SCIM @ IETF 121
Tuesday 2024-11-05 16:30Z
Notetakers: Bart Brinckman, Darrel Miller
Agenda Bash - chairs (5 min)
SCIM Use Cases - 15 min (Pam and Paulo)
https://datatracker.ietf.org/doc/draft-correia-scim-use-cases/
Device Models - 10 min (Eliot)
https://datatracker.ietf.org/doc/draft-ietf-scim-device-model/
Agenda Gardening
Review agenda: SCIM use case + device models
new topic: cursor pagination update
SCIM Use Cases
draft not yet accepted by the working group, seeking adoption
new draft
goal: orient implementers to guide what to use scim for
SCIM basics:
- Resource types: users, groups, device + extensions
- Resource objects: e.g. user groups
- Resource attributes: claims in objects
Orchestrator roles:
- Use cases discuss SCIM actions in aggregate rather than protocol
Provisioning domains & SCIM Actions/Triggers
- Implementer point of view, orchestrator roles talk about
directionality of data, not client vs server
- Pulling data vs pushing data: polling vs SCIM events
Resource manager: implementation options
- Focus on specific implementations that have been seen in the SCIM
community
- Partner device registry: device provisioning from manufacturer,
either push or pull
- Commissioning: Generating device identity, with active push to SCIM
server
- Client gets directory services: active pull to client
- Credential push in order to manage devices
- Simple enterprise apps with basic SCIM client that just pulls data
- Creating and updating attributes that reside in SaaS App. Client can
be SCIM server and client at the same time -or- client performs active
push and delta pulls
- Reconciliation: bringing consistency between IdM and enterprise app:
active push, delta pull, and active push when record is found out of
sync
Paulo calls for reviewers
Goal of the draft is to agree on the terms for implementers
Eliot:
- draft is much more than just use cases: also describes SCIM
architecture, adds value
- these are well-envisioned use cases. It demonstrates that SCIM is
doing a good job in expanding its capabilities. Please reference RFC 5218.
Use cases are stretched beyond initially envisioned use cases
- this is not the definitive list of use cases. make clear this work is
non-normative
- Eliot supports adoption by the working group
Aaron:
- Did not see the simple enterprise use case of exchanging
user data with an application
Pam:
- We do have this section in the document, enterprise last mile, but in
the enterprise world there are connectors, and wanted to describe
Aaron: Looking for clarification on the goals
Paulo: Skipped use case 1-3 in the presentation.
Mike: Agrees with Eliot. Terms that are used are better than what we
have used. This approach is better than one off connectors. Will review.
Paulo: Looking for good examples.
Nancy:
Device Models
Has been presented multiple times before and a WG last call has been
issued.
SCIM device model recap
- core device model is really slim
- examples are BLE, Zigbee, Wi-Fi DPP, FIDO, Ethernet MAB
Since IETF 121
- Initial security review finished and update done based on feedback
- IoT directorate review
- Last call review: good comments from people at Cisco and Philips, caught
some errors, which were fixed
- OSS implementation is available and one other implementation.
Issues left:
- Allow SubjectAltNames in client certs: draft mentions DNS-based SANs.
Should we do a reverse lookup and validate that the DNS name is the endpoint we
are speaking to? Comments welcome
- Review what is mandatory and what is optional. e.g. can
telemetryEndpoint be optional? Some devices don't need this.
- Client devices? Need to be made aware that telemetryEndpoint is not
supported
Next steps:
- new draft
- shepherd review
- Monty and Eliot will work on an extension document on X.509 IDevIDs
No questions or comments
Chairs agree with next steps
Update to cursor pagination
Nancy:
Cisco has implemented the client side of cursor pagination using the
reference implementation for the server at scim.dev and it appears to be
interoperable. The server side is not complete, but the exercise at
least allowed for interoperability, though error conditions and bounds
are not checked.
Aaron: SCIM events will move to the shepherd's writeup
Mike: Hearing that multiple implementations are imminent
Nancy: We did have a couple of implementations
Chairs call for other business: no other business