Re: [scim] Call for support on proposed SCIM/SINS (re)charter

Danny Mayer <mayer@pdmconsulting.net> Mon, 13 September 2021 20:27 UTC

To: "Matt Peterson (mpeterso)" <Matt.Peterson=40oneidentity.com@dmarc.ietf.org>, "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>, Phil Hunt <phil.hunt@independentid.com>
Cc: "scim@ietf.org" <scim@ietf.org>
References: <9BCA478F-548E-4F6A-9F1B-6D8E15AE9373@cisco.com> <BBE3BC42-F3C5-4B89-A10F-0949D9876E62@independentid.com> <7B200805-50FD-4C77-8F92-E9877F6E70B5@cisco.com> <c131d8dc-8072-f0dc-9ed2-69cffcbae4c7@pdmconsulting.net> <MWHPR19MB0957B822C7CE28EF366EAFA7E1D99@MWHPR19MB0957.namprd19.prod.outlook.com>
From: Danny Mayer <mayer@pdmconsulting.net>
Message-ID: <2b1c1794-137f-6fd7-eb84-9d1715ef7413@pdmconsulting.net>
Date: Mon, 13 Sep 2021 16:27:10 -0400
In-Reply-To: <MWHPR19MB0957B822C7CE28EF366EAFA7E1D99@MWHPR19MB0957.namprd19.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/r0B_UE-3oe3-5nivp_QP4E7AxNQ>
Subject: Re: [scim] Call for support on proposed SCIM/SINS (re)charter

Matt,

Synchronization and paging are different issues and should be handled 
separately. You may need paging for synchronization but that may not be 
the only case. I don't personally know of other cases but I would like 
to hear other people's experience of this so that the requirements can be 
properly included in the draft RFCs.

Danny

On 9/13/21 11:02 AM, Matt Peterson (mpeterso) wrote:
>
> Danny,
>
> One of the goals of the workgroup is to understand what the pagination 
> use cases are (besides initial loading of object set to be synchronized).
>
> I’m eager to start keeping track of pagination use cases.  Can you 
> post to the list the use cases that you are thinking of that you’d need 
> pagination for? Thanks!
>
> *From:* scim <scim-bounces@ietf.org> *On Behalf Of* Danny Mayer
> *Sent:* Friday, September 10, 2021 6:11 PM
> *To:* Nancy Cam-Winget (ncamwing) 
> <ncamwing=40cisco.com@dmarc.ietf.org>; Phil Hunt 
> <phil.hunt@independentid.com>
> *Cc:* scim@ietf.org
> *Subject:* Re: [scim] Call for support on proposed SCIM/SINS (re)charter
>
> Pagination and synchronization are really different issues. 
> Synchronization MAY need pagination but not necessarily. There are 
> other reasons why pagination may be necessary.
>
> Danny
>
> On 9/10/21 8:00 PM, Nancy Cam-Winget (ncamwing) wrote:
>
>     Thanks for the feedback Phil.  I’m trying to determine proposed
>     changes to the charter text…..I suspect there might have been a
>     translation issue for synchronization being more about pagination
>     than paging?
>
>     If you can provide suggested updates, it will be helpful to rally
>     agreement for the updates too.
>
>     Best, Nancy
>
>     *From: *Phil Hunt <phil.hunt@independentid.com>
>     *Date: *Wednesday, September 8, 2021 at 6:34 PM
>     *To: *ncamwing <ncamwing@cisco.com>
>     *Cc: *"scim@ietf.org" <scim@ietf.org>
>     *Subject: *Re: [scim] Call for support on proposed SCIM/SINS
>     (re)charter
>
>     Nancy,
>
>     Thanks for putting this together.
>
>     For this go around my interest lies mainly in Events and
>     Synchronization and profiles.  I am willing to provide updated
>     drafts for this process after some initial agreement on cases.
>      Drafts already in the archive (they may be fairly out of date!):
>
>     * SCIM Events - draft-hunt-idevent-scim
>     <https://tools.ietf.org/html/draft-hunt-idevent-scim>
>     (needs to be updated to reflect the work we did in RFC8417)
>
>     * OpenId Connect Profile for SCIM -
>     https://openid.net/specs/openid-connect-scim-profile-1_0.html
>
>     Regarding the MV-Paging draft.  This draft has nothing to do with
>     synchronization and is intended for clients who need to pull a
>     limited number of values in a multi-valued-attribute in situations
>     such as large groups. Most typical use would be in building a user
>     interface allowing the searching of MVAs.
>
>     As for exploring paging as a synchronization approach, that is
>     not something we should explore (ie in the charter). IMHO this
>     approach is an anti-pattern.  If it's needed, I am happy to add text
>     in the best practices or elsewhere as to why this isn’t a great
>     approach from the perspective of security, DoS, timeliness, scale,
>     and cost.
>
>     That said, a couple people indicated they wanted stateful paging.
>     Unfortunately they didn’t elaborate on a use case.
>
>     Phil Hunt
>
>     @independentid
>
>     phil.hunt@independentid.com
>
>
>
>
>         On Sep 8, 2021, at 5:21 PM, Nancy Cam-Winget (ncamwing)
>         <ncamwing=40cisco.com@dmarc.ietf.org> wrote:
>
>         Hello SCIM participants,
>
>         After some virtual meetings (thank you Pam for hosting these!)
>         and discussion, there is a new proposed charter that addresses
>         the points raised at the IETF 111 SINS session.
>
>         This is a call for support of the charter defined below,
>         please provide your response by Sept. 24, 2021.
>
>         As you respond in support for the charter, please also specify
>         if you are willing to produce, review and/or implement the
>         resulting documents.
>
>         Otherwise, do provide feedback in the time window if there are
>         concerns or issues you see with the charter below:
>
>
>           Charter
>
>         The System for Cross-domain Identity Management (SCIM)
>         specification is an HTTP-based protocol that makes managing
>         identities in multi-domain scenarios easier. SCIM was last
>         published in 2015 and has seen growing adoption.
>
>         One goal for this working group is to shepherd SCIM, currently
>         RFC series 7642 <https://datatracker.ietf.org/doc/html/rfc7642>,
>         7643 <https://datatracker.ietf.org/doc/html/rfc7643>,
>         7644 <https://datatracker.ietf.org/doc/html/rfc7644>,
>         through the Internet Standard process. The group will deliver
>         revised specifications for the SCIM requirements as
>         Informational, and for the SCIM protocol and base schema
>         suitable for consideration as a Standard. This work will be
>         based upon the existing RFCs, errata and interoperability
>         feedback, and incorporate current security and privacy best
>         practices.
>
>         In addition to revising the requirements, protocol and base
>         schema RFCs, the group will also consider additional
>         specifications as extensions to SCIM that have found broad
>         adoption and are ready for standards track. This includes
>         profiles and schemas for interoperability in additional
>         scenarios. The working group will develop additional Proposed
>         Standard RFCs based on outcomes of the following work:
>
>          1. Revision of the informational RFC 7642 will:
>
>              1. Focus on Use cases and implementation patterns
>
>                  1. Pull vs. Push based use cases
>                  2. Events and signals use cases
>                  3. Deletion use cases
>
>              2. New use cases may be added to the revised RFC
>
>          2. Revision of RFC 7643/44 will include:
>
>              1. Profiling SCIM relationships with other
>                 identity-centric protocols such as OAuth 2.0, OpenID
>                 Connect, Shared Signals, and Fastfed
>              2. Updates to the evolution of the externalId usage
>
>          3. Document SCIM support for synchronization-related goals
>             between domains focused on:
>
>              1. Handling returning large result sets through paging,
>                 based on [draft-hunt-scim-mv-paging-00]
>              2. Incremental approaches to synchronization
>
>          4. Support for deletion-related goals including:
>
>              1. Handling Deletes in SCIM Servers that don’t allow
>                 Deletes (Soft Deletes) - based on
>                 [draft-ansari-scim-soft-delete-00]
>
>          5. Support for advanced automation scenarios such as:
>
>              1. Discovery and negotiation of client credentials
>              2. Attribute mapping
>              3. Per-attribute schema negotiation
>
>          6. Enhance the existing schema to support exchanging of HR,
>             Enterprise group and privileged access management (using
>             draft-grizzle-scim-pam
>             <https://tools.ietf.org/id/draft-grizzle-scim-pam-ext-00.html>
>             as a base)
>
>         Best, Nancy (as one of the BoF chairs)
>
>         _______________________________________________
>         scim mailing list
>         scim@ietf.org
>         https://www.ietf.org/mailman/listinfo/scim
>
>
>
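The thread above argues over whether paging through a result set belongs to synchronization at all, with Phil Hunt calling paging-as-sync an anti-pattern. The following is an added example written for this archive page, not code from any of the participants or from a SCIM draft. It builds a toy in-memory /Users collection with the RFC 7644 startIndex/count paging parameters and a filter on meta.lastModified, then contrasts a client that rebuilds its whole copy by walking pages with one that asks only for changes since a watermark. The user records, the userName sort order and the timestamps are constructed for the example; a real service provider's ordering and filter support will differ.

```python
"""Added example (not from the thread): offset paging vs. an incremental query in SCIM.

A toy in-memory /Users collection with RFC 7644 startIndex/count paging and a
filter on meta.lastModified, plus two clients: one that rebuilds its copy of
the user set by walking every page, one that asks only for changes since a
watermark. All user records below are constructed for the example.
"""
from typing import Callable, Dict, List, Optional

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


class ScimUserStore:
    """Minimal stand-in for a SCIM service provider's /Users collection."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def put(self, user_id: str, user_name: str, last_modified: str) -> None:
        self._users[user_id] = {
            "id": user_id,
            "userName": user_name,
            "meta": {"resourceType": "User", "lastModified": last_modified},
        }

    def delete(self, user_id: str) -> None:
        self._users.pop(user_id, None)

    def list_users(self, start_index: int = 1, count: int = 100,
                   modified_after: Optional[str] = None) -> dict:
        """GET /Users?startIndex=..&count=..[&filter=meta.lastModified gt ".."]

        startIndex is 1-based (RFC 7644 section 3.4.2.4). Sorting by userName
        stands in for whatever stable ordering a real server applies.
        """
        rows = sorted(self._users.values(), key=lambda u: u["userName"])
        if modified_after is not None:
            # ISO-8601 UTC timestamps of equal shape compare correctly as strings.
            rows = [u for u in rows if u["meta"]["lastModified"] > modified_after]
        page = rows[start_index - 1:start_index - 1 + count]
        return {
            "schemas": [LIST_RESPONSE],
            "totalResults": len(rows),
            "startIndex": start_index,
            "itemsPerPage": len(page),
            "Resources": page,
        }


def full_sync_by_paging(store: ScimUserStore, page_size: int,
                        between_pages: Optional[Callable[[], None]] = None) -> List[str]:
    """Rebuild the client's view by walking every page of /Users.

    between_pages simulates writes hitting the server while the walk is still
    in progress, which is the normal state of a large directory.
    """
    seen: List[str] = []
    start = 1
    while True:
        resp = store.list_users(start_index=start, count=page_size)
        seen.extend(u["id"] for u in resp["Resources"])
        start += resp["itemsPerPage"]
        if resp["itemsPerPage"] == 0 or start > resp["totalResults"]:
            break
        if between_pages is not None:
            between_pages()
    return seen


def incremental_sync(store: ScimUserStore, watermark: str) -> List[str]:
    """Fetch only resources modified after the client's last watermark."""
    resp = store.list_users(modified_after=watermark)
    return [u["id"] for u in resp["Resources"]]


def demo() -> dict:
    store = ScimUserStore()
    for uid, name in [("u1", "alice"), ("u2", "bob"), ("u3", "carol"),
                      ("u4", "dave"), ("u5", "erin")]:
        store.put(uid, name, "2021-09-01T00:00:00Z")

    # Directory unchanged during the walk: every id is seen exactly once.
    quiet = full_sync_by_paging(store, page_size=2)

    # alice is deleted after page 1 is served: the remaining rows shift up by
    # one, so carol is never returned and the client still believes alice exists.
    racy = full_sync_by_paging(store, page_size=2,
                               between_pages=lambda: store.delete("u1"))

    # Incremental query: only dave, re-written after the watermark, comes back.
    store.put("u4", "dave", "2021-09-13T20:00:00Z")
    changed = incremental_sync(store, watermark="2021-09-10T00:00:00Z")
    return {"quiet": quiet, "racy": racy, "changed": changed}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two failure modes of a paged full walk under concurrent change in one pass: a record that was never returned (carol) and a stale record the client still holds (alice). The incremental query avoids both, but as written it also says nothing about alice's deletion, since a deleted resource no longer appears in any result set; that gap is why the charter text lists deletion handling as a separate work item from incremental synchronization.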