Network Working Group                                       P. Hunt, Ed.
Internet-Draft                                                    Oracle
Intended status: Standards Track                        February 3, 2016
Expires: August 6, 2016


         System for Cross-Domain Identity Management: Discovery
                      draft-hunt-scim-discovery-00

Abstract

   The System for Cross-Domain Identity Management (SCIM) specifications
   are designed to make identity provisioning for cloud-based
   applications and web services easier using the HTTP protocol.  This
   specification defines a method for discovering a SCIM service
   provider using the "/.well-known" mechanism, with optional support
   for WebFinger queries.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 6, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of




Hunt                     Expires August 6, 2016                 [Page 1]

Internet-Draft          draft-hunt-scim-discovery          February 2016


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction and Overview . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Notation and Conventions . . . . . . . . . .   2
     1.2.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Discovery Using '/.well-known'  . . . . . . . . . . . . . . .   3
   3.  Discovery Using WebFinger . . . . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
     4.1.  TLS Requirements  . . . . . . . . . . . . . . . . . . . .   5
     4.2.  Limited Information Disclosure  . . . . . . . . . . . . .   6
   5.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   6
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
     6.1.  Well-Known Registration . . . . . . . . . . . . . . . . .   6
     6.2.  SCIM Link Relation Type . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   8
   Appendix B.  Change Log . . . . . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction and Overview

   The System for Cross-Domain Identity Management (SCIM) protocol
   [RFC7644] is designed to enable identity provisioning in web
   applications using the HTTP protocol.  This specification defines two
   methods for discovering a SCIM service provider: the "/.well-known"
   mechanism defined in [RFC5785], and an OPTIONAL WebFinger query as
   defined in [RFC7033] that allows a specific SCIM service provider to
   be discovered based on a subject identifier.

1.1.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Throughout this document, figures may contain spaces and extra
   line-wrapping for readability and space reasons.  Similarly, some
   URIs contained within examples have been shortened for space and
   readability reasons.

1.2.  Definitions

   Service Provider
      An HTTP web application that provides identity information via the
      SCIM protocol.

   Client
      A website or application that uses the SCIM protocol to manage
      identity data maintained by the service provider.  The client
      initiates SCIM HTTP requests to a target service provider.

   Endpoint
      An endpoint for a service provider is a defined base path relative
      to the service provider's Base URI (see Section 1.3 of [RFC7644])
      over which SCIM operations may be performed against SCIM resources.

2.  Discovery Using '/.well-known'

   In cases where a client would like to ask where the default SCIM
   endpoint is, the "/.well-known/scim" discovery method MAY be used.
   The discovery service MAY use the client's security context to
   determine the correct SCIM endpoint and MAY require authentication.
   For example, a currently authenticated client may be assigned a
   different SCIM endpoint than another subject, as the two may be
   members of different tenancies.

   The location of a SCIM service provider MAY be queried by issuing an
   HTTP GET request to the "/.well-known" discovery endpoint [RFC5785]
   of a known host, using the URI suffix "scim".

   The requesting client would make a request similar to the following
   (with line wraps for display purposes only):

   GET /.well-known/scim  HTTP/1.1
   Host: example.com

   If a SCIM service provider is known, a response is returned, encoded
   in JSON with the media type application/json:

   HTTP/1.1 200 OK
   Content-Type: application/json

   {
     "issuer":
       "https://example.com",
     "scim_base":
       "https://scim.example.com"
   }

   The response to a well-known endpoint with the URI suffix "scim"
   SHALL return a JSON structure consisting of the following attributes:

   issuer  The issuer of the discovery information.  The issuer MUST
      correspond to the URL of the discovery location.

   scim_base  The base URL of a SCIM server as defined in Section 1.3 of
      [RFC7644].  From this point, a client MAY query the SCIM service's
      own configuration endpoints as documented in Section 4 of
      [RFC7644].

   When receiving a response, clients MUST confirm that the URI used to
   retrieve the well-known discovery information matches the returned
   "issuer" attribute.

   If the service provider is able to detect a current security subject,
   the value of scim_base MAY change to match the authenticated subject.
   This may be useful in situations such as multi-tenancy, where a
   specific SCIM service is defined for subjects that are part of a
   specific security domain.
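   Both sides of the exchange described in this section, as an added
   example that is not part of this draft: the server builds the
   document with "issuer" set to the origin the request arrived at and
   "scim_base" chosen from the authenticated subject's tenancy, and the
   client applies the checks above before trusting the result (TLS on
   the discovery request, "issuer" matching the retrieval location, and
   an https "scim_base").  The tenant table and the "subject" argument
   are assumptions standing in for whatever authentication the
   discovery service actually performs.

```python
"""Both sides of the '/.well-known/scim' exchange from Section 2.

Added example, not code from the draft.  The tenant table and the
hypothetical 'subject' argument stand in for whatever authentication the
discovery service performs; both are assumptions.
"""
import json
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed tenant table (assumption): authenticated subject -> SCIM base URL.
TENANT_SCIM_BASE = {
    "alice@tenant-a.example.com": "https://scim.example.com/tenant/a",
    "bob@tenant-b.example.com": "https://scim.example.com/tenant/b",
}
DEFAULT_SCIM_BASE = "https://scim.example.com"


class DiscoveryError(ValueError):
    """Raised when a discovery response fails a client-side check."""


def origin(url: str) -> str:
    """Scheme and authority of a URL, lower-cased, with path/query/fragment dropped."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), "", "", ""))


def build_discovery_document(request_url: str, subject: Optional[str]) -> str:
    """Server side: 'issuer' is the origin the request arrived at; 'scim_base'
    is chosen from the authenticated subject's tenancy, if one was established."""
    return json.dumps({
        "issuer": origin(request_url),
        "scim_base": TENANT_SCIM_BASE.get(subject, DEFAULT_SCIM_BASE),
    })


def validate_discovery_document(request_url: str, body: str) -> str:
    """Client side: apply the checks from Sections 2 and 4.1 and return scim_base.

    - the document must have been fetched over https (Section 4.1);
    - 'issuer' must match the location the document was retrieved from
      (Section 2), so a document relayed from another host is rejected;
    - 'scim_base' must itself be an https URL, since SCIM requests carry
      credentials and identity data.
    """
    if urlsplit(request_url).scheme.lower() != "https":
        raise DiscoveryError("discovery document must be retrieved over TLS")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise DiscoveryError(f"response is not JSON: {exc}") from None
    issuer = doc.get("issuer") if isinstance(doc, dict) else None
    scim_base = doc.get("scim_base") if isinstance(doc, dict) else None
    if not isinstance(issuer, str) or not isinstance(scim_base, str):
        raise DiscoveryError("issuer and scim_base are required string attributes")
    issuer_parts = urlsplit(issuer)
    if issuer_parts.path not in ("", "/") or issuer_parts.query or issuer_parts.fragment:
        raise DiscoveryError("issuer must be a bare origin URL")
    if origin(issuer) != origin(request_url):
        raise DiscoveryError(f"issuer {issuer!r} does not match discovery location")
    if urlsplit(scim_base).scheme.lower() != "https":
        raise DiscoveryError("scim_base must use https")
    return scim_base


if __name__ == "__main__":
    url = "https://example.com/.well-known/scim"
    # Anonymous request: default endpoint.  Authenticated as bob: his tenancy.
    print(validate_discovery_document(url, build_discovery_document(url, None)))
    print(validate_discovery_document(
        url, build_discovery_document(url, "bob@tenant-b.example.com")))
    # A document copied from another host fails the issuer check.
    try:
        validate_discovery_document(
            url, build_discovery_document("https://attacker.example.net/.well-known/scim", None))
    except DiscoveryError as exc:
        print("rejected:", exc)
```

   The issuer comparison is done on normalized origins (scheme and
   authority) rather than on raw strings, so a response whose "issuer"
   differs only in host-name case is accepted while one pointing at a
   different host is not.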

3.  Discovery Using WebFinger

   A SCIM service provider MAY offer WebFinger [RFC7033] discovery as a
   means of determining the base URL of a SCIM server (as defined in
   Section 1.3 of [RFC7644]) that has been assigned based upon a
   client's knowledge of a subject identifier or other unique account
   key obtained through an out-of-band mechanism.

   When making a WebFinger request, the client SHALL use the following
   parameters:

   rel  Containing the value "scim"; and,

   resource  With a value in the form of a URI whose scheme is "acct" as
      per [RFC7565] and whose suffix corresponds to an attribute of the
      subject which can either be mapped or searched in order to
      determine the appropriate SCIM base URL that corresponds to the
      identified account.

   When the query is submitted, the WebFinger JRD response SHALL include
   an "href" value matching the SCIM base URL endpoint for the matched
   query resource.  A match indicates where a resource MAY exist; it
   does not confirm that the matched resource exists.  The actual
   account URI SHALL NOT be returned (see Section 4).

   The following example uses the "rel" parameter to request links for a
   SCIM service provider (spaces and line-breaks added for readability):

   GET /.well-known/webfinger?
   resource=acct%3Abob%40example.com&
   rel=scim HTTP/1.1
   Host: example.com

   The following example shows a corresponding response in JRD form
   (spaces and line-breaks added for readability):

   HTTP/1.1 200 OK
   Access-Control-Allow-Origin: *
   Content-Type: application/jrd+json

   {
      "subject" : "acct:bob@example.com",
      "links" :
          [
            {
              "rel" : "scim",
              "href" : "https://scim.example.com/tenant/b939a93/"
            }
          ]
   }

   Upon receiving the response, the client MAY query the discovered SCIM
   service's own configuration endpoints as documented in Section 4 of
   [RFC7644].  Using the href value provided, the client MAY issue a
   SCIM query to locate the actual URI of the requested account, if one
   exists.
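   The WebFinger exchange above, followed by the second query that
   Section 4.2 requires, as an added example that is not part of this
   draft.  It builds the percent-encoded "acct:" request from a bare
   user@host identifier, extracts the single "scim" link from the JRD
   (rejecting a non-https href before any credentials are sent to it),
   and then constructs the SCIM filter query against the discovered base
   URL that tells the client whether the account actually exists.  The
   JRD is the draft's own sample reproduced as a constructed string; the
   tenant path inside it is illustrative.  The filter value is emitted
   as a JSON string literal, which is what keeps a user-supplied quote
   or backslash from altering the filter expression.

```python
"""WebFinger discovery (Section 3) followed by the second query the draft
requires (Section 4.2): the JRD only says where an account *may* live, so
the client asks the discovered SCIM endpoint whether it actually exists.

Added example, not code from the draft.  SAMPLE_JRD is the draft's sample
response reproduced as a constructed string; the tenant path is illustrative.
"""
import json
from urllib.parse import urlencode, urlsplit

# Constructed: the response from the draft's Section 3 example.
SAMPLE_JRD = json.dumps({
    "subject": "acct:bob@example.com",
    "links": [{"rel": "scim", "href": "https://scim.example.com/tenant/b939a93/"}],
})


def webfinger_request(account: str):
    """Return (host, request-target) for the WebFinger query.

    'account' is a bare user@host; it becomes an acct: URI (RFC 7565) and the
    query is sent to the host part, percent-encoded as in the draft's example.
    """
    user, sep, host = account.rpartition("@")
    if not sep or not user or not host:
        raise ValueError("account must be of the form user@host")
    target = "/.well-known/webfinger?" + urlencode(
        {"resource": f"acct:{account}", "rel": "scim"})
    return host, target


def scim_base_from_jrd(body: str) -> str:
    """Extract the SCIM base URL from a JRD, rejecting anything unexpected.

    Exactly one 'scim' link is accepted, and it must be https: the client is
    about to send credentials and identity data to whatever URL this is.
    """
    jrd = json.loads(body)
    links = jrd.get("links", []) if isinstance(jrd, dict) else []
    hrefs = [link.get("href") for link in links
             if isinstance(link, dict) and link.get("rel") == "scim"]
    if len(hrefs) != 1 or not isinstance(hrefs[0], str):
        raise ValueError("expected exactly one 'scim' link with an href")
    if urlsplit(hrefs[0]).scheme.lower() != "https":
        raise ValueError("scim link must be https")
    return hrefs[0]


def user_name_filter(user_name: str) -> str:
    """SCIM filter for an exact userName match (RFC 7644 Section 3.4.2.2).

    Filter string literals use JSON string syntax, so json.dumps() quotes and
    escapes the value; a user-supplied quote or backslash cannot alter the
    filter expression.
    """
    return "userName eq " + json.dumps(user_name)


def account_lookup_request(scim_base: str, user_name: str) -> str:
    """Request-target for the follow-up SCIM query against the discovered base.

    The WebFinger step deliberately returns no account URI (Section 4.2);
    this query is how the client learns whether the account exists at all.
    """
    path = urlsplit(scim_base).path.rstrip("/") + "/Users"
    return path + "?" + urlencode({"filter": user_name_filter(user_name)})


if __name__ == "__main__":
    host, target = webfinger_request("bob@example.com")
    print(f"GET {target} HTTP/1.1\nHost: {host}\n")
    base = scim_base_from_jrd(SAMPLE_JRD)
    print(f"GET {account_lookup_request(base, 'bob@example.com')} HTTP/1.1")
    print(f"Host: {urlsplit(base).netloc}")
    # A value that tries to break out of the string literal stays inert.
    print(user_name_filter('bob" or userName pr'))
```

   The SCIM query is sent to the href exactly as discovered, so the
   https check in scim_base_from_jrd is what stands between the client
   and sending its SCIM credentials over cleartext to a host named by
   whoever answered the WebFinger request.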

4.  Security Considerations

4.1.  TLS Requirements

   This specification requires the use of transport-layer security when
   communicating with service providers.  The service provider MUST
   support TLS 1.2 [RFC5246] and MAY support additional transport-layer
   security mechanisms meeting its security requirements.  When using
   TLS, the client MUST perform a TLS/SSL server identity check as per
   [RFC6125].  Implementation security considerations for TLS can be
   found in [RFC7525].

4.2.  Limited Information Disclosure

   The intent of WebFinger discovery is to disclose only the correct
   SCIM endpoint for a potential account identifier.  WebFinger is not
   intended to be used to discover actual account URIs or to confirm
   their existence.

   It is the intention of this specification that clients SHALL make a
   second query to the returned SCIM endpoint to discover the actual
   account URI if it exists.  In the context of SCIM discovery,
   WebFinger is not intended as a secondary query protocol for SCIM due
   to the sensitive information contained in SCIM service providers (see
   Section 5).

5.  Privacy Considerations

   In cases where the WebFinger discovery method is used, it is
   important to consider that the account query contains personally
   identifiable information.  Appropriate measures must be taken to keep
   this information confidential, such as the use of Transport Layer
   Security.

   Implementers SHOULD consider the privacy considerations outlined in
   Section 9.3 of [RFC7643] when passing account query information.

6.  IANA Considerations

6.1.  Well-Known Registration

   This section registers the well-known URI suffix "scim" as per
   Section 5.1 of [RFC5785].

   URI suffix:  The name requested for the well-known URI, relative to
      "/.well-known/" is "scim".

   Change controller:  IETF.

   Specification document(s):  This document.

6.2.  SCIM Link Relation Type

   This section registers the link relation type "scim" as per
   Section 6.2.1 of [RFC5988].

   Relation Name:  scim

   Description:  Refers to a SCIM endpoint corresponding to a WebFinger
      query.

   Reference:  Section 3

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <http://www.rfc-editor.org/info/rfc5246>.

   [RFC5785]  Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
              Uniform Resource Identifiers (URIs)", RFC 5785,
              DOI 10.17487/RFC5785, April 2010,
              <http://www.rfc-editor.org/info/rfc5785>.

   [RFC5988]  Nottingham, M., "Web Linking", RFC 5988,
              DOI 10.17487/RFC5988, October 2010,
              <http://www.rfc-editor.org/info/rfc5988>.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
              2011, <http://www.rfc-editor.org/info/rfc6125>.

   [RFC7033]  Jones, P., Salgueiro, G., Jones, M., and J. Smarr,
              "WebFinger", RFC 7033, DOI 10.17487/RFC7033, September
              2013, <http://www.rfc-editor.org/info/rfc7033>.

   [RFC7565]  Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565,
              DOI 10.17487/RFC7565, May 2015,
              <http://www.rfc-editor.org/info/rfc7565>.

   [RFC7643]  Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C.
              Mortimore, "System for Cross-domain Identity Management:
              Core Schema", RFC 7643, DOI 10.17487/RFC7643, September
              2015, <http://www.rfc-editor.org/info/rfc7643>.

   [RFC7644]  Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
              and C. Mortimore, "System for Cross-domain Identity
              Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
              September 2015, <http://www.rfc-editor.org/info/rfc7644>.

7.2.  Informative References

   [RFC7525]  Sheffer, Y., Holz, R., and P. Saint-Andre,
              "Recommendations for Secure Use of Transport Layer
              Security (TLS) and Datagram Transport Layer Security
              (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
              2015, <http://www.rfc-editor.org/info/rfc7525>.

Appendix A.  Acknowledgements

Appendix B.  Change Log

   [[This section to be removed prior to publication as an RFC]]

   Draft 00 - PH - Initial Draft

Author's Address

   Phil Hunt (editor)
   Oracle Corporation

   Email: phil.hunt@yahoo.com