Network Working Group M. Wahl Internet Draft Microsoft Intended status: Proposed Standard May 7, 2014 Expires: November 2014 SCIM Profile For Enhancing Just-In-Time Provisioning draft-wahl-scim-jit-profile-02.txt Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on November 7, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Wahl Expires November 7, 2014 [Page 1]
Internet-Draft SCIM Profile for use with JIT May 2014 Abstract This document specifies a profile of the System for Cross-Domain Identity Management Protocol (SCIM). Servers which implement protocols such as SAML or OpenID Connect receive user identities through those protocols and often cache them, and this profile of SCIM defines how an identity provider can notify a SCIM server of changes to user accounts. Table of Contents 1. Introduction...................................................2 1.1. Conventions used in this document.........................4 2. Events in the SCIM Client Database.............................4 2.1. User is added to the SCIM client database.................4 2.1.1. SCIM client does not support SCIM user creation......4 2.1.2. SCIM client supports SCIM user creation..............4 2.2. User's username changes...................................5 2.3. User's display name or other descriptive attributes change5 2.4. User's account is disabled................................6 2.5. User's account is re-enabled..............................6 2.6. User's account is purged..................................7 3. SCIM Interaction Profile.......................................7 3.1. Locating a user by their user name........................8 3.2. Modifying a user..........................................9 3.3. Deleting a user..........................................10 3.4. Creating a User..........................................11 4. Schema Profile................................................12 4.1. Relationship to SAML.....................................12 4.2. Relationship to OpenID Connect...........................13 5. SCIM Client Authentication....................................14 5.1. Obtaining an OAuth Bearer Token..........................14 6. Security Considerations.......................................15 7. IANA Considerations...........................................15 8. References....................................................16 8.1. Normative References.....................................16 8.2. Informative References...................................16 1. Introduction The SCIM protocol [1] is an application-level, REST protocol for provisioning and managing identity data on the web. SCIM can be leveraged for numerous use cases, including transfer of attributes to a relying party web site (see [3] section 3). Wahl Expires November 7, 2014 [Page 2]
Internet-Draft SCIM Profile for use with JIT May 2014 This profile of SCIM illustrates the interactions between a SCIM client and a SCIM server, in the following scenario: o The SCIM client has an associated database (SCIM client database) of user records, and that SCIM client database is leveraged by an identity provider for user authentication. o The SCIM server has a different associated database (SCIM server database) of user records, and that SCIM server database is leveraged by a service provider (an application). o The service provider trusts the identity provider to authenticate users, and a user's username and other attributes as stored in the SCIM client database are transferred using a federation or authentication protocol (such as SAML or OpenID Connect -- not SCIM) from the identity provider to the service provider each time a user logs into the service provider. o Optionally, when the service provider receives a user identity from the identity provider in that federation or authentication protocol, and the service provider cannot find a user record with matching username in the SCIM server database, then the service provider creates a new record in the SCIM server database. o An identity management system associated with the SCIM client database makes changes to users in the SCIM client database, for instance to de-activate a user, or change the user's display names. These changes are of interest to the service provider as it enables the application to be responsive to user changes even when the user is not logged in. This profile enables the SCIM client to notify the SCIM server of changes to users in the SCIM client database, so that the SCIM server can make corresponding changes in the SCIM server database, which are part of the service provider. For example, if the identity provider deletes a user, this deletion event can be transferred to the service provider via SCIM, so that the service provider can clean up any data associated with a user who won't be accessing that service provider again. Or if the user changes their username, then this can be made known to the service provider, so that subsequent requests by that user will be associated to the same account in the SCIM server database. This profile is not intended to be a comprehensive replication protocol; instead, it provides basic consistency for user records for in two domain's databases, for all users who choose to access the service provider. This profile also does not cover establishing Wahl Expires November 7, 2014 [Page 3]
Internet-Draft SCIM Profile for use with JIT May 2014 common index keys of usernames between a SCIM client and a SCIM server. Finally, management of other object types besides users, and additional attributes beyond basic user status and name, is outside the scope of this profile. 1.1. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [2]. Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value. 2. Events in the SCIM Client Database A SCIM client will, either upon specific change in the SCIM client database, or at intervals, provide one or more changes to the SCIM server. 2.1. User is added to the SCIM client database This profile provides two options for the SCIM client, and support for user creation via SCIM in the SCIM server is OPTIONAL. 2.1.1. SCIM client does not support SCIM user creation The SCIM client does not notify the SCIM server of this event. (In this profile, user creation is assumed to occur out of band from SCIM, such as through a "just in time" operation in a federation protocol such as SAML [6].) 2.1.2. SCIM client supports SCIM user creation Support for this procedure is OPTIONAL. When a user is added in the SCIM client database, then the SCIM client can perform the following procedure. o The SCIM client will attempt to locate the user in the SCIM server using the user's username, as described in section 3.1 of this document. o If the user exists in the SCIM server database, then the procedure ends. Wahl Expires November 7, 2014 [Page 4]
Internet-Draft SCIM Profile for use with JIT May 2014 o Otherwise, if the user's record was not found in the SCIM server, then the SCIM client will send a POST, as described in section 3.4 of this document, to create the user representation in the SCIM server. o If the SCIM server returns a 400-series error indication from the POST, then the SCIM client SHOULD NOT retry the operation. 2.2. User's username changes When a user's username changes in the SCIM client database, then the SCIM client will perform the following procedure. o The SCIM client will attempt to locate the user in the SCIM server using the old username, as described in section 3.1 of this document. o If the user could not be located (no matching record is returned from the GET request), then the procedure ends. o Otherwise, if the user's record was found in the SCIM server, then the SCIM client will send a patch, as described in section 3.2 of this document, to set the value of the username attribute to the new username. o If the SCIM server returns a 400-series error indication from the patch, then the SCIM client SHOULD NOT retry the operation. However, this will indicate to the SCIM client that the representations of the user between the SCIM client database and the SCIM server database are inconsistent and an administrator might be needed to reconcile the difference (e.g., if there was already another user in the SCIM server database who was from another identity provider but had the same user name). 2.3. User's display name or other descriptive attributes change When one or more of a user's descriptive attribute such as display name changes to a new value in the SCIM client database, then the SCIM client will perform the following procedure. o The SCIM client will attempt to locate the user in the SCIM server using the user's username, as described in section 3.1 of this document. o If the user could not be located (no matching record is returned from the GET request), then the procedure ends. Wahl Expires November 7, 2014 [Page 5]
Internet-Draft SCIM Profile for use with JIT May 2014 o Otherwise, if the user's record was found in the SCIM server, then the SCIM client will send a patch, as described in section 3.2 of this document, to set the value of the intended attribute, such as "displayName", or OPTIONALLY the value(s) of sub-attribute(s) of an attribute the "name" attribute, to the new value. o If the SCIM server returns a 400-series error indication from the patch, then the SCIM client SHOULD NOT retry the operation. Note that this profile does not define process for a SCIM client to perform a removal of a user's attributes. 2.4. User's account is disabled When a user's account is disabled in the SCIM client database, then the SCIM client will perform the following procedure. o The SCIM client will attempt to locate the user in the SCIM server using the user's username, as described in section 3.1 of this document. o If the user could not be located (no matching record is returned from the GET request), then the procedure ends. o If the user's record was found in the SCIM server, and the GET returned the "active" attribute type in that record and that attribute had the value false, then the procedure ends. o Otherwise, then the SCIM client will send a patch, as described in section 3.2 of this document, to set the value of the active attribute to false. o If the SCIM server returns a 400-series error indication from the patch, then the SCIM client SHOULD NOT retry the operation. However, this will indicate to the SCIM client that the representations of the user between the SCIM client database and the SCIM server database are inconsistent and an administrator might be needed to determine why a user could not be disabled in the target system. 2.5. User's account is re-enabled When a user's account is re-enabled in the SCIM client database after having previously been disabled, then the SCIM client will perform the following procedure. Wahl Expires November 7, 2014 [Page 6]
Internet-Draft SCIM Profile for use with JIT May 2014 o The SCIM client will attempt to locate the user in the SCIM server using the user's username, as described in section 3.1 of this document. o If the user could not be located (no matching record is returned from the GET request), then the procedure ends. o If the user's record was found in the SCIM server, and the GET returned the "active" attribute type in that record and that attribute had the value true, then the procedure ends. o Otherwise, then the SCIM client will send a patch, as described in section 3.2 of this document, to set the value of the active attribute to true. o If the SCIM server returns a 400-series error indication from the patch, then the SCIM client SHOULD NOT retry the operation. However, this will indicate to the SCIM client that the representations of the user between the SCIM client database and the SCIM server database are inconsistent and an administrator might be needed to determine why a user could not be enabled in the target system. 2.6. User's account is purged When a user's account is purged in the SCIM client, then the SCIM client will perform the following procedure. o The SCIM client will attempt to locate the user in the SCIM server using the user's username, as described in section 3.1 of this document. o If the user could not be located (no matching record is returned from the GET request), then the procedure ends. o Otherwise, then the SCIM client will send a delete, as described in section 3.3 of this document. o If the SCIM server returns a 400-series error indication from the delete, then the SCIM client SHOULD NOT retry the operation. 3. SCIM Interaction Profile A SCIM client is REQUIRED to be configured with the following configuration settings prior to communication with the relying party application of the SCIM server: Wahl Expires November 7, 2014 [Page 7]
Internet-Draft SCIM Profile for use with JIT May 2014 o Confidential client authentication material (for example, an token to authenticate the SCIM client to a SCIM server, or a client identifier and client secret password to authenticate the SCIM client to an OAuth2 server) o If the client does not have a valid token, an OAuth2 server HTTPS URL (for example "https://example.com/TBD/oauthbase/token") along with any supporting data needed to validate the authenticity of the responding HTTP server o SCIM endpoint HTTPS URL prefix (for example, "https://example.com/TBD/scimbase/"), along with any supporting data needed to validate the authenticity of the responding HTTP server The interactions in this section require the SCIM client to have a valid OAuth2 token, such as a bearer token [8]. If the SCIM client does not have a bearer token, it MUST obtain one using either an OAuth Refresh token or the procedure described in section 5 of this document to obtain an access token. If a SCIM client supports multiple tenants, the SCIM client SHOULD maintain distinct set of configuration settings for each tenant. 3.1. Locating a user by their user name In order to modify or delete a user record in a SCIM server, the SCIM client needs to first discover the id of that record as stored in the SCIM server. This is done by searching for the userName attribute, which is defined in section 6.1 of the SCIM Schema [3]. This will also cause an ETag, if versioning is required by the SCIM server, to be returned. The client can issue a SCIM query request for the namespace ending with /Users with a query parameter of a filter for userName matching for equality the user name. For example, a search for a user name of "matt@example.com" (lines wrapped for clarity): GET /TBD/scimbase/Users?filter=username%20eq%20%22matt@example.co m%22&attributes=userName,active HTTP/1.1 Host: example.com Accept: application/json Authorization: Bearer deadbeef The SCIM server when performing this search MUST use a case insensitive match for the user. Note that as userName is required to Wahl Expires November 7, 2014 [Page 8]
Internet-Draft SCIM Profile for use with JIT May 2014 be unique across all users known to the SCIM server, at most one result resource would be returned. If found, the server will respond with a HTTP 200 message containing a single result resource, with one or more attributes: HTTP/1.1 200 OK Content-Type: application/json { "schemas":["urn:scim:schemas:core:2.0:ListResponse"], "totalResults":1, "Resources":[ { "schemas":["urn:scim:schemas:core:2.0:User"], "id":"2819c223-7f76-453a-919d-413861904646", ... "userName":"matt@example.com", "meta":{ "resourceType":"User", ... "version":"W\/\"e180ee84f0671b1\"" } } ] } If not found, the SCIM server will respond with a HTTP 200 message containing zero result resources. If the SCIM server requires the SCIM client to support versioning with ETag, then the SCIM server MUST include a version attribute in the meta section of the result resource. 3.2. Modifying a user For this interaction, the SCIM client needs the id, and OPTIONALLY the version, of the user as represented in the SCIM server database. If the SCIM client does not already have id, the SCIM client can obtain the id of the user as described in section 3.1. If the SCIM client can locate the user record, then the client will modify the attributes of the user in the SCIM server by issuing a POST with an override to PATCH. Wahl Expires November 7, 2014 [Page 9]
Internet-Draft SCIM Profile for use with JIT May 2014 If the SCIM server returned a version attribute in response to the GET request from section 3.1, then the SCIM client MUST include an If-Match header in the POST. The body of the POST request will be a JSON array with one or more elements, each a structure with an "op" key, a "path" key with a value of such as "userName", "displayName", "active" or "name", and "value" key. For example (lines wrapped for clarity) POST /TBD/scimbase/Users/acbf3ae7-8463-4692-b4fd-9b4da3f908ce HTTP/1.1 Host: example.com Accept: application/json Content-Type: application/json Authorization: Bearer deadbeef X-HTTP-Method-Override: PATCH Content-Length: 70 { "op":"replace", "path":"displayName", "value":"Babs Jensen" } If successful, the SCIM server will return either a 200 or a 204 status code in the response. If the POST request included an If-Match header and the SCIM server returns status code 412 indicating precondition failed, then the SCIM client SHOULD re-retrieve the resource using GET, and then re-issue the POST, updating the If-Match header with the new value. 3.3. Deleting a user For this interaction, the SCIM client needs the id of the user. If it does not already have it, it can obtain the id of the user as described in section 3.1. If the SCIM client can locate the user record, then the client can request deletion of user in the server by issuing a POST with an override to DELETE. If the SCIM server returned a version attribute in response to the GET request from section 3.1, then the SCIM client MUST include an If-Match header in the POST. Wahl Expires November 7, 2014 [Page 10]
Internet-Draft SCIM Profile for use with JIT May 2014 For example (lines wrapped for clarity) POST /TBD/scimbase/Users/acbf3ae7-8463-4692-b4fd-9b4da3f908ce HTTP/1.1 Host: example.com Authorization: Bearer deadbeef X-HTTP-Method-Override: DELETE If the user cannot be found, the server will return error code 404. Otherwise, if the user is deleted, then the server will return error code 200. 3.4. Creating a User Support for this operation is OPTIONAL. The SCIM client issues a POST (without an override) to the Users subpath. The body of the POST request MUST contain the "schemas" and "username" attributes, MAY contain the "displayName", "active" and "name" attributes, and MAY contain additional attributes supported by the SCIM server. For example (lines wrapped for clarity): POST /TBD/scimbase/Users Host: example.com Accept: application/json Content-Type: application/json Authorization: Bearer deadbeef Content-Length: 100 { "schemas": ["urn:scim:schemas:core:2.0:User"], "userName": "bjensen@example.com", "displayName": "Babs Jensen" } If the operation was successful, the SCIM server will respond with status code 201 and a response resource containing at least the "id" attribute. The SCIM server MUST return an error if the requested username would match (ignoring case) with the username of another user resource already present. Wahl Expires November 7, 2014 [Page 11]
Internet-Draft SCIM Profile for use with JIT May 2014 4. Schema Profile A server that implements this profile is REQUIRED to recognize and store in its database the "userName" attribute of the SCIM User Schema. (This attribute is described in section 6 of the SCIM Schema [3].) This values of this attribute are REQUIRED to be unique across all objects queryable by a SCIM client. The SCIM server MUST recognize and SHOULD store the "displayName" and "active" attributes of the SCIM User Schema. The SCIM server MUST recognize and MAY store the "name" attribute with components "givenName", "middleName" and "familyName" sub-attributes of the SCIM User Schema. If the SCIM server does not store one or more of those attributes, then any changes to them requested by the SCIM client SHOULD be silently discarded. The SCIM server MUST recognize the "schemas" attribute of the SCIM Core Schema (in section 5.2 of the SCIM Schema [3]), but the value is not modified by the SCIM client in this profile. The User password and externalId attributes, and other resources, are not used in this profile. 4.1. Relationship to SAML This section is informational and only applicable to an identity provider or a service provider which implements SAML [6] for user identification. The value supplied by the SCIM client in the "username" attribute SHOULD be the same as the value included by the identity provider as the subject name identifier inside a SAML assertion. For example, if an identity provider uses emailAddress format subject name identifiers, then after the SCIM client provisions a user with username scott@example.org, the identity provider could send in a SAML message (lines wrapped for clarity): Wahl Expires November 7, 2014 [Page 12]
Internet-Draft SCIM Profile for use with JIT May 2014 <Response ...> ... <Assertion ...> ... <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> scott@example.org </NameID> ... </Subject> ... </Assertion> </Response> 4.2. Relationship to OpenID Connect This section is informational and only applicable to an identity provider or a service provider which implements OpenID Connect [7] for user identification. The value supplied by the SCIM client in the "username" attribute SHOULD be the same as the value included by the identity provider as the subject identifier ("sub" field) in the ID token. The value supplied by the SCIM client in the "displayName" attribute SHOULD be the same as in the OpenID Connect "name" claim. Similarly, the SCIM "name" attribute "givenName" sub-attribute corresponds to the OpenID Connect "given_name" claim, the SCIM "name" attribute "familyName" sub-attribute to the "family_name" claim, and the SCIM "name" attribute "middleName" sub-attribute to the "middle_name" claim. For example, if an identity provider has a user with these attributes that it returns in an OpenID Connect userinfo response: { "sub": "janedoe@example.com", "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe", "middle_name": "Barbara", ... } Wahl Expires November 7, 2014 [Page 13]
Internet-Draft SCIM Profile for use with JIT May 2014 then that identity provider could provision a user to a SCIM server as (lines wrapped for clarity): POST /TBD/scimbase/Users Host: example.com Accept: application/json Content-Type: application/json Authorization: Bearer deadbeef Content-Length: 213 { "schemas": ["urn:scim:schemas:core:2.0:User"], "userName": "janedoe@example.com", "displayName": "Jane Doe", "name": { "familyName": "Doe", "givenName": "Barbara", "middleName": "Jane" } } 5. SCIM Client Authentication How the SCIM client locates an OAuth endpoint and is registered to that server is currently outside the scope of this document. 5.1. Obtaining an OAuth Bearer Token A SCIM client can obtain a bearer token from the OAuth server to which it has been registered by generating a token request. The format of the request is a POST, as described in sections 3.2.1 and 4.4.2 of OAuth2 [4], with parameter grant_type having value "client_credentials". If the SCIM client authenticates itself to the OAuth endpoint using a username and password, then the POST header MUST include an Authorization header, with a value encoding the combination of a client username and client password as described in section 2.3.1 of OAuth2. For example, for a SCIM client with username "s6BhdRkqt3" and client secret "gX1fBat3bV" to request a token, Wahl Expires November 7, 2014 [Page 14]
Internet-Draft SCIM Profile for use with JIT May 2014 POST /TBD/oauthbase/token HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Accept: application/json grant_type=client_credentials A successful response is a JSON encoded structure containing an access_token field, as shown in section 4.4.3 of OAuth2 [4]. The value access_token is the OAuth bearer token used in subsequent SCIM interactions. The bearer token MUST be valid for at least 60 minutes from the time it is issued. HTTP/1.1 200 OK Content-Type: application/json;charset=UTF-8 Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", ... } 6. Security Considerations Both the SCIM and OAuth2 interactions are to be protected using TLS. The OAuth URL, and the SCIM endpoint URL, MUST both be HTTPS URLs. As described in OAuth2 [4], access token credentials MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource server the access token is valid for, and the client to whom the access token is issued. For both SCIM and OAuth2 interactions, the client MUST negotiate sufficient TLS protection mechanisms to ensure that the content cannot be modified during transmission, prior to sending the HTTP payload. Furthermore, the client MUST validate the HTTP server authenticity prior to sending the first HTTP request, to avoid disclosing its client secret or bearer token to an unauthorized server. 7. IANA Considerations There are no IANA considerations in this document. Wahl Expires November 7, 2014 [Page 15]
Internet-Draft SCIM Profile for use with JIT May 2014 8. References 8.1. Normative References [1] Grizzle, K., Hunt, P., Ansari, M., Wahlstroem, E., Mortimore, C., "System for Cross-Domain Identity Management:Protocol", draft-ietf-scim-api-04, April 2014. [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [3] Grizzle, K., Hunt, P., Wahlstroem, E., Mortimore, C., "System for Cross-Domain Identity Management: Core Schema", draft-ietf- scim-core-schema-04, April 2014. [4] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012. 8.2. Informative References [5] Hunt, P., Khasnabish, B., Nadalin, A., Li, K., Zeltsan, Z., "SCIM Use Cases", draft-ietf-scim-use-cases-01, March 2014. [6] Cantor, S., Kemp, J., Philpott, R., Maler, E., "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0", http://docs.oasis- open.org/security/saml/v2.0/saml-core-2.0-os.pdf , March 2005. [7] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., Mortimore, C., "OpenID Connect Basic Client Profile 1.0", http://openid.net/specs/openid-connect-basic-1_0.html , February 2014. [8] Jones, M., Hardt, D., "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, October 2012. Authors' Addresses Mark Wahl Microsoft Corporation 1 Microsoft Way Redmond WA 98052 USA Email: mark.wahl@microsoft.com Wahl Expires November 7, 2014 [Page 16]