summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7643.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc7643.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc7643.txt')
-rw-r--r--doc/rfc/rfc7643.txt5827
1 files changed, 5827 insertions, 0 deletions
diff --git a/doc/rfc/rfc7643.txt b/doc/rfc/rfc7643.txt
new file mode 100644
index 0000000..e3759b2
--- /dev/null
+++ b/doc/rfc/rfc7643.txt
@@ -0,0 +1,5827 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) P. Hunt, Ed.
+Request for Comments: 7643 Oracle
+Category: Standards Track K. Grizzle
+ISSN: 2070-1721 SailPoint
+ E. Wahlstroem
+ Nexus Technology
+ C. Mortimore
+ Salesforce
+ September 2015
+
+
+ System for Cross-domain Identity Management: Core Schema
+
+Abstract
+
+ The System for Cross-domain Identity Management (SCIM) specifications
+ are designed to make identity management in cloud-based applications
+ and services easier. The specification suite builds upon experience
+ with existing schemas and deployments, placing specific emphasis on
+ simplicity of development and integration, while applying existing
+ authentication, authorization, and privacy models. Its intent is to
+ reduce the cost and complexity of user management operations by
+ providing a common user schema and extension model as well as binding
+ documents to provide patterns for exchanging this schema using HTTP.
+
+ This document provides a platform-neutral schema and extension model
+ for representing users and groups and other resource types in JSON
+ format. This schema is intended for exchange and use with cloud
+ service providers.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7643.
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 1]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction and Overview .......................................3
+ 1.1. Requirements Notation and Conventions ......................4
+ 1.2. Definitions ................................................5
+ 2. SCIM Schema .....................................................6
+ 2.1. Attributes .................................................7
+ 2.2. Attribute Characteristics ..................................8
+ 2.3. Attribute Data Types .......................................8
+ 2.3.1. String ..............................................9
+ 2.3.2. Boolean .............................................9
+ 2.3.3. Decimal ............................................10
+ 2.3.4. Integer ............................................10
+ 2.3.5. DateTime ...........................................10
+ 2.3.6. Binary .............................................10
+ 2.3.7. Reference ..........................................10
+ 2.3.8. Complex ............................................11
+ 2.4. Multi-Valued Attributes ...................................11
+ 2.5. Unassigned and Null Values ................................13
+ 3. SCIM Resources .................................................13
+ 3.1. Common Attributes .........................................16
+ 3.2. Defining New Resource Types ...............................18
+ 3.3. Attribute Extensions to Resources .........................18
+ 4. SCIM Core Resources and Extensions .............................19
+ 4.1. "User" Resource Schema ....................................19
+ 4.1.1. Singular Attributes ................................19
+ 4.1.2. Multi-Valued Attributes ............................23
+ 4.2. "Group" Resource Schema ...................................25
+ 4.3. Enterprise User Schema Extension ..........................26
+ 5. Service Provider Configuration Schema ..........................27
+ 6. ResourceType Schema ............................................29
+ 7. Schema Definition ..............................................30
+
+
+
+
+Hunt, et al. Standards Track [Page 2]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ 8. JSON Representation ............................................34
+ 8.1. Minimal User Representation ...............................34
+ 8.2. Full User Representation ..................................35
+ 8.3. Enterprise User Extension Representation ..................39
+ 8.4. Group Representation ......................................43
+ 8.5. Service Provider Configuration Representation .............44
+ 8.6. Resource Type Representation ..............................46
+ 8.7. Schema Representation .....................................47
+ 8.7.1. Resource Schema Representation .....................47
+ 8.7.2. Service Provider Schema Representation .............74
+ 9. Security Considerations ........................................92
+ 9.1. Protocol ..................................................92
+ 9.2. Passwords and Other Sensitive Security Data ...............92
+ 9.3. Privacy ...................................................92
+ 10. IANA Considerations ...........................................94
+ 10.1. Registration of SCIM URN Sub-namespace and SCIM
+ Registry .................................................94
+ 10.2. URN Sub-namespace for SCIM ...............................94
+ 10.2.1. Specification Template ............................95
+ 10.3. Registering SCIM Schemas .................................97
+ 10.3.1. Registration Procedure ............................97
+ 10.3.2. Schema Registration Template ......................98
+ 10.4. Initial SCIM Schema Registry .............................99
+ 11. References ...................................................100
+ 11.1. Normative References ....................................100
+ 11.2. Informative References ..................................101
+ Acknowledgements .................................................103
+ Authors' Addresses ...............................................104
+
+1. Introduction and Overview
+
+ While there are existing standards for describing and exchanging user
+ information, many of these standards can be difficult to implement
+ and/or use; e.g., their wire protocols do not easily traverse
+ firewalls and/or are not easily layered onto existing web protocols.
+ As a result, many cloud providers implement non-standardized
+ protocols for managing users within their services. This increases
+ both the cost and complexity associated with organizations adopting
+ products and services from multiple cloud providers, as they must
+ perform redundant integration development. Similarly, cloud service
+ providers seeking to interoperate with multiple application
+ marketplaces or cloud identity providers would require pairwise
+ integration.
+
+ SCIM seeks to simplify this problem through an easily implemented
+ specification suite that provides a common user schema and extension
+ model, as well as a SCIM protocol document that defines exchanging
+ this schema via an HTTP-based protocol [RFC7644]. The SCIM
+
+
+
+Hunt, et al. Standards Track [Page 3]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ specifications draw design input and feedback from existing
+ identity-related protocols and schemas from a wide variety of sources
+ including, but not limited to, existing services exposed by cloud
+ providers, PortableContacts [PortableContacts], vCards [RFC6350], and
+ Lightweight Directory Access Protocol (LDAP) directory services
+ [RFC4512].
+
+ The SCIM protocol is an application-level protocol for provisioning
+ and managing identity data specified through SCIM schemas. The
+ protocol supports creation, modification, retrieval, and discovery of
+ core identity resources such as Users and Groups, using a subset of
+ the HTTP methods (GET for retrieval of resources; POST for creation,
+ searching, and bulk modification; PUT for attribute replacement
+ within resources; PATCH for partial update of attributes; and DELETE
+ for removing resources).
+
+ While the SCIM protocol and core schema specifications are intended
+ to cover point-to-point scenarios, implementers and deployers should
+ consider multi-hop and multi-party scenarios such as a service
+ provider acting as a general profile service for in-domain
+ applications (e.g., a directory), as well as scenarios where a
+ service provider in turn passes information to a third-party service
+ provider by acting as either a SCIM client or a SCIM service
+ provider. Implementers and deployers should carefully consider their
+ service level agreements and privacy agreements when distributing or
+ propagating personal information (see Section 9.3).
+
+ This document provides a JSON-based schema and extension model for
+ representing users and groups, as well as service provider
+ configuration. This schema is intended for exchange and use with
+ cloud service providers and other cross-domain scenarios.
+
+1.1. Requirements Notation and Conventions
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+ The key words "REQUIRED" and "OPTIONAL" are used throughout this
+ document to indicate whether an attribute or schema element is
+ required or optional. These key words may be used alone (e.g.,
+ "REQUIRED.") or in a sentence. If not specified, an attribute is
+ considered to be optional.
+
+ The word "DEFAULT" as used in Section 7 indicates that a "keyword"
+ value for an attribute characteristic is the default behavior.
+
+
+
+
+
+Hunt, et al. Standards Track [Page 4]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ Throughout this document, values are quoted to indicate that they are
+ to be taken literally. When using these values in protocol messages,
+ the quotes MUST NOT be used as part of the value.
+
+ Throughout this document, figures may contain spaces and extra line
+ wrapping to improve readability and accommodate space limitations.
+ Similarly, some URIs contained within examples have been shortened
+ for space and readability reasons.
+
+1.2. Definitions
+
+ Service Provider
+ An HTTP web application that provides identity information via the
+ SCIM protocol.
+
+ Client
+ A website or application that uses the SCIM protocol to manage
+ identity data maintained by the service provider. The client
+ initiates SCIM HTTP requests to a target service provider.
+
+ Provisioning Domain
+ A provisioning domain is an administrative domain external to the
+ domain of a service provider for legal or technical reasons. For
+ example, a SCIM client in an enterprise (provisioning client)
+ communicates with a SCIM service provider that is owned or
+ controlled by a different legal entity.
+
+ Resource Type
+ A type of a resource that is managed by a service provider. The
+ resource type defines the resource name, endpoint URL, schemas,
+ and other metadata that indicate where a resource is managed and
+ how it is composed, e.g., "User" or "Group".
+
+ Resource
+ An artifact that is managed by a service provider and that
+ contains one or more attributes, e.g., "User" or "Group".
+
+ Endpoint
+ An endpoint for a service provider is a defined base path relative
+ to the service provider's Base URI (see Section 1.3 of [RFC7644]),
+ over which SCIM operations may be performed against SCIM
+ resources. For example, assuming that the service provider's Base
+ URI is "https://example.com/", "User" resources may be accessed at
+ the "https://example.com/Users" or "https://example.com/v2/Users"
+ endpoint (see Section 3.13 of [RFC7644] for details regarding
+ protocol versioning, e.g., 'v2'). Service provider schemas MAY be
+ returned from the "/Schemas" endpoint.
+
+
+
+
+Hunt, et al. Standards Track [Page 5]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ Schema
+ A collection of attribute definitions that describe the contents
+ of an entire or partial resource, e.g.,
+ "urn:ietf:params:scim:schemas:core:2.0:User". The attribute
+ definitions specify the name of the attribute, and metadata such
+ as type (e.g., string, binary), cardinality (singular, multi,
+ complex), mutability, and returnability.
+
+ Singular Attribute
+ A resource attribute that contains 0..1 values, e.g.,
+ "displayName".
+
+ Multi-valued Attribute
+ A resource attribute that contains 0..n values, e.g., "emails".
+
+ Simple Attribute
+ A singular or multi-valued attribute whose value is a primitive,
+ e.g., "String". A simple attribute MUST NOT contain
+ sub-attributes.
+
+ Complex Attribute
+ A singular or multi-valued attribute whose value is a composition
+ of one or more simple attributes; e.g., "addresses" has the
+ sub-attributes "streetAddress", "locality", "postalCode", and
+ "country".
+
+ Sub-Attribute
+ A simple attribute that is contained within a complex attribute.
+
+2. SCIM Schema
+
+ A SCIM server provides a set of resources, the allowable contents of
+ which are defined by a set of schema URIs and a resource type.
+ SCIM's schema is not a document-centric one such as with
+ [XML-Schema]. Instead, SCIM's support of schema is attribute based,
+ where each attribute may have different type, mutability,
+ cardinality, or returnability. Validation of documents and messages
+ is always performed by an intended receiver, as specified by the SCIM
+ specifications. Validation is performed by the receiver in the
+ context of a SCIM protocol request (see [RFC7644]). For example, a
+ SCIM service provider, upon receiving a request to replace an
+ existing resource with a replacement JSON object, evaluates each
+ asserted attribute based on its characteristics as defined in the
+ relevant schema (e.g., mutability) and decides which attributes may
+ be replaced or ignored.
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 6]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ This specification provides a minimal core schema for representing
+ users and groups (resources), encompassing common attributes found in
+ many existing deployments and schemas. In addition to the minimal
+ core schema, this document also specifies a standardized means by
+ which service providers may extend schemas to define new resources
+ and attributes in both standardized and service-provider-specific
+ cases.
+
+ Resources are categorized into common resource types such as "User"
+ or "Group". Collections of resources of the same type are usually
+ contained within the same "container" ("folder") endpoint.
+
+2.1. Attributes
+
+ A resource is a collection of attributes identified by one or more
+ schemas. Minimally, an attribute consists of the attribute name and
+ at least one simple or complex value, either of which may be
+ multi-valued. For each attribute, a SCIM schema defines the data
+ type, plurality, mutability, and other distinguishing features of an
+ attribute.
+
+ Attribute names are case insensitive and are often "camel-cased"
+ (e.g., "camelCase"). SCIM resources are represented in JSON
+ [RFC7159] format and MUST specify schema via the "schemas" attribute
+ per Section 3.
+
+ Attribute names MUST conform to the following ABNF rules:
+
+ ATTRNAME = ALPHA *(nameChar)
+ nameChar = "$" / "-" / "_" / DIGIT / ALPHA
+
+ Figure 1: ABNF for Attribute Names
+
+ The above rules (and other rules in this specification) use the "Core
+ Rules" from ABNF; see Appendix B of [RFC5234]. Unless otherwise
+ specified in this document, all ABNF strings are case insensitive and
+ the character set for these strings is US-ASCII. For example, all
+ attribute names defined by the above rule are case insensitive.
+
+ When defining attribute names, it should be noted that the hyphen
+ ("-") is not permitted in JavaScript attribute names (or in attribute
+ names for some other languages). While there are no known issues
+ within HTTP protocol and JSON notation, attribute names containing
+ hyphens may need to be escaped when declaring corresponding names of
+ JavaScript attributes.
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 7]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+2.2. Attribute Characteristics
+
+ All attributes have a set of characteristics that describe their type
+ and handling by a service provider; full definitions may be found in
+ Section 7. The characteristics include:
+
+ o "required",
+
+ o "canonicalValues",
+
+ o "caseExact",
+
+ o "mutability",
+
+ o "returned",
+
+ o "uniqueness", and
+
+ o "referenceTypes".
+
+ If not otherwise stated in Section 7, SCIM attributes have the
+ following characteristics:
+
+ o "required" is "false" (i.e., not REQUIRED),
+
+ o "canonicalValues": none assigned (for example, the "type"
+ sub-attribute as described in Section 2.4),
+
+ o "caseExact" is "false" (i.e., case-insensitive),
+
+ o "mutability" is "readWrite" (i.e., modifiable),
+
+ o "returned" is "default" (the attribute value is returned by
+ default),
+
+ o "uniqueness" is "none" (has no uniqueness enforced), and
+
+ o "type" is "string" (Section 2.3.1).
+
+2.3. Attribute Data Types
+
+ Attribute data types are derived from JSON [RFC7159]. The JSON
+ format defines a limited set of data types; hence, where appropriate,
+ alternate JSON representations derived from XML Schema [XML-Schema]
+ are defined below. SCIM extensions SHOULD NOT introduce new data
+ types.
+
+
+
+
+
+Hunt, et al. Standards Track [Page 8]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ Table 1 maps the following SCIM data types to their corresponding
+ SCIM schema type and underlying JSON data type:
+
+ +-----------+-------------+-----------------------------------------+
+ | SCIM Data | SCIM Schema | JSON Type |
+ | Type | "type" | |
+ +-----------+-------------+-----------------------------------------+
+ | String | "string" | String per Section 7 of [RFC7159] |
+ | | | |
+ | Boolean | "boolean" | Value per Section 3 of [RFC7159] |
+ | | | |
+ | Decimal | "decimal" | Number per Section 6 of [RFC7159] |
+ | | | |
+ | Integer | "integer" | Number per Section 6 of [RFC7159] |
+ | | | |
+ | DateTime | "dateTime" | String per Section 7 of [RFC7159] |
+ | | | |
+ | Binary | "binary" | Binary value base64 encoded per Section |
+ | | | 4 of [RFC4648], or with URL and |
+ | | | filename safe alphabet URL per Section |
+ | | | 5 of [RFC4648] that is passed as a JSON |
+ | | | string per Section 7 of [RFC7159] |
+ | | | |
+ | Reference | "reference" | String per Section 7 of [RFC7159] |
+ | | | |
+ | Complex | "complex" | Object per Section 4 of [RFC7159] |
+ +-----------+-------------+-----------------------------------------+
+
+ Table 1: SCIM Data Type to JSON Representation
+
+2.3.1. String
+
+ A sequence of zero or more Unicode characters encoded using UTF-8 as
+ per [RFC2277] and [RFC3629]. The JSON format is defined in Section 7
+ of [RFC7159]. An attribute with SCIM schema type "string" MAY
+ specify a required data format. Additionally, when "canonicalValues"
+ is specified, service providers MAY restrict accepted values to the
+ specified values.
+
+2.3.2. Boolean
+
+ The literal "true" or "false". The JSON format is defined in
+ Section 3 of [RFC7159]. A boolean has no case sensitivity or
+ uniqueness.
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 9]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+2.3.3. Decimal
+
+ A real number with at least one digit to the left and right of the
+ period. The JSON format is defined in Section 6 of [RFC7159]. A
+ decimal has no case sensitivity.
+
+2.3.4. Integer
+
+ A whole number with no fractional digits or decimal. The JSON format
+ is defined in Section 6 of [RFC7159], with the additional constraint
+ that the value MUST NOT contain fractional or exponent parts. An
+ integer has no case sensitivity.
+
+2.3.5. DateTime
+
+ A DateTime value (e.g., 2008-01-23T04:56:22Z). The attribute value
+ MUST be encoded as a valid xsd:dateTime as specified in Section 3.3.7
+ of [XML-Schema] and MUST include both a date and a time. A date time
+ format has no case sensitivity or uniqueness.
+
+ Values represented in JSON format MUST conform to the XML constraints
+ above and are represented as a JSON string per Section 7 of
+ [RFC7159].
+
+2.3.6. Binary
+
+ Arbitrary binary data. The attribute value MUST be base64 encoded as
+ specified in Section 4 of [RFC4648]. In cases where a URL-safe
+ encoding is required, the attribute definition MAY specify that
+ base64 URL encoding be used as per Section 5 of [RFC4648]. Unless
+ otherwise specified in the attribute definition, trailing padding
+ characters MAY be omitted ("=").
+
+ In JSON representation, the encoded values are represented as a JSON
+ string per Section 7 of [RFC7159]. A binary is case exact and has no
+ uniqueness.
+
+2.3.7. Reference
+
+ A URI for a resource. A resource MAY be a SCIM resource, an external
+ link to a resource (e.g., a photo), or an identifier such as a URN.
+ The value MUST be the absolute or relative URI of the target
+ resource. Relative URIs should be resolved as specified in
+ Section 5.2 of [RFC3986]. However, the base URI for relative URI
+ resolution MUST include all URI components and path segments up to,
+ but not including, the Endpoint URI (the SCIM service provider root
+
+
+
+
+
+Hunt, et al. Standards Track [Page 10]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ endpoint); e.g., the base URI for a request to
+ "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
+ would be "https://example.com/v2/", and the relative URI for this
+ resource would be "Users/2819c223-7f76-453a-919d-413861904646".
+
+ In JSON representation, the URI value is represented as a JSON string
+ per Section 7 of [RFC7159]. A reference is case exact. A reference
+ has a "referenceTypes" attribute that indicates what types of
+ resources may be linked, as per Section 7 of this document.
+
+ A reference URI MUST be to an HTTP-addressable resource. An HTTP
+ client performing a GET operation on a reference URI MUST receive the
+ target resource or an appropriate HTTP response code. A SCIM service
+ provider MAY choose to enforce referential integrity for reference
+ types referring to SCIM resources.
+
+ By convention, a reference is commonly represented as a "$ref"
+ sub-attribute in complex or multi-valued attributes; however, this is
+ OPTIONAL.
+
+2.3.8. Complex
+
+ A singular or multi-valued attribute whose value is a composition of
+ one or more simple attributes. The JSON format is defined in
+ Section 4 of [RFC7159]. The order of the component attributes is not
+ significant. Servers and clients MUST NOT require or expect
+ attributes to be in any specific order when an object is either
+ generated or analyzed. A complex attribute has no uniqueness or case
+ sensitivity. A complex attribute MUST NOT contain sub-attributes
+ that have sub-attributes (i.e., that are complex).
+
+2.4. Multi-Valued Attributes
+
+ Multi-valued attributes contain a list of elements using the JSON
+ array format defined in Section 5 of [RFC7159]. Elements can be
+ either of the following:
+
+ o primitive values, or
+
+ o objects with a set of sub-attributes and values, using the JSON
+ object format defined in Section 4 of [RFC7159], in which case
+ they SHALL be considered to be complex attributes. As with
+ complex attributes, the order of sub-attributes is not
+ significant. The predefined sub-attributes listed in this section
+ can be used with multi-valued attribute objects, but these
+ sub-attributes MUST be used with the meanings defined here.
+
+
+
+
+
+Hunt, et al. Standards Track [Page 11]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ If not otherwise defined, the default set of sub-attributes for a
+ multi-valued attribute is as follows:
+
+ type
+ A label indicating the attribute's function, e.g., "work" or
+ "home".
+
+ primary
+ A Boolean value indicating the 'primary' or preferred attribute
+ value for this attribute, e.g., the preferred mailing address or
+ the primary email address. The primary attribute value "true"
+ MUST appear no more than once. If not specified, the value of
+ "primary" SHALL be assumed to be "false".
+
+ display
+ A human-readable name, primarily used for display purposes and
+ having a mutability of "immutable".
+
+ value
+ The attribute's significant value, e.g., email address, phone
+ number.
+
+ $ref
+ The reference URI of a target resource, if the attribute is a
+ reference. URIs are canonicalized per Section 6.2 of [RFC3986].
+ While the representation of a resource may vary in different SCIM
+ protocol API versions (see Section 3.13 of [RFC7644]), URIs for
+ SCIM resources with an API version SHALL be considered comparable
+ to URIs without a version or with a different version. For
+ example, "https://example.com/Users/12345" is equivalent to
+ "https://example.com/v2/Users/12345".
+
+ When returning multi-valued attributes, service providers SHOULD
+ canonicalize the value returned (e.g., by returning a value for the
+ sub-attribute "type", such as "home" or "work") when appropriate
+ (e.g., for email addresses and URLs).
+
+ Service providers MAY return element objects with the same "value"
+ sub-attribute more than once with a different "type" sub-attribute
+ (e.g., the same email address may be used for work and home) but
+ SHOULD NOT return the same (type, value) combination more than once
+ per attribute, as this complicates processing by the client.
+
+ When defining schema for multi-valued attributes, it is considered a
+ good practice to provide a type attribute that MAY be used for the
+ purpose of canonicalization of values. In the schema definition for
+ an attribute, the service provider MAY define the recommended
+ canonical values (see Section 7).
+
+
+
+Hunt, et al. Standards Track [Page 12]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+2.5. Unassigned and Null Values
+
+ Unassigned attributes, the null value, or an empty array (in the case
+ of a multi-valued attribute) SHALL be considered to be equivalent in
+ "state". Assigning an attribute with the value "null" or an empty
+ array (in the case of multi-valued attributes) has the effect of
+ making the attribute "unassigned". When a resource is expressed in
+ JSON format, unassigned attributes, although they are defined in
+ schema, MAY be omitted for compactness.
+
+3. SCIM Resources
+
+ Each SCIM resource is a JSON object that has the following
+ components:
+
+ Resource Type
+ Each resource (or JSON object) in SCIM has a resource type
+ ("meta.resourceType"; see Section 3.1) that defines the resource's
+ core attribute schema and any attribute extension schema, as well
+ as the endpoint where objects of the same type may be found. More
+ information about a resource MAY be found in its resource type
+ definition (see Section 6).
+
+ "Schemas" Attribute
+ The "schemas" attribute is a REQUIRED attribute and is an array of
+ Strings containing URIs that are used to indicate the namespaces
+ of the SCIM schemas that define the attributes present in the
+ current JSON structure. This attribute may be used by parsers to
+ define the attributes present in the JSON structure that is the
+ body to an HTTP request or response. Each String value must be a
+ unique URI. All representations of SCIM schemas MUST include a
+ non-empty array with value(s) of the URIs supported by that
+ representation. The "schemas" attribute for a resource MUST only
+ contain values defined as "schema" and "schemaExtensions" for the
+ resource's defined "resourceType". Duplicate values MUST NOT be
+ included. Value order is not specified and MUST NOT impact
+ behavior.
+
+ Common Attributes
+ A resource's common attributes are those attributes that are part
+ of every SCIM resource, regardless of the value of the "schemas"
+ attribute present in a JSON body. These attributes are not
+ defined in any particular schema but SHALL be assumed to be
+ present in every resource, regardless of the value of the
+ "schemas" attribute. See Section 3.1.
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 13]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ Core Attributes
+ A resource's core attributes are those attributes that sit at the
+ top level of the JSON object together with the common attributes
+ (such as the resource "id"). The list of valid attributes is
+ specified by the resource's resource type "schema" attribute (see
+ Section 6). This same value is also present in the resource's
+ "schemas" attribute.
+
+ Extended Attributes
+ Extended schema attributes are specified by the resource's
+ resource type "schemaExtensions" attribute (see Section 6).
+ Unlike core attributes, extended attributes are kept in their own
+ sub-attribute namespace identified by the schema extension URI.
+ This avoids attribute name conflicts that may arise due to
+ conflicts from separate schema extensions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 14]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ The following example "User" contains the common attributes "id" and
+ "externalId", as well as the complex attribute "meta", which contains
+ the sub-attribute "resourceType". The resource also contains core
+ attributes "userName" and "name", as well as extended enterprise User
+ attributes "employeeNumber" and "costCenter", which are contained in
+ their own JSON substructure identified by their schema URI. Some
+ values have been omitted (...), shortened, or spaced out for clarity.
+
+ {
+ "schemas":
+ ["urn:ietf:params:scim:schemas:core:2.0:User",
+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
+
+ "id": "2819c223-7f76-453a-413861904646",
+ "externalId": "701984",
+
+ "userName": "bjensen@example.com",
+ "name": {
+ "formatted": "Ms. Barbara J Jensen, III",
+ "familyName": "Jensen",
+ "givenName": "Barbara",
+ "middleName": "Jane",
+ "honorificPrefix": "Ms.",
+ "honorificSuffix": "III"
+ },
+ ...
+
+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
+ "employeeNumber": "701984",
+ "costCenter": "4130",
+ ...
+ },
+
+ "meta": {
+ "resourceType": "User",
+ "created": "2010-01-23T04:56:22Z",
+ "lastModified": "2011-05-13T04:42:34Z",
+ "version": "W\/\"3694e05e9dff591\"",
+ "location":
+ "https://example.com/v2/Users/2819c223-7f76-453a-413861904646"
+ }
+ }
+
+ Figure 2: Example JSON Resource Structure
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 15]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+3.1. Common Attributes
+
+ Each SCIM resource (Users, Groups, etc.) includes the following
+ common attributes. With the exception of the "ServiceProviderConfig"
+ and "ResourceType" server discovery endpoints and their associated
+ resources, these attributes MUST be defined for all resources,
+ including any extended resource types. When accepted by a service
+ provider (e.g., after a SCIM create), the attributes "id" and "meta"
+ (and its associated sub-attributes) MUST be assigned values by the
+ service provider. Common attributes are considered to be part of
+ every base resource schema and do not use their own "schemas" URI.
+
+ For backward compatibility, some existing schema definitions MAY list
+ common attributes as part of the schema. The attribute
+ characteristics (see Section 2.2) listed here SHALL take precedence
+ over older definitions that may be included in existing schemas.
+
+ id
+ A unique identifier for a SCIM resource as defined by the service
+ provider. Each representation of the resource MUST include a
+ non-empty "id" value. This identifier MUST be unique across the
+ SCIM service provider's entire set of resources. It MUST be a
+ stable, non-reassignable identifier that does not change when the
+ same resource is returned in subsequent requests. The value of
+ the "id" attribute is always issued by the service provider and
+ MUST NOT be specified by the client. The string "bulkId" is a
+ reserved keyword and MUST NOT be used within any unique identifier
+ value. The attribute characteristics are "caseExact" as "true", a
+ mutability of "readOnly", and a "returned" characteristic of
+ "always". See Section 9 for additional considerations regarding
+ privacy.
+
+ externalId
+ A String that is an identifier for the resource as defined by the
+ provisioning client. The "externalId" may simplify identification
+ of a resource between the provisioning client and the service
+ provider by allowing the client to use a filter to locate the
+ resource with an identifier from the provisioning domain,
+ obviating the need to store a local mapping between the
+ provisioning domain's identifier of the resource and the
+ identifier used by the service provider. Each resource MAY
+ include a non-empty "externalId" value. The value of the
+ "externalId" attribute is always issued by the provisioning client
+ and MUST NOT be specified by the service provider. The service
+ provider MUST always interpret the externalId as scoped to the
+ provisioning domain. While the server does not enforce
+ uniqueness, it is assumed that the value's uniqueness is
+ controlled by the client setting the value. See Section 9 for
+
+
+
+Hunt, et al. Standards Track [Page 16]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ additional considerations regarding privacy. This attribute has
+ "caseExact" as "true" and a mutability of "readWrite". This
+ attribute is OPTIONAL.
