[scim] Registering new schema (was Re: Question on the use of attributes from schema extensions)
Phil Hunt <phil.hunt@oracle.com> Fri, 14 August 2015 18:58 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52D301A6ED9 for <scim@ietfa.amsl.com>; Fri, 14 Aug 2015 11:58:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gLKG_87I5cvK for <scim@ietfa.amsl.com>; Fri, 14 Aug 2015 11:58:26 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8F351A701A for <scim@ietf.org>; Fri, 14 Aug 2015 11:56:13 -0700 (PDT)
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id t7EIuCCS021225 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 14 Aug 2015 18:56:13 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0021.oracle.com (8.13.8/8.13.8) with ESMTP id t7EIuBPX009367 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 14 Aug 2015 18:56:12 GMT
Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id t7EIuBLh000931; Fri, 14 Aug 2015 18:56:11 GMT
Received: from [10.0.1.22] (/24.86.216.17) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 14 Aug 2015 11:56:09 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_73AAEE3A-B1E1-4A70-AB56-79E3D6A1D6A3"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <404475DD-43E0-4CC8-974C-6D280A84FA43@wisc.edu>
Date: Fri, 14 Aug 2015 11:56:07 -0700
Message-Id: <710B1229-77C9-42A8-8E9E-DFF9C7EECAA5@oracle.com>
References: <3FBCDECF-424B-4C8D-AE4F-7C2BADEC91F2@wisc.edu> <BN1PR04MB39292911CB883FC04ADB06BE27F0@BN1PR04MB392.namprd04.prod.outlook.com> <79955440-1957-492D-B815-54E5FC3B228C@wisc.edu> <BN1PR04MB392247FE2E9878E6468DCDDE27F0@BN1PR04MB392.namprd04.prod.outlook.com> <88E432CB-B735-4673-A737-38A3C2FA24C1@oracle.com> <078408D6-44F5-456C-A6FD-AF6717CC7672@oracle.com> <6998A838-73A9-480D-B0C5-2E4438A94D74@wisc.edu> <A8072F32-17AC-4C07-B616-099EF06030D6@oracle.com> <404475DD-43E0-4CC8-974C-6D280A84FA43@wisc.edu>
To: Keith Hazelton <keith.hazelton@wisc.edu>
X-Mailer: Apple Mail (2.2102)
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Archived-At: <http://mailarchive.ietf.org/arch/msg/scim/o0-Smcr5DNzJDAWkSK3GMU9elnE>
Cc: SCIM WG <scim@ietf.org>
Subject: [scim] Registering new schema (was Re: Question on the use of attributes from schema extensions)
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 18:58:30 -0000
Yes. Wide open. My understanding of the WG and the IESG intent is the only intent of review is to eliminate spammy registrations. Some thoughts... Before you register, the only caution is that the WG has not really discussed (at length) how to handle versioning of schema (as opposed to versioning of the protocol). For example, if you were to submit a first draft of the “edu" schema, what should you do when you want to revise it? Simply revise the current document registration, OR, register a new schema URN with version n.1? The problem that arises is does a new “version” of a schema represent a different schema “bag” because it is technically a different URN. Or is it a replacement? I’m not sure it matters that much to the WG. But we might be able to collectively come up with some best practices. Something to think about. Curious as to your thoughts. Given the edu schema that’s been used in other protocols is actually very mature, I wouldn’t be afraid to register it sooner than later. One item to consider is whether to make use of SCIM’s complex attributes if you are porting from the LDAP eduschema. There’s a certain advantage in SCIM to be able to “type” multi-valued attributes (such as we have with emails and addresses). Phil @independentid www.independentid.com phil.hunt@oracle.com > On Aug 14, 2015, at 11:31 AM, Keith Hazelton <keith.hazelton@wisc.edu> wrote: > > Understood about the server-side support. Would you say the IANA registry process defined in Core Schema Section 10 is intended to be relatively open to outside contributions (such as higher ed) for new schema or schema extensions? —Keith > -- > email & jabber: keith.hazelton@wisc.edu <mailto:keith.hazelton@wisc.edu> > calendar: http://go.wisc.edu/i6zxx0 <http://go.wisc.edu/i6zxx0> > > From: Phil Hunt > Date: Friday, August 14, 2015 at 12:11 > To: Keith Hazelton > Cc: SCIM WG > Subject: Re: [scim] Question on the use of attributes from schema extensions > > From a protocol perspective it does not matter. > > However we set aside that namespace in the IANA registry for those that want to use it to signal a schema is an “extension”. > > In practice a server will only pay attention to those schemas that it lists under the /Schemas endpoint and will ignore the rest. Wether a schema defines an object or an extension to an object is defined under /ResourceTypes. > > Cheers, > > Phil > > @independentid > www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> >> On Aug 14, 2015, at 9:53 AM, Keith Hazelton <keith.hazelton@wisc.edu <mailto:keith.hazelton@wisc.edu>> wrote: >> >> Quick followup question: For custom extensions, does the unique schema value URI have to be under urn:ietf:params:scim:schemas:extension or could it be under any valid uri? —Keith >> -- >> email & jabber: keith.hazelton@wisc.edu <mailto:keith.hazelton@wisc.edu> >> calendar: http://go.wisc.edu/i6zxx0 <http://go.wisc.edu/i6zxx0> >> >> From: Phil Hunt >> Date: Friday, August 14, 2015 at 11:43 >> To: Phil Hunt >> Cc: Kelly Grizzle, Keith Hazelton, SCIM WG >> Subject: Re: [scim] Question on the use of attributes from schema extensions >> >> Ooops… in my “good” example below, I forgot to make the schemas value "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" consistent with the schema bag "urn:enterprise:2.0:User" >> >> apologies for any confusion. >> >> Phil >> >> @independentid >> www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> >>> On Aug 14, 2015, at 9:41 AM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote: >>> >>> Keith, >>> >>> Sorry for the late response. Just got back from my off-the-grid holiday. :-) >>> >>> The example below (from Kelly) would likely not parse reliably as some parsers might only return the last or first instance. The idea is to place all extension attributes together in a JSON “bag” which is a JSON attribute holding the name of the schema extension URI (as per the examples). >>> >>> BAD: >>>> "userName": "bjensen@example.com <mailto:bjensen@example.com>", >>>> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"employeeNumber": "701984" }, >>>> "displayName": "Babs Jensen", >>>> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Tour Operations" }, >>> >>> Good: >>> { >>> "schemas": >>> [ "urn:ietf:params:scim:schemas:core:2.0:User", >>> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"], >>> "id": "2819c223-7f76-453a-919d-413861904646", >>> "externalId": "701984", >>> "userName": "bjensen@example.com <mailto:bjensen@example.com>", >>> "name": { >>> "formatted": "Ms. Barbara J Jensen III", >>> "familyName": "Jensen", >>> "givenName": "Barbara", >>> "middleName": "Jane", >>> "honorificPrefix": "Ms.", >>> "honorificSuffix": "III" >>> }, >>> "displayName": "Babs Jensen", >>> "nickName": "Babs", >>> >>> “urn:enterprise:2.0:User”: { >>> "employeeNumber": "701984", >>> “costCenter": "4130", >>> "organization": "Universal Studios", >>> "division": "Theme Park", >>> "department": "Tour Operations", >>> "manager": { >>> "value": "26118915-6090-4610-87e4-49d8ca9f808d", >>> "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d", >>> "displayName": "John Smith" >>> } >>> } >>> ... >>> } >>> >>> “urn:enterprise:2.0:User” could be any extension URN you define. Thus if you define attributes of same name as urn:ietf:params:scim:schemas:extension:enterprise:2.0:User”, then there is no collision. >>> >>> In this sense, every attribute is prefixed with its own schema. We do not have to worry about attribute name collisions since the base object and each extension have their own position in the json structure. >>> >>> You will also notice that when referring to those attributes, you use the schema uri plus the attribute extension name together. Eg. >>> >>> filter=urn:enterprise:2.0:User:organization eq “Universal Studio" >>> >>> At the time we wrote this specification, there was still a tremendous pushback in the JSON community on