Re: [scim] Feedback and support for draft-hunt-scim-mv-filtering-00.html

"Matt Peterson (mpeterso)" <Matt.Peterson@oneidentity.com> Sat, 21 May 2022 18:56 UTC


Hi Nancy,

I have read the draft.  We have no plans to implement the draft-hunt-scim-mv-filtering-00.    Except for group memberships (which have many values) it is far easier to filter simple multi-valued attributes (like email) on the SCIM client-side.

The only attributes in the base SCIM schema that are likely to have so many values that server-side filtering is useful are: Group.members (members of a group) and User.groups (groups a user is a member of).

We handle the most common group membership use cases without needing multi-valued pagination - using existing SCIM filtering and SCIM *object* pagination.   The following is a list of use cases for group memberships.  I have provided the SCIMv2 request that we use to satisfy each use case (without the need for multi-valued attribute pagination or any changes to the SCIM v2 spec).  For additional clarity, I have also included the equivalent Microsoft Graph query for each use case to show how the SCIMv2 request would translate to another familiar API:

Use Case #1:  I have the group id "ffffffff-1111-49f5-b200-2c8aa95f3a49", I want to get all the members of the group (even if there are many paged results):

Solution: Use the SCIMv2  /user resource:
GET https://scimserver.mydomain.com/user?filter=groups.value+eq+ffffffff-1111-49f5-b200-2c8aa95f3a49

Corresponding Microsoft Graph API:
GET https://graph.microsoft.com/v1.0/groups/ffffffff-1111-49f5-b200-2c8aa95f3a49/members

Use Case #2:  I have the user id "aaaaaaaa-1111-4306-8e52-bb1921f1a7ed" and I want to get all the groups that the user is a member of (even if there are many paged results):

Solution: Use the SCIMv2  /group resource:
GET https://scimserver.mydomain.com/group?filter=members.value+eq+aaaaaaaa-1111-4306-8e52-bb1921f1a7ed

Corresponding Microsoft Graph API:
GET https://graph.microsoft.com/v1.0/users/aaaaaaaa-1111-4306-8e52-bb1921f1a7ed/transitiveMemberOf


Note that the SCIMv2 solution to use cases #1 and #2 (above) may have many results. However, the results are *objects* that are paged using existing SCIM object pagination (RFC 7644 3.4.2.4).  No pagination of multiple values is necessary.


Use Case #3:  I have the user id "aaaaaaaa-1111-4306-8e52-bb1921f1a7ed" and I want to check if the user is a member of group with id "ffffffff-1111-49f5-b200-2c8aa95f3a49"

Solution: Use the SCIMv2 /user or /group resource with a compound filter:
GET https://scimserver.mydomain.com/user?filter=id+eq+aaaaaaaa-1111-4306-8e52-bb1921f1a7ed+and+(groups.value+eq+ffffffff-1111-49f5-b200-2c8aa95f3a49)

-OR-

GET https://graph.microsoft.com/v1.0/group?filter=id+eq+ffffffff-2222-4263-abd9-878238d6f7b2+and+(users.value+eq+ aaaaaaaa-1111-4306-8e52-bb1921f1a7ed)

Corresponding Microsoft Graph API:
POST https://graph.microsoft.com/v1.0/users/aaaaaaaa-1111-4306-8e52-bb1921f1a7ed/checkMemberGroups
{ "groupIds": [ "ffffffff-1111-49f5-b200-2c8aa95f3a49" ] }

Use Case #4:  I have the group with id "ffffffff-1111-49f5-b200-2c8aa95f3a49" I want to check if the group has a member with user id "aaaaaaaa-1111-4306-8e52-bb1921f1a7ed"

Solution:  This is essentially the same as use case #3 above (just worded from the group perspective).


LDAP has taught us that representing group membership as a multi-valued attribute makes common use cases difficult.  As a result, new APIs (like Azure Graph) represent group memberships with separate resource types.   Even though it is possible to handle common use cases with SCIM filters (described in use cases above), it might still be useful to investigate the addition of two new SCIM resource types (as an extension): a "GroupMembers" and a "UserGroups".  These would be used in the following way (same use cases as above):

Get me the members of a group (returns User objects):
GET https://scimserver.mydomain.com/GroupMembers/<groupId>

Get me groups a user is a member of (returns Group objects):
GET https://scimserver.mydomain.com/UserGroups/<userId>

Is user a member of a group?
GET https://scimserver.mydomain.com/GroupMembers/<groupId>?filter=id+eq+<userId>
GET https://scimserver.mydomain.com/UserGroups/<userId>?filter=id+eq+<groupId>

--
Matt Peterson
Distinguished Engineer
matt.peterson@oneidentity.com<mailto:matt.peterson@oneidentity.com>
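The client side of use cases #1 and #2 above, as an added Python example that is not from the post or from One Identity: it builds the `groups.value eq` filter, walks the result set with RFC 7644 startIndex/count object paging, and quotes and validates the caller-supplied id so it cannot append extra filter terms. The in-memory `USERS` data, the `/Users` base path and the id pattern are constructed assumptions; `fake_users_endpoint` stands in for a real SCIM server.

```python
import re
from urllib.parse import urlencode

# Constructed SCIM data (example only): each User carries the multi-valued "groups"
# attribute, whose sub-attribute "value" holds the id of a group the user belongs to.
USERS = [
    {"id": "u1", "userName": "ann", "groups": [{"value": "g1"}, {"value": "g2"}]},
    {"id": "u2", "userName": "bob", "groups": [{"value": "g1"}]},
    {"id": "u3", "userName": "cid", "groups": [{"value": "g1"}]},
]
ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")  # assumed id shape; tighten to match your server

def valid_id(resource_id):
    """Reject anything that is not a plain id before it goes into a filter expression."""
    return bool(ID_RE.match(resource_id))

def scim_str(value):
    """Quote a filter string value (RFC 7644 filters take JSON strings); escaping means
    the value cannot close the string and smuggle in further filter terms."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def member_filter(attr, resource_id):
    """groups.value eq "g1" (use case #1) or members.value eq "u1" (use case #2)."""
    if not valid_id(resource_id):
        raise ValueError("invalid SCIM resource id: %r" % resource_id)
    return "%s.value eq %s" % (attr, scim_str(resource_id))

def scim_url(base, flt, start_index=1, count=100):
    """Full request URL; urlencode turns spaces into '+' and double quotes into %22."""
    return base + "?" + urlencode({"filter": flt, "startIndex": start_index, "count": count})

def fake_users_endpoint(params):
    """Stand-in for GET /Users: handles only the single-term filter built above and pages
    with startIndex/count per RFC 7644 3.4.2.4 (startIndex is 1-based)."""
    m = re.fullmatch(r'groups\.value eq "([^"]*)"', params["filter"])
    hits = [u for u in USERS if m and any(g["value"] == m.group(1) for g in u["groups"])]
    start, count = int(params.get("startIndex", 1)), int(params.get("count", 100))
    page = hits[start - 1:start - 1 + count]
    return {"totalResults": len(hits), "startIndex": start, "itemsPerPage": len(page), "Resources": page}

def group_members(get, group_id, page_size=2):
    """Use case #1: collect every member id by walking object pages until totalResults is
    reached; an empty page also ends the loop in case the server misreports the total."""
    flt, members, start = member_filter("groups", group_id), [], 1
    while True:
        resp = get({"filter": flt, "startIndex": start, "count": page_size})
        page = resp.get("Resources", [])
        members.extend(page)
        if not page or start + len(page) > resp["totalResults"]:
            return [u["id"] for u in members]
        start += len(page)
```

With `page_size=2` the three members of `g1` arrive over two pages, which is the object paging the post relies on instead of paging the attribute values themselves.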

From: scim <scim-bounces@ietf.org> On Behalf Of Nancy Cam-Winget (ncamwing)
Sent: Thursday, May 19, 2022 3:23 PM
To: scim@ietf.org
Subject: [scim] Feedback and support for draft-hunt-scim-mv-filtering-00.html


Hello SCIMers,

We need feedback to gauge support and adoption of
https://datatracker.ietf.org/doc/html/draft-hunt-scim-mv-filtering-00.html

Please respond to this thread on the following:


  1.  You have read the draft and believe it is ready to be adopted by the working group. Any other feedback on the content of the draft is welcomed too.
  2.  You are willing to contribute to the draft as a co-author or editor
  3.  You are willing to be an active contributor to the content but can not be a co-author
  4.  You support the draft and plan to implement
  5.  You support the draft but have no time or plans to implement now, but can provide feedback
  6.  You have no interest in the draft

Please provide your feedback by June 10th.

Thanks,
   Nancy