Re: [scim] Call for support on proposed SCIM/SINS (re)charter

Phillip Hunt <phil.hunt@independentid.com> Tue, 14 September 2021 00:22 UTC

Return-Path: <phil.hunt@independentid.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E7FA3A1C23 for <scim@ietfa.amsl.com>; Mon, 13 Sep 2021 17:22:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mKzjRaHFh_zO for <scim@ietfa.amsl.com>; Mon, 13 Sep 2021 17:22:49 -0700 (PDT)
Received: from mail-pg1-x533.google.com (mail-pg1-x533.google.com [IPv6:2607:f8b0:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 041C23A1C22 for <scim@ietf.org>; Mon, 13 Sep 2021 17:22:48 -0700 (PDT)
Received: by mail-pg1-x533.google.com with SMTP id 17so11037375pgp.4 for <scim@ietf.org>; Mon, 13 Sep 2021 17:22:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=j8StRKRyx19RrPlpQVbSAbGXsUq0z9tVsyiO5ZOZopc=; b=DjhFIaXjNecgxf1JNNYFmzxXS0sGpWdkkgDCw4G+nJUxLSMo2h7q1sa6jopDOa5zhf xHWXA5DLupLbqfXDgo0tdDYZ3SfMoeWMv1OeqRFb4Qi5KDnYTKQvWBOkk/nnnRQZV+zW attIil8VE0Scub+OayFSoYW/9inH/8D4PdXprEgXXWskHHMqCKnjNTLSc/LhTyFtPQmQ GAcygdt1m0qDyoG9nq4bQs4MprLbfdBTA3dP6PxNJ4n7LBpThqJYGolXv4jRJlSqrHqT fTq6Mfi0xVYjn5WEoZPrRpuxyZhncWeEi8sIdce/25AKiDuq+drA8dKJcSXNF0pVtF5J /4KA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=j8StRKRyx19RrPlpQVbSAbGXsUq0z9tVsyiO5ZOZopc=; b=uvBced5fyyWTOZPq9P0FjFNmziGDVffarWWKnwxwPqgmzzYko79u+3pWPquJImn2HD ZTJR37jjQvVHluId1ah6vYUm7yYFn7Xqg21IFim490eM7Gdv7UsdXqzi+Z5ReDEvJ6LL /CqHm8wDBRbJ0KfKnzJPhaceylTlvwFwziBC2dJf6hPF984VYXD4nvxBPeplLfjxAYRU fIIaP1tz8PwZ4gczNhMSYfk5y03ArxLzazKG/fbkOGAqyltGhgM22VlYy05kqvsn2j29 IzS9ghKBP/GiRw/9USZxhAYOOu6w9FnIifGBzzff2aF2BWF+8C1B2pER5yX0UgRkhNeN XkKg==
X-Gm-Message-State: AOAM532eP809s4fDV6DDP3b+tJSyY5kuPoGhbyyjM8inNu+m4AY90kOe HrcqVRbLflZbKC1ppgSNLQb3+jNKiDwPkA==
X-Google-Smtp-Source: ABdhPJx+R6ez7lYCgJ/Kf5hDdr+IiYx9AjJfmt7ooiGhJ0v2Lx3X2v8mzjdQePOab1YAyigWTA7ftg==
X-Received: by 2002:a63:4d20:: with SMTP id a32mr13276114pgb.247.1631578966635; Mon, 13 Sep 2021 17:22:46 -0700 (PDT)
Received: from smtpclient.apple (node-1w7jr9plyoqws5ps59fgczcir.ipv6.telus.net. [2001:569:540c:4900:454:6489:bcfe:2623]) by smtp.gmail.com with ESMTPSA id i5sm7638949pjk.47.2021.09.13.17.22.45 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 13 Sep 2021 17:22:46 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-1DD35C52-F884-452E-A220-D8C373E47CEC
Content-Transfer-Encoding: 7bit
From: Phillip Hunt <phil.hunt@independentid.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 13 Sep 2021 17:22:44 -0700
Message-Id: <1C31A4EF-6BD4-415F-98BB-3716C72138C4@independentid.com>
References: <f5cf0dd4-e013-3219-2069-db1b43290520@pdmconsulting.net>
Cc: "Matt Peterson (mpeterso)" <Matt.Peterson=40oneidentity.com@dmarc.ietf.org>, "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, scim@ietf.org
In-Reply-To: <f5cf0dd4-e013-3219-2069-db1b43290520@pdmconsulting.net>
To: Danny Mayer <mayer@pdmconsulting.net>
X-Mailer: iPhone Mail (18G82)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/2IERlw3A5Q2kGiHQFoIp_A0UvKw>
Subject: Re: [scim] Call for support on proposed SCIM/SINS (re)charter
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2021 00:22:56 -0000

Ahem. Maybe just change the maximum results limit for privileged clients that need it?

