Network Working Group                                       P. Hunt, Ed.
Internet-Draft                                                    Oracle
Intended status: Standards Track                              K. Grizzle
Expires: October 26, 2015                                      SailPoint
                                                           E. Wahlstroem
                                                        Nexus Technology
                                                             C. Mortimore
                                                              Salesforce
                                                          April 24, 2015

         System for Cross-Domain Identity Management: Core Schema
                      draft-ietf-scim-core-schema-18

Abstract

   The System for Cross-Domain Identity Management (SCIM) specifications
   are designed to make identity management in cloud-based applications
   and services easier. The specification suite builds upon experience
   with existing schemas and deployments, placing specific emphasis on
   simplicity of development and integration, while applying existing
   authentication, authorization, and privacy models. Its intent is to
   reduce the cost and complexity of user management operations by
   providing a common user schema and extension model, as well as
   binding documents to provide patterns for exchanging this schema
   using the HTTP protocol.
   This document provides a platform-neutral schema and extension model
   for representing users, groups, and other resource types in JSON
   format. This schema is intended for exchange and use with cloud
   service providers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 26, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction and Overview
      1.1. Requirements Notation and Conventions
      1.2. Definitions
   2. SCIM Schema
      2.1. Attributes
      2.2. Attribute Data Types
           2.2.1. String
           2.2.2. Boolean
           2.2.3. Decimal
           2.2.4. Integer
           2.2.5. DateTime
           2.2.6. Binary
           2.2.7. Reference
           2.2.8. Complex
      2.3. Attribute Characteristics
      2.4. Multi-valued Attributes
      2.5. Unassigned and Null Values
   3. SCIM Resources
      3.1. Common Attributes
      3.2. Defining New Resource Types
      3.3. Attribute Extensions to Resources
   4. SCIM Core Resources and Extensions
      4.1. User Resource Schema
           4.1.1. Singular Attributes
           4.1.2. Multi-valued Attributes
      4.2. Group Resource Schema
      4.3. Enterprise User Schema Extension
   5. Service Provider Configuration Schema
   6. ResourceType Schema
   7. Schema Definition
   8. JSON Representation
      8.1. Minimal User Representation
      8.2. Full User Representation
      8.3. Enterprise User Extension Representation
      8.4. Group Representation
      8.5. Service Provider Configuration Representation
      8.6. Resource Type Representation
      8.7. Schema Representation
           8.7.1. Resource Schema Representation
           8.7.2. Service Provider Schema Representation
   9. Security Considerations
      9.1. Protocol
      9.2. Password and Other Sensitive Security Data
      9.3. Privacy
   10. IANA Considerations
      10.1. Registration of SCIM URN Sub-namespace & SCIM Registry
      10.2. URN Sub-Namespace for SCIM
           10.2.1. Specification Template
      10.3. Registering SCIM Schemas
           10.3.1. Registration Procedure
           10.3.2. Schema Registration Template
      10.4. Initial SCIM Schema Registry
   11. References
      11.1. Normative References
      11.2. Informative References
   Appendix A. Acknowledgements
   Appendix B. Change Log
   Authors' Addresses

1. Introduction and Overview

   While there are existing standards for describing and exchanging user
   information, many of these standards can be difficult to implement
   and/or use; e.g., their wire protocols do not easily traverse
   firewalls and/or are not easily layered onto existing web protocols.
   As a result, many cloud providers implement non-standardized
   protocols for managing users within their services. This increases
   both the cost and complexity associated with organizations adopting
   products and services from multiple cloud providers, as they must
   perform redundant integration development. Similarly, cloud service
   providers seeking to inter-operate with multiple application
   marketplaces or cloud identity providers would require pairwise
   integration.

   SCIM seeks to simplify this problem through a simple-to-implement
   specification suite that provides a common user schema and extension
   model, as well as a SCIM Protocol document that defines exchanging
   this schema via an HTTP-based protocol [I-D.ietf-scim-api]. [[RFC
   Editor: This document and the companion scim-api document should be
   published together]] It draws inspiration and best practice, building
   upon existing user protocols and schemas from a wide variety of
   sources including, but not limited to, existing services exposed by
   cloud providers, PortableContacts [PortableContacts], vCards
   [RFC6350], and LDAP directory services [RFC4511].

   This document provides a JSON-based schema and extension model for
   representing users and groups, as well as Service Provider
   configuration. This schema is intended for exchange and use with
   cloud service providers and other cross-domain scenarios.

1.1. Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Throughout this document, values are quoted to indicate that they are
   to be taken literally. When using these values in protocol messages,
   the quotes MUST NOT be used as part of the value.
   Throughout this document, all figures MAY contain spaces and extra
   line-wrapping for readability and space reasons. Similarly, some
   URIs contained within examples have been shortened for space and
   readability reasons.

1.2. Definitions

   Service Provider
      An HTTP web application that provides identity information via the
      SCIM protocol.

   Client
      A website or application that uses the SCIM protocol to manage
      identity data maintained by the Service Provider. The Client
      initiates SCIM HTTP requests to a target Service Provider.

   Provisioning Domain
      A provisioning domain is an administrative domain external to the
      domain of a Service Provider for legal or technical reasons. For
      example, a SCIM Client in an enterprise (provisioning client)
      communicates with a SCIM Service Provider that is owned or
      controlled by a different legal entity.

   Resource Type
      A type of resource that is managed by a Service Provider. The
      resource type defines the resource name, endpoint URL, schemas,
      and other metadata which indicate where a resource is managed and
      how it is composed; e.g., "User" or "Group".

   Resource
      A Service Provider managed artifact containing one or more
      attributes; for example, a "User" or "Group".

   Endpoint
      An endpoint for a Service Provider is a defined base path relative
      to the Service Provider's Base URI (see the definitions in
      [I-D.ietf-scim-api]) over which SCIM operations MAY be performed
      against SCIM resources. For example, assuming the Service
      Provider Base URI is "https://example.com/", "User" resources may
      be accessed at the "https://example.com/Users" or
      "https://example.com/v2/Users" (when including the protocol
      version, see Section 3.13 of [I-D.ietf-scim-api]) endpoint.
      Service Provider schemas MAY be returned from the "/Schemas"
      endpoint.
   Schema
      A collection of attribute definitions that describe the contents
      of an entire or partial resource; e.g.,
      "urn:ietf:params:scim:schemas:core:2.0:User". The attribute
      definitions define the name of the attribute and metadata such as
      type (e.g., string, binary), cardinality (singular, multi,
      complex), mutability, and returnability.

   Singular Attribute
      A resource attribute that contains 0..1 values; e.g.,
      "displayName".

   Multi-valued Attribute
      A resource attribute that contains 0..n values; e.g., "emails".

   Simple Attribute
      A singular or multi-valued attribute whose value is a primitive;
      e.g., "String". A simple attribute MUST NOT contain
      sub-attributes.

   Complex Attribute
      A singular or multi-valued attribute whose value is a composition
      of one or more simple attributes; e.g., "addresses" has the
      sub-attributes "streetAddress", "locality", "postalCode", and
      "country".

   Sub-Attribute
      A simple attribute that is contained within a complex attribute.

2. SCIM Schema

   A SCIM server provides a set of resources, the allowable contents of
   which are defined by a set of schema URIs and a resource type.
   SCIM's schema is not a document-centric one such as with
   [XML-Schema]. Instead, SCIM's support of schema is attribute-based,
   where each attribute may have a different type, mutability,
   cardinality, or returnability. Validation of documents and messages
   is always performed by an intended receiver, as specified by the SCIM
   specifications. Validation is performed by the receiver in the
   context of a SCIM protocol request (see [I-D.ietf-scim-api]).
   For example, a SCIM Service Provider, upon receiving a request to
   replace an existing resource with a replacement JSON object,
   evaluates each asserted attribute based on its characteristics as
   defined in the relevant schema (e.g., mutability) and decides which
   attributes may be replaced or ignored.

   This specification provides a minimal core schema for representing
   users and groups (resources), encompassing common attributes found in
   many existing deployments and schemas. In addition to the minimal
   core schema, this document also specifies a standardized means by
   which Service Providers may extend schemas to define new resources
   and attributes in both standardized and Service Provider specific
   cases.

   Resources are categorized into common resource types such as "User"
   or "Group". Collections of resources of the same type are usually
   contained within the same "container" ("folder") endpoint.

2.1. Attributes

   A resource is a collection of attributes identified by one or more
   schemas. Minimally, an attribute consists of the attribute name and
   at least one simple or complex value, either of which may be
   multi-valued. For each attribute, SCIM schema defines the data type,
   plurality, mutability, and other distinguishing features of an
   attribute.

   Attribute names are case-insensitive and MAY be camel-cased (e.g.,
   "camelCase"). SCIM resources are represented in JSON [RFC7159] and
   MUST specify schema via the "schemas" attribute per Section 3.

   Attribute names MUST conform to the following ABNF rules:

      ATTRNAME = ALPHA *(nameChar)
      nameChar = "$" / "-" / "_" / DIGIT / ALPHA

                   Figure 1: ABNF for Attribute Names

   The above rules (and other rules in this specification) use the "Core
   Rules" from ABNF; see Appendix B of [RFC5234].
   Unless otherwise specified in this specification, all ABNF strings
   are case-insensitive and the character set for these strings is
   US-ASCII. For example, all attribute names defined by the above rule
   are case-insensitive.

2.2. Attribute Data Types

   Attribute data types are derived from JSON [RFC7159]. The JSON
   format defines a limited set of data types; hence, where appropriate,
   alternate JSON representations derived from XML Schema [XML-Schema]
   are defined below. SCIM extensions SHOULD NOT introduce new data
   types.

   The following table maps each SCIM data type to its SCIM schema
   "type" value and to the underlying JSON data type:

   +--------------+-----------------+----------------------------------+
   | SCIM Data    | SCIM Schema     | JSON Type                        |
   | Type         | "type"          |                                  |
   +--------------+-----------------+----------------------------------+
   | String       | "string"        | String per Sec. 7 [RFC7159]      |
   | Boolean      | "boolean"       | Value per Sec. 3 [RFC7159]       |
   | Decimal      | "decimal"       | Number per Sec. 6 [RFC7159]      |
   | Integer      | "integer"       | Number per Sec. 6 [RFC7159]      |
   | DateTime     | "dateTime"      | String per Sec. 7 [RFC7159]      |
   | Binary       | "binary"        | Base64 encoded String per Sec. 7 |
   |              |                 | [RFC7159]                        |
   | Reference    | "reference"     | String per Sec. 7 [RFC7159]      |
   | Complex      | "complex"       | Object per Sec. 4 [RFC7159]      |
   +--------------+-----------------+----------------------------------+

              Table 1: SCIM Data Type to JSON Representation

2.2.1. String

   A sequence of zero or more Unicode characters encoded using UTF-8 as
   per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7
   of [RFC7159]. A "String" attribute MAY specify a required data
   format. Additionally, when "canonicalValues" is specified, Service
   Providers MAY restrict accepted values to the specified values.

2.2.2. Boolean

   The literal "true" or "false". The JSON format is defined in
   Section 3 of [RFC7159].
   A boolean has no case sensitivity or uniqueness.

2.2.3. Decimal

   A real number with at least one digit to the left and right of the
   period. The JSON format is defined in Section 6 of [RFC7159]. A
   decimal has no case sensitivity.

2.2.4. Integer

   A decimal number with no fractional digits. The JSON format is
   defined in Section 6 of [RFC7159], with the additional constraint
   that the value MUST NOT contain fractional or exponent parts. An
   integer has no case sensitivity.

2.2.5. DateTime

   A DateTime value (e.g., 2008-01-23T04:56:22Z). The attribute value
   MUST be encoded as a valid xsd:dateTime as specified in Section 3.3.7
   of [XML-Schema]. A date-time has no case sensitivity or uniqueness.

   Values represented in JSON MUST conform to the XML constraints above
   and are represented as a JSON String per Section 7 of [RFC7159].

2.2.6. Binary

   Arbitrary binary data. The attribute value MUST be encoded in base
   64 encoding as specified in Section 4 of [RFC4648]. In cases where a
   URL-safe encoding is required, the attribute definition MAY specify
   that base 64 URL encoding be used, as per Section 5 of [RFC4648].
   Unless otherwise specified in the attribute definition, trailing
   padding characters ("=") MAY be omitted.

   In JSON representation, the encoded values are represented as a JSON
   String per Section 7 of [RFC7159]. A binary is case-exact and has no
   uniqueness.

2.2.7. Reference

   The value is a URI for a resource. A resource MAY be a SCIM
   resource, an external link to a resource (e.g., a photo), or it may
   be an identifier such as a URN. The value MUST be the absolute or
   relative URI of the target resource. Relative URIs should be
   resolved as specified in Section 5.2 of [RFC3986].
   However, the base URI for relative URI resolution MUST include all
   URI components and path segments up to but not including the Endpoint
   URI (the SCIM Service Provider root endpoint); e.g., the base URI for
   a request to
   "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
   would be "https://example.com/v2/", and the relative URI for this
   resource would be "Users/2819c223-7f76-453a-919d-413861904646".

   In JSON representation, the URI value is represented as a JSON String
   per Section 7 of [RFC7159]. A reference is case-exact. A reference
   has a "referenceType" that indicates what types of resources may be
   linked, as per Section 7.

   Performing a GET operation on a reference URI MUST return the target
   resource or an appropriate HTTP response code. The Service Provider
   MAY optionally choose to enforce referential integrity for reference
   types referring to SCIM resources.

   By convention, a reference is commonly represented as a "$ref"
   sub-attribute in complex or multi-valued attributes; however, this is
   OPTIONAL.

2.2.8. Complex

   A singular or multi-valued attribute whose value is a composition of
   one or more simple attributes. The JSON format is defined in
   Section 4 of [RFC7159]. The order of the component attributes is not
   significant. Servers and clients MUST NOT require or expect
   attributes to be in any specific order when an object is either
   generated or analyzed. A complex attribute has no uniqueness or case
   sensitivity. A complex attribute MUST NOT contain sub-attributes
   that have sub-attributes (i.e., that are complex).

2.3. Attribute Characteristics

   If not otherwise stated in Section 7, SCIM attributes have the
   following characteristics:

   o  are OPTIONAL (not REQUIRED),
   o  are case-insensitive ("caseExact" is "false"),

   o  are modifiable ("mutability" is "readWrite"),

   o  are returned in response to queries ("returned" is "default"),

   o  have no canonical values (for example, the "type" sub-attribute in
      Section 2.4),

   o  are not unique ("uniqueness" is "none"), and

   o  are of type string (Section 2.2.1).

2.4. Multi-valued Attributes

   Multi-valued attributes contain a list of elements using the JSON
   array format defined in Section 5 of [RFC7159]. Elements can be
   either

   o  primitive values, or

   o  objects with a set of sub-attributes and values, using the JSON
      object format defined in Section 4 of [RFC7159], in which case
      they MAY also be considered to be complex attributes. As with
      complex attributes, the order of sub-attributes is not
      significant. The pre-defined sub-attributes listed in this
      section can be used with multi-valued attribute objects, but these
      sub-attributes should only be used with the meanings defined here.

   The pre-defined set of sub-attributes for a multi-valued attribute
   are:

   type
      A label indicating the attribute's function; e.g., "work" or
      "home".

   primary
      A Boolean value indicating the 'primary' or preferred attribute
      value for this attribute, e.g., the preferred mailing address or
      the primary e-mail address. The primary attribute value "true"
      MUST appear no more than once. If not specified, the value of
      "primary" SHALL be assumed to be "false".

   display
      A human-readable name, primarily used for display purposes, with a
      mutability of "immutable".

   value
      The attribute's significant value; e.g., the e-mail address, phone
      number, etc.

   $ref
      The reference URI of the target resource, if the attribute is a
      reference.
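   The type rules of Section 2.2, the defaults of Section 2.3 and the
   multi-valued rules above are what a receiver has to enforce before it
   trusts an attribute value. The following is an added example, not code
   from this draft or from any SCIM implementation: a small validator in
   Python that applies those rules to one attribute at a time. EMAILS_DEF
   is a hand-built subset of the core "emails" attribute in the shape of
   a Section 7 definition; the helper names and the error strings are this
   example's own. It also shows two edge cases the text calls out: an
   integer that arrives with a fraction or exponent, and base64 values
   whose padding was omitted. The reference resolver follows the base-URI
   rule of Section 2.2.7 (base ends before the endpoint segment).

```python
"""Added example (not from the draft): validate attribute values against
the data-type rules of Section 2.2, the defaults of Section 2.3 and the
multi-valued rules of Section 2.4."""
import base64
import re
from urllib.parse import urljoin

# xsd:dateTime shape (Section 2.2.5): date "T" time, optional fraction,
# optional zone.  Calendar validity (month 13 etc.) is left to a date library.
_DATETIME = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?$")


def check_binary(value, url_safe=False):
    """Section 2.2.6: base64 (base64url if the definition says so); the
    trailing "=" padding MAY be omitted, so restore it before decoding."""
    if not isinstance(value, str):
        return False
    padded = value + "=" * (-len(value) % 4)
    if url_safe:
        padded = padded.translate(str.maketrans("-_", "+/"))
    try:
        base64.b64decode(padded, validate=True)  # rejects foreign chars
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def resolve_reference(value, base_uri):
    """Section 2.2.7: resolve a relative reference against the base URI
    (everything up to the endpoint).  Without a trailing "/" urljoin
    would drop "v2" and resolve "Users/..." against the host root."""
    if not base_uri.endswith("/"):
        base_uri += "/"
    return urljoin(base_uri, value)  # absolute URIs and URNs pass through


# One predicate per Table 1 primitive.  json.loads yields float for "1.0"
# and "1e2", so a float where an integer is expected means the wire value
# carried a fraction or exponent, which Section 2.2.4 forbids.
_SIMPLE = {
    "string": lambda v: isinstance(v, str),
    "reference": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "decimal": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "dateTime": lambda v: isinstance(v, str) and bool(_DATETIME.match(v)),
    "binary": check_binary,
}


def check_simple(value, attr_type):
    return _SIMPLE.get(attr_type, lambda v: False)(value)


def check_complex(obj, definition):
    """Sub-attribute names match case-insensitively (Section 2.1); a
    sub-attribute MUST NOT itself be complex (Section 2.2.8)."""
    problems = []
    subs = {d["name"].lower(): d for d in definition.get("subAttributes", [])}
    for name, val in obj.items():
        sub = subs.get(name.lower())
        if sub is None:
            problems.append(f"unknown sub-attribute {name!r}")
        elif sub.get("type", "string") == "complex":
            problems.append(f"sub-attribute {name!r} may not be complex")
        elif not check_simple(val, sub.get("type", "string")):
            problems.append(f"{name!r}: {val!r} is not a {sub.get('type')}")
        elif sub.get("canonicalValues") and val not in sub["canonicalValues"]:
            problems.append(f"{name!r}: {val!r} is not a canonical value")
    return problems


def validate_attribute(value, definition):
    """Return a list of problems; an empty list means the value is valid."""
    attr_type = definition.get("type", "string")  # Section 2.3 default
    multi = definition.get("multiValued", False)
    if multi and not isinstance(value, list):
        return ["multi-valued attribute must be a JSON array"]
    elements = value if multi else [value]
    problems, primaries, seen = [], 0, set()
    for element in elements:
        if attr_type != "complex":
            if not check_simple(element, attr_type):
                problems.append(f"{element!r} is not a {attr_type}")
        elif not isinstance(element, dict):
            problems.append("complex value must be a JSON object")
        else:
            problems += check_complex(element, definition)
            primaries += element.get("primary", False) is True  # default false
            key = (str(element.get("type", "")).lower(), element.get("value"))
            if key in seen:  # same (type, value) twice burdens the consumer
                problems.append(f"duplicate (type, value) {key}")
            seen.add(key)
    if primaries > 1:
        problems.append('"primary": true appears more than once')
    return problems


EMAILS_DEF = {  # constructed, shaped like the core "emails" definition
    "name": "emails", "type": "complex", "multiValued": True,
    "subAttributes": [{"name": "value", "type": "string"},
                      {"name": "type", "type": "string",
                       "canonicalValues": ["work", "home", "other"]},
                      {"name": "primary", "type": "boolean"}]}
```

   The (type, value) duplicate check lower-cases "type" because values are
   case-insensitive unless the definition sets "caseExact"; a stricter
   receiver would apply the same rule to "value" for attributes whose
   definition says so.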
   When returning multi-valued attributes, Service Providers SHOULD
   canonicalize the value returned (e.g., by returning a value for the
   sub-attribute "type" such as "home" or "work") when appropriate
   (e.g., for e-mail addresses and URLs).

   Service Providers MAY return element objects with the same "value"
   sub-attribute more than once with a different "type" sub-attribute
   (e.g., the same e-mail address may be used for work and home), but
   SHOULD NOT return the same (type, value) combination more than once
   per attribute, as this complicates processing by the consumer.

   When defining schema for multi-valued attributes, it is considered
   good practice to provide a "type" sub-attribute that MAY be used for
   the purpose of canonicalization of values. Further, the schema
   definition for an attribute MAY define the recommended canonical
   values (see Section 7).

2.5. Unassigned and Null Values

   Unassigned attributes, the null value, or an empty array (in the case
   of a multi-valued attribute) SHALL be considered to be equivalent in
   "state". Assigning an attribute with the value "null" or an empty
   array (in the case of multi-valued attributes) has the effect of
   making the attribute "unassigned". When a resource is expressed in
   JSON form, unassigned attributes, though they are defined in schema,
   MAY be omitted for compactness.

3. SCIM Resources

   Each SCIM resource is a JSON object that has the following
   components:

   Resource Type
      Each resource (or JSON object) in SCIM has a resource type
      ("meta.resourceType", see Section 3.1) that defines the resource's
      core attribute schema and any attribute extension schema, as well
      as the endpoint where objects of the same type may be found. More
      information about a resource MAY be found in its resourceType
      definition (see Section 6).
   Schemas Attribute
      The "schemas" attribute is a REQUIRED attribute that MUST be
      present and is an array of Strings containing URIs which are used
      to indicate the namespaces of the SCIM schemas that define the
      attributes present in the current JSON structure. It may be used
      by parsers to define the attributes present in the JSON structure
      that is the body of an HTTP request or response. Each String
      value must be a unique URI. All representations of SCIM schemas
      MUST include a non-empty array with value(s) of the URIs supported
      by that representation. The "schemas" attribute for a resource
      MUST only contain values defined as "schema" and
      "schemaExtensions" for the resource's "resourceType". Duplicate
      values MUST NOT be included. Value order is not specified and
      MUST NOT impact behavior.

   Common Attributes
      Attributes that are part of every SCIM resource regardless of the
      value of the "schemas" attribute present in a JSON body. These
      attributes are not defined in any particular schema, but SHALL be
      assumed to be present in every resource regardless of the value of
      the "schemas" attribute. See Section 3.1.

   Core Attributes
      A resource's core attributes are those attributes that sit at the
      top level of the JSON object together with the common attributes
      (such as the resource "id"). The list of valid attributes is
      specified by the resource's resource type "schema" attribute (see
      Section 6). This same value is also present in the resource's
      "schemas" attribute.

   Extended Attributes
      Extended schema attributes are specified by the resource's
      resource type "schemaExtensions" attribute (see Section 6).
      Unlike core attributes, extended attributes are kept in their own
      sub-attribute namespace identified by the schema extension URI.
      This avoids attribute name conflicts that may arise between
      separate schema extensions.
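   A receiver that takes the components above literally has two checks to
   make before it looks at any attribute value: that "schemas" names only
   the schema and extensions the resource type permits, and that every
   top-level key is either a common or core attribute name (Figure 1
   ABNF, matched case-insensitively) or the URI of a declared extension
   namespace. The following is an added example, not code from this draft
   or from any SCIM server, that performs both checks in Python.
   USER_RESOURCE_TYPE is a constructed stand-in shaped like the Section 6
   ResourceType, SAMPLE_USER is a constructed subset of the Figure 2
   resource, and the function and bucket names are this example's own.

```python
"""Added example (not from the draft): enforce the "schemas" rules of
Section 3 and separate common, core and extension attributes."""
import re

# Figure 1: ATTRNAME = ALPHA *(nameChar); nameChar = "$" / "-" / "_" / DIGIT / ALPHA
_ATTRNAME = re.compile(r"^[A-Za-z][A-Za-z0-9$_-]*$")

COMMON_ATTRIBUTES = {"schemas", "id", "externalid", "meta"}  # lower-cased

USER_RESOURCE_TYPE = {  # constructed, shaped like a Section 6 ResourceType
    "id": "User",
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "schemaExtensions": [
        {"schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
         "required": False},
    ],
}


def check_schemas(resource, resource_type):
    """"schemas" per Section 3: present, non-empty array of unique string
    URIs, only values the ResourceType lists as "schema" or
    "schemaExtensions", and the base schema always among them."""
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        return ['"schemas" must be a non-empty array']
    if not all(isinstance(s, str) for s in schemas):
        return ['"schemas" values must be strings']
    problems = []
    if len(set(schemas)) != len(schemas):
        problems.append('duplicate value in "schemas"')
    extensions = resource_type.get("schemaExtensions", [])
    allowed = {resource_type["schema"]} | {e["schema"] for e in extensions}
    problems += [f"{uri!r} is not a schema of {resource_type['id']}"
                 for uri in schemas if uri not in allowed]
    if resource_type["schema"] not in schemas:
        problems.append('base schema missing from "schemas"')
    problems += [f"required extension {e['schema']!r} missing"
                 for e in extensions
                 if e.get("required") and e["schema"] not in schemas]
    return problems


def partition_attributes(resource, resource_type):
    """Sort top-level keys into common, core and extension attributes.
    A key equal to a declared extension URI is a namespace container;
    any other key must be a valid, not-yet-seen attribute name."""
    extension_uris = {e["schema"] for e in resource_type.get("schemaExtensions", [])}
    groups = {"common": {}, "core": {}, "extension": {}, "invalid": []}
    seen = {}  # lower-cased name -> name as sent
    for name, value in resource.items():
        if name in extension_uris:
            if isinstance(value, dict):
                groups["extension"][name] = value
            else:
                groups["invalid"].append(f"{name}: extension must be a JSON object")
        elif not _ATTRNAME.match(name):  # also catches undeclared "urn:..." keys
            groups["invalid"].append(f"{name!r}: not a valid attribute name")
        elif name.lower() in seen:  # "userName" and "USERNAME" are one name
            groups["invalid"].append(f"{name!r} duplicates {seen[name.lower()]!r}")
        else:
            seen[name.lower()] = name
            bucket = "common" if name.lower() in COMMON_ATTRIBUTES else "core"
            groups[bucket][name] = value
    return groups


SAMPLE_USER = {  # constructed subset of the Figure 2 resource
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "id": "2819c223-7f76-453a-413861904646",
    "externalId": "701984",
    "userName": "bjensen@example.com",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "701984", "costCenter": "4130"},
    "meta": {"resourceType": "User"},
}
```

   Two of the "invalid" outcomes matter most to a server: a key that is an
   undeclared URN (an extension the resource type never registered, so its
   attributes have no definition to validate against) and two keys that
   differ only in case (a JSON parser keeps both, but Section 2.1 makes
   them the same attribute, so one of them would silently win).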
   The following example "User" contains the common attributes "id",
   "externalId", and the complex attribute "meta", which contains the
   sub-attribute "resourceType". The resource also contains the core
   attributes "userName" and "name", as well as the extended enterprise
   user attributes "employeeNumber" and "costCenter", which are
   contained in their own JSON sub-structure identified by their schema
   URI. Some values have been omitted (...), shortened, or spaced out
   for clarity.

   {
     "schemas":
       [ "urn:ietf:params:scim:schemas:core:2.0:User",
         "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],

     "id": "2819c223-7f76-453a-413861904646",
     "externalId": "701984",

     "userName": "bjensen@example.com",
     "name": {
       "formatted": "Ms. Barbara J Jensen III",
       "familyName": "Jensen",
       "givenName": "Barbara",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     ...

     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
       "employeeNumber": "701984",
       "costCenter": "4130",
       ...
     },

     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff591\"",
       "location":
         "https://example.com/v2/Users/2819c223-7f76-453a-413861904646"
     }
   }

                 Figure 2: Example JSON Resource Structure

3.1. Common Attributes

   Each SCIM resource (Users, Groups, etc.) includes the following
   common attributes. With the exception of the "ServiceProviderConfig"
   and "ResourceType" server discovery endpoints and their associated
   resources, these attributes MUST be included in all resources,
   including any extended resource types. Common attributes are
   considered to be part of every base resource schema, do not use
   their own schemas URI, and SHALL NOT be considered schema extensions.
   For backwards compatibility reasons, some existing schemas MAY list
   common attributes as part of the schema. The attribute
   characteristics listed here SHALL take precedence.

   id
      A unique identifier for a SCIM resource as defined by the Service
      Provider. Each representation of the resource MUST include a
      non-empty "id" value. This identifier MUST be unique across the
      SCIM Service Provider's entire set of resources. It MUST be a
      stable, non-reassignable identifier that does not change when the
      same resource is returned in subsequent requests. The value of
      the "id" attribute is always issued by the Service Provider and
      MUST NOT be specified by the client. The string "bulkId" is a
      reserved keyword and MUST NOT be used within any unique identifier
      value. The attribute characteristics are "caseExact" as "true"
      and a mutability of "readOnly". See Section 9 for additional
      considerations regarding privacy.

   externalId
      A String that is an identifier for the resource as defined by the
      provisioning client. The "externalId" may simplify identification
      of a resource between the provisioning Client and the Service
      Provider by allowing the Client to use a filter to locate the
      resource with an identifier from the provisioning domain,
      obviating the need to store a local mapping between the
      provisioning domain's identifier of the resource and the
      identifier used by the Service Provider. Each resource MAY
      include a non-empty "externalId" value. The value of the
      "externalId" attribute is always issued by the provisioning Client
      and MUST NOT be specified by the Service Provider. The Service
      Provider MUST always interpret the externalId as scoped to the
      provisioning domain. While the server does not enforce
      uniqueness, it is assumed that the value's uniqueness is
      controlled by the Client setting the value.
      See Section 9 for additional considerations regarding privacy.
      The attribute has "caseExact" as "true" and has a mutability of
      "readWrite". The attribute is OPTIONAL.

   meta
      A complex attribute containing resource metadata. All meta
      sub-attributes are asserted by the Service Provider and SHALL be
      ignored when provided by clients:

      resourceType  The name of the resource type of the resource. This
         attribute has mutability of "readOnly" and has "caseExact" as
         "true". The attribute is REQUIRED when provided by the Service
         Provider.

      created  The DateTime the resource was added to the Service
         Provider. The attribute MUST be a DateTime. This attribute
         has mutability of "readOnly".

      lastModified  The most recent DateTime the details of this
         resource were updated at the Service Provider. If this
         resource has never been modified since its initial creation,
         the value MUST be the same as the value of "created". The
         attribute MUST be a DateTime and has mutability of "readOnly".
         The attribute is REQUIRED when provided by the Service
         Provider.

      location  The URI of the resource being returned. This value MUST
         be the same as the "Content-Location" HTTP response header (see
         Section 3.1.4.2 of [RFC7231]). The attribute has mutability of
         "readOnly". The attribute is REQUIRED when provided by the
         Service Provider.

      version  The version of the resource being returned. This value
         must be the same as the ETag HTTP response header (see Sections
         2.1 and 2.3 of [RFC7232]). The attribute has mutability of
         "readOnly" and has "caseExact" as "true". The attribute is
         OPTIONAL, subject to the Service Provider's support for
         versioning (see "Versioning Resources", Section 3.14 of
         [I-D.ietf-scim-api]).
If a Service Provider provides "version" 680 (entity-tag) for a representation and the generation of that 681 entity-tag does not satisfy all of the characteristics of a 682 strong validator (see Section 2.1, [RFC7232]), then the origin 683 server MUST mark the "version" (entity-tag) as weak by 684 prefixing its opaque value with "W/" (case-sensitive). 686 3.2. Defining New Resource Types 688 SCIM may be extended to define new classes of resources by defining a 689 resource type. Each resource type defines the name, endpoint, base 690 schema (the attributes), and any schema extensions registered for use 691 with the resource type. In order to offer new types of resources, a 692 Service Provider defines the new resource type as specified in 693 Section 6 and defines a schema representation (see Section 8.7). 695 3.3. Attribute Extensions to Resources 697 SCIM allows resource types to have extensions in addition to their 698 core schema. This is similar to how "ObjectClasses" are used in 699 LDAP. However, unlike LDAP there is no inheritance model; all 700 extensions are additive (similar to LDAP Auxiliary Object Class 701 [RFC4512] ). Each value in the "schemas" attribute indicates 702 additive schema that MAY exist in a SCIM resource representation. 703 The "schemas" attribute MUST contain at least one value which SHALL 704 be the base schema for the resource. The "schemas" attribute MAY 705 contain additional values indicating extended schemas that are in 706 use. Schema extensions SHOULD avoid redefining any attributes 707 defined in this specification and SHOULD follow conventions defined 708 in this specification. Except for the base object schema, the schema 709 extension URI SHALL be used as a JSON container to distinguish 710 attributes belonging to the extension namespace from base schema 711 attributes. See Figure 5 for an example of the JSON representation 712 of an extended User. 
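   The namespacing rule just described, as an added example that is not
   part of the draft: a server-side check that "schemas" names the base
   schema, that every listed extension is registered for the resource
   type and appears as a JSON container keyed by its URI, and that no
   extension attribute leaks into the base namespace.  The
   "ResourceType" definition, the core attribute list and both sample
   resources are constructed here; the ResourceType follows the shape
   given in Section 6.

```python
# Added example (not from the SCIM draft): validating the "schemas"
# attribute and extension namespacing of Section 3.3 against a
# "ResourceType" definition of the shape given in Section 6.
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed "ResourceType" for User (Section 6 layout).  "required" on an
# extension means a resource of this type MUST carry that extension.
USER_RESOURCE_TYPE = {
    "id": "User",
    "name": "User",
    "endpoint": "/Users",
    "schema": CORE_USER,
    "schemaExtensions": [{"schema": ENTERPRISE_USER, "required": False}],
}

# Top-level attribute names of the core User schema (common attributes
# plus Section 4.1).
CORE_USER_ATTRIBUTES = {
    "schemas", "id", "externalId", "meta", "userName", "name", "displayName",
    "nickName", "profileUrl", "title", "userType", "preferredLanguage",
    "locale", "timezone", "active", "password", "emails", "phoneNumbers",
    "ims", "photos", "addresses", "groups", "entitlements", "roles",
    "x509Certificates",
}


def check_schemas(resource, resource_type, core_attributes=CORE_USER_ATTRIBUTES):
    """Return a list of problems with a resource's schema declarations.

    An empty list means: "schemas" names the base schema, every listed
    extension is registered for the resource type and is present as a JSON
    container keyed by its URI, required extensions are present, and no
    extension attribute sits in the base-schema namespace.
    """
    problems = []
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        return ['"schemas" MUST contain at least one value']

    base = resource_type["schema"]
    if base not in schemas:
        problems.append(f'base schema {base} is not listed in "schemas"')

    registered = {e["schema"]: e["required"]
                  for e in resource_type.get("schemaExtensions", [])}

    for uri in schemas:
        if uri == base:
            continue
        if uri not in registered:
            problems.append(f"{uri} is not an extension of {resource_type['name']}")
        elif not isinstance(resource.get(uri), dict):
            problems.append(f"{uri} is listed but its JSON container is missing")

    for uri, required in registered.items():
        if required and uri not in schemas:
            problems.append(f"required extension {uri} is missing")

    for key, value in resource.items():
        if key in registered:
            if key not in schemas:
                problems.append(f'container {key} present but not listed in "schemas"')
            if isinstance(value, dict):
                for sub in value:  # extensions SHOULD NOT redefine core attributes
                    if sub in core_attributes:
                        problems.append(f"extension {key} redefines core attribute {sub!r}")
        elif key not in core_attributes:
            problems.append(
                f"{key!r} is not a core attribute; extension attributes belong "
                f"under their schema URI container")
    return problems


# Constructed resources: the first namespaces the enterprise attributes
# correctly, the second leaks "employeeNumber" into the base namespace.
WELL_FORMED = json.loads("""{
  "schemas": ["%s", "%s"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "userName": "bjensen@example.com",
  "%s": {"employeeNumber": "701984", "department": "Tour Operations"}
}""" % (CORE_USER, ENTERPRISE_USER, ENTERPRISE_USER))

LEAKY = json.loads("""{
  "schemas": ["%s"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "userName": "bjensen@example.com",
  "employeeNumber": "701984"
}""" % CORE_USER)

if __name__ == "__main__":
    for label, res in (("well-formed", WELL_FORMED), ("leaky", LEAKY)):
        print(label, check_schemas(res, USER_RESOURCE_TYPE) or "ok")
```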
   In order to determine which URI value in the "schemas" attribute is
   the base schema and which is extended schema for any given resource,
   the resource's "resourceType" attribute value MAY be used to retrieve
   the resource's "ResourceType" schema (Section 6).  See the example
   "ResourceType" representation in Figure 8.

4.  SCIM Core Resources and Extensions

   This section defines the default resource schemas present in a SCIM
   server.  SCIM is not exclusive to these resources, and may be
   extended to support other resource types (see Section 3.2).

4.1.  User Resource Schema

   SCIM provides a resource type for "User" resources.  The core schema
   for "User" is identified using the URI:
   "urn:ietf:params:scim:schemas:core:2.0:User".  The following
   attributes are defined in addition to the core schema attributes:

4.1.1.  Singular Attributes

   userName
      A Service Provider unique identifier for the user, typically used
      by the user to directly authenticate to the service provider.
      Often displayed to the user as their unique identifier within the
      system (as opposed to "id" or "externalId", which are generally
      opaque and not user-friendly identifiers).  Each User MUST include
      a non-empty userName value.  This identifier MUST be unique across
      the service provider's entire set of Users.  The attribute is
      REQUIRED and is case-insensitive.

   name
      The components of the user's real name.  Service providers MAY
      return just the full name as a single string in the formatted
      sub-attribute, or they MAY return just the individual component
      attributes using the other sub-attributes, or they MAY return
      both.  If both variants are returned, they SHOULD be describing
      the same name, with the formatted name indicating how the
      component attributes should be combined.

      formatted  The full name, including all middle names, titles, and
         suffixes as appropriate, formatted for display (e.g., "Ms.
         Barbara Jane Jensen, III.").

      familyName  The family name of the User, or last name in most
         Western languages (e.g., "Jensen" given the full name "Ms.
         Barbara Jane Jensen, III.").

      givenName  The given name of the User, or first name in most
         Western languages (e.g., "Barbara" given the full name "Ms.
         Barbara Jane Jensen, III.").

      middleName  The middle name(s) of the User (e.g., "Jane" given the
         full name "Ms. Barbara Jane Jensen, III.").

      honorificPrefix  The honorific prefix(es) of the User, or title in
         most Western languages (e.g., "Ms." given the full name "Ms.
         Barbara Jane Jensen, III.").

      honorificSuffix  The honorific suffix(es) of the User, or suffix
         in most Western languages (e.g., "III." given the full name
         "Ms. Barbara Jane Jensen, III.").

   displayName
      The name of the user, suitable for display to end-users.  Each
      user returned MAY include a non-empty displayName value.  The name
      SHOULD be the full name of the User being described if known
      (e.g., "Babs Jensen" or "Ms. Barbara J Jensen, III"), but MAY be
      a username or handle, if that is all that is available (e.g.,
      "bjensen").  The value provided SHOULD be the primary textual
      label by which this User is normally displayed by the Service
      Provider when presenting it to end-users.

   nickName
      The casual way to address the user in real life, e.g., "Bob" or
      "Bobby" instead of "Robert".  This attribute SHOULD NOT be used to
      represent a User's username (e.g., bjensen or mpepperidge).

   profileUrl
      A URI that is a uniform resource locator (as defined in
      Section 1.1.3 of [RFC3986]) that points to a location representing
      the user's online profile (e.g., a web page).

   title
      The user's title, such as "Vice President".

   userType
      Used to identify the organization-to-user relationship.  Typical
      values used might be "Contractor", "Employee", "Intern", "Temp",
      "External", and "Unknown", but any value may be used.

   preferredLanguage
      Indicates the user's preferred written or spoken languages and is
      generally used for selecting a localized User interface.  The
      value indicates the set of natural languages that are preferred.
      The format of the value is the same as the Accept-Language header
      field (not including "Accept-Language:") of HTTP and is specified
      in Section 5.3.5 of [RFC7231].  The intent of this value is to
      enable cloud applications to perform matching of language tags
      [RFC4647] to the user's language preferences regardless of what
      may be indicated by a user agent (which might be shared), or in a
      non-user-present interaction (such as in a delegated OAuth2
      [RFC6749] style interaction) where normal HTTP Accept-Language
      header negotiation cannot take place.

   locale
      Used to indicate the User's default location for purposes of
      localizing items such as currency, date and time format, numerical
      representations, etc.  A valid value is a language tag as defined
      in [RFC5646].  Computer languages are explicitly excluded.

      A language tag is a sequence of one or more case-insensitive
      sub-tags, each separated by a hyphen character ("-", %x2D).  For
      backwards compatibility reasons, servers MAY accept tags separated
      by an underscore character ("_", %x5F).  In most cases, a language
      tag consists of a primary language sub-tag that identifies a broad
      family of related languages (e.g., "en" = English), which is
      optionally followed by a series of sub-tags that refine or narrow
      that language's range (e.g., "en-CA" = the variety of English as
      communicated in Canada).  Whitespace is not allowed within a
      language tag.  Example tags include:

         fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN

      See [RFC5646] for further information.

   timezone
      The User's time zone in IANA Time Zone database format [RFC6557],
      also known as the "Olson" time zone database format [Olson-TZ];
      for example, "America/Los_Angeles".

   active
      A Boolean value indicating the user's administrative status.  The
      definitive meaning of this attribute is determined by the service
      provider.  As a typical example, a value of true implies the user
      is able to log in, while a value of false implies the user's
      account has been suspended.

   password
      The user's clear text password.  This attribute is intended to be
      used as a means to specify an initial password when creating a new
      User or to reset an existing User's password.  Password policies
      and the ability to update or set passwords are out of scope of
      this document.  The mutability of this attribute is "writeOnly",
      indicating the value MUST NOT be returned by a Service Provider in
      any form (the attribute characteristic "returned" is "never").
      Please see Sections 7.5 and 7.6 of [I-D.ietf-scim-api] for
      security considerations regarding the handling of passwords.

4.1.2.  Multi-valued Attributes

   The following multi-valued attributes are defined.

   emails
      E-mail addresses for the User.  The value SHOULD be specified
      according to [RFC5321].  Service providers SHOULD canonicalize the
      value according to [RFC5321], e.g., "bjensen@example.com" instead
      of "bjensen@EXAMPLE.COM".  The "display" sub-attribute MAY be used
      to return the canonicalized representation of the e-mail value.
      The "type" sub-attribute contains values of "work", "home", and
      "other", and MAY allow more types to be defined by the SCIM
      clients.

   phoneNumbers
      Phone numbers for the user.  The value SHOULD be specified
      according to the format in [RFC3966], e.g., 'tel:+1-201-555-0123'.
      Service providers SHOULD canonicalize the value according to
      [RFC3966] format, when appropriate.  The "display" sub-attribute
      MAY be used to return the canonicalized representation of the
      phone number value.  The sub-attribute "type" often has typical
      values of "work", "home", "mobile", "fax", "pager", and "other",
      and MAY allow more types to be defined by the SCIM clients.

   ims
      Instant messaging addresses for the user.  No official
      canonicalization rules exist for all instant messaging addresses,
      but service providers SHOULD, when appropriate, remove all
      whitespace and convert the address to lowercase.  The "type"
      attribute defines several "canonicalValues" to represent currently
      popular IM services: "aim", "gtalk", "icq", "xmpp", "msn",
      "skype", "qq", "yahoo", and "other".

   photos
      A URI that is a uniform resource locator (as defined in
      Section 1.1.3 of [RFC3986]) that points to a resource location
      representing the user's image.  The resource MUST be a file (e.g.,
      a GIF, JPEG, or PNG image file) rather than a web page containing
      an image.  Service providers MAY return the same image at
      different sizes, though it is recognized that no standard for
      describing images of various sizes currently exists.  Note that
      this attribute SHOULD NOT be used to send down arbitrary photos
      taken by this user, but specifically profile photos of the user
      suitable for display when describing the user.  Instead of the
      standard canonical values for type, this attribute defines the
      following canonical values to represent popular photo sizes:
      "photo", "thumbnail".

   addresses
      A physical mailing address for this user.  Canonical type values
      of "work", "home", and "other".  The value attribute is a complex
      type with the following sub-attributes.  All sub-attributes are
      OPTIONAL.

      formatted  The full mailing address, formatted for display or use
         with a mailing label.  This attribute MAY contain newlines.

      streetAddress  The full street address component, which may
         include house number, street name, P.O. box, and multi-line
         extended street address information.  This attribute MAY
         contain newlines.

      locality  The city or locality component.

      region  The state or region component.

      postalCode  The ZIP code or postal code component.

      country  The country name component.  When specified, the value
         MUST be in ISO 3166-1 alpha-2 "short" code format [ISO3166];
         e.g., the United States and Sweden are "US" and "SE",
         respectively.

   groups
      A list of groups that the user belongs to, either through direct
      membership, nested groups, or dynamically calculated.  The values
      are meant to enable expression of common group- or role-based
      access control models, although no explicit authorization model is
      defined.  It is intended that the semantics of group membership
      and any behavior or authorization granted as a result of
      membership are defined by the service provider.  The canonical
      types "direct" and "indirect" are defined to describe how the
      group membership was derived.  Direct group membership indicates
      the user is directly associated with the group and SHOULD indicate
      that clients may modify membership through the "Group" resource.
      Indirect membership indicates user membership is transitive or
      dynamic and implies that clients cannot modify indirect group
      membership through the "Group" resource but MAY modify direct
      group membership through the "Group" resource, which MAY influence
      indirect memberships.  If the SCIM Service Provider exposes a
      Group resource, the "value" sub-attribute MUST be the "id" and the
      "$ref" sub-attribute must be the URI of the corresponding "Group"
      resources to which the user belongs.  Since this attribute has a
      mutability of "readOnly", group membership changes MUST be applied
      via the Group Resource (Section 4.2).

   entitlements
      A list of entitlements for the user that represent a thing the
      user has.  An entitlement MAY be an additional right to a thing,
      object, or service.  No vocabulary or syntax is specified, and
      service providers and clients are expected to encode sufficient
      information in the value so as to accurately and without ambiguity
      determine what the user has access to.  This value has no
      canonical types, though type may be useful as a means to scope
      entitlements.

   roles
      A list of roles for the user that collectively represent who the
      user is; e.g., "Student, Faculty".  No vocabulary or syntax is
      specified, though it is expected that a role value is a String or
      label representing a collection of entitlements.  This value has
      no canonical types.

   x509Certificates
      A list of certificates associated with the resource (e.g., a
      User).  Each certificate is a DER-encoded X.509 certificate (see
      Section 4 of [RFC5280]), which MUST be base64 encoded per
      Section 4 of [RFC4648].

4.2.  Group Resource Schema

   SCIM provides a schema for representing groups, identified using the
   following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group".

   Group resources are meant to enable expression of common group- or
   role-based access control models, although no explicit authorization
   model is defined.  It is intended that the semantics of group
   membership and any behavior or authorization granted as a result of
   membership are defined by the service provider, and are considered
   out of scope for this specification.

   The following singular attribute is defined in addition to the common
   attributes defined in SCIM core schema:

   displayName
      A human-readable name for the Group.  REQUIRED.
   The following multi-valued attribute is defined in addition to the
   common attributes defined in SCIM Core Schema:

   members
      A list of members of the Group.  While values MAY be added or
      removed, sub-attributes of members are "immutable".  The "value"
      sub-attribute must be the "id" and the "$ref" sub-attribute must
      be the URI of a SCIM resource, either a "User" or a "Group".  The
      intention of the "Group" type is to allow the Service Provider to
      support nested groups.  Service providers MAY require clients to
      provide a non-empty members value based on the "required"
      sub-attribute of the "members" attribute in the "Group" resource
      schema.

4.3.  Enterprise User Schema Extension

   The following SCIM extension defines attributes commonly used in
   representing users that belong to, or act on behalf of, a business or
   enterprise.  The enterprise user extension is identified using the
   following schema URI:
   "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User".

   The following Singular Attributes are defined:

   employeeNumber
      A string identifier, typically numeric or alphanumeric, assigned
      to a person, typically based on order of hire or association with
      an organization.

   costCenter
      Identifies the name of a cost center.

   organization
      Identifies the name of an organization.

   division
      Identifies the name of a division.

   department
      Identifies the name of a department.

   manager
      The user's manager.  A complex type that optionally allows service
      providers to represent organizational hierarchy by referencing the
      "id" attribute of another User.

      value  The "id" of the SCIM resource representing the user's
         manager.  RECOMMENDED.

      $ref  The URI of the SCIM resource representing the User's
         manager.  RECOMMENDED.

      displayName  The displayName of the user's manager.  This
         attribute is OPTIONAL and mutability is "readOnly".

5.  Service Provider Configuration Schema

   SCIM provides a schema for representing the service provider's
   configuration, identified using the following schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig".

   The Service Provider configuration resource enables a Service
   Provider to discover SCIM specification features in a standardized
   form as well as provide additional implementation details to clients.
   All attributes have a mutability of "readOnly".  Unlike other core
   resources, the "id" attribute is not required for the Service
   Provider configuration resource.

   The following Singular Attributes are defined in addition to the
   common attributes defined in Core Schema:

   documentationUrl
      An HTTP-addressable URL pointing to the service provider's
      human-consumable help documentation.

   patch
      A complex type that specifies PATCH configuration options.
      REQUIRED.  See Section 3.5.2 of [I-D.ietf-scim-api].

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

   bulk
      A complex type that specifies Bulk configuration options.
      REQUIRED.

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.  See Section 3.7 of [I-D.ietf-scim-api].

      maxOperations  An integer value specifying the maximum number of
         operations.  REQUIRED.

      maxPayloadSize  An integer value specifying the maximum payload
         size in bytes.  REQUIRED.

   filter
      A complex type that specifies FILTER options.  REQUIRED.  See
      Section 3.4.2.2 of [I-D.ietf-scim-api].

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

      maxResults  Integer value specifying the maximum number of
         resources returned in a response.  REQUIRED.

   changePassword
      A complex type that specifies Change Password configuration
      options.  REQUIRED.

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

   sort
      A complex type that specifies Sort configuration options.
      REQUIRED.

      supported  Boolean value specifying whether sorting is supported.
         REQUIRED.

   etag
      A complex type that specifies ETag configuration options.
      REQUIRED.

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

   The following multi-valued attribute is defined in addition to the
   common attributes defined in core schema:

   authenticationSchemes
      A complex type that specifies supported Authentication Scheme
      properties.  This attribute defines the following canonical values
      to represent common schemes: "oauth", "oauth2",
      "oauthbearertoken", "httpbasic", and "httpdigest".  To enable
      seamless discovery of configuration, the Service Provider SHOULD,
      with the appropriate security considerations, make the
      authenticationSchemes attribute publicly accessible without prior
      authentication.  REQUIRED.

      name  The common authentication scheme name; e.g., HTTP Basic.
         REQUIRED.

      description  A description of the Authentication Scheme.
         REQUIRED.

      specUrl  An HTTP-addressable URL pointing to the Authentication
         Scheme's specification.  OPTIONAL.

      documentationUrl  An HTTP-addressable URL pointing to the
         Authentication Scheme's usage documentation.  OPTIONAL.

6.  ResourceType Schema

   The "ResourceType" schema specifies the metadata about a resource
   type.  Resource type resources are READ-ONLY and identified using the
   following schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:ResourceType".  Unlike other
   core resources, all attributes are REQUIRED unless otherwise
   specified.  The "id" attribute is not required for the resource type
   resource.

   The following Singular Attributes are defined:

   id
      The resource type's server unique id.  Often this is the same
      value as the "name" attribute.  OPTIONAL.

   name
      The resource type name.  When applicable, service providers MUST
      specify the name specified in the core schema specification; e.g.,
      "User" or "Group".  This name is referenced by the
      "meta.resourceType" attribute in all resources.

   description
      The resource type's human-readable description.  When applicable,
      service providers MUST specify the description specified in the
      core schema specification.

   endpoint
      The resource type's HTTP-addressable endpoint relative to the Base
      URL of the service provider; e.g., "Users".

   schema
      The resource type's primary/base schema URI; e.g.,
      "urn:ietf:params:scim:schemas:core:2.0:User".  This MUST be equal
      to the "id" attribute of the associated "Schema" resource.

   schemaExtensions
      A list of URIs of the resource type's schema extensions.
      OPTIONAL.

      schema  The URI of an extended schema; e.g., "urn:edu:2.0:Staff".
         This MUST be equal to the "id" attribute of a "Schema"
         resource.  REQUIRED.

      required  A Boolean value that specifies whether the schema
         extension is required for the resource type.  If true, a
         resource of this type MUST include this schema extension and
         include any attributes declared as required in this schema
         extension.  If false, a resource of this type MAY omit this
         schema extension.  REQUIRED.

7.  Schema Definition

   This section defines a way to specify the schema in use by resources
   available and accepted by a SCIM service provider.  For each
   "schemas" URI value, this schema specifies the defined attribute(s)
   and their characteristics (mutability, returnability, etc.).  For
   every schema URI used in a resource object, there is a corresponding
   "Schema" resource.  "Schema" resources have mutability of "readOnly"
   and are identified using the following schema URI:

      urn:ietf:params:scim:schemas:core:2.0:Schema

   Unlike other core resources, the "Schema" resource MAY contain a
   complex object within a sub-attribute, and all attributes are
   REQUIRED unless otherwise specified.

   The following Singular Attributes are defined:

   id
      The unique URI of the schema.  When applicable, service providers
      MUST specify the URI specified in the core schema specification;
      e.g., "urn:ietf:params:scim:schemas:core:2.0:User".  Unlike most
      other schemas, which use some sort of a GUID for the "id", the
      schema "id" is a URI so that it can be registered and is portable
      between different service providers and clients.

   name
      The schema's human-readable name.  When applicable, service
      providers MUST specify the name specified in the core schema
      specification; e.g., "User" or "Group".  OPTIONAL.

   description
      The schema's human-readable description.  When applicable, service
      providers MUST specify the description specified in the core
      schema specification.  OPTIONAL.

   The following multi-valued attribute is defined:

   attributes
      A complex type with the following set of sub-attributes that
      defines Service Provider attributes and their qualities:

      name  The attribute's name.

      type  The attribute's data type.  Valid values are: "string",
         "boolean", "decimal", "integer", "dateTime", "reference", and
         "complex".  When an attribute is of type "complex", there
         SHOULD be a corresponding schema attribute "subAttributes"
         defined listing the sub-attributes of the attribute.

      subAttributes  When an attribute is of type "complex",
         "subAttributes" defines the set of sub-attributes.
         "subAttributes" has the same schema sub-attributes as
         "attributes".

      multiValued  Boolean value indicating the attribute's plurality.

      description  The attribute's human-readable description.  When
         applicable, service providers MUST specify the description
         specified in the core schema specification.

      required  A Boolean value that specifies if the attribute is
         required.

      canonicalValues  A collection of suggested canonical values that
         MAY be used.  Example: "work" and "home".  In some cases
         service providers MAY choose to ignore unsupported values.  The
         use of canonicalValues is OPTIONAL.

      caseExact  A Boolean value that specifies if the String attribute
         is case sensitive.  The server SHALL use case sensitivity when
         evaluating filters.  For attributes that are case exact, the
         server SHALL preserve case for any value submitted.  If the
         attribute is case insensitive, the server MAY alter case for a
         submitted value.  Case sensitivity also impacts how attribute
         values MAY be compared against filter values (see Section
         3.4.2.2 of [I-D.ietf-scim-api]).

      mutability  A single keyword indicating the circumstances under
         which the value of the attribute can be (re)defined:

         readOnly  The attribute SHALL NOT be modified.

         readWrite  The attribute MAY be updated and read at any time.
            DEFAULT.

         immutable  The attribute MAY be defined at resource creation
            (e.g., POST) or at record replacement via request (e.g., a
            PUT).  The attribute SHALL NOT be updated.

         writeOnly  The attribute MAY be updated at any time.  Attribute
            values SHALL NOT be returned (e.g., because the value is a
            stored hash).  Note: an attribute with mutability of
            "writeOnly" usually also has a returned setting of "never".

      returned  A single keyword that indicates when an attribute and
         associated values are returned in response to a GET request or
         in response to a PUT, POST, or PATCH request.  Valid keywords
         are:

         always  The attribute is always returned regardless of the
            contents of the "attributes" parameter.  For example, "id"
            is always returned to identify a SCIM resource.

         never  The attribute is never returned.  This may occur because
            the original attribute value is not retained by the Service
            Provider (e.g., a hashed value).  A Service Provider MAY
            allow attributes to be used in a search filter.

         default  The attribute is returned by default in all SCIM
            operation responses where attribute values are returned.  If
            the GET request "attributes" parameter is specified,
            attribute values are only returned if the attribute is named
            in the attributes parameter.  DEFAULT.

         request  The attribute is returned in response to any PUT,
            POST, or PATCH operations if the attribute was specified by
            the Client (for example, the attribute was modified).  The
            attribute is returned in a SCIM query operation only if
            specified in the "attributes" parameter.

      uniqueness  A single keyword value that specifies how the Service
         Provider enforces uniqueness of attribute values.  A server MAY
         reject an invalid value based on uniqueness by returning HTTP
         Response code 400 (Bad Request).  A Client MAY enforce
         uniqueness on the client-side to a greater degree than the
         Service Provider enforces.  For example, a Client could make a
         value unique while the server has uniqueness of "none".  Valid
         keywords are:

         none  The values are not intended to be unique in any way.
            DEFAULT.

         server  The value SHOULD be unique within the context of the
            current SCIM endpoint (or tenancy) and MAY be globally
            unique (e.g., a "username", email address, or other server
            generated key or counter).  No two resources on the same
            server SHOULD possess the same value.

         global  The value SHOULD be globally unique (e.g., an email
            address, a GUID, or other value).  No two resources on any
            server SHOULD possess the same value.
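   As an added example that is not part of the draft, the following
   sketch applies the "mutability", "returned" and "uniqueness"
   keywords above to a client write and to the representation the
   server sends back: client-supplied readOnly attributes such as "id"
   and "groups" are dropped, an immutable attribute cannot be changed
   after creation, a "server"-unique value that collides is rejected,
   and a writeOnly/never attribute such as "password" is never echoed.
   The reduced attribute table and the "legacyId" attribute are
   constructed for illustration.

```python
# Added example (not from the SCIM draft): a server-side sketch of how the
# "mutability", "returned" and "uniqueness" characteristics of Section 7
# govern what a client may write and what the server echoes back.
from copy import deepcopy

# Constructed subset of the core User "Schema" resource's "attributes",
# reduced to the characteristics this example uses.  Draft defaults:
# mutability "readWrite", returned "default", uniqueness "none".
USER_SCHEMA = {
    "id":          {"mutability": "readOnly",  "returned": "always", "uniqueness": "server"},
    "externalId":  {"mutability": "readWrite", "returned": "default"},
    "userName":    {"mutability": "readWrite", "returned": "default", "uniqueness": "server"},
    "displayName": {"mutability": "readWrite", "returned": "default"},
    "password":    {"mutability": "writeOnly", "returned": "never"},
    "groups":      {"mutability": "readOnly",  "returned": "default"},
    "meta":        {"mutability": "readOnly",  "returned": "default"},
    # "legacyId" is a constructed attribute, present only to exercise
    # mutability "immutable" and returned "request".
    "legacyId":    {"mutability": "immutable", "returned": "request"},
}


class SchemaViolation(Exception):
    """Raised where the draft permits an HTTP 400 (Bad Request) answer."""


def apply_client_write(schema, existing, payload, op, others=()):
    """Merge a client payload into `existing` according to "mutability".

    `op` is "create" (POST), "replace" (PUT) or "update" (PATCH).
    `others` are the server's other resources of this type, consulted for
    uniqueness "server"/"global".  Returns (resource, ignored), where
    `ignored` lists client-supplied readOnly attributes the server dropped
    instead of honouring (the draft says they SHALL be ignored).
    """
    resource = deepcopy(existing)
    ignored = []
    for name, value in payload.items():
        if name == "schemas":
            resource[name] = value
            continue
        if name not in schema:
            raise SchemaViolation(f"unknown attribute {name!r}")
        char = schema[name]
        mutability = char.get("mutability", "readWrite")
        if mutability == "readOnly":
            ignored.append(name)      # id, meta, groups: asserted by the server only
            continue
        if mutability == "immutable":
            # MAY be defined on POST or PUT; SHALL NOT be updated afterwards.
            if op == "update" or (name in existing and existing[name] != value):
                raise SchemaViolation(f"{name!r} is immutable")
        if char.get("uniqueness", "none") in ("server", "global"):
            clash = any(o.get(name) == value and o.get("id") != existing.get("id")
                        for o in others)
            if clash:
                raise SchemaViolation(f"{name!r}={value!r} violates uniqueness")
        resource[name] = value        # readWrite, writeOnly, or first-time immutable
    return resource, ignored


def render(schema, resource, attributes=None, client_set=()):
    """Build the representation the server returns, according to "returned".

    `attributes` is the request's "attributes" parameter (None when absent);
    `client_set` names attributes the client supplied in a PUT/POST/PATCH,
    which is what brings a returned="request" attribute back.
    """
    out = {}
    for name, value in resource.items():
        returned = schema.get(name, {}).get("returned", "default")
        if name == "schemas" or returned == "always":
            out[name] = value                 # e.g. "id" identifies the resource
        elif returned == "never":
            continue                          # e.g. "password": not in any form
        elif returned == "default":
            if attributes is None or name in attributes:
                out[name] = value
        elif returned == "request":
            if (attributes is not None and name in attributes) or name in client_set:
                out[name] = value
    return out


if __name__ == "__main__":
    # Constructed stored resource and a PATCH that tries to pick its own id
    # and group membership while setting a password.
    stored = {"id": "u1", "userName": "bjensen@example.com", "legacyId": "L-1"}
    patch = {"id": "chosen-by-client", "password": "t1meMa$heen",
             "displayName": "Babs", "groups": [{"value": "g9"}]}
    updated, dropped = apply_client_write(USER_SCHEMA, stored, patch, "update")
    print("ignored:", dropped)                # ['id', 'groups']
    print("response:", render(USER_SCHEMA, updated, client_set=patch))
```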
      referenceTypes  A multi-valued array of JSON strings that indicate
         the SCIM resource types that may be referenced.  Valid values
         are:

         +  A SCIM resource type (e.g., "User" or "Group"),

         +  "external" - indicating the resource is an external resource
            (e.g., such as a photo), or

         +  "uri" - indicating that the reference is to a service
            endpoint or an identifier (e.g., such as a schema urn).

         This attribute is only applicable for attributes that are of
         type "reference" (Section 2.2.7).

8.  JSON Representation

8.1.  Minimal User Representation

   The following is a non-normative example of the minimal required SCIM
   representation in JSON format.

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "userName": "bjensen@example.com",
     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff590\"",
       "location":
        "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
     }
   }

            Figure 3: Example Minimal User JSON Representation

8.2.  Full User Representation

   The following is a non-normative example of the fully populated SCIM
   representation in JSON format.

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "externalId": "701984",
     "userName": "bjensen@example.com",
     "name": {
       "formatted": "Ms. Barbara J Jensen III",
       "familyName": "Jensen",
       "givenName": "Barbara",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     "displayName": "Babs Jensen",
     "nickName": "Babs",
     "profileUrl": "https://login.example.com/bjensen",
     "emails": [
       {
         "value": "bjensen@example.com",
         "type": "work",
         "primary": true
       },
       {
         "value": "babs@jensen.org",
         "type": "home"
       }
     ],
     "addresses": [
       {
         "type": "work",
         "streetAddress": "100 Universal City Plaza",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
         "primary": true
       },
       {
         "type": "home",
         "streetAddress": "456 Hollywood Blvd",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA"
       }
     ],
     "phoneNumbers": [
       {
         "value": "555-555-5555",
         "type": "work"
       },
       {
         "value": "555-555-4444",
         "type": "mobile"
       }
     ],
     "ims": [
       {
         "value": "someaimhandle",
         "type": "aim"
       }
     ],
     "photos": [
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/F",
         "type": "photo"
       },
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/T",
         "type": "thumbnail"
       }
     ],
     "userType": "Employee",
     "title": "Tour Guide",
     "preferredLanguage": "en-US",
     "locale": "en-US",
     "timezone": "America/Los_Angeles",
     "active": true,
     "password": "t1meMa$heen",
     "groups": [
       {
         "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
         "$ref":
   "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
         "display": "Tour Guides"
       },
       {
         "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "$ref":
   "https://example.com/v2/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "display": "Employees"
       },
       {
         "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
         "$ref":
   "https://example.com/v2/Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
         "display": "US Employees"
       }
     ],
     "x509Certificates": [
       {
         "value":
          "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
           EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
           VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
           MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
           eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
           IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
           AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
           1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
           PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
           zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
           DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
           SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
           HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
           Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
           dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
           Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
           C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
           +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo="
       }
     ],
     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location":
        "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
     }
   }

             Figure 4: Example Full User JSON Representation

8.3.  Enterprise User Extension Representation

   The following is a non-normative example of the fully populated User
   using the enterprise User extension in JSON format.

   {
     "schemas":
       ["urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "externalId": "701984",
     "userName": "bjensen@example.com",
     "name": {
       "formatted": "Ms. Barbara J Jensen III",
       "familyName": "Jensen",
       "givenName": "Barbara",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     "displayName": "Babs Jensen",
     "nickName": "Babs",
     "profileUrl": "https://login.example.com/bjensen",
     "emails": [
       {
         "value": "bjensen@example.com",
         "type": "work",
         "primary": true
       },
       {
         "value": "babs@jensen.org",
         "type": "home"
       }
     ],
     "addresses": [
       {
         "streetAddress": "100 Universal City Plaza",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
         "type": "work",
         "primary": true
       },
       {
         "streetAddress": "456 Hollywood Blvd",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA",
         "type": "home"
       }
     ],
     "phoneNumbers": [
       {
         "value": "555-555-5555",
         "type": "work"
       },
       {
         "value": "555-555-4444",
         "type": "mobile"
       }
     ],
     "ims": [
       {
         "value": "someaimhandle",
         "type": "aim"
       }
     ],
     "photos": [
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/F",
         "type": "photo"
       },
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/T",
         "type": "thumbnail"
1607 } 1608 ], 1609 "userType": "Employee", 1610 "title": "Tour Guide", 1611 "preferredLanguage":"en-US", 1612 "locale": "en-US", 1613 "timezone": "America/Los_Angeles", 1614 "active":true, 1615 "password":"t1meMa$heen", 1616 "groups": [ 1617 { 1618 "value": "e9e30dba-f08f-4109-8486-d5c6a331660a", 1619 "$ref": "/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a", 1620 "display": "Tour Guides" 1621 }, 1622 { 1623 "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5", 1624 "$ref": "/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5", 1625 "display": "Employees" 1626 }, 1627 { 1628 "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7", 1629 "$ref": "/Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7", 1630 "display": "US Employees" 1631 } 1632 ], 1633 "x509Certificates": [ 1634 { 1635 "value": 1636 "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx 1637 EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD 1638 VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa 1639 MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl 1640 eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw 1641 IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B 1642 AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc 1643 1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i 1644 PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ 1645 zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3 1646 DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr 1647 SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV 1648 HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp 1649 Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU 1650 dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt 1651 Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R 1652 C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1 1653 
+GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo=" 1654 } 1655 ], 1656 "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { 1657 "employeeNumber": "701984", 1658 "costCenter": "4130", 1659 "organization": "Universal Studios", 1660 "division": "Theme Park", 1661 "department": "Tour Operations", 1662 "manager": [{ 1663 "value": "26118915-6090-4610-87e4-49d8ca9f808d", 1664 "$ref": "/Users/26118915-6090-4610-87e4-49d8ca9f808d", 1665 "displayName": "John Smith" 1666 }] 1667 }, 1668 "meta": { 1669 "resourceType": "User", 1670 "created": "2010-01-23T04:56:22Z", 1671 "lastModified": "2011-05-13T04:42:34Z", 1672 "version": "W\/\"3694e05e9dff591\"", 1673 "location": 1674 "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646" 1675 } 1676 } 1678 Figure 5: Example Enterprise User JSON Representation 1680 8.4. Group Representation 1682 The following is a non-normative example of SCIM Group representation 1683 in JSON format. 1685 { 1686 "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], 1687 "id": "e9e30dba-f08f-4109-8486-d5c6a331660a", 1688 "displayName": "Tour Guides", 1689 "members": [ 1690 { 1691 "value": "2819c223-7f76-453a-919d-413861904646", 1692 "$ref": 1693 "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646", 1694 "display": "Babs Jensen" 1695 }, 1696 { 1697 "value": "902c246b-6245-4190-8e05-00816be7344a", 1698 "$ref": 1699 "https://example.com/v2/Users/902c246b-6245-4190-8e05-00816be7344a", 1700 "display": "Mandy Pepperidge" 1701 } 1702 ], 1703 "meta": { 1704 "resourceType": "Group", 1705 "created": "2010-01-23T04:56:22Z", 1706 "lastModified": "2011-05-13T04:42:34Z", 1707 "version": "W\/\"3694e05e9dff592\"", 1708 "location": 1709 "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a" 1710 } 1711 } 1713 Figure 6: Example Group JSON Representation 1715 8.5. Service Provider Configuration Representation 1717 The following is a non-normative example of the SCIM Service Provider 1718 configuration representation in JSON format. 
1720 { 1721 "schemas": [ 1722 "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" 1723 ], 1724 "documentationUrl":"http://example.com/help/scim.html", 1725 "patch": { 1726 "supported":true 1727 }, 1728 "bulk": { 1729 "supported":true, 1730 "maxOperations":1000, 1731 "maxPayloadSize":1048576 1732 }, 1733 "filter": { 1734 "supported":true, 1735 "maxResults": 200 1736 }, 1737 "changePassword" : { 1738 "supported":true 1739 }, 1740 "sort": { 1741 "supported":true 1742 }, 1743 "etag": { 1744 "supported":true 1745 }, 1746 "authenticationSchemes": [ 1747 { 1748 "name": "OAuth Bearer Token", 1749 "description": 1750 "Authentication Scheme using the OAuth Bearer Token Standard", 1751 "specUrl": 1752 "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01", 1753 "documentationUrl":"http://example.com/help/oauth.html", 1754 "type":"oauthbearertoken", 1755 "primary": true 1756 }, 1757 { 1758 "name": "HTTP Basic", 1759 "description": 1760 "Authentication Scheme using the Http Basic Standard", 1761 "specUrl":"http://www.ietf.org/rfc/rfc2617.txt", 1762 "documentationUrl":"http://example.com/help/httpBasic.html", 1763 "type":"httpbasic" 1764 } 1765 ], 1766 "meta": { 1767 "location":"https://example.com/v2/ServiceProviderConfig", 1768 "resourceType": "ServiceProviderConfig", 1769 "created": "2010-01-23T04:56:22Z", 1770 "lastModified": "2011-05-13T04:42:34Z", 1771 "version": "W\/\"3694e05e9dff594\"" 1772 } 1773 } 1775 Figure 7: Example Service Provider Config JSON Representation 1777 8.6. Resource Type Representation 1779 The following is a non-normative example of the SCIM resource types 1780 in JSON format. 
1782 [{ 1783 "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], 1784 "id":"User", 1785 "name":"User", 1786 "endpoint": "/Users", 1787 "description": "User Account", 1788 "schema": "urn:ietf:params:scim:schemas:core:2.0:User", 1789 "schemaExtensions": [ 1790 { 1791 "schema": 1792 "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", 1793 "required": true 1794 } 1795 ], 1796 "meta": { 1797 "location":"https://example.com/v2/ResourceTypes/User", 1798 "resourceType": "ResourceType" 1799 } 1800 }, 1801 { 1802 "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], 1803 "id":"Group", 1804 "name":"Group", 1805 "endpoint": "/Groups", 1806 "description": "Group", 1807 "schema": "urn:ietf:params:scim:schemas:core:2.0:Group", 1808 "meta": { 1809 "location":"https://example.com/v2/ResourceTypes/Group", 1810 "resourceType": "ResourceType" 1811 } 1812 }] 1814 Figure 8: Example Resource Type JSON Representation 1816 8.7. Schema Representation 1818 The following sections provide representations of schemas for both 1819 SCIM resources and Service Provider schemas. Note that the JSON 1820 representation has been modified for readability and to fit the 1821 specification format. 1823 8.7.1. Resource Schema Representation 1825 The following is intended as an example of the SCIM Schema 1826 representation in JSON format for SCIM resources. Where permitted 1827 individual values and schema MAY change. Included but not limited 1828 to, are schemas for User, Group, and enterprise user. 1830 [ 1831 { 1832 "id" : "urn:ietf:params:scim:schemas:core:2.0:User", 1833 "name" : "User", 1834 "description" : "User Account", 1835 "attributes" : [ 1836 { 1837 "name" : "userName", 1838 "type" : "string", 1839 "multiValued" : false, 1840 "description" : "Unique identifier for the User typically used 1841 by the user to directly authenticate to the service provider. Each User 1842 MUST include a non-empty userName value. 
This identifier MUST be unique 1843 across the Service Consumer's entire set of Users. REQUIRED", 1844 "required" : true, 1845 "caseExact" : false, 1846 "mutability" : "readWrite", 1847 "returned" : "default", 1848 "uniqueness" : "server" 1849 }, 1850 { 1851 "name" : "name", 1852 "type" : "complex", 1853 "multiValued" : false, 1854 "description" : "The components of the user's real name. 1855 Providers MAY return just the full name as a single string in the 1856 formatted sub-attribute, or they MAY return just the individual 1857 component attributes using the other sub-attributes, or they MAY return 1858 both. If both variants are returned, they SHOULD be describing the same 1859 name, with the formatted name indicating how the component attributes 1860 should be combined.", 1861 "required" : false, 1862 "subAttributes" : [ 1863 { 1864 "name" : "formatted", 1865 "type" : "string", 1866 "multiValued" : false, 1867 "description" : "The full name, including all middle names, 1868 titles, and suffixes as appropriate, formatted for display (e.g., Ms. 1869 Barbara J Jensen, III.).", 1870 "required" : false, 1871 "caseExact" : false, 1872 "mutability" : "readWrite", 1873 "returned" : "default", 1874 "uniqueness" : "none" 1875 }, 1876 { 1877 "name" : "familyName", 1878 "type" : "string", 1879 "multiValued" : false, 1880 "description" : "The family name of the User, or Last Name 1881 in most Western languages (e.g. Jensen given the full name Ms. Barbara J 1882 Jensen, III.).", 1883 "required" : false, 1884 "caseExact" : false, 1885 "mutability" : "readWrite", 1886 "returned" : "default", 1887 "uniqueness" : "none" 1888 }, 1889 { 1890 "name" : "givenName", 1891 "type" : "string", 1892 "multiValued" : false, 1893 "description" : "The given name of the User, or First Name 1894 in most Western languages (e.g. Barbara given the full name Ms. 
Barbara 1895 J Jensen, III.).", 1896 "required" : false, 1897 "caseExact" : false, 1898 "mutability" : "readWrite", 1899 "returned" : "default", 1900 "uniqueness" : "none" 1901 }, 1902 { 1903 "name" : "middleName", 1904 "type" : "string", 1905 "multiValued" : false, 1906 "description" : "The middle name(s) of the User (e.g. Robert 1907 given the full name Ms. Barbara J Jensen, III.).", 1908 "required" : false, 1909 "caseExact" : false, 1910 "mutability" : "readWrite", 1911 "returned" : "default", 1912 "uniqueness" : "none" 1913 }, 1914 { 1915 "name" : "honorificPrefix", 1916 "type" : "string", 1917 "multiValued" : false, 1918 "description" : "The honorific prefix(es) of the User, or 1920 Title in most Western languages (e.g., Ms. given the full name Ms. 1921 Barbara J Jensen, III.).", 1922 "required" : false, 1923 "caseExact" : false, 1924 "mutability" : "readWrite", 1925 "returned" : "default", 1926 "uniqueness" : "none" 1927 }, 1928 { 1929 "name" : "honorificSuffix", 1930 "type" : "string", 1931 "multiValued" : false, 1932 "description" : "The honorific suffix(es) of the User, or 1933 Suffix in most Western languages (e.g., III. given the full name Ms. 1934 Barbara J Jensen, III.).", 1935 "required" : false, 1936 "caseExact" : false, 1937 "mutability" : "readWrite", 1938 "returned" : "default", 1939 "uniqueness" : "none" 1940 } 1941 ], 1942 "mutability" : "readWrite", 1943 "returned" : "default", 1944 "uniqueness" : "none" 1945 }, 1946 { 1947 "name" : "displayName", 1948 "type" : "string", 1949 "multiValued" : false, 1950 "description" : "The name of the User, suitable for display to 1951 end-users. 
The name SHOULD be the full name of the User being described 1952 if known", 1953 "required" : false, 1954 "caseExact" : false, 1955 "mutability" : "readWrite", 1956 "returned" : "default", 1957 "uniqueness" : "none" 1958 }, 1959 { 1960 "name" : "nickName", 1961 "type" : "string", 1962 "multiValued" : false, 1963 "description" : "The casual way to address the user in real 1964 life, e.g.'Bob' or 'Bobby' instead of 'Robert'. This attribute 1965 SHOULD NOT be used to represent a User's username (e.g., bjensen or 1966 mpepperidge)", 1967 "required" : false, 1968 "caseExact" : false, 1969 "mutability" : "readWrite", 1970 "returned" : "default", 1971 "uniqueness" : "none" 1972 }, 1973 { 1974 "name" : "profileUrl", 1975 "type" : "reference", 1976 "referenceTypes" : ["external"], 1977 "multiValued" : false, 1978 "description" : "A fully qualified URL to a page representing 1979 the User's online profile", 1980 "required" : false, 1981 "caseExact" : false, 1982 "mutability" : "readWrite", 1983 "returned" : "default", 1984 "uniqueness" : "none" 1985 }, 1986 { 1987 "name" : "title", 1988 "type" : "string", 1989 "multiValued" : false, 1990 "description" : "The user's title, such as \"Vice President.\"", 1991 "required" : false, 1992 "caseExact" : false, 1993 "mutability" : "readWrite", 1994 "returned" : "default", 1995 "uniqueness" : "none" 1996 }, 1997 { 1998 "name" : "userType", 1999 "type" : "string", 2000 "multiValued" : false, 2001 "description" : "Used to identify the organization to user 2002 relationship. Typical values used might be 'Contractor', 'Employee', 2003 'Intern', 'Temp', 'External', and 'Unknown' but any value may be 2004 used.", 2005 "required" : false, 2006 "caseExact" : false, 2007 "mutability" : "readWrite", 2008 "returned" : "default", 2009 "uniqueness" : "none" 2010 }, 2011 { 2012 "name" : "preferredLanguage", 2013 "type" : "string", 2014 "multiValued" : false, 2015 "description" : "Indicates the User's preferred written or 2017 spoken language. 
Generally used for selecting a localized User 2018 interface. e.g., 'en_US' specifies the language English and country 2019 US.", 2020 "required" : false, 2021 "caseExact" : false, 2022 "mutability" : "readWrite", 2023 "returned" : "default", 2024 "uniqueness" : "none" 2025 }, 2026 { 2027 "name" : "locale", 2028 "type" : "string", 2029 "multiValued" : false, 2030 "description" : "Used to indicate the User's default location 2031 for purposes of localizing items such as currency, date time format, 2032 numerical representations, etc.", 2033 "required" : false, 2034 "caseExact" : false, 2035 "mutability" : "readWrite", 2036 "returned" : "default", 2037 "uniqueness" : "none" 2038 }, 2039 { 2040 "name" : "timezone", 2041 "type" : "string", 2042 "multiValued" : false, 2043 "description" : "The User's time zone in the 'Olson' timezone 2044 database format; e.g.,'America/Los_Angeles'", 2045 "required" : false, 2046 "caseExact" : false, 2047 "mutability" : "readWrite", 2048 "returned" : "default", 2049 "uniqueness" : "none" 2050 }, 2051 { 2052 "name" : "active", 2053 "type" : "boolean", 2054 "multiValued" : false, 2055 "description" : "A Boolean value indicating the User's 2056 administrative status.", 2057 "required" : false, 2058 "mutability" : "readWrite", 2059 "returned" : "default" 2060 }, 2061 { 2062 "name" : "password", 2063 "type" : "string", 2064 "multiValued" : false, 2065 "description" : "The User's clear text password. This attribute 2066 is intended to be used as a means to specify an initial password when 2067 creating a new User or to reset an existing User's password.", 2068 "required" : false, 2069 "caseExact" : false, 2070 "mutability" : "writeOnly", 2071 "returned" : "never", 2072 "uniqueness" : "none" 2073 }, 2074 { 2075 "name" : "emails", 2076 "type" : "complex", 2077 "multiValued" : true, 2078 "description" : "E-mail addresses for the user. 
The value SHOULD 2079 be canonicalized by the Service Provider, e.g., bjensen@example.com 2080 instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and 2081 other.", 2082 "required" : false, 2083 "subAttributes" : [ 2084 { 2085 "name" : "value", 2086 "type" : "string", 2087 "multiValued" : false, 2088 "description" : "E-mail addresses for the user. The value 2089 SHOULD be canonicalized by the Service Provider, e.g. 2090 bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type 2091 values of work, home, and other.", 2092 "required" : false, 2093 "caseExact" : false, 2094 "mutability" : "readWrite", 2095 "returned" : "default", 2096 "uniqueness" : "none" 2097 }, 2098 { 2099 "name" : "display", 2100 "type" : "string", 2101 "multiValued" : false, 2102 "description" : "A human readable name, primarily used for 2103 display purposes. READ-ONLY.", 2104 "required" : false, 2105 "caseExact" : false, 2106 "mutability" : "readWrite", 2107 "returned" : "default", 2108 "uniqueness" : "none" 2109 }, 2110 { 2111 "name" : "type", 2112 "type" : "string", 2113 "multiValued" : false, 2114 "description" : "A label indicating the attribute's 2115 function; e.g., 'work' or 'home'.", 2116 "required" : false, 2117 "caseExact" : false, 2118 "canonicalValues" : [ 2119 "work", 2120 "home", 2121 "other" 2122 ], 2123 "mutability" : "readWrite", 2124 "returned" : "default", 2125 "uniqueness" : "none" 2126 }, 2127 { 2128 "name" : "primary", 2129 "type" : "boolean", 2130 "multiValued" : false, 2131 "description" : "A Boolean value indicating the 'primary' or 2132 preferred attribute value for this attribute, e.g., the preferred mailing 2133 address or primary e-mail address. 
The primary attribute value 'true' 2134 MUST appear no more than once.", 2135 "required" : false, 2136 "mutability" : "readWrite", 2137 "returned" : "default" 2138 } 2139 ], 2140 "mutability" : "readWrite", 2141 "returned" : "default", 2142 "uniqueness" : "none" 2143 }, 2144 { 2145 "name" : "phoneNumbers", 2146 "type" : "complex", 2147 "multiValued" : true, 2148 "description" : "Phone numbers for the User. The value SHOULD 2149 be canonicalized by the Service Provider according to format in RFC3966 2150 e.g., 'tel:+1-201-555-0123'. Canonical Type values of work, home, 2151 mobile, fax, pager and other.", 2152 "required" : false, 2153 "subAttributes" : [ 2154 { 2155 "name" : "value", 2156 "type" : "string", 2157 "multiValued" : false, 2158 "description" : "Phone number of the User", 2159 "required" : false, 2160 "caseExact" : false, 2161 "mutability" : "readWrite", 2162 "returned" : "default", 2163 "uniqueness" : "none" 2164 }, 2165 { 2166 "name" : "display", 2167 "type" : "string", 2168 "multiValued" : false, 2169 "description" : "A human readable name, primarily used for 2170 display purposes. READ-ONLY.", 2171 "required" : false, 2172 "caseExact" : false, 2173 "mutability" : "readWrite", 2174 "returned" : "default", 2175 "uniqueness" : "none" 2176 }, 2177 { 2178 "name" : "type", 2179 "type" : "string", 2180 "multiValued" : false, 2181 "description" : "A label indicating the attribute's 2182 function; e.g., 'work' or 'home' or 'mobile' etc.", 2183 "required" : false, 2184 "caseExact" : false, 2185 "canonicalValues" : [ 2186 "work", 2187 "home", 2188 "mobile", 2189 "fax", 2190 "pager", 2191 "other" 2192 ], 2193 "mutability" : "readWrite", 2194 "returned" : "default", 2195 "uniqueness" : "none" 2196 }, 2197 { 2198 "name" : "primary", 2199 "type" : "boolean", 2200 "multiValued" : false, 2201 "description" : "A Boolean value indicating the 'primary' or 2202 preferred attribute value for this attribute, e.g., the preferred phone 2203 number or primary phone number. 
The primary attribute value 'true' MUST 2204 appear no more than once.", 2205 "required" : false, 2206 "mutability" : "readWrite", 2207 "returned" : "default" 2208 } 2210 ], 2211 "mutability" : "readWrite", 2212 "returned" : "default" 2213 }, 2214 { 2215 "name" : "ims", 2216 "type" : "complex", 2217 "multiValued" : true, 2218 "description" : "Instant messaging addresses for the User.", 2219 "required" : false, 2220 "subAttributes" : [ 2221 { 2222 "name" : "value", 2223 "type" : "string", 2224 "multiValued" : false, 2225 "description" : "Instant messaging address for the User.", 2226 "required" : false, 2227 "caseExact" : false, 2228 "mutability" : "readWrite", 2229 "returned" : "default", 2230 "uniqueness" : "none" 2231 }, 2232 { 2233 "name" : "display", 2234 "type" : "string", 2235 "multiValued" : false, 2236 "description" : "A human readable name, primarily used for 2237 display purposes. READ-ONLY.", 2238 "required" : false, 2239 "caseExact" : false, 2240 "mutability" : "readWrite", 2241 "returned" : "default", 2242 "uniqueness" : "none" 2243 }, 2244 { 2245 "name" : "type", 2246 "type" : "string", 2247 "multiValued" : false, 2248 "description" : "A label indicating the attribute's 2249 function; e.g., 'aim', 'gtalk', 'mobile' etc.", 2250 "required" : false, 2251 "caseExact" : false, 2252 "canonicalValues" : [ 2253 "aim", 2254 "gtalk", 2255 "icq", 2256 "xmpp", 2257 "msn", 2258 "skype", 2259 "qq", 2260 "yahoo" 2261 ], 2262 "mutability" : "readWrite", 2263 "returned" : "default", 2264 "uniqueness" : "none" 2265 }, 2266 { 2267 "name" : "primary", 2268 "type" : "boolean", 2269 "multiValued" : false, 2270 "description" : "A Boolean value indicating the 'primary' or 2271 preferred attribute value for this attribute, e.g., the preferred 2272 messenger or primary messenger. 
The primary attribute value 'true' MUST 2273 appear no more than once.", 2274 "required" : false, 2275 "mutability" : "readWrite", 2276 "returned" : "default" 2277 } 2278 ], 2279 "mutability" : "readWrite", 2280 "returned" : "default" 2281 }, 2282 { 2283 "name" : "photos", 2284 "type" : "complex", 2285 "multiValued" : true, 2286 "description" : "URLs of photos of the User.", 2287 "required" : false, 2288 "subAttributes" : [ 2289 { 2290 "name" : "value", 2291 "type" : "reference", 2292 "referenceTypes" : ["external"], 2293 "multiValued" : false, 2294 "description" : "URL of a photo of the User.", 2295 "required" : false, 2296 "caseExact" : false, 2297 "mutability" : "readWrite", 2298 "returned" : "default", 2299 "uniqueness" : "none" 2300 }, 2301 { 2302 "name" : "display", 2303 "type" : "string", 2304 "multiValued" : false, 2305 "description" : "A human readable name, primarily used for 2307 display purposes. READ-ONLY.", 2308 "required" : false, 2309 "caseExact" : false, 2310 "mutability" : "readWrite", 2311 "returned" : "default", 2312 "uniqueness" : "none" 2313 }, 2314 { 2315 "name" : "type", 2316 "type" : "string", 2317 "multiValued" : false, 2318 "description" : "A label indicating the attribute's 2319 function; e.g., 'photo' or 'thumbnail'.", 2320 "required" : false, 2321 "caseExact" : false, 2322 "canonicalValues" : [ 2323 "photo", 2324 "thumbnail" 2325 ], 2326 "mutability" : "readWrite", 2327 "returned" : "default", 2328 "uniqueness" : "none" 2329 }, 2330 { 2331 "name" : "primary", 2332 "type" : "boolean", 2333 "multiValued" : false, 2334 "description" : "A Boolean value indicating the 'primary' or 2335 preferred attribute value for this attribute, e.g., the preferred photo 2336 or thumbnail. 
The primary attribute value 'true' MUST appear no more 2337 than once.", 2338 "required" : false, 2339 "mutability" : "readWrite", 2340 "returned" : "default" 2341 } 2342 ], 2343 "mutability" : "readWrite", 2344 "returned" : "default" 2345 }, 2346 { 2347 "name" : "addresses", 2348 "type" : "complex", 2349 "multiValued" : true, 2350 "description" : "A physical mailing address for this User, as 2351 described in (address Element). Canonical Type Values of work, home, and 2352 other. The value attribute is a complex type with the following 2353 sub-attributes.", 2354 "required" : false, 2355 "subAttributes" : [ 2356 { 2357 "name" : "formatted", 2358 "type" : "string", 2359 "multiValued" : false, 2360 "description" : "The full mailing address, formatted for 2361 display or use with a mailing label. This attribute MAY contain 2362 newlines.", 2363 "required" : false, 2364 "caseExact" : false, 2365 "mutability" : "readWrite", 2366 "returned" : "default", 2367 "uniqueness" : "none" 2368 }, 2369 { 2370 "name" : "streetAddress", 2371 "type" : "string", 2372 "multiValued" : false, 2373 "description" : "The full street address component, which 2374 may include house number, street name, PO BOX, and multi-line extended 2375 street address information. 
This attribute MAY contain newlines.", 2376 "required" : false, 2377 "caseExact" : false, 2378 "mutability" : "readWrite", 2379 "returned" : "default", 2380 "uniqueness" : "none" 2381 }, 2382 { 2383 "name" : "locality", 2384 "type" : "string", 2385 "multiValued" : false, 2386 "description" : "The city or locality component.", 2387 "required" : false, 2388 "caseExact" : false, 2389 "mutability" : "readWrite", 2390 "returned" : "default", 2391 "uniqueness" : "none" 2392 }, 2393 { 2394 "name" : "region", 2395 "type" : "string", 2396 "multiValued" : false, 2397 "description" : "The state or region component.", 2398 "required" : false, 2399 "caseExact" : false, 2400 "mutability" : "readWrite", 2401 "returned" : "default", 2402 "uniqueness" : "none" 2404 }, 2405 { 2406 "name" : "postalCode", 2407 "type" : "string", 2408 "multiValued" : false, 2409 "description" : "The zipcode or postal code component.", 2410 "required" : false, 2411 "caseExact" : false, 2412 "mutability" : "readWrite", 2413 "returned" : "default", 2414 "uniqueness" : "none" 2415 }, 2416 { 2417 "name" : "country", 2418 "type" : "string", 2419 "multiValued" : false, 2420 "description" : "The country name component.", 2421 "required" : false, 2422 "caseExact" : false, 2423 "mutability" : "readWrite", 2424 "returned" : "default", 2425 "uniqueness" : "none" 2426 }, 2427 { 2428 "name" : "type", 2429 "type" : "string", 2430 "multiValued" : false, 2431 "description" : "A label indicating the attribute's 2432 function; e.g., 'work' or 'home'.", 2433 "required" : false, 2434 "caseExact" : false, 2435 "canonicalValues" : [ 2436 "work", 2437 "home", 2438 "other" 2439 ], 2440 "mutability" : "readWrite", 2441 "returned" : "default", 2442 "uniqueness" : "none" 2443 } 2444 ], 2445 "mutability" : "readWrite", 2446 "returned" : "default", 2447 "uniqueness" : "none" 2448 }, 2449 { 2450 "name" : "groups", 2451 "type" : "complex", 2452 "multiValued" : true, 2453 "description" : "A list of groups that the user belongs to, 
            either through direct membership, nested groups, or dynamically calculated",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "The identifier of the User's group.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "User",
              "Group"
            ],
            "multiValued" : false,
            "description" : "The URI of the corresponding Group resource to which the user belongs",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "display",
            "type" : "string",
            "multiValued" : false,
            "description" : "A human readable name, primarily used for display purposes. READ-ONLY.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "A label indicating the attribute's function; e.g., 'direct' or 'indirect'.",
            "required" : false,
            "caseExact" : false,
            "canonicalValues" : [
              "direct",
              "indirect"
            ],
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readOnly",
        "returned" : "default"
      },
      {
        "name" : "entitlements",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of entitlements for the User that represent a thing the User has.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "The value of an entitlement.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "display",
            "type" : "string",
            "multiValued" : false,
            "description" : "A human readable name, primarily used for display purposes. READ-ONLY.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "A label indicating the attribute's function.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "primary",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute. The primary attribute value 'true' MUST appear no more than once.",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "roles",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of roles for the User that collectively represent who the User is; e.g., 'Student', 'Faculty'.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "The value of a role.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "display",
            "type" : "string",
            "multiValued" : false,
            "description" : "A human readable name, primarily used for display purposes. READ-ONLY.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "A label indicating the attribute's function.",
            "required" : false,
            "caseExact" : false,
            "canonicalValues" : [],
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "primary",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute. The primary attribute value 'true' MUST appear no more than once.",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "x509Certificates",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of certificates issued to the User.",
        "required" : false,
        "caseExact" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "binary",
            "multiValued" : false,
            "description" : "The value of a X509 certificate.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "display",
            "type" : "string",
            "multiValued" : false,
            "description" : "A human readable name, primarily used for display purposes. READ-ONLY.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "A label indicating the attribute's function.",
            "required" : false,
            "caseExact" : false,
            "canonicalValues" : [],
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "primary",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute. The primary attribute value 'true' MUST appear no more than once.",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default"
      }
    ],
    "meta" : {
      "resourceType" : "Schema",
      "location" : "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
    }
  },
  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
    "name" : "Group",
    "description" : "Group",
    "attributes" : [
      {
        "name" : "displayName",
        "type" : "string",
        "multiValued" : false,
        "description" : "Human readable name for the Group. REQUIRED.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "members",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of members of the Group.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "Identifier of the member of this Group.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "User",
              "Group"
            ],
            "multiValued" : false,
            "description" : "The URI of the corresponding member resource of this Group.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "A label indicating the type of resource; e.g., 'User' or 'Group'.",
            "required" : false,
            "caseExact" : false,
            "canonicalValues" : [
              "User",
              "Group"
            ],
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default"
      }
    ],
    "meta" : {
      "resourceType" : "Schema",
      "location" : "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
    }
  },
  {
    "id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    "name" : "EnterpriseUser",
    "description" : "Enterprise User",
    "attributes" : [
      {
        "name" : "employeeNumber",
        "type" : "string",
        "multiValued" : false,
        "description" : "Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "costCenter",
        "type" : "string",
        "multiValued" : false,
        "description" : "Identifies the name of a cost center.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "organization",
        "type" : "string",
        "multiValued" : false,
        "description" : "Identifies the name of an organization.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "division",
        "type" : "string",
        "multiValued" : false,
        "description" : "Identifies the name of a division.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "department",
        "type" : "string",
        "multiValued" : false,
        "description" : "Identifies the name of a department.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "manager",
        "type" : "complex",
        "multiValued" : true,
        "description" : "The User's manager. A complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the 'id' attribute of another User.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "The id of the SCIM resource representing the User's manager. REQUIRED.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "User"
            ],
            "multiValued" : false,
            "description" : "The URI of the SCIM resource representing the User's manager. REQUIRED.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "displayName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The displayName of the User's manager. OPTIONAL and READ-ONLY.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default"
      }
    ],
    "meta" : {
      "resourceType" : "Schema",
      "location" : "/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    }
  }
]

Figure 9: Example JSON Representation for Resource Schema

8.7.2. Service Provider Schema Representation

The following is a representation of the SCIM Schema for the fixed Service Provider schemas: ServiceProviderConfig, ResourceType, and Schema.
[
  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
    "name" : "Service Provider Configuration",
    "description" : "Schema for representing the service provider's configuration",
    "attributes" : [
      {
        "name" : "documentationUri",
        "type" : "reference",
        "referenceTypes" : ["external"],
        "multiValued" : false,
        "description" : "An HTTP addressable URL pointing to the service provider's human consumable help documentation.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "patch",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A complex type that specifies PATCH configuration options.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readOnly",
        "subAttributes" : [
          {
            "name" : "supported",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "Boolean value specifying whether the operation is supported.",
            "required" : true,
            "mutability" : "readOnly",
            "returned" : "default"
          }
        ]
      },
      {
        "name" : "bulk",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A complex type that specifies BULK configuration options.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readOnly",
        "subAttributes" : [
          {
            "name" : "supported",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "Boolean value specifying whether the operation is supported.",
            "required" : true,
            "mutability" : "readOnly",
            "returned" : "default"
          },
          {
            "name" : "maxOperations",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An integer value specifying the maximum number of operations.",
            "required" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "maxPayloadSize",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An integer value specifying the maximum payload size in bytes.",
            "required" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ]
      },
      {
        "name" : "filter",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A complex type that specifies FILTER options.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readOnly",
        "subAttributes" : [
          {
            "name" : "supported",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "Boolean value specifying whether the operation is supported.",
            "required" : true,
            "mutability" : "readOnly",
            "returned" : "default"
          },
          {
            "name" : "maxResults",
            "type" : "integer",
            "multiValued" : false,
            "description" : "Integer value specifying the maximum number of resources returned in a response.",
            "required" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ]
      },
      {
        "name" : "changePassword",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A complex type that specifies change password options.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readOnly",
        "subAttributes" : [
          {
            "name" : "supported",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "Boolean value specifying whether the operation is supported.",
            "required" : true,
            "mutability" : "readOnly",
            "returned" : "default"
          }
        ]
      },
      {
        "name" : "sort",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A complex type that specifies sort result options.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readOnly",
        "subAttributes" : [
          {
            "name" : "supported",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "Boolean value specifying whether the operation is supported.",
            "required" : true,
            "mutability" : "readOnly",
            "returned" : "default"
          }
        ]
      },
      {
        "name" : "authenticationSchemes",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A complex type that specifies supported Authentication Scheme properties.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readOnly",
        "subAttributes" : [
          {
            "name" : "name",
            "type" : "string",
            "multiValued" : false,
            "description" : "The common authentication scheme name; e.g., HTTP Basic.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "description",
            "type" : "string",
            "multiValued" : false,
            "description" : "A description of the authentication scheme.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "specUri",
            "type" : "reference",
            "referenceTypes" : ["external"],
            "multiValued" : false,
            "description" : "An HTTP addressable URL pointing to the Authentication Scheme's specification.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "documentationUri",
            "type" : "reference",
            "referenceTypes" : ["external"],
            "multiValued" : false,
            "description" : "An HTTP addressable URL pointing to the Authentication Scheme's usage documentation.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ]
      }
    ]
  },
  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
    "name" : "ResourceType",
    "description" : "Specifies the schema that describes a SCIM Resource Type",
    "attributes" : [
      {
        "name" : "id",
        "type" : "string",
        "multiValued" : false,
        "description" : "The resource type's server unique id. May be the same as the 'name' attribute.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "name",
        "type" : "string",
        "multiValued" : false,
        "description" : "The resource type name. When applicable service providers MUST specify the name specified in the core schema specification; e.g., User",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "description",
        "type" : "string",
        "multiValued" : false,
        "description" : "The resource type's human readable description. When applicable service providers MUST specify the description specified in the core schema specification.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "endpoint",
        "type" : "reference",
        "referenceTypes" : ["uri"],
        "multiValued" : false,
        "description" : "The resource type's HTTP addressable endpoint relative to the Base URL; e.g., /Users",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "schema",
        "type" : "reference",
        "referenceTypes" : ["uri"],
        "multiValued" : false,
        "description" : "The resource types primary/base schema URI",
        "required" : true,
        "caseExact" : true,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "schemaExtensions",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A list of URIs of the resource type's schema extensions",
        "required" : true,
        "mutability" : "readOnly",
        "returned" : "default",
        "subAttributes" : [
          {
            "name" : "schema",
            "type" : "reference",
            "referenceTypes" : ["uri"],
            "multiValued" : false,
            "description" : "The URI of a schema extension.",
            "required" : true,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "required",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "A Boolean value that specifies whether the schema extension is required for the resource type. If true, a resource of this type MUST include this schema extension and include any attributes declared as required in this schema extension. If false, a resource of this type MAY omit this schema extension.",
            "required" : true,
            "mutability" : "readOnly",
            "returned" : "default"
          }
        ]
      }
    ]
  },
  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema",
    "name" : "Schema",
    "description" : "Specifies the schema that describes a SCIM Schema",
    "attributes" : [
      {
        "name" : "id",
        "type" : "string",
        "multiValued" : false,
        "description" : "The unique URI of the schema. When applicable service providers MUST specify the URI specified in the core schema specification",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "name",
        "type" : "string",
        "multiValued" : false,
        "description" : "The schema's human readable name. When applicable service providers MUST specify the name specified in the core schema specification; e.g., User",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "description",
        "type" : "string",
        "multiValued" : false,
        "description" : "The schema's human readable name. When applicable service providers MUST specify the name specified in the core schema specification; e.g., User",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "attributes",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A complex attribute that includes the attributes of a schema",
        "required" : true,
        "mutability" : "readOnly",
        "returned" : "default",
        "subAttributes" : [
          {
            "name" : "name",
            "type" : "string",
            "multiValued" : false,
            "description" : "The attribute's name",
            "required" : true,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "The attribute's data type. Valid values include: 'string', 'complex', 'boolean', 'decimal', 'integer', 'dateTime', 'reference'.",
            "required" : true,
            "canonicalValues" : [
              "string",
              "complex",
              "boolean",
              "decimal",
              "integer",
              "dateTime",
              "reference"
            ],
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "multiValued",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "Boolean indicating an attribute's plurality.",
            "required" : true,
            "mutability" : "readOnly",
            "returned" : "default"
          },
          {
            "name" : "description",
            "type" : "string",
            "multiValued" : false,
            "description" : "A human readable description of the attribute.",
            "required" : false,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "required",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "A boolean indicating if the attribute is required.",
            "required" : false,
            "mutability" : "readOnly",
            "returned" : "default"
          },
          {
            "name" : "canonicalValues",
            "type" : "string",
            "multiValued" : true,
            "description" : "A collection of canonical values. When applicable service providers MUST specify the canonical types specified in the core schema specification; e.g., 'work', 'home'.",
            "required" : false,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "caseExact",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "Indicates if a string attribute is case-sensitive.",
            "required" : false,
            "mutability" : "readOnly",
            "returned" : "default"
          },
          {
            "name" : "mutability",
            "type" : "string",
            "multiValued" : false,
            "description" : "Indicates if an attribute is modifiable.",
            "required" : false,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none",
            "canonicalValues" : [
              "readOnly",
              "readWrite",
              "immutable",
              "writeOnly"
            ]
          },
          {
            "name" : "returned",
            "type" : "string",
            "multiValued" : false,
            "description" : "Indicates when an attribute is returned in a response (e.g., to a query).",
            "required" : false,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none",
            "canonicalValues" : [
              "always",
              "never",
              "default",
              "request"
            ]
          },
          {
            "name" : "uniqueness",
            "type" : "string",
            "multiValued" : false,
            "description" : "Indicates how unique a value must be.",
            "required" : false,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none",
            "canonicalValues" : [
              "none",
              "server",
              "global"
            ]
          },
          {
            "name" : "referenceTypes",
            "type" : "string",
            "multiValued" : true,
            "description" : "Used only with an attribute of type 'reference'. Specifies a SCIM resourceType that a reference attribute MAY refer to. e.g., User",
            "required" : false,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "subAttributes",
            "type" : "complex",
            "multiValued" : true,
            "description" : "Used to define the sub-attributes of a complex attribute",
            "required" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "subAttributes" : [
              {
                "name" : "name",
                "type" : "string",
                "multiValued" : false,
                "description" : "The attribute's name",
                "required" : true,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none"
              },
              {
                "name" : "type",
                "type" : "string",
                "multiValued" : false,
                "description" : "The attribute's data type. Valid values include: 'string', 'complex', 'boolean', 'decimal', 'integer', 'dateTime', 'reference'.",
                "required" : true,
                "caseExact" : false,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none",
                "canonicalValues" : [
                  "string",
                  "complex",
                  "boolean",
                  "decimal",
                  "integer",
                  "dateTime",
                  "reference"
                ]
              },
              {
                "name" : "multiValued",
                "type" : "boolean",
                "multiValued" : false,
                "description" : "Boolean indicating an attribute's plurality.",
                "required" : true,
                "mutability" : "readOnly",
                "returned" : "default"
              },
              {
                "name" : "description",
                "type" : "string",
                "multiValued" : false,
                "description" : "A human readable description of the attribute.",
                "required" : false,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none"
              },
              {
                "name" : "required",
                "type" : "boolean",
                "multiValued" : false,
                "description" : "A boolean indicating if the attribute is required.",
                "required" : false,
                "mutability" : "readOnly",
                "returned" : "default"
              },
              {
                "name" : "canonicalValues",
                "type" : "string",
                "multiValued" : true,
                "description" : "A collection of canonical values. When applicable service providers MUST specify the canonical types specified in the core schema specification; e.g., 'work', 'home'.",
                "required" : false,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none"
              },
              {
                "name" : "caseExact",
                "type" : "boolean",
                "multiValued" : false,
                "description" : "Indicates if a string attribute is case-sensitive.",
                "required" : false,
                "mutability" : "readOnly",
                "returned" : "default"
              },
              {
                "name" : "mutability",
                "type" : "string",
                "multiValued" : false,
                "description" : "Indicates if an attribute is modifiable.",
                "required" : false,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none",
                "canonicalValues" : [
                  "readOnly",
                  "readWrite",
                  "immutable",
                  "writeOnly"
                ]
              },
              {
                "name" : "returned",
                "type" : "string",
                "multiValued" : false,
                "description" : "Indicates when an attribute is returned in a response (e.g., to a query).",
                "required" : false,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none",
                "canonicalValues" : [
                  "always",
                  "never",
                  "default",
                  "request"
                ]
              },
              {
                "name" : "uniqueness",
                "type" : "string",
                "multiValued" : false,
                "description" : "Indicates how unique a value must be.",
                "required" : false,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none",
                "canonicalValues" : [
                  "none",
                  "server",
                  "global"
                ]
              },
              {
                "name" : "referenceTypes",
                "type" : "string",
                "multiValued" : false,
                "description" : "Used only with an attribute of type 'reference'. Specifies a SCIM resourceType that a reference attribute MAY refer to. e.g., 'User'",
                "required" : false,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none"
              }
            ]
          }
        ]
      }
    ]
  }
]

Figure 10: Representation of Fixed ServiceProvider Endpoint Schemas

9. Security Considerations

9.1. Protocol

SCIM data is intended to be exchanged using the SCIM Protocol. When handling data, it is important to implement the security considerations outlined in Section 7 of [I-D.ietf-scim-api].

9.2. Password and Other Sensitive Security Data

Passwords and other attributes related to security credentials are of an extremely sensitive nature and require special handling when transmitted or stored. See Sections 7.5 and 7.6 of [I-D.ietf-scim-api] for guidelines on how to store and compare password values.

9.3. Privacy

The SCIM Core schema defines attributes that MAY contain personally identifying information as well as other sensitive data. These privacy considerations should be taken into account for extensions as well as for the schema defined in this specification.

In particular, attributes such as "id" and "externalId" are of particular concern as personally identifiable information that uniquely maps to Users (because they are URIs). Where possible, it is suggested that service providers take the following remediations:

o Assign and bind identifiers to specific tenants and/or clients. When multiple tenants are able to reference the same resource, they should do so via separate identifiers (id or externalId). This ensures that separate domains linked to the same information cannot perform identifier correlation.
o In the case of "externalId", if multiple values are supported, use access control to restrict access to the Client domain that assigned the "externalId" value.

o Ensure that access to data is appropriately restricted to authorized parties with a need-to-know.

o When data is persisted, ensure that appropriate protection mechanisms are in place to restrict access by unauthorized parties, including administrators or parties with access to backup data.

Clients and Service Providers should take into consideration that personal information is being conveyed across technical (e.g., protocol and applications), administrative (e.g., organizational, corporate), and jurisdictional boundaries. In particular, information security and privacy must be considered.

10. IANA Considerations

10.1. Registration of SCIM URN Sub-namespace & SCIM Registry

IANA is requested to add an entry to the 'IETF URN Sub-namespace for Registered Protocol Parameter Identifiers' registry and create a sub-namespace for the Registered Parameter Identifier as per [RFC3553]: "urn:ietf:params:scim".

To manage this sub-namespace, IANA is requested to create the "SCIM" Registry, which shall be used to manage entries within the "urn:ietf:params:scim" namespace. The registry description is as follows:

o Registry name: SCIM

o Specification: [this document]

o Repository: [see Section 10.2]

o Index value: values [see Section 10.2]

10.2. URN Sub-Namespace for SCIM

SCIM schemas and SCIM messages utilize URIs to identify the schema in use or other relevant context. This section creates and registers an IETF URN Sub-namespace for use in the SCIM specifications and future extensions.

10.2.1. Specification Template

Namespace ID:

   The Namespace ID "scim" is requested.

Registration Information:

   Version: 1

   Date: [[insert final submission date]]

Declared registrant of the namespace:

   Registering organization
      The Internet Engineering Task Force

   Designated contact
      A designated expert will monitor the SCIM public mailing list, "scim@ietf.org".

Declaration of Syntactic Structure:

   The Namespace Specific String (NSS) of all URNs that use the "scim" NID shall have the following structure:

      urn:ietf:params:scim:{type}:{name}{:other}

   The keywords have the following meaning:

   type
      The entity type, which is either "schemas" or "api".

   name
      A required US-ASCII string that conforms to the URN syntax requirements (see [RFC2141]) and defines a major namespace of a schema used within SCIM (e.g., "core", which is reserved for SCIM specifications). The value MAY also be an industry name or organization name.

   other
      Any US-ASCII string that conforms to the URN syntax requirements (see [RFC2141]) and defines the sub-namespace (which MAY be further broken down in namespaces delimited by colons) as needed to uniquely identify a schema.

Relevant Ancillary Documentation:

   None

Identifier Uniqueness Considerations:

   The designated contact shall be responsible for reviewing and enforcing uniqueness.

Identifier Persistence Considerations:

   Once a name has been allocated, it MUST NOT be re-allocated for a different purpose. The rules provided for assignments of values within a sub-namespace MUST be constructed so that the meaning of values cannot change. This registration mechanism is not appropriate for naming values whose meaning may change over time.

   As the SCIM specifications are updated and the SCIM protocol version is adjusted, a new registration will be made when significant changes are made. Example: "urn:ietf:params:scim:schemas:core:1.0" (externally defined, not previously registered) and "urn:ietf:params:scim:schemas:core:2.0".

Process of Identifier Assignment:

   Identifiers with namespace type "schema" (e.g., "urn:ietf:params:scim:schemas") are assigned after the review of the assigned contact via the SCIM public mailing list, "scim@ietf.org", as documented in Section 10.3.

   Namespaces with type "api" (e.g., "urn:ietf:params:scim:api") and "param" (e.g., "urn:ietf:params:scim:param") are reserved for IETF approved SCIM specifications.

Process of Identifier Resolution:

   The namespace is not currently listed with a Resolution Discovery System (RDS), but nothing about the namespace prohibits the future definition of appropriate resolution methods or listing with an RDS.

Rules for Lexical Equivalence:

   No special considerations; the rules for lexical equivalence specified in [RFC2141] apply.

Conformance with URN Syntax:

   No special considerations.

Validation Mechanism:

   None specified.

Scope:

   Global.

10.3. Registering SCIM Schemas

This section defines the process for registering new SCIM schemas with IANA in the "SCIM" registry (see Section 10.1). A schema URI is used as a value in the schemas attribute (Section 3) for the purpose of distinguishing extensions used in a SCIM resource.

10.3.1. Registration Procedure

The IETF has created a mailing list, scim@ietf.org, which can be used for public discussion of SCIM schema proposals prior to registration. Use of the mailing list is strongly encouraged. The IESG has appointed a designated expert who will monitor the scim@ietf.org mailing list and review registrations.

Registration of new "core" (e.g., in the namespace "urn:ietf:params:scim:schemas:core") and "API" schemas (e.g., in the namespace "urn:ietf:params:scim:api") MUST be reviewed by the designated expert and published in an RFC. An RFC is REQUIRED for the registration of new value data types that modify existing properties. An RFC is also REQUIRED for registration of SCIM schema URIs that modify SCIM schema previously documented in an existing RFC. URNs within "urn:ietf:params:scim" but outside the above namespaces MAY be registered with a simple review (e.g., a check for spam) by the designated expert on a first-come-first-served basis.

The registration procedure begins when a completed registration template, defined in the sections below, is sent to scim@ietf.org and iana@iana.org. Within two weeks, the designated expert is expected to tell IANA and the submitter of the registration whether the registration is approved, approved with minor changes, or rejected with cause. When a registration is rejected with cause, it can be re-submitted if the concerns listed in the cause are addressed.

Decisions made by the designated expert can be appealed to the IESG Applications Area Director, then to the IESG. They follow the normal appeals procedure for IESG decisions.

Once the registration procedure concludes successfully, IANA creates or modifies the corresponding record in the SCIM schema registry. The completed registration template is discarded.

An RFC specifying a new schema URI MUST include the completed registration templates, which MAY be expanded with additional information. These completed templates are intended to go in the body of the document, not in the IANA Considerations section. The RFC SHOULD include any attributes defined.

10.3.2.
Schema Registration Template

   A SCIM schema URI is defined by completing the following template:

   Schema URI:  A unique URI for the SCIM schema extension.

   Schema Name:  A descriptive name of the schema extension (e.g.,
      Generic Device).

   Intended or Associated Resource Type:  A value defining the resource
      type (e.g., "Device").

   Purpose:  A description of the purpose of the extension and/or its
      intended use.

   Single-value Attributes:  A list and description of single-valued
      attributes defined, including complex attributes.

   Multi-valued Attributes:  A list and description of multi-valued
      attributes defined, including complex attributes.

10.4.  Initial SCIM Schema Registry

   IANA is requested to populate the "SCIM" registry with the following
   registries for SCIM schema URIs, with pointers to the appropriate
   reference documents.  Note: each Schema URI is broken into two lines
   for readability.

   +-----------------------------------+-----------------+-------------+
   | Schema URI                        | Name            | Reference   |
   +-----------------------------------+-----------------+-------------+
   | urn:ietf:params:scim:schemas:     | User Resource   | See Section |
   | core:2.0:User                     |                 | 4.1         |
   | urn:ietf:params:scim:schemas:     | Enterprise User | See Section |
   | extension:enterprise:2.0:User     | Extension       | 4.3         |
   | urn:ietf:params:scim:schemas:     | Group Resource  | See Section |
   | core:2.0:Group                    |                 | 4.2         |
   +-----------------------------------+-----------------+-------------+

                   SCIM Schema URIs for Data Resources

   +-----------------------------------+-------------------+-----------+
   | Schema URI                        | Name              | Reference |
   +-----------------------------------+-------------------+-----------+
   | urn:ietf:params:scim:schemas:     | Service Provider  | See       |
   | core:2.0:ServiceProviderConfig    | Configuration     | Section 5 |
   |                                   | Schema            |           |
   | urn:ietf:params:scim:schemas:     | Resource Type     | See       |
   | core:2.0:ResourceType             | Config            | Section 6 |
   | urn:ietf:params:scim:schemas:     | Schema            | See       |
   | core:2.0:Schema                   | Definitions       | Section 7 |
   |                                   | Schema            |           |
   +-----------------------------------+-------------------+-----------+

                    SCIM Server Related Schema URIs

11.  References

11.1.  Normative References

   [I-D.ietf-scim-api]
              Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C.
              Mortimore, "System for Cross-Domain Identity Management:
              Protocol", draft-ietf-scim-api-16 (work in progress),
              March 2015.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2141]  Moats, R., "URN Syntax", RFC 2141, May 1997.

   [RFC3553]  Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
              IETF URN Sub-namespace for Registered Protocol
              Parameters", BCP 73, RFC 3553, June 2003.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC3966]  Schulzrinne, H., "The tel URI for Telephone Numbers",
              RFC 3966, December 2004.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.

   [RFC4647]  Phillips, A. and M. Davis, "Matching of Language Tags",
              BCP 47, RFC 4647, September 2006.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, October 2006.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              October 2008.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", BCP 47, RFC 5646, September 2009.

   [RFC6557]  Lear, E. and P. Eggert, "Procedures for Maintaining the
              Time Zone Database", BCP 175, RFC 6557, February 2012.

   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014.

   [RFC7231]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.

   [RFC7232]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Conditional Requests", RFC 7232, June 2014.

11.2.  Informative References

   [ISO3166]  "ISO 3166:1988 (E/F) - Codes for the representation of
              names of countries - The International Organization for
              Standardization, 3rd edition", August 1988.

   [Olson-TZ] Internet Assigned Numbers Authority, "IANA Time Zone
              Database".

   [PortableContacts]
              Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only",
              August 2008.

   [RFC2277]  Alvestrand, H., "IETF Policy on Character Sets and
              Languages", BCP 18, RFC 2277, January 1998.

   [RFC4511]  Sermersheim, J., "Lightweight Directory Access Protocol
              (LDAP): The Protocol", RFC 4511, June 2006.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512,
              June 2006.

   [RFC6350]  Perreault, S., "vCard Format Specification", RFC 6350,
              August 2011.

   [RFC6749]  Hardt, D., "The OAuth 2.0 Authorization Framework",
              RFC 6749, October 2012.

   [XML-Schema]
              Peterson, D., Gao, S., Malhotra, A., Sperberg-McQueen, C.,
              and H. Thompson, "XML Schema Definition Language (XSD) 1.1
              Part 2: Datatypes", April 2012.

Appendix A.
Acknowledgements

   The editors would like to acknowledge the contribution and work of
   the past draft editors:

      Chuck Mortimore, Salesforce

      Patrick Harding, Ping

      Paul Madsen, Ping

      Trey Drake, UnboundID

   The SCIM Community would like to thank the following people for the
   work they've done in the research, formulation, drafting, editing,
   and support of this specification.

      Morteza Ansari (morteza.ansari@cisco.com)

      Sidharth Choudhury (schoudhury@salesforce.com)

      Samuel Erdtman (samuel@erdtman.se)

      Kelly Grizzle (kelly.grizzle@sailpoint.com)

      Chris Phillips (cjphillips@gmail.com)

      Erik Wahlstroem (erik@wahlstromstekniska.se)

      Phil Hunt (phil.hunt@yahoo.com)

   Special thanks to Joseph Smarr, whose excellent work on the Portable
   Contacts Specification [PortableContacts] provided a basis for the
   SCIM schema structure and text.

Appendix B.  Change Log

   [[This section to be removed prior to publication as an RFC]]

   Draft 02 - KG - Addition of schema extensibility

   Draft 03 - PH - Revisions based on the following tickets:

      09 - Attribute uniqueness

      10 - Returnability of attributes

      35 - Attribute mutability (replaces readOnly)

      52 - Minor textual changes

      53 - Standard use of term Client (some was consumer)

      56 - Make manager attribute consistent with other $ref attrs

      58 - Add optional id to ResourceType objects for consistency

      59 - Fix capitalization per IETF editor practices

      60 - Changed tags to normal and tags

   Draft 04 - PH - Revisions based on the following tickets:

      43 - Drop short-hand notation for complex multi-valued attributes

      61 - Specify attribute name limitations

      62 - Fix 'mutability' normative language

      63 - Fix incorrect EnterpriseUser schema reference

      68 - Update JSON references from RFC4627 to RFC7159

      71 - Made corrections to language tags in compliance with BCP47 /
           RFC5646

   Draft 05 - PH - Revisions based on the following tickets:

      23 - Clarified that the server is not required to preserve case
           for case-insensitive strings

      41 - Add IANA considerations

      72 - Added text to indicate UTF-8 is default and mandatory
           encoding format per BCP18

      - Typo corrections and removed some redundant text

   Draft 06 - PH - Revisions based on the following tickets:

      63 - Corrected enterprise user URI in 14.2 and section 7, URI
           namespace changes due to ticket #41

      66 - Updated reference to final HTTP/1.1 drafts (RFC 7230)

      41 - Add IANA considerations

      - Removed redundant text (e.g., SAML binding, replaced REST with
        HTTP)

      - Reordered introduction, definitions and notation sections to
        follow typical format

      - meta.attributes removed due to new PURGE command in draft 04 (no
        longer used)

   Draft 07 - PH - Edits and revisions

      - Dropped use of the term API in favour of HTTP protocol or just
        protocol.

      - Clarified meaning of null and unassigned

   Draft 08 - PH - Revised IANA namespace to urn:ietf:params:scim per
      RFC3553

   Draft 09 - PH - Editorial revisions and clarifications

      Removed duplicate text from Schema Schema section

      Removed "operation" attribute from Multi-valued Attribute sub-
      attribute definitions.  This was used in the old PATCH command and
      is no longer valid.

      Revised some layout to make indentation and definition of
      attributes more clear (added vspace elements)

   Draft 10 - PH - Editorial revisions

      Simplified namespace definition for urn:ietf:params:scim

      Clarified "schemas" attribute as representing the JSON body schema
      in an HTTP Req/Resp

      Reduced use of confusing term "core" in "Core User" and "Core
      Group"

      Added clarifications and security considerations for externalId

      Re-worded descriptions of SCIM schema extension model (sec 3) and
      core schema (sec 4) for improved clarity

   Draft 11 - PH - Clarification to definition of externalId

   Draft 12 - PH - Nits / Corrections

      Corrected use of RFC2119 words (e.g., MUST not to MUST NOT)

      Corrected JSON examples to be 72 characters or less per line

      Corrected enterprise User manager attribute to use sub-attribute
      value and make multi-valued

      Corrected sec 8.7, make members multi-valued in JSON

      Added missing definition for subattributes in sec 7, Schema
      Definition

   Draft 13 - PH - Correcting nits in externalId example and clarified
      phoneNumber & emails canonicalization

   Draft 14 - PH - Nits / Corrections

      Corrected JSON structure for example Schema (removed outer {}
      around array of schemas).

      Added example Group resource type to example of resource types in
      JSON

   Draft 15 - PH - Corrected schema in sec 7 to use defined types from
      sec 2.1

   Draft 16 - PH - Corrected photo.value from "type":"binary" to
      "type":"reference" (should be a URL)

   Draft 17 - PH - Changes as follows:

      Updated reference for XML-Schema to the 5 April 2012 XML Schema
      1.1 draft

      Added clarifications on attribute characteristics and Schema usage

      Added schema in section 8.7 for Schema, ServiceProviderConfig, and
      ResourceType

      Fixed nit in service provider config.

      Clarified binary attribute may be base64 or base64url encoding
      per RFC4648.  x509certificates are now base64 encoded.

      Clarified x509certificates values are DER certificates that are
      then base64 encoded

      Corrected "reference" attribute to use the "referenceTypes" meta-
      attribute that says what type of reference an attribute is.

   Draft 18 - PH - Comments from GenART and IANA review

      General edits and nits after Gen-ART and IANA review

      Add references to SCIM API protocol document where appropriate

      Added clarifications and privacy considerations to security
      considerations

      Clarified IANA section to create new "SCIM" registry

      Removed out-of-date "readOnly" attribute from Group schema
      (replaced a long time ago by "mutability").

Authors' Addresses

   Phil Hunt (editor)
   Oracle Corporation

   Email: phil.hunt@yahoo.com

   Kelly Grizzle
   SailPoint

   Email: kelly.grizzle@sailpoint.com

   Erik Wahlstroem
   Nexus Technology

   Email: erik.wahlstrom@nexusgroup.com

   Chuck Mortimore
   Salesforce.com

   Email: cmortimore@salesforce.com
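   The URN structure declared in Section 10.2.1 and the registration
   paths of Section 10.3.1 can be checked mechanically.  The following
   Python module is an added example; it is not part of this draft nor
   of any SCIM implementation, and its class and function names
   (ScimUrn, normalize, equivalent, parse, is_valid, registration_path)
   are the example's own.  The "api" URN used in its demonstration is
   constructed for it.  The module splits a SCIM URN into the {type},
   {name} and {:other} components, validates the NSS against the
   RFC 2141 character rules, compares URNs under the RFC 2141 lexical
   equivalence rule that Section 10.2.1 adopts (case-insensitive "urn:"
   and NID, case-insensitive %-escapes, case-sensitive remainder), and
   classifies, from the namespace alone, which registration path a
   request would take.

```python
"""SCIM URN parsing, validation and lexical comparison.

Added example, not part of draft-ietf-scim-core-schema.  It follows the
structure declared in Section 10.2.1,

    urn:ietf:params:scim:{type}:{name}{:other}

the RFC 2141 lexical-equivalence rule that section adopts, and the
registration paths of Sections 10.2.1 and 10.3.1.  All names below are
this example's own.
"""
import re
from dataclasses import dataclass

PREFIX = "urn:ietf:params:scim"

# "schemas" and "api" are the declared types; "param" is additionally
# reserved by the assignment process in Section 10.2.1.
KNOWN_TYPES = ("schemas", "api", "param")

# RFC 2141 <URN chars>: letters, digits, the <other> set, or %HH escapes.
# The <reserved> characters "%", "/", "?" and "#" may appear only escaped,
# and anything non-ASCII (or a space) is rejected outright.
_NSS_RE = re.compile(r"^(?:[A-Za-z0-9()+,\-.:=@;$_!*']|%[0-9A-Fa-f]{2})+$")


@dataclass(frozen=True)
class ScimUrn:
    kind: str     # "schemas", "api" or "param"
    name: str     # major namespace, e.g. "core" or an organization name
    other: tuple  # remaining colon-delimited sub-namespace components


def normalize(urn: str) -> str:
    """Canonical form for RFC 2141 lexical equivalence (section 5).

    "urn:" and the NID ("ietf" here) compare case-insensitively and %HH
    escapes compare case-insensitively; the rest of the NSS is
    case-sensitive, so only those two parts are folded.
    """
    parts = urn.split(":", 2)
    if len(parts) != 3 or parts[0].lower() != "urn" or not parts[1]:
        raise ValueError(f"not a URN: {urn!r}")
    _, nid, nss = parts
    if not _NSS_RE.match(nss):
        raise ValueError(f"NSS violates RFC 2141 syntax: {nss!r}")
    nss = re.sub(r"%[0-9A-Fa-f]{2}", lambda m: m.group(0).upper(), nss)
    return f"urn:{nid.lower()}:{nss}"


def equivalent(a: str, b: str) -> bool:
    """True if a and b are lexically equivalent URNs per RFC 2141."""
    return normalize(a) == normalize(b)


def parse(urn: str) -> ScimUrn:
    """Split a SCIM URN into its type, name and sub-namespace components.

    Raises ValueError if the URN is malformed, is not under
    urn:ietf:params:scim, uses an unknown type, or lacks the name.
    """
    canon = normalize(urn)
    if not canon.startswith(PREFIX + ":"):
        raise ValueError(f"not in the SCIM sub-namespace: {urn!r}")
    components = canon[len(PREFIX) + 1:].split(":")
    if len(components) < 2 or not all(components):
        raise ValueError(f"expected {PREFIX}:{{type}}:{{name}}: {urn!r}")
    kind, name, *other = components
    if kind not in KNOWN_TYPES:
        raise ValueError(f"unknown SCIM URN type {kind!r} in {urn!r}")
    return ScimUrn(kind, name, tuple(other))


def is_valid(urn: str) -> bool:
    """Boolean form of parse() for callers that do not want exceptions."""
    try:
        parse(urn)
    except ValueError:
        return False
    return True


def registration_path(urn: str) -> str:
    """Registration path implied by the namespace alone.

    The further rule that an RFC is required for URIs modifying schema
    already published in an RFC cannot be decided from the URN and is
    not considered here.
    """
    u = parse(urn)
    if u.kind in ("api", "param"):
        return "reserved for IETF-approved SCIM specifications"
    if u.name == "core":
        return "designated expert review and publication in an RFC"
    return "first-come-first-served after designated expert review"


if __name__ == "__main__":
    for uri in ("urn:ietf:params:scim:schemas:core:2.0:User",
                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
                "URN:IETF:params:scim:api:messages:2.0:ListResponse"):
        print(parse(uri), "->", registration_path(uri))
```

   Run stand-alone, the module prints the parsed form and registration
   path of the registered User and Enterprise User URIs from
   Section 10.4 and of the constructed "api" URN.  Because the NSS is
   case-sensitive under RFC 2141, "...:core:2.0:user" and
   "...:core:2.0:User" are distinct identifiers; a comparison that folds
   the whole string to lower case accepts as equal two identifiers the
   registry rules treat as different.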