IETF Logo Mail Archive

[scim] Re: Pagination Support for Multi-Valued Attributes in SCIM 2.0

Danny Zollner <danny.zollner@okta.com> Thu, 05 February 2026 03:32 UTC

Return-Path: <prvs=34967acb43=danny.zollner@okta.com>
X-Original-To: scim@mail2.ietf.org
Delivered-To: scim@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C9C35B2168AB for <scim@mail2.ietf.org>; Wed, 4 Feb 2026 19:32:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.695
X-Spam-Level:
X-Spam-Status: No, score=-2.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=spera.security header.b="k+xaHv6k"; dkim=pass (2048-bit key) header.d=okta.com header.b="JfSGHHX7"; dkim=pass (1024-bit key) header.d=okta.com header.b="Y/NrlCm5"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h0N53wQBoVFV for <scim@mail2.ietf.org>; Wed, 4 Feb 2026 19:32:33 -0800 (PST)
Received: from mx0b-00553301.pphosted.com (mx0b-00553301.pphosted.com [205.220.176.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id DA1FFB2168A1 for <scim@ietf.org>; Wed, 4 Feb 2026 19:32:32 -0800 (PST)
Received: from pps.filterd (m0209339.ppops.net [127.0.0.1]) by mx0b-00553301.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 61511KFS4150028 for <scim@ietf.org>; Wed, 4 Feb 2026 19:32:24 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spera.security; h=cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=proofpoint-2020; bh=6fXinX/huL8xbDZJXv +z5D2YBP2gZGxR5AKBxeGZ3xE=; b=k+xaHv6k46nkQUqQSIvniraMLirPlyhpSH RHE5npR8Bf6kSAtT3OH8qUa7oOWnppvh4ZapvwOtm3O7rhjdtkxLg/cxS5ElE8zR GZ+Q7Ga9WPO22/PjVBrj0GPIgTokYS9MEI2tPPXA5AzSJg7EDVtGLBABsG6J3IcS HZHI6AO1+eZCxJBzKa4DKGb5JO/qYnwDc/OzhEOdOZVhCjqd6pP/IGmvAj9COrPK inm36Cd26xRSBRkgIg7szVizwrGMgGO8EJlEbme5f57ae4jfyMPcPXO57L2Wt1l9 pOfJItCmnnJIQdlAFYQPnuYBWD/vgM9N57xF02SrVL9qarRrUs1w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=okta.com; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=proofpoint-2020; bh=6fXinX/huL8xbDZJXv +z5D2YBP2gZGxR5AKBxeGZ3xE=; b=JfSGHHX7TeMQIFKJc9IVJvGiEL5UZhgXye UJ1c3qWjGI0lZ488I/gvQUjLIQLtWnujdc/Sx9mJi3nT766Rzl3ZIr8bDO9zWRV6 FgNHNcAMDpGvdQDNgEMtGzbI9vtD6LJqMN20vXOoRSYYPieUOAfrM1jIWJmym7iV 0V6KjbiStlwCU3sivR7ppfnsHboYADLA/rTJ+qjRu2JMv85CWuVjnd55wT6fK8xU 2JiZGV0fikBd16MWdJ1aHQ7l/2N8uTp2unAkAIvjyEhZp225BVI6Vvhi8HLg+Xof 8zE+beImRV+AKJqpo1m43HXgVihyzY9WepP8nm176bebpyxjw75w==
Received: from mail-dy1-f199.google.com (mail-dy1-f199.google.com [74.125.82.199]) by mx0b-00553301.pphosted.com (PPS) with ESMTPS id 4c3p2km362-1 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT) for <scim@ietf.org>; Wed, 04 Feb 2026 19:32:24 -0800 (PST)
Received: by mail-dy1-f199.google.com with SMTP id 5a478bee46e88-2b72b6fc371so2570753eec.0 for <scim@ietf.org>; Wed, 04 Feb 2026 19:32:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1770262343; cv=none; d=google.com; s=arc-20240605; b=Ckry64YUXpiuIMJ3cZOtMcWFNWKU9JNy6zKTbMQ6NGxSIq4M+bm0kTiJ3ozMwTF0KZ qP5pxoz+8uvdw8z+pxN5I88frZzAtp/YNff0WxyqhcOmAeyvp0Mv+J1EyZiBHDeQ/ZkP YQ4x/wPggrZU0tZz3iNMe+5RV+TMRklTWYWk0eddwFupnJrYvbwUi9Nnt7R06RZiyLzi kQGxsjetA2NUlq51xcc8aSyc6cL7aWmx2+VvemS07kodpY3XoeyTgig8HySqMx7DO0Hq g7fb9AB1oFdIanRVzaUCYyfo0A5S1n8oYpeL2hwHTWvecGsdDFvBsMukQeEW1Tyg04pB H2TQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=6fXinX/huL8xbDZJXv+z5D2YBP2gZGxR5AKBxeGZ3xE=; fh=fe71JzUALM1+2nYC2b0Nay+IKLrCFCJp5jVKNuh+Udk=; b=QVB9fwWRVxqSx/PBX2KXHq8AEe00JFHUMfpxxUL7iIsRxY7XGxUXcDwRAwFUuX+7kx gJ4ZPVCDyXbNJ5/aaJ3A8xbP3keM+QsCkP1bax/Lu5kHA73a4JnIwUeoNQXlOuVY7E3D F7h1/8tfldvvhvLCiQSQF7TGcCEDNLGKVXcoYdz+y0GjBD2jksXDwPhiollex1OoZT6T r3UcvcI6/8SpdM4cdhAMipxQlKJypALXekeKNVM8oe8H2O2cO5qn8JwB5sB1VdzFwPpC QfhRysBSLu1FesDZOZZi7qZu6CoryIroVEdsD1mnvym5RlYJI+FXszrpNqyreOsX5PaE pQeg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=okta.com; s=gap; t=1770262343; x=1770867143; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6fXinX/huL8xbDZJXv+z5D2YBP2gZGxR5AKBxeGZ3xE=; b=Y/NrlCm5VYPtaiEm8qDKicohSXR3QcIoGtgNHM2ZioKigny9QbAOTVYPAK3hJCcKcA yQf2GtVIiAxsAyFPcycicWq9QOKlUgYurSqsMqXPHgw34oVBTtiJIiL88PryVvCKXbPj VpZlCkdRHWvFlgv2ei6+9uNrKu0zaczOMV8Sc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770262343; x=1770867143; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=6fXinX/huL8xbDZJXv+z5D2YBP2gZGxR5AKBxeGZ3xE=; b=tj+6s7nwf9gUpU80P+0yU8FiExCUF69p0C2zHA1xfQCesWTU3E86AuMl9FZNEj9PY3 gip/k0MZfF1eGjT6ON+1MaRn4I+ImQOiklihNjW+TNQXbm6bfVZKi21nGYHq0ZdOWEZ5 Ot2j1NSepV0u779Ut0uJVvQRrTT0u71yv4e8A1ZRaVtwYcar3uH7vw/rwfcwBzSvbFIj Cd/j+TZTdjdyrXFPS5TrhUzxLvQPVkO+j41NqpUnvYxVt02Ldx/tgPLxyJBjtYbevgjh rd1nAdOAws0hGG8Sxnom299z4hYJiyJde3H09g41zX4XsLaMnGrJwL8rOVnXWOSc7JU5 ZwqQ==
X-Forwarded-Encrypted: i=1; AJvYcCXFAWiyeUQ79pRNdXRlaFCS6XJLsab4dqZKvrpsdW/JilWV63/jp98udRyuzi9z1mCxg57e@ietf.org
X-Gm-Message-State: AOJu0YyxZ5eJjbYeiRX36ONx08oIIrSBSfT2VoXGB9IU4A/WQCJvGEI8 awZHU7NHvI8OgHot+pajjw7T35BcJyWKlgzyRmUxTK0RLyKK8GngjtHuVAbK7xMPcovlLw52eDf ZmjIwC5jj9xRXkhwFN5dwq0Xu2+fBHjxiI6mdF07UMQl5qmAcr8mrTAqvcXmpB2CU9Q9EUlVaJ9 lv+v1cngZPkkcZmmv6Bhs=
X-Gm-Gg: AZuq6aLtaQYmM62JsgXzw6UDP0U6oyICR/6bWFWrWEVrbTQJ4eLrN6piOav1oCTo3ZQ 8NebNr3O3aadSuD/eem4maZrOFWhoFS9+LizThJeGNIuvgUxutrjH3edz8ykNwqgSaZOZz/ompS 9H9aiTA2mw0TgCNM4MnVdqi+RV3QXZl2RunDNdRVBgazWrfTswEac1XfYBOWVegs+V
X-Received: by 2002:a05:7300:534f:b0:2b7:145d:eb66 with SMTP id 5a478bee46e88-2b83299fdabmr2596848eec.24.1770262342873; Wed, 04 Feb 2026 19:32:22 -0800 (PST)
X-Received: by 2002:a05:7300:534f:b0:2b7:145d:eb66 with SMTP id 5a478bee46e88-2b83299fdabmr2596825eec.24.1770262342249; Wed, 04 Feb 2026 19:32:22 -0800 (PST)
MIME-Version: 1.0
