Network Working Group                                       P. Hunt, Ed.
Internet-Draft                                                    Oracle
Intended status: Standards Track                             K. Grizzle
Expires: August 8, 2015                                        SailPoint
                                                           E. Wahlstroem
                                                        Nexus Technology
                                                            C. Mortimore
                                                              Salesforce
                                                        February 4, 2015

        System for Cross-Domain Identity Management: Core Schema
                     draft-ietf-scim-core-schema-16

Abstract

   The System for Cross-Domain Identity Management (SCIM) specifications
   are designed to make identity management in cloud based applications
   and services easier. The specification suite builds upon experience
   with existing schemas and deployments, placing specific emphasis on
   simplicity of development and integration, while applying existing
   authentication, authorization, and privacy models. Its intent is to
   reduce the cost and complexity of user management operations by
   providing a common user schema and extension model, as well as
   binding documents to provide patterns for exchanging this schema
   using HTTP protocol.

   This document provides a platform neutral schema and extension model
   for representing users and groups and other resource types in JSON
   format. This schema is intended for exchange and use with cloud
   service providers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 8, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors. All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction and Overview
     1.1.  Requirements Notation and Conventions
     1.2.  Definitions
   2.  SCIM Schema Data Types
     2.1.  Attribute Data Types
       2.1.1.  String
       2.1.2.  Boolean
       2.1.3.  Decimal
       2.1.4.  Integer
       2.1.5.  DateTime
       2.1.6.  Binary
       2.1.7.  Reference
       2.1.8.  Complex
     2.2.  Multi-valued Attributes
     2.3.  Unassigned and Null Values
   3.  SCIM Resources
     3.1.  Common Attributes
     3.2.  Defining New Resource Types
     3.3.  Attribute Extensions to Resources
   4.  SCIM Core Resources and Extensions
     4.1.  User Resource Schema
       4.1.1.  Singular Attributes
       4.1.2.  Multi-valued Attributes
     4.2.  Group Resource Schema
     4.3.  Enterprise User Schema Extension
   5.  Service Provider Configuration Schema
   6.  ResourceType Schema
   7.  Schema Definition
   8.  JSON Representation
     8.1.  Minimal User Representation
     8.2.  Full User Representation
     8.3.  Enterprise User Extension Representation
     8.4.  Group Representation
     8.5.  Service Provider Configuration Representation
     8.6.  Resource Type Representation
     8.7.  Schema Representation
   9.  Security Considerations
   10. IANA Considerations
     10.1.  New Registration of SCIM URN Sub-namespace
     10.2.  URN Sub-Namespace for SCIM
       10.2.1.  Specification Template
       10.2.2.  Pre-Registered SCIM Schema Identifiers
     10.3.  Registering SCIM Schemas
       10.3.1.  Registration Procedure
       10.3.2.  Schema Registration Template
     10.4.  Initial SCIM Schema Registry
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Appendix A.  Acknowledgements
   Appendix B.  Change Log
   Authors' Addresses

1.  Introduction and Overview

   While there are existing standards for describing and exchanging user
   information, many of these standards can be difficult to implement
   and/or use; e.g., their wire protocols do not easily traverse
   firewalls and/or are not easily layered onto existing web protocols.
   As a result, many cloud providers implement non-standardized
   protocols for managing users within their services. This increases
   both the cost and complexity associated with organizations adopting
   products and services from multiple cloud providers as they must
   perform redundant integration development. Similarly, cloud service
   providers seeking to inter-operate with multiple application
   marketplaces or cloud identity providers must be redundantly
   integrated.

   SCIM seeks to simplify this problem through a simple to implement
   specification suite that provides a common user schema and extension
   model, as well as binding documents to provide patterns for
   exchanging this schema via an HTTP based protocol. It draws
   inspiration and best practice, building upon existing user protocols
   and schemas from a wide variety of sources including, but not limited
   to, existing services exposed by cloud providers, PortableContacts,
   vCards, and LDAP directory services.

   This document provides a JSON based schema and extension model for
   representing users and groups, as well as service provider
   configuration. This schema is intended for exchange and use with
   cloud service providers and other cross-domain scenarios. An HTTP
   protocol-binding document is provided separately.

1.1.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Throughout this document, values are quoted to indicate that they are
   to be taken literally. When using these values in protocol messages,
   the quotes MUST NOT be used as part of the value.

   Throughout this document all figures MAY contain spaces and extra
   line-wrapping for readability and space reasons. Similarly, some
   URIs contained within examples have been shortened for space and
   readability reasons.

1.2.  Definitions

   Service Provider
      An HTTP web application that provides identity information via the
      SCIM protocol.

   Client
      A website or application that uses the SCIM protocol to manage
      identity data maintained by the service provider. The client
      initiates SCIM HTTP requests to a target service provider.

   Resource Type
      A type of a resource that is managed by a service provider. The
      resource type defines the resource name, endpoint URL, Schemas,
      and other meta-data which indicate where a resource is managed and
      how it is composed; e.g. "User" or "Group".

   Resource
      A service provider managed artifact containing one or more
      attributes. For example a "User" or "Group".

   Schema
      A collection of Attribute Definitions that describe the contents
      of an entire or partial resource; e.g.
      "urn:ietf:params:scim:schemas:core:2.0:User".

   Singular Attribute
      A resource attribute that contains 0..1 values; e.g.
      "displayName".

   Multi-valued Attribute
      A resource attribute that contains 0..n values; e.g. "emails".

   Simple Attribute
      A singular or multi-valued attribute whose value is a primitive;
      e.g. "String".
   Complex Attribute
      A singular or multi-valued attribute whose value is a composition
      of one or more simple attributes; e.g. "addresses".

   Sub-Attribute
      A simple attribute contained within a complex attribute.

2.  SCIM Schema Data Types

   SCIM schema provides a minimal core schema for representing users and
   groups (resources), encompassing common attributes found in many
   existing deployments and schemas. In addition to the minimal core
   schema, this document also specifies a standardized means by which
   service providers may extend schema to define new resources and
   attributes in both standardized and service provider specific cases.

   Resources are categorized into common resource types such as "User"
   or "Group". Collections of resources of the same type are usually
   contained within the same "container" ("folder") endpoint.

   A resource is a collection of attributes identified by one or more
   schemas. Minimally, an attribute consists of the attribute name and
   at least one simple or complex value, either of which may be multi-
   valued. For each attribute, SCIM schema defines the data type,
   plurality, mutability, and other distinguishing features of an
   attribute.

   Attribute names SHOULD be camel-cased (e.g. "camelCase"). SCIM
   resources are represented in JSON [RFC7159] and MUST specify schema
   via the "schemas" attribute per Section 3.

   Attribute names MUST conform to the following ABNF [RFC5234] rules:

      ATTRNAME = ALPHA *(nameChar)
      nameChar = "-" / "_" / DIGIT / ALPHA

                    Figure 1: ABNF for Attribute Names

2.1.  Attribute Data Types

   Attribute data types are derived from JSON [RFC7159] and unless
   otherwise specified have the following characteristics (see Section 7
   for attribute characteristic definitions):

   o  are OPTIONAL (is not required),

   o  are case insensitive (caseExact=false),

   o  are modifiable (mutability is readWrite),

   o  are returned in response to queries (returned by default),

   o  are not unique (uniqueness=none), and,

   o  of type String (Section 2.1.1).

   The JSON format defines a limited set of data types, hence, where
   appropriate, alternate JSON representations derived from XML Schema
   [XML-Schema] are defined below. SCIM extensions SHOULD NOT introduce
   new data types.

   The following table maps each SCIM data type to its SCIM schema
   "type" and to the underlying JSON data type:

   +----------------+--------------------+-----------------------------+
   | SCIM Data Type | SCIM Schema "type" | JSON Type                   |
   +----------------+--------------------+-----------------------------+
   | String         | "string"           | String per Sec. 7 [RFC7159] |
   | Boolean        | "boolean"          | Value per Sec. 3 [RFC7159]  |
   | Decimal        | "decimal"          | Number per Sec. 6 [RFC7159] |
   | Integer        | "integer"          | Number per Sec. 6 [RFC7159] |
   | DateTime       | "dateTime"         | String per Sec. 7 [RFC7159] |
   | Binary         | "string"           | Base64 encoded String       |
   | Reference      | "reference"        | String per Sec. 7 [RFC7159] |
   | Complex        | "complex"          | Object per Sec. 4 [RFC7159] |
   +----------------+--------------------+-----------------------------+

              Table 1: SCIM Data Type to JSON Representation

2.1.1.  String

   A sequence of zero or more Unicode characters encoded using UTF-8 as
   per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7
   [RFC7159]. A "String" attribute MAY specify a required data format.
   Additionally, when canonical values are specified service providers
   SHOULD conform to those values if appropriate, but MAY provide
   alternate "String" values to represent additional values.

2.1.2.  Boolean

   The literal "true" or "false". The JSON format is defined in
   Section 3 [RFC7159].

2.1.3.  Decimal

   A real number with at least one digit to the left and right of the
   period. The JSON format is defined in Section 6 [RFC7159].

2.1.4.  Integer

   A decimal number with no fractional digits. The JSON format is
   defined in Section 6 [RFC7159] with the additional constraint that
   the value MUST NOT contain fractional or exponent parts.

2.1.5.  DateTime

   A DateTime value (e.g. 2008-01-23T04:56:22Z). The attribute value
   MUST be encoded as a valid xsd:dateTime as specified in Section 3.2.7
   [XML-Schema].

   Values represented in JSON MUST conform to the XML constraints above
   and are represented as a JSON String per Section 7 [RFC7159].

2.1.6.  Binary

   Arbitrary binary data. The attribute value MUST be encoded as a
   valid xsd:base64Binary as specified in Section 3.2.16 [XML-Schema].

   Values represented in JSON MUST conform to the XML constraints above
   and are represented as a JSON String per Section 2.7 [RFC7159].

2.1.7.  Reference

   A reference to a SCIM resource. The value MUST be the absolute or
   relative URI of the target resource. Relative URIs should be
   resolved as specified in Section 5.2 [RFC3986]. The base URI for
   relative URI resolution MUST include all URI components and path
   segments up to but not including the Endpoint URI; e.g., the base URI
   for a request to "https://example.com/v2/Users/2819c223-7f76-453a-
   919d-413861904646" would be "https://example.com/v2/" and the
   relative URI for this resource would be "Users/2819c223-7f76-453a-
   919d-413861904646".

   Performing a GET operation on a reference URI MUST return the target
   resource or an appropriate HTTP response code. The service provider
   MAY optionally choose to enforce referential integrity for
   references.

   By convention, a reference is commonly represented as a "$ref" sub-
   attribute in complex or multi-valued attributes, however this is
   OPTIONAL.

2.1.8.  Complex

   A singular or multi-valued attribute whose value is a composition of
   one or more simple Attributes. The JSON format is defined in
   Section 4 [RFC7159].

2.2.  Multi-valued Attributes

   Multi-valued attributes contain a list of values or may contain sub-
   attributes and MAY also be considered complex attributes. The order
   of values returned by the server SHOULD NOT be guaranteed. The sub-
   attributes below are considered normative and when specified SHOULD
   be used as defined.

   type     A label indicating the attribute's function; e.g., "work" or
            "home".

   primary  A Boolean value indicating the 'primary' or preferred
            attribute value for this attribute, e.g. the preferred mailing
            address or the primary e-mail address. The primary attribute
            value "true" MUST appear no more than once.

   display  A human readable name, primarily used for display purposes
            and has a mutability of "immutable".

   value    The attribute's significant value; e.g., the e-mail address,
            phone number, etc.

   $ref     The reference URI of the target resource, if the attribute is a
            reference.

   When returning multi-valued attributes, service providers SHOULD
   canonicalize the value returned, if appropriate (e.g. for e-mail
   addresses and URLs). Service providers MAY return the canonicalized
   value using the "display" sub-attribute and return the original value
   using the "value" attribute.

   Service providers MAY return the same value more than once with
   different types (e.g. the same e-mail address may be used for work and
   home), but SHOULD NOT return the same (type, value) combination more
   than once per Attribute, as this complicates processing by the
   Consumer.

2.3.  Unassigned and Null Values

   Unassigned attributes, the null value, or empty array (in the case of
   a multi-valued attribute) SHALL be considered to be equivalent in
   "state". Assigning an attribute with the value "null" or an empty
   array (in the case of multi-valued attributes) has the effect of
   making the attribute "unassigned". When a resource is expressed in
   JSON form, unassigned attributes, though they are defined in schema,
   MAY be omitted for compactness.

3.  SCIM Resources

   Each SCIM resource is a JSON object that has the following
   components:

   Resource Type
      Each resource (or JSON object) in SCIM has a resource type
      ("meta.resourceType") that defines the resource's core attribute
      schema and any attribute extension schema as well as the endpoint
      where objects of the same type may be found. More information
      about a resource MAY be found in its resourceType definition (see
      Section 6).

   Schemas Attribute
      The "schemas" attribute is a REQUIRED attribute that MUST be
      present and is an array of Strings containing URIs which are used
      to indicate the namespace of SCIM schema that defines the
      attributes present in the current JSON structure. It may be used
      by parsers to define the attributes present in the JSON structure
      that is the body to an HTTP Request or Response. Each String
      value must be a unique URI. All representations of SCIM schema
      MUST include a non-zero value array with value(s) of the URIs
      supported by that representation. The schemas attribute for a
      resource MUST only contain values defined as "schema" and
      "schemaExtensions" for the resource's "resourceType". Duplicate
      values MUST NOT be included. Value order is not specified and
      MUST NOT impact behavior.

   Common Attributes
      Are attributes that are part of every SCIM resource regardless of
      the value of the "schemas" attribute present in a JSON body.
      These attributes are not defined in any particular schema, but
      SHALL be assumed to be present in every resource regardless of the
      value of the "schemas" attribute. See Section 3.1.
   Core Attributes
      A resource's core attributes are those attributes that sit at the
      top level of the JSON object together with the common attributes
      (such as the resource "id"). The list of valid attributes is
      specified by the resource's resource type "schema" attribute (see
      Section 6). This same value is also present in the resource's
      "schemas" attribute.

   Extended Attributes
      Extended schema attributes are specified by the resource's
      resource type "schemaExtensions" attribute (see Section 6).
      Unlike core attributes, extended attributes are kept in their own
      sub-attribute namespace identified by the schema extension URI.
      This avoids attribute name conflicts that may arise due to
      conflicts from separate schema extensions.

   The following example "User" contains the common attributes "id",
   "externalId", and the complex attribute "meta" which contains the
   sub-attribute "resourceType". The resource also contains core
   attributes "userName", "name", as well as extended enterprise user
   attributes "employeeNumber" and "costCenter" which are contained in
   their own JSON sub-structure identified by their schema URI. Some
   values have been omitted (...), shortened or spaced out for clarity.

   {
     "schemas":
       [ "urn:ietf:params:scim:schemas:core:2.0:User",
         "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],

     "id": "2819c223-7f76-453a-413861904646",
     "externalId": "701984",

     "userName": "bjensen@example.com",
     "name": {
       "formatted": "Ms. Barbara J Jensen III",
       "familyName": "Jensen",
       "givenName": "Barbara",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     ...

     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
       "employeeNumber": "701984",
       "costCenter": "4130",
       ...
     },

     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff591\"",
       "location":
         "https://example.com/v2/Users/2819c223-7f76-453a-413861904646"
     }
   }

                 Figure 2: Example JSON Resource Structure

3.1.  Common Attributes

   Each SCIM resource (Users, Groups, etc.) includes the following
   common attributes. With the exception of "ServiceProviderConfig" and
   "ResourceType" server discovery endpoints and their associated
   resources, these attributes MUST be included in all resources,
   including any extended resource types. Common attributes are
   considered to be part of every base resource schema and do not use
   their own schemas URI and SHALL NOT be considered schema extensions.

   For backwards compatibility reasons, some existing schema MAY list
   common attributes as part of the schema. The attribute
   characteristics listed here SHALL take precedence.

   id
      A unique identifier for a SCIM resource as defined by the service
      provider. Each representation of the resource MUST include a non-
      empty "id" value. This identifier MUST be unique across the SCIM
      service provider's entire set of resources. It MUST be a stable,
      non-reassignable identifier that does not change when the same
      resource is returned in subsequent requests. The value of the
      "id" attribute is always issued by the service provider and MUST
      NOT be specified by the client. The string "bulkId" is a reserved
      keyword and MUST NOT be used within any unique identifier value.
      REQUIRED and has a mutability of "readOnly". See Section 9 for
      additional considerations regarding privacy.

   externalId
      A String that is an identifier for the resource as defined by the
      provisioning client. The "externalId" may simplify identification
      of a resource between the provisioning client and the service
      provider by allowing the client to use a filter to locate the
      resource with an identifier from the provisioning domain,
      obviating the need to store a local mapping between the
      provisioning domain's identifier of the resource and the
      identifier used by the service provider. Each resource MAY
      include a non-empty "externalId" value. The value of the
      "externalId" attribute is always issued by the provisioning client
      and MUST NOT be specified by the service provider. The service
      provider MUST always interpret the externalId as scoped to the
      client's tenant. While the server does not enforce uniqueness, it
      is assumed that the value's uniqueness is controlled by the client
      setting the value. See Section 9 for additional considerations
      regarding privacy.

   meta
      A complex attribute containing resource metadata. All sub-
      attributes are OPTIONAL and are asserted by the Service Provider:

      resourceType  The name of the resource type of the resource. This
         attribute has mutability of "readOnly".

      created  The DateTime the resource was added to the service
         provider. The attribute MUST be a DateTime. This attribute
         has mutability of "readOnly".

      lastModified  The most recent DateTime the details of this
         resource were updated at the service provider. If this
         resource has never been modified since its initial creation,
         the value MUST be the same as the value of created. The
         attribute MUST be a DateTime and has mutability of "readOnly".

      location  The URI of the resource being returned. This value MUST
         be the same as the Location HTTP response header. The
         attribute has mutability of "readOnly".

      version  The version of the resource being returned. This value
         must be the same as the ETag HTTP response header. The
         attribute has mutability of "readOnly".

3.2.  Defining New Resource Types

   SCIM may be extended to define new classes of resources by defining a
   resource type. Each resource type defines the name, endpoint, base
   schema (the attributes), and any schema extensions registered for use
   with the resource type. In order to offer new types of resources, a
   service provider defines the new resource type as specified in
   Section 6 and defines a schema representation (see Section 8.7).

3.3.  Attribute Extensions to Resources

   SCIM allows resource types to have extensions in addition to their
   core schema. This is similar to how "ObjectClasses" are used in LDAP.
   However, unlike LDAP there is no inheritance model; all extensions
   are additive (similar to LDAP Auxiliary Object Class [RFC4512]).
   Each "schemas" value indicates additive schema that may exist in a
   SCIM resource representation. The "schemas" attribute MUST contain
   at least one value which SHALL be the base schema for the resource.
   The "schemas" attribute MAY contain additional values indicating
   extended schemas that are in use. Schema extensions SHOULD avoid
   redefining any attributes defined in this specification and SHOULD
   follow conventions defined in this specification. Except for the
   base object schema, the schema extension URI SHALL be used as a JSON
   container to distinguish attributes belonging to the extension
   namespace from base schema attributes. See Figure 5 for an example
   JSON representation of an extended User.

   In order to determine which "schemas" URI value is the base schema
   and which is extended schema for any given resource, the resource's
   "resourceType" attribute value MAY be used to retrieve the resource's
   "ResourceType" schema (Section 6). See example "ResourceType"
   representation in Figure 8.

4.  SCIM Core Resources and Extensions

   This section defines the default resource schemas present in a SCIM
   server. SCIM is not exclusive to these resources, and may be
   extended to support other resource types (see Section 3.2).

4.1.  User Resource Schema

   SCIM provides a resource type for "User" resources. The core schema
   for "User" is identified using the URI:
   "urn:ietf:params:scim:schemas:core:2.0:User". The following
   attributes are defined in addition to the core schema attributes:

4.1.1.  Singular Attributes

   userName
      A service provider unique identifier for the user, typically used
      by the user to directly authenticate to the service provider.
      Often displayed to the user as their unique identifier within the
      system (as opposed to "id" or "externalId", which are generally
      opaque and not user-friendly identifiers). Each User MUST include
      a non-empty userName value. This identifier MUST be unique across
      the service provider's entire set of Users. RECOMMENDED.

   name
      The components of the user's real name. Service providers MAY
      return just the full name as a single string in the formatted sub-
      attribute, or they MAY return just the individual component
      attributes using the other sub-attributes, or they MAY return
      both. If both variants are returned, they SHOULD be describing
      the same name, with the formatted name indicating how the
      component attributes should be combined.

      formatted  The full name, including all middle names, titles, and
         suffixes as appropriate, formatted for display (e.g. "Ms.
         Barbara Jane Jensen, III.").

      familyName  The family name of the User, or last name in most
         Western languages (e.g. "Jensen" given the full name "Ms.
         Barbara Jane Jensen, III.").

      givenName  The given name of the User, or first name in most
         Western languages (e.g. "Barbara" given the full name "Ms.
         Barbara Jane Jensen, III.").

      middleName  The middle name(s) of the User (e.g. "Jane" given the
         full name "Ms. Barbara Jane Jensen, III.").

      honorificPrefix  The honorific prefix(es) of the User, or title in
         most Western languages (e.g. "Ms." given the full name "Ms.
         Barbara Jane Jensen, III.").

      honorificSuffix  The honorific suffix(es) of the User, or suffix
         in most Western languages (e.g. "III." given the full name
         "Ms. Barbara Jane Jensen, III.").

   displayName
      The name of the user, suitable for display to end-users. Each
      user returned MAY include a non-empty displayName value. The name
      SHOULD be the full name of the User being described if known (e.g.
      "Babs Jensen" or "Ms. Barbara J Jensen, III"), but MAY be a
      username or handle, if that is all that is available (e.g.
      "bjensen"). The value provided SHOULD be the primary textual
      label by which this User is normally displayed by the service
      provider when presenting it to end-users.

   nickName
      The casual way to address the user in real life, e.g. "Bob" or
      "Bobby" instead of "Robert". This attribute SHOULD NOT be used to
      represent a User's username (e.g. bjensen or mpepperidge).

   profileUrl
      A fully qualified URL to a page representing the user's online
      profile.

   title
      The user's title, such as "Vice President".

   userType
      Used to identify the organization to user relationship. Typical
      values used might be "Contractor", "Employee", "Intern", "Temp",
      "External", and "Unknown" but any value may be used.

   preferredLanguage
      Indicates the user's preferred written or spoken languages and is
      generally used for selecting a localized User interface. The
      value indicates the set of natural languages that are preferred.
      The format of the value is the same as the Accept-Language header
      field (not including "Accept-Language:") of HTTP and is specified
      in Section 5.3.5 of [RFC7231]. The intent of this value is to
      enable cloud applications to perform matching of language tags
      [RFC4647] to the user's language preferences regardless of what
      may be indicated by a user agent (which might be shared), or in a
      non-user present interaction (such as in a delegated OAuth2
      [RFC6749] style interaction) where normal HTTP Accept-Language
      header negotiation cannot take place.

   locale
      Used to indicate the User's default location for purposes of
      localizing items such as currency, date time format, numerical
      representations, etc. A valid value is a language tag as defined
      in [RFC5646]. Computer languages are explicitly excluded.

      A language tag is a sequence of one or more case-insensitive sub-
      tags, each separated by a hyphen character ("-", %x2D). For
      backwards compatibility reasons, servers MAY accept tags separated
      by an underscore character ("_", %5F). In most cases, a language
      tag consists of a primary language sub-tag that identifies a broad
      family of related languages (e.g., "en" = English) which is
      optionally followed by a series of sub-tags that refine or narrow
      that language's range (e.g., "en-CA" = the variety of English as
      communicated in Canada). Whitespace is not allowed within a
      language tag. Example tags include:

         fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN

      See [RFC5646] for further information.

   timezone
      The User's time zone in IANA Time Zone database format [RFC6557],
      also known as "Olson" timezone database format [Olson-TZ]; for
      example: "America/Los_Angeles".

   active
      A Boolean value indicating the user's administrative status. The
      definitive meaning of this attribute is determined by the service
      provider. As a typical example, a value of true implies the user
      is able to login while a value of false implies the user's account
      has been suspended.

   password
      The user's clear text password. This attribute is intended to be
      used as a means to specify an initial password when creating a new
      User or to reset an existing User's password. Password policies
      and the ability to update or set passwords are out of scope of
      this document. The mutability of this attribute is "writeOnly"
      indicating the value MUST NOT be returned by a service provider in
      any form.

4.1.2.  Multi-valued Attributes

   The following multi-valued attributes are defined.

   emails
      E-mail addresses for the User. The value SHOULD be specified
      according to [RFC5321]. Service providers SHOULD canonicalize the
      value according to [RFC5321], e.g. "bjensen@example.com" instead
      of "bjensen@EXAMPLE.COM". The "display" sub-attribute MAY be used
      to return the canonicalized representation of the e-mail value.
      Canonical type values are "work", "home", and "other".

   phoneNumbers
      Phone numbers for the user. The value SHOULD be specified
      according to the format in [RFC3966] e.g. 'tel:+1-201-555-0123'.
      Service providers SHOULD canonicalize the value according to
      [RFC3966] format, when appropriate. The "display" sub-attribute
      MAY be used to return the canonicalized representation of the
      phone number value. Canonical type values are "work", "home",
      "mobile", "fax", "pager", and "other".

   ims
      Instant messaging address for the user. No official
      canonicalization rules exist for all instant messaging addresses,
      but service providers SHOULD, when appropriate, remove all
      whitespace and convert the address to lowercase. Instead of the
      standard canonical values for type, this attribute defines the
      following canonical values to represent currently popular IM
      services: "aim", "gtalk", "icq", "xmpp", "msn", "skype", "qq",
      "yahoo", and "other".

   photos
      URL of a photo of the User. The value SHOULD be a canonicalized
      URL, and MUST point to an image file (e.g.
a GIF, JPEG, or PNG 769 image file) rather than to a web page containing an image. 770 Service providers MAY return the same image at different sizes, 771 though it is recognized that no standard for describing images of 772 various sizes currently exists. Note that this attribute SHOULD 773 NOT be used to send down arbitrary photos taken by this user, but 774 specifically profile photos of the user suitable for display when 775 describing the user. Instead of the standard canonical values for 776 type, this attribute defines the following canonical values to 777 represent popular photo sizes: "photo", "thumbnail". 779 addresses 780 A physical mailing address for this user. Canonical type values 781 of "work", "home", and "other". The value attribute is a complex 782 type with the following sub-attributes. All sub-attributes are 783 OPTIONAL. 785 formatted The full mailing address, formatted for display or use 786 with a mailing label. This attribute MAY contain newlines. 788 streetAddress The full street address component, which may 789 include house number, street name, P.O. box, and multi-line 790 extended street address information. This attribute MAY 791 contain newlines. 793 locality The city or locality component. 795 region The state or region component. 797 postalCode The zipcode or postal code component. 799 country The country name component. When specified the value 800 MUST be in ISO 3166-1 alpha 2 "short" code format [ISO3166] ; 801 e.g., the United States and Sweden are "US" and "SE", 802 respectively. 804 groups 805 A list of groups that the user belongs to, either thorough direct 806 membership, nested groups, or dynamically calculated. The values 807 are meant to enable expression of common group or role based 808 access control models, although no explicit authorization model is 809 defined. 
It is intended that the semantics of group membership 810 and any behavior or authorization granted as a result of 811 membership are defined by the service provider. The canonical 812 types "direct" and "indirect" are defined to describe how the 813 group membership was derived. Direct group membership indicates 814 the user is directly associated with the group and SHOULD indicate 815 that clients may modify membership through the "Group" resource. 816 Indirect membership indicates user membership is transitive or 817 dynamic and implies that clients cannot modify indirect group 818 membership through the "Group" resource but MAY modify direct 819 group membership through the "Group" resource which MAY influence 820 indirect memberships. If the SCIM service provider exposes a 821 Group resource, the "value" sub-attribute MUST be the "id" and the 822 "$ref" sub-attribute must be the URI of the corresponding "Group" 823 resources to which the user belongs. Since this attribute has a 824 mutability of "readOnly", group membership changes MUST be applied 825 via the Group Resource (Section 4.2). The attribute has a 826 mutability of "readOnly". 828 entitlements 829 A list of entitlements for the user that represent a thing the 830 user has. An entitlement MAY be an additional right to a thing, 831 object, or service. No vocabulary or syntax is specified and 832 service providers and clients are expected to encode sufficient 833 information in the value so as to accurately and without ambiguity 834 determine what the user has access to. This value has NO 835 canonical types though type may be useful as a means to scope 836 entitlements. 838 roles 839 A list of roles for the user that collectively represent who the 840 user is; e.g., "Student, Faculty". No vocabulary or syntax is 841 specified though it is expected that a role value is a String or 842 label representing a collection of entitlements. This value has 843 NO canonical types. 
845 x509Certificates 846 A list of certificates issued to the User. Values are Binary 847 (Section 2.1.6) and DER encoded x509. This value has NO canonical 848 types. 850 4.2. Group Resource Schema 852 SCIM provides a schema for representing groups, identified using the 853 following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group". 855 Group resources are meant to enable expression of common group or 856 role based access control models, although no explicit authorization 857 model is defined. It is intended that the semantics of group 858 membership and any behavior or authorization granted as a result of 859 membership are defined by the service provider are considered out of 860 scope for this specification. 862 The following singular attribute is defined in addition to the common 863 attributes defined in SCIM core schema: 865 displayName 866 A human readable name for the Group. REQUIRED. 868 The following multi-valued attribute is defined in addition to the 869 common attributes defined in SCIM Core Schema: 871 members 872 A list of members of the Group. While values MAY be added or 873 removed, sub-attributes of members are "immutable". The "value" 874 sub-attribute must be the "id" and the "$ref" sub-attribute must 875 be the URI of a SCIM resource, either a "User", or a "Group". The 876 intention of the "Group" type is to allow the service provider to 877 support nested groups. Service providers MAY require clients to 878 provide a non-empty members value based on the "required" sub 879 attribute of the "members" attribute in the "Group" resource 880 schema. 882 4.3. Enterprise User Schema Extension 884 The following SCIM extension defines attributes commonly used in 885 representing users that belong to, or act on behalf of a business or 886 enterprise. The enterprise user extension is identified using the 887 following schema URI: 888 "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User". 
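   Before the enterprise attributes are listed, here is an added example
   (not part of the draft) that applies the Section 4.1 "User" rules to
   an incoming resource before it is stored: the non-empty userName
   requirement, e-mail, IM and locale canonicalization, the ISO 3166-1
   alpha-2 country check, and the "readOnly" mutability of "groups".
   Function names and the sample resource are this example's own.

```python
"""Added example, not part of the SCIM draft: apply the Section 4.1 User
schema rules to an incoming User resource (e.g. the body of a POST /Users)
before it is stored.  Function and variable names are this example's own.
"""
import re
from copy import deepcopy

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# ISO 3166-1 alpha-2 "short" codes are two upper-case letters.  A production
# check would also consult the actual ISO list; the shape test is enough here.
ALPHA2_RE = re.compile(r"^[A-Z]{2}$")

# RFC 5646 tag shape: alphanumeric sub-tags (1-8 chars) joined by "-".
# Whitespace is rejected because the draft forbids it inside a tag.
LANG_TAG_RE = re.compile(r"^[A-Za-z0-9]{1,8}(?:-[A-Za-z0-9]{1,8})*$")


def canonical_email(value: str) -> str:
    """Lower-case the domain part ("bjensen@EXAMPLE.COM" -> "bjensen@example.com").
    The local part is left alone: RFC 5321 treats it as case sensitive."""
    local, sep, domain = value.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {value!r}")
    return f"{local}@{domain.lower()}"


def canonical_im(value: str) -> str:
    """Section 4.1.2 "ims": remove all whitespace and convert to lowercase."""
    return re.sub(r"\s+", "", value).lower()


def canonical_language_tag(value: str) -> str:
    """Section 4.1.1 "locale": accept "_" as a legacy separator, reject
    whitespace or malformed sub-tags, and emit the hyphenated form."""
    tag = value.replace("_", "-")
    if not LANG_TAG_RE.match(tag):
        raise ValueError(f"invalid language tag: {value!r}")
    return tag


def validate_user(user: dict) -> tuple[dict, list[str]]:
    """Return (canonicalized copy, list of rule violations).

    An empty violation list means the resource may be stored.  Read-only
    attributes supplied by the client are dropped rather than rejected.
    """
    out = deepcopy(user)
    errors: list[str] = []

    if USER_SCHEMA not in out.get("schemas", []):
        errors.append("schemas MUST contain the core User schema URI")

    # userName MUST be present and non-empty.  Uniqueness across the
    # provider's Users is a storage-layer check and is not done here.
    if not str(out.get("userName") or "").strip():
        errors.append("userName MUST be a non-empty value")

    for item in out.get("emails", []):
        try:
            item["value"] = canonical_email(item["value"])
            item.setdefault("display", item["value"])  # "display" MAY carry the canonical form
        except (KeyError, ValueError, AttributeError) as exc:
            errors.append(f"emails: {exc}")

    for item in out.get("ims", []):
        if isinstance(item.get("value"), str):
            item["value"] = canonical_im(item["value"])

    if "locale" in out:
        try:
            out["locale"] = canonical_language_tag(out["locale"])
        except ValueError as exc:
            errors.append(f"locale: {exc}")

    for addr in out.get("addresses", []):
        country = addr.get("country")
        if country is not None and not ALPHA2_RE.match(country):
            # Note: the draft's own Figure 4 uses "USA", which fails this
            # rule; "US" is the conformant value.
            errors.append("addresses.country MUST be ISO 3166-1 alpha-2, "
                          f"got {country!r}")

    # "groups" has mutability "readOnly": membership is managed through the
    # Group resource, so a client-supplied value is ignored, not honoured.
    out.pop("groups", None)
    return out, errors


# Constructed sample request body; values modelled on the draft's figures.
SAMPLE_USER = {
    "schemas": [USER_SCHEMA],
    "userName": "bjensen@example.com",
    "emails": [{"value": "bjensen@EXAMPLE.COM", "type": "work"}],
    "ims": [{"value": " Some AIM Handle ", "type": "aim"}],
    "locale": "en_US",
    "addresses": [{"country": "USA", "type": "work"}],
    "groups": [{"value": "e9e30dba-f08f-4109-8486-d5c6a331660a"}],
}

if __name__ == "__main__":
    canonical, problems = validate_user(SAMPLE_USER)
    print(canonical)
    print(problems)
```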
   The following Singular Attributes are defined:

   employeeNumber
      Numeric or alphanumeric identifier assigned to a person, typically
      based on order of hire or association with an organization.

   costCenter
      Identifies the name of a cost center.

   organization
      Identifies the name of an organization.

   division
      Identifies the name of a division.

   department
      Identifies the name of a department.

   manager
      The user's manager.  A complex type that optionally allows service
      providers to represent organizational hierarchy by referencing the
      "id" attribute of another User.

      value  The "id" of the SCIM resource representing the user's
         manager.  RECOMMENDED.

      $ref  The URI of the SCIM resource representing the User's
         manager.  RECOMMENDED.

      displayName  The displayName of the user's manager.  This
         attribute is OPTIONAL and mutability is "readOnly".

5.  Service Provider Configuration Schema

   SCIM provides a schema for representing the service provider's
   configuration, identified using the following schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"

   The service provider configuration resource enables discovery of the
   SCIM specification features a service provider supports, in a
   standardized form, as well as providing additional implementation
   details to clients.  All attributes are READ-ONLY (a mutability of
   "readOnly").  Unlike other core resources, the "id" attribute is not
   required for the service provider configuration resource.

   The following Singular Attributes are defined in addition to the
   common attributes defined in Core Schema:

   documentationUrl
      An HTTP addressable URL pointing to the service provider's human
      consumable help documentation.

   patch
      A complex type that specifies PATCH configuration options.
      REQUIRED.

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

   bulk
      A complex type that specifies BULK configuration options.
      REQUIRED.

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

      maxOperations  An integer value specifying the maximum number of
         operations.  REQUIRED.

      maxPayloadSize  An integer value specifying the maximum payload
         size in bytes.  REQUIRED.

   filter
      A complex type that specifies FILTER options.  REQUIRED.

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

      maxResults  Integer value specifying the maximum number of
         resources returned in a response.  REQUIRED.

   changePassword
      A complex type that specifies Change Password configuration
      options.  REQUIRED.

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

   sort
      A complex type that specifies Sort configuration options.
      REQUIRED.

      supported  Boolean value specifying whether sorting is supported.
         REQUIRED.

   etag
      A complex type that specifies Etag configuration options.
      REQUIRED.

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

   The following multi-valued attribute is defined in addition to the
   common attributes defined in core schema:

   authenticationSchemes
      A complex type that specifies supported Authentication Scheme
      properties.  This attribute defines the following canonical values
      to represent common schemes: "oauth", "oauth2",
      "oauthbearertoken", "httpbasic", and "httpdigest".  To enable
      seamless discovery of configuration, the service provider SHOULD,
      with the appropriate security considerations, make the
      authenticationSchemes attribute publicly accessible without prior
      authentication.  REQUIRED.

      name  The common authentication scheme name; e.g., HTTP Basic.
         REQUIRED.

      description  A description of the Authentication Scheme.
         REQUIRED.

      specUrl  An HTTP addressable URL pointing to the Authentication
         Scheme's specification.  OPTIONAL.

      documentationUrl  An HTTP addressable URL pointing to the
         Authentication Scheme's usage documentation.  OPTIONAL.

6.  ResourceType Schema

   The "ResourceType" schema specifies the meta-data about a resource
   type.  Resource type resources are READ-ONLY and identified using the
   following schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:ResourceType".  Unlike other
   core resources, all attributes are REQUIRED unless otherwise
   specified.  The "id" attribute is not required for the resource type
   resource.

   The following Singular Attributes are defined:

   id
      The resource type's server unique id.  Often this is the same
      value as the "name" attribute.  OPTIONAL.

   name
      The resource type name.  When applicable, service providers MUST
      specify the name specified in the core schema specification; e.g.,
      "User" or "Group".  This name is referenced by the
      "meta.resourceType" attribute in all resources.

   description
      The resource type's human readable description.  When applicable,
      service providers MUST specify the description specified in the
      core schema specification.

   endpoint
      The resource type's HTTP addressable endpoint relative to the Base
      URL; e.g., "/Users".

   schema
      The resource type's primary/base schema URI; e.g.,
      "urn:ietf:params:scim:schemas:core:2.0:User".  This MUST be equal
      to the "id" attribute of the associated "Schema" resource.

   schemaExtensions
      A list of URIs of the resource type's schema extensions.
      OPTIONAL.

      schema  The URI of an extended schema; e.g., "urn:edu:2.0:Staff".
         This MUST be equal to the "id" attribute of a "Schema"
         resource.  REQUIRED.

      required  A Boolean value that specifies whether the schema
         extension is required for the resource type.  If true, a
         resource of this type MUST include this schema extension and
         include any attributes declared as required in this schema
         extension.  If false, a resource of this type MAY omit this
         schema extension.  REQUIRED.

7.  Schema Definition

   This section defines a way to specify the schema in use by resources
   available and accepted by a SCIM service provider.  For each
   "schemas" URI value, this schema specifies the defined attribute(s)
   and their characteristics (mutability, returnability, etc.).  For
   every schema URI used in a resource object, there is a corresponding
   "Schema" resource.  "Schema" resources have mutability of "readOnly"
   and are identified using the following schema URI:

      urn:ietf:params:scim:schemas:core:2.0:Schema

   Unlike other core resources, the "Schema" resource MAY contain a
   complex object within a sub-attribute, and all attributes are
   REQUIRED unless otherwise specified.

   The following Singular Attributes are defined:

   id
      The unique URI of the schema.  When applicable, service providers
      MUST specify the URI specified in the core schema specification;
      e.g., "urn:ietf:params:scim:schemas:core:2.0:User".  Unlike most
      other schemas, which use some sort of a GUID for the "id", the
      schema "id" is a URI so that it can be registered and is portable
      between different service providers and clients.

   name
      The schema's human readable name.  When applicable, service
      providers MUST specify the name specified in the core schema
      specification; e.g., "User" or "Group".  OPTIONAL.

   description
      The schema's human readable description.  When applicable, service
      providers MUST specify the description specified in the core
      schema specification.  OPTIONAL.
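   The "attributes" definitions that follow assign each attribute a
   "mutability" and a "returned" keyword.  As an added example (not part
   of the draft), the code below shows how a service provider can apply
   those keywords, together with the "attributes" query parameter, when
   deciding which stored values go into a response; "writeOnly" values
   such as "password" are never echoed, whatever the client asks for.
   The attribute definitions are a constructed fragment in the shape of
   a Schema resource's "attributes" list, and the function names are
   this example's own.

```python
"""Added example, not part of the SCIM draft: build a response from a stored
resource by applying the per-attribute "mutability" and "returned"
characteristics of Section 7.  USER_ATTRIBUTES is a constructed fragment in
the shape of a Schema resource's "attributes" list; names are this example's.
"""
from copy import deepcopy

# Constructed definitions for a subset of the User schema.  Omitted keys take
# the draft's defaults: mutability "readWrite", returned "default".
USER_ATTRIBUTES = [
    {"name": "schemas", "mutability": "readOnly", "returned": "always"},
    {"name": "id", "mutability": "readOnly", "returned": "always"},
    {"name": "meta", "mutability": "readOnly"},
    {"name": "userName"},
    {"name": "displayName"},
    {"name": "password", "mutability": "writeOnly", "returned": "never"},
    {"name": "groups", "mutability": "readOnly", "multiValued": True},
    {"name": "x509Certificates", "returned": "request", "multiValued": True},
]

MODIFYING_OPERATIONS = {"PUT", "POST", "PATCH"}


def is_returned(defn, operation, requested, modified):
    """Decide whether one attribute appears in the response.

    requested: lower-cased names from the "attributes" parameter, or None
               when the parameter was absent.
    modified:  lower-cased names the client supplied in a PUT/POST/PATCH.
    """
    name = defn["name"].lower()  # SCIM attribute names are case insensitive
    # "writeOnly" wins over any "returned" value: the value SHALL NOT be returned.
    if defn.get("mutability", "readWrite") == "writeOnly":
        return False
    returned = defn.get("returned", "default")
    if returned == "always":
        return True
    if returned == "never":
        return False
    if returned == "default":
        return requested is None or name in requested
    if returned == "request":
        if operation in MODIFYING_OPERATIONS:
            return name in modified
        return requested is not None and name in requested
    raise ValueError(f"unknown 'returned' keyword {returned!r} for {defn['name']}")


def project(resource, definitions, operation="GET", requested=None, modified=()):
    """Return the subset of ``resource`` a service provider may send back.

    Attributes the schema does not describe are dropped rather than echoed.
    """
    op = operation.upper()
    req = None if requested is None else {r.lower() for r in requested}
    mod = {m.lower() for m in modified}
    by_name = {d["name"].lower(): d for d in definitions}
    out = {}
    for key, value in resource.items():
        defn = by_name.get(key.lower())
        if defn is not None and is_returned(defn, op, req, mod):
            out[key] = deepcopy(value)
    return out


# Constructed stored resource; values modelled on the draft's Figure 4.
STORED_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen@example.com",
    "displayName": "Babs Jensen",
    "password": "(hashed value, constructed)",
    "groups": [{"value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
                "display": "Tour Guides"}],
    "x509Certificates": [{"value": "MIIDQzCC...(constructed, truncated)"}],
    "favoriteColor": "blue",  # not in the schema: must never be echoed
    "meta": {"resourceType": "User"},
}

if __name__ == "__main__":
    print(sorted(project(STORED_USER, USER_ATTRIBUTES)))
    print(sorted(project(STORED_USER, USER_ATTRIBUTES, "GET",
                         requested=["userName", "password", "x509Certificates"])))
```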
1104 The following multi-valued attribute is defined: 1106 attributes 1107 A complex type with the following set of sub-attributes that 1108 defines service provider attributes and their qualities: 1110 name The attribute's name. 1112 type The attribute's data type. Valid values are: "string", 1113 "complex", and "boolean". When an attribute is of type 1114 "complex", there SHOULD be a corresponding schema attribute 1115 "subAttributes" defined listing the sub-attribtues of the 1116 attribute. 1118 subAttributes When an attribute is of type "complex", 1119 "subAttributes" defines set of sub-attributes. "subAttributes" 1120 has the same schema sub-attributes as "attributes". 1122 multiValued Boolean value indicating the attribute's plurality. 1124 description The attribute's human readable description. When 1125 applicable service providers MUST specify the description 1126 specified in the core schema specification. 1128 required A Boolean value that specifies if the attribute is 1129 required. 1131 canonicalValues A collection of canonical values. When 1132 applicable service providers MUST specify the canonical types 1133 specified in the core schema specification; e.g., "work", 1134 "home". OPTIONAL. 1136 caseExact A Boolean value that specifies if the String attribute 1137 is case sensitive. The server SHALL use case sensitivity when 1138 evaluating filters. For attributes that are case exact, the 1139 server SHALL preserve case for any value submitted. If the 1140 attribute is case insensitive, the server MAY alter case for a 1141 submitted value. 1143 mutability A single keyword indicating what types of 1144 modifications an attribute MAY accept as follows: 1146 readOnly The attribute SHALL NOT be modified. 1148 readWrite The attribute MAY be updated and read at any time. 1149 DEFAULT. 1151 immutable The attribute MAY be defined at resource creation 1152 (e.g. POST) or at record replacement via request (e.g. a 1153 PUT). The attribute SHALL NOT be updated. 
1155 writeOnly The attribute MAY be updated at any time. Attribute 1156 values SHALL NOT be returned (e.g. because the value is a 1157 stored hash). Note: an attribute with mutability of 1158 "writeOnly" usually also has a returned setting of "never". 1160 returned A single keyword that indicates when an attribute and 1161 associated values are returned in response to a GET request or 1162 in response to a PUT, POST, or PATCH request. Valid keywords 1163 are: 1165 always The attribute is always returned regardless of the 1166 contents of the "attributes" parameter. For example, "id" 1167 is always returned to identify a SCIM resource. 1169 never The attribute is never returned. This may occur because 1170 the original attribute value is not retained by the service 1171 provider (e.g. such as with a hashed value). A service 1172 provider MAY allow attributes to be used in a search filter. 1174 default The attribute is returned by default in all SCIM 1175 operation responses where attribute values are returned. If 1176 the GET request "attributes" parameter is specified, 1177 attribute values are only returned if the attribute is named 1178 in the attributes parameter. DEFAULT. 1180 request The attribute is returned in response to any PUT, 1181 POST, or PATCH operations if the attribute was specified by 1182 the client (for example, the attribute was modified). The 1183 attribute is returned in a SCIM query operation only if 1184 specified in the "attributes" parameter. 1186 uniqueness A single keyword value that specifies how the service 1187 provider enforces uniqueness of attribute values. A server MAY 1188 reject an invalid value based on uniqueness by returning HTTP 1189 Response code 400 (Bad Request). A client MAY enforce 1190 uniqueness on the client-side to a greater degree than the 1191 service provider enforces. For example, a client could make a 1192 value unique while the server has uniqueness of "none". 
Valid 1193 keywords are: 1195 none The values are not intended to be unique in any way. 1196 DEFAULT. 1198 server The value SHOULD be unique within the context of the 1199 current SCIM endpoint (or tenancy) and MAY be globally 1200 unique (e.g. a "username", email address, or other server 1201 generated key or counter). No two resources on the same 1202 server SHOULD possess the same value. 1204 global The value SHOULD be globally unique (e.g. an email 1205 address, a GUID, or other value). No two resources on any 1206 server SHOULD possess the same value. 1208 referenceTypes The names of the resource types that may be 1209 referenced; e.g., "User". This is only applicable for 1210 attributes that are of the "reference" Section 2.1.7 data type. 1212 8. JSON Representation 1214 8.1. Minimal User Representation 1216 The following is a non-normative example of the minimal required SCIM 1217 representation in JSON format. 1219 { 1220 "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], 1221 "id": "2819c223-7f76-453a-919d-413861904646", 1222 "userName": "bjensen@example.com", 1223 "meta": { 1224 "resourceType": "User", 1225 "created": "2010-01-23T04:56:22Z", 1226 "lastModified": "2011-05-13T04:42:34Z", 1227 "version": "W\/\"3694e05e9dff590\"", 1228 "location": 1229 "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646" 1230 } 1231 } 1233 Figure 3: Example Minimal User JSON Representation 1235 8.2. Full User Representation 1237 The following is a non-normative example of the fully populated SCIM 1238 representation in JSON format. 1240 { 1241 "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], 1242 "id": "2819c223-7f76-453a-919d-413861904646", 1243 "externalId": "701984", 1244 "userName": "bjensen@example.com", 1245 "name": { 1246 "formatted": "Ms. 
Barbara J Jensen III", 1247 "familyName": "Jensen", 1248 "givenName": "Barbara", 1249 "middleName": "Jane", 1250 "honorificPrefix": "Ms.", 1251 "honorificSuffix": "III" 1252 }, 1253 "displayName": "Babs Jensen", 1254 "nickName": "Babs", 1255 "profileUrl": "https://login.example.com/bjensen", 1256 "emails": [ 1257 { 1258 "value": "bjensen@example.com", 1259 "type": "work", 1260 "primary": true 1261 }, 1262 { 1263 "value": "babs@jensen.org", 1264 "type": "home" 1265 } 1266 ], 1267 "addresses": [ 1268 { 1269 "type": "work", 1270 "streetAddress": "100 Universal City Plaza", 1271 "locality": "Hollywood", 1272 "region": "CA", 1273 "postalCode": "91608", 1274 "country": "USA", 1275 "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA", 1276 "primary": true 1277 }, 1278 { 1279 "type": "home", 1280 "streetAddress": "456 Hollywood Blvd", 1281 "locality": "Hollywood", 1282 "region": "CA", 1283 "postalCode": "91608", 1284 "country": "USA", 1285 "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA" 1286 } 1287 ], 1288 "phoneNumbers": [ 1289 { 1290 "value": "555-555-5555", 1291 "type": "work" 1292 }, 1293 { 1294 "value": "555-555-4444", 1295 "type": "mobile" 1296 } 1297 ], 1298 "ims": [ 1299 { 1300 "value": "someaimhandle", 1301 "type": "aim" 1302 } 1303 ], 1304 "photos": [ 1305 { 1306 "value": 1307 "https://photos.example.com/profilephoto/72930000000Ccne/F", 1308 "type": "photo" 1309 }, 1310 { 1311 "value": 1312 "https://photos.example.com/profilephoto/72930000000Ccne/T", 1313 "type": "thumbnail" 1314 } 1315 ], 1316 "userType": "Employee", 1317 "title": "Tour Guide", 1318 "preferredLanguage":"en-US", 1319 "locale": "en-US", 1320 "timezone": "America/Los_Angeles", 1321 "active":true, 1322 "password":"t1meMa$heen", 1323 "groups": [ 1324 { 1325 "value": "e9e30dba-f08f-4109-8486-d5c6a331660a", 1326 "$ref": 1327 "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a", 1328 "display": "Tour Guides" 1329 }, 1330 { 1331 "value": 
"fc348aa8-3835-40eb-a20b-c726e15c55b5", 1332 "$ref": 1333 "https://example.com/v2/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5", 1334 "display": "Employees" 1335 }, 1336 { 1337 "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7", 1338 "$ref": 1339 "https://example.com/v2/Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7", 1340 "display": "US Employees" 1341 } 1342 ], 1343 "x509Certificates": [ 1344 { 1345 "value": 1346 "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx 1347 EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD 1348 VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa 1349 MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl 1350 eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw 1351 IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B 1352 AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc 1353 1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i 1354 PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ 1355 zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3 1356 DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr 1357 SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV 1358 HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp 1359 Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU 1360 dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt 1361 Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R 1362 C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1 1363 +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo=" 1364 } 1365 ], 1366 "meta": { 1367 "resourceType": "User", 1368 "created": "2010-01-23T04:56:22Z", 1369 "lastModified": "2011-05-13T04:42:34Z", 1370 "version": "W\/\"a330bc54f0671c9\"", 1371 "location": 1372 "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646" 1373 } 1374 } 1376 Figure 4: Example Full User JSON Representation 1378 8.3. 
Enterprise User Extension Representation 1380 The following is a non-normative example of the fully populated User 1381 using the enterprise User extension in JSON format. 1383 { 1384 "schemas": 1385 [ "urn:ietf:params:scim:schemas:core:2.0:User", 1386 "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"], 1387 "id": "2819c223-7f76-453a-919d-413861904646", 1388 "externalId": "701984", 1389 "userName": "bjensen@example.com", 1390 "name": { 1391 "formatted": "Ms. Barbara J Jensen III", 1392 "familyName": "Jensen", 1393 "givenName": "Barbara", 1394 "middleName": "Jane", 1395 "honorificPrefix": "Ms.", 1396 "honorificSuffix": "III" 1397 }, 1398 "displayName": "Babs Jensen", 1399 "nickName": "Babs", 1400 "profileUrl": "https://login.example.com/bjensen", 1401 "emails": [ 1402 { 1403 "value": "bjensen@example.com", 1404 "type": "work", 1405 "primary": true 1406 }, 1407 { 1408 "value": "babs@jensen.org", 1409 "type": "home" 1410 } 1411 ], 1412 "addresses": [ 1413 { 1414 "streetAddress": "100 Universal City Plaza", 1415 "locality": "Hollywood", 1416 "region": "CA", 1417 "postalCode": "91608", 1418 "country": "USA", 1419 "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA", 1420 "type": "work", 1421 "primary": true 1422 }, 1423 { 1424 "streetAddress": "456 Hollywood Blvd", 1425 "locality": "Hollywood", 1426 "region": "CA", 1427 "postalCode": "91608", 1428 "country": "USA", 1429 "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA", 1430 "type": "home" 1431 } 1432 ], 1433 "phoneNumbers": [ 1434 { 1435 "value": "555-555-5555", 1436 "type": "work" 1437 }, 1438 { 1439 "value": "555-555-4444", 1440 "type": "mobile" 1441 } 1442 ], 1443 "ims": [ 1444 { 1445 "value": "someaimhandle", 1446 "type": "aim" 1447 } 1449 ], 1450 "photos": [ 1451 { 1452 "value": 1453 "https://photos.example.com/profilephoto/72930000000Ccne/F", 1454 "type": "photo" 1455 }, 1456 { 1457 "value": 1458 "https://photos.example.com/profilephoto/72930000000Ccne/T", 1459 "type": "thumbnail" 
1460 } 1461 ], 1462 "userType": "Employee", 1463 "title": "Tour Guide", 1464 "preferredLanguage":"en-US", 1465 "locale": "en-US", 1466 "timezone": "America/Los_Angeles", 1467 "active":true, 1468 "password":"t1meMa$heen", 1469 "groups": [ 1470 { 1471 "value": "e9e30dba-f08f-4109-8486-d5c6a331660a", 1472 "$ref": "/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a", 1473 "display": "Tour Guides" 1474 }, 1475 { 1476 "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5", 1477 "$ref": "/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5", 1478 "display": "Employees" 1479 }, 1480 { 1481 "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7", 1482 "$ref": "/Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7", 1483 "display": "US Employees" 1484 } 1485 ], 1486 "x509Certificates": [ 1487 { 1488 "value": 1489 "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx 1490 EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD 1491 VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa 1492 MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl 1493 eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw 1494 IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B 1495 AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc 1496 1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i 1497 PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ 1498 zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3 1499 DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr 1500 SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV 1501 HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp 1502 Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU 1503 dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt 1504 Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R 1505 C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1 1506 
+GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo=" 1507 } 1508 ], 1509 "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { 1510 "employeeNumber": "701984", 1511 "costCenter": "4130", 1512 "organization": "Universal Studios", 1513 "division": "Theme Park", 1514 "department": "Tour Operations", 1515 "manager": [{ 1516 "value": "26118915-6090-4610-87e4-49d8ca9f808d", 1517 "$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d", 1518 "displayName": "John Smith" 1519 }] 1520 }, 1521 "meta": { 1522 "resourceType": "User", 1523 "created": "2010-01-23T04:56:22Z", 1524 "lastModified": "2011-05-13T04:42:34Z", 1525 "version": "W\/\"3694e05e9dff591\"", 1526 "location": 1527 "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646" 1528 } 1529 } 1531 Figure 5: Example Enterprise User JSON Representation 1533 8.4. Group Representation 1535 The following is a non-normative example of SCIM Group representation 1536 in JSON format. 1538 { 1539 "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], 1540 "id": "e9e30dba-f08f-4109-8486-d5c6a331660a", 1541 "displayName": "Tour Guides", 1542 "members": [ 1543 { 1544 "value": "2819c223-7f76-453a-919d-413861904646", 1545 "$ref": 1546 "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646", 1547 "display": "Babs Jensen" 1548 }, 1549 { 1550 "value": "902c246b-6245-4190-8e05-00816be7344a", 1551 "$ref": 1552 "https://example.com/v2/Users/902c246b-6245-4190-8e05-00816be7344a", 1553 "display": "Mandy Pepperidge" 1554 } 1555 ], 1556 "meta": { 1557 "resourceType": "Group", 1558 "created": "2010-01-23T04:56:22Z", 1559 "lastModified": "2011-05-13T04:42:34Z", 1560 "version": "W\/\"3694e05e9dff592\"", 1561 "location": 1562 "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a" 1563 } 1564 } 1566 Figure 6: Example Group JSON Representation 1568 8.5. Service Provider Configuration Representation 1570 The following is a non-normative example of the SCIM service provider 1571 configuration representation in JSON format. 
   {
     "schemas": [
       "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
     ],
     "documentationUrl":"http://example.com/help/scim.html",
     "patch": {
       "supported":true
     },
     "bulk": {
       "supported":true,
       "maxOperations":1000,
       "maxPayloadSize":1048576
     },
     "filter": {
       "supported":true,
       "maxResults": 200
     },
     "changePassword" : {
       "supported":true
     },
     "sort": {
       "supported":true
     },
     "etag": {
       "supported":true
     },
     "authenticationSchemes": [
       {
         "name": "OAuth Bearer Token",
         "description":
           "Authentication Scheme using the OAuth Bearer Token Standard",
         "specUrl":
           "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
         "documentationUrl":"http://example.com/help/oauth.html",
         "type":"oauthbearertoken",
         "primary": true
       },
       {
         "name": "HTTP Basic",
         "description":
           "Authentication Scheme using the Http Basic Standard",
         "specUrl":"http://www.ietf.org/rfc/rfc2617.txt",
         "documentationUrl":"http://example.com/help/httpBasic.html",
         "type":"httpbasic"
       }
     ],
     "meta": {
       "location":"https://example.com/v2/ServiceProviderConfig",
       "resourceType": "ServiceProviderConfig",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff594\""
     }
   }

        Figure 7: Example Service Provider Config JSON Representation

8.6.  Resource Type Representation

   The following is a non-normative example of the SCIM resource types
   in JSON format.
   [{
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
     "id":"User",
     "name":"User",
     "endpoint": "/Users",
     "description": "User Account",
     "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
     "schemaExtensions": [
       {
         "schema":
           "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
         "required": true
       }
     ],
     "meta": {
       "location":"https://example.com/v2/ResourceTypes/User",
       "resourceType": "ResourceType"
     }
   },
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
     "id":"Group",
     "name":"Group",
     "endpoint": "/Groups",
     "description": "Group",
     "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
     "meta": {
       "location":"https://example.com/v2/ResourceTypes/Group",
       "resourceType": "ResourceType"
     }
   }]

            Figure 8: Example Resource Type JSON Representation

8.7.  Schema Representation

   The following is intended as a normative example of the SCIM Schema
   representation in JSON format.  Where permitted, individual values
   and schema MAY change.  Included, but not limited to, are the schemas
   for User, Group, and Enterprise User.

   [
     {
       "id" : "urn:ietf:params:scim:schemas:core:2.0:User",
       "name" : "User",
       "description" : "User Account",
       "attributes" : [
         {
           "name" : "userName",
           "type" : "string",
           "multiValued" : false,
           "description" : "Unique identifier for the User typically used
   by the user to directly authenticate to the service provider. Each User
   MUST include a non-empty userName value. This identifier MUST be unique
   across the Service Consumer's entire set of Users. REQUIRED",
           "required" : true,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "server"
         },
         {
           "name" : "name",
           "type" : "complex",
           "multiValued" : false,
           "description" : "The components of the user's real name.
   Providers MAY return just the full name as a single string in the
   formatted sub-attribute, or they MAY return just the individual
   component attributes using the other sub-attributes, or they MAY return
   both. If both variants are returned, they SHOULD be describing the same
   name, with the formatted name indicating how the component attributes
   should be combined.",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "formatted",
               "type" : "string",
               "multiValued" : false,
               "description" : "The full name, including all middle names,
   titles, and suffixes as appropriate, formatted for display (e.g. Ms.
   Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "familyName",
               "type" : "string",
               "multiValued" : false,
               "description" : "The family name of the User, or Last Name
   in most Western languages (e.g. Jensen given the full name Ms. Barbara J
   Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "givenName",
               "type" : "string",
               "multiValued" : false,
               "description" : "The given name of the User, or First Name
   in most Western languages (e.g. Barbara given the full name Ms.
   Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "middleName",
               "type" : "string",
               "multiValued" : false,
               "description" : "The middle name(s) of the User (e.g. Robert
   given the full name Ms. Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "honorificPrefix",
               "type" : "string",
               "multiValued" : false,
               "description" : "The honorific prefix(es) of the User, or
   Title in most Western languages (e.g. Ms. given the full name Ms.
   Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "honorificSuffix",
               "type" : "string",
               "multiValued" : false,
               "description" : "The honorific suffix(es) of the User, or
   Suffix in most Western languages (e.g. III. given the full name Ms.
   Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "displayName",
           "type" : "string",
           "multiValued" : false,
           "description" : "The name of the User, suitable for display to
   end-users. The name SHOULD be the full name of the User being described
   if known",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "nickName",
           "type" : "string",
           "multiValued" : false,
           "description" : "The casual way to address the user in real
   life, e.g. \"Bob\" or \"Bobby\" instead of \"Robert\". This attribute
   SHOULD NOT be used to represent a User's username (e.g. bjensen or
   mpepperidge)",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "profileUrl",
           "type" : "reference",
           "multiValued" : false,
           "description" : "A fully qualified URL to a page representing
   the User's online profile",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "title",
           "type" : "string",
           "multiValued" : false,
           "description" : "The user's title, such as \"Vice President.\"",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "userType",
           "type" : "string",
           "multiValued" : false,
           "description" : "Used to identify the organization to user
   relationship. Typical values used might be \"Contractor\", \"Employee\",
   \"Intern\", \"Temp\", \"External\", and \"Unknown\" but any value may be
   used.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "preferredLanguage",
           "type" : "string",
           "multiValued" : false,
           "description" : "Indicates the User's preferred written or
   spoken language.
   Generally used for selecting a localized User
   interface. e.g., 'en_US' specifies the language English and country
   US.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "locale",
           "type" : "string",
           "multiValued" : false,
           "description" : "Used to indicate the User's default location
   for purposes of localizing items such as currency, date time format,
   numerical representations, etc.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "timezone",
           "type" : "string",
           "multiValued" : false,
           "description" : "The User's time zone in the \"Olson\" timezone
   database format; e.g.,'America/Los_Angeles'",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "active",
           "type" : "boolean",
           "multiValued" : false,
           "description" : "A Boolean value indicating the User's
   administrative status.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "password",
           "type" : "string",
           "multiValued" : false,
           "description" : "The User's clear text password. This attribute
   is intended to be used as a means to specify an initial password when
   creating a new User or to reset an existing User's password.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "writeOnly",
           "returned" : "never",
           "uniqueness" : "none"
         },
         {
           "name" : "emails",
           "type" : "complex",
           "multiValued" : true,
           "description" : "E-mail addresses for the user. The value SHOULD
   be canonicalized by the Service Provider, e.g. bjensen@example.com
   instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and
   other.",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "E-mail addresses for the user. The value
   SHOULD be canonicalized by the Service Provider, e.g.
   bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type
   values of work, home, and other.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used for
   display purposes. READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'work' or 'home'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "work",
                 "home",
                 "other"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute, e.g. the preferred mailing
   address or primary e-mail address.
   The primary attribute value 'true'
   MUST appear no more than once.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "phoneNumbers",
           "type" : "complex",
           "multiValued" : true,
           "description" : "Phone numbers for the User. The value SHOULD
   be canonicalized by the Service Provider according to format in RFC3966
   e.g. 'tel:+1-201-555-0123'. Canonical Type values of work, home,
   mobile, fax, pager and other.",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "Phone number of the User",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used for
   display purposes. READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'work' or 'home' or 'mobile' etc.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "work",
                 "home",
                 "mobile",
                 "fax",
                 "pager",
                 "other"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute, e.g. the preferred phone
   number or primary phone number. The primary attribute value 'true' MUST
   appear no more than once.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "ims",
           "type" : "complex",
           "multiValued" : true,
           "description" : "Instant messaging addresses for the User.",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "Instant messaging address for the User.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used for
   display purposes.
   READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'aim', 'gtalk', 'mobile' etc.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "aim",
                 "gtalk",
                 "icq",
                 "xmpp",
                 "msn",
                 "skype",
                 "qq",
                 "yahoo"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute, e.g. the preferred
   messenger or primary messenger. The primary attribute value 'true' MUST
   appear no more than once.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "photos",
           "type" : "complex",
           "multiValued" : true,
           "description" : "URLs of photos of the User.",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "reference",
               "multiValued" : false,
               "description" : "URL of a photo of the User.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used for
   display purposes. READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'photo' or 'thumbnail'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "photo",
                 "thumbnail"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute, e.g. the preferred photo
   or thumbnail. The primary attribute value 'true' MUST appear no more
   than once.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "addresses",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A physical mailing address for this User, as
   described in (address Element). Canonical Type Values of work, home, and
   other. The value attribute is a complex type with the following
   sub-attributes.",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "formatted",
               "type" : "string",
               "multiValued" : false,
               "description" : "The full mailing address, formatted for
   display or use with a mailing label.
   This attribute MAY contain
   newlines.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "streetAddress",
               "type" : "string",
               "multiValued" : false,
               "description" : "The full street address component, which
   may include house number, street name, PO BOX, and multi-line extended
   street address information. This attribute MAY contain newlines.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "locality",
               "type" : "string",
               "multiValued" : false,
               "description" : "The city or locality component.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "region",
               "type" : "string",
               "multiValued" : false,
               "description" : "The state or region component.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "postalCode",
               "type" : "string",
               "multiValued" : false,
               "description" : "The zipcode or postal code component.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "country",
               "type" : "string",
               "multiValued" : false,
               "description" : "The country name component.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'work' or 'home'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "work",
                 "home",
                 "other"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "groups",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A list of groups that the user belongs to,
   either through direct membership, nested groups, or dynamically
   calculated",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "The identifier of the User's group.",
               "readOnly" : false,
               "required" : false,
               "caseExact" : false,
               "mutability" : "readOnly",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "$ref",
               "type" : "reference",
               "multiValued" : false,
               "description" : "The URI of the corresponding Group
   resource to which the user belongs",
               "readOnly" : false,
               "required" : false,
               "caseExact" : false,
               "mutability" : "readOnly",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used
   for display purposes.
   READ-ONLY.",
               "readOnly" : true,
               "required" : false,
               "caseExact" : false,
               "mutability" : "readOnly",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'direct' or 'indirect'.",
               "readOnly" : false,
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "direct",
                 "indirect"
               ],
               "mutability" : "readOnly",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readOnly",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "entitlements",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A list of entitlements for the User that
   represent a thing the User has.",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "The value of an entitlement.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used
   for display purposes. READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute. The primary attribute
   value 'true' MUST appear no more than once.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "roles",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A list of roles for the User that collectively
   represent who the User is; e.g., 'Student', 'Faculty'.",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "The value of a role.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used for
   display purposes.
   READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute. The primary attribute
   value 'true' MUST appear no more than once.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "x509Certificates",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A list of certificates issued to the User.",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "binary",
               "multiValued" : false,
               "description" : "The value of a X509 certificate.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used
   for display purposes. READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute. The primary attribute
   value 'true' MUST appear no more than once.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         }
       ],
       "meta" : {
         "resourceType" : "Schema",
         "created" : "2010-01-23T04:56:22Z",
         "lastModified" : "2014-02-04T00:00:00Z",
         "version" : "W/\"3694e05e9dff596\"",
         "location" :
           "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
       }
     },
     {
       "id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
       "name" : "Group",
       "description" : "Group",
       "attributes" : [
         {
           "name" : "displayName",
           "type" : "string",
           "multiValued" : false,
           "description" : "Human readable name for the Group.
   REQUIRED.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "members",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A list of members of the Group.",
           "required" : false,
           "caseExact" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "Identifier of the member of this Group.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "immutable",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "$ref",
               "type" : "reference",
               "multiValued" : false,
               "description" : "The URI corresponding to the member
   resource of this Group.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "immutable",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the type of resource;
   e.g., 'User' or 'Group'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "User",
                 "Group"
               ],
               "mutability" : "immutable",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         }
       ],
       "meta" : {
         "resourceType" : "Schema",
         "created" : "2010-01-23T04:56:22Z",
         "lastModified" : "2014-02-04T00:00:00Z",
         "version" : "W/\"3694e05e9dff596\"",
         "location" :
           "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
       }
     },
     {
       "id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
       "name" : "EnterpriseUser",
       "description" : "Enterprise User",
       "attributes" : [
         {
           "name" : "employeeNumber",
           "type" : "string",
           "multiValued" : false,
           "description" : "Numeric or alphanumeric identifier assigned to
   a person, typically based on order of hire or association with an
   organization.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "costCenter",
           "type" : "string",
           "multiValued" : false,
           "description" : "Identifies the name of a cost center.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "organization",
           "type" : "string",
           "multiValued" : false,
           "description" : "Identifies the name of an organization.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "division",
           "type" : "string",
           "multiValued" : false,
           "description" : "Identifies the name of a division.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "department",
           "type" : "string",
           "multiValued" : false,
           "description" : "Identifies the name of a department.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "manager",
           "type" : "complex",
           "multiValued" : true,
           "description" : "The User's manager.
A complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the 'id' attribute of another User.",
          "required" : false,
          "caseExact" : false,
          "subAttributes" : [
            {
              "name" : "value",
              "type" : "string",
              "multiValued" : false,
              "description" : "The id of the SCIM resource representing the User's manager. REQUIRED.",
              "required" : false,
              "caseExact" : false,
              "mutability" : "readWrite",
              "returned" : "default",
              "uniqueness" : "none"
            },
            {
              "name" : "$ref",
              "type" : "reference",
              "multiValued" : false,
              "description" : "The URI of the SCIM resource representing the User's manager. REQUIRED.",
              "required" : false,
              "caseExact" : false,
              "mutability" : "readWrite",
              "returned" : "default",
              "uniqueness" : "none"
            },
            {
              "name" : "displayName",
              "type" : "string",
              "multiValued" : false,
              "description" : "The displayName of the User's manager. OPTIONAL and READ-ONLY.",
              "required" : false,
              "caseExact" : false,
              "mutability" : "readOnly",
              "returned" : "default",
              "uniqueness" : "none"
            }
          ],
          "mutability" : "readWrite",
          "returned" : "default",
          "uniqueness" : "none"
        }
      ],
      "meta" : {
        "resourceType" : "Schema",
        "created" : "2010-01-23T04:56:22Z",
        "lastModified" : "2014-02-04T00:00:00Z",
        "version" : "W/\"3694e05e9dff596\"",
        "location" :
          "/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      }
    }
  ]

              Figure 9: Example Schema JSON Representation

9. Security Considerations

   The SCIM Core schema defines attributes that MAY contain personally
   identifiable information as well as other sensitive data. Aside from
   prohibiting password values in a SCIM response, this specification
   does not provide any means or guarantee of confidentiality.
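   The identifier remediations that this section goes on to recommend
   (binding identifiers to a tenant so that two tenants cannot correlate
   the same resource by its "id", and returning an "externalId" only to
   the client that assigned it) can be implemented as shown below. This
   is an added Python illustration, not code from the draft or from any
   SCIM implementation: the class and function names, the HMAC-based id
   derivation, the per-client storage layout for "externalId" values,
   the secret key and the sample user record are all assumptions made
   for the example.

```python
"""Added example (not part of the SCIM draft): tenant-bound SCIM ids and
per-client "externalId" disclosure, illustrating the Section 9 remediations.
Class/function names, the HMAC derivation and the sample data are assumptions."""
import base64
import hashlib
import hmac
from typing import Optional


class TenantScopedIds:
    """Mints a distinct SCIM "id" for every (tenant, internal record) pair.

    The id is HMAC-SHA-256(key, tenant || 0x00 || internal_id), truncated
    and base64url-encoded, so it is stable for a tenant yet unrelated to
    the id another tenant receives for the same record.  The reverse
    mapping is kept per tenant, so an id minted for tenant A is simply
    unknown when tenant B presents it.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key  # server-side secret (assumed); never sent to clients
        self._by_tenant: dict[str, dict[str, str]] = {}  # tenant -> {scim_id: internal_id}

    def id_for(self, tenant: str, internal_id: str) -> str:
        msg = tenant.encode("utf-8") + b"\x00" + internal_id.encode("utf-8")
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:16]
        scim_id = base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")
        self._by_tenant.setdefault(tenant, {})[scim_id] = internal_id
        return scim_id

    def resolve(self, tenant: str, scim_id: str) -> Optional[str]:
        """Tenant-scoped lookup: returns None for an id minted for another tenant."""
        return self._by_tenant.get(tenant, {}).get(scim_id)


def render_user(record: dict, ids: TenantScopedIds, tenant: str, client: str) -> dict:
    """Build the User representation returned to one client of one tenant.

    The record stores one "externalId" per provisioning client (assumed
    layout); only the value assigned by the requesting client is returned.
    The stored password is never copied into the response.
    """
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": ids.id_for(tenant, record["internal_id"]),
        "userName": record["userName"],
    }
    external_id = record.get("externalIds", {}).get(client)
    if external_id is not None:
        user["externalId"] = external_id
    return user


# Constructed sample record visible to two tenants through two clients.
SAMPLE_RECORD = {
    "internal_id": "row-1001",
    "userName": "bjensen",
    "password": "hunter2",  # must never appear in a response
    "externalIds": {"hr-system": "E-7781", "crm": "c0ffee"},
}


def demo() -> tuple:
    """Render the same record for two tenants and three clients."""
    ids = TenantScopedIds(key=b"constructed-server-secret")
    a = render_user(SAMPLE_RECORD, ids, tenant="tenant-a", client="hr-system")
    b = render_user(SAMPLE_RECORD, ids, tenant="tenant-b", client="crm")
    c = render_user(SAMPLE_RECORD, ids, tenant="tenant-b", client="unrelated")
    return ids, a, b, c


if __name__ == "__main__":
    for view in demo()[1:]:
        print(view)
```

   Running demo() shows the two properties the bullets below ask for:
   tenant-a and tenant-b receive unrelated ids for the same record, and
   an id presented by the wrong tenant does not resolve at all, so
   identifier correlation across domains fails; the "crm" client sees
   only the externalId it assigned, and a client that assigned none gets
   none. The keyed derivation is a design choice, not a requirement of
   the draft: a random per-tenant id stored in a table achieves the same
   separation, at the cost of a lookup instead of a recomputation.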
   In particular, the "id" and "externalId" attributes deserve attention
   as personally identifiable information: each is a persistent identifier
   that maps uniquely to a User (the "id" assigned by the service
   provider, the "externalId" assigned by a provisioning client), so a
   party that holds either value can correlate records about the same
   person across domains. Where possible, it is suggested that service
   providers take the following remediations:

   o  Assign and bind identifiers to specific tenants and/or clients.
      When multiple tenants are able to reference the same resource,
      they should do so via separate identifiers (id or externalId).
      This ensures that separate domains linked to the same information
      cannot perform identifier correlation.

   o  In the case of "externalId", if multiple values are supported, use
      access control to restrict access to the client domain that
      assigned the "externalId" value.

   o  Ensure that access to data is appropriately restricted to
      authorized parties with a need-to-know.

   o  When data is persisted, ensure that appropriate protection
      mechanisms are in place to restrict access by unauthorized parties,
      including administrators and parties with access to backup data.

   It is important to note that these considerations are intentionally
   general in nature. Considerations relative to the access protocol
   are out of scope of the core-schema document and are addressed in
   other SCIM specifications.

10. IANA Considerations

10.1. New Registration of SCIM URN Sub-namespace

   IANA has created a registry for new IETF URN sub-namespaces,
   "urn:ietf:params:scim:", per [RFC3553]. The registration request is
   as follows:

   Per [RFC3553], IANA has registered a new URN sub-namespace,
   "urn:ietf:params:scim".

   o  Registry name: scim

   o  Specification: [this document]

   o  Repository: [see Section 10.2]

   o  Index value: values [see Section 10.2]

10.2. URN Sub-Namespace for SCIM

   SCIM schemas and SCIM messages utilize URIs to identify the schema in
   use or other relevant context.
This section creates and registers an
   IETF URN Sub-namespace for use in the SCIM specifications and future
   extensions.

10.2.1. Specification Template

   Namespace ID:

      The Namespace ID "scim" is requested.

   Registration Information:

      Version: 1

      Date: [[insert final submission date]]

   Declared registrant of the namespace:

      Registering organization
         The Internet Engineering Task Force

      Designated contact
         A designated expert will monitor the SCIM public mailing list,
         "scim@ietf.org".

   Declaration of Syntactic Structure:

      The Namespace Specific String (NSS) of all URNs that use the
      "scim" NID shall have the following structure:

         urn:ietf:params:scim:{type}:{name}{:other}

      The keywords have the following meaning:

      type
         The entity type, which is either "schemas" or "api".

      name
         A required US-ASCII string that conforms to the URN syntax
         requirements (see [RFC2141]) and defines a major namespace of
         a schema used within SCIM (e.g., "core" in the case of SCIM
         Core Schema). The value MAY also be an industry name or
         organization name.

      other
         Any US-ASCII string that conforms to the URN syntax
         requirements (see [RFC2141]) and defines the sub-namespace
         (which MAY be further broken down into namespaces delimited by
         colons) as needed to uniquely identify a schema.

   Relevant Ancillary Documentation:

      None

   Identifier Uniqueness Considerations:

      The designated contact shall be responsible for reviewing and
      enforcing uniqueness.

   Identifier Persistence Considerations:

      Once a name has been allocated, it MUST NOT be re-allocated for a
      different purpose. The rules provided for assignments of values
      within a sub-namespace MUST be constructed so that the meaning of
      values cannot change. This registration mechanism is not
      appropriate for naming values whose meaning may change over time.
      As the SCIM specifications are updated and the SCIM protocol
      version is adjusted, a new registration will be made when
      significant changes are made. For example,
      "urn:ietf:params:scim:schemas:core:1.0" (externally defined, not
      previously registered) and "urn:ietf:params:scim:schemas:core:2.0".

   Process of Identifier Assignment:

      Identifiers with namespace type "schemas" (e.g.,
      "urn:ietf:params:scim:schemas") are assigned after review by the
      designated contact via the SCIM public mailing list,
      "scim@ietf.org", as documented in Section 10.3.

      Namespaces with type "api" (e.g., "urn:ietf:params:scim:api") are
      reserved for IETF-approved SCIM specifications. Namespaces with
      type "param" are reserved for future use.

   Process of Identifier Resolution:

      The namespace is not currently listed with a Resolution Discovery
      System (RDS), but nothing about the namespace prohibits the future
      definition of appropriate resolution methods or listing with an
      RDS.

   Rules for Lexical Equivalence:

      No special considerations; the rules for lexical equivalence
      specified in [RFC2141] apply.

   Conformance with URN Syntax:

      No special considerations.

   Validation Mechanism:

      None specified.

   Scope:

      Global.

10.2.2. Pre-Registered SCIM Schema Identifiers

   The following SCIM Identifiers are defined:

   urn:ietf:params:scim:schemas:core:2.0

      SCIM Core Schema as specified in Section 4 and Section 10.4.

   urn:ietf:params:scim:schemas:extension:enterprise:2.0

      Enterprise schema extensions as defined in Section 4.3 and
      Section 10.4.

10.3. Registering SCIM Schemas

   This section defines the process for registering new SCIM schemas
   with IANA. A schema URI is used as a value in the "schemas" attribute
   (Section 3) for the purpose of distinguishing extensions used in a
   SCIM resource.

10.3.1.
Registration Procedure

   The IETF has created a mailing list, scim@ietf.org, which can be used
   for public discussion of SCIM schema proposals prior to registration.
   Use of the mailing list is strongly encouraged. The IESG has
   appointed a designated expert who will monitor the scim@ietf.org
   mailing list and review registrations.

   Registration of new schemas MUST be reviewed by the designated expert
   and published in an RFC. A Standards Track RFC is REQUIRED for the
   registration of new value data types that modify existing properties.
   A Standards Track RFC is also REQUIRED for registration of SCIM
   schema URIs that modify SCIM schema previously documented in a
   Standards Track RFC.

   The registration procedure begins when a completed registration
   template, defined in the sections below, is sent to scim@ietf.org and
   iana@iana.org. Within two weeks, the designated expert is expected
   to tell IANA and the submitter of the registration whether the
   registration is approved, approved with minor changes, or rejected
   with cause. When a registration is rejected with cause, it can be
   re-submitted if the concerns listed in the cause are addressed.
   Decisions made by the designated expert can be appealed to the IESG
   Applications Area Director, then to the IESG. They follow the normal
   appeals procedure for IESG decisions.

   Once the registration procedure concludes successfully, IANA creates
   or modifies the corresponding record in the SCIM schema registry.
   The completed registration template is discarded.

   An RFC specifying a new schema URI MUST include the completed
   registration templates, which MAY be expanded with additional
   information. These completed templates are intended to go in the
   body of the document, not in the IANA Considerations section. The
   RFC SHOULD include any attributes defined.

10.3.2.
Schema Registration Template

   A SCIM schema URI is defined by completing the following template:

   Schema URI:  A unique URI for the SCIM schema extension.

   Schema Name:  A descriptive name of the schema extension (e.g.,
      Generic Device).

   Intended or Associated Resource Type:  A value defining the resource
      type (e.g., "Device").

   Purpose:  A description of the purpose of the extension and/or its
      intended use.

   Single-value Attributes:  A list and description of single-valued
      attributes defined, including complex attributes.

   Multi-valued Attributes:  A list and description of multi-valued
      attributes defined, including complex attributes.

10.4. Initial SCIM Schema Registry

   IANA has created and will maintain the following registries for
   SCIM schema URIs with pointers to appropriate reference documents.
   Note: each Schema URI is broken into two lines for readability.

   +-----------------------------------+-----------------+-------------+
   | Schema URI                        | Name            | Reference   |
   +-----------------------------------+-----------------+-------------+
   | urn:ietf:params:scim:schemas:     | User Resource   | See Section |
   |   core:2.0:User                   |                 | 4.1         |
   | urn:ietf:params:scim:schemas:     | Enterprise User | See Section |
   |   extension:enterprise:2.0:User   | Extension       | 4.3         |
   | urn:ietf:params:scim:schemas:     | Group Resource  | See Section |
   |   core:2.0:Group                  |                 | 4.2         |
   +-----------------------------------+-----------------+-------------+

                   SCIM Schema URIs for Data Resources

   +-----------------------------------+-------------------+-----------+
   | Schema URI                        | Name              | Reference |
   +-----------------------------------+-------------------+-----------+
   | urn:ietf:params:scim:schemas:     | Service Provider  | See       |
   |   core:2.0:ServiceProviderConfig  | Configuration     | Section 5 |
   |                                   | Schema            |           |
   | urn:ietf:params:scim:schemas:     | Resource Type     | See       |
   |   
core:2.0:ResourceType           | Config            | Section 6 |
   | urn:ietf:params:scim:schemas:     | Schema            | See       |
   |   core:2.0:Schema                 | Definitions       | Section 7 |
   |                                   | Schema            |           |
   +-----------------------------------+-------------------+-----------+

                    SCIM Server Related Schema URIs

11. References

11.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2141]  Moats, R., "URN Syntax", RFC 2141, May 1997.

   [RFC3553]  Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
              IETF URN Sub-namespace for Registered Protocol
              Parameters", BCP 73, RFC 3553, June 2003.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC3966]  Schulzrinne, H., "The tel URI for Telephone Numbers",
              RFC 3966, December 2004.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.

   [RFC4647]  Phillips, A. and M. Davis, "Matching of Language Tags",
              BCP 47, RFC 4647, September 2006.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              October 2008.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", BCP 47, RFC 5646, September 2009.

   [RFC6557]  Lear, E. and P. Eggert, "Procedures for Maintaining the
              Time Zone Database", BCP 175, RFC 6557, February 2012.

   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014.

   [RFC7231]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.

11.2.
Informative References

   [ISO3166]  "ISO 3166:1988 (E/F) - Codes for the representation of
              names of countries - The International Organization for
              Standardization, 3rd edition", August 1988.

   [Olson-TZ] "Sources for Time Zone and Daylight Saving Time Data".

   [PortableContacts]
              Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only",
              August 2008.

   [RFC2277]  Alvestrand, H., "IETF Policy on Character Sets and
              Languages", BCP 18, RFC 2277, January 1998.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512,
              June 2006.

   [RFC6749]  Hardt, D., "The OAuth 2.0 Authorization Framework",
              RFC 6749, October 2012.

   [XML-Schema]
              Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes
              Second Edition", October 2004.

Appendix A. Acknowledgements

   The editors would like to acknowledge the contribution and work of
   the past draft editors:

      Chuck Mortimore, Salesforce

      Patrick Harding, Ping

      Paul Madsen, Ping

      Trey Drake, UnboundID

   The SCIM Community would like to thank the following people for the
   work they've done in the research, formulation, drafting, editing,
   and support of this specification.

      Morteza Ansari (morteza.ansari@cisco.com)

      Sidharth Choudhury (schoudhury@salesforce.com)

      Samuel Erdtman (samuel@erdtman.se)

      Kelly Grizzle (kelly.grizzle@sailpoint.com)

      Chris Phillips (cjphillips@gmail.com)

      Erik Wahlstroem (erik@wahlstromstekniska.se)

      Phil Hunt (phil.hunt@yahoo.com)

   Special thanks to Joseph Smarr, whose excellent work on the Portable
   Contacts Specification [PortableContacts] provided a basis for the
   SCIM schema structure and text.

Appendix B.
Change Log

   [[This section to be removed prior to publication as an RFC]]

   Draft 02 - KG - Addition of schema extensibility

   Draft 03 - PH - Revisions based on the following tickets:

      09 - Attribute uniqueness

      10 - Returnability of attributes

      35 - Attribute mutability (replaces readOnly)

      52 - Minor textual changes

      53 - Standard use of term client (some was consumer)

      56 - Make manager attribute consistent with other $ref attrs

      58 - Add optional id to ResourceType objects for consistency

      59 - Fix capitalization per IETF editor practices

      60 - Changed tags to normal and tags

   Draft 04 - PH - Revisions based on the following tickets:

      43 - Drop short-hand notation for complex multi-valued attributes

      61 - Specify attribute name limitations

      62 - Fix 'mutability' normative language

      63 - Fix incorrect EnterpriseUser schema reference

      68 - Update JSON references from RFC4627 to RFC7159

      71 - Made corrections to language tags in compliance with BCP47 /
           RFC5646

   Draft 05 - PH - Revisions based on the following tickets:

      23 - Clarified that the server is not required to preserve case
           for case-insensitive strings

      41 - Add IANA considerations

      72 - Added text to indicate UTF-8 is the default and mandatory
           encoding format per BCP18

      - Typo corrections and removed some redundant text

   Draft 06 - PH - Revisions based on the following tickets:

      63 - Corrected enterprise user URI in 14.2 and section 7, URI
           namespace changes due to ticket #41

      66 - Updated reference to final HTTP/1.1 drafts (RFC 7230)

      41 - Add IANA considerations

      - Removed redundant text (e.g.
SAML binding, replaced REST with
        HTTP)

      - Reordered introduction, definitions and notation sections to
        follow typical format

      - meta.attributes removed due to new PURGE command in draft 04 (no
        longer used)

   Draft 07 - PH - Edits and revisions

      - Dropped use of the term API in favour of HTTP protocol or just
        protocol.

      - Clarified meaning of null and unassigned

   Draft 08 - PH - Revised IANA namespace to urn:ietf:params:scim per
   RFC3553

   Draft 09 - PH - Editorial revisions and clarifications

      Removed duplicate text from Schema Schema section

      Removed "operation" attribute from Multi-valued Attribute sub-
      attribute definitions. This was used in the old PATCH command and
      is no longer valid.

      Revised some layout to make indentation and definition of
      attributes more clear (added vspace elements)

   Draft 10 - PH - Editorial revisions

      Simplified namespace definition for urn:ietf:params:scim

      Clarified "schemas" attribute as representing the JSON body schema
      in an HTTP Req/Resp

      Reduced use of confusing term "core" in "Core User" and "Core
      Group"

      Added clarifications and security considerations for externalId

      Re-worded descriptions of the SCIM schema extension model (sec 3)
      and core schema (sec 4) for improved clarity

   Draft 11 - PH - Clarification to definition of externalId

   Draft 12 - PH - Nits / Corrections

      Corrected use of RFC2119 words (e.g.
MUST not to MUST NOT)

      Corrected JSON examples to be 72 characters or less per line

      Corrected enterprise User manager attribute to use sub-attribute
      value and make multi-valued

      Corrected sec 8.7, make members multi-valued in JSON

      Added missing definition for subattributes in sec 7, Schema
      Definition

   Draft 13 - PH - Corrected nits in externalId example and clarified
   phoneNumber & emails canonicalization

   Draft 14 - PH - Nits / Corrections

      Corrected JSON structure for example Schema (removed outer {}
      around array of schemas).

      Added example Group resource type to example of resource types in
      JSON

   Draft 15 - PH - Corrected schema in sec 7 to use defined types from
   sec 2.1

   Draft 16 - PH - Corrected photo.value from "type":"binary" to
   "type":"reference" (should be a URL)

Authors' Addresses

   Phil Hunt (editor)
   Oracle Corporation

   Email: phil.hunt@yahoo.com


   Kelly Grizzle
   SailPoint

   Email: kelly.grizzle@sailpoint.com


   Erik Wahlstroem
   Nexus Technology

   Email: erik.wahlstrom@nexusgroup.com


   Chuck Mortimore
   Salesforce.com

   Email: cmortimore@salesforce.com