rfc9967v1.txt   rfc9967.txt 
skipping to change at line 92 skipping to change at line 92
7.1. SCIM Asynchronous Set-Txn Header Registration 7.1. SCIM Asynchronous Set-Txn Header Registration
7.2. Registering Event Capability with SCIM Service Provider 7.2. Registering Event Capability with SCIM Service Provider
Configuration Configuration
7.3. Creation of the SCIM Event URIs Registry 7.3. Creation of the SCIM Event URIs Registry
7.4. Initial Contents of the SCIM Event URIs Registry 7.4. Initial Contents of the SCIM Event URIs Registry
8. References 8. References
8.1. Normative References 8.1. Normative References
8.2. Informative References 8.2. Informative References
Appendix A. Use Cases Appendix A. Use Cases
A.1. Domain-Based Replication A.1. Domain-Based Replication
A.2. Co-ordinated Provisioning A.2. Coordinated Provisioning
Acknowledgements Acknowledgements
Authors' Addresses Authors' Addresses
1. Introduction and Overview 1. Introduction and Overview
This specification defines Security Events for SCIM Service Providers This specification defines Security Events for SCIM Service Providers
and receivers as specified by Security Event Tokens (SETs) [RFC8417]. and receivers as specified by Security Event Tokens (SETs) [RFC8417].
In this specification, SCIM Security Events include asynchronous In this specification, SCIM Security Events include asynchronous
request completion, resource replication, and provisioning co- request completion, resource replication, and provisioning
ordination. coordination.
This specification defines the use of the HTTP header "Prefer: This specification defines the use of the HTTP header "Prefer:
respond-async" [RFC7240] to allow a SCIM Protocol Client [RFC7644] to respond-async" [RFC7240] to allow a SCIM client [RFC7644] to request
request an asynchronous response (see Section 2.5.1.1). an asynchronous response (see Section 2.5.1.1).
Using the HTTP protocol, a SCIM Protocol Client issues commands to a Using the HTTP protocol, a SCIM client issues commands to a SCIM
SCIM Service Provider using HTTP methods such as POST, PATCH, and Service Provider using HTTP methods such as POST, PATCH, and DELETE
DELETE [RFC7644] that cause a state change to a SCIM Resource. When [RFC7644] that cause a state change to a SCIM Resource. When
multiple independent SCIM Clients update SCIM Resources, individual multiple independent SCIM Clients update SCIM Resources, individual
clients become out of date as state changes occur. Some clients may clients become out of date as state changes occur. Some clients may
need to be informed of these changes for co-ordination or need to be informed of these changes for coordination or
reconciliation purposes. This could be done using periodic SCIM GET reconciliation purposes. This could be done using periodic SCIM GET
requests over time, but this rapidly becomes problematic as the requests over time, but this rapidly becomes problematic as the
number of changes and the number of resources increases. number of changes and the number of resources increases.
SCIM Events can be shared over an established Event Feed enabling SCIM Events can be shared over an established Event Feed enabling
receivers to monitor and trigger independent asynchronous action. receivers to monitor and trigger independent asynchronous action.
This approach enables greater scale and timeliness, where only This approach enables greater scale and timeliness, where only
changed information is exchanged between parties. changed information is exchanged between parties.
A SET conveys information about a state change that has occurred at a A SET conveys information about a state change that has occurred at a
skipping to change at line 171 skipping to change at line 171
For this specification, the terms "claims" and "attributes" are For this specification, the terms "claims" and "attributes" are
interchangeable. For consistency, JWT and SET attributes registered interchangeable. For consistency, JWT and SET attributes registered
by IANA will continue to be called "claims", while event information by IANA will continue to be called "claims", while event information
attributes (i.e., those in an event payload) will be referred to as attributes (i.e., those in an event payload) will be referred to as
"attributes". "attributes".
Additionally, the following terms are defined: Additionally, the following terms are defined:
Attributes and Claims: Attributes and Claims:
The JWT specification [RFC7519], upon which SET is based, uses the The JWT specification [RFC7519], upon which SET is based, uses the
term "claims" to refer to attributes in a JSON token. In term "claims" to refer to attributes in a JSON Web Token. In
contrast, SCIM uses the term "attributes" to refer to JSON contrast, SCIM uses the term "attributes" to refer to JSON
attributes. For the purposes of this document, the terms attributes. For the purposes of this document, the terms
"attributes" and "claims" are equivalent. "attributes" and "claims" are equivalent.
Co-ordinated Provisioning (CP): Coordinated Provisioning (CP):
As defined in Appendix A.2, in CP relationships, an Event As defined in Appendix A.2, in CP relationships, an Event
Publisher and Receiver typically exchange resource change events Publisher and Receiver typically exchange resource change events
without exchanging data (see Section 2.4). For a receiver to know without exchanging data (see Section 2.4). For a receiver to know
the value of the data, the Event Receiver usually calls back to the value of the data, the Event Receiver usually calls back to
the SCIM Event Publisher domain to receive a new copy of data the SCIM Event Publisher domain to receive a new copy of data
(e.g., uses a SCIM GET request). (e.g., uses a SCIM GET request).
Domain-Based Replication (DBR): Domain-Based Replication (DBR):
As defined in Appendix A.1, in the DBR mode, there is an As defined in Appendix A.1, in the DBR mode, there is an
administrative relationship spanning multiple operational domains; administrative relationship spanning multiple operational domains;
skipping to change at line 203 skipping to change at line 203
An Event Feed (or equivalently an Event Stream) is a logical An Event Feed (or equivalently an Event Stream) is a logical
series of events shared with a unique receiving client. A SET series of events shared with a unique receiving client. A SET
transfer (see [RFC8935] and [RFC8936]) Service Provider may offer transfer (see [RFC8935] and [RFC8936]) Service Provider may offer
to allow Event Receivers to "subscribe" to specific event types or to allow Event Receivers to "subscribe" to specific event types or
events about specific resources (see Feed Management events in events about specific resources (see Feed Management events in
Section 2.3). Section 2.3).
Event Receiver: Event Receiver:
An entity typically receives events as described in [RFC8935] and An entity typically receives events as described in [RFC8935] and
[RFC8936] or via HTTP GET (see Section 2.5.1.1). In the case of [RFC8936] or via HTTP GET (see Section 2.5.1.1). In the case of
SET Push Transfer [RFC8935], the Event Receiver is an HTTP Service push-based SET delivery [RFC8935], the Event Receiver is an HTTP
Endpoint that receives requests. In the case of SET Poll-based endpoint that receives requests. In the case of poll-based SET
Transfer [RFC8936], the receiver is an HTTP client that initiates delivery [RFC8936], the receiver is an HTTP client that initiates
an HTTP request to an Event Publisher endpoint. HTTP requests to an Event Publisher endpoint.
Event Publisher: Event Publisher:
A system that issues SETs based on a resource state change that A system that issues SETs based on a resource state change that
has occurred at a SCIM Service Provider. For example, events may has occurred at a SCIM Service Provider. For example, events may
be the result of a SCIM Create, Modify, or Delete operation as be the result of a SCIM Create, Modify, or Delete operation as
defined in Section 3 of [RFC7644]. A SCIM Service Provider may be defined in Section 3 of [RFC7644]. A SCIM Service Provider may be
an Event Publisher or an independent service that aggregates an Event Publisher or an independent service that aggregates
events into Event Receiver feeds. As described above, when using events into Event Receiver feeds. As described above, when using
[RFC8935], the Event Publisher is an HTTP client that initiates [RFC8935], the Event Publisher is an HTTP client that initiates
HTTP POST requests to a defined Event Receiver endpoint. When HTTP POST requests to a defined Event Receiver endpoint. When
skipping to change at line 284 skipping to change at line 284
} }
} }
Figure 1: Example SCIM Subject Id Figure 1: Example SCIM Subject Id
Instead of "sub", the top-level claim "sub_id" SHALL be used. Instead of "sub", the top-level claim "sub_id" SHALL be used.
"sub_id" contains the subclaim attribute "format" set to "scim" to "sub_id" contains the subclaim attribute "format" set to "scim" to
indicate that the attributes present in the "sub_id" object are SCIM indicate that the attributes present in the "sub_id" object are SCIM
attributes. The following "sub_id" attributes are defined: attributes. The following "sub_id" attributes are defined:
uri uri:
The SCIM relative path for the resource that usually consists of The SCIM relative path for the resource that usually consists of
the resource type endpoint plus the resource "id" (see Section 3.2 the resource type endpoint plus the resource "id" (see Section 3.2
of [RFC7644]), for example, of [RFC7644]), for example,
"/Users/2b2f880af6674ac284bae9381673d462". This attribute MUST be "/Users/2b2f880af6674ac284bae9381673d462". This attribute MUST be
provided in a SCIM Event "sub_id" claim. Note that the relative provided in a SCIM Event "sub_id" claim. Note that the relative
path is the path component after the SCIM Service Provider Base path is the path component after the SCIM Service Provider Base
URI as defined in Section 1.3 of [RFC7644]. In cases where the URI as defined in Section 1.3 of [RFC7644]. In cases where the
Event Receiver is unable to match a URI, the Event Receiver MAY Event Receiver is unable to match a URI, the Event Receiver MAY
issue a callback to a previously agreed SCIM Service Provider Base issue a callback to a previously agreed SCIM Service Provider Base
URI plus the relative "uri" value and perform a SCIM GET request URI plus the relative "uri" value and perform a SCIM GET request
per Section 3.4.1 of [RFC7644]. per Section 3.4.1 of [RFC7644].
externalId externalId:
If known, the "externalId" value (defined in Section 3.1 of If known, the "externalId" value (defined in Section 3.1 of
[RFC7643]) of the SCIM Resource that MAY be used by a receiver to [RFC7643]) of the SCIM Resource that MAY be used by a receiver to
identify the corresponding resource in the Event Receiver's identify the corresponding resource in the Event Receiver's
domain. domain.
id id:
The SCIM Id attribute (defined in Section 3.1 of [RFC7643]) MAY be The SCIM "id" attribute (defined in Section 3.1 of [RFC7643]) MAY
used for backwards compatibility reasons in addition to the "uri" be used for backwards compatibility reasons in addition to the
claim. "uri" claim.
In cases where SCIM identifiers ("id" and "externalId") are not In cases where SCIM identifiers ("id" and "externalId") are not
enough to identify a common resource between an Event Publisher and enough to identify a common resource between an Event Publisher and
Event Receiver, the "sub_id" object MAY contain attributes whose SCIM Event Receiver, the "sub_id" object MAY contain attributes whose SCIM
attribute types have "uniqueness" set to "server" or "global" as per attribute types have "uniqueness" set to "server" or "global" as per
Section 7 of [RFC7643]. For example, attributes such as "emails" or Section 7 of [RFC7643]. For example, attributes such as "emails" or
"username" (defined in Section 4 of [RFC7643]) are unique within a "userName" (defined in Section 4 of [RFC7643]) are unique within a
SCIM Service Provider. Such attributes should allow an Event SCIM Service Provider. Such attributes should allow an Event
Publisher and Event Receiver to identify a commonly understood Publisher and Event Receiver to identify a commonly understood
subject resource of an event. subject resource of an event.
2.2. Common Event Attributes 2.2. Common Event Attributes
The following attributes are available for all events defined. Some The following attributes are available for all events defined. Some
attributes are defined as SET/JWT claims, while others are "Event attributes are defined as SET/JWT claims, while others are "Event
Payload" claims as defined in Section 1.2 of [RFC8417]. Only one of Payload" claims as defined in Section 1.2 of [RFC8417]. Only one of
the claims, "data" or "attributes", MUST be provided depending on the the claims, "data" or "attributes", MUST be provided depending on the
event definition. event definition.
txn txn:
A SET-defined claim with a STRING value (see Section 2.2 of A SET-defined claim with a STRING value (see Section 2.2 of
[RFC8417]) that uniquely identifies a transaction originating at a [RFC8417]) that uniquely identifies a transaction originating at a
SCIM Service Provider and/or its underlying data repository or SCIM Service Provider and/or its underlying data repository or
database where one or more SCIM Events may be subsequently issued. database where one or more SCIM Events may be subsequently issued.
In contrast to a "jti" claim (see Section 4.1.7 of [RFC7519]), In contrast to a "jti" claim (see Section 4.1.7 of [RFC7519]),
which uniquely identifies a token, the "txn" remains the same when which uniquely identifies a token, the "txn" remains the same when
one or more SETs are generated for various purposes such as one or more SETs are generated for various purposes such as
retransmission, publication to multiple receivers, etc. A retransmission, publication to multiple receivers, etc. A
distinct state change or transaction within a SCIM Service distinct state change or transaction within a SCIM Service
Provider MAY result in multiple SETs issued each with distinct Provider MAY result in multiple SETs issued each with distinct
"jit" values and a common "txn" value. "txn" is REQUIRED to "jit" values and a common "txn" value. "txn" is REQUIRED to
support asynchronous SCIM requests, CP, and replication to support asynchronous SCIM requests, CP, and replication to
disambiguate or detect duplicate SETs regarding the same disambiguate or detect duplicate SETs regarding the same
underlying transaction. underlying transaction.
version version:
The ETag version of the resource as a result of the event. The ETag version of the resource as a result of the event.
Corresponds to the ETag response header described in Section 3.14 Corresponds to the ETag response header described in Section 3.14
of [RFC7644]. of [RFC7644].
data data:
An event payload attribute that contains information described in An event payload attribute that contains information described in
the SCIM Bulk Operations "data" attribute in Section 3.7 of the SCIM Bulk Operations "data" attribute in Section 3.7 of
[RFC7644]. The JSON object contains the equivalent SCIM command [RFC7644]. The JSON object contains the equivalent SCIM command
processed by the SCIM Service Provider. For example, after processed by the SCIM Service Provider. For example, after
processing a SCIM Create operation, the data contained includes processing a SCIM Create operation, the data contained includes
the final representation of the entity created by the SCIM Service the final representation of the entity created by the SCIM Service
Provider including the assigned "id" value. Provider including the assigned "id" value.
attributes attributes:
A payload that contains an array of attributes that were added, A payload that contains an array of attributes that were added,
revised, or removed. Names of modified attributes SHOULD conform revised, or removed. Names of modified attributes SHOULD conform
to the ABNF syntax rule for "path" (Section 3.5.2 of [RFC7644]). to the ABNF syntax rule for "path" (Section 3.5.2 of [RFC7644]).
For example: "attributes": For example: "attributes":
["username","emails","name.familyName"]. ["userName","emails","name.familyName"].
2.3. SCIM Feed Events 2.3. SCIM Feed Events
This section defines events related to changes in the content of an This section defines events related to changes in the content of an
event feed such as SCIM Resources that are being added or removed event feed such as SCIM Resources that are being added or removed
from an event feed or events used in Co-operative Provisioning from an event feed or events used in Coordinated Provisioning
scenarios where only a subset of entities are shared across an Event scenarios where only a subset of entities are shared across an Event
Feed. The URI prefix for these events is Feed. The URI prefix for these events is
"urn:ietf:params:scim:event:feed". "urn:ietf:params:scim:event:feed".
2.3.1. urn:ietf:params:scim:event:feed:add 2.3.1. urn:ietf:params:scim:event:feed:add
The specified resource has been added to the Event Feed. A The specified resource has been added to the Event Feed. A
"feed:add" does not indicate that a resource is new or has been "feed:add" does not indicate that a resource is new or has been
recently created. For example, an existing user has had a new role recently created. For example, an existing user has had a new role
(e.g., CRM_User) added to their profile, which has caused their (e.g., CRM_User) added to their profile, which has caused their
skipping to change at line 428 skipping to change at line 428
"https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754"
] ]
} }
Figure 3: Example SCIM Feed Remove Event Figure 3: Example SCIM Feed Remove Event
2.4. SCIM Provisioning Events 2.4. SCIM Provisioning Events
This section defines resource changes that have occurred within a This section defines resource changes that have occurred within a
SCIM Service Provider. These events are used in both Domain-Based SCIM Service Provider. These events are used in both Domain-Based
Replication (DBR) and Co-operative Provisioning (CP) mode. The URI Replication (DBR) and Coordinated Provisioning (CP) mode. The URI
prefix for these events is "urn:ietf:params:scim:event:prov". prefix for these events is "urn:ietf:params:scim:event:prov".
When the "data" payload attribute is included for each of the When the "data" payload attribute is included for each of the
following events, the event URI MUST end with "full"; otherwise, the following events, the event URI MUST end with "full"; otherwise, the
event URI ends with "notice". In "full" mode, the set of values event URI ends with "notice". In "full" mode, the set of values
reflecting the final representation of the resource (such as would be reflecting the final representation of the resource (such as would be
returned in a SCIM protocol response) at the Service Provider are returned in a SCIM protocol response) at the Service Provider are
provided using the "data" attribute (see Figure 4). In "notice" provided using the "data" attribute (see Figure 4). In "notice"
mode, the "attributes" attribute is returned and lists the set of mode, the "attributes" attribute is returned and lists the set of
attributes created or modified in the request (see Figure 5). attributes created or modified in the request (see Figure 5).
skipping to change at line 722 skipping to change at line 722
2.5.1. Asynchronous Events 2.5.1. Asynchronous Events
2.5.1.1. Making an Asynchronous SCIM Request 2.5.1.1. Making an Asynchronous SCIM Request
A SCIM Client making SCIM HTTP requests defined in Section 3 of A SCIM Client making SCIM HTTP requests defined in Section 3 of
[RFC7644] MAY request asynchronous processing using the "Prefer" HTTP [RFC7644] MAY request asynchronous processing using the "Prefer" HTTP
header as defined in Section 4.1 of [RFC7240]. The client may do header as defined in Section 4.1 of [RFC7240]. The client may do
this for a number of reasons such as avoiding holding HTTP this for a number of reasons such as avoiding holding HTTP
connections open during long requests because the result of the connections open during long requests because the result of the
request is not needed or the result is delivered to another entity request is not needed or the result is delivered to another entity
for further action for co-ordination reasons. for further action for coordination reasons.
To initiate an asynchronous SCIM request, a normal SCIM protocol To initiate an asynchronous SCIM request, a normal SCIM protocol
POST, PUT, PATCH, or DELETE request is performed with the HTTP POST, PUT, PATCH, or DELETE request is performed with the HTTP
"Prefer" header set to "respond-async" (Section 4.1 of [RFC7240]). "Prefer" header set to "respond-async" (Section 4.1 of [RFC7240]).
The HTTP "Accept" header MUST be ignored for purposes of an The HTTP "Accept" header MUST be ignored for purposes of an
asynchronous response. Additionally, per Section 4.3 of [RFC7240], asynchronous response. Additionally, per Section 4.3 of [RFC7240],
the "wait" preference SHOULD be supported to establish a maximum time the "wait" preference SHOULD be supported to establish a maximum time
before a SCIM Service Provider MAY choose to respond asynchronously. before a SCIM Service Provider MAY choose to respond asynchronously.
In response, the SCIM Service Provider returns either a normal SCIM In response, the SCIM Service Provider returns either a normal SCIM
response or HTTP Status 202 (Accepted). The asynchronous response response or HTTP status code 202 (Accepted). The asynchronous
MUST contain no response body. To enable correlation of the future response MUST contain no response body. To enable correlation of the
event, the HTTP response header "Set-Txn" (see Section 3) is returned future event, the HTTP response header "Set-Txn" (see Section 3) is
with a value that MUST match the "txn" claim in a subsequent Security returned with a value that MUST match the "txn" claim in a subsequent
Event Token. Per [RFC7240], Section 3, the response will also Security Event Token. Per [RFC7240], Section 3, the response will
include the "Preference-Applied" header. The "Location" header value also include the "Preference-Applied" header. The "Location" header
MUST be one of the following: (a) a URI where the completion SCIM value MUST be one of the following: (a) a URI where the completion
Event Token MAY be retrieved using HTTP GET or (b) the normal SCIM SCIM Event Token MAY be retrieved using HTTP GET or (b) the normal
location header response specified by [RFC7644]. SCIM location header response specified by [RFC7644].
In the following non-normative example, a "Prefer" header is set to In the following non-normative example, a "Prefer" header is set to
"respond-async": "respond-async":
PUT /Users/2819c223-7f76-453a-919d-413861904646 PUT /Users/2819c223-7f76-453a-919d-413861904646
Host: scim.example.com Host: scim.example.com
Prefer: respond-async Prefer: respond-async
Content-Type: application/scim+json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
skipping to change at line 770 skipping to change at line 770
"roles":[], "roles":[],
"emails":[ "emails":[
{ {
"value":"bjensen@example.com" "value":"bjensen@example.com"
} }
] ]
} }
Figure 12: Example Asynchronous SCIM Protocol Request Figure 12: Example Asynchronous SCIM Protocol Request
The SCIM Service Provider responds with HTTP 202 Accepted and The SCIM Service Provider responds with HTTP status code 202
includes the Set-Txn header: (Accepted) and includes the Set-Txn header:
HTTP/1.1 202 Accepted HTTP/1.1 202 Accepted
Set-Txn: 734f0614e3274f288f93ac74119dcf78 Set-Txn: 734f0614e3274f288f93ac74119dcf78
Preference-Applied: respond-async Preference-Applied: respond-async
Location: Location:
"/Users/2819c223-7f76-453a-919d-413861904646" "/Users/2819c223-7f76-453a-919d-413861904646"
Figure 13 Figure 13: Async SCIM Request with Prefer Header
2.5.1.2. Asynchronous Bulk Endpoint Requests 2.5.1.2. Asynchronous Bulk Endpoint Requests
Section 3.7 of [RFC7644] provides the ability to submit multiple SCIM Section 3.7 of [RFC7644] provides the ability to submit multiple SCIM
operations in a single "bulk" request. When an asynchronous response operations in a single "bulk" request. When an asynchronous response
is requested, a single Asynchronous Request Completion Event MUST be is requested, a single Asynchronous Request Completion Event MUST be
generated for each requested operation. For example, if a single generated for each requested operation. For example, if a single
"bulk" request had 10 operations, then 10 Asynchronous Event "bulk" request had 10 operations, then 10 Asynchronous Event
completion events would be generated. completion events would be generated.
skipping to change at line 986 skipping to change at line 986
Figure 19: Example SCIM Asynchronous Response Event Operation (4 Figure 19: Example SCIM Asynchronous Response Event Operation (4
of 4) of 4)
3. Set-Txn HTTP Response Header for Asynchronous Requests 3. Set-Txn HTTP Response Header for Asynchronous Requests
This specification defines a new HTTP header field, "Set-Txn", which This specification defines a new HTTP header field, "Set-Txn", which
serves the purpose of conveying request completion information to serves the purpose of conveying request completion information to
SCIM HTTP clients that request an asynchronous response as described SCIM HTTP clients that request an asynchronous response as described
in Section 2.5.1.1. The header field MUST be used in SCIM Responses in Section 2.5.1.1. The header field MUST be used in SCIM Responses
when HTTP Status 202 Accepted is being returned with no message body. when HTTP status code 202 (Accepted) is being returned with no
message body.
The "Set-Txn" HTTP header field value is a unique STRING (e.g., a The "Set-Txn" HTTP header field value is a unique STRING (e.g., a
Globally Unique Identifier (GUID)) used by the SCIM HTTP client to Globally Unique Identifier (GUID)) used by the SCIM HTTP client to
look for a matching SET event with a matching "txn" claim (see look for a matching SET event with a matching "txn" claim (see
Section 2 of [RFC8417]) confirming the request completion status as Section 2 of [RFC8417]) confirming the request completion status as
described in Section 2.5.1.1. described in Section 2.5.1.1.
Intermediaries SHOULD NOT insert, modify, or delete the field's Intermediaries SHOULD NOT insert, modify, or delete the field's
value. value.
skipping to change at line 1008 skipping to change at line 1009
completion is not required. For example, a SCIM client may simply completion is not required. For example, a SCIM client may simply
not want to wait for synchronous completion. not want to wait for synchronous completion.
4. Events Discovery Schema for Service Provider Configuration 4. Events Discovery Schema for Service Provider Configuration
Section 5 of [RFC7643] defines SCIM Service Provider configuration Section 5 of [RFC7643] defines SCIM Service Provider configuration
schemas. This section defines additional attributes that enable a schemas. This section defines additional attributes that enable a
SCIM Client to discover the additional capabilities defined by this SCIM Client to discover the additional capabilities defined by this
specification. specification.
securityEvents securityEvents:
A SCIM Complex attribute that specifies the available capabilities A SCIM Complex attribute that specifies the available capabilities
related to asynchronous Security Events based on [RFC8417]. This related to asynchronous Security Events based on [RFC8417]. This
attribute is OPTIONAL, and when absent, it indicates the SCIM attribute is OPTIONAL, and when absent, it indicates the SCIM
Service Provider does not support or is not currently configured Service Provider does not support or is not currently configured
for Security Events. The following sub-attributes are defined: for Security Events. The following sub-attributes are defined:
asyncRequest asyncRequest:
A case-insensitive string value specifying one of the A case-insensitive string value specifying one of the
following: following:
* "none" indicates that asynchronous SCIM requests defined in * "none" indicates that asynchronous SCIM requests defined in
Section 2.5.1.1 are not supported; Section 2.5.1.1 are not supported;
* "long" indicates that the server completes requests * "long" indicates that the server completes requests
asynchronously at the server's discretion (e.g., based on a asynchronously at the server's discretion (e.g., based on a
max wait time); and max wait time); and
* "request" indicates that the server completes requests * "request" indicates that the server completes requests
asynchronously when requested by the SCIM Client. asynchronously when requested by the SCIM Client.
eventUris eventUris:
A multivalued string listing the SET Event URIs (defined in A multivalued string listing the SET Event URIs (defined in
[RFC8417]) that the server is capable of generating and [RFC8417]) that the server is capable of generating and
delivering via a SET Stream (see [RFC8935] and [RFC8936]). delivering via a SET Stream (see [RFC8935] and [RFC8936]).
This information is informational only. Stream registration This information is informational only. Stream registration
and configuration are out of scope of this specification. and configuration are out of scope of this specification.
5. Security Considerations 5. Security Considerations
As this specification is based upon the SETs specification and the As this specification is based upon the SETs specification and the
associated delivery specifications, the following security associated delivery specifications, the following security
skipping to change at line 1053 skipping to change at line 1054
* Section 5 of [RFC8935] (Push-Based SET Delivery Using HTTP) * Section 5 of [RFC8935] (Push-Based SET Delivery Using HTTP)
* Section 4 of [RFC8936] (Poll-Based SET Delivery Using HTTP) * Section 4 of [RFC8936] (Poll-Based SET Delivery Using HTTP)
SETs may contain sensitive information, including Personally SETs may contain sensitive information, including Personally
Identifiable Information (PII). In such cases, SET Transmitters and Identifiable Information (PII). In such cases, SET Transmitters and
SET Recipients MUST protect the confidentiality of the SET contents SET Recipients MUST protect the confidentiality of the SET contents
in transit using TLS [BCP195]. in transit using TLS [BCP195].
When co-ordinating provisioning between entities, the long-term When coordinating provisioning between entities, the long-term series
series of changes may be critical to the information integrity and of changes may be critical to the information integrity and recovery
recovery requirements of both sides. To address this, Event requirements of both sides. To address this, Event Publishers can
Publishers can make events available for receivers for longer periods make events available for receivers for longer periods of time than
of time than might typically be used for recovering from momentary might typically be used for recovering from momentary delivery
delivery failures and retries per [RFC8935] or [RFC8936]. Similarly, failures and retries per [RFC8935] or [RFC8936]. Similarly, Event
Event Receivers MUST ensure events are persisted directly or Receivers MUST ensure events are persisted directly or indirectly to
indirectly to meet local recovery needs before acknowledging the SET meet local recovery needs before acknowledging the SET Events were
Events were received. received.
An attacker might leverage transaction and/or signal information An attacker might leverage transaction and/or signal information
contained in a SET Event Publisher or Receiver system. To mitigate contained in a SET Event Publisher or Receiver system. To mitigate
this, access to event recovery and forwarding MUST be limited to the this, access to event recovery and forwarding MUST be limited to the
parties needed to support recovery or SET forwarding. parties needed to support recovery or SET forwarding.
When SET Events are transferred in such a way that the Event When SET Events are transferred in such a way that the Event
Publisher is not communicating directly to the Event Receiver, it may Publisher is not communicating directly to the Event Receiver, it may
become possible for an attacker or other system to insert an event. become possible for an attacker or other system to insert an event.
To mitigate, Event Receivers MUST verify the originator of a SET To mitigate, Event Receivers MUST verify the originator of a SET
skipping to change at line 1100 skipping to change at line 1101
updating and notifying about changed information. Alternatively, updating and notifying about changed information. Alternatively,
use SCIM PUT Event Notice use SCIM PUT Event Notice
(urn:ietf:params:scim:event:prov:put:notice) as a trigger to later (urn:ietf:params:scim:event:prov:put:notice) as a trigger to later
retrieve the full information when needed. retrieve the full information when needed.
* Use SCIM Patch Event Notice * Use SCIM Patch Event Notice
(urn:ietf:params:scim:event:prov:patch:notice) to reduce event (urn:ietf:params:scim:event:prov:patch:notice) to reduce event
content combined with periodic SCIM GETs (see Section 3.4 of content combined with periodic SCIM GETs (see Section 3.4 of
[RFC7644]) to retrieve current group state. [RFC7644]) to retrieve current group state.
* Aggregate multiple PATCH Events into a single event. Providing * Aggregate multiple PATCH Events into a single event. If providing
the exact date of each membership change is not critical but the exact date of each membership change is not critical, consider
instead that the information content remains intact. using a PATCH to aggregate multiple membership changes into a
single event.
When using Asynchronous SCIM Requests (see Section 2.5.1.1), a SCIM When using Asynchronous SCIM Requests (see Section 2.5.1.1), a SCIM
Service Provider returns a SCIM Accepted response with a URI for Service Provider returns a SCIM Accepted response with a URI for
retrieving the event result. An unauthorized entity or attacker retrieving the event result. An unauthorized entity or attacker
could obtain asynchronous request completion event information by could obtain asynchronous request completion event information by
querying the asynchronous operation result endpoint used by a SCIM querying the asynchronous operation result endpoint used by a SCIM
Service Provider. To mitigate, the returned URI endpoint MUST be Service Provider. To mitigate, the returned URI endpoint MUST be
protected and requires an HTTP Authorization header or some other protected and requires an HTTP Authorization header or some other
form of client authentication. form of client authentication.
skipping to change at line 1132 skipping to change at line 1134
* Section 5 of [RFC8936] (Poll-Based SET Delivery Using HTTP) * Section 5 of [RFC8936] (Poll-Based SET Delivery Using HTTP)
This specification enables the sharing of information between This specification enables the sharing of information between
domains; therefore, it is assumed that implementers and deployers are domains; therefore, it is assumed that implementers and deployers are
operating under one of the following scenarios: operating under one of the following scenarios:
* A common administrative domain where there is one administrative * A common administrative domain where there is one administrative
owner of the data. In these cases, the goal is to protect privacy owner of the data. In these cases, the goal is to protect privacy
and security of the owner and user data by keeping information and security of the owner and user data by keeping information
systems co-ordinated and up to date. For example, the domains systems coordinated and up to date. For example, the domains
decide to use DBR mode to keep employee information synchronized. decide to use DBR mode to keep employee information synchronized.
* In a co-operative or co-ordinated relationship, parties have * In a cooperative or coordinated relationship, parties have decided
decided to share a limited amount of data and/or signals for the to share a limited amount of data and/or signals for the benefits
benefits of their users. Depending on end-user consent, of their users. Depending on end-user consent, information is
information is shared on an as-authorized and/or as-needed basis. shared on an as-authorized and/or as-needed basis. For example,
For example, the domains agree to use CP mode that exchanges the domains agree to use CP mode that exchanges things such as
things such as account status or specific minimal attribute account status or specific minimal attribute information that must
information that must be fetched on request after receiving notice be fetched on request after receiving notice of a change. This
of a change. This enables authorization to be verified each time enables authorization to be verified each time data is
data is transferred. transferred.
In general, the sharing of SCIM Event information falls within a pre- In general, the sharing of SCIM Event information falls within a pre-
existing SCIM Client and Service Provider relationship and carries no existing SCIM Client and Service Provider relationship and carries no
additional personal information. additional personal information.
7. IANA Considerations 7. IANA Considerations
7.1. SCIM Asynchronous Set-Txn Header Registration 7.1. SCIM Asynchronous Set-Txn Header Registration
This specification registers the HTTP "Set-Txn" field name in the This specification registers the HTTP "Set-Txn" field name in the
skipping to change at line 1200 skipping to change at line 1202
"urn:ietf:params:scim:event:{class}:{name}:{other}" "urn:ietf:params:scim:event:{class}:{name}:{other}"
The keywords have the following meaning: The keywords have the following meaning:
class class
The class of events, which is one of: "feed", "prov", or The class of events, which is one of: "feed", "prov", or
"misc". "misc".
name name
A US-ASCII string that conforms to URN syntax requirements (see A ASCII string that conforms to URN syntax requirements (see
[RFC8141]) and defines a descriptive event name (e.g., [RFC8141]) and defines a descriptive event name (e.g.,
"create"). "create").
other other
An optional US-ASCII string that conforms to URN syntax An optional ASCII string that conforms to URN syntax
requirements (see [RFC8141]) and serves as an additional sub- requirements (see [RFC8141]) and serves as an additional sub-
category or qualifier, for example, "full" and "notice". category or qualifier, for example, "full" and "notice".
Identifier Uniqueness Considerations: Identifier Uniqueness Considerations:
The designated contact is responsible for reviewing and enforcing The designated contact is responsible for reviewing and enforcing
uniqueness. uniqueness.
Identifier Persistence Considerations: Identifier Persistence Considerations:
Once a name has been allocated, it MUST NOT be reallocated for a Once a name has been allocated, it MUST NOT be reallocated for a
different purpose. The rules provided for the assignment of different purpose. The rules provided for the assignment of
skipping to change at line 1399 skipping to change at line 1401
SCIM Events may be used in a number of ways. The following non- SCIM Events may be used in a number of ways. The following non-
normative sections describe some of the expected uses. normative sections describe some of the expected uses.
A.1. Domain-Based Replication A.1. Domain-Based Replication
The objective of DBR events is to synchronize resource changes The objective of DBR events is to synchronize resource changes
between SCIM Service Providers in a common administrative domain. In between SCIM Service Providers in a common administrative domain. In
this mode, complete information about modified resources are shared this mode, complete information about modified resources are shared
between replicas for immediate processing. between replicas for immediate processing.
+----------------+ +-------------+ +---------------------+ +------------------------+
| SCIM Client A | |SCIM Client A| |SCIM Service Provider| |Service Provider Replica|
+----------------+ +-------------+ +---------------------+ +------------------------+
| | | |
[1] SCIM Operation | [1] SCIM Operation | |
| |-------------------->| |
v | [2] SCIM Response | |
+----------------+ |<--------------------| |
| Service | | | |
| Provider | | | [3] Event SCIM:prov:<op> |
+----------------+ | | id:xyz |
^ | |- - - - - - - - - - - - - >|
[2] SCIM Response | | |
| | | [4] Update local node |--+
| | | | |
v | | |<-+
+------------------------+ | | |
| Service Provider | v v v
| Replica |
+------------------------+
|
[3] Event SCIM:prov:<op> id=xyz
|
v
+----------------+
| Update local |
| node [4] |
+----------------+
Figure 20: Domain-Based Replication Sequence Figure 20: Domain-Based Replication Sequence
From a security perspective, it is assumed that servers sharing DBR From a security perspective, it is assumed that servers sharing DBR
events are secured by a common access policy and all servers are events are secured by a common access policy and all servers are
required to be up to date. From a privacy perspective, because all required to be up to date. From a privacy perspective, because all
servers are in the same administrative domain, the primary objective servers are in the same administrative domain, the primary objective
is to keep individual Service Provider nodes or clusters is to keep individual Service Provider nodes or clusters
synchronized. synchronized.
A.2. Co-ordinated Provisioning A.2. Coordinated Provisioning
In CP, SCIM resource change events perform the function of change In CP, SCIM resource change events perform the function of change
notification without the need to provide raw data. In any Event notification without the need to provide raw data. In any Event
Publisher and Receiver relationship, the set of SCIM Resources (e.g., Publisher and Receiver relationship, the set of SCIM Resources (e.g.,
Users) that are linked or co-ordinated is managed within the context Users) that are linked or coordinated is managed within the context
of an event feed and may be a subset of the total set of resources on of an event feed and may be a subset of the total set of resources on
either side. For example, an event feed could be limited to users either side. For example, an event feed could be limited to users
who have consented to the sharing of information between domains. To who have consented to the sharing of information between domains. To
support capability, "feed" specific events are defined to indicate support capability, "feed" specific events are defined to indicate
the addition and removal of SCIM Resources from a feed. For example, the addition and removal of SCIM Resources from a feed. For example,
when a user consents to the sharing of information between domains, when a user consents to the sharing of information between domains,
events about the User may be added to the feed between the Event events about the User may be added to the feed between the Event
Publisher and Receiver. Publisher and Receiver.
+-----------+ +---------------+ +---------------+ +---------------+ +-----------+ +---------------+ +-----------------+ +---------------+
| SCIM Clnt | | SCIM Service | | Client A Co-op| | Co-op Action | |SCIM Client| | SCIM Service | | Event Receiver | | Co-op Action |
| (CA) | | Provider (SP) | | Receiver (ER) | | Endpoint(LEP) | | | | Provider | | | | Endpoint |
+-----------+ +---------------+ +---------------+ +---------------+ +-----------+ +---------------+ +-----------------+ +---------------+
| | | | | | | |
| "SCIM Operation" | | | | [1] SCIM | | |
+----------------->| | | | Operation | | |
|<-----------------+ "SCIM Response" | | |--------------->| | |
| | | | | | | |
| |--> "Event SCIM:prov:<op>, id=xyz" --->| | [2] SCIM | | |
| | | | | Response | | |
| | | Note: Receiver | |<---------------| | |
| | | may accumulate | | | | |
| | | events for | | | [3] Event | |
| | | periodic action | | | SCIM:prov:<op> | |
| |<------------------+ "SCIM GET <id>" | | | id:xyz | |
| |------------------>| "Filtered | | |- - - - - - - - - >| |
| | | Resource Resp." | | | | |
| | | | | | | Note: Receiver |
| | +------------------>| | | | may accumulate |
| | | "Co-ord Action" | | | | events for |
| | | | | | | periodic action. |
| | | |
| | [4] SCIM GET <id> | |
| |<------------------| |
| | | |
| | [5] Filtered | |
| | Resource | |
| | Response | |
| |------------------>| |
| | | |
| | | [6] Coordinated |
| | | Action |
| | |------------------>|
| | | |
v v v v
Figure 21: Co-ordinated Provisioning Sequence Figure 21: Coordinated Provisioning Sequence
In CP mode, the receiver of an event must call back to the In CP mode, the receiver of an event must call back to the
originating SCIM Service Provider (e.g., using a SCIM GET request) to originating SCIM Service Provider (e.g., using a SCIM GET request) to
reconcile the newly changed resource in order to obtain the changes. reconcile the newly changed resource in order to obtain the changes.
CP has the following benefits: CP has the following benefits:
* Differences in schema (e.g., attributes) between domains. For * Differences in schema (e.g., attributes) between domains. For
example, a receiving domain may only be interested in or allowed example, a receiving domain may only be interested in or allowed
to access to a few attributes (e.g., role-based access data) to to access to a few attributes (e.g., role-based access data) to
 End of changes. 39 change blocks. 
124 lines changed or deleted 130 lines changed or added

This html diff was produced by rfcdiff 1.48.