Re: [scim] Discovery support for SCIM

Phil Hunt <phil.hunt@oracle.com> Tue, 29 September 2015 18:10 UTC

From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <CAKzGp_6t_YZdzOu3EZkvBf==bM8JcpyCgQpu-urP4-sXe9BE+A@mail.gmail.com>
Date: Tue, 29 Sep 2015 11:10:27 -0700
Message-Id: <8EE2BEE7-8873-410B-8E17-FBA34C77A9FF@oracle.com>
References: <CD73F905-2D21-4A2B-AB6D-BA2C51258F89@oracle.com> <CAKzGp_6t_YZdzOu3EZkvBf==bM8JcpyCgQpu-urP4-sXe9BE+A@mail.gmail.com>
To: Chuck Mortimore <charliemortimore@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/scim/sYTu2liraxfIikiglVVGS01BKw8>
Cc: SCIM WG <scim@ietf.org>
Subject: Re: [scim] Discovery support for SCIM

Chuck,

Thanks.  That too was my main objective.

Is there anything else that should be returned other than the URL for the SCIM server?  E.g. do we want a JSON structure that might convey multiple pieces of information?  E.g. authentication requirements and endpoints.

I am leaning towards just returning a URL and keeping the response simple since SCIM already has its own service specific discovery endpoints (e.g. /ServiceProviderConfig).

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

> On Sep 28, 2015, at 12:37 PM, Chuck Mortimore <charliemortimore@gmail.com> wrote:
> 
> We're interested in the service discovery aspect. Less so on the profile discovery / webfinger.
> 
> On Mon, Sep 28, 2015 at 11:58 AM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
> It’s now Monday after completion of the SCIM RFCs and I have already received a new enhancement request.  BTW thanks to everyone in the WG for all your efforts!
> 
> The request is to define discovery for SCIM. For example using the Well-known mechanism (RFC5785) and potentially WebFinger (RFC7033).
> 
> For example, a SCIM client may send the following query:
> 
> GET https://www.example.com/.well-known/scim
> 
> For which the server might respond with a URL to the appropriate SCIM server and path to the server root (e.g. "profile.example.com/scim").
> 
> In a more complex version with a webfinger (RFC7033) query:
> 
> GET https://www.example.com/.well-known/webfinger?resource=acct%3Abob%40example.com&rel=scim-profile
> 
> Which responds:
>      HTTP/1.1 200 OK
>      Access-Control-Allow-Origin: *
>      Content-Type: application/jrd+json
> 
>      {
>        "subject" : "acct:bob@example.com",
>        "links" :
>        [
>          {
>            "rel" : "scim-profile",
>            "href" : "https://www.example.com/scim/Users/bob-id"
>          }
>        ]
>      }
> 
> 
> Overall, I see a few different use-cases:
> 
> 1.  A SCIM client simply wants to know where the SCIM Profile service is for a specific domain (e.g. tenacy.example.com).
> 
> 2.  A SCIM client might be looking for a user’s profile service.  So it asks example.com where is phil.hunt@acme.com?  This would be a WebFinger style query based on the well-known endpoint. The same WebFinger query could also return the OIDC endpoints as well as the SCIM endpoints for the user.  This may be useful for cases where service providers have multiple tenancies and there is a need to have a generic, tenancy neutral lookup service.
> 
> 3.  A SCIM client that has the service endpoint for a SaaS service (e.g. CRM, HCM, Finance) may be looking for the provisioning endpoint and the ResourceType and schemas relevant to the application.   For example, a client that wants to provision a User to a Finance system wants to know where the Finance app provisioning endpoint is.  It could be a Finance SCIM endpoint or it may be a profile service endpoint.
> 
> Questions:
> 
> A. Are there members of the WG interested in this?
> 
> B. From a protocol standpoint, it should not matter whether a client is talking to SCIM that is deployed in front of a business application (like CRM, Finance), vs. SCIM as a general User profile service. However, due to possible differences in the higher-level logic of the client, would it be important to distinguish between, say, “scim-provisioning” and “scim-profile” as distinct types of services?  If so, what do we think defines that difference?
> 
> Thanks,
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
>
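The two discovery flows sketched in the quoted message, as an added client-side example (not code from the thread or from any SCIM implementation): it normalizes the bare URL answer from `/.well-known/scim` and selects the `scim-profile` link out of a WebFinger (RFC 7033) JRD, refusing non-https targets and JRDs whose subject or aliases do not match the resource that was queried. The sample responses, including the extra OIDC link, are constructed for this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample responses, modelled on the two discovery styles proposed
# in the thread; they are not output captured from any real server.
WELLKNOWN_SCIM_BODY = "profile.example.com/scim"
WEBFINGER_JRD_BODY = json.dumps({
    "subject": "acct:bob@example.com",
    "links": [
        {"rel": "http://openid.net/specs/connect/1.0/issuer",   # constructed
         "href": "https://login.example.com"},
        {"rel": "scim-profile",
         "href": "https://www.example.com/scim/Users/bob-id"},
    ],
})


def normalize_scim_root(value: str) -> str:
    """Turn the bare '/.well-known/scim' answer into an absolute https URL.
    A scheme-less 'host/path' is assumed to mean https; an explicit non-https
    scheme is rejected so discovery cannot downgrade the client to cleartext."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-https SCIM root: {value!r}")
    return value.rstrip("/")


def select_scim_link(jrd_body: str, resource: str, rel: str = "scim-profile") -> str:
    """Pick the href for `rel` out of a WebFinger JRD document.
    The JRD must describe the queried resource (as subject or alias), the
    link relation must match exactly, and the target must be https."""
    jrd = json.loads(jrd_body)
    described = {jrd.get("subject")} | set(jrd.get("aliases", []))
    if resource not in described:
        raise ValueError(f"JRD subject {jrd.get('subject')!r} does not match {resource!r}")
    for link in jrd.get("links", []):
        if link.get("rel") == rel and "href" in link:
            href = link["href"]
            if urlsplit(href).scheme != "https":
                raise ValueError(f"refusing non-https link for {rel}: {href!r}")
            return href
    raise LookupError(f"no {rel!r} link in JRD for {resource!r}")
```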