summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7644.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7644.txt')
-rw-r--r--doc/rfc/rfc7644.txt4987
1 files changed, 4987 insertions, 0 deletions
diff --git a/doc/rfc/rfc7644.txt b/doc/rfc/rfc7644.txt
new file mode 100644
index 0000000..b3e1d89
--- /dev/null
+++ b/doc/rfc/rfc7644.txt
@@ -0,0 +1,4987 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) P. Hunt, Ed.
+Request for Comments: 7644 Oracle
+Category: Standards Track K. Grizzle
+ISSN: 2070-1721 SailPoint
+ M. Ansari
+ Cisco
+ E. Wahlstroem
+ Nexus Technology
+ C. Mortimore
+ Salesforce
+ September 2015
+
+
+ System for Cross-domain Identity Management: Protocol
+
+Abstract
+
+ The System for Cross-domain Identity Management (SCIM) specification
+ is an HTTP-based protocol that makes managing identities in multi-
+ domain scenarios easier to support via a standardized service.
+ Examples include, but are not limited to, enterprise-to-cloud service
+ providers and inter-cloud scenarios. The specification suite seeks
+ to build upon experience with existing schemas and deployments,
+ placing specific emphasis on simplicity of development and
+ integration, while applying existing authentication, authorization,
+ and privacy models. SCIM's intent is to reduce the cost and
+ complexity of user management operations by providing a common user
+ schema, an extension model, and a service protocol defined by this
+ document.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7644.
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 1]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction and Overview .......................................3
+ 1.1. Intended Audience ..........................................3
+ 1.2. Notational Conventions .....................................4
+ 1.3. Definitions ................................................4
+ 2. Authentication and Authorization ................................5
+ 2.1. Use of Tokens as Authorizations ............................7
+ 2.2. Anonymous Requests .........................................7
+ 3. SCIM Protocol ...................................................8
+ 3.1. Background .................................................8
+ 3.2. SCIM Endpoints and HTTP Methods ............................9
+ 3.3. Creating Resources ........................................11
+ 3.3.1. Resource Types .....................................13
+ 3.4. Retrieving Resources ......................................13
+ 3.4.1. Retrieving a Known Resource ........................14
+ 3.4.2. Query Resources ....................................15
+ 3.4.3. Querying Resources Using HTTP POST .................27
+ 3.5. Modifying Resources .......................................29
+ 3.5.1. Replacing with PUT .................................30
+ 3.5.2. Modifying with PATCH ...............................32
+ 3.6. Deleting Resources ........................................48
+ 3.7. Bulk Operations ...........................................49
+ 3.7.1. Circular Reference Processing ......................51
+ 3.7.2. "bulkId" Temporary Identifiers .....................53
+ 3.7.3. Response and Error Handling ........................58
+ 3.7.4. Maximum Operations .................................63
+ 3.8. Data Input/Output Formats .................................64
+ 3.9. Additional Operation Response Parameters ..................64
+ 3.10. Attribute Notation .......................................66
+ 3.11. "/Me" Authenticated Subject Alias ........................66
+
+
+
+
+
+Hunt, et al. Standards Track [Page 2]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ 3.12. HTTP Status and Error Response Handling ..................67
+ 3.13. SCIM Protocol Versioning .................................71
+ 3.14. Versioning Resources .....................................71
+ 4. Service Provider Configuration Endpoints .......................73
+ 5. Preparation and Comparison of Internationalized Strings ........76
+ 6. Multi-Tenancy ..................................................76
+ 6.1. Associating Clients to Tenants ............................77
+ 6.2. SCIM Identifiers with Multiple Tenants ....................78
+ 7. Security Considerations ........................................78
+ 7.1. HTTP Considerations .......................................78
+ 7.2. TLS Support Considerations ................................78
+ 7.3. Authorization Token Considerations ........................78
+ 7.4. Bearer Token and Cookie Considerations ....................79
+ 7.5. Privacy Considerations ....................................79
+ 7.5.1. Personal Information ...............................79
+ 7.5.2. Disclosure of Sensitive Information in URIs ........80
+ 7.6. Anonymous Requests ........................................80
+ 7.7. Secure Storage and Handling of Sensitive Data .............81
+ 7.8. Case-Insensitive Comparison and International Languages ...82
+ 8. IANA Considerations ............................................82
+ 8.1. Media Type Registration ...................................82
+ 8.2. Registering URIs for SCIM Messages ........................84
+ 9. References .....................................................85
+ 9.1. Normative References ......................................85
+ 9.2. Informative References ....................................87
+ Acknowledgements ..................................................88
+ Contributors ......................................................88
+ Authors' Addresses ................................................89
+
+1. Introduction and Overview
+
+ The SCIM protocol is an application-level HTTP-based protocol for
+ provisioning and managing identity data on the web and in
+ cross-domain environments such as enterprise-to-cloud service
+ providers or inter-cloud scenarios. The protocol supports creation,
+ modification, retrieval, and discovery of core identity resources
+ such as Users and Groups, as well as custom resources and resource
+ extensions.
+
+ The definition of resources, attributes, and overall schema are
+ defined in the SCIM Core Schema document [RFC7643].
+
+1.1. Intended Audience
+
+ This document is intended to serve as a guide to SCIM protocol usage
+ for both SCIM HTTP service providers and HTTP clients who may
+ provision information to service providers or retrieve information
+ from them.
+
+
+
+Hunt, et al. Standards Track [Page 3]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+1.2. Notational Conventions
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119]. These key
+ words are capitalized when used to unambiguously specify requirements
+ of the protocol or application features and behavior that affect the
+ interoperability and security of implementations. When these words
+ are not capitalized, they are meant in their natural-language sense.
+
+ For purposes of readability, examples are not URL encoded.
+ Implementers MUST percent-encode URLs as described in Section 2.1 of
+ [RFC3986].
+
+ Throughout this document, figures may contain spaces and extra line
+ wrapping to improve readability and accommodate space limitations.
+ Similarly, some URIs contained within examples have been shortened
+ for space and readability reasons (as indicated by "...").
+
+1.3. Definitions
+
+ This specification uses the definitions from [RFC7643] and defines
+ the following additional term:
+
+ Base URI
+ The SCIM HTTP protocol is described in terms of a path relative to
+ a Base URI. The Base URI MUST NOT contain a query string, as
+ clients MAY append additional path information and query
+ parameters as part of forming the request. The base URI is a URL
+ that most often consists of the "https" protocol scheme, a domain
+ name, and some initial path [RFC3986]. For example:
+
+ "https://example.com/scim/"
+
+ For readability, all examples in this document assume that the SCIM
+ service root and the server root are the same (no path prefix). It
+ is expected that SCIM servers may be deployed using any URI path
+ prefix. For example, a SCIM server might have a prefix of
+ "https://example.com/" or "https://example.com/scim/tenancypath/".
+ Additionally, a client MAY apply a version number to the server root
+ prefix (see Section 3.13).
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 4]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+2. Authentication and Authorization
+
+ The SCIM protocol is based upon HTTP and does not itself define a
+ SCIM-specific scheme for authentication and authorization. SCIM
+ depends on the use of Transport Layer Security (TLS) and/or standard
+ HTTP authentication and authorization schemes as per [RFC7235]. For
+ example, the following methodologies could be used, among others:
+
+ TLS Client Authentication
+ The SCIM service provider MAY request TLS client authentication
+ (also known as mutual authentication). See Section 7.3 of
+ [RFC5246].
+
+ HOBA Authentication
+ HTTP Origin-Bound Authentication (HOBA) is a variation on TLS
+ client authentication and uses a digital-signature-based design
+ for an HTTP authentication method (see [RFC7486]). The design can
+ also be used in JavaScript-based authentication embedded in HTML.
+ HOBA is an alternative to HTTP authentication schemes that require
+ passwords and therefore avoids all problems related to passwords,
+ such as leakage of server-side password databases.
+
+ Bearer Tokens
+ Bearer tokens [RFC6750] MAY be used when combined with TLS and a
+ token framework such as OAuth 2.0 [RFC6749]. Tokens that are
+ issued based on weak or no authentication of authorizing users
+ and/or OAuth clients SHOULD NOT be used, unless, for example, they
+ are being used as single-use tokens to permit one-time requests
+ such as anonymous registration (see Section 3.3). For security
+ considerations regarding the use of bearer tokens in SCIM, see
+ Section 7.4. While bearer tokens most often represent an
+ authorization, it is assumed that the authorization was based upon
+ a successful authentication of the SCIM client. Accordingly, the
+ SCIM service provider must have a method for validating, parsing,
+ and/or "introspecting" the bearer token for the relevant
+ authentication and authorization information. The method for this
+ is assumed to be defined by the token-issuing system and is beyond
+ the scope of this specification.
+
+ PoP Tokens
+ A proof-of-possession (PoP) token demonstrates that the presenter
+ of the token possesses a particular key and that the recipient can
+ cryptographically confirm proof of possession of the key by the
+ presenter. This property is sometimes also described as the
+ presenter being a holder of the key. See [OAuth-PoP-Arch] for an
+ example of such a token and its use.
+
+
+
+
+
+Hunt, et al. Standards Track [Page 5]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Cookies
+ JavaScript clients MAY assert HTTP cookies over TLS that contain
+ an authentication state that is understood by the SCIM service
+ provider (see [RFC6265]). An example of this is scenarios where
+ web-form authentication has taken place with the user and HTTP
+ cookies were set representing the authentication state. For the
+ purposes of SCIM, the security considerations in Section 7.4
+ apply.
+
+ Basic Authentication
+ Usage of basic authentication should be avoided, due to its use of
+ a single factor that is based upon a relatively static, symmetric
+ secret. Implementers SHOULD combine the use of basic
+ authentication with other factors. The security considerations of
+ HTTP Basic are well documented in [HTTP-BASIC-AUTH]; therefore,
+ implementers are encouraged to use stronger authentication
+ methods. Designating the specific methods of authentication and
+ authorization is out of scope for SCIM; however, this information
+ is provided as a resource to implementers.
+
+ As per Section 4.1 of [RFC7235], a SCIM service provider SHALL
+ indicate supported HTTP authentication schemes via the
+ "WWW-Authenticate" header.
+
+ Regardless of methodology, the SCIM service provider MUST be able to
+ map the authenticated client to an access control policy in order to
+ determine the client's authorization to retrieve and update SCIM
+ resources. For example, while a browser session may have been
+ established via HTTP cookie or TLS client authentication, the unique
+ client MUST be mapped to a security subject (e.g., User). The
+ authorization model and the process by which this is done are beyond
+ the scope of this specification.
+
+ When processing requests, the service provider SHOULD consider the
+ subject performing the request and whether or not the action is
+ appropriate given the subject and the resource affected by the
+ request. The subject performing the request is usually determined
+ directly or indirectly from the "Authorization" header present in the
+ request. For example, a subject MAY be permitted to retrieve and
+ update their own "User" resource but will normally have restricted
+ ability to access resources associated with other Users. In other
+ cases, the SCIM service provider might only grant access to a
+ subject's own associated "User" resource (e.g., for the purpose of
+ updating personal contact attributes).
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 6]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ For illustrative purposes only, SCIM protocol examples show an
+ OAuth 2.0 bearer token value [RFC6750] in the authorization
+ header, e.g.,
+
+ GET /Users/2819c223-7f76-453a-919d-413861904646 HTTP/1.1
+ Host: example.com
+ Authorization: Bearer h480djs93hd8
+
+ This is not intended to imply that bearer tokens are preferred.
+ However, the use of bearer tokens in the specification does reflect
+ common implementation practice.
+
+2.1. Use of Tokens as Authorizations
+
+ When using bearer tokens or PoP tokens that represent an
+ authorization grant, such as a grant issued by OAuth (see [RFC6749]),
+ implementers SHOULD consider the type of authorization granted, any
+ authorized scopes (see Section 3.3 of [RFC6749]), and the security
+ subject(s) that SHOULD be mapped from the authorization when
+ considering local access control rules. Section 6 of [RFC7521]
+ documents common scenarios for authorization, including:
+
+ o A client using an assertion to authenticate and/or act on behalf
+ of itself,
+
+ o A client acting on behalf of a user, and
+
+ o A client acting on behalf of an anonymous user (for example, see
+ Section 2.2).
+
+ When using OAuth authorization tokens, implementers MUST take into
+ account the threats and countermeasures related to the use of client
+ authorizations, as documented in Section 8 of [RFC7521]. When using
+ other token formats or frameworks, implementers MUST take into
+ account similar threats and countermeasures, especially those
+ documented by the relevant specifications.
+
+2.2. Anonymous Requests
+
+ In some SCIM deployments, it MAY be acceptable to permit
+ unauthenticated (anonymous) requests -- for example, a user
+ self-registration request where the service provider chooses to
+ accept a SCIM Create request (see Section 3.3) from an anonymous
+ client. See Section 7.6 for security considerations regarding
+ anonymous requests.
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 7]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3. SCIM Protocol
+
+3.1. Background
+
+ SCIM is a protocol that is based on HTTP [RFC7230]. Along with HTTP
+ headers and URIs, SCIM uses JSON [RFC7159] payloads to convey SCIM
+ resources, as well as protocol-specific payload messages that convey
+ request parameters and response information such as errors. Both
+ resources and messages are passed in the form of JSON-based
+ structures in the message body of an HTTP request or response. To
+ identify this content, SCIM uses a media type of
+ "application/scim+json" (see Section 8.1).
+
+ A SCIM "resource" is a JSON object [RFC7159] that may be created,
+ maintained, and retrieved via HTTP request methods as described in
+ this document. Each JSON resource representation contains a
+ "schemas" attribute that contains a list of one or more URIs that
+ indicate included SCIM schemas that are used to indicate the
+ attributes contained within a resource. Specific information about
+ what attributes are defined within a schema MAY be obtained by
+ querying a SCIM service provider's "/Schemas" endpoint for a schema
+ definition (see Section 8.7 of [RFC7643]). Responses from this
+ endpoint describe the schema supported by a service provider,
+ including attribute characteristics such as cardinality,
+ case-exactness, mutability, uniqueness, returnability, and whether or
+ not attributes are required. While SCIM schemas and an associated
+ extension model are defined in [RFC7643], SCIM clients should expect
+ that some attribute schema may change from service provider to
+ service provider, particularly across administrative domains. In
+ cases where SCIM may be used as an open protocol in front of an
+ application service, it is quite reasonable to expect that some
+ service providers may only support a subset of the schema defined in
+ [RFC7643].
+
+ A SCIM message conveys protocol parameters related to a SCIM request
+ or response; this specification defines these parameters. As with a
+ SCIM resource, a SCIM message is a JSON object [RFC7159] that
+ contains a "schemas" attribute with a URI whose namespace prefix MUST
+ begin with "urn:ietf:params:scim:api:". As SCIM protocol messages
+ are fixed and defined by SCIM specifications and registered
+ extensions, SCIM message schemas using the above prefix URN SHALL NOT
+ be discoverable using the "/Schemas" endpoint.
+
+ As SCIM is intended for use in cross-domain scenarios where schema
+ and implementations may vary, techniques such as document validation
+ (e.g., [XML-Schema]) are not recommended. A SCIM service provider
+ interprets a request in the context of its own schema (which may be
+ different from the client's schema) and following the defined
+
+
+
+Hunt, et al. Standards Track [Page 8]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ processing rules for each request. The sections that follow define
+ the processing rules for SCIM and provide allowances for schema
+ differences where appropriate. For example, in a SCIM PUT request,
+ "readOnly" attributes are ignored, while "readWrite" attributes are
+ updated. There is no need for a SCIM client to discover which
+ attributes are "readOnly", and the client does not need to remove
+ them from a PUT request in order to be accepted. Similarly, a SCIM
+ client SHOULD NOT expect a service provider to return SCIM resources
+ with exactly the same schema and values as submitted. SCIM responses
+ SHALL reflect resource state as interpreted by the SCIM service
+ provider.
+
+3.2. SCIM Endpoints and HTTP Methods
+
+ The SCIM protocol specifies well-known endpoints and HTTP methods for
+ managing resources defined in the SCIM Core Schema document
+ ([RFC7643]); i.e., "User" and "Group" resources correspond to
+ "/Users" and "/Groups", respectively. Service providers that support
+ extended resources SHOULD define resource endpoints using the
+ convention of pluralizing the resource name defined in the extended
+ schema, by appending an 's'. Given that there are cases where
+ resource pluralization is ambiguous, e.g., a resource named "Person"
+ is legitimately "Persons" and "People", clients SHOULD discover
+ resource endpoints via the "/ResourceTypes" endpoint.
+
+ HTTP SCIM Usage
+ Method
+ ------ --------------------------------------------------------------
+ GET Retrieves one or more complete or partial resources.
+
+ POST Depending on the endpoint, creates new resources, creates a
+ search request, or MAY be used to bulk-modify resources.
+
+ PUT Modifies a resource by replacing existing attributes with a
+ specified set of replacement attributes (replace). PUT
+ MUST NOT be used to create new resources.
+
+ PATCH Modifies a resource with a set of client-specified changes
+ (partial update).
+
+ DELETE Deletes a resource.
+
+ Table 1: SCIM HTTP Methods
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 9]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Resource Endpoint Operations Description
+ -------- ---------------- ---------------------- --------------------
+ User /Users GET (Section 3.4.1), Retrieve, add,
+ POST (Section 3.3), modify Users.
+ PUT (Section 3.5.1),
+ PATCH (Section 3.5.2),
+ DELETE (Section 3.6)
+
+ Group /Groups GET (Section 3.4.1), Retrieve, add,
+ POST (Section 3.3), modify Groups.
+ PUT (Section 3.5.1),
+ PATCH (Section 3.5.2),
+ DELETE (Section 3.6)
+
+ Self /Me GET, POST, PUT, PATCH, Alias for operations
+ DELETE (Section 3.11) against a resource
+ mapped to an
+ authenticated
+ subject (e.g.,
+ User).
+
+ Service /ServiceProvider GET (Section 4) Retrieve service
+ provider Config provider's
+ config. configuration.
+
+ Resource /ResourceTypes GET (Section 4) Retrieve supported
+ type resource types.
+
+ Schema /Schemas GET (Section 4) Retrieve one or more
+ supported schemas.
+
+ Bulk /Bulk POST (Section 3.7) Bulk updates to one
+ or more resources.
+
+ Search [prefix]/.search POST (Section 3.4.3) Search from system
+ root or within a
+ resource endpoint
+ for one or more
+ resource types using
+ POST.
+
+ Table 2: Defined Endpoints
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 10]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ All requests to the service provider are made via HTTP methods as per
+ Section 4.3 of [RFC7231] on a URL derived from the Base URL.
+ Responses are returned in the body of the HTTP response, formatted as
+ JSON. Error status codes SHOULD be transmitted via the HTTP status
+ code of the response (if possible) and SHOULD also be specified in
+ the body of the response (see Section 3.12).
+
+3.3. Creating Resources
+
+ To create new resources, clients send HTTP POST requests to the
+ resource endpoint, such as "/Users" or "/Groups", as defined by the
+ associated resource type endpoint discovery (see Section 4).
+
+ The server SHALL process attributes according to the following
+ mutability rules:
+
+ o In the request body, attributes whose mutability is "readOnly"
+ (see Sections 2.2 and 7 of [RFC7643]) SHALL be ignored.
+
+ o Attributes whose mutability is "readWrite" (see Section 2.2 of
+ [RFC7643]) and that are omitted from the request body MAY be
+ assumed to be not asserted by the client. The service provider
+ MAY assign a default value to non-asserted attributes in the final
+ resource representation.
+
+ o Service providers MAY take into account whether or not a client
+ has access to all of the resource's attributes when deciding
+ whether or not non-asserted attributes should be defaulted.
+
+ o Clients that intend to override existing or server-defaulted
+ values for attributes MAY specify "null" for a single-valued
+ attribute or an empty array "[]" for a multi-valued attribute to
+ clear all values.
+
+ When the service provider successfully creates the new resource, an
+ HTTP response SHALL be returned with HTTP status code 201 (Created).
+ The response body SHOULD contain the service provider's
+ representation of the newly created resource. The URI of the created
+ resource SHALL include, in the HTTP "Location" header and the HTTP
+ body, a JSON representation [RFC7159] with the attribute
+ "meta.location". Since the server is free to alter and/or ignore
+ POSTed content, returning the full representation can be useful to
+ the client, enabling it to correlate the client's and server's views
+ of the new resource.
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 11]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ If the service provider determines that the creation of the requested
+ resource conflicts with existing resources (e.g., a "User" resource
+ with a duplicate "userName"), the service provider MUST return HTTP
+ status code 409 (Conflict) with a "scimType" error code of
+ "uniqueness", as per Section 3.12.
+
+ In the following example, a client sends a POST request containing a
+ "User" to the "/Users" endpoint.
+
+ POST /Users HTTP/1.1
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ Content-Length: ...
+
+ {
+ "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "userName":"bjensen",
+ "externalId":"bjensen",
+ "name":{
+ "formatted":"Ms. Barbara J Jensen III",
+ "familyName":"Jensen",
+ "givenName":"Barbara"
+ }
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 12]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ In response to the example request above, the server signals a
+ successful creation with an HTTP status code 201 (Created) and
+ returns a representation of the resource created:
+
+ HTTP/1.1 201 Created
+ Content-Type: application/scim+json
+ Location:
+ https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
+ ETag: W/"e180ee84f0671b1"
+
+ {
+ "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "id":"2819c223-7f76-453a-919d-413861904646",
+ "externalId":"bjensen",
+ "meta":{
+ "resourceType":"User",
+ "created":"2011-08-01T21:32:44.882Z",
+ "lastModified":"2011-08-01T21:32:44.882Z",
+ "location":
+ "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
+ "version":"W\/\"e180ee84f0671b1\""
+ },
+ "name":{
+ "formatted":"Ms. Barbara J Jensen III",
+ "familyName":"Jensen",
+ "givenName":"Barbara"
+ },
+ "userName":"bjensen"
+ }
+
+3.3.1. Resource Types
+
+ When adding a resource to a specific endpoint, the meta attribute
+ "resourceType" SHALL be set by the HTTP service provider to the
+ corresponding resource type for the endpoint. For example, a POST to
+ the endpoint "/Users" will set "resourceType" to "User", and
+ "/Groups" will set "resourceType" to "Group".
+
+3.4. Retrieving Resources
+
+ Resources MAY be retrieved via opaque, unique URLs or via queries
+ (see Section 3.4.2). The attributes returned are defined in the
+ server's attribute schema (see Section 8.7 of [RFC7643]) and may be
+ modified by request parameters (see Section 3.9). By default,
+ resource attributes returned in a response are those attributes whose
+ characteristic "returned" setting is "always" or "default" (see
+ Section 2.2 of [RFC7643]).
+
+
+
+
+Hunt, et al. Standards Track [Page 13]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.4.1. Retrieving a Known Resource
+
+ To retrieve a known resource, clients send GET requests to the
+ resource endpoint, e.g., "/Users/{id}", "/Groups/{id}", or
+ "/Schemas/{id}", where "{id}" is a resource identifier (for example,
+ the value of the "id" attribute).
+
+ If the resource exists, the server responds with HTTP status code 200
+ (OK) and includes the result in the body of the response.
+
+ The example below retrieves a single User via the "/Users" endpoint.
+
+ GET /Users/2819c223-7f76-453a-919d-413861904646
+ Host: example.com
+ Accept: application/scim+json
+ Authorization: Bearer h480djs93hd8
+
+ The server responds with:
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+ Location:
+ https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
+ ETag: W/"f250dd84f0671c3"
+
+ {
+ "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "id":"2819c223-7f76-453a-919d-413861904646",
+ "externalId":"bjensen",
+ "meta":{
+ "resourceType":"User",
+ "created":"2011-08-01T18:29:49.793Z",
+ "lastModified":"2011-08-01T18:29:49.793Z",
+ "location":
+ "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
+ "version":"W\/\"f250dd84f0671c3\""
+ },
+ "name":{
+ "formatted":"Ms. Barbara J Jensen III",
+ "familyName":"Jensen",
+ "givenName":"Barbara"
+ },
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 14]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ "userName":"bjensen",
+ "phoneNumbers":[
+ {
+ "value":"555-555-8377",
+ "type":"work"
+ }
+ ],
+ "emails":[
+ {
+ "value":"bjensen@example.com",
+ "type":"work"
+ }
+ ]
+ }
+
+3.4.2. Query Resources
+
+ The SCIM protocol defines a standard set of query parameters that can
+ be used to filter, sort, and paginate to return zero or more
+ resources in a query response. Queries MAY be made against a single
+ resource or a resource type endpoint (e.g., "/Users"), or the service
+ provider Base URI. SCIM service providers MAY support additional
+ query parameters not specified here and SHOULD ignore any query
+ parameters they do not recognize instead of rejecting the query for
+ versioning compatibility reasons.
+
+ Responses MUST be identified using the following URI:
+ "urn:ietf:params:scim:api:messages:2.0:ListResponse". The following
+ attributes are defined for responses:
+
+ totalResults The total number of results returned by the list or
+ query operation. The value may be larger than the number of
+ resources returned, such as when returning a single page (see
+ Section 3.4.2.4) of results where multiple pages are available.
+ REQUIRED.
+
+ Resources A multi-valued list of complex objects containing the
+ requested resources. This MAY be a subset of the full set of
+ resources if pagination (Section 3.4.2.4) is requested. REQUIRED
+ if "totalResults" is non-zero.
+
+ startIndex The 1-based index of the first result in the current set
+ of list results. REQUIRED when partial results are returned due
+ to pagination.
+
+ itemsPerPage The number of resources returned in a list response
+ page. REQUIRED when partial results are returned due to
+ pagination.
+
+
+
+Hunt, et al. Standards Track [Page 15]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ A query that does not return any matches SHALL return success (HTTP
+ status code 200) with "totalResults" set to a value of 0.
+
+ The example query below requests the userName for all Users:
+
+ GET /Users?attributes=userName
+ Host: example.com
+ Accept: application/scim+json
+ Authorization: Bearer h480djs93hd8
+
+ The following is an example response to the query above:
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+
+ {
+ "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+ "totalResults":2,
+ "Resources":[
+ {
+ "id":"2819c223-7f76-453a-919d-413861904646",
+ "userName":"bjensen"
+ },
+ {
+ "id":"c75ad752-64ae-4823-840d-ffa80929976c",
+ "userName":"jsmith"
+ }
+ ]
+ }
+
+ Note that in the above example, "id" is returned because the "id"
+ attribute has the "returned" characteristic of "always".
+
+3.4.2.1. Query Endpoints
+
+ Queries MAY be performed against a SCIM resource object, a resource
+ type endpoint, or a SCIM server root. For example:
+
+ "/Users/{id}"
+
+ "/Users"
+
+ "/Groups"
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 16]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ A query against a server root indicates that all resources within the
+ server SHALL be included, subject to filtering. A filter expression
+ using "meta.resourceType" MAY be used to restrict results to one or
+ more specific resource types (to exclude others). For example:
+
+ filter=(meta.resourceType eq User) or (meta.resourceType eq Group)
+
+ If a SCIM service provider determines that too many results would be
+ returned (e.g., because a client queried a resource type endpoint or
+ the server base URI), the server SHALL reject the request by
+ returning an HTTP response with HTTP status code 400 (Bad Request)
+ and JSON attribute "scimType" set to "tooMany" (see Table 9).
+
+ When processing query operations using endpoints that include more
+ than one SCIM resource type (e.g., a query from the server root
+ endpoint), filters MUST be processed as outlined in Section 3.4.2.2.
+ For filtered attributes that are not part of a particular resource
+ type, the service provider SHALL treat the attribute as if there is
+ no attribute value. For example, a presence or equality filter for
+ an undefined attribute evaluates to false.
+
+3.4.2.2. Filtering
+
+ Filtering is an OPTIONAL parameter for SCIM service providers.
+ Clients MAY discover service provider filter capabilities by looking
+ at the "filter" attribute of the "ServiceProviderConfig" endpoint
+ (see Section 4). Clients MAY request a subset of resources by
+ specifying the "filter" query parameter containing a filter
+ expression. When specified, only those resources matching the filter
+ expression SHALL be returned. The expression language that is used
+ with the filter parameter supports references to attributes and
+ literals.
+
+ Attribute names and attribute operators used in filters are case
+ insensitive. For example, the following two expressions will
+ evaluate to the same logical value:
+
+ filter=userName Eq "john"
+
+ filter=Username eq "john"
+
+ The filter parameter MUST contain at least one valid expression (see
+ Table 3). Each expression MUST contain an attribute name followed by
+ an attribute operator and optional value. Multiple expressions MAY
+ be combined using logical operators (see Table 4). Expressions MAY
+ be grouped together using round brackets "(" and ")" (see Table 5).
+
+
+
+
+
+Hunt, et al. Standards Track [Page 17]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The operators supported in the expression are listed in Table 3.
+
+ +----------+-------------+------------------------------------------+
+ | Operator | Description | Behavior |
+ +----------+-------------+------------------------------------------+
+ | eq | equal | The attribute and operator values must |
+ | | | be identical for a match. |
+ | | | |
+ | ne | not equal | The attribute and operator values are |
+ | | | not identical. |
+ | | | |
+ | co | contains | The entire operator value must be a |
+ | | | substring of the attribute value for a |
+ | | | match. |
+ | | | |
+ | sw | starts with | The entire operator value must be a |
+ | | | substring of the attribute value, |
+ | | | starting at the beginning of the |
+ | | | attribute value. This criterion is |
+ | | | satisfied if the two strings are |
+ | | | identical. |
+ | | | |
+ | ew | ends with | The entire operator value must be a |
+ | | | substring of the attribute value, |
+ | | | matching at the end of the attribute |
+ | | | value. This criterion is satisfied if |
+ | | | the two strings are identical. |
+ | | | |
+ | pr | present | If the attribute has a non-empty or |
+ | | (has value) | non-null value, or if it contains a |
+ | | | non-empty node for complex attributes, |
+ | | | there is a match. |
+ | | | |
+ | gt | greater | If the attribute value is greater than |
+ | | than | the operator value, there is a match. |
+ | | | The actual comparison is dependent on |
+ | | | the attribute type. For string |
+ | | | attribute types, this is a |
+ | | | lexicographical comparison, and for |
+ | | | DateTime types, it is a chronological |
+ | | | comparison. For integer attributes, it |
+ | | | is a comparison by numeric value. |
+ | | | Boolean and Binary attributes SHALL |
+ | | | cause a failed response (HTTP status |
+ | | | code 400) with "scimType" of |
+ | | | "invalidFilter". |
+ | | | |
+
+
+
+
+Hunt, et al. Standards Track [Page 18]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ | ge | greater | If the attribute value is greater than |
+ | | than or | or equal to the operator value, there is |
+ | | equal to | a match. The actual comparison is |
+ | | | dependent on the attribute type. For |
+ | | | string attribute types, this is a |
+ | | | lexicographical comparison, and for |
+ | | | DateTime types, it is a chronological |
+ | | | comparison. For integer attributes, it |
+ | | | is a comparison by numeric value. |
+ | | | Boolean and Binary attributes SHALL |
+ | | | cause a failed response (HTTP status |
+ | | | code 400) with "scimType" of |
+ | | | "invalidFilter". |
+ | | | |
+ | lt | less than | If the attribute value is less than the |
+ | | | operator value, there is a match. The |
+ | | | actual comparison is dependent on the |
+ | | | attribute type. For string attribute |
+ | | | types, this is a lexicographical |
+ | | | comparison, and for DateTime types, it |
+ | | | is a chronological comparison. For |
+ | | | integer attributes, it is a comparison |
+ | | | by numeric value. Boolean and Binary |
+ | | | attributes SHALL cause a failed response |
+ | | | (HTTP status code 400) with "scimType" |
+ | | | of "invalidFilter". |
+ | | | |
+ | le | less than | If the attribute value is less than or |
+ | | or equal to | equal to the operator value, there is a |
+ | | | match. The actual comparison is |
+ | | | dependent on the attribute type. For |
+ | | | string attribute types, this is a |
+ | | | lexicographical comparison, and for |
+ | | | DateTime types, it is a chronological |
+ | | | comparison. For integer attributes, it |
+ | | | is a comparison by numeric value. |
+ | | | Boolean and Binary attributes SHALL |
+ | | | cause a failed response (HTTP status |
+ | | | code 400) with "scimType" of |
+ | | | "invalidFilter". |
+ +----------+-------------+------------------------------------------+
+
+ Table 3: Attribute Operators
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 19]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ +----------+-------------+------------------------------------------+
+ | Operator | Description | Behavior |
+ +----------+-------------+------------------------------------------+
+ | and | Logical | The filter is only a match if both |
+ | | "and" | expressions evaluate to true. |
+ | | | |
+ | or | Logical | The filter is a match if either |
+ | | "or" | expression evaluates to true. |
+ | | | |
+ | not | "Not" | The filter is a match if the expression |
+ | | function | evaluates to false. |
+ +----------+-------------+------------------------------------------+
+
+ Table 4: Logical Operators
+
+
+ +----------+-------------+------------------------------------------+
+ | Operator | Description | Behavior |
+ +----------+-------------+------------------------------------------+
+ | ( ) | Precedence | Boolean expressions MAY be grouped using |
+ | | grouping | parentheses to change the standard order |
+ | | | of operations, i.e., to evaluate logical |
+ | | | "or" operators before logical "and" |
+ | | | operators. |
+ | | | |
+ | [ ] | Complex | Service providers MAY support complex |
+ | | attribute | filters where expressions MUST be |
+ | | filter | applied to the same value of a parent |
+ | | grouping | attribute specified immediately before |
+ | | | the left square bracket ("["). The |
+ | | | expression within square brackets ("[" |
+ | | | and "]") MUST be a valid filter |
+ | | | expression based upon sub-attributes of |
+ | | | the parent attribute. Nested |
+ | | | expressions MAY be used. See examples |
+ | | | below. |
+ +----------+-------------+------------------------------------------+
+
+ Table 5: Grouping Operators
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 20]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ SCIM filters MUST conform to the following ABNF [RFC5234] rules as
+ specified below:
+
+ FILTER = attrExp / logExp / valuePath / *1"not" "(" FILTER ")"
+
+ valuePath = attrPath "[" valFilter "]"
+ ; FILTER uses sub-attributes of a parent attrPath
+
+ valFilter = attrExp / logExp / *1"not" "(" valFilter ")"
+
+ attrExp = (attrPath SP "pr") /
+ (attrPath SP compareOp SP compValue)
+
+ logExp = FILTER SP ("and" / "or") SP FILTER
+
+ compValue = false / null / true / number / string
+ ; rules from JSON (RFC 7159)
+
+ compareOp = "eq" / "ne" / "co" /
+ "sw" / "ew" /
+ "gt" / "lt" /
+ "ge" / "le"
+
+ attrPath = [URI ":"] ATTRNAME *1subAttr
+ ; SCIM attribute name
+ ; URI is SCIM "schema" URI
+
+ ATTRNAME = ALPHA *(nameChar)
+
+ nameChar = "-" / "_" / DIGIT / ALPHA
+
+ subAttr = "." ATTRNAME
+ ; a sub-attribute of a complex attribute
+
+ Figure 1: ABNF Specification of SCIM Filters
+
+ In the above ABNF rules, the "compValue" (comparison value) rule is
+ built on JSON Data Interchange format ABNF rules as specified in
+ [RFC7159], "DIGIT" and "ALPHA" are defined per Appendix B.1 of
+ [RFC5234], and "URI" is defined per Appendix A of [RFC3986].
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 21]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Filters MUST be evaluated using the following order of operations, in
+ order of precedence:
+
+ 1. Grouping operators
+
+ 2. Logical operators - where "not" takes precedence over "and",
+ which takes precedence over "or"
+
+ 3. Attribute operators
+
+ If the specified attribute in a filter expression is a multi-valued
+ attribute, the filter matches if any of the values of the specified
+ attribute match the specified criterion; e.g., if a User has multiple
+ "emails" values, only one has to match for the entire User to match.
+ For complex attributes, a fully qualified sub-attribute MUST be
+ specified using standard attribute notation (Section 3.10). For
+ example, to filter by userName, the parameter value is "userName".
+ To filter by first name, the parameter value is "name.givenName".
+
+ When applying a comparison (e.g., "eq") or presence filter (e.g.,
+ "pr") to a defaulted attribute, the service provider SHALL use the
+ value that was returned to the client that last created or modified
+ the attribute.
+
+ Providers MAY support additional filter operations if they choose.
+ Providers MUST decline to filter results if the specified filter
+ operation is not recognized and return an HTTP 400 error with a
+ "scimType" error of "invalidFilter" and an appropriate human-readable
+ response as per Section 3.12. For example, if a client specified an
+ unsupported operator named 'regex', the service provider should
+ specify an error response description identifying the client error,
+ e.g., 'The operator 'regex' is not supported.'
+
+ When comparing attributes of type String, the case sensitivity for
+ String type attributes SHALL be determined by the attribute's
+ "caseExact" characteristic (see Section 2.2 of [RFC7643]).
+
+ Clients MAY query by schema or schema extensions by using a filter
+ expression including the "schemas" attribute (as shown in Figure 2).
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 22]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The following are examples of valid filters. Some attributes (e.g.,
+ rooms and rooms.number) are hypothetical extensions and are not part
+ of the SCIM core schema:
+
+filter=userName eq "bjensen"
+
+filter=name.familyName co "O'Malley"
+
+filter=userName sw "J"
+
+filter=urn:ietf:params:scim:schemas:core:2.0:User:userName sw "J"
+
+filter=title pr
+
+filter=meta.lastModified gt "2011-05-13T04:42:34Z"
+
+filter=meta.lastModified ge "2011-05-13T04:42:34Z"
+
+filter=meta.lastModified lt "2011-05-13T04:42:34Z"
+
+filter=meta.lastModified le "2011-05-13T04:42:34Z"
+
+filter=title pr and userType eq "Employee"
+
+filter=title pr or userType eq "Intern"
+
+filter=
+ schemas eq "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
+
+filter=userType eq "Employee" and (emails co "example.com" or
+ emails.value co "example.org")
+
+filter=userType ne "Employee" and not (emails co "example.com" or
+ emails.value co "example.org")
+
+filter=userType eq "Employee" and (emails.type eq "work")
+
+filter=userType eq "Employee" and emails[type eq "work" and
+ value co "@example.com"]
+
+filter=emails[type eq "work" and value co "@example.com"] or
+ ims[type eq "xmpp" and value co "@foo.com"]
+
+ Figure 2: Example Filters
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 23]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.4.2.3. Sorting
+
+ Sort is OPTIONAL. Clients MAY discover sort capability by looking at
+ the "sort" attribute of the service provider configuration (see
+ Section 4). Sorting allows clients to specify the order in which
+ resources are returned by specifying a combination of "sortBy" and
+ "sortOrder" URL parameters.
+
+ sortBy The "sortBy" parameter specifies the attribute whose value
+ SHALL be used to order the returned responses. If the "sortBy"
+ attribute corresponds to a singular attribute, resources are
+ sorted according to that attribute's value; if it's a multi-valued
+ attribute, resources are sorted by the value of the primary
+ attribute (see Section 2.4 of [RFC7643]), if any, or else the
+ first value in the list, if any. If the attribute is complex, the
+ attribute name must be a path to a sub-attribute in standard
+ attribute notation (Section 3.10), e.g., "sortBy=name.givenName".
+ For all attribute types, if there is no data for the specified
+ "sortBy" value, they are sorted via the "sortOrder" parameter,
+ i.e., they are ordered last if ascending and first if descending.
+
+ sortOrder The order in which the "sortBy" parameter is applied.
+ Allowed values are "ascending" and "descending". If a value for
+ "sortBy" is provided and no "sortOrder" is specified, "sortOrder"
+ SHALL default to ascending. String type attributes are case
+ insensitive by default, unless the attribute type is defined as a
+ case-exact string. "sortOrder" MUST sort according to the
+ attribute type; i.e., for case-insensitive attributes, sort the
+ result using case-insensitive Unicode alphabetic sort order with
+ no specific locale implied, and for case-exact attribute types,
+ sort the result using case-sensitive Unicode alphabetic sort
+ order.
+
+3.4.2.4. Pagination
+
+ Pagination parameters can be used together to "page through" large
+ numbers of resources so as not to overwhelm the client or service
+ provider. Because pagination is not stateful, clients MUST be
+ prepared to handle inconsistent results. For example, a request for
+ a list of 10 resources beginning with a startIndex of 1 MAY return
+ different results when repeated, since resources on the service
+ provider may have changed between requests. Pagination parameters
+ and general behavior are derived from the OpenSearch Protocol
+ [OpenSearch].
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 24]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Table 6 describes the URL pagination parameters.
+
+ +------------+----------------------------+-------------------------+
+ | Parameter | Description | Default |
+ +------------+----------------------------+-------------------------+
+ | startIndex | The 1-based index of the | 1 |
+ | | first query result. A | |
+ | | value less than 1 SHALL be | |
+ | | interpreted as 1. | |
+ | | | |
+ | count | Non-negative integer. | None. When specified, |
+ | | Specifies the desired | the service provider |
+ | | maximum number of query | MUST NOT return more |
+ | | results per page, e.g., | results than specified, |
+ | | 10. A negative value | although it MAY return |
+ | | SHALL be interpreted as | fewer results. If |
+ | | "0". A value of "0" | unspecified, the |
+ | | indicates that no resource | maximum number of |
+ | | results are to be returned | results is set by the |
+ | | except for "totalResults". | service provider. |
+ +------------+----------------------------+-------------------------+
+
+ Table 6: Pagination Request Parameters
+
+
+ Table 7 describes the query response pagination attributes specified
+ by the service provider.
+
+ +--------------+----------------------------------------------------+
+ | Element | Description |
+ +--------------+----------------------------------------------------+
+ | itemsPerPage | Non-negative integer. Specifies the number of |
+ | | query results returned in a query response page, |
+ | | e.g., 10. |
+ | | |
+ | totalResults | Non-negative integer. Specifies the total number |
+ | | of results matching the client query, e.g., 1000. |
+ | | |
+ | startIndex | The 1-based index of the first result in the |
+ | | current set of query results, e.g., 1. |
+ +--------------+----------------------------------------------------+
+
+ Table 7: Pagination Response Elements
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 25]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ For example, to retrieve the first 10 Users, set the startIndex to 1
+ and the count to 10:
+
+ GET /Users?startIndex=1&count=10
+ Host: example.com
+ Accept: application/scim+json
+ Authorization: Bearer h480djs93hd8
+
+ The response to the query above returns metadata regarding paging
+ similar to the following example (actual resources removed for
+ brevity):
+
+ {
+ "totalResults":100,
+ "itemsPerPage":10,
+ "startIndex":1,
+ "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+ "Resources":[{
+ ...
+ }]
+ }
+
+ Figure 3: ListResponse Format for Returning Multiple Resources
+
+ Given the example above, to continue paging, set the startIndex to 11
+ and re-fetch, i.e., /Users?startIndex=11&count=10.
+
+3.4.2.5. Attributes
+
+ The following attributes control which attributes SHALL be returned
+ with a returned resource. SCIM clients MAY use one of these two
+ OPTIONAL parameters, which MUST be supported by SCIM service
+ providers:
+
+ attributes A multi-valued list of strings indicating the names of
+ resource attributes to return in the response, overriding the set
+ of attributes that would be returned by default. Attribute names
+ MUST be in standard attribute notation (Section 3.10) form. See
+ Section 3.9 for additional retrieval query parameters.
+
+ excludedAttributes A multi-valued list of strings indicating the
+ names of resource attributes to be removed from the default set of
+ attributes to return. This parameter SHALL have no effect on
+ attributes whose schema "returned" setting is "always" (see
+ Sections 2.2 and 7 of [RFC7643]). Attribute names MUST be in
+ standard attribute notation (Section 3.10) form. See Section 3.9
+ for additional retrieval query parameters.
+
+
+
+
+Hunt, et al. Standards Track [Page 26]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.4.3. Querying Resources Using HTTP POST
+
+ Clients MAY execute queries without passing parameters on the URL by
+ using the HTTP POST verb combined with the "/.search" path extension.
+ The inclusion of "/.search" on the end of a valid SCIM endpoint SHALL
+ be used to indicate that the HTTP POST verb is intended to be a query
+ operation.
+
+ To create a new query result set, a SCIM client sends an HTTP POST
+ request to the desired SCIM resource endpoint (ending in "/.search").
+ The body of the POST request MAY include any of the parameters
+ defined in Section 3.4.2.
+
+ Query requests MUST be identified using the following URI:
+ "urn:ietf:params:scim:api:messages:2.0:SearchRequest". The following
+ attributes are defined for query requests:
+
+ attributes A multi-valued list of strings indicating the names of
+ resource attributes to return in the response, overriding the set
+ of attributes that would be returned by default. Attribute names
+ MUST be in standard attribute notation (Section 3.10) form. See
+ Section 3.9 for additional retrieval query parameters. OPTIONAL.
+
+ excludedAttributes A multi-valued list of strings indicating the
+ names of resource attributes to be removed from the default set of
+ attributes to return. This parameter SHALL have no effect on
+ attributes whose schema "returned" setting is "always" (see
+ Sections 2.2 and 7 of [RFC7643]). Attribute names MUST be in
+ standard attribute notation (Section 3.10) form. See Section 3.9
+ for additional retrieval query parameters. OPTIONAL.
+
+ filter The filter string used to request a subset of resources. The
+ filter string MUST be a valid filter (Section 3.4.2.2) expression.
+ OPTIONAL.
+
+ sortBy A string indicating the attribute whose value SHALL be used
+ to order the returned responses. The "sortBy" attribute MUST be
+ in standard attribute notation (Section 3.10) form. See
+ Section 3.4.2.3. OPTIONAL.
+
+ sortOrder A string indicating the order in which the "sortBy"
+ parameter is applied. Allowed values are "ascending" and
+ "descending". See Section 3.4.2.3. OPTIONAL.
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 27]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ startIndex An integer indicating the 1-based index of the first
+ query result. See Section 3.4.2.4. OPTIONAL.
+
+ count An integer indicating the desired maximum number of query
+ results per page. See Section 3.4.2.4. OPTIONAL.
+
+ After receiving an HTTP POST request, a response is returned as
+ specified in Section 3.4.2.
+
+ The following example shows an HTTP POST Query request with search
+ parameters "attributes", "filter", and "count" included:
+
+ POST /.search
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ Content-Length: ...
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
+ "attributes": ["displayName", "userName"],
+ "filter":
+ "displayName sw \"smith\"",
+ "startIndex": 1,
+ "count": 10
+ }
+
+ Figure 4: Example POST Query Request
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 28]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The example below shows a query response with the first page of
+ results. For brevity, only two matches are shown: one User and
+ one Group.
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+ Location: https://example.com/.search
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+ "totalResults":100,
+ "itemsPerPage":10,
+ "startIndex":1,
+ "Resources":[
+ {
+ "id":"2819c223-7f76-413861904646",
+ "userName":"jsmith",
+ "displayName":"Smith, James"
+ },
+ {
+ "id":"c8596b90-7539-4f20968d1908",
+ "displayName":"Smith Family"
+ },
+ ...
+ ]
+ }
+
+ Figure 5: Example POST Query Response
+
+3.5. Modifying Resources
+
+ Resources can be modified in whole or in part using HTTP PUT or HTTP
+ PATCH, respectively. Implementers MUST support HTTP PUT as specified
+ in Section 4.3 of [RFC7231]. Resources such as Groups may be very
+ large; hence, implementers SHOULD support HTTP PATCH [RFC5789] to
+ enable partial resource modifications. Service provider support for
+ HTTP PATCH may be discovered by querying the service provider
+ configuration (see Section 4).
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 29]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.5.1. Replacing with PUT
+
+ HTTP PUT is used to replace a resource's attributes. For example,
+ clients that have previously retrieved the entire resource in advance
+ and revised it MAY replace the resource using an HTTP PUT. Because
+ SCIM resource identifiers are assigned by the service provider, HTTP
+ PUT MUST NOT be used to create new resources.
+
+ As the operation's intent is to replace all attributes, SCIM clients
+ MAY send all attributes, regardless of each attribute's mutability.
+ The server will apply attribute-by-attribute replacements according
+ to the following attribute mutability rules:
+
+ readWrite, writeOnly Any values provided SHALL replace the existing
+ attribute values.
+
+ Attributes whose mutability is "readWrite" that are omitted from
+ the request body MAY be assumed to be not asserted by the client.
+ The service provider MAY assume that any existing values are to be
+ cleared, or the service provider MAY assign a default value to the
+ final resource representation. Service providers MAY take into
+ account whether or not a client has access to, or understands, all
+ of the resource's attributes when deciding whether non-asserted
+ attributes SHALL be removed or defaulted. Clients that want to
+ override a server's defaults MAY specify "null" for a
+ single-valued attribute, or an empty array "[]" for a multi-valued
+ attribute, to clear all values.
+
+ immutable If one or more values are already set for the attribute,
+ the input value(s) MUST match, or HTTP status code 400 SHOULD be
+ returned with a "scimType" error code of "mutability". If the
+ service provider has no existing values, the new value(s) SHALL be
+ applied.
+
+ readOnly Any values provided SHALL be ignored.
+
+ If an attribute is "required", clients MUST specify the attribute in
+ the PUT request.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 30]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Unless otherwise specified, a successful PUT operation returns a 200
+ OK response code and the entire resource within the response body,
+ enabling the client to correlate the client's and the service
+ provider's views of the updated resource. For example:
+
+ PUT /Users/2819c223-7f76-453a-919d-413861904646
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ {
+ "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "id":"2819c223-7f76-453a-919d-413861904646",
+ "userName":"bjensen",
+ "externalId":"bjensen",
+ "name":{
+ "formatted":"Ms. Barbara J Jensen III",
+ "familyName":"Jensen",
+ "givenName":"Barbara",
+ "middleName":"Jane"
+ },
+ "roles":[],
+ "emails":[
+ {
+ "value":"bjensen@example.com"
+ },
+ {
+ "value":"babs@jensen.org"
+ }
+ ]
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 31]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The service responds with the entire updated User:
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+ ETag: W/"b431af54f0671a2"
+ Location:
+ "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
+
+ {
+ "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "id":"2819c223-7f76-453a-919d-413861904646",
+ "userName":"bjensen",
+ "externalId":"bjensen",
+ "name":{
+ "formatted":"Ms. Barbara J Jensen III",
+ "familyName":"Jensen",
+ "givenName":"Barbara",
+ "middleName":"Jane"
+ },
+ "emails":[
+ {
+ "value":"bjensen@example.com"
+ },
+ {
+ "value":"babs@jensen.org"
+ }
+ ],
+ "meta": {
+ "resourceType":"User",
+ "created":"2011-08-08T04:56:22Z",
+ "lastModified":"2011-08-08T08:00:12Z",
+ "location":
+ "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
+ "version":"W\/\"b431af54f0671a2\""
+ }
+ }
+
+3.5.2. Modifying with PATCH
+
+ HTTP PATCH is an OPTIONAL server function that enables clients to
+ update one or more attributes of a SCIM resource using a sequence of
+ operations to "add", "remove", or "replace" values. Clients may
+ discover service provider support for PATCH by querying the service
+ provider configuration (see Section 4).
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 32]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The general form of the SCIM PATCH request is based on JSON Patch
+ [RFC6902]. One difference between SCIM PATCH and JSON Patch is that
+ SCIM servers do not support array indexing and do not support
+ [RFC6902] operation types relating to array element manipulation,
+ such as "move".
+
+ The body of each request MUST contain the "schemas" attribute with
+ the URI value of "urn:ietf:params:scim:api:messages:2.0:PatchOp".
+
+ The body of an HTTP PATCH request MUST contain the attribute
+ "Operations", whose value is an array of one or more PATCH
+ operations. Each PATCH operation object MUST have exactly one "op"
+ member, whose value indicates the operation to perform and MAY be one
+ of "add", "remove", or "replace". The semantics of each operation
+ are defined in the following subsections.
+
+ The following is an example representation of a PATCH request showing
+ the basic JSON structure (non-normative):
+
+ { "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations":[
+ {
+ "op":"add",
+ "path":"members",
+ "value":[
+ {
+ "display": "Babs Jensen",
+ "$ref":
+ "https://example.com/v2/Users/2819c223...413861904646",
+ "value": "2819c223-7f76-453a-919d-413861904646"
+ }
+ ]
+ },
+ ... + additional operations if needed ...
+ ]
+ }
+
+ Figure 6: Example JSON Body for SCIM PATCH Request
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 33]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The "path" attribute value is a String containing an attribute path
+ describing the target of the operation. The "path" attribute is
+ OPTIONAL for "add" and "replace" and is REQUIRED for "remove"
+ operations. See relevant operation sections below for details.
+
+ The "path" attribute is described by the following ABNF syntax rule:
+
+ PATH = attrPath / valuePath [subAttr]
+
+ Figure 7: SCIM PATCH PATH Rule
+
+ The ABNF rules "attrPath", "valuePath", and "subAttr" are defined in
+ Section 3.4.2.2. The "valuePath" rule allows specific values of a
+ complex multi-valued attribute to be selected.
+
+ Valid examples of "path" are as follows:
+
+ "path":"members"
+
+ "path":"name.familyName"
+
+ "path":"addresses[type eq \"work\"]"
+
+ "path":"members[value eq
+ \"2819c223-7f76-453a-919d-413861904646\"]"
+
+ "path":"members[value eq
+ \"2819c223-7f76-453a-919d-413861904646\"].displayName"
+
+ Figure 8: Example Path Values
+
+ Each operation against an attribute MUST be compatible with the
+ attribute's mutability and schema as defined in Sections 2.2 and 2.3
+ of [RFC7643]. For example, a client MUST NOT modify an attribute
+ that has mutability "readOnly" or "immutable". However, a client MAY
+ "add" a value to an "immutable" attribute if the attribute had no
+ previous value. An operation that is not compatible with an
+ attribute's mutability or schema SHALL return the appropriate HTTP
+ response status code and a JSON detail error response as defined in
+ Section 3.12.
+
+ The attribute notation rules described in Section 3.10 apply for
+ describing attribute paths. For all operations, the value of the
+ "schemas" attribute on the SCIM service provider's representation of
+ the resource SHALL be assumed by default. If one of the PATCH
+ operations modifies the "schemas" attribute, subsequent operations
+ SHALL assume the modified state of the "schemas" attribute. Clients
+ MAY implicitly modify the "schemas" attribute by adding (or
+
+
+
+Hunt, et al. Standards Track [Page 34]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ replacing) an attribute with its fully qualified name, including
+ schema URN. For example, adding the attribute "urn:ietf:params:scim:
+ schemas:extension:enterprise:2.0:User:employeeNumber" automatically
+ adds the value
+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" to the
+ resource's "schemas" attribute.
+
+ Each PATCH operation represents a single action to be applied to the
+ same SCIM resource specified by the request URI. Operations are
+ applied sequentially in the order they appear in the array. Each
+ operation in the sequence is applied to the target resource; the
+ resulting resource becomes the target of the next operation.
+ Evaluation continues until all operations are successfully applied or
+ until an error condition is encountered.
+
+ For multi-valued attributes, a PATCH operation that sets a value's
+ "primary" sub-attribute to "true" SHALL cause the server to
+ automatically set "primary" to "false" for any other values in the
+ array.
+
+ A PATCH request, regardless of the number of operations, SHALL be
+ treated as atomic. If a single operation encounters an error
+ condition, the original SCIM resource MUST be restored, and a failure
+ status SHALL be returned.
+
+ If a request fails, the server SHALL return an HTTP response status
+ code and a JSON detail error response as defined in Section 3.12.
+
+ On successful completion, the server either MUST return a 200 OK
+ response code and the entire resource within the response body,
+ subject to the "attributes" query parameter (see Section 3.9), or MAY
+ return HTTP status code 204 (No Content) and the appropriate response
+ headers for a successful PATCH request. The server MUST return a 200
+ OK if the "attributes" parameter is specified in the request.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 35]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.5.2.1. Add Operation
+
+ The "add" operation is used to add a new attribute value to an
+ existing resource.
+
+ The operation MUST contain a "value" member whose content specifies
+ the value to be added. The value MAY be a quoted value, or it may be
+ a JSON object containing the sub-attributes of the complex attribute
+ specified in the operation's "path".
+
+ The result of the add operation depends upon what the target location
+ indicated by "path" references:
+
+ o If omitted, the target location is assumed to be the resource
+ itself. The "value" parameter contains a set of attributes to be
+ added to the resource.
+
+ o If the target location does not exist, the attribute and value are
+ added.
+
+ o If the target location specifies a complex attribute, a set of
+ sub-attributes SHALL be specified in the "value" parameter.
+
+ o If the target location specifies a multi-valued attribute, a new
+ value is added to the attribute.
+
+ o If the target location specifies a single-valued attribute, the
+ existing value is replaced.
+
+ o If the target location specifies an attribute that does not exist
+ (has no value), the attribute is added with the new value.
+
+ o If the target location exists, the value is replaced.
+
+ o If the target location already contains the value specified, no
+ changes SHOULD be made to the resource, and a success response
+ SHOULD be returned. Unless other operations change the resource,
+ this operation SHALL NOT change the modify timestamp of the
+ resource.
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 36]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The following example shows how to add a member to a group. Some
+ text was removed for readability (indicated by "..."):
+
+ PATCH /Groups/acbf3ae7-8463-...-9b4da3f908ce
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ { "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations":[
+ {
+ "op":"add",
+ "path":"members",
+ "value":[
+ {
+ "display": "Babs Jensen",
+ "$ref":
+ "https://example.com/v2/Users/2819c223...413861904646",
+ "value": "2819c223-7f76-453a-919d-413861904646"
+ }
+ ]
+ }
+ ]
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 37]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ If the user was already a member of this group, no changes should be
+ made to the resource, and a success response should be returned.
+ The server responds with either the entire updated Group or no
+ response body:
+
+ HTTP/1.1 204 No Content
+ Authorization: Bearer h480djs93hd8
+ ETag: W/"b431af54f0671a2"
+ Location:
+ "https://example.com/Groups/acbf3ae7-8463-...-9b4da3f908ce"
+
+ The following example shows how to add one or more attributes to a
+ User resource without using a "path" attribute.
+
+ PATCH /Users/2819c223-7f76-453a-919d-413861904646
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ {
+ "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations":[{
+ "op":"add",
+ "value":{
+ "emails":[
+ {
+ "value":"babs@jensen.org",
+ "type":"home"
+ }
+ ],
+ "nickname":"Babs"
+ }]
+ }
+
+ In the above example, an additional value is added to the
+ multi-valued attribute "emails". The second attribute, "nickname",
+ is added to the User resource. If the resource already had an
+ existing "nickname", the value is replaced per the processing rules
+ above for single-valued attributes.
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 38]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.5.2.2. Remove Operation
+
+ The "remove" operation removes the value at the target location
+ specified by the required attribute "path". The operation performs
+ the following functions, depending on the target location specified
+ by "path":
+
+ o If "path" is unspecified, the operation fails with HTTP status
+ code 400 and a "scimType" error code of "noTarget".
+
+ o If the target location is a single-value attribute, the attribute
+ and its associated value is removed, and the attribute SHALL be
+ considered unassigned.
+
+ o If the target location is a multi-valued attribute and no filter
+ is specified, the attribute and all values are removed, and the
+ attribute SHALL be considered unassigned.
+
+ o If the target location is a multi-valued attribute and a complex
+ filter is specified comparing a "value", the values matched by the
+ filter are removed. If no other values remain after removal of
+ the selected values, the multi-valued attribute SHALL be
+ considered unassigned.
+
+ o If the target location is a complex multi-valued attribute and a
+ complex filter is specified based on the attribute's
+ sub-attributes, the matching records are removed. Sub-attributes
+ whose values have been removed SHALL be considered unassigned. If
+ the complex multi-valued attribute has no remaining records, the
+ attribute SHALL be considered unassigned.
+
+ If an attribute is removed or becomes unassigned and is defined as a
+ required attribute or a read-only attribute, the server SHALL return
+ an HTTP response status code and a JSON detail error response as
+ defined in Section 3.12, with a "scimType" error code of
+ "mutability".
+
+ The following example shows how to remove a member from a group. As
+ with the previous example, the "display" sub-attribute is optional.
+ If the user was not a member of this group, no changes should be made
+ to the resource, and a success response should be returned.
+
+ Note that server responses have been omitted for the rest of the
+ PATCH examples.
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 39]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Remove a single member from a group. Some text was removed for
+ readability (indicated by "..."):
+
+ PATCH /Groups/acbf3ae7-8463-...-9b4da3f908ce
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ {
+ "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations":[{
+ "op":"remove",
+ "path":"members[value eq \"2819c223-7f76-...413861904646\"]"
+ }]
+ }
+
+ Remove all members of a group:
+
+ PATCH /Groups/acbf3ae7-8463-...-9b4da3f908ce
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ { "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations":[{
+ "op":"remove","path":"members"
+ }]
+ }
+
+ Removal of a value from a complex multi-valued attribute (request
+ headers removed for brevity):
+
+ {
+ "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations": [{
+ "op":"remove",
+ "path":"emails[type eq \"work\" and value ew \"example.com\"]"
+ }]
+ }
+
+
+
+
+
+Hunt, et al. Standards Track [Page 40]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Example request to remove and add a member. Some text was removed
+ for readability (indicated by "..."):
+
+ PATCH /Groups/acbf3ae7-8463-...-9b4da3f908ce
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ { "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations": [
+ {
+ "op":"remove",
+ "path":
+ "members[value eq\"2819c223...919d-413861904646\"]"
+ },
+ {
+ "op":"add",
+ "path":"members",
+ "value": [
+ {
+ "display": "James Smith",
+ "$ref":
+ "https://example.com/v2/Users/08e1d05d...473d93df9210",
+ "value": "08e1d05d...473d93df9210"
+ }
+ ]
+ }
+ ]
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 41]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The following example shows how to replace all of the members of a
+ group with a different members list. Some text was removed for
+ readability (indicated by "..."):
+
+ PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ {
+ "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations": [
+ {
+ "op":"remove","path":"members"
+ },
+ {
+ "op":"add",
+ "path":"members",
+ "value":[
+ {
+ "display": "Babs Jensen",
+ "$ref":
+ "https://example.com/v2/Users/2819c223...413861904646",
+ "value": "2819c223-7f76-453a-919d-413861904646"
+ },
+ {
+ "display": "James Smith",
+ "$ref":
+ "https://example.com/v2/Users/08e1d05d...473d93df9210",
+ "value": "08e1d05d-121c-4561-8b96-473d93df9210"
+ }]
+ }
+ ]
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 42]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.5.2.3. Replace Operation
+
+ The "replace" operation replaces the value at the target location
+ specified by the "path". The operation performs the following
+ functions, depending on the target location specified by "path":
+
+ o If the "path" parameter is omitted, the target is assumed to be
+ the resource itself. In this case, the "value" attribute SHALL
+ contain a list of one or more attributes that are to be replaced.
+
+ o If the target location is a single-value attribute, the attributes
+ value is replaced.
+
+ o If the target location is a multi-valued attribute and no filter
+ is specified, the attribute and all values are replaced.
+
+ o If the target location path specifies an attribute that does not
+ exist, the service provider SHALL treat the operation as an "add".
+
+ o If the target location specifies a complex attribute, a set of
+ sub-attributes SHALL be specified in the "value" parameter, which
+ replaces any existing values or adds where an attribute did not
+ previously exist. Sub-attributes that are not specified in the
+ "value" parameter are left unchanged.
+
+ o If the target location is a multi-valued attribute and a value
+ selection ("valuePath") filter is specified that matches one or
+ more values of the multi-valued attribute, then all matching
+ record values SHALL be replaced.
+
+ o If the target location is a complex multi-valued attribute with a
+ value selection filter ("valuePath") and a specific sub-attribute
+ (e.g., "addresses[type eq "work"].streetAddress"), the matching
+ sub-attribute of all matching records is replaced.
+
+ o If the target location is a multi-valued attribute for which a
+ value selection filter ("valuePath") has been supplied and no
+ record match was made, the service provider SHALL indicate failure
+ by returning HTTP status code 400 and a "scimType" error code of
+ "noTarget".
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 43]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The following example shows how to replace all of the members of a
+ group with a different members list in a single replace operation.
+ Some text was removed for readability (indicated by "..."):
+
+ PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ {
+ "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations": [{
+ "op":"replace",
+ "path":"members",
+ "value":[
+ {
+ "display": "Babs Jensen",
+ "$ref":
+ "https://example.com/v2/Users/2819c223...413861904646",
+ "value": "2819c223...413861904646"
+ },
+ {
+ "display": "James Smith",
+ "$ref":
+ "https://example.com/v2/Users/08e1d05d...473d93df9210",
+ "value": "08e1d05d...473d93df9210"
+ }
+ ]
+ }]
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 44]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The following example shows how to change a User's entire "work"
+ address, using a "valuePath" filter. Note that by setting "primary"
+ to "true", the service provider will reset "primary" to "false" for
+ any other existing values of "addresses".
+
+ PATCH /Users/2819c223-7f76-453a-919d-413861904646
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ {
+ "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations": [{
+ "op":"replace",
+ "path":"addresses[type eq \"work\"]",
+ "value":
+ {
+ "type": "work",
+ "streetAddress": "911 Universal City Plaza",
+ "locality": "Hollywood",
+ "region": "CA",
+ "postalCode": "91608",
+ "country": "US",
+ "formatted":
+ "911 Universal City Plaza\nHollywood, CA 91608 US",
+ "primary": true
+ }
+ }]
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 45]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The following example shows how to change a specific sub-attribute
+ "streetAddress" of complex attribute "emails" selected by a
+ "valuePath" filter:
+
+ PATCH /Users/2819c223-7f76-453a-919d-413861904646
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ {
+ "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations": [{
+ "op":"replace",
+ "path":"addresses[type eq \"work\"].streetAddress",
+ "value":"1010 Broadway Ave"
+ }]
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 46]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The following example shows how to replace all values of one or more
+ specific attributes of a User resource. Note that other attributes
+ are unaffected.
+
+ PATCH /Users/2819c223-7f76-453a-919d-413861904646
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"a330bc54f0671c9"
+
+ {
+ "schemas":
+ ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+ "Operations": [{
+ "op":"replace",
+ "value":{
+ "emails":[
+ {
+ "value":"bjensen@example.com",
+ "type":"work",
+ "primary":true
+ },
+ {
+ "value":"babs@jensen.org",
+ "type":"home"
+ }
+ ],
+ "nickname":"Babs"
+ }]
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 47]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.6. Deleting Resources
+
+ Clients request resource removal via DELETE. Service providers MAY
+ choose not to permanently delete the resource but MUST return a 404
+ (Not Found) error code for all operations associated with the
+ previously deleted resource. Service providers MUST omit the
+ resource from future query results. In addition, the service
+ provider SHOULD NOT consider the deleted resource in conflict
+ calculation. For example, if a User resource is deleted, a CREATE
+ request for a User resource with the same userName as the previously
+ deleted resource SHOULD NOT fail with a 409 error due to userName
+ conflict.
+
+ DELETE /Users/2819c223-7f76-453a-919d-413861904646
+ Host: example.com
+ Authorization: Bearer h480djs93hd8
+ If-Match: W/"c310cd84f0281b7"
+
+ In response to a successful DELETE, the server SHALL return a
+ successful HTTP status code 204 (No Content). A non-normative
+ example response:
+
+ HTTP/1.1 204 No Content
+
+ Example: Client's attempt to retrieve the previously deleted User
+
+ GET /Users/2819c223-7f76-453a-919d-413861904646
+ Host: example.com
+ Authorization: Bearer h480djs93hd8
+
+ Server response:
+
+ HTTP/1.1 404 Not Found
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "detail":"Resource 2819c223-7f76-453a-919d-413861904646 not found",
+ "status": "404"
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 48]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.7. Bulk Operations
+
+ The SCIM bulk operation is an optional server feature that enables
+ clients to send a potentially large collection of resource operations
+ in a single request. Support for bulk requests can be discovered by
+ querying the service provider configuration (see Section 4). The
+ body of a bulk operation contains a set of HTTP resource operations
+ using one of the HTTP methods supported by the API, i.e., POST, PUT,
+ PATCH, or DELETE.
+
+ Bulk requests are identified using the following schema URI:
+ "urn:ietf:params:scim:api:messages:2.0:BulkRequest". Bulk responses
+ are identified using the following URI:
+ "urn:ietf:params:scim:api:messages:2.0:BulkResponse". Bulk requests
+ and bulk responses share many attributes. Unless otherwise
+ specified, each attribute below is present in both bulk requests and
+ bulk responses.
+
+ The following singular attribute is defined, in addition to the
+ common attributes defined in [RFC7643].
+
+ failOnErrors
+ An integer specifying the number of errors that the service
+ provider will accept before the operation is terminated and an
+ error response is returned. OPTIONAL in a request. Not valid in
+ a response.
+
+ The following complex multi-valued attribute is defined, in addition
+ to the common attributes defined in [RFC7643].
+
+ Operations
+ Defines operations within a bulk job. Each operation corresponds
+ to a single HTTP request against a resource endpoint. REQUIRED.
+ The Operations attribute has the following sub-attributes:
+
+ method The HTTP method of the current operation. Possible values
+ are "POST", "PUT", "PATCH", or "DELETE". REQUIRED.
+
+ bulkId The transient identifier of a newly created resource,
+ unique within a bulk request and created by the client. The
+ bulkId serves as a surrogate resource id enabling clients to
+ uniquely identify newly created resources in the response and
+ cross-reference new resources in and across operations within a
+ bulk request. REQUIRED when "method" is "POST".
+
+ version The current resource version. Version MAY be used if the
+ service provider supports entity-tags (ETags) (Section 2.3 of
+ [RFC7232]) and "method" is "PUT", "PATCH", or "DELETE".
+
+
+
+Hunt, et al. Standards Track [Page 49]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ path The resource's relative path to the SCIM service provider's
+ root. If "method" is "POST", the value must specify a resource
+ type endpoint, e.g., /Users or /Groups, whereas all other
+ "method" values must specify the path to a specific resource,
+ e.g., /Users/2819c223-7f76-453a-919d-413861904646. REQUIRED in
+ a request.
+
+ data The resource data as it would appear for a single SCIM POST,
+ PUT, or PATCH operation. REQUIRED in a request when "method"
+ is "POST", "PUT", or "PATCH".
+
+ location The resource endpoint URL. REQUIRED in a response,
+ except in the event of a POST failure.
+
+ response The HTTP response body for the specified request
+ operation. When indicating a response with an HTTP status
+ other than a 200-series response, the response body MUST be
+ included. For normal completion, the server MAY elect to omit
+ the response body.
+
+ status The HTTP response status code for the requested operation.
+ When indicating an error, the "response" attribute MUST contain
+ the detail error response as per Section 3.12.
+
+ If a bulk job is processed successfully, HTTP response code 200 OK
+ MUST be returned; otherwise, an appropriate HTTP error code MUST be
+ returned.
+
+ The service provider MUST continue performing as many changes as
+ possible and disregard partial failures. The client MAY override
+ this behavior by specifying a value for the "failOnErrors" attribute.
+ The "failOnErrors" attribute defines the number of errors that the
+ service provider should accept before failing the remaining
+ operations returning the response.
+
+ To be able to reference a newly created resource, the bulkId
+ attribute MAY be specified when creating new resources. The "bulkId"
+ is defined by the client as a surrogate identifier in a POST
+ operation (see Section 3.7.2). The service provider MUST return the
+ same "bulkId" together with the newly created resource. The "bulkId"
+ can then be used by the client to map the service provider id with
+ the "bulkId" of the created resource.
+
+ A SCIM service provider MAY elect to optimize the sequence of
+ operations received (e.g., to improve processing performance). When
+ doing so, the service provider MUST ensure that the client's intent
+ is preserved and the same stateful result is achieved as for
+
+
+
+
+Hunt, et al. Standards Track [Page 50]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ non-optimized processing. For example, before a "User" can be added
+ to a "Group", they must first be created. Processing these requests
+ out of order might result in a failure to add the new "User" to the
+ "Group".
+
+3.7.1. Circular Reference Processing
+
+ The service provider MUST try to resolve circular cross-references
+ between resources in a single bulk job but MAY stop after a failed
+ attempt and instead return HTTP status code 409 (Conflict). The
+ following example exhibits the potential conflict.
+
+ POST /v2/Bulk
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ Content-Length: ...
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
+ "Operations": [
+ {
+ "method": "POST",
+ "path": "/Groups",
+ "bulkId": "qwerty",
+ "data": {
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+ "displayName": "Group A",
+ "members": [
+ {
+ "type": "Group",
+ "value": "bulkId:ytrewq"
+ }
+ ]
+ }
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 51]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ {
+ "method": "POST",
+ "path": "/Groups",
+ "bulkId": "ytrewq",
+ "data": {
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+ "displayName": "Group B",
+ "members": [
+ {
+ "type": "Group",
+ "value": "bulkId:qwerty"
+ }
+ ]
+ }
+ }
+ ]
+ }
+
+ If the service provider resolved the above circular references, the
+ following is returned from a subsequent GET request.
+
+ GET /v2/Groups?filter=displayName sw 'Group'
+ Host: example.com
+ Accept: application/scim+json
+ Authorization: Bearer h480djs93hd8
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+ "totalResults": 2,
+ "Resources": [
+ {
+ "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+ "displayName": "Group A",
+ "meta": {
+ "resourceType": "Group",
+ "created": "2011-08-01T18:29:49.793Z",
+ "lastModified": "2011-08-01T18:29:51.135Z",
+ "location":
+ "https://example.com/v2/Groups/c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
+ "version": "W\/\"mvwNGaxB5SDq074p\""
+ },
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 52]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ "members": [
+ {
+ "value": "6c5bb468-14b2-4183-baf2-06d523e03bd3",
+ "$ref":
+ "https://example.com/v2/Groups/6c5bb468-14b2-4183-baf2-06d523e03bd3",
+ "type": "Group"
+ }
+ ]
+ },
+ {
+ "id": "6c5bb468-14b2-4183-baf2-06d523e03bd3",
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+ "displayName": "Group B",
+ "meta": {
+ "resourceType": "Group",
+ "created": "2011-08-01T18:29:50.873Z",
+ "lastModified": "2011-08-01T18:29:50.873Z",
+ "location":
+ "https://example.com/v2/Groups/6c5bb468-14b2-4183-baf2-06d523e03bd3",
+ "version": "W\/\"wGB85s2QJMjiNnuI\""
+ },
+ "members": [
+ {
+ "value": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
+ "$ref":
+ "https://example.com/v2/Groups/c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
+ "type": "Group"
+ }
+ ]
+ }
+ ]
+ }
+
+3.7.2. "bulkId" Temporary Identifiers
+
+ A SCIM client can, within one bulk operation, create a new "User",
+ create a new "Group", and add the newly created "User" to the newly
+ created "Group". In order to add the new "User" to the "Group", the
+ client must use the surrogate id attribute, "bulkId", to reference
+ the User. The "bulkId" attribute value must be prepended with the
+ literal "bulkId:"; e.g., if the bulkId is 'qwerty', the value is
+ "bulkId:qwerty". The service provider MUST replace the string
+ "bulkId:qwerty" with the permanent resource id once created.
+
+ To create multiple distinct requests, each with their own "bulkId",
+ the SCIM client specifies different "bulkId" values for each separate
+ request.
+
+
+
+
+Hunt, et al. Standards Track [Page 53]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The following example creates a User with the "userName" 'Alice' and
+ a "Group" with "displayName", with a value of "Tour Guides" with
+ Alice as a member. Notice that each operation has its own "bulkId"
+ value. However, the second operation (whose "bulkId" is "ytrewq")
+ refers to the "bulkId" of "qwerty" in order to add Alice to the new
+ 'Tour Guides' group.
+
+ POST /v2/Bulk
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ Content-Length: ...
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
+ "Operations": [
+ {
+ "method": "POST",
+ "path": "/Users",
+ "bulkId": "qwerty",
+ "data": {
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "userName": "Alice"
+ }
+ },
+ {
+ "method": "POST",
+ "path": "/Groups",
+ "bulkId": "ytrewq",
+ "data": {
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+ "displayName": "Tour Guides",
+ "members": [
+ {
+ "type": "User",
+ "value": "bulkId:qwerty"
+ }
+ ]
+ }
+ }
+ ]
+ }
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 54]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The service provider returns the following response:
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
+ "Operations": [
+ {
+ "location":
+ "https://example.com/v2/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a",
+ "method": "POST",
+ "bulkId": "qwerty",
+ "version": "W\/\"4weymrEsh5O6cAEK\"",
+ "status": {
+ "code": "201"
+ }
+ },
+ {
+ "location":
+ "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
+ "method": "POST",
+ "bulkId": "ytrewq",
+ "version": "W\/\"lha5bbazU3fNvfe5\"",
+ "status": {
+ "code": "201"
+ }
+ }
+ ]
+ }
+
+ In the above example, the "Alice" User resource has an "id" of
+ "92b725cd-9465-4e7d-8c16-01f8e146b87a" and the 'Tour Guides' Group
+ has an "id" of "e9e30dba-f08f-4109-8486-d5c6a331660a".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 55]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ A subsequent GET request for the 'Tour Guides' Group (with an "id" of
+ "e9e30dba-f08f-4109-8486-d5c6a331660a") returns the following, with
+ Alice's "id" as the value for the member in the Group 'Tour Guides':
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+ Location:
+ https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a
+ ETag: W/"lha5bbazU3fNvfe5"
+
+ {
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+ "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
+ "displayName": "Tour Guides",
+ "meta": {
+ "resourceType": "Group",
+ "created": "2011-08-01T18:29:49.793Z",
+ "lastModified": "2011-08-01T20:31:02.315Z",
+ "location":
+ "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
+ "version": "W\/\"lha5bbazU3fNvfe5\""
+ },
+ "members": [
+ {
+ "value": "92b725cd-9465-4e7d-8c16-01f8e146b87a",
+ "$ref":
+ "https://example.com/v2/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a",
+ "type": "User"
+ }
+ ]
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 56]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Extensions that include references to other resources MUST be handled
+ in the same way by the service provider. The following example uses
+ the bulkId attribute within the enterprise extension managerId
+ attribute.
+
+ POST /v2/Bulk
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ Content-Length: ...
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
+ "Operations": [
+ {
+ "method": "POST",
+ "path": "/Users",
+ "bulkId": "qwerty",
+ "data": {
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "userName": "Alice"
+ }
+ },
+ {
+ "method": "POST",
+ "path": "/Users",
+ "bulkId": "ytrewq",
+ "data": {
+ "schemas": [
+ "urn:ietf:params:scim:schemas:core:2.0:User",
+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
+ ],
+ "userName": "Bob",
+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
+ "employeeNumber": "11250",
+ "manager": {
+ "value": "bulkId:qwerty"
+ }
+ }
+ }
+ }
+ ]
+ }
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 57]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.7.3. Response and Error Handling
+
+ The service provider response MUST include the result of all
+ processed operations. A "location" attribute that includes the
+ resource's endpoint MUST be returned for all operations except for
+ failed POST operations (which have no location). The status
+ attribute includes information about the success or failure of one
+ operation within the bulk job. The status attribute MUST include the
+ code attribute that holds the HTTP response code that would have been
+ returned if a single HTTP request would have been used. If an error
+ occurred, the status MUST also include the description attribute
+ containing a human-readable explanation of the error.
+
+ "status": "201"
+
+ The following is an example of a status in a failed operation.
+
+ "status": "400",
+ "response":{
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "scimType":"invalidSyntax"
+ "detail":
+ "Request is unparsable, syntactically incorrect, or violates schema.",
+ "status":"400"
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 58]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The following example shows how to add, update, and remove a user.
+ The "failOnErrors" attribute is set to '1', indicating that the
+ service provider will stop processing and return results after one
+ error. The POST operation's bulkId value is set to 'qwerty',
+ enabling the client to match the new User with the returned
+ resource "id" of
+ "92b725cd-9465-4e7d-8c16-01f8e146b87a".
+
+ POST /v2/Bulk
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ Content-Length: ...
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
+ "failOnErrors":1,
+ "Operations":[
+ {
+ "method":"POST",
+ "path":"/Users",
+ "bulkId":"qwerty",
+ "data":{
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:User"],
+ "userName":"Alice"
+ }
+ },
+ {
+ "method":"PUT",
+ "path":"/Users/b7c14771-226c-4d05-8860-134711653041",
+ "version":"W\/\"3694e05e9dff591\"",
+ "data":{
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "id":"b7c14771-226c-4d05-8860-134711653041",
+ "userName":"Bob"
+ }
+ },
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 59]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ {
+ "method": "PATCH",
+ "path": "/Users/5d8d29d3-342c-4b5f-8683-a3cb6763ffcc",
+ "version": "W/\"edac3253e2c0ef2\"",
+ "data": {[
+ {
+ "op": "remove",
+ "path": "nickName"
+ },
+ {
+ "op": "add",
+ "path": "userName",
+ "value": "Dave"
+ }
+ ]}
+ },
+ {
+ "method":"DELETE",
+ "path":"/Users/e9025315-6bea-44e1-899c-1e07454e468b",
+ "version":"W\/\"0ee8add0a938e1a\""
+ }
+ ]
+ }
+
+ The service provider returns the following response:
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
+ "Operations": [
+ {
+ "location":
+ "https://example.com/v2/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a",
+ "method": "POST",
+ "bulkId": "qwerty",
+ "version": "W\/\"oY4m4wn58tkVjJxK\"",
+ "status": "201"
+ },
+ {
+ "location":
+ "https://example.com/v2/Users/b7c14771-226c-4d05-8860-134711653041",
+ "method": "PUT",
+ "version": "W\/\"huJj29dMNgu3WXPD\"",
+ "status": "200"
+ },
+
+
+
+
+Hunt, et al. Standards Track [Page 60]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ {
+ "location":
+ "https://example.com/v2/Users/5d8d29d3-342c-4b5f-8683-a3cb6763ffcc",
+ "method": "PATCH",
+ "version": "W\/\"huJj29dMNgu3WXPD\"",
+ "status": "200"
+ },
+ {
+ "location":
+ "https://example.com/v2/Users/e9025315-6bea-44e1-899c-1e07454e468b",
+ "method": "DELETE",
+ "status": "204"
+ }
+ ]
+ }
+
+ The following response is returned if an error occurred when
+ attempting to create the User 'Alice'. The service provider stops
+ processing the bulk operation and immediately returns a response to
+ the client. The response contains the error and any successful
+ results prior to the error.
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
+ "Operations": [
+ {
+ "method": "POST",
+ "bulkId": "qwerty",
+ "status": "400",
+ "response":{
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "scimType":"invalidSyntax"
+ "detail":
+ "Request is unparsable, syntactically incorrect, or violates schema.",
+ "status":"400"
+ }
+ }
+ ]
+ }
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 61]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ If the "failOnErrors" attribute is not specified or the service
+ provider has not reached the error limit defined by the client, the
+ service provider will continue to process all operations. The
+ following is an example in which all operations failed.
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
+ "Operations": [
+ {
+ "method": "POST",
+ "bulkId": "qwerty",
+ "status": "400",
+ "response":{
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "scimType":"invalidSyntax"
+ "detail":
+ "Request is unparsable, syntactically incorrect, or violates schema.",
+ "status":"400"
+ }
+ },
+ {
+ "location":
+ "https://example.com/v2/Users/b7c14771-226c-4d05-8860-134711653041",
+ "method": "PUT",
+ "status": "412",
+ "response":{
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "detail":
+ "Failed to update. Resource changed on the server.",
+ "status":"412"
+ }
+ },
+ {
+ "location":
+ "https://example.com/v2/Users/5d8d29d3-342c-4b5f-8683-a3cb6763ffcc",
+ "method": "PATCH",
+ "status": "412",
+ "response":{
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "detail":
+ "Failed to update. Resource changed on the server.",
+ "status":"412"
+ }
+ },
+
+
+
+
+Hunt, et al. Standards Track [Page 62]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ {
+ "location":
+ "https://example.com/v2/Users/e9025315-6bea-44e1-899c-1e07454e468b",
+ "method": "DELETE",
+ "status": "404",
+ "response":{
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "detail":"Resource does not exist.",
+ "status":"404"
+ }
+ }
+ ]
+ }
+
+3.7.4. Maximum Operations
+
+ The service provider MUST define the maximum number of operations and
+ maximum payload size a client may send in a single request. These
+ limits MAY be retrieved from the service provider configuration (see
+ 'bulk' in Sections 5 and 8.5 of [RFC7643]). If either limit is
+ exceeded, the service provider MUST return HTTP response code 413
+ (Payload Too Large). The returned response MUST specify the limit
+ exceeded in the body of the error response.
+
+ In the following example, the client sent a request exceeding the
+ service provider's maximum payload size of 1 megabyte:
+
+ POST /v2/Bulk
+ Host: example.com
+ Accept: application/scim+json
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ Content-Length: 4294967296
+
+ ...
+
+ The server sends the following error in response to the oversized
+ request:
+
+ HTTP/1.1 413 Payload Too Large
+ Content-Type: application/scim+json
+
+ {
+ "schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "status": "413",
+ "detail":
+ "The size of the bulk operation exceeds the maxPayloadSize (1048576)."
+ }
+
+
+
+Hunt, et al. Standards Track [Page 63]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.8. Data Input/Output Formats
+
+ Servers MUST accept requests and be able to return JSON-structured
+ responses using UTF-8 encoding [RFC3629]. UTF-8 SHALL be the default
+ encoding format. Other media types MAY be supported by service
+ providers but are beyond the scope of this specification.
+
+ Clients using other encodings MUST specify the format in which the
+ data is submitted via an HTTP "Content-Type" header as specified in
+ Section 3.1.1.5 of [RFC7231] and MAY specify the desired response
+ data format via an HTTP "Accept" header (Section 5.3.2 of [RFC7231]),
+ e.g., "Accept: application/scim+json", or via URI suffix:
+
+ GET /Users/2819c223-7f76-453a-919d-413861904646.scim
+ Host: example.com
+
+ Service providers MUST support the "Accept" header
+ "Accept: application/scim+json" and SHOULD support the header
+ "Accept: application/json", both of which specify JSON documents
+ conforming to [RFC7159]. The format defaults to
+ "application/scim+json" if no format is specified.
+
+ Singular attributes are encoded as string name-value pairs in
+ JSON, e.g.,
+
+ "attribute": "value"
+
+ Multi-valued attributes in JSON are encoded as arrays, e.g.,
+
+ "attributes": [ "value1", "value2" ]
+
+ Elements with nested elements are represented as objects in
+ JSON, e.g.,
+
+ "attribute": { "subattribute1": "value1", "subattribute2": "value2" }
+
+3.9. Additional Operation Response Parameters
+
+ For any SCIM operation where a resource representation is returned
+ (e.g., HTTP GET), the attributes returned are defined as the minimum
+ attribute set plus default attribute set. The minimum set is
+ composed of those attributes that have their "returned"
+ characteristic set to "always" (see Section 2.2 of [RFC7643]). The
+ default attribute set is composed of those attributes that have the
+ "returned" characteristic set to "default".
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 64]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Clients MAY request a partial resource representation on any
+ operation that returns a resource within the response by specifying
+ either of the mutually exclusive URL query parameters "attributes" or
+ "excludedAttributes", as follows:
+
+ attributes When specified, the default list of attributes SHALL be
+ overridden, and each resource returned MUST contain the
+ minimum set of resource attributes and any attributes or
+ sub-attributes explicitly requested by the "attributes"
+ parameter. The query parameter attributes value is a
+ comma-separated list of resource attribute names in standard
+ attribute notation (Section 3.10) form (e.g., userName, name,
+ emails).
+
+ excludedAttributes When specified, each resource returned MUST
+ contain the minimum set of resource attributes.
+ Additionally, the default set of attributes minus those
+ attributes listed in "excludedAttributes" is returned. The
+ query parameter attributes value is a comma-separated list of
+ resource attribute names in standard attribute notation
+ (Section 3.10) form (e.g., userName, name, emails).
+
+ GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=userName
+ Host: example.com
+ Accept: application/scim+json
+ Authorization: Bearer h480djs93hd8
+
+ The following response is returned:
+
+ HTTP/1.1 200 OK
+ Content-Type: application/scim+json
+ Location:
+ https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
+ ETag: W/"a330bc54f0671c9"
+
+ {
+ "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "id":"2819c223-7f76-453a-919d-413861904646",
+ "userName":"bjensen"
+ }
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 65]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.10. Attribute Notation
+
+ All operations share a common scheme for referencing simple and
+ complex attributes. In general, attributes are uniquely identified
+ by prefixing the attribute name with its schema URN separated by a
+ colon (":") character; e.g., the core User resource attribute
+ 'userName' is identified as
+ "urn:ietf:params:scim:schemas:core:2.0:User:userName". Clients MAY
+ omit core schema attribute URN prefixes but SHOULD fully qualify
+ extended attributes with the associated schema extension URN to avoid
+ naming conflicts. For example, the attribute 'age' defined in
+ "urn:ietf:params:scim:schemas:exampleCo:2.0:hr" is uniquely
+ identified as "urn:ietf:params:scim:schemas:exampleCo:2.0:hr:age".
+ Complex attributes' sub-attributes are referenced via nested dot
+ ('.') notation, i.e., {urn}:{Attribute name}.{Sub-Attribute name}.
+ For example, the fully qualified path for a User's givenName is
+ "urn:ietf:params:scim:schemas:core:2.0:User:name.givenName". All
+ facets (URN, attribute, and sub-attribute name) of the fully encoded
+ attribute name are case insensitive.
+
+3.11. "/Me" Authenticated Subject Alias
+
+ A client MAY use a URL of the form "<base-URI>/Me" as a URI alias for
+ the User or other resource associated with the currently
+ authenticated subject for any SCIM operation. A service provider MAY
+ respond in one of three ways:
+
+ o A service provider that does NOT support this feature SHOULD
+ respond with HTTP status code 501 (Not Implemented).
+
+ o A service provider MAY choose to redirect the client using HTTP
+ status code 308 (Permanent Redirect) to the resource associated
+ with the authenticated subject. The client MAY then repeat the
+ request at the indicated location.
+
+ o A service provider MAY process the SCIM request directly. In any
+ response, the HTTP "Location" header MUST be the permanent
+ location of the aliased resource associated with the authenticated
+ subject.
+
+ When using the SCIM Create Resource command (HTTP POST) with the
+ "/Me" alias, the desired resourceType being created is at the
+ discretion of the service provider, based on the authenticated
+ subject (if not anonymous) making the request and any request body
+ attributes (e.g., "schemas"). See Section 7.6 for information on
+ security considerations related to this operation.
+
+
+
+
+
+Hunt, et al. Standards Track [Page 66]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+3.12. HTTP Status and Error Response Handling
+
+ The SCIM protocol uses the HTTP response status codes defined in
+ Section 6 of [RFC7231] to indicate operation success or failure. In
+ addition to returning an HTTP response code, implementers MUST return
+ the errors in the body of the response in a JSON format, using the
+ attributes described below. Error responses are identified using the
+ following "schema" URI:
+ "urn:ietf:params:scim:api:messages:2.0:Error". The following
+ attributes are defined for a SCIM error response using a JSON body:
+
+ status
+ The HTTP status code (see Section 6 of [RFC7231]) expressed as a
+ JSON string. REQUIRED.
+
+ scimType
+ A SCIM detail error keyword. See Table 9. OPTIONAL.
+
+ detail
+ A detailed human-readable message. OPTIONAL.
+
+ Implementers SHOULD handle the identified HTTP status codes as
+ described below.
+
+ +----------------+---------------+----------------------------------+
+ | Status | Applicability | Suggested Explanation |
+ +----------------+---------------+----------------------------------+
+ | 307 (Temporary | GET, POST, | The client is directed to repeat |
+ | Redirect) | PUT, PATCH, | the same HTTP request at the |
+ | | DELETE | location identified. The client |
+ | | | SHOULD NOT use the location |
+ | | | provided in the response as a |
+ | | | permanent reference to the |
+ | | | resource and SHOULD continue to |
+ | | | use the original request URI |
+ | | | [RFC7231]. |
+ | | | |
+ | 308 (Permanent | GET, POST, | The client is directed to repeat |
+ | Redirect) | PUT, PATCH, | the same HTTP request at the |
+ | | DELETE | location identified. The client |
+ | | | SHOULD use the location provided |
+ | | | in the response as the permanent |
+ | | | reference to the resource |
+ | | | [RFC7538]. |
+ | | | |
+ | 400 (Bad | GET, POST, | Request is unparsable, |
+ | Request) | PUT, PATCH, | syntactically incorrect, or |
+ | | DELETE | violates schema. |
+
+
+
+Hunt, et al. Standards Track [Page 67]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ | | | |
+ | 401 | GET, POST, | Authorization failure. The |
+ | (Unauthorized) | PUT, PATCH, | authorization header is invalid |
+ | | DELETE | or missing. |
+ | | | |
+ | 403 | GET, POST, | Operation is not permitted based |
+ | (Forbidden) | PUT, PATCH, | on the supplied authorization. |
+ | | DELETE | |
+ | | | |
+ | 404 (Not | GET, POST, | Specified resource (e.g., User) |
+ | Found) | PUT, PATCH, | or endpoint does not exist. |
+ | | DELETE | |
+ | | | |
+ | 409 (Conflict) | POST, PUT, | The specified version number |
+ | | PATCH, DELETE | does not match the resource's |
+ | | | latest version number, or a |
+ | | | service provider refused to |
+ | | | create a new, duplicate |
+ | | | resource. |
+ | | | |
+ | 412 | PUT, PATCH, | Failed to update. Resource has |
+ | (Precondition | DELETE | changed on the server. |
+ | Failed) | | |
+ | | | |
+ | 413 (Payload | POST | {"maxOperations": |
+ | Too Large) | | 1000,"maxPayloadSize": 1048576} |
+ | | | |
+ | 500 (Internal | GET, POST, | An internal error. Implementers |
+ | Server Error) | PUT, PATCH, | SHOULD provide descriptive |
+ | | DELETE | debugging advice. |
+ | | | |
+ | 501 (Not | GET, POST, | Service provider does not |
+ | Implemented) | PUT, PATCH, | support the request operation, |
+ | | DELETE | e.g., PATCH. |
+ +----------------+---------------+----------------------------------+
+
+ Table 8: SCIM HTTP Status Code Usage
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 68]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ For HTTP status code 400 (Bad Request) responses, the following
+ detail error types are defined:
+
+ +---------------+--------------------------------+------------------+
+ | scimType | Description | Applicability |
+ +---------------+--------------------------------+------------------+
+ | invalidFilter | The specified filter syntax | GET (Section |
+ | | was invalid (does not comply | 3.4.2), POST |
+ | | with Figure 1), or the | (Search - |
+ | | specified attribute and filter | Section 3.4.3), |
+ | | comparison combination is not | PATCH (Path |
+ | | supported. | Filter - Section |
+ | | | 3.5.2) |
+ | | | |
+ | tooMany | The specified filter yields | GET (Section |
+ | | many more results than the | 3.4.2), POST |
+ | | server is willing to calculate | (Search - |
+ | | or process. For example, a | Section 3.4.3) |
+ | | filter such as "(userName pr)" | |
+ | | by itself would return all | |
+ | | entries with a "userName" and | |
+ | | MAY not be acceptable to the | |
+ | | service provider. | |
+ | | | |
+ | uniqueness | One or more of the attribute | POST (Create - |
+ | | values are already in use or | Section 3.3), |
+ | | are reserved. | PUT (Section |
+ | | | 3.5.1), PATCH |
+ | | | (Section 3.5.2) |
+ | | | |
+ | mutability | The attempted modification is | PUT (Section |
+ | | not compatible with the target | 3.5.1), PATCH |
+ | | attribute's mutability or | (Section 3.5.2) |
+ | | current state (e.g., | |
+ | | modification of an "immutable" | |
+ | | attribute with an existing | |
+ | | value). | |
+ | | | |
+ | invalidSyntax | The request body message | POST (Search - |
+ | | structure was invalid or did | Section 3.4.3, |
+ | | not conform to the request | Create - Section |
+ | | schema. | 3.3, Bulk - |
+ | | | Section 3.7), |
+ | | | PUT (Section |
+ | | | 3.5.1) |
+ | | | |
+
+
+
+
+
+Hunt, et al. Standards Track [Page 69]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ | invalidPath | The "path" attribute was | PATCH (Section |
+ | | invalid or malformed (see | 3.5.2) |
+ | | Figure 7). | |
+ | | | |
+ | noTarget | The specified "path" did not | PATCH (Section |
+ | | yield an attribute or | 3.5.2) |
+ | | attribute value that could be | |
+ | | operated on. This occurs when | |
+ | | the specified "path" value | |
+ | | contains a filter that yields | |
+ | | no match. | |
+ | | | |
+ | invalidValue | A required value was missing, | GET (Section |
+ | | or the value specified was not | 3.4.2), POST |
+ | | compatible with the operation | (Create - |
+ | | or attribute type (see Section | Section 3.3, |
+ | | 2.2 of [RFC7643]), or resource | Query - Section |
+ | | schema (see Section 4 of | 3.4.3), PUT |
+ | | [RFC7643]). | (Section 3.5.1), |
+ | | | PATCH (Section |
+ | | | 3.5.2) |
+ | | | |
+ | invalidVers | The specified SCIM protocol | GET (Section |
+ | | version is not supported (see | 3.4.2), POST |
+ | | Section 3.13). | (ALL), PUT |
+ | | | (Section 3.5.1), |
+ | | | PATCH (Section |
+ | | | 3.5.2), DELETE |
+ | | | (Section 3.6) |
+ | | | |
+ | sensitive | The specified request cannot | GET (Section |
+ | | be completed, due to the | 3.4.2) |
+ | | passing of sensitive (e.g., | |
+ | | personal) information in a | |
+ | | request URI. For example, | |
+ | | personal information SHALL NOT | |
+ | | be transmitted over request | |
+ | | URIs. See Section 7.5.2. | |
+ +---------------+--------------------------------+------------------+
+
+ Table 9: SCIM Detail Error Keyword Values
+
+ Note that in Table 9 above, the information in the Applicability
+ column applies to the normal HTTP method but MAY apply within a SCIM
+ bulk operation (via HTTP POST).
