Re: [scim] Multiple external id values
Mark Dobrinic <mark.dobrinic@twobotechnologies.com> Mon, 05 October 2015 17:05 UTC
Return-Path: <mark.dobrinic@twobotechnologies.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED6A81AD37C for <scim@ietfa.amsl.com>; Mon, 5 Oct 2015 10:05:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iOjYbjfPgBuk for <scim@ietfa.amsl.com>; Mon, 5 Oct 2015 10:05:13 -0700 (PDT)
Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 746041AD377 for <scim@ietf.org>; Mon, 5 Oct 2015 10:05:12 -0700 (PDT)
Received: by wicge5 with SMTP id ge5so130090441wic.0 for <scim@ietf.org>; Mon, 05 Oct 2015 10:05:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type; bh=kpTrzuKXFSLqvvFADZmXRrI/SF+1e36KZ4rHN0RPIuo=; b=fNjR2Bqa0W7s1Le4wM6N+ZcrRVOWOb8hp62eRQGBX8aLNtuvM22N4lrC1LfO65CkXk 0rT2PHx+AQrW84cZN6gTKIgUqNlnoWaNRva61+wAh37hey3Y/Xult6b5C3P+vT+auRT3 V8XMAA0cItvYtBZOSEneS2NUhrM40XPJR26NXsBx1QeP6Vba2p4zY5ieALwBPFO4eH+E mycG7M68e7PCfznT9ev/zCZkAhbxANYsVJeMr84j7eE5dbKZnAqsgp6fj2zWak7flw0W YfPbQf5K3auKePfVgv2JdbyfSJtJmigiCOvs286JdAwQR76PN/YKPkJGxzPVRiNtbLAj 0s+Q==
X-Gm-Message-State: ALoCoQnR5YQkBusIqJHXdPGREH9FMOFBVrlSPNkXsilqFArXi4uxaQ8PLEM2mlOzz8abblKQ6nOk
X-Received: by 10.180.86.39 with SMTP id m7mr13575268wiz.91.1444064710972; Mon, 05 Oct 2015 10:05:10 -0700 (PDT)
Received: from speedyM.local (ip5651156e.adsl-surfen.hetnet.nl. [86.81.21.110]) by smtp.googlemail.com with ESMTPSA id kb9sm27880507wjb.49.2015.10.05.10.05.10 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 05 Oct 2015 10:05:10 -0700 (PDT)
To: Phil Hunt <phil.hunt@oracle.com>
References: <56128C3A.6050402@twobotechnologies.com> <E575C310-B322-4C6F-9E3A-A736D3CBB2CB@oracle.com> <561299B2.9010305@twobotechnologies.com> <DE247BA7-5205-4564-BA8A-E491D9A7EF2D@oracle.com>
From: Mark Dobrinic <mark.dobrinic@twobotechnologies.com>
Message-ID: <5612ADC5.10709@twobotechnologies.com>
Date: Mon, 05 Oct 2015 19:05:09 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <DE247BA7-5205-4564-BA8A-E491D9A7EF2D@oracle.com>
Content-Type: multipart/alternative; boundary="------------000801060504070202040109"
Archived-At: <http://mailarchive.ietf.org/arch/msg/scim/6dpvD44kBG5cpbRzD_X3N_1CBng>
Cc: scim@ietf.org
Subject: Re: [scim] Multiple external id values
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2015 17:05:17 -0000
In our particular case, you can indeed see that the client acts as a hub, applying multiple external identities for multiple domains. I totally agree that is is generally a bad idea to expose an identity that is registered with a client for domain A, to a client for domain B. Not for minimizing PII exposure primarily, but for exposing information that weakens the linkability property of privacy with identifiers. This is not what we try to solve though. It is that first case. We'd like to use Scim towards a backend system for the client-as-hub-case. The externalId attribute can not help with that. That's why I try to raise a general solution that does. Putting it in an extension as described is totally acceptable though. I don't feel like disturbing the choices that were made through consensus, but I do feel like coming up with a general solution for that alternative usecase. Including possible privacy implications. On 05/10/15 17:55, Phil Hunt wrote: > I did raise this issue. > > The consensus was one and one only. > > I do have a concern about multiple domains connecting to the same entity. > > Does one see this as a client hub controlling multiple cloud spokes. > Or does one see this as multiple client spokes contributing to a > common hub entity. > > The latter has PII propagation concerns. > > I suspect most for now only care about the former. > > Phil > > On Oct 5, 2015, at 08:39, Mark Dobrinic > <mark.dobrinic@twobotechnologies.com > <mailto:mark.dobrinic@twobotechnologies.com>> wrote: > >> Hi Phil, >> >> Thanks for the quick response. >> >> The resolution to expose a client specific externalId only works in >> half the scenario's, where you have multiple clients all representing >> one domain. In the other scenario, where one client representing >> multiple domains is using one Scim Service Provider, the client >> actually relies on the Service Provider to store multiple identities >> for its multiple domains, so in that usecase it is multi-valued by >> design. >> >> Do I get it right that this particular use case has not yet come up then? >> >> Concerning the privacy cinsideration, given a trust relationship >> between the Scim Service Provider and the Scim Client (quite some >> features are based on this already), privacy characteristics of the >> solution are not of primary concern here. The Scim Client could >> (should) actually take over the responsibility for protecting privacy >> in this one. >> >> Cheers! >> >> Mark >> >> >> >> >> On 05/10/15 17:17, Phil Hunt wrote: >>> This was discussed and the consensus was single value. >>> >>> What you can do is expose a different single value for each domain >>> client your server talks to. Thus domains cannot see each other's >>> ids. The spec already suggests this as a security consideration for >>> the id value. >>> >>> This would provide much better privacy characteristics and reduces >>> propagation of PII. >>> >>> Phil >>> >>> On Oct 5, 2015, at 07:42, Mark Dobrinic >>> <mark.dobrinic@twobotechnologies.com> wrote: >>> >>>> Hi Scim people, >>>> >>>> While incorporating Scim client functionality towards a Scim >>>> Service Provider, we've stumbled upon a limitation regarding our >>>> desired use of externalId, that doesn't fit the current spec. >>>> >>>> Our usecase involves managing multiple external id's, so that we >>>> can both support multiple externalId's to multiple Scim Clients >>>> from one Scim Service Provider, as well as let a Scim Client manage >>>> multiple external id's with one Scim Service Provider. Each >>>> external id lives within the domain of a, well, domain. There are >>>> plenty of real world examples where domain-scoped id's are used, so >>>> it seems no more than natural to consider this with Scim as well. >>>> >>>> For example, a user with id barbara has an externalId 'babs' in the >>>> domain 'home', and externalId 'labarbara' in domain 'work'. >>>> >>>> As I understand Scim as being as effective and simple as possible, >>>> we've been using the extensibility of Scim to make this work. I can >>>> imagine this to be a generic problem that more people are (or will >>>> be) facing. Therefore, I'd like to propose our solution and would >>>> like to discuss whether this could/should be considered a standard >>>> solution to a standard problem, either in this form or something >>>> better. >>>> >>>> What we did was introduce an extension " >>>> urn:scim:schemas:extensions:external-ids:1.0" >>>> that defines an attribute "externalIds", >>>> is of type "complex", >>>> is multiValued, >>>> can be described as "External Identities of a user. Each External >>>> Identity is scoped within its domain", >>>> is optional, >>>> and has the following sub-attributes: >>>> - value : string value containing the value of the external id >>>> - type : string value containing the domain of the external id >>>> >>>> In JSON, it would look like this: >>>> >>>> { >>>> "schemas": [ "urn:scim:schemas:core:1.0", >>>> "urn:scim:schemas:extensions:external-ids:1.0" ], >>>> "id":"2819c223-7f76-453a-919d-413861904646", >>>> "userName":"bjensen", >>>> "externalId":"bjensen", >>>> .... >>>> "urn:scim:schemas:extensions:external-ids:1.0": { >>>> "externalIds": [ >>>> { >>>> "value": "babs", >>>> "type": "home" >>>> }, >>>> { >>>> "value": "labarbara", >>>> "type": "work" >>>> }] >>>> } >>>> } >>>> >>>> >>>> >>>> Note that we are adding to the baseline features of Scim, and not >>>> changing anything existing. >>>> >>>> >>>> I would like to hear your feedback on this, and I'm interested >>>> whether this could be considered as a standard extension in >>>> upcoming Scim versions. >>>> >>>> >>>> Thanks! >>>> >>>> -- >>>> Regards, >>>> >>>> Mark Dobrinic >>>> Software Engineer and Identity Specialist >>>> Twobo Technologies AB >>>> >>>> mark.dobrinic@twobotechnologies.com >>>> www.twobotechnologies.com >>>> _______________________________________________ >>>> scim mailing list >>>> scim@ietf.org <mailto:scim@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/scim >> >> >> -- >> Regards, >> >> Mark Dobrinic >> Software Engineer and Identity Specialist >> Twobo Technologies AB >> >> mark.dobrinic@twobotechnologies.com >> www.twobotechnologies.com >> _______________________________________________ >> scim mailing list >> scim@ietf.org <mailto:scim@ietf.org> >> https://www.ietf.org/mailman/listinfo/scim -- Regards, Mark Dobrinic Software Engineer and Identity Specialist Twobo Technologies AB mark.dobrinic@twobotechnologies.com www.twobotechnologies.com
- [scim] Multiple external id values Mark Dobrinic
- Re: [scim] Multiple external id values Phil Hunt
- Re: [scim] Multiple external id values Mark Dobrinic
- Re: [scim] Multiple external id values Phil Hunt
- Re: [scim] Multiple external id values Mark Dobrinic