Re: [scim] [EXTERNAL] Re: Clarification on Groups Schema membership attribute

Danny Zollner <Danny.Zollner@microsoft.com> Mon, 09 January 2023 22:01 UTC

From: Danny Zollner <Danny.Zollner@microsoft.com>
To: Brian Demers <brian.demers@gmail.com>, SCIM WG <scim@ietf.org>
Date: Mon, 09 Jan 2023 22:01:11 +0000
Message-ID: <CH0PR00MB1415A9BE29E3413FB9216706FFFE9@CH0PR00MB1415.namprd00.prod.outlook.com>
References: <CAH9eYVpJQeoxyzQXmA_RD6u4SW01ph5LVywcdbTqAaZHQP5u=A@mail.gmail.com> <CAH9eYVoJCA1n9k6RdTewtsBJ8cJRiZcrFW_oN+vpmtmZJ+WBpg@mail.gmail.com>
In-Reply-To: <CAH9eYVoJCA1n9k6RdTewtsBJ8cJRiZcrFW_oN+vpmtmZJ+WBpg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/YlnUrleqdo5izMRaaZGcVOVnqqw>

Hi Brian,

You're correct that sections 8.4 and 8.7.1 conflict with each other. It looks like there was an erratum filed on this a few years ago - https://www.rfc-editor.org/errata/eid6011 - and I'd agree with it. In the linked erratum it is reported that this was discussed on the mailing list a few years ago as well. TL;DR on the erratum: value, type, $ref, display. From my own experience with managing group memberships as a client, the value sub-attribute is the workhorse and other sub-attributes are sometimes included and returned by the SCIM server. I think for major SaaS/internet facing SCIM implementations it is uncommon at best, rare/unheard of at worst for group members to be identified by $ref or display as the primary means. Given the way the spec is written, though, I believe having those sub-attribute values be provided by the client is permissible.

Regarding section 2.4, the key is that it says "unless otherwise defined" - so it is not true that all multi-valued complex attributes have/must have those sub-attributes. In this case, the sub-attributes are defined, albeit inconsistently between 8.4 and 8.7.1.

Regarding 8.7.1's mention of "Where permitted, individual values and schema MAY change" - I believe the intent here is that, should it be needed, an implementer can modify the existing schema to suit their needs. For instance, if an attribute's mutability, cardinality, case sensitivity, sub-attributes, etc. in your application/system is different than that in the core SCIM schema. In practice, this is a huge pain for scalable interoperability, and I know a number of people (myself included) strongly dislike that text's inclusion in the standard because of the challenges it introduces.

Finally, I am not aware of an existing SCIM JSON schema representation of the core/enterprise user SCIM 2.0 schemas, but I agree that it would be helpful and would be happy to contribute.

Thanks,

Danny Zollner (He/Him)


From: scim <scim-bounces@ietf.org> On Behalf Of Brian Demers
Sent: Monday, January 9, 2023 2:21 PM
To: SCIM WG <scim@ietf.org>
Subject: [EXTERNAL] Re: [scim] Clarification on Groups Schema membership attribute

To follow up, a colleague reached out directly to me and mentioned section 2.4 of the Core RFC https://www.rfc-editor.org/rfc/rfc7643#section-2.4

This mentions that _all_ multivalued attributes have the sub-attributes: type, primary, value, display, $ref

Is this something that should be added to section 8.7.1?
Is there someplace where we could host official reference copies of the schema defined in the RFCs? Something like simplecloud.info (I don't know who owns this site)

On Fri, Jan 6, 2023 at 2:09 PM Brian Demers <brian.demers@gmail.com> wrote:
TL;DR - What are the official sub-attributes of "membership" items in the Groups schema?

The Groups schema listed in section 8.7.1 lists the possible sub-attributes for `members` to be: `value`, `$ref`, and `type`.
The example in 8.4 contains `value`, `$ref`, and `display`.

Section 4.2, "Group" Resource Schema, only makes reference to `id`, `$ref`, and _hints_ at `type`

members
      A list of members of the Group.  While values MAY be added or
      removed, sub-attributes of members are "immutable".  The "value"
      sub-attribute contains the value of an "id" attribute of a SCIM
      resource, and the "$ref" sub-attribute must be the URI of a SCIM
      resource such as a "User", or a "Group".  The intention of the
      "Group" type is to allow the service provider to support nested
      groups.  Service providers MAY require clients to provide a
      non-empty value by setting the "required" attribute characteristic
      of a sub-attribute of the "members" attribute in the "Group"
      resource schema.

NOTE: Section 8.7.1 does state the following:
> Where permitted, individual values and schema MAY change

If this schema is not complete, is there an _official_ schema in JSON that is?
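As an added example (not code from the thread or from any SCIM implementation), the check below takes the erratum's sub-attribute set for `members` (value, type, $ref, display) that Danny summarises and applies it to a Group resource on the client side, flagging entries that rely only on `display`, carry a sub-attribute outside that set, use a `type` other than User or Group, or whose `$ref` and `value` disagree. It assumes a member's resource URI ends in its id (the `/Users/{id}` convention); the sample Group and its ids are constructed.

```python
from urllib.parse import urlparse

# Sub-attributes of Group.members as erratum eid6011 lists them.
MEMBER_SUBATTRS = {"value", "type", "$ref", "display"}
MEMBER_TYPES = {"User", "Group"}

def check_member(member: dict) -> list:
    """Return the findings for one Group.members entry (empty list = clean)."""
    findings = []
    unknown = set(member) - MEMBER_SUBATTRS
    if unknown:
        findings.append(f"unknown sub-attribute(s): {sorted(unknown)}")
    value = member.get("value")
    if not value:  # 'value' carries the member's id and is what clients rely on
        findings.append("missing 'value' (the id of the member resource)")
    ref = member.get("$ref")
    if ref is not None:
        parsed = urlparse(ref)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(f"'$ref' is not an absolute URI: {ref!r}")
        # Assumption: the resource URI ends in the id (".../Users/{id}"),
        # so a different last path segment names a different resource.
        elif value and parsed.path.rstrip("/").rsplit("/", 1)[-1] != value:
            findings.append("'$ref' does not point at the resource named by 'value'")
    mtype = member.get("type")
    if mtype is not None and mtype not in MEMBER_TYPES:
        findings.append(f"'type' must be User or Group, got {mtype!r}")
    return findings

def check_group(resource: dict) -> dict:
    """Map each offending member index to its findings; {} means all members are clean."""
    return {i: f for i, m in enumerate(resource.get("members", [])) if (f := check_member(m))}

# Constructed sample Group (not from the thread): one clean member, then three
# members showing the kinds of inconsistency the thread is about.
SAMPLE_GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], "id": "g-42",
    "members": [
        {"value": "u-1001", "$ref": "https://example.com/v2/Users/u-1001",
         "type": "User", "display": "Babs Jensen"},
        {"display": "Mandy Pepperidge"},                               # display only
        {"value": "u-1002", "$ref": "https://example.com/v2/Users/u-9", "primary": True},
        {"value": "g-7", "type": "Role"},                              # type outside User/Group
    ],
}

if __name__ == "__main__":
    for idx, findings in check_group(SAMPLE_GROUP).items():
        print(f"members[{idx}]: " + "; ".join(findings))
```

Running it reports members 1, 2 and 3; member 0 passes because it carries exactly the erratum's sub-attributes with a `$ref` that agrees with its `value`.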