Re: [scim] Call for support on proposed SCIM/SINS (re)charter
Danny Mayer <mayer@pdmconsulting.net> Mon, 13 September 2021 20:27 UTC
To: "Matt Peterson (mpeterso)" <Matt.Peterson=40oneidentity.com@dmarc.ietf.org>, "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>, Phil Hunt <phil.hunt@independentid.com>
Cc: "scim@ietf.org" <scim@ietf.org>
References: <9BCA478F-548E-4F6A-9F1B-6D8E15AE9373@cisco.com> <BBE3BC42-F3C5-4B89-A10F-0949D9876E62@independentid.com> <7B200805-50FD-4C77-8F92-E9877F6E70B5@cisco.com> <c131d8dc-8072-f0dc-9ed2-69cffcbae4c7@pdmconsulting.net> <MWHPR19MB0957B822C7CE28EF366EAFA7E1D99@MWHPR19MB0957.namprd19.prod.outlook.com>
From: Danny Mayer <mayer@pdmconsulting.net>
Message-ID: <2b1c1794-137f-6fd7-eb84-9d1715ef7413@pdmconsulting.net>
Date: Mon, 13 Sep 2021 16:27:10 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/r0B_UE-3oe3-5nivp_QP4E7AxNQ>
Matt,

Synchronization and paging are different issues and should be handled separately. You may need paging for synchronization but that may not be the only case. I don't personally know of other cases but I would like to hear other people's experience of this so that the requirements can be properly included in the draft RFCs.

Danny

On 9/13/21 11:02 AM, Matt Peterson (mpeterso) wrote:
>
> Danny,
>
> One of the goals of the workgroup is to understand what the pagination
> use cases are (besides initial loading of object set to be synchronized).
>
> I'm eager to start keeping track of pagination use cases. Can you
> post to the list the use cases that you are thinking of you'd need
> pagination for? Thanks!
>
> From: scim <scim-bounces@ietf.org> On Behalf Of Danny Mayer
> Sent: Friday, September 10, 2021 6:11 PM
> To: Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org>; Phil Hunt <phil.hunt@independentid.com>
> Cc: scim@ietf.org
> Subject: Re: [scim] Call for support on proposed SCIM/SINS (re)charter
>
> Pagination and synchronization are really different issues.
> Synchronization MAY need pagination but not necessarily. There are
> other reasons why pagination may be necessary.
>
> Danny
>
> On 9/10/21 8:00 PM, Nancy Cam-Winget (ncamwing) wrote:
>
> Thanks for the feedback Phil. I'm trying to determine proposed
> changes to the charter text... I suspect there might have been a
> translation issue for synchronization being more about pagination
> than paging?
>
> If you can provide suggested updates, it will be helpful to rally
> agreement for the updates too.
>
> Best, Nancy
>
> From: Phil Hunt <phil.hunt@independentid.com>
> Date: Wednesday, September 8, 2021 at 6:34 PM
> To: ncamwing <ncamwing@cisco.com>
> Cc: "scim@ietf.org" <scim@ietf.org>
> Subject: Re: [scim] Call for support on proposed SCIM/SINS (re)charter
>
> Nancy,
>
> Thanks for putting this together.
>
> For this go around my interest lies mainly in Events and
> Synchronization and profiles. I am willing to provide updated
> drafts for this process after some initial agreement on cases.
> Drafts already in the archive (they may be fairly out of date!):
>
> * SCIM Events - draft-hunt-idevent-scim
>   <https://tools.ietf.org/html/draft-hunt-idevent-scim>
>   (needs to be updated to reflect the work we did in RFC8417)
>
> * OpenId Connect Profile for SCIM -
>   https://openid.net/specs/openid-connect-scim-profile-1_0.html
>
> Regarding the MV-Paging draft. This draft has nothing to do with
> synchronization and is intended for clients who need to pull a
> limited number of values in a multi-valued-attribute in situations
> such as large groups. Most typical use would be in building a user
> interface allowing the searching of MVAs.
>
> As for exploring using paging as a synchronization approach, that is
> not something we should explore (i.e. in the charter). IMHO this
> approach is an anti-pattern. If it's needed, I am happy to add text
> in the best practices or elsewhere as to why this isn't a great
> approach from the perspective of security, DoS, timeliness, scale,
> and cost.
>
> That said, a couple people indicated they wanted stateful paging.
> Unfortunately they didn't elaborate on a use case.
>
> Phil Hunt
> @independentid
> phil.hunt@independentid.com
>
> > On Sep 8, 2021, at 5:21 PM, Nancy Cam-Winget (ncamwing)
> > <ncamwing=40cisco.com@dmarc.ietf.org> wrote:
> >
> > Hello SCIM participants,
> >
> > After some virtual meetings (thank you Pam for hosting these!)
> > and discussion, there is a new proposed charter that addresses
> > the points raised at the IETF 111 SINS session.
> >
> > This is a call for support of the charter defined below,
> > please provide your response by Sept. 24, 2021.
> >
> > As you respond in support for the charter, please also specify
> > if you are willing to produce, review and/or implement the
> > resulting documents.
> >
> > Otherwise, do provide feedback in the time window if there are
> > concerns or issues you see with the charter below:
> >
> > Charter
> >
> > The System for Cross-domain Identity Management (SCIM)
> > specification is an HTTP-based protocol that makes managing
> > identities in multi-domain scenarios easier. SCIM was last
> > published in 2015 and has seen growing adoption.
> >
> > One goal for this working group is to shepherd SCIM, currently
> > RFC series 7642 <https://datatracker.ietf.org/doc/html/rfc7642>,
> > 7643 <https://datatracker.ietf.org/doc/html/rfc7643>,
> > 7644 <https://datatracker.ietf.org/doc/html/rfc7644>,
> > through the Internet Standard process. The group will deliver
> > revised specifications for the SCIM requirements as
> > Informational, and for the SCIM protocol and base schema
> > suitable for consideration as a Standard. This work will be
> > based upon the existing RFCs, errata and interoperability
> > feedback, and incorporate current security and privacy best
> > practices.
> >
> > In addition to revising the requirements, protocol and base
> > schema RFCs, the group will also consider additional
> > specifications as extensions to SCIM that have found broad
> > adoption and are ready for standards track. This includes
> > profiles and schemas for interoperability in additional
> > scenarios. The working group will develop additional Proposed
> > Standard RFCs based on outcomes of the following work:
> >
> > 1. Revision of the informational RFC 7642 will:
> >    1. Focus on Use cases and implementation patterns
> >       1. Pull vs. Push based use cases
> >       2. Events and signals use cases
> >       3. Deletion use cases
> >    2. New use cases may be added to the revised RFC
> >
> > 2. Revision of RFC 7643/44 will include:
> >    1. Profiling SCIM relationships with other identity-centric
> >       protocols such as OAuth 2.0, OpenID Connect, Shared Signals,
> >       and Fastfed
> >    2. Updates to the evolution of the externalid usage
> >
> > 3. Document SCIM support for synchronization-related goals
> >    between domains focused on:
> >    1. Handling returning large result sets through paging,
> >       based on [draft-hunt-scim-mv-paging-00]
> >    2. Incremental approaches to synchronization
> >
> > 4. Support for deletion-related goals including:
> >    1. Handling Deletes in SCIM Servers that don't allow
> >       Deletes (Soft Deletes) - based on
> >       [draft-ansari-scim-soft-delete-00]
> >
> > 5. Support for advanced automation scenarios such as:
> >    1. Discovery and negotiation of client credentials
> >    2. Attribute mapping
> >    3. Per-attribute schema negotiation
> >
> > 6. Enhance the existing schema to support exchange of HR,
> >    Enterprise group and privileged access management (using
> >    draft-grizzle-scim-pam
> >    <https://tools.ietf.org/id/draft-grizzle-scim-pam-ext-00.html>
> >    as a base)
> >
> > Best, Nancy (as one of the BoF chairs)
>
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
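The thread above turns on whether paging through a full result set is an acceptable synchronization mechanism. The following Python is an added example illustrating that point; it is not code from any SCIM implementation, from the charter, or from the drafts cited in the thread. Only the ListResponse attribute names (startIndex, count, totalResults, itemsPerPage, Resources) and the 1-based startIndex come from RFC 7644; the in-memory service provider, the six constructed user records, the change log and its changes_since() feed are assumptions made for the illustration. A client walks the pages while one record is deleted between page one and page two, and the offset-based walk both misses a live user (which a naive sync would then deprovision) and retains a deleted one; replaying an ordered change feed from a cursor, the shape of an incremental approach, converges on the server's actual state.

```python
"""Offset paging (RFC 7644 startIndex/count) used as a sync mechanism versus an
incremental change feed. Added example for this thread; the server, users and
change-log API are constructed here and are not part of any SCIM spec or draft."""
from dataclasses import dataclass, field


@dataclass
class ScimServer:
    """Toy service provider: User resources keyed by id plus an ordered change log."""
    users: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # (seq, op, id); seq strictly increasing

    def create(self, uid: str, user_name: str) -> None:
        self.users[uid] = {"id": uid, "userName": user_name}
        self.log.append((len(self.log) + 1, "add", uid))

    def delete(self, uid: str) -> None:
        del self.users[uid]
        self.log.append((len(self.log) + 1, "delete", uid))

    def list_users(self, start_index: int = 1, count: int = 100) -> dict:
        """ListResponse as in RFC 7644: startIndex is 1-based, count caps the page.
        Every call sorts the live set, so consecutive pages are not one snapshot."""
        ordered = sorted(self.users.values(), key=lambda u: u["userName"])
        start = max(start_index, 1) - 1
        page = ordered[start:start + count]
        return {
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(ordered),
            "startIndex": start + 1,
            "itemsPerPage": len(page),
            "Resources": page,
        }

    def changes_since(self, cursor: int) -> list:
        """Incremental feed (constructed API): every change with seq > cursor."""
        return [entry for entry in self.log if entry[0] > cursor]


def paged_full_sync(server: ScimServer, page_size: int, between_pages=None) -> set:
    """Client rebuilding its copy of the directory by walking every page.
    between_pages(server, page_no) injects the concurrent writes a live IdP sees."""
    seen = set()
    start, page_no = 1, 0
    while True:
        resp = server.list_users(start_index=start, count=page_size)
        seen.update(u["id"] for u in resp["Resources"])
        page_no += 1
        last = resp["startIndex"] + resp["itemsPerPage"] - 1
        if resp["itemsPerPage"] == 0 or last >= resp["totalResults"]:
            return seen
        start = last + 1
        if between_pages:
            between_pages(server, page_no)


def incremental_sync(server: ScimServer, state: set, cursor: int) -> tuple:
    """Apply the change feed after `cursor` to the client state; returns (state, cursor)."""
    for seq, op, uid in server.changes_since(cursor):
        (state.add if op == "add" else state.discard)(uid)
        cursor = seq
    return state, cursor


def demo() -> dict:
    """Six users, page size 2; 'u1' is deleted after the first page has been read."""
    server = ScimServer()
    for i in range(1, 7):
        server.create(f"u{i}", f"user{i}")

    def delete_first_after_page_one(srv, page_no):
        if page_no == 1:
            srv.delete("u1")

    paged = paged_full_sync(server, 2, delete_first_after_page_one)
    truth = set(server.users)
    incremental, cursor = incremental_sync(server, set(), 0)
    return {
        "truth": truth,
        "paged": paged,
        "falsely_deleted": truth - paged,  # live on the server, never seen by the client
        "stale": paged - truth,            # deleted on the server, still held by the client
        "incremental": incremental,
        "cursor": cursor,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

The offset shift is the whole problem: deleting one record ahead of the cursor moves every later record up one slot, so the next page skips a live user. The same happens in reverse when a record is inserted, which yields duplicates rather than gaps. A cursor into an ordered change log has no such window, which is what the "incremental approaches to synchronization" item in the charter is reaching for.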