Re: [scim] Discovery support for SCIM

Kelly Grizzle <kelly.grizzle@sailpoint.com> Thu, 01 October 2015 02:31 UTC

From: Kelly Grizzle <kelly.grizzle@sailpoint.com>
To: Ian Glazer <iglazer@salesforce.com>, Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 01 Oct 2015 02:31:09 +0000
Message-ID: <BN1PR04MB392BC5B246BF082E0E3DCA9E24C0@BN1PR04MB392.namprd04.prod.outlook.com>
References: <CD73F905-2D21-4A2B-AB6D-BA2C51258F89@oracle.com> <CAKzGp_6t_YZdzOu3EZkvBf==bM8JcpyCgQpu-urP4-sXe9BE+A@mail.gmail.com> <8EE2BEE7-8873-410B-8E17-FBA34C77A9FF@oracle.com> <CAOJ9JzQAfMEseMj7DVBDD=Ku_Af=twt30sc--KbyG7ZoTGtw4w@mail.gmail.com>
In-Reply-To: <CAOJ9JzQAfMEseMj7DVBDD=Ku_Af=twt30sc--KbyG7ZoTGtw4w@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/scim/ADKj9oukkgYDQ86TuEQXqPdUkUc>
Cc: SCIM WG <scim@ietf.org>, Chuck Mortimore <charliemortimore@gmail.com>
Subject: Re: [scim] Discovery support for SCIM

+1.  Just the base URL should be good.  Then the /ServiceProviderConfigs, /ResourceTypes, and /Schemas can be used based on the SCIM spec.

From: scim [mailto:scim-bounces@ietf.org] On Behalf Of Ian Glazer
Sent: Tuesday, September 29, 2015 2:29 PM
To: Phil Hunt
Cc: SCIM WG; Chuck Mortimore
Subject: Re: [scim] Discovery support for SCIM

I like that approach Phil

On Tue, Sep 29, 2015 at 2:10 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
Chuck,

Thanks.  That too was my main objective.

Is there anything else that should be returned other than the URL for the SCIM server?  E.g. do we want a JSON structure that might convey multiple pieces of information?  E.g. authentication requirements and endpoints.

I am leaning towards just returning a URL and keeping the response simple since SCIM already has its own service specific discovery endpoints (e.g. /ServiceProviderConfig).

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On Sep 28, 2015, at 12:37 PM, Chuck Mortimore <charliemortimore@gmail.com> wrote:

We're interested in the service discovery aspect. Less so on the profile discovery / webfinger.

On Mon, Sep 28, 2015 at 11:58 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
It’s now Monday after completion of the SCIM RFCs and I have already received a new enhancement request.  BTW thanks to everyone in the WG for all your efforts!

The request is to define discovery for SCIM. For example using the Well-known mechanism (RFC5785) and potentially WebFinger (RFC7033).

For example, a SCIM client may send the following query:

GET  https://www.example.com/.well-known/scim

For which the server might respond with a URL to the appropriate SCIM server and path to the server root (e.g. "profile.example.com/scim").

In a more complex version with a webfinger (RFC7033) query:

GET https://www.example.com/.well-known/webfinger?resource=acct%3Abob%40example.com&
        rel=scim-profile

Which responds:
     HTTP/1.1 200 OK
     Access-Control-Allow-Origin: *
     Content-Type: application/jrd+json

     {
       "subject" : "acct:bob@example.com",
       "links" :
       [
         {
           "rel" : "scim-profile",
           "href" : "https://www.example.com/scim/Users/bob-id"
         }
       ]
     }


Overall, I see a few different use-cases:

1.  A SCIM client simply wants to know where the SCIM Profile service is for a specific domain (e.g. tenacy.example.com).

2.  A SCIM client might be looking for a user’s profile service.  So it asks example.com where is phil.hunt@acme.com?  This would be a WebFinger style query based on the well-known endpoint. The same WebFinger query could also return the OIDC endpoints as well as the SCIM endpoints for the user.  This may be useful for cases where service providers have multiple tenancies and there is a need to have a generic, tenancy neutral lookup service.

3.  A SCIM client that has the service endpoint for a SaaS service (e.g. CRM, HCM, Finance) may be looking for the provisioning endpoint and the ResourceType and schemas relevant to the application.   For example, a client that wants to provision a User to a Finance system wants to know where the Finance app provisioning endpoint is.  It could be a Finance SCIM endpoint or it may be a profile service endpoint.

Questions:

A. Are there members of the WG interested in this?

B. From a protocol standpoint, it should not matter whether a client is talking to SCIM that is deployed in front of a business application (like CRM, Finance), vs. SCIM as a general User profile service. However, due to possible differences in the higher-level logic of the client, would it be important to distinguish between say “scim-provisioning” and “scim-profile” as distinct types of services?  If so, what do we think defines that difference?

Thanks,

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

_______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim






--
Ian Glazer
Senior Director, Identity
+1 202 255 3166
@iglazer <https://twitter.com/iglazer>
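An added example, not code from this thread or from any SCIM implementation: a small discovery client for the two lookups Phil sketches (the WebFinger query for a user's scim-profile link, and the plain base-URL case that Kelly's reply points at), with the validation a relying party should apply before trusting a discovered URL. The JRD document, the hostname policy and the rel name "scim-profile" are assumptions for illustration.

```python
"""Added example (not from the thread): SCIM discovery client with the checks a
relying party should apply to a discovery response it did not produce itself."""
import json
from urllib.parse import quote, urlencode, urlparse, urljoin

SCIM_REL = "scim-profile"          # rel value used in the thread's example; assumed
SCIM_ENDPOINTS = ("ServiceProviderConfig", "ResourceTypes", "Schemas")

def webfinger_url(domain, acct, rel=SCIM_REL):
    """Build https://<domain>/.well-known/webfinger?resource=acct%3A...&rel=..."""
    query = urlencode({"resource": f"acct:{acct}", "rel": rel}, quote_via=quote)
    return f"https://{domain}/.well-known/webfinger?{query}"

def _trusted_host(href, domain):
    """Policy (assumed): only https, and only the queried domain or a subdomain of it."""
    u = urlparse(href)
    host = (u.hostname or "").lower()
    return u.scheme == "https" and (host == domain or host.endswith("." + domain))

def select_scim_link(jrd_text, acct, domain, rel=SCIM_REL):
    """Parse a JRD document and return the first validated scim-profile href, or None."""
    jrd = json.loads(jrd_text)
    if jrd.get("subject") != f"acct:{acct}":   # response must describe the subject we asked for
        return None
    for link in jrd.get("links", []):
        href = link.get("href")
        if link.get("rel") == rel and isinstance(href, str) and _trusted_host(href, domain):
            return href
    return None

def scim_endpoints(base_url):
    """Derive the spec-defined discovery endpoints from a discovered SCIM base URL."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    return {name: urljoin(base, name) for name in SCIM_ENDPOINTS}

# Constructed JRD modelled on the thread's example. The first link is plain http and
# the second points at a foreign host; both must be rejected, the third accepted.
SAMPLE_JRD = json.dumps({
    "subject": "acct:bob@example.com",
    "links": [
        {"rel": "scim-profile", "href": "http://www.example.com/scim/Users/bob-id"},
        {"rel": "scim-profile", "href": "https://other.example.net/scim/Users/bob-id"},
        {"rel": "scim-profile", "href": "https://profile.example.com/scim/Users/bob-id"},
    ],
})
```

The subject check matters because a WebFinger server may answer for a different resource than the one requested; a client that skips it will provision against whatever profile the server chose to return.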