Maybe this is a best practice item?

Phil

> On Sep 13, 2021, at 4:53 PM, Danny Mayer <mayer@pdmconsulting.net> wrote:
> 
> 
> The experience I've had in doing pagination mostly (but not exclusively) involved HR systems which had a 1000 per response limit but were not related to usage of scim. However any API call that returns a list can be subject to a limit by the scim server, most likely in order to preserve resources and not to tax the memory.
> 
> Danny
> 
> On 9/13/21 5:45 PM, Matt Peterson (mpeterso) wrote:
>> I agree.  
>>  
>> Pagination and Synchronization show up under the same bullet in the charter, but, like you, I think of them as separate (possibly related) topics.  I am interested in both topics. 
>>  
>> As proof, I’m hoping to get feedback from anyone that has additional pagination use case besides the “use of pagination for initial load of synchronized objects”:
>>  
>> Fetch all users and groups for the application side cache so that the application can use this cache to quickly make authorization decisions. ß Pagination
>> Incrementally keep the application-side cache of users and groups up to date with changes being made on the SCIM server.  ß Synchronization
>>  
>> One classic use case for pagination is to support pages of results in a UI.   Like Google search results.   Is anyone doing this?  
>>  
>> We aren’t.  For UI to find/search SCIM objects, we use a more modern  “Typeahead Find” pattern that is preferred by our users – and it does not require pagination.
>>  
>> Again… I don’t know all the use cases for pagination.  I’m sure there are more out there that are very relevant.  Step one is making a list of reasons people need pagination.   
>>  
>>  
>> From: Danny Mayer <mayer@pdmconsulting.net> 
>> Sent: Monday, September 13, 2021 2:27 PM
>> To: Matt Peterson (mpeterso) <Matt.Peterson@oneidentity.com>om>; Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>om>; Phil Hunt <phil.hunt@independentid.com>
>> Cc: scim@ietf.org
>> Subject: Re: [scim] Call for support on proposed SCIM/SINS (re)charter
>>  
>> CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.
>>  
>> Matt,
>> 
>> Synchronization and paging are different issues and should be handled separately. You may need paging for synchronization but that may not be the only case. I don't personally know of other cases but I would like to hear other people's experience of this so that the requirements be properly included in the draft RFCs.
>> 
>> Danny
>> 
>> On 9/13/21 11:02 AM, Matt Peterson (mpeterso) wrote:
>> Danny,
>>  
>> One of the goals of the workgroup is to understand what the pagination use cases are (besides initial loading of object set to be synchronized). 
>>  
>> I’m eager to start keeping track of pagination use cases.  Can you posting to the list the use cases that you are thinking of you’d need pagination for?   Thanks! 
>>  
>> From: scim <scim-bounces@ietf.org> On Behalf Of Danny Mayer
>> Sent: Friday, September 10, 2021 6:11 PM
>> To: Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org>rg>; Phil Hunt <phil.hunt@independentid.com>
>> Cc: scim@ietf.org
>> Subject: Re: [scim] Call for support on proposed SCIM/SINS (re)charter
>>  
>> CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.
>>  
>> Pagination and synchronization are really different issues. Synchronization MAY need pagination but not necessarily. There are other reasons why pagination may be necessary.
>> 
>> Danny
>> 
>> On 9/10/21 8:00 PM, Nancy Cam-Winget (ncamwing) wrote:
>> Thanks for the feedback Phil.  I’m trying to determine proposed changes to the charter text…..I suspect there might have been a translation issue for synchronization being more about pagination than paging?
>>  
>> If you can provide suggested updates, it will be helpful to rally agreement for the updates too.
>>  
>> Best, Nancy
>>  
>> From: Phil Hunt <phil.hunt@independentid.com>
>> Date: Wednesday, September 8, 2021 at 6:34 PM
>> To: ncamwing <ncamwing@cisco.com>
>> Cc: "scim@ietf.org" <scim@ietf.org>
>> Subject: Re: [scim] Call for support on proposed SCIM/SINS (re)charter
>>  
>> Nancy,
>>  
>> Thanks for putting this together.
>>  
>> For this go around my interest lies mainly in Events and Synchronization and profiles.  I am willing to provide updated drafts for this process after some initial agreement on cases.  Drafts already in the archive (they may be fairly out of date!):