having any schema at all. As a result, we adopted a very “loose” model that focuses on letting a parser know what attributes may be present in a JSON object that also avoids naming conflicts. >>> >>> Hopefully this helps. >>> >>> Thanks for the comments! >>> >>> Phil >>> >>> @independentid >>> www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> >>>> On Aug 11, 2015, at 10:14 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com <mailto:kelly.grizzle@sailpoint.com>> wrote: >>>> >>>> Hmmm … I don’t think the docs are quite so clear on that one. In JSON, ordering does not matter, so it doesn’t matter if it is interleaved with other attributes or not. However, JSON also does not allow multiple keys with the same name. In other words, this will not work: >>>> >>>> "userName": "bjensen@example.com <mailto:bjensen@example.com>", >>>> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"employeeNumber": "701984" }, >>>> "displayName": "Babs Jensen", >>>> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Tour Operations" }, >>>> ... >>>> >>>> >>>> From: scim [mailto:scim-bounces@ietf.org <mailto:scim-bounces@ietf.org>] On Behalf Of Keith Hazelton >>>> Sent: Tuesday, August 11, 2015 12:07 PM >>>> To: SCIM WG >>>> Subject: Re: [scim] Question on the use of attributes from schema extensions >>>> >>>> Kelly, >>>> >>>> Thanks for your quick response. >>>> >>>> So does 'the sub-attribute must be named using the schema extension URI” mean that all the enterprise user attributes have to appear together in a uri-container as indicated in draft-22, Figure 5: Example Enterprise User JSON Representation: >>>> >>>> … >>>> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { >>>> "employeeNumber": "701984", >>>> "costCenter": "4130", >>>> "organization": "Universal Studios", >>>> "division": "Theme Park", >>>> "department": "Tour Operations", >>>> "manager": { >>>> "value": "26118915-6090-4610-87e4-49d8ca9f808d", >>>> "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d", >>>> "displayName": "John Smith" >>>> } >>>> }, >>>> … >>>> >>>> Or could the extended attributes be interleaved with the User schema attributes by putting each one in that form, e.g., >>>> >>>> … >>>> "userName": "bjensen@example.com <mailto:bjensen@example.com>", >>>> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"employeeNumber": "701984",}, >>>> "displayName": "Babs Jensen", >>>> … >>>> -- >>>> email & jabber: keith.hazelton@wisc.edu <mailto:keith.hazelton@wisc.edu> >>>> calendar: http://go.wisc.edu/i6zxx0 <http://go.wisc.edu/i6zxx0> >>>> >>>> From: Kelly Grizzle >>>> Date: Tuesday, August 11, 2015 at 11:48 >>>> To: Keith Hazelton, SCIM WG >>>> Subject: RE: Question on the use of attributes from schema extensions >>>> >>>> named using th >>>> _______________________________________________ >>>> scim mailing list >>>> scim@ietf.org <mailto:scim@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/scim <https://www.ietf.org/mailman/listinfo/scim> >>> >> >> _______________________________________________ >> scim mailing list >> scim@ietf.org <mailto:scim@ietf.org> >> https://www.ietf.org/mailman/listinfo/scim <https://www.ietf.org/mailman/listinfo/scim> > > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim
- [scim] Question on the use of attributes from sch… Keith Hazelton
- Re: [scim] Question on the use of attributes from… Kelly Grizzle
- Re: [scim] Question on the use of attributes from… Keith Hazelton
- Re: [scim] Question on the use of attributes from… Kelly Grizzle
- Re: [scim] Question on the use of attributes from… Keith Hazelton
- Re: [scim] Question on the use of attributes from… Keith Hazelton
- Re: [scim] Question on the use of attributes from… Phil Hunt
- Re: [scim] Question on the use of attributes from… Phil Hunt
- Re: [scim] Question on the use of attributes from… Keith Hazelton
- Re: [scim] Question on the use of attributes from… Keith Hazelton
- Re: [scim] Question on the use of attributes from… Phil Hunt
- Re: [scim] Question on the use of attributes from… Keith Hazelton
- [scim] Registering new schema (was Re: Question o… Phil Hunt