Network Working Group P. Hunt, Ed.
Internet-Draft Oracle
Intended status: Standards Track W. Denniss
Expires: September 21, 2016 Google
M. Ansari
Cisco
March 20, 2016
SCIM Event Extension
draft-hunt-idevent-scim-00
Abstract
This specification profiles the Identity Event Token specification to
define a set of identity events to be used with SCIM.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 21, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Hunt, et al. Expires September 21, 2016 [Page 1]
Internet-Draft draft-hunt-idevent-scim March 2016
Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 2
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 2
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3
2. SCIM Events . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Common Event Attributes . . . . . . . . . . . . . . . . . 3
2.2. Disclosure Profiles . . . . . . . . . . . . . . . . . . . 4
2.3. SCIM Events . . . . . . . . . . . . . . . . . . . . . . . 4
2.3.1. urn:ietf:params:event:SCIM:add . . . . . . . . . . . 4
2.3.2. urn:ietf:params:event:SCIM:create . . . . . . . . . . 5
2.3.3. urn:ietf:params:event:SCIM:activate . . . . . . . . . 7
2.3.4. urn:ietf:params:event:SCIM:modify . . . . . . . . . . 8
2.3.5. urn:ietf:params:event:SCIM:deactivate . . . . . . . . 8
2.3.6. urn:ietf:params:event:SCIM:delete . . . . . . . . . . 8
2.3.7. urn:ietf:params:event:SCIM:remove . . . . . . . . . . 9
2.3.8. urn:ietf:params:event:SCIM:password . . . . . . . . . 9
3. Security Considerations . . . . . . . . . . . . . . . . . . . 11
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
5.1. Normative References . . . . . . . . . . . . . . . . . . 12
5.2. Informative References . . . . . . . . . . . . . . . . . 13
Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 13
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 13
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction and Overview
This specification profiles the Identity Event Token [idevent-token]
to define events for SCIM Protocol [RFC7644].
1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. These
keywords are capitalized when used to unambiguously specify
requirements of the protocol or application features and behavior
that affect the interoperability and security of implementations.
When these words are not capitalized, they are meant in their
natural-language sense.
For purposes of readability examples are not URL encoded.
Implementers MUST percent encode URLs as described in Section 2.1 of
[RFC3986].
Hunt, et al. Expires September 21, 2016 [Page 2]
Internet-Draft draft-hunt-idevent-scim March 2016
Throughout this documents all figures MAY contain spaces and extra
line-wrapping for readability and space limitations. Similarly, some
URI's contained within examples, have been shortened for space and
readability reasons.
1.2. Definitions
This specification uses definitions from the specification
[idevent-token].
2. SCIM Events
SCIM events JSON objects that are encoded in JWT form as per
[idevent-token]. An event includes a eventUri which indicates the
type of event and the event specific attributes. An event also
includes standard JWT attributes "iss", "aud", "jti", and "iat" which
indicates the event publisher (issuer), the the event feeds
(audience), a token identifier, and the date of issue (iat).
2.1. Common Event Attributes
The following attributes are defined for all events defined in
Section 2.3 or any schema defined within the uri namespace
"urn:ietf:params:events:SCIM".
id
An optional multi-valued SCIM "id" value of the affected
resource(s) as defined in Section 3.1 [RFC7643]. If provided the
identifiers MUST correspond to the values referenced in
"resourceUris".
attributes
A multi-valued list of affected SCIM attributes. Each attribute
listed may be a fully-qualified attribute name or an attribute
"path" as defined in Figure 7 of Section 3.3.2 of [RFC7644]
values
A JSON object structure containing the affected attributes and
their associated values. If the "values" attribute is supplied,
the event message MUST be encrypted. Service providers SHOULD
take care to ensure that eligible subscribers are able to see
attribute values. Alternatively, subscribers MAY use the
resourceURIs to retrieve the final attribute values. When doing
so, the SCIM service provider can then assess the subscribers
right to obtain the actual attribute values.
Hunt, et al. Expires September 21, 2016 [Page 3]
Internet-Draft draft-hunt-idevent-scim March 2016
For a password change event, in maximal disclosure mode ( see
Section 2.2), the clear text password attribute value MAY be
included in the values"values" attribute.