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 70]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Example of an error in response to a non-existent GET request:
+
+ HTTP/1.1 404 Not Found
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "detail":"Resource 2819c223-7f76-453a-919d-413861904646 not found",
+ "status": "404"
+ }
+
+ Example of an error in response to a PUT request:
+
+ HTTP/1.1 400 Bad Request
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "scimType":"mutability"
+ "detail":"Attribute 'id' is readOnly",
+ "status": "400"
+ }
+
+3.13. SCIM Protocol Versioning
+
+ The Base URL MAY be appended with a version identifier as a separate
+ segment in the URL path. At the time of this writing, the identifier
+ is 'v2'. If specified, the version identifier MUST appear in the URL
+ path immediately preceding the resource endpoint and conform to the
+ following scheme: the character 'v' followed by the desired SCIM
+ version number, e.g., a version 'v2' User request is specified as
+ /v2/Users. When specified, service providers MUST perform the
+ operation using the desired version or reject the request. When
+ omitted, service providers SHOULD perform the operation using the
+ most recent SCIM protocol version supported by the service provider.
+
+3.14. Versioning Resources
+
+ The SCIM protocol supports resource versioning via standard HTTP
+ ETags (Section 2.3 of [RFC7232]). Service providers MAY support weak
+ ETags as the preferred mechanism for performing conditional
+ retrievals and ensuring that clients do not inadvertently overwrite
+ each other's changes, respectively. When supported, SCIM ETags MUST
+ be specified as an HTTP header and SHOULD be specified within the
+ 'version' attribute contained in the resource's 'meta' attribute.
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 71]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Example create request:
+
+ POST /Users HTTP/1.1
+ Host: example.com
+ Content-Type: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ Content-Length: ...
+
+ {
+ "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "userName":"bjensen",
+ "externalId":"bjensen",
+ "name":{
+ "formatted":"Ms. Barbara J Jensen III",
+ "familyName":"Jensen",
+ "givenName":"Barbara"
+ }
+ }
+
+ The server responds with an ETag in the response header and meta
+ structure:
+
+ HTTP/1.1 201 Created
+ Content-Type: application/scim+json
+ Location:
+ https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
+ ETag: W/"e180ee84f0671b1"
+
+ {
+ "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
+ "id":"2819c223-7f76-453a-919d-413861904646",
+ "meta":{
+ "resourceType":"User",
+ "created":"2011-08-01T21:32:44.882Z",
+ "lastModified":"2011-08-01T21:32:44.882Z",
+ "location":
+ "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
+ "version":"W\/\"e180ee84f0671b1\""
+ },
+ "name":{
+ "formatted":"Ms. Barbara J Jensen III",
+ "familyName":"Jensen",
+ "givenName":"Barbara"
+ },
+ "userName":"bjensen"
+ }
+
+
+
+
+
+Hunt, et al. Standards Track [Page 72]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ With the returned ETag, clients MAY choose to retrieve the resource
+ only if the resource has been modified.
+
+ An example of conditional retrieval, using the If-None-Match header
+ (Section 3.2 of [RFC7232]):
+
+ GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=displayName
+ Host: example.com
+ Accept: application/scim+json
+ Authorization: Bearer h480djs93hd8
+ If-None-Match: W/"e180ee84f0671b1"
+
+ If the resource has not changed, the service provider simply returns
+ an empty body with a 304 (Not Modified) response code.
+
+ If the service provider supports versioning of resources, the client
+ MAY supply an If-Match header (Section 3.1 of [RFC7232]) for PUT and
+ PATCH operations to ensure that the requested operation succeeds only
+ if the supplied ETag matches the latest service provider resource,
+ e.g., If-Match: W/"e180ee84f0671b1".
+
+4. Service Provider Configuration Endpoints
+
+ SCIM defines three endpoints to facilitate discovery of SCIM service
+ provider features and schema that MAY be retrieved using HTTP GET:
+
+ /ServiceProviderConfig
+ An HTTP GET to this endpoint will return a JSON structure that
+ describes the SCIM specification features available on a service
+ provider. This endpoint SHALL return responses with a JSON object
+ using a "schemas" attribute of
+ "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig".
+ The attributes returned in the JSON object are defined in
+ Section 5 of [RFC7643]. An example representation of SCIM service
+ provider configuration may be found in Section 8.5 of [RFC7643].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 73]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ /Schemas
+ An HTTP GET to this endpoint is used to retrieve information about
+ resource schemas supported by a SCIM service provider. An HTTP
+ GET to the endpoint "/Schemas" SHALL return all supported schemas
+ in ListResponse format (see Figure 3). Individual schema
+ definitions can be returned by appending the schema URI to the
+ /Schemas endpoint. For example:
+
+ /Schemas/urn:ietf:params:scim:schemas:core:2.0:User
+
+ The contents of each schema returned are described in Section 7 of
+ [RFC7643]. An example representation of SCIM schemas may be found
+ in Section 8.7 of [RFC7643].
+
+ /ResourceTypes
+ An HTTP GET to this endpoint is used to discover the types of
+ resources available on a SCIM service provider (e.g., Users and
+ Groups). Each resource type defines the endpoints, the core
+ schema URI that defines the resource, and any supported schema
+ extensions. The attributes defining a resource type can be found
+ in Section 6 of [RFC7643], and an example representation can be
+ found in Section 8.6 of [RFC7643].
+
+ In cases where a request is for a specific "ResourceType" or
+ "Schema", the single JSON object is returned in the same way that a
+ single User or Group is retrieved, as per Section 3.4.1. When
+ returning multiple ResourceTypes or Schemas, the message form
+ described by the "urn:ietf:params:scim:api:messages:2.0:ListResponse"
+ (ListResponse) form SHALL be used as shown in Figure 3 and in
+ Figure 9 below. Query parameters described in Section 3.4.2, such as
+ filtering, sorting, and pagination, SHALL be ignored. If a "filter"
+ is provided, the service provider SHOULD respond with HTTP status
+ code 403 (Forbidden) to ensure that clients cannot incorrectly assume
+ that any matching conditions specified in a filter are true.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 74]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The following is a non-normative example of an HTTP GET to the
+ /ResourceTypes endpoint:
+
+ {
+ "totalResults":2,
+ "itemsPerPage":10,
+ "startIndex":1,
+ "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+ "Resources":[{
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+ "id":"User",
+ "name":"User",
+ "endpoint": "/Users",
+ "description": "User Account",
+ "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
+ "schemaExtensions": [{
+ "schema":
+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
+ "required": true
+ }],
+ "meta": {
+ "location":"https://example.com/v2/ResourceTypes/User",
+ "resourceType": "ResourceType"
+ }
+ },
+ {
+ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+ "id":"Group",
+ "name":"Group",
+ "endpoint": "/Groups",
+ "description": "Group",
+ "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
+ "meta": {
+ "location":"https://example.com/v2/ResourceTypes/Group",
+ "resourceType": "ResourceType"
+ }
+ }]
+ }
+
+ Figure 9: Example Resource Type JSON Representation
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 75]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+5. Preparation and Comparison of Internationalized Strings
+
+ To increase the likelihood that the input and comparison of usernames
+ and passwords will work in ways that make sense for typical users
+ throughout the world, there are rules for preparing, enforcing, and
+ comparing internationalized strings that represent usernames and
+ passwords. Before comparing or evaluating the uniqueness of a
+ "userName" or "password" attribute, service providers MUST use the
+ preparation, enforcement, and comparison of internationalized strings
+ (PRECIS) preparation and comparison rules described in Sections 3 and
+ 4, respectively, of [RFC7613], which is based on the PRECIS framework
+ specification [RFC7564]. See Section 3.4 of [RFC7613] for discussion
+ on "Case Mapping vs. Case Preparation" regarding "userName"
+ attributes.
+
+6. Multi-Tenancy
+
+ A single service provider may expose the SCIM protocol to multiple
+ clients. Depending on the nature of the service, the clients may
+ have authority to access and alter resources initially created by
+ other clients. Alternatively, clients may expect to access disjoint
+ sets of resources and may expect that their resources are
+ inaccessible to other clients. These scenarios are called
+ "multi-tenancy", where each client is understood to be or represent
+ a "tenant" of the service provider. Clients may also be
+ multi-tenanted.
+
+ The following common cases may occur:
+
+ 1. All clients share all resources (no tenancy).
+
+ 2. Each single client creates and accesses a private subset of
+ resources (1 client:1 Tenant).
+
+ 3. Sets of clients share sets of resources (M clients:1 Tenant).
+
+ 4. One client can create and access several private subsets of
+ resources (1 client:M Tenants).
+
+ Service providers may implement any subset of the above cases.
+
+ Multi-tenancy is OPTIONAL. The SCIM protocol does not define a
+ scheme for multi-tenancy.
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 76]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ The SCIM protocol does not prescribe the mechanisms whereby clients
+ and service providers interact for the following:
+
+ o Registering or provisioning Tenants
+
+ o Associating a subset of clients with a subset of the Tenants
+
+ o Indicating which tenant is associated with the data in a request
+ or response, or indicating which Tenant is the subject of a query
+
+6.1. Associating Clients to Tenants
+
+ The service provider MAY use one of the authentication mechanisms
+ discussed in Section 2 to determine the identity of the client and
+ thus infer the associated Tenant.
+
+ For implementations where a client is associated with more than one
+ Tenant, the service provider MAY use one of the three methods below
+ for explicit specification of the Tenant.
+
+ If any of these methods of allowing the client to explicitly specify
+ the Tenant are employed, the service provider should ensure that
+ access controls are in place to prevent or allow cross-tenant use
+ cases.
+
+ The service provider should consider precedence in cases where a
+ client may explicitly specify a Tenant while being implicitly
+ associated with a different Tenant.
+
+ In all of these methods, the {tenant_id} is a unique identifier for
+ the Tenant as defined by the service provider.
+
+ o A URL prefix: "https://www.example.com/Tenants/{tenant_id}/v2/
+ Users".
+
+ o A sub-domain: "https://{tenant_id}.example.com/v2/Groups".
+
+ o An HTTP header: The service provider may recognize a {tenant_id}
+ provided by the client in an HTTP header as the indicator of the
+ desired target Tenant.
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 77]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+6.2. SCIM Identifiers with Multiple Tenants
+
+ Considerations for a multi-tenant implementation:
+
+ o The service provider may choose to implement SCIM ids that are
+ unique across all resources for all Tenants, but this is not
+ required.
+
+ o The externalId, defined by the client, is required to be unique
+ ONLY within the resources associated with the associated Tenant.
+
+7. Security Considerations
+
+7.1. HTTP Considerations
+
+ The SCIM protocol layers on top of HTTP and is thus subject to the
+ security considerations of HTTP (Section 9 of [RFC7230]) and its
+ related specifications.
+
+ As stated in Section 2.7.1 of [RFC7230], a SCIM client MUST NOT
+ generate the "userinfo" (i.e., username and password) component
+ (and its "@" delimiter) when an "http" URI reference is generated
+ with a message, as userinfo and its "@" delimiter are now disallowed
+ in HTTP.
+
+7.2. TLS Support Considerations
+
+ SCIM resources (e.g., Users and Groups) contain sensitive
+ information, including passwords. Therefore, SCIM clients and
+ service providers MUST require the use of a transport-layer security
+ mechanism when communicating with SCIM service providers. The SCIM
+ service provider MUST support TLS 1.2 [RFC5246] and MAY support
+ additional transport-layer mechanisms meeting its security
+ requirements. When using TLS, the client MUST perform a TLS/SSL
+ server identity check, per [RFC6125]. Implementation security
+ considerations for TLS can be found in [RFC7525].
+
+7.3. Authorization Token Considerations
+
+ When using authorization tokens such as those issued by OAuth 2.0
+ [RFC6749], implementers MUST take into account threats and
+ countermeasures as documented in Section 8 of [RFC7521].
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 78]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+7.4. Bearer Token and Cookie Considerations
+
+ Since the possession of a bearer token or cookie MAY authorize the
+ holder to potentially read, modify, or delete resources, bearer
+ tokens and cookies MUST contain sufficient entropy to prevent a
+ random guessing attack; for example, see Section 5.2 of [RFC6750] and
+ Section 5.1.4.2.2 of [RFC6819].
+
+ As with all SCIM communications, bearer tokens and HTTP cookies MUST
+ be exchanged using TLS.
+
+ Bearer tokens MUST have a limited lifetime that can be determined
+ directly or indirectly (e.g., by checking with a validation service)
+ by the service provider. By expiring tokens, clients are forced to
+ obtain a new token (which usually involves re-authentication) for
+ continued authorized access. For example, in OAuth 2.0, a client MAY
+ use OAuth token refresh to obtain a new bearer token after
+ authenticating to an authorization server. See Section 6 of
+ [RFC6749].
+
+ As with bearer tokens, an HTTP cookie SHOULD last no longer than the
+ lifetime of a browser session. An expiry time should be set that
+ limits session cookie lifetime as per Section 5.2.1 of [RFC6265].
+
+ Implementations supporting OAuth bearer tokens need to factor in
+ security considerations of this authorization method [RFC7521].
+ Since security is only as good as the weakest link, implementers also
+ need to consider authentication choices coupled with OAuth bearer
+ tokens. The security considerations of the default authentication
+ method for OAuth bearer tokens, HTTP Basic, are well documented in
+ [HTTP-BASIC-AUTH]; therefore, implementers are encouraged to use
+ stronger authentication methods. Designating the specific methods of
+ authentication and authorization is out of scope for SCIM; however,
+ this information is provided as a resource to implementers.
+
+7.5. Privacy Considerations
+
+7.5.1. Personal Information
+
+ The SCIM Core Schema specification [RFC7643] defines attributes that
+ may contain personally identifying information as well as other
+ sensitive personal data. The privacy considerations in the Security
+ Considerations section of [RFC7643] MUST be considered.
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 79]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+7.5.2. Disclosure of Sensitive Information in URIs
+
+ As mentioned in Section 9.4 of [RFC7231], SCIM clients requesting
+ information using query filters that use HTTP GET SHOULD give
+ consideration to the information content of the filters and whether
+ or not their exposure in a URI would represent a breach of security
+ or confidentiality through leakage in web browsers or server logs.
+ This is particularly true for information that is legally considered
+ "personally identifiable information" or is otherwise restricted by
+ privacy laws. In these situations, to ensure maximum security and
+ confidentiality, clients SHOULD query using HTTP POST (see
+ Section 3.4.3).
+
+ Servers that receive HTTP GET requests using filters that contain
+ sensitive or confidential personal information SHOULD respond with
+ HTTP status code 403 to indicate that the operation is forbidden. A
+ "scimType" error code of "sensitive" may be returned to indicate that
+ the request must be submitted using POST. The following is a
+ non-normative example:
+
+ HTTP/1.1 403 Forbidden
+
+ {
+ "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
+ "detail":
+ "Query filter involving 'name' is restricted or confidential",
+ "scimType": "sensitive",
+ "status": "404"
+ }
+
+7.6. Anonymous Requests
+
+ If a SCIM service provider accepts anonymous requests such as SCIM
+ resource creation requests (via HTTP POST), appropriate security
+ measures should be put in place to prevent or limit exposure to
+ attacks. The following countermeasures MAY be used:
+
+ o Try to authenticate web user interface components that formulate
+ the SCIM creation request. While the end-user may be anonymous,
+ the web user interface component often has its own way to
+ authenticate to the SCIM service provider (e.g., has an OAuth
+ client credential [RFC6749]), and the web user interface component
+ may implement its own measures (e.g., the Completely Automated
+ Public Turing test to tell Computers and Humans Apart (CAPTCHA))
+ to ensure that a legitimate request is being made.
+
+ o Limit the number of requests that any particular client MAY make
+ in a period of time.
+
+
+
+Hunt, et al. Standards Track [Page 80]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ o For User resources, default newly created resources with an
+ "active" setting of "false", and use a secondary confirmation
+ process (e.g., email confirmation) to ensure that the resource
+ created is real.
+
+7.7. Secure Storage and Handling of Sensitive Data
+
+ An attacker may obtain valid username/password combinations from the
+ SCIM service provider's underlying database by gaining access to the
+ database and/or launching injection attacks. This could lead to
+ unintended disclosure of username/password combinations. The impact
+ may extend beyond the domain of the SCIM service provider if the data
+ was provisioned from other domains.
+
+ Administrators should undertake industry best practices to protect
+ the storage of credentials and, in particular, SHOULD follow
+ recommendations outlined in Section 5.1.4.1 of [RFC6819]. These
+ recommendations include, but are not limited to, the following:
+
+ o Provide injection attack countermeasures (e.g., by validating all
+ inputs and parameters);
+
+ o Credentials should not be stored in cleartext form;
+
+ o Store credentials using an encrypted protection mechanism (e.g.,
+ hashing); and
+
+ o Where possible, avoid passwords as the sole form of
+ authentication, and consider using credentials that are based on
+ asymmetric cryptography.
+
+ As outlined in Section 5.1.4.2 of [RFC6819], administrators SHOULD
+ take countermeasures such as the following, to prevent online attacks
+ on secrets:
+
+ o Utilize a secure password policy in order to increase user
+ password entropy, which will in turn hinder online attacks and
+ password guessing;
+
+ o Mitigate attacks on passwords by locking respective accounts that
+ have a number of failed attempts;
+
+ o Use "tar pit" techniques by temporarily locking a respective
+ account and delaying responses for a certain duration. The
+ duration may increase with the number of failed attempts; and
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 81]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ o Use authentication systems that use CAPTCHAs and other factors for
+ authenticating users, to further reduce the possibility of
+ automated attacks.
+
+ Service providers SHOULD define an access control model that
+ differentiates between individual client applications and their
+ specific need to access information, and any User self-service rights
+ to review and update personal profile information. This may include
+ OAuth 2.0 delegation profiles that allow client systems to act on
+ behalf of users with their permission.
+
+7.8. Case-Insensitive Comparison and International Languages
+
+ When comparing Unicode strings such as those in query filters or
+ testing for uniqueness of usernames and passwords, strings MUST be
+ appropriately prepared before comparison. See Section 5.
+
+8. IANA Considerations
+
+8.1. Media Type Registration
+
+ To: ietf-types@iana.org
+
+ Subject: Registration of media type application/scim+json
+
+ Type name: application
+
+ Subtype name: scim+json
+
+ Required parameters: none
+
+ Optional parameters: none
+
+ Encoding considerations: 8bit
+
+ Security considerations: See Section 7 of this document (RFC 7644)
+
+ Interoperability considerations: The "application/scim+json" media
+ type is intended to identify JSON structure data that conforms to
+ the SCIM protocol and schema specifications. Older versions of
+ SCIM are known to informally use "application/json".
+
+ Published specification: this document (RFC 7644)
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 82]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ Applications that use this media type: It is expected that
+ applications that use this type may be special-purpose
+ applications intended for inter-domain provisioning. Clients may
+ also be applications (e.g., mobile applications) that need to use
+ SCIM for self-registration of user accounts. SCIM services may be
+ offered by web applications that offer support for standards-based
+ provisioning or may be a dedicated SCIM service provider such as a
+ "cloud directory". Content may be treated as equivalent to the
+ "application/json" type for the purpose of displaying in web
+ browsers.
+
+ Additional information:
+
+ Magic number(s):
+
+ File extension(s): .scim .scm
+
+ Macintosh file type code(s):
+
+ Person & email address to contact for further information: SCIM
+ mailing list "<scim@ietf.org>"
+
+ Intended usage: COMMON* (see restrictions)
+
+ Restrictions on usage: For most client types, it is sufficient to
+ recognize the content as equivalent to "application/json".
+ Applications intending to use the SCIM protocol SHOULD use the
+ "application/scim+json" media type.
+
+ Author: Phil Hunt
+
+ Change controller: IETF
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 83]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+8.2. Registering URIs for SCIM Messages
+
+ As per the "SCIM Schema URIs for Data Resources" registry established
+ by [RFC7643], the following defines and registers the SCIM protocol
+ request/response JSON schema URN identifier prefix of
+ "urn:ietf:params:scim:api:messages:2.0", which is part of the
+ URN sub-namespace for SCIM. There is no specific associated
+ resource type.
+
+ +---------------------------------+-----------------+---------------+
+ | Schema URI | Name | Reference |
+ +---------------------------------+-----------------+---------------+
+ | urn:ietf:params:scim:api: | List/Query | See Section |
+ | messages:2.0:ListResponse | Response | 3.4.2 |
+ | | | |
+ | urn:ietf:params:scim:api: | POST Query | See Section |
+ | messages:2.0:SearchRequest | Request | 3.4.3 |
+ | | | |
+ | urn:ietf:params:scim:api: | PATCH Operation | See Section |
+ | messages:2.0:PatchOp | | 3.5.2 |
+ | | | |
+ | urn:ietf:params:scim:api: | Bulk Operations | See Section |
+ | messages:2.0:BulkRequest | Request | 3.7 |
+ | | | |
+ | urn:ietf:params:scim:api: | Bulk Operations | See Section |
+ | messages:2.0:BulkResponse | Response | 3.7 |
+ | | | |
+ | urn:ietf:params:scim:api: | Error Response | See Section |
+ | messages:2.0:Error | | 3.12 |
+ +---------------------------------+-----------------+---------------+
+
+ Table 10: SCIM Schema URIs for Data Resources
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 84]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC3629] Yergeau, F., "UTF-8, a transformation format of
+ ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629,
+ November 2003, <http://www.rfc-editor.org/info/rfc3629>.
+
+ [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+ Resource Identifier (URI): Generic Syntax", STD 66,
+ RFC 3986, DOI 10.17487/RFC3986, January 2005,
+ <http://www.rfc-editor.org/info/rfc3986>.
+
+ [RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for
+ Syntax Specifications: ABNF", STD 68, RFC 5234,
+ DOI 10.17487/RFC5234, January 2008,
+ <http://www.rfc-editor.org/info/rfc5234>.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246,
+ DOI 10.17487/RFC5246, August 2008,
+ <http://www.rfc-editor.org/info/rfc5246>.
+
+ [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP",
+ RFC 5789, DOI 10.17487/RFC5789, March 2010,
+ <http://www.rfc-editor.org/info/rfc5789>.
+
+ [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
+ Verification of Domain-Based Application Service Identity
+ within Internet Public Key Infrastructure Using X.509
+ (PKIX) Certificates in the Context of Transport Layer
+ Security (TLS)", RFC 6125, DOI 10.17487/RFC6125,
+ March 2011, <http://www.rfc-editor.org/info/rfc6125>.
+
+ [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
+ RFC 6749, DOI 10.17487/RFC6749, October 2012,
+ <http://www.rfc-editor.org/info/rfc6749>.
+
+ [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
+ Framework: Bearer Token Usage", RFC 6750,
+ DOI 10.17487/RFC6750, October 2012,
+ <http://www.rfc-editor.org/info/rfc6750>.
+
+
+
+
+Hunt, et al. Standards Track [Page 85]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
+ Interchange Format", RFC 7159, DOI 10.17487/RFC7159,
+ March 2014, <http://www.rfc-editor.org/info/rfc7159>.
+
+ [RFC7230] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
+ Transfer Protocol (HTTP/1.1): Message Syntax and Routing",
+ RFC 7230, DOI 10.17487/RFC7230, June 2014,
+ <http://www.rfc-editor.org/info/rfc7230>.
+
+ [RFC7231] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
+ Transfer Protocol (HTTP/1.1): Semantics and Content",
+ RFC 7231, DOI 10.17487/RFC7231, June 2014,
+ <http://www.rfc-editor.org/info/rfc7231>.
+
+ [RFC7232] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
+ Transfer Protocol (HTTP/1.1): Conditional Requests",
+ RFC 7232, DOI 10.17487/RFC7232, June 2014,
+ <http://www.rfc-editor.org/info/rfc7232>.
+
+ [RFC7235] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext
+ Transfer Protocol (HTTP/1.1): Authentication", RFC 7235,
+ DOI 10.17487/RFC7235, June 2014,
+ <http://www.rfc-editor.org/info/rfc7235>.
+
+ [RFC7538] Reschke, J., "The Hypertext Transfer Protocol Status
+ Code 308 (Permanent Redirect)", RFC 7538,
+ DOI 10.17487/RFC7538, April 2015,
+ <http://www.rfc-editor.org/info/rfc7538>.
+
+ [RFC7613] Saint-Andre, P. and A. Melnikov, "Preparation,
+ Enforcement, and Comparison of Internationalized Strings
+ Representing Usernames and Passwords", RFC 7613,
+ DOI 10.17487/RFC7613, August 2015,
+ <http://www.rfc-editor.org/info/rfc7613>.
+
+ [RFC7643] Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and
+ C. Mortimore, "System for Cross-domain Identity
+ Management: Core Schema", RFC 7643, DOI 10.17487/RFC7643,
+ September 2015, <http://www.rfc-editor.org/info/rfc7643>.
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 86]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+9.2. Informative References
+
+ [HTTP-BASIC-AUTH]
+ Reschke, J., "The 'Basic' HTTP Authentication Scheme",
+ Work in Progress, draft-ietf-httpauth-basicauth-update-07,
+ February 2015.
+
+ [OAuth-PoP-Arch]
+ Hunt, P., Ed., Richer, J., Mills, W., Mishra, P., and H.
+ Tschofenig, "OAuth 2.0 Proof-of-Possession (PoP) Security
+ Architecture", Work in Progress,
+ draft-ietf-oauth-pop-architecture-02, July 2015.
+
+ [OpenSearch]
+ Clinton, D., "OpenSearch Protocol 1.1, Draft 5",
+ December 2005, <http://www.opensearch.org/Specifications/
+ OpenSearch/1.1>.
+
+ [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
+ DOI 10.17487/RFC6265, April 2011,
+ <http://www.rfc-editor.org/info/rfc6265>.
+
+ [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
+ Threat Model and Security Considerations", RFC 6819,
+ DOI 10.17487/RFC6819, January 2013,
+ <http://www.rfc-editor.org/info/rfc6819>.
+
+ [RFC6902] Bryan, P., Ed., and M. Nottingham, Ed., "JavaScript Object
+ Notation (JSON) Patch", RFC 6902, DOI 10.17487/RFC6902,
+ April 2013, <http://www.rfc-editor.org/info/rfc6902>.
+
+ [RFC7486] Farrell, S., Hoffman, P., and M. Thomas, "HTTP Origin-
+ Bound Authentication (HOBA)", RFC 7486,
+ DOI 10.17487/RFC7486, March 2015,
+ <http://www.rfc-editor.org/info/rfc7486>.
+
+ [RFC7521] Campbell, B., Mortimore, C., Jones, M., and Y. Goland,
+ "Assertion Framework for OAuth 2.0 Client Authentication
+ and Authorization Grants", RFC 7521, DOI 10.17487/RFC7521,
+ May 2015, <http://www.rfc-editor.org/info/rfc7521>.
+
+ [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre,
+ "Recommendations for Secure Use of Transport Layer
+ Security (TLS) and Datagram Transport Layer Security
+ (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525,
+ May 2015, <http://www.rfc-editor.org/info/rfc7525>.
+
+
+
+
+
+Hunt, et al. Standards Track [Page 87]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+ [RFC7564] Saint-Andre, P. and M. Blanchet, "PRECIS Framework:
+ Preparation, Enforcement, and Comparison of
+ Internationalized Strings in Application Protocols",
+ RFC 7564, DOI 10.17487/RFC7564, May 2015,
+ <http://www.rfc-editor.org/info/rfc7564>.
+
+ [XML-Schema]
+ Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes
+ Second Edition", W3C Recommendation, October 2004,
+ <http://www.w3.org/TR/xmlschema-2/>.
+
+Acknowledgements
+
+ The editor would like to acknowledge the contribution and work of the
+ editors of draft versions of this document:
+
+ Trey Drake, UnboundID
+
+ Chuck Mortimore, Salesforce
+
+ The editor would like to thank the participants in the SCIM working
+ group for their support of this specification.
+
+Contributors
+
+ Samuel Erdtman (samuel@erdtman.se)
+
+ Patrick Harding (pharding@pingidentity.com)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 88]
+
+RFC 7644 SCIM Protocol Specification September 2015
+
+
+Authors' Addresses
+
+ Phil Hunt (editor)
+ Oracle Corporation
+
+ Email: phil.hunt@yahoo.com
+
+
+ Kelly Grizzle
+ SailPoint
+
+ Email: kelly.grizzle@sailpoint.com
+
+
+ Morteza Ansari
+ Cisco
+
+ Email: morteza.ansari@cisco.com
+
+
+ Erik Wahlstroem
+ Nexus Technology
+
+ Email: erik.wahlstrom@nexusgroup.com
+
+
+ Chuck Mortimore
+ Salesforce.com
+
+ Email: cmortimore@salesforce.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hunt, et al. Standards Track [Page 89]
+