[scim] SCIM Interest Group Meeting Notes for 2021-03-17

Tim Cappalli <Tim.Cappalli@microsoft.com> Fri, 19 March 2021 14:19 UTC

From: Tim Cappalli <Tim.Cappalli@microsoft.com>
To: "scim@ietf.org" <scim@ietf.org>
Date: Fri, 19 Mar 2021 14:19:17 +0000
Message-ID: <PH0PR00MB10291968C324E04A8613F8B695689@PH0PR00MB1029.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/5zQw9miH71cwj_r-43Tfz8JKGE4>
Subject: [scim] SCIM Interest Group Meeting Notes for 2021-03-17
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>

Hi all,

The meeting notes for this week's meeting have been posted to GitHub and are included below:
[meetings/2021-03-17.md at main · SCIM-Interest-Group/meetings (github.com)](https://github.com/SCIM-Interest-Group/meetings/blob/main/2021/2021-03-17.md)


# 2021-03-17 Meeting
* Notes taken by Pam Dingle and Tim Cappalli

## attendees
* Pam Dingle (Microsoft Identity)
* Tim Cappalli (Microsoft Identity)
* Danny Mayer (NTP)
* Darin McAdams (AWS)
* Jeremy Palenchar (Orcas Consulting)
* Matt Domsch (SailPoint)
* Phil Hunt (IndependentId)
* Shon Vella (Identity Automation)
* Heather Flanagan ()
* Matt Peterson (Quest)
* Dean Saxe (AWS)

## meeting notes
* Blog entry from SailPoint: https://medium.com/sailpointtechblog/identity-security-standards-you-should-scim-through-sailpoint-390f88f92118
    * Need to amplify!
* Pam to create a page where operating practices are notated
    * For searchability reasons, meeting notes should be sent to the SCIM mailing list (on the Monday following the meeting?).
* At some point we need to talk about the timing for Draft Charter

### Phil on History of SCIM
* Restfulness was the new craze when SCIM started
* Everyone had a separate interface; everyone was implementing REST interfaces differently.
* Implementations were asymmetric: usually one entity wrote the interface and everyone else conformed to the vagaries of that entity.
* REST itself was never standardized
* Lots of folks were veterans of X.509 and LDAP - they had scars
* Rigidity created fragility: if the spec was too strict, implementations would fail. The better option is to describe behavior.
* Adopted Postel's law (robustness principle); the IETF has since moved away from this philosophy.
* Didn't support stateful querying, etc., because the role/charter was to create a provisioning API, not a database. Returning a result set rather than the whole thing was seen as more DB-ish than provisioning-ish.
* The 1000 paper cuts came from pressure to finish; there was simultaneous criticism of SCIM as being over-defined and under-defined.
* Could solve these problems the way OIDC did:
    * OIDC test suite encapsulated practices of APIs as well as protocols
    * If SCIM could host a test suite... but it takes $$
* Lots of enhancements discussed, but the question is: is there an interop need?
* Paged results
    * Phil thinks it is cool, but paging of multi-value attributes (e.g. group members; i.e. million-member groups) might have more value
* Danny: notes every place's access is very different (everyone nodded)
* MattD: applications looking to offload authZ
* Phil: can see use for a schema for particular kinds of applications
    * you have to store state somewhere
    * complementary to OAuth Dynamic Registration
* Question: is there a canonical name for the 4 roles (push/pull) or (client/server)?
    * Phil: no! Nobody was thinking about it back then. At the time all of the data was considered to be behind the perimeter, and cloud providers also had big issues with punching through firewalls, so the dominant paradigm really was one-directional.
    * We were focused on SCIM clients being request initiators against SCIM service providers (same as HTTP Client and Server).
    * Pushers vs. pullers can begin to be a tricky question (experience from SET).
        * Aside, the SET event model was something we had planned to build SCIM "Triggers" on (see original charter). Could be foundation for Async SCIM.


## actions for next week

* Pam to create iCal list
* Need to get rid of lobby (without inviting Zoom bombers)
* Matt will find that spreadsheet!


## actions for a future meeting
* Paul/Matt: PAM draft
* "Death by Paper cuts" session
    * Lots of small things getting us down
    * Darin has already sent thoughts on Amazon's paper cuts