Re: [scim] Root Query & Search Requirements

Phillip Hunt <> Sat, 29 February 2020 17:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4C83F3A0F19 for <>; Sat, 29 Feb 2020 09:05:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uaSxNdsV_S2M for <>; Sat, 29 Feb 2020 09:05:32 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E636C3A0F17 for <>; Sat, 29 Feb 2020 09:05:31 -0800 (PST)
Received: by with SMTP id i11so2540750pju.3 for <>; Sat, 29 Feb 2020 09:05:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=qUi8j+FGiw5iwEdghUjupxE0axG9jQkBXTInPIf8v4g=; b=KDt6CCuVK8PlTVhiA8HF6mU+0IcU9J6maHeAYgIJNDXfpdWhFvAvnuEArKkSQLU3BT zfZfxJh6cs9VOWDG1udWRfgc5Tisv749Q/ZaR+B5t/DbyxouQHRFVLuY9ksEn+L8P6be q3XthyOmva77W/aDh0PdonoHTKuAyUKoicXHkoRpTFOblFeGn68X+5T8i3yz21OhPyJ1 Td8OeaOm8Sx2AY75qXFvTipd7+pPwqkOapMq/N+t0VWo48pPcE28HkaWaMi3PKIru9RT H50cy2RUQqZWC7IKVeaqk/ii+j80w4Oxlfq2N3tasWKu7nmAB0ZjVscGXoSHNuT77Rsq HhkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=qUi8j+FGiw5iwEdghUjupxE0axG9jQkBXTInPIf8v4g=; b=QEoLnGvd4BH2DmNMIaq7XwHIF3h4uaIniaelaWfbjXa47VQqCo5dq1ne9qBe7QtAsK yas16EulBWLMiMEBtm4wbr7Qy8T07au6hQrU2PaQ+qFUolhpSEdDS18GQSVX7BYP7iiD 7QV/qvKaYZN+afI6oM2NKN8DwHvr0B8t0hOx9iCAyIEbSeBXOqxylsjSt6Av2FbCG/Mu FJuPRMvEZGfBjaGzDSRnWWpld0vY0Kwb8cJrROMcUUpm0JiU7uPhy5/r/6FNPqP0vF/Y mSh6TNkbqn9F2pBaJ1XklPhOQ45JX4rjvwFTKi9vPR/gG33nXuDb2ttRoaDPSvluox2F pvBg==
X-Gm-Message-State: APjAAAXiRkGg7fbZByLGTeEAGOE8I/qxnr19Oe+Jp+uQhpxgblbKKpmt wyfEMMdzEADFKQdz14IomudYbQ==
X-Google-Smtp-Source: APXvYqxEoWYvN0JKcOiwGNhbk3GyXhugylt+Gwjv648+iFwfAy9KPCJqJjjxA9x0cK3yrCBeKwRYOA==
X-Received: by 2002:a17:90a:da03:: with SMTP id e3mr11402422pjv.100.1582995930918; Sat, 29 Feb 2020 09:05:30 -0800 (PST)
Received: from phil-mbp-dev.hitronhub.home ( []) by with ESMTPSA id b18sm15564564pfd.63.2020. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 29 Feb 2020 09:05:30 -0800 (PST)
From: Phillip Hunt <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_86557B97-E5A2-4852-97F7-B018AE141591"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sat, 29 Feb 2020 10:05:28 -0700
In-Reply-To: <>
To: Shelley <>
References: <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [scim] Root Query & Search Requirements
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 29 Feb 2020 17:05:34 -0000


Section of RFC7644 states that the server root is a valid search endpoint. 

The root is not and endpoint for the purpose of holding resources. It only holds the resource type containers (which each define their own endpoint) and which in turn contain resources 

The use case for querying from the root came from implementers who were using SCIM in a directory lookup style of functionality and performing search while typing type of functionality. In these cases the scim client does not know what type of resource the user wants and wants to be able to return all resource types, or a specific set of types (like Users and Groups).

Phil Hunt

> On Feb 26, 2020, at 11:47 AM, Shelley <> wrote:
> The server root is not defined as a supported endpoint [1] for querying (GET), yet the inline text for the Query Resources section [2] implies that it is a required endpoint responsible for returning all resource types:
> > Queries MAY be performed against a SCIM resource object, a resource type endpoint, or a SCIM server root.
> > A query against a server root indicates that all resources within the server SHALL be included, subject to filtering....
> > When processing query operations using endpoints that include more than one SCIM resource type (e.g., a query from the server root endpoint)...
> Similarly, searching (POST) [3] seems to assume that the search is attached to a valid SCIM endpoint, although the root is not clearly defined as such:
> > The inclusion of "/.search" on the end of a valid SCIM endpoint...
> I found some old tickets/discussions [4,5,6] that proposed making these requirements more clear in the RFC text and service provider configuration, but that clarity doesn't appear to have made its way into the final RFCs.
> Can someone provide some clarity on whether the server root must be a supported SCIM endpoint responsible for returning all resources (subject to standard filtering) and/or if it must support the .search capability?
> Our SCIM implementation does not currently have any use cases that would benefit from querying/searching across resource types, any I would prefer to add any custom support there unless it becomes necessary (i.e. just return a basic 404 response for any requests to the server root as an unknown/unsupported resource).
> [1] <>
> [2] <>
> [3] <>
> [4] <>
> [5] <>
> [6] <>_______________________________________________
> scim mailing list