Re: [scim] Multiple external id values
Mark Dobrinic <mark.dobrinic@twobotechnologies.com> Mon, 05 October 2015 15:39 UTC
Return-Path: <mark.dobrinic@twobotechnologies.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 617341AD070 for <scim@ietfa.amsl.com>; Mon, 5 Oct 2015 08:39:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SKDrGF803FWj for <scim@ietfa.amsl.com>; Mon, 5 Oct 2015 08:39:34 -0700 (PDT)
Received: from mail-wi0-f169.google.com (mail-wi0-f169.google.com [209.85.212.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1318C1A87B3 for <scim@ietf.org>; Mon, 5 Oct 2015 08:39:34 -0700 (PDT)
Received: by wicfx3 with SMTP id fx3so120432518wic.0 for <scim@ietf.org>; Mon, 05 Oct 2015 08:39:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=4RnSl2R7drSMrUISP1zKhLwl4YTyYsViFo/ljVLKAdk=; b=dohewax28pkeWc1R6rO5xVKBO1pMwvIF1Ak5bhznwLcOgknst2gEU3U/KZco0r76qM z6lxfeP0cLEmV3g+xA0t0ef1aZyABD0IGc6k7+C83J3b6i+UdIzvCijJxCx5CUxillEZ iSin5gJ7X8he9LGrn/SugnIEJlHyEKHdHqziztZL7fRHaGHjSQ0E5fPucdUWGcLym0DW s4+q4uaxKmDrOo1VcL37gInBbhQVMt7B2qgvfSZM14KBBt0IPVaFQqLJ8Kj6bQWBUt0/ AlkBW7RIVSGV/JsgcX6ayw63O0DB3/mxz7kV+8I+RVOd4fGUZIDIa43kG5m9yS7ptesY gktQ==
X-Gm-Message-State: ALoCoQlclYiY6DFhPeHQ8hTb6nKvkD+mTm5nzq+wcJ2GNa4i2K6VJhqoXiud1/MwYKs08DjcsvNf
X-Received: by 10.180.74.47 with SMTP id q15mr13094898wiv.73.1444059572556; Mon, 05 Oct 2015 08:39:32 -0700 (PDT)
Received: from speedyM.local (ip5651156e.adsl-surfen.hetnet.nl. [86.81.21.110]) by smtp.googlemail.com with ESMTPSA id pl7sm15261048wic.4.2015.10.05.08.39.31 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 05 Oct 2015 08:39:31 -0700 (PDT)
To: Phil Hunt <phil.hunt@oracle.com>
References: <56128C3A.6050402@twobotechnologies.com> <E575C310-B322-4C6F-9E3A-A736D3CBB2CB@oracle.com>
From: Mark Dobrinic <mark.dobrinic@twobotechnologies.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <561299B2.9010305@twobotechnologies.com>
Date: Mon, 05 Oct 2015 17:39:30 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <E575C310-B322-4C6F-9E3A-A736D3CBB2CB@oracle.com>
Content-Type: multipart/alternative; boundary="------------020201050703050403010502"
Archived-At: <http://mailarchive.ietf.org/arch/msg/scim/-68yyijuU_je68fvd5he6RoYF6w>
Cc: scim@ietf.org
Subject: Re: [scim] Multiple external id values
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2015 15:39:37 -0000
Hi Phil, Thanks for the quick response. The resolution to expose a client specific externalId only works in half the scenario's, where you have multiple clients all representing one domain. In the other scenario, where one client representing multiple domains is using one Scim Service Provider, the client actually relies on the Service Provider to store multiple identities for its multiple domains, so in that usecase it is multi-valued by design. Do I get it right that this particular use case has not yet come up then? Concerning the privacy cinsideration, given a trust relationship between the Scim Service Provider and the Scim Client (quite some features are based on this already), privacy characteristics of the solution are not of primary concern here. The Scim Client could (should) actually take over the responsibility for protecting privacy in this one. Cheers! Mark On 05/10/15 17:17, Phil Hunt wrote: > This was discussed and the consensus was single value. > > What you can do is expose a different single value for each domain > client your server talks to. Thus domains cannot see each other's > ids. The spec already suggests this as a security consideration for > the id value. > > This would provide much better privacy characteristics and reduces > propagation of PII. > > Phil > > On Oct 5, 2015, at 07:42, Mark Dobrinic > <mark.dobrinic@twobotechnologies.com > <mailto:mark.dobrinic@twobotechnologies.com>> wrote: > >> Hi Scim people, >> >> While incorporating Scim client functionality towards a Scim Service >> Provider, we've stumbled upon a limitation regarding our desired use >> of externalId, that doesn't fit the current spec. >> >> Our usecase involves managing multiple external id's, so that we can >> both support multiple externalId's to multiple Scim Clients from one >> Scim Service Provider, as well as let a Scim Client manage multiple >> external id's with one Scim Service Provider. Each external id lives >> within the domain of a, well, domain. There are plenty of real world >> examples where domain-scoped id's are used, so it seems no more than >> natural to consider this with Scim as well. >> >> For example, a user with id barbara has an externalId 'babs' in the >> domain 'home', and externalId 'labarbara' in domain 'work'. >> >> As I understand Scim as being as effective and simple as possible, >> we've been using the extensibility of Scim to make this work. I can >> imagine this to be a generic problem that more people are (or will >> be) facing. Therefore, I'd like to propose our solution and would >> like to discuss whether this could/should be considered a standard >> solution to a standard problem, either in this form or something better. >> >> What we did was introduce an extension " >> urn:scim:schemas:extensions:external-ids:1.0" >> that defines an attribute "externalIds", >> is of type "complex", >> is multiValued, >> can be described as "External Identities of a user. Each External >> Identity is scoped within its domain", >> is optional, >> and has the following sub-attributes: >> - value : string value containing the value of the external id >> - type : string value containing the domain of the external id >> >> In JSON, it would look like this: >> >> { >> "schemas": [ "urn:scim:schemas:core:1.0", >> "urn:scim:schemas:extensions:external-ids:1.0" ], >> "id":"2819c223-7f76-453a-919d-413861904646", >> "userName":"bjensen", >> "externalId":"bjensen", >> .... >> "urn:scim:schemas:extensions:external-ids:1.0": { >> "externalIds": [ >> { >> "value": "babs", >> "type": "home" >> }, >> { >> "value": "labarbara", >> "type": "work" >> }] >> } >> } >> >> >> >> Note that we are adding to the baseline features of Scim, and not >> changing anything existing. >> >> >> I would like to hear your feedback on this, and I'm interested >> whether this could be considered as a standard extension in upcoming >> Scim versions. >> >> >> Thanks! >> >> -- >> Regards, >> >> Mark Dobrinic >> Software Engineer and Identity Specialist >> Twobo Technologies AB >> >> mark.dobrinic@twobotechnologies.com >> www.twobotechnologies.com >> _______________________________________________ >> scim mailing list >> scim@ietf.org <mailto:scim@ietf.org> >> https://www.ietf.org/mailman/listinfo/scim -- Regards, Mark Dobrinic Software Engineer and Identity Specialist Twobo Technologies AB mark.dobrinic@twobotechnologies.com www.twobotechnologies.com
- [scim] Multiple external id values Mark Dobrinic
- Re: [scim] Multiple external id values Phil Hunt
- Re: [scim] Multiple external id values Mark Dobrinic
- Re: [scim] Multiple external id values Phil Hunt
- Re: [scim] Multiple external id values Mark Dobrinic