System for Cross-domain Identity Management (scim)

Last modified: 2016-07-19

Chairs

Applications and Real-Time Area Director

Mailing Lists

General Discussion: scim@ietf.org
To Subscribe: https://www.ietf.org/mailman/listinfo/scim
Archive: https://mailarchive.ietf.org/arch/browse/scim/

Description of Working Group:

The System for Cross-domain Identity Management (SCIM) working group will standardize methods for creating, reading, searching, modifying, and deleting user identities and identity-related objects across administrative domains, with the goal of simplifying common tasks related to user identity management in services and applications.

"Standardize" does not necessarily mean that the working group will develop new technologies. The existing specifications for "SCIM 1.0" provide RESTful interfaces on top of HTTP rather than defining a new application protocol. That will be the basis for the new work.

Today, distributed identity management across administrative domains is complicated by a lack of protocol and schema standardization between consumers and producers of identities. This has led to a number of approaches, including error-prone manual administration and bulk file uploads, as well as proprietary protocols and mediation devices that must be adapted to each service for each organization. While there is existing work in the field, it has not been widely adopted for a variety of reasons, including a lack of common artifacts such as schema, toolsets, and libraries.

The SCIM working group will develop the core schema and interfaces based on HTTP and REST to address these problems. Initially, the group will focus on

  • a schema definition
  • a set of operations for creation, modification, and deletion of users
  • schema discovery
  • read and search
  • bulk operations
  • mapping between the inetOrgPerson LDAP object class (RFC 2798) and the SCIM schema

It will follow that by considering extensions for client targeting of specific SCIM endpoints and SAML binding. The approach will be extensible.

The group will use, as starting points, the following drafts in the following ways:

  • draft-scim-use-cases-00 as the initial use cases for SCIM
  • draft-scim-core-schema-00 as the schema specification
  • draft-scim-api-00 as the protocol specification

These drafts are based on existing specifications, which together are commonly known as SCIM 1.0. Because there is existing work with existing implementations, some consideration should be given to backward compatibility, though getting it right takes priority. This group will consider the operational experience gathered from the existing work, as well as experiences with work done by other bodies, including the OASIS Provisioning TC.

The use cases document will be a "living document", guiding the working group during its development of the standards. The group may take snapshots of that document for Informational publication, to serve as documentation of the motivation for the work in progress and to similarly guide planning and implementation.

The group will produce Proposed Standards for a schema, a REST-based protocol, and a SAML binding, as well as an Informational document defining an LDAP mapping. In doing so, the group will make the terminology consistent, identify any functional gaps that would be useful for future work, address internationalization, and provide guidelines and mechanisms for extensibility.

In addition, the working group will ensure that the SCIM protocol embodies good security practices. Given both the sensitivity of the information being conveyed in SCIM messages and the regulatory requirements regarding the privacy of personally identifiable information, the working group will pay particular attention to issues around authorization, authenticity, and privacy.

The group considers the following out of scope for this group:
Defining new authentication schemes
Defining new policy/authorization schemes

Goals and Milestones

Jan 2014 Work completed; discuss re-charter
Nov 2013 SCIM SAML bindings to IESG as Proposed Standard
Sep 2013 Snapshot update of SCIM use cases as Informational (possibly)
Aug 2013 Client targeting of SCIM endpoints to IESG as Proposed Standard
Jul 2013 Initial adoption of SCIM SAML bindings draft
Jun 2013 SCIM LDAP inetOrgPerson mapping to IESG as Informational
May 2013 SCIM restful interface to IESG as Proposed Standard
Mar 2013 Initial adoption of SCIM use cases, as a living document
Feb 2013 SCIM core schema to IESG as Proposed Standard
Dec 2012 Proposal for client targeting of SCIM endpoints
Nov 2012 Initial adoption of SCIM LDAP inetOrgPerson mapping draft
Done Initial adoption of SCIM restful interface draft
Done Initial adoption of SCIM core schema

Request for Comments

Internet SocietyAMSHome - Tools Team - Datatracker - IASA - IAB - RFC Editor - IANA - IRTF - IETF Trust - ISOC - IETF Journal - Store - Contact Us
Secretariat services provided by Association Management Solutions, LLC (AMS).
Please send problem reports to: ietf-action@ietf.org.