Re: [scim] Extend core schema multivalue complex attribute

Phillip Hunt <phil.hunt@independentid.com> Tue, 20 October 2020 19:54 UTC


Aleyidin

At present there is no way to do this. :-(

The best way I have seen is to move the whole CMVA attribute to the extension.

Splitting attributes across schemas will likely break most parsers, as this is not expected.

Extending existing complex attributes is well worth discussing in the scim.next discussion. Being able to add sub-attributes like “verified” is very useful. 

Another solution might be simply to add the new attribute to your core User schema definition. You won’t be running 100% standard schema, but at least your schemas endpoint would be discoverable and clients can understand the new attribute definition there. Clients that don’t read the schemas will likely just ignore the attribute, which in many cases is fine since they don’t understand it anyway.

There are also many cases where a SCIM endpoint does not support the full standard schema. SCIM clients in general should expect some deployment differences, which can be uncovered by looking at the actual schema definition at the schemas endpoint.

At the very least a best practice document from the group would be helpful. 

Phil
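To make the "discover it at the schemas endpoint" approach concrete, here is an added example (not code from the thread or from any SCIM implementation) of a client that reads a constructed /Schemas entry for the core User schema, learns which sub-attributes of the multi-valued complex `emails` attribute the deployment actually declares, and drops anything undeclared from an incoming resource. The schema JSON, the `verified` sub-attribute and the sample user are all constructed for this example.

```python
import json

# Constructed /Schemas entry: the core User schema as served by a deployment that,
# per Phil's suggestion, added a non-standard "verified" sub-attribute to "emails".
USER_SCHEMA = json.loads("""
{
  "id": "urn:ietf:params:scim:schemas:core:2.0:User",
  "attributes": [
    {"name": "userName", "type": "string", "multiValued": false},
    {"name": "emails", "type": "complex", "multiValued": true,
     "subAttributes": [
       {"name": "value", "type": "string"},
       {"name": "type", "type": "string"},
       {"name": "primary", "type": "boolean"},
       {"name": "verified", "type": "boolean"}
     ]}
  ]
}
""")

# Sub-attributes RFC 7643 defines for the core User "emails" attribute; anything
# beyond these that a schemas endpoint declares is deployment-specific.
STANDARD_EMAIL_SUBATTRS = {"value", "display", "type", "primary"}

# Constructed incoming resource: one declared extra sub-attribute ("verified")
# and one that the schemas endpoint never declared ("otherAttribute").
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "sample",
    "emails": [{"type": "work", "value": "sample@example.com",
                "verified": True, "otherAttribute": "x"}],
}


def declared_subattributes(schema, attr_name):
    """Sub-attribute names the discovered schema declares for a complex attribute."""
    for attr in schema["attributes"]:
        if attr["name"] == attr_name and attr["type"] == "complex":
            return {sub["name"] for sub in attr["subAttributes"]}
    return set()


def nonstandard_subattributes(schema, attr_name, standard=STANDARD_EMAIL_SUBATTRS):
    """Deployment-specific sub-attributes: declared by this endpoint, absent from the RFC."""
    return declared_subattributes(schema, attr_name) - standard


def filter_multivalued(resource, attr_name, declared):
    """Keep only declared sub-attributes in each value of a complex multi-valued
    attribute. Returns (cleaned copy, names of dropped sub-attributes)."""
    cleaned, dropped = dict(resource), set()
    cleaned[attr_name] = []
    for entry in resource.get(attr_name, []):
        cleaned[attr_name].append({k: v for k, v in entry.items() if k in declared})
        dropped.update(set(entry) - declared)
    return cleaned, dropped
```

A client that never reads /Schemas can only fall back to `STANDARD_EMAIL_SUBATTRS`, so it silently drops `verified` as well; a client that discovers the schema keeps `verified` and still discards the undeclared `otherAttribute`.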

> On Oct 19, 2020, at 3:56 AM, Karaimin, Aleyidin <aleyidin.karaimin@sap.com> wrote:
> 
> 
> Hi
>  
> I would like to ask you about a possible way to extend a multivalue attribute. Our use cases require supporting additional sub-attributes for some User and Group multivalue complex attributes. For example:
>  
> {
>     "schemas": [
>         "urn:ietf:params:scim:schemas:core:2.0:User"
>     ],
>     "userName": "sample",
>     "emails": [
>         {
>             "type": "work",
>             "value": "sample@example.com",
>             "otherAttribute": "value" // the name is known (it is defined by us)
>         }
>     ]
> }
>  
> According to the spec, this will conflict with the core schema. I know that I could define an extension schema and add this attribute, but this would lead to a lot of duplicate data.
>  
> {
>     "schemas": [
>         "urn:ietf:params:scim:schemas:core:2.0:User"
>     ],
>     "userName": "sample",
>     "emails": [
>         {
>             "type": "work",
>             "value": "sample@example.com",
>             ...
>         }
>     ],
>     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:Emails": {
>         "emails": [
>             {
>                 "type": "work",
>                 "value": "sample@example.com",
>                 "otherAttribute": "value" // the name is known (it is defined by us)
>                 ...
>             }
>         ]
>     }
> }
>  
> My question is whether there is another solution to achieve this.
> Thank you.
>  
> Best Regards
> Aleydin