IETF Logo Mail Archive

Re: [scim] Groups Member Type

Kelly Grizzle <kelly.grizzle@sailpoint.com> Wed, 09 August 2017 21:45 UTC

Return-Path: <kelly.grizzle@sailpoint.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D93713244B for <scim@ietfa.amsl.com>; Wed, 9 Aug 2017 14:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sailpoint.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zb9fq-tWmaIM for <scim@ietfa.amsl.com>; Wed, 9 Aug 2017 14:45:16 -0700 (PDT)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0103.outbound.protection.outlook.com [104.47.32.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7E53132458 for <scim@ietf.org>; Wed, 9 Aug 2017 14:45:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sailpoint.onmicrosoft.com; s=selector1-sailpoint-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=TP4AL+iPxZ9JIM1yZ591R1+OnHasTQrsXxFAhm04SRw=; b=HHntPyO+z820zG1abGBV43lf/82B51g/jW4CF44ET+apOQ00tP5XOxoKrtnqIa+jvs3WjgsFQOa1mNKL5OxYWo9BxItTqJN0F7jSQKjT/BCFZuWOR/YfS2NFyKSqrGN/fgaDESS2czB1hgLYTLMaHQ8QjaHT+OhRGsdlQGIC10g=
Received: from CY1PR04MB2363.namprd04.prod.outlook.com (10.167.10.143) by CY1PR04MB2362.namprd04.prod.outlook.com (10.167.10.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1320.16; Wed, 9 Aug 2017 21:45:13 +0000
Received: from CY1PR04MB2363.namprd04.prod.outlook.com ([10.167.10.143]) by CY1PR04MB2363.namprd04.prod.outlook.com ([10.167.10.143]) with mapi id 15.01.1320.018; Wed, 9 Aug 2017 21:45:13 +0000
From: Kelly Grizzle <kelly.grizzle@sailpoint.com>
To: Shelley <randomshelley@gmail.com>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
CC: "scim@ietf.org" <scim@ietf.org>
Thread-Topic: [scim] Groups Member Type
Thread-Index: AQHOALOOeHp6hjJutkGc7C2Tyxq6nZhpv6cAgAs7UQCAAEp64IAVpkqAiftC6wCAABjZ4IAACfiAgAArcoCAADMQsA==
Date: Wed, 09 Aug 2017 21:45:13 +0000
Message-ID: <CY1PR04MB2363D27C3FCAE2AD9AFEDB61E28B0@CY1PR04MB2363.namprd04.prod.outlook.com>
References: <CAGUsYPz7_9Tat93aC2t=YAQcHG6dmboYDYij_8sRpKA6CZoWEA@mail.gmail.com> <56C3C758F9D6534CA3778EAA1E0C343753AB2F38@BLUPRD0412MB643.namprd04.prod.outlook.com> <CAGUsYPwUt997zV9sxC4p93Jz=9j+bWeqygyMSkssM1gMZfxhpQ@mail.gmail.com> <56C3C758F9D6534CA3778EAA1E0C343753AC4630@BLUPRD0412MB643.namprd04.prod.outlook.com> <CAGUsYPyV7RjdmbUMcQ5N8NdwGjPzt2xHSANyNJon_uceNjhUgA@mail.gmail.com> <CAGUsYPzYh0zqpEedtAx2rwTKzPYRiURY3DTzJi8jyDUxrifUiw@mail.gmail.com> <CY1PR04MB2363D61AB4E1F0C5843904F5E28B0@CY1PR04MB2363.namprd04.prod.outlook.com> <BC21670B-1A93-430C-BBF7-0E1B5BE4B570@oracle.com> <CAGUsYPxTc-2Z0ifMNc2iY9xoyRXYLW46nrOtdJFw2VHUboXmcQ@mail.gmail.com>
In-Reply-To: <CAGUsYPxTc-2Z0ifMNc2iY9xoyRXYLW46nrOtdJFw2VHUboXmcQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kelly.grizzle@sailpoint.com;
