From nobody Thu Feb 2 10:18:30 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70DDC1298CE for ; Thu, 2 Feb 2017 10:18:24 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZEhQVhFix223 for ; Thu, 2 Feb 2017 10:18:23 -0800 (PST) Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 570EB12994F for ; Thu, 2 Feb 2017 10:18:16 -0800 (PST) Received: by mail-wm0-x22d.google.com with SMTP id c85so102729496wmi.1 for ; Thu, 02 Feb 2017 10:18:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=U8bKa6p5MrtXFDZF7qX2vuLBhsaAxqslueXLGBQT8ZU=; b=bY19COKllJ9MHAvdoY23mgDpNwkb96M3ccOfPsPqN05w5q6Qjsafj6Y7I2tp10Tvax N12bXUUBr2aAM/WNHQ+MaHFmGngkKlLv/Z4guPcfUzu3+4CL55a8rHTK+RjybFTVs0Uw x5EI0jhMYJnQtd/+r8OwTYakqlbroIlIY5dbU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=U8bKa6p5MrtXFDZF7qX2vuLBhsaAxqslueXLGBQT8ZU=; b=CFJSeNIMxBgGuc3IyB4XdV60V7wXtPPcDgWbDm10X3IrkjDeD2OPRUivMtPOWMXyiR Junm8wyn1aO+RDsRZX4eSzl/YbtVzFx35gp1OSrBw5CJ8nHuD8amZjT/Rgbn5Tad5VQB y9OOHB20YZlSrgIxq6u0LiGmJGXv3KEeVID5HTJuy3mRV9KTI2L1ELvhLAeT2AOKdc9R BykItFcUQBW8FeXnaX7tDMxiOdaKatk5I0lN72XoJyPNMk/IPUB6SYLt4HgmrTxZN/so K9tmGU4kZD6tlGIk4zhnoKZkpv8MGZRj4IaxWXTp70w/UJppd9EulKsYxlj2bXgmt15p VVJg== X-Gm-Message-State: AIkVDXILEQbblQZciRziVyAz/hfhQBXTtAqkaOpPrZh5ERx60kfh2ENRQL3xGgGprgcXRRket6P12WnkO9wEnh8P X-Received: by 10.28.24.5 with SMTP id 5mr8714201wmy.1.1486059494690; Thu, 02 Feb 2017 10:18:14 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.134.169 with HTTP; Thu, 2 Feb 2017 10:18:14 -0800 (PST) From: Gayan Gunawardana Date: Thu, 2 Feb 2017 23:48:14 +0530 Message-ID: To: scim@ietf.org Content-Type: multipart/alternative; boundary=001a114690584bec650547903018 Archived-At: Subject: [scim] How to check isUsernameExist for Self Sign Up X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Feb 2017 18:18:24 -0000 --001a114690584bec650547903018 Content-Type: text/plain; charset=UTF-8 Hello, According to [1] self sign up can be achieved via sending authenticated request to /Me. What is the proper way to check isUsernameExist before self sign up ? [1]https://tools.ietf.org/html/rfc7644#section-3.11 Thanks, Gayan -- Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --001a114690584bec650547903018 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hello,

According to [1] self sign up can = be achieved via sending authenticated request to /Me.

What is the p= roper way to check isUsernameExist before self sign up ?
=C2=A0
[1]<= a href=3D"https://tools.ietf.org/html/rfc7644#section-3.11">https://tools.i= etf.org/html/rfc7644#section-3.11

Thanks,
Gayan
--
Gayan Gunawardana
<= /font>
Software Engineer; WSO2 = Inc.; http://wso2.com/
--001a114690584bec650547903018-- From nobody Thu Feb 2 10:49:52 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EA2B12996D for ; Thu, 2 Feb 2017 10:49:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -8.555 X-Spam-Level: X-Spam-Status: No, score=-8.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.156, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jc6ecYYiIQD7 for ; Thu, 2 Feb 2017 10:49:48 -0800 (PST) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5A0F129972 for ; Thu, 2 Feb 2017 10:49:43 -0800 (PST) Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v12Ingau018659 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 2 Feb 2017 18:49:43 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserv0021.oracle.com (8.13.8/8.14.4) with ESMTP id v12Inf1R014931 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 2 Feb 2017 18:49:42 GMT Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v12IndBm025072; Thu, 2 Feb 2017 18:49:41 GMT Received: from [10.0.1.30] (/24.86.208.48) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 02 Feb 2017 10:49:39 -0800 Content-Type: multipart/alternative; boundary="Apple-Mail=_B13FA35F-5547-4FC1-A678-A690C56A5777" Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) From: Phil Hunt In-Reply-To: Date: Thu, 2 Feb 2017 10:49:38 -0800 Message-Id: <96ACFE7E-9A4C-4010-B43B-50D4086D0C49@oracle.com> References: To: Gayan Gunawardana X-Mailer: Apple Mail (2.3124) X-Source-IP: aserv0021.oracle.com [141.146.126.233] Archived-At: Cc: scim@ietf.org Subject: Re: [scim] How to check isUsernameExist for Self Sign Up X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Feb 2017 18:49:50 -0000 --Apple-Mail=_B13FA35F-5547-4FC1-A678-A690C56A5777 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Gayan, Keep in mind SCIM is just a RESTful api. There are no functional methods = like isUsernameExist. You can=E2=80=A6 1. Just try HTTP POST to create the user and if there is a conflict, it = gets rejected. This is probably easiest. 2. Use GET /Users?filter=3D"(userName eq \=E2=80=9Dval\=E2=80=9D)=E2=80=9D= &attributes=3Did. If you can no records return there were no matches. = If you get a return, it is in use. Note, either way, you will get a = successful response. Note, I suspect it is possible that despite checking with #2, you might = still get a rejection when you POST. This might be due to a reserve or = lock on the username or other identifier. Your rights as an administrative client will also impact what you get = back with the query in particular. For example, if you are querying = anonymously, you might get no matches because the service provider has = determined it is not going to answer your and confirm presence or not of = the match. Likewise, many service providers will have DoS and other security = restrictions on what clients can register. =20 E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D registration, = a mobile app could register with the service provider to obtain a = =E2=80=9Cpublic=E2=80=9D OAuth client credential that gives the mobile = client the right to register a new user profile on behalf of the user = (e.g. by using profile data from the mobile phone). Phil Oracle Corporation, Identity Cloud Services & Identity Standards @independentid www.independentid.com = phil.hunt@oracle.com = > On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana wrote: >=20 > Hello, >=20 > According to [1] self sign up can be achieved via sending = authenticated request to /Me.=20 >=20 > What is the proper way to check isUsernameExist before self sign up ? > =20 > [1]https://tools.ietf.org/html/rfc7644#section-3.11 = >=20 > Thanks, > Gayan > --=20 > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: gayan@wso2.com =20 > Mobile: +94 (71) 8020933 > <>_______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim --Apple-Mail=_B13FA35F-5547-4FC1-A678-A690C56A5777 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8
Gayan,

Keep in mind SCIM is just a RESTful api. There are no = functional methods like isUsernameExist.

You can=E2=80=A6
1.  Just try HTTP POST to create the = user and if there is a conflict, it gets rejected.  This is = probably easiest.

2.  Use GET /Users?filter=3D"(userName eq = \=E2=80=9Dval\=E2=80=9D)=E2=80=9D&attributes=3Did.  If you can = no records return there were no matches. If you get a return, it is in = use.  Note, either way, you will get a successful = response.

Note, = I suspect it is possible that despite checking with #2, you might still = get a rejection when you POST. This might be due to a reserve or lock on = the username or other identifier.

Your rights as an administrative client = will also impact what you get back with the query in particular. =  For example, if you are querying anonymously, you might get no = matches because the service provider has determined it is not going to = answer your and confirm presence or not of the match.

Likewise, many service = providers will have DoS and other security restrictions on what clients = can register.  

E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D = registration, a mobile app could register with the service provider to = obtain a =E2=80=9Cpublic=E2=80=9D OAuth client credential that gives the = mobile client the right to register a new user profile on behalf of the = user (e.g. by using profile data from the mobile phone).

Phil

Oracle Corporation, Identity Cloud = Services & Identity Standards
@independentid
www.independentid.com
phil.hunt@oracle.com







On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana <gayan@wso2.com> = wrote:

Hello,

According to [1] self sign up can be achieved = via sending authenticated request to /Me.

What is the proper way to check isUsernameExist before self = sign up ?
 
