[scim] Storing "federated" user identifiers using SCIM
Matt Randall <matthew.a.randall@gmail.com> Fri, 20 July 2018 13:56 UTC
Return-Path: <matthew.a.randall@gmail.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39EA3131168 for <scim@ietfa.amsl.com>; Fri, 20 Jul 2018 06:56:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pQPfnc-t-91M for <scim@ietfa.amsl.com>; Fri, 20 Jul 2018 06:56:38 -0700 (PDT)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DCEF1310E1 for <scim@ietf.org>; Fri, 20 Jul 2018 06:56:38 -0700 (PDT)
Received: by mail-wm0-x235.google.com with SMTP id s14-v6so9954972wmc.1 for <scim@ietf.org>; Fri, 20 Jul 2018 06:56:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=d8wELqJEyzlnj/8HDNUgMtImMjaApQwmSGc1nRHFJcA=; b=HOqvgAOzuP6VtNQYpWlcdqczaIBzbXsR0Wb32fbjw/MIGeLxtrVvboUdwbRxhXM7AW 07JzhznAfUY4EaQAqwHQUfLRPwUjgmiVHYe8MsPpnnHOG7ZQQuSj5jozdTmdTF0CntI2 qltSbmqfNgEkCRLwJTWN++OnVDkHcSNl60yh/ECKTYU66kgq9XLjhwy7qA43bgZ6PAcA 7PnIMo6MO4BtfYzvXYZPDpziGBt0x4VsMSyT3AgI6SCaTjrdw0PEoRIuuRjp6z5t6Yqx xtJBiEash1PntKnQgjNYvqGDrvSENt2Gg2GEw+gTy7YfYeZBRJaWJ/1pZIv93P83mDVk BgDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=d8wELqJEyzlnj/8HDNUgMtImMjaApQwmSGc1nRHFJcA=; b=S9zHkxdu9PIi9Rvb4SAyeqSiOLoc1rIDQ6lMw5pW3dmfIbpMgaDktoAGxov9054H24 kQ1UGybYG8WyTKvvfM9OjDeJQpDAxjGjYGvpfYgoroeo/8S/yDy4Av3gn5VrLGFhx1Dw lMEUWQo7kTTIG/ibVe9l0vHVIOD8WNPwpp5MeV8sb4siqMIzh/0fb5BFUSB9vGa4vDBG Vnk85/3JqeRitaxBCBrVnEjs33gG+2HUV7k3a2bOXQGSR4VLKXSWFrJplqHLt4oz/eUY PjPeuVQl4f91GN2LOmbh/0X3cFh376E5GYue8rIjPeWM0Pe55aOWbs4Si0F2cSe93RbX rYOQ==
X-Gm-Message-State: AOUpUlHZKn2M0J0x5XrcdDrN8s3Mo1YEIzXU/keVVTXXcJ+2Qx6+wyBd Z0vOk/Sd1lRKab5w+Kw5Ab7+epEhjTq7Q7EeqVl8UA==
X-Google-Smtp-Source: AAOMgpcefcAskcWAE57G/d3yVGmuEWzZ5UsP2rFyyDo42HARKiCPBHFLDObFotx7Dn4gt520/htdQSUuUrDxWJckZRo=
X-Received: by 2002:a1c:8010:: with SMTP id b16-v6mr1714637wmd.41.1532094996249; Fri, 20 Jul 2018 06:56:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:adf:d105:0:0:0:0:0 with HTTP; Fri, 20 Jul 2018 06:56:35 -0700 (PDT)
From: Matt Randall <matthew.a.randall@gmail.com>
Date: Fri, 20 Jul 2018 08:56:35 -0500
Message-ID: <CANDH0ytSNbA0ak4mBpvkgEVseeR=PP739Ms0F58-Q60xL3BWsw@mail.gmail.com>
To: scim@ietf.org
Content-Type: multipart/alternative; boundary="0000000000000380fe05716eaa50"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/xULLvrxaZsGsaAZ9Q4Chin_hnLg>
Subject: [scim] Storing "federated" user identifiers using SCIM
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 13:56:40 -0000
Our company has an interesting use case - I was curious if any members of the group had encountered it when developing their own SaaS platform, if there were perhaps an existing schema / schema attribute that I had overlooked, or if there is some sort of existing convention for the following use case? For our SaaS platform, we want to enable our customers to push users to our platform and enable those users to log in with a potential multiplicity of identity providers (1:M relationship between a user and their individual identities at different identity provider(s)). This would require the storage of both the "issuer" (SAML entity ID, OIDC Issuer) and principal (and, in the case of SAML, potentially the NameID type.) I'd imagine this type of data would be modeled as a multi-valued attribute of user whose values are complex attributes, containing the 2-3 prerequisite data points mentioned above. To date, we had always aligned SCIM as a 1:1 feed with an identity provider, requiring the IdP's asserted principal to match the SCIM username. We're encountering scenarios where it would be useful for customers to have a single feed where users use potentially different identity providers, and where a single user might be serviced by multiples. Does anyone else share our use case in this community, or perhaps encountered an existing pattern for this? Thank you, - Matt Randall