x-originating-ip: [70.114.154.180]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY1PR04MB2362; 6:wOLqoa0fVc5uI8BA69rrcSYQhHJz9BzU5HUzxoU+AOg/aKsUixt4+tdZUmn9uOWzgA1oO8KaEVxFs1pNVAAZlI++OaSIVS+VASMS3OiTxm2DQE813xDteoebHC3Ysu6posABRIvldv3teGEAbVC3z5jPMDTqFpOXcT4piT+uQd/aUm3ozXW/jM33Is4gyzwTGyffP5kfIBkL+EfUG8eD/L7FGKm1iuM8L4Lzmz/Tfx+kTpmumYO6iR7ReSuNQZR/aZ8lAHVdPaHgml6ZtyVvPtEVy9dRO22TICveZqmnrOPxf8Hhg3+0CSv1/17qqjUQPweY9kJXxsEQJ/iylBqYUw==; 5:Q+m3aj6gUc00Bg0/wR7R7uebxW/HzbpApACZWuuLAladztFeDh8oTOlgpPETR1IRn2On6GqdWeoryMdAEr3EDkJ/+HpuG8GC8vqb99xMRpdFLsjoM8MHUHJIuwy8C+0eovayJTRIFWNZV4PSzEYTFw==; 24:/H3NtBSQaFkbtN4c71lhkF4ZH9aFze5B9UOE6IJjxFWakg6ZJCKkm1D+2+K1s+trD/LNmcyuZccgNtchZN+6zOzoipBxXRqubToRSQmfrGU=; 7:CAFftUzf4FCZ4PwkjCLfoPm4H3yafI26tLq8es2yE1Dh3/FGx8HXxgJsH8TeGkx7BvkZvUrZzWk9VtATOKAdqqTpO8ZXa3VFzzfq5mzwLEx0yHFhb/TbmKveJHGTNFLhMR8uqjARGdVOk+OXqkfTydFtNWCc47P8lMHRrVon4/92XTTonvK9Uw5+Vnp7EjaScR6pCWakHw7oyzfeD8zl3zBUAO8QB6lxehl0zjzJQNI=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 2de8735a-7e31-4f04-e992-08d4df6fea93
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CY1PR04MB2362;
x-ms-traffictypediagnostic: CY1PR04MB2362:
x-exchange-antispam-report-test: UriScan:(158342451672863)(10436049006162)(21748063052155)(146099531331640);
x-microsoft-antispam-prvs: <CY1PR04MB2362296BB21496143F507F63E28B0@CY1PR04MB2362.namprd04.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(93006095)(93001095)(100000703101)(100105400095)(10201501046)(3002001)(6041248)(20161123558100)(20161123555025)(20161123562025)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY1PR04MB2362; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY1PR04MB2362;
x-forefront-prvs: 0394259C80
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39450400003)(39400400002)(39410400002)(39840400002)(24454002)(189002)(199003)(377454003)(966005)(81166006)(478600001)(106356001)(4326008)(33656002)(5660300001)(3280700002)(105586002)(3660700001)(6506006)(2900100001)(66066001)(6436002)(517774005)(93886004)(7696004)(53546010)(606006)(8676002)(229853002)(14454004)(2950100002)(77096006)(19609705001)(39060400002)(8936002)(7736002)(55016002)(99286003)(102836003)(790700001)(189998001)(54896002)(575784001)(101416001)(81156014)(97736004)(6116002)(53946003)(53936002)(561944003)(9686003)(68736007)(3846002)(6246003)(236005)(2906002)(74316002)(86362001)(50986999)(25786009)(38730400002)(54356999)(76176999)(6306002)(579004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR04MB2362; H:CY1PR04MB2363.namprd04.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: sailpoint.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY1PR04MB2363D27C3FCAE2AD9AFEDB61E28B0CY1PR04MB2363namp_"
MIME-Version: 1.0
X-OriginatorOrg: sailpoint.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2017 21:45:13.5383 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9c848b2a-49ba-4c39-9749-118d06717a84
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR04MB2362
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/aEtMPhv0Td2z0LbNwsHC2btAch4>
Subject: Re: [scim] Groups Member Type
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 21:45:20 -0000

Your plan sounds good to me, Shelly.  That’s how I would implement it.

From: Shelley [mailto:randomshelley@gmail.com]
Sent: Wednesday, August 9, 2017 1:42 PM
To: Phil Hunt (IDM) <phil.hunt@oracle.com>
Cc: Kelly Grizzle <kelly.grizzle@sailpoint.com>; scim@ietf.org
Subject: Re: [scim] Groups Member Type

You can also tell via id which is local and $ref path given's scim's strict path rules (look at the parent of the last segment).

  *   Is the id now required to be globally unique across all resource types? If not, there is no guarantee that an SP can determine the resource type from the id.
  *   The $ref is also optional, so this cannot be consistently used to determine the type. Further, I was under the impression that the $ref is primarily used for SPs to communicate the resource location to consumers, rather than vice versa (i.e. it's essentially a read-only attribute).

Here is my tentative plan for our SP implementation for evaluating group members:

  *   Treat value as REQUIRED. While the example SCIM schema<https://tools.ietf.org/html/rfc7643#page-69> does not actually require the group member value sub-attribute, this is the most consistent identifier for referring to members.
  *   Treat $ref as READ-ONLY (i.e. ignore it completely when processing requests). Using a $ref provided by consumers seems a bit fragile (aside from eliminating the complexity of URI comparison, it's possible that a single resource may have multiple DNS names, which further complicates absolute URI comparisons and integrity), and introduces redundancy (and potential ambiguity) with value/type.
  *   Treat type as OPTIONAL. My preference would be to treat this as REQUIRED in order to eliminate any ambiguity, but given that the SCIM specs don't require it, doing this would limit interoperability for consumers that may not be sending it.
  *   If type is not provided, assume the default value is "User".
  *   Perform referential integrity to ensure that any provided group member resources exist, based on value and type.

Examples

Given the existence of the following resources, here are some example requests/responses based on this proposal:

  *   ../Users/abc
  *   ../Groups/xyz


Group Members


Response


"members": [

  {
    "value": "abc",

    "type": "User"

  },

  {

    "value": "xyz",

    "type": "Group"

  }

]


2xx - Success


"members": [

  {

    "value": "abc"

  },

  {

    "value": "xyz",

    "type": "Group"

  }

]


"members": [

  {

    "value": "abc",

    "$ref": "anything at all"

  },

  {

    "value": "xyz",

    "type": "Group",

    "$ref": "anything at all"

  }

]


"members": [

  {

    "value": "xyz"

  }

]


400 - Missing “Group” "type" on nested group member definition


"members": [

  {

    "value": "xyz"

    "$ref": "../Groups/xyz"

  }

]


"members": [

  {

    "$ref": "../Users/abc"

  }

]


400 - Missing "value" on group member definition


"members": [

  {

    "$ref": "../Groups/xyz"

  }

]


"members": [

  {

    "value": "abc",

    "type": "Group"

  }

]


400 - Wrong "type" provided


"members": [

  {

    "value": "xyz",

    "type": "User"

  }

]


"members": [

  {

    "value": "abc",

    "type": "UnsupportedType"

  }

]


400 - Unsupported "type" provided


"members": [

  {

    "value": "no such resource with or without type"

  }

]


400 - Member does not exist



On Wed, Aug 9, 2017 at 11:06 AM, Phil Hunt (IDM) <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:
I agree the server can decide.

IMO the server should check referential integrity. By doing so it would likely know the type. The spec is silent (as far as i recall) on whether it expresses it.

You can also tell via id which is local and $ref path given's scim's strict path rules (look at the parent of the last segment).
From my recollection some of these items were not that important given scim was provisioning api for apps - apps implementing server side are free to do what they can/want. Now that it is being used as directory, closing some unspecified / loose areas might be better for interop IMO.

Phil

On Aug 9, 2017, at 8:32 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com<mailto:kelly.grizzle@sailpoint.com>> wrote:
Given the general desire for SCIM to allow loose reading but strict writing, I would vote for option 1.  If type is not specified in a PUT/POST/PATCH then the server can assume “User”.

--Kelly

From: Shelley [mailto:randomshelley@gmail.com]
Sent: Wednesday, August 9, 2017 9:02 AM
To: Kelly Grizzle <kelly.grizzle@sailpoint.com<mailto:kelly.grizzle@sailpoint.com>>
Cc: scim@ietf.org<mailto:scim@ietf.org>
Subject: Re: [scim] Groups Member Type

Resurrecting this old thread, as this question has recently come up during some of our interoperability testing, and there still appears to be some ambiguity in the spec...

The SCIM 1.1 and 2.0 specifications do not seem to indicate the expected behavior if the type sub-attribute is not provided on a Group resource member. Neither spec seems to explicitly require this attribute, so what is the expected behavior if no type is provided? Is there a default (e.g. "User" or "Group"), must Service Providers search for the member across all resource types, or should it be treated as REQUIRED (e.g. returning a 400 error)?


On Mon, Feb 25, 2013 at 10:38 AM, Shelley <randomshelley@gmail.com<mailto:randomshelley@gmail.com>> wrote:
Thanks, Kelly. Given that the ID may represent either a User or Group and only the combination of "type" and "value" uniquely identify the reference, should the canonical "type" attribute for group members be REQUIRED as well? (Further, the majority of examples throughout the Protocol specification only include a "value" and not "type", so it's ambiguous as to whether these "values" represent Users or Groups.)

On Mon, Feb 11, 2013 at 4:02 PM, Kelly Grizzle <kelly.grizzle@sailpoint.com<mailto:kelly.grizzle@sailpoint.com>> wrote:
I opened ticket #35 to change this.

http://trac.tools.ietf.org/wg/scim/trac/ticket/35<https://urldefense.proofpoint.com/v2/url?u=http-3A__trac.tools.ietf.org_wg_scim_trac_ticket_35&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=nXj1uLbLovxxCW-VPX0d1geWghpaAIZtMXKkPYyACLo&s=azLSrYlOBRiSWZ3BiA7nEnSujz0OPCep2bx8PeAdobE&e=>

--Kelly

From: scim-bounces@ietf.org<mailto:scim-bounces@ietf.org> [mailto:scim-bounces@ietf.org<mailto:scim-bounces@ietf.org>] On Behalf Of Shelley
Sent: Monday, February 11, 2013 11:36 AM
To: Kelly Grizzle
Cc: scim@ietf.org<mailto:scim@ietf.org>
Subject: Re: [scim] Groups Member Type

+1 to mark it as "immutable".
On Mon, Feb 4, 2013 at 8:08 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com<mailto:kelly.grizzle@sailpoint.com>> wrote:
Good point.  It seems like this should say “immutable” rather than “read-only”, since it can be set initially but not updated.  Thoughts from anyone else?  If this seems reasonable I’ll open an issue to get this fixed.

--Kelly

From: scim-bounces@ietf.org<mailto:scim-bounces@ietf.org> [mailto:scim-bounces@ietf.org<mailto:scim-bounces@ietf.org>] On Behalf Of Shelley
Sent: Friday, February 01, 2013 1:37 PM
To: scim@ietf.org<mailto:scim@ietf.org>
Subject: [scim] Groups Member Type

As indicated in Section 8, the canonical types for Group members are READ-ONLY. As such, how can consumers provide the type (i.e. "User" or "Group")? Is it implied that IDs are unique across both users and groups in order for service providers to fulfill this requirement?



_______________________________________________
scim mailing list
scim@ietf.org<mailto:scim@ietf.org>
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_scim&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=nXj1uLbLovxxCW-VPX0d1geWghpaAIZtMXKkPYyACLo&s=rCY_ttBwpsTcGVSsZT2hsLHWPXL17cWyIBS5WDT4oDs&e=

v2.23.0 | Report a Bug | By Email