Network Working Group                                       P. Hunt, Ed.
Internet-Draft                                                    Oracle
Intended status: Standards Track                              K. Grizzle
Expires: November 13, 2015                                     SailPoint
                                                           E. Wahlstroem
                                                        Nexus Technology
                                                            C. Mortimore
                                                              Salesforce
                                                            May 12, 2015


      System for Cross-Domain Identity Management: Core Schema
                    draft-ietf-scim-core-schema-20

Abstract

   The System for Cross-Domain Identity Management (SCIM) specifications
   are designed to make identity management in cloud-based applications
   and services easier.  The specification suite builds upon experience
   with existing schemas and deployments, placing specific emphasis on
   simplicity of development and integration, while applying existing
   authentication, authorization, and privacy models.  Its intent is to
   reduce the cost and complexity of user management operations by
   providing a common user schema and extension model, as well as
   binding documents to provide patterns for exchanging this schema
   using the HTTP protocol.

   This document provides a platform-neutral schema and extension model
   for representing users, groups, and other resource types in JSON
   format.
   This schema is intended for exchange and use with cloud service
   providers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 13, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction and Overview
     1.1.  Requirements Notation and Conventions
     1.2.  Definitions
   2.  SCIM Schema
     2.1.  Attributes
     2.2.  Attribute Characteristics
     2.3.  Attribute Data Types
       2.3.1.  String
       2.3.2.  Boolean
       2.3.3.  Decimal
       2.3.4.  Integer
       2.3.5.  DateTime
       2.3.6.  Binary
       2.3.7.  Reference
       2.3.8.  Complex
     2.4.  Multi-valued Attributes
     2.5.  Unassigned and Null Values
   3.  SCIM Resources
     3.1.  Common Attributes
     3.2.  Defining New Resource Types
     3.3.  Attribute Extensions to Resources
   4.  SCIM Core Resources and Extensions
     4.1.  User Resource Schema
       4.1.1.  Singular Attributes
       4.1.2.  Multi-valued Attributes
     4.2.  Group Resource Schema
     4.3.  Enterprise User Schema Extension
   5.  Service Provider Configuration Schema
   6.  ResourceType Schema
   7.  Schema Definition
   8.  JSON Representation
     8.1.  Minimal User Representation
     8.2.  Full User Representation
     8.3.  Enterprise User Extension Representation
     8.4.  Group Representation
     8.5.  Service Provider Configuration Representation
     8.6.  Resource Type Representation
     8.7.  Schema Representation
       8.7.1.  Resource Schema Representation
       8.7.2.  Service Provider Schema Representation
   9.  Security Considerations
     9.1.  Protocol
     9.2.  Password and Other Sensitive Security Data
     9.3.  Privacy
   10. IANA Considerations
     10.1.  Registration of SCIM URN Sub-namespace & SCIM Registry
     10.2.  URN Sub-Namespace for SCIM
       10.2.1.  Specification Template
     10.3.  Registering SCIM Schemas
       10.3.1.  Registration Procedure
       10.3.2.  Schema Registration Template
     10.4.  Initial SCIM Schema Registry
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Appendix A.  Acknowledgements
   Appendix B.  Change Log
   Authors' Addresses

1.  Introduction and Overview

   While there are existing standards for describing and exchanging user
   information, many of these standards can be difficult to implement
   and/or use; e.g., their wire protocols do not easily traverse
   firewalls and/or are not easily layered onto existing web protocols.
   As a result, many cloud providers implement non-standardized
   protocols for managing users within their services.
   This increases both the cost and complexity associated with
   organizations adopting products and services from multiple cloud
   providers, as they must perform redundant integration development.
   Similarly, cloud service providers seeking to interoperate with
   multiple application marketplaces or cloud identity providers would
   require pairwise integration.

   SCIM seeks to simplify this problem through a simple-to-implement
   specification suite that provides a common user schema and extension
   model, as well as a SCIM Protocol document that defines exchanging
   this schema via an HTTP-based protocol [I-D.ietf-scim-api].  [[RFC
   Editor: This document and the companion scim-api document should be
   published together]]  It draws inspiration and best practice from,
   and builds upon, existing user protocols and schemas from a wide
   variety of sources including, but not limited to, existing services
   exposed by cloud providers, PortableContacts [PortableContacts],
   vCards [RFC6350], and Lightweight Directory Access Protocol (LDAP)
   directory services [RFC4512].

   The SCIM protocol is an application-level protocol for provisioning
   and managing identity data specified through SCIM schemas.  The
   protocol supports creation, modification, retrieval, and discovery of
   core identity resources such as Users and Groups, using a subset of
   the HTTP methods (GET for retrieval of resources, POST for creation,
   searching and bulk modification, PUT for attribute replacement within
   resources, PATCH for partial update of attributes, and DELETE for
   removing resources).

   While the SCIM protocol and core schema specifications are intended
   to cover point-to-point scenarios, implementers and deployers should
   consider multi-hop and multi-party scenarios, such as a service
   provider acting as a general profile service for in-domain
   applications, as well as scenarios where a service provider in turn
   passes information to a third-party service provider, either by
   acting as a SCIM client or as a SCIM service provider.  Implementers
   and deployers should consider carefully their service level
   agreements and privacy agreements when distributing or propagating
   personal information (see also Privacy Considerations, Section 9.3).

   This document provides a JSON-based schema and extension model for
   representing users and groups, as well as service provider
   configuration.  This schema is intended for exchange and use with
   cloud service providers and other cross-domain scenarios.

1.1.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Throughout this document, values are quoted to indicate that they are
   to be taken literally.  When using these values in protocol messages,
   the quotes MUST NOT be used as part of the value.

   Throughout this document, all figures MAY contain spaces and extra
   line-wrapping for readability and space reasons.  Similarly, some
   URIs contained within examples have been shortened for space and
   readability reasons.

1.2.  Definitions

   Service Provider
      An HTTP web application that provides identity information via the
      SCIM protocol.

   Client
      A website or application that uses the SCIM protocol to manage
      identity data maintained by the service provider.  The client
      initiates SCIM HTTP requests to a target service provider.
   Provisioning Domain
      A provisioning domain is an administrative domain external to the
      domain of a service provider for legal or technical reasons.  For
      example, a SCIM client in an enterprise (provisioning client)
      communicates with a SCIM service provider that is owned or
      controlled by a different legal entity.

   Resource Type
      A type of resource that is managed by a service provider.  The
      resource type defines the resource name, endpoint URL, schemas,
      and other metadata that indicate where a resource is managed and
      how it is composed; e.g., "User" or "Group".

   Resource
      A service provider managed artifact containing one or more
      attributes; for example, a "User" or "Group".

   Endpoint
      An endpoint for a service provider is a defined base path relative
      to the service provider's Base URI (see the definitions in
      [I-D.ietf-scim-api]) over which SCIM operations MAY be performed
      against SCIM resources.  For example, assuming the service
      provider Base URI is "https://example.com/", "User" resources may
      be accessed at the "https://example.com/Users" or
      "https://example.com/v2/Users" (when including the protocol
      version, see Section 3.13 of [I-D.ietf-scim-api]) endpoint.
      Service provider schemas MAY be returned from the "/Schemas"
      endpoint.

   Schema
      A collection of attribute definitions that describe the contents
      of an entire or partial resource; e.g.,
      "urn:ietf:params:scim:schemas:core:2.0:User".  The attribute
      definitions define the name of the attribute, and metadata such as
      type (e.g., string, binary), cardinality (singular, multi,
      complex), mutability, and returnability.

   Singular Attribute
      A resource attribute that contains 0..1 values; e.g.,
      "displayName".

   Multi-valued Attribute
      A resource attribute that contains 0..n values; e.g., "emails".

   Simple Attribute
      A singular or multi-valued attribute whose value is a primitive;
      e.g., "String".  A simple attribute MUST NOT contain
      sub-attributes.

   Complex Attribute
      A singular or multi-valued attribute whose value is a composition
      of one or more simple attributes; e.g., "addresses" has the
      sub-attributes "streetAddress", "locality", "postalCode", and
      "country".

   Sub-Attribute
      A simple attribute that is contained within a complex attribute.

2.  SCIM Schema

   A SCIM server provides a set of resources, the allowable contents of
   which are defined by a set of schema URIs and a resource type.
   SCIM's schema is not a document-centric one such as [XML-Schema].
   Instead, SCIM's support of schema is attribute-based, where each
   attribute may have different type, mutability, cardinality, or
   returnability.  Validation of documents and messages is always
   performed by an intended receiver, as specified by the SCIM
   specifications.  Validation is performed by the receiver in the
   context of a SCIM protocol request (see [I-D.ietf-scim-api]).  For
   example, a SCIM service provider, upon receiving a request to replace
   an existing resource with a replacement JSON object, evaluates each
   asserted attribute based on its characteristics as defined in the
   relevant schema (e.g., mutability) and decides which attributes may
   be replaced or ignored.

   This specification provides a minimal core schema for representing
   users and groups (resources), encompassing common attributes found in
   many existing deployments and schemas.  In addition to the minimal
   core schema, this document also specifies a standardized means by
   which service providers may extend schemas to define new resources
   and attributes in both standardized and service provider specific
   cases.

   Resources are categorized into common resource types such as "User"
   or "Group".
   Collections of resources of the same type are usually contained
   within the same "container" ("folder") endpoint.

2.1.  Attributes

   A resource is a collection of attributes identified by one or more
   schemas.  Minimally, an attribute consists of the attribute name and
   at least one simple or complex value, either of which may be
   multi-valued.  For each attribute, SCIM schema defines the data type,
   plurality, mutability, and other distinguishing features of an
   attribute.

   Attribute names are case-insensitive and MAY be camel-cased (e.g.,
   "camelCase").  SCIM resources are represented in JSON [RFC7159] and
   MUST specify schema via the "schemas" attribute per Section 3.

   Attribute names MUST conform to the following ABNF rules:

      ATTRNAME   = ALPHA *(nameChar)
      nameChar   = "$" / "-" / "_" / DIGIT / ALPHA

                   Figure 1: ABNF for Attribute Names

   The above rules (and other rules in this specification) use the "Core
   Rules" from ABNF; see Appendix B of [RFC5234].  Unless otherwise
   specified in this specification, all ABNF strings are
   case-insensitive and the character set for these strings is
   US-ASCII.  For example, all attribute names defined by the above rule
   are case-insensitive.

   When defining attribute names, it should be noted that the hyphen
   ("-") is not permitted in JavaScript (and some other languages)
   attribute names.  While there are no known issues within the HTTP
   protocol and JSON notation, attribute names containing hyphens MAY
   need to be escaped when declaring corresponding names of JavaScript
   attributes.

2.2.  Attribute Characteristics

   If not otherwise stated in Section 7, SCIM attributes have the
   following characteristics:

   o  are OPTIONAL (not REQUIRED),

   o  are case-insensitive ("caseExact" is "false"),

   o  are modifiable ("mutability" is "readWrite"),

   o  are returned in response to queries ("returned" is "default"),

   o  have no canonical values (for example, the "type" sub-attribute in
      Section 2.4),

   o  are not unique ("uniqueness" is "none"), and

   o  are of type string (Section 2.3.1).

2.3.  Attribute Data Types

   Attribute data types are derived from JSON [RFC7159].  The JSON
   format defines a limited set of data types; hence, where appropriate,
   alternate JSON representations derived from XML Schema [XML-Schema]
   are defined below.  SCIM extensions SHOULD NOT introduce new data
   types.

   The following table maps each SCIM data type to its SCIM schema
   "type" value and the underlying JSON data type:

   +--------------+-----------------+----------------------------------+
   | SCIM Data    | SCIM Schema     | JSON Type                        |
   | Type         | "type"          |                                  |
   +--------------+-----------------+----------------------------------+
   | String       | "string"        | String per Sec. 7 [RFC7159]      |
   | Boolean      | "boolean"       | Value per Sec. 3 [RFC7159]       |
   | Decimal      | "decimal"       | Number per Sec. 6 [RFC7159]      |
   | Integer      | "integer"       | Number per Sec. 6 [RFC7159]      |
   | DateTime     | "dateTime"      | String per Sec. 7 [RFC7159]      |
   | Binary       | "binary"        | Base64 encoded String per Sec. 7 |
   |              |                 | [RFC7159]                        |
   | Reference    | "reference"     | String per Sec. 7 [RFC7159]      |
   | Complex      | "complex"       | Object per Sec. 4 [RFC7159]      |
   +--------------+-----------------+----------------------------------+

             Table 1: SCIM Data Type to JSON Representation

2.3.1.  String

   A sequence of zero or more Unicode characters encoded using UTF-8 as
   per [RFC2277] and [RFC3629].  The JSON format is defined in Section 7
   of [RFC7159].  A "String" attribute MAY specify a required data
   format.  Additionally, when "canonicalValues" is specified, service
   providers MAY restrict accepted values to the specified values.
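   The following Python is an added example and is not part of this
   specification.  It checks attribute names against the ABNF of
   Figure 1 and looks attributes up case-insensitively, as Section 2.1
   requires; the sample resource it carries is constructed for the
   example.  Note that, because ATTRNAME begins with ALPHA, the
   conventional "$ref" sub-attribute of Section 2.4 does not match
   Figure 1 as written, so the example admits that one name explicitly.

```python
"""Attribute-name handling for SCIM JSON (Section 2.1).

Added example, not code from the draft.  Names are checked against the
ABNF of Figure 1 and looked up case-insensitively.
"""
import re

# ATTRNAME = ALPHA *(nameChar) ; nameChar = "$" / "-" / "_" / DIGIT / ALPHA
_ATTRNAME = re.compile(r"[A-Za-z][A-Za-z0-9$_-]*")

# "$ref" (Section 2.4) begins with "$" and so does not match ATTRNAME as
# written; it is accepted here by name as the one conventional exception.
_CONVENTIONAL = {"$ref"}


def is_valid_attr_name(name) -> bool:
    """True if `name` matches the ATTRNAME rule (US-ASCII only)."""
    return isinstance(name, str) and _ATTRNAME.fullmatch(name) is not None


def case_variants(obj: dict) -> list:
    """Groups of keys that differ only in case, e.g. ["userName", "USERNAME"].

    Section 2.1 makes names case-insensitive, so such keys are one
    attribute given twice.  A receiver that validates "userName" but
    stores whichever spelling it sees last would keep a value it never
    checked, so a resource with any group here should be rejected rather
    than resolved by picking one.
    """
    seen = {}
    for key in obj:
        seen.setdefault(key.lower(), []).append(key)
    return [group for group in seen.values() if len(group) > 1]


def get_attr(obj: dict, name: str, default=None):
    """Case-insensitive lookup; raises if `name` is present in two spellings."""
    matches = [k for k in obj if k.lower() == name.lower()]
    if len(matches) > 1:
        raise ValueError(f"attribute given in several spellings: {matches}")
    return obj[matches[0]] if matches else default


def invalid_names(obj: dict, path: str = "") -> list:
    """Paths of attribute names, at any depth, that violate Figure 1.

    Top-level keys containing ':' are schema-extension URIs that hold
    extended attributes (Section 3), not attribute names; they are
    descended into but not themselves checked.
    """
    bad = []
    for key, value in obj.items():
        here = f"{path}.{key}" if path else key
        is_ext_uri = path == "" and ":" in key
        if not is_ext_uri and key not in _CONVENTIONAL and not is_valid_attr_name(key):
            bad.append(here)
        for child in (value if isinstance(value, list) else [value]):
            if isinstance(child, dict):
                bad.extend(invalid_names(child, here))
    return bad


# Constructed sample (not from the draft): a valid extension block, a
# sub-attribute name with a space, one starting with a digit, and a
# case variant of "userName".
SAMPLE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "bjensen@example.com",
    "USERNAME": "mallory@example.com",
    "groups": [{"value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
                "$ref": "Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
                "display": "Tour Guides"}],
    "name": {"family Name": "Jensen", "2ndName": "J"},
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "701984", "cost-center": "4130"},
}
```

   Run against SAMPLE, invalid_names() reports "name.family Name" and
   "name.2ndName", and case_variants() reports the "userName" /
   "USERNAME" pair; get_attr(SAMPLE, "username") raises rather than
   silently choosing one of the two values.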
2.3.2.  Boolean

   The literal "true" or "false".  The JSON format is defined in
   Section 3 of [RFC7159].  A boolean has no case sensitivity or
   uniqueness.

2.3.3.  Decimal

   A real number with at least one digit to the left and right of the
   period.  The JSON format is defined in Section 6 of [RFC7159].  A
   decimal has no case sensitivity.

2.3.4.  Integer

   A decimal number with no fractional digits.  The JSON format is
   defined in Section 6 of [RFC7159] with the additional constraint that
   the value MUST NOT contain fractional or exponent parts.  An integer
   has no case sensitivity.

2.3.5.  DateTime

   A DateTime value (e.g., 2008-01-23T04:56:22Z).  The attribute value
   MUST be encoded as a valid xsd:dateTime as specified in Section 3.3.7
   of [XML-Schema].  A date-time has no case sensitivity or uniqueness.

   Values represented in JSON MUST conform to the XML constraints above
   and are represented as a JSON String per Section 7 of [RFC7159].

2.3.6.  Binary

   Arbitrary binary data.  The attribute value MUST be encoded in base64
   encoding as specified in Section 4 of [RFC4648].  In cases where a
   URL-safe encoding is required, the attribute definition MAY specify
   that base64url encoding be used, as per Section 5 of [RFC4648].
   Unless otherwise specified in the attribute definition, trailing
   padding characters ("=") MAY be omitted.

   In JSON representation, the encoded values are represented as a JSON
   String per Section 7 of [RFC7159].  A binary is case-exact and has no
   uniqueness.

2.3.7.  Reference

   The value is a URI for a resource.  A resource MAY be a SCIM
   resource, an external link to a resource (e.g., a photo), or it may
   be an identifier such as a URN.  The value MUST be the absolute or
   relative URI of the target resource.  Relative URIs should be
   resolved as specified in Section 5.2 of [RFC3986].  However, the base
   URI for relative URI resolution MUST include all URI components and
   path segments up to, but not including, the Endpoint URI (the SCIM
   service provider root endpoint); e.g., the base URI for a request to
   "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
   would be "https://example.com/v2/", and the relative URI for this
   resource would be "Users/2819c223-7f76-453a-919d-413861904646".

   In JSON representation, the URI value is represented as a JSON String
   per Section 7 of [RFC7159].  A reference is case-exact.  A reference
   has a "referenceType" that indicates what types of resources may be
   linked, as per Section 7.

   Performing a GET operation on a reference URI MUST return the target
   resource or an appropriate HTTP response code.  The service provider
   MAY optionally choose to enforce referential integrity for reference
   types referring to SCIM resources.

   By convention, a reference is commonly represented as a "$ref"
   sub-attribute in complex or multi-valued attributes; however, this is
   OPTIONAL.

2.3.8.  Complex

   A singular or multi-valued attribute whose value is a composition of
   one or more simple attributes.  The JSON format is defined in
   Section 4 of [RFC7159].  The order of the component attributes is not
   significant.  Servers and clients MUST NOT require or expect
   attributes to be in any specific order when an object is either
   generated or analyzed.  A complex attribute has no uniqueness or case
   sensitivity.  A complex attribute MUST NOT contain sub-attributes
   that have sub-attributes (i.e., that are complex).

2.4.  Multi-valued Attributes

   Multi-valued attributes contain a list of elements using the JSON
   array format defined in Section 5 of [RFC7159].  Elements can be
   either

   o  primitive values, or

   o  objects with a set of sub-attributes and values, using the JSON
      object format defined in Section 4 of [RFC7159], in which case
      they MAY also be considered to be complex attributes.  As with
      complex attributes, the order of sub-attributes is not
      significant.  The pre-defined sub-attributes listed in this
      section can be used with multi-valued attribute objects, but these
      sub-attributes MUST be used with the meanings defined here.

   The pre-defined set of sub-attributes for a multi-valued attribute
   is:

   type
      A label indicating the attribute's function; e.g., "work" or
      "home".

   primary
      A Boolean value indicating the 'primary' or preferred attribute
      value for this attribute, e.g., the preferred mailing address or
      the primary e-mail address.  The primary attribute value "true"
      MUST appear no more than once.  If not specified, the value of
      "primary" SHALL be assumed to be "false".

   display
      A human-readable name, primarily used for display purposes, that
      has a mutability of "immutable".

   value
      The attribute's significant value; e.g., the e-mail address, phone
      number, etc.

   $ref
      The reference URI of a target resource, if the attribute is a
      reference.  URIs are canonicalized per Section 6.2 of [RFC3986].
      While the representation of a resource MAY vary in different SCIM
      protocol API versions (see Section 3.13 of [I-D.ietf-scim-api]),
      URIs for SCIM resources with an API version SHALL be considered
      comparable to one without a version or with a different version.
      For example, "https://example.com/Users/12345" is equivalent to
      "https://example.com/v2/Users/12345".

   When returning multi-valued attributes, service providers SHOULD
   canonicalize the value returned (e.g., by returning a value for the
   sub-attribute "type" such as "home" or "work") when appropriate
   (e.g., for e-mail addresses and URLs).
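   The following Python is an added example and is not part of this
   specification.  It validates already-parsed JSON values against the
   data types of Section 2.3, including the integer, dateTime, binary,
   and complex constraints above, and checks the "primary" and
   (type, value) rules of Section 2.4 for object-valued multi-valued
   attributes.  The sample values named in the notes below are
   constructed for the example.

```python
"""Value checks for the SCIM data types of Section 2.3 and the
multi-valued attribute rules of Section 2.4.

Added example, not code from the draft.  It assumes the JSON body has
already been parsed with Python's json module, so the checks run on the
parsed values: an "integer" that arrived as 42.0 or 4.2e1 is a float and
is rejected, and JSON true/false (Python bool, a subclass of int) is
never accepted as a number.
"""
import base64
import binascii
import math
import re
from datetime import datetime

# xsd:dateTime lexical form; years before 0001 and the 24:00:00 end-of-day
# form are not handled here.
_DATETIME = re.compile(
    r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?"
    r"(Z|[+-]\d{2}:\d{2})?")
# base64 (Section 4 of RFC 4648) and base64url (Section 5) alphabets
_B64 = {False: re.compile(r"[A-Za-z0-9+/]*={0,2}"),
        True: re.compile(r"[A-Za-z0-9_-]*={0,2}")}


def _is_datetime(v) -> bool:
    m = isinstance(v, str) and _DATETIME.fullmatch(v)
    if not m:
        return False
    try:  # reject month 13, day 32, hour 25 and the like
        datetime(*(int(g) for g in m.groups()[:6]))
    except ValueError:
        return False
    tz = m.group(7)
    return tz in (None, "Z") or (int(tz[1:3]) <= 14 and int(tz[4:6]) <= 59)


def _is_binary(v, url_safe: bool = False) -> bool:
    if not isinstance(v, str) or not _B64[url_safe].fullmatch(v):
        return False
    s = v.translate(str.maketrans("-_", "+/")) if url_safe else v
    try:  # trailing "=" MAY be omitted, so restore it before decoding
        base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
        return True
    except binascii.Error:
        return False


def _is_complex(v) -> bool:
    """An object whose sub-attributes are simple (no nested complex values)."""
    if not isinstance(v, dict):
        return False
    for sub in v.values():
        if any(isinstance(i, dict) for i in (sub if isinstance(sub, list) else [sub])):
            return False
    return True


_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    # json.loads accepts NaN/Infinity by default although they are not JSON
    "decimal": lambda v: (isinstance(v, (int, float)) and not isinstance(v, bool)
                          and math.isfinite(v)),
    "dateTime": _is_datetime,
    "binary": _is_binary,
    "reference": lambda v: isinstance(v, str) and v != "" and not re.search(r"\s", v),
    "complex": _is_complex,
}


def validate_value(scim_type: str, value, multi_valued: bool = False) -> bool:
    """True if `value` is well-formed for `scim_type` (a Table 1 "type").
    For a multi-valued attribute the value must be a JSON array whose
    elements each pass the check."""
    check = _CHECKS[scim_type]
    if multi_valued:
        return isinstance(value, list) and all(check(v) for v in value)
    return check(value)


def check_multi_valued(elements: list, case_exact: bool = False) -> list:
    """Section 2.4 rules for object-valued multi-valued attributes: "primary"
    true on at most one element, and no (type, value) pair repeated.  The
    same value under two different types is allowed."""
    errors, seen = [], set()
    primaries = sum(1 for e in elements if e.get("primary") is True)
    if primaries > 1:
        errors.append(f'"primary" is true on {primaries} elements; at most one allowed')
    for e in elements:
        v = e.get("value")
        key = (str(e.get("type", "")).lower(),
               v.lower() if isinstance(v, str) and not case_exact else v)
        if key in seen:
            errors.append(f"duplicate (type, value) pair: {key}")
        seen.add(key)
    return errors
```

   With this, validate_value("integer", 42) holds but
   validate_value("integer", 42.0) and validate_value("integer", True)
   do not; "aGVsbG8" (padding omitted) and "aGVsbG8=" are both accepted
   as binary; and a complex value whose sub-attribute is itself an
   object is rejected, as Section 2.3.8 requires.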
   Service providers MAY return element objects with the same "value"
   sub-attribute more than once with a different "type" sub-attribute
   (e.g., the same e-mail address may be used for work and home), but
   SHOULD NOT return the same (type, value) combination more than once
   per attribute, as this complicates processing by the consumer.

   When defining schema for multi-valued attributes, it is considered a
   good practice to provide a "type" sub-attribute that MAY be used for
   the purpose of canonicalization of values.  Further, the schema
   definition for an attribute MAY define the recommended canonical
   values (see Section 7).

2.5.  Unassigned and Null Values

   Unassigned attributes, the null value, or an empty array (in the case
   of a multi-valued attribute) SHALL be considered to be equivalent in
   "state".  Assigning an attribute the value "null" or an empty array
   (in the case of multi-valued attributes) has the effect of making the
   attribute "unassigned".  When a resource is expressed in JSON form,
   unassigned attributes, though they are defined in schema, MAY be
   omitted for compactness.

3.  SCIM Resources

   Each SCIM resource is a JSON object that has the following
   components:

   Resource Type
      Each resource (or JSON object) in SCIM has a resource type
      ("meta.resourceType", see Section 3.1) that defines the resource's
      core attribute schema and any attribute extension schema, as well
      as the endpoint where objects of the same type may be found.  More
      information about a resource MAY be found in its resourceType
      definition (see Section 6).

   Schemas Attribute
      The "schemas" attribute is a REQUIRED attribute that MUST be
      present and is an array of Strings containing URIs which are used
      to indicate the namespaces of the SCIM schemas that define the
      attributes present in the current JSON structure.  It may be used
      by parsers to define the attributes present in the JSON structure
      that is the body of an HTTP request or response.  Each String
      value must be a unique URI.  All representations of SCIM schemas
      MUST include a non-empty array with value(s) of the URIs supported
      by that representation.  The "schemas" attribute for a resource
      MUST only contain values defined as "schema" and
      "schemaExtensions" for the resource's "resourceType".  Duplicate
      values MUST NOT be included.  Value order is not specified and
      MUST NOT impact behavior.

   Common Attributes
      Attributes that are part of every SCIM resource regardless of the
      value of the "schemas" attribute present in a JSON body.  These
      attributes are not defined in any particular schema, but SHALL be
      assumed to be present in every resource regardless of the value
      of the "schemas" attribute.  See Section 3.1.

   Core Attributes
      A resource's core attributes are those attributes that sit at the
      top level of the JSON object together with the common attributes
      (such as the resource "id").  The list of valid attributes is
      specified by the resource's resource type "schema" attribute (see
      Section 6).  This same value is also present in the resource's
      "schemas" attribute.

   Extended Attributes
      Extended schema attributes are specified by the resource's
      resource type "schemaExtensions" attribute (see Section 6).
      Unlike core attributes, extended attributes are kept in their own
      sub-attribute namespace identified by the schema extension URI.
      This avoids attribute name conflicts that may arise between
      separate schema extensions.

   The following example "User" contains the common attributes "id" and
   "externalId", and the complex attribute "meta", which contains the
   sub-attribute "resourceType".  The resource also contains the core
   attributes "userName" and "name", as well as the extended enterprise
   user attributes "employeeNumber" and "costCenter", which are
   contained in their own JSON sub-structure identified by their schema
   URI.  Some values have been omitted (...), shortened, or spaced out
   for clarity.

   {
     "schemas":
       [ "urn:ietf:params:scim:schemas:core:2.0:User",
         "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],

     "id": "2819c223-7f76-453a-413861904646",
     "externalId": "701984",

     "userName": "bjensen@example.com",
     "name": {
       "formatted": "Ms. Barbara J Jensen III",
       "familyName": "Jensen",
       "givenName": "Barbara",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     ...

     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
       "employeeNumber": "701984",
       "costCenter": "4130",
       ...
     },

     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff591\"",
       "location":
        "https://example.com/v2/Users/2819c223-7f76-453a-413861904646"
     }
   }

               Figure 2: Example JSON Resource Structure

3.1.  Common Attributes

   Each SCIM resource (Users, Groups, etc.) includes the following
   common attributes.  With the exception of the "ServiceProviderConfig"
   and "ResourceType" server discovery endpoints and their associated
   resources, these attributes MUST be defined for all resources,
   including any extended resource types.  When accepted by a service
   provider (e.g., after a SCIM create), the attributes "id" and "meta"
   (and its associated sub-attributes) MUST be assigned values by the
   service provider.  Common attributes are considered to be part of
   every base resource schema and do not use their own schema URI, and
   SHALL NOT be considered schema extensions.
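   The following Python is an added example and is not part of this
   specification.  It applies the "schemas" rules of Section 3 against a
   ResourceType description built in the shape Section 6 describes (the
   "User" entry in the code is constructed for the example), checks that
   extended attributes sit under a declared extension URI that is also
   listed in "schemas", and normalizes null and empty-array values to
   the "unassigned" state of Section 2.5.

```python
"""Resource-structure checks for Sections 2.5 and 3.

Added example, not code from the draft.  USER_TYPE below is a
constructed ResourceType entry with the "schema" and "schemaExtensions"
members Section 6 describes.
"""
USER_CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed ResourceType description for "User" (assumption for the example).
USER_TYPE = {"id": "User", "schema": USER_CORE,
             "schemaExtensions": [{"schema": ENTERPRISE}]}


def check_schemas(resource: dict, rtype: dict) -> list:
    """Section 3 rules for "schemas": a non-empty array, no duplicates, and
    only the resource type's "schema" and "schemaExtensions" URIs."""
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        return ['"schemas" MUST be a non-empty array']
    errors = []
    if len(set(schemas)) != len(schemas):
        errors.append('"schemas" MUST NOT contain duplicate values')
    allowed = {rtype["schema"]} | {e["schema"] for e in rtype.get("schemaExtensions", [])}
    for uri in schemas:
        if uri not in allowed:
            errors.append(f"schema {uri!r} is not defined for resource type {rtype['id']!r}")
    return errors


def check_extensions(resource: dict, rtype: dict) -> list:
    """Extended attributes live under their extension URI (Section 3).  The
    URI must be a declared extension, must be listed in "schemas", and must
    hold an object.  Attribute names cannot contain ':' (Figure 1), so any
    top-level key with ':' is taken to be such a namespace; an undeclared
    one is data no schema defines and should not be stored silently."""
    declared = {e["schema"] for e in rtype.get("schemaExtensions", [])}
    listed = set(resource.get("schemas") or [])
    errors = []
    for key, value in resource.items():
        if ":" not in key:  # core or common attribute name
            continue
        if key not in declared:
            errors.append(f"unknown extension namespace {key!r}")
        elif key not in listed:
            errors.append(f'extension {key!r} used but not listed in "schemas"')
        if not isinstance(value, dict):
            errors.append(f"extension {key!r} must hold an object of attributes")
    return errors


def normalize_unassigned(obj: dict) -> dict:
    """Section 2.5: absence, null and [] are one state ("unassigned").  Drop
    such members, recursing into complex values, so that two
    representations of the same resource compare equal."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            value = normalize_unassigned(value)
        if value is None or value == []:
            continue
        out[key] = value
    return out


def is_unassigned(resource: dict, attr: str) -> bool:
    """True for an absent attribute, a null value, or an empty array."""
    value = resource.get(attr)
    return value is None or value == []
```

   A resource carrying the enterprise extension block without listing
   its URI in "schemas", or carrying a block under a URI the resource
   type does not declare, is reported by check_extensions(); both
   check functions return an empty list for a well-formed resource.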
   For backwards compatibility reasons, some existing schema MAY list
   common attributes as part of the schema.  The attribute
   characteristics listed here SHALL take precedence.

   id
      A unique identifier for a SCIM resource as defined by the service
      provider.  Each representation of the resource MUST include a
      non-empty "id" value.  This identifier MUST be unique across the
      SCIM service provider's entire set of resources.  It MUST be a
      stable, non-reassignable identifier that does not change when the
      same resource is returned in subsequent requests.  The value of
      the "id" attribute is always issued by the service provider and
      MUST NOT be specified by the client.  The string "bulkId" is a
      reserved keyword and MUST NOT be used within any unique identifier
      value.  The attribute characteristics are "caseExact" as "true"
      and a mutability of "readOnly".  See Section 9 for additional
      considerations regarding privacy.

   externalId
      A String that is an identifier for the resource as defined by the
      provisioning client.  The "externalId" may simplify identification
      of a resource between the provisioning client and the service
      provider by allowing the client to use a filter to locate the
      resource with an identifier from the provisioning domain,
      obviating the need to store a local mapping between the
      provisioning domain's identifier of the resource and the
      identifier used by the service provider.  Each resource MAY
      include a non-empty "externalId" value.  The value of the
      "externalId" attribute is always issued by the provisioning client
      and MUST NOT be specified by the service provider.  The service
      provider MUST always interpret the externalId as scoped to the
      provisioning domain.  While the server does not enforce
      uniqueness, it is assumed that the value's uniqueness is
      controlled by the client setting the value.
      See Section 9 for additional considerations regarding privacy.
      The attribute has "caseExact" as "true" and has a mutability of
      "readWrite".  The attribute is OPTIONAL.

   meta
      A complex attribute containing resource metadata.  All meta
      sub-attributes are asserted by the service provider and SHALL be
      ignored when provided by clients:

      resourceType  The name of the resource type of the resource.  This
         attribute has mutability of "readOnly" and has "caseExact" as
         "true".  The attribute is REQUIRED when provided by the service
         provider.

      created  The DateTime the resource was added to the service
         provider.  The attribute MUST be a DateTime.  This attribute
         has mutability of "readOnly".

      lastModified  The most recent DateTime the details of this
         resource were updated at the service provider.  If this
         resource has never been modified since its initial creation,
         the value MUST be the same as the value of created.  The
         attribute MUST be a DateTime and has mutability of "readOnly".
         The attribute is REQUIRED when provided by the service
         provider.

      location  The URI of the resource being returned.  This value MUST
         be the same as the "Content-Location" HTTP response header (see
         Section 3.1.4.2 [RFC7231]).  The attribute has mutability of
         "readOnly".  The attribute is REQUIRED when provided by the
         service provider.

      version  The version of the resource being returned.  This value
         must be the same as the ETag HTTP response header (See Sections
         2.1 and 2.3 of [RFC7232]).  The attribute has mutability of
         "readOnly" and has "caseExact" as "true".  The attribute is
         OPTIONAL subject to the service provider's support for
         versioning (see "Versioning Resources", Section 3.14
         [I-D.ietf-scim-api]).
         If a service provider provides "version" (entity-tag) for a
         representation and the generation of that entity-tag does not
         satisfy all of the characteristics of a strong validator (see
         Section 2.1, [RFC7232]), then the origin server MUST mark the
         "version" (entity-tag) as weak by prefixing its opaque value
         with "W/" (case-sensitive).

3.2.  Defining New Resource Types

   SCIM may be extended to define new classes of resources by defining a
   resource type.  Each resource type defines the name, endpoint, base
   schema (the attributes), and any schema extensions registered for use
   with the resource type.  In order to offer new types of resources, a
   service provider defines the new resource type as specified in
   Section 6 and defines a schema representation (see Section 8.7).

3.3.  Attribute Extensions to Resources

   SCIM allows resource types to have extensions in addition to their
   core schema.  This is similar to how "ObjectClasses" are used in LDAP
   [RFC4512].  However, unlike LDAP there is no inheritance model; all
   extensions are additive (similar to LDAP Auxiliary Object Class).
   Each value in the "schemas" attribute indicates additive schema that
   MAY exist in a SCIM resource representation.  The "schemas" attribute
   MUST contain at least one value which SHALL be the base schema for
   the resource.  The "schemas" attribute MAY contain additional values
   indicating extended schemas that are in use.  Schema extensions
   SHOULD avoid redefining any attributes defined in this specification
   and SHOULD follow conventions defined in this specification.  Except
   for the base object schema, the schema extension URI SHALL be used as
   a JSON container to distinguish attributes belonging to the extension
   namespace from base schema attributes.  See Figure 5 for an example
   of the JSON representation of an extended User.
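   The "schemas" rules of Section 3 and the extension-container rule
   above, as an added validation routine that is not part of this draft:
   the ResourceType entry, the sample resource, the hand-listed set of
   core User attribute names and all function names are assumptions
   constructed for the example.

```python
"""Validate a SCIM resource's "schemas" attribute and its extension
containers against the ResourceType named by meta.resourceType.
Added example; ResourceType entry, sample resource, attribute-name
sets and function names are constructed, not taken from the draft."""

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed ResourceType in the shape of Section 6; the enterprise
# extension is registered but not required for this resource type.
RESOURCE_TYPES = {
    "User": {
        "name": "User",
        "endpoint": "/Users",
        "schema": CORE_USER,
        "schemaExtensions": [{"schema": ENTERPRISE_USER, "required": False}],
    }
}

COMMON_ATTRIBUTES = {"schemas", "id", "externalId", "meta"}
# Core User attribute names from Section 4.1 (assumption: hand-listed).
CORE_USER_ATTRIBUTES = {
    "userName", "name", "displayName", "nickName", "profileUrl", "title",
    "userType", "preferredLanguage", "locale", "timezone", "active",
    "password", "emails", "phoneNumbers", "ims", "photos", "addresses",
    "groups", "entitlements", "roles", "x509Certificates",
}


def validate_schemas(resource, resource_type):
    """Return the list of rule violations; an empty list means conformance."""
    problems = []
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or not schemas:
        return ['"schemas" MUST be a non-empty array']
    if len(set(schemas)) != len(schemas):
        problems.append('"schemas" MUST NOT contain duplicate values')

    base = resource_type["schema"]
    extensions = {e["schema"]: e["required"]
                  for e in resource_type.get("schemaExtensions", [])}
    # Only the resource type's "schema" and "schemaExtensions" may appear.
    for uri in schemas:
        if uri != base and uri not in extensions:
            problems.append(f"URI not defined for this resourceType: {uri}")
    if base not in schemas:  # the base schema MUST always be listed
        problems.append(f'base schema missing from "schemas": {base}')
    for uri, required in extensions.items():
        if required and uri not in schemas:
            problems.append(f"required schema extension missing: {uri}")

    # Extension attributes live in a container keyed by their URI
    # (Section 3.3); anything else at top level must be common or core.
    for key, value in resource.items():
        if key in extensions:
            if key not in schemas:
                problems.append(f'extension container {key} not listed in "schemas"')
            if not isinstance(value, dict):
                problems.append(f"extension container {key} MUST be a JSON object")
        elif key not in COMMON_ATTRIBUTES and key not in CORE_USER_ATTRIBUTES:
            problems.append(f"unknown top-level attribute: {key}")
    return problems


def validate_resource(resource, resource_types=RESOURCE_TYPES):
    """Look up the ResourceType via meta.resourceType, then validate."""
    name = resource.get("meta", {}).get("resourceType")
    resource_type = resource_types.get(name)
    if resource_type is None:
        return [f"unknown meta.resourceType: {name!r}"]
    return validate_schemas(resource, resource_type)


# Constructed sample in the shape of Figure 2 (values shortened).
SAMPLE_USER = {
    "schemas": [CORE_USER, ENTERPRISE_USER],
    "id": "2819c223-7f76-453a-413861904646",
    "externalId": "701984",
    "userName": "bjensen@example.com",
    "name": {"familyName": "Jensen", "givenName": "Barbara"},
    ENTERPRISE_USER: {"employeeNumber": "701984", "costCenter": "4130"},
    "meta": {"resourceType": "User"},
}

if __name__ == "__main__":
    print(validate_resource(SAMPLE_USER))  # [] for the conforming sample
```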
   In order to determine which URI value in the "schemas" attribute is
   the base schema and which is extended schema for any given resource,
   the resource's "resourceType" attribute value MAY be used to retrieve
   the resource's "ResourceType" schema (Section 6).  See example
   "ResourceType" representation in Figure 8.

4.  SCIM Core Resources and Extensions

   This section defines the default resources schemas present in a SCIM
   server.  SCIM is not exclusive to these resources, and may be
   extended to support other resource types (see Section 3.2).

4.1.  User Resource Schema

   SCIM provides a resource type for "User" resources.  The core schema
   for "User" is identified using the URI:
   "urn:ietf:params:scim:schemas:core:2.0:User".  The following
   attributes are defined in addition to the core schema attributes:

4.1.1.  Singular Attributes

   userName
      A service provider unique identifier for the user, typically used
      by the user to directly authenticate to the service provider.
      Often displayed to the user as their unique identifier within the
      system (as opposed to "id" or "externalId", which are generally
      opaque and not user-friendly identifiers).  Each User MUST include
      a non-empty userName value.  This identifier MUST be unique across
      the service provider's entire set of Users.  The attribute is
      REQUIRED and is case-insensitive.

   name
      The components of the user's real name.  Service providers MAY
      return just the full name as a single string in the formatted
      sub-attribute, or they MAY return just the individual component
      attributes using the other sub-attributes, or they MAY return
      both.  If both variants are returned, they SHOULD be describing
      the same name, with the formatted name indicating how the
      component attributes should be combined.
      formatted  The full name, including all middle names, titles, and
         suffixes as appropriate, formatted for display (e.g., "Ms.
         Barbara Jane Jensen, III.").

      familyName  The family name of the User, or last name in most
         Western languages (e.g., "Jensen" given the full name "Ms.
         Barbara Jane Jensen, III.").

      givenName  The given name of the User, or first name in most
         Western languages (e.g., "Barbara" given the full name "Ms.
         Barbara Jane Jensen, III.").

      middleName  The middle name(s) of the User (e.g., "Jane" given the
         full name "Ms. Barbara Jane Jensen, III.").

      honorificPrefix  The honorific prefix(es) of the User, or title in
         most Western languages (e.g., "Ms." given the full name "Ms.
         Barbara Jane Jensen, III.").

      honorificSuffix  The honorific suffix(es) of the User, or suffix
         in most Western languages (e.g., "III." given the full name
         "Ms. Barbara Jane Jensen, III.").

   displayName
      The name of the user, suitable for display to end-users.  Each
      user returned MAY include a non-empty displayName value.  The name
      SHOULD be the full name of the User being described if known
      (e.g., "Babs Jensen" or "Ms. Barbara J Jensen, III"), but MAY be
      a username or handle, if that is all that is available (e.g.,
      "bjensen").  The value provided SHOULD be the primary textual
      label by which this User is normally displayed by the service
      provider when presenting it to end-users.

   nickName
      The casual way to address the user in real life, e.g., "Bob" or
      "Bobby" instead of "Robert".  This attribute SHOULD NOT be used to
      represent a User's username (e.g., bjensen or mpepperidge).

   profileUrl
      A URI that is a uniform resource locator (as defined in
      Section 1.1.3 [RFC3986]), that points to a location representing
      the user's online profile (e.g. a web page).  URIs are
      canonicalized per Section 6.2 of [RFC3986].
   title
      The user's title, such as "Vice President".

   userType
      Used to identify the organization to user relationship.  Typical
      values used might be "Contractor", "Employee", "Intern", "Temp",
      "External", and "Unknown" but any value may be used.

   preferredLanguage
      Indicates the user's preferred written or spoken languages and is
      generally used for selecting a localized User interface.  The
      value indicates the set of natural languages that are preferred.
      The format of the value is the same as the Accept-Language header
      field (not including "Accept-Language:") of HTTP and is specified
      in Section 5.3.5 of [RFC7231].  The intent of this value is to
      enable cloud applications to perform matching of language tags
      [RFC4647] to the user's language preferences regardless of what
      may be indicated by a user agent (which might be shared), or in a
      non-user present interaction (such as in a delegated OAuth2
      [RFC6749] style interaction) where normal HTTP Accept-Language
      header negotiation cannot take place.

   locale
      Used to indicate the User's default location for purposes of
      localizing items such as currency, date time format, numerical
      representations, etc.  A valid value is a language tag as defined
      in [RFC5646].  Computer languages are explicitly excluded.

      A language tag is a sequence of one or more case-insensitive
      sub-tags, each separated by a hyphen character ("-", %x2D).  For
      backwards compatibility reasons, servers MAY accept tags separated
      by an underscore character ("_", %5F).  In most cases, a language
      tag consists of a primary language sub-tag that identifies a broad
      family of related languages (e.g., "en" = English) which is
      optionally followed by a series of sub-tags that refine or narrow
      that language's range (e.g., "en-CA" = the variety of English as
      communicated in Canada).  Whitespace is not allowed within a
      language tag.
      Example tags include:

         fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN

      See [RFC5646] for further information.

   timezone
      The User's time zone in IANA Time Zone database format [RFC6557],
      also known as "Olson" timezone database format [Olson-TZ]; for
      example: "America/Los_Angeles".

   active
      A Boolean value indicating the user's administrative status.  The
      definitive meaning of this attribute is determined by the service
      provider.  As a typical example, a value of true implies the user
      is able to log in while a value of false implies the user's
      account has been suspended.

   password
      This attribute is intended to be used as a means to set, replace,
      or compare (i.e., filter for equality) a password.  The clear-text
      value or the hashed value of a password SHALL NOT be returnable by
      a service provider.  If a service provider holds the value
      locally, the value SHOULD be hashed.  When a password is set or
      changed, the clear text password SHOULD be:

      *  Prepared for international language comparison.  See
         Section 7.7 of [I-D.ietf-scim-api].

      *  Validated against server password policy.  Note: the definition
         and enforcement of password policy is beyond the scope of this
         document.

      *  And, is hashed or encrypted.  See Section 9.2 for acceptable
         hashing and encryption handling when storing or persisting for
         provisioning workflow reasons.

      A service provider that immediately passes the value on to another
      system or programming interface, MAY pass the value directly over
      a secured connection (e.g., TLS).  If the value needs to be
      temporarily persisted for a period of time (e.g., because of a
      workflow) before provisioning, then the value MUST be protected by
      some method such as encryption.

      Testing for an equality match MAY be supported if there is an
      existing stored hashed value.
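      The service-provider side of the "password" handling just
      described, as an added example that is not part of this draft:
      the clear text is prepared, salted and hashed on every set or
      replace, never included in a representation, and an equality
      filter is answered by repeating the same preparation and hash.
      The class and function names are constructed, and NFKC
      normalization is assumed as a stand-in for the string preparation
      referenced from Section 7.7 of [I-D.ietf-scim-api].

```python
"""Service-provider handling of the SCIM "password" attribute.
Added example, not from the draft: names are constructed, and NFKC
normalization stands in for the API draft's string preparation."""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 600_000  # assumption: tunable work factor


def prepare(password: str) -> bytes:
    """Prepare clear text for comparison across languages and scripts.
    Assumption: NFKC, so canonically equivalent inputs compare equal."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, salt: bytes = b"",
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record; the clear text is not retained."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", prepare(password), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(candidate: str, record: dict) -> bool:
    """Re-run preparation and hashing with the stored salt, then compare
    in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", prepare(candidate),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class UserStore:
    """In-memory store that keeps only the hash record per User id."""

    def __init__(self):
        self._users = {}      # id -> attributes other than password
        self._passwords = {}  # id -> hash record

    def create_or_replace(self, user: dict) -> dict:
        """Accept a User representation (e.g. POST/PUT); return what is kept."""
        user_id = user["id"]
        attributes = {k: v for k, v in user.items() if k != "password"}
        self._users[user_id] = attributes
        if "password" in user:  # writeOnly: hash on every set or replace
            self._passwords[user_id] = hash_password(user["password"])
        return attributes

    def representation(self, user_id: str) -> dict:
        """Response view: "returned" is "never", so no password in any form."""
        return dict(self._users[user_id])

    def filter_password_eq(self, user_id: str, filter_value: str) -> bool:
        """Answer a 'password eq "..."' filter against the stored hash."""
        record = self._passwords.get(user_id)
        return record is not None and verify_password(filter_value, record)
```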
      When testing for equality, the service provider:

      *  Prepares the filter value for international language
         comparison.  See Section 7.7 of [I-D.ietf-scim-api].

      *  Generates the salted hash of the filter value and tests for a
         match with the locally held value.

      The mutability of the password attribute is "writeOnly" indicating
      the value MUST NOT be returned by a service provider in any form
      (the attribute characteristic "returned" is "never").

4.1.2.  Multi-valued Attributes

   The following multi-valued attributes are defined.

   emails
      E-mail addresses for the User.  The value SHOULD be specified
      according to [RFC5321].  Service providers SHOULD canonicalize the
      value according to [RFC5321], e.g., "bjensen@example.com" instead
      of "bjensen@EXAMPLE.COM".  The "display" sub-attribute MAY be used
      to return the canonicalized representation of the e-mail value.
      The "type" sub-attribute is used to provide a classification
      meaningful to the (human) user.  The user interface should
      encourage the use of basic values of "work", "home", and "other",
      and MAY allow additional type values to be used at the discretion
      of SCIM clients.

   phoneNumbers
      Phone numbers for the user.  The value SHOULD be specified
      according to the format in [RFC3966], e.g., 'tel:+1-201-555-0123'.
      Service providers SHOULD canonicalize the value according to
      [RFC3966] format, when appropriate.  The "display" sub-attribute
      MAY be used to return the canonicalized representation of the
      phone number value.  The sub-attribute "type" often has typical
      values of "work", "home", "mobile", "fax", "pager", and "other",
      and MAY allow more types to be defined by the SCIM clients.

   ims
      Instant messaging address for the user.
      No official canonicalization rules exist for all instant messaging
      addresses, but service providers SHOULD, when appropriate, remove
      all whitespace and convert the address to lowercase.  The "type"
      sub-attribute SHOULD take one of the following values: "aim",
      "gtalk", "icq", "xmpp", "msn", "skype", "qq", "yahoo", and
      "other", representing currently popular IM services at the time of
      writing.  Service providers MAY add further values if new IM
      services are introduced and MAY specify more detailed
      canonicalization rules for each possible value.

   photos
      A URI that is a uniform resource locator (as defined in
      Section 1.1.3 [RFC3986]) that points to a resource location
      representing the user's image.  The resource MUST be a file (e.g.,
      a GIF, JPEG, or PNG image file) rather than a web page containing
      an image.  Service providers MAY return the same image at
      different sizes, though it is recognized that no standard for
      describing images of various sizes currently exists.  Note that
      this attribute SHOULD NOT be used to send down arbitrary photos
      taken by this user, but specifically profile photos of the user
      suitable for display when describing the user.  Instead of the
      standard canonical values for type, this attribute defines the
      following canonical values to represent popular photo sizes:
      "photo", "thumbnail".

   addresses
      A physical mailing address for this user.  Canonical type values
      of "work", "home", and "other".  The value attribute is a complex
      type with the following sub-attributes.  All sub-attributes are
      OPTIONAL.

      formatted  The full mailing address, formatted for display or use
         with a mailing label.  This attribute MAY contain newlines.

      streetAddress  The full street address component, which may
         include house number, street name, P.O. box, and multi-line
         extended street address information.  This attribute MAY
         contain newlines.
      locality  The city or locality component.

      region  The state or region component.

      postalCode  The zipcode or postal code component.

      country  The country name component.  When specified the value
         MUST be in ISO 3166-1 alpha 2 "short" code format [ISO3166];
         e.g., the United States and Sweden are "US" and "SE",
         respectively.

   groups
      A list of groups that the user belongs to, either through direct
      membership, nested groups, or dynamically calculated.  The values
      are meant to enable expression of common group or role based
      access control models, although no explicit authorization model is
      defined.  It is intended that the semantics of group membership
      and any behavior or authorization granted as a result of
      membership are defined by the service provider.  The canonical
      types "direct" and "indirect" are defined to describe how the
      group membership was derived.  Direct group membership indicates
      the user is directly associated with the group and SHOULD indicate
      that clients may modify membership through the "Group" resource.
      Indirect membership indicates user membership is transitive or
      dynamic and implies that clients cannot modify indirect group
      membership through the "Group" resource but MAY modify direct
      group membership through the "Group" resource which MAY influence
      indirect memberships.  If the SCIM service provider exposes a
      Group resource, the "value" sub-attribute MUST be the "id" and the
      "$ref" sub-attribute must be the URI of the corresponding "Group"
      resources to which the user belongs.  Since this attribute has a
      mutability of "readOnly", group membership changes MUST be applied
      via the Group Resource (Section 4.2).

   entitlements
      A list of entitlements for the user that represent a thing the
      user has.
      An entitlement MAY be an additional right to a thing, object, or
      service.  No vocabulary or syntax is specified and service
      providers and clients are expected to encode sufficient
      information in the value so as to accurately and without ambiguity
      determine what the user has access to.  This value has no
      canonical types though type may be useful as a means to scope
      entitlements.

   roles
      A list of roles for the user that collectively represent who the
      user is; e.g., "Student, Faculty".  No vocabulary or syntax is
      specified though it is expected that a role value is a String or
      label representing a collection of entitlements.  This value has
      no canonical types.

   x509Certificates
      A list of certificates associated with the resource (e.g., a
      User).  Each certificate is a DER encoded X.509 (see Section 4
      [RFC5280]), which MUST be base 64 encoded per Section 4 [RFC4648].

4.2.  Group Resource Schema

   SCIM provides a schema for representing groups, identified using the
   following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group".

   Group resources are meant to enable expression of common group or
   role based access control models, although no explicit authorization
   model is defined.  It is intended that the semantics of group
   membership and any behavior or authorization granted as a result of
   membership are defined by the service provider, and are considered
   out of scope for this specification.

   The following singular attribute is defined in addition to the common
   attributes defined in SCIM core schema:

   displayName
      A human readable name for the Group.  REQUIRED.

   The following multi-valued attribute is defined in addition to the
   common attributes defined in SCIM Core Schema:

   members
      A list of members of the Group.  While values MAY be added or
      removed, sub-attributes of members are "immutable".
      The "value" sub-attribute must be the "id" and the "$ref"
      sub-attribute must be the URI of a SCIM resource, either a "User",
      or a "Group".  The intention of the "Group" type is to allow the
      service provider to support nested groups.  Service providers MAY
      require clients to provide a non-empty members value based on the
      "required" sub-attribute of the "members" attribute in the "Group"
      resource schema.

4.3.  Enterprise User Schema Extension

   The following SCIM extension defines attributes commonly used in
   representing users that belong to, or act on behalf of a business or
   enterprise.  The enterprise user extension is identified using the
   following schema URI:
   "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User".

   The following Singular Attributes are defined:

   employeeNumber
      A string identifier, typically numeric or alpha-numeric, assigned
      to a person, typically based on order of hire or association with
      an organization.

   costCenter
      Identifies the name of a cost center.

   organization
      Identifies the name of an organization.

   division
      Identifies the name of a division.

   department
      Identifies the name of a department.

   manager
      The user's manager.  A complex type that optionally allows service
      providers to represent organizational hierarchy by referencing the
      "id" attribute of another User.

      value  The "id" of the SCIM resource representing the user's
         manager.  RECOMMENDED.

      $ref  The URI of the SCIM resource representing the User's
         manager.  RECOMMENDED.

      displayName  The displayName of the user's manager.  This
         attribute is OPTIONAL and mutability is "readOnly".

5.  Service Provider Configuration Schema

   SCIM provides a schema for representing the service provider's
   configuration identified using the following schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"

   The service provider configuration resource enables a service
   provider to discover SCIM specification features in a standardized
   form as well as provide additional implementation details to clients.
   All attributes have a mutability of "readOnly".  Unlike other core
   resources, the "id" attribute is not required for the service
   provider configuration resource.

   The following Singular Attributes are defined in addition to the
   common attributes defined in Core Schema:

   documentationUrl
      An HTTP addressable URL pointing to the service provider's human
      consumable help documentation.

   patch
      A complex type that specifies PATCH configuration options.
      REQUIRED.  See Section 3.5.2 [I-D.ietf-scim-api].

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

   bulk
      A complex type that specifies Bulk configuration options.  See
      Section 3.7 [I-D.ietf-scim-api].  REQUIRED.

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

      maxOperations  An integer value specifying the maximum number of
         operations.  REQUIRED.

      maxPayloadSize  An integer value specifying the maximum payload
         size in bytes.  REQUIRED.

   filter
      A complex type that specifies FILTER options.  REQUIRED.  See
      Section 3.4.2.2 [I-D.ietf-scim-api].

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

      maxResults  Integer value specifying the maximum number of
         resources returned in a response.  REQUIRED.

   changePassword
      A complex type that specifies Change Password configuration
      options.  REQUIRED.
      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

   sort
      A complex type that specifies Sort configuration options.
      REQUIRED.

      supported  Boolean value specifying whether sorting is supported.
         REQUIRED.

   etag
      A complex type that specifies Etag configuration options.
      REQUIRED.

      supported  Boolean value specifying whether the operation is
         supported.  REQUIRED.

   The following multi-valued attribute is defined in addition to the
   common attributes defined in core schema:

   authenticationSchemes
      A complex type that specifies supported Authentication Scheme
      properties.  This attribute defines the following canonical values
      to represent common schemes: "oauth", "oauth2",
      "oauthbearertoken", "httpbasic", and "httpdigest".  To enable
      seamless discovery of configuration, the service provider SHOULD,
      with the appropriate security considerations, make the
      authenticationSchemes attribute publicly accessible without prior
      authentication.  REQUIRED.

      name  The common authentication scheme name; e.g., HTTP Basic.
         REQUIRED.

      description  A description of the Authentication Scheme.
         REQUIRED.

      specUrl  An HTTP addressable URL pointing to the Authentication
         Scheme's specification.  OPTIONAL.

      documentationUrl  An HTTP addressable URL pointing to the
         Authentication Scheme's usage documentation.  OPTIONAL.

6.  ResourceType Schema

   The "ResourceType" schema specifies the meta-data about a resource
   type.  Resource type resources are READ-ONLY and identified using the
   following schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:ResourceType".  Unlike other
   core resources, all attributes are REQUIRED unless otherwise
   specified.  The "id" attribute is not required for the resource type
   resource.

   The following Singular Attributes are defined:

   id
      The resource type's server unique id.
      Often this is the same value as the "name" attribute.  OPTIONAL.

   name
      The resource type name.  When applicable service providers MUST
      specify the name specified in the core schema specification; e.g.,
      "User" or "Group".  This name is referenced by the
      "meta.resourceType" attribute in all resources.

   description
      The resource type's human readable description.  When applicable
      service providers MUST specify the description specified in the
      core schema specification.

   endpoint
      The resource type's HTTP addressable endpoint relative to the Base
      URL of the service provider; e.g., "Users".

   schema
      The resource type's primary/base schema URI; e.g.,
      "urn:ietf:params:scim:schemas:core:2.0:User".  This MUST be equal
      to the "id" attribute of the associated "Schema" resource.

   schemaExtensions
      A list of URIs of the resource type's schema extensions.
      OPTIONAL.

      schema  The URI of an extended schema; e.g., "urn:edu:2.0:Staff".
         This MUST be equal to the "id" attribute of a "Schema"
         resource.  REQUIRED.

      required  A Boolean value that specifies whether the schema
         extension is required for the resource type.  If true, a
         resource of this type MUST include this schema extension and
         include any attributes declared as required in this schema
         extension.  If false, a resource of this type MAY omit this
         schema extension.  REQUIRED.

7.  Schema Definition

   This section defines a way to specify the schema in use by resources
   available and accepted by a SCIM service provider.  For each
   "schemas" URI value, this schema specifies the defined attribute(s)
   and their characteristics (mutability, returnability, etc).  For
   every schema URI used in a resource object, there is a corresponding
   "Schema" resource.  "Schema" resources have mutability of "readOnly"
   and are identified using the following schema URI:

      urn:ietf:params:scim:schemas:core:2.0:Schema

   Unlike other core resources the "Schema" resource MAY contain a
   complex object within a sub-attribute and all attributes are REQUIRED
   unless otherwise specified.

   The following Singular Attributes are defined:

   id
      The unique URI of the schema.  When applicable service providers
      MUST specify the URI specified in the core schema specification;
      e.g., "urn:ietf:params:scim:schemas:core:2.0:User".  Unlike most
      other schemas, which use some sort of a GUID for the "id", the
      schema "id" is a URI so that it can be registered and is portable
      between different service providers and clients.

   name
      The schema's human readable name.  When applicable service
      providers MUST specify the name specified in the core schema
      specification; e.g., "User" or "Group".  OPTIONAL.

   description
      The schema's human readable description.  When applicable service
      providers MUST specify the description specified in the core
      schema specification.  OPTIONAL.

   The following multi-valued attribute is defined:

   attributes
      A complex type with the following set of sub-attributes that
      defines service provider attributes and their qualities:

      name  The attribute's name.

      type  The attribute's data type.  Valid values are: "string",
         "boolean", "decimal", "integer", "dateTime", "reference", and
         "complex".  When an attribute is of type "complex", there
         SHOULD be a corresponding schema attribute "subAttributes"
         defined listing the sub-attributes of the attribute.

      subAttributes  When an attribute is of type "complex",
         "subAttributes" defines the set of sub-attributes.
         "subAttributes" has the same schema sub-attributes as
         "attributes".

      multiValued  Boolean value indicating the attribute's plurality.
      description  The attribute's human readable description.  When
         applicable service providers MUST specify the description
         specified in the core schema specification.

      required  A Boolean value that specifies if the attribute is
         required.

      canonicalValues  A collection of suggested canonical values that
         MAY be used.  Example: "work" and "home".  In some cases service
         providers MAY choose to ignore unsupported values.  The use of
         canonicalValues is OPTIONAL.

      caseExact  A Boolean value that specifies if the String attribute
         is case sensitive.  The server SHALL use case sensitivity when
         evaluating filters.  For attributes that are case exact, the
         server SHALL preserve case for any value submitted.  If the
         attribute is case insensitive, the server MAY alter case for a
         submitted value.  Case sensitivity also impacts how attribute
         values MAY be compared against filter values (see section
         3.4.2.2 [I-D.ietf-scim-api]).

      mutability  A single keyword indicating the circumstances under
         which the value of the attribute can be (re)defined:

         readOnly  The attribute SHALL NOT be modified.

         readWrite  The attribute MAY be updated and read at any time.
            DEFAULT.

         immutable  The attribute MAY be defined at resource creation
            (e.g., POST) or at record replacement via request (e.g., a
            PUT).  The attribute SHALL NOT be updated.

         writeOnly  The attribute MAY be updated at any time.  Attribute
            values SHALL NOT be returned (e.g., because the value is a
            stored hash).  Note: an attribute with mutability of
            "writeOnly" usually also has a returned setting of "never".

      returned  A single keyword that indicates when an attribute and
         associated values are returned in response to a GET request or
         in response to a PUT, POST, or PATCH request.  Valid keywords
         are:

         always  The attribute is always returned regardless of the
            contents of the "attributes" parameter.
For example, "id" 1373 is always returned to identify a SCIM resource. 1375 never The attribute is never returned. This may occur because 1376 the original attribute value is not retained by the service 1377 provider (e.g., such as with a hashed value). A service 1378 provider MAY allow attributes to be used in a search filter. 1380 default The attribute is returned by default in all SCIM 1381 operation responses where attribute values are returned. If 1382 the GET request "attributes" parameter is specified, 1383 attribute values are only returned if the attribute is named 1384 in the attributes parameter. DEFAULT. 1386 request The attribute is returned in response to any PUT, 1387 POST, or PATCH operations if the attribute was specified by 1388 the client (for example, the attribute was modified). The 1389 attribute is returned in a SCIM query operation only if 1390 specified in the "attributes" parameter. 1392 uniqueness A single keyword value that specifies how the service 1393 provider enforces uniqueness of attribute values. A server MAY 1394 reject an invalid value based on uniqueness by returning HTTP 1395 Response code 400 (Bad Request). A client MAY enforce 1396 uniqueness on the client-side to a greater degree than the 1397 service provider enforces. For example, a client could make a 1398 value unique while the server has uniqueness of "none". Valid 1399 keywords are: 1401 none The values are not intended to be unique in any way. 1402 DEFAULT. 1404 server The value SHOULD be unique within the context of the 1405 current SCIM endpoint (or tenancy) and MAY be globally 1406 unique (e.g., a "username", email address, or other server 1407 generated key or counter). No two resources on the same 1408 server SHOULD possess the same value. 1410 global The value SHOULD be globally unique (e.g., an email 1411 address, a GUID, or other value). No two resources on any 1412 server SHOULD possess the same value. 
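   As an added example (not part of this draft), the following Python
   applies the "returned", "mutability" and "caseExact" characteristics
   defined above to a stored User before it is handed to a client, which
   is where a service provider prevents a "writeOnly"/"never" attribute
   such as "password" from leaking. The schema fragment is a constructed
   subset written in the style of the schema representation in Section
   8.7.1, and the User values are taken from the examples in Section 8.
   The characteristics given for the common attributes "schemas", "id"
   and "meta", the decision to drop attributes the schema does not
   define, and the decision to report (rather than silently ignore) a
   change to a readOnly attribute are all assumptions of this example.

```python
"""Apply SCIM attribute characteristics to a resource (added example)."""

# Constructed subset of the User schema, Section 8.7.1 style. Only the
# characteristics this example consults are listed.
USER_SCHEMA = {
    "id": "urn:ietf:params:scim:schemas:core:2.0:User",
    "attributes": [
        {"name": "userName", "type": "string", "caseExact": False,
         "mutability": "readWrite", "returned": "default",
         "uniqueness": "server"},
        {"name": "displayName", "type": "string", "caseExact": False,
         "mutability": "readWrite", "returned": "default"},
        {"name": "password", "type": "string",
         "mutability": "writeOnly", "returned": "never"},
        {"name": "groups", "type": "complex", "multiValued": True,
         "mutability": "readOnly", "returned": "default"},
    ],
}

# Common attributes are not listed in the User schema's attribute array.
# Their characteristics here are assumptions made for this example
# ("id" is always returned, as the text above states).
COMMON_ATTRIBUTES = {
    "schemas": {"mutability": "readWrite", "returned": "always"},
    "id": {"mutability": "readOnly", "returned": "always"},
    "meta": {"mutability": "readOnly", "returned": "default"},
}


def characteristics(schema):
    """Map attribute name -> characteristics, common attributes included."""
    chars = dict(COMMON_ATTRIBUTES)
    chars.update({a["name"]: a for a in schema["attributes"]})
    return chars


def filter_for_response(resource, schema, requested=None, written=None):
    """Return the view of `resource` that a client may receive.

    requested: names from the "attributes" query parameter, or None.
    written:   names the client supplied in a PUT/POST/PATCH body, or
               None when building a GET/query response.
    Attributes the schema does not define are dropped, not leaked.
    """
    chars = characteristics(schema)
    out = {}
    for name, value in resource.items():
        char = chars.get(name)
        if char is None:
            continue
        returned = char.get("returned", "default")
        if returned == "always":
            out[name] = value
        elif returned == "never":
            continue  # e.g. "password": never echoed back
        elif returned == "default":
            if requested is None or name in requested:
                out[name] = value
        elif returned == "request":
            if written is not None:
                if name in written:
                    out[name] = value
            elif requested is not None and name in requested:
                out[name] = value
    return out


def replacement_violations(current, proposed, schema):
    """Names in a PUT body that would change a readOnly attribute or an
    immutable attribute that is already set; unknown names are listed too."""
    chars = characteristics(schema)
    bad = []
    for name, new in proposed.items():
        char = chars.get(name)
        if char is None:
            bad.append(name)
            continue
        mutability = char.get("mutability", "readWrite")
        old = current.get(name)
        if mutability == "readOnly" and new != old:
            bad.append(name)
        elif mutability == "immutable" and old is not None and new != old:
            bad.append(name)
    return bad


def filter_values_match(char, stored, wanted):
    """Equality as an "eq" filter would evaluate it, honouring caseExact."""
    if char.get("caseExact", False):
        return stored == wanted
    return stored.casefold() == wanted.casefold()


# The resource as stored, with values from Figure 4; the stored password
# is exactly what the "returned": "never" rule has to hide.
STORED_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen@example.com",
    "displayName": "Babs Jensen",
    "password": "t1meMa$heen",
    "groups": [{"value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
                "display": "Tour Guides"}],
    "meta": {"resourceType": "User", "version": "W/\"a330bc54f0671c9\""},
}

if __name__ == "__main__":
    print(filter_for_response(STORED_USER, USER_SCHEMA))
    print(filter_for_response(STORED_USER, USER_SCHEMA, requested={"userName"}))
    print(replacement_violations(STORED_USER, {"groups": []}, USER_SCHEMA))
```

   The filter is applied to the stored representation, not to what the
   client sent, so a "never" attribute is withheld even when the client
   just supplied it; the "attributes" parameter only narrows the
   "default" and "request" attributes and can never widen what "never"
   hides.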
   referenceTypes  A multi-valued array of JSON strings that indicate
      the SCIM resource types that may be referenced. Valid values
      are:

      +  A SCIM resource type (e.g., "User" or "Group"),

      +  "external" - indicating the resource is an external resource
         (e.g., such as a photo), or

      +  "uri" - indicating that the reference is to a service
         endpoint or an identifier (e.g., such as a schema urn).

      This attribute is only applicable for attributes that are of
      type "reference" (Section 2.3.7).

8.  JSON Representation

8.1.  Minimal User Representation

   The following is a non-normative example of the minimal required SCIM
   representation in JSON format.

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "userName": "bjensen@example.com",
     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff590\"",
       "location":
         "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
     }
   }

            Figure 3: Example Minimal User JSON Representation

8.2.  Full User Representation

   The following is a non-normative example of the fully populated SCIM
   representation in JSON format.

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "externalId": "701984",
     "userName": "bjensen@example.com",
     "name": {
       "formatted": "Ms. Barbara J Jensen III",
       "familyName": "Jensen",
       "givenName": "Barbara",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     "displayName": "Babs Jensen",
     "nickName": "Babs",
     "profileUrl": "https://login.example.com/bjensen",
     "emails": [
       {
         "value": "bjensen@example.com",
         "type": "work",
         "primary": true
       },
       {
         "value": "babs@jensen.org",
         "type": "home"
       }
     ],
     "addresses": [
       {
         "type": "work",
         "streetAddress": "100 Universal City Plaza",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
         "primary": true
       },
       {
         "type": "home",
         "streetAddress": "456 Hollywood Blvd",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA"
       }
     ],
     "phoneNumbers": [
       {
         "value": "555-555-5555",
         "type": "work"
       },
       {
         "value": "555-555-4444",
         "type": "mobile"
       }
     ],
     "ims": [
       {
         "value": "someaimhandle",
         "type": "aim"
       }
     ],
     "photos": [
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/F",
         "type": "photo"
       },
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/T",
         "type": "thumbnail"
       }
     ],
     "userType": "Employee",
     "title": "Tour Guide",
     "preferredLanguage": "en-US",
     "locale": "en-US",
     "timezone": "America/Los_Angeles",
     "active": true,
     "password": "t1meMa$heen",
     "groups": [
       {
         "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
         "$ref":
           "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
         "display": "Tour Guides"
       },
       {
         "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "$ref":
           "https://example.com/v2/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "display": "Employees"
       },
       {
         "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
         "$ref":
           "https://example.com/v2/Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
         "display": "US Employees"
       }
     ],
     "x509Certificates": [
       {
         "value":
           "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
            EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
            VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
            MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
            eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
            IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
            AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
            1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
            PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
            zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
            DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
            SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
            HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
            Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
            dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
            Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
            C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
            +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo="
       }
     ],
     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location":
         "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
     }
   }

             Figure 4: Example Full User JSON Representation

8.3.  Enterprise User Extension Representation

   The following is a non-normative example of the fully populated User
   using the enterprise User extension in JSON format.

   {
     "schemas":
       [ "urn:ietf:params:scim:schemas:core:2.0:User",
         "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
     "id": "2819c223-7f76-453a-919d-413861904646",
     "externalId": "701984",
     "userName": "bjensen@example.com",
     "name": {
       "formatted": "Ms. Barbara J Jensen III",
       "familyName": "Jensen",
       "givenName": "Barbara",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
     "displayName": "Babs Jensen",
     "nickName": "Babs",
     "profileUrl": "https://login.example.com/bjensen",
     "emails": [
       {
         "value": "bjensen@example.com",
         "type": "work",
         "primary": true
       },
       {
         "value": "babs@jensen.org",
         "type": "home"
       }
     ],
     "addresses": [
       {
         "streetAddress": "100 Universal City Plaza",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
         "type": "work",
         "primary": true
       },
       {
         "streetAddress": "456 Hollywood Blvd",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "USA",
         "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA",
         "type": "home"
       }
     ],
     "phoneNumbers": [
       {
         "value": "555-555-5555",
         "type": "work"
       },
       {
         "value": "555-555-4444",
         "type": "mobile"
       }
     ],
     "ims": [
       {
         "value": "someaimhandle",
         "type": "aim"
       }
     ],
     "photos": [
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/F",
         "type": "photo"
       },
       {
         "value":
           "https://photos.example.com/profilephoto/72930000000Ccne/T",
         "type": "thumbnail"
       }
     ],
     "userType": "Employee",
     "title": "Tour Guide",
     "preferredLanguage": "en-US",
     "locale": "en-US",
     "timezone": "America/Los_Angeles",
     "active": true,
     "password": "t1meMa$heen",
     "groups": [
       {
         "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
         "$ref": "../Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
         "display": "Tour Guides"
       },
       {
         "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "$ref": "../Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
         "display": "Employees"
       },
       {
         "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
         "$ref": "../Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
         "display": "US Employees"
       }
     ],
     "x509Certificates": [
       {
         "value":
           "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
            EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
            VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
            MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
            eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
            IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
            AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
            1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
            PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
            zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
            DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
            SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
            HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
            Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
            dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
            Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
            C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
            +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo="
       }
     ],
     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
       "employeeNumber": "701984",
       "costCenter": "4130",
       "organization": "Universal Studios",
       "division": "Theme Park",
       "department": "Tour Operations",
       "manager": {
         "value": "26118915-6090-4610-87e4-49d8ca9f808d",
         "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d",
         "displayName": "John Smith"
       }
     },
     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff591\"",
       "location":
         "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
     }
   }

           Figure 5: Example Enterprise User JSON Representation

8.4.  Group Representation

   The following is a non-normative example of SCIM Group representation
   in JSON format.

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
     "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
     "displayName": "Tour Guides",
     "members": [
       {
         "value": "2819c223-7f76-453a-919d-413861904646",
         "$ref":
           "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
         "display": "Babs Jensen"
       },
       {
         "value": "902c246b-6245-4190-8e05-00816be7344a",
         "$ref":
           "https://example.com/v2/Users/902c246b-6245-4190-8e05-00816be7344a",
         "display": "Mandy Pepperidge"
       }
     ],
     "meta": {
       "resourceType": "Group",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff592\"",
       "location":
         "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a"
     }
   }

               Figure 6: Example Group JSON Representation

8.5.  Service Provider Configuration Representation

   The following is a non-normative example of the SCIM service provider
   configuration representation in JSON format.
   {
     "schemas": [
       "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
     ],
     "documentationUrl": "http://example.com/help/scim.html",
     "patch": {
       "supported": true
     },
     "bulk": {
       "supported": true,
       "maxOperations": 1000,
       "maxPayloadSize": 1048576
     },
     "filter": {
       "supported": true,
       "maxResults": 200
     },
     "changePassword": {
       "supported": true
     },
     "sort": {
       "supported": true
     },
     "etag": {
       "supported": true
     },
     "authenticationSchemes": [
       {
         "name": "OAuth Bearer Token",
         "description":
           "Authentication Scheme using the OAuth Bearer Token Standard",
         "specUrl":
           "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
         "documentationUrl": "http://example.com/help/oauth.html",
         "type": "oauthbearertoken",
         "primary": true
       },
       {
         "name": "HTTP Basic",
         "description":
           "Authentication Scheme using the Http Basic Standard",
         "specUrl": "http://www.ietf.org/rfc/rfc2617.txt",
         "documentationUrl": "http://example.com/help/httpBasic.html",
         "type": "httpbasic"
       }
     ],
     "meta": {
       "location": "https://example.com/v2/ServiceProviderConfig",
       "resourceType": "ServiceProviderConfig",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff594\""
     }
   }

        Figure 7: Example Service Provider Config JSON Representation

8.6.  Resource Type Representation

   The following is a non-normative example of the SCIM resource types
   in JSON format.

   [{
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
     "id": "User",
     "name": "User",
     "endpoint": "/Users",
     "description": "User Account",
     "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
     "schemaExtensions": [
       {
         "schema":
           "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
         "required": true
       }
     ],
     "meta": {
       "location": "https://example.com/v2/ResourceTypes/User",
       "resourceType": "ResourceType"
     }
   },
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
     "id": "Group",
     "name": "Group",
     "endpoint": "/Groups",
     "description": "Group",
     "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
     "meta": {
       "location": "https://example.com/v2/ResourceTypes/Group",
       "resourceType": "ResourceType"
     }
   }]

            Figure 8: Example Resource Type JSON Representation

8.7.  Schema Representation

   The following sections provide representations of schemas for both
   SCIM resources and service provider schemas. Note that the JSON
   representation has been modified for readability and to fit the
   specification format.

8.7.1.  Resource Schema Representation

   The following is intended as an example of the SCIM Schema
   representation in JSON format for SCIM resources. Where permitted,
   individual values and schema MAY change. The schemas shown include,
   but are not limited to, those for User, Group, and enterprise User.

   [
     {
       "id" : "urn:ietf:params:scim:schemas:core:2.0:User",
       "name" : "User",
       "description" : "User Account",
       "attributes" : [
         {
           "name" : "userName",
           "type" : "string",
           "multiValued" : false,
           "description" : "Unique identifier for the User typically used
   by the user to directly authenticate to the service provider. Each User
   MUST include a non-empty userName value.
   This identifier MUST be unique across the Service Consumer's entire
   set of Users. REQUIRED",
           "required" : true,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "server"
         },
         {
           "name" : "name",
           "type" : "complex",
           "multiValued" : false,
           "description" : "The components of the user's real name.
   Providers MAY return just the full name as a single string in the
   formatted sub-attribute, or they MAY return just the individual
   component attributes using the other sub-attributes, or they MAY return
   both. If both variants are returned, they SHOULD be describing the same
   name, with the formatted name indicating how the component attributes
   should be combined.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "formatted",
               "type" : "string",
               "multiValued" : false,
               "description" : "The full name, including all middle names,
   titles, and suffixes as appropriate, formatted for display (e.g., Ms.
   Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "familyName",
               "type" : "string",
               "multiValued" : false,
               "description" : "The family name of the User, or Last Name
   in most Western languages (e.g., Jensen given the full name Ms. Barbara J
   Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "givenName",
               "type" : "string",
               "multiValued" : false,
               "description" : "The given name of the User, or First Name
   in most Western languages (e.g., Barbara given the full name Ms. Barbara
   J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "middleName",
               "type" : "string",
               "multiValued" : false,
               "description" : "The middle name(s) of the User (e.g., Robert
   given the full name Ms. Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "honorificPrefix",
               "type" : "string",
               "multiValued" : false,
               "description" : "The honorific prefix(es) of the User, or
   Title in most Western languages (e.g., Ms. given the full name Ms.
   Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "honorificSuffix",
               "type" : "string",
               "multiValued" : false,
               "description" : "The honorific suffix(es) of the User, or
   Suffix in most Western languages (e.g., III. given the full name Ms.
   Barbara J Jensen, III.).",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "displayName",
           "type" : "string",
           "multiValued" : false,
           "description" : "The name of the User, suitable for display to
   end-users. The name SHOULD be the full name of the User being described,
   if known.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "nickName",
           "type" : "string",
           "multiValued" : false,
           "description" : "The casual way to address the user in real
   life, e.g., 'Bob' or 'Bobby' instead of 'Robert'. This attribute
   SHOULD NOT be used to represent a User's username (e.g., bjensen or
   mpepperidge).",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "profileUrl",
           "type" : "reference",
           "referenceTypes" : ["external"],
           "multiValued" : false,
           "description" : "A fully qualified URL to a page representing
   the User's online profile.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "title",
           "type" : "string",
           "multiValued" : false,
           "description" : "The user's title, such as \"Vice President.\"",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "userType",
           "type" : "string",
           "multiValued" : false,
           "description" : "Used to identify the organization to user
   relationship. Typical values used might be 'Contractor', 'Employee',
   'Intern', 'Temp', 'External', and 'Unknown' but any value may be
   used.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "preferredLanguage",
           "type" : "string",
           "multiValued" : false,
           "description" : "Indicates the User's preferred written or
   spoken language.
   Generally used for selecting a localized User interface, e.g., 'en_US'
   specifies the language English and country US.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "locale",
           "type" : "string",
           "multiValued" : false,
           "description" : "Used to indicate the User's default location
   for purposes of localizing items such as currency, date time format,
   numerical representations, etc.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "timezone",
           "type" : "string",
           "multiValued" : false,
           "description" : "The User's time zone in the 'Olson' timezone
   database format; e.g., 'America/Los_Angeles'.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "active",
           "type" : "boolean",
           "multiValued" : false,
           "description" : "A Boolean value indicating the User's
   administrative status.",
           "required" : false,
           "mutability" : "readWrite",
           "returned" : "default"
         },
         {
           "name" : "password",
           "type" : "string",
           "multiValued" : false,
           "description" : "The User's clear text password. This attribute
   is intended to be used as a means to specify an initial password when
   creating a new User or to reset an existing User's password.",
           "required" : false,
           "caseExact" : false,
           "mutability" : "writeOnly",
           "returned" : "never",
           "uniqueness" : "none"
         },
         {
           "name" : "emails",
           "type" : "complex",
           "multiValued" : true,
           "description" : "E-mail addresses for the user. The value SHOULD
   be canonicalized by the Service Provider, e.g., bjensen@example.com
   instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and
   other.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "E-mail addresses for the user. The value
   SHOULD be canonicalized by the Service Provider, e.g.,
   bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type
   values of work, home, and other.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used for
   display purposes. READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'work' or 'home'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "work",
                 "home",
                 "other"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute, e.g., the preferred mailing
   address or primary e-mail address. The primary attribute value 'true'
   MUST appear no more than once.",
               "required" : false,
               "mutability" : "readWrite",
               "returned" : "default"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "phoneNumbers",
           "type" : "complex",
           "multiValued" : true,
           "description" : "Phone numbers for the User. The value SHOULD
   be canonicalized by the Service Provider according to the format in
   RFC3966, e.g., 'tel:+1-201-555-0123'. Canonical Type values of work,
   home, mobile, fax, pager and other.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "Phone number of the User",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used for
   display purposes. READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'work', 'home' or 'mobile'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "work",
                 "home",
                 "mobile",
                 "fax",
                 "pager",
                 "other"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute, e.g., the preferred phone
   number or primary phone number.
   The primary attribute value 'true' MUST appear no more than once.",
               "required" : false,
               "mutability" : "readWrite",
               "returned" : "default"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default"
         },
         {
           "name" : "ims",
           "type" : "complex",
           "multiValued" : true,
           "description" : "Instant messaging addresses for the User.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "string",
               "multiValued" : false,
               "description" : "Instant messaging address for the User.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used for
   display purposes. READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'aim', 'gtalk', 'mobile' etc.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "aim",
                 "gtalk",
                 "icq",
                 "xmpp",
                 "msn",
                 "skype",
                 "qq",
                 "yahoo"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute, e.g., the preferred
   messenger or primary messenger. The primary attribute value 'true' MUST
   appear no more than once.",
               "required" : false,
               "mutability" : "readWrite",
               "returned" : "default"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default"
         },
         {
           "name" : "photos",
           "type" : "complex",
           "multiValued" : true,
           "description" : "URLs of photos of the User.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "value",
               "type" : "reference",
               "referenceTypes" : ["external"],
               "multiValued" : false,
               "description" : "URL of a photo of the User.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "display",
               "type" : "string",
               "multiValued" : false,
               "description" : "A human readable name, primarily used for
   display purposes. READ-ONLY.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "type",
               "type" : "string",
               "multiValued" : false,
               "description" : "A label indicating the attribute's
   function; e.g., 'photo' or 'thumbnail'.",
               "required" : false,
               "caseExact" : false,
               "canonicalValues" : [
                 "photo",
                 "thumbnail"
               ],
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "primary",
               "type" : "boolean",
               "multiValued" : false,
               "description" : "A Boolean value indicating the 'primary' or
   preferred attribute value for this attribute, e.g., the preferred photo
   or thumbnail. The primary attribute value 'true' MUST appear no more
   than once.",
               "required" : false,
               "mutability" : "readWrite",
               "returned" : "default"
             }
           ],
           "mutability" : "readWrite",
           "returned" : "default"
         },
         {
           "name" : "addresses",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A physical mailing address for this User, as
   described in (address Element). Canonical Type Values of work, home, and
   other. The value attribute is a complex type with the following
   sub-attributes.",
           "required" : false,
           "subAttributes" : [
             {
               "name" : "formatted",
               "type" : "string",
               "multiValued" : false,
               "description" : "The full mailing address, formatted for
   display or use with a mailing label. This attribute MAY contain
   newlines.",
               "required" : false,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "streetAddress",
               "type" : "string",
               "multiValued" : false,
               "description" : "The full street address component, which
   may include house number, street name, PO BOX, and multi-line extended
   street address information.
This attribute MAY contain newlines.", 2449 "required" : false, 2450 "caseExact" : false, 2451 "mutability" : "readWrite", 2452 "returned" : "default", 2453 "uniqueness" : "none" 2454 }, 2455 { 2456 "name" : "locality", 2457 "type" : "string", 2458 "multiValued" : false, 2459 "description" : "The city or locality component.", 2460 "required" : false, 2461 "caseExact" : false, 2462 "mutability" : "readWrite", 2463 "returned" : "default", 2464 "uniqueness" : "none" 2465 }, 2466 { 2467 "name" : "region", 2468 "type" : "string", 2469 "multiValued" : false, 2470 "description" : "The state or region component.", 2471 "required" : false, 2472 "caseExact" : false, 2473 "mutability" : "readWrite", 2474 "returned" : "default", 2475 "uniqueness" : "none" 2477 }, 2478 { 2479 "name" : "postalCode", 2480 "type" : "string", 2481 "multiValued" : false, 2482 "description" : "The zipcode or postal code component.", 2483 "required" : false, 2484 "caseExact" : false, 2485 "mutability" : "readWrite", 2486 "returned" : "default", 2487 "uniqueness" : "none" 2488 }, 2489 { 2490 "name" : "country", 2491 "type" : "string", 2492 "multiValued" : false, 2493 "description" : "The country name component.", 2494 "required" : false, 2495 "caseExact" : false, 2496 "mutability" : "readWrite", 2497 "returned" : "default", 2498 "uniqueness" : "none" 2499 }, 2500 { 2501 "name" : "type", 2502 "type" : "string", 2503 "multiValued" : false, 2504 "description" : "A label indicating the attribute's 2505 function; e.g., 'work' or 'home'.", 2506 "required" : false, 2507 "caseExact" : false, 2508 "canonicalValues" : [ 2509 "work", 2510 "home", 2511 "other" 2512 ], 2513 "mutability" : "readWrite", 2514 "returned" : "default", 2515 "uniqueness" : "none" 2516 } 2517 ], 2518 "mutability" : "readWrite", 2519 "returned" : "default", 2520 "uniqueness" : "none" 2521 }, 2522 { 2523 "name" : "groups", 2524 "type" : "complex", 2525 "multiValued" : true, 2526 "description" : "A list of groups that the user belongs to, 
2527 either thorough direct membership, nested groups, or dynamically 2528 calculated", 2529 "required" : false, 2530 "subAttributes" : [ 2531 { 2532 "name" : "value", 2533 "type" : "string", 2534 "multiValued" : false, 2535 "description" : "The identifier of the User's group.", 2536 "required" : false, 2537 "caseExact" : false, 2538 "mutability" : "readOnly", 2539 "returned" : "default", 2540 "uniqueness" : "none" 2541 }, 2542 { 2543 "name" : "$ref", 2544 "type" : "reference", 2545 "referenceTypes" : [ 2546 "User", 2547 "Group" 2548 ], 2549 "multiValued" : false, 2550 "description" : "The URI of the corresponding Group 2551 resource to which the user belongs", 2552 "required" : false, 2553 "caseExact" : false, 2554 "mutability" : "readOnly", 2555 "returned" : "default", 2556 "uniqueness" : "none" 2557 }, 2558 { 2559 "name" : "display", 2560 "type" : "string", 2561 "multiValued" : false, 2562 "description" : "A human readable name, primarily used 2563 for display purposes. READ-ONLY.", 2564 "required" : false, 2565 "caseExact" : false, 2566 "mutability" : "readOnly", 2567 "returned" : "default", 2568 "uniqueness" : "none" 2569 }, 2570 { 2571 "name" : "type", 2572 "type" : "string", 2573 "multiValued" : false, 2574 "description" : "A label indicating the attribute's 2575 function; e.g., 'direct' or 'indirect'.", 2576 "required" : false, 2577 "caseExact" : false, 2578 "canonicalValues" : [ 2579 "direct", 2580 "indirect" 2581 ], 2582 "mutability" : "readOnly", 2583 "returned" : "default", 2584 "uniqueness" : "none" 2585 } 2586 ], 2587 "mutability" : "readOnly", 2588 "returned" : "default" 2589 }, 2590 { 2591 "name" : "entitlements", 2592 "type" : "complex", 2593 "multiValued" : true, 2594 "description" : "A list of entitlements for the User that 2595 represent a thing the User has.", 2596 "required" : false, 2597 "subAttributes" : [ 2598 { 2599 "name" : "value", 2600 "type" : "string", 2601 "multiValued" : false, 2602 "description" : "The value of an entitlement.", 
2603 "required" : false, 2604 "caseExact" : false, 2605 "mutability" : "readWrite", 2606 "returned" : "default", 2607 "uniqueness" : "none" 2608 }, 2609 { 2610 "name" : "display", 2611 "type" : "string", 2612 "multiValued" : false, 2613 "description" : "A human readable name, primarily used 2614 for display purposes. READ-ONLY.", 2615 "required" : false, 2616 "caseExact" : false, 2617 "mutability" : "readWrite", 2618 "returned" : "default", 2619 "uniqueness" : "none" 2620 }, 2621 { 2622 "name" : "type", 2623 "type" : "string", 2624 "multiValued" : false, 2625 "description" : "A label indicating the attribute's 2626 function.", 2627 "required" : false, 2628 "caseExact" : false, 2629 "mutability" : "readWrite", 2630 "returned" : "default", 2631 "uniqueness" : "none" 2632 }, 2633 { 2634 "name" : "primary", 2635 "type" : "boolean", 2636 "multiValued" : false, 2637 "description" : "A Boolean value indicating the 'primary' or 2638 preferred attribute value for this attribute. The primary attribute 2639 value 'true' MUST appear no more than once.", 2640 "required" : false, 2641 "mutability" : "readWrite", 2642 "returned" : "default" 2643 } 2644 ], 2645 "mutability" : "readWrite", 2646 "returned" : "default" 2647 }, 2648 { 2649 "name" : "roles", 2650 "type" : "complex", 2651 "multiValued" : true, 2652 "description" : "A list of roles for the User that collectively 2653 represent who the User is; e.g., 'Student', 'Faculty'.", 2654 "required" : false, 2655 "subAttributes" : [ 2656 { 2657 "name" : "value", 2658 "type" : "string", 2659 "multiValued" : false, 2660 "description" : "The value of a role.", 2661 "required" : false, 2662 "caseExact" : false, 2663 "mutability" : "readWrite", 2664 "returned" : "default", 2665 "uniqueness" : "none" 2666 }, 2667 { 2668 "name" : "display", 2669 "type" : "string", 2670 "multiValued" : false, 2671 "description" : "A human readable name, primarily used for 2672 display purposes. 
READ-ONLY.", 2673 "required" : false, 2674 "caseExact" : false, 2675 "mutability" : "readWrite", 2676 "returned" : "default", 2677 "uniqueness" : "none" 2678 }, 2679 { 2680 "name" : "type", 2681 "type" : "string", 2682 "multiValued" : false, 2683 "description" : "A label indicating the attribute's 2684 function.", 2685 "required" : false, 2686 "caseExact" : false, 2687 "canonicalValues" : [], 2688 "mutability" : "readWrite", 2689 "returned" : "default", 2690 "uniqueness" : "none" 2691 }, 2692 { 2693 "name" : "primary", 2694 "type" : "boolean", 2695 "multiValued" : false, 2696 "description" : "A Boolean value indicating the 'primary' or 2697 preferred attribute value for this attribute. The primary attribute 2698 value 'true' MUST appear no more than once.", 2699 "required" : false, 2700 "mutability" : "readWrite", 2701 "returned" : "default" 2702 } 2703 ], 2704 "mutability" : "readWrite", 2705 "returned" : "default" 2706 }, 2707 { 2708 "name" : "x509Certificates", 2709 "type" : "complex", 2710 "multiValued" : true, 2711 "description" : "A list of certificates issued to the User.", 2712 "required" : false, 2713 "caseExact" : false, 2714 "subAttributes" : [ 2715 { 2716 "name" : "value", 2717 "type" : "binary", 2718 "multiValued" : false, 2719 "description" : "The value of a X509 certificate.", 2720 "required" : false, 2721 "caseExact" : false, 2722 "mutability" : "readWrite", 2723 "returned" : "default", 2724 "uniqueness" : "none" 2725 }, 2726 { 2727 "name" : "display", 2728 "type" : "string", 2729 "multiValued" : false, 2730 "description" : "A human readable name, primarily used 2731 for display purposes. 
READ-ONLY.", 2732 "required" : false, 2733 "caseExact" : false, 2734 "mutability" : "readWrite", 2735 "returned" : "default", 2736 "uniqueness" : "none" 2737 }, 2738 { 2739 "name" : "type", 2740 "type" : "string", 2741 "multiValued" : false, 2742 "description" : "A label indicating the attribute's 2743 function.", 2744 "required" : false, 2745 "caseExact" : false, 2746 "canonicalValues" : [], 2747 "mutability" : "readWrite", 2748 "returned" : "default", 2749 "uniqueness" : "none" 2750 }, 2751 { 2752 "name" : "primary", 2753 "type" : "boolean", 2754 "multiValued" : false, 2755 "description" : "A Boolean value indicating the 'primary' or 2756 preferred attribute value for this attribute. The primary attribute 2757 value 'true' MUST appear no more than once.", 2758 "required" : false, 2759 "mutability" : "readWrite", 2760 "returned" : "default" 2761 } 2762 ], 2763 "mutability" : "readWrite", 2764 "returned" : "default" 2766 } 2767 ], 2768 "meta" : { 2769 "resourceType" : "Schema", 2770 "location" : 2771 "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User" 2772 } 2773 }, 2774 { 2775 "id" : "urn:ietf:params:scim:schemas:core:2.0:Group", 2776 "name" : "Group", 2777 "description" : "Group", 2778 "attributes" : [ 2779 { 2780 "name" : "displayName", 2781 "type" : "string", 2782 "multiValued" : false, 2783 "description" : "Human readable name for the Group. 
REQUIRED.", 2784 "required" : false, 2785 "caseExact" : false, 2786 "mutability" : "readWrite", 2787 "returned" : "default", 2788 "uniqueness" : "none" 2789 }, 2790 { 2791 "name" : "members", 2792 "type" : "complex", 2793 "multiValued" : true, 2794 "description" : "A list of members of the Group.", 2795 "required" : false, 2796 "subAttributes" : [ 2797 { 2798 "name" : "value", 2799 "type" : "string", 2800 "multiValued" : false, 2801 "description" : "Identifier of the member of this Group.", 2802 "required" : false, 2803 "caseExact" : false, 2804 "mutability" : "immutable", 2805 "returned" : "default", 2806 "uniqueness" : "none" 2807 }, 2808 { 2809 "name" : "$ref", 2810 "type" : "reference", 2811 "referenceTypes" : [ 2812 "User", 2813 "Group" 2815 ], 2816 "multiValued" : false, 2817 "description" : "The URI of the corresponding to the member 2818 resource of this Group.", 2819 "required" : false, 2820 "caseExact" : false, 2821 "mutability" : "immutable", 2822 "returned" : "default", 2823 "uniqueness" : "none" 2824 }, 2825 { 2826 "name" : "type", 2827 "type" : "string", 2828 "multiValued" : false, 2829 "description" : "A label indicating the type of resource; 2830 e.g., 'User' or 'Group'.", 2831 "required" : false, 2832 "caseExact" : false, 2833 "canonicalValues" : [ 2834 "User", 2835 "Group" 2836 ], 2837 "mutability" : "immutable", 2838 "returned" : "default", 2839 "uniqueness" : "none" 2840 } 2841 ], 2842 "mutability" : "readWrite", 2843 "returned" : "default" 2844 } 2845 ], 2846 "meta" : { 2847 "resourceType" : "Schema", 2848 "location" : 2849 "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group" 2850 } 2851 }, 2852 { 2853 "id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", 2854 "name" : "EnterpriseUser", 2855 "description" : "Enterprise User", 2856 "attributes" : [ 2857 { 2858 "name" : "employeeNumber", 2859 "type" : "string", 2860 "multiValued" : false, 2861 "description" : "Numeric or alphanumeric identifier assigned to 2862 a person, 
typically based on order of hire or association with an 2863 organization.", 2864 "required" : false, 2865 "caseExact" : false, 2866 "mutability" : "readWrite", 2867 "returned" : "default", 2868 "uniqueness" : "none" 2869 }, 2870 { 2871 "name" : "costCenter", 2872 "type" : "string", 2873 "multiValued" : false, 2874 "description" : "Identifies the name of a cost center.", 2875 "required" : false, 2876 "caseExact" : false, 2877 "mutability" : "readWrite", 2878 "returned" : "default", 2879 "uniqueness" : "none" 2880 }, 2881 { 2882 "name" : "organization", 2883 "type" : "string", 2884 "multiValued" : false, 2885 "description" : "Identifies the name of an organization.", 2886 "required" : false, 2887 "caseExact" : false, 2888 "mutability" : "readWrite", 2889 "returned" : "default", 2890 "uniqueness" : "none" 2891 }, 2892 { 2893 "name" : "division", 2894 "type" : "string", 2895 "multiValued" : false, 2896 "description" : "Identifies the name of a division.", 2897 "required" : false, 2898 "caseExact" : false, 2899 "mutability" : "readWrite", 2900 "returned" : "default", 2901 "uniqueness" : "none" 2902 }, 2903 { 2904 "name" : "department", 2905 "type" : "string", 2906 "multiValued" : false, 2907 "description" : "Identifies the name of a department.", 2908 "required" : false, 2909 "caseExact" : false, 2910 "mutability" : "readWrite", 2911 "returned" : "default", 2912 "uniqueness" : "none" 2913 }, 2914 { 2915 "name" : "manager", 2916 "type" : "complex", 2917 "multiValued" : false, 2918 "description" : "The User's manager. A complex type that 2919 optionally allows Service Providers to represent organizational 2920 hierarchy by referencing the 'id' attribute of another User.", 2921 "required" : false, 2922 "subAttributes" : [ 2923 { 2924 "name" : "value", 2925 "type" : "string", 2926 "multiValued" : false, 2927 "description" : "The id of the SCIM resource representing 2928 the User's manager. 
REQUIRED.", 2929 "required" : false, 2930 "caseExact" : false, 2931 "mutability" : "readWrite", 2932 "returned" : "default", 2933 "uniqueness" : "none" 2934 }, 2935 { 2936 "name" : "$ref", 2937 "type" : "reference", 2938 "referenceTypes" : [ 2939 "User" 2940 ], 2941 "multiValued" : false, 2942 "description" : "The URI of the SCIM resource representing 2943 the User's manager. REQUIRED.", 2944 "required" : false, 2945 "caseExact" : false, 2946 "mutability" : "readWrite", 2947 "returned" : "default", 2948 "uniqueness" : "none" 2949 }, 2950 { 2951 "name" : "displayName", 2952 "type" : "string", 2953 "multiValued" : false, 2954 "description" : "The displayName of the User's manager. 2955 OPTIONAL and READ-ONLY.", 2956 "required" : false, 2957 "caseExact" : false, 2958 "mutability" : "readOnly", 2959 "returned" : "default", 2960 "uniqueness" : "none" 2961 } 2962 ], 2963 "mutability" : "readWrite", 2964 "returned" : "default" 2965 } 2966 ], 2967 "meta" : { 2968 "resourceType" : "Schema", 2969 "location" : 2970 "/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" 2971 } 2972 } 2973 ] 2975 Figure 9: Example JSON Representation for Resource Schema 2977 8.7.2. Service Provider Schema Representation 2979 The following is a representation of the SCIM Schema for the fixed 2980 service provider schemas: ServiceProviderConfig, ResourceType, and 2981 Schema. 
2983 [ 2984 { 2985 "id" : 2986 "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig", 2987 "name" : "Service Provider Configuration", 2988 "description" : "Schema for representing the service provider's 2989 configuration", 2990 "attributes" : [ 2991 { 2992 "name" : "documentationUri", 2993 "type" : "reference", 2994 "referenceTypes" : ["external"], 2995 "multiValued" : false, 2996 "description" : "An HTTP addressable URL pointing to the service 2997 provider's human consumable help documentation.", 2998 "required" : false, 2999 "caseExact" : false, 3000 "mutability" : "readOnly", 3001 "returned" : "default", 3002 "uniqueness" : "none" 3003 }, 3004 { 3005 "name" : "patch", 3006 "type" : "complex", 3007 "multiValued" : false, 3008 "description" : "A complex type that specifies PATCH 3009 configuration options.", 3010 "required" : true, 3011 "returned" : "default", 3012 "mutability" : "readOnly", 3013 "subAttributes" : [ 3014 { 3015 "name" : "supported", 3016 "type" : "boolean", 3017 "multiValued" : false, 3018 "description" : "Boolean value specifying whether the 3019 operation is supported.", 3020 "required" : true, 3021 "mutability" : "readOnly", 3022 "returned" : "default" 3023 } 3024 ] 3025 }, 3026 { 3027 "name" : "bulk", 3028 "type" : "complex", 3029 "multiValued" : false, 3030 "description" : "A complex type that specifies BULK 3031 configuration options.", 3032 "required" : true, 3033 "returned" : "default", 3034 "mutability" : "readOnly", 3035 "subAttributes" : [ 3036 { 3037 "name" : "supported", 3038 "type" : "boolean", 3039 "multiValued" : false, 3040 "description" : "Boolean value specifying whether the 3041 operation is supported.", 3042 "required" : true, 3043 "mutability" : "readOnly", 3044 "returned" : "default" 3045 }, 3046 { 3047 "name" : "maxOperations", 3048 "type" : "integer", 3049 "multiValued" : false, 3050 "description" : "An integer value specifying the maximum 3051 number of operations.", 3052 "required" : true, 3053 "mutability" : 
"readOnly", 3054 "returned" : "default", 3055 "uniqueness" : "none" 3056 }, 3057 { 3058 "name" : "maxPayloadSize", 3059 "type" : "integer", 3060 "multiValued" : false, 3061 "description" : "An integer value specifying the maximum 3062 payload size in bytes.", 3063 "required" : true, 3064 "mutability" : "readOnly", 3065 "returned" : "default", 3066 "uniqueness" : "none" 3067 } 3068 ] 3069 }, 3070 { 3071 "name" : "filter", 3072 "type" : "complex", 3073 "multiValued" : false, 3074 "description" : "A complex type that specifies FILTER options.", 3075 "required" : true, 3076 "returned" : "default", 3077 "mutability" : "readOnly", 3078 "subAttributes" : [ 3079 { 3080 "name" : "supported", 3081 "type" : "boolean", 3082 "multiValued" : false, 3083 "description" : "Boolean value specifying whether the 3084 operation is supported.", 3085 "required" : true, 3086 "mutability" : "readOnly", 3087 "returned" : "default" 3088 }, 3089 { 3090 "name" : "maxResults", 3091 "type" : "integer", 3092 "multiValued" : false, 3093 "description" : "Integer value specifying the maximum number 3094 of resources returned in a response.", 3095 "required" : true, 3096 "mutability" : "readOnly", 3097 "returned" : "default", 3098 "uniqueness" : "none" 3099 } 3100 ] 3101 }, 3102 { 3103 "name" : "changePassword", 3104 "type" : "complex", 3105 "multiValued" : false, 3106 "description" : "A complex type that specifies change password 3107 options.", 3108 "required" : true, 3109 "returned" : "default", 3110 "mutability" : "readOnly", 3111 "subAttributes" : [ 3112 { 3113 "name" : "supported", 3114 "type" : "boolean", 3115 "multiValued" : false, 3116 "description" : "Boolean value specifying whether the 3117 operation is supported.", 3118 "required" : true, 3119 "mutability" : "readOnly", 3120 "returned" : "default" 3121 } 3122 ] 3123 }, 3124 { 3125 "name" : "sort", 3126 "type" : "complex", 3127 "multiValued" : false, 3128 "description" : "A complex type that specifies sort result 3129 options.", 3130 
"required" : true, 3131 "returned" : "default", 3132 "mutability" : "readOnly", 3133 "subAttributes" : [ 3134 { 3135 "name" : "supported", 3136 "type" : "boolean", 3137 "multiValued" : false, 3138 "description" : "Boolean value specifying whether the 3139 operation is supported.", 3140 "required" : true, 3141 "mutability" : "readOnly", 3142 "returned" : "default" 3143 } 3144 ] 3145 }, 3146 { 3147 "name" : "authenticationSchemes", 3148 "type" : "complex", 3149 "multiValued" : true, 3150 "description" : "A complex type that specifies supported 3151 Authentication Scheme properties.", 3152 "required" : true, 3153 "returned" : "default", 3154 "mutability" : "readOnly", 3155 "subAttributes" : [ 3156 { 3157 "name" : "name", 3158 "type" : "string", 3159 "multiValued" : false, 3160 "description" : "The common authentication scheme name; 3161 e.g., HTTP Basic.", 3162 "required" : true, 3163 "caseExact" : false, 3164 "mutability" : "readOnly", 3165 "returned" : "default", 3166 "uniqueness" : "none" 3167 }, 3168 { 3169 "name" : "description", 3170 "type" : "string", 3171 "multiValued" : false, 3172 "description" : "A description of the authentication 3173 scheme.", 3174 "required" : true, 3175 "caseExact" : false, 3176 "mutability" : "readOnly", 3177 "returned" : "default", 3178 "uniqueness" : "none" 3179 }, 3180 { 3181 "name" : "specUri", 3182 "type" : "reference", 3183 "referenceTypes" : ["external"], 3184 "multiValued" : false, 3185 "description" : "An HTTP addressable URL pointing to the 3186 Authentication Scheme's specification.", 3187 "required" : false, 3188 "caseExact" : false, 3189 "mutability" : "readOnly", 3190 "returned" : "default", 3191 "uniqueness" : "none" 3192 }, 3193 { 3194 "name" : "documentationUri", 3195 "type" : "reference", 3196 "referenceTypes" : ["external"], 3197 "multiValued" : false, 3198 "description" : "An HTTP addressable URL pointing to the 3199 Authentication Scheme's usage documentation.", 3200 "required" : false, 3201 "caseExact" : false, 
3202 "mutability" : "readOnly", 3203 "returned" : "default", 3204 "uniqueness" : "none" 3205 } 3206 ] 3207 } 3208 ] 3209 }, 3210 { 3211 "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType", 3212 "name" : "ResourceType", 3213 "description" : "Specifies the schema that describes a SCIM Resource 3214 Type", 3215 "attributes" : [ 3216 { 3217 "name" : "id", 3218 "type" : "string", 3219 "multiValued" : false, 3220 "description" : "The resource type's server unique id. May be 3221 the same as the 'name' attribute.", 3222 "required" : false, 3223 "caseExact" : false, 3224 "mutability" : "readOnly", 3225 "returned" : "default", 3226 "uniqueness" : "none" 3227 }, 3228 { 3229 "name" : "name", 3230 "type" : "string", 3231 "multiValued" : false, 3232 "description" : "The resource type name. When applicable service 3233 providers MUST specify the name specified in the core schema 3234 specification; e.g., User", 3235 "required" : true, 3236 "caseExact" : false, 3237 "mutability" : "readOnly", 3238 "returned" : "default", 3239 "uniqueness" : "none" 3240 }, 3241 { 3242 "name" : "description", 3243 "type" : "string", 3244 "multiValued" : false, 3245 "description" : "The resource type's human readable description. 
3246 When applicable service providers MUST specify the description 3247 specified in the core schema specification.", 3248 "required" : false, 3249 "caseExact" : false, 3250 "mutability" : "readOnly", 3251 "returned" : "default", 3252 "uniqueness" : "none" 3253 }, 3254 { 3255 "name" : "endpoint", 3256 "type" : "reference", 3257 "referenceTypes" : ["uri"], 3258 "multiValued" : false, 3259 "description" : "The resource type's HTTP addressable endpoint 3260 relative to the Base URL; e.g., /Users", 3261 "required" : true, 3262 "caseExact" : false, 3263 "mutability" : "readOnly", 3264 "returned" : "default", 3265 "uniqueness" : "none" 3266 }, 3267 { 3268 "name" : "schema", 3269 "type" : "reference", 3270 "referenceTypes" : ["uri"], 3271 "multiValued" : false, 3272 "description" : "The resource types primary/base schema URI", 3273 "required" : true, 3274 "caseExact" : true, 3275 "mutability" : "readOnly", 3276 "returned" : "default", 3277 "uniqueness" : "none" 3278 }, 3279 { 3280 "name" : "schemaExtensions", 3281 "type" : "complex", 3282 "multiValued" : false, 3283 "description" : "A list of URIs of the resource type's schema 3284 extensions", 3285 "required" : true, 3286 "mutability" : "readOnly", 3287 "returned" : "default", 3288 "subAttributes" : [ 3289 { 3290 "name" : "schema", 3291 "type" : "reference", 3292 "referenceTypes" : ["uri"], 3293 "multiValued" : false, 3294 "description" : "The URI of a schema extension.", 3295 "required" : true, 3296 "caseExact" : true, 3297 "mutability" : "readOnly", 3298 "returned" : "default", 3299 "uniqueness" : "none" 3300 }, 3301 { 3302 "name" : "required", 3303 "type" : "boolean", 3304 "multiValued" : false, 3305 "description" : "A Boolean value that specifies whether the 3306 schema extension is required for the resource type. If 3307 true, a resource of this type MUST include this schema 3308 extension and include any attributes declared as required 3309 in this schema extension. 
If false, a resource of this 3310 type MAY omit this schema extension.", 3311 "required" : true, 3312 "mutability" : "readOnly", 3313 "returned" : "default" 3314 } 3315 ] 3316 } 3317 ] 3318 }, 3319 { 3320 "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema", 3321 "name" : "Schema", 3322 "description" : "Specifies the schema that describes a SCIM Schema", 3323 "attributes" : [ 3324 { 3325 "name" : "id", 3326 "type" : "string", 3327 "multiValued" : false, 3328 "description" : "The unique URI of the schema. When applicable 3329 service providers MUST specify the URI specified in the core 3330 schema specification", 3331 "required" : true, 3332 "caseExact" : false, 3333 "mutability" : "readOnly", 3334 "returned" : "default", 3335 "uniqueness" : "none" 3336 }, 3337 { 3338 "name" : "name", 3339 "type" : "string", 3340 "multiValued" : false, 3341 "description" : "The schema's human readable name. When 3342 applicable service providers MUST specify the name specified 3343 in the core schema specification; e.g., User", 3344 "required" : true, 3345 "caseExact" : false, 3346 "mutability" : "readOnly", 3347 "returned" : "default", 3348 "uniqueness" : "none" 3349 }, 3350 { 3351 "name" : "description", 3352 "type" : "string", 3353 "multiValued" : false, 3354 "description" : "The schema's human readable name. 
When 3355 applicable service providers MUST specify the name specified 3356 in the core schema specification; e.g., User", 3357 "required" : false, 3358 "caseExact" : false, 3359 "mutability" : "readOnly", 3360 "returned" : "default", 3361 "uniqueness" : "none" 3362 }, 3363 { 3364 "name" : "attributes", 3365 "type" : "complex", 3366 "multiValued" : true, 3367 "description" : "A complex attribute that includes the 3368 attributes of a schema", 3369 "required" : true, 3370 "mutability" : "readOnly", 3371 "returned" : "default", 3372 "subAttributes" : [ 3373 { 3374 "name" : "name", 3375 "type" : "string", 3376 "multiValued" : false, 3377 "description" : "The attribute's name", 3378 "required" : true, 3379 "caseExact" : true, 3380 "mutability" : "readOnly", 3381 "returned" : "default", 3382 "uniqueness" : "none" 3383 }, 3384 { 3385 "name" : "type", 3386 "type" : "string", 3387 "multiValued" : false, 3388 "description" : "The attribute's data type. Valid values 3389 include: 'string', 'complex', 'boolean', 'decimal', 3390 'integer', 'dateTime', 'reference'. 
", 3392 "required" : true, 3393 "canonicalValues" : [ 3394 "string", 3395 "complex", 3396 "boolean", 3397 "decimal", 3398 "integer", 3399 "dateTime", 3400 "reference" 3401 ], 3402 "caseExact" : false, 3403 "mutability" : "readOnly", 3404 "returned" : "default", 3405 "uniqueness" : "none" 3406 }, 3407 { 3408 "name" : "multiValued", 3409 "type" : "boolean", 3410 "multiValued" : false, 3411 "description" : "Boolean indicating an attribute's 3412 plurality.", 3413 "required" : true, 3414 "mutability" : "readOnly", 3415 "returned" : "default" 3416 }, 3417 { 3418 "name" : "description", 3419 "type" : "string", 3420 "multiValued" : false, 3421 "description" : "A human readable description of the 3422 attribute.", 3423 "required" : false, 3424 "caseExact" : true, 3425 "mutability" : "readOnly", 3426 "returned" : "default", 3427 "uniqueness" : "none" 3428 }, 3429 { 3430 "name" : "required", 3431 "type" : "boolean", 3432 "multiValued" : false, 3433 "description" : "A boolean indicating if the attribute 3434 is required.", 3435 "required" : false, 3436 "mutability" : "readOnly", 3437 "returned" : "default" 3438 }, 3439 { 3440 "name" : "canonicalValues", 3441 "type" : "string", 3442 "multiValued" : true, 3443 "description" : "A collection of canonical values. 
When 3444 applicable service providers MUST specify the canonical 3445 types specified in the core schema specification; e.g., 3446 'work', 'home'.", 3447 "required" : false, 3448 "caseExact" : true, 3449 "mutability" : "readOnly", 3450 "returned" : "default", 3451 "uniqueness" : "none" 3452 }, 3453 { 3454 "name" : "caseExact", 3455 "type" : "boolean", 3456 "multiValued" : false, 3457 "description" : "Indicates if a string attribute is 3458 case-sensitive.", 3459 "required" : false, 3460 "mutability" : "readOnly", 3461 "returned" : "default" 3462 }, 3463 { 3464 "name" : "mutability", 3465 "type" : "string", 3466 "multiValued" : false, 3467 "description" : "Indicates if an attribute is modifiable.", 3468 "required" : false, 3469 "caseExact" : true, 3470 "mutability" : "readOnly", 3471 "returned" : "default", 3472 "uniqueness" : "none", 3473 "canonicalValues" : [ 3474 "readOnly", 3475 "readWrite", 3476 "immutable", 3477 "writeOnly" 3478 ] 3479 }, 3480 { 3481 "name" : "returned", 3482 "type" : "string", 3483 "multiValued" : false, 3484 "description" : "Indicates when an attribute is returned in 3485 a response (e.g., to a query).", 3486 "required" : false, 3487 "caseExact" : true, 3488 "mutability" : "readOnly", 3489 "returned" : "default", 3490 "uniqueness" : "none", 3491 "canonicalValues" : [ 3492 "always", 3493 "never", 3494 "default", 3495 "request" 3496 ] 3497 }, 3498 { 3499 "name" : "uniqueness", 3500 "type" : "string", 3501 "multiValued" : false, 3502 "description" : "Indicates how unique a value must be.", 3503 "required" : false, 3504 "caseExact" : true, 3505 "mutability" : "readOnly", 3506 "returned" : "default", 3507 "uniqueness" : "none", 3508 "canonicalValues" : [ 3509 "none", 3510 "server", 3511 "global" 3512 ] 3513 }, 3514 { 3515 "name" : "referenceTypes", 3516 "type" : "string", 3517 "multiValued" : true, 3518 "description" : "Used only with an attribute of type 3519 'reference'. 
Specifies a SCIM resourceType that a 3520 reference attribute MAY refer to. e.g., User", 3521 "required" : false, 3522 "caseExact" : true, 3523 "mutability" : "readOnly", 3524 "returned" : "default", 3525 "uniqueness" : "none" 3526 }, 3527 { 3528 "name" : "subAttributes", 3529 "type" : "complex", 3530 "multiValued" : true, 3531 "description" : "Used to define the sub-attributes of a 3532 complex attribute", 3533 "required" : false, 3534 "mutability" : "readOnly", 3535 "returned" : "default", 3536 "subAttributes" : [ 3537 { 3538 "name" : "name", 3539 "type" : "string", 3540 "multiValued" : false, 3541 "description" : "The attribute's name", 3542 "required" : true, 3543 "caseExact" : true, 3544 "mutability" : "readOnly", 3545 "returned" : "default", 3546 "uniqueness" : "none" 3547 }, 3548 { 3549 "name" : "type", 3550 "type" : "string", 3551 "multiValued" : false, 3552 "description" : "The attribute's data type. Valid values 3553 include: 'string', 'complex', 'boolean', 'decimal', 3554 'integer', 'dateTime', 'reference'. 
", 3555 "required" : true, 3556 "caseExact" : false, 3557 "mutability" : "readOnly", 3558 "returned" : "default", 3559 "uniqueness" : "none", 3560 "canonicalValues" : [ 3561 "string", 3562 "complex", 3563 "boolean", 3564 "decimal", 3565 "integer", 3566 "dateTime", 3567 "reference" 3568 ] 3569 }, 3570 { 3571 "name" : "multiValued", 3572 "type" : "boolean", 3573 "multiValued" : false, 3574 "description" : "Boolean indicating an attribute's 3575 plurality.", 3576 "required" : true, 3577 "mutability" : "readOnly", 3578 "returned" : "default" 3579 }, 3580 { 3581 "name" : "description", 3582 "type" : "string", 3583 "multiValued" : false, 3584 "description" : "A human readable description of the 3585 attribute.", 3586 "required" : false, 3587 "caseExact" : true, 3588 "mutability" : "readOnly", 3589 "returned" : "default", 3590 "uniqueness" : "none" 3591 }, 3592 { 3593 "name" : "required", 3594 "type" : "boolean", 3595 "multiValued" : false, 3596 "description" : "A boolean indicating if the attribute 3597 is required.", 3598 "required" : false, 3599 "mutability" : "readOnly", 3600 "returned" : "default" 3601 }, 3602 { 3603 "name" : "canonicalValues", 3604 "type" : "string", 3605 "multiValued" : true, 3606 "description" : "A collection of canonical values. 
When 3607 applicable service providers MUST specify the 3608 canonical types specified in the core schema 3609 specification; e.g., 'work', 'home'.", 3610 "required" : false, 3611 "caseExact" : true, 3612 "mutability" : "readOnly", 3613 "returned" : "default", 3614 "uniqueness" : "none" 3615 }, 3616 { 3617 "name" : "caseExact", 3618 "type" : "boolean", 3619 "multiValued" : false, 3620 "description" : "Indicates if a string attribute is 3621 case-sensitive.", 3622 "required" : false, 3623 "mutability" : "readOnly", 3624 "returned" : "default" 3625 }, 3626 { 3627 "name" : "mutability", 3628 "type" : "string", 3629 "multiValued" : false, 3630 "description" : "Indicates if an attribute is 3631 modifiable.", 3633 "required" : false, 3634 "caseExact" : true, 3635 "mutability" : "readOnly", 3636 "returned" : "default", 3637 "uniqueness" : "none", 3638 "canonicalValues" : [ 3639 "readOnly", 3640 "readWrite", 3641 "immutable", 3642 "writeOnly" 3643 ] 3644 }, 3645 { 3646 "name" : "returned", 3647 "type" : "string", 3648 "multiValued" : false, 3649 "description" : "Indicates when an attribute is 3650 returned in a response (e.g., to a query).", 3651 "required" : false, 3652 "caseExact" : true, 3653 "mutability" : "readOnly", 3654 "returned" : "default", 3655 "uniqueness" : "none", 3656 "canonicalValues" : [ 3657 "always", 3658 "never", 3659 "default", 3660 "request" 3661 ] 3662 }, 3663 { 3664 "name" : "uniqueness", 3665 "type" : "string", 3666 "multiValued" : false, 3667 "description" : "Indicates how unique a value must be.", 3668 "required" : false, 3669 "caseExact" : true, 3670 "mutability" : "readOnly", 3671 "returned" : "default", 3672 "uniqueness" : "none", 3673 "canonicalValues" : [ 3674 "none", 3675 "server", 3676 "global" 3677 ] 3678 }, 3679 { 3680 "name" : "referenceTypes", 3681 "type" : "string", 3682 "multiValued" : false, 3683 "description" : "Used only with an attribute of type 3684 'reference'. 
Specifies a SCIM resourceType that a 3685 reference attribute MAY refer to. e.g., 'User'", 3686 "required" : false, 3687 "caseExact" : true, 3688 "mutability" : "readOnly", 3689 "returned" : "default", 3690 "uniqueness" : "none" 3691 } 3692 ] 3693 } 3694 ] 3695 } 3696 ] 3697 } 3698 ] 3700 Figure 10: Representation of Fixed ServiceProvider Endpoint Schemas 3702 9. Security Considerations 3704 9.1. Protocol 3706 SCIM data is intended to be exchanged using SCIM Protocol. It is 3707 important when handling data to implement the security considerations 3708 outlined in Section 7 of [I-D.ietf-scim-api]. 3710 9.2. Password and Other Sensitive Security Data 3712 Passwords and other attributes related to security credentials are of 3713 extreme sensitive nature and require special handling when 3714 transmitted or stored. While SCIM Protocol uses clear-text passwords 3715 for setting and equality testing purposes, password values MUST NOT 3716 be stored in clear-text form. 3718 Administrators should undertake industry best practices to protect 3719 the storage of credentials and in particular SHOULD follow 3720 recommendations outlines in Section 5.1.4.1 [RFC6819]. These 3721 requirements include but are not limited to: 3723 o Provide injection attack counter measures (e.g., by validating all 3724 inputs and parameters), 3726 o No cleartext storage of credentials, 3727 o Store credentials using an encrypted protection mechanism (e.g. 3728 hashing), and 3730 o Where possible, avoid passwords as the sole form of 3731 authentication, and consider use of asymmetric cryptography based 3732 credentials. 3734 9.3. Privacy 3736 The SCIM Core schema defines attributes that are sensitive and may be 3737 considered personally identifying information (PII). These privacy 3738 considerations should be considered for extensions as well as the 3739 schema defined in this specification. 
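   One way a service provider can apply the storage rule of Section 9.2
   and the identifier remediations listed in Section 9.3 in code, as an
   added example that is not part of this draft: the clear-text password
   received over the protocol is kept only as a salted scrypt digest and
   equality-tested with a constant-time comparison, it is never returned
   (the User schema's "password" attribute is writeOnly and returned
   "never"), every tenant gets its own identifier bound to it, and
   "externalId" is visible only to the tenant that assigned it.  The
   in-memory tables, the tenant names and the sample User are
   constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# In-memory tables constructed for this example; a real service provider
# would persist them with access restricted to authorized parties.
_USERS = {}        # internal id -> stored record (never leaves the server)
_TENANT_IDS = {}   # (tenant, tenant-facing id) -> internal id
_SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def hash_password(password, salt=None):
    """Salted scrypt digest; only this, never the clear text, is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **_SCRYPT)
    return {"salt": salt, "digest": digest}


def verify_password(candidate, stored):
    """Equality test for a clear-text candidate received via SCIM."""
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=stored["salt"],
                            **_SCRYPT)
    return hmac.compare_digest(digest, stored["digest"])


def id_for(internal_id, tenant):
    """Identifier bound to one tenant, assigned on first use, so tenants
    that reference the same User cannot correlate it via the 'id' value."""
    for (t, tid), iid in _TENANT_IDS.items():
        if t == tenant and iid == internal_id:
            return tid
    tid = secrets.token_urlsafe(16)
    _TENANT_IDS[(tenant, tid)] = internal_id
    return tid


def resolve(tenant, tenant_id):
    """Map a tenant-facing id back to the internal id, or None if unknown."""
    return _TENANT_IDS.get((tenant, tenant_id))


def create_user(resource, tenant):
    """Store a User resource sent by `tenant`; returns the tenant-facing id."""
    record = {k: v for k, v in resource.items()
              if k not in ("id", "password", "externalId")}
    password = resource.get("password")
    record["_password"] = hash_password(password) if password else None
    # externalId is kept per assigning tenant (Section 9.3 remediation).
    record["_externalIds"] = {}
    if "externalId" in resource:
        record["_externalIds"][tenant] = resource["externalId"]
    internal_id = secrets.token_hex(16)
    _USERS[internal_id] = record
    return id_for(internal_id, tenant)


def link_tenant(owner_tenant, tenant_id, other_tenant):
    """Let a second tenant reference the same User via a separate identifier."""
    internal_id = resolve(owner_tenant, tenant_id)
    return None if internal_id is None else id_for(internal_id, other_tenant)


def render_user(tenant, tenant_id):
    """Representation returned to `tenant`: no password (returned 'never'),
    a tenant-bound id, and externalId only if this tenant assigned it."""
    internal_id = resolve(tenant, tenant_id)
    if internal_id is None:
        return None
    record = _USERS[internal_id]
    out = {k: v for k, v in record.items() if not k.startswith("_")}
    out["id"] = tenant_id
    if tenant in record["_externalIds"]:
        out["externalId"] = record["_externalIds"][tenant]
    return out


def check_password(tenant, tenant_id, candidate):
    """Equality test on a tenant-facing id; False for unknown id or no password."""
    internal_id = resolve(tenant, tenant_id)
    stored = _USERS[internal_id]["_password"] if internal_id else None
    return stored is not None and verify_password(candidate, stored)
```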
   For the purposes of this specification, personally identifying
   information is defined as any attribute that MAY be used as a unique
   key to identify a person (e.g., User).  Since other information MAY
   be used in combination to identify an individual, all attributes in
   SCIM are considered "sensitive" personal information.  Consult
   regional jurisdictions to see if there are special considerations for
   the handling of personal and PII information.

   Information should be shared on an as-needed basis.  A SCIM client
   should limit information to what it believes a service provider
   requires, and a SCIM service provider should only accept information
   it needs.  Clients and service providers should take into
   consideration that personal information is being conveyed across
   technical (e.g., protocol and applications), administrative (e.g.,
   organizational, corporate), and jurisdictional boundaries.  In
   particular, information security and privacy must be considered.

   Security service level agreements for the handling of these
   attributes are beyond the scope of this document, but are to be
   carefully considered by implementers and deploying organizations.

   Please see the Privacy Considerations section of [I-D.ietf-scim-api]
   for more protocol-specific considerations for handling of SCIM
   information.

   SCIM defines attributes such as "id" and "externalId" and SCIM
   resource URIs, which cause new PII to be generated that is important
   to the way the SCIM protocol identifies and locates resources.  Where
   possible, it is suggested that service providers take the following
   remediations:

   o  Where possible, assign and bind identifiers to specific tenants
      and/or clients.  When multiple tenants are able to reference the
      same resource, they should do so via separate identifiers (id or
      externalId).  This ensures that separate domains linked to the
      same information cannot perform identifier correlation.

   o  In the case of "externalId", if multiple values are supported, use
      access control to restrict access to the client domain that
      assigned the "externalId" value.

   o  Ensure that access to data is appropriately restricted to
      authorized parties with a need-to-know.

   o  When persisted, ensure that appropriate protection mechanisms are
      in place to restrict access by unauthorized parties, including
      administrators or parties with access to backup data.

10.  IANA Considerations

10.1.  Registration of SCIM URN Sub-namespace & SCIM Registry

   IANA is requested to add an entry to the 'IETF URN Sub-namespace for
   Registered Protocol Parameter Identifiers' registry and create a sub-
   namespace for the Registered Parameter Identifier as per [RFC3553]:
   "urn:ietf:params:scim".

   To manage this sub-namespace, IANA is requested to create the "SCIM"
   Registry, which shall be used to manage entries within the
   "urn:ietf:params:scim" namespace.  The registry description is as
   follows:

   o  Registry name: SCIM

   o  Specification: [this document]

   o  Repository: [see Section 10.2]

   o  Index value: values [see Section 10.2]

10.2.  URN Sub-Namespace for SCIM

   SCIM schemas and SCIM messages utilize URIs to identify the schema in
   use or other relevant context.  This section creates and registers an
   IETF URN Sub-namespace for use in the SCIM specifications and future
   extensions.

10.2.1.  Specification Template

   Namespace ID:

      The Namespace ID "scim" is requested.

   Registration Information:

      Version: 1

      Date: [[insert final submission date]]

   Declared registrant of the namespace:

      Registering organization
         The Internet Engineering Task Force

      Designated contact
         A designated expert will monitor the SCIM public mailing list,
         "scim@ietf.org".
   Declaration of Syntactic Structure:

      The Namespace Specific String (NSS) of all URNs that use the
      "scim" NID shall have the following structure:

         urn:ietf:params:scim:{type}:{name}{:other}

      The keywords have the following meaning:

      type
         The entity type, which is either "schemas" or "api".

      name
         A required US-ASCII string that conforms to the URN syntax
         requirements (see [RFC2141]) and defines a major namespace of
         a schema used within SCIM (e.g., "core", which is reserved for
         SCIM specifications).  The value MAY also be an industry name
         or organization name.

      other
         Any US-ASCII string that conforms to the URN syntax
         requirements (see [RFC2141]) and defines the sub-namespace
         (which MAY be further broken down in namespaces delimited by
         colons) as needed to uniquely identify a schema.

   Relevant Ancillary Documentation:

      None

   Identifier Uniqueness Considerations:

      The designated contact shall be responsible for reviewing and
      enforcing uniqueness.

   Identifier Persistence Considerations:

      Once a name has been allocated, it MUST NOT be re-allocated for a
      different purpose.  The rules provided for assignments of values
      within a sub-namespace MUST be constructed so that the meaning of
      values cannot change.  This registration mechanism is not
      appropriate for naming values whose meaning may change over time.

      As the SCIM specifications are updated and the SCIM protocol
      version is adjusted, a new registration will be made when
      significant changes are made.  For example,
      "urn:ietf:params:scim:schemas:core:1.0" (externally defined, not
      previously registered) and
      "urn:ietf:params:scim:schemas:core:2.0".
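   As an added example, not part of this draft, a parser for the
   structure declared above that splits a URN into {type}, {name} and
   {other}, enforces the US-ASCII and non-empty-segment requirements,
   applies the RFC 2141 rule that "urn" and the NID compare
   case-insensitively, and reports which review path the assignment
   rules of Sections 10.2.1 and 10.3.1 require (an RFC for the "api" and
   "param" types and the "core" name, first-come-first-served expert
   review elsewhere in the sub-namespace).  The registry lookup table is
   built from the Section 10.4 entries; the "param" type and the URNs
   not found in this draft are taken as assumptions for the example.

```python
import re
from collections import namedtuple

# Components of urn:ietf:params:scim:{type}:{name}{:other}
ScimUrn = namedtuple("ScimUrn", "type name other")

# Namespace types: "schemas" and "api" from the syntax declaration, plus
# "param", which the assignment rules reserve for IETF SCIM specifications.
_TYPES = {"schemas", "api", "param"}
# "urn" and the NID are case-insensitive (RFC 2141); the NSS is taken as-is.
_HEAD = re.compile(r"^urn:ietf:", re.IGNORECASE)
_PREFIX = "params:scim:"

# Initial SCIM schema registry entries (Section 10.4), with the table's
# split URIs joined back into single strings; built here for the example.
INITIAL_REGISTRY = {
    "urn:ietf:params:scim:schemas:core:2.0:User": "User Resource",
    "urn:ietf:params:scim:schemas:core:2.0:Group": "Group Resource",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":
        "Enterprise User Extension",
    "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig":
        "Service Provider Configuration Schema",
    "urn:ietf:params:scim:schemas:core:2.0:ResourceType":
        "Resource Type Config",
    "urn:ietf:params:scim:schemas:core:2.0:Schema":
        "Schema Definitions Schema",
}


def parse_scim_urn(urn):
    """Split a SCIM URN into its keywords; raise ValueError if malformed."""
    if not urn.isascii():
        raise ValueError("name and other MUST be US-ASCII")
    head = _HEAD.match(urn)
    if head is None or not urn[head.end():].startswith(_PREFIX):
        raise ValueError("not in the urn:ietf:params:scim sub-namespace")
    segments = urn[head.end() + len(_PREFIX):].split(":")
    if len(segments) < 2 or "" in segments:
        raise ValueError("expected {type}:{name} with no empty segment")
    if segments[0] not in _TYPES:
        raise ValueError("unknown namespace type: " + segments[0])
    other = ":".join(segments[2:]) or None
    return ScimUrn(segments[0], segments[1], other)


def is_scim_urn(urn):
    """Boolean form of parse_scim_urn for callers that only need a check."""
    try:
        parse_scim_urn(urn)
        return True
    except ValueError:
        return False


def registration_policy(urn):
    """Review path Section 10.3.1 requires for a new identifier.  (An RFC
    is also required when an existing RFC schema is modified, which cannot
    be told from the URI alone.)"""
    parsed = parse_scim_urn(urn)
    if parsed.type in ("api", "param") or parsed.name == "core":
        return "expert review and RFC required"
    return "expert review, first-come-first-served"


def unregistered_schemas(schemas):
    """URIs from a resource's "schemas" attribute that are well formed but
    absent from the initial registry, i.e. extensions still to register."""
    return [s for s in schemas if is_scim_urn(s) and s not in INITIAL_REGISTRY]
```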
   Process of Identifier Assignment:

      Identifiers with namespace type "schemas" (e.g.,
      "urn:ietf:params:scim:schemas") are assigned after review by the
      assigned contact via the SCIM public mailing list,
      "scim@ietf.org", as documented in Section 10.3.

      Namespaces with type "api" (e.g., "urn:ietf:params:scim:api") and
      "param" (e.g., "urn:ietf:params:scim:param") are reserved for
      IETF-approved SCIM specifications.

   Process of Identifier Resolution:

      The namespace is not currently listed with a Resolution Discovery
      System (RDS), but nothing about the namespace prohibits the future
      definition of appropriate resolution methods or listing with an
      RDS.

   Rules for Lexical Equivalence:

      No special considerations; the rules for lexical equivalence
      specified in [RFC2141] apply.

   Conformance with URN Syntax:

      No special considerations.

   Validation Mechanism:

      None specified.

   Scope:

      Global.

10.3.  Registering SCIM Schemas

   This section defines the process for registering new SCIM schemas
   with IANA in the "SCIM" registry (see Section 10.1).  A schema URI is
   used as a value in the "schemas" attribute (Section 3) for the
   purpose of distinguishing extensions used in a SCIM resource.

10.3.1.  Registration Procedure

   The IETF has created a mailing list, scim@ietf.org, which can be used
   for public discussion of SCIM schema proposals prior to registration.
   Use of the mailing list is strongly encouraged.  The IESG has
   appointed a designated expert who will monitor the scim@ietf.org
   mailing list and review registrations.

   Registration of new "core" schemas (e.g., in the namespace
   "urn:ietf:params:scim:schemas:core") and "API" schemas (e.g., in the
   namespace "urn:ietf:params:scim:api") MUST be reviewed by the
   designated expert and published in an RFC.  An RFC is REQUIRED for
   the registration of new value data types that modify existing
   properties.  An RFC is also REQUIRED for registration of SCIM schema
   URIs that modify a SCIM schema previously documented in an existing
   RFC.  URNs within "urn:ietf:params:scim" but outside the above
   namespaces MAY be registered with a simple review (e.g., a check for
   SPAM) by the designated expert on a first-come-first-served basis.

   The registration procedure begins when a completed registration
   template, defined in the sections below, is sent to scim@ietf.org and
   iana@iana.org.  Within two weeks, the designated expert is expected
   to tell IANA and the submitter of the registration whether the
   registration is approved, approved with minor changes, or rejected
   with cause.  When a registration is rejected with cause, it can be
   re-submitted if the concerns listed in the cause are addressed.
   Decisions made by the designated expert can be appealed to the IESG
   Applications Area Director, then to the IESG.  They follow the normal
   appeals procedure for IESG decisions.

   Once the registration procedure concludes successfully, IANA creates
   or modifies the corresponding record in the SCIM schema registry.
   The completed registration template is discarded.

   An RFC specifying a new schema URI MUST include the completed
   registration templates, which MAY be expanded with additional
   information.  These completed templates are intended to go in the
   body of the document, not in the IANA Considerations section.  The
   RFC SHOULD include any attributes defined.

10.3.2.  Schema Registration Template

   A SCIM schema URI is defined by completing the following template:

   Schema URI:  A unique URI for the SCIM schema extension.
   Schema Name:  A descriptive name of the schema extension (e.g.,
      Generic Device).

   Intended or Associated Resource Type:  A value defining the resource
      type (e.g., "Device").

   Purpose:  A description of the purpose of the extension and/or its
      intended use.

   Single-value Attributes:  A list and description of single-valued
      attributes defined, including complex attributes.

   Multi-valued Attributes:  A list and description of multi-valued
      attributes defined, including complex attributes.

10.4.  Initial SCIM Schema Registry

   IANA is requested to populate the "SCIM" registry with the following
   registries for SCIM schema URIs, with pointers to the appropriate
   reference documents.  Note: each Schema URI is broken into two lines
   for readability.

   +-----------------------------------+-----------------+-------------+
   | Schema URI                        | Name            | Reference   |
   +-----------------------------------+-----------------+-------------+
   | urn:ietf:params:scim:schemas:     | User Resource   | See Section |
   | core:2.0:User                     |                 | 4.1         |
   | urn:ietf:params:scim:schemas:     | Enterprise User | See Section |
   | extension:enterprise:2.0:User     | Extension       | 4.3         |
   | urn:ietf:params:scim:schemas:     | Group Resource  | See Section |
   | core:2.0:Group                    |                 | 4.2         |
   +-----------------------------------+-----------------+-------------+

                   SCIM Schema URIs for Data Resources

   +-----------------------------------+-------------------+-----------+
   | Schema URI                        | Name              | Reference |
   +-----------------------------------+-------------------+-----------+
   | urn:ietf:params:scim:schemas:     | Service Provider  | See       |
   | core:2.0:ServiceProviderConfig    | Configuration     | Section 5 |
   |                                   | Schema            |           |
   | urn:ietf:params:scim:schemas:     | Resource Type     | See       |
   | core:2.0:ResourceType             | Config            | Section 6 |
   | urn:ietf:params:scim:schemas:     | Schema            | See       |
   | core:2.0:Schema                   | Definitions       | Section 7 |
   |                                   | Schema            |           |
   +-----------------------------------+-------------------+-----------+

                     SCIM Server Related Schema URIs

11.  References

11.1.  Normative References

   [I-D.ietf-scim-api]
              Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C.
              Mortimore, "System for Cross-Domain Identity Management:
              Protocol", draft-ietf-scim-api-18 (work in progress), May
              2015.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2141]  Moats, R., "URN Syntax", RFC 2141, May 1997.

   [RFC3553]  Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An
              IETF URN Sub-namespace for Registered Protocol
              Parameters", BCP 73, RFC 3553, June 2003.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC3966]  Schulzrinne, H., "The tel URI for Telephone Numbers", RFC
              3966, December 2004.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005.

   [RFC4647]  Phillips, A. and M. Davis, "Matching of Language Tags",
              BCP 47, RFC 4647, September 2006.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, October 2006.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              October 2008.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", BCP 47, RFC 5646, September 2009.

   [RFC6557]  Lear, E. and P. Eggert, "Procedures for Maintaining the
              Time Zone Database", BCP 175, RFC 6557, February 2012.

   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014.

   [RFC7231]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.

   [RFC7232]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Conditional Requests", RFC 7232, June 2014.

11.2.  Informative References

   [ISO3166]  "ISO 3166:1988 (E/F) - Codes for the representation of
              names of countries - The International Organization for
              Standardization, 3rd edition", August 1988.

   [Olson-TZ]
              Internet Assigned Numbers Authority, "IANA Time Zone
              Database".

   [PortableContacts]
              Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only",
              August 2008.

   [RFC2277]  Alvestrand, H., "IETF Policy on Character Sets and
              Languages", BCP 18, RFC 2277, January 1998.

   [RFC4512]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Directory Information Models", RFC 4512, June
              2006.

   [RFC6350]  Perreault, S., "vCard Format Specification", RFC 6350,
              August 2011.

   [RFC6749]  Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
              6749, October 2012.

   [RFC6819]  Lodderstedt, T., McGloin, M., and P. Hunt, "OAuth 2.0
              Threat Model and Security Considerations", RFC 6819,
              January 2013.

   [XML-Schema]
              Peterson, D., Gao, S., Malhotra, A., Sperberg-McQueen, C.,
              and H. Thompson, "XML Schema Definition Language (XSD) 1.1
              Part 2: Datatypes", April 2012.

Appendix A.  Acknowledgements

   The editors would like to acknowledge the contribution and work of
   the past draft editors:

      Chuck Mortimore, Salesforce

      Patrick Harding, Ping

      Paul Madsen, Ping

      Trey Drake, UnboundID

   The SCIM Community would like to thank the following people for the
   work they've done in the research, formulation, drafting, editing,
   and support of this specification.

      Morteza Ansari (morteza.ansari@cisco.com)

      Sidharth Choudhury (schoudhury@salesforce.com)

      Samuel Erdtman (samuel@erdtman.se)

      Kelly Grizzle (kelly.grizzle@sailpoint.com)

      Chris Phillips (cjphillips@gmail.com)

      Erik Wahlstroem (erik@wahlstromstekniska.se)

      Phil Hunt (phil.hunt@yahoo.com)

   Special thanks to Joseph Smarr, whose excellent work on the Portable
   Contacts Specification [PortableContacts] provided a basis for the
   SCIM schema structure and text.

Appendix B.  Change Log

   [[This section to be removed prior to publication as an RFC]]

   Draft 02 - KG - Addition of schema extensibility

   Draft 03 - PH - Revisions based on following tickets:

      09 - Attribute uniqueness

      10 - Returnability of attributes

      35 - Attribute mutability (replaces readOnly)

      52 - Minor textual changes

      53 - Standard use of term client (some was consumer)

      56 - Make manager attribute consistent with other $ref attrs

      58 - Add optional id to ResourceType objects for consistency

      59 - Fix capitalization per IETF editor practices

      60 - Changed tags to normal and tags

   Draft 04 - PH - Revisions based on the following tickets:

      43 - Drop short-hand notation for complex multi-valued attributes

      61 - Specify attribute name limitations

      62 - Fix 'mutability' normative language

      63 - Fix incorrect EnterpriseUser schema reference

      68 - Update JSON references from RFC4627 to RFC7159

      71 - Made corrections to language tags in compliance with BCP47 /
      RFC5646

   Draft 05 - PH - Revisions based on the following tickets

      23 - Clarified that the server is not required to preserve case
      for case insensitive strings

      41 - Add IANA considerations

      72 - Added text to indicate UTF-8 is default and mandatory
      encoding format per BCP18

      - Typo corrections and removed some redundant text

   Draft 06 - PH - Revisions based on the following tickets

      63 - Corrected enterprise user URI in 14.2 and section 7, URI
      namespace changes due to ticket #41

      66 - Updated reference to final HTTP/1.1 drafts (RFC 7230)

      41 - Add IANA considerations

      - Removed redundant text (e.g., SAML binding, replaced REST with
      HTTP)

      - Reordered introduction, definitions and notation sections to
      follow typical format

      - meta.attributes removed due to new PURGE command in draft 04 (no
      longer used)

   Draft 07 - PH - Edits and revisions

      - Dropped use of the term API in favour of HTTP protocol or just
      protocol.

      - Clarified meaning of null and unassigned

   Draft 08 - PH - Revised IANA namespace to urn:ietf:params:scim per
   RFC3553

   Draft 09 - PH - Editorial revisions and clarifications

      Removed duplicate text from Schema Schema section

      Removed "operation" attribute from Multi-valued Attribute sub-
      attribute definitions.  This was used in the old PATCH command and
      is no longer valid.
      Revised some layout to make indentation and definition of
      attributes more clear (added vspace elements)

   Draft 10 - PH - Editorial revisions

      Simplified namespace definition for urn:ietf:params:scim

      Clarified "schemas" attribute as representing the JSON body schema
      in an HTTP Req/Resp

      Reduced use of confusing term "core" in "Core User" and "Core
      Group"

      Added clarifications and security considerations for externalId

      Re-worded descriptions of SCIM schema extension model (sec 3) and
      core schema (sec 4) for improved clarity

   Draft 11 - PH - Clarification to definition of externalId

   Draft 12 - PH - Nits / Corrections

      Corrected use of RFC2119 words (e.g., MUST not to MUST NOT)

      Corrected JSON examples to be 72 characters or less per line

      Corrected enterprise User manager attribute to use sub-attribute
      value and make multi-valued

      Corrected sec 8.7, make members multi-valued in JSON

      Added missing definition for subattributes in sec 7, Schema
      Definition

   Draft 13 - PH - Correcting nits to externalId example and clarified
   phoneNumber & emails canonicalization

   Draft 14 - PH - Nits / Corrections

      Corrected JSON structure for example Schema (removed outer {}
      around array of schemas).

      Added example Group resource type to example of resource types in
      JSON

   Draft 15 - PH - Corrected schema in sec 7 to use defined types from
   sec 2.1

   Draft 16 - PH - Corrected photo.value from "type":"binary" to
   "type":"reference" (should be a URL)

   Draft 17 - PH - Changes as follows:

      Updated reference for XML-Schema to the 5 April 2012 XML Schema
      1.1 draft

      Added clarifications on attribute characteristics and Schema usage

      Added schema in section 8.7 for Schema, ServiceProviderConfig, and
      ResourceType

      Fixed nit in service provider config.

      Clarified binary attribute may be base64 or base64url encoding
      per RFC4648.  x509certificates are now base64 encoded.

      Clarified x509certificates values are DER certificates that are
      then base64 encoded

      Corrected "reference" attribute to use the "referenceTypes" meta-
      attribute that says what type of reference an attribute is.

   Draft 18 - PH - Comments from GenART and IANA review

      General Edits and Nits after Gen-ART and IANA review

      Add references to SCIM API protocol document where appropriate

      Added clarifications and privacy considerations to security
      considerations

      Clarified IANA section to create new "SCIM" registry

      Removed out-of-date "readOnly" attribute from Group schema
      (replaced a long time ago by "mutability").

   Draft 19 - PH - Comments from IESG review

      Additional Gen-Art edits (type canonicalization, moved attribute
      types section, etc.)

      Added clarification on password use of clear text and hashing

      Clarified statements about sensitive and PII data

      Updated references to SCIM Protocol sections

      Made capitalization of 'client' and 'service provider' terms
      consistent (lower case)

      Corrected schema and examples to have singular value for manager
      attribute

   Draft 20 - PH - Additional clarification on multi-hop/3rd party, and
   small nit in section 1.1

Authors' Addresses

   Phil Hunt (editor)
   Oracle Corporation

   Email: phil.hunt@yahoo.com


   Kelly Grizzle
   SailPoint

   Email: kelly.grizzle@sailpoint.com


   Erik Wahlstroem
   Nexus Technology

   Email: erik.wahlstrom@nexusgroup.com


   Chuck Mortimore
   Salesforce.com

   Email: cmortimore@salesforce.com