References: <CAOoRr-OUq26BPbNM7EqyEgSUzDaNPuN-XyyAU+kQr9sZ-1u01A@mail.gmail.com> <BCA320D4-9E1D-4944-B2F7-26BE3B13B687@independentid.com>
In-Reply-To: <BCA320D4-9E1D-4944-B2F7-26BE3B13B687@independentid.com>
From: Danny Zollner <danny.zollner@okta.com>
Date: Wed, 04 Feb 2026 21:32:10 -0600
X-Gm-Features: AZwV_Qj4g3AZscJXlqoK45hjOsOKot8otwIJyOdCZ_OhjlSUlTIGKUBclJT9vg8
Message-ID: <CADzbaOoQAFT0xsPeC38dpyMi1houBcb1WGR-Wii=mK7vDX42EQ@mail.gmail.com>
To: Phillip Hunt <phil.hunt@independentid.com>
Content-Type: multipart/related; boundary="00000000000012a10e064a0b521c"
X-Gmail-Okta-Auth: Authenticated
X-Gm-Spam: 0
X-Gm-Phishy: 0
X-Authority-Analysis: v=2.4 cv=LumfC3dc c=1 sm=1 tr=0 ts=69840f48 cx=c_pps a=cFYjgdjTJScbgFmBucgdfQ==:117 a=HzLeVaNsDn8A:10 a=Bdx-TKn-h1YA:10 a=VkNPw1HP01LnGYTKEx00:22 a=48vgC7mUAAAA:8 a=IqETP1_tAAAA:8 a=pGLkceISAAAA:8 a=XyJVEfRiF3fUlVI1RlsA:9 a=QEXdDO2ut3YA:10 a=xBXxo-bjWDnaS2pKKrYA:9 a=zY27L3GK4gL7R8eD:21 a=lqcHg5cX4UMA:10 a=HXjIzolwW10A:10 a=T6a71-JsGAwA:10 a=scEy_gLbYbu1JhEsrz4S:22 a=84G_OkgMc8xwACs048Fv:22
X-Proofpoint-GUID: XsB6di_I054OMQxkLDSO_blzOVopoffV
X-Proofpoint-ORIG-GUID: XsB6di_I054OMQxkLDSO_blzOVopoffV
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMjA1MDAyMSBTYWx0ZWRfX+naICMMwWM0J jWeEGjDze5y6QZwTUd1xXX2DbLgs7ezIOyGpJKvwKxkKQmWqjk2R9UfRHpHjQvStbu5OYSaZfhm VEjGvk9Y0EqEHM4RVInxcVhHxrfrZ7APTpUPOIWtM3azyjVv1Z1/IsABCNqlO4ZkAyvoAKJQE2o GnTbYv4hjEOMPT9SvhotRA6MzXHY4OsvT0AoHWshtlF9n6584q0xELt2A2Xad1x3ngbkXYsTCdM m1tqnyLLTrHUPqJm0cpLPrTLaYh+gLFQALEz7DThjFtm0FnEmcZzgjGWp1Nm7eqB1DS113bl3l+ GceWgUL1lfXuGwKWm//HSYoi8WmNJSdEtMZlIastcDYgFoCICTwL9yAyAbqkR9P4IwnLVULFfWz fmg2Wp+HF8gmvUTN1ZkV6gcMmcQAHNCql73BfWlf+io4SGBt043S6OUw3y24thZDGQM28EtJGEx WCO9pD3uN/q/fnZ2Iyw==
X-Proofpoint-Virus-Version:
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1011 impostorscore=0 priorityscore=1501 adultscore=0 malwarescore=0 suspectscore=0 bulkscore=0 phishscore=0 lowpriorityscore=0 spamscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2601150000 definitions=main-2602050021
Message-ID-Hash: KECRMT2ZU6YD4637EZ54LY346JX4ITIZ
X-Message-ID-Hash: KECRMT2ZU6YD4637EZ54LY346JX4ITIZ
X-MailFrom: prvs=34967acb43=danny.zollner@okta.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-scim.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Daniel Cormier <daniel.cormier+ietf@gmail.com>, scim@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [scim] Re: Pagination Support for Multi-Valued Attributes in SCIM 2.0
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/beAvJMzTdDCzZfv6jgj4U8qMjPA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Owner: <mailto:scim-owner@ietf.org>
List-Post: <mailto:scim@ietf.org>
List-Subscribe: <mailto:scim-join@ietf.org>
List-Unsubscribe: <mailto:scim-leave@ietf.org>

