INTERNET-DRAFT                                                   P. Hunt
Intended Status: Proposed Standard                                Oracle
Expires: March 10, 2013                                       K. Grizzle
                                                               Sailpoint
                                                       September 6, 2012


                   SCIM Targeted Resource Extension
                      draft-hunt-scim-targeting-01


Abstract

   The core SCIM 1.0 specification is intended to provide updates to a
   single cloud-based application. This extension specifies an extended
   API definition which allows a single SCIM endpoint to support updates
   to multiple cloud-based applications. These extensions enable network
   relationships such as proxy updates, and hub-to-hub-to-spoke
   relationships in addition to the hub-spoke relationship defined in
   the core SCIM 1.0 specification.


Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html


Copyright and License Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors. All rights reserved.



P. Hunt, et al.          Expires March 10, 2013                 [Page 1]


INTERNET DRAFT        draft-hunt-scim-targeting-01     September 6, 2012


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Table of Contents

   1  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2. Service Provider Types  . . . . . . . . . . . . . . . . . . . .  3
     2.1 Spoke Service Provider . . . . . . . . . . . . . . . . . . .  3
     2.2 Hub Service Provider . . . . . . . . . . . . . . . . . . . .  4
     2.3 Gateway Service Provider . . . . . . . . . . . . . . . . . .  4
   3.  Extended Resource API  . . . . . . . . . . . . . . . . . . . .  4
     3.1 Local Endpoints  . . . . . . . . . . . . . . . . . . . . . .  4
     3.2 Targeted Operations  . . . . . . . . . . . . . . . . . . . .  4
   4 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
     4.1 Attributes (multi-valued)  . . . . . . . . . . . . . . . . .  6
     4.2 SCIM Target Schema . . . . . . . . . . . . . . . . . . . . .  6
   5 JSON Representation  . . . . . . . . . . . . . . . . . . . . . .  6
     5.1 User with Targeted References Representation . . . . . . . .  6
     5.2 Server Config with Targeting Representation  . . . . . . . .  7
     5.3 Target Representation  . . . . . . . . . . . . . . . . . . .  8
     5.4 Target Resource Schema Extensions  . . . . . . . . . . . . .  9
   6 XML Schema Representation  . . . . . . . . . . . . . . . . . . . 11
   7  Security Considerations . . . . . . . . . . . . . . . . . . . . 12
   8  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 12
   9  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 12
     9.1  Normative References  . . . . . . . . . . . . . . . . . . . 12
     9.2  Informative References  . . . . . . . . . . . . . . . . . . 12
   Appendix A - Editors Notes . . . . . . . . . . . . . . . . . . . . 12
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12




1  Introduction

   This specification extends the SCIM Protocol [draft-scim-api-00] and
   [draft-scim-core-schema-00] to enable a SCIM service endpoint to act
   as a 'gateway' that processes requests intended for other connected
   cloud services called 'targets'. A gateway is essentially a proxy
   that front-ends one or more applications for the purpose of
   provisioning. The gateway may act as a simple proxy, or it may act
   as a hub storing data to be used directly or indirectly by other
   cloud systems. A 'target' is a logical representation of a remotely
   connected system to be provisioned. Such a system may, in turn, be
   connected via SCIM or some other API supported by the gateway node.
   The targeting extension is intended to support all SCIM operations
   and layers on top of SCIM 1.0.

   The target resource extensions allow requesting clients to make
   updates to entities within the gateway itself and additionally,
   updates to be routed by the gateway to specific target end-points.

                                         +----------+
                                         |CRM Target|
                                         +--+-------+
                                            |
                +------+          +-------+---+
                |Client|--------->|Gateway/Hub|
                +------+          +-------+---+
                                            |
                                        +---+--------+
                                        |Email Target|
                                        +------------+

   1.1  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2. Service Provider Types

   The following non-normative section describes three different types
   of service providers to illustrate how SCIM Resource Targeting may
   be used. With resource targeting, SCIM service providers are broken
   into three types: Spokes, Hubs, and Gateways. Each service provider
   type has different capabilities, and the types are used together to
   form a complete provisioning infrastructure.

2.1 Spoke Service Provider

   A spoke service provider is a SCIM service provider where accounts
   are to be provisioned using the SCIM 1.0 APIs. It usually represents
   a single logical repository of identities.





2.2 Hub Service Provider

   A hub service provider offers the same features as a spoke, but it
   can also provision resources to connected service providers known as
   "targets". A "target" is a SCIM service provider that implements the
   SCIM protocol, or another protocol in such a way that it appears to
   accept SCIM transactions. Resources stored in the hub can be
   associated with resources provisioned in a "target" through the
   complex attribute "accountRefs", which links hub resources to
   resources in target service providers.

2.3 Gateway Service Provider

   A gateway is similar to a SCIM hub except that it has no local
   repository and is therefore stateless. Typically a gateway is used
   as an architectural component to firewall direct access to
   individual SCIM Service Provider endpoints by allowing transactions
   to flow through a common gateway.

3.  Extended Resource API

   The SCIM protocol specifies well known endpoints and HTTP methods for
   managing Resources defined in the core schema such as User and Group
   resources. The core schema defines key Relative Resource URLs which
   can be used to perform SCIM operations.

   In addition to the endpoints defined in section 3 of [draft-scim-api-
   00], the following endpoints are defined:

3.1 Local Endpoints

   In SCIM 1.0, all operations are presumed to occur on the current end-
   point. SCIM Hub and Gateway servers have additional server endpoints
   that enable discovery of Target entities where transactions can be
   routed.

   /Targets
   [Operations: GET]
      Use in GET operations to retrieve a list of logical target
      entities available within the current SCIM server. The information
      can be used by the client to discover provisioning end-points
      accessible via the current SCIM service provider.

   /Targets/{target_id}
   [Operations: GET]
      Use in GET operations to retrieve information about a particular
      Target identified by {target_id}.


3.2 Targeted Operations

      Targeting extends the SCIM protocol so that SCIM operations can be
      routed to a logical server. Targeting adds a prefix to the
      endpoint path of all normal SCIM operations as follows.

   /Targets/{target_id}/{scim-endpoint-url}
   [Operations: All]
      This general pattern indicates that a transaction is to be routed
      to a target identified by {target_id}. {scim-endpoint-url} is any
      valid SCIM 1.0 relative endpoint URL. The routed operation MAY in
      turn be another SCIM protocol call. However it MAY ALSO be over a
      different protocol as long as it behaves within the hub or gateway
      as a SCIM operation.

      For example:
      /Targets/crm/Users/2819c223-7f76-453a-919d-413861904646

   /Targets/{target_id}/ServiceProviderConfigs
   [Operations: GET]
      Retrieves the service provider configuration of the target
      identified by the logical target identifier {target_id}. Included
      in the server configuration MAY be the 'type' attribute, which
      specifies the server type of 'spoke', 'gateway', or 'hub' and
      defaults to 'spoke'. If target communication is not via SCIM, the
      target 'connector' should behave as if it were. The
      ServiceProviderConfig returned SHOULD reflect the real SCIM
      endpoint configuration, or the equivalent if the SCIM protocol is
      not used to connect the Target Service Provider.

   /Targets/{target_id}/Schemas
   [Operations: GET]
      Retrieves the targeted service provider's schema. The schema
      returned SHOULD reflect the Target Service Provider's schema, or
      the equivalent if the SCIM protocol is not used to connect the
      Target Service Provider.

   /Targets/{target_id}/Users
   /Targets/{target_id}/Groups
   [Operations: All]
      Retrieves/updates the User or Group entities from {target_id} as
      if the request was sent directly to {target_id}.

   /Targets/{target_id}/Users/{user_id}
   [Operations: All]
      References the User entity {user_id} within the Target identified
      by {target_id}.

   /Targets/{target_id}/Bulk
   [Operations: All]
      Perform bulk operations on a specified target service provider.
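   As an added illustration (not code from the draft), the following
   Python router applies the /Targets/{target_id}/{scim-endpoint-url}
   pattern. The target registry, its base URLs and the list of accepted
   SCIM 1.0 endpoint names are assumptions; requests that do not name a
   configured target and a SCIM relative endpoint are refused, which is
   the check a hub or gateway needs so that it cannot be used as an
   open proxy to arbitrary back-ends.

```python
# Added example (not part of the draft): routing targeted SCIM requests.
from urllib.parse import urljoin

# Constructed sample target registry: target_id -> spoke base URL and type.
TARGETS = {
    "crm":  {"base": "https://crm.example.net/scim/v1/", "type": "spoke"},
    "mail": {"base": "https://mail.example.net/scim/v1/", "type": "spoke"},
}

# SCIM 1.0 relative endpoints that may follow the /Targets/{id}/ prefix.
SCIM_ENDPOINTS = {"Users", "Groups", "Bulk", "Schemas", "ServiceProviderConfigs"}


class RoutingError(ValueError):
    """Raised when a request cannot be mapped to a configured target."""


def route(path, registry=TARGETS):
    """Map a request path to (target_id, upstream_url).

    Paths without the /Targets/ prefix, and the discovery paths /Targets
    and /Targets/{id}, are local operations and come back as (None, path).
    Only a registered target_id followed by a known SCIM endpoint is
    forwarded; empty, "." and ".." segments are refused so that a client
    cannot steer the gateway outside the target's SCIM base URL.
    """
    segments = path.split("/")
    if segments[:2] != ["", "Targets"] or len(segments) < 4:
        return None, path
    target_id, rest = segments[2], segments[3:]
    if target_id not in registry:
        raise RoutingError("unknown target: %r" % target_id)
    if rest[0] not in SCIM_ENDPOINTS:
        raise RoutingError("not a SCIM 1.0 endpoint: %r" % rest[0])
    if any(seg in ("", ".", "..") for seg in rest):
        raise RoutingError("malformed path segment in %r" % path)
    upstream = urljoin(registry[target_id]["base"], "/".join(rest))
    return target_id, upstream


def check(path, registry=TARGETS):
    """Return the route, or the rejection reason as a string (for logging)."""
    try:
        return route(path, registry)
    except RoutingError as exc:
        return str(exc)
```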





4 Schema

      To support targeted operations, additional schema is defined for
      the new "targets" schema object and for extensions to the User
      and Group objects. The SCIM schema is extended per section 4 of
      [draft-scim-core-schema-00].

      When extending schema to support targeting, the following URI MUST
      be added to the "schemas" attribute:
      'urn:scim:schemas:extension:targeted:1.0'.

4.1 Attributes (multi-valued)

   accountRefs  A complex multi-valued attribute containing references
      to associated resources in other targets. Each reference consists
      of a target identifier and a User object identifier. For each
      targetId, there may be one or more related object identifiers
      within each target. An individual identifier can be designated as
      a primary within a target.

4.2 SCIM Target Schema

      The Target extension provides a schema for representing the
      Service Provider's configured target entities identified using
      the following URI: 'urn:scim:schemas:extension:targeted:1.0'.

      The Target Resource enables a Service Provider to expose the
      addressable targets reachable within the Service Provider as
      gatewayed entities. All attributes are READ-ONLY.

5 JSON Representation

5.1 User with Targeted References Representation

      The following is a non-normative example of a minimal SCIM
      representation of a User extended with targeted references in JSON
      format. The example user has 2 email accounts and one CRM account.

      {
        "schemas":
          [
            "urn:scim:schemas:core:1.0",
            "urn:scim:schemas:extensions:targeted:1.0:resourceRef"
          ],
        "id": "2819c223-7f76-453a-919d-413861904646",
        "userName": "bjensen@example.com",
        "urn:scim:schemas:extensions:targeted:1.0":{
          "accountRefs":[
            {
              "targetId":"mail",
              "display":"Cloud Email Service",
              "references":[
                {
                  "type":"User",
                  "value":"bjensen@example.com",
                  "primary":true
                },
                {
                  "type":"User",
                  "value":"b.jensen@example.com"
                }
              ]
            },
            {
              "targetId":"crm",
              "display":"Customer Relationship Management Service",
              "references":[
                {
                  "type":"User",
                  "value":"2819c223-7f76-453a-919d-413861904646",
                  "primary":true
                }
              ]
            }
          ]
        }
      }

      [[Does it make sense to reference Group objects? Others?]]
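      As an added example (not part of the draft), the Python below reads
      the accountRefs structure from a User document like the one above.
      The user document is a constructed copy of the section 5.1 example;
      the validation rules it enforces (canonical reference types, a
      non-empty value, at most one primary per target) follow the
      attribute definitions in section 5.4.

```python
# Added example (not part of the draft): parsing targeted account references.
import json

TARGETED_URN = "urn:scim:schemas:extensions:targeted:1.0"

# Constructed sample User, modelled on the section 5.1 example.
SAMPLE_USER = json.loads("""
{
  "schemas": ["urn:scim:schemas:core:1.0",
              "urn:scim:schemas:extensions:targeted:1.0:resourceRef"],
  "id": "2819c223-7f76-453a-919d-413861904646",
  "userName": "bjensen@example.com",
  "urn:scim:schemas:extensions:targeted:1.0": {
    "accountRefs": [
      {"targetId": "mail", "display": "Cloud Email Service",
       "references": [
         {"type": "User", "value": "bjensen@example.com", "primary": true},
         {"type": "User", "value": "b.jensen@example.com"}]},
      {"targetId": "crm", "display": "Customer Relationship Management Service",
       "references": [
         {"type": "User", "value": "2819c223-7f76-453a-919d-413861904646",
          "primary": true}]}
    ]
  }
}
""")


def account_refs(user):
    """Return {targetId: [(type, value, primary), ...]} for a User document.

    Raises ValueError when the extension is present but malformed: an
    entry without targetId, a repeated targetId, a reference type outside
    the canonical values, an empty value, or two primaries for one target.
    """
    ext = user.get(TARGETED_URN)
    if ext is None:                      # extension absent: no targeted refs
        return {}
    result = {}
    for entry in ext.get("accountRefs", []):
        target = entry.get("targetId")
        if not target:
            raise ValueError("accountRefs entry without targetId")
        if target in result:
            raise ValueError("duplicate accountRefs entry for %r" % target)
        refs = []
        for ref in entry.get("references", []):
            if ref.get("type") not in ("User", "Group"):
                raise ValueError("unknown reference type %r" % ref.get("type"))
            if not ref.get("value"):
                raise ValueError("empty reference value for %r" % target)
            refs.append((ref["type"], ref["value"], bool(ref.get("primary"))))
        if not refs:
            raise ValueError("target %r has no references" % target)
        if sum(1 for _, _, primary in refs if primary) > 1:
            raise ValueError("more than one primary reference for %r" % target)
        result[target] = refs
    return result


def primary_id(user, target_id):
    """Identifier to use for target_id: the primary reference, or the
    only reference when there is exactly one, else None."""
    refs = account_refs(user).get(target_id, [])
    for _, value, primary in refs:
        if primary:
            return value
    return refs[0][1] if len(refs) == 1 else None
```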

5.2 Server Config with Targeting Representation

      The following is a non-normative example of server configuration
      with targeting schema (indicating the server is a SCIM
      provisioning "hub") in JSON format.

      {
       "schemas": ["urn:scim:schemas:core:1.0",
         "urn:scim:schemas:extensions:targeted:1.0"],
       "documentationUrl":"http://example.com/help/scim.html",
       "patch": {
         "supported":true
       },
       "bulk": {
         "supported":true,
         "maxOperations":1000,
         "maxPayloadSize":1048576
       },
       "filter": {
         "supported":true,
         "maxResults": 200
       },
       "changePassword" : {
         "supported":true
       },
       "sort": {
         "supported":true
       },
       "etag": {
         "supported":true
       },
       "xmlDataFormat": {
         "supported":true
       },
       "authenticationSchemes": [
         {
           "name": "OAuth Bearer Token",
           "description":
             "Authentication Scheme using the OAuth Bearer Token",
           "specUrl":
             "http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-01",
           "documentationUrl":"http://example.com/help/oauth.html",
           "type":"oauthbearertoken",
           "primary": true
         },
         {
           "name": "HTTP Basic",
           "description": "Authentication Scheme using the Http Basic",
           "specUrl":"http://www.ietf.org/rfc/rfc2617.txt",
           "documentationUrl":"http://example.com/help/httpBasic.html",
           "type":"httpbasic"
          }
       ],
       "urn:scim:schemas:extensions:targeted:1.0": [
         {
           "type":"hub"
         }
       ]
      }

5.3 Target Representation

      The following is a non-normative example of the representation of
      a Target object in JSON format.






      {
        "schemas":["urn:scim:schemas:core:1.0",
          "urn:scim:schemas:extensions:targeted:1.0"],
        "id" : "mail",
        "description" : "Corporate imap service",
        "type" : "spoke"
      }

5.4 Target Resource Schema Extensions

      The following is a normative example of the SCIM Targeted schema
      extension representation in JSON format.

      {
        "id":
          "urn:scim:schemas:extensions:targeted:1.0:resourceRef",
        "name":"Targeted",
        "description":"Targeted Resource Extension",
        "schema":
          [
            "urn:scim:schemas:core:1.0",
            "urn:scim:schemas:extensions:targeted:1.0"
          ],
        "attributes":[
          {
            "name":"accountRefs",
            "type":"complex",
            "multiValued":true,
            "multiValuedAttributeChildName":"targetId",
            "schema":[
              "urn:scim:schemas:core:1.0",
              "urn:scim:schemas:extensions:targeted:1.0"
            ],
            "readOnly":false,
            "required":false,
            "caseExact":true,
            "subAttributes":[
              {
                "name":"targetId",
                "type":"string",
                "multiValued":false,
                "description":"Identifier of target system where
                               one or more related resources can
                               be found",
                "readOnly":false,
                "required":true,
                "caseExact":false
              },
              {
                "name":"display",
                "type":"string",
                "multiValued":false,
                "description":"A human readable description of
                               target used for display purposes",
                "readOnly":true,
                "required":false,
                "caseExact":false
              },
              {
                "name":"references",
                "type":"complex",
                "multiValued":true,
                "description":"A set of one or more target references
                               for the object within the target.",
                "readOnly":false,
                "required":true,
                "caseExact":false,
                "subAttributes":[
                  {
                    "name":"type",
                    "type":"string",
                    "multiValued":false,
                    "required":true,
                    "canonicalValues":["User","Group"]
                  },
                  {
                    "name":"value",
                    "type":"string",
                    "multiValued":true,
                    "description":"Unique identifier for the SCIM
                             resource as defined by the Target
                             Service Provider. Each representation
                             of the resource MUST include a
                             non-empty id value. This identifier
                             MUST be unique across the Target's
                             entire set of resources. It MUST be a
                             stable, non-reassignable identifier
                             that does not change when the same
                             resource is returned in subsequent
                             requests. The value of the id
                             attribute is always issued by the
                             Target Provider and MUST never be
                             specified by the Target Service
                             Consumer. REQUIRED.",
                    "schema":"urn:scim:schemas:core:1.0",
                    "readOnly":true,
                    "required":true,
                    "caseExact":false
                  },
                  {
                    "name":"primary",
                    "type":"boolean",
                    "multiValued":false,
                    "description":"A Boolean value indicating the
                                  'primary' or default targeted object
                                  for the parent object",
                    "readOnly":false,
                    "required":false,
                    "caseExact":false
                  }
                ]
              }
            ]
          }
        ]
      }

      [[TBD: what about flags such as isWriteable, etc]]


6 XML Schema Representation [[ TO BE DETERMINED]]



7  Security Considerations

      [[TBD]]

      No additional security considerations other than those listed in
      [draft-scim-api-00].


8  IANA Considerations

      <IANA considerations text>


9  References

9.1  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [draft-scim-api-00] Drake, T., "Simple Cloud Identity Management:
              Protocol 1.0", March 15 2012

   [draft-scim-core-schema-00] Mortimore, C., "Simple Cloud Identity
              Management: Core Schema 1.0", March 15 2012

9.2  Informative References


Appendix A - Editors Notes
   The editor would like to thank Gary Cole for his extensive advice and
   wisdom in advising on how to add Target functions to SCIM 1.0. The
   SCIM Target proposal builds in large part on his proposal work in
   the OASIS RESTpml work, and is shared with his agreement.

   Change History

   Draft 01 is an administrative update to refresh expiry dates.

Authors' Addresses


   Phil Hunt
   Oracle Corporation

   EMail: phil.hunt@yahoo.com