SCIM P. J. Correia Internet-Draft Cisco Systems Intended status: Informational P. Dingle Expires: 25 April 2024 Microsoft Corporation 23 October 2023 System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements draft-correia-scim-use-cases-00 Abstract This document provides definitions, overview and selected use cases of the System for Cross-domain Identity Management (SCIM). It lays out the system's concepts, models, and flows, and it includes use cases, and implementation considerations. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 25 April 2024. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Correia & Dingle Expires 25 April 2024 [Page 1] Internet-Draft SCIM Use Cases October 2023 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. SCIM Components and Architecture . . . . . . . . . . . . . . 4 3.1. Evolution and new Challenges . . . . . . . . . . . . . . 5 3.1.1. Reconciliation . . . . . . . . . . . . . . . . . . . 5 3.1.2. HR Applications . . . . . . . . . . . . . . . . . . . 5 3.1.3. Extra RA for RO . . . . . . . . . . . . . . . . . . . 5 3.2. Implementation Concepts . . . . . . . . . . . . . . . . . 6 3.2.1. Data Model . . . . . . . . . . . . . . . . . . . . . 6 3.2.2. HTTP Client-Server Roles . . . . . . . . . . . . . . 6 3.2.3. Orchestrator Roles . . . . . . . . . . . . . . . . . 7 3.2.4. Triggers . . . . . . . . . . . . . . . . . . . . . . 8 3.2.5. SCIM Actions . . . . . . . . . . . . . . . . . . . . 10 4. SCIM Use Cases . . . . . . . . . . . . . . . . . . . . . . . 18 4.1. Self-Referential Resource Updates via /me . . . . . . . . 18 4.2. Simple Resource Update . . . . . . . . . . . . . . . . . 18 4.3. Resource Updates Originating at a Non-SCIM Source . . . . 19 4.4. Resources from Multiple SCIM Sources Coordinated by a Resource Manager . . . . . . . . . . . . . . . . . . . . 19 4.5. Resources from SCIM and Non-SCIM sources, Coordinated by a Resource Manager . . . . . . . . . . . . . . . . . . . . 20 4.6. Complex sources including Multiple Resource Updaters . . 20 4.7. Complex Multi-directional Object and Resource Management with simple Resource Subscribers . . . . . . . . . . . . 20 4.8. Complex Multi-direction Object/Resource Management with bi-directional Resource Subscriber/Updaters . . . . . . . 21 5. Security Considerations . . . . . . . . . . . . . . . . . . . 21 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 8.1. Normative References . . . . . . . . . . . . . . . . . . 22 8.2. Informative References . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction The System for Cross-domain Identity Management (SCIM) family of specifications [RFC7643] and [RFC7644] is designed to manage resources used in the practice of identity management that need to be communicated across internet domains and services, with users and groups as the default resources supported (and an extensibility model additional resource definition). The specifications have two primary goals: 1) A common representation of a resource object and its attributes, and 2) Standardized patterns for how those resources can be operated on, including "CRUD" operations that create, read, update or delete resource objects and more advanced goals such as search Correia & Dingle Expires 25 April 2024 [Page 2] Internet-Draft SCIM Use Cases October 2023 filters, synchronization of large resource populations, etc. These goals are codified as a data model in [RFC7643] defining resources, attributes and default schema, as well as a protocol definition built on HTTP in [RFC7644]. By standardizing the data model and protocol for resource management, entire ecosystems can achieve better interoperability, security, and scalability. This document provides definitions, overview, concepts, flows, and use cases implementers may need to understand the design and applicability of the SCIM schema [RFC7643] and SCIM protocol [RFC7644]. Unlike the practice of some protocols like Application Bridging for Federated Access Beyond web (ABFAB) and SAML2 WebSSO, SCIM provides provisioning and de-provisioning of resources in a separate context from authentication. While SCIM is a protocol that standardizes movement of data only between two parties in a HTTP client-server model, implementation patterns are discussed in this document that use concepts beyond the core schema and protocol, but that are needed to understand how SCIM actions can fit into greater architectures. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] when they appear in ALL CAPS. These words may also appear in this document in lowercase as plain English words, absent their normative meanings. Here is a list of acronyms and abbreviations used in this document: * CRUD: Create, Read, Update, Delete * RC: Resource Creator * RU: Resource Updater * RM: Resource Manager * RS: Resource Subscriber * RO: Resource Object * RA: Resource Attribute * ERC: External Resource Creator * IaaS: Infrastructure as a Service * JIT: Just In Time Correia & Dingle Expires 25 April 2024 [Page 3] Internet-Draft SCIM Use Cases October 2023 * PaaS: Platform as a Service * SaaS: Software as a Service * IDaaS: Identity as a Service * IdM: Identity Manager * SAML: Security Assertion Markup Language * SCIM: System for Cross-domain Identity Management * SSO: Single Sign-On 3. SCIM Components and Architecture SCIM architecture is a client-server model centered on a normative concept of a "resource". Resources have types (such as a user or a group) and each unique instance of a resource type is represented by a JSON object, actively accessed via a standardized REST API. Each resource object can be managed individually or managed in bulk using actions that by default are specified in [RFC9110] (HTTP GET, PUT, POST etc), but that may expand to concepts in extension documents, for example security event tokens (SETs). This model therefore enables organizations to represent information about user populations and the groups that these user populations are part of using the core specifications and to extend to other important resources using extension drafts in the same family with the high level concepts of performing SCIM actions on resource objects. SCIM actions result in resource object and associated data "moving" between the client and server, as clients actively push and pull information that reflects change over time. This communication of data enables systems within domains and across domains to operate on the freshest possible version of object state. +---------+ +--------+ | SCIM | | | | Server | | SCIM | | | <--- SCIM Action ---> | Client | | /Users | | | | /Groups | | | +---------+ +--------+ The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. The intent of the SCIM specification is to reduce the cost and Correia & Dingle Expires 25 April 2024 [Page 4] Internet-Draft SCIM Use Cases October 2023 complexity of resource management operations by providing a common schemas and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols. In essence, make it fast, cheap, and easy to move resources in to, out of, and around the applications. The SCIM scenarios are overviews of user stories designed to help clarify the intended scope of the SCIM effort. 3.1. Evolution and new Challenges As the protocol has been adopt since its introduction in 2012, most of the IDMs and applications started to adopted it, mainly in the replacement of old protocols like LDAPv3. With the implementation the market started to reach more complex topologies, no longer the simple Client Server where there were only two SCIM entities. We start to see many different SCIM entities with different roles and doing its own manipulation of the object (RO) and its attributes (RA). The maturity of the protocol also brought some challenges, that we don't plan to enumeratee all of them, but give a couple of examples. 3.1.1. Reconciliation For some reason, the RO and its RA’s that was push by the Client was change in the Server (by some mechanism that was outside the SCIM agreement), which means that until the RO or one of its RA’s changes in the Client, there will be no “fix” to the RO and its RA that are in the Server. 3.1.2. HR Applications This type of SCIM element doesn’t do any management to the RO and RA information, but it is the creator for RO and RA, most of the times have the RA that are generic to all applications (like firstname, lastname, national ID, office address, home address, etc.), most of the times this elements will not know RA like email, telephone number, etc. This RO and Ra needs to be available in the IdMs, for them to provide it to all the SCIM subscribers application. 3.1.3. Extra RA for RO Some SCIM application that are typically SCIM Servers, are the creators and updaters of specific RA, for example an email server that will be a SCIM server should create the email RA for all the RO, but should only consume the other RA like firstname, lastname, etc. Correia & Dingle Expires 25 April 2024 [Page 5] Internet-Draft SCIM Use Cases October 2023 3.2. Implementation Concepts To understand the use cases we need to understand 4 different concepts of the protocol, that will describe underlying protocol, the different orchestrators roles, how we start the SCIM interaction and what methods we have to execute the actions. 3.2.1. Data Model SCIM defines two types of data entities: resources and attributes. 3.2.1.1. Resource Object (RO) A JSON object representing a user, group (or extension object) to be manipulated through the SCIM protocol. The Resource Object contains attributes defined by schemas such as those defined in [RFC7643] and can be acted on via the endpoints and parameters defined in [RFC7644]. 3.2.1.2. Resource Attribute (RA) A named element of a Resource Object. Attributes are defined in section 2 of [RFC7643] and include characteristics like cardinality (single or multiple values), data types (string, boolean, binary etc) and characteristics (required, unique etc). 3.2.2. HTTP Client-Server Roles HTTP client and server roles are defined in [RFC9110] and [RFC9112]. Any SCIM interaction requires one participant to be a SCIM server and the other to be a SCIM client. 3.2.2.1. SCIM Server (also known as a SCIM Service Provider) An HTTP web application that provides identity information via the SCIM protocol. A SCIM Server is a RESTful API endpoint offering access to a data model that can be used to push or pull data between two parties. SCIM servers have additional responsibilities such as API Security, managing client identifiers & keys as well as performance management such as API throttling. 3.2.2.2. SCIM Client A website or application that uses the SCIM protocol to manage identity data maintained by the service provider. The client initiates SCIM HTTP requests to a target SCIM Server. A SCIM Client is active software that can push or pull data between two parties. Correia & Dingle Expires 25 April 2024 [Page 6] Internet-Draft SCIM Use Cases October 2023 3.2.3. Orchestrator Roles Orchestrators are the operating parties that take part in a SCIM protocol exchange and ensure data is moving in the correct flows. An entity can have one or more orchestrators roles, depending on the overall provisioning architecture. 3.2.3.1. Resource Creator (RC) An entity responsible for creating the Resource Object (RO). Typically we can see this role in HR or resource management applications that are responsible for creating resources and some of its attributes. 3.2.3.2. Resource Updater (RU) An entity responsible for updating specific attributes of a Resource Object (RO) or the RO itself. Typically, this role is used in conjunction with other SCIM roles that allow this SCIM entity to manage a specific Resource Attribute (RA). 3.2.3.3. Resource Manager (RM) An entity that aggregates or transforms resource objects from resource creators/updaters (RC/RU) and make them available for resource subscribers (RS) using multiple SCIM interactions, an example of this role could be an Identity-as-a-Service (IDaaS) cloud platform. 3.2.3.4. Resource Subscriber (RS) An entity that consumes information in resource objects (RO) and typically don't create new objects or attributes. An example of entities that play this role include SaaS applications relying on an IDaaS cloud platform. 3.2.3.5. External Resource Creator (ERC) An entity that has information about resources and its attributes, but does not participate in SCIM flows, examples include databases or internally-facing applications. Correia & Dingle Expires 25 April 2024 [Page 7] Internet-Draft SCIM Use Cases October 2023 +-------------+ +-------------+ +-------------+ +-------------+ |(RO) Resource| |(RA) Resource| |(RO) Resource| |(RA) Resource| | Object1 | | Attribute1 | | Object2 | | Attribute2 | +-------------+ +-------------+ +-------------+ +-------------+ | | | | +-------------+ +-------------+ +-------------+ +-------------+ |(RC) Resource| |(RU) Resource| |(RC) Resource| |(RU) Resource| | Creators | | Updaters | | Creators | | Updaters | +-------------+ +-------------+ +-------------+ +-------------+ | | | | +--------+------+-----------------+-------+--------+ | | v v +----------------+ +----------------+ | (RM) Resource | | (RM) Resource | | Manager | | Manager | +----------------+ +----------------+ | | +----------------+ +----------------+ | | | | v v v v +-------------+ +-------------+ +-------------+ +-------------+ |(RS) Resource| |(RS) Resource| |(RS) Resource| |(RS) Resource| | Subscriber | | Subscriber | | Subscriber | | Subscriber | +-------------+ +-------------+ +-------------+ +-------------+ | | +----------------+ +----------------+ | | | | v v v v +-------------+ +-------------+ +-------------+ +-------------+ |(RO) Resource| |(RO) Resource| |(RO) Resource| |(RO) Resource| | Object1 | | Object2 | | Object1 | | Object2 | +-------------+ +-------------+ +-------------+ +-------------+ Figure 1: SCIM Orchestrators Roles 3.2.4. Triggers Triggers are actions or activities that may cause a SCIM action to occur. Triggers can occur as a result of business processes like a corporate hiring event, but can also be scheduled events such as a unix bash script running as a chron job, or can be just-in-time events such as SAML assertion arriving at a federated relying party that identifies a not-seen-before user. Triggers can also be standardized events, such as those in the OpenID Shared Signals Framework. Triggers used to allow CRUD (Create, Read, Update, Delete) using SCIM Actions or Operations as it is designed to capture a class of use case that makes sense to the actor requesting it rather than to describe a protocol operation. Correia & Dingle Expires 25 April 2024 [Page 8] Internet-Draft SCIM Use Cases October 2023 3.2.4.1. Periodic Intervals A periodic interval trigger is a configured-in-advance agreement where a SCIM client performs an action at a specific time. This trigger is often recurring, and in that case the combination of trigger and action together may be referred to as "polling" the SCIM server. An example of a periodic interval trigger could be a UNIX chron job calling a script. 3.2.4.2. Events Event triggers are activities, contexts or notifications that could happen at any time. A SCIM client may be configured to perform a given SCIM action in response to a specific event occuring such as a specific entry written into an audit log, a signal of a corporate workflow completion, or a device management platform notification. A SCIM action could also be triggered by a Security Event Token (SET) as described in [RFC8417] or a SCIM event corresponding to [SCIM_Profile_for_Security_Event_Tokens]; for example an application acting as a resource subscriber and SCIM client could receive a SCIM event denoting creation of a new user object, triggering a SCIM action to fetch all the attributes for that user. 3.2.4.3. Application Triggers Application triggers occur when administrative or end-user interfaces are manipulated. An example of an application trigger might be a user modifying their profile information, resulting in a SCIM client performing an HTTP POST to update the user's resource object at the SCIM server. 3.2.4.4. SSO (Single Sign-on) Single Sign-on triggers occur when a user authenticates via federated protocols such as SAML 2.0 or OpenID Connect. If a federated assertion arrives for a user who has not yet been provisioned into the destination application, the application may be triggered to perform just-in-time (JIT) provisioning. This trigger occurs in scenarios where a Single Sign-On flow happens, but not all the resource attributes for the user object are passed in the federated assertion, resulting in a SCIM action to push or pull remaining needed attributes. Correia & Dingle Expires 25 April 2024 [Page 9] Internet-Draft SCIM Use Cases October 2023 +---------------+ +---------------+ | | | | | | | | | | | SCIM | | Client | (1) | Server | | | <-------------------------------> | | | (typically | | (typically an | | an IdM) | (2) | SaaS | | | <-------------------------------> | Application) | | | | | | RC/RU/RM | | RS | | | | | +---------------+ +---------------+ Figure 2: SCIM Flow and Entities map 1. SSO trigger that creates the user and might create some RA (Resource Attributes) of a RO (Resource Object) 2. SCIM actions that will complement the attributes created before with an SSO JIT with additional RA (Resource Attributes) of the RO (Resource Objects) created before. This use case combines the SCIM protocol with other protocols used for Single Sign-On, specially in the use case of JIT (Just in time Provision), specially useful with protocols like SAML that is limit by the number of characters in the URL. 3.2.5. SCIM Actions The SCIM protocol defines interactions between two standardized parties that conform to HTTP RESTful conventions. The protocol enables CRUD operations by corresponding those activities to HTTP verbs such as POST, PUT, GET, DELETE etc. The protocol itself doesn't assume a direction of data flow, and use cases discussed in section 4 are created using the orchestrator roles and an SCIM entity can have multiple roles, depending on the objective of the use case that we are describing. 3.2.5.1. Client active Push A SCIM client uses HTTP verbs POST, PUT or PATCH to create or update objects and/or attributes at a SCIM server. The SCIM client is actively "pushing" the data to the endpoint. This SCIM action can occur when the SCIM client is the primary resource creator/updater. Correia & Dingle Expires 25 April 2024 [Page 10] Internet-Draft SCIM Use Cases October 2023 3.2.5.1.1. Resource Object creation/update from Client to Server In this model we will have a Client that is going to provide information about a RO and its RA to a Server, that can also be called as SCIM Server in [RFC7643] and [RFC7644]. +----------------+ +----------------+ | | (1) | | | | --------------------------------> | | | | | | | | (2) | SCIM | | Client | <-------------------------------- | Server | | (typically | | (typically a | | an IdM) | (3) | Application) | | | --------------------------------> | | | RM/RC/RU | | RS | | | (4) | | | | <-------------------------------- | | +----------------+ +----------------+ Figure 3: SCIM Flow and Orchestrator roles maps 1. Before creating/updating a RO/RA the SCIM client will always do a HTTP GET to get current information from the SCIM Server. 2. SCIM Server will provide the current information on the resources asked by the SCIM Client. 3. Based on the RO and RA returned by the Server, there will be a HTTP POST, PUT, PATCH depending on the operation that the Client want to achieve. 4. The Service Provider will return the RO/RA with additional metadata information to allow for audit. The SCIM client will map to the RM/RC/RU and the Server will map into RS. 3.2.5.1.2. Resource Object creation from a Creation Entity In this model we will have a Client that is going to provide information about a RO and its RA to a Server, can also be called as Service Provider in [RFC7643] and [RFC7644], in this model the Client is just responsible for a limit set of attributes and do not do any management overall, and the Resource management function resides on the Server. Correia & Dingle Expires 25 April 2024 [Page 11] Internet-Draft SCIM Use Cases October 2023 +--------------+ +---------------+ | | (1) | | | | --------------------------------> | | | | | | | | (2) | SCIM | | Client | <-------------------------------- | Server | | (typically | | (typically an | | an HR | (3) | IdM) | | Application) | --------------------------------> | | | | | RM/RS | | RC/RU | (4) | | | | <-------------------------------- | | +--------------+ +---------------+ Figure 4: SCIM Flow and Orchestrator roles maps 1. Before creating/updating a RO/RA the SCIM client will always do a HTTP GET to get current information from the SCIM Server. 2. SCIM Server will provide the current information on the resources asked by the SCIM Client. 3. Based on the RO and RA returned by the Server, there will be a HTTP POST, PUT, PATCH depending on the operation that the Client want to achieve. 4. The Service Provider will return the RO/RA with additional metadata information to allow for audit. The SCIM client will map to the RC/RU and the Server will map into RM/RS. The SCIM client is sometimes called as the "HR Application", because it responsibilities are only on be the creator and updater of the RO and specific number of its RA, the client in this case has no responsibilities on the management of Resources, typically done by an IdM. 3.2.5.1.3. Resource Object creation from a Creation Entity and consumption from an Application In this model we will have a Client that is going to provide information about a RO and its RA to a Server, this Client is just responsible for a limit set of attributes and do not do any management overall the RO. This SCIM element that is going to manage the RO will then be the Client for other SCIM services that will consume the RO/RA, that might have more RA than the original RO provided by the originator of the RO. Correia & Dingle Expires 25 April 2024 [Page 12] Internet-Draft SCIM Use Cases October 2023 +--------+ +---------------+ +---------+ | | (1) | | (1) | | | | -------------> | | --------------> | | | Client | |SCIM Server | | | | | (2) | | (2) | SCIM | | | <------------- | | <-------------- | Server | | | | Client| | | | | (3) | | (3) | | | | -------------> | | --------------> | | | | | RM/RS/RC/RU | | | | RC/RU | (4) | | (4) | RS | | | <------------- | | <-------------- | | +--------+ +---------------+ +---------+ Figure 5: SCIM Flow and Orchestrator roles maps 1. Before creating/updating a RO/RA the SCIM client will always do a HTTP GET to get current information from the SCIM Server. 2. SCIM Server will provide the current information on the resources asked by the SCIM Client. 3. Based on the RO and RA returned by the Server, there will be a HTTP POST, PUT, PATCH depending on the operation that the Client want to achieve. 4. The Service Provider will return the RO/RA with additional metadata information to allow for audit. The SCIM client on the left will map to the RC/RU and the Server in the middle will map into RM/RS, the SCIM client on the left is also sometimes called as the "HR Application", because it responsibilities are only on be the creator and updater of the RO and specific number of its RA, the client in this case has no responsibilities in doing any management of the Resources, typically done by an IdM. The center component as describe is the Server for the client on the left, will act as the Client for the server on the right, which typically is an SaaS application that want to consume RO and its RA from an RM. Correia & Dingle Expires 25 April 2024 [Page 13] Internet-Draft SCIM Use Cases October 2023 3.2.5.1.4. Resource Object creation from a Creation Entity and consumption from an Application when different Resource Attributes are generated in different entities In this model we will have a Client that is going to provide information about a RO and its RA to a Server, this Client is just responsible for a limit set of attributes and do not do any management overall the RO. This SCIM element that is going to manage the RO will then be the Client for other SCIM services that will consume the RO/RA, that might have more RA than the original RO provided by the originator of the RO. Now the right SCIM element will have it own RA that needs to be updated in the RM (Resource Manager), that will also update the SCIM element on the left. +----------+ +---------------+ +--------+ | | -----(1)----> | | -----(1)-----> | | | Client | <----(2)----- |SCIM | <----(2)------ | SCIM | | | -----(3)----> |Server | -----(3)-----> | Server | | | <----(4)----- | Client| <----(4)------ | | | | | | | | | | | | | | | RC/RU/RS | <----(1)----- | RM/RS/RC/RU | <----(1)------ | RS | | | -----(2)----> |Client | -----(2)-----> | | | SCIM | <----(3)----- | SCIM| <----(3)------ | Client | | Server | -----(4)----> | Server| -----(4)-----> | | +----------+ +---------------+ +--------+ Figure 6: SCIM Flow and Orchestrator roles maps 1. Before creating/updating a RO/RA the SCIM client will always do a HTTP GET to get current information from the SCIM Server. 2. SCIM Server will provide the current information on the resources asked by the SCIM Client. 3. Based on the RO and RA returned by the Server, there will be a HTTP POST, PUT, PATCH depending on the operation that the Client want to achieve. 4. The Service Provider will return the RO/RA with additional metadata information to allow for audit. The SCIM client on the left will map to the RC/RU and the Server in the middle will map into RM/RS, the SCIM client on the left is also sometimes called as the "HR Application", because it responsibilities are only on be the creator and updater of the RO and specific number of its RA, the client in this case has no responsibilities in doing any management of the Resources, typically done by an IdM. The center component as describe is the Server for the client on the Correia & Dingle Expires 25 April 2024 [Page 14] Internet-Draft SCIM Use Cases October 2023 left, will act as the Client for the server on the right, which typically is an SaaS application that want to consume RO and its RA from an RM. In addition to the models seen before now the "HR Application" also subscribe to RA that are created by the RS and reported by the RM, the Application will be the creator of specific attributes. So we will see that the 3 SCIM elements will be RC/RU/RS for each RO/ RA. 3.2.5.2. Client Active Pull A SCIM client uses the HTTP GET verb to ask for data from a SCIM Server. A client active pull can be used to fetch one object, a subset of objects, or all objects from a SCIM server. In cases where the client is a resource updater, it may perform an active pull of an object or objects in order to determine whether an active push of new data is necessary. Client active pulls can be used in situations where a client needs to maintain a synchronized large body of objects, such as a device list or user address book, but where there isn't any need to track individual RO/RA. Another example of a client active pull would be a client that needs to have details of a specific device [Device_Schema_Extensions_to_the_SCIM_model] that was onboarded by a mobile application and that need to provide the RO/RA information on the behalf of the device. 3.2.5.2.1. Resource Object Creation or Update In this model we will have a Client that is going to pull information about a RO/RA from a Server. In this model the Client is going to management all the RO (Resource Objects) and its RA (Resource Attributes), that are provided by the Server, and the RM (Resource Management) function resides on the Client. +----------+ +----------+ | | | | | | | | | | | | | SCIM | (1) | SCIM | | Client | --------------------------------> | Server | | | | | | | (2) | | | | <-------------------------------- | | | RS/RM | | RC/RU | | | | | | | | | +----------+ +----------+ Figure 7: SCIM Flow and Orchestrator roles maps Correia & Dingle Expires 25 April 2024 [Page 15] Internet-Draft SCIM Use Cases October 2023 1. The SCIM client will do an HTTP GET to obtain the RO/RA that will be available in the Server. 2. The SCIM Server will return the RO/RA with additional metadata information to allow for audit. A typical example of this use case is a device that is going to use a mobile application or browser base to enroll devices and gathers its attributes, that mobile application or browser after enrollment process is finish will do a trigger to notify the client that is ready to provide the RO/RA of the device. It is the SCIM client that will do al the Resource management for all the devices. Another example could be a SCIM client that has the role of an IDM that is not the owner of a specific RA and gets it from the Server, for this kind of scenarios the SCIM server would need to create an change database for the attributes that are own by the server 3.2.5.2.2. Resources Subscription In this model we will have the Client that is going to pull information about a RO/RA from the Server. In this model, the Client has is no status/change database, and it gets a list of all the RO/RA based on filters provided by the client, so there will be a full update every synchronization cycle. +----------+ +----------+ | | | | | | | | | | | | | SCIM | (1) | | | Server | <-------------------------------- | Client | | | | | | | (2) | | | | --------------------------------> | | | RC/RU/RM | | RS | | | | | | | | | +----------+ +----------+ Figure 8: SCIM Flow and Orchestrator roles maps 1. The SCIM client will do an HTTP GET to obtain the selected list of RO (Resource Object) and its RA (Resource Attributes). 2. The SCIM Service Provider will return the RO and its RA with additional metadata information to allow for audit. Correia & Dingle Expires 25 April 2024 [Page 16] Internet-Draft SCIM Use Cases October 2023 A good example would be SaaS service that needs to consume a list of contacts or devices, this SaaS service will need to know the relevant RO/RA, this operation will happen periodically and every time will get a full list of all the RO (Resource Objects). 3.2.5.2.3. Resource Object Creation or Update and Subscription In this model we will bring together both of the two previous SCIM actions for pull information, where a typically a device can be the creator or their own attributes and will allow an SaaS service to subscribe to all the different RO/RA and deliver additional services for itself and other devices. It isn't expected from any of the SCIM clients in the Active pull model to create any status database of attributes changes, so the clients will always do a pull on one or many RO (Resource Objects) based on triggers. +----------+ +---------------+ +--------+ | | | | | | | | | | | | | | | | | | | SCIM | (1) |Client | (3) | | | Server | <-------------- | SCIM| <------------ | Client | | | | Server| | | | | (2) | | (4) | | | | --------------> | | ------------> | | | | | RM/RS/RC/RU | | | | RC/RU | | | | RS | | | | | | | +----------+ +---------------+ +--------+ Figure 9: SCIM Flow and Orchestrator roles maps 1. The SCIM client will do an HTTP GET to obtain the RO/RA that will be available in the Server. 2. The SCIM Server will return the RO/RA with additional metadata information to allow for audit. 3. The SCIM client will do an HTTP GET to obtain the selected list of RO (Resource Object) and its RA (Resource Attributes). 4. The SCIM Service Provider will return the RO and its RA with additional metadata information to allow for audit. A typical example of this use case is a device that is going to use a mobile application or browser base to enroll devices and gathers its attributes, that mobile application or browser after enrollment process is finish will do a trigger to notify the client that is ready to provide the RO/RA of the device. It is the SCIM client that Correia & Dingle Expires 25 April 2024 [Page 17] Internet-Draft SCIM Use Cases October 2023 will do all the Resource management for all the devices. This SCIM element in the center will also provide list list of contacts or devices, that can be consume by different SCIM entities, this operation will happen when a specific trigger will be execute by the client on the right, to get a list RO (Resource Objects) and RA (Resource Attributes) that will be defined by the filter on the client in the right. 4. SCIM Use Cases This section describes some common SCIM use cases, explaining when, where, why and how we find them in the cross-domain environment. The ultimate goal is guidance for developers working on common models, explaining challenges and components. Because SCIM is a protocol where two entities exchange information about resources across domains, the use cases explain how the different components can interact to allow from simple to complex architectures for cross domain resource management. Orchestrators roles are mapped to the use cases to simplify the task of explaining the multiple functions of the SCIM elements. Use cases build on each other, starting with simple cases, and ending with the most complex ones. 4.1. Self-Referential Resource Updates via /me Get information about persona /me endpoint. A use case cover in [RFC7644] where a SCIM client can do CRUD operation on the entity of the user, in this use case the SCIM client that is the RM (Resource Manager), RC (Resource Creator) and RU (Resource Updater), will be able to read, create, update the RO (Resource Object) and its RA (Resource Attributes) in the RS (Resource Subscriber). the RS will provide an /me URI to achieve this. Special considerations exist from authorization perspective; unlike other listed CRUD use cases, the authorization for this use case only allows access to the RO (Resource Object) of the resource owner. 4.2. Simple Resource Update Single RM/RC/RU and multiple RS. This is a very common and simple SCIM use case, we have the IdM/ Device Managers/etc. do all CRUD operation with the resources, then after the trigger mechanisms the resources information RO/RA reach the RS (Resource Subscribers), also know as the SaaS Application. The RS (Resource Subscriber) will take the decision on which RA (Resource Attributes) to consider and how the RO (Resource Object) will show in its resource database. Typically we will find this kind of use case in small to mid size organization, where there is no structure method to handle the Correia & Dingle Expires 25 April 2024 [Page 18] Internet-Draft SCIM Use Cases October 2023 resources and typically in Organization that start with a blank sheet of paper in a greenfield deployment. 4.3. Resource Updates Originating at a Non-SCIM Source One or more ERC with single RM/RC/RU and multiple RS. This is another common use case, because it allow the organization to adopt SCIM protocol for CRUD operations of their resources. In this use case the organization already have an existent database of resources that is going to be the source of truth for the Resource Manager. Normally this ERC, specially if we are talking about user Identity, will have a User database that can be accessible using LDAP, some times the ERC can provide RO/RA using SAML Single Sign-On using Just in time Provision. We also see some IDaaS providing softwares that allow them to exchange resource information by using proprietary protocols, very common using HTTP REST to get the information from the ERC to the RM. Typically in this use case the RM will become the new source of truth for the resources of our Organization, will add extra RA (Resource Attributes) and ignore other RA that existed in the ERC. Some organization that already realize that going forward in the SCIM path, the RM will manage the RO/RA, will also start create new RO in the RM. The Resource Subscribers will consume all or a subset of the RO/RA from the RM. Typically we will see this use case in small to mid size organization where resources were organized in a non standardize platform for Resources Management, where it isn't possible to cut/replace everything with a new system. 4.4. Resources from Multiple SCIM Sources Coordinated by a Resource Manager One or more RC/RU, with single RM/RC/RU/RS and multiple RS. In this use case, the the CRUD operation for the RO (Resource Object) and its RA (Resource Attributes) does not belong to the RM (Resource Manager), this is done in a separate SCIM entity, the Resource Creator/Resource Updater. A good example of this is use case are Organization that have their HR application, and the lifecycle of the resource (typically groups and Users) is done by that application. We could also have devices where the creation and update operations are always done by the device itself or by a mobile application/web server on their behalf, in this use case the roles of RC/RU moves away from the RM. We could also have this use case where the RM is extended with the Roles of RC/RU for extra RA (Resources Attributes), but the RO (Resource Object) is typically created by the "HR Correia & Dingle Expires 25 April 2024 [Page 19] Internet-Draft SCIM Use Cases October 2023 System"/device. Typically we will see this use case in mid to large organization where no structure method to handle the resources start with a blank sheet of paper in a greenfield deployment. 4.5. Resources from SCIM and Non-SCIM sources, Coordinated by a Resource Manager One or more ERC, one or more RC/RU, with single RM/RC/RU/RS and multiple RS. In this use case, one source of the Resource information is an ERC (External Resource Creator), or the entity that has the role of RC/RU (such as an HR System). In some cases the HR system can also consume information from the ERC and complement it. This doesn't mean that the RM will not need to consolidate RO/RA from the SCIM and non SCIM entities and consolidate and aggregate RO/RAs for those multiple sources. The RM gets its RO (Resource Object) from both systems the RC/RU and from the ERC, and need to define rules which ones to take and to ignore. 4.6. Complex sources including Multiple Resource Updaters One or more ERC, one or more RC/RU, with single RM/RC/RU/RS and multiple RS/RU. In this use case we add the capability of the Resource Subscriber to be also an Resource Update, it is very common that an SaaS application can be the source of truth for specifics RA and add extra details to the RO. Typically we will see this use case in large organization where resources were organized in a non standardize platform for Resources Management and it isn't possible to cut/replace everything with a new system. Those organization start to adopt many application that brings new attributes to the different resources that already exist in the system. 4.7. Complex Multi-directional Object and Resource Management with simple Resource Subscribers One or more ERC, one or more RC/RU/RS, with single RM/RC/RU/RS and multiple RS/RU. In this use case we introduce the possibility of the RC/RU (example given before the HR System) be interested in the attribute that was created updated by the RS/RU (also known as the SaaS application), an example could be adding the business email that was created by the mail service (that came from RS/RU) to the HR information service (the RC/RU/RS element). Typically we will see this use case in large organization where resources were organized in a non standardize platform for Resources Correia & Dingle Expires 25 April 2024 [Page 20] Internet-Draft SCIM Use Cases October 2023 Management and it isn't possible to cut/replace everything with a new system. Those organization start to adopt many application that brings attributes to the different resources that already exist in the system, but they need to have all the important attributes of Resources in a application in our examples "HR application". 4.8. Complex Multi-direction Object/Resource Management with bi- directional Resource Subscriber/Updaters One or more ERC, one or more RC/RU/RS, with one or more RM/RC/RU/RS and multiple RS/RU. In this use case we introduce the possibility of having multiple Resource Managers, where the information from the RO/RA is consolidated across different domains/services. Typically we will see this use case in large organizations, or between organizations that have their own business to business communication and have the need to exchange information about Resources. This example also happens during mergers or acquisitions, where multiple RMs exist and IT departments have to manage each RM in parallel. 5. Security Considerations Authentication and authorization must be guaranteed for the SCIM operations to ensure that only authenticated entities can perform the SCIM requests and the requested SCIM operations are authorized. SCIM resources (e.g., Users and Groups) can contain sensitive information. Thus, data confidentiality MUST be guaranteed at the transport layer. There can be privacy issues that go beyond transport security, e.g., moving personally identifying information (PII) offshore between different SCIM elements. Regulatory requirements shall be met when migrating identity information between jurisdictional regions (e.g., countries and states may have differing regulations on privacy). Additionally, privacy-sensitive data elements may be omitted or obscured in SCIM transactions or stored records to protect these data elements for a user. For instance, a role-based identifier might be used in place of an individual's name. Detailed security considerations are specified in Section 7 of the SCIM protocol [RFC7644] and Section 9 of the SCIM schema [RFC7643]. 6. IANA Considerations There are no additional IANA considerations to those specified [RFC7643] and [RFC7644]. Correia & Dingle Expires 25 April 2024 [Page 21] Internet-Draft SCIM Use Cases October 2023 7. Acknowledgements 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . 8.2. Informative References [RFC7643] Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C. Mortimore, "System for Cross-domain Identity Management: Core Schema", RFC 7643, DOI 10.17487/RFC7643, September 2015, . [RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E., and C. Mortimore, "System for Cross-domain Identity Management: Protocol", RFC 7644, DOI 10.17487/RFC7644, September 2015, . [RFC9110] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, June 2022, . [RFC9112] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1", STD 99, RFC 9112, DOI 10.17487/RFC9112, June 2022, . [RFC8417] Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari, "Security Event Token (SET)", RFC 8417, DOI 10.17487/RFC8417, July 2018, . [Device_Schema_Extensions_to_the_SCIM_model] Shahzad, M., Iqbal, H., and E. Lear, "Device Schema Extensions to the SCIM model", July 2023, . [SCIM_Profile_for_Security_Event_Tokens] Hunt, P., Cam-Winget, N., and M. Kiser, "Device Schema Extensions to the SCIM model", July 2023, . Correia & Dingle Expires 25 April 2024 [Page 22] Internet-Draft SCIM Use Cases October 2023 Authors' Addresses Paulo Jorge Correia Cisco Systems Email: paucorre@cisco.com Pamela Dingle Microsoft Corporation Email: pamela.dingle@microsoft.com Correia & Dingle Expires 25 April 2024 [Page 23]