Re: [scim] Discovery support for SCIM
Ian Glazer <iglazer@salesforce.com> Tue, 29 September 2015 19:29 UTC
From: Ian Glazer <iglazer@salesforce.com>
Date: Tue, 29 Sep 2015 15:29:05 -0400
Message-ID: <CAOJ9JzQAfMEseMj7DVBDD=Ku_Af=twt30sc--KbyG7ZoTGtw4w@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: SCIM WG <scim@ietf.org>, Chuck Mortimore <charliemortimore@gmail.com>

I like that approach Phil

On Tue, Sep 29, 2015 at 2:10 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> Chuck,
>
> Thanks. That too was my main objective.
>
> Is there anything else that should be returned other than the URL for the
> SCIM server? E.g. do we want a JSON structure that might convey multiple
> pieces of information? E.g. authentication requirements and endpoints.
>
> I am leaning towards just returning a URL and keeping the response simple
> since SCIM already has its own service specific discovery endpoints (e.g.
> /ServiceProviderConfig).
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On Sep 28, 2015, at 12:37 PM, Chuck Mortimore <charliemortimore@gmail.com> wrote:
>
> We're interested in the service discovery aspect. Less so on the
> profile discovery / webfinger
>
> On Mon, Sep 28, 2015 at 11:58 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> It's now Monday after completion of the SCIM RFCs and I have already
>> received a new enhancement request. BTW thanks to everyone in the WG for
>> all your efforts!
>>
>> The request is to define discovery for SCIM. For example using the
>> Well-known mechanism (RFC5785) and potentially WebFinger (RFC7033).
>>
>> For example, a SCIM client may send the following query:
>>
>> GET https://www.example.com/.well-known/scim
>>
>> For which the server might respond with a URL to the appropriate SCIM
>> server and path to the server root (e.g. "profile.example.com/scim").
>>
>> In a more complex version with a webfinger (RFC7033) query:
>>
>> GET https://www.example.com/.well-known/webfinger?resource=acct%3Abob%40example.com&rel=scim-profile
>>
>> Which responds:
>>
>> HTTP/1.1 200 OK
>> Access-Control-Allow-Origin: *
>> Content-Type: application/jrd+json
>>
>> {
>>   "subject" : "acct:bob@example.com",
>>   "links" :
>>   [
>>     {
>>       "rel" : "scim-profile",
>>       "href" : "https://www.example.com/sciim/Users/bob-id"
>>     }
>>   ]
>> }
>>
>> Overall, I see a few different use-cases:
>>
>> 1. A SCIM client simply wants to know where the SCIM Profile service is
>> for a specific domain (e.g. tenacy.example.com).
>>
>> 2. A SCIM client might be looking for a user's profile service. So it
>> asks example.com where is phil.hunt@acme.com? This would be a WebFinger
>> style query based on the well-known endpoint. The same WebFinger query
>> could also return the OIDC endpoints as well as the SCIM endpoints for the
>> user. This may be useful for cases where service providers have multiple
>> tenancies and there is a need to have a generic, tenancy neutral lookup
>> service.
>>
>> 3. A SCIM client that has the service endpoint for a SaaS service (e.g.
>> CRM, HCM, Finance) may be looking for the provisioning endpoint and the
>> ResourceType and schemas relevant to the application. For example, a
>> client that wants to provision a User to a Finance system wants to know
>> where the Finance app provisioning endpoint is. It could be a Finance
>> SCIM endpoint or it may be a profile service endpoint.
>>
>> Questions:
>>
>> A. Are there members of the WG interested in this?
>>
>> B. From a protocol standpoint, it should not matter whether a client is
>> talking to SCIM that is deployed in front of a business application (like
>> CRM, Finance), vs. SCIM as a general User profile service. However, due to
>> possible differences in the higher-level logic of the client, would it be
>> important to distinguish between say "scim-provisioning" and "scim-profile"
>> as distinct types of services? If so, what do we think defines that
>> difference?
>>
>> Thanks,
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>>
>
>
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
>

--
Ian Glazer
Senior Director, Identity
+1 202 255 3166
@iglazer <https://twitter.com/iglazer>
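As an added example, not code from anyone in the thread, here is a minimal WebFinger client for the rel=scim-profile lookup Phil sketches above: it percent-encodes the query the way his example URL shows and validates the JRD (subject matches the requested account, href is https as RFC 7033 requires) before handing a SCIM endpoint to provisioning logic. The sample JRD is constructed here and the function names are my own.

```python
import json
from urllib.parse import quote, urlencode, urlsplit

# Constructed sample JRD, modelled on the response in Phil's message
# (not a capture from a real server). The last link is deliberately
# plaintext http so the filter below has something to reject.
SAMPLE_JRD = json.dumps({
    "subject": "acct:bob@example.com",
    "links": [
        {"rel": "http://openid.net/specs/connect/1.0/issuer",
         "href": "https://login.example.com"},
        {"rel": "scim-profile",
         "href": "https://www.example.com/scim/Users/bob-id"},
        {"rel": "scim-profile",
         "href": "http://insecure.example.com/scim/Users/bob-id"},
    ],
})


def webfinger_url(host, resource, rel):
    """Build the .well-known/webfinger query. resource and rel are
    percent-encoded, so 'acct:bob@example.com' becomes acct%3Abob%40example.com."""
    query = urlencode({"resource": resource, "rel": rel}, quote_via=quote)
    return "https://%s/.well-known/webfinger?%s" % (host, query)


def select_scim_links(jrd_text, resource, rel):
    """Parse a JRD and return the hrefs for `rel` that a client may use.

    Two checks before trusting a link: the JRD subject must be the account
    that was asked for (RFC 7033 lets a server answer with a canonical
    alias; this client takes the conservative line and rejects that), and
    the href must be https, which RFC 7033 requires for WebFinger.
    """
    jrd = json.loads(jrd_text)
    if jrd.get("subject") != resource:
        raise ValueError("JRD subject %r != requested %r"
                         % (jrd.get("subject"), resource))
    hrefs = []
    for link in jrd.get("links", []):
        if link.get("rel") != rel:
            continue
        href = link.get("href", "")
        if urlsplit(href).scheme != "https":
            continue  # never provision over a plaintext endpoint
        hrefs.append(href)
    if not hrefs:
        raise LookupError("no usable %s link in JRD" % rel)
    return hrefs
```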