Skip to main content

Device Schema Extensions to the SCIM model
draft-ietf-scim-device-model-11

Document Type Active Internet-Draft (scim WG)
Authors Muhammad Shahzad , Hassan Iqbal , Eliot Lear
Last updated 2025-01-07
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Formats
Reviews
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state I-D Exists
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-ietf-scim-device-model-11
Network Working Group                                         M. Shahzad
Internet-Draft                                                  H. Iqbal
Intended status: Standards Track         North Carolina State University
Expires: 11 July 2025                                            E. Lear
                                                           Cisco Systems
                                                          7 January 2025

               Device Schema Extensions to the SCIM model
                    draft-ietf-scim-device-model-11

Abstract

   The initial core schema for SCIM (System for Cross Identity
   Management) was designed for provisioning users.  This memo specifies
   schema extensions that enables provisioning of devices, using various
   underlying bootstrapping systems, such as Wi-fi Easy Connect, FIDO
   device onboarding vouchers, BLE passcodes, and MAC authenticated
   bypass.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 11 July 2025.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Shahzad, et al.           Expires 11 July 2025                  [Page 1]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Why SCIM for devices? . . . . . . . . . . . . . . . . . .   4
     1.2.  Protocol Participants . . . . . . . . . . . . . . . . . .   4
     1.3.  Schema Description  . . . . . . . . . . . . . . . . . . .   5
     1.4.  Schema Representation . . . . . . . . . . . . . . . . . .   5
     1.5.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   6
   2.  ResourceType Device . . . . . . . . . . . . . . . . . . . . .   6
     2.1.  Common Attributes . . . . . . . . . . . . . . . . . . . .   6
   3.  SCIM Core Device Schema . . . . . . . . . . . . . . . . . . .   6
     3.1.  Singular Attributes . . . . . . . . . . . . . . . . . . .   7
   4.  Device Groups . . . . . . . . . . . . . . . . . . . . . . . .   8
   5.  Resource Type EndpointApp . . . . . . . . . . . . . . . . . .   8
   6.  SCIM EndpointApp Schema . . . . . . . . . . . . . . . . . . .   8
     6.1.  Common Attributes . . . . . . . . . . . . . . . . . . . .   9
     6.2.  Singular Attributes . . . . . . . . . . . . . . . . . . .   9
     6.3.  Complex Attributes  . . . . . . . . . . . . . . . . . . .   9
       6.3.1.  certificateInfo . . . . . . . . . . . . . . . . . . .   9
   7.  SCIM Device Extensions  . . . . . . . . . . . . . . . . . . .  11
     7.1.  BLE Extension . . . . . . . . . . . . . . . . . . . . . .  12
       7.1.1.  Singular Attributes . . . . . . . . . . . . . . . . .  12
       7.1.2.  Multivalued Attributes  . . . . . . . . . . . . . . .  13
       7.1.3.  BLE Pairing Method Extensions . . . . . . . . . . . .  13
     7.2.  Wi-Fi Easy Connect Extension  . . . . . . . . . . . . . .  19
       7.2.1.  Singular Attributes . . . . . . . . . . . . . . . . .  19
       7.2.2.  Multivalued Attributes  . . . . . . . . . . . . . . .  19
     7.3.  Ethernet MAB Extension  . . . . . . . . . . . . . . . . .  21
       7.3.1.  Single Attribute  . . . . . . . . . . . . . . . . . .  22
     7.4.  FIDO Device Onboard Extension . . . . . . . . . . . . . .  23
       7.4.1.  Single Attribute  . . . . . . . . . . . . . . . . . .  23
     7.5.  Zigbee Extension  . . . . . . . . . . . . . . . . . . . .  24
       7.5.1.  Singular Attribute  . . . . . . . . . . . . . . . . .  24
       7.5.2.  Multivalued Attribute . . . . . . . . . . . . . . . .  25
     7.6.  The Endpoint Applications Extension Schema  . . . . . . .  26
       7.6.1.  Singular Attributes . . . . . . . . . . . . . . . . .  26
       7.6.2.  Multivalued Attribute . . . . . . . . . . . . . . . .  26
   8.  Schema JSON Representation  . . . . . . . . . . . . . . . . .  28
     8.1.  Resource Schema . . . . . . . . . . . . . . . . . . . . .  29

Shahzad, et al.           Expires 11 July 2025                  [Page 2]
Internet-Draft        SCIM Device Schema Extensions         January 2025

     8.2.  Device Core Schema JSON . . . . . . . . . . . . . . . . .  29
     8.3.  EndpointApp Schema JSON . . . . . . . . . . . . . . . . .  30
     8.4.  BLE Extension Schema JSON . . . . . . . . . . . . . . . .  32
     8.5.  DPP Extension Schema JSON . . . . . . . . . . . . . . . .  37
     8.6.  Ethernet MAB Extension Schema JSON  . . . . . . . . . . .  39
     8.7.  FDO Extension Schema JSON . . . . . . . . . . . . . . . .  40
     8.8.  Zigbee Extension Schema JSON  . . . . . . . . . . . . . .  41
     8.9.  EndpointAppsExt JSON Extension Schema . . . . . . . . . .  42
     8.10. Representation of Schema  . . . . . . . . . . . . . . . .  44
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  52
     9.1.  SCIM operations . . . . . . . . . . . . . . . . . . . . .  52
       9.1.1.  Object Creation . . . . . . . . . . . . . . . . . . .  53
     9.2.  Object Deletion . . . . . . . . . . . . . . . . . . . . .  53
     9.3.  Read operations . . . . . . . . . . . . . . . . . . . . .  53
     9.4.  Update Operations . . . . . . . . . . . . . . . . . . . .  53
     9.5.  Higher level protection for certain systems . . . . . . .  53
     9.6.  Logging . . . . . . . . . . . . . . . . . . . . . . . . .  54
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  54
     10.1.  New Schemas  . . . . . . . . . . . . . . . . . . . . . .  54
     10.2.  Device Schema Extensions . . . . . . . . . . . . . . . .  54
   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  55
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  55
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  55
     12.2.  Informative References . . . . . . . . . . . . . . . . .  57
   Appendix A.  Changes from Earlier Versions  . . . . . . . . . . .  57
   Appendix B.  OpenAPI representation . . . . . . . . . . . . . . .  58
     B.1.  Device Core Schema OpenAPI Representation . . . . . . . .  58
     B.2.  EndpointApp Schema OpenAPI Representation . . . . . . . .  60
     B.3.  BLE Extension Schema OpenAPI Representation . . . . . . .  63
     B.4.  DPP Extension Schema OpenAPI Representation . . . . . . .  67
     B.5.  Ethernet MAB Extension Schema OpenAPI Representation  . .  69
     B.6.  FDO Extension Schema OpenAPI Representation . . . . . . .  70
     B.7.  Zigbee Extension Schema OpenAPI Representation  . . . . .  70
     B.8.  EndpointAppsExt Extension Schema OpenAPI
           Representation  . . . . . . . . . . . . . . . . . . . . .  71
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  73

1.  Introduction

   The Internet of Things presents a management challenge in many
   dimensions.  One of them is the ability to onboard and manage large
   number of devices.  There are many models for bootstrapping trust
   between devices and network deployments.  Indeed it is expected that
   different manufacturers will make use of different methods.

   SCIM (System for Cross Identity Management) [RFC7643] [RFC7644]
   defines a protocol and a schema for provisioning of users.  However,
   it can easily be extended to provision device credentials and other

Shahzad, et al.           Expires 11 July 2025                  [Page 3]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   attributes into a network.  The protocol and core schema were
   designed to permit just such extensions.  Bulk operations are
   supported.  This is good because often devices are procured in bulk.

   A primary purpose of this specification is to provision the network
   for onboarding and communications access to and from devices within a
   local deployment based on the underlying capabilities of those
   devices.  The underlying security mechanisms of some devices range
   from non-existent such as the Bluetooth Low Energy (BLE) "Just Works"
   pairing method to a robust FIDO Device Onboard (FDO) mechanism.
   Information from the SCIM server is dispatched to control functions
   based on selected schema extensions to enable these communications
   within a network.  The SCIM database is therefore essentially
   equivalent to a network's Authentication, Authorization, and
   Accounting (AAA) database, and should be carefully treated as such.

1.1.  Why SCIM for devices?

   Some might ask why SCIM is well suited for this purpose and not, for
   example, NETCONF [RFC6241] or RESTCONF [RFC8040] with YANG [RFC7950].
   After all, there are all sorts of existing models available.  The
   answer is that the only information being passed about the device is
   neither state nor device configuration information, but only
   information necessary to bootstrap trust so that the device may
   establish connectivity.

1.2.  Protocol Participants

   In the normal SCIM model, it was presumed that large federated
   deployments would be SCIM clients who provision and remove employees
   and contractors as they enter and depart those deployments, and
   federated services such as sales, payment, or conferencing services
   would be the servers.

   In the device model, the roles are reversed, and may be somewhat more
   varied.  A deployment network management system gateway (NMS gateway)
   plays the role of the server, receiving information about devices
   that are expected to be connected to its network.  That server will
   apply appropriate local policies regarding whether/how the device
   should be connected.

   The client may be one of a number of entities:

   *  A vendor who is authorized to add devices to a network as part of
      a sales transaction.  This is similar to the sales integration
      sometimes envisioned by Bootstrapping Remote Key Infrastructure
      (BRSKI) [RFC8995].

Shahzad, et al.           Expires 11 July 2025                  [Page 4]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   *  A client application that administrators or employees use to add,
      remove, or get information about devices.  An example might be an
      tablet or phone app that scans Wi-fi Easy Connect QR codes.

                               +-----------------------------------+
                               |                                   |
       +-----------+   Request |  +---------+                      |
       | onboarding|------------->|  SCIM   |                      |
       |    app    |<-------------| Server  |                      |
       +-----------+  Ctrl Endpt  +---------+                      |
                               |                                   |
       +-----------+           |  +------------+         +-------+ |
       |  Control  |...........|..|    ALG     |.........|device | |
       |    App    |           |  +------------+         +-------+ |
       +-----------+           |                                   |
                               |                                   |
                               +-----------------------------------+

                        Figure 1: Basic Architecture

   In Figure 1, the onboarding app provides the device particulars.  As
   part of the response, the SCIM server might provide additional
   information, especially in the case of non-IP devices, where an
   application-layer gateway may need to be used to communicate with the
   device.  The control endpoint is one among a number of objects that
   may be returned.

1.3.  Schema Description

   RFC 7643 does not prescribe a language to describe a schema.  We have
   chosen the JSON schema language [I-D.bhutton-json-schema] for this
   purpose.  The use of XML for SCIM devices is not supported.

   Several additional schemas specify specific onboarding mechanisms,
   such as BLE and Wi-fi Easy Connect.

1.4.  Schema Representation

   Attributes defined in the device core schema and extensions comprise
   characteristics and SCIM datatypes defined in Sections 2.2 and 2.3 of
   the [RFC7643].  This specifciation does not define new
   characteristics and datatypes for the SCIM attributes.

Shahzad, et al.           Expires 11 July 2025                  [Page 5]
Internet-Draft        SCIM Device Schema Extensions         January 2025

1.5.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  ResourceType Device

   A new resource type 'Device' is specified.  The "ResourceType" schema
   specifies the metadata about a resource type (see section 6 of
   [RFC7643]).  It comprises a core device schema and several extension
   schemas.  The core schema provides a minimal resource representation,
   whereas extension schemas extend the core schema depending on the
   device's capability.  The JSON schema for Device resource type is in
   Section 8.1.

2.1.  Common Attributes

   The Device schema contains three common attributes as defined in the
   [RFC7643].

   id

   An id is a required and unique attribute of the device core schema
   (see section 3.1 of [RFC7643]).

   externalID

   An externalID is an optional attribute (see section 3.1 of
   [RFC7643]).

   meta

   Meta is a complex attribute and is required (see section 3.1 of
   [RFC7643]).

3.  SCIM Core Device Schema

   The core device schema provides the minimal representation of a
   resource "Device".  It contains only those attributes that any device
   may need, and only one attribute is required.  The core schema for
   "Device" is identified using the schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:Device".  The following
   attributes are defined in the device core schema.

