Note Takers:
Use cases
Rifaat - how do you define a device
Everything but general-purpose computers
Draft contains examples - device provisioning, BLE, Zigbee etc.
Goal is to have a small core and then use extension
Updated to -01 version, now includes references to the core
Question on chat
Leif
Phil and others have given feedback
WiFi schema is more of a device provisioning protocol
Application level is a different consideration
Darrel Miller
Danny Zollner
Happy to help with representing this in the SCIM schema
Interested in parallel for non-physical devices/machines
Eliot Lear (Cisco) spoke about SCIM for devices (draft-shahzad-scim-device-model-01). Lear presented a series of questions about provisioning new devices into infrastructure, establishing bootstrap credentials, providing ancillary information (such as SBOMs), and getting access to non-IP-based infrastructure (think various L2 protocols). A device could be a lightbulb, refrigerator, or similar things. Basically, not general-purpose computers that have displays and keyboards. The proposed solution is “SCIM for devices”. There are even initial examples such as (Wi-Fi Alliance’s) DPP, BT LE, and ZigBee. YANG/NETCONF/RESTCONF and SNMP are not considered suitable. The proposal is to use the core elements (id, meta, schemas, etc.) of SCIM augmented with a few extensions. The authors are not hard over on what elements are used and are looking for input on what makes sense. They want the “CRUD” (Create, Read, Update, Delete) operations more than all the definitions that would come with YANG/NETCONF, etc. Comments have already been provided by Phil Hunt. The authors are already considering OpenAPI for schema descriptions for reasons of readability. And what is called a Wi-Fi schema is really a DPP schema, so at least the name should be corrected. FIDO and perhaps Matter would make sense for onboarding purposes as well. The authors are technology agnostic. The GitHub repository for the document can be found at https://github.com/iot-onboarding/scim-devices. Adoption is targeted for next year.
Danny Zollner (Microsoft) volunteered to help with representing the SCIM for Devices schema in the SCIM schema language. Danny and several others have been looking at representing non-physical devices or machine identities (workload identities or service identities) as well. That might make sense to be joined with the SCIM for Devices Internet-Draft or it could be separate.
Question for the group about External IDs and Provisioning domains
There should be a different provisioning ID for every domain
Is anyone running a SCIM server that maps different external IDs to different domains
Pamela Dingle (Microsoft) provided a small update on the forthcoming use cases document. A provisioning domain is defined in RFC 7643 as an administrative domain external to the domain of the service provider. An external ID is defined relative to the provisioning domain. There is a local mapping between the identifier of the provisioning domain and the SCIM server. This implies that there should be a separate external ID for every provisioning domain that a SCIM server serves. But that doesn’t seem to be how things are done in practice. The question to the group: Is there anyone who runs a SCIM server who is mapping different external IDs to different provisioning IDs? [No responses in the room.] Dingle will take the question to the mailing list. The hope is to have reviews of the document leading to adoption by July 2023.
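As an added illustration of what the RFC 7643 definitions imply (this is example code, not part of the minutes or of the use-cases document), the following Python models a SCIM server that serves two provisioning domains and keeps a separate externalId per domain. The provisioning domain is derived from the authenticated client, never from the request body, so a filter on externalId is always evaluated within the caller's own domain. The ScimServer class, the per-domain external_ids map, the credential-to-domain table and the sample users are all constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: str                                   # server-assigned SCIM "id", globally unique
    userName: str
    # Assumed for this example: one externalId per provisioning domain, since RFC 7643
    # defines externalId relative to the provisioning domain that assigned it.
    external_ids: dict = field(default_factory=dict)


class ScimServer:
    def __init__(self):
        self.users = {}
        self.clients = {}   # constructed: client credential -> provisioning domain

    def register_client(self, credential, domain):
        self.clients[credential] = domain

    def _domain_for(self, credential):
        # The domain comes from the authenticated client, not from anything the client sends.
        try:
            return self.clients[credential]
        except KeyError:
            raise PermissionError("unknown client") from None

    def create(self, credential, userName, externalId):
        domain = self._domain_for(credential)
        # Uniqueness of externalId is scoped to the caller's domain; two domains may
        # legitimately use the same value for two different people.
        if self.find_by_external_id(credential, externalId):
            raise ValueError("uniqueness")        # would be scimType "uniqueness" on the wire
        user = User(id=f"u{len(self.users) + 1}", userName=userName,
                    external_ids={domain: externalId})
        self.users[user.id] = user
        return user

    def find_by_external_id(self, credential, externalId):
        """Equivalent of filter=externalId eq "...", evaluated against the caller's domain only."""
        domain = self._domain_for(credential)
        return [u for u in self.users.values() if u.external_ids.get(domain) == externalId]

    def link(self, credential, user_id, externalId):
        """Attach this domain's externalId to an existing user; other domains' IDs are untouched."""
        domain = self._domain_for(credential)
        if self.find_by_external_id(credential, externalId):
            raise ValueError("uniqueness")
        self.users[user_id].external_ids[domain] = externalId
        return self.users[user_id]


if __name__ == "__main__":
    s = ScimServer()
    s.register_client("tok-hr", "hr.example")
    s.register_client("tok-pay", "payroll.example")
    alice = s.create("tok-hr", "alice", "1001")
    bob = s.create("tok-pay", "bob", "1001")      # same value, different domain: no clash
    print(alice.id, [u.userName for u in s.find_by_external_id("tok-hr", "1001")])
    print(bob.id, [u.userName for u in s.find_by_external_id("tok-pay", "1001")])
```

With a single, unscoped externalId attribute the second create above would either be rejected or, worse, a later lookup from the HR client would return the payroll client's user; keying the value by provisioning domain is what makes the RFC 7643 definition hold when one server serves several domains.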
Feedback in expanding the attributes to add equivalent of roles
Request for feedback
Danny Zollner spoke about SCIM roles and entitlements (draft-zollner-scim-roles-entitlements-extension). The proposed new endpoints allow for client discovery of user resource roles and entitlement attributes. The Internet-Draft is in a WG Call for Adoption (ending towards the end of the month), so comments or support on the mailing list would be appreciated. There are some planned updates including allowing multiple “members” to be provisioned for and inhabit a role. Guidance for role/entitlement sub-attributes will be provided. There will also be guidance added on roles and entitlements ordering dependencies and whether some combinations clash.
Dean Saxe: No way to filter on a parameter e.g. "isManager".
Sees a need for only requesting subsets on queries.
Dean - question is really about filtering to limit the number of returned users
Nancy, is this in a different draft instead?
Danny - are there other new Schema properties
Pam question about reference value
Nancy - draft is still evolving?
Zollner then spoke about Reference Value Location Internet-Draft (draft-zollner-scim-referential-value-location). This is an extension of the SCIM core 2.0 schema. It limits the set of values that can be assigned to attributes to prevent nonsensical assignments. Dean Saxe (Amazon) asked if the spec would add a filtering capability for referential values. Zollner believes this could be a different extension to the core schema. Nancy Cam-Winget (Cisco, WG co-chair) suggested this was something for a different Internet-Draft – SCIM Events or Cursor Paging. Saxe will reach out to Zollner and perhaps Phil Hunt about this topic. Zollner asks if other schema properties are needed such as cardinality or multi-valued attributes, or even broader schema properties extensions. He is concerned about overcomplicating things. Dingle asked if there are security limitations that need to be added to limit the destination for a GET, for example. Zollner has not attempted to do so in the current document, but it’s not clear this is a problem the way the document is written. Feedback and comments are solicited – Zollner is not looking for adoption yet.
3 updates since -01
Spent considerable time debating expansion of pagination and potential overlap between Pagination and SCIM Events and Delta Query
Cursor paged pagination
Events
Query Drafts
Darrel Miller
Challenges with events
Send notification that there is new data and then make the query
Danny proposes to put out a call for adoption in the next couple of weeks.
Aaron - what about upcoming work?
Darrel
Aaron - need to make sure use cases are clear so readers know which document to choose.
Dean Saxe
Anjali Sehgal
Zollner next addressed cursor-based pagination (draft-peterson-scim-cursor-pagination). An update from the original personal Internet-Draft has been uploaded. It fixes some syntax problems, incorporates a previousCursor parameter to allow bidirectional paging, and improves the ServiceProviderConfig entry for pagination discoverability. A version -02 of the document is expected within the next week or so, although this will be a minor increment. Feedback is desired.
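As an added example, not code from the cursor-pagination draft or its authors, here is a minimal Python model of the exchange the draft describes: the client sends cursor and count, and the server answers with a ListResponse carrying nextCursor and, as of the update above, previousCursor. The cursor is an opaque, HMAC-protected and time-limited encoding of the server's position, so a client cannot forge one, move it past its authorised window, or keep it alive indefinitely. Only the cursor/count parameters and the nextCursor/previousCursor attributes are taken from the draft; MAX_PAGE_SIZE, CURSOR_TTL_SECONDS, the InvalidCursor error, the server key and the sample user list are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample store, in the server's stable sort order (by id).
USERS = [{"id": f"user-{i:02d}", "userName": f"user{i}@example.com"} for i in range(1, 8)]

SERVER_KEY = b"constructed-demo-key-use-a-real-secret"   # assumption: server-only HMAC key
MAX_PAGE_SIZE = 3          # assumption: the server's advertised maximum page size
CURSOR_TTL_SECONDS = 600   # assumption: how long a cursor stays valid
TAG_LEN = 16


class InvalidCursor(ValueError):
    """Forged, corrupted or expired cursor (assumed to map to a 400 with a cursor error)."""


def make_cursor(offset, now=None):
    # Opaque cursor = base64url(payload || HMAC-SHA256(payload)[:16]).
    # Authenticating the payload means the client cannot edit the offset or timestamp.
    payload = json.dumps({"o": offset, "t": int(now or time.time())},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")


def parse_cursor(cursor, now=None):
    try:
        raw = base64.urlsafe_b64decode(cursor + "=" * (-len(cursor) % 4))
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise InvalidCursor("cursor integrity check failed")
        data = json.loads(payload)
    except (ValueError, TypeError) as exc:      # bad base64, bad JSON or bad tag
        raise InvalidCursor(str(exc)) from None
    if (now or time.time()) - data["t"] > CURSOR_TTL_SECONDS:
        raise InvalidCursor("cursor expired")
    return data["o"]


def cursor_is_valid(cursor, now=None):
    try:
        parse_cursor(cursor, now)
        return True
    except InvalidCursor:
        return False


def list_users(cursor=None, count=MAX_PAGE_SIZE, now=None):
    """Server side: one page of a cursor-paginated ListResponse."""
    if count < 1 or count > MAX_PAGE_SIZE:
        count = MAX_PAGE_SIZE     # clamp instead of honouring an unbounded page request
    offset = parse_cursor(cursor, now) if cursor else 0
    page = USERS[offset:offset + count]
    response = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(USERS),
        "itemsPerPage": len(page),
        "Resources": page,
    }
    if offset + count < len(USERS):
        response["nextCursor"] = make_cursor(offset + count, now)
    if offset > 0:
        response["previousCursor"] = make_cursor(max(offset - count, 0), now)
    return response


def walk_all(count=2):
    """Client side: follow nextCursor until the server stops returning one."""
    ids, cursor = [], None
    while True:
        page = list_users(cursor, count)
        ids.extend(r["id"] for r in page["Resources"])
        cursor = page.get("nextCursor")
        if cursor is None:
            return ids


if __name__ == "__main__":
    first = list_users(count=3)
    print(first["itemsPerPage"], "nextCursor" in first, "previousCursor" in first)
    print(walk_all(2))
```

The previousCursor here is derived from the page size used on the forward request, so a client that changes count mid-walk gets a best-effort previous page rather than an exact mirror; a real server would record the page boundaries it handed out, but the integrity and expiry checks are the part worth copying.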
There has been some concern over perceived overlap of the pagination, SCIM events, and an upcoming delta query document. Zollner doesn’t agree that there is overlap. He describes the difference as:
Darrel Miller (Microsoft) noted that Microsoft Graph API combines SCIM Events and Delta Query to signal the client that a change has happened. The client then can use Delta Query to get those changes. He suggests that Zollner consider the combination instead of only looking at the options separately. Zollner also suggests delta queries can be combined with pagination for results that return large sets. He would like to see a watermark-based delta query that can return results since a supplied point, which would allow re-retrieval. Miller indicates that this is a high-fidelity mechanism that is expensive for the server to execute, so it shouldn’t be the only thing made available. The upshot of all these points is that all three Internet-Drafts have roles to play, do not really overlap substantially, and even work well together.
In terms of upcoming work, Zollner will focus on a generalized HR “worker/employer” schema, change detection for delta querying, a security BCP, and how to authorize access to an Internet-accessible reference attribute URL (e.g., that points to a profile photograph) in a standardized way.
Anjali Sehgal (AWS) asked about the use case for the future HR schema. Zollner said that identity systems have started to shift to where HR is the source of authority of most user data, such as name, work location, and employment status. When trying to move that HR data into other systems, the lack of standardization for that data is problematic. Sehgal will reach out to Zollner to work together on the schema.
There will be a SCIM side meeting on Wednesday at 4 p.m.