like to acknowledge the contribution and work of the past draft editors:

   Chuck Mortimore, Salesforce

   Patrick Harding, Ping

   Paul Madsen, Ping

   Trey Drake, UnboundID

The SCIM community would like to thank the following people for the work they've done in the research, formulation, drafting, editing, and support of this specification.

   Morteza Ansari (morteza.ansari@cisco.com)

   Sidharth Choudhury (schoudhury@salesforce.com)

   Samuel Erdtman (samuel@erdtman.se)

   Kelly Grizzle (kelly.grizzle@sailpoint.com)

   Chris Phillips (cjphillips@gmail.com)

   Erik Wahlstroem (erik@wahlstromstekniska.se)

   Phil Hunt (phil.hunt@yahoo.com)

Special thanks to Joseph Smarr, whose excellent work on the Portable Contacts specification [PortableContacts] provided a basis for the SCIM schema structure and text.

Appendix B. Change Log

[[This section to be removed prior to publication as an RFC]]

Draft 02 - KG - Addition of schema extensibility

Draft 03 - PH - Revisions based on the following tickets:

   09 - Attribute uniqueness

   10 - Returnability of attributes

   35 - Attribute mutability (replaces readOnly)

   52 - Minor textual changes

   53 - Standard use of term client (some was consumer)

   56 - Make manager attribute consistent with other $ref attrs

   58 - Add optional id to ResourceType objects for consistency

   59 - Fix capitalization per IETF editor practices

   60 - Changed tags to normal and tags

Draft 04 - PH - Revisions based on the following tickets:

   43 - Drop short-hand notation for complex multi-valued attributes

   61 - Specify attribute name limitations

   62 - Fix 'mutability' normative language

   63 - Fix incorrect EnterpriseUser schema reference

   68 - Update JSON references from RFC4627 to RFC7159

   71 - Made corrections to language tags in compliance with BCP47 / RFC5646

Draft 05 - PH - Revisions based on the following tickets:

   23 - Clarified that the server is not required to preserve case for case-insensitive strings

   41 - Add IANA considerations

   72 - Added text to indicate UTF-8 is the default and mandatory encoding format per BCP18

   - Typo corrections and removed some redundant text

Draft 06 - PH - Revisions based on the following tickets:

   63 - Corrected enterprise user URI in 14.2 and section 7, URI namespace changes due to ticket #41

   66 - Updated reference to final HTTP/1.1 drafts (RFC 7230)

   41 - Add IANA considerations

   - Removed redundant text (e.g., SAML binding, replaced REST with HTTP)

   - Reordered introduction, definitions and notation sections to follow typical format

   - meta.attributes removed due to new PURGE command in draft 04 (no longer used)

Draft 07 - PH - Edits and revisions

   - Dropped use of the term API in favour of HTTP protocol or just protocol.

   - Clarified meaning of null and unassigned

Draft 08 - PH - Revised IANA namespace to urn:ietf:params:scim per RFC3553

Draft 09 - PH - Editorial revisions and clarifications

   Removed duplicate text from Schema Schema section

   Removed "operation" attribute from Multi-valued Attribute sub-attribute definitions. This was used in the old PATCH command and is no longer valid.

   Revised some layout to make indentation and definition of attributes more clear (added vspace elements)

Draft 10 - PH - Editorial revisions

   Simplified namespace definition for urn:ietf:params:scim

   Clarified "schemas" attribute as representing the JSON body schema in an HTTP Req/Resp

   Reduced use of confusing term "core" in "Core User" and "Core Group"

   Added clarifications and security considerations for externalId

   Re-worded descriptions of the SCIM schema extension model (sec 3) and core schema (sec 4) for improved clarity

Draft 11 - PH - Clarification to definition of externalId

Draft 12 - PH - Nits / Corrections

   Corrected use of RFC2119 words (e.g., MUST not to MUST NOT)

   Corrected JSON examples to be 72 characters or less per line

   Corrected enterprise User manager attribute to use sub-attribute value and make multi-valued

   Corrected sec 8.7, make members multi-valued in JSON

   Added missing definition for subattributes in sec 7, Schema Definition

Draft 13 - PH - Correcting nits in externalId example and clarified phoneNumber & emails canonicalization

Draft 14 - PH - Nits / Corrections

   Corrected JSON structure for example Schema (removed outer {} around array of schemas).

   Added example Group resource type to example of resource types in JSON

Draft 15 - PH - Corrected schema in sec 7 to use defined types from sec 2.1

Draft 16 - PH - Corrected photo.value from "type":"binary" to "type":"reference" (should be a URL)

Draft 17 - PH - Changes as follows:

   Updated reference for XML-Schema to the 5 April 2012 XML Schema 1.1 draft

   Added clarifications on attribute characteristics and Schema usage

   Added schema in section 8.7 for Schema, ServiceProviderConfig, and ResourceType

   Fixed nit in service provider config.

   Clarified binary attribute may be base64 or base64url encoding per RFC4648. x509certificates are now base64 encoded.

   Clarified x509certificates values are DER certificates that are then base64 encoded

   Corrected "reference" attribute to use the "referenceTypes" meta-attribute that says what type of reference an attribute is.

Draft 18 - PH - Comments from GenART and IANA review

   General edits and nits after Gen-ART and IANA review

   Add references to SCIM API protocol document where appropriate

   Added clarifications and privacy considerations to security considerations

   Clarified IANA section to create new "SCIM" registry

   Removed out-of-date "readOnly" attribute from Group schema (replaced a long time ago by "mutability").

Draft 19 - PH - Comments from IESG review

   Additional Gen-Art edits (type canonicalization, moved attribute types section, etc.)

   Added clarification on password use of clear text and hashing

   Clarified statements about sensitive and PII data

   Updated references to SCIM Protocol sections

   Made capitalization of 'client' and 'service provider' terms consistent (lower case)

   Corrected schema and examples to have singular value for manager attribute

Draft 20 - PH - Additional clarification on multi-hop/3rd party, and small nit in section 1.1

Draft 21 - PH - IESG feedback from draft 20 (Ben, Stephen, Benoit)

   Reduced use of normative MAY for statements of fact

   Corrected MAYs that were intended to imply MUST or SHALL (e.g., TLS MUST be used).

   Added notation definition for REQUIRED and OPTIONAL

   Redefined Integer so as not to conflict with decimal

   Clarified a reference URI must be a valid HTTP addressable URI

   Clarified attribute characteristics for meta attribute

   Dropped use of "real" in definition of name as no real-name policy was implied.

   Re-worded/improved readability of password definition

   At request of Stephen Farrell, clarified x509certificate values contain only one certificate.

   Other typos and nits

Draft 22 - PH - Clarified sub-attribute definition of Group "members" attribute

Authors' Addresses

   Phil Hunt (editor)
   Oracle Corporation

   Email: phil.hunt@yahoo.com

   Kelly Grizzle
   SailPoint

   Email: kelly.grizzle@sailpoint.com

   Erik Wahlstroem
   Nexus Technology

   Email: erik.wahlstrom@nexusgroup.com

   Chuck Mortimore
   Salesforce.com

   Email: cmortimore@salesforce.com