+
+ meta
+ A complex attribute containing resource metadata. All "meta"
+ sub-attributes are assigned by the service provider (have a
+ "mutability" of "readOnly"), and all of these sub-attributes have
+ a "returned" characteristic of "default". This attribute SHALL be
+ ignored when provided by clients. "meta" contains the following
+ sub-attributes:
+
+ resourceType The name of the resource type of the resource. This
+ attribute has a mutability of "readOnly" and "caseExact" as
+ "true".
+
+ created The "DateTime" that the resource was added to the service
+ provider. This attribute MUST be a DateTime.
+
+ lastModified The most recent DateTime that the details of this
+ resource were updated at the service provider. If this
+ resource has never been modified since its initial creation,
+ the value MUST be the same as the value of "created".
+
+ location The URI of the resource being returned. This value MUST
+ be the same as the "Content-Location" HTTP response header (see
+ Section 3.1.4.2 of [RFC7231]).
+
+ version The version of the resource being returned. This value
+ must be the same as the entity-tag (ETag) HTTP response header
+ (see Sections 2.1 and 2.3 of [RFC7232]). This attribute has
+ "caseExact" as "true". Service provider support for this
+ attribute is optional and subject to the service provider's
+ support for versioning (see Section 3.14 of [RFC7644]). If a
+ service provider provides "version" (entity-tag) for a
+ representation and the generation of that entity-tag does not
+ satisfy all of the characteristics of a strong validator (see
+ Section 2.1 of [RFC7232]), then the origin server MUST mark the
+ "version" (entity-tag) as weak by prefixing its opaque value
+ with "W/" (case sensitive).
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 17]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+3.2. Defining New Resource Types
+
+ SCIM may be extended to define new classes of resources by defining a
+ resource type. Each resource type defines the name, endpoint, base
+ schema (the attributes), and any schema extensions registered for use
+ with the resource type. In order to offer new types of resources, a
+ service provider defines the new resource type as specified in
+ Section 6 and defines a schema representation (see Section 8.7).
+
+3.3. Attribute Extensions to Resources
+
+ SCIM allows resource types to have extensions in addition to their
+ core schema. This is similar to how "objectClasses" are used in LDAP
+ [RFC4512]. However, unlike LDAP, there is no inheritance model; all
+ extensions are additive (similar to the LDAP auxiliary object class).
+ Each value in the "schemas" attribute indicates additive schema that
+ MAY exist in a SCIM resource representation. The "schemas" attribute
+ MUST contain at least one value, which SHALL be the base schema for
+ the resource. The "schemas" attribute MAY contain additional values
+ indicating extended schemas that are in use. Schema extensions
+ SHOULD avoid redefining any attributes defined in this specification
+ and SHOULD follow conventions defined in this specification. Except
+ for the base object schema, the schema extension URI SHALL be used as
+ a JSON container to distinguish attributes belonging to the extension
+ namespace from base schema attributes. See Figure 5, which is an
+ example of the JSON representation of an enterprise User and is also
+ an example of a User with extended schema.
+
+ In order to determine which URI value in the "schemas" attribute is
+ the base schema and which is an extended schema for any given
+ resource, the resource's "resourceType" attribute value MAY be used
+ to retrieve the resource's "ResourceType" schema (see Section 6).
+ See the "ResourceType" representation in Figure 8 for an example.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 18]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+4. SCIM Core Resources and Extensions
+
+ This section defines the default resource schemas present in a SCIM
+ server. SCIM is not exclusive to these resources and may be extended
+ to support other resource types (see Section 3.2).
+
+4.1. "User" Resource Schema
+
+ SCIM provides a resource type for "User" resources. The core schema
+ for "User" is identified using the following schema URI:
+ "urn:ietf:params:scim:schemas:core:2.0:User". The following
+ attributes are defined in addition to the core schema attributes:
+
+4.1.1. Singular Attributes
+
+ userName
+ A service provider's unique identifier for the user, typically
+ used by the user to directly authenticate to the service provider.
+ Often displayed to the user as their unique identifier within the
+ system (as opposed to "id" or "externalId", which are generally
+ opaque and not user-friendly identifiers). Each User MUST include
+ a non-empty userName value. This identifier MUST be unique across
+ the service provider's entire set of Users. This attribute is
+ REQUIRED and is case insensitive.
+
+ name
+ The components of the user's name. Service providers MAY return
+ just the full name as a single string in the formatted
+ sub-attribute, or they MAY return just the individual component
+ attributes using the other sub-attributes, or they MAY return
+ both. If both variants are returned, they SHOULD be describing
+ the same name, with the formatted name indicating how the
+ component attributes should be combined.
+
+ formatted The full name, including all middle names, titles, and
+ suffixes as appropriate, formatted for display (e.g.,
+ "Ms. Barbara Jane Jensen, III").
+
+ familyName The family name of the User, or last name in most
+ Western languages (e.g., "Jensen" given the full name
+ "Ms. Barbara Jane Jensen, III").
+
+ givenName The given name of the User, or first name in most
+ Western languages (e.g., "Barbara" given the full name
+ "Ms. Barbara Jane Jensen, III").
+
+ middleName The middle name(s) of the User (e.g., "Jane" given the
+ full name "Ms. Barbara Jane Jensen, III").
+
+
+
+Hunt, et al. Standards Track [Page 19]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ honorificPrefix The honorific prefix(es) of the User, or title in
+ most Western languages (e.g., "Ms." given the full name
+ "Ms. Barbara Jane Jensen, III").
+
+ honorificSuffix The honorific suffix(es) of the User, or suffix
+ in most Western languages (e.g., "III" given the full name
+ "Ms. Barbara Jane Jensen, III").
+
+ displayName
+ The name of the user, suitable for display to end-users. Each
+ user returned MAY include a non-empty displayName value. The name
+ SHOULD be the full name of the User being described, if known
+ (e.g., "Babs Jensen" or "Ms. Barbara J Jensen, III") but MAY be a
+ username or handle, if that is all that is available (e.g.,
+ "bjensen"). The value provided SHOULD be the primary textual
+ label by which this User is normally displayed by the service
+ provider when presenting it to end-users.
+
+ nickName
+ The casual way to address the user in real life, e.g., "Bob" or
+ "Bobby" instead of "Robert". This attribute SHOULD NOT be used to
+ represent a User's username (e.g., bjensen or mpepperidge).
+
+ profileUrl
+ A URI that is a uniform resource locator (as defined in
+ Section 1.1.3 of [RFC3986]) and that points to a location
+ representing the user's online profile (e.g., a web page). URIs
+ are canonicalized per Section 6.2 of [RFC3986].
+
+ title
+ The user's title, such as "Vice President".
+
+ userType
+ Used to identify the relationship between the organization and the
+ user. Typical values used might be "Contractor", "Employee",
+ "Intern", "Temp", "External", and "Unknown", but any value may be
+ used.
+
+ preferredLanguage
+ Indicates the user's preferred written or spoken languages and is
+ generally used for selecting a localized user interface. The
+ value indicates the set of natural languages that are preferred.
+ The format of the value is the same as the HTTP Accept-Language
+ header field (not including "Accept-Language:") and is specified
+ in Section 5.3.5 of [RFC7231]. The intent of this value is to
+ enable cloud applications to perform matching of language tags
+ [RFC4647] to the user's language preferences, regardless of what
+ may be indicated by a user agent (which might be shared), or in an
+
+
+
+Hunt, et al. Standards Track [Page 20]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ interaction that does not involve a user (such as in a delegated
+ OAuth 2.0 [RFC6749] style interaction) where normal HTTP
+ Accept-Language header negotiation cannot take place.
+
+ locale
+ Used to indicate the User's default location for purposes of
+ localizing such items as currency, date time format, or numerical
+ representations. A valid value is a language tag as defined in
+ [RFC5646]. Computer languages are explicitly excluded.
+
+ A language tag is a sequence of one or more case-insensitive
+ sub-tags, each separated by a hyphen character ("-", %x2D). For
+ backward compatibility, servers MAY accept tags separated by an
+ underscore character ("_", %x5F). In most cases, a language tag
+ consists of a primary language sub-tag that identifies a broad
+ family of related languages (e.g., "en" = English) and that is
+ optionally followed by a series of sub-tags that refine or narrow
+ that language's range (e.g., "en-CA" = the variety of English as
+ communicated in Canada). Whitespace is not allowed within a
+ language tag. Example tags include:
+
+ fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN
+
+ See [RFC5646] for further information.
+
+ timezone
+ The User's time zone, in IANA Time Zone database format [RFC6557],
+ also known as the "Olson" time zone database format [Olson-TZ]
+ (e.g., "America/Los_Angeles").
+
+ active
+ A Boolean value indicating the user's administrative status. The
+ definitive meaning of this attribute is determined by the service
+ provider. As a typical example, a value of true implies that the
+ user is able to log in, while a value of false implies that the
+ user's account has been suspended.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 21]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ password
+ This attribute is intended to be used as a means to set, replace,
+ or compare (i.e., filter for equality) a password. The cleartext
+ value or the hashed value of a password SHALL NOT be returnable by
+ a service provider. If a service provider holds the value
+ locally, the value SHOULD be hashed. When a password is set or
+ changed by the client, the cleartext password SHOULD be processed
+ by the service provider as follows:
+
+ * Prepare the cleartext value for international language
+ comparison. See Section 7.8 of [RFC7644].
+
+ * Validate the value against server password policy. Note: The
+ definition and enforcement of password policy are beyond the
+ scope of this document.
+
+ * Ensure that the value is encrypted (e.g., hashed). See
+ Section 9.2 for acceptable hashing and encryption handling when
+ storing or persisting for provisioning workflow reasons.
+
+ A service provider that immediately passes the cleartext value on
+ to another system or programming interface MUST pass the value
+ directly over a secured connection (e.g., Transport Layer Security
+ (TLS)). If the value needs to be temporarily persisted for a
+ period of time (e.g., because of a workflow) before provisioning,
+ then the value MUST be protected by some method, such as
+ encryption.
+
+ Testing for an equality match MAY be supported if there is an
+ existing stored hashed value. When testing for equality, the
+ service provider:
+
+ * Prepares the filter value for international language
+ comparison. See Section 7.8 of [RFC7644].
+
+ * Generates the salted hash of the filter value and tests for a
+ match with the locally held value.
+
+ The mutability of the password attribute is "writeOnly",
+ indicating that the value MUST NOT be returned by a service
+ provider in any form (the attribute characteristic "returned" is
+ "never").
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 22]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+4.1.2. Multi-Valued Attributes
+
+ The following multi-valued attributes are defined.
+
+ emails
+ Email addresses for the User. The value SHOULD be specified
+ according to [RFC5321]. Service providers SHOULD canonicalize the
+ value according to [RFC5321], e.g., "bjensen@example.com" instead
+ of "bjensen@EXAMPLE.COM". The "display" sub-attribute MAY be used
+ to return the canonicalized representation of the email value.
+ The "type" sub-attribute is used to provide a classification
+ meaningful to the (human) user. The user interface should
+ encourage the use of basic values of "work", "home", and "other"
+ and MAY allow additional type values to be used at the discretion
+ of SCIM clients.
+
+ phoneNumbers
+ Phone numbers for the user. The value SHOULD be specified
+ according to the format defined in [RFC3966], e.g.,
+ 'tel:+1-201-555-0123'. Service providers SHOULD canonicalize the
+ value according to [RFC3966] format, when appropriate. The
+ "display" sub-attribute MAY be used to return the canonicalized
+ representation of the phone number value. The sub-attribute
+ "type" often has typical values of "work", "home", "mobile",
+ "fax", "pager", and "other" and MAY allow more types to be defined
+ by the SCIM clients.
+
+ ims
+ Instant messaging address for the user. No official
+ canonicalization rules exist for all instant messaging addresses,
+ but service providers SHOULD, when appropriate, remove all
+ whitespace and convert the address to lowercase. The "type"
+ sub-attribute SHOULD take one of the following values: "aim",
+ "gtalk", "icq", "xmpp", "msn", "skype", "qq", "yahoo", or "other"
+ (representing currently popular IM services at the time of this
+ writing). Service providers MAY add further values if new IM
+ services are introduced and MAY specify more detailed
+ canonicalization rules for each possible value.
+
+ photos
+ A URI that is a uniform resource locator (as defined in
+ Section 1.1.3 of [RFC3986]) that points to a resource location
+ representing the user's image. The resource MUST be a file (e.g.,
+ a GIF, JPEG, or PNG image file) rather than a web page containing
+ an image. Service providers MAY return the same image in
+ different sizes, although it is recognized that no standard for
+ describing images of various sizes currently exists. Note that
+ this attribute SHOULD NOT be used to send down arbitrary photos
+
+
+
+Hunt, et al. Standards Track [Page 23]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ taken by this user; instead, profile photos of the user that are
+ suitable for display when describing the user should be sent.
+ Instead of the standard canonical values for type, this attribute
+ defines the following canonical values to represent popular photo
+ sizes: "photo" and "thumbnail".
+
+ addresses
+ A physical mailing address for this user. Canonical type values
+ of "work", "home", and "other". This attribute is a complex type
+ with the following sub-attributes. All sub-attributes are
+ OPTIONAL.
+
+ formatted The full mailing address, formatted for display or use
+ with a mailing label. This attribute MAY contain newlines.
+
+ streetAddress The full street address component, which may
+ include house number, street name, P.O. box, and multi-line
+ extended street address information. This attribute MAY
+ contain newlines.
+
+ locality The city or locality component.
+
+ region The state or region component.
+
+ postalCode The zip code or postal code component.
+
+ country The country name component. When specified, the value
+ MUST be in ISO 3166-1 "alpha-2" code format [ISO3166]; e.g.,
+ the United States and Sweden are "US" and "SE", respectively.
+
+ groups
+ A list of groups to which the user belongs, either through direct
+ membership, through nested groups, or dynamically calculated. The
+ values are meant to enable expression of common group-based or
+ role-based access control models, although no explicit
+ authorization model is defined. It is intended that the semantics
+ of group membership and any behavior or authorization granted as a
+ result of membership are defined by the service provider. The
+ canonical types "direct" and "indirect" are defined to describe
+ how the group membership was derived. Direct group membership
+ indicates that the user is directly associated with the group and
+ SHOULD indicate that clients may modify membership through the
+ "Group" resource. Indirect membership indicates that user
+ membership is transitive or dynamic and implies that clients
+ cannot modify indirect group membership through the "Group"
+ resource but MAY modify direct group membership through the
+ "Group" resource, which may influence indirect memberships. If
+ the SCIM service provider exposes a "Group" resource, the "value"
+
+
+
+Hunt, et al. Standards Track [Page 24]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ sub-attribute MUST be the "id", and the "$ref" sub-attribute must
+ be the URI of the corresponding "Group" resources to which the
+ user belongs. Since this attribute has a mutability of
+ "readOnly", group membership changes MUST be applied via the
+ "Group" Resource (Section 4.2). This attribute has a mutability
+ of "readOnly".
+
+ entitlements
+ A list of entitlements for the user that represent a thing the
+ user has. An entitlement may be an additional right to a thing,
+ object, or service. No vocabulary or syntax is specified; service
+ providers and clients are expected to encode sufficient
+ information in the value so as to accurately and without ambiguity
+ determine what the user has access to. This value has no
+ canonical types, although a type may be useful as a means to scope
+ entitlements.
+
+ roles
+ A list of roles for the user that collectively represent who the
+ user is, e.g., "Student", "Faculty". No vocabulary or syntax is
+ specified, although it is expected that a role value is a String
+ or label representing a collection of entitlements. This value
+ has no canonical types.
+
+ x509Certificates
+ A list of certificates associated with the resource (e.g., a
+ User). Each value contains exactly one DER-encoded X.509
+ certificate (see Section 4 of [RFC5280]), which MUST be base64
+ encoded per Section 4 of [RFC4648]. A single value MUST NOT
+ contain multiple certificates and so does not contain the encoding
+ "SEQUENCE OF Certificate" in any guise.
+
+4.2. "Group" Resource Schema
+
+ SCIM provides a schema for representing groups, identified using the
+ following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group".
+
+ "Group" resources are meant to enable expression of common
+ group-based or role-based access control models, although no explicit
+ authorization model is defined. It is intended that the semantics of
+ group membership, and any behavior or authorization granted as a
+ result of membership, are defined by the service provider; these are
+ considered out of scope for this specification.
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 25]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ The following singular attribute is defined in addition to the common
+ attributes defined in the SCIM core schema:
+
+ displayName
+ A human-readable name for the Group. REQUIRED.
+
+ The following multi-valued attribute is defined in addition to the
+ common attributes defined in the SCIM core schema:
+
+ members
+ A list of members of the Group. While values MAY be added or
+ removed, sub-attributes of members are "immutable". The "value"
+ sub-attribute contains the value of an "id" attribute of a SCIM
+ resource, and the "$ref" sub-attribute must be the URI of a SCIM
+ resource such as a "User", or a "Group". The intention of the
+ "Group" type is to allow the service provider to support nested
+ groups. Service providers MAY require clients to provide a
+ non-empty value by setting the "required" attribute characteristic
+ of a sub-attribute of the "members" attribute in the "Group"
+ resource schema.
+
+4.3. Enterprise User Schema Extension
+
+ The following SCIM extension defines attributes commonly used in
+ representing users that belong to, or act on behalf of, a business or
+ enterprise. The enterprise User extension is identified using the
+ following schema URI:
+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User".
+
+ The following singular attributes are defined:
+
+ employeeNumber
+ A string identifier, typically numeric or alphanumeric, assigned
+ to a person, typically based on order of hire or association with
+ an organization.
+
+ costCenter
+ Identifies the name of a cost center.
+
+ organization
+ Identifies the name of an organization.
+
+ division
+ Identifies the name of a division.
+
+ department
+ Identifies the name of a department.
+
+
+
+
+Hunt, et al. Standards Track [Page 26]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ manager
+ The user's manager. A complex type that optionally allows service
+ providers to represent organizational hierarchy by referencing the
+ "id" attribute of another User.
+
+ value The "id" of the SCIM resource representing the user's
+ manager. RECOMMENDED.
+
+ $ref The URI of the SCIM resource representing the User's
+ manager. RECOMMENDED.
+
+ displayName The displayName of the user's manager. This
+ attribute is OPTIONAL, and mutability is "readOnly".
+
+5. Service Provider Configuration Schema
+
+ SCIM provides a schema for representing the service provider's
+ configuration, identified using the following schema URI:
+ "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig".
+
+ The service provider configuration resource enables a service
+ provider to discover SCIM specification features in a standardized
+ form as well as provide additional implementation details to clients.
+ All attributes have a mutability of "readOnly". Unlike other core
+ resources, the "id" attribute is not required for the service
+ provider configuration resource.
+
+ The following singular attributes are defined in addition to the
+ common attributes defined in the core schema:
+
+ documentationUri
+ An HTTP-addressable URL pointing to the service provider's
+ human-consumable help documentation. OPTIONAL.
+
+ patch
+ A complex type that specifies PATCH configuration options.
+ REQUIRED. See Section 3.5.2 of [RFC7644].
+
+ supported A Boolean value specifying whether or not the operation
+ is supported. REQUIRED.
+
+ bulk
+ A complex type that specifies bulk configuration options. See
+ Section 3.7 of [RFC7644]. REQUIRED.
+
+ supported A Boolean value specifying whether or not the operation
+ is supported. REQUIRED.
+
+
+
+
+Hunt, et al. Standards Track [Page 27]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ maxOperations An integer value specifying the maximum number of
+ operations. REQUIRED.
+
+ maxPayloadSize An integer value specifying the maximum payload
+ size in bytes. REQUIRED.
+
+ filter
+ A complex type that specifies FILTER options. REQUIRED. See
+ Section 3.4.2.2 of [RFC7644].
+
+ supported A Boolean value specifying whether or not the operation
+ is supported. REQUIRED.
+
+ maxResults An integer value specifying the maximum number of
+ resources returned in a response. REQUIRED.
+
+ changePassword
+ A complex type that specifies configuration options related to
+ changing a password. REQUIRED.
+
+ supported A Boolean value specifying whether or not the operation
+ is supported. REQUIRED.
+
+ sort
+ A complex type that specifies Sort configuration options.
+ REQUIRED.
+
+ supported A Boolean value specifying whether or not sorting is
+ supported. REQUIRED.
+
+ etag
+ A complex type that specifies ETag configuration options.
+ REQUIRED.
+
+ supported A Boolean value specifying whether or not the operation
+ is supported. REQUIRED.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 28]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ The following multi-valued attribute is defined in addition to the
+ common attributes defined in the core schema:
+
+ authenticationSchemes
+ A multi-valued complex type that specifies supported
+ authentication scheme properties. To enable seamless discovery of
+ configurations, the service provider SHOULD, with the appropriate
+ security considerations, make the authenticationSchemes attribute
+ publicly accessible without prior authentication. REQUIRED. The
+ following sub-attributes are defined:
+
+ type The authentication scheme. This specification defines the
+ values "oauth", "oauth2", "oauthbearertoken", "httpbasic", and
+ "httpdigest". REQUIRED.
+
+ name The common authentication scheme name, e.g., HTTP Basic.
+ REQUIRED.
+
+ description A description of the authentication scheme.
+ REQUIRED.
+
+ specUri An HTTP-addressable URL pointing to the authentication
+ scheme's specification. OPTIONAL.
+
+ documentationUri An HTTP-addressable URL pointing to the
+ authentication scheme's usage documentation. OPTIONAL.
+
+6. ResourceType Schema
+
+ The "ResourceType" schema specifies the metadata about a resource
+ type. Resource type resources are READ-ONLY and identified using the
+ following schema URI:
+ "urn:ietf:params:scim:schemas:core:2.0:ResourceType". Unlike other
+ core resources, all attributes are REQUIRED unless otherwise
+ specified. The "id" attribute is not required for the resource type
+ resource.
+
+ The following singular attributes are defined:
+
+ id
+ The resource type's server unique id. This is often the same
+ value as the "name" attribute. OPTIONAL.
+
+ name
+ The resource type name. When applicable, service providers MUST
+ specify the name, e.g., "User" or "Group". This name is
+ referenced by the "meta.resourceType" attribute in all resources.
+ REQUIRED.
+
+
+
+Hunt, et al. Standards Track [Page 29]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ description
+ The resource type's human-readable description. When applicable,
+ service providers MUST specify the description. OPTIONAL.
+
+ endpoint
+ The resource type's HTTP-addressable endpoint relative to the Base
+ URL of the service provider, e.g., "Users". REQUIRED.
+
+ schema
+ The resource type's primary/base schema URI, e.g.,
+ "urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal
+ to the "id" attribute of the associated "Schema" resource.
+ REQUIRED.
+
+ schemaExtensions
+ A list of URIs of the resource type's schema extensions.
+ OPTIONAL.
+
+ schema The URI of an extended schema, e.g., "urn:edu:2.0:Staff".
+ This MUST be equal to the "id" attribute of a "Schema"
+ resource. REQUIRED.
+
+ required A Boolean value that specifies whether or not the schema
+ extension is required for the resource type. If true, a
+ resource of this type MUST include this schema extension and
+ also include any attributes declared as required in this schema
+ extension. If false, a resource of this type MAY omit this
+ schema extension. REQUIRED.
+
+7. Schema Definition
+
+ This section defines a way to specify the schema in use by resources
+ available and accepted by a SCIM service provider. For each
+ "schemas" URI value, this schema specifies the defined attribute(s)
+ and their characteristics (mutability, returnability, etc). For
+ every schema URI used in a resource object, there is a corresponding
+ "Schema" resource. "Schema" resources are not modifiable, and their
+ associated attributes have a mutability of "readOnly". Except for
+ "id" (which is always returned), all attributes have a "returned"
+ characteristic of "default". Unless otherwise specified, all schema
+ attributes are case insensitive. These resources have a "schemas"
+ attribute with the following schema URI:
+
+ urn:ietf:params:scim:schemas:core:2.0:Schema
+
+ Unlike other core resources, the "Schema" resource MAY contain a
+ complex object within a sub-attribute, and all attributes are
+ REQUIRED unless otherwise specified.
+
+
+
+Hunt, et al. Standards Track [Page 30]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ The following singular attributes are defined:
+
+ id
+ The unique URI of the schema. When applicable, service providers
+ MUST specify the URI, e.g.,
+ "urn:ietf:params:scim:schemas:core:2.0:User". Unlike most other
+ schemas, which use some sort of Globally Unique Identifier (GUID)
+ for the "id", the schema "id" is a URI so that it can be
+ registered and is portable between different service providers and
+ clients. REQUIRED.
+
+ name
+ The schema's human-readable name. When applicable, service
+ providers MUST specify the name, e.g., "User" or "Group".
+ OPTIONAL.
+
+ description
+ The schema's human-readable description. When applicable, service
+ providers MUST specify the description. OPTIONAL.
+
+ The following multi-valued attribute is defined:
+
+ attributes
+ A complex type that defines service provider attributes and their
+ qualities via the following set of sub-attributes:
+
+ name The attribute's name.
+
+ type The attribute's data type. Valid values are "string",
+ "boolean", "decimal", "integer", "dateTime", "reference", and
+ "complex". When an attribute is of type "complex", there
+ SHOULD be a corresponding schema attribute "subAttributes"
+ defined, listing the sub-attributes of the attribute.
+
+ subAttributes When an attribute is of type "complex",
+ "subAttributes" defines a set of sub-attributes.
+ "subAttributes" has the same schema sub-attributes as
+ "attributes".
+
+ multiValued A Boolean value indicating the attribute's plurality.
+
+ description The attribute's human-readable description. When
+ applicable, service providers MUST specify the description.
+
+ required A Boolean value that specifies whether or not the
+ attribute is required.
+
+
+
+
+
+Hunt, et al. Standards Track [Page 31]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ canonicalValues A collection of suggested canonical values that
+ MAY be used (e.g., "work" and "home"). In some cases, service
+ providers MAY choose to ignore unsupported values. OPTIONAL.
+
+ caseExact A Boolean value that specifies whether or not a string
+ attribute is case sensitive. The server SHALL use case
+ sensitivity when evaluating filters. For attributes that are
+ case exact, the server SHALL preserve case for any value
+ submitted. If the attribute is case insensitive, the server
+ MAY alter case for a submitted value. Case sensitivity also
+ impacts how attribute values MAY be compared against filter
+ values (see Section 3.4.2.2 of [RFC7644]).
+
+ mutability A single keyword indicating the circumstances under
+ which the value of the attribute can be (re)defined:
+
+ readOnly The attribute SHALL NOT be modified.
+
+ readWrite The attribute MAY be updated and read at any time.
+ This is the default value.
+
+ immutable The attribute MAY be defined at resource creation
+ (e.g., POST) or at record replacement via a request (e.g., a
+ PUT). The attribute SHALL NOT be updated.
+
+ writeOnly The attribute MAY be updated at any time. Attribute
+ values SHALL NOT be returned (e.g., because the value is a
+ stored hash). Note: An attribute with a mutability of
+ "writeOnly" usually also has a returned setting of "never".
+
+ returned A single keyword that indicates when an attribute and
+ associated values are returned in response to a GET request or
+ in response to a PUT, POST, or PATCH request. Valid keywords
+ are as follows:
+
+ always The attribute is always returned, regardless of the
+ contents of the "attributes" parameter. For example, "id"
+ is always returned to identify a SCIM resource.
+
+ never The attribute is never returned. This may occur because
+ the original attribute value (e.g., a hashed value) is not
+ retained by the service provider. A service provider MAY
+ allow attributes to be used in a search filter.
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 32]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ default The attribute is returned by default in all SCIM
+ operation responses where attribute values are returned. If
+ the GET request "attributes" parameter is specified,
+ attribute values are only returned if the attribute is named
+ in the "attributes" parameter. DEFAULT.
+
+ request The attribute is returned in response to any PUT,
+ POST, or PATCH operations if the attribute was specified by
+ the client (for example, the attribute was modified). The
+ attribute is returned in a SCIM query operation only if
+ specified in the "attributes" parameter.
+
+ uniqueness A single keyword value that specifies how the service
+ provider enforces uniqueness of attribute values. A server MAY
+ reject an invalid value based on uniqueness by returning HTTP
+ response code 400 (Bad Request). A client MAY enforce
+ uniqueness on the client side to a greater degree than the
+ service provider enforces. For example, a client could make a
+ value unique while the server has uniqueness of "none". Valid
+ keywords are as follows:
+
+ none The values are not intended to be unique in any way.
+ DEFAULT.
+
+ server The value SHOULD be unique within the context of the
+ current SCIM endpoint (or tenancy) and MAY be globally
+ unique (e.g., a "username", email address, or other
+ server-generated key or counter). No two resources on the
+ same server SHOULD possess the same value.
+
+ global The value SHOULD be globally unique (e.g., an email
+ address, a GUID, or other value). No two resources on any
+ server SHOULD possess the same value.
+
+ referenceTypes A multi-valued array of JSON strings that indicate
+ the SCIM resource types that may be referenced. Valid values
+ are as follows:
+
+ + A SCIM resource type (e.g., "User" or "Group"),
+
+ + "external" - indicating that the resource is an external
+ resource (e.g., a photo), or
+
+ + "uri" - indicating that the reference is to a service
+ endpoint or an identifier (e.g., a schema URN).
+
+ This attribute is only applicable for attributes that are of
+ type "reference" (Section 2.3.7).
+
+
+
+Hunt, et al. Standards Track [Page 33]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+8. JSON Representation
+
+8.1. Minimal User Representation
+
+ The following is a non-normative example of the minimal required SCIM
+ representation in JSON format.
+
+{
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "id": "2819c223-7f76-453a-919d-413861904646",
+ "userName": "bjensen@example.com",
+ "meta": {
+ "resourceType": "User",
+ "created": "2010-01-23T04:56:22Z",
+ "lastModified": "2011-05-13T04:42:34Z",
+ "version": "W\/\"3694e05e9dff590\"",
+ "location":
+ "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
+ }
+}
+
+ Figure 3: Example Minimal User JSON Representation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 34]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+8.2. Full User Representation
+
+ The following is a non-normative example of the fully populated SCIM
+ representation in JSON format.
+
+{
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "id": "2819c223-7f76-453a-919d-413861904646",
+ "externalId": "701984",
+ "userName": "bjensen@example.com",
+ "name": {
+ "formatted": "Ms. Barbara J Jensen, III",
+ "familyName": "Jensen",
+ "givenName": "Barbara",
+ "middleName": "Jane",
+ "honorificPrefix": "Ms.",
+ "honorificSuffix": "III"
+ },
+ "displayName": "Babs Jensen",
+ "nickName": "Babs",
+ "profileUrl": "https://login.example.com/bjensen",
+ "emails": [
+ {
+ "value": "bjensen@example.com",
+ "type": "work",
+ "primary": true
+ },
+ {
+ "value": "babs@jensen.org",
+ "type": "home"
+ }
+ ],
+ "addresses": [
+ {
+ "type": "work",
+ "streetAddress": "100 Universal City Plaza",
+ "locality": "Hollywood",
+ "region": "CA",
+ "postalCode": "91608",
+ "country": "USA",
+ "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
+ "primary": true
+ },
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 35]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "type": "home",
+ "streetAddress": "456 Hollywood Blvd",
+ "locality": "Hollywood",
+ "region": "CA",
+ "postalCode": "91608",
+ "country": "USA",
+ "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA"
+ }
+ ],
+ "phoneNumbers": [
+ {
+ "value": "555-555-5555",
+ "type": "work"
+ },
+ {
+ "value": "555-555-4444",
+ "type": "mobile"
+ }
+ ],
+ "ims": [
+ {
+ "value": "someaimhandle",
+ "type": "aim"
+ }
+ ],
+ "photos": [
+ {
+ "value":
+ "https://photos.example.com/profilephoto/72930000000Ccne/F",
+ "type": "photo"
+ },
+ {
+ "value":
+ "https://photos.example.com/profilephoto/72930000000Ccne/T",
+ "type": "thumbnail"
+ }
+ ],
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 36]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ "userType": "Employee",
+ "title": "Tour Guide",
+ "preferredLanguage": "en-US",
+ "locale": "en-US",
+ "timezone": "America/Los_Angeles",
+ "active":true,
+ "password": "t1meMa$heen",
+ "groups": [
+ {
+ "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
+ "$ref":
+"https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
+ "display": "Tour Guides"
+ },
+ {
+ "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
+ "$ref":
+"https://example.com/v2/Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
+ "display": "Employees"
+ },
+ {
+ "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
+ "$ref":
+"https://example.com/v2/Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
+ "display": "US Employees"
+ }
+ ],
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 37]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ "x509Certificates": [
+ {
+ "value":
+ "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
+ EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
+ VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
+ MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
+ eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
+ IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
+ AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
+ 1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
+ PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
+ zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
+ DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
+ SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
+ HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
+ Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
+ dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
+ Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
+ C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
+ +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo="
+ }
+ ],
+ "meta": {
+ "resourceType": "User",
+ "created": "2010-01-23T04:56:22Z",
+ "lastModified": "2011-05-13T04:42:34Z",
+ "version": "W\/\"a330bc54f0671c9\"",
+ "location":
+"https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
+ }
+}
+
+ Figure 4: Example Full User JSON Representation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 38]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+8.3. Enterprise User Extension Representation
+
+ The following is a non-normative example of the fully populated User
+ using the enterprise User extension in JSON format.
+
+{
+ "schemas":
+ ["urn:ietf:params:scim:schemas:core:2.0:User",
+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
+ "id": "2819c223-7f76-453a-919d-413861904646",
+ "externalId": "701984",
+ "userName": "bjensen@example.com",
+ "name": {
+ "formatted": "Ms. Barbara J Jensen, III",
+ "familyName": "Jensen",
+ "givenName": "Barbara",
+ "middleName": "Jane",
+ "honorificPrefix": "Ms.",
+ "honorificSuffix": "III"
+ },
+ "displayName": "Babs Jensen",
+ "nickName": "Babs",
+ "profileUrl": "https://login.example.com/bjensen",
+ "emails": [
+ {
+ "value": "bjensen@example.com",
+ "type": "work",
+ "primary": true
+ },
+ {
+ "value": "babs@jensen.org",
+ "type": "home"
+ }
+ ],
+ "addresses": [
+ {
+ "streetAddress": "100 Universal City Plaza",
+ "locality": "Hollywood",
+ "region": "CA",
+ "postalCode": "91608",
+ "country": "USA",
+ "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
+ "type": "work",
+ "primary": true
+ },
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 39]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "streetAddress": "456 Hollywood Blvd",
+ "locality": "Hollywood",
+ "region": "CA",
+ "postalCode": "91608",
+ "country": "USA",
+ "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA",
+ "type": "home"
+ }
+ ],
+ "phoneNumbers": [
+ {
+ "value": "555-555-5555",
+ "type": "work"
+ },
+ {
+ "value": "555-555-4444",
+ "type": "mobile"
+ }
+ ],
+ "ims": [
+ {
+ "value": "someaimhandle",
+ "type": "aim"
+ }
+ ],
+ "photos": [
+ {
+ "value":
+ "https://photos.example.com/profilephoto/72930000000Ccne/F",
+ "type": "photo"
+ },
+ {
+ "value":
+ "https://photos.example.com/profilephoto/72930000000Ccne/T",
+ "type": "thumbnail"
+ }
+ ],
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 40]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ "userType": "Employee",
+ "title": "Tour Guide",
+ "preferredLanguage": "en-US",
+ "locale": "en-US",
+ "timezone": "America/Los_Angeles",
+ "active":true,
+ "password": "t1meMa$heen",
+ "groups": [
+ {
+ "value": "e9e30dba-f08f-4109-8486-d5c6a331660a",
+ "$ref": "../Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
+ "display": "Tour Guides"
+ },
+ {
+ "value": "fc348aa8-3835-40eb-a20b-c726e15c55b5",
+ "$ref": "../Groups/fc348aa8-3835-40eb-a20b-c726e15c55b5",
+ "display": "Employees"
+ },
+ {
+ "value": "71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
+ "$ref": "../Groups/71ddacd2-a8e7-49b8-a5db-ae50d0a5bfd7",
+ "display": "US Employees"
+ }
+ ],
+ "x509Certificates": [
+ {
+ "value":
+ "MIIDQzCCAqygAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx
+ EzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAoMC2V4YW1wbGUuY29tMRQwEgYD
+ VQQDDAtleGFtcGxlLmNvbTAeFw0xMTEwMjIwNjI0MzFaFw0xMjEwMDQwNjI0MzFa
+ MH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQKDAtl
+ eGFtcGxlLmNvbTEhMB8GA1UEAwwYTXMuIEJhcmJhcmEgSiBKZW5zZW4gSUlJMSIw
+ IAYJKoZIhvcNAQkBFhNiamVuc2VuQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
+ AQEFAAOCAQ8AMIIBCgKCAQEA7Kr+Dcds/JQ5GwejJFcBIP682X3xpjis56AK02bc
+ 1FLgzdLI8auoR+cC9/Vrh5t66HkQIOdA4unHh0AaZ4xL5PhVbXIPMB5vAPKpzz5i
+ PSi8xO8SL7I7SDhcBVJhqVqr3HgllEG6UClDdHO7nkLuwXq8HcISKkbT5WFTVfFZ
+ zidPl8HZ7DhXkZIRtJwBweq4bvm3hM1Os7UQH05ZS6cVDgweKNwdLLrT51ikSQG3
+ DYrl+ft781UQRIqxgwqCfXEuDiinPh0kkvIi5jivVu1Z9QiwlYEdRbLJ4zJQBmDr
+ SGTMYn4lRc2HgHO4DqB/bnMVorHB0CC6AV1QoFK4GPe1LwIDAQABo3sweTAJBgNV
+ HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
+ Y2F0ZTAdBgNVHQ4EFgQU8pD0U0vsZIsaA16lL8En8bx0F/gwHwYDVR0jBBgwFoAU
+ dGeKitcaF7gnzsNwDx708kqaVt0wDQYJKoZIhvcNAQEFBQADgYEAA81SsFnOdYJt
+ Ng5Tcq+/ByEDrBgnusx0jloUhByPMEVkoMZ3J7j1ZgI8rAbOkNngX8+pKfTiDz1R
+ C4+dx8oU6Za+4NJXUjlL5CvV6BEYb1+QAEJwitTVvxB/A67g42/vzgAtoRUeDov1
+ +GFiBZ+GNF/cAYKcMtGcrs2i97ZkJMo="
+ }
+ ],
+
+
+
+
+Hunt, et al. Standards Track [Page 41]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
+ "employeeNumber": "701984",
+ "costCenter": "4130",
+ "organization": "Universal Studios",
+ "division": "Theme Park",
+ "department": "Tour Operations",
+ "manager": {
+ "value": "26118915-6090-4610-87e4-49d8ca9f808d",
+ "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d",
+ "displayName": "John Smith"
+ }
+ },
+ "meta": {
+ "resourceType": "User",
+ "created": "2010-01-23T04:56:22Z",
+ "lastModified": "2011-05-13T04:42:34Z",
+ "version": "W\/\"3694e05e9dff591\"",
+ "location":
+"https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
+ }
+}
+
+ Figure 5: Example Enterprise User JSON Representation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 42]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+8.4. Group Representation
+
+ The following is a non-normative example of the SCIM Group
+ representation in JSON format.
+
+ {
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+ "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
+ "displayName": "Tour Guides",
+ "members": [
+ {
+ "value": "2819c223-7f76-453a-919d-413861904646",
+ "$ref":
+ "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
+ "display": "Babs Jensen"
+ },
+ {
+ "value": "902c246b-6245-4190-8e05-00816be7344a",
+ "$ref":
+ "https://example.com/v2/Users/902c246b-6245-4190-8e05-00816be7344a",
+ "display": "Mandy Pepperidge"
+ }
+ ],
+ "meta": {
+ "resourceType": "Group",
+ "created": "2010-01-23T04:56:22Z",
+ "lastModified": "2011-05-13T04:42:34Z",
+ "version": "W\/\"3694e05e9dff592\"",
+ "location":
+ "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a"
+ }
+ }
+
+ Figure 6: Example Group JSON Representation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 43]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+8.5. Service Provider Configuration Representation
+
+ The following is a non-normative example of the SCIM service provider
+ configuration representation in JSON format.
+
+ {
+ "schemas":
+ ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+ "documentationUri": "http://example.com/help/scim.html",
+ "patch": {
+ "supported":true
+ },
+ "bulk": {
+ "supported":true,
+ "maxOperations":1000,
+ "maxPayloadSize":1048576
+ },
+ "filter": {
+ "supported":true,
+ "maxResults": 200
+ },
+ "changePassword": {
+ "supported":true
+ },
+ "sort": {
+ "supported":true
+ },
+ "etag": {
+ "supported":true
+ },
+ "authenticationSchemes": [
+ {
+ "name": "OAuth Bearer Token",
+ "description":
+ "Authentication scheme using the OAuth Bearer Token Standard",
+ "specUri": "http://www.rfc-editor.org/info/rfc6750",
+ "documentationUri": "http://example.com/help/oauth.html",
+ "type": "oauthbearertoken",
+ "primary": true
+ },
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 44]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name": "HTTP Basic",
+ "description":
+ "Authentication scheme using the HTTP Basic Standard",
+ "specUri": "http://www.rfc-editor.org/info/rfc2617",
+ "documentationUri": "http://example.com/help/httpBasic.html",
+ "type": "httpbasic"
+ }
+ ],
+ "meta": {
+ "location": "https://example.com/v2/ServiceProviderConfig",
+ "resourceType": "ServiceProviderConfig",
+ "created": "2010-01-23T04:56:22Z",
+ "lastModified": "2011-05-13T04:42:34Z",
+ "version": "W\/\"3694e05e9dff594\""
+ }
+ }
+
+ Figure 7: Example Service Provider Configuration JSON Representation
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 45]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+8.6. Resource Type Representation
+
+ The following is a non-normative example of the SCIM resource types
+ in JSON format.
+
+ [{
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+ "id": "User",
+ "name": "User",
+ "endpoint": "/Users",
+ "description": "User Account",
+ "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
+ "schemaExtensions": [
+ {
+ "schema":
+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
+ "required": true
+ }
+ ],
+ "meta": {
+ "location": "https://example.com/v2/ResourceTypes/User",
+ "resourceType": "ResourceType"
+ }
+ },
+ {
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+ "id": "Group",
+ "name": "Group",
+ "endpoint": "/Groups",
+ "description": "Group",
+ "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
+ "meta": {
+ "location": "https://example.com/v2/ResourceTypes/Group",
+ "resourceType": "ResourceType"
+ }
+ }]
+
+ Figure 8: Example Resource Type JSON Representation
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 46]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+8.7. Schema Representation
+
+ The following sections provide representations of schemas for both
+ SCIM resources and service provider schemas. Note that the JSON
+ representation has been modified for readability and to fit the
+ specification format.
+
+8.7.1. Resource Schema Representation
+
+ The following is intended as an example of the SCIM schema
+ representation in JSON format for SCIM resources. Where permitted,
+ individual values and schema MAY change. This example includes
+ schema representations for "User", "Group", and "EnterpriseUser";
+ other schema representations are possible.
+
+[
+ {
+ "id" : "urn:ietf:params:scim:schemas:core:2.0:User",
+ "name" : "User",
+ "description" : "User Account",
+ "attributes" : [
+ {
+ "name" : "userName",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Unique identifier for the User, typically
+used by the user to directly authenticate to the service provider.
+Each User MUST include a non-empty userName value. This identifier
+MUST be unique across the service provider's entire set of Users.
+REQUIRED.",
+ "required" : true,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "server"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 47]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "name",
+ "type" : "complex",
+ "multiValued" : false,
+ "description" : "The components of the user's real name.
+Providers MAY return just the full name as a single string in the
+formatted sub-attribute, or they MAY return just the individual
+component attributes using the other sub-attributes, or they MAY
+return both. If both variants are returned, they SHOULD be
+describing the same name, with the formatted name indicating how the
+component attributes should be combined.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "formatted",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The full name, including all middle
+names, titles, and suffixes as appropriate, formatted for display
+(e.g., 'Ms. Barbara J Jensen, III').",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "familyName",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The family name of the User, or
+last name in most Western languages (e.g., 'Jensen' given the full
+name 'Ms. Barbara J Jensen, III').",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 48]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "givenName",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The given name of the User, or
+first name in most Western languages (e.g., 'Barbara' given the
+full name 'Ms. Barbara J Jensen, III').",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "middleName",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The middle name(s) of the User
+(e.g., 'Jane' given the full name 'Ms. Barbara J Jensen, III').",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "honorificPrefix",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The honorific prefix(es) of the User, or
+title in most Western languages (e.g., 'Ms.' given the full name
+'Ms. Barbara J Jensen, III').",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 49]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "honorificSuffix",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The honorific suffix(es) of the User, or
+suffix in most Western languages (e.g., 'III' given the full name
+'Ms. Barbara J Jensen, III').",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "displayName",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The name of the User, suitable for display
+to end-users. The name SHOULD be the full name of the User being
+described, if known.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "nickName",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The casual way to address the user in real
+life, e.g., 'Bob' or 'Bobby' instead of 'Robert'. This attribute
+SHOULD NOT be used to represent a User's username (e.g., 'bjensen' or
+'mpepperidge').",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 50]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "profileUrl",
+ "type" : "reference",
+ "referenceTypes" : ["external"],
+ "multiValued" : false,
+ "description" : "A fully qualified URL pointing to a page
+representing the User's online profile.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "title",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The user's title, such as
+\"Vice President.\"",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "userType",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Used to identify the relationship between
+the organization and the user. Typical values used might be
+'Contractor', 'Employee', 'Intern', 'Temp', 'External', and
+'Unknown', but any value may be used.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 51]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "preferredLanguage",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Indicates the User's preferred written or
+spoken language. Generally used for selecting a localized user
+interface; e.g., 'en_US' specifies the language English and country
+US.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "locale",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Used to indicate the User's default location
+for purposes of localizing items such as currency, date time format, or
+numerical representations.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "timezone",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The User's time zone in the 'Olson' time zone
+database format, e.g., 'America/Los_Angeles'.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 52]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "active",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating the User's
+administrative status.",
+ "required" : false,
+ "mutability" : "readWrite",
+ "returned" : "default"
+ },
+ {
+ "name" : "password",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The User's cleartext password. This
+attribute is intended to be used as a means to specify an initial
+password when creating a new User or to reset an existing User's
+password.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "writeOnly",
+ "returned" : "never",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "emails",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "Email addresses for the user. The value
+SHOULD be canonicalized by the service provider, e.g.,
+'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'.
+Canonical type values of 'work', 'home', and 'other'.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "value",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Email addresses for the user. The value
+SHOULD be canonicalized by the service provider, e.g.,
+'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'.
+Canonical type values of 'work', 'home', and 'other'.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+Hunt, et al. Standards Track [Page 53]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "display",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable name, primarily used
+for display purposes. READ-ONLY.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A label indicating the attribute's
+function, e.g., 'work' or 'home'.",
+ "required" : false,
+ "caseExact" : false,
+ "canonicalValues" : [
+ "work",
+ "home",
+ "other"
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "primary",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating the 'primary'
+or preferred attribute value for this attribute, e.g., the preferred
+mailing address or primary email address. The primary attribute
+value 'true' MUST appear no more than once.",
+ "required" : false,
+ "mutability" : "readWrite",
+ "returned" : "default"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+Hunt, et al. Standards Track [Page 54]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "phoneNumbers",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "Phone numbers for the User. The value
+SHOULD be canonicalized by the service provider according to the
+format specified in RFC 3966, e.g., 'tel:+1-201-555-0123'.
+Canonical type values of 'work', 'home', 'mobile', 'fax', 'pager',
+and 'other'.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "value",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Phone number of the User.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "display",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable name, primarily used
+for display purposes. READ-ONLY.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 55]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A label indicating the attribute's
+function, e.g., 'work', 'home', 'mobile'.",
+ "required" : false,
+ "caseExact" : false,
+ "canonicalValues" : [
+ "work",
+ "home",
+ "mobile",
+ "fax",
+ "pager",
+ "other"
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "primary",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating the 'primary'
+or preferred attribute value for this attribute, e.g., the preferred
+phone number or primary phone number. The primary attribute value
+'true' MUST appear no more than once.",
+ "required" : false,
+ "mutability" : "readWrite",
+ "returned" : "default"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 56]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "ims",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "Instant messaging addresses for the User.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "value",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Instant messaging address for the User.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "display",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable name, primarily used
+for display purposes. READ-ONLY.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 57]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A label indicating the attribute's
+function, e.g., 'aim', 'gtalk', 'xmpp'.",
+ "required" : false,
+ "caseExact" : false,
+ "canonicalValues" : [
+ "aim",
+ "gtalk",
+ "icq",
+ "xmpp",
+ "msn",
+ "skype",
+ "qq",
+ "yahoo"
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "primary",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating the 'primary'
+or preferred attribute value for this attribute, e.g., the preferred
+messenger or primary messenger. The primary attribute value 'true'
+MUST appear no more than once.",
+ "required" : false,
+ "mutability" : "readWrite",
+ "returned" : "default"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 58]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "photos",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "URLs of photos of the User.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "value",
+ "type" : "reference",
+ "referenceTypes" : ["external"],
+ "multiValued" : false,
+ "description" : "URL of a photo of the User.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "display",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable name, primarily used
+for display purposes. READ-ONLY.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 59]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A label indicating the attribute's
+function, i.e., 'photo' or 'thumbnail'.",
+ "required" : false,
+ "caseExact" : false,
+ "canonicalValues" : [
+ "photo",
+ "thumbnail"
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "primary",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating the 'primary'
+or preferred attribute value for this attribute, e.g., the preferred
+photo or thumbnail. The primary attribute value 'true' MUST appear
+no more than once.",
+ "required" : false,
+ "mutability" : "readWrite",
+ "returned" : "default"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 60]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "addresses",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "A physical mailing address for this User.
+Canonical type values of 'work', 'home', and 'other'. This attribute
+is a complex type with the following sub-attributes.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "formatted",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The full mailing address, formatted for
+display or use with a mailing label. This attribute MAY contain
+newlines.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "streetAddress",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The full street address component,
+which may include house number, street name, P.O. box, and multi-line
+extended street address information. This attribute MAY contain
+newlines.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "locality",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The city or locality component.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+Hunt, et al. Standards Track [Page 61]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "region",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The state or region component.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "postalCode",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The zip code or postal code component.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "country",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The country name component.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 62]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A label indicating the attribute's
+function, e.g., 'work' or 'home'.",
+ "required" : false,
+ "caseExact" : false,
+ "canonicalValues" : [
+ "work",
+ "home",
+ "other"
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "groups",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "A list of groups to which the user belongs,
+either through direct membership, through nested groups, or
+dynamically calculated.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "value",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The identifier of the User's group.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 63]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "$ref",
+ "type" : "reference",
+ "referenceTypes" : [
+ "User",
+ "Group"
+ ],
+ "multiValued" : false,
+ "description" : "The URI of the corresponding 'Group'
+resource to which the user belongs.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "display",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable name, primarily used
+for display purposes. READ-ONLY.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A label indicating the attribute's
+function, e.g., 'direct' or 'indirect'.",
+ "required" : false,
+ "caseExact" : false,
+ "canonicalValues" : [
+ "direct",
+ "indirect"
+ ],
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ }
+ ],
+ "mutability" : "readOnly",
+ "returned" : "default"
+ },
+
+
+
+Hunt, et al. Standards Track [Page 64]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "entitlements",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "A list of entitlements for the User that
+represent a thing the User has.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "value",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The value of an entitlement.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "display",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable name, primarily used
+for display purposes. READ-ONLY.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A label indicating the attribute's
+function.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 65]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "primary",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating the 'primary'
+or preferred attribute value for this attribute. The primary
+attribute value 'true' MUST appear no more than once.",
+ "required" : false,
+ "mutability" : "readWrite",
+ "returned" : "default"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default"
+ },
+ {
+ "name" : "roles",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "A list of roles for the User that
+collectively represent who the User is, e.g., 'Student', 'Faculty'.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "value",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The value of a role.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "display",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable name, primarily used
+for display purposes. READ-ONLY.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+Hunt, et al. Standards Track [Page 66]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A label indicating the attribute's
+function.",
+ "required" : false,
+ "caseExact" : false,
+ "canonicalValues" : [],
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "primary",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating the 'primary'
+or preferred attribute value for this attribute. The primary
+attribute value 'true' MUST appear no more than once.",
+ "required" : false,
+ "mutability" : "readWrite",
+ "returned" : "default"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default"
+ },
+ {
+ "name" : "x509Certificates",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "A list of certificates issued to the User.",
+ "required" : false,
+ "caseExact" : false,
+ "subAttributes" : [
+ {
+ "name" : "value",
+ "type" : "binary",
+ "multiValued" : false,
+ "description" : "The value of an X.509 certificate.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+Hunt, et al. Standards Track [Page 67]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "display",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable name, primarily used
+for display purposes. READ-ONLY.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A label indicating the attribute's
+function.",
+ "required" : false,
+ "caseExact" : false,
+ "canonicalValues" : [],
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "primary",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating the 'primary'
+or preferred attribute value for this attribute. The primary
+attribute value 'true' MUST appear no more than once.",
+ "required" : false,
+ "mutability" : "readWrite",
+ "returned" : "default"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default"
+ }
+ ],
+ "meta" : {
+ "resourceType" : "Schema",
+ "location" :
+ "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
+ }
+ },
+
+
+
+
+Hunt, et al. Standards Track [Page 68]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
+ "name" : "Group",
+ "description" : "Group",
+ "attributes" : [
+ {
+ "name" : "displayName",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable name for the Group.
+REQUIRED.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "members",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "A list of members of the Group.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "value",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Identifier of the member of this Group.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "immutable",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 69]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "$ref",
+ "type" : "reference",
+ "referenceTypes" : [
+ "User",
+ "Group"
+ ],
+ "multiValued" : false,
+ "description" : "The URI corresponding to a SCIM resource
+that is a member of this Group.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "immutable",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A label indicating the type of resource,
+e.g., 'User' or 'Group'.",
+ "required" : false,
+ "caseExact" : false,
+ "canonicalValues" : [
+ "User",
+ "Group"
+ ],
+ "mutability" : "immutable",
+ "returned" : "default",
+ "uniqueness" : "none"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default"
+ }
+ ],
+ "meta" : {
+ "resourceType" : "Schema",
+ "location" :
+ "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
+ }
+ },
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 70]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
+ "name" : "EnterpriseUser",
+ "description" : "Enterprise User",
+ "attributes" : [
+ {
+ "name" : "employeeNumber",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Numeric or alphanumeric identifier assigned
+to a person, typically based on order of hire or association with an
+organization.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "costCenter",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Identifies the name of a cost center.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "organization",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Identifies the name of an organization.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 71]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "division",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Identifies the name of a division.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "department",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Identifies the name of a department.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "manager",
+ "type" : "complex",
+ "multiValued" : false,
+ "description" : "The User's manager. A complex type that
+optionally allows service providers to represent organizational
+hierarchy by referencing the 'id' attribute of another User.",
+ "required" : false,
+ "subAttributes" : [
+ {
+ "name" : "value",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The id of the SCIM resource representing
+the User's manager. REQUIRED.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 72]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "$ref",
+ "type" : "reference",
+ "referenceTypes" : [
+ "User"
+ ],
+ "multiValued" : false,
+ "description" : "The URI of the SCIM resource
+representing the User's manager. REQUIRED.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readWrite",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "displayName",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The displayName of the User's manager.
+OPTIONAL and READ-ONLY.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ }
+ ],
+ "mutability" : "readWrite",
+ "returned" : "default"
+ }
+ ],
+ "meta" : {
+ "resourceType" : "Schema",
+ "location" :
+"/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
+ }
+ }
+]
+
+ Figure 9: Example JSON Representation for Resource Schema
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 73]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+8.7.2. Service Provider Schema Representation
+
+ The following is a representation of the SCIM schema for the fixed
+ service provider schemas: ServiceProviderConfig, ResourceType, and
+ Schema.
+
+[
+ {
+ "id" :
+ "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
+ "name" : "Service Provider Configuration",
+ "description" : "Schema for representing the service provider's
+ configuration",
+ "attributes" : [
+ {
+ "name" : "documentationUri",
+ "type" : "reference",
+ "referenceTypes" : ["external"],
+ "multiValued" : false,
+ "description" : "An HTTP-addressable URL pointing to the
+ service provider's human-consumable help documentation.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 74]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "patch",
+ "type" : "complex",
+ "multiValued" : false,
+ "description" : "A complex type that specifies PATCH
+ configuration options.",
+ "required" : true,
+ "returned" : "default",
+ "mutability" : "readOnly",
+ "subAttributes" : [
+ {
+ "name" : "supported",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value specifying whether or not
+ the operation is supported.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ }
+ ]
+ },
+ {
+ "name" : "bulk",
+ "type" : "complex",
+ "multiValued" : false,
+ "description" : "A complex type that specifies bulk
+ configuration options.",
+ "required" : true,
+ "returned" : "default",
+ "mutability" : "readOnly",
+ "subAttributes" : [
+ {
+ "name" : "supported",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value specifying whether or not
+ the operation is supported.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ },
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 75]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "maxOperations",
+ "type" : "integer",
+ "multiValued" : false,
+ "description" : "An integer value specifying the maximum
+ number of operations.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "maxPayloadSize",
+ "type" : "integer",
+ "multiValued" : false,
+ "description" : "An integer value specifying the maximum
+ payload size in bytes.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ }
+ ]
+ },
+ {
+ "name" : "filter",
+ "type" : "complex",
+ "multiValued" : false,
+ "description" : "A complex type that specifies
+ FILTER options.",
+ "required" : true,
+ "returned" : "default",
+ "mutability" : "readOnly",
+ "subAttributes" : [
+ {
+ "name" : "supported",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value specifying whether or not
+ the operation is supported.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ },
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 76]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "maxResults",
+ "type" : "integer",
+ "multiValued" : false,
+ "description" : "An integer value specifying the maximum
+ number of resources returned in a response.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ }
+ ]
+ },
+ {
+ "name" : "changePassword",
+ "type" : "complex",
+ "multiValued" : false,
+ "description" : "A complex type that specifies configuration
+ options related to changing a password.",
+ "required" : true,
+ "returned" : "default",
+ "mutability" : "readOnly",
+ "subAttributes" : [
+ {
+ "name" : "supported",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value specifying whether or not
+ the operation is supported.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ }
+ ]
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 77]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "sort",
+ "type" : "complex",
+ "multiValued" : false,
+ "description" : "A complex type that specifies sort result
+ options.",
+ "required" : true,
+ "returned" : "default",
+ "mutability" : "readOnly",
+ "subAttributes" : [
+ {
+ "name" : "supported",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value specifying whether or not
+ the operation is supported.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ }
+ ]
+ },
+ {
+ "name" : "authenticationSchemes",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "A complex type that specifies supported
+ authentication scheme properties.",
+ "required" : true,
+ "returned" : "default",
+ "mutability" : "readOnly",
+ "subAttributes" : [
+ {
+ "name" : "name",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The common authentication scheme name,
+ e.g., HTTP Basic.",
+ "required" : true,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 78]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "description",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A description of the authentication
+ scheme.",
+ "required" : true,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "specUri",
+ "type" : "reference",
+ "referenceTypes" : ["external"],
+ "multiValued" : false,
+ "description" : "An HTTP-addressable URL pointing to the
+ authentication scheme's specification.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "documentationUri",
+ "type" : "reference",
+ "referenceTypes" : ["external"],
+ "multiValued" : false,
+ "description" : "An HTTP-addressable URL pointing to the
+ authentication scheme's usage documentation.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ }
+ ]
+ }
+ ]
+ },
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 79]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
+ "name" : "ResourceType",
+ "description" : "Specifies the schema that describes a SCIM
+ resource type",
+ "attributes" : [
+ {
+ "name" : "id",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The resource type's server unique id.
+ May be the same as the 'name' attribute.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "name",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The resource type name. When applicable,
+ service providers MUST specify the name, e.g., 'User'.",
+ "required" : true,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "description",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The resource type's human-readable
+ description. When applicable, service providers MUST
+ specify the description.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 80]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "endpoint",
+ "type" : "reference",
+ "referenceTypes" : ["uri"],
+ "multiValued" : false,
+ "description" : "The resource type's HTTP-addressable
+ endpoint relative to the Base URL, e.g., '/Users'.",
+ "required" : true,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "schema",
+ "type" : "reference",
+ "referenceTypes" : ["uri"],
+ "multiValued" : false,
+ "description" : "The resource type's primary/base schema
+ URI.",
+ "required" : true,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "schemaExtensions",
+ "type" : "complex",
+ "multiValued" : false,
+ "description" : "A list of URIs of the resource type's schema
+ extensions.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "subAttributes" : [
+ {
+ "name" : "schema",
+ "type" : "reference",
+ "referenceTypes" : ["uri"],
+ "multiValued" : false,
+ "description" : "The URI of a schema extension.",
+ "required" : true,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+Hunt, et al. Standards Track [Page 81]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "required",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value that specifies whether
+ or not the schema extension is required for the
+ resource type. If true, a resource of this type MUST
+ include this schema extension and also include any
+ attributes declared as required in this schema extension.
+ If false, a resource of this type MAY omit this schema
+ extension.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema",
+ "name" : "Schema",
+ "description" : "Specifies the schema that describes a
+ SCIM schema",
+ "attributes" : [
+ {
+ "name" : "id",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The unique URI of the schema.
+ When applicable, service providers MUST specify the URI.",
+ "required" : true,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 82]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "name",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The schema's human-readable name. When
+ applicable, service providers MUST specify the name,
+ e.g., 'User'.",
+ "required" : true,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "description",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The schema's human-readable name. When
+ applicable, service providers MUST specify the name,
+ e.g., 'User'.",
+ "required" : false,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "attributes",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "A complex attribute that includes the
+ attributes of a schema.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "subAttributes" : [
+ {
+ "name" : "name",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The attribute's name.",
+ "required" : true,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+Hunt, et al. Standards Track [Page 83]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The attribute's data type.
+ Valid values include 'string', 'complex', 'boolean',
+ 'decimal', 'integer', 'dateTime', 'reference'.",
+ "required" : true,
+ "canonicalValues" : [
+ "string",
+ "complex",
+ "boolean",
+ "decimal",
+ "integer",
+ "dateTime",
+ "reference"
+ ],
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "multiValued",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating an
+ attribute's plurality.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ },
+ {
+ "name" : "description",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable description of the
+ attribute.",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 84]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "required",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A boolean value indicating whether or
+ not the attribute is required.",
+ "required" : false,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ },
+ {
+ "name" : "canonicalValues",
+ "type" : "string",
+ "multiValued" : true,
+ "description" : "A collection of canonical values. When
+ applicable, service providers MUST specify the
+ canonical types, e.g., 'work', 'home'.",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "caseExact",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating whether or
+ not a string attribute is case sensitive.",
+ "required" : false,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 85]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "mutability",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Indicates whether or not an attribute
+ is modifiable.",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none",
+ "canonicalValues" : [
+ "readOnly",
+ "readWrite",
+ "immutable",
+ "writeOnly"
+ ]
+ },
+ {
+ "name" : "returned",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Indicates when an attribute is returned
+ in a response (e.g., to a query).",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none",
+ "canonicalValues" : [
+ "always",
+ "never",
+ "default",
+ "request"
+ ]
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 86]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "uniqueness",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Indicates how unique a value must be.",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none",
+ "canonicalValues" : [
+ "none",
+ "server",
+ "global"
+ ]
+ },
+ {
+ "name" : "referenceTypes",
+ "type" : "string",
+ "multiValued" : true,
+ "description" : "Used only with an attribute of type
+ 'reference'. Specifies a SCIM resourceType that a
+ reference attribute MAY refer to, e.g., 'User'.",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 87]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "subAttributes",
+ "type" : "complex",
+ "multiValued" : true,
+ "description" : "Used to define the sub-attributes of a
+ complex attribute.",
+ "required" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "subAttributes" : [
+ {
+ "name" : "name",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The attribute's name.",
+ "required" : true,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "type",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "The attribute's data type.
+ Valid values include 'string', 'complex', 'boolean',
+ 'decimal', 'integer', 'dateTime', 'reference'.",
+ "required" : true,
+ "caseExact" : false,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none",
+ "canonicalValues" : [
+ "string",
+ "complex",
+ "boolean",
+ "decimal",
+ "integer",
+ "dateTime",
+ "reference"
+ ]
+ },
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 88]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "multiValued",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating an
+ attribute's plurality.",
+ "required" : true,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ },
+ {
+ "name" : "description",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "A human-readable description of the
+ attribute.",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+ {
+ "name" : "required",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A boolean value indicating whether or
+ not the attribute is required.",
+ "required" : false,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ },
+ {
+ "name" : "canonicalValues",
+ "type" : "string",
+ "multiValued" : true,
+ "description" : "A collection of canonical values. When
+ applicable, service providers MUST specify the
+ canonical types, e.g., 'work', 'home'.",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ },
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 89]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "caseExact",
+ "type" : "boolean",
+ "multiValued" : false,
+ "description" : "A Boolean value indicating whether or
+ not a string attribute is case sensitive.",
+ "required" : false,
+ "mutability" : "readOnly",
+ "returned" : "default"
+ },
+ {
+ "name" : "mutability",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Indicates whether or not an
+ attribute is modifiable.",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none",
+ "canonicalValues" : [
+ "readOnly",
+ "readWrite",
+ "immutable",
+ "writeOnly"
+ ]
+ },
+ {
+ "name" : "returned",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Indicates when an attribute is
+ returned in a response (e.g., to a query).",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none",
+ "canonicalValues" : [
+ "always",
+ "never",
+ "default",
+ "request"
+ ]
+ },
+
+
+
+
+
+Hunt, et al. Standards Track [Page 90]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ {
+ "name" : "uniqueness",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Indicates how unique a value must be.",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none",
+ "canonicalValues" : [
+ "none",
+ "server",
+ "global"
+ ]
+ },
+ {
+ "name" : "referenceTypes",
+ "type" : "string",
+ "multiValued" : false,
+ "description" : "Used only with an attribute of type
+ 'reference'. Specifies a SCIM resourceType that a
+ reference attribute MAY refer to, e.g., 'User'.",
+ "required" : false,
+ "caseExact" : true,
+ "mutability" : "readOnly",
+ "returned" : "default",
+ "uniqueness" : "none"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+]
+
+ Figure 10: Representation of Fixed Service Provider Endpoint Schemas
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 91]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+9. Security Considerations
+
+9.1. Protocol
+
+ SCIM data is intended to be exchanged using the SCIM protocol. It is
+ important when handling data to implement the security considerations
+ outlined in Section 7 of [RFC7644].
+
+9.2. Passwords and Other Sensitive Security Data
+
+ Passwords and other attributes related to security credentials are of
+ an extremely sensitive nature and require special handling when
+ transmitted or stored. While the SCIM protocol uses cleartext
+ passwords for value assignment and equality-testing purposes,
+ password values MUST NOT be stored in cleartext form.
+
+ Administrators should undertake industry best practices to protect
+ the storage of credentials and in particular SHOULD follow
+ recommendations outlined in Section 5.1.4.1 of [RFC6819]. These
+ requirements include, but are not limited to, the following:
+
+ o Provide injection attack countermeasures (e.g., by validating all
+ inputs and parameters);
+
+ o Credentials should not be stored in cleartext form;
+
+ o Store credentials using an encrypted protection mechanism (e.g.,
+ hashing); and
+
+ o Where possible, avoid passwords as the sole form of
+ authentication, and consider using credentials that are based on
+ asymmetric cryptography.
+
+9.3. Privacy
+
+ The SCIM core schema defines attributes that are sensitive and may be
+ considered personally identifying information (PII). These privacy
+ considerations should be considered for extensions as well as the
+ schema defined in this specification.
+
+ For the purposes of this specification, PII is defined as any
+ attribute that may be used as a unique key to identify a person
+ (e.g., "User"). Since other information may be used in combination
+ to identify an individual, all attributes in SCIM are considered
+ "sensitive" personal information. Consult regional jurisdictions to
+ see if there are special considerations for the handling of personal
+ information (e.g., PII).
+
+
+
+
+Hunt, et al. Standards Track [Page 92]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ Information should be shared on an as-needed basis. A SCIM client
+ should limit information to what it believes a service provider
+ requires, and a SCIM service provider should only accept information
+ it needs. Clients and service providers should take into
+ consideration that personal information is being conveyed across
+ technical (e.g., protocol and applications), administrative (e.g.,
+ organizational, corporate), and jurisdictional boundaries. In
+ particular, information security and privacy must be considered.
+
+ Security service level agreements for the handling of these
+ attributes are beyond the scope of this document but are to be
+ carefully considered by implementers and deploying organizations.
+
+ Please see the Privacy Considerations section of [RFC7644] for more
+ protocol-specific considerations regarding the handling of SCIM
+ information.
+
+ SCIM defines attributes such as "id", "externalId", and SCIM resource
+ URIs, which cause new PII to be generated; this information is
+ important to the way that the SCIM protocol identifies and locates
+ resources. Where possible, it is suggested that service providers
+ take the following remediations:
+
+ o Where possible, assign and bind identifiers to specific tenants
+ and/or clients. When multiple tenants are able to reference the
+ same resource, they should do so via separate identifiers (id or
+ externalId). This ensures that separate domains linked to the
+ same information cannot perform identifier correlation.
+
+ o In the case of "externalId", if multiple values are supported, use
+ access control to restrict access to the client domain that
+ assigned the "externalId" value.
+
+ o Ensure that access to data is appropriately restricted to
+ authorized parties with a "need to know".
+
+ o When persisted, ensure that the appropriate protection mechanisms
+ are in place to restrict access by unauthorized parties, including
+ administrators or parties with access to backup data.
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 93]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+10. IANA Considerations
+
+10.1. Registration of SCIM URN Sub-namespace and SCIM Registry
+
+ IANA has added an entry to the "IETF URN Sub-namespace for Registered
+ Protocol Parameter Identifiers" registry and created a sub-namespace
+ for the Registered Parameter Identifier as per [RFC3553]:
+ "urn:ietf:params:scim".
+
+ To manage this sub-namespace, IANA has created the "System for
+ Cross-domain Identity Management (SCIM) Schema URIs" registry, which
+ is used to manage entries within the "urn:ietf:params:scim"
+ namespace. The registry description is as follows:
+
+ o Registry name: SCIM
+
+ o Specification: this document (RFC 7643)
+
+ o Repository: See Section 10.2
+
+ o Index value: See Section 10.2
+
+10.2. URN Sub-namespace for SCIM
+
+ SCIM schemas and SCIM messages utilize URIs to identify the schema in
+ use or other relevant context. This section creates and registers an
+ IETF URN Sub-namespace for use in the SCIM specifications and future
+ extensions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 94]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+10.2.1. Specification Template
+
+ Namespace ID:
+
+ The Namespace ID "scim" has been assigned.
+
+ Registration Information:
+
+ Version: 1
+
+ Date: 2015-06-22
+
+ Declared registrant of the namespace:
+
+ Registering organization
+ The Internet Engineering Task Force
+
+ Designated contact
+ A designated expert will monitor the SCIM public mailing list,
+ "scim@ietf.org".
+
+ Declaration of Syntactic Structure:
+
+ The Namespace Specific String (NSS) of all URNs that use the
+ "scim" Namespace ID shall have the following structure:
+
+ urn:ietf:params:scim:{type}:{name}{:other}
+
+ The keywords have the following meaning:
+
+ type
+ The entity type, which is either "schemas" or "api".
+
+ name
+ A required US-ASCII string that conforms to the URN syntax
+ requirements (see [RFC2141]) and defines a major namespace of a
+ schema used within SCIM (e.g., "core", which is reserved for
+ SCIM specifications). The value MAY also be an industry name
+ or organization name.
+
+ other
+ Any US-ASCII string that conforms to the URN syntax
+ requirements (see [RFC2141]) and defines the sub-namespace
+ (which MAY be further broken down in namespaces delimited by
+ colons) as needed to uniquely identify a schema.
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 95]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ Relevant Ancillary Documentation:
+
+ None
+
+ Identifier Uniqueness Considerations:
+
+ The designated contact shall be responsible for reviewing and
+ enforcing uniqueness.
+
+ Identifier Persistence Considerations:
+
+ Once a name has been allocated, it MUST NOT be reallocated for a
+ different purpose. The rules provided for assignments of values
+ within a sub-namespace MUST be constructed so that the meanings of
+ values cannot change. This registration mechanism is not
+ appropriate for naming values whose meanings may change over time.
+
+ As the SCIM specifications are updated and the SCIM protocol
+ version is adjusted, a new registration will be made when
+ significant changes are made -- for example,
+ "urn:ietf:params:scim:schemas:core:1.0 (externally defined, not
+ previously registered)" and
+ "urn:ietf:params:scim:schemas:core:2.0".
+
+ Process of Identifier Assignment:
+
+ Identifiers with namespace type "schema" (e.g.,
+ "urn:ietf:params:scim:schemas") are assigned after the review of
+ the assigned contact via the SCIM public mailing list,
+ "scim@ietf.org", as documented in Section 10.3.
+
+ Namespaces with type "api" (e.g., "urn:ietf:params:scim:api") and
+ "param" (e.g., "urn:ietf:params:scim:param") are reserved for
+ IETF-approved SCIM specifications.
+
+ Process of Identifier Resolution:
+
+ The namespace is not currently listed with a Resolution Discovery
+ System (RDS), but nothing about the namespace prohibits the future
+ definition of appropriate resolution methods or listing with an
+ RDS.
+
+ Rules for Lexical Equivalence:
+
+ No special considerations; the rules for lexical equivalence
+ specified in [RFC2141] apply.
+
+
+
+
+
+Hunt, et al. Standards Track [Page 96]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ Conformance with URN Syntax:
+
+ No special considerations.
+
+ Validation Mechanism:
+
+ None specified.
+
+ Scope:
+
+ Global.
+
+10.3. Registering SCIM Schemas
+
+ This section defines the process for registering new SCIM schemas
+ with IANA in the "System for Cross-domain Identity Management (SCIM)
+ Schema URIs" registry (see Section 10.1). A schema URI is used as a
+ value in the "schemas" attribute (Section 3) for the purpose of
+ distinguishing extensions used in a SCIM resource.
+
+10.3.1. Registration Procedure
+
+ The IETF has created a mailing list, scim@ietf.org, which can be used
+ for public discussion of SCIM schema proposals prior to registration.
+ Use of the mailing list is strongly encouraged. The IESG has
+ appointed a designated expert [RFC5226] who will monitor the
+ scim@ietf.org mailing list and review registrations.
+
+ Registration of new "core" schemas (e.g., in the namespace
+ "urn:ietf:params:scim:schemas:core") and "API" schemas (e.g., in the
+ namespace "urn:ietf:params:scim:api") MUST be reviewed by the
+ designated expert and published in an RFC. An RFC is REQUIRED for
+ the registration of new value data types that modify existing
+ properties. An RFC is also REQUIRED for registration of SCIM schema
+ URIs that modify SCIM schema previously documented in an existing
+ RFC. URNs within "urn:ietf:params:scim" but outside the above
+ namespaces MAY be registered with a simple review (e.g., check for
+ spam) by the designated expert on a first-come-first-served basis.
+
+ The registration procedure begins when a completed registration
+ template, defined in the sections below, is sent to scim@ietf.org and
+ iana@iana.org. Within two weeks, the designated expert is expected
+ to tell IANA and the submitter of the registration whether the
+ registration is approved, approved with minor changes, or rejected
+ with cause. When a registration is rejected with cause, it can be
+ resubmitted if the concerns listed in the cause are addressed.
+
+
+
+
+
+Hunt, et al. Standards Track [Page 97]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ Decisions made by the designated expert can be appealed to the IESG
+ Applications Area Director, then to the IESG. They follow the normal
+ appeals procedure for IESG decisions.
+
+ Once the registration procedure concludes successfully, IANA creates
+ or modifies the corresponding record in the SCIM schema registry.
+ The completed registration template is discarded.
+
+ An RFC specifying one or more new schema URIs MUST include the
+ completed registration templates, which MAY be expanded with
+ additional information. These completed templates are intended to go
+ in the body of the document, not in the IANA Considerations section.
+ The RFC SHOULD include any attributes defined.
+
+10.3.2. Schema Registration Template
+
+ A SCIM schema URI is defined by completing the following template:
+
+ Schema URI: A unique URI for the SCIM schema extension.
+
+ Schema Name: A descriptive name of the schema extension (e.g.,
+ "Generic Device").
+
+ Intended or Associated Resource Type: A value defining the resource
+ type (e.g., "Device").
+
+ Purpose: A description of the purpose of the extension and/or its
+ intended use.
+
+ Single-value Attributes: A list and description of single-valued
+ attributes defined, including complex attributes.
+
+ Multi-valued Attributes: A list and description of multi-valued
+ attributes defined, including complex attributes.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 98]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+10.4. Initial SCIM Schema Registry
+
+ The IANA has populated the "System for Cross-domain Identity
+ Management (SCIM) Schema URIs" registry with the following registries
+ for SCIM schema URIs, with pointers to appropriate reference
+ documents. Note: The schema URIs listed below are broken into two
+ lines for readability.
+
+ +-----------------------------------+-----------------+-------------+
+ | Schema URI | Name | Reference |
+ +-----------------------------------+-----------------+-------------+
+ | urn:ietf:params:scim:schemas: | User Resource | See Section |
+ | core:2.0:User | | 4.1 |
+ | | | |
+ | urn:ietf:params:scim:schemas: | Enterprise User | See Section |
+ | extension:enterprise:2.0:User | Extension | 4.3 |
+ | | | |
+ | urn:ietf:params:scim:schemas: | Group Resource | See Section |
+ | core:2.0:Group | | 4.2 |
+ +-----------------------------------+-----------------+-------------+
+
+ SCIM Schema URIs for Data Resources
+
+ +-----------------------------------+-------------------+-----------+
+ | Schema URI | Name | Reference |
+ +-----------------------------------+-------------------+-----------+
+ | urn:ietf:params:scim:schemas: | Service Provider | See |
+ | core:2.0:ServiceProviderConfig | Configuration | Section 5 |
+ | | Schema | |
+ | | | |
+ | urn:ietf:params:scim:schemas: | Resource Type | See |
+ | core:2.0:ResourceType | Configuration | Section 6 |
+ | | | |
+ | urn:ietf:params:scim:schemas: | Schema | See |
+ | core:2.0:Schema | Definitions | Section 7 |
+ | | Schema | |
+ +-----------------------------------+-------------------+-----------+
+
+ SCIM Server-Related Schema URIs
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 99]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+11. References
+
+11.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2141] Moats, R., "URN Syntax", RFC 2141, DOI 10.17487/RFC2141,
+ May 1997, <http://www.rfc-editor.org/info/rfc2141>.
+
+ [RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne,
+ "An IETF URN Sub-namespace for Registered Protocol
+ Parameters", BCP 73, RFC 3553, DOI 10.17487/RFC3553,
+ June 2003, <http://www.rfc-editor.org/info/rfc3553>.
+
+ [RFC3629] Yergeau, F., "UTF-8, a transformation format of
+ ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629,
+ November 2003, <http://www.rfc-editor.org/info/rfc3629>.
+
+ [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers",
+ RFC 3966, DOI 10.17487/RFC3966, December 2004,
+ <http://www.rfc-editor.org/info/rfc3966>.
+
+ [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+ Resource Identifier (URI): Generic Syntax", STD 66,
+ RFC 3986, DOI 10.17487/RFC3986, January 2005,
+ <http://www.rfc-editor.org/info/rfc3986>.
+
+ [RFC4647] Phillips, A. and M. Davis, "Matching of Language Tags",
+ BCP 47, RFC 4647, DOI 10.17487/RFC4647, September 2006,
+ <http://www.rfc-editor.org/info/rfc4647>.
+
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
+ <http://www.rfc-editor.org/info/rfc4648>.
+
+ [RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for
+ Syntax Specifications: ABNF", STD 68, RFC 5234,
+ DOI 10.17487/ RFC5234, January 2008,
+ <http://www.rfc-editor.org/info/rfc5234>.
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation List
+ (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
+ <http://www.rfc-editor.org/info/rfc5280>.
+
+
+
+Hunt, et al. Standards Track [Page 100]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
+ DOI 10.17487/RFC5321, October 2008,
+ <http://www.rfc-editor.org/info/rfc5321>.
+
+ [RFC5646] Phillips, A., Ed., and M. Davis, Ed., "Tags for
+ Identifying Languages", BCP 47, RFC 5646,
+ DOI 10.17487/RFC5646, September 2009,
+ <http://www.rfc-editor.org/info/rfc5646>.
+
+ [RFC6557] Lear, E. and P. Eggert, "Procedures for Maintaining the
+ Time Zone Database", BCP 175, RFC 6557,
+ DOI 10.17487/RFC6557, February 2012,
+ <http://www.rfc-editor.org/info/rfc6557>.
+
+ [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
+ Interchange Format", RFC 7159, DOI 10.17487/RFC7159,
+ March 2014, <http://www.rfc-editor.org/info/rfc7159>.
+
+ [RFC7231] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
+ Transfer Protocol (HTTP/1.1): Semantics and Content",
+ RFC 7231, DOI 10.17487/RFC7231, June 2014,
+ <http://www.rfc-editor.org/info/rfc7231>.
+
+ [RFC7232] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
+ Transfer Protocol (HTTP/1.1): Conditional Requests",
+ RFC 7232, DOI 10.17487/RFC7232, June 2014,
+ <http://www.rfc-editor.org/info/rfc7232>.
+
+ [RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
+ and C. Mortimore, "System for Cross-domain Identity
+ Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
+ September 2015, <http://www.rfc-editor.org/info/rfc7644>.
+
+11.2. Informative References
+
+ [ISO3166] International Organization for Standardization, "Codes for
+ the representation of names of countries and their
+ subdivisions - Part 1: Country codes", ISO 3166-1:2013,
+ November 2013, <http://www.iso.org>.
+
+ [Olson-TZ] Internet Assigned Numbers Authority, "IANA Time Zone
+ Database", <https://www.iana.org/time-zones>.
+
+ [PortableContacts]
+ Smarr, J., "Portable Contacts 1.0 Draft C - Schema Only",
+ August 2008,
+ <http://www.portablecontacts.net/draft-spec.html>.
+
+
+
+
+Hunt, et al. Standards Track [Page 101]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+ [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
+ Languages", BCP 18, RFC 2277, DOI 10.17487/RFC2277,
+ January 1998, <http://www.rfc-editor.org/info/rfc2277>.
+
+ [RFC4512] Zeilenga, K., Ed., "Lightweight Directory Access Protocol
+ (LDAP): Directory Information Models", RFC 4512,
+ DOI 10.17487/RFC4512, June 2006,
+ <http://www.rfc-editor.org/info/rfc4512>.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ DOI 10.17487/RFC5226, May 2008,
+ <http://www.rfc-editor.org/info/rfc5226>.
+
+ [RFC6350] Perreault, S., "vCard Format Specification", RFC 6350,
+ DOI 10.17487/RFC6350, August 2011,
+ <http://www.rfc-editor.org/info/rfc6350>.
+
+ [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
+ RFC 6749, DOI 10.17487/RFC6749, October 2012,
+ <http://www.rfc-editor.org/info/rfc6749>.
+
+ [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
+ Threat Model and Security Considerations", RFC 6819,
+ DOI 10.17487/RFC6819, January 2013,
+ <http://www.rfc-editor.org/info/rfc6819>.
+
+ [XML-Schema]
+ Peterson, D., Gao, S., Malhotra, A., Sperberg-McQueen, C.,
+ and H. Thompson, "XML Schema Definition Language (XSD) 1.1
+ Part 2: Datatypes", April 2012,
+ <http://www.w3.org/TR/xmlschema11-2/>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 102]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+Acknowledgements
+
+ The editor would like to acknowledge the contribution and work of the
+ editors of draft versions of this document:
+
+ Chuck Mortimore, Salesforce
+
+ Patrick Harding, Ping
+
+ Paul Madsen, Ping
+
+ Trey Drake, UnboundID
+
+ The SCIM Community would like to thank the following people for the
+ work they've done in the research, formulation, drafting, editing,
+ and support of this specification.
+
+ Morteza Ansari (morteza.ansari@cisco.com)
+
+ Sidharth Choudhury (schoudhury@salesforce.com)
+
+ Samuel Erdtman (samuel@erdtman.se)
+
+ Kelly Grizzle (kelly.grizzle@sailpoint.com)
+
+ Chris Phillips (cjphillips@gmail.com)
+
+ Erik Wahlstroem (erik.wahlstrom@nexusgroup.com)
+
+ Phil Hunt (phil.hunt@yahoo.com)
+
+ Special thanks to Joseph Smarr, whose excellent work on the Portable
+ Contacts Specification [PortableContacts] provided a basis for the
+ SCIM schema structure and text.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 103]
+
+RFC 7643 SCIM Core Schema September 2015
+
+
+Authors' Addresses
+
+ Phil Hunt (editor)
+ Oracle Corporation
+
+ Email: phil.hunt@yahoo.com
+
+
+ Kelly Grizzle
+ SailPoint
+
+ Email: kelly.grizzle@sailpoint.com
+
+
+ Erik Wahlstroem
+ Nexus Technology
+
+ Email: erik.wahlstrom@nexusgroup.com
+
+
+ Chuck Mortimore
+ Salesforce.com
+
+ Email: cmortimore@salesforce.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 104]
+