| rfc9967v1.txt | rfc9967.txt | |||
|---|---|---|---|---|
| skipping to change at line 20 ¶ | skipping to change at line 20 ¶ | |||
| May 2026 | May 2026 | |||
| System for Cross-Domain Identity Management (SCIM) Profile for Security | System for Cross-Domain Identity Management (SCIM) Profile for Security | |||
| Event Tokens (SETs) | Event Tokens (SETs) | |||
| Abstract | Abstract | |||
| This specification defines a set of System for Cross-domain Identity | This specification defines a set of System for Cross-domain Identity | |||
| Management (SCIM) Security Events using the Security Event Token | Management (SCIM) Security Events using the Security Event Token | |||
| (SET) specification (RFC 8417) to enable the asynchronous exchange of | (SET) specification (RFC 8417) to enable the asynchronous exchange of | |||
| messages between SCIM Service Providers and receivers. | messages between SCIM service providers and receivers. | |||
| This specification updates RFC 7643 by defining additional attributes | This specification updates RFC 7643 by defining additional attributes | |||
| for the "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" | for the "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" | |||
| schema, and it updates RFC 7644 with an optional new Asynchronous | schema, and it updates RFC 7644 with an optional new asynchronous | |||
| SCIM Request capability. | SCIM request capability. | |||
| Status of This Memo | Status of This Memo | |||
| This is an Internet Standards Track document. | This is an Internet Standards Track document. | |||
| This document is a product of the Internet Engineering Task Force | This document is a product of the Internet Engineering Task Force | |||
| (IETF). It represents the consensus of the IETF community. It has | (IETF). It represents the consensus of the IETF community. It has | |||
| received public review and has been approved for publication by the | received public review and has been approved for publication by the | |||
| Internet Engineering Steering Group (IESG). Further information on | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | Internet Standards is available in Section 2 of RFC 7841. | |||
| skipping to change at line 92 ¶ | skipping to change at line 92 ¶ | |||
| 7.1. SCIM Asynchronous Set-Txn Header Registration | 7.1. SCIM Asynchronous Set-Txn Header Registration | |||
| 7.2. Registering Event Capability with SCIM Service Provider | 7.2. Registering Event Capability with SCIM Service Provider | |||
| Configuration | Configuration | |||
| 7.3. Creation of the SCIM Event URIs Registry | 7.3. Creation of the SCIM Event URIs Registry | |||
| 7.4. Initial Contents of the SCIM Event URIs Registry | 7.4. Initial Contents of the SCIM Event URIs Registry | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| 8.2. Informative References | 8.2. Informative References | |||
| Appendix A. Use Cases | Appendix A. Use Cases | |||
| A.1. Domain-Based Replication | A.1. Domain-Based Replication | |||
| A.2. Co-ordinated Provisioning | A.2. Coordinated Provisioning | |||
| Acknowledgements | Acknowledgements | |||
| Authors' Addresses | Authors' Addresses | |||
| 1. Introduction and Overview | 1. Introduction and Overview | |||
| This specification defines Security Events for SCIM Service Providers | This specification defines Security Events for SCIM service providers | |||
| and receivers as specified by Security Event Tokens (SETs) [RFC8417]. | and receivers as specified by Security Event Tokens (SETs) [RFC8417]. | |||
| In this specification, SCIM Security Events include asynchronous | In this specification, SCIM Security Events include asynchronous | |||
| request completion, resource replication, and provisioning co- | request completion, resource replication, and provisioning | |||
| ordination. | coordination. | |||
| This specification defines the use of the HTTP header "Prefer: | This specification defines the use of the HTTP header "Prefer: | |||
| respond-async" [RFC7240] to allow a SCIM Protocol Client [RFC7644] to | respond-async" [RFC7240] to allow a SCIM client [RFC7644] to request | |||
| request an asynchronous response (see Section 2.5.1.1). | an asynchronous response (see Section 2.5.1.1). | |||
| Using the HTTP protocol, a SCIM Protocol Client issues commands to a | Using the HTTP protocol, a SCIM client issues commands to a SCIM | |||
| SCIM Service Provider using HTTP methods such as POST, PATCH, and | service provider using HTTP methods such as POST, PATCH, and DELETE | |||
| DELETE [RFC7644] that cause a state change to a SCIM Resource. When | [RFC7644] that cause a state change to a SCIM resource. When | |||
| multiple independent SCIM Clients update SCIM Resources, individual | multiple independent SCIM clients update SCIM resources, individual | |||
| clients become out of date as state changes occur. Some clients may | clients become out of date as state changes occur. Some clients may | |||
| need to be informed of these changes for co-ordination or | need to be informed of these changes for coordination or | |||
| reconciliation purposes. This could be done using periodic SCIM GET | reconciliation purposes. This could be done using periodic SCIM GET | |||
| requests over time, but this rapidly becomes problematic as the | requests over time, but this rapidly becomes problematic as the | |||
| number of changes and the number of resources increases. | number of changes and the number of resources increases. | |||
| SCIM Events can be shared over an established Event Feed enabling | SCIM Events can be shared over an established event feed enabling | |||
| receivers to monitor and trigger independent asynchronous action. | receivers to monitor and trigger independent asynchronous action. | |||
| This approach enables greater scale and timeliness, where only | This approach enables greater scale and timeliness, where only | |||
| changed information is exchanged between parties. | changed information is exchanged between parties. | |||
| A SET conveys information about a state change that has occurred at a | A SET conveys information about a state change that has occurred at a | |||
| SCIM Service Provider. That SET may be of interest to one or more | SCIM service provider. That SET may be of interest to one or more | |||
| receivers. But instead of interpreting SETs as commands, each Event | receivers. But instead of interpreting SETs as commands, each Event | |||
| Receiver is able to determine the best local follow-up action to take | Receiver is able to determine the best local follow-up action to take | |||
| within its own context. For example, a receiver can reconcile schema | within its own context. For example, a receiver can reconcile schema | |||
| and resource type differences between domains. | and resource type differences between domains. | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| skipping to change at line 171 ¶ | skipping to change at line 171 ¶ | |||
| For this specification, the terms "claims" and "attributes" are | For this specification, the terms "claims" and "attributes" are | |||
| interchangeable. For consistency, JWT and SET attributes registered | interchangeable. For consistency, JWT and SET attributes registered | |||
| by IANA will continue to be called "claims", while event information | by IANA will continue to be called "claims", while event information | |||
| attributes (i.e., those in an event payload) will be referred to as | attributes (i.e., those in an event payload) will be referred to as | |||
| "attributes". | "attributes". | |||
| Additionally, the following terms are defined: | Additionally, the following terms are defined: | |||
| Attributes and Claims: | Attributes and Claims: | |||
| The JWT specification [RFC7519], upon which SET is based, uses the | The JWT specification [RFC7519], upon which SET is based, uses the | |||
| term "claims" to refer to attributes in a JSON token. In | term "claims" to refer to attributes in a JSON Web Token. In | |||
| contrast, SCIM uses the term "attributes" to refer to JSON | contrast, SCIM uses the term "attributes" to refer to JSON | |||
| attributes. For the purposes of this document, the terms | attributes. For the purposes of this document, the terms | |||
| "attributes" and "claims" are equivalent. | "attributes" and "claims" are equivalent. | |||
| Co-ordinated Provisioning (CP): | Coordinated Provisioning (CP): | |||
| As defined in Appendix A.2, in CP relationships, an Event | As defined in Appendix A.2, in CP relationships, an Event | |||
| Publisher and Receiver typically exchange resource change events | Publisher and Receiver typically exchange resource change events | |||
| without exchanging data (see Section 2.4). For a receiver to know | without exchanging data (see Section 2.4). For a receiver to know | |||
| the value of the data, the Event Receiver usually calls back to | the value of the data, the Event Receiver usually calls back to | |||
| the SCIM Event Publisher domain to receive a new copy of data | the SCIM Event Publisher domain to receive a new copy of data | |||
| (e.g., uses a SCIM GET request). | (e.g., uses a SCIM GET request). | |||
| Domain-Based Replication (DBR): | Domain-Based Replication (DBR): | |||
| As defined in Appendix A.1, in the DBR mode, there is an | As defined in Appendix A.1, in the DBR mode, there is an | |||
| administrative relationship spanning multiple operational domains; | administrative relationship spanning multiple operational domains; | |||
| data shared in Events typically uses the "full" mode variation of | data shared in Events typically uses the "full" mode variation of | |||
| change events (see Section 2.4) including the "data" payload | change events (see Section 2.4) including the "data" payload | |||
| attribute. This eliminates the need for a callback to retrieve | attribute. This eliminates the need for a callback to retrieve | |||
| additional data. | additional data. | |||
| Event Feed / Event Stream: | Event Feed / Event Stream: | |||
| An Event Feed (or equivalently an Event Stream) is a logical | An event feed (or equivalently an event stream) is a logical | |||
| series of events shared with a unique receiving client. A SET | series of events shared with a unique receiving client. A SET | |||
| transfer (see [RFC8935] and [RFC8936]) Service Provider may offer | transfer (see [RFC8935] and [RFC8936]) service provider may offer | |||
| to allow Event Receivers to "subscribe" to specific event types or | to allow Event Receivers to "subscribe" to specific event types or | |||
| events about specific resources (see Feed Management events in | events about specific resources (see feed events in Section 2.3). | |||
| Section 2.3). | ||||
| Event Receiver: | Event Receiver: | |||
| An entity typically receives events as described in [RFC8935] and | An entity typically receives events as described in [RFC8935] and | |||
| [RFC8936] or via HTTP GET (see Section 2.5.1.1). In the case of | [RFC8936] or via HTTP GET (see Section 2.5.1.1). In the case of | |||
| SET Push Transfer [RFC8935], the Event Receiver is an HTTP Service | push-based SET delivery [RFC8935], the Event Receiver is an HTTP | |||
| Endpoint that receives requests. In the case of SET Poll-based | endpoint that receives requests. In the case of poll-based SET | |||
| Transfer [RFC8936], the receiver is an HTTP client that initiates | delivery [RFC8936], the receiver is an HTTP client that initiates | |||
| an HTTP request to an Event Publisher endpoint. | HTTP requests to an Event Publisher endpoint. | |||
| Event Publisher: | Event Publisher: | |||
| A system that issues SETs based on a resource state change that | A system that issues SETs based on a resource state change that | |||
| has occurred at a SCIM Service Provider. For example, events may | has occurred at a SCIM service provider. For example, events may | |||
| be the result of a SCIM Create, Modify, or Delete operation as | be the result of a SCIM Create, Modify, or Delete operation as | |||
| defined in Section 3 of [RFC7644]. A SCIM Service Provider may be | defined in Section 3 of [RFC7644]. A SCIM service provider may be | |||
| an Event Publisher or an independent service that aggregates | an Event Publisher or an independent service that aggregates | |||
| events into Event Receiver feeds. As described above, when using | events into Event Receiver feeds. As described above, when using | |||
| [RFC8935], the Event Publisher is an HTTP client that initiates | [RFC8935], the Event Publisher is an HTTP client that initiates | |||
| HTTP POST requests to a defined Event Receiver endpoint. When | HTTP POST requests to a defined Event Receiver endpoint. When | |||
| using [RFC8936], the Event Publisher provides an HTTP endpoint, | using [RFC8936], the Event Publisher provides an HTTP endpoint, | |||
| which a receiver may use to "poll" for Security Events. | which a receiver may use to "poll" for Security Events. | |||
| SCIM Client: | SCIM Client: | |||
| An HTTP client that initiates SCIM protocol [RFC7644] requests and | An HTTP client that initiates SCIM protocol [RFC7644] requests and | |||
| receives responses that may cause SCIM Events to be issued by the | receives responses that may cause SCIM Events to be issued by the | |||
| SCIM Service Provider. A SCIM Client may also be an Event | SCIM service provider. A SCIM client may also be an Event | |||
| Receiver, typically when making an asynchronous SCIM request (see | Receiver, typically when making an asynchronous SCIM request (see | |||
| Section 2.5.1.1). | Section 2.5.1.1). | |||
| SCIM Service Provider: | SCIM Service Provider: | |||
| An HTTP server that implements the SCIM protocol [RFC7644] and | An HTTP server that implements the SCIM protocol [RFC7644] and | |||
| SCIM schema [RFC7643]. Upon processing a state change to a SCIM | SCIM schema [RFC7643]. Upon processing a state change to a SCIM | |||
| Resource, it issues a SCIM Event or causes an Event Publisher to | resource, it issues a SCIM Event or causes an Event Publisher to | |||
| issue a SCIM Event. | issue a SCIM Event. | |||
| Security Event Token (SET): | Security Event Token (SET): | |||
| As defined in [RFC8417]. | As defined in [RFC8417]. | |||
| 2. SCIM Events | 2. SCIM Events | |||
| A SCIM Event is a signal, in the form of a Security Event Token | A SCIM Event is a signal, in the form of a Security Event Token | |||
| [RFC8417], that describes some event that has occurred. A SET event | [RFC8417], that describes some event that has occurred. A SET event | |||
| consists of a set of standard JWT "top-level" claims and an "events" | consists of a set of standard JWT "top-level" claims and an "events" | |||
| skipping to change at line 284 ¶ | skipping to change at line 283 ¶ | |||
| } | } | |||
| } | } | |||
| Figure 1: Example SCIM Subject Id | Figure 1: Example SCIM Subject Id | |||
| Instead of "sub", the top-level claim "sub_id" SHALL be used. | Instead of "sub", the top-level claim "sub_id" SHALL be used. | |||
| "sub_id" contains the subclaim attribute "format" set to "scim" to | "sub_id" contains the subclaim attribute "format" set to "scim" to | |||
| indicate that the attributes present in the "sub_id" object are SCIM | indicate that the attributes present in the "sub_id" object are SCIM | |||
| attributes. The following "sub_id" attributes are defined: | attributes. The following "sub_id" attributes are defined: | |||
| uri | uri: | |||
| The SCIM relative path for the resource that usually consists of | The SCIM relative path for the resource that usually consists of | |||
| the resource type endpoint plus the resource "id" (see Section 3.2 | the resource type endpoint plus the resource "id" (see Section 3.2 | |||
| of [RFC7644]), for example, | of [RFC7644]), for example, | |||
| "/Users/2b2f880af6674ac284bae9381673d462". This attribute MUST be | "/Users/2b2f880af6674ac284bae9381673d462". This attribute MUST be | |||
| provided in a SCIM Event "sub_id" claim. Note that the relative | provided in a SCIM Event "sub_id" claim. Note that the relative | |||
| path is the path component after the SCIM Service Provider Base | path is the path component after the SCIM service provider Base | |||
| URI as defined in Section 1.3 of [RFC7644]. In cases where the | URI as defined in Section 1.3 of [RFC7644]. In cases where the | |||
| Event Receiver is unable to match a URI, the Event Receiver MAY | Event Receiver is unable to match a URI, the Event Receiver MAY | |||
| issue a callback to a previously agreed SCIM Service Provider Base | issue a callback to a previously agreed SCIM service provider Base | |||
| URI plus the relative "uri" value and perform a SCIM GET request | URI plus the relative "uri" value and perform a SCIM GET request | |||
| per Section 3.4.1 of [RFC7644]. | per Section 3.4.1 of [RFC7644]. | |||
| externalId | externalId: | |||
| If known, the "externalId" value (defined in Section 3.1 of | If known, the "externalId" value (defined in Section 3.1 of | |||
| [RFC7643]) of the SCIM Resource that MAY be used by a receiver to | [RFC7643]) of the SCIM resource that MAY be used by a receiver to | |||
| identify the corresponding resource in the Event Receiver's | identify the corresponding resource in the Event Receiver's | |||
| domain. | domain. | |||
| id | id: | |||
| The SCIM Id attribute (defined in Section 3.1 of [RFC7643]) MAY be | The SCIM "id" attribute (defined in Section 3.1 of [RFC7643]) MAY | |||
| used for backwards compatibility reasons in addition to the "uri" | be used for backwards compatibility reasons in addition to the | |||
| claim. | "uri" claim. | |||
| In cases where SCIM identifiers ("id" and "externalId") are not | In cases where SCIM identifiers ("id" and "externalId") are not | |||
| enough to identify a common resource between an Event Publisher and | enough to identify a common resource between an Event Publisher and | |||
| Event Receiver, the "sub_id" object MAY contain attributes whose SCIM | Event Receiver, the "sub_id" object MAY contain attributes whose SCIM | |||
| attribute types have "uniqueness" set to "server" or "global" as per | attribute types have "uniqueness" set to "server" or "global" as per | |||
| Section 7 of [RFC7643]. For example, attributes such as "emails" or | Section 7 of [RFC7643]. For example, attributes such as "emails" or | |||
| "username" (defined in Section 4 of [RFC7643]) are unique within a | "userName" (defined in Section 4 of [RFC7643]) are unique within a | |||
| SCIM Service Provider. Such attributes should allow an Event | SCIM service provider. Such attributes should allow an Event | |||
| Publisher and Event Receiver to identify a commonly understood | Publisher and Event Receiver to identify a commonly understood | |||
| subject resource of an event. | subject resource of an event. | |||
| 2.2. Common Event Attributes | 2.2. Common Event Attributes | |||
| The following attributes are available for all events defined. Some | The following attributes are available for all events defined. Some | |||
| attributes are defined as SET/JWT claims, while others are "Event | attributes are defined as SET/JWT claims, while others are "event | |||
| Payload" claims as defined in Section 1.2 of [RFC8417]. Only one of | payload" claims as defined in Section 1.2 of [RFC8417]. Only one of | |||
| the claims, "data" or "attributes", MUST be provided depending on the | the claims, "data" or "attributes", MUST be provided depending on the | |||
| event definition. | event definition. | |||
| txn | txn: | |||
| A SET-defined claim with a STRING value (see Section 2.2 of | A SET-defined claim with a STRING value (see Section 2.2 of | |||
| [RFC8417]) that uniquely identifies a transaction originating at a | [RFC8417]) that uniquely identifies a transaction originating at a | |||
| SCIM Service Provider and/or its underlying data repository or | SCIM service provider and/or its underlying data repository or | |||
| database where one or more SCIM Events may be subsequently issued. | database where one or more SCIM Events may be subsequently issued. | |||
| In contrast to a "jti" claim (see Section 4.1.7 of [RFC7519]), | In contrast to a "jti" claim (see Section 4.1.7 of [RFC7519]), | |||
| which uniquely identifies a token, the "txn" remains the same when | which uniquely identifies a token, the "txn" remains the same when | |||
| one or more SETs are generated for various purposes such as | one or more SETs are generated for various purposes such as | |||
| retransmission, publication to multiple receivers, etc. A | retransmission, publication to multiple receivers, etc. A | |||
| distinct state change or transaction within a SCIM Service | distinct state change or transaction within a SCIM service | |||
| Provider MAY result in multiple SETs issued each with distinct | provider MAY result in multiple SETs issued each with distinct | |||
| "jit" values and a common "txn" value. "txn" is REQUIRED to | "jit" values and a common "txn" value. "txn" is REQUIRED to | |||
| support asynchronous SCIM requests, CP, and replication to | support asynchronous SCIM requests, CP, and replication to | |||
| disambiguate or detect duplicate SETs regarding the same | disambiguate or detect duplicate SETs regarding the same | |||
| underlying transaction. | underlying transaction. | |||
| version | version: | |||
| The ETag version of the resource as a result of the event. | The ETag version of the resource as a result of the event. | |||
| Corresponds to the ETag response header described in Section 3.14 | Corresponds to the ETag response header described in Section 3.14 | |||
| of [RFC7644]. | of [RFC7644]. | |||
| data | data: | |||
| An event payload attribute that contains information described in | An event payload attribute that contains information described in | |||
| the SCIM Bulk Operations "data" attribute in Section 3.7 of | the SCIM Bulk Operations "data" attribute in Section 3.7 of | |||
| [RFC7644]. The JSON object contains the equivalent SCIM command | [RFC7644]. The JSON object contains the equivalent SCIM command | |||
| processed by the SCIM Service Provider. For example, after | processed by the SCIM service provider. For example, after | |||
| processing a SCIM Create operation, the data contained includes | processing a SCIM Create operation, the data contained includes | |||
| the final representation of the entity created by the SCIM Service | the final representation of the entity created by the SCIM service | |||
| Provider including the assigned "id" value. | provider including the assigned "id" value. | |||
| attributes | attributes: | |||
| A payload that contains an array of attributes that were added, | A payload that contains an array of attributes that were added, | |||
| revised, or removed. Names of modified attributes SHOULD conform | revised, or removed. Names of modified attributes SHOULD conform | |||
| to the ABNF syntax rule for "path" (Section 3.5.2 of [RFC7644]). | to the ABNF syntax rule for "path" (Section 3.5.2 of [RFC7644]). | |||
| For example: "attributes": | For example: "attributes": | |||
| ["username","emails","name.familyName"]. | ["userName","emails","name.familyName"]. | |||
| 2.3. SCIM Feed Events | 2.3. SCIM Feed Events | |||
| This section defines events related to changes in the content of an | This section defines events related to changes in the content of an | |||
| event feed such as SCIM Resources that are being added or removed | event feed such as SCIM resources that are being added or removed | |||
| from an event feed or events used in Co-operative Provisioning | from an event feed or events used in Coordinated Provisioning | |||
| scenarios where only a subset of entities are shared across an Event | scenarios where only a subset of entities are shared across an event | |||
| Feed. The URI prefix for these events is | feed. The URI prefix for these events is | |||
| "urn:ietf:params:scim:event:feed". | "urn:ietf:params:scim:event:feed". | |||
| 2.3.1. urn:ietf:params:scim:event:feed:add | 2.3.1. urn:ietf:params:scim:event:feed:add | |||
| The specified resource has been added to the Event Feed. A | The specified resource has been added to the event feed. A | |||
| "feed:add" does not indicate that a resource is new or has been | "feed:add" does not indicate that a resource is new or has been | |||
| recently created. For example, an existing user has had a new role | recently created. For example, an existing user has had a new role | |||
| (e.g., CRM_User) added to their profile, which has caused their | (e.g., CRM_User) added to their profile, which has caused their | |||
| resource to join a feed. | resource to join a feed. | |||
| { | { | |||
| "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", | "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", | |||
| "txn": "b7b953f11cc6489bbfb87834747cc4c1", | "txn": "b7b953f11cc6489bbfb87834747cc4c1", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "scim", | "format": "scim", | |||
| skipping to change at line 427 ¶ | skipping to change at line 426 ¶ | |||
| "aud":[ | "aud":[ | |||
| "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" | "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" | |||
| ] | ] | |||
| } | } | |||
| Figure 3: Example SCIM Feed Remove Event | Figure 3: Example SCIM Feed Remove Event | |||
| 2.4. SCIM Provisioning Events | 2.4. SCIM Provisioning Events | |||
| This section defines resource changes that have occurred within a | This section defines resource changes that have occurred within a | |||
| SCIM Service Provider. These events are used in both Domain-Based | SCIM service provider. These events are used in both Domain-Based | |||
| Replication (DBR) and Co-operative Provisioning (CP) mode. The URI | Replication (DBR) and Coordinated Provisioning (CP) mode. The URI | |||
| prefix for these events is "urn:ietf:params:scim:event:prov". | prefix for these events is "urn:ietf:params:scim:event:prov". | |||
| When the "data" payload attribute is included for each of the | When the "data" payload attribute is included for each of the | |||
| following events, the event URI MUST end with "full"; otherwise, the | following events, the event URI MUST end with "full"; otherwise, the | |||
| event URI ends with "notice". In "full" mode, the set of values | event URI ends with "notice". In "full" mode, the set of values | |||
| reflecting the final representation of the resource (such as would be | reflecting the final representation of the resource (such as would be | |||
| returned in a SCIM protocol response) at the Service Provider are | returned in a SCIM protocol response) at the service provider are | |||
| provided using the "data" attribute (see Figure 4). In "notice" | provided using the "data" attribute (see Figure 4). In "notice" | |||
| mode, the "attributes" attribute is returned and lists the set of | mode, the "attributes" attribute is returned and lists the set of | |||
| attributes created or modified in the request (see Figure 5). | attributes created or modified in the request (see Figure 5). | |||
| Exactly one of the payload attributes, "data" or "attributes", MUST | Exactly one of the payload attributes, "data" or "attributes", MUST | |||
| be present. Both MUST NOT be present simultaneously. | be present. Both MUST NOT be present simultaneously. | |||
| 2.4.1. urn:ietf:params:scim:event:prov:create:{notice|full} | 2.4.1. urn:ietf:params:scim:event:prov:create:{notice|full} | |||
| The specified resource indicates that a new SCIM resource has been | The specified resource indicates that a new SCIM resource has been | |||
| created by the SCIM Service Provider and has been added to the Event | created by the SCIM service provider and has been added to the event | |||
| Feed. Note that because the event may be used for replication, the | feed. Note that because the event may be used for replication, the | |||
| "id" attribute that was assigned by the SCIM Service Provider is | "id" attribute that was assigned by the SCIM service provider is | |||
| shared so that all replicas in the domain MAY use the same resource | shared so that all replicas in the domain MAY use the same resource | |||
| identifier. | identifier. | |||
| { | { | |||
| "jti": "4d3559ec67504aaba65d40b0363faad8", | "jti": "4d3559ec67504aaba65d40b0363faad8", | |||
| "iat": 1458496404, | "iat": 1458496404, | |||
| "iss":"https://scim.example.com", | "iss":"https://scim.example.com", | |||
| "aud":[ | "aud":[ | |||
| "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754", | "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754", | |||
| "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7" | "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7" | |||
| skipping to change at line 645 ¶ | skipping to change at line 644 ¶ | |||
| "iss":"https://scim.example.com", | "iss":"https://scim.example.com", | |||
| "aud":[ | "aud":[ | |||
| "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" | "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" | |||
| ] | ] | |||
| } | } | |||
| Figure 9: Example SCIM Put Event (Notice) | Figure 9: Example SCIM Put Event (Notice) | |||
| 2.4.4. urn:ietf:params:scim:event:prov:delete | 2.4.4. urn:ietf:params:scim:event:prov:delete | |||
| The specified resource has been deleted from the SCIM Service | The specified resource has been deleted from the SCIM service | |||
| Provider. The resource is also removed from the feed. When a DELETE | provider. The resource is also removed from the feed. When a DELETE | |||
| is sent, a corresponding "feedRemove" SHALL NOT be issued. A delete | is sent, a corresponding "feedRemove" SHALL NOT be issued. A delete | |||
| event has no payload attributes. Note that because the delete event | event has no payload attributes. Note that because the delete event | |||
| has no attributes, the qualifiers "full" and "notice" SHALL NOT be | has no attributes, the qualifiers "full" and "notice" SHALL NOT be | |||
| used. | used. | |||
| { | { | |||
| "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", | "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "scim", | "format": "scim", | |||
| "uri": "/Users/2b2f880af6674ac284bae9381673d462", | "uri": "/Users/2b2f880af6674ac284bae9381673d462", | |||
| skipping to change at line 675 ¶ | skipping to change at line 674 ¶ | |||
| "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" | "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" | |||
| ] | ] | |||
| } | } | |||
| Figure 10: Example SCIM Delete Event | Figure 10: Example SCIM Delete Event | |||
| 2.4.5. urn:ietf:params:scim:event:prov:activate | 2.4.5. urn:ietf:params:scim:event:prov:activate | |||
| The specified resource (e.g., User) has been "activated". This does | The specified resource (e.g., User) has been "activated". This does | |||
| not necessarily reflect any particular state change at the SCIM | not necessarily reflect any particular state change at the SCIM | |||
| Service Provider but may simply indicate that the account defined by | service provider but may simply indicate that the account defined by | |||
| the SCIM resource is ready for use as agreed upon by the Event | the SCIM resource is ready for use as agreed upon by the Event | |||
| Publisher and Event Receiver. For example, an activated resource can | Publisher and Event Receiver. For example, an activated resource can | |||
| represent an account that may be logged in. | represent an account that may be logged in. | |||
| { | { | |||
| "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", | "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "scim", | "format": "scim", | |||
| "uri": "/Users/2b2f880af6674ac284bae9381673d462" | "uri": "/Users/2b2f880af6674ac284bae9381673d462" | |||
| }, | }, | |||
| skipping to change at line 708 ¶ | skipping to change at line 707 ¶ | |||
| 2.4.6. urn:ietf:params:scim:event:prov:deactivate | 2.4.6. urn:ietf:params:scim:event:prov:deactivate | |||
| The specified resource (e.g., User) has been deactivated and | The specified resource (e.g., User) has been deactivated and | |||
| disabled. The exact meaning SHOULD be agreed to by the Event | disabled. The exact meaning SHOULD be agreed to by the Event | |||
| Publisher and its corresponding Event Receiver. Typically, this | Publisher and its corresponding Event Receiver. Typically, this | |||
| means the subject may no longer have an active security session. | means the subject may no longer have an active security session. | |||
| 2.5. Miscellaneous Events | 2.5. Miscellaneous Events | |||
| This section defines related miscellaneous events such as | This section defines related miscellaneous events such as | |||
| Asynchronous Request completion that has occurred within a SCIM | asynchronous request completion that has occurred within a SCIM | |||
| Service Provider. The URI prefix for these events is | service provider. The URI prefix for these events is | |||
| "urn:ietf:params:scim:event:misc". | "urn:ietf:params:scim:event:misc". | |||
| 2.5.1. Asynchronous Events | 2.5.1. Asynchronous Events | |||
| 2.5.1.1. Making an Asynchronous SCIM Request | 2.5.1.1. Making an Asynchronous SCIM Request | |||
| A SCIM Client making SCIM HTTP requests defined in Section 3 of | A SCIM client making SCIM HTTP requests defined in Section 3 of | |||
| [RFC7644] MAY request asynchronous processing using the "Prefer" HTTP | [RFC7644] MAY request asynchronous processing using the "Prefer" HTTP | |||
| header as defined in Section 4.1 of [RFC7240]. The client may do | header as defined in Section 4.1 of [RFC7240]. The client may do | |||
| this for a number of reasons such as avoiding holding HTTP | this for a number of reasons such as avoiding holding HTTP | |||
| connections open during long requests because the result of the | connections open during long requests because the result of the | |||
| request is not needed or the result is delivered to another entity | request is not needed or the result is delivered to another entity | |||
| for further action for co-ordination reasons. | for further action for coordination reasons. | |||
| To initiate an asynchronous SCIM request, a normal SCIM protocol | To initiate an asynchronous SCIM request, a normal SCIM protocol | |||
| POST, PUT, PATCH, or DELETE request is performed with the HTTP | POST, PUT, PATCH, or DELETE request is performed with the HTTP | |||
| "Prefer" header set to "respond-async" (Section 4.1 of [RFC7240]). | "Prefer" header set to "respond-async" (Section 4.1 of [RFC7240]). | |||
| The HTTP "Accept" header MUST be ignored for purposes of an | The HTTP "Accept" header MUST be ignored for purposes of an | |||
| asynchronous response. Additionally, per Section 4.3 of [RFC7240], | asynchronous response. Additionally, per Section 4.3 of [RFC7240], | |||
| the "wait" preference SHOULD be supported to establish a maximum time | the "wait" preference SHOULD be supported to establish a maximum time | |||
| before a SCIM Service Provider MAY choose to respond asynchronously. | before a SCIM service provider MAY choose to respond asynchronously. | |||
| In response, the SCIM Service Provider returns either a normal SCIM | In response, the SCIM service provider returns either a normal SCIM | |||
| response or HTTP Status 202 (Accepted). The asynchronous response | response or HTTP status code 202 (Accepted). The asynchronous | |||
| MUST contain no response body. To enable correlation of the future | response MUST contain no response body. To enable correlation of the | |||
| event, the HTTP response header "Set-Txn" (see Section 3) is returned | future event, the HTTP response header "Set-Txn" (see Section 3) is | |||
| with a value that MUST match the "txn" claim in a subsequent Security | returned with a value that MUST match the "txn" claim in a subsequent | |||
| Event Token. Per [RFC7240], Section 3, the response will also | Security Event Token. Per [RFC7240], Section 3, the response will | |||
| include the "Preference-Applied" header. The "Location" header value | also include the "Preference-Applied" header. The "Location" header | |||
| MUST be one of the following: (a) a URI where the completion SCIM | value MUST be one of the following: (a) a URI where the completion | |||
| Event Token MAY be retrieved using HTTP GET or (b) the normal SCIM | SCIM Event Token MAY be retrieved using HTTP GET or (b) the normal | |||
| location header response specified by [RFC7644]. | SCIM location header response specified by [RFC7644]. | |||
| In the following non-normative example, a "Prefer" header is set to | In the following non-normative example, a "Prefer" header is set to | |||
| "respond-async": | "respond-async": | |||
| PUT /Users/2819c223-7f76-453a-919d-413861904646 | PUT /Users/2819c223-7f76-453a-919d-413861904646 | |||
| Host: scim.example.com | Host: scim.example.com | |||
| Prefer: respond-async | Prefer: respond-async | |||
| Content-Type: application/scim+json | Content-Type: application/scim+json | |||
| Authorization: Bearer h480djs93hd8 | Authorization: Bearer h480djs93hd8 | |||
| skipping to change at line 770 ¶ | skipping to change at line 769 ¶ | |||
| "roles":[], | "roles":[], | |||
| "emails":[ | "emails":[ | |||
| { | { | |||
| "value":"bjensen@example.com" | "value":"bjensen@example.com" | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| Figure 12: Example Asynchronous SCIM Protocol Request | Figure 12: Example Asynchronous SCIM Protocol Request | |||
| The SCIM Service Provider responds with HTTP 202 Accepted and | The SCIM service provider responds with HTTP status code 202 | |||
| includes the Set-Txn header: | (Accepted) and includes the Set-Txn header: | |||
| HTTP/1.1 202 Accepted | HTTP/1.1 202 Accepted | |||
| Set-Txn: 734f0614e3274f288f93ac74119dcf78 | Set-Txn: 734f0614e3274f288f93ac74119dcf78 | |||
| Preference-Applied: respond-async | Preference-Applied: respond-async | |||
| Location: | Location: | |||
| "/Users/2819c223-7f76-453a-919d-413861904646" | "/Users/2819c223-7f76-453a-919d-413861904646" | |||
| Figure 13 | Figure 13: Async SCIM Request with Prefer Header | |||
| 2.5.1.2. Asynchronous Bulk Endpoint Requests | 2.5.1.2. Asynchronous Bulk Endpoint Requests | |||
| Section 3.7 of [RFC7644] provides the ability to submit multiple SCIM | Section 3.7 of [RFC7644] provides the ability to submit multiple SCIM | |||
| operations in a single "bulk" request. When an asynchronous response | operations in a single "bulk" request. When an asynchronous response | |||
| is requested, a single Asynchronous Request Completion Event MUST be | is requested, a single Asynchronous Request Completion Event MUST be | |||
| generated for each requested operation. For example, if a single | generated for each requested operation. For example, if a single | |||
| "bulk" request had 10 operations, then 10 Asynchronous Event | "bulk" request had 10 operations, then 10 Asynchronous Event | |||
| completion events would be generated. | completion events would be generated. | |||
| The "txn" claim MUST be set to the value originally returned to the | The "txn" claim MUST be set to the value originally returned to the | |||
| requesting SCIM Client (see Section 2.5.1.1) appended with a colon | requesting SCIM client (see Section 2.5.1.1) appended with a colon | |||
| ":" and the zero-based array index of the operation expressed in the | ":" and the zero-based array index of the operation expressed in the | |||
| "Operations" attribute of the original bulk request. The "bulkId" | "Operations" attribute of the original bulk request. The "bulkId" | |||
| parameter MUST NOT be used for this purpose as it is a temporary | parameter MUST NOT be used for this purpose as it is a temporary | |||
| identifier and is not required for every operation. | identifier and is not required for every operation. | |||
| For example, if a SCIM Service Provider received a bulk request with | For example, if a SCIM service provider received a bulk request with | |||
| two or more operations, and had a "txn" claim value of | two or more operations, and had a "txn" claim value of | |||
| "2d80e537a3f64622b0347b641ebc8f44", then the first Asynchronous | "2d80e537a3f64622b0347b641ebc8f44", then the first Asynchronous | |||
| Response Event Token representing the first operation has a "txn" | Response Event Token representing the first operation has a "txn" | |||
| claim value of "2d80e537a3f64622b0347b641ebc8f44:0", the second | claim value of "2d80e537a3f64622b0347b641ebc8f44:0", the second | |||
| operation has a value of "2d80e537a3f64622b0347b641ebc8f44:1", and so | operation has a value of "2d80e537a3f64622b0347b641ebc8f44:1", and so | |||
| on. | on. | |||
| If a SCIM Service Provider optimizes the sequence of operations (per | If a SCIM service provider optimizes the sequence of operations (per | |||
| Section 3.7 of [RFC7644]), the Asynchronous Request Completion events | Section 3.7 of [RFC7644]), the Asynchronous Request Completion Events | |||
| MAY be generated out of sequence from the original request. In this | MAY be generated out of sequence from the original request. In this | |||
| case, the "txn" claims in those events MUST use operation numbers | case, the "txn" claims in those events MUST use operation numbers | |||
| that correspond to the order in the original request. | that correspond to the order in the original request. | |||
| 2.5.1.3. urn:ietf:params:scim:event:misc:asyncresp | 2.5.1.3. urn:ietf:params:scim:event:misc:asyncresp | |||
| The Asynchronous Response event signals the completion of a SCIM | The Asynchronous Response Event signals the completion of a SCIM | |||
| request. The event payload contains the attributes defined in | request. The event payload contains the attributes defined in | |||
| Section 3.7 of [RFC7644] and is the same as a single SCIM Bulk | Section 3.7 of [RFC7644] and is the same as a single SCIM Bulk | |||
| Response Operation as per Section 3.7.3 of [RFC7644]. In the event, | Response Operation as per Section 3.7.3 of [RFC7644]. In the event, | |||
| the "txn" claim MUST be set to the value originally returned to the | the "txn" claim MUST be set to the value originally returned to the | |||
| requesting SCIM Client (see Section 2.5.1.1). | requesting SCIM client (see Section 2.5.1.1). | |||
| { | { | |||
| "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", | "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "scim", | "format": "scim", | |||
| "uri": "/Users/2819c223-7f76-453a-919d-413861904646" | "uri": "/Users/2819c223-7f76-453a-919d-413861904646" | |||
| }, | }, | |||
| "txn": "734f0614e3274f288f93ac74119dcf78", | "txn": "734f0614e3274f288f93ac74119dcf78", | |||
| "events":{ | "events":{ | |||
| "urn:ietf:params:scim:event:misc:asyncresp": { | "urn:ietf:params:scim:event:misc:asyncresp": { | |||
| skipping to change at line 881 ¶ | skipping to change at line 880 ¶ | |||
| }, | }, | |||
| "iat": 1458505044, | "iat": 1458505044, | |||
| "iss":"https://scim.example.com", | "iss":"https://scim.example.com", | |||
| "aud":[ | "aud":[ | |||
| "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" | "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" | |||
| ] | ] | |||
| } | } | |||
| Figure 15: Example SCIM Asynchronous Error Response Event | Figure 15: Example SCIM Asynchronous Error Response Event | |||
| The following four figures show Asynchronous Completion events for | The following four figures show asynchronous completion events for | |||
| the example in Section 3.7.3 of [RFC7644]. | the example in Section 3.7.3 of [RFC7644]. | |||
| { | { | |||
| "jti": "dbae9d7506b34329aa7f2f0d3827848b", | "jti": "dbae9d7506b34329aa7f2f0d3827848b", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "scim", | "format": "scim", | |||
| "uri": "/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a" | "uri": "/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a" | |||
| }, | }, | |||
| "txn": "2d80e537a3f64622b0347b641ebc8f44:1", | "txn": "2d80e537a3f64622b0347b641ebc8f44:1", | |||
| "events":{ | "events":{ | |||
| skipping to change at line 985 ¶ | skipping to change at line 984 ¶ | |||
| } | } | |||
| Figure 19: Example SCIM Asynchronous Response Event Operation (4 | Figure 19: Example SCIM Asynchronous Response Event Operation (4 | |||
| of 4) | of 4) | |||
| 3. Set-Txn HTTP Response Header for Asynchronous Requests | 3. Set-Txn HTTP Response Header for Asynchronous Requests | |||
| This specification defines a new HTTP header field, "Set-Txn", which | This specification defines a new HTTP header field, "Set-Txn", which | |||
| serves the purpose of conveying request completion information to | serves the purpose of conveying request completion information to | |||
| SCIM HTTP clients that request an asynchronous response as described | SCIM HTTP clients that request an asynchronous response as described | |||
| in Section 2.5.1.1. The header field MUST be used in SCIM Responses | in Section 2.5.1.1. The header field MUST be used in SCIM responses | |||
| when HTTP Status 202 Accepted is being returned with no message body. | when HTTP status code 202 (Accepted) is being returned with no | |||
| message body. | ||||
| The "Set-Txn" HTTP header field value is a unique STRING (e.g., a | The "Set-Txn" HTTP header field value is a unique STRING (e.g., a | |||
| Globally Unique Identifier (GUID)) used by the SCIM HTTP client to | Globally Unique Identifier (GUID)) used by the SCIM HTTP client to | |||
| look for a matching SET event with a matching "txn" claim (see | look for a matching SET event with a matching "txn" claim (see | |||
| Section 2 of [RFC8417]) confirming the request completion status as | Section 2 of [RFC8417]) confirming the request completion status as | |||
| described in Section 2.5.1.1. | described in Section 2.5.1.1. | |||
| Intermediaries SHOULD NOT insert, modify, or delete the field's | Intermediaries SHOULD NOT insert, modify, or delete the field's | |||
| value. | value. | |||
| SCIM clients MAY ignore the header in cases where confirmation of | SCIM clients MAY ignore the header in cases where confirmation of | |||
| completion is not required. For example, a SCIM client may simply | completion is not required. For example, a SCIM client may simply | |||
| not want to wait for synchronous completion. | not want to wait for synchronous completion. | |||
| 4. Events Discovery Schema for Service Provider Configuration | 4. Events Discovery Schema for Service Provider Configuration | |||
| Section 5 of [RFC7643] defines SCIM Service Provider configuration | Section 5 of [RFC7643] defines SCIM service provider configuration | |||
| schemas. This section defines additional attributes that enable a | schemas. This section defines additional attributes that enable a | |||
| SCIM Client to discover the additional capabilities defined by this | SCIM client to discover the additional capabilities defined by this | |||
| specification. | specification. | |||
| securityEvents | securityEvents: | |||
| A SCIM Complex attribute that specifies the available capabilities | A SCIM complex attribute that specifies the available capabilities | |||
| related to asynchronous Security Events based on [RFC8417]. This | related to asynchronous Security Events based on [RFC8417]. This | |||
| attribute is OPTIONAL, and when absent, it indicates the SCIM | attribute is OPTIONAL, and when absent, it indicates the SCIM | |||
| Service Provider does not support or is not currently configured | service provider does not support or is not currently configured | |||
| for Security Events. The following sub-attributes are defined: | for Security Events. The following sub-attributes are defined: | |||
| asyncRequest | asyncRequest: | |||
| A case-insensitive string value specifying one of the | A case-insensitive string value specifying one of the | |||
| following: | following: | |||
| * "none" indicates that asynchronous SCIM requests defined in | * "none" indicates that asynchronous SCIM requests defined in | |||
| Section 2.5.1.1 are not supported; | Section 2.5.1.1 are not supported; | |||
| * "long" indicates that the server completes requests | * "long" indicates that the server completes requests | |||
| asynchronously at the server's discretion (e.g., based on a | asynchronously at the server's discretion (e.g., based on a | |||
| max wait time); and | max wait time); and | |||
| * "request" indicates that the server completes requests | * "request" indicates that the server completes requests | |||
| asynchronously when requested by the SCIM Client. | asynchronously when requested by the SCIM client. | |||
| eventUris | eventUris: | |||
| A multivalued string listing the SET Event URIs (defined in | A multivalued string listing the SET Event URIs (defined in | |||
| [RFC8417]) that the server is capable of generating and | [RFC8417]) that the server is capable of generating and | |||
| delivering via a SET Stream (see [RFC8935] and [RFC8936]). | delivering via a SET Stream (see [RFC8935] and [RFC8936]). | |||
| This information is informational only. Stream registration | This information is informational only. Stream registration | |||
| and configuration are out of scope of this specification. | and configuration are out of scope of this specification. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| As this specification is based upon the SETs specification and the | As this specification is based upon the SETs specification and the | |||
| associated delivery specifications, the following security | associated delivery specifications, the following security | |||
| skipping to change at line 1053 ¶ | skipping to change at line 1053 ¶ | |||
| * Section 5 of [RFC8935] (Push-Based SET Delivery Using HTTP) | * Section 5 of [RFC8935] (Push-Based SET Delivery Using HTTP) | |||
| * Section 4 of [RFC8936] (Poll-Based SET Delivery Using HTTP) | * Section 4 of [RFC8936] (Poll-Based SET Delivery Using HTTP) | |||
| SETs may contain sensitive information, including Personally | SETs may contain sensitive information, including Personally | |||
| Identifiable Information (PII). In such cases, SET Transmitters and | Identifiable Information (PII). In such cases, SET Transmitters and | |||
| SET Recipients MUST protect the confidentiality of the SET contents | SET Recipients MUST protect the confidentiality of the SET contents | |||
| in transit using TLS [BCP195]. | in transit using TLS [BCP195]. | |||
| When co-ordinating provisioning between entities, the long-term | When coordinating provisioning between entities, the long-term series | |||
| series of changes may be critical to the information integrity and | of changes may be critical to the information integrity and recovery | |||
| recovery requirements of both sides. To address this, Event | requirements of both sides. To address this, Event Publishers can | |||
| Publishers can make events available for receivers for longer periods | make events available for receivers for longer periods of time than | |||
| of time than might typically be used for recovering from momentary | might typically be used for recovering from momentary delivery | |||
| delivery failures and retries per [RFC8935] or [RFC8936]. Similarly, | failures and retries per [RFC8935] or [RFC8936]. Similarly, Event | |||
| Event Receivers MUST ensure events are persisted directly or | Receivers MUST ensure events are persisted directly or indirectly to | |||
| indirectly to meet local recovery needs before acknowledging the SET | meet local recovery needs before acknowledging the SET Events were | |||
| Events were received. | received. | |||
| An attacker might leverage transaction and/or signal information | An attacker might leverage transaction and/or signal information | |||
| contained in a SET Event Publisher or Receiver system. To mitigate | contained in a SET Event Publisher or Receiver system. To mitigate | |||
| this, access to event recovery and forwarding MUST be limited to the | this, access to event recovery and forwarding MUST be limited to the | |||
| parties needed to support recovery or SET forwarding. | parties needed to support recovery or SET forwarding. | |||
| When SET Events are transferred in such a way that the Event | When SET Events are transferred in such a way that the Event | |||
| Publisher is not communicating directly to the Event Receiver, it may | Publisher is not communicating directly to the Event Receiver, it may | |||
| become possible for an attacker or other system to insert an event. | become possible for an attacker or other system to insert an event. | |||
| To mitigate, Event Receivers MUST verify the originator of a SET | To mitigate, Event Receivers MUST verify the originator of a SET | |||
| using JSON Web Signature (JWS) [RFC7515] signatures when the Event | using JSON Web Signature (JWS) [RFC7515] signatures when the Event | |||
| Publisher is not communicating directly with the Event Receiver. | Publisher is not communicating directly with the Event Receiver. | |||
| Validating event signatures may also be useful for auditing purposes | Validating event signatures may also be useful for auditing purposes | |||
| as signed SET Events are protected from tampering in the event that | as signed SET Events are protected from tampering in the event that | |||
| an intermediate system, such as a TLS-terminating proxy, decrypts the | an intermediate system, such as a TLS-terminating proxy, decrypts the | |||
| SET payload before sending it onward to its intended recipient. | SET payload before sending it onward to its intended recipient. | |||
| In operation, some SCIM Resources such as SCIM Groups may have a high | In operation, some SCIM resources such as SCIM Groups may have a high | |||
| rate of change. For example, groups with more than a few thousand | rate of change. For example, groups with more than a few thousand | |||
| member values could lead to excessive change rates, which could lead | member values could lead to excessive change rates, which could lead | |||
| to a loss of SET Events between Event Publishers and Event Receivers. | to a loss of SET Events between Event Publishers and Event Receivers. | |||
| To mitigate this risk, consider the following to help with throughput | To mitigate this risk, consider the following to help with throughput | |||
| issues: | issues: | |||
| * The use of SCIM PUT (Section 3.5.1 of [RFC7644]), particularly | * The use of SCIM PUT (Section 3.5.1 of [RFC7644]), particularly | |||
| with large SCIM Groups, can result in excessive data being | with large SCIM Groups, can result in excessive data being | |||
| conveyed in Security Event payloads. Instead, it is RECOMMENDED | conveyed in Security Event payloads. Instead, it is RECOMMENDED | |||
| to use SCIM PATCH (Section 3.5.2 of [RFC7644]) to focus on | to use SCIM PATCH (Section 3.5.2 of [RFC7644]) to focus on | |||
| updating and notifying about changed information. Alternatively, | updating and notifying about changed information. Alternatively, | |||
| use SCIM PUT Event Notice | use SCIM PUT Event Notice | |||
| (urn:ietf:params:scim:event:prov:put:notice) as a trigger to later | (urn:ietf:params:scim:event:prov:put:notice) as a trigger to later | |||
| retrieve the full information when needed. | retrieve the full information when needed. | |||
| * Use SCIM Patch Event Notice | * Use SCIM Patch Event Notice | |||
| (urn:ietf:params:scim:event:prov:patch:notice) to reduce event | (urn:ietf:params:scim:event:prov:patch:notice) to reduce event | |||
| content combined with periodic SCIM GETs (see Section 3.4 of | content combined with periodic SCIM GETs (see Section 3.4 of | |||
| [RFC7644]) to retrieve current group state. | [RFC7644]) to retrieve current group state. | |||
| * Aggregate multiple PATCH Events into a single event. Providing | * Aggregate multiple PATCH Events into a single event. If providing | |||
| the exact date of each membership change is not critical but | the exact date of each membership change is not critical, consider | |||
| instead that the information content remains intact. | using a PATCH to aggregate multiple membership changes into a | |||
| single event. | ||||
| When using Asynchronous SCIM Requests (see Section 2.5.1.1), a SCIM | When using asynchronous SCIM requests (see Section 2.5.1.1), a SCIM | |||
| Service Provider returns a SCIM Accepted response with a URI for | service provider returns a SCIM Accepted response with a URI for | |||
| retrieving the event result. An unauthorized entity or attacker | retrieving the event result. An unauthorized entity or attacker | |||
| could obtain asynchronous request completion event information by | could obtain Asynchronous Request Completion Event information by | |||
| querying the asynchronous operation result endpoint used by a SCIM | querying the asynchronous operation result endpoint used by a SCIM | |||
| Service Provider. To mitigate, the returned URI endpoint MUST be | service provider. To mitigate, the returned URI endpoint MUST be | |||
| protected and requires an HTTP Authorization header or some other | protected and requires an HTTP Authorization header or some other | |||
| form of client authentication. | form of client authentication. | |||
| 6. Privacy Considerations | 6. Privacy Considerations | |||
| As this specification is based upon the SET specification and the | As this specification is based upon the SET specification and the | |||
| associated delivery specifications, the following privacy | associated delivery specifications, the following privacy | |||
| considerations are also applicable to this specification: | considerations are also applicable to this specification: | |||
| * Section 6 of [RFC8417] (Security Event Token) | * Section 6 of [RFC8417] (Security Event Token) | |||
| skipping to change at line 1132 ¶ | skipping to change at line 1133 ¶ | |||
| * Section 5 of [RFC8936] (Poll-Based SET Delivery Using HTTP) | * Section 5 of [RFC8936] (Poll-Based SET Delivery Using HTTP) | |||
| This specification enables the sharing of information between | This specification enables the sharing of information between | |||
| domains; therefore, it is assumed that implementers and deployers are | domains; therefore, it is assumed that implementers and deployers are | |||
| operating under one of the following scenarios: | operating under one of the following scenarios: | |||
| * A common administrative domain where there is one administrative | * A common administrative domain where there is one administrative | |||
| owner of the data. In these cases, the goal is to protect privacy | owner of the data. In these cases, the goal is to protect privacy | |||
| and security of the owner and user data by keeping information | and security of the owner and user data by keeping information | |||
| systems co-ordinated and up to date. For example, the domains | systems coordinated and up to date. For example, the domains | |||
| decide to use DBR mode to keep employee information synchronized. | decide to use DBR mode to keep employee information synchronized. | |||
| * In a co-operative or co-ordinated relationship, parties have | * In a cooperative or coordinated relationship, parties have decided | |||
| decided to share a limited amount of data and/or signals for the | to share a limited amount of data and/or signals for the benefits | |||
| benefits of their users. Depending on end-user consent, | of their users. Depending on end-user consent, information is | |||
| information is shared on an as-authorized and/or as-needed basis. | shared on an as-authorized and/or as-needed basis. For example, | |||
| For example, the domains agree to use CP mode that exchanges | the domains agree to use CP mode that exchanges things such as | |||
| things such as account status or specific minimal attribute | account status or specific minimal attribute information that must | |||
| information that must be fetched on request after receiving notice | be fetched on request after receiving notice of a change. This | |||
| of a change. This enables authorization to be verified each time | enables authorization to be verified each time data is | |||
| data is transferred. | transferred. | |||
| In general, the sharing of SCIM Event information falls within a pre- | In general, the sharing of SCIM Event information falls within a pre- | |||
| existing SCIM Client and Service Provider relationship and carries no | existing SCIM client and service provider relationship and carries no | |||
| additional personal information. | additional personal information. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| 7.1. SCIM Asynchronous Set-Txn Header Registration | 7.1. SCIM Asynchronous Set-Txn Header Registration | |||
| This specification registers the HTTP "Set-Txn" field name in the | This specification registers the HTTP "Set-Txn" field name in the | |||
| "Hypertext Transfer Protocol (HTTP) Field Name Registry" defined in | "Hypertext Transfer Protocol (HTTP) Field Name Registry" defined in | |||
| Section 16.3.1 of [RFC9110]. | Section 16.3.1 of [RFC9110]. | |||
| skipping to change at line 1200 ¶ | skipping to change at line 1201 ¶ | |||
| "urn:ietf:params:scim:event:{class}:{name}:{other}" | "urn:ietf:params:scim:event:{class}:{name}:{other}" | |||
| The keywords have the following meaning: | The keywords have the following meaning: | |||
| class | class | |||
| The class of events, which is one of: "feed", "prov", or | The class of events, which is one of: "feed", "prov", or | |||
| "misc". | "misc". | |||
| name | name | |||
| A US-ASCII string that conforms to URN syntax requirements (see | A ASCII string that conforms to URN syntax requirements (see | |||
| [RFC8141]) and defines a descriptive event name (e.g., | [RFC8141]) and defines a descriptive event name (e.g., | |||
| "create"). | "create"). | |||
| other | other | |||
| An optional US-ASCII string that conforms to URN syntax | An optional ASCII string that conforms to URN syntax | |||
| requirements (see [RFC8141]) and serves as an additional sub- | requirements (see [RFC8141]) and serves as an additional sub- | |||
| category or qualifier, for example, "full" and "notice". | category or qualifier, for example, "full" and "notice". | |||
| Identifier Uniqueness Considerations: | Identifier Uniqueness Considerations: | |||
| The designated contact is responsible for reviewing and enforcing | The designated contact is responsible for reviewing and enforcing | |||
| uniqueness. | uniqueness. | |||
| Identifier Persistence Considerations: | Identifier Persistence Considerations: | |||
| Once a name has been allocated, it MUST NOT be reallocated for a | Once a name has been allocated, it MUST NOT be reallocated for a | |||
| different purpose. The rules provided for the assignment of | different purpose. The rules provided for the assignment of | |||
| skipping to change at line 1395 ¶ | skipping to change at line 1396 ¶ | |||
| 1_0.html>. | 1_0.html>. | |||
| Appendix A. Use Cases | Appendix A. Use Cases | |||
| SCIM Events may be used in a number of ways. The following non- | SCIM Events may be used in a number of ways. The following non- | |||
| normative sections describe some of the expected uses. | normative sections describe some of the expected uses. | |||
| A.1. Domain-Based Replication | A.1. Domain-Based Replication | |||
| The objective of DBR events is to synchronize resource changes | The objective of DBR events is to synchronize resource changes | |||
| between SCIM Service Providers in a common administrative domain. In | between SCIM service providers in a common administrative domain. In | |||
| this mode, complete information about modified resources are shared | this mode, complete information about modified resources are shared | |||
| between replicas for immediate processing. | between replicas for immediate processing. | |||
| +----------------+ | +-------------+ +---------------------+ +------------------------+ | |||
| | SCIM Client A | | |SCIM Client A| |SCIM Service Provider| |Service Provider Replica| | |||
| +----------------+ | +-------------+ +---------------------+ +------------------------+ | |||
| | | | | | | |||
| [1] SCIM Operation | | [1] SCIM Operation | | | |||
| | | |-------------------->| | | |||
| v | | [2] SCIM Response | | | |||
| +----------------+ | |<--------------------| | | |||
| | Service | | | | | | |||
| | Provider | | | | [3] Event SCIM:prov:<op> | | |||
| +----------------+ | | | id:xyz | | |||
| ^ | | |- - - - - - - - - - - - - >| | |||
| [2] SCIM Response | | | | | |||
| | | | | [4] Update local node |--+ | |||
| | | | | | | | |||
| v | | | |<-+ | |||
| +------------------------+ | | | | | |||
| | Service Provider | | v v v | |||
| | Replica | | ||||
| +------------------------+ | ||||
| | | ||||
| [3] Event SCIM:prov:<op> id=xyz | ||||
| | | ||||
| v | ||||
| +----------------+ | ||||
| | Update local | | ||||
| | node [4] | | ||||
| +----------------+ | ||||
| Figure 20: Domain-Based Replication Sequence | Figure 20: Domain-Based Replication Sequence | |||
| From a security perspective, it is assumed that servers sharing DBR | From a security perspective, it is assumed that servers sharing DBR | |||
| events are secured by a common access policy and all servers are | events are secured by a common access policy and all servers are | |||
| required to be up to date. From a privacy perspective, because all | required to be up to date. From a privacy perspective, because all | |||
| servers are in the same administrative domain, the primary objective | servers are in the same administrative domain, the primary objective | |||
| is to keep individual Service Provider nodes or clusters | is to keep individual service provider nodes or clusters | |||
| synchronized. | synchronized. | |||
| A.2. Co-ordinated Provisioning | A.2. Coordinated Provisioning | |||
| In CP, SCIM resource change events perform the function of change | In CP, SCIM resource change events perform the function of change | |||
| notification without the need to provide raw data. In any Event | notification without the need to provide raw data. In any Event | |||
| Publisher and Receiver relationship, the set of SCIM Resources (e.g., | Publisher and Receiver relationship, the set of SCIM resources (e.g., | |||
| Users) that are linked or co-ordinated is managed within the context | Users) that are linked or coordinated is managed within the context | |||
| of an event feed and may be a subset of the total set of resources on | of an event feed and may be a subset of the total set of resources on | |||
| either side. For example, an event feed could be limited to users | either side. For example, an event feed could be limited to users | |||
| who have consented to the sharing of information between domains. To | who have consented to the sharing of information between domains. To | |||
| support capability, "feed" specific events are defined to indicate | support capability, "feed" specific events are defined to indicate | |||
| the addition and removal of SCIM Resources from a feed. For example, | the addition and removal of SCIM resources from a feed. For example, | |||
| when a user consents to the sharing of information between domains, | when a user consents to the sharing of information between domains, | |||
| events about the User may be added to the feed between the Event | events about the User may be added to the feed between the Event | |||
| Publisher and Receiver. | Publisher and Receiver. | |||
| +-----------+ +---------------+ +---------------+ +---------------+ | +-----------+ +---------------+ +-----------------+ +---------------+ | |||
| | SCIM Clnt | | SCIM Service | | Client A Co-op| | Co-op Action | | |SCIM Client| | SCIM Service | | Event Receiver | | Coord. Action | | |||
| | (CA) | | Provider (SP) | | Receiver (ER) | | Endpoint(LEP) | | | | | Provider | | | | Endpoint | | |||
| +-----------+ +---------------+ +---------------+ +---------------+ | +-----------+ +---------------+ +-----------------+ +---------------+ | |||
| | | | | | | | | | | |||
| | "SCIM Operation" | | | | | [1] SCIM | | | | |||
| +----------------->| | | | | Operation | | | | |||
| |<-----------------+ "SCIM Response" | | | |--------------->| | | | |||
| | | | | | | | | | | |||
| | |--> "Event SCIM:prov:<op>, id=xyz" --->| | | [2] SCIM | | | | |||
| | | | | | | Response | | | | |||
| | | | Note: Receiver | | |<---------------| | | | |||
| | | | may accumulate | | | | | | | |||
| | | | events for | | | +=== loop ==========+===================+ | |||
| | | | periodic action | | | | | | | |||
| | |<------------------+ "SCIM GET <id>" | | | | [3] Event | | | |||
| | |------------------>| "Filtered | | | | SCIM:prov:<op> | | | |||
| | | | Resource Resp." | | | | id:xyz | | | |||
| | | | | | | |- - - - - - - - - >| | | |||
| | | +------------------>| | | | | | | |||
| | | | "Co-ord Action" | | | | | Note: Receiver | | |||
| | | | | | | | | may accumulate | | |||
| | | | events for | | ||||
| | | | periodic action. | | ||||
| | | | | | ||||
| | | [4] SCIM GET <id> | | | ||||
| | |<------------------| | | ||||
| | | | | | ||||
| | | [5] Filtered | | | ||||
| | | Resource | | | ||||
| | | Response | | | ||||
| | |------------------>| | | ||||
| | | | | | ||||
| | | | [6] Coordinated | | ||||
| | | | Action | | ||||
| | | |------------------>| | ||||
| | | | | | ||||
| | +=== end loop ======+===================+ | ||||
| v v v v | ||||
| Figure 21: Co-ordinated Provisioning Sequence | Figure 21: Coordinated Provisioning Sequence | |||
| In CP mode, the receiver of an event must call back to the | In CP mode, the receiver of an event must call back to the | |||
| originating SCIM Service Provider (e.g., using a SCIM GET request) to | originating SCIM service provider (e.g., using a SCIM GET request) to | |||
| reconcile the newly changed resource in order to obtain the changes. | reconcile the newly changed resource in order to obtain the changes. | |||
| CP has the following benefits: | CP has the following benefits: | |||
| * Differences in schema (e.g., attributes) between domains. For | * Differences in schema (e.g., attributes) between domains. For | |||
| example, a receiving domain may only be interested in or allowed | example, a receiving domain may only be interested in or allowed | |||
| to access to a few attributes (e.g., role-based access data) to | to access to a few attributes (e.g., role-based access data) to | |||
| enable access to an application. | enable access to an application. | |||
| * Different Event Receivers may have differing needs when accessing | * Different Event Receivers may have differing needs when accessing | |||
| skipping to change at line 1513 ¶ | skipping to change at line 1521 ¶ | |||
| A disadvantage of the CP approach is that it may be considered costly | A disadvantage of the CP approach is that it may be considered costly | |||
| in the sense that each event received might trigger a callback to the | in the sense that each event received might trigger a callback to the | |||
| event issuer. This cost should be weighed against the cost producing | event issuer. This cost should be weighed against the cost producing | |||
| filtered information in each event for each receiver. Furthermore, a | filtered information in each event for each receiver. Furthermore, a | |||
| receiver is not required to make a callback on every provisioning | receiver is not required to make a callback on every provisioning | |||
| event. | event. | |||
| It is assumed that an underlying relationship between domains exists | It is assumed that an underlying relationship between domains exists | |||
| that permits the exchange of personal information and credentials. | that permits the exchange of personal information and credentials. | |||
| For example, in a cross-domain scenario, a SCIM Service Provider | For example, in a cross-domain scenario, a SCIM service provider | |||
| would have been previously authorized to perform SCIM provisioning | would have been previously authorized to perform SCIM provisioning | |||
| operations and publish change events. As such, appropriate | operations and publish change events. As such, appropriate | |||
| confidentiality and privacy agreements should be in place between the | confidentiality and privacy agreements should be in place between the | |||
| domains. | domains. | |||
| When sharing information between parties, CP Events minimize the | When sharing information between parties, CP Events minimize the | |||
| information shared in each message and require the Security Event | information shared in each message and require the Security Event | |||
| Receiver to receive more information from the Event Publisher as | Receiver to receive more information from the Event Publisher as | |||
| needed. In this way, the Event Receiver is able to have regular | needed. In this way, the Event Receiver is able to have regular | |||
| access to information through normal SCIM protocol access | access to information through normal SCIM protocol access | |||
| End of changes. 87 change blocks. | ||||
| 193 lines changed or deleted | 201 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||