Shahzad, et al.           Expires 11 July 2025                  [Page 6]
Internet-Draft        SCIM Device Schema Extensions         January 2025

3.1.  Singular Attributes

   displayName

   This attribute is of type "string" and provides a human-readable name
   for a device.  It is intended to be displayed to end-users and should
   be suitable for that purpose.  The attribute is not required, and is
   not case-sensitive.  It may be modified and SHOULD be returned by
   default.  No uniqueness constraints are imposed on this attribute.

   active

   The "active" attribute is of type "boolean" and is a mutable
   attribute, and is required.  If set to TRUE, it means that this
   device is intended to be operational.  Attempts to control or access
   a device where this value is set to FALSE may fail.  For example,
   when used in conjunction with NIPC [I-D.brinckman-nipc], commands
   such as connect, disconnect, subscribe that control app sends to the
   controller for the devices any command coming from the control app
   for the device will be rejected by the controller.

   mudUrl

   The mudUrl attribute represents the URL to the MUD file associated
   with this device.  This attribute is optional and mutable.  The
   mudUrl value is case sensitive and not unique.  When present, this
   attribute may be used as described in [RFC8520].  This attribute is
   case sensitive and returned by default.

     +=============+=======+=====+=======+=========+========+========+
     | Attribute   | Multi | Req | Case  | Mutable | Return | Unique |
     |             | Value |     | Exact |         |        |        |
     +=============+=======+=====+=======+=========+========+========+
     | displayName | F     | F   | F     | RW      | Def    | None   |
     +-------------+-------+-----+-------+---------+--------+--------+
     | active      | F     | T   | F     | RW      | Def    | None   |
     +-------------+-------+-----+-------+---------+--------+--------+
     | mudUrl      | F     | F   | T     | RW      | Def    | None   |
     +-------------+-------+-----+-------+---------+--------+--------+

       Table 1: Characteristics of device schema attributes.  (Req =
          Required, T = True, F = False, RW = ReadWrite, and Def =
                                  Default)

   An example of a device SCIM object is as follows:

Shahzad, et al.           Expires 11 July 2025                  [Page 7]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   {
           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device"],
           "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
           "displayName": "BLE Heart Monitor",
           "active": true,
           "meta": {
             "resourceType": "Device",
         "created": "2022-01-23T04:56:22Z",
             "lastModified": "2022-05-13T04:42:34Z",
             "version": "W\/\"a330bc54f0671c9\"",
             "location": "https://example.com/v2/Device/e9e30dba-f08f
                -4109-8486-d5c6a3316111"
           }
   }
   <CODE ENDS>

   The schema for the device is presented in JSON format in
   Section Section 8.2, while the openAPI representation is provided in
   Section Appendix B.1.

4.  Device Groups

   Device groups are created using the SCIM groups as defined in
   [RFC7643] Section 4.2.

5.  Resource Type EndpointApp

   This section defines a new resource type, 'EndpointApp'.  The
   "ResourceType" schema specifies the metadata about a resource type
   (see section 6 of [RFC7643]).  The resource "EndpointApp" represents
   client applications that can control and/or receive data from the
   devices.  The JSON schema for EndpointApp resource type is in
   Section 8.1.

   The attributes comprising EndpointsApp are listed in Section 6.  The
   "EndpointApp" are included in the endpoint applications extension
   ("endpointAppsExt") Section 7.6.

6.  SCIM EndpointApp Schema

   The EndpointApp schema is used to authorize clients control or
   telemetry services for clients.  The schema identifies the
   application and how clients are to authenticate to the various
   services.

Shahzad, et al.           Expires 11 July 2025                  [Page 8]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   The schema for "EndpointApp" is identified using the schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:EndpointApp".  The following
   attributes are defined in this schema.

6.1.  Common Attributes

   The EndpointApp schema contains three common attributes as defined in
   the [RFC7643].

6.2.  Singular Attributes

   applicationType

   This attribute is of type "string" and represents the type of
   application.  It will only contain two values; 'deviceControl' or
   'telemetry'. 'deviceControl' is the application that sends commands
   to control the device. 'telemetry' is the application that receives
   data from the device.  The attribute is required, and is not case-
   sensitive.  The attribute is readOnly and should be returned by
   default.  No uniqueness constraints are imposed on this attribute.

   applicationName

   The "applicationName" attribute is of type "string" and represents a
   human readable name for the application.  This attribute is required
   and mutable.  The attribute should be returned by default and there
   is no uniqueness contraint on the attribute.

   clientToken

   This attribute type string contains a token that the client will use
   to authenticate itself.  Each token may be a string up to 500
   characters in length.  It is not mutable, read-only, generated if no
   certificateInfo object is provisioned, case sensitive and returned by
   default if it exists.  The SCIM server should expect that client
   tokens will be shared by the SCIM client with other components within
   the client's infrastructure.

6.3.  Complex Attributes

6.3.1.  certificateInfo

   It is the complex attribute that contains x509 certificate's subject
   name and root CA information associated with application clients that
   will connect for purposes of device control or telemetry.

   rootCA

Shahzad, et al.           Expires 11 July 2025                  [Page 9]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   This is the base64 encoding a trust anchor certificate as described
   in [rfc4648] Section 4.  This trust anchor is applicable for
   certificates used for client application access.  The object is not
   required, singular, case sensitive, and read/write.  If not present,
   a set of trust anchors MUST be configured out of band.

   subjectName

   If present, this field may contain one of two names:

   *  a distinguished name as that will be present in the certificate
      subject field, as de scribed in Section 4.1.2.4 of [RFC5280]; or

   *  or a dnsName as part of a subjectAlternateName as described in
      Section 4.2.1.6 of [RFC5280].

   In the latter case, servers validating such certificates SHALL reject
   connections when name of the peer as resolved by a DNS reverse lookup
   does not match the dnsName in the certificate.  If multiple dnsNames
   are present, it is left to server implementations to address any
   authorization conflicts associated with those names.  This attribute
   is not required, read write, singular and NOT case sensitive.

    +=================+=======+===+=======+=========+========+========+
    | Attribute       | Multi |Req| Case  | Mutable | Return | Unique |
    |                 | Value |   | Exact |         |        |        |
    +=================+=======+===+=======+=========+========+========+
    | applicationType | F     |T  | F     | R       | Def    | None   |
    +-----------------+-------+---+-------+---------+--------+--------+
    | applicationName | F     |T  | F     | RW      | Def    | None   |
    +-----------------+-------+---+-------+---------+--------+--------+
    | clientToken     | F     |F  | T     | R       | N      | None   |
    +-----------------+-------+---+-------+---------+--------+--------+
    | certificateInfo | F     |F  | F     | RW      | Def    | None   |
    +-----------------+-------+---+-------+---------+--------+--------+
    | rootCA          | F     |F  | T     | RW      | Def    | None   |
    +-----------------+-------+---+-------+---------+--------+--------+
    | subjectName     | F     |T  | T     | RW      | Def    | None   |
    +-----------------+-------+---+-------+---------+--------+--------+

         Table 2: Characteristics of EndpointApp schema attributes.
          (Req = Required, T = True, F = False, R = ReadOnly, RW =
        ReadWrite, Manuf = Manufacturer, N = No, and Def = Default)

   Note that either clientToken and certificateInfo are used for the
   authentication of the application.  If certificateInfo is NOT present
   when an endpointApp is object created, then the server SHOULD return
   a clientToken.  Otherwise, if the server accepts the certificateInfo

Shahzad, et al.           Expires 11 July 2025                 [Page 10]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   object for authentication, it SHOULD NOT return a clientToken.  If
   the server accepts and produces a clientToken, then control and
   telemetry servers MUST validate both.  The SCIM client will know that
   this is the case based on the SCIM object that is returned.

   certificateInfo is preferred in situations where client functions are
   federated such that different clients may connect for different
   purposes.

   <CODE BEGINS>
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:EndpointApp"],
     "id": "e9e30dba-f08f-4109-8486-d5c6a3316212",
     "applicationType": "deviceControl",
     "applicationName": "Device Control App 1",
     "certificateInfo": {
         "rootCA" : "MIIBIjAN...",
         "subjectName": "wwww.example.com"
     },
     "meta": {
       "resourceType": "EndpointApp",
       "created": "2022-01-23T04:56:22Z",
       "lastModified": "2022-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location": "https://example.com/v2/EndpointApp/e9e30dba-f08f
          -4109-8486-d5c6a3316212"
     }
   }
   <CODE ENDS>

   The schema for the endpointApp is presented in JSON format in
   Section Section 8.3, while the openAPI representation is provided in
   Section Appendix B.2.

7.  SCIM Device Extensions

   SCIM provides various extension schemas, their attributes, JSON
   representation, and example object.  The core schema is extended with
   a new resource type, as described in Section 8.1.  No
   schemaExtensions list is specified in that definition.  Instead, an
   IANA registry is created, where all values for "required" are set to
   false.  All extensions to the Device schema MUST be registered via
   IANA, as described in Section 10.2.  The schemas below demonstrate
   how this model is to work.

Shahzad, et al.           Expires 11 July 2025                 [Page 11]
Internet-Draft        SCIM Device Schema Extensions         January 2025

7.1.  BLE Extension

   This schema extends the device schema to represent the devices
   supporting BLE.  The extension is identified using the following
   schema URI:

   urn:ietf:params:scim:schemas:extension:ble:2.0:Device

   The attributes are as follows:

7.1.1.  Singular Attributes

   deviceMacAddress

   A string value that represent a public MAC address assigned by the
   manufacturer.  It is a unique 48-bit value.  Ir is required, case
   insensitive, and it is mutable and return as default.  The regex
   pattern is the following:

   ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$

   isRandom

   A boolean flag taken from the BLE core specification, 5.3.  If FALSE,
   the device is using a public MAC address.  If TRUE, the device uses a
   random address.  If an Idenifying Resolving Key (IRK) is present, the
   address represents a resolvable private address.  Otherwise, the
   address is assumed to be a random static address.  Non-resolvable
   private addresses are not supported by this specification.  This
   attribute is not required.  It is mutable, and is returned by
   default.  The default value is FALSE.

   separateBroadcastAddress

   When present, this address is used for broadcasts/advertisements.
   This value MUST NOT be set when an IRK is provided.  Its form is the
   same as deviceMacAddress.  It is not required, multivalued, mutable,
   and returned by default.

   irk

   A string value that specifies the identity resolving key (IRK), which
   is unique to each device.  It is used to resolve private random
   address.  It should only be provisioned when isRandom is TRUE.  It is
   mutable and never returned.  For more information about the use of
   the IRK, see Section 5.4.5 of [BLE54].

   mobility

Shahzad, et al.           Expires 11 July 2025                 [Page 12]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   A boolean attribute to enable BLE device mobility.  If set to TRUE,
   the device could be expected to move within a network of APs.  For
   example, BLE device is connected with AP-1 and moves out of range but
   comes in range of AP-2, it will be disconnected with AP-1 and
   connects with AP-2.  It is returned by default and mutable.

7.1.2.  Multivalued Attributes

   versionSupport

   A multivalued attribute that provides all the BLE versions supported
   by the device in the form of an array.  For example, [4.1, 4.2, 5.0,
   5.1, 5.2, 5.3].  It is required, mutable, and return as default.

   pairingMethods

   An array of pairing methods associated with the BLE device.  The
   pairing methods may require sub-attributes, such as key/password, for
   the device pairing process.  To enable the scalability of pairing
   methods in the future, they are represented as extensions to
   incorporate various attributes that are part of the respective
   pairing process.  Pairing method extensions are nested inside the BLE
   extension.  It is required, case sensitive, mutable, and returned by
   default.

7.1.3.  BLE Pairing Method Extensions

   The details on pairing methods and their associated attributes are in
   section 2.3 of [BLE54].  This memo defines extensions for four
   pairing methods that are nested insided the BLE extension schema.
   Each extension contains the common attributes Section 2.1.  These
   extension are as follows:

   (i) pairingNull extension is identified using the following schema
   URI:

   urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device

   pairingNull does not have any attribute.  It allows pairing for BLE
   devices that do not require a pairing method.

   (ii) pairingJustWorks extension is identified using the following
   schema URI:

   urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device

Shahzad, et al.           Expires 11 July 2025                 [Page 13]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   Just works pairing method does not require a key to pair devices.
   For completeness, the key attribute is included and is set to 'null'.
   Key attribute is required, immutable, and returned by default.

   (iii) pairingPassKey extension is identified using the following
   schema URI:

   urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device

   The passkey pairing method requires a 6-digit key to pair devices.
   This extension has one singular integer attribute, "key", which is
   required, mutable and returned by default.  The key pattern is as
   follows:

   ^[0-9]{6}$

   (iv) pairingOOB extension is identified using the following schema
   URI:

   urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device

   The out-of-band pairing method includes three singular attributes,
   i.e., key, randomNumber, and confirmationNumber.

   key

   The key is string value, required and received from out-of-bond
   sources such as NFC.  It is case sensitive, mutable, and returned by
   default.

   randomNumber

   This attribute represents a nonce added to the key.  It is an integer
   value that is a required attribute.  It is mutable and returned by
   default.

   confirmationNumber

   An integer which some solutions require in RESTful message exchange.
   It is not required.  It is mutable and returned by default if it
   exists.

Shahzad, et al.           Expires 11 July 2025                 [Page 14]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   +==================+=======+===+=======+=========+========+========+
   | Attribute        | Multi |Req| Case  | Mutable | Return | Unique |
   |                  | Value |   | Exact |         |        |        |
   +==================+=======+===+=======+=========+========+========+
   | deviceMacAddress | F     |T  | F     | RW      | Def    | Manuf  |
   +------------------+-------+---+-------+---------+--------+--------+
   | isRandom         | F     |T  | F     | RW      | Def    | None   |
   +------------------+-------+---+-------+---------+--------+--------+
   | sepBroadcastAdd  | T     |F  | F     | RW      | Def    | None   |
   +------------------+-------+---+-------+---------+--------+--------+
   | irk              | F     |F  | F     | WO      | Nev    | Manuf  |
   +------------------+-------+---+-------+---------+--------+--------+
   | versionSupport   | T     |T  | F     | RW      | Def    | None   |
   +------------------+-------+---+-------+---------+--------+--------+
   | mobility         | F     |F  | F     | RW      | Def    | None   |
   +------------------+-------+---+-------+---------+--------+--------+
   | pairingMethods   | T     |T  | T     | RW      | Def    | None   |
   +------------------+-------+---+-------+---------+--------+--------+

       Table 3: Characteristics of BLE extension schema attributes.
      sepBroadcastAdd is short for separateBroadcastAddress.  (Req =
      Required, T = True, F = False, RW = ReadWrite, WO=Write Only,
          Def = Default, Nev = Never, and Manuf = Manufacturer).

   An example of a device object with BLE extension is as follows:

Shahzad, et al.           Expires 11 July 2025                 [Page 15]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
        "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],

     "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
     "displayName": "BLE Heart Monitor",
     "active": true,
     "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
       "versionSupport": ["5.3"],
       "deviceMacAddress": "2C:54:91:88:C9:E2",
       "isRandom": false,
       "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77
          :22:12"],
       "mobility": true,
       "pairingMethods": ["urn:ietf:params:scim:schemas:extension
          :pairingPassKey:2.0:Device"],
       "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0
          :Device" : {
         "key": 123456
       }
     },
     "meta": {
       "resourceType": "Device",
         "created": "2022-01-23T04:56:22Z",
       "lastModified": "2022-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location": "https://example.com/v2/Device/e9e30dba-f08f-4109
          -8486-d5c6a3316111"
     }
   }
   <CODE ENDS>

   In the above example, the pairing method is "pairingPassKey", which
   implies that this BLE device pairs using only a passkey.  In another
   example below, the pairing method is "pairingOOB", denoting that this
   BLE device uses the out-of-band pairing method.

Shahzad, et al.           Expires 11 July 2025                 [Page 16]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
        "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],

     "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
     "displayName": "BLE Heart Monitor",
     "active": true,
     "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
       "versionSupport": ["5.3"],
       "deviceMacAddress": "2C:54:91:88:C9:E2",
       "isRandom": false,
       "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77
          :22:12"],
       "mobility": true,
       "pairingMethods": ["urn:ietf:params:scim:schemas:extension
          :pairingOOB:2.0:Device"],
       "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device":
           {
         "key": "TheKeyvalueRetrievedFromOOB",
         "randomNumber": 238796813516896
       }
     },
     "meta": {
       "resourceType": "Device",
         "created": "2022-01-23T04:56:22Z",
       "lastModified": "2022-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location": "https://example.com/v2/Device/e9e30dba-f08f-4109
          -8486-d5c6a3316111"
     }
   }
   <CODE ENDS>

   However, a device can have more than one pairing method.  Support for
   multiple pairing methods is also provided by the multi-valued
   attribute pairingMethods.  In the example below, the BLE device can
   pair with both passkey and OOB pairing methods.

Shahzad, et al.           Expires 11 July 2025                 [Page 17]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
        "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],

     "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
     "displayName": "BLE Heart Monitor",
     "active": true,
     "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
       "versionSupport": ["5.3"],
       "deviceMacAddress": "2C:54:91:88:C9:E2",
       "isRandom": false,
       "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77
          :22:12"],
       "mobility": true,
       "pairingMethods": ["urn:ietf:params:scim:schemas:extension
          :pairingPassKey:2.0:Device",
           "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0
              :Device"],
       "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0
          :Device" : {
         "key": 123456
       },
       "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device":
           {
         "key": "TheKeyvalueRetrievedFromOOB",
         "randomNumber": 238796813516896
       }
     },
     "meta": {
       "resourceType": "Device",
         "created": "2022-01-23T04:56:22Z",
       "lastModified": "2022-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location": "https://example.com/v2/Device/e9e30dba-f08f-4109
          -8486-d5c6a3316111"
     }
   }
   <CODE ENDS>

   The schema for the BLE extension is presented in JSON format in
   Section Section 8.4, while the openAPI representation is provided in
   Section Appendix B.3.

Shahzad, et al.           Expires 11 July 2025                 [Page 18]
Internet-Draft        SCIM Device Schema Extensions         January 2025

7.2.  Wi-Fi Easy Connect Extension

   A schema that extends the device schema to enable Wi-Fi Easy Connect
   (otherwise known as Device Provisioning Protocol or DPP).  Throughout
   this specification we use the term DPP.  The extension is identified
   using the following schema URI:

   urn:ietf:params:scim:schemas:extension:dpp:2.0:Device

   The attributes in this extension are adopted from [DPP2].  The
   attributes are as follows:

7.2.1.  Singular Attributes

   dppVersion

   An integer that represents the version of DPP the device supports.
   This attribute is required, case insensitive, mutable, and returned
   by default.

   bootstrapKey

   A string value representing Elliptic-Curve Diffie–Hellman (ECDH)
   public key.  The base64 encoded lengths for P-256, P-384, and P-521
   are 80, 96, and 120 characters.  This attribute is required, case-
   sensitive, mutable, and returned by default.

   deviceMacAddress

   The manufacturer assigns the MAC address stored as string.  It is a
   unique 48-bit value.  This attribute is optional, case insensitive,
   mutable, and returned by default.  The regex pattern is as follows:

   ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$

   serialNumber

   An alphanumeric serial number, stored as string, may also be passed
   as bootstrapping information.  This attribute is optional, case
   insensitive, mutable, and returned by default.

7.2.2.  Multivalued Attributes

   bootstrappingMethod

   It is the array of strings of all the bootstrapping methods available
   on the enrollee device.  For example, [QR, NFC].  This attribute is
   optional, case insensitive, mutable, and returned by default.

Shahzad, et al.           Expires 11 July 2025                 [Page 19]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   classChannel

   This attribute is an array of strings of global operating class and
   channel shared as bootstrapping information.  It is formatted as
   class/channel.  For example, ['81/1','115/36'].  This attribute is
   optional, case insensitive, mutable, and returned by default.

    +=====================+=====+===+=====+=========+========+========+
    | Attribute           |Multi|Req|Case | Mutable | Return | Unique |
    |                     |Value|   |Exact|         |        |        |
    +=====================+=====+===+=====+=========+========+========+
    | dppVersion          |F    |T  |F    | RW      | Def    | None   |
    +---------------------+-----+---+-----+---------+--------+--------+
    | bootstrapKey        |F    |T  |T    | WO      | Nev    | None   |
    +---------------------+-----+---+-----+---------+--------+--------+
    | deviceMacAddress    |F    |F  |F    | RW      | Def    | Manuf  |
    +---------------------+-----+---+-----+---------+--------+--------+
    | serialNumber        |F    |F  |F    | RW      | Def    | None   |
    +---------------------+-----+---+-----+---------+--------+--------+
    | bootstrappingMethod |T    |F  |F    | RW      | Def    | None   |
    +---------------------+-----+---+-----+---------+--------+--------+
    | classChannel        |T    |F  |F    | RW      | Def    | None   |
    +---------------------+-----+---+-----+---------+--------+--------+

        Table 4: Characteristics of DPP extension schema attributes.
         (Req = Required, T = True, F = False, RW = ReadWrite, WO =
            Write Only, Def = Default, Nev = Never, and Manuf =
                               Manufacturer).

   An example of a device object with DPP extension is below:

Shahzad, et al.           Expires 11 July 2025                 [Page 20]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   {
           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
                    "urn:ietf:params:scim:schemas:extension:dpp:2.0
                       :Device"],

           "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
           "displayName": "WiFi Heart Monitor",
           "active": true,
           "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device" : {
                   "dppVersion": 2,
                   "bootstrappingMethod": ["QR"],
                   "bootstrapKey":
                       "MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADURzxmt
                      tZoIRIPWGoQMV00XHWCAQIhXruVWOz0NjlkIA=",
                   "deviceMacAddress": "2C:54:91:88:C9:F2",
                   "classChannel": ["81/1", "115/36"],
                   "serialNumber": "4774LH2b4044"
           },

           "meta": {
             "resourceType": "Device",
         "created": "2022-01-23T04:56:22Z",
             "lastModified": "2022-05-13T04:42:34Z",
             "version": "W\/\"a330bc54f0671c9\"",
             "location": "https://example.com/v2/Device/e9e30dba-f08f
                -4109-8486-d5c6a3316111"
           }
   }
   <CODE ENDS>

   The schema for the DPP extension is presented in JSON format in
   Section Section 8.5, while the openAPI representation is provided in
   Section Appendix B.4.

7.3.  Ethernet MAB Extension

   This extension enables a legacy means of (very) weak authentication,
   known as MAC Authenticated Bypass (MAB), that is supported in many
   wired ethernet solutions.  If the MAC address is known, then the
   device may be permitted (perhaps limited) access.  The extension is
   identified by the following URI:

   urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device

Shahzad, et al.           Expires 11 July 2025                 [Page 21]
Internet-Draft        SCIM Device Schema Extensions         January 2025

7.3.1.  Single Attribute

   This extension has a singular attribute:

   deviceMacAddress

   This is the Ethernet address to be provisioned onto the network.  It
   takes the identical form as found in both the BLE and DPP extensions.

   +==================+=======+===+=======+=========+========+========+
   | Attribute        | Multi |Req| Case  | Mutable | Return | Unique |
   |                  | Value |   | Exact |         |        |        |
   +==================+=======+===+=======+=========+========+========+
   | deviceMacAddress | F     |T  | F     | RW      | Def    | None   |
   +------------------+-------+---+-------+---------+--------+--------+

     Table 5: Characteristics of MAB extension schema attributes (Req
        = Required, T = True, F = False, RW = ReadWrite, and Def =
                                 Default)

   An example of a device object with EthernetMAB extension is shown
   below:

   <CODE BEGINS>
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
        "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0
           :Device"],

     "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
     "displayName": "Some random Ethernet Device",
     "active": true,
     "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device"
        : {
       "deviceMacAddress": "2C:54:91:88:C9:E2"
     },

     "meta": {
       "resourceType": "Device",
         "created": "2022-01-23T04:56:22Z",
       "lastModified": "2022-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location": "https://example.com/v2/Device/e9e30dba-f08f-4109
          -8486-d5c6a3316111"
     }
   }
   <CODE ENDS>

Shahzad, et al.           Expires 11 July 2025                 [Page 22]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   The schema for the EthernetMAB extension is presented in JSON format
   in Section Section 8.6, while the openAPI representation is provided
   in Section Appendix B.5.

7.4.  FIDO Device Onboard Extension

   This extension specifies a voucher to be used by the FDO Device
   Onboard (FDO) protocols [FDO11] to complete a trusted transfer of
   ownership and control of the device to the environment.  The SCIM
   server MUST know how to process the voucher, either directly or by
   forwarding it along to an owner process as defined in the FDO
   specification.

   urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device

7.4.1.  Single Attribute

   This extension has a singular attribute:

   fdoVoucher

   The voucher is formated as a PEM-encoded object in accordance with
   [FDO11].

     +============+=======+=====+=======+=========+========+========+
     | Attribute  | Multi | Req | Case  | Mutable | Return | Unique |
     |            | Value |     | Exact |         |        |        |
     +============+=======+=====+=======+=========+========+========+
     | fdoVoucher | F     | T   | F     | WO      | Nev    | None   |
     +------------+-------+-----+-------+---------+--------+--------+

       Table 6: Characteristics of FDO extension schema attributes
        (Req = Required, T = True, F = False, WO = WriteOnly, and
                               Nev = Never)

   An example of a device object with FDO extension is shown below:

Shahzad, et al.           Expires 11 July 2025                 [Page 23]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Devices",
        "urn:ietf:params:scim:schemas:extension:fido-device-onboard
           :2.0:Devices"],

     "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
     "displayName": "Some random Ethernet Device",
     "active": true,
     "urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0
        :Devices" : {
        "fdoVoucher": "{... voucher ...}"
     },

     "meta": {
       "resourceType": "Device",
         "created": "2022-01-23T04:56:22Z",
       "lastModified": "2022-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location": "https://example.com/v2/Device/e9e30dba-f08f-4109
          -8486-d5c6a3316111"
     }
   }
   <CODE ENDS>

   The schema for the FDO extension is presented in JSON format in
   Section Section 8.7, while the openAPI representation is provided in
   Section Appendix B.6.

7.5.  Zigbee Extension

   A schema that extends the device schema to enable the provisioning of
   Zigbee devices.  The extension is identified using the following
   schema URI:

   urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device

   It has one singular attribute and one multivalued attribute.  The
   attributes are as follows:

7.5.1.  Singular Attribute

   deviceEui64Address

   An EUI-64 (Extended Unique Identifier) device address stored as
   string.  This attribute is required, case insensitive, mutable, and
   returned by default.  The regex pattern is as follows:

Shahzad, et al.           Expires 11 July 2025                 [Page 24]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){7}$

7.5.2.  Multivalued Attribute

   versionSupport

   An array of strings of all the Zigbee versions supported by the
   device.  For example, [3.0].  This attribute is required, case
   insensitive, mutable, and returned by default.

   +====================+=====+===+=======+=========+========+========+
   | Attribute          |Multi|Req| Case  | Mutable | Return | Unique |
   |                    |Value|   | Exact |         |        |        |
   +====================+=====+===+=======+=========+========+========+
   | deviceEui64Address |F    |T  | F     | RW      | Def    | None   |
   +--------------------+-----+---+-------+---------+--------+--------+
   | versionSupport     |T    |T  | F     | RW      | Def    | None   |
   +--------------------+-----+---+-------+---------+--------+--------+

     Table 7: Characteristics of Zigbee extension schema attributes.
     (Req = Required, T = True, F = False, RW = ReadWrite, and Def =
                                 Default)

   An example of a device object with Zigbee extension is shown below:

   <CODE BEGINS>
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
        "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device"],

     "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
     "displayName": "Zigbee Heart Monitor",
     "active": true,
     "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device" : {
       "versionSupport": ["3.0"],
       "deviceEui64Address": "50:32:5F:FF:FE:E7:67:28"
     },

     "meta": {
       "resourceType": "Device",
         "created": "2022-01-23T04:56:22Z",
       "lastModified": "2022-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location": "https://example.com/v2/Device/e9e30dba-f08f-4109
          -8486-d5c6a3316111"
     }
   }
   <CODE ENDS>

Shahzad, et al.           Expires 11 July 2025                 [Page 25]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   The schema for the Zigbee extension is presented in JSON format in
   Section Section 8.8, while the openAPI representation is provided in
   Section Appendix B.7.

7.6.  The Endpoint Applications Extension Schema

   Sometimes non-IP devices such as those using BLE or Zigbee require an
   application gateway interface to manage them.  SCIM clients MUST NOT
   specify this to describe native IP-based devices.

   endpointAppsExt provides the list application that connect to
   enterprise gateway.  The endpointAppsExt has one multivalued
   attribute and two singular attributes.  The extension is identified
   using the following schema URI:

   urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device

7.6.1.  Singular Attributes

   deviceControlEnterpriseEndpoint

   Device control apps use this URL of the enterprise endpoint to reach
   the enterprise gateway.  When the enterprise receives the SCIM object
   from the onboarding app, it adds this attribute to it and sends it
   back as a response to the onboarding app.  This attribute is
   required, case-sensitive, mutable, and returned by default.  The
   uniqueness is enforced by the enterprise.

   telemetryEnterpriseEndpoint

   Telemetry apps use this URL of the enterprise endpoint to reach the
   enterprise gateway.  When the enterprise receives the SCIM object
   from the onboarding app, it adds this attribute to it and sends it
   back as a response to the onboarding app.  This attribute is
   optional, case-sensitive, mutable, and returned by default.  The
   uniqueness is enforced by the enterprise.  An implementation MUST
   generate an exception if telemetryEnterpriseEndpoint is not returned
   and telemetry is required for the proper functioning of a device.

7.6.2.  Multivalued Attribute

   applications

   This is a complex multivalued attribute.  It represents a list of
   endpoint applications i.e., deviceControl and telemetry.  Each entry
   in the list comprises two attributes including "value" and "$ref".

   value

Shahzad, et al.           Expires 11 July 2025                 [Page 26]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   It is the identifier of the endpoint application formated as UUID.
   It is same as the common attribute "$id" of the resource
   "endpointApp".  It is read/write, required, case insensitive and
   returned by default.

   $ref

   It is the reference to the respective endpointApp resource object
   stored in the SCIM server.  It is readOnly, required, case sensitive
   and returned by default.

   +====================+=====+===+=======+=========+========+========+
   | Attribute          |Multi|Req| Case  | Mutable | Return | Unique |
   |                    |Value|   | Exact |         |        |        |
   +====================+=====+===+=======+=========+========+========+
   | devContEntEndpoint |F    |T  | T     | R       | Def    | Ent    |
   +--------------------+-----+---+-------+---------+--------+--------+
   | telEntEndpoint     |F    |F  | T     | R       | Def    | Ent    |
   +--------------------+-----+---+-------+---------+--------+--------+
   | applications       |T    |T  | F     | RW      | Def    | None   |
   +--------------------+-----+---+-------+---------+--------+--------+
   | value              |F    |T  | F     | RW      | Def    | None   |
   +--------------------+-----+---+-------+---------+--------+--------+
   | $ref               |F    |T  | F     | R       | Def    | None   |
   +--------------------+-----+---+-------+---------+--------+--------+

       Table 8: Characteristics of EndpointAppsExt extension schema
           attributes.  DevContEntEndpoint represents attribute
      deviceControlEnterpriseEndpoint and telEntEndpoint represents
       telemetryEnterpriseEndpoint.  (Req = Required, T = True, F =
     False, R = ReadOnly, RW = ReadWrite, Ent = Enterprise, and Def =
                                Default).

   An example of a device object with endpointAppsExt extension is
   below:

   <CODE BEGINS>
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
        "urn:ietf:params:scim:schemas:extension:ble:2.0:Device",
        "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0
           :Device"],
     "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
     "displayName": "BLE Heart Monitor",
     "active": true,
     "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
       "versionSupport": ["5.3"],
       "deviceMacAddress": "2C:54:91:88:C9:E2",

Shahzad, et al.           Expires 11 July 2025                 [Page 27]
Internet-Draft        SCIM Device Schema Extensions         January 2025

       "isRandom": false,
       "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77
          :22:12"],
       "mobility": false,
       "pairingMethods": [
           "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0
              :Device"],
       "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0
          :Device" : {
         "key": 123456
       }
     },
     "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0
        :Device": {
       "applications": [
         {
           "value" : "e9e30dba-f08f-4109-8486-d5c6a3316212",
           "$ref" : "https://example.com/v2/EndpointApp/e9e30dba-f08f
              -4109-8486-d5c6a3316212"
         },
         {
           "value" : "e9e30dba-f08f-4109-8486-d5c6a3316333",
           "$ref" : "https://example.com/v2/EndpointApp/e9e30dba-f08f
              -4109-8486-d5c6a3316333"
         }
       ],
         "deviceControlEnterpriseEndpoint": "https
            ://example.com/device_control_app_endpoint/",
         "telemetryEnterpriseEndpoint": "https
            ://example.com/telemetry_app_endpoint/"
     },
     "meta": {
       "resourceType": "Device",
         "created": "2022-01-23T04:56:22Z",
       "lastModified": "2022-05-13T04:42:34Z",
       "version": "W\/\"a330bc54f0671c9\"",
       "location": "https://example.com/v2/Device/e9e30dba-f08f-4109
          -8486-d5c6a3316111"
     }
   }
   <CODE ENDS>

   The schema for the endpointAppsExt extension along with BLE extension
   is presented in JSON format in Section Section 8.9, while the openAPI
   representation is provided in Section Appendix B.8.

8.  Schema JSON Representation

Shahzad, et al.           Expires 11 July 2025                 [Page 28]
Internet-Draft        SCIM Device Schema Extensions         January 2025

8.1.  Resource Schema

   <CODE BEGINS>
   [
     {
       "schemas": ["urn:ietf:params:scim:schemas:core:2.0
          :ResourceType"],
       "id": "Device",
       "name": "Device",
       "endpoint": "/Devices",
       "description": "Device Account",
       "schema": "urn:ietf:params:scim:schemas:core:2.0:Device",
       "meta": {
         "location": "https://example.com/v2/ResourceTypes/Device",
         "resourceType": "ResourceType"
       }
     },
     {
       "schemas": ["urn:ietf:params:scim:schemas:core:2.0
          :ResourceType"],
       "id": "EndpointApp",
       "name": "EndpointApp",
       "endpoint": "/EndpointApp",
       "description": "Endpoint application such as device control and
           telemetry.",
       "schema": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp",
       "meta": {
         "location": "https
            ://example.com/v2/ResourceTypes/EndpointApp",
         "resourceType": "ResourceType"
       }
     }
   ]
   <CODE ENDS>

8.2.  Device Core Schema JSON

   <CODE BEGINS>
   {
     "id": "urn:ietf:params:scim:schemas:core:2.0:Device",
     "name": "Device",
     "description": "Device account",
     "attributes" : [
       {
         "name": "displayName",
         "type": "string",
         "description": "Human readable name of the device, suitable
             for displaying to end-users. For example, 'BLE Heart

Shahzad, et al.           Expires 11 July 2025                 [Page 29]
Internet-Draft        SCIM Device Schema Extensions         January 2025

             Monitor' etc.",
         "multivalues": false,
         "required": false,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       },
       {
         "name": "active",
         "type": "boolean",
         "description": "A mutable boolean value indicating the device
             administrative status. If set TRUE, the commands (such as
             connect, disconnect, subscribe) that control app sends to
             the controller for the devices will be processeed by the
             controller. If set FALSE, any command comming from the
             control app for the device will be rejected by the
             controller.",
         "multivalues": false,
         "required": true,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       },
       {
         "name": "mudUrl",
         "type": "reference",
         "description": "A URL to MUD file of the device (RFC 8520).",
         "multivalues": false,
         "required": false,
         "caseExact": true,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       }
     ],
     "meta" : {
       "resourceType" : "Schema",
       "location" :
         "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device"
     }
   }
   <CODE ENDS>

8.3.  EndpointApp Schema JSON

Shahzad, et al.           Expires 11 July 2025                 [Page 30]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   {
     "id": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp",
     "name": "EndpointApp",
     "description": "Endpoint application and their credentials",
     "attributes" : [
       {
         "name": "applicationType",
         "type": "string",
         "description": "This attribute will only contain two values;
             'deviceControl' or 'telemetry'.",
         "multivalues": false,
         "required": true,
         "caseExact": false,
         "mutability": "readOnly",
         "returned": "default",
         "uniqueness": "none"
       },
       {
         "name": "applicationName",
         "type": "string",
         "description": "Human readable name of the application.",
         "multivalues": false,
         "required": true,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       },
       {
         "name": "certificateInfo",
         "type": "complex",
         "description": "Contains x509 certificate's subject name and
             root CA information associated with the device control or
             telemetry app.",
         "multivalues": false,
         "required": false,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none",
         "subAttributes" : [
           {
             "name" : "rootCA",
             "type" : "string",
             "description" : "The base64 encoding of the DER encoding
                 of the CA certificate",
             "multiValued" : false,

Shahzad, et al.           Expires 11 July 2025                 [Page 31]
Internet-Draft        SCIM Device Schema Extensions         January 2025

             "required" : false,
             "caseExact" : true,
             "mutability" : "readWrite",
             "returned" : "default",
             "uniqueness" : "none"
           },
           {
             "name" : "subjectName",
             "type" : "string",
             "description" : "A Common Name (CN) of the form of CN =
                 dnsName",
             "multiValued" : false,
             "required" : true,
             "caseExact" : true,
             "mutability" : "readWrite",
             "returned" : "default",
             "uniqueness" : "none"
           }
         ]
       },
       {
         "name": "clientToken",
         "type": "string",
         "description": "This attribute contains a token that the
             client will use to authenticate itself.  Each token may
             be a string up to 500 characters in length.",
         "multivalues": false,
         "required": false,
         "caseExact": true,
         "mutability": "readOnly",
         "returned": "default",
         "uniqueness": "none"
       }
     ],
     "meta" : {
       "resourceType" : "Schema",
       "location" :
         "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device"
     }
   }
   <CODE ENDS>

8.4.  BLE Extension Schema JSON

Shahzad, et al.           Expires 11 July 2025                 [Page 32]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   [
     {
       "id": "urn:ietf:params:scim:schemas:extension:ble:2.0:Device",
       "name": "bleExtension",
       "description": "Ble extension for device account",
       "attributes" : [
         {
           "name": "versionSupport",
           "type": "string",
           "description": "Provides a list of all the BLE versions
               supported by the device. For example, [4.1, 4.2, 5.0,
               5.1, 5.2, 5.3].",
           "multivalues": true,
           "required": true,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         },
         {
           "name": "deviceMacAddress",
           "type": "string",
           "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
           "description": "A unique public MAC address assigned by the
               manufacturer.",
           "multivalues": false,
           "required": true,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "Manufacturer"
         },
         {
           "name": "isRandom",
           "type": "boolean",
             "description": "The isRandom flag is taken from the BLE
                 core specifications 5.3. If TRUE, device is using a
                 random address.  Default value is false.",
           "multivalues": false,
           "required": false,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         },
         {
           "name": "separateBroadcastAddress",

Shahzad, et al.           Expires 11 July 2025                 [Page 33]
Internet-Draft        SCIM Device Schema Extensions         January 2025

           "type": "string",
           "description": "When present, this address is used for
               broadcasts/advertisements.  This value MUST NOT be set
               when an IRK is provided.  Its form is the same as
               deviceMa`cAddress.",
           "multivalues": true,
           "required": false,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         },
         {
           "name": "irk",
           "type": "string",
           "description": "Identity resolving key, which is unique for
               every device. It is used to resolve random address.
               This value MUST NOT be set when
               separateBroadcastAddress is set.",
           "multivalues": false,
           "required": false,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "Manufacturer"
         },
         {
           "name": "mobility",
           "type": "bool",
           "description": "If set to True, the BLE device will
               automatically connect to the closest AP. For example,
               BLE device is connected with AP-1 and moves out of
               range but comes in range of AP-2, it will be
               disconnected with AP-1 and connects with AP-2.",
           "multivalues": false,
           "required": false,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         },
         {
           "name": "pairingMethods",
           "type": "string",
           "description": "List of pairing methods associated with the
               ble device, stored as schema URI.",
           "multivalues": true,
           "required": true,

Shahzad, et al.           Expires 11 July 2025                 [Page 34]
Internet-Draft        SCIM Device Schema Extensions         January 2025

           "caseExact": true,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         }
       ],
       "meta" : {
         "resourceType" : "Schema",
         "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
            :extension:ble:2.0:Device"
       }
     },
     {
       "id": "urn:ietf:params:scim:schemas:extension:pairingNull:2.0
          :Device",
       "name": "nullPairing",
       "description": "Null pairing method for ble. It is included for
           the devices that do not have a pairing method.",
       "meta" : {
         "resourceType" : "Schema",
         "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
            :extension:pairingNull:2.0:Device"
       }
     },
     {
       "id": "urn:ietf:params:scim:schemas:extension:pairingJustWorks
          :2.0:Device",
       "name": "pairingJustWorks",
       "description": "Just works pairing method for ble.",
       "attributes" : [
         {
           "name": "key",
           "type": "integer",
           "description": "Just works does not have any key value. For
               completeness, it is added with a key value 'null'.",
           "multivalues": false,
           "required": true,
           "caseExact": false,
           "mutability": "immutable",
           "returned": "default",
           "uniqueness": "none"
         }
       ],
       "meta" : {
         "resourceType" : "Schema",
         "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
            :extension:pairingJustWorks:2.0:Device"
       }

Shahzad, et al.           Expires 11 July 2025                 [Page 35]
Internet-Draft        SCIM Device Schema Extensions         January 2025

     },
     {
       "id": "urn:ietf:params:scim:schemas:extension:pairingPassKey
          :2.0:Device",
       "name": "pairingPassKey",
       "description": "Pass key pairing method for ble.",
       "attributes" : [
         {
           "name": "key",
           "type": "integer",
           "description": "A six digit passkey for ble device. The
               pattern of key is ^[0-9]{6}$.",
           "multivalues": false,
           "required": true,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         }
       ],
       "meta" : {
         "resourceType" : "Schema",
         "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
            :extension:pairingPassKey:2.0:Device"
       }
     },
     {
       "id": "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0
          :Device",
       "name": "pairingOOB",
       "description": "Pass key pairing method for ble.",
       "attributes" : [
         {
           "name": "key",
           "type": "string",
           "description": "A key value retrieved from out of band
               source such as NFC.",
           "multivalues": false,
           "required": true,
           "caseExact": true,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         },
         {
           "name": "randomNumber",
           "type": "integer",
           "description": "Nonce added to the key.",

Shahzad, et al.           Expires 11 July 2025                 [Page 36]
Internet-Draft        SCIM Device Schema Extensions         January 2025

           "multivalues": false,
           "required": true,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         },
         {
           "name": "confirmationNumber",
           "type": "integer",
           "description": "Some solutions require confirmation number
               in RESTful message exchange.",
           "multivalues": false,
           "required": false,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         }
       ],
       "meta" : {
         "resourceType" : "Schema",
         "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
            :extension:pairingOOB:2.0:Device"
       }
     }
   ]
   <CODE ENDS>

8.5.  DPP Extension Schema JSON

   <CODE BEGINS>
   {
       "id": "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device",
       "name": "dppExtension",
       "description": "Device extension schema for Wi-Fi Easy Connect
           / Device Provisioning Protocol (DPP)",
       "attributes" : [
         {
           "name": "dppVersion",
           "type": "integer",
           "description": "Version of DPP this device supports.",
           "multivalues": false,
           "required": true,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"

Shahzad, et al.           Expires 11 July 2025                 [Page 37]
Internet-Draft        SCIM Device Schema Extensions         January 2025

         },
         {
           "name": "bootstrappingMethod",
           "type": "string",
           "description": "The list of all the bootstrapping methods
               available on the enrollee device. For example, [QR,
               NFC].",
           "multivalues": true,
           "required": false,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         },
         {
           "name": "bootstrapKey",
           "type": "string",
           "description": "This key is Elliptic-Curve Diffie–Hellman
              (ECDH) public key. The base64 encoded length for P-256,
               P-384, and P-521 is 80, 96, and 120 characters.",
           "multivalues": false,
           "required": true,
           "caseExact": true,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         },
         {
           "name": "deviceMacAddress",
           "type": "string",
           "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
           "description": "A unique public MAC address assigned by the
               manufacturer.",
           "multivalues": false,
           "required": false,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "Manufacturer"
         },
         {
           "name": "classChannel",
           "type": "string",
           "description": "A list of global operating class and
               channel shared as bootstrapping information. It is
               formatted as class/channel. For example, '81/1',
               '115/36'.",
           "multivalues": true,

Shahzad, et al.           Expires 11 July 2025                 [Page 38]
Internet-Draft        SCIM Device Schema Extensions         January 2025

           "required": false,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         },
         {
           "name": "serialNumber",
           "type": "string",
           "description": "An alphanumeric serial number that may also
               be passed as bootstrapping information.",
           "multivalues": false,
           "required": false,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "none"
         }

       ],
       "meta" : {
         "resourceType" : "Schema",
         "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
            :extension:dpp:2.0:Device"
       }
     }
   <CODE ENDS>

8.6.  Ethernet MAB Extension Schema JSON

Shahzad, et al.           Expires 11 July 2025                 [Page 39]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   {
     "id": "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0
        :Device",
     "name": "ethernetMabExtension",
     "description": "Device extension schema for MAC authentication
         Bypass.",
     "attributes" : [
         {
           "name": "deviceMacAddress",
           "type": "string",
           "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
           "description": "A MAC address assigned by the manufacturer",
           "multivalues": false,
           "required": true,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "Manufacturer"
         }
     ],
     "meta" : {
       "resourceType" : "Schema",
       "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
          :extension:ethernet-mab:2.0:Device"
     }
   }
   <CODE ENDS>

8.7.  FDO Extension Schema JSON

Shahzad, et al.           Expires 11 July 2025                 [Page 40]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   {
     "id": "urn:ietf:params:scim:schemas:extension:fido-device-onboard
        :2.0:Devices",
     "name": "FDOExtension",
     "description": "Device extension schema for FIDO Device Onboard
        (FDO).",
     "attributes" : [
         {
           "name": "fdoVoucher",
           "type": "string",
           "description": "A voucher as defined in the FDO
               specification",
           "multivalues": false,
           "required": true,
           "caseExact": false,
           "mutability": "readWrite",
           "returned": "default",
           "uniqueness": "Manufacturer"
         }
     ],
     "meta" : {
       "resourceType" : "Schema",
       "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
          :extension:fido-device-onboard:2.0:Devices"
     }
   }
   <CODE ENDS>

8.8.  Zigbee Extension Schema JSON

Shahzad, et al.           Expires 11 July 2025                 [Page 41]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   {
     "id": "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device",
     "name": "zigbeeExtension",
     "description": "Device extension schema for zigbee.",
     "attributes" : [
       {
         "name": "versionSupport",
         "type": "string",
         "description": "Provides a list of all the zigbee versions
             supported by the device. For example, [3.0].",
         "multivalues": true,
         "required": true,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       },
       {
         "name": "deviceEui64Address",
         "type": "string",
         "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){7}$",
         "description": "The EUI-64 (Extended Unique Identifier)
             device address.",
         "multivalues": false,
         "required": true,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none"
       }
     ],
     "meta" : {
       "resourceType" : "Schema",
       "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
          :extension:zigbee:2.0:Device"
     }
   }
   <CODE ENDS>

8.9.  EndpointAppsExt JSON Extension Schema

   <CODE BEGINS>
   {
     "id": "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0
        :Device",
     "name": "endpointAppsExt",
     "description": "Extension for partner endpoint applications that

Shahzad, et al.           Expires 11 July 2025                 [Page 42]
Internet-Draft        SCIM Device Schema Extensions         January 2025

         can onboard, control, and communicate with the device.",
     "attributes" : [
       {
         "name": "applications",
         "type": "complex",
         "description": "Includes references to two types of
             application that connect with entrprise, i.e.,
             deviceControl and telemetry.",
         "multivalues": true,
         "required": true,
         "caseExact": false,
         "mutability": "readWrite",
         "returned": "default",
         "uniqueness": "none",
         "subAttributes" : [
           {
             "name" : "value",
             "type" : "string",
             "description" : "The identifier of the endpointApp.",
             "multiValued" : false,
             "required" : true,
             "caseExact" : false,
             "mutability" : "readWrite",
             "returned" : "default",
             "uniqueness" : "none"
           },
           {
             "name" : "$ref",
             "type" : "reference",
             "referenceTypes" : "EndpointApps",
             "description" : "The URI of the corresponding
                 'EndpointApp' resource which will control or obtain
                 data from the device.",
             "multiValued" : false,
             "required" : false,
             "caseExact" : true,
             "mutability" : "readOnly",
             "returned" : "default",
             "uniqueness" : "none"
           }
         ]
       },
       {
         "name": "deviceControlEnterpriseEndpoint",
         "type": "reference",
         "description": "The URL of the enterprise endpoint which
             device control apps use to reach enterprise network
             gateway.",

Shahzad, et al.           Expires 11 July 2025                 [Page 43]
Internet-Draft        SCIM Device Schema Extensions         January 2025

         "multivalues": false,
         "required": true,
         "caseExact": true,
         "mutability": "readOnly",
         "returned": "default",
         "uniqueness": "Enterprise"
       },
       {
         "name": "telemetryEnterpriseEndpoint",
         "type": "reference",
         "description": "The URL of the enterprise endpoint which
             telemetry apps use to reach enterprise network gateway.",
         "multivalues": false,
         "required": false,
         "caseExact": true,
         "mutability": "readOnly",
         "returned": "default",
         "uniqueness": "Enterprise"
       }
     ],
     "meta" : {
       "resourceType" : "Schema",
       "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
          :extension:endpointAppsExt:2.0:Device"
     }
   }
   <CODE ENDS>

8.10.  Representation of Schema

   The following is the JSON representation of the Schema.  Implementors
   MUST NOT vary from the schema definitions in their implementations.
   They may choose not to implement a particular extension, but if they
   do, they MUST implement all mandatory elements, and they must
   implement optional elements as specified.

   <CODE BEGINS>
   {
     "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema",
     "name" : "Schema",
     "description" : "Specifies the schema that describes a SCIM
         schema",
     "attributes" : [
       {
         "name" : "id",
         "type" : "string",
         "multiValued" : false,
         "description" : "The unique URI of the schema. When

Shahzad, et al.           Expires 11 July 2025                 [Page 44]
Internet-Draft        SCIM Device Schema Extensions         January 2025

             applicable, service providers MUST specify the URI.",
         "required" : true,
         "caseExact" : false,
         "mutability" : "readOnly",
         "returned" : "default",
         "uniqueness" : "none"
       },
       {
         "name" : "name",
         "type" : "string",
         "multiValued" : false,
         "description" : "The schema's human-readable name.  When
             applicable, service providers MUST specify the name,
             e.g., 'Device'.",
         "required" : true,
         "caseExact" : false,
         "mutability" : "readOnly",
         "returned" : "default",
         "uniqueness" : "none"
       },
       {
         "name" : "description",
         "type" : "string",
         "multiValued" : false,
         "description" : "Human-readable description of the schema,
             e.g., 'Device account'.",
         "required" : false,
         "caseExact" : false,
         "mutability" : "readOnly",
         "returned" : "default",
         "uniqueness" : "none"
       },
       {
         "name" : "attributes",
         "type" : "complex",
         "multiValued" : true,
         "description" : "A complex attribute that includes the
             attributes of a schema.",
         "required" : true,
         "mutability" : "readOnly",
         "returned" : "default",
         "subAttributes" : [
           {
             "name" : "name",
             "type" : "string",
             "multiValued" : false,
             "description" : "The attribute's name, e.g.,
                 'displayName'.",

Shahzad, et al.           Expires 11 July 2025                 [Page 45]
Internet-Draft        SCIM Device Schema Extensions         January 2025

             "required" : true,
             "caseExact" : true,
             "mutability" : "readOnly",
             "returned" : "default",
             "uniqueness" : "none"
           },
           {
             "name" : "type",
             "type" : "string",
             "multiValued" : false,
             "description" : "The attribute's data type. Valid values
                 include 'string', 'complex', 'boolean', 'decimal',
                 'integer', 'dateTime', 'reference'.",
             "required" : true,
             "caseExact" : false,
             "mutability" : "readOnly",
             "returned" : "default",
             "uniqueness" : "none",
             "canonicalValues" : [
               "string",
               "complex",
               "boolean",
               "decimal",
               "integer",
               "dateTime",
               "reference"
             ]
           },
           {
             "name" : "multiValued",
             "type" : "boolean",
             "multiValued" : false,
             "description" : "A Boolean value indicating an
                 attribute's plurality.",
             "required" : true,
             "mutability" : "readOnly",
             "returned" : "default"
           },
           {
             "name" : "description",
             "type" : "string",
             "multiValued" : false,
             "description" : "A human-readable description of the
                 attribute.",
             "required" : true,
             "caseExact" : false,
             "mutability" : "readOnly",
             "returned" : "default",

Shahzad, et al.           Expires 11 July 2025                 [Page 46]
Internet-Draft        SCIM Device Schema Extensions         January 2025

             "uniqueness" : "none"
           },
           {
             "name" : "required",
             "type" : "boolean",
             "multiValued" : false,
             "description" : "A boolean value indicating whether or
               not the attribute is required.",
             "required" : true,
             "mutability" : "readOnly",
             "returned" : "default"
           },
           {
             "name" : "canonicalValues",
             "type" : "string",
             "multiValued" : true,
             "description" : "A collection of canonical values.  When
                 applicable, service providers MUST specify the
                 canonical types, e.g., mutability of an attribute,
                 return type, uniqueness.",
             "required" : false,
             "caseExact" : true,
             "mutability" : "readOnly",
             "returned" : "default",
             "uniqueness" : "none"
           },
           {
             "name" : "caseExact",
             "type" : "boolean",
             "multiValued" : false,
             "description" : "A Boolean value indicating whether or
                 not a string attribute is case sensitive.",
             "required" : false,
             "mutability" : "readOnly",
             "returned" : "default"
           },
            {
             "name" : "mutability",
             "type" : "string",
             "multiValued" : false,
             "description" : "Indicates whether or not an attribute is
                 modifiable.",
             "required" : false,
             "caseExact" : true,
             "mutability" : "readOnly",
             "returned" : "default",
             "uniqueness" : "none",
             "canonicalValues" : [

Shahzad, et al.           Expires 11 July 2025                 [Page 47]
Internet-Draft        SCIM Device Schema Extensions         January 2025

               "readOnly",
               "readWrite",
               "immutable",
               "writeOnly"
             ]
           },
           {
             "name" : "returned",
             "type" : "string",
             "multiValued" : false,
             "description" : "Indicates when an attribute is returned
                 in a response (e.g., to a query).",
             "required" : false,
             "caseExact" : true,
             "mutability" : "readOnly",
             "returned" : "default",
             "uniqueness" : "none",
             "canonicalValues" : [
               "always",
               "never",
               "default",
               "request"
             ]
           },
           {
             "name" : "uniqueness",
             "type" : "string",
             "multiValued" : false,
             "description" : "Indicates how unique a value must be.",
             "required" : false,
             "caseExact" : true,
             "mutability" : "readOnly",
             "returned" : "default",
             "uniqueness" : "none",
             "canonicalValues" : [
               "none",
               "Enterprise",
               "Manufacturer"
             ]
           },
           {
             "name" : "referenceTypes",
             "type" : "string",
             "multiValued" : false,
             "description" : "Used only with an attribute of type
                 'reference'.  Specifies a SCIM resourceType that a
                 reference attribute MAY refer to, e.g.,
                 'EndpointApp'.",

Shahzad, et al.           Expires 11 July 2025                 [Page 48]
Internet-Draft        SCIM Device Schema Extensions         January 2025

             "required" : false,
             "caseExact" : true,
             "mutability" : "readOnly",
             "returned" : "default",
             "uniqueness" : "none"
           },
           {
             "name" : "subAttributes",
             "type" : "complex",
             "multiValued" : true,
             "description" : "Used to define the sub-attributes of a
                 complex attribute.",
             "required" : false,
             "mutability" : "readOnly",
             "returned" : "default",
             "subAttributes" : [
               {
                 "name" : "name",
                 "type" : "string",
                 "multiValued" : false,
                 "description" : "The attribute's name.",
                 "required" : true,
                 "caseExact" : true,
                 "mutability" : "readOnly",
                 "returned" : "default",
                 "uniqueness" : "none"
               },
               {
                 "name" : "type",
                 "type" : "string",
                 "multiValued" : false,
                 "description" : "The attribute's data type. Valid
                     values include 'string', 'complex', 'boolean',
                     'decimal', 'integer', 'dateTime', 'reference'.",
                 "required" : true,
                 "caseExact" : false,
                 "mutability" : "readOnly",
                 "returned" : "default",
                 "uniqueness" : "none",
                 "canonicalValues" : [
                   "string",
                   "complex",
                   "boolean",
                   "decimal",
                   "integer",
                   "dateTime",
                   "reference"
                 ]

Shahzad, et al.           Expires 11 July 2025                 [Page 49]
Internet-Draft        SCIM Device Schema Extensions         January 2025

               },
               {
                 "name" : "multiValued",
                 "type" : "boolean",
                 "multiValued" : false,
                 "description" : "A Boolean value indicating an
                     attribute's plurality.",
                 "required" : true,
                 "mutability" : "readOnly",
                 "returned" : "default"
               },
               {
                 "name" : "description",
                 "type" : "string",
                 "multiValued" : false,
                 "description" : "A human-readable description of the
                     attribute.",
                 "required" : true,
                 "caseExact" : false,
                 "mutability" : "readOnly",
                 "returned" : "default",
                 "uniqueness" : "none"
               },
               {
                 "name" : "required",
                 "type" : "boolean",
                 "multiValued" : false,
                 "description" : "A boolean value indicating whether
                     or not the attribute is required.",
                 "required" : true,
                 "mutability" : "readOnly",
                 "returned" : "default"
               },
               {
                 "name" : "canonicalValues",
                 "type" : "string",
                 "multiValued" : true,
                 "description" : "A collection of canonical values.
                     When applicable, service providers MUST specify
                     the canonical types, e.g., mutability of an
                     attribute, return type, uniqueness.",
                 "required" : false,
                 "caseExact" : true,
                 "mutability" : "readOnly",
                 "returned" : "default",
                 "uniqueness" : "none"
               },
               {

Shahzad, et al.           Expires 11 July 2025                 [Page 50]
Internet-Draft        SCIM Device Schema Extensions         January 2025

                 "name" : "caseExact",
                 "type" : "boolean",
                 "multiValued" : false,
                 "description" : "A Boolean value indicating whether
                     or not a string attribute is case sensitive.",
                 "required" : false,
                 "mutability" : "readOnly",
                 "returned" : "default"
               },
               {
                 "name" : "mutability",
                 "type" : "string",
                 "multiValued" : false,
                 "description" : "Indicates whether or not an
                     attribute is modifiable.",
                 "required" : false,
                 "caseExact" : true,
                 "mutability" : "readOnly",
                 "returned" : "default",
                 "uniqueness" : "none",
                 "canonicalValues" : [
                   "readOnly",
                   "readWrite",
                   "immutable",
                   "writeOnly"
                 ]
               },
               {
                 "name" : "returned",
                 "type" : "string",
                 "multiValued" : false,
                 "description" : "Indicates when an attribute is
                     returned in a response (e.g., to a query).",
                 "required" : false,
                 "caseExact" : true,
                 "mutability" : "readOnly",
                 "returned" : "default",
                 "uniqueness" : "none",
                 "canonicalValues" : [
                   "always",
                   "never",
                   "default",
                   "request"
                 ]
               },
               {
                 "name" : "uniqueness",
                 "type" : "string",

Shahzad, et al.           Expires 11 July 2025                 [Page 51]
Internet-Draft        SCIM Device Schema Extensions         January 2025

                 "multiValued" : false,
                 "description" : "Indicates how unique a value must
                     be.",
                 "required" : false,
                 "caseExact" : true,
                 "mutability" : "readOnly",
                 "returned" : "default",
                 "uniqueness" : "none",
                 "canonicalValues" : [
                   "none",
                   "Enterprise",
                   "Manufacturer"
                 ]
               },
               {
                 "name" : "referenceTypes",
                 "type" : "string",
                 "multiValued" : false,
                 "description" : "Used only with an attribute of type
                     'reference'.  Specifies a SCIM resourceType that
                     a reference attribute MAY refer to, e.g.,
                     'EndpointApp'.",
                 "required" : false,
                 "caseExact" : true,
                 "mutability" : "readOnly",
                 "returned" : "default",
                 "uniqueness" : "none"
               }
             ]
           }
         ]
       }
     ]
   }
   <CODE ENDS>

9.  Security Considerations

   Because provisioning operations are sensitive, each client must be
   appropriately authenticated.  Certain objects may be read-only or not
   visible based on who is connected.

9.1.  SCIM operations

   An attacker that has authenticated to a trusted SCIM client could
   manipulate portions of the SCIM database.  To be clear on the risks,
   we discuss each operation below:

Shahzad, et al.           Expires 11 July 2025                 [Page 52]
Internet-Draft        SCIM Device Schema Extensions         January 2025

9.1.1.  Object Creation

   Object creation in this framework grants a device access to the
   infrastructure and will to a greater or lesser extent grant the
   infrastructure access to the device.  When IP-layer access is
   provisioned, then the access will be at the IP layer.  For non-IP
   layer access, such as provisioning of BLE devices, the access may be
   to the entire device.  The explicit grant is made when the
   credentials of the device are shared with the SCIM server.

9.2.  Object Deletion

   Once granted, even if the object is removed, the server may or may
   not act on that removal.  The deletion of the object is a signal of
   intent by the application that it no longer expects the device to be
   on the network.  It is strictly up to the SCIM server and its back
   end policy to decide whether or not to revoke access to the
   infrastructure.  Any access grant by the device must be separately
   handled.

9.3.  Read operations

   Read operations are necessary in order for an application to sync its
   state to know what devices it is expected to manage.  An attacker
   with access to SCIM objects may gain access to the devices
   themselves.  To prevent one SCIM client from interfering with devices
   that it has no business managing, only clients that have created
   objects or those they authorize SHOULD have the ability to read those
   objects.

9.4.  Update Operations

   Update operations may be necessary if a device has been modified in
   some way.  Attackers with update access may be able to disable
   network access to devices or device access to networks.  To avoid
   this, the same access control policy for read operations is
   RECOMMENDED here.

9.5.  Higher level protection for certain systems

   Devices provisioned with this model may be completely controlled by
   the administrator of the SCIM server, depending on how those systems
   are defined.  For instance, if BLE passkeys are provided, the device
   can be connected to, and perhaps paired with.  Any additional
   security must be provided at higher application layers.  For example,
   if client applications wish to keep private information to and from
   the device, they should encrypt that information over-the-top.

Shahzad, et al.           Expires 11 July 2025                 [Page 53]
Internet-Draft        SCIM Device Schema Extensions         January 2025

9.6.  Logging

   An attacker could learn what devices are on a network by examining
   SCIM logs.  Due to the sensitive nature of SCIM operations, logs
   SHOILD be encrypted both on the disk and in transit.

10.  IANA Considerations

10.1.  New Schemas

   The IANA is requested to add the following additions to the "SCIM
   Schema URIs for Data Resources" registry as follows:

     +====================================+=============+============+
     | URN                                | Name        | Reference  |
     +====================================+=============+============+
     | urn:ietf:params:scim:schemas:core: | Core Device | This memo, |
     | 2.0:Device                         | Schema      | Section 3  |
     +------------------------------------+-------------+------------+
     | urn:ietf:params:scim:schemas:core: | Endpoint    | This memo, |
     | 2.0:EndpointApp                    | Application | Section 6  |
     +------------------------------------+-------------+------------+

                                  Table 9

   Note that the line break in URNs should be removed, as should this
   comment.

10.2.  Device Schema Extensions

   IANA is requested to create a separate table for Device Schema
   Extensions, as described in Section 7, with the following columns:

   *  schemaExtensionURI

   *  Short Description

   *  Reference

   The policy for entries into this table shall be and "Specification
   Required", as specified in [RFC8126].  Designated experts shall check
   that each schema is produced in the format described in [RFC7643],
   and that the semantics of the schema are clear and unambiguous.  It
   is also RECOMMENDED that schemas be made available in OpenAPI.

   The initial table entries shall be as follows:

Shahzad, et al.           Expires 11 July 2025                 [Page 54]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   +=========================================+=============+===========+
   | URN                                     | Description |Reference  |
   +=========================================+=============+===========+
   | urn:ietf:params:scim:schemas:extension: | BLE         |This memo, |
   | ble:2.0:Device                          | Extension   |Section    |
   |                                         |             |7.1        |
   +-----------------------------------------+-------------+-----------+
   | urn:ietf:params:scim:schemas:extension: | Ethernet    |This memo, |
   | ethernet-mab:2.0:Device                 | MAB         |Section    |
   |                                         |             |7.3        |
   +-----------------------------------------+-------------+-----------+
   | urn:ietf:params:scim:schemas:extension: | FIDO Device |This memo, |
   | fido-device-onboard:2.0:Device          | Onboard     |Section    |
   |                                         |             |7.4        |
   +-----------------------------------------+-------------+-----------+
   | urn:ietf:params:scim:schemas:extension: | Wi-fi Easy  |This memo, |
   | dpp:2.0:Device                          | Connect     |Section    |
   |                                         |             |7.2        |
   +-----------------------------------------+-------------+-----------+
   | urn:ietf:params:scim:schemas:extension: | Application |This memo, |
   | endpointAppsExt:2.0:Device              | Endpoint    |Section    |
   |                                         | Extension   |7.1.3      |
   +-----------------------------------------+-------------+-----------+
   | urn:ietf:params:scim:schemas:extension: | Just Works  |This memo, |
   | pairingJustWorks:2.0:Device             | Auth BLE    |Section    |
   |                                         |             |7.1.3      |
   +-----------------------------------------+-------------+-----------+
   | urn:ietf:params:scim:schemas:extension: | Out of Band |This memo, |
   | pairingOOB:2.0:Device                   | Pairing for |Section    |
   |                                         | BLE         |7.1.3      |
   +-----------------------------------------+-------------+-----------+
   | urn:ietf:params:scim:schemas:extension: | Passkey     |This memo, |
   | pairingPassKey:2.0:Device               | Pairing for |Section    |
   |                                         | BLE         |7.1.3      |
   +-----------------------------------------+-------------+-----------+

                                  Table 10

11.  Acknowledgments

   The authors would like to thank Bart Brinckman, Rohit Mohan, Lars
   Streubesand, Christian Amsüss, Jason Livingwood, Mike Ounsworth,
   Monty Wiseman, Geoffrey Cooper, and Phil Hunt for their reviews.

12.  References

12.1.  Normative References

Shahzad, et al.           Expires 11 July 2025                 [Page 55]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   [BLE54]    Bluetooth SIG, "Bluetooth Core Specification, Version
              5.4", 2023.

   [DPP2]     Wi-Fi Alliance, "Wi-Fi Easy Connect Specification, Version
              2.0", 2020.

   [FDO11]    FIDO Alliance, "FIDO Device Onboard Specification 1.1",
              April 2022.

   [I-D.bhutton-json-schema]
              Wright, A., Andrews, H., Hutton, B., and G. Dennis, "JSON
              Schema: A Media Type for Describing JSON Documents", Work
              in Progress, Internet-Draft, draft-bhutton-json-schema-01,
              10 June 2022, <https://datatracker.ietf.org/doc/html/
              draft-bhutton-json-schema-01>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [rfc4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/rfc/rfc4648>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/rfc/rfc5280>.

   [RFC7643]  Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C.
              Mortimore, "System for Cross-domain Identity Management:
              Core Schema", RFC 7643, DOI 10.17487/RFC7643, September
              2015, <https://www.rfc-editor.org/rfc/rfc7643>.

   [RFC7644]  Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
              and C. Mortimore, "System for Cross-domain Identity
              Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
              September 2015, <https://www.rfc-editor.org/rfc/rfc7644>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/rfc/rfc8126>.

Shahzad, et al.           Expires 11 July 2025                 [Page 56]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RFC8520]  Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
              Description Specification", RFC 8520,
              DOI 10.17487/RFC8520, March 2019,
              <https://www.rfc-editor.org/rfc/rfc8520>.

12.2.  Informative References

   [I-D.brinckman-nipc]
              Brinckman, B., Mohan, R., and B. Sanford, "An Application
              Layer Interface for Non-IP device control (NIPC)", Work in
              Progress, Internet-Draft, draft-brinckman-nipc-01, 21
              April 2024, <https://datatracker.ietf.org/doc/html/draft-
              brinckman-nipc-01>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/rfc/rfc6241>.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016,
              <https://www.rfc-editor.org/rfc/rfc7950>.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
              <https://www.rfc-editor.org/rfc/rfc8040>.

   [RFC8995]  Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
              and K. Watsen, "Bootstrapping Remote Secure Key
              Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995,
              May 2021, <https://www.rfc-editor.org/rfc/rfc8995>.

Appendix A.  Changes from Earlier Versions

   [RFC Editor to remove this section.]

   Draft -09: * last call comments, bump BLE version, add
   acknowledgments.  * Also, recapture Rohit comments and those of
   Christian.

   Drafts 04-08: * Lots of cleanup * Security review responses * Removal
   of a tab * Dealing with certificate stuff

Shahzad, et al.           Expires 11 July 2025                 [Page 57]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   Draft -03: * Add MAB, FDO * Some grammar improvements * fold OpenAPI
   * IANA considerations

   Draft -02: * Clean up examples * Move openapi to appendix Draft -01:

   *  Doh!  We forgot the core device scheme!

   Draft -00:

   *  Initial revision

Appendix B.  OpenAPI representation

   The following sections are provided for informational purposes.

B.1.  Device Core Schema OpenAPI Representation

   OpenAPI representation of device core schema is as follows:

   <CODE BEGINS>
   components:
     schemas:
       Device:
         title: Device
         description: Device account
         type: object
         properties:
           displayName:
             type: string
             description: "Human readable name of the device, suitable
                           for displaying to end-users. For example,
                          'BLE Heart Monitor' etc."
             nullable: true
             readOnly: false
             writeOnly: false
           active:
             type: boolean
             description: A mutable boolean value indicating the device
                          administrative status. If set TRUE, the
                          commands (such as connect, disconnect,
                          subscribe) that control app sends to the
                          controller for the devices will be processeed
                          by the controller.  If set FALSE, any command
                          comming from the control app for the device
                          will be rejected by the controller.
             nullable: false
             readOnly: false
             writeOnly: false

Shahzad, et al.           Expires 11 July 2025                 [Page 58]
Internet-Draft        SCIM Device Schema Extensions         January 2025

           mudUrl:
             type: string
             format: uri
             description: A URL to MUD file of the device (RFC 8520).
                 It
                          is added for future use. Current usage is not
                          defined yet.
             nullable: true
             readOnly: false
             writeOnly: false
         required:
           - active
         additionalProperties: false
         allOf:
           - $ref: '#/components/schemas/CommonAttributes'
       CommonAttributes:
         type: object
         properties:
           schemas:
             type: array
             items:
               type: string
               enum:
                 - urn:ietf:params:scim:schemas:core:2.0:Device
             description: The list of schemas that define the resource.
             nullable: false
           id:
             type: string
             format: uri
             description: The unique identifier for a resource.
             nullable: false
             readOnly: true
             writeOnly: false
           externalId:
             type: string
             description: An identifier for the resource that is
                 defined
                          by the provisioning client.
             nullable: true
             readOnly: false
             writeOnly: false
           meta:
             type: object
             readOnly: true
             properties:
               resourceType:
                 type: string
                 description: The name of the resource type of the

Shahzad, et al.           Expires 11 July 2025                 [Page 59]
Internet-Draft        SCIM Device Schema Extensions         January 2025

                              resource.
                 nullable: false
                 readOnly: true
                 writeOnly: false
               location:
                 type: string
                 format: uri
                 description: The URI of the resource being returned.
                 nullable: false
                 readOnly: true
                 writeOnly: false
               created:
                 type: string
                 format: date-time
                 description: The date and time the resource was added
                              to the service provider.
                 nullable: false
                 readOnly: true
                 writeOnly: false
               lastModified:
                 type: string
                 format: date-time
                 description: The most recent date and time that the
                              details of this resource were updated at
                              the service provider.
                 nullable: false
                 readOnly: true
                 writeOnly: false
               version:
                 type: string
                 description: The version of the resource.
                 nullable: true
                 readOnly: true
                 writeOnly: false
             additionalProperties: false
   <CODE ENDS>

B.2.  EndpointApp Schema OpenAPI Representation

   OpenAPI representation of endpointApp schema is as follows:

   <CODE BEGINS>
   components:
     schemas:
       EndpointApp:
         title: EndpointApp
         description: Endpoint application resource
         type: object

Shahzad, et al.           Expires 11 July 2025                 [Page 60]
Internet-Draft        SCIM Device Schema Extensions         January 2025

         properties:
           applicationType:
             type: string
             description: "This attribute will only contain two values;
                          'deviceControl' or 'telemetry'."
             nullable: false
             readOnly: false
             writeOnly: false

           applicationName:
             type: string
             description: Human readable name of the application.
             nullable: false
             readOnly: false
             writeOnly: false

         required:
           - applicationType
           - applicationName

         additionalProperties: true
         oneOf:
           - $ref: '#/components/schemas/clientToken'
           - $ref: '#/components/schemas/certificateInfo'

         allOf:
           - $ref: '#/components/schemas/CommonAttributes'

       clientToken:
         type: string
         description: "This attribute contains a token that the client
                       will use to authenticate itself. Each token may
                       be a string up to 500 characters in length."
         nullable: true
         readOnly: true
         writeOnly: false

       certificateInfo:
         type: object
         description: "Contains x509 certificate's subject name and
                       root CA information associated with the device
                       control or telemetry app."
         properties:
           rootCA:
             type: string
             description: "The base64 encoding of a trust anchor
                           certificate,as per RFC 4648 Section 4."
             nullable: false

Shahzad, et al.           Expires 11 July 2025                 [Page 61]
Internet-Draft        SCIM Device Schema Extensions         January 2025

             readOnly: false
             writeOnly: false

           subjectName:
             type: string
             description: "Also known as the Common Name (CN), the
                           Subject Name is a field in the X.509
                           certificate that identifies the primary
                           domain or IP address for which the
                           certificate is issued."
             nullable: false
             readOnly: false
             writeOnly: false

         required:
         - subjectName

       CommonAttributes:
         type: object
         properties:
           schemas:
             type: array
             items:
               type: string
               enum:
                 - urn:ietf:params:scim:schemas:core:2.0:EndpointApp
             description: The list of schemas that define the resource.
             nullable: false
           id:
             type: string
             format: uri
             description: The unique identifier for a resource.
             nullable: false
             readOnly: true
             writeOnly: false
           meta:
             type: object
             readOnly: true
             properties:
               resourceType:
                 type: string
                 description: The name of the resource type of the
                              resource.
                 nullable: false
                 readOnly: true
                 writeOnly: false
               location:
                 type: string

Shahzad, et al.           Expires 11 July 2025                 [Page 62]
Internet-Draft        SCIM Device Schema Extensions         January 2025

                 format: uri
                 description: The URI of the resource being returned.
                 nullable: false
                 readOnly: true
                 writeOnly: false
               created:
                 type: string
                 format: date-time
                 description: The date and time the resource was added
                              to the service provider.
                 nullable: false
                 readOnly: true
                 writeOnly: false
               lastModified:
                 type: string
                 format: date-time
                 description: The most recent date and time that the
                              details of this resource were updated at
                              the service provider.
                 nullable: false
                 readOnly: true
                 writeOnly: false
               version:
                 type: string
                 description: The version of the resource.
                 nullable: true
                 readOnly: true
                 writeOnly: false
             additionalProperties: false
   <CODE ENDS>

