Re: [scim] Is ServiceProviderConfig Required?

Phillip Hunt <> Wed, 13 October 2021 15:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CE4CC3A0BBC for <>; Wed, 13 Oct 2021 08:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jQY2kpcFe2pt for <>; Wed, 13 Oct 2021 08:57:56 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D6D773A0BB9 for <>; Wed, 13 Oct 2021 08:57:56 -0700 (PDT)
Received: by with SMTP id m14so2847851pfc.9 for <>; Wed, 13 Oct 2021 08:57:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=Inx05PdggfqPUAYHe0VW0Zs8cuul0Trkn3JN9CMN7QE=; b=OY1sK/QXHkMekM6muxGpZqwZwj3XXiL3DQMfi7WzLCVET2ohsp/AaDagQ9onOgugPt chRVWfSmh682N5dyFlcIQ5hqutbEMa5qqGlhjga94fETHLwAsKGqJSmj3DVq41cBeI9K FRPbQ+JmtR1fkjv35doQUo4kbNeLp3+XeQu6tKSsDgrbATZpVo1HUnjep+5dL/GM7smy q94wC3/cvfiIwLPzY7tNfccMN+l0VoQUQOpGcsDcOg4YlihAGkIaBFisFhb0ZXKYvDFJ JwUwLtvHjUvDGZtrqGvJHWQjWSU/Mmw02IPxsUIXlQrtL+5O8BMZtCMFf6VHzeBhOOAl SYQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=Inx05PdggfqPUAYHe0VW0Zs8cuul0Trkn3JN9CMN7QE=; b=ai0uQXtypTXSIcIIbCnFqoFLQ79w2aGNJsG8IPHLz/MzF4fAxShakJpwuurprKNmAe R+uyY6v6b416zmIVgiwgDGwFqdSkmNR2EOEd9Ov27Rdllxi97T9mABERX77TuvR/3fwf y6ZjtxIbKLsJMhx1Dcev05TvwnX4aHYbN4tKIV8HA19TE66m2TLQh+a3wScnHG/iase2 KzilPVTtNxIbJD9m5YYxgsxsRW4lwe3bz/LVrPs5cT4C62Mniq7chrpYfGhVzKWcW9Uv D8Qdq9tj4OfkhW92K2KObo9dwmRmKDg+liI5L9kwnZLwiNly8dDn0jD4nLaDpqKfQvkv 8YQQ==
X-Gm-Message-State: AOAM5329Qvg0h4q2LqT24dJ3oppvDVBaNTkYzMcFzPMbhgi4i6tvTZ40 RojX08exBg7lw0za1DVOmmMKfv/ESx9/5Q==
X-Google-Smtp-Source: ABdhPJw+9oPIPT7pqecN0POnAj0NHy9/DjV7KbJcC1H6z+1uDpsOm5uM4INOs8Z9spKkIi4o8QH+8g==
X-Received: by 2002:a63:6c02:: with SMTP id h2mr13887237pgc.173.1634140675748; Wed, 13 Oct 2021 08:57:55 -0700 (PDT)
Received: from ( [2001:569:7316:ae00:4d88:4b67:7bdb:993c]) by with ESMTPSA id oo9sm11298pjb.53.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 13 Oct 2021 08:57:55 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Phillip Hunt <>
Mime-Version: 1.0 (1.0)
Date: Wed, 13 Oct 2021 08:57:54 -0700
Message-Id: <>
References: <>
Cc: SCIM WG <>
In-Reply-To: <>
To: Danny Mayer <>
X-Mailer: iPhone Mail (19A348)
Archived-At: <>
Subject: Re: [scim] Is ServiceProviderConfig Required?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Oct 2021 15:58:02 -0000



> On Oct 13, 2021, at 8:24 AM, Danny Mayer <> wrote:
> I've been looking at some SCIM servers and it seems that some do not provide the ServiceProviderConfig endpoint and at least one Commercial SCIM Client didn't request the endpoint when I was testing it last year. Is it a requirement to provide this endpoint and is the client required to read it and obey the rules laid out in the returned information? Are clients using it?

ServiceProviderConfig is the standard way to do functionality, schema and resource type discovery. 

As a discovery feature it is technically optional. It does seem silly not to implement it since for many its fairly simple to implement. 

I have heard of many smarter clients that use it. client does discovery to defines its own schema to match. 
> I'm also not sure about the /Me endpoint. That requires that the SCIM server retain state. That should be the SCIM client's responsibility.

Not sure what you mean here. The server just uses the authorization header to locate what /Me refers to.  Eg matching username or sub claim. 

> Danny
> _______________________________________________
> scim mailing list