[scim] New SCIM extension drafts published: roles + entitlements & domains

Danny Zollner <Danny.Zollner@microsoft.com> Mon, 25 October 2021 19:46 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/MVfjnWOiq1pw3Et7X9tvg6t5sW4>

Hi everyone,

I wanted to share two drafts I've worked on recently. This is my first attempt at writing internet drafts. I'm aware that both of these drafts are lacking when it comes to proper internet draft structure, section titles, etc., and I'll be attending any available sessions at IETF 112 to learn more about the process and will fix any identified problems with the drafts in a future revision. Even with the structural problems, I wanted to get these published so that feedback can be generated on the technical concepts in them. Both of these aim to improve SCIM clients' ability to formulate successful requests to SCIM service providers by identifying what values are acceptable ahead of time, rather than discovering this only via failures on POST/PATCH/PUT operations. In a recent SCIM IG meeting it was also suggested that these changes could potentially be folded into a future version of the core schema RFC (RFC 7643 currently).

https://datatracker.ietf.org/doc/draft-zollner-scim-domain-extension/
https://datatracker.ietf.org/doc/draft-zollner-scim-roles-entitlements-extension/

The first draft aims to introduce a way for SCIM service providers to advertise what domain suffixes are acceptable for emails.value and userName (if following the user@domain.com format), as a lot of SaaS/multi-tenant apps have proof of ownership-related restrictions on what domains can be used by a customer.

The second draft aims to introduce a way for SCIM service providers to advertise acceptable values for the user resource's roles and entitlements attributes. By representing these as resources rather than via /schemas canonicalValues, this allows the complex object to be represented - both the "value" and "display" attributes - allowing the SCIM client to represent these more clearly via the friendly "display" value and incorporate them into other logic to determine what roles/entitlements a user resource is given.

Thanks in advance for any feedback!

Danny Zollner

zollnerd@microsoft.com
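An added example, not code from the drafts, the author, or any SCIM implementation: a client-side pre-flight check that validates a SCIM User against the values a service provider is assumed to have advertised, so the client can reject a request locally rather than learning about it from a failed POST/PATCH/PUT. The shape of the advertised data (a list of domain suffixes, plus role and entitlement resources carrying "value" and "display") and all function names are assumptions; the drafts define the real schema.

```python
# Added example: pre-flight validation of a SCIM User against values a
# provider is ASSUMED to advertise (shape below is an assumption, not the
# drafts' schema). Constructed sample data, not from any real provider.
ADVERTISED = {
    "domains": ["example.com", "corp.example.com"],
    "roles": [{"value": "admin", "display": "Administrator"},
              {"value": "viewer", "display": "Viewer"}],
    "entitlements": [{"value": "ent-1", "display": "Read reports"}],
}


def _domain_of(value):
    """Return the domain part of a user@domain value, or None if absent."""
    local, sep, domain = value.rpartition("@")
    return domain.lower() if sep and local and domain else None


def _domain_allowed(domain, suffixes):
    """Assumption: an advertised suffix also accepts its subdomains."""
    d = domain.lower()
    return any(d == s.lower() or d.endswith("." + s.lower()) for s in suffixes)


def preflight(user, advertised=ADVERTISED):
    """Return a list of problems; an empty list means the User is acceptable."""
    problems = []
    # userName is only checked when it follows the user@domain form.
    dom = _domain_of(user.get("userName", ""))
    if dom and not _domain_allowed(dom, advertised["domains"]):
        problems.append(f"userName domain not accepted: {dom}")
    for email in user.get("emails", []):
        dom = _domain_of(email.get("value", ""))
        if dom is None or not _domain_allowed(dom, advertised["domains"]):
            problems.append(f"emails.value domain not accepted: {email.get('value')}")
    # Roles and entitlements must match an advertised resource's "value".
    for attr in ("roles", "entitlements"):
        accepted = {r["value"] for r in advertised[attr]}
        for item in user.get(attr, []):
            if item.get("value") not in accepted:
                problems.append(f"{attr} value not advertised: {item.get('value')}")
    return problems


def display_for(attr, value, advertised=ADVERTISED):
    """Look up the friendly 'display' for an advertised role/entitlement value."""
    for r in advertised[attr]:
        if r["value"] == value:
            return r["display"]
    return None
```

Running `preflight` on a User before sending it lets a client surface the "display" name of each acceptable role in its own UI and stop mismatches before the provider ever sees the request.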