Microsoft

danny@zollnerd.com

TODO SCIM Internet-Draft SCIM The System for Cross-domain Identity Management standard's schema RFC [RFC7643], as well as custom schemas, may have attribute values that have a finite set of acceptable values. These acceptable values are frequently tied to a value on another resource. For instance, an organization may only allow values in the Enterprise User schema's costCenter attribute that are valid identifiers of cost centers defined in another location. This draft aims to provide a way for a SCIM client to determine if an attribute in a schema is limited to a specific set of values, and where those values may be located on another SCIM resource type.

Introduction The System for Cross-domain Identity Management standard's schema RFC [RFC7643], as well as custom schemas, may have attribute values that have a finite set of acceptable values. These acceptable values are frequently tied to a value on another resource. For instance, an organization may only allow values in the Enterprise User schema's costCenter attribute that are valid identifiers of existing cost centers defined in another location. This draft aims to provide a way for a SCIM client to determine if an attribute in a schema is limited to a specific set of values, and where those values may be located on another SCIM resource type. The mechanism that this draft proposes is an extension to the schema of [RFC7643]'s "attributes" attribute in the schema definition. This extension will define three new sub-attributes of the "attributes" attribute. These attributes will indicate if the attribute is constrained by a referential relationship, and if it is what resource type and attribute is the value linked to. This problem that this aims to solve is a problem of discovery and efficiency. Without a standardized way to determine when an attribute is constrained by the existence of and linked to the values of another resource's attribute, a SCIM client cannot know which values will be accepted and which will fail. This leads to failed requests due to invalid values being provided for attributes in requests, and reduces efficiency and success rate of requests being made.

ServiceProviderConfig Extension SCIM Service Providers that have implemented this extension must advertise its availability via the following serviceProviderConfig attribute:

referentialValueLocation

A complex type that specifies configuration related to referential value location information. REQUIRED.

supported

A boolean type that indicates if the referential value location extension has been implemented. REQUIRED.

Schema Definition Extension This extension implements the following new sub-attributes of the "attributes" attribute in urn:ietf:params:scim:schemas:core:2.0:Schema as defined in [RFC7643]. These attributes are:

referentialValue

A complex type that indicates if the value of the attribute is constrained by values present on a SCIM resource type. REQUIRED.

required

A boolean type that indicates if the attribute's allowed values are constrained by those present on a SCIM resource type.

referentialValueURI

A reference type that contains the URI of the SCIM schema attribute that the attribute is constrained against. REQUIRED if required is true.

referentialValueResourceType

A reference type that contains the relative URI of the root resource type that is referenced. REQUIRED if required is true.

Normative Examples

Manager Example The following example shows a section of the core user schema adapted to support the referential value location attributes in this extension for the user resource's "manager" attribute.

In the above example, the extension indicates that the value of the user resource's "manager" attribute is constrained by the id value of the core schema's User resource located at <baseUrl>/Users. A request of GET <baseUrl>/Users would return a list of results containing all visible cost centers. The id value of any of the users returned should be valid for the value of the user resource's "manager" attribute.

Cost Center Example The following example shows a section of the Enterprise User schema adapted to support the referential value location attributes in this extension for the user resource's enterprise costCenter attribute.

In the above example, the extension indicates that the value of urn:ietf:params:scim:schemas:enterprise:2.0:User:costCenter is constrained by the displayName value of a custom resource located at <baseUrl>/costCenters. A request of GET <baseUrl>/costCenters would return a list of results containing all visible cost centers. The displayName values of any of the cost centers returned by the request should be valid for the value of the user resource's urn:ietf:params:Scim:schemas:enterprise:2.0:User:costCenter attribute.

Change Log v00 - July 28, 2022: Initial version v00 - July 29, 2022: Fixes of small errors in initial draft's examples and incorrect title

References TO-DO