2.2. Disclosure Profiles
SCIM events are intended to disclose the minimum amount of
information required to provide co-ordination between asynchronous
systems. This has the effect of eliminating most error signaling
conditions and simplifies privacy and security considerations.
For each event type, the following levels of disclosure are defined,
for which different security considerations may apply:
Minimal
In general, the main information content is the event description
itself. The event contents typically includes only REQUIRED
attributes. Because no data content is exchanged, encryption of
the event message is not required.
Default
In general the default information is exchanged. This includes
the "sub" attribute and a list of affected SCIM attributes.
Typically attribute values are not provided. Encryption of the
event message is typically not required unless otherwise stated.
Maximal
In maximal mode, all data involved in the state change is
exchanged. To prevent leakage of information, implementers SHOULD
encrypt events that convey attributes about resources. This
profile should typically be used when co-ordinating information
between tightly-coupled systems that are part of a common
administrative domain.
In the case of "minimal" and "default" disclosures, a subscriber MAY
use a follow-up SCIM GET (see Section 3.4 [RFC7644] to obtain the
current state of the resource (sub) following the event. While this
may be seen as costly (as a second call), using SCIM GET enables
simpler error signalling, access control, distribution enforcement by
the event publisher.
2.3. SCIM Events
2.3.1. urn:ietf:params:event:SCIM:add
The specified resource URI was added to the feed. An add does not
indicate a resource is new or has been recently created. For
example, an existing user has had a new role (e.g. CRM_User) added
to their profile which has caused their resource to join a feed.
Hunt, et al. Expires September 21, 2016 [Page 4]
Internet-Draft draft-hunt-idevent-scim March 2016
The following is an example of a minimal disclosure Add Event
message(it has been modified for readability):
{
"jti": "6164f3bbf6ff41a88dc94f18cb0620e8",
"eventUris":[
"urn:ietf:params:event:SCIM:add"
],
"iat": 1458505044,
"iss":"https://scim.example.com",
"aud":[
"https://scim.example.com/Feeds/98d52461fa5bbc879593b7754"
],
"sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462",
}
Figure 1: Example SCIM Add Event
2.3.2. urn:ietf:params:event:SCIM:create
The new resource URI has been created at the service provider and has
been added to the feed. When a CREATE event is sent, a corresponding
ADD event is not issued. In "minimal" disclosure mode, event
specific data is returned. In "default" disclosure, the "attributes"
attribute is returned disclosing what attributes were created at the
publisher. In "maximal" disclosure mode, set of values reflecting
the final state of the resource at the service provider are provided
in the "values" attribute and MUST be encrypted as a JWE (see
[idevent-token]).
Hunt, et al. Expires September 21, 2016 [Page 5]
Internet-Draft draft-hunt-idevent-scim March 2016
The following is an example SCIM Create event message(it has been
modified for readability) and uses maximal disclosure:
{
"jti": "4d3559ec67504aaba65d40b0363faad8",
"eventUris":[
"urn:ietf:params:event:SCIM:create"
],
"iat": 1458496404,
"iss":"https://scim.example.com",
"aud":[
"https://scim.example.com/Feeds/98d52461fa5bbc879593b7754",
"https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7"
],
"sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9",
"urn:ietf:params:event:SCIM:create":{
"attributes":["id","name","userName","password","emails"],
"values":{
"emails":[
{"type":"work","value":"jdoe@example.com"}
],
"password":"not4u2no",
"userName":"jdoe",
"id":"44f6142df96bd6ab61e7521d9",
"name":{
"givenName":"John",
"familyName":"Doe"
}
}
}
}
Figure 2: Example SCIM Create Event (Maximal Disclosure)
In the above example, the user "jdoe" is created with values an email
address, an initial password, and a name. Note that when raw data is
sent, it is advisable to protect the event using JWE (see Section 2.2
[idevent-token]).
Hunt, et al. Expires September 21, 2016 [Page 6]
Internet-Draft draft-hunt-idevent-scim March 2016
The following is an example SCIM Create event message(it has been
modified for readability) and uses default disclosure:
{
"jti": "4d3559ec67504aaba65d40b0363faad8",
"eventUris":[
"urn:ietf:params:event:SCIM:create"
],
"iat": 1458496404,
"iss":"https://scim.example.com",
"aud":[
"https://scim.example.com/Feeds/98d52461fa5bbc879593b7754",
"https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7"
],
"sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9",
"urn:ietf:params:event:SCIM:create":{
"attributes":["id","name","userName","password","emails"],
}
}
The event above notifies the subscriber which attributes are
available from the SCIM event publisher, but does not convey the
actual information. The subscriber MAY retrieve that information by
performing a SCIM GET to the "sub" value specified.
Figure 3: Example SCIM Create Event (Default Disclosure)
2.3.3. urn:ietf:params:event:SCIM:activate
The specified resource (e.g. User) has been activated. This
optional event is used to indicate a high-level change in state as
agreed between the publisher and subscriber. For example, an
activated resource is one that can now have an active session (may
log in) from a security perspective (may log in). Typically this
event discloses only minimal information.
Hunt, et al. Expires September 21, 2016 [Page 7]
Internet-Draft draft-hunt-idevent-scim March 2016
The following is an example of a minimal disclosure Activate Event
message(it has been modified for readability):
{
"jti": "6164f3bbf6ff41a88dc94f18cb0620e8",
"eventUris":[
"urn:ietf:params:event:SCIM:activate"
],
"iat": 1458505044,
"iss":"https://scim.example.com",
"aud":[
"https://scim.example.com/Feeds/98d52461fa5bbc879593b7754"
],
"sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462",
}
Figure 4: Example SCIM Activate Event
2.3.4. urn:ietf:params:event:SCIM:modify
The specified resource has been updated (e.g. one or more attributes
has changed). As with the create event, this event MAY be expressed
in minimal, default, and maximal modes.
2.3.5. urn:ietf:params:event:SCIM:deactivate
The specified resource (e.g. User) has been deactivated and
disabled. The exact meaning must be agreed to by a SCIM publisher
and its corresponding subscriber. Typically this means the sub may
no longer have an active security session. As with the activate
event, this event has minimal disclosure requirements.
2.3.6. urn:ietf:params:event:SCIM:delete
The specified resource has been deleted from the SCIM publisher. The
resource is also removed from the feed. When a DELETE is sent, a
corresponding REMOVE is not issued. A delete event has minimal
disclosure profile only.
Hunt, et al. Expires September 21, 2016 [Page 8]
Internet-Draft draft-hunt-idevent-scim March 2016
The following is an example of a minimal disclosure Delete Event
message(it has been modified for readability):
{
"jti": "6164f3bbf6ff41a88dc94f18cb0620e8",
"eventUris":[
"urn:ietf:params:event:SCIM:delete"
],
"iat": 1458505044,
"iss":"https://scim.example.com",
"aud":[
"https://scim.example.com/Feeds/98d52461fa5bbc879593b7754"
],
"sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462",
}
Figure 5: Example SCIM Delete Event
2.3.7. urn:ietf:params:event:SCIM:remove
The specified resource has been removed from the feed. Removal does
not indicate that the resource was deleted or otherwise deactivated.
This event has minimal disclosure.
The following is an example of a minimal disclosure Remove Event
message(it has been modified for readability):
{
"jti": "6164f3bbf6ff41a88dc94f18cb0620e8",
"eventUris":[
"urn:ietf:params:event:SCIM:remove"
],
"iat": 1458505044,
"iss":"https://scim.example.com",
"aud":[
"https://scim.example.com/Feeds/98d52461fa5bbc879593b7754"
],
"sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462",
}
Figure 6: Example SCIM Remove Event
2.3.8. urn:ietf:params:event:SCIM:password
The specified resource (e.g. User) has changed its password or the
password has been reset. When the password has changed, the
"attributes" attribute is supplied with the value "password".
Hunt, et al. Expires September 21, 2016 [Page 9]
Internet-Draft draft-hunt-idevent-scim March 2016
The following is a non-normative example showing a password change
event using minimal disclosure:
{
"jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
"eventUris":[
"urn:ietf:params:event:SCIM:password"
],
"iat": 1458496025,
"iss": "https://scim.example.com",
"aud":[
"https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754",
"https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7"
],
"sub":
"https://scim.example.com/Users/44f6142df96bd6ab61e7521d9",
}
Figure 7: Example SCIM Password Change Event
The password event MAY be extended to conveys a password reset, the
event MAY include an additional eventUri value of
"urn:ietf:params:event:extension:example.com:password" which includes
the attribute "resetAttempts". "resetAttempts" indicates the current
number of reset attempts since the last successful login by the
subject.