>>  
>> * SCIM Events - draft-hunt-idevent-scim  (needs to be updated to reflect the work we did in RFC8417)
>> * OpenId Connect Profile for SCIM - https://openid.net/specs/openid-connect-scim-profile-1_0.html
>>  
>> Regarding the MV-Paging draft.  This draft has nothing to do with synchronization and is intended for clients who need to pull a limited number of values in a multi-valued-attribute in situations such as large groups. Most typical use would be in building a user interface allowing the searching of MVAs.
>>  
>> As far as exploring using paging as a synchronization approach is not something we should explore (ie in the charter). IMHO this appraoch an anti-pattern.  If its needed, I am happy to add text in the best practices or elsewhere as to why this isn’t a great approach from the perspective of security, DoS, timeliness, scale, and cost.
>>  
>> That said, a couple people indicated they wanted stateful paging. Unfortunately they didn’t elaborate on a use case.
>>   
>> Phil Hunt
>> @independentid
>> phil.hunt@independentid.com
>>  
>>  
>> 
>> 
>> 
>> 
>> 
>> On Sep 8, 2021, at 5:21 PM, Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org> wrote:
>>  
>> Hello SCIM participants,
>>  
>> After some virtual meetings (thank you Pam for hosting these!) and discussion, there is a new proposed charter that addresses the points raised at the IETF 111 SINS session. 
>> This is a call for support of the charter defined below, please provide your response by Sept. 24, 2021. 
>>  
>> As you respond in support for the charter, please also specify if you are willing to produce, review and/or implement the resulting documents.
>> Otherwise, do provide feedback in the time window if there are concerns or issues you see with the charter below:
>>  
>> Charter
>> 
>> The System for Cross-domain Identity Management (SCIM) specification is an HTTP-based protocol that makes managing identities in multi-domain scenarios easier. SCIM was last published in 2015 and has seen growing adoption.
>> 
>> One goal for this working group is to shepherd SCIM, currently RFC series 7642, 7643, 7644, through the Internet Standard process. The group will deliver revised specifications for the SCIM requirements as Informational, and for the SCIM protocol and base schema suitable for consideration as a Standard. This work will be based upon the existing RFCs, errata and interoperabilty feedback, and incorporate current security and privacy best practices.
>> 
>> In addition to revising the requirements, protocol and base schema RFCs, the group will also consider additional specifications as extensions to SCIM that have found broad adoption and are ready for standards track. This includes profiles and schemas for interoperability in additional scenarios. The working group will develop additional Proposed Standard RFCs based on outcomes of the following work:
>> 
>> Revision of the informational RFC 7642 will:
>> Focus on Use cases and implementation patterns
>> Pull vs. Push based use cases
>> Events and signals use cases
>> Deletion use cases
>> New use cases may be added to the revised RFC
>> Revision of RFC 7643/44 will include:
>> Profiling SCIM relationships with other identity-centric protocols such as OAuth 2.0, OpenID Connect, Shared Signals, and Fastfed
>> Updates to the evolution of the externalid usage
>> Document SCIM support for synchronization-related goals between domains focused on:
>> Handling returning large result sets through paging, based on [draft-hunt-scim-mv-paging-00]
>> Incremental approaches to synchronization
>> Support for deletion-related goals including:
>> Handling Deletes in SCIM Servers that don’t allow Deletes (Soft Deletes) - based on [draft-ansari-scim-soft-delete-00]
>> Support for advanced automation scenarios such as:
>> Discovery and negotiation of client credentials
>> Attribute mapping
>> Per-attribute schema negotiation
>> Enhance the existing schema to support exchanging of HR, Enterprise group and privileged access management (using draft-grizzle-scim-pam as a base)
>>  
>> Best, Nancy (as one of the BoF chairs)
>>  
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>>  
>> 
>> 
>> 
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>> 
>> 
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>> 
>> 
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim