Re: [scim] New Version Notification for draft-hunt-scim-events-00.txt

"Matt Peterson (mpeterso)" <Matt.Peterson@oneidentity.com> Tue, 01 March 2022 23:20 UTC

From: "Matt Peterson (mpeterso)" <Matt.Peterson@oneidentity.com>
To: Phillip Hunt <phil.hunt@independentid.com>, SCIM WG <scim@ietf.org>
Thread-Topic: [scim] New Version Notification for draft-hunt-scim-events-00.txt
Thread-Index: AQHYISOUk9bW7DQFJ0KHII+hxj/ytKyrPHVA
Date: Tue, 01 Mar 2022 23:20:02 +0000
Message-ID: <MWHPR19MB09570E7856B0AB8F3C302B54E1029@MWHPR19MB0957.namprd19.prod.outlook.com>
References: <164478778536.18383.9465550742040458278@ietfa.amsl.com> <24C0EC30-ED30-416E-9E52-1C6287488DE5@independentid.com>
In-Reply-To: <24C0EC30-ED30-416E-9E52-1C6287488DE5@independentid.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/BvwAN1RfzPM9HxX8HrxgxsO-HXw>

Hi Phil,

I finally found time today to review draft-hunt-scim-events-00.

I am happy that this draft addresses two very common use cases that the draft labels: “coordinated provisioning” and “domain-based replication”. I have been a strong proponent of these use cases in meetings and on this list, so I wanted to emphasize this for others. If you are interested in keeping your SCIM Client up to date with changes happening on the SCIM Service Provider, YOU SHOULD READ THIS DRAFT. 😊

I have created a short list of nit-picks (typos, rewords, etc.) that I will send to you privately. In addition, I have a few initial comments for the list, since there may be others who have similar thoughts when they read the draft:


1. For point-to-point delivery over HTTP Push-based SET (RFC 8935), the draft does not describe the SCIM mechanism by which the Event Provider (SCIM Service Provider) determines the HTTP endpoint to use when transmitting to the Event Receiver.
2. For point-to-point delivery over HTTP Poll-based SET (RFC 8936), the draft does not describe the SCIM mechanism for “pre-arranging polling endpoint to check for SETs that are available”.
3. The draft does not describe a ServiceProviderConfig schema that would allow a SCIM Service Provider’s support for SCIM Events to be discovered.

Thoughts?

--
Matt Peterson
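The poll-based SET exchange from point 2, as an added example that is not part of this thread or the draft: an in-process simulation of RFC 8936 polling in which the Transmitter keeps a SET until the Recipient acknowledges its jti on a later poll, so a Recipient that fails between delivery and processing gets the SET again rather than losing it. The issuer, audience, event URI and resource values are constructed placeholders (not the draft's event schema), and the SETs are unsecured (alg "none") for brevity.

```python
# Added example (not from the draft or this thread): in-process simulation of the
# RFC 8936 poll-based SET exchange. Issuer, audience, event URI and resource
# values are constructed placeholders; SETs are unsecured (alg "none") for brevity.
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_set(jti: str, event_uri: str, resource: str) -> str:
    # A real SET is a signed JWT; this one carries the same claims unsigned.
    header = {"typ": "secevent+jwt", "alg": "none"}
    claims = {"jti": jti, "iss": "https://sp.example.com", "aud": "https://rx.example.com",
              "iat": 1646176800, "events": {event_uri: {"resource": resource}}}
    return b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode()) + "."

def set_claims(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class Transmitter:  # SET Transmitter side of the polling endpoint
    def __init__(self):
        self.pending = {}  # jti -> SET, oldest first; removed only once acked

    def queue(self, jti: str, event_uri: str, resource: str) -> None:
        self.pending[jti] = make_set(jti, event_uri, resource)

    def poll(self, request: dict) -> dict:
        for jti in request.get("ack", []):  # acks are processed before selecting SETs
            self.pending.pop(jti, None)
        jtis = list(self.pending)
        if "maxEvents" in request:  # maxEvents of 0 makes this an ack-only request
            jtis = jtis[:request["maxEvents"]]
        return {"sets": {j: self.pending[j] for j in jtis},
                "moreAvailable": len(jtis) < len(self.pending)}

class Recipient:  # SET Recipient: process each SET, then ack it on the next poll
    def __init__(self):
        self.received = []  # claims of processed SETs, in delivery order

    def run(self, tx: Transmitter, max_events: int) -> list:
        ack = []
        while True:
            resp = tx.poll({"maxEvents": max_events, "returnImmediately": True, "ack": ack})
            if not resp["sets"]:  # the final poll only delivers the last acks
                return self.received
            for jti, token in resp["sets"].items():
                # A real Recipient validates signature, typ, iss and aud before acting.
                self.received.append(set_claims(token))
            ack = list(resp["sets"])  # acknowledge only what was actually processed
```

Until a jti is acknowledged, every poll returns it again; this is what makes delivery at-least-once, and why the Recipient must treat a redelivered SET as a duplicate rather than a new event.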

From: scim <scim-bounces@ietf.org> On Behalf Of Phillip Hunt
Sent: Sunday, February 13, 2022 2:49 PM
To: SCIM WG <scim@ietf.org>
Subject: Re: [scim] New Version Notification for draft-hunt-scim-events-00.txt


Hi SCIMers!

As promised, I have submitted the draft proposal for Co-ordinated Events between SCIM Providers (called SCIM Profile for Security Event Tokens).

The draft is a bit long, but that is primarily because I have included a number of diagrams and examples as well as use case (delivery mode) discussion. The actual implementation specification is relatively short.

The draft leverages the Security Event Token spec set and defines events for SCIM that can be used for:
* Feed control (what resources are part of an event feed)
* HTTP Async Request completion messages
* Security signals
* Co-ordinated cross-domain provisioning and domain-based replication.

Apologies, the draft has a few “TODOs”. Though I have included several privacy and security considerations in the content, I still need to complete the separate sections. As an editor introducing a brand new specification, I prefer to write these sections when there is a rudimentary consensus and the basic approach has crystallized. I plan to complete this before adoption as a possible working group draft.

There is also a section on event processing logic. I feel this too needs some prior requirements discussion as we may need to refine scenarios. It could also be argued that processing logic is up to the implementer and not necessary for inter-op.

One item that is out of scope for this draft is “bootstrap” and “recovery” for SCIM Service Providers. I’m not sure this content belongs in this draft. Obviously if one is setting up a new replica node, you have to have a method for initial transfer. I would be happy to contribute to, or help write such a draft. It might not need to be normative but more of a best practice draft.

Finally, it is my hope that this draft eliminates much (or all) of the stated requests I have heard for cursor-based paging. The idea of event processing is to prevent the repeated need for full system transfers (via paged gets) by dealing with events as they occur once two or more systems are running based on a bulk load. The approach of using “call-backs” also helps to enforce data access and disclosure restrictions that might not otherwise be possible in cursor-based approaches.

Chairs… obviously I would like to discuss this at the next IETF meeting in March.

Phillip Hunt
@independentid
phil.hunt@independentid.com




Begin forwarded message:

From: internet-drafts@ietf.org
Subject: New Version Notification for draft-hunt-scim-events-00.txt
Date: February 13, 2022 at 1:29:45 PM PST
To: "Phil Hunt" <phil.hunt@independentid.com>, "Phillip Hunt" <phil.hunt@independentid.com>


A new version of I-D, draft-hunt-scim-events-00.txt
has been successfully submitted by Phil Hunt and posted to the
IETF repository.

Name: draft-hunt-scim-events
Revision: 00
Title: SCIM Profile for Security Event Tokens
Document date: 2022-02-13
Group: Individual Submission
Pages: 27
URL:            https://www.ietf.org/archive/id/draft-hunt-scim-events-00.txt
Status:         https://datatracker.ietf.org/doc/draft-hunt-scim-events/
Html:           https://www.ietf.org/archive/id/draft-hunt-scim-events-00.html
Htmlized:       https://datatracker.ietf.org/doc/html/draft-hunt-scim-events


Abstract:
  This specification profiles the Security Event Token specification,
  to define a set of events for SCIM Protocol servers that can be used
  for asynchronous transaction confirmations, replication, cross-domain
  provisioning co-ordination, and security signals.




The IETF Secretariat