Re: [scim] Multiple external id values

[Phil Hunt <phil.hunt@oracle.com>]

This was discussed and the consensus was single value. 

What you can do is expose a different single value for each domain client your server talks to.  Thus domains cannot see each other's ids. The spec already suggests this as a security consideration for the id value. 

This would provide much better privacy characteristics and reduces propagation of PII. 

Phil

> On Oct 5, 2015, at 07:42, Mark Dobrinic <mark.dobrinic@twobotechnologies.com> wrote:
> 
> Hi Scim people,
> 
> While incorporating Scim client functionality towards a Scim Service Provider, we've stumbled upon a limitation regarding our desired use of externalId, that doesn't fit the current spec.
> 
> Our usecase involves managing multiple external id's, so that we can both support multiple externalId's to multiple Scim Clients from one Scim Service Provider, as well as let a Scim Client manage multiple external id's with one Scim Service Provider.  Each external id lives within the domain of a, well, domain. There are plenty of real world examples where domain-scoped id's are used, so it seems no more than natural to consider this with Scim as well.
> 
> For example, a user with id barbara has an externalId 'babs' in the domain 'home', and externalId 'labarbara' in domain 'work'.
> 
> As I understand Scim as being as effective and simple as possible, we've been using the extensibility of Scim to make this work. I can imagine this to be a generic problem that more people are (or will be) facing. Therefore, I'd like to propose our solution and would like to discuss whether this could/should be considered a standard solution to a standard problem, either in this form or something better.
> 
> What we did was introduce an extension " urn:scim:schemas:extensions:external-ids:1.0"
> that defines an attribute "externalIds",
> is of type "complex",
> is multiValued,
> can be described as "External Identities of a user. Each External Identity is scoped within its domain",
> is optional,
> and has the following sub-attributes:
> - value : string value containing the value of the external id
> - type : string value containing the domain of the external id
> 
> In JSON, it would look like this:
> 
>                 {
>                 "schemas": [ "urn:scim:schemas:core:1.0", "urn:scim:schemas:extensions:external-ids:1.0" ],
>                 "id":"2819c223-7f76-453a-919d-413861904646",
>                 "userName":"bjensen",
>                 "externalId":"bjensen",
>                 ....
>                 "urn:scim:schemas:extensions:external-ids:1.0": {
>                     "externalIds": [
>                         {
>                             "value": "babs",
>                             "type": "home"
>                         },
>                         {
>                             "value": "labarbara",
>                             "type": "work"
>                         }]
>                     }
>                 }
> 
> 
> 
> Note that we are adding to the baseline features of Scim, and not changing anything existing.
> 
> 
> I would like to hear your feedback on this, and I'm interested whether this could be considered as a standard extension in upcoming Scim versions.
> 
> 
> Thanks!
> 
> -- 
> Regards,
> 
> Mark Dobrinic
> Software Engineer and Identity Specialist
> Twobo Technologies AB
> 
> mark.dobrinic@twobotechnologies.com
> www.twobotechnologies.com
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim