SCIM IETF 123
24 July 2025 12:00-13:00

Chairs: Nancy Cam-Winget, Aaron Parecki
Notetaers: Eliot Lear, Aaron Parecki, Nancy Cam-Winget

Nancy and Aaron convened the meeting.

Usual Code of Conduct slides presented.
Meeting tips presented.
Materials presented.

Agenda presented.

Dean was thanked for being up in the middle of the night to participate.

Agenda was bashed.

Paulo:
draft-ietf-scim-use-cases.

• Good feedback to draft; but would like to see more contributions.
  Need to revamp contributions, update terminology per comment
  feedback.

Open issues:

• when do we talk about security events?

  • we have triggers and actions

  • it's not well defined as to what actions the events are invoking

    the security events authors should review.
    * Mike Kiser offered to review. (Yay!)

• Single signon and just in time provisioning

  • How can that be an action?
  • More feedback and real world examples with JIT and SCIM needed
  • 3.1.5.4 needs more feedback from the authors

• Section 4.x

  • Single vs. Multi-tenant: Pam argued in IETF 120 that there are
    differences, and so it split. They do the same thing, but they
    are described differently. Does it make sense to have two
    separate
    use cases? We need feedback.
  • There are some uses cases where RS is a server and some cases
    where
    RS is also a client.

Eliot: chaining SCIM servers, middle SCIM server might be assigning IDs,
might cause problems. The issue is that sometimes a resource gets
created in this middle SCIM
server when it is doing dispatch. And when the server gets an PATCH or
an UPDATE to
that would cause a downstream CREATE, the id doesn't exist on the
downstream, but is
read only from the client perspective. This needs some discussion.

• Paulo: needs to explain implementer's decisions for the various
  scenarios vs. what needs to be in the protocol; e.g. resource
  subscriber role (e.g. server vs client role)...what if there are
  attributes not managed by the client (if there's an IdP in the
  cloud, with an application like email that handles some of the
  attributes and must know some of the identity attributes in the
  IdP). SCIM passes attributes to the application, but then who
  becomes the authority for those attributes? More reviewers and
  feedback is needed.

It's time to fish or cut bait with this draft. It's been going on for a
while, since on 117.

Nancy: the use cases draft was supposed to document the use cases that
we would use to
update the protocol.
Are we ready for WGLC?
Deb: nothing says you can't do multiple WGLCs or go for early reviews.

Dean: it's good, confusing to read, but not ready for WGLC. Vendors
should spend some
time on it.
Reviewers volunteering: Anjali Sehgal (AWS) will look for someone in AWS
to review, Aaron will find someone at Okta, Mike Kiser is on it, Eliot
Lear will continue to review.

Dean: IPSIE update
interoperatbility across existing specifications.
xkcd 927 doesn't apply. Not trying to write a new standard.
planning on doing a profile of SCIM.
Looking at session and identity lifecycles.
There are some common requirements that will be spread across all IPSIE
profiles
There's an early draft for SCIM at level 1 in the OpenID foundation
repo.
EMail to scim WG to mention all of this.

Eliot:
draft-ietf-scim-device-model.

• there's an issue with the current draft in handling groups. Neeed a
  "groups" to the Device object definition
• Rohit: there's a type value that can be a canonical value
• Eliot asks if implementations swap out canonical values?
• if changes are made will it cause interoperability issue?

• If we do a mini-last call, it's a normative change to draft

• AD: still can do a short WGLC to make sure it clears given its a
  small change; it doesn't have to go thru the whole iesg review again

• Paulo asks if we actually need to change anything RFC 7643)

• Eliot says the text is non-normative; but the device model draft
  could make note of this
• Paulo concerns to creating precendence
• AD: it is in the charter to change RC 7643; there is a WG forming to
  change some of the JSON schemas (not in security).

Dmitry Izumskiy : asks whether SCIM is for enterprise only or can it
consider consumer use cases
Paulo: the use cases is open and SCIM could apply for both, encourages
capturing the consumer usage in the use cases draft