[scim] Discovery support for SCIM

Phil Hunt <phil.hunt@oracle.com> Mon, 28 September 2015 18:58 UTC

From: Phil Hunt <phil.hunt@oracle.com>
Message-Id: <CD73F905-2D21-4A2B-AB6D-BA2C51258F89@oracle.com>
Date: Mon, 28 Sep 2015 11:58:03 -0700
To: SCIM WG <scim@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/scim/LnThdRzC-cLL2LCqylOBWnFGqd0>
Subject: [scim] Discovery support for SCIM

It’s now Monday after completion of the SCIM RFCs and I have already received a new enhancement request.  BTW thanks to everyone in the WG for all your efforts!

The request is to define discovery for SCIM, for example using the well-known mechanism (RFC5785) and potentially WebFinger (RFC7033).

For example, a SCIM client may send the following query:

GET https://www.example.com/.well-known/scim

For which the server might respond with a URL to the appropriate SCIM server and path to the server root (e.g. "profile.example.com/scim").

In a more complex version with a webfinger (RFC7033) query:

GET https://www.example.com/.well-known/webfinger?resource=acct%3Abob%40example.com&
        rel=scim-profile

Which responds:
     HTTP/1.1 200 OK
     Access-Control-Allow-Origin: *
     Content-Type: application/jrd+json

     {
       "subject" : "acct:bob@example.com",
       "links" :
       [
         {
           "rel" : "scim-profile",
           "href" : "https://www.example.com/scim/Users/bob-id"
         }
       ]
     }


Overall, I see a few different use-cases:

1.  A SCIM client simply wants to know where the SCIM Profile service is for a specific domain (e.g. tenancy.example.com).

2.  A SCIM client might be looking for a user’s profile service.  So it asks example.com where is phil.hunt@acme.com?  This would be a WebFinger style query based on the well-known endpoint. The same WebFinger query could also return the OIDC endpoints as well as the SCIM endpoints for the user.  This may be useful for cases where service providers have multiple tenancies and there is a need to have a generic, tenancy neutral lookup service.

3.  A SCIM client that has the service endpoint for a SaaS service (e.g. CRM, HCM, Finance) may be looking for the provisioning endpoint and the ResourceType and schemas relevant to the application.  For example, a client that wants to provision a User to a Finance system wants to know where the Finance app provisioning endpoint is.  It could be a Finance SCIM endpoint or it may be a profile service endpoint.

Questions:

A. Are there members of the WG interested in this?

B. From a protocol standpoint, it should not matter whether a client is talking to SCIM that is deployed in front of a business application (like CRM, Finance), vs. SCIM as a general User profile service. However, due to possible differences in the higher-level logic of the client, would it be important to distinguish between say “scim-provisioning” and “scim-profile” as distinct types of services?  If so, what do we think defines that difference?

Thanks,

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com
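As an added example (not part of Phil's message and not code from any SCIM or WebFinger implementation), the Python below builds the WebFinger query shown in the message and parses a JRD response to pick out the scim-profile link. The JRD text is the sample from the message, embedded as a constructed string so the script runs offline; the subject/alias check, the https-only rule and the host allow-list are my assumptions about what a careful client should verify before it trusts a discovered endpoint, not requirements from the SCIM RFCs. A second constructed response shows those checks rejecting a clear-text link and a link that points off the expected host, which is the main risk a discovery step adds: a provisioning client sending credentials and user data wherever a discovery document tells it to.

```python
import json
from urllib.parse import urlencode, urlsplit


def webfinger_url(host: str, resource: str, rel: str) -> str:
    """Build the RFC 7033 query URL for one resource and one rel.

    urlencode percent-encodes ':' and '@' in the acct: URI, giving the
    resource=acct%3Abob%40example.com form shown in the message.
    """
    return f"https://{host}/.well-known/webfinger?" + urlencode(
        {"resource": resource, "rel": rel}
    )


def select_links(jrd_text: str, resource: str, rel: str, allowed_hosts=None) -> list:
    """Parse a JRD document and return the hrefs advertised for `rel`.

    Checks applied before a link is accepted (assumptions about what a
    careful client should do; not mandated by the SCIM RFCs):
      - the JRD subject, or one of its aliases, is the resource we asked
        about, so a response describing a different account is not used;
      - the href uses https, so credentials are never sent in clear text;
      - when allowed_hosts is given, the href points at a host on that list,
        so a discovery document cannot steer provisioning traffic elsewhere.
    """
    doc = json.loads(jrd_text)
    subjects = {doc.get("subject")} | set(doc.get("aliases", []))
    if resource not in subjects:
        raise ValueError(
            f"JRD subject {doc.get('subject')!r} does not match {resource!r}"
        )

    hrefs = []
    for link in doc.get("links", []):
        if not isinstance(link, dict) or link.get("rel") != rel:
            continue
        href = link.get("href")
        if not isinstance(href, str):
            continue
        parts = urlsplit(href)
        if parts.scheme != "https" or not parts.hostname:
            continue
        if allowed_hosts is not None and parts.hostname not in allowed_hosts:
            continue
        hrefs.append(href)
    return hrefs


# Constructed JRD response: the example from the message, with straight quotes.
SAMPLE_JRD = """{
  "subject": "acct:bob@example.com",
  "links": [
    {"rel": "scim-profile", "href": "https://www.example.com/scim/Users/bob-id"}
  ]
}"""

# Constructed response with links a client should not follow: one over plain
# http, one on a host other than the one queried, plus an unrelated rel.
BAD_JRD = """{
  "subject": "acct:bob@example.com",
  "links": [
    {"rel": "scim-profile", "href": "http://www.example.com/scim/Users/bob-id"},
    {"rel": "scim-profile", "href": "https://other.example.net/scim/Users/bob-id"},
    {"rel": "http://openid.net/specs/connect/1.0/issuer", "href": "https://www.example.com"}
  ]
}"""


def discover_profile(host: str, resource: str, jrd_text: str, rel: str = "scim-profile"):
    """Return (query_url, accepted_hrefs) for an account, trusting only `host`."""
    url = webfinger_url(host, resource, rel)
    return url, select_links(jrd_text, resource, rel, allowed_hosts={host})


if __name__ == "__main__":
    url, links = discover_profile("www.example.com", "acct:bob@example.com", SAMPLE_JRD)
    print(url)
    print(links)
    print(discover_profile("www.example.com", "acct:bob@example.com", BAD_JRD)[1])
```

The allow-list is deliberately strict (only the host that served the JRD); a deployment with a separate profile host, as in the "profile.example.com/scim" case from the message, would add that host to the list rather than drop the check.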