B.3.  BLE Extension Schema OpenAPI Representation

   OpenAPI representation of BLE extension schema is as follows:

   <CODE BEGINS>
   components:
     schemas:
       BleDevice:
         type: object
         description: BLE Device schema.
         properties:
           schemas:
             type: array
             items:
               type: string
               enum:
                 - urn:ietf:params:scim:schemas:extension:ble:2.0

Shahzad, et al.           Expires 11 July 2025                 [Page 63]
Internet-Draft        SCIM Device Schema Extensions         January 2025

                    :Device
           urn:ietf:params:scim:schemas:extension:ble:2.0:Device:
             $ref: '#/components/schemas/BleDeviceExtension'
             required: true
       BleDeviceExtension:
         type: object
         properties:
           versionSupport:
             type: array
             items:
               type: string
             description: Provides a list of all the BLE versions
                          supported by the device. For example,
                          [4.1, 4.2, 5.0, 5.1, 5.2, 5.3].
             nullable: false
             readOnly: false
             writeOnly: false

           deviceMacAddress:
             type: string
             description: It is the public MAC address assigned by the
                          manufacturer. It is unique 48 bit value. The
                          regex pattern is
                          ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
             nullable: false
             readOnly: false
             writeOnly: false

           isRandom:
             type: boolean
             description: AddressType flag is taken from the BLE core
                          specifications 5.3. If FALSE, the device is
                          using public MAC address. If TRUE, device is
                          using a random address.
             nullable: false
             readOnly: false
             writeOnly: false

           separateBroadcastAddress:
             type: string
             description: "When present, this address is used for
                           broadcasts/advertisements.  This value MUST
                               NOT
                           be set when an IRK is provided.  Its form is
                           the same as deviceMa`cAddress."
             nullable: false
             readOnly: false
             writeOnly: false

Shahzad, et al.           Expires 11 July 2025                 [Page 64]
Internet-Draft        SCIM Device Schema Extensions         January 2025

           irk:
             type: string
             description: Identity resolving key, which is unique for
                          every device. It is used to resolve random
                          address.
             nullable: true
             readOnly: false
             writeOnly: true
           mobility:
             type: boolean
             description: If set to True, the BLE device will
                          automatically connect to the closest AP. For
                          example, BLE device is connected with AP-1
                              and
                          moves out of range but comes in range of AP
                             -2,
                          it will be disconnected with AP-1 and
                              connects
                          with AP-2.
             nullable: false
             readOnly: false
             writeOnly: false
           pairingMethods:
             type: array
             items:
               type: string
             description: List of pairing methods associated with the
                          ble device, stored as schema URI.
             nullable: true
             readOnly: false
             writeOnly: false
           urn:ietf:params:scim:schemas:extension:pairingNull:2.0
              :Device:
             $ref: '#/components/schemas/NullPairing'
             required: false
           urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0
              :Device:
             $ref: '#/components/schemas/PairingJustWorks'
             required: false
           urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0
              :Device:
             $ref: '#/components/schemas/PairingPassKey'
             required: false
           urn:ietf:params:scim:schemas:extension:pairingOOB:2.0
              :Device:
             $ref: '#/components/schemas/PairingOOB'
             required: false
         required:

Shahzad, et al.           Expires 11 July 2025                 [Page 65]
Internet-Draft        SCIM Device Schema Extensions         January 2025

           - versionSupport
           - deviceMacAddress
           - AddressType
           - pairingMethods
         additionalProperties: false

       NullPairing:
         type: object

       PairingJustWorks:
         type: object
         description: Just works pairing method for ble
         properties:
           key:
             type: integer
             description: Just works does not have any key value. For
                          completeness, it is added with a key value
                          'null'.
             nullable: false
             readOnly: false
             writeOnly: false
         required:
           - key

       PairingPassKey:
         type: object
         description: Pass key pairing method for ble
         properties:
           key:
             type: integer
             description: A six digit passkey for ble device.
                          The pattern of key is ^[0-9]{6}$.
             nullable: false
             readOnly: false
             writeOnly: true
         required:
           - key

       PairingOOB:
         type: object
         description: Out-of-band pairing method for BLE
         properties:
           key:
             type: string
             description: The OOB key value for ble device.
             nullable: false
             readOnly: false
             writeOnly: false

Shahzad, et al.           Expires 11 July 2025                 [Page 66]
Internet-Draft        SCIM Device Schema Extensions         January 2025

           randomNumber:
             type: integer
             description: Nonce added to the key
             nullable: false
             readOnly: false
             writeOnly: true
           confirmationNumber:
             type: integer
             description: Some solutions require a confirmation number
                          in the RESTful message exchange.
             nullable: true
             readOnly: false
             writeOnly: true
         required:
           - key
           - randomNumber
   <CODE ENDS>

B.4.  DPP Extension Schema OpenAPI Representation

   OpenAPI representation of DPP extension schema is as follows:

   <CODE BEGINS>
   components:
     schemas:
       DppDevice:
         type: object
         description: Wi-Fi Easy Connect (DPP) device extension schema
         properties:
           schemas:
             type: array
             items:
               type: string
               enum:
                 - urn:ietf:params:scim:schemas:extension:dpp:2.0
                    :Device
           urn:ietf:params:scim:schemas:extension:dpp:2.0:Device:
             $ref: '#/components/schemas/DppDeviceExtension'
             required: true
       DppDeviceExtension:
         type: object
         properties:
           dppVersion:
             type: integer
             description: Version of DPP this device supports.
             nullable: false
             readOnly: false
             writeOnly: false

Shahzad, et al.           Expires 11 July 2025                 [Page 67]
Internet-Draft        SCIM Device Schema Extensions         January 2025

           bootstrappingMethod:
             type: array
             items:
               type: string
             description: The list of all the bootstrapping methods
                          available on the enrollee device. For
                          example, [QR, NFC].
             nullable: true
             readOnly: false
             writeOnly: false
           bootstrapKey:
             type: string
             description: This key is Elliptic-Curve Diffie–Hellman
                          (ECDH) public key. The base64 encoded length
                          for P-256, P-384, and P-521 is 80, 96, and
                              120
                          characters.
             nullable: false
             readOnly: false
             writeOnly: true
           deviceMacAddress:
             type: string
             description: The MAC address assigned by the manufacturer.
                          The regex pattern is
                          ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
             nullable: false
             readOnly: false
             writeOnly: false
           classChannel:
             type: array
             items:
               type: string
             description: A list of global operating class and channel
                          shared as bootstrapping information. It is
                          formatted as class/channel. For example,
                          '81/1', '115/36'.
             nullable: false
             readOnly: false
             writeOnly: false
           serialNumber:
             type: string
             description: An alphanumeric serial number that may also
                 be
                          passed as bootstrapping information.
             nullable: false
             readOnly: false
             writeOnly: false
         required:

Shahzad, et al.           Expires 11 July 2025                 [Page 68]
Internet-Draft        SCIM Device Schema Extensions         January 2025

           - dppVersion
           - bootstrapKey
         additionalProperties: false
   <CODE ENDS>

B.5.  Ethernet MAB Extension Schema OpenAPI Representation

   OpenAPI representation of Ethernet MAB extension schema is as
   follows:

   <CODE BEGINS>
   components:
     schemas:
       EthernetMABDevice:
         type: object
         description: Ethernet MAC Authenticated Bypass
         properties:
           schemas:
             type: array
             items:
               type: string
               enum:
                 - urn:ietf:params:scim:schemas:extension:ethernet-mab
                    :2.0:Device
           urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0
              :Device:
             $ref: '#/components/schemas/EthernetMABDeviceExtension'
             required: true
       EthernetMABDeviceExtension:
         type: object
         properties:
           deviceMacAddress:
             type: string
             description: It is the public MAC address assigned by the
                          manufacturer. It is unique 48 bit value. The
                          regex pattern is
                          ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
             nullable: false
             readOnly: false
             writeOnly: false
         required:
           - deviceMacAddress
         description: Device extension schema for Ethernet-MAB
   <CODE ENDS>

Shahzad, et al.           Expires 11 July 2025                 [Page 69]
Internet-Draft        SCIM Device Schema Extensions         January 2025

B.6.  FDO Extension Schema OpenAPI Representation

   OpenAPI representation of FDO extension schema is as follows:

   <CODE BEGINS>
   components:
     schemas:
       FDODevice:
         type: object
         description: FIDO Device Onboarding Extension
         properties:
           schemas:
             type: array
             items:
               type: string
               enum:
                 - urn:ietf:params:scim:schemas:extension:fido-device
                    -onboard:2.0:Devices
           urn:ietf:params:scim:schemas:extension:fido-device-onboard
              :2.0:Devices:
             $ref: '#/components/schemas/FDODeviceExtension'
             required: true
       FDODeviceExtension:
         type: object
         properties:
           fdoVoucher:
             type: string
             description: A FIDO Device Onboard (FDO) Voucher
             nullable: false
             readOnly: false
             writeOnly: false
         required:
           - fdoVoucher
         description: Device Extension for a FIDO Device Onboard (FDO)
   <CODE ENDS>

B.7.  Zigbee Extension Schema OpenAPI Representation

   OpenAPI representation of zigbee extension schema is as follows:

Shahzad, et al.           Expires 11 July 2025                 [Page 70]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   components:
     schemas:
       ZigbeeDevice:
         type: object
         description: Zigbee Device schema.
         properties:
           schemas:
             type: array
             items:
               type: string
               enum:
                 - urn:ietf:params:scim:schemas:extension:zigbee:2.0
                    :Device
           urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device:
             $ref: '#/components/schemas/ZigbeeDeviceExtension'
             required: true
       ZigbeeDeviceExtension:
         type: object
         properties:
           versionSupport:
             type: array
             items:
               type: string
             description: Provides a list of all the Zigbee versions
                          supported by the device. For example, [3.0].
             nullable: false
             readOnly: false
             writeOnly: false
           deviceEui64Address:
             type: string
             description: The EUI-64 (Extended Unique Identifier)
                 device
                          address. The regex pattern is
                          ^[0-9A-Fa-f]{16}$.
             nullable: false
             readOnly: false
             writeOnly: false
         required:
           - versionSupport
           - deviceEui64Address
         description: Device extension schema for Zigbee.
   <CODE ENDS>

B.8.  EndpointAppsExt Extension Schema OpenAPI Representation

   OpenAPI representation of endpoint Apps extension schema is as
   follows:

Shahzad, et al.           Expires 11 July 2025                 [Page 71]
Internet-Draft        SCIM Device Schema Extensions         January 2025

   <CODE BEGINS>
   components:
     schemas:
       EndpointAppsExt:
         type: object
         properties:
           applications:
             $ref: '#/components/schemas/applications'

           deviceControlEnterpriseEndpoint:
             type: string
             format: url
             description: The URL of the enterprise endpoint which
                 device
                          control apps use to reach enterprise network
                          gateway.
             nullable: false
             readOnly: true
             writeOnly: false

           telemetryEnterpriseEndpoint:
             type: string
             format: url
             description: The URL of the enterprise endpoint which
                          telemetry apps use to reach enterprise
                              network
                          gateway.
             nullable: false
             readOnly: true
             writeOnly: false

         required:
           - applications
           - deviceControlEnterpriseEndpoint

       applications:
         type: array
         items:
           value:
             type: string
             description: The identifier of the endpointApp.
             nullable: false
             readOnly: false
             writeOnly: false
           ref:
             type: string
             format: uri
             description: The URI of the corresponding 'EndpointApp'

Shahzad, et al.           Expires 11 July 2025                 [Page 72]
Internet-Draft        SCIM Device Schema Extensions         January 2025

                         resource which will control or obtain data
                             from
                         the device.
             nullable: false
             readOnly: true
             writeOnly: false
         required:
           - value
           - ref
   <CODE ENDS>

Authors' Addresses

   Muhammad Shahzad
   North Carolina State University
   Department of Computer Science
   890 Oval Drive
   Campus Box 8206
   Raleigh, NC,  27695-8206
   United States of America
   Email: mshahza@ncsu.edu

   Hassan Iqbal
   North Carolina State University
   Department of Computer Science
   890 Oval Drive
   Campus Box 8206
   Raleigh, NC,  27695-8206
   United States of America
   Email: hassaniqbal931@gmail.com

   Eliot Lear
   Cisco Systems
   Richtistrasse 7
   CH-8304 Wallisellen
   Switzerland
   Phone: +41 44 878 9200
   Email: lear@cisco.com

Shahzad, et al.           Expires 11 July 2025                 [Page 73]