Re: [scim] Call for support on proposed SCIM/SINS (re)charter

Phil Hunt <phil.hunt@independentid.com> Thu, 09 September 2021 01:34 UTC

Return-Path: <phil.hunt@independentid.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EB143A1103 for <scim@ietfa.amsl.com>; Wed, 8 Sep 2021 18:34:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06nhUxw2UtqS for <scim@ietfa.amsl.com>; Wed, 8 Sep 2021 18:34:01 -0700 (PDT)
Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com [IPv6:2607:f8b0:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35B043A1320 for <scim@ietf.org>; Wed, 8 Sep 2021 18:34:00 -0700 (PDT)
Received: by mail-pf1-x429.google.com with SMTP id n34so320332pfv.7 for <scim@ietf.org>; Wed, 08 Sep 2021 18:34:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Wu4AuMUX0q6t+B/0swrap4XxB401j2Iiu451lD/j510=; b=GcS98ZIPauSYlqInGAWoLVPMjClJsp4RDqXsnQ/nLF+No3Sxn83mISm6uIBGZu8jqq J0DLzd7k99ZCehOUC//OTD7EgS6cELHTKOgAAFTfWut+ZY00H0Kaf1A23n/wqCQMGsif SSPfnxN2q/fP7CLYlCnVvAFRwgSqZm+yIQJmRzLjUMoDgLp5LE/iiV2VyhU871qIr6bF wjIJOsuinxzQHA/R9yLg1zY1XVawdMN7P/auCGmvccm/pw6T8LSQ05AZwODUZCkX2wb8 Oarxf1JgCpOwySUKGvA/H8/pVjWLDHvWyJHffUFJwVmD++2DxfODplUid6WAZDAdA0GN B9Sg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Wu4AuMUX0q6t+B/0swrap4XxB401j2Iiu451lD/j510=; b=DIwSCvbusZjdUb6Km2WNiVjWnbrjIs3WUth8L3rWH310RFfxL++dpgdAqEAQlelf1J 999VzVSUuRwPwLM518i9UWDHJBGvCSm2aqAjre6kbPyq1wxlJ+Q4Nqv9QABl0zzUEK2l GSKcufw4slnIJeSZzKEZrVc1a+E+BnPoDGWinZZnlhTkvXF0giDihAP6e6LerZqzBp7S SncQyGj+gzDOLxO4MI4avu0fS21qs+53vikKPiWAo83LDepTUlsT0OzlfT7T3YzX+xWP lmgxSQcKVKxXQfpejZ+wQrYcCa3T/0bPTnDTBJkHRQ9jC8Y3F1lnXWOR/KQQUrbjHDg+ ik+g==
X-Gm-Message-State: AOAM530wGcSUX3366C4BLvM7tQsLBPLg/d0oj/0OM1Te/Mb7rpeiQDxB Gd3OAsr8SlkzeMfAwTXuVGxFB1G/355ABiE5
X-Google-Smtp-Source: ABdhPJx/tQ2x8zDB87Q2OHG6/1ha11HE0S2Weo5KbtUvFQWjwahMMc6Kdpi1EIpvXjgB1i11FgXfhQ==
X-Received: by 2002:a63:7d0f:: with SMTP id y15mr329064pgc.446.1631151239686; Wed, 08 Sep 2021 18:33:59 -0700 (PDT)
Received: from smtpclient.apple (node-1w7jr9qrfoxx9sgsmvqsnpbrb.ipv6.telus.net. [2001:569:7a71:1d00:9503:1143:9e20:cec7]) by smtp.gmail.com with ESMTPSA id d4sm139748pfv.21.2021.09.08.18.33.58 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Sep 2021 18:33:59 -0700 (PDT)
From: Phil Hunt <phil.hunt@independentid.com>
Message-Id: <BBE3BC42-F3C5-4B89-A10F-0949D9876E62@independentid.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8E887732-5994-4BA7-9B63-2790A3922F2B"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Wed, 8 Sep 2021 18:33:58 -0700
In-Reply-To: <9BCA478F-548E-4F6A-9F1B-6D8E15AE9373@cisco.com>
Cc: "scim@ietf.org" <scim@ietf.org>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>
References: <9BCA478F-548E-4F6A-9F1B-6D8E15AE9373@cisco.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/VYSV6rfLt3IDMCO4Y8ifilRMFTY>
Subject: Re: [scim] Call for support on proposed SCIM/SINS (re)charter
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2021 01:34:07 -0000

Nancy,

Thanks for putting this together.

