idnits 2.17.1
draft-scim-core-schema-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
** There are 73 instances of too long lines in the document, the longest
one being 446 characters in excess of 72.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
mean).
Found 'SHOULD not' in this paragraph:
Attribute data types are derived from XML schema [1] and unless
otherwise specified are optional, modifiable by Consumers, and of type
String (Section 3.1.1). The JSON format defines a limited set of data
types, hence, where appropriate, alternate JSON representations are
defined below. SCIM extensions SHOULD not introduce new data types.
== Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
mean).
Found 'MUST not' in this paragraph:
schemas The schemas attribute is an array of Strings which allows
introspection of the supported schema version for a SCIM representation
as well any schema extensions supported by that representation. Each
String value must be a unique URI. This specification defines URIs for
User, Group, and a standard "enterprise" extension. All representations
of SCIM schema MUST include a non-zero value array with value(s) of the
URIs supported by that representation. Duplicate values MUST NOT be
included. Value order is not specified and MUST not impact behavior.
REQUIRED.
-- The document date (August 02, 2012) is 4285 days in the past. Is this
intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
No issues found here.
Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group C. Mortimore, Ed.
3 Internet-Draft Salesforce
4 Intended status: Informational P. Harding
5 Expires: January 10, 2013 P. Madsen
6 Ping
7 T. Drake
8 UnboundID
9 August 02, 2012
11 System for Cross-Domain Identity Management: Core Schema 1.1
12 draft-scim-core-schema-01
14 Abstract
16 The System for Cross-Domain Identity Management (SCIM) specification
17 is designed to make managing user identity in cloud based
18 applications and services easier. The specification suite builds
19 upon experience with existing schemas and deployments, placing
20 specific emphasis on simplicity of development and integration, while
21 applying existing authentication, authorization, and privacy models.
22 Its intent is to reduce the cost and complexity of user management
23 operations by providing a common user schema and extension model, as
24 well as binding documents to provide patterns for exchanging this
25 schema using standard protocols. In essence, make it fast, cheap,
26 and easy to move identity in to, out of, and around the cloud.
28 This document provides a platform neutral schema and extension model
29 for representing users and groups in JSON and XML formats. This
30 schema is intended for exchange and use with cloud service providers.
31 Additional binding documents provide a standard REST API, SAML
32 binding, and use cases.
34 Status of this Memo
36 This Internet-Draft is submitted in full conformance with the
37 provisions of BCP 78 and BCP 79.
39 Internet-Drafts are working documents of the Internet Engineering
40 Task Force (IETF). Note that other groups may also distribute
41 working documents as Internet-Drafts. The list of current Internet-
42 Drafts is at http://datatracker.ietf.org/drafts/current/.
44 Internet-Drafts are draft documents valid for a maximum of six months
45 and may be updated, replaced, or obsoleted by other documents at any
46 time. It is inappropriate to use Internet-Drafts as reference
47 material or to cite them other than as "work in progress."
48 This Internet-Draft will expire on January 10, 2013.
50 Copyright Notice
52 Copyright (c) 2012 IETF Trust and the persons identified as the
53 document authors. All rights reserved.
55 This document is subject to BCP 78 and the IETF Trust's Legal
56 Provisions Relating to IETF Documents
57 (http://trustee.ietf.org/license-info) in effect on the date of
58 publication of this document. Please review these documents
59 carefully, as they describe your rights and restrictions with respect
60 to this document. Code Components extracted from this document must
61 include Simplified BSD License text as described in Section 4.e of
62 the Trust Legal Provisions and are provided without warranty as
63 described in the Simplified BSD License.
65 Table of Contents
67 1. Requirements Notation and Conventions . . . . . . . . . . . . 4
68 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
69 2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
70 3. SCIM Schema Structure . . . . . . . . . . . . . . . . . . . . 5
71 3.1. Attribute Data Types . . . . . . . . . . . . . . . . . . . 6
72 3.1.1. String . . . . . . . . . . . . . . . . . . . . . . . . 6
73 3.1.2. Boolean . . . . . . . . . . . . . . . . . . . . . . . 6
74 3.1.3. Decimal . . . . . . . . . . . . . . . . . . . . . . . 6
75 3.1.4. Integer . . . . . . . . . . . . . . . . . . . . . . . 6
76 3.1.5. DateTime . . . . . . . . . . . . . . . . . . . . . . . 6
77 3.1.6. Binary . . . . . . . . . . . . . . . . . . . . . . . . 7
78 3.1.7. Complex . . . . . . . . . . . . . . . . . . . . . . . 7
79 3.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 7
80 4. Schema Extension Model . . . . . . . . . . . . . . . . . . . . 8
81 5. SCIM Core Schema . . . . . . . . . . . . . . . . . . . . . . . 8
82 5.1. Common Schema Attributes . . . . . . . . . . . . . . . . . 8
83 5.2. "schemas" Attribute . . . . . . . . . . . . . . . . . . . 10
84 6. SCIM User Schema . . . . . . . . . . . . . . . . . . . . . . . 10
85 6.1. Singular Attributes . . . . . . . . . . . . . . . . . . . 10
86 6.2. Multi-valued Attributes . . . . . . . . . . . . . . . . . 12
87 7. SCIM Enterprise User Schema Extension . . . . . . . . . . . . 14
88 8. SCIM Group Schema . . . . . . . . . . . . . . . . . . . . . . 15
89 9. Service Provider Configuration Schema . . . . . . . . . . . . 16
90 10. Resource Schema . . . . . . . . . . . . . . . . . . . . . . . 18
91 11. JSON Representation . . . . . . . . . . . . . . . . . . . . . 20
92 11.1. Minimal User Representation . . . . . . . . . . . . . . . 20
93 11.2. Full User Representation . . . . . . . . . . . . . . . . . 20
94 11.3. Enterprise User Extension Representation . . . . . . . . . 23
95 11.4. Group Representation . . . . . . . . . . . . . . . . . . . 26
96 11.5. Service Provider Configuration Representation . . . . . . 26
97 11.6. Resource Schema Representation . . . . . . . . . . . . . . 28
98 12. XML Representation . . . . . . . . . . . . . . . . . . . . . . 32
99 12.1. Minimal Representation . . . . . . . . . . . . . . . . . . 32
100 12.2. Full Representation . . . . . . . . . . . . . . . . . . . 33
101 12.3. Enterprise User Extension Representation . . . . . . . . . 36
102 12.4. Group Representation . . . . . . . . . . . . . . . . . . . 39
103 13. Security Considerations . . . . . . . . . . . . . . . . . . . 39
104 Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 39
105 14. Normative References . . . . . . . . . . . . . . . . . . . . . 40
106 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40
108 1. Requirements Notation and Conventions
110 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
111 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
112 document are to be interpreted as described in [RFC2119] .
114 Throughout this document, values are quoted to indicate that they are
115 to be taken literally. When using these values in protocol messages,
116 the quotes MUST NOT be used as part of the value.
118 2. Overview
120 While there are existing standards for describing and exchanging user
121 information, many of these standards can be difficult to implement
122 and/or use; e.g., their wire protocols do not easily traverse
123 firewalls and/or are not easily layered onto existing web protocols.
124 As a result, many cloud providers implement non-standard APIs for
125 managing users within their services. This increases both the cost
126 and complexity associated with organizations adopting products and
127 services from multiple cloud providers as they must perform redundant
128 integration development. Similarly, cloud service providers seeking
129 to interoperate with multiple application marketplaces or cloud
130 identity providers must be redundantly integrated.
132 SCIM seeks to simplify this problem through a simple to implement
133 specification suite that provides a common user schema and extension
134 model, as well as binding documents to provide patterns for
135 exchanging this schema via a REST API. It draws inspiration and best
136 practice from existing user APIs and schemas from a wide variety of
137 sources including, but not limited to, existing APIs exposed by
138 cloud providers, PortableContacts, and LDAP directory services.
141 This document provides a platform neutral schema and extension model
142 for representing users and groups in JSON and XML formats. This
143 schema is intended for exchange and use with cloud service providers.
144 Additional binding documents provide a standard REST API, SAML
145 binding, and use cases.
147 2.1. Definitions
149 Service Provider: A web application that provides identity
150 information via the SCIM protocol.
152 Consumer: A website or application that uses the SCIM protocol to
153 manage identity data maintained by the Service Provider.
155 Resource: The Service Provider managed artifact containing one or
156 more attributes; e.g., User or Group
158 Singular Attribute: A Resource attribute that contains 0..1 values;
159 e.g., displayName.
161 Multi-valued Attribute: A Resource attribute that contains 0..n
162 values; e.g., emails.
164 Simple Attribute: A Singular or Multi-valued Attribute whose value
165 is a primitive; e.g., String.
167 Complex Attribute: A Singular or Multi-valued Attribute whose value
168 is a composition of one or more Simple Attributes.
170 Sub-Attribute: A Simple Attribute contained within a Complex
171 Attribute.
173 3. SCIM Schema Structure
175 SCIM schema provides a minimal core schema for representing users and
176 groups (resources), encompassing common attributes found in many
177 existing deployments and schemas.
179 A resource is a collection of attributes identified by one or more
180 schemas. Minimally, an attribute consists of the attribute name and
181 at least one Simple or Complex value either of which may be Multi-
182 valued. SCIM schema defines the data type, plurality and other
183 distinguishing features of an attribute. Unless otherwise specified
184 all attributes are modifiable by Consumers. Immutable (read-only)
185 attributes SHALL be specified as 'READ-ONLY' within the attribute
186 definition. Additionally, Service Providers MAY choose to make some
187 or all Resource attributes immutable and SHOULD identify those
188 attributes via the associated Resource's schema endpoint
189 (Section 5.2).
191 Both XML and JSON formats are defined. Resource and attribute names
192 MUST conform to XML naming rules; i.e., SCIM names MUST be valid XML
193 names and SHOULD be camelCased. When marshalling or extending SCIM
194 resources in XML, implementors MUST use the normative SCIM XML
195 schema (.xsd). SCIM resources represented in a schema-less format,
196 e.g., JSON, MUST specify schema via the schemas attribute
197 (Section 5.2).
199 3.1. Attribute Data Types
201 Attribute data types are derived from XML schema [1] and unless
202 otherwise specified are optional, modifiable by Consumers, and of
203 type String (Section 3.1.1). The JSON format defines a limited set
204 of data types, hence, where appropriate, alternate JSON
205 representations are defined below. SCIM extensions SHOULD not
206 introduce new data types.
208 3.1.1. String
210 A sequence of characters as defined in section 3.2.1 of the XML
211 Schema Datatypes Specification. A String attribute MAY specify a
212 required data format. Additionally, when Canonical Values are
213 specified Service Providers SHOULD conform to those values if
214 appropriate, but MAY provide alternate String values to represent
215 additional values.
217 3.1.2. Boolean
219 The literal "true" or "false" as specified in section 3.2.2 of the
220 XML Schema Datatypes Specification.
222 3.1.3. Decimal
224 A real number with at least one digit to the left and right of the
225 period as specified in section 3.2.3 of the XML Schema Datatypes
226 Specification.
228 Values represented in JSON MUST conform to the XML constraints above
229 and are represented as a JSON Number [2].
231 3.1.4. Integer
233 A Decimal number with no fractional digits as defined in section
234 3.3.13 of the XML Schema Datatypes Specification.
236 Values represented in JSON MUST conform to the XML constraints above
237 and are represented as a JSON Number [2].
239 3.1.5. DateTime
241 A dateTime (e.g. 2008-01-23T04:56:22Z) as specified in section 3.2.7
242 of the XML Schema Datatypes Specification.
244 Values represented in JSON MUST conform to the XML constraints above
245 and are represented as a JSON String [2].
247 3.1.6. Binary
249 The attribute value MUST be encoded as a valid xsd:base64Binary value
250 as specified in section 3.2.16 of the XML Schema Datatypes
251 Specification.
253 Values represented in JSON MUST conform to the XML constraints above
254 and are represented as a JSON String [2].
256 3.1.7. Complex
258 A Singular or Multi-valued Attribute whose value is a composition of
259 one or more Simple Attributes, as specified in section 3.4 of the XML
260 Schema Datatypes Specification.
262 JSON values are represented as JSON Objects [2].
264 3.2. Multi-valued Attributes
266 Multi-valued attributes are unordered lists of attributes. Each
267 attribute MAY contain Sub-Attributes and therefore multi-valued
268 attributes may contain Complex Attributes. The below Sub-Attributes
269 are considered normative and when specified SHOULD be used as
270 defined.
272 type A label indicating the attribute's function; e.g., "work" or
273 "home".
275 primary A Boolean value indicating the 'primary' or preferred
276 attribute value for this attribute, e.g. the preferred mailing
277 address or primary e-mail address. The primary attribute value
278 'true' MUST appear no more than once.
280 display A human readable name, primarily used for display purposes.
281 READ-ONLY.
283 operation The operation to perform on the multi-valued attribute
284 during a PATCH request. The only valid value is "delete", which
285 signifies that this instance should be removed from the Resource.
287 value The attribute's significant value; e.g., the e-mail address,
288 phone number, etc. Attributes that define a "value" sub-attribute
289 MAY be alternately represented as a collection of primitive types.
290 For example:
292 {
293 "emails": [
294 {"value":"bjensen@example.com"},
295 {"value":"babs@example.com"}
296 ]
297 }
299 May also be represented as:
301 {
302 "emails": ["bjensen@example.com","babs@example.com"]
303 }
305 When returning multi-valued attributes, Service Providers SHOULD
306 canonicalize the value returned, if appropriate (e.g. for e-mail
307 addresses and URLs). Providers MAY return the same value more than
308 once with different types (e.g. the same e-mail address may be used
309 for work and home), but SHOULD NOT return the same (type, value)
310 combination more than once per Attribute, as this complicates
311 processing by the Consumer.
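The rules above (both representations of a multi-valued attribute, a single "primary", "delete" as the only "operation" value, canonicalization, and no repeated (type, value) pair) are easy to get subtly wrong; the following is an added example written for this page, not code from the draft, and its choice to canonicalize only e-mail addresses is an assumption.

```python
"""Normalize a SCIM 1.1 multi-valued attribute (Section 3.2).

Constructed example for this page, not code from the draft or from any SCIM
implementation. It accepts both representations the draft allows (objects
carrying a "value" sub-attribute, or bare primitives) and enforces the
normative sub-attribute rules a Service Provider would apply before storing
or returning the attribute.
"""
from __future__ import annotations

from typing import Any


class MultiValuedError(ValueError):
    """Raised when a multi-valued attribute violates a MUST in Section 3.2."""


def canonicalize(name: str, value: Any) -> Any:
    """Canonical form of a value (Sections 3.2 and 6.2). Assumption of this
    example: only e-mail addresses are canonicalized (trimmed, lower-cased);
    every other attribute's value is returned unchanged."""
    if name == "emails" and isinstance(value, str):
        return value.strip().lower()
    return value


def normalize_multi_valued(name: str, raw: Any) -> list[dict[str, Any]]:
    """Return the attribute as a list of objects with a "value" sub-attribute.

    Rules applied, in the order the draft states them:
    - a bare primitive is the alternate representation and is wrapped as
      {"value": ...};
    - "primary": true MUST appear no more than once;
    - "operation" has exactly one valid value, "delete";
    - the same (type, value) pair SHOULD NOT be returned twice, so later
      duplicates are dropped (a "primary" flag on the duplicate is carried
      over to the kept entry);
    - sub-attributes the draft does not define are passed through untouched.
    """
    if not isinstance(raw, list):
        raise MultiValuedError(f"{name}: multi-valued attribute MUST be an array")
    out: list[dict[str, Any]] = []
    seen: dict[tuple[Any, Any], dict[str, Any]] = {}
    primaries = 0
    for item in raw:
        entry = dict(item) if isinstance(item, dict) else {"value": item}
        if "operation" in entry and entry["operation"] != "delete":
            raise MultiValuedError(
                f'{name}: operation MUST be "delete", got {entry["operation"]!r}')
        if "primary" in entry:
            if not isinstance(entry["primary"], bool):
                raise MultiValuedError(f"{name}: primary MUST be a Boolean")
            primaries += entry["primary"]
            if primaries > 1:
                raise MultiValuedError(f"{name}: more than one primary value")
        if "value" in entry:
            entry["value"] = canonicalize(name, entry["value"])
        key = (entry.get("type"), entry.get("value"))
        if key in seen:
            if entry.get("primary"):
                seen[key]["primary"] = True
            continue
        seen[key] = entry
        out.append(entry)
    return out
```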
313 4. Schema Extension Model
315 SCIM schema follows an object extension model similar to
316 ObjectClasses used in LDAP. Unlike LDAP there is no inheritance
317 model; all extensions are additive (similar to LDAP Auxiliary Object
318 Classes [3]). Each value indicates additive schema that may exist in
319 a SCIM representation as specified by extensions not defined in this
320 suite. Schema extensions MUST NOT redefine any attributes defined in
321 this specification and SHOULD follow conventions defined in this
322 specification. Each schema extension must define a URI that
323 identifies the extension. XML MUST use XML namespaces and JSON formats
324 MUST use the "schemas" attribute (Section 5.2) to distinguish
325 extended resources and attributes.
327 5. SCIM Core Schema
329 5.1. Common Schema Attributes
331 Each SCIM Resource (Users, Groups, etc.) includes the below common
332 attributes. These attributes MUST be included in all Resources,
333 including any extended Resource types. It is not necessary to
334 specify the schemas attribute if the Resource is fully defined in
335 this document as the core schema is implicitly included.
337 id Unique identifier for the SCIM Resource as defined by the Service
338 Provider. Each representation of the Resource MUST include a non-
339 empty id value. This identifier MUST be unique across the Service
340 Provider's entire set of Resources. It MUST be a stable, non-
341 reassignable identifier that does not change when the same
342 Resource is returned in subsequent requests. The value of the id
343 attribute is always issued by the Service Provider and MUST never
344 be specified by the Service Consumer. bulkId is a reserved
345 keyword and MUST NOT be used in the unique identifier. REQUIRED
346 and READ-ONLY.
348 externalId An identifier for the Resource as defined by the Service
349 Consumer. The externalId may simplify identification of the
350 Resource between Service Consumer and Service provider by allowing
351 the Consumer to refer to the Resource with its own identifier,
352 obviating the need to store a local mapping between the local
353 identifier of the Resource and the identifier used by the Service
354 Provider. Each Resource MAY include a non-empty externalId value.
355 The value of the externalId attribute is always issued by the
356 Service Consumer and can never be specified by the Service
357 Provider. The Service Provider MUST always interpret the
358 externalId as scoped to the Service Consumer's tenant.
360 meta A complex attribute containing resource metadata. All sub-
361 attributes are OPTIONAL.
363 created The DateTime the Resource was added to the Service
364 Provider. The attribute MUST be a DateTime. READ-ONLY.
366 lastModified The most recent DateTime the details of this
367 Resource were updated at the Service Provider. If this
368 Resource has never been modified since its initial creation,
369 the value MUST be the same as the value of created. The
370 attribute MUST be a DateTime. READ-ONLY.
372 location The URI of the Resource being returned. This value MUST
373 be the same as the Location HTTP response header. READ-ONLY.
375 version The version of the Resource being returned. This value
376 must be the same as the ETag HTTP response header. READ-ONLY.
378 attributes The names of the attributes to remove from the
379 Resource during a PATCH operation.
381 5.2. "schemas" Attribute
383 SCIM supports resources of different types, with extensible schemas.
384 The schema of each resource MUST be indicated using fully qualified URLs.
386 Where a specific representation has existing support for expressing
387 schema, the traditional convention of that representation MUST be
388 applied. For example, when representing users using XML, XML
389 Namespace should be used.
391 When a representation does not explicitly provide support for
392 indicating a schema, such as JSON, a schemas attribute is used to
393 indicate the version of SCIM schema as well as any schema extensions.
395 schemas The schemas attribute is an array of Strings which allows
396 introspection of the supported schema version for a SCIM
397 representation as well as any schema extensions supported by that
398 representation. Each String value must be a unique URI. This
399 specification defines URIs for User, Group, and a standard
400 "enterprise" extension. All representations of SCIM schema MUST
401 include a non-zero value array with value(s) of the URIs supported
402 by that representation. Duplicate values MUST NOT be included.
403 Value order is not specified and MUST not impact behavior.
404 REQUIRED.
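The inbound side of Sections 5.1 and 5.2 (a non-empty, duplicate-free, order-insensitive "schemas" array; an id that only the Service Provider issues and that never contains the reserved word "bulkId"; an externalId scoped to the Consumer's tenant; read-only meta sub-attributes) is shown below as an added example written for this page, not code from the draft. The tenant argument and the rejection of unknown extension URIs are assumptions of the example.

```python
"""Inbound checks for the common attributes (Section 5.1) and the "schemas"
attribute (Section 5.2) of a JSON Resource sent by a Consumer.

Constructed example for this page, not code from the draft or from any SCIM
implementation. The tenant identifier passed in is an assumption: the draft
requires externalId to be scoped to the Consumer's tenant but does not say
how the Service Provider learns which tenant is calling.
"""
from __future__ import annotations

from typing import Any, Optional

CORE_SCHEMA = "urn:scim:schemas:core:1.0"
ENTERPRISE_SCHEMA = "urn:scim:schemas:extension:enterprise:1.0"
KNOWN_SCHEMAS = {CORE_SCHEMA, ENTERPRISE_SCHEMA}

# meta sub-attributes the draft marks READ-ONLY; "attributes" stays writable
# because a PATCH request uses it to name attributes to remove.
READ_ONLY_META = {"created", "lastModified", "location", "version"}


def validate_schemas(schemas: Any, accept_unknown: bool = False) -> frozenset:
    """Check a "schemas" array and return it as an order-insensitive set.

    Order MUST not affect behaviour, so callers compare the returned sets.
    Rejecting unknown extension URIs is a local policy of this example; the
    draft itself only requires non-empty, unique URI values."""
    if not isinstance(schemas, list) or not schemas:
        raise ValueError('"schemas" MUST be a non-empty array')
    if not all(isinstance(s, str) and ":" in s for s in schemas):
        raise ValueError('"schemas" values MUST be URIs')
    if len(set(schemas)) != len(schemas):
        raise ValueError('"schemas" MUST NOT contain duplicate values')
    unknown = set(schemas) - KNOWN_SCHEMAS
    if unknown and not accept_unknown:
        raise ValueError(f"unsupported schema URIs: {sorted(unknown)}")
    return frozenset(schemas)


def issue_id(candidate: str) -> str:
    """Accept a Service-Provider-generated id, refusing the reserved word
    "bulkId", which MUST NOT be used in the unique identifier."""
    if not candidate or "bulkId" in candidate:
        raise ValueError(f"unusable Resource id {candidate!r}")
    return candidate


def validate_inbound_resource(
    body: dict[str, Any], tenant: str
) -> tuple[dict[str, Any], Optional[tuple[str, str]]]:
    """Apply the Section 5.1 rules to a Consumer-supplied Resource.

    Returns a cleaned copy plus the (tenant, externalId) key under which the
    Service Provider must look the Resource up, or None if no externalId was
    given. Read-only meta sub-attributes are silently dropped; a Consumer-
    supplied id is an error because id is always issued by the Provider."""
    cleaned = dict(body)
    validate_schemas(cleaned.get("schemas"))
    if "id" in cleaned:
        raise ValueError('"id" MUST NOT be specified by the Service Consumer')
    ext = cleaned.get("externalId")
    if ext is not None and (not isinstance(ext, str) or not ext):
        raise ValueError('"externalId", when present, MUST be a non-empty String')
    meta = cleaned.get("meta")
    if meta is not None:
        if not isinstance(meta, dict):
            raise ValueError('"meta" MUST be a complex attribute')
        kept = {k: v for k, v in meta.items() if k not in READ_ONLY_META}
        if kept:
            cleaned["meta"] = kept
        else:
            del cleaned["meta"]
    return cleaned, ((tenant, ext) if ext else None)
```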
406 6. SCIM User Schema
408 SCIM provides a schema for representing Users, identified using the
409 following URI: 'urn:scim:schemas:core:1.0'. The following attributes
410 are defined in addition to those attributes defined in SCIM Core
411 Schema:
413 6.1. Singular Attributes
415 userName Unique identifier for the User, typically used by the user
416 to directly authenticate to the service provider. Often displayed
417 to the user as their unique identifier within the system (as
418 opposed to id or externalId, which are generally opaque and not
419 user-friendly identifiers). Each User MUST include a non-empty
420 userName value. This identifier MUST be unique across the Service
421 Consumer's entire set of Users. REQUIRED.
423 name The components of the User's real name. Providers MAY return
424 just the full name as a single string in the formatted sub-
425 attribute, or they MAY return just the individual component
426 attributes using the other sub-attributes, or they MAY return
427 both. If both variants are returned, they SHOULD be describing
428 the same name, with the formatted name indicating how the
429 component attributes should be combined.
431 formatted The full name, including all middle names, titles, and
432 suffixes as appropriate, formatted for display (e.g. Ms.
433 Barbara Jane Jensen, III.).
435 familyName The family name of the User, or "Last Name" in most
436 Western languages (e.g. Jensen given the full name Ms. Barbara
437 Jane Jensen, III.).
439 givenName The given name of the User, or "First Name" in most
440 Western languages (e.g. Barbara given the full name Ms.
441 Barbara Jane Jensen, III.).
443 middleName The middle name(s) of the User (e.g. Jane given the
444 full name Ms. Barbara Jane Jensen, III.).
446 honorificPrefix The honorific prefix(es) of the User, or "Title"
447 in most Western languages (e.g. Ms. given the full name Ms.
448 Barbara Jane Jensen, III.).
450 honorificSuffix The honorific suffix(es) of the User, or "Suffix"
451 in most Western languages (e.g. III. given the full name Ms.
452 Barbara Jane Jensen, III.).
454 displayName The name of the User, suitable for display to end-users.
455 Each User returned MAY include a non-empty displayName value. The
456 name SHOULD be the full name of the User being described if known
457 (e.g. Babs Jensen or Ms. Barbara J Jensen, III), but MAY be a
458 username or handle, if that is all that is available (e.g.
459 bjensen). The value provided SHOULD be the primary textual label
460 by which this User is normally displayed by the Service Provider
461 when presenting it to end-users.
463 nickName The casual way to address the user in real life, e.g.
464 "Bob" or "Bobby" instead of "Robert". This attribute SHOULD NOT
465 be used to represent a User's username (e.g. bjensen or
466 mpepperidge).
468 profileUrl A fully qualified URL to a page representing the User's
469 online profile.
471 title The user's title, such as "Vice President."
472 userType Used to identify the organization to user relationship.
473 Typical values used might be "Contractor", "Employee", "Intern",
474 "Temp", "External", and "Unknown" but any value may be used.
476 preferredLanguage Indicates the User's preferred written or spoken
477 language. Generally used for selecting a localized User
478 interface. Valid values are a concatenation of the ISO 639-1 two
479 letter language code [4], an underscore, and the ISO 3166-1 two
480 letter country code [5]; e.g., 'en_US' specifies the language
481 English and country US.
483 locale Used to indicate the User's default location for purposes of
484 localizing items such as currency, date time format, numerical
485 representations, etc. A locale value is a concatenation of the
486 ISO 639-1 two letter language code [4], an underscore, and the ISO
487 3166-1 two letter country code [5]; e.g., 'en_US' specifies the
488 language English and country US.
490 timezone The User's time zone in the "Olson" timezone database
491 format [6]; e.g.,'America/Los_Angeles'.
493 active A Boolean value indicating the User's administrative status.
494 The definitive meaning of this attribute is determined by the
495 Service Provider, though a value of true implies the User is, for
496 example, able to log in while a value of false implies the User's
497 account has been suspended.
499 password The User's clear text password. This attribute is intended
500 to be used as a means to specify an initial password when creating
501 a new User or to reset an existing User's password. No accepted
502 standards exist to convey password policies, hence Consumers
503 should expect Service Providers to reject password values. This
504 value MUST never be returned by a Service Provider in any form.
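Two of the rules above are the ones most often broken by a Service Provider's serialization layer: password MUST never be returned in any form (this section), and meta.location and meta.version MUST equal the Location and ETag headers (Section 5.1). The following is an added example written for this page, not code from the draft; the base URL and the ETag scheme are assumptions.

```python
"""Build the response for a stored User Resource (Sections 5.1 and 6.1).

Constructed example for this page, not code from the draft or from any SCIM
implementation. It enforces two rules that are easy to break in practice:
"password" MUST never be returned in any form, and meta.location and
meta.version MUST equal the Location and ETag response headers. The base URL
and the ETag scheme (a SHA-256 over the canonical JSON) are assumptions; the
draft only requires the header and attribute values to match.
"""
from __future__ import annotations

import hashlib
import json
from typing import Any

CORE_SCHEMA = "urn:scim:schemas:core:1.0"


def strip_password(resource: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with every "password" key removed, descending into
    complex attributes, multi-valued attributes and extensions so that no
    nested copy of the value can leak into a representation."""
    out: dict[str, Any] = {}
    for key, val in resource.items():
        if key == "password":
            continue
        if isinstance(val, dict):
            val = strip_password(val)
        elif isinstance(val, list):
            val = [strip_password(v) if isinstance(v, dict) else v for v in val]
        out[key] = val
    return out


def has_key(obj: Any, name: str) -> bool:
    """True if `name` occurs as a key anywhere inside a JSON value."""
    if isinstance(obj, dict):
        return name in obj or any(has_key(v, name) for v in obj.values())
    if isinstance(obj, list):
        return any(has_key(v, name) for v in obj)
    return False


def compute_version(resource: dict[str, Any]) -> str:
    """Weak ETag over the canonical JSON of the Resource, ignoring the
    meta.version sub-attribute itself so the value is stable."""
    body = dict(resource)
    meta = dict(body.get("meta") or {})
    meta.pop("version", None)
    body["meta"] = meta
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return 'W/"' + hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16] + '"'


def build_user_response(
    stored: dict[str, Any], base_url: str
) -> tuple[dict[str, str], dict[str, Any]]:
    """Return (headers, body) for a User read from the Provider's store."""
    if not stored.get("id"):
        raise ValueError("every returned Resource MUST include a non-empty id")
    body = strip_password(stored)
    body.setdefault("schemas", [CORE_SCHEMA])
    meta = dict(body.get("meta") or {})
    meta["location"] = f"{base_url.rstrip('/')}/Users/{body['id']}"
    body["meta"] = meta
    meta["version"] = compute_version(body)
    headers = {
        "Content-Type": "application/json",
        "Location": meta["location"],
        "ETag": meta["version"],
    }
    if has_key(body, "password"):  # defence in depth behind strip_password
        raise RuntimeError("password would be returned")
    return headers, body
```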
506 6.2. Multi-valued Attributes
508 The following multi-valued attributes are defined.
510 emails E-mail addresses for the User. The value SHOULD be
511 canonicalized by the Service Provider, e.g. bjensen@example.com
512 instead of bjensen@EXAMPLE.COM. Canonical Type values of work,
513 home, and other.
515 phoneNumbers Phone numbers for the User. The value SHOULD be
516 canonicalized by the Service Provider according to format in
517 RFC3966 [7] e.g. 'tel:+1-201-555-0123'. Canonical Type values of
518 work, home, mobile, fax, pager and other.
520 ims Instant messaging address for the User. No official
521 canonicalization rules exist for all instant messaging addresses,
522 but Service Providers SHOULD, when appropriate, remove all
523 whitespace and convert the address to lowercase. Instead of the
524 standard Canonical Values for type, this attribute defines the
525 following Canonical Values to represent currently popular IM
526 services: aim, gtalk, icq, xmpp, msn, skype, qq, and yahoo.
528 photos URL of a photo of the User. The value SHOULD be a
529 canonicalized URL, and MUST point to an image file (e.g. a GIF,
530 JPEG, or PNG image file) rather than to a web page containing an
531 image. Service Providers MAY return the same image at different
532 sizes, though it is recognized that no standard for describing
533 images of various sizes currently exists. Note that this
534 attribute SHOULD NOT be used to send down arbitrary photos taken
535 by this User, but specifically profile photos of the User suitable
536 for display when describing the User. Instead of the standard
537 Canonical Values for type, this attribute defines the following
538 Canonical Values to represent popular photo sizes: photo,
539 thumbnail.
541 addresses A physical mailing address for this User. Canonical Type
542 Values of work, home, and other. The value attribute is a complex
543 type with the following sub-attributes. All Sub-Attributes are
544 OPTIONAL.
546 formatted The full mailing address, formatted for display or use
547 with a mailing label. This attribute MAY contain newlines.
549 streetAddress The full street address component, which may
550 include house number, street name, P.O. box, and multi-line
551 extended street address information. This attribute MAY
552 contain newlines.
554 locality The city or locality component.
556 region The state or region component.
558 postalCode The zipcode or postal code component.
560 country The country name component. When specified the value
561 MUST be in ISO 3166-1 alpha 2 "short" code format [5]; e.g.,
562 the United States and Sweden are "US" and "SE", respectively.
564 groups A list of groups that the user belongs to, either through
565 direct membership, nested groups, or dynamically calculated. The
566 values are meant to enable expression of common group or role
567 based access control models, although no explicit authorization
568 model is defined. It is intended that the semantics of group
569 membership and any behavior or authorization granted as a result
570 of membership are defined by the Service Provider. The Canonical
571 types "direct" and "indirect" are defined to describe how the
572 group membership was derived. Direct group membership indicates
573 the User is directly associated with the group and SHOULD indicate
574 that Consumers may modify membership through the Group Resource.
575 Indirect membership indicates User membership is transitive or
576 dynamic and implies that Consumers cannot modify indirect group
577 membership through the Group resource but MAY modify direct group
578 membership through the Group resource which MAY influence indirect
579 memberships. If the SCIM Service Provider exposes a Group
580 resource, the value MUST be the "id" attribute of the
581 corresponding Group resources to which the user belongs. Since
582 this attribute is read-only, group membership changes MUST be
583 applied via the Group Resource (Section 8). READ-ONLY.
585 entitlements A list of entitlements for the User that represent a
586 thing the User has. That is, an entitlement is an additional
587 right to a thing, object or service. No vocabulary or syntax is
588 specified and Service Providers/Consumers are expected to encode
589 sufficient information in the value so as to accurately and
590 without ambiguity determine what the User has access to. This
591 value has NO canonical types though type may be useful as a means
592 to scope entitlements.
594 roles A list of roles for the User that collectively represent who
595 the User is; e.g., 'Student', 'Faculty'. No vocabulary or syntax
596 is specified though it is expected that a role value is a String
597 or label representing a collection of entitlements. This value
598 has NO canonical types.
600 x509Certificates A list of certificates issued to the User. Values
601 are Binary (Section 3.1.6) and DER-encoded X.509. This value has
602 NO canonical types.
604 7. SCIM Enterprise User Schema Extension
606 The following SCIM extension defines attributes commonly used in
607 representing users that belong to, or act on behalf of a business or
608 enterprise. The enterprise user extension is identified using the
609 following URI: 'urn:scim:schemas:extension:enterprise:1.0'.
611 The following Singular Attributes are defined:
613 employeeNumber Numeric or alphanumeric identifier assigned to a
614 person, typically based on order of hire or association with an
615 organization.
617 costCenter Identifies the name of a cost center.
619 organization Identifies the name of an organization.
621 division Identifies the name of a division.
623 department Identifies the name of a department.
625 manager The User's manager. A complex type that optionally allows
626 Service Providers to represent organizational hierarchy by
627 referencing the "id" attribute of another User.
629 managerId The id of the SCIM resource representing the User's
630 manager. REQUIRED.
632 displayName The displayName of the User's manager. OPTIONAL and
633 READ-ONLY.
635 8. SCIM Group Schema
637 SCIM provides a schema for representing groups, identified using the
638 following URI: 'urn:scim:schemas:core:1.0'.
Group resources are meant to enable expression of common Group or
role based access control models, although no explicit authorization
model is defined. The semantics of group membership, and any behavior
or authorization granted as a result of membership, are defined by the
Service Provider and are considered out of scope for this
specification.
647 The following Singular Attribute is defined in addition to the common
648 attributes defined in SCIM Core Schema:
650 displayName A human readable name for the Group. REQUIRED.
652 The following multi-valued attribute is defined in addition to the
653 common attributes defined in SCIM Core Schema:
members A list of members of the Group. Canonical Types "User" and
"Group" are READ-ONLY. The value must be the "id" of a SCIM
resource, either a User or a Group. The intention of the Group
type is to allow the Service Provider to support nested Groups.
Service Providers MAY require Consumers to provide a non-empty
members value based on the "required" sub attribute of the
"members" attribute in Group Resource Schema.
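An added example, not from the draft, of the membership rules above in Python: the read-only groups attribute of a User (Section 6) is derived from the Group resources, nested Groups are expanded through members of type "Group", and a membership change is applied through the Group resource while refusing a nesting cycle. The Group data is constructed in the shape of Section 11.4 from ids and names that appear in Section 11; the nesting of US Employees inside Employees, the function names and the cycle policy are assumptions of the example.

```python
# Constructed sample Group resources keyed by "id".  Ids and display names
# come from the examples in Section 11; the nesting of US Employees inside
# Employees is invented for this example.  The "type" sub-attribute carries
# the canonical types "User" and "Group" of Section 8.
BABS = "2819c223-7f76-453a-919d-413861904646"
MANDY = "902c246b-6245-4190-8e05-00816be7344a"
TOUR_GUIDES = "e9e30dba-f08f-4109-8486-d5c6a331660a"
EMPLOYEES = "fc348aa8-3835-40eb-a20b-c726e15c55b5"
US_EMPLOYEES = "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7"

GROUPS = {
    TOUR_GUIDES: {"displayName": "Tour Guides", "members": [
        {"value": BABS, "display": "Babs Jensen", "type": "User"},
        {"value": MANDY, "display": "Mandy Pepperidge", "type": "User"}]},
    EMPLOYEES: {"displayName": "Employees", "members": [
        {"value": BABS, "display": "Babs Jensen", "type": "User"},
        {"value": US_EMPLOYEES, "display": "US Employees", "type": "Group"}]},
    US_EMPLOYEES: {"displayName": "US Employees", "members": [
        {"value": MANDY, "display": "Mandy Pepperidge", "type": "User"}]},
}


def reachable_groups(group_id, groups):
    """group_id plus every Group reachable through nested "Group" members.
    The visited set makes a membership cycle terminate instead of looping;
    a member that points at an unknown Group id is an integrity error."""
    seen, stack = set(), [group_id]
    while stack:
        gid = stack.pop()
        if gid in seen:
            continue
        if gid not in groups:
            raise KeyError(f"member references unknown Group {gid}")
        seen.add(gid)
        for member in groups[gid]["members"]:
            if member.get("type", "User") == "Group":
                stack.append(member["value"])
    return seen


def effective_users(group_id, groups):
    """User ids that belong to group_id directly or through nesting."""
    return {member["value"]
            for gid in reachable_groups(group_id, groups)
            for member in groups[gid]["members"]
            if member.get("type", "User") != "Group"}


def groups_attribute(user_id, groups):
    """Derive the READ-ONLY "groups" attribute of a User (Section 6): one
    {"value": id, "display": displayName} entry per Group whose effective
    membership includes the user, sorted by display name."""
    entries = [{"value": gid, "display": group["displayName"]}
               for gid, group in groups.items()
               if user_id in effective_users(gid, groups)]
    return sorted(entries, key=lambda entry: entry["display"])


def would_create_cycle(groups, parent_id, new_member_group_id):
    """True if making new_member_group_id a "Group" member of parent_id
    would make parent_id a transitive member of itself."""
    return parent_id in reachable_groups(new_member_group_id, groups)


def add_group_member(groups, parent_id, member_id, member_type="User"):
    """Membership changes go through the Group resource, never through the
    User's read-only groups attribute; nested-group cycles are refused."""
    if member_type == "Group" and would_create_cycle(groups, parent_id, member_id):
        raise ValueError(f"adding {member_id} to {parent_id} would create a cycle")
    groups[parent_id]["members"].append({"value": member_id, "type": member_type})
```

Re-deriving the groups attribute on every read, as groups_attribute does, keeps the User representation consistent with the Group resources without a second copy of the membership that could drift.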
663 9. Service Provider Configuration Schema
665 SCIM provides a schema for representing the Service Provider's
666 configuration identified using the following URI:
667 'urn:scim:schemas:core:1.0'
669 The Service Provider Configuration Resource enables a Service
670 Provider to expose its compliance with the SCIM specification in a
671 standardized form as well as provide additional implementation
672 details to Consumers. All attributes are READ-ONLY.
674 The following Singular Attributes are defined in addition to the
675 common attributes defined in Core Schema:
677 documentationUrl An HTTP addressable URL pointing to the Service
678 Provider's human consumable help documentation.
680 patch A complex type that specifies PATCH configuration options.
681 REQUIRED.
683 supported Boolean value specifying whether the operation is
684 supported. REQUIRED.
bulk A complex type that specifies BULK configuration options.
REQUIRED.
689 supported Boolean value specifying whether the operation is
690 supported. REQUIRED.
692 maxOperations An integer value specifying the maximum number of
693 operations. REQUIRED.
695 maxPayloadSize An integer value specifying the maximum payload
696 size in bytes. REQUIRED.
698 filter A complex type that specifies FILTER options. REQUIRED.
700 supported Boolean value specifying whether the operation is
701 supported. REQUIRED.
703 maxResults Integer value specifying the maximum number of
704 Resources returned in a response. REQUIRED.
706 changePassword A complex type that specifies Change Password
707 configuration options. REQUIRED.
709 supported Boolean value specifying whether the operation is
710 supported. REQUIRED.
712 sort A complex type that specifies Sort configuration options.
713 REQUIRED.
715 supported Boolean value specifying whether sorting is supported.
716 REQUIRED.
718 etag A complex type that specifies Etag configuration options.
719 REQUIRED.
721 supported Boolean value specifying whether the operation is
722 supported. REQUIRED.
724 xmlDataFormat A complex type that specifies whether the XML data
725 format is supported. REQUIRED.
727 supported Boolean value specifying whether the operation is
728 supported. REQUIRED.
730 The following multi-valued attribute is defined in addition to the
731 common attributes defined in Core Schema:
733 authenticationSchemes A complex type that specifies supported
734 Authentication Scheme properties. Instead of the standard
735 Canonical Values for type, this attribute defines the following
736 Canonical Values to represent common schemes: oauth, oauth2,
737 oauthbearertoken, httpbasic, and httpdigest. To enable seamless
738 discovery of configuration, the Service Provider SHOULD, with the
739 appropriate security considerations, make the
740 authenticationSchemes attribute publicly accessible without prior
741 authentication. REQUIRED.
743 name The common authentication scheme name; e.g., HTTP Basic.
744 REQUIRED.
746 description A description of the Authentication Scheme.
747 REQUIRED.
749 specUrl A HTTP addressable URL pointing to the Authentication
750 Scheme's specification. OPTIONAL.
752 documentationUrl A HTTP addressable URL pointing to the
753 Authentication Scheme's usage documentation. OPTIONAL.
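The following Python is an added example, not part of the draft, of a Consumer acting on the configuration above: it checks that the REQUIRED attributes and sub-attributes are present, picks an authentication scheme from the canonical values (refusing httpbasic over plain http, since that scheme sends the password with every request), splits a list of operations into batches that stay within bulk.maxOperations and bulk.maxPayloadSize, and clamps a page size to filter.maxResults. The configuration is a copy of the example in Section 11.5; the scheme preference order, the shape of the "operation" dictionaries and the function names are the example's own.

```python
import json

# Constructed copy of the Service Provider Configuration in Section 11.5.
SP_CONFIG = {
    "schemas": ["urn:scim:schemas:core:1.0"],
    "documentationUrl": "http://example.com/help/scim.html",
    "patch": {"supported": True},
    "bulk": {"supported": True, "maxOperations": 1000, "maxPayloadSize": 1048576},
    "filter": {"supported": True, "maxResults": 200},
    "changePassword": {"supported": True},
    "sort": {"supported": True},
    "etag": {"supported": True},
    "xmlDataFormat": {"supported": True},
    "authenticationSchemes": [
        {"name": "OAuth Bearer Token",
         "description": "Authentication Scheme using the OAuth Bearer Token Standard",
         "specUrl": "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
         "documentationUrl": "http://example.com/help/oauth.html",
         "type": "oauthbearertoken", "primary": True},
        {"name": "HTTP Basic",
         "description": "Authentication Scheme using the HTTP Basic Standard",
         "specUrl": "http://www.ietf.org/rfc/rfc2617.txt",
         "documentationUrl": "http://example.com/help/httpBasic.html",
         "type": "httpbasic"},
    ],
}

# REQUIRED complex attributes and their REQUIRED sub-attributes (Section 9).
REQUIRED = {
    "patch": ("supported",),
    "bulk": ("supported", "maxOperations", "maxPayloadSize"),
    "filter": ("supported", "maxResults"),
    "changePassword": ("supported",),
    "sort": ("supported",),
    "etag": ("supported",),
    "xmlDataFormat": ("supported",),
}
CANONICAL_SCHEMES = {"oauth", "oauth2", "oauthbearertoken", "httpbasic", "httpdigest"}
# Strongest first.  The order is this example's choice, not the draft's.
PREFERENCE = ("oauthbearertoken", "oauth2", "oauth", "httpdigest", "httpbasic")


def check_config(config):
    """Problems a Consumer should refuse to work around: missing REQUIRED
    attributes or sub-attributes, and schemes outside the canonical set."""
    problems = []
    for attr, subs in REQUIRED.items():
        block = config.get(attr)
        if not isinstance(block, dict):
            problems.append(f"{attr}: missing")
            continue
        problems += [f"{attr}.{sub}: missing" for sub in subs if sub not in block]
    schemes = config.get("authenticationSchemes") or []
    if not schemes:
        problems.append("authenticationSchemes: missing or empty")
    for scheme in schemes:
        problems += [f"authenticationSchemes.{sub}: missing"
                     for sub in ("name", "description") if sub not in scheme]
        if scheme.get("type") not in CANONICAL_SCHEMES:
            problems.append(f"authenticationSchemes.type: unknown scheme {scheme.get('type')!r}")
    return problems


def choose_scheme(config, base_url):
    """Strongest advertised scheme.  httpbasic carries the password on every
    request, so it is only acceptable when the Base URL is https."""
    advertised = {s.get("type") for s in config.get("authenticationSchemes", [])}
    for scheme in PREFERENCE:
        if scheme not in advertised:
            continue
        if scheme == "httpbasic" and not base_url.lower().startswith("https://"):
            continue
        return scheme
    return None


def plan_bulk(operations, config):
    """Split operations into batches honouring bulk.maxOperations and
    bulk.maxPayloadSize.  Size is measured on the serialized operations
    list; the request envelope (defined in the SCIM REST API, not on this
    page) adds bytes on top, so keep headroom in production."""
    bulk = config["bulk"]
    if not bulk["supported"]:
        raise ValueError("Service Provider does not support bulk")
    max_ops, max_bytes = bulk["maxOperations"], bulk["maxPayloadSize"]

    def size(ops):
        return len(json.dumps(ops).encode("utf-8"))

    batches, current = [], []
    for op in operations:
        if size([op]) > max_bytes:
            raise ValueError("a single operation exceeds maxPayloadSize")
        if current and (len(current) == max_ops or size(current + [op]) > max_bytes):
            batches.append(current)
            current = []
        current.append(op)
    if current:
        batches.append(current)
    return batches


def page_size(requested, config):
    """Clamp a requested page size to filter.maxResults."""
    return min(requested, config["filter"]["maxResults"])
```

Because the draft says authenticationSchemes SHOULD be readable without prior authentication, a Consumer can run check_config and choose_scheme before it holds any credential; everything else in the configuration is read once the chosen scheme is in place.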
755 10. Resource Schema
757 The Resource schema specifies the Attribute(s) and meta-data that
758 constitute a Resource. Schema Resources are READ-ONLY and identified
using the following URI: 'urn:scim:schemas:core:1.0'. Unlike other
core Resources the schema Resource MAY contain a complex object
within a Sub-Attribute and all Attributes are REQUIRED unless
otherwise specified.
764 The following Singular Attributes are defined:
766 name The Resource name. When applicable Service Providers MUST
767 specify the name specified in the core schema specification; e.g.,
768 "User" or "Group".
770 description The Resource's human readable description. When
771 applicable Service Providers MUST specify the description
772 specified in the core schema specification.
774 schema The Resource's associated schema URI; e.g.,
775 urn:scim:schemas:core:1.0.
777 endpoint The Resource's HTTP addressable endpoint relative to the
778 Base URL; e.g., /Users.
780 The following multi-valued attribute is defined:
782 attributes A complex type that specifies the set of Resource
783 attributes.
785 name The attribute's name.
787 type The attribute's data type; e.g., String.
789 multiValued Boolean value indicating the attribute's plurality.
791 multiValuedAttributeChildName String value specifying the child
792 XML element name; e.g., the 'emails' attribute value is
793 'email', 'phoneNumbers', is 'phoneNumber'. REQUIRED when the
794 multiValued attribute value is true otherwise this attribute
795 MUST be omitted.
797 description The attribute's human readable description. When
798 applicable Service Providers MUST specify the description
799 specified in the core schema specification.
801 schema The attribute's associated schema; e.g.,
802 urn:scim:schemas:core:1.0.
readOnly A Boolean value that specifies whether the attribute is
read-only, i.e., set by the Service Provider and not modifiable by
Consumers.
807 required A Boolean value that specifies if the attribute is
808 required.
810 caseExact A Boolean value that specifies if the String attribute
811 is case sensitive.
813 The following multi-valued attributes are defined. There are
814 no canonical type values defined and the primary value serves
815 no useful purpose.
817 subAttributes A list specifying the contained attributes.
818 OPTIONAL.
820 name The attribute's name.
822 type The attribute's data type; e.g., String.
824 description The attribute's human readable description.
825 When applicable Service Providers MUST specify the
826 description specified in the core schema specification.
readOnly A Boolean value that specifies whether the attribute is
read-only, i.e., set by the Service Provider and not modifiable
by Consumers.
831 required A Boolean value that specifies if the attribute is
832 required.
834 caseExact A Boolean value that specifies if the String
835 attribute is case sensitive.
837 canonicalValues A collection of canonical values. When
838 applicable Service Providers MUST specify the canonical
839 types specified in the core schema specification;
840 e.g.,"work","home". OPTIONAL.
842 11. JSON Representation
844 11.1. Minimal User Representation
846 The following is a non-normative example of the minimal required SCIM
847 representation in JSON format.
849 {
850 "schemas": ["urn:scim:schemas:core:1.0"],
851 "id": "2819c223-7f76-453a-919d-413861904646",
852 "userName": "bjensen@example.com"
853 }
855 11.2. Full User Representation
857 The following is a non-normative example of the fully populated SCIM
858 representation in JSON format.
860 {
861 "schemas": ["urn:scim:schemas:core:1.0"],
862 "id": "2819c223-7f76-453a-919d-413861904646",
863 "externalId": "701984",
864 "userName": "bjensen@example.com",
865 "name": {
866 "formatted": "Ms. Barbara J Jensen III",
867 "familyName": "Jensen",
868 "givenName": "Barbara",
869 "middleName": "Jane",
870 "honorificPrefix": "Ms.",
871 "honorificSuffix": "III"
872 },
873 "displayName": "Babs Jensen",
874 "nickName": "Babs",
875 "profileUrl": "https://login.example.com/bjensen",
876 "emails": [
877 {
878 "value": "bjensen@example.com",
879 "type": "work",
880 "primary": true
881 },
882 {
883 "value": "babs@jensen.org",
884 "type": "home"
885 }
886 ],
887 "addresses": [
888 {
889 "type": "work",
890 "streetAddress": "100 Universal City Plaza",
891 "locality": "Hollywood",
892 "region": "CA",
893 "postalCode": "91608",
894 "country": "USA",
895 "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
896 "primary": true
897 },
898 {
899 "type": "home",
900 "streetAddress": "456 Hollywood Blvd",
901 "locality": "Hollywood",
902 "region": "CA",
903 "postalCode": "91608",
904 "country": "USA",
905 "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA"
906 }
907 ],
908 "phoneNumbers": [
909 {
910 "value": "555-555-5555",
911 "type": "work"
912 },
913 {
914 "value": "555-555-4444",
915 "type": "mobile"
916 }
917 ],
918 "ims": [
919 {
920 "value": "someaimhandle",
921 "type": "aim"
922 }
923 ],
924 "photos": [
925 {
926 "value": "https://photos.example.com/profilephoto/72930000000Ccne/F",
927 "type": "photo"
928 },
929 {
930 "value": "https://photos.example.com/profilephoto/72930000000Ccne/T",
931 "type": "thumbnail"
932 }
933 ],
934 "userType": "Employee",
935 "title": "Tour Guide",
936 "preferredLanguage":"en_US",
937 "locale": "en_US",
938 "timezone": "America/Los_Angeles",
939 "active":true,
940 "password":"t1meMa$heen",
941 "groups": [
942 {
943 "display": "Tour Guides",
944 "value": "00300000005N2Y6AA"
945 },
946 {
947 "display": "Employees",
948 "value": "00300000005N34H78"
949 },
950 {
951 "display": "US Employees",
952 "value": "00300000005N98YT1"
953 }
954 ],
955 "x509Certificates": [
956 {
957 "value": "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
958 EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
959 VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
960 MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
961 eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
962 IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
963 AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
964 1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
965 PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
966 zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
967 DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
968 SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
969 HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
970 Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
971 dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
972 Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
973 C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
974 +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo="
976 }
977 ],
978 "meta": {
979 "created": "2010-01-23T04:56:22Z",
980 "lastModified": "2011-05-13T04:42:34Z",
981 "version": "W\/\"a330bc54f0671c9\"",
982 "location": "https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646"
983 }
984 }
986 11.3. Enterprise User Extension Representation
988 The following is a non-normative example of the fully populated User
989 using the enterprise User extension in JSON format.
991 {
992 "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"],
993 "id": "2819c223-7f76-453a-919d-413861904646",
994 "externalId": "701984",
995 "userName": "bjensen@example.com",
996 "name": {
997 "formatted": "Ms. Barbara J Jensen III",
998 "familyName": "Jensen",
999 "givenName": "Barbara",
1000 "middleName": "Jane",
1001 "honorificPrefix": "Ms.",
1002 "honorificSuffix": "III"
1003 },
1004 "displayName": "Babs Jensen",
1005 "nickName": "Babs",
1006 "profileUrl": "https://login.example.com/bjensen",
1007 "emails": [
1008 {
1009 "value": "bjensen@example.com",
1010 "type": "work",
1011 "primary": true
1012 },
1013 {
1014 "value": "babs@jensen.org",
1015 "type": "home"
1016 }
1017 ],
1018 "addresses": [
1019 {
1020 "streetAddress": "100 Universal City Plaza",
1021 "locality": "Hollywood",
1022 "region": "CA",
1023 "postalCode": "91608",
1024 "country": "USA",
1025 "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
1026 "type": "work",
1027 "primary": true
1028 },
1029 {
1030 "streetAddress": "456 Hollywood Blvd",
1031 "locality": "Hollywood",
1032 "region": "CA",
1033 "postalCode": "91608",
1034 "country": "USA",
1035 "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA",
1036 "type": "home"
1037 }
1038 ],
1039 "phoneNumbers": [
1040 {
1041 "value": "555-555-5555",
1042 "type": "work"
1043 },
1044 {
1045 "value": "555-555-4444",
1046 "type": "mobile"
1047 }
1048 ],
1049 "ims": [
1050 {
1051 "value": "someaimhandle",
1052 "type": "aim"
1053 }
1054 ],
1055 "photos": [
1056 {
1057 "value": "https://photos.example.com/profilephoto/72930000000Ccne/F",
1058 "type": "photo"
1059 },
1060 {
1061 "value": "https://photos.example.com/profilephoto/72930000000Ccne/T",
1062 "type": "thumbnail"
1063 }
1064 ],
1065 "userType": "Employee",
1066 "title": "Tour Guide",
1067 "preferredLanguage":"en_US",
1068 "locale": "en_US",
1069 "timezone": "America/Los_Angeles",
1070 "active":true,
1071 "password":"t1meMa$heen",
1072 "groups": [
1073 {
1074 "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
1075 "display": "Tour Guides"
1076 },
1077 {
1078 "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
1079 "display": "Employees"
1080 },
1081 {
1082 "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
1083 "display": "US Employees"
1084 }
1085 ],
1086 "x509Certificates": [
1087 {
1088 "value": "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
1089 EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
1090 VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
1091 MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
1092 eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
1093 IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
1094 AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
1095 1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
1096 PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
1097 zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
1098 DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
1099 SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
1100 HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
1101 Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
1102 dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
1103 Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
1104 C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
1105 +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo="
1106 }
1107 ],
1108 "urn:scim:schemas:extension:enterprise:1.0": {
1109 "employeeNumber": "701984",
1110 "costCenter": "4130",
1111 "organization": "Universal Studios",
1112 "division": "Theme Park",
1113 "department": "Tour Operations",
1114 "manager": {
1115 "managerId": "26118915-6090-4610-87e4-49d8ca9f808d",
1116 "displayName": "John Smith"
1117 }
1118 },
1119 "meta": {
1120 "created": "2010-01-23T04:56:22Z",
1121 "lastModified": "2011-05-13T04:42:34Z",
1122 "version": "W\/\"3694e05e9dff591\"",
1123 "location": "https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646"
1124 }
1125 }
1127 11.4. Group Representation
1129 The following is a non-normative example of SCIM Group representation
1130 in JSON format.
1132 {
1133 "schemas": ["urn:scim:schemas:core:1.0"],
1134 "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
1135 "displayName": "Tour Guides",
1136 "members": [
1137 {
1138 "value": "2819c223-7f76-453a-919d-413861904646",
1139 "display": "Babs Jensen"
1140 },
1141 {
1142 "value": "902c246b-6245-4190-8e05-00816be7344a",
1143 "display": "Mandy Pepperidge"
1144 }
1145 ]
1146 }
1148 11.5. Service Provider Configuration Representation
1150 The following is a non-normative example of the SCIM Service Provider
1151 Configuration representation in JSON format.
1153 {
1154 "schemas": ["urn:scim:schemas:core:1.0"],
1155 "documentationUrl":"http://example.com/help/scim.html",
1156 "patch": {
1157 "supported":true
1158 },
1159 "bulk": {
1160 "supported":true,
1161 "maxOperations":1000,
1162 "maxPayloadSize":1048576
1163 },
1164 "filter": {
1165 "supported":true,
1166 "maxResults": 200
1167 },
1168 "changePassword" : {
1169 "supported":true
1170 },
1171 "sort": {
1172 "supported":true
1173 },
1174 "etag": {
1175 "supported":true
1176 },
1177 "xmlDataFormat": {
1178 "supported":true
1179 },
1180 "authenticationSchemes": [
1181 {
1182 "name": "OAuth Bearer Token",
1183 "description": "Authentication Scheme using the OAuth Bearer Token Standard",
1184 "specUrl":"http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
1185 "documentationUrl":"http://example.com/help/oauth.html",
1186 "type":"oauthbearertoken",
1187 "primary": true
1188 },
1189 {
1190 "name": "HTTP Basic",
"description": "Authentication Scheme using the HTTP Basic Standard",
1192 "specUrl":"http://www.ietf.org/rfc/rfc2617.txt",
1193 "documentationUrl":"http://example.com/help/httpBasic.html",
1194 "type":"httpbasic"
1195 }
1196 ]
1197 }
1198 11.6. Resource Schema Representation
The following is a non-normative example of the SCIM Resource Schema
representation in JSON format.
1203 {
1204 "id":"urn:scim:schemas:core:1.0:User",
1205 "name":"User",
1206 "description":"Core User",
1207 "schema":"urn:scim:schemas:core:1.0",
1208 "endpoint":"/Users",
1209 "attributes":[
1210 {
1211 "name":"id",
1212 "type":"string",
1213 "multiValued":false,
1214 "description":"Unique identifier for the SCIM resource as defined by the Service Provider. Each representation of the resource MUST include a non-empty id value. This identifier MUST be unique across the Service Provider's entire set of resources. It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests. The value of the id attribute is always issued by the Service Provider and MUST never be specified by the Service Consumer. REQUIRED.",
1215 "schema":"urn:scim:schemas:core:1.0",
1216 "readOnly":true,
1217 "required":true,
1218 "caseExact":false
1219 },
1220 {
1221 "name":"name",
1222 "type":"complex",
1223 "multiValued":false,
1224 "description":"The components of the user's real name. Providers MAY return just the full name as a single string in the formatted sub-attribute, or they MAY return just the individual component attributes using the other sub-attributes, or they MAY return both. If both variants are returned, they SHOULD be describing the same name, with the formatted name indicating how the component attributes should be combined.",
1225 "schema":"urn:scim:schemas:core:1.0",
1226 "readOnly":false,
1227 "required":false,
1228 "caseExact":false,
1229 "subAttributes":[
1230 {
1231 "name":"formatted",
1232 "type":"string",
1233 "multiValued":false,
1234 "description":"The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g. Ms. Barbara J Jensen, III.)." ,
1235 "readOnly":false,
1236 "required":false,
1237 "caseExact":false
1238 },
1239 {
1240 "name":"familyName",
1241 "type":"string",
1242 "multiValued":false,
1243 "description":"The family name of the User, or Last Name in most Western languages (e.g. Jensen given the full name Ms. Barbara J Jensen, III.).",
1244 "readOnly":false,
1245 "required":false,
1246 "caseExact":false
1247 },
1248 {
1249 "name":"givenName",
1250 "type":"string",
1251 "multiValued":false,
1252 "description":"The given name of the User, or First Name in most Western languages (e.g. Barbara given the full name Ms. Barbara J Jensen, III.).",
1253 "readOnly":false,
1254 "required":false,
1255 "caseExact":false
1256 },
1257 {
1258 "name":"middleName",
1259 "type":"string",
1260 "multiValued":false,
1261 "description":"The middle name(s) of the User (e.g. Robert given the full name Ms. Barbara J Jensen, III.).",
1262 "readOnly":false,
1263 "required":false,
1264 "caseExact":false
1265 },
1266 {
1267 "name":"honorificPrefix",
1268 "type":"string",
1269 "multiValued":false,
1270 "description":"The honorific prefix(es) of the User, or Title in most Western languages (e.g. Ms. given the full name Ms. Barbara J Jensen, III.).",
1271 "readOnly":false,
1272 "required":false,
1273 "caseExact":false
1274 },
1275 {
1276 "name":"honorificSuffix",
1277 "type":"string",
1278 "multiValued":false,
1279 "description":"The honorific suffix(es) of the User, or Suffix in most Western languages (e.g. III. given the full name Ms. Barbara J Jensen, III.).",
1280 "readOnly":false,
1281 "required":false,
1282 "caseExact":false
1283 }
1284 ]
1285 },
1286 {
1287 "name":"emails",
1288 "type":"complex",
1289 "multiValued":true,
1290 "multiValuedAttributeChildName":"email",
1291 "description":"E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g. bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
1292 "schema":"urn:scim:schemas:core:1.0",
1293 "readOnly":false,
1294 "required":false,
1295 "caseExact":false,
1296 "subAttributes":[
1297 {
1298 "name":"value",
1299 "type":"string",
1300 "multiValued":false,
"description":"The e-mail address. The value SHOULD be canonicalized by the Service Provider, e.g. bjensen@example.com instead of bjensen@EXAMPLE.COM.",
1302 "readOnly":false,
1303 "required":false,
1304 "caseExact":false
1305 },
1306 {
1307 "name":"display",
1308 "type":"string",
1309 "multiValued":false,
1310 "description":"A human readable name, primarily used for display purposes. READ-ONLY.",
1311 "readOnly":true,
1312 "required":false,
1313 "caseExact":false
1314 },
1315 {
1316 "name":"type",
1317 "type":"string",
1318 "multiValued":false,
1319 "description":"A label indicating the attribute's function; e.g., 'work' or 'home'.",
1320 "readOnly":false,
1321 "required":false,
1322 "caseExact":false,
1323 "canonicalValues":["work","home","other"]
1324 },
1325 {
1326 "name":"primary",
1327 "type":"boolean",
1328 "multiValued":false,
1329 "description":"A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g. the preferred mailing address or primary e-mail address. The primary attribute value 'true' MUST appear no more than once.",
1330 "readOnly":false,
1331 "required":false,
1332 "caseExact":false
1333 }
]
},
1335 {
1336 "name":"addresses",
1337 "type":"complex",
1338 "multiValued":true,
1339 "multiValuedAttributeChildName":"address",
1340 "description":"A physical mailing address for this User, as described in (address Element). Canonical Type Values of work, home, and other. The value attribute is a complex type with the following sub-attributes.",
1341 "schema":"urn:scim:schemas:core:1.0",
1342 "readOnly":false,
1343 "required":false,
1344 "caseExact":false,
1345 "subAttributes":[
1346 {
1347 "name":"formatted",
1348 "type":"string",
1349 "multiValued":false,
1350 "description":"The full mailing address, formatted for display or use with a mailing label. This attribute MAY contain newlines.",
1351 "readOnly":false,
1352 "required":false,
1353 "caseExact":false
1354 },
1355 {
1356 "name":"streetAddress",
1357 "type":"string",
1358 "multiValued":false,
1359 "description":"The full street address component, which may include house number, street name, PO BOX, and multi-line extended street address information. This attribute MAY contain newlines.",
1360 "readOnly":false,
1361 "required":false,
1362 "caseExact":false
1363 },
1364 {
1365 "name":"locality",
1366 "type":"string",
1367 "multiValued":false,
1368 "description":"The city or locality component.",
1369 "readOnly":false,
1370 "required":false,
1371 "caseExact":false
1372 },
1373 {
1374 "name":"region",
1375 "type":"string",
1376 "multiValued":false,
1377 "description":"The state or region component.",
1378 "readOnly":false,
1379 "required":false,
1380 "caseExact":false
1381 },
1382 {
1383 "name":"postalCode",
1384 "type":"string",
1385 "multiValued":false,
1386 "description":"The zipcode or postal code component.",
1387 "readOnly":false,
1388 "required":false,
1389 "caseExact":false
1391 },
1392 {
1393 "name":"country",
1394 "type":"string",
1395 "multiValued":false,
1396 "description":"The country name component.",
1397 "readOnly":false,
1398 "required":false,
1399 "caseExact":false
1400 },
1401 {
1402 "name":"type",
1403 "type":"string",
1404 "multiValued":false,
1405 "description":"A label indicating the attribute's function; e.g., 'work' or 'home'.",
1406 "readOnly":false,
1407 "required":false,
1408 "caseExact":false,
1409 "canonicalValues":["work","home","other"]
}
1411 ]
1412 },
1413 {
1414 "name":"employeeNumber",
1415 "type":"string",
1416 "multiValued":false,
1417 "description":"Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.",
1418 "schema":"urn:scim:schemas:extension:enterprise:1.0",
1419 "readOnly":false,
1420 "required":false,
1421 "caseExact":false
1422 }
1423 ]
1424 }
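An added example, not from the draft, showing how the attribute metadata of the Resource Schema (readOnly, required, multiValued, caseExact, canonicalValues, subAttributes) drives validation of a representation, and how a stored resource is stripped of password before it is returned, as Section 13 requires. The schema below is a constructed subset of the one in Section 11.6. Treating schemas and userName as REQUIRED, demanding writable REQUIRED attributes in Consumer requests and every REQUIRED attribute in Service Provider responses, rejecting rather than ignoring READ-ONLY attributes a Consumer sends, and rejecting attributes the schema does not define are this example's own rules.

```python
# Constructed subset of the Resource Schema in Section 11.6 (same metadata
# fields).  Example assumptions: schemas and userName are REQUIRED (both
# appear in the minimal representation of Section 11.1) and password is a
# plain String attribute.
USER_SCHEMA = {
    "name": "User",
    "schema": "urn:scim:schemas:core:1.0",
    "attributes": [
        {"name": "schemas", "type": "string", "multiValued": True,
         "readOnly": False, "required": True, "caseExact": True},
        {"name": "id", "type": "string", "multiValued": False,
         "readOnly": True, "required": True, "caseExact": False},
        {"name": "userName", "type": "string", "multiValued": False,
         "readOnly": False, "required": True, "caseExact": False},
        {"name": "password", "type": "string", "multiValued": False,
         "readOnly": False, "required": False, "caseExact": True},
        {"name": "emails", "type": "complex", "multiValued": True,
         "readOnly": False, "required": False, "caseExact": False,
         "subAttributes": [
             {"name": "value", "type": "string", "multiValued": False,
              "readOnly": False, "required": False, "caseExact": False},
             {"name": "display", "type": "string", "multiValued": False,
              "readOnly": True, "required": False, "caseExact": False},
             {"name": "type", "type": "string", "multiValued": False,
              "readOnly": False, "required": False, "caseExact": False,
              "canonicalValues": ["work", "home", "other"]},
             {"name": "primary", "type": "boolean", "multiValued": False,
              "readOnly": False, "required": False, "caseExact": False}]},
    ],
}

PYTHON_TYPES = {"string": str, "boolean": bool, "complex": dict}


def validate(resource, schema, mode="request"):
    """Return the list of schema violations (empty when valid).  mode
    "request" checks a Consumer-supplied representation: READ-ONLY
    attributes are issued by the Service Provider and rejected if present,
    and only writable REQUIRED attributes must be there.  mode "response"
    checks what the Service Provider returns, where every REQUIRED
    attribute must be present."""
    problems = []
    _check_attributes("", resource, schema["attributes"], mode, problems)
    return problems


def _check_attributes(prefix, obj, attrs, mode, problems):
    known = {a["name"] for a in attrs}
    problems += [f"{prefix}{n}: not defined in schema" for n in obj if n not in known]
    for attr in attrs:
        path, present = f"{prefix}{attr['name']}", attr["name"] in obj
        if mode == "request" and attr["readOnly"] and present:
            problems.append(f"{path}: READ-ONLY attribute supplied by Consumer")
            continue
        if attr["required"] and (mode == "response" or not attr["readOnly"]) and not present:
            problems.append(f"{path}: REQUIRED attribute missing")
        if not present:
            continue
        value = obj[attr["name"]]
        if not attr["multiValued"]:
            _check_value(path, value, attr, mode, problems)
        elif not isinstance(value, list):
            problems.append(f"{path}: multi-valued attribute must be an array")
        else:
            # Section 11.6: 'primary' true MUST appear no more than once.
            primaries = sum(1 for v in value if isinstance(v, dict) and v.get("primary") is True)
            if primaries > 1:
                problems.append(f"{path}: 'primary' true appears {primaries} times")
            for i, item in enumerate(value):
                _check_value(f"{path}[{i}]", item, attr, mode, problems)


def _check_value(path, value, attr, mode, problems):
    expected = PYTHON_TYPES.get(attr["type"], object)
    if not isinstance(value, expected):
        problems.append(f"{path}: expected {attr['type']}")
        return
    canonical = attr.get("canonicalValues")
    if canonical:
        # caseExact false: compare canonical values case-insensitively.
        accepted = canonical if attr["caseExact"] else {c.lower() for c in canonical}
        if (value if attr["caseExact"] else value.lower()) not in accepted:
            problems.append(f"{path}: '{value}' not one of {canonical}")
    if attr["type"] == "complex":
        _check_attributes(path + ".", value, attr.get("subAttributes", []), mode, problems)


def to_response(resource):
    """Copy of a stored resource that may be returned: Section 13 prohibits
    password values in a SCIM response."""
    return {k: v for k, v in resource.items() if k != "password"}
```

Rejecting unknown and READ-ONLY attributes on input is what stops a Consumer from smuggling an id, a display value or an unmodelled field into the store; running validate in "response" mode on the way out catches a Service Provider that forgets a REQUIRED attribute or emits two primary e-mail addresses.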
1426 12. XML Representation
1428 12.1. Minimal Representation
1430 The following is a non-normative example of the minimal required SCIM
1431 User representation in XML format.
<User xmlns="urn:scim:schemas:core:1.0">
  <id>2819c223-7f76-453a-919d-413861904646</id>
  <userName>bjensen@example.com</userName>
</User>
1439 12.2. Full Representation
1441 The following is a non-normative example of the fully populated SCIM
1442 representation in XML format.
<User xmlns="urn:scim:schemas:core:1.0">
  <id>2819c223-7f76-453a-919d-413861904646</id>
  <externalId>701984</externalId>
  <userName>bjensen@example.com</userName>
  <name>
    <formatted>Ms. Babs J Jensen III</formatted>
    <familyName>Jensen</familyName>
    <givenName>Barbara</givenName>
    <middleName>Jane</middleName>
    <honorificPrefix>Ms.</honorificPrefix>
    <honorificSuffix>III</honorificSuffix>
  </name>
  <displayName>Babs Jensen</displayName>
  <nickName>Babs</nickName>
  <profileUrl>https://login.example.com/bjensen</profileUrl>
  <emails>
    <email>
      <value>bjensen@example.com</value>
      <type>work</type>
      <primary>true</primary>
    </email>
    <email>
      <value>babs@jensen.com</value>
      <type>home</type>
    </email>
  </emails>
  <addresses>
    <address>
      <formatted>100 Universal City Plaza\nHollywood, CA 91608 USA</formatted>
      <streetAddress>100 Universal City Plaza</streetAddress>
      <locality>Hollywood</locality>
      <region>CA</region>
      <postalCode>91608</postalCode>
      <country>USA</country>
      <type>work</type>
      <primary>true</primary>
    </address>
    <address>
      <formatted>456 Hollywood Blvd\nHollywood, CA 91608 USA</formatted>
      <streetAddress>456 Hollywood Blvd</streetAddress>
      <locality>Hollywood</locality>
      <region>CA</region>
      <postalCode>91608</postalCode>
      <country>USA</country>
      <type>home</type>
    </address>
  </addresses>
  <phoneNumbers>
    <phoneNumber>
      <value>555-555-5555</value>
      <type>work</type>
    </phoneNumber>
    <phoneNumber>
      <value>555-555-4444</value>
      <type>mobile</type>
    </phoneNumber>
  </phoneNumbers>
  <ims>
    <im>
      <value>someaimhandle</value>
      <type>aim</type>
    </im>
  </ims>
  <photos>
    <photo>
      <value>https://photos.example.com/profilephoto/72930000000Ccne/F</value>
      <type>photo</type>
    </photo>
    <photo>
      <value>https://photos.example.com/profilephoto/72930000000Ccne/T</value>
      <type>thumbnail</type>
    </photo>
  </photos>
  <userType>Employee</userType>
  <title>Tour Guide</title>
  <preferredLanguage>en_US</preferredLanguage>
  <locale>en_US</locale>
  <timezone>America/Los_Angeles</timezone>
  <active>true</active>
  <password>t1meMa$heen</password>
  <groups>
    <group>
      <value>e9e30dba-f08f-4109-8486-d5c6a331660a</value>
      <display>Tour Guides</display>
    </group>
    <group>
      <value>6d1a1088-3a56-4371-8e3b-6d48d67493ec</value>
      <display>Employees</display>
    </group>
    <group>
      <value>5fd998b9-d2bd-479c-991b-6790537608dc</value>
      <display>US Employees</display>
    </group>
  </groups>
  <roles>
    <role>
      <value>administrator</value>
    </role>
  </roles>
  <entitlements>
    <entitlement>
      <value>delete users</value>
    </entitlement>
  </entitlements>
  <x509Certificates>
    <x509Certificate>
      <value>
MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
+GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo=
      </value>
    </x509Certificate>
  </x509Certificates>
  <meta>
    <created>2010-01-23T04:56:22Z</created>
    <lastModified>2011-05-13T04:42:34Z</lastModified>
    <version>W/"a330bc54f0671c9"</version>
    <location>https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646</location>
  </meta>
</User>
1579 12.3. Enterprise User Extension Representation
1581 The following is a non-normative example of the fully populated User
1582 using the enterprise User extension in XML format.
<User xmlns="urn:scim:schemas:core:1.0"
      xmlns:enterprise="urn:scim:schemas:extension:enterprise:1.0">
  <id>2819c223-7f76-453a-919d-413861904646</id>
  <externalId>701984</externalId>
  <userName>bjensen@example.com</userName>
  <name>
    <formatted>Ms. Babs J Jensen III</formatted>
    <familyName>Jensen</familyName>
    <givenName>Barbara</givenName>
    <middleName>Jane</middleName>
    <honorificPrefix>Ms.</honorificPrefix>
    <honorificSuffix>III</honorificSuffix>
  </name>
  <displayName>Babs Jensen</displayName>
  <nickName>Babs</nickName>
  <profileUrl>https://login.example.com/bjensen</profileUrl>
  <title>Tour Guide</title>
  <userType>Employee</userType>
  <preferredLanguage>en_US</preferredLanguage>
  <locale>en_US</locale>
  <timezone>America/Los_Angeles</timezone>
  <active>true</active>
  <password>t1meMa$heen</password>
  <emails>
    <email>
      <value>bjensen@example.com</value>
      <type>work</type>
      <primary>true</primary>
    </email>
    <email>
      <value>babs@jensen.com</value>
      <type>home</type>
    </email>
  </emails>
  <addresses>
    <address>
      <formatted>100 Universal City Plaza\nHollywood, CA 91608 USA</formatted>
      <streetAddress>100 Universal City Plaza</streetAddress>
      <locality>Hollywood</locality>
      <region>CA</region>
      <postalCode>91608</postalCode>
      <country>USA</country>
      <type>work</type>
      <primary>true</primary>
    </address>
    <address>
      <formatted>456 Hollywood Blvd\nHollywood, CA 91608 USA</formatted>
      <streetAddress>456 Hollywood Blvd</streetAddress>
      <locality>Hollywood</locality>
      <region>CA</region>
      <postalCode>91608</postalCode>
      <country>USA</country>
    </address>
  </addresses>
  <phoneNumbers>
    <phoneNumber>
      <value>555-555-5555</value>
      <type>work</type>
    </phoneNumber>
    <phoneNumber>
      <value>555-555-4444</value>
      <type>mobile</type>
    </phoneNumber>
  </phoneNumbers>
  <ims>
    <im>
      <value>someaimhandle</value>
      <type>aim</type>
    </im>
  </ims>
  <photos>
    <photo>
      <value>https://photos.example.com/profilephoto/72930000000Ccne/F</value>
      <type>photo</type>
    </photo>
    <photo>
      <value>https://photos.example.com/profilephoto/72930000000Ccne/T</value>
      <type>thumbnail</type>
    </photo>
  </photos>
  <groups>
    <group>
      <display>Tour Guides</display>
      <value>00300000005N2Y6AA</value>
    </group>
    <group>
      <display>Employees</display>
      <value>00300000005N34H78</value>
    </group>
    <group>
      <display>US Employees</display>
      <value>00300000005N98YT1</value>
    </group>
  </groups>
  <roles>
    <role>
      <value>administrator</value>
    </role>
  </roles>
  <entitlements>
    <entitlement>
      <value>delete users</value>
    </entitlement>
  </entitlements>
  <x509Certificates>
    <x509Certificate>
      <value>
MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
+GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo=
      </value>
    </x509Certificate>
  </x509Certificates>
  <enterprise:employeeNumber>701984</enterprise:employeeNumber>
  <enterprise:manager>
    <enterprise:managerId>902c246b-6245-4190-8e05-00816be7344a</enterprise:managerId>
    <enterprise:displayName>Mandy Pepperidge</enterprise:displayName>
  </enterprise:manager>
  <enterprise:costCenter>4130</enterprise:costCenter>
  <enterprise:organization>Universal Studios</enterprise:organization>
  <enterprise:division>Theme Park</enterprise:division>
  <enterprise:department>Tour Operations</enterprise:department>
  <meta>
    <created>2010-01-23T04:56:22Z</created>
    <lastModified>2011-05-13T04:42:34Z</lastModified>
    <version>W/"3694e05e9dff591"</version>
    <location>https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646</location>
  </meta>
</User>
1729 12.4. Group Representation
1731 The following is a non-normative example of a SCIM Group
1732 representation in XML format.
1734
1735 2819c223-7f76-453a-919d-413861904646
1736 Tour Guides
1737
1738
1739 902c246b-6245-4190-8e05-00816be7344a
1740 Babs Jensen
1741
1742
1743 902c246b-6245-4190-8e05-00816be7344a
1744 Mandy Pepperidge
1745
1746
1747
1749 13. Security Considerations
1751 The SCIM Core schema contains personally identifiable information as
1752 well as other sensitive data. Aside from prohibiting password values
1753 in a SCIM response, this specification does not provide any means or
1754 guarantee of confidentiality.
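The one protection the paragraph above does promise, that a password value never appears in a SCIM response, is something a Service Provider has to enforce in code. The following is an added example, not part of the draft, of a filter run on every resource before serialisation and a check on the serialised body; the sample resource is constructed (it reuses the user id from the draft's example), and the case-insensitive match on the attribute name is a defensive assumption.

```python
import json
from typing import Any, List, Tuple

PASSWORD_ATTR = "password"  # SCIM Core attribute that MUST NOT be returned


def redact_passwords(node: Any, path: str = "") -> Tuple[Any, List[str]]:
    """Return a copy of `node` with every "password" attribute removed, plus
    the JSON-style paths that were removed. Recurses into sub-attributes and
    multi-valued attributes so extensions cannot smuggle the value through.
    Name matching is case-insensitive (defensive assumption)."""
    removed: List[str] = []
    if isinstance(node, dict):
        clean = {}
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.lower() == PASSWORD_ATTR:
                removed.append(child)
                continue
            clean[key], sub = redact_passwords(value, child)
            removed.extend(sub)
        return clean, removed
    if isinstance(node, list):
        items = []
        for i, item in enumerate(node):
            cleaned, sub = redact_passwords(item, f"{path}[{i}]")
            items.append(cleaned)
            removed.extend(sub)
        return items, removed
    return node, removed  # scalar: nothing to strip


def response_is_clean(body: str) -> bool:
    """Last-line check on the serialised JSON body actually leaving the
    server: True iff no "password" attribute survives anywhere in it."""
    _, removed = redact_passwords(json.loads(body))
    return not removed


# Constructed sample resource (not from the draft) as a provider might
# assemble it from its store before building the response.
SAMPLE_USER = {
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "password": "t1meMa$heen",  # stored credential, never to be returned
    "name": {"familyName": "Jensen", "givenName": "Barbara"},
    "groups": [{"display": "Tour Guides", "value": "00300000005N2Y6AA"}],
}

if __name__ == "__main__":
    clean, removed = redact_passwords(SAMPLE_USER)
    print("removed:", removed)
    print(json.dumps(clean, indent=2), response_is_clean(json.dumps(clean)))
```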
1756 Appendix A. Contributors
1758 The SCIM Community would like to thank the following people for the
1759 work they've done in the research, formulation, drafting, editing,
1760 and support of this specification.
1762 Morteza Ansari (morteza.ansari@cisco.com)
1763 Sidharth Choudhury (schoudhury@salesforce.com)
1765 Samuel Erdtman (samuel@erdtman.se)
1767 Kelly Grizzle (kelly.grizzle@sailpoint.com)
1769 Chris Phillips (cjphillips@gmail.com)
1771 Erik Wahlstroem (erik.wahlstrom@nexussafe.com)
1773 Special thanks to Joseph Smarr, whose excellent work on the Portable
1774 Contacts Specification [PortableContacts] provided a basis for the
1775 SCIM schema structure and text.
1777 14. Normative References
1779 [PortableContacts]
1780 Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only",
1781 August 2008.
1783 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1784 Requirement Levels", BCP 14, RFC 2119, March 1997.
1786 [1]
1788 [2]
1790 [3]
1792 [4]
1794 [5]
1797 [6]
1799 [7]
1801 Authors' Addresses
1803 Chuck Mortimore (editor)
1804 Salesforce.com
1806 Email: cmortimore@salesforce.com
1807 Patrick Harding
1808 Ping Identity
1810 Email: pharding@pingidentity.com
1812 Paul Madsen
1813 Ping Identity
1815 Email: pmadsen@pingidentity.com
1817 Trey Drake
1818 UnboundID
1820 Email: trey.drake@unboundid.com