Hunt, et al. Expires September 21, 2016 [Page 10]
Internet-Draft draft-hunt-idevent-scim March 2016
The following is a non-normative example showing a password reset
event:
{
"jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
"eventUris":[
"urn:ietf:params:event:SCIM:password",
"urn:ietf:params:event:extension:example.com:password"
],
"iat": 1458496025,
"iss": "https://scim.example.com",
"aud":[
"https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754",
"https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7"
],
"sub":
"https://scim.example.com/Users/44f6142df96bd6ab61e7521d9",
"urn:ietf:params:event:SCIM:password":{
"id":"44f6142df96bd6ab61e7521d9",
},
"urn:ietf:params:event:extension:example.com:password":{
"resetAttempts":4
}
}
Figure 8: Example SCIM Password Reset Event
3. Security Considerations
[[TO BE COMPLETED]]
4. IANA Considerations
This section registers the schema extensions found in Section 2.3 in
the "Event" registry as per Section 4.2 [idevent-token].
Schema URI: See Section 2.3.
Schema Name: See corresponding names under Section 2.3.
Intented ResourceType: N/A. Events are not intended to be persisted
in SCIM.
Purpose: See each description in Section 2.3.
Single-valued Attributes: None.
Hunt, et al. Expires September 21, 2016 [Page 11]
Internet-Draft draft-hunt-idevent-scim March 2016
Multi-valued Attributes: All schemas in this specification share the
same attributes. See Section 2.1.
Summary of schema URI registrations:
+---------------------------------------+-------------+-------------+
| Schema URI | Name | Reference |
+---------------------------------------+-------------+-------------+
| urn:ietf:params:event:SCIM:add | Resource | Section 2.3 |
| | added to | |
| | Feed Event | |
| urn:ietf:params:event:SCIM:remove | Resource | Section 2.3 |
| | Removal | |
| | From Feed | |
| | Event | |
| urn:ietf:params:event:SCIM:create | New | Section 2.3 |
| | Resource | |
| | Event | |
| urn:ietf:params:event:SCIM:modify | Resource | Section 2.3 |
| | Modified | |
| | Event | |
| urn:ietf:params:event:SCIM:delete | Resource | Section 2.3 |
| | Deleted | |
| | Event | |
| urn:ietf:params:event:SCIM:activate | Resource | Section 2.3 |
| | Activated | |
| | Event | |
| urn:ietf:params:event:SCIM:deactivate | Resource | Section 2.3 |
| | Deactivated | |
| | Event | |
| urn:ietf:params:event:SCIM:password | Password | Section 2.3 |
| | Change | |
| | Event | |
+---------------------------------------+-------------+-------------+
5. References
5.1. Normative References
[idevent-subscription]
Oracle Corporation, "Identity Event Subscription Protocol
(work in progress)".
[idevent-token]
Oracle Corporation, "Identity Event Token (work in
progress)".
Hunt, et al. Expires September 21, 2016 [Page 12]
Internet-Draft draft-hunt-idevent-scim March 2016
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>.
[RFC7643] Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C.
Mortimore, "System for Cross-domain Identity Management:
Core Schema", RFC 7643, DOI 10.17487/RFC7643, September
2015, <http://www.rfc-editor.org/info/rfc7643>.
5.2. Informative References
[RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
and C. Mortimore, "System for Cross-domain Identity
Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
September 2015, <http://www.rfc-editor.org/info/rfc7644>.
Appendix A. Contributors
Appendix B. Acknowledgments
The editor would like to thank the participants in the the SCIM
working group and the id-event list for their support of this
specification.
Appendix C. Change Log
Draft 00 - PH - First Draft
Authors' Addresses
Phil Hunt (editor)
Oracle Corporation
Email: phil.hunt@yahoo.com
William Denniss
Salesforce.com
Email: wdenniss@google.com
Hunt, et al. Expires September 21, 2016 [Page 13]
Internet-Draft draft-hunt-idevent-scim March 2016
Morteza Ansari
Cisco
Email: morteza.ansari@cisco.com
Hunt, et al. Expires September 21, 2016 [Page 14]