For this go around my interest lies mainly in Events and Synchronization and profiles.  I am willing to provide updated drafts for this process after some initial agreement on cases.  Drafts already in the archive (they may be fairly out of date!):

* SCIM Events - draft-hunt-idevent-scim <https://tools.ietf.org/html/draft-hunt-idevent-scim>  (needs to be updated to reflect the work we did in RFC8417)
* OpenId Connect Profile for SCIM - https://openid.net/specs/openid-connect-scim-profile-1_0.html

Regarding the MV-Paging draft.  This draft has nothing to do with synchronization and is intended for clients who need to pull a limited number of values in a multi-valued-attribute in situations such as large groups. Most typical use would be in building a user interface allowing the searching of MVAs.

As far as exploring using paging as a synchronization approach is not something we should explore (ie in the charter). IMHO this appraoch an anti-pattern.  If its needed, I am happy to add text in the best practices or elsewhere as to why this isn’t a great approach from the perspective of security, DoS, timeliness, scale, and cost.

That said, a couple people indicated they wanted stateful paging. Unfortunately they didn’t elaborate on a use case.
  
Phil Hunt
@independentid
phil.hunt@independentid.com




> On Sep 8, 2021, at 5:21 PM, Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hello SCIM participants,
>  
> After some virtual meetings (thank you Pam for hosting these!) and discussion, there is a new proposed charter that addresses the points raised at the IETF 111 SINS session. 
> This is a call for support of the charter defined below, please provide your response by Sept. 24, 2021. 
>  
> As you respond in support for the charter, please also specify if you are willing to produce, review and/or implement the resulting documents.
> Otherwise, do provide feedback in the time window if there are concerns or issues you see with the charter below:
>  
> Charter
> 
> The System for Cross-domain Identity Management (SCIM) specification is an HTTP-based protocol that makes managing identities in multi-domain scenarios easier. SCIM was last published in 2015 and has seen growing adoption.
> 
> One goal for this working group is to shepherd SCIM, currently RFC series 7642 <https://datatracker.ietf.org/doc/html/rfc7642>, 7643 <https://datatracker.ietf.org/doc/html/rfc7643>, 7644 <https://datatracker.ietf.org/doc/html/rfc7644>, through the Internet Standard process. The group will deliver revised specifications for the SCIM requirements as Informational, and for the SCIM protocol and base schema suitable for consideration as a Standard. This work will be based upon the existing RFCs, errata and interoperabilty feedback, and incorporate current security and privacy best practices.
> 
> In addition to revising the requirements, protocol and base schema RFCs, the group will also consider additional specifications as extensions to SCIM that have found broad adoption and are ready for standards track. This includes profiles and schemas for interoperability in additional scenarios. The working group will develop additional Proposed Standard RFCs based on outcomes of the following work:
> 
> Revision of the informational RFC 7642 will:
> Focus on Use cases and implementation patterns
> Pull vs. Push based use cases
> Events and signals use cases
> Deletion use cases
> New use cases may be added to the revised RFC
> Revision of RFC 7643/44 will include:
> Profiling SCIM relationships with other identity-centric protocols such as OAuth 2.0, OpenID Connect, Shared Signals, and Fastfed
> Updates to the evolution of the externalid usage
> Document SCIM support for synchronization-related goals between domains focused on:
> Handling returning large result sets through paging, based on [draft-hunt-scim-mv-paging-00]
> Incremental approaches to synchronization
> Support for deletion-related goals including:
> Handling Deletes in SCIM Servers that don’t allow Deletes (Soft Deletes) - based on [draft-ansari-scim-soft-delete-00]
> Support for advanced automation scenarios such as:
> Discovery and negotiation of client credentials
> Attribute mapping
> Per-attribute schema negotiation
> Enhance the existing schema to support exchanging of HR, Enterprise group and privileged access management (using draft-grizzle-scim-pam <https://tools.ietf.org/id/draft-grizzle-scim-pam-ext-00.html> as a base)
>  
> Best, Nancy (as one of the BoF chairs)
>  
> _______________________________________________
> scim mailing list
> scim@ietf.org <mailto:scim@ietf.org>
> https://www.ietf.org/mailman/listinfo/scim <https://www.ietf.org/mailman/listinfo/scim>