I've had various conversations about this over the last few years and
representing the multi-valued attribute as a (sub)resource has always ended
up looking like a cleaner option than the SCIM query/filter-based methods
described in draft-hunt-scim-mv-filtering-00 and in the recent email to
this mailing list by Saurabh. Going deeper on the multi-valued attribute as
a (sub)resource approach, there are a few different ideas that have come to
mind:


   1. A draft to explicitly address group memberships, as that's the
   primary real world scenario I've seen where SCIM resource sizes become too
   large to manage. I've seen some other APIs represent group memberships as
   their own resource (e.g.: /GroupMembers) and I think that has value in SCIM
   as well when thinking about things like delta query/change detection. I
   think /Groups/<id>/members is useful too and can exist alongside
   /GroupMembers without issue.

   2. A draft to explicitly address existing attributes defined in the SCIM
   specifications - the members attribute on groups, but also potentially
   roles, entitlements, the "groups" attribute on users (and other
   resources?), etc.

   3. A draft to define an extensible approach to representing a
   multi-valued attribute as a sub-resource endpoint (e.g.:
   /Users/<id>/entitlements, or /Users/<id>/<customAttributeURN>


Separate from the sub-resource approach, a few other ideas that have come
up in my discussions:


   - Define a way to paginate a SCIM resource that treats the JSON object
   representing the SCIM resource as the thing to be paginated, rather than
   the list of values in an array for a specific multi-valued attribute. This
   has the benefit of helping with pagination on a resource with several
   multi-valued attributes that each require pagination, and with
   single-valued attributes that have large values.

   - Utilize an existing feature in HTTP (or another standard). I'm not an
   expert on HTTP, but Chunked Transfer Encoding stood out when I was looking
   into this.


I lean towards option #1 or #3 from the list of subresource representation
variations.

Thanks,

Danny



On Thu, Jan 29, 2026 at 11:58 AM Phillip Hunt <phil.hunt@independentid.com>
wrote:

> *This message originated outside your organization.*
>
> ------------------------------
>
> There was a mult-value paging extension draft submitted back in 2019.
>
> SCIM Protocol: Multi-Value Paging Extension
> <https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-hunt-scim-mv-paging/__;!!PwKahg!-QXA_7ekr2W3bWqtyUF8mHPk4mH7F0m5NQfl7nBcUg1Cm1nCK8PiBBe0aaQTePX72wIdSK3Dlv7VJL_dJMc6-0k6p4g$>
> datatracker.ietf.org
> <https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-hunt-scim-mv-paging/__;!!PwKahg!-QXA_7ekr2W3bWqtyUF8mHPk4mH7F0m5NQfl7nBcUg1Cm1nCK8PiBBe0aaQTePX72wIdSK3Dlv7VJL_dJMc6-0k6p4g$>
> [image: ietf-logo-nor-180.png]
> <https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-hunt-scim-mv-paging/__;!!PwKahg!-QXA_7ekr2W3bWqtyUF8mHPk4mH7F0m5NQfl7nBcUg1Cm1nCK8PiBBe0aaQTePX72wIdSK3Dlv7VJL_dJMc6-0k6p4g$>
> <https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-hunt-scim-mv-paging/__;!!PwKahg!-QXA_7ekr2W3bWqtyUF8mHPk4mH7F0m5NQfl7nBcUg1Cm1nCK8PiBBe0aaQTePX72wIdSK3Dlv7VJL_dJMc6-0k6p4g$>
>
> This was basically adding paging features to the filter query so that
> queries like the following become possible:
>
> In the following example, all Groups are searched and only Groups
>    whose name starts with "Group" are selected.  Additionally, the
>    members attribute values are filtered return only member values with
>    "type" equal to "groups" (as in sub-groups) returning only the first
>    5 values using the attributes paging qualifying parameters.
> GET /v2/Groups?filter=displayName sw 'Group'&attributes=*,members[type
>       eq \"Group\"&count=5&startIndex=1]
>
>
> The draft had the advantage of being backwards compatible and was
> relatively stateless.
>
> One note, it’s not clear, but the first example in the draft of retrieving
> only work emails is to show existing core
> SCIM functionality.  The following example show how the extension of
> adding paging values, allows a client to
> ask for sub-sets of items.
>
> I think it was lost in the Covid shutdown that happened after.
>
> Cheers,
>
> Phil Hunt
> phil.hunt@independentid.com
>
>
>
>
>
>
> On Jan 29, 2026, at 6:32 AM, Daniel Cormier <daniel.cormier+ietf@gmail.com>
> wrote:
>
> We've had the same problem getting groups with many members (some with
>
> 100k). For what it's worth, since it is an internal implementation,
>
> we added a new endpoint: GET /Groups/{id}/members. Our flow was to
> retrieve the group (GET /Groups/{id}) with its members excluded, then
> paginate through GET /Group/{id}/members separately. It worked well
> for our case.
>
> Some previous discussion around group member pagination:
>
> * <https://mailarchive.ietf.org/arch/msg/scim/YCcs_ZRWOo4HM8zxKbXlAi2Cpag/
> <https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/scim/YCcs_ZRWOo4HM8zxKbXlAi2Cpag/__;!!PwKahg!-QXA_7ekr2W3bWqtyUF8mHPk4mH7F0m5NQfl7nBcUg1Cm1nCK8PiBBe0aaQTePX72wIdSK3Dlv7VJL_dJMc6FvmOQQI$>
> >
> <-- Mentions the same solution we used
>  * <
> https://mailarchive.ietf.org/arch/msg/scim/67Bd0iotMoEx5rcjCUsHUzQzQGU/
> <https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/scim/67Bd0iotMoEx5rcjCUsHUzQzQGU/__;!!PwKahg!-QXA_7ekr2W3bWqtyUF8mHPk4mH7F0m5NQfl7nBcUg1Cm1nCK8PiBBe0aaQTePX72wIdSK3Dlv7VJL_dJMc6CDlxIfw$>
> >
> * <https://mailarchive.ietf.org/arch/msg/scim/txBFAJgcxb0mhIi1Bp0jaL6t2WU/
> <https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/scim/txBFAJgcxb0mhIi1Bp0jaL6t2WU/__;!!PwKahg!-QXA_7ekr2W3bWqtyUF8mHPk4mH7F0m5NQfl7nBcUg1Cm1nCK8PiBBe0aaQTePX72wIdSK3Dlv7VJL_dJMc61biKnDQ$>
> >
>
> _______________________________________________
> scim mailing list -- scim@ietf.org
> To unsubscribe send an email to scim-leave@ietf.org
>
>
> _______________________________________________
> scim mailing list -- scim@ietf.org
> To unsubscribe send an email to scim-leave@ietf.org
>

v2.40.4 | Report a Bug | By Email | System Status