Re: [scim] SCIM v3?

Matt Domsch <matt.domsch@sailpoint.com> Tue, 09 June 2020 16:08 UTC

From: Matt Domsch <matt.domsch@sailpoint.com>
To: Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org>, Darran Rolls <me@darranrolls.com>, "scim@ietf.org" <scim@ietf.org>
Date: Tue, 09 Jun 2020 16:08:49 +0000
Message-ID: <DM6PR04MB460489A55B634872BDFB760BF2820@DM6PR04MB4604.namprd04.prod.outlook.com>
References: <F4D06C51-8D39-4AA3-83B0-6D6982C451C7@cisco.com> <A9824A60-BFB0-4047-8C09-6328CE497E36@independentid.com> <CA+7VvRZ0HVo_hTk_zx+bt+d5T9T0gue2VeY5tN1haSwG_xA-bg@mail.gmail.com> <21CF422B-4F2F-41E6-AC48-9B37929A5E25@darranrolls.com> <DM6PR00MB0666B2889D8D37FDC01316C3A6820@DM6PR00MB0666.namprd00.prod.outlook.com>
In-Reply-To: <DM6PR00MB0666B2889D8D37FDC01316C3A6820@DM6PR00MB0666.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/WK_G_q_B-AblcXjNkNT4uiQkzFA>
Subject: Re: [scim] SCIM v3?

We’ll definitely ask for a BOF, or if the charter and its approvals can be done in time, a formal WG session at IETF 108.  That may be pushing it, but the area directors think it’s possible.  They’ve offered to reserve a time as a BOF now.

I can attend any of Darran’s suggested times for a videoconference.

Thanks,
Matt

Matt Domsch
VP, Lead Corporate Architect
matt.domsch@sailpoint.com
mobile: 512-981-6486
www.sailpoint.com


From: scim <scim-bounces@ietf.org> On Behalf Of Anthony Nadalin
Sent: Tuesday, June 9, 2020 9:40 AM
To: Darran Rolls <me@darranrolls.com>; scim@ietf.org
Subject: Re: [scim] SCIM v3?

It may be better to have a BOF for IETF 108. I think there are some updates that could be made to SCIM as we have some things on our list, but I’m not sure that another directory protocol is what is needed.

From: scim <scim-bounces@ietf.org> On Behalf Of Darran Rolls
Sent: Tuesday, June 9, 2020 5:27 AM
To: scim@ietf.org
Subject: [EXTERNAL] Re: [scim] SCIM v3?

So, I read lots of interest to restart and contribute – excellent.

In the interest of rapidly moving towards a strawman charter, I’ll take a first pass at what that charter might look like and send it out here for comment.  If no one has any objection, I propose we set a time for an “interest-group call” mid/late next week?  I know it’s tricky and a little unfair to throw out call times without more prior planning BUT if we can move this along quickly we can catch the IETF 108 train.

So, is there support to hold one of the following times next week for a conversation on that (to be sent) strawman charter?  LMK if anyone feels that’s too tight or unfair for folks that are interested but can’t make it and we can stick to a list-only conversation.

10am Central US Wednesday 24th
11am Central US Wednesday 24th
---
10am Central US Thursday 25th
11am Central US Thursday 25th
---
10am Central US Friday 26th
11am Central US Friday 26th

Thanks
Darran

From: Paul Lanzi <paul@remediant.com>
Date: Monday, June 8, 2020 at 11:30 AM
To: Darran Rolls <me@darranrolls.com>, "scim@ietf.org" <scim@ietf.org>
Subject: Re: [scim] SCIM v3?

Darran, all --

I think a relook at some of the items you mentioned would be great -- count me in!

On this topic:
> Ratification of extension to address Privilege Account Management use cases

We've had some discussions with the SailPoint folks (most notably: David Lee, Matt Domsch and more recently, Adam C) that the current SCIM-PAM API is very specifically focused on supporting password-vault use cases, and doesn't have an allowance for the Just-In-Time PAM approach. Both the Identity Defined Security Alliance (IDSA) and Gartner have recently recognized this approach, and I think it would make sense to further extend the SCIM-PAM proposal to also include the use cases around JIT PAM. I'm happy to help contribute towards the technical work needed to do so.

Thanks,

--Paul
--Co-Founder @ Remediant

On Mon, Jun 8, 2020 at 8:59 AM Phillip Hunt <phil.hunt@independentid.com> wrote:
Thanks Elliot.

A number of these features including MVA filtering and paging are based on a desire to build front end IDM management UIs to SCIM API providers.

One could say this would begin to move SCIM from a provisioning protocol to a “directory” protocol. Is SCIM Directory a theme that would drive interest in a new charter?
Phil

On Jun 8, 2020, at 2:38 AM, Eliot Lear <lear@cisco.com> wrote:
Hi Paul,

As a hanger-on, I like your list.  I don’t see the value in paging, but clearly a great many others do, so I have something to learn.

Eliot

On 8 Jun 2020, at 10:34, Paul Logston <paul.logston@gmail.com> wrote:

Hi Darran and Phil,

I am interested in being part of this discussion. I work for a company that regularly uses the SCIM protocol and we have a use for a number of the extensions Darran suggested above.

Best,
Paul

Paul Logston
(510) 755 - 4474
paul.logston@gmail.com
linkedin.com/in/paullogston



On Sun, Jun 7, 2020 at 3:32 AM Phillip Hunt <phil.hunt@independentid.com> wrote:
Darran

Good to hear!

I am not sure these items require a v3. I believe these all can be done via extensions thus maintaining backwards compatibility.

For example I did submit a proposal for paged attributes based on the current drafts.

https://tools.ietf.org/html/draft-hunt-scim-mv-paging-00

I think we have to see if there is sufficient interest to charter a WG and determine interest in specific items.

Another long-term issue is compliance. For this we need to find an independent organization to develop and host an interop test suite, as compliance testing is not something the IETF does.  This will likely require direct donation of funds and time. This is how things happened for OIDC testing.
Phil Hunt

On Jun 6, 2020, at 10:15 AM, Darran Rolls <me@darranrolls.com> wrote:
Hello SCIM folks,

To introduce myself to the group, up until March of this year I was the CTO at SailPoint and worked with Kelly Grizzle and Matt Domsch on all things identity standards.  I'm now consulting and engaging on various projects around the IAM space.

Having chatted with Leif and Morteza directly, I wanted to bring a discussion back here to the full WG alias.  As several of you will already know, I’d like to formally make a request to re-charter this WG.  The goal of the WG would be to address the ratification of the following work items:


  *   Protocol /operational enhancements

     *   Multi-value paging & cursor pagination
     *   Relying party user provisioning
     *   Soft Delete
     *   Interop and testing capabilities

  *   New schema to address

     *   Extended HR /user data and related action events
     *   Ratification of extension to address Privilege Account Management user cases

I therefore seek your comments and input on this proposal.  Are you interested in participating?  What is missing from the above list of work items?  Is there support for an informal interest-group call sometime in the next two weeks?

Thanks
Darran

--
https://www.darranrolls.com
LinkedIn: https://www.linkedin.com/in/darran-rolls-068b84
@djrolls: https://twitter.com/djrolls

_______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim