Re: [scim] Is ServiceProviderConfig Required?

Danny Mayer <mayer@pdmconsulting.net> Wed, 13 October 2021 16:45 UTC

Return-Path: <mayer@pdmconsulting.net>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F19F3A005C for <scim@ietfa.amsl.com>; Wed, 13 Oct 2021 09:45:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnRX6NLMPBwl for <scim@ietfa.amsl.com>; Wed, 13 Oct 2021 09:45:34 -0700 (PDT)
Received: from chessie.everett.org (chessie.everett.org [66.220.13.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13CA73A0045 for <scim@ietf.org>; Wed, 13 Oct 2021 09:45:33 -0700 (PDT)
Received: from newusers-MBP.fios-router.home (pool-108-26-179-179.bstnma.fios.verizon.net [108.26.179.179]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 4HTz164hTgzMNQs; Wed, 13 Oct 2021 16:45:30 +0000 (UTC)
To: Phillip Hunt <phil.hunt@independentid.com>
Cc: SCIM WG <scim@ietf.org>
References: <9f90574b-aa33-4f06-209b-6281a3ab6600@pdmconsulting.net> <E45706C7-043E-41E8-A638-58AA452D11E4@independentid.com>
From: Danny Mayer <mayer@pdmconsulting.net>
Message-ID: <20a7cfcb-5e00-6d5c-3629-b26328500cc4@pdmconsulting.net>
Date: Wed, 13 Oct 2021 12:45:29 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <E45706C7-043E-41E8-A638-58AA452D11E4@independentid.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/zGUNFeQ1McWGRaYm-goJsAxhDdk>
Subject: Re: [scim] Is ServiceProviderConfig Required?
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 16:45:41 -0000

Inline too!

On 10/13/21 11:57 AM, Phillip Hunt wrote:
> Inline
>
> Phil
>
>> On Oct 13, 2021, at 8:24 AM, Danny Mayer <mayer@pdmconsulting.net> wrote:
>>
>> I've been looking at some SCIM servers and it seems that some do not provide the ServiceProviderConfig endpoint and at least one Commercial SCIM Client didn't request the endpoint when I was testing it last year. Is it a requirement to provide this endpoint and is the client required to read it and obey the rules laid out in the returned information? Are clients using it?
> ServiceProviderConfig is the standard way to do functionality, schema and resource type discovery.
>
> As a discovery feature it is technically optional. It does seem silly not to implement it since for many its fairly simple to implement.
>
> I have heard of many smarter clients that use it. I2scim.io client does discovery to defines its own schema to match.
I think it should be REQUIRED to both implement and used. Having the 
client know what it can and cannot do seems to be essential especially 
as the client requests will be rejected (hopefully) if the client makes 
a request that it has already been told that it will not allow. Change 
Passwords come to mind as an example.
>> I'm also not sure about the /Me endpoint. That requires that the SCIM server retain state. That should be the SCIM client's responsibility.
> Not sure what you mean here. The server just uses the authorization header to locate what /Me refers to.  Eg matching username or sub claim.

That sounds dangerous from a security point of view. If an employee is 
able to make a call and authenticate themselves they could potentially 
change their own access permissions. On my SCIM Server implementation, 
only the authorized SCIM client was allowed to make any changes (and 
could not do it to their own account).

Danny

>
>> Danny
>>
>>
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim