Re: [scim] Call for support on proposed SCIM/SINS (re)charter

Danny Mayer <mayer@pdmconsulting.net> Sat, 11 September 2021 00:10 UTC

To: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>, Phil Hunt <phil.hunt@independentid.com>
Cc: "scim@ietf.org" <scim@ietf.org>
References: <9BCA478F-548E-4F6A-9F1B-6D8E15AE9373@cisco.com> <BBE3BC42-F3C5-4B89-A10F-0949D9876E62@independentid.com> <7B200805-50FD-4C77-8F92-E9877F6E70B5@cisco.com>
From: Danny Mayer <mayer@pdmconsulting.net>
Message-ID: <c131d8dc-8072-f0dc-9ed2-69cffcbae4c7@pdmconsulting.net>
Date: Fri, 10 Sep 2021 20:10:32 -0400
In-Reply-To: <7B200805-50FD-4C77-8F92-E9877F6E70B5@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/pULq-TGSXg0vfm0-fgeh6Yp6Hqw>

Pagination and synchronization are really different issues. 
Synchronization MAY need pagination but not necessarily. There are other 
reasons why pagination may be necessary.

Danny

On 9/10/21 8:00 PM, Nancy Cam-Winget (ncamwing) wrote:
>
> Thanks for the feedback, Phil. I'm trying to determine proposed 
> changes to the charter text... I suspect there might have been a 
> translation issue for synchronization being more about pagination than 
> paging?
>
> If you can provide suggested updates, it will be helpful to rally 
> agreement for the updates too.
>
> Best, Nancy
>
> *From: *Phil Hunt <phil.hunt@independentid.com>
> *Date: *Wednesday, September 8, 2021 at 6:34 PM
> *To: *ncamwing <ncamwing@cisco.com>
> *Cc: *"scim@ietf.org" <scim@ietf.org>
> *Subject: *Re: [scim] Call for support on proposed SCIM/SINS (re)charter
>
> Nancy,
>
> Thanks for putting this together.
>
> For this go around my interest lies mainly in Events and 
> Synchronization and profiles.  I am willing to provide updated drafts 
> for this process after some initial agreement on cases.  Drafts 
> already in the archive (they may be fairly out of date!):
>
> * SCIM Events - draft-hunt-idevent-scim 
> <https://tools.ietf.org/html/draft-hunt-idevent-scim>  (needs to be 
> updated to reflect the work we did in RFC8417)
>
> * OpenID Connect Profile for SCIM - 
> <https://openid.net/specs/openid-connect-scim-profile-1_0.html>
>
> Regarding the MV-Paging draft.  This draft has nothing to do with 
> synchronization and is intended for clients who need to pull a limited 
> number of values in a multi-valued-attribute in situations such as 
> large groups. Most typical use would be in building a user interface 
> allowing the searching of MVAs.
>
> As for exploring paging as a synchronization approach, that is not 
> something we should explore (i.e. in the charter). IMHO this approach is an 
> anti-pattern.  If it's needed, I am happy to add text in the best 
> practices or elsewhere as to why this isn't a great approach from the 
> perspective of security, DoS, timeliness, scale, and cost.
>
> That said, a couple people indicated they wanted stateful paging. 
> Unfortunately they didn’t elaborate on a use case.
>
> Phil Hunt
>
> @independentid
>
> phil.hunt@independentid.com <mailto:phil.hunt@independentid.com>
>
>
>
>     On Sep 8, 2021, at 5:21 PM, Nancy Cam-Winget (ncamwing)
>     <ncamwing=40cisco.com@dmarc.ietf.org
>     <mailto:ncamwing=40cisco.com@dmarc.ietf.org>> wrote:
>
>     Hello SCIM participants,
>
>     After some virtual meetings (thank you Pam for hosting these!) and
>     discussion, there is a new proposed charter that addresses the
>     points raised at the IETF 111 SINS session.
>
>     This is a call for support of the charter defined below, please
>     provide your response by Sept. 24, 2021.
>
>     As you respond in support for the charter, please also specify if
>     you are willing to produce, review and/or implement the resulting
>     documents.
>
>     Otherwise, do provide feedback in the time window if there are
>     concerns or issues you see with the charter below:
>
>
>       Charter
>
>     The System for Cross-domain Identity Management (SCIM)
>     specification is an HTTP-based protocol that makes managing
>     identities in multi-domain scenarios easier. SCIM was last
>     published in 2015 and has seen growing adoption.
>
>     One goal for this working group is to shepherd SCIM, currently RFC
>     series 7642 <https://datatracker.ietf.org/doc/html/rfc7642>, 7643
>     <https://datatracker.ietf.org/doc/html/rfc7643>, 7644
>     <https://datatracker.ietf.org/doc/html/rfc7644>, through the
>     Internet Standard process. The group will deliver revised
>     specifications for the SCIM requirements as Informational, and for
>     the SCIM protocol and base schema suitable for consideration as a
>     Standard. This work will be based upon the existing RFCs, errata
>     and interoperability feedback, and incorporate current security and
>     privacy best practices.
>
>     In addition to revising the requirements, protocol and base schema
>     RFCs, the group will also consider additional specifications as
>     extensions to SCIM that have found broad adoption and are ready
>     for standards track. This includes profiles and schemas for
>     interoperability in additional scenarios. The working group will
>     develop additional Proposed Standard RFCs based on outcomes of the
>     following work:
>
>       * Revision of the informational RFC 7642 will:
>
>           o Focus on Use cases and implementation patterns
>
>               + Pull vs. Push based use cases
>               + Events and signals use cases
>               + Deletion use cases
>
>           o New use cases may be added to the revised RFC
>
>       * Revision of RFC 7643/44 will include:
>
>           o Profiling SCIM relationships with other identity-centric
>             protocols such as OAuth 2.0, OpenID Connect, Shared
>             Signals, and FastFed
>           o Updates to the evolution of the externalId usage
>
>       * Document SCIM support for synchronization-related goals
>         between domains focused on:
>
>           o Handling returning large result sets through paging, based
>             on [draft-hunt-scim-mv-paging-00]
>           o Incremental approaches to synchronization
>
>       * Support for deletion-related goals including:
>
>           o Handling Deletes in SCIM Servers that don’t allow Deletes
>             (Soft Deletes) - based on [draft-ansari-scim-soft-delete-00]
>
>       * Support for advanced automation scenarios such as:
>
>           o Discovery and negotiation of client credentials
>           o Attribute mapping
>           o Per-attribute schema negotiation
>
>       * Enhance the existing schema to support exchanging of HR,
>         Enterprise group and privileged access management (using
>         draft-grizzle-scim-pam
>         <https://tools.ietf.org/id/draft-grizzle-scim-pam-ext-00.html> as
>         a base)
>
>     Best, Nancy (as one of the BoF chairs)
>
>     _______________________________________________
>     scim mailing list
>     scim@ietf.org <mailto:scim@ietf.org>
>     https://www.ietf.org/mailman/listinfo/scim
>     <https://www.ietf.org/mailman/listinfo/scim>
>
>
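Added example, not part of the thread and not code from any SCIM implementation, to make concrete why pagination and synchronization are different problems. `FakeScimServer` is a constructed in-memory stand-in with RFC 7644-style `startIndex`/`count` paging; its `modified_after` argument stands in for a `filter=meta.lastModified gt "..."` query. The first walk shows offset paging silently skipping a resource (and retaining a deleted one) when an administrator deletes a row between two page requests; the second shows a change-based pull that returns only what moved past a checkpoint, and its own blind spot for hard deletes, which is why deletion handling is listed separately in the charter. Names, sample users and timestamps are all constructed.

```python
"""Offset paging versus incremental sync over a changing SCIM resource set."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Resource:
    id: str
    userName: str
    lastModified: datetime


class FakeScimServer:
    """Constructed stand-in for a SCIM server (not a real implementation).

    Rows are always returned in a stable order (sorted by id), which is the
    best case for offset paging; the skip shown below happens regardless.
    """

    def __init__(self, resources):
        self._store = {r.id: r for r in resources}

    def list(self, start_index=1, count=100, modified_after=None):
        # RFC 7644 ListResponse shape: 1-based startIndex, up to `count` items.
        rows = sorted(self._store.values(), key=lambda r: r.id)
        if modified_after is not None:
            # Stands in for: filter=meta.lastModified gt "<timestamp>"
            rows = [r for r in rows if r.lastModified > modified_after]
        page = rows[start_index - 1:start_index - 1 + count]
        return {"totalResults": len(rows), "startIndex": start_index,
                "itemsPerPage": len(page), "Resources": page}

    def delete(self, rid):
        # A hard DELETE removes the row: later offsets shift down by one.
        del self._store[rid]

    def update(self, rid, user_name, now):
        self._store[rid].userName = user_name
        self._store[rid].lastModified = now


def page_walk(server, page_size, between_pages=None):
    """"Sync" by walking every page; returns the ids the client thinks exist.

    `between_pages` is called once after the first page to simulate concurrent
    admin activity during a long pull.
    """
    seen, start = [], 1
    while True:
        resp = server.list(start_index=start, count=page_size)
        seen.extend(r.id for r in resp["Resources"])
        if between_pages and start == 1:
            between_pages()
        if not resp["Resources"] or start + page_size > resp["totalResults"]:
            break
        start += page_size
    return seen


def incremental_sync(server, since):
    """Change-based pull: only resources modified after the checkpoint.

    A hard-deleted row has no lastModified left to match, so deletes are
    invisible here; soft deletes or events are needed to cover them.
    """
    resp = server.list(start_index=1, count=1000, modified_after=since)
    return [r.id for r in resp["Resources"]]


def demo():
    t0 = datetime(2021, 9, 10, tzinfo=timezone.utc)  # constructed timestamp
    server = FakeScimServer(
        [Resource(f"u{i}", f"user{i}", t0) for i in range(1, 7)])

    # Case 1: page through six users, two per page, while u1 is deleted
    # after page 1.  Page 2 now starts at the shifted offset 3, so u3 is
    # never returned, and the client still believes u1 exists.
    seen = page_walk(server, page_size=2,
                     between_pages=lambda: server.delete("u1"))

    # Case 2: checkpoint-based pull returns exactly the one changed user.
    checkpoint = t0 + timedelta(minutes=1)
    server.update("u4", "user4-renamed", t0 + timedelta(minutes=5))
    changed = incremental_sync(server, checkpoint)
    return seen, changed


if __name__ == "__main__":
    seen, changed = demo()
    print("paged view :", seen)      # u3 missing, u1 stale
    print("changed set:", changed)   # ['u4']
```

The page walk is "consistent" from the client's point of view (every request succeeded, the totals added up) and still produces a wrong picture of the directory; widening `page_size` only narrows the window, it does not close it. The MV-paging draft addresses a different need entirely: pulling a slice of one multi-valued attribute (a large group's members) for display, not reconciling state between two domains.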