[1]https://tools.ietf.org/html/rfc7644#section-3.11

Thanks,
Gayan
--
Gayan Gunawardana
Software = Engineer; WSO2 Inc.; http://wso2.com/
Email: gayan@wso2.com
Mobile: +94 (71) 8020933
_______________________________________________
scim = mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim

= --Apple-Mail=_B13FA35F-5547-4FC1-A678-A690C56A5777-- From nobody Thu Feb 2 11:27:16 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D8AA1294FA for ; Thu, 2 Feb 2017 11:27:15 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OmconeA9X0eF for ; Thu, 2 Feb 2017 11:27:13 -0800 (PST) Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 419061294F7 for ; Thu, 2 Feb 2017 11:27:13 -0800 (PST) Received: by mail-wm0-x22f.google.com with SMTP id r141so1869386wmg.1 for ; Thu, 02 Feb 2017 11:27:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Xdyn0q0f0c9rNnADv8r0PWFYtcz0bQzHlRYOcRzbePw=; b=OJNts9dpah2QK/DGVyggTrGHFr/xZ7wdbgdLdq8b5zbGf2zJGCJfTumkcgHGMlEc9K ZIjt0lMjTAb9CcDGt1zO0ZEnvMIQPkcLtrfa8cen4J19fHRPvq0g7XVXDUgAif5jCnp0 KqGzJEGWq6twcpM3Z0nhKx4FSLXBJ7hyifnX0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Xdyn0q0f0c9rNnADv8r0PWFYtcz0bQzHlRYOcRzbePw=; b=sxeJ4cMqZKKQE4a97wGzhvrb3qTPfyzV4mX8V2ZJPUg9WLJmXWYQn3IuzpYSK9uIgX ZYwkJkh00SxO2lqsPNLJDD7ZkjudhaoQFqvO6bS8mVy0VIgc6qQz7K/vPM+0tLX92VGi DRpf1krQz33d57ZBfjhtN1Nalre4LQX1ynavSNeWi7WKbcSQ96yv6Z1oS5wfgyYf6Cde C6p09f5Ch5ANsXe2bw00WkEGEI3wncJbrCLmOligNNWByvT8FvPPtP+dNzrzqwSvtY5H GiDoHzto09i7jB14G8gOtvY/N5ijMwngs5nHl5gdmM0t7UGkUwhRZ8jGYJqcj4ySI51P riDA== X-Gm-Message-State: AIkVDXK4nPmdCJv8qmGvBN72/hCbZ21OilXXy5E10/4/4ro2MO+MOH8NBA0U8D55X8na0bSYeH8+3fdljTVcj2wJ X-Received: by 10.223.134.151 with SMTP id 23mr10609855wrx.0.1486063631202; Thu, 02 Feb 2017 11:27:11 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.134.169 with HTTP; Thu, 2 Feb 2017 11:27:10 -0800 (PST) In-Reply-To: <96ACFE7E-9A4C-4010-B43B-50D4086D0C49@oracle.com> References: <96ACFE7E-9A4C-4010-B43B-50D4086D0C49@oracle.com> From: Gayan Gunawardana Date: Fri, 3 Feb 2017 00:57:10 +0530 Message-ID: To: Phil Hunt Content-Type: multipart/alternative; boundary=001a1146ac78da1b8c054791264d Archived-At: Cc: scim@ietf.org Subject: Re: [scim] How to check isUsernameExist for Self Sign Up X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Feb 2017 19:27:15 -0000 --001a1146ac78da1b8c054791264d Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Phil, On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt wrote: > Gayan, > > Keep in mind SCIM is just a RESTful api. There are no functional methods > like isUsernameExist. > Yes totally understood. > > You can=E2=80=A6 > > 1. Just try HTTP POST to create the user and if there is a conflict, it > gets rejected. This is probably easiest. > > 2. Use GET /Users?filter=3D"(userName eq \=E2=80=9Dval\=E2=80=9D)=E2=80= =9D&attributes=3Did. If you > can no records return there were no matches. If you get a return, it is i= n > use. Note, either way, you will get a successful response. > Yes both [1],[2] are possible but the problem is self sign up user(before self sign up) does not have valid credentials to perform above operations. > > Note, I suspect it is possible that despite checking with #2, you might > still get a rejection when you POST. This might be due to a reserve or lo= ck > on the username or other identifier. > > Your rights as an administrative client will also impact what you get bac= k > with the query in particular. For example, if you are querying > anonymously, you might get no matches because the service provider has > determined it is not going to answer your and confirm presence or not of > the match. > Is there any security constrains for service providers to behave like that for anonymous requests ? > > Likewise, many service providers will have DoS and other security > restrictions on what clients can register. > > E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D registration, a= mobile app could > register with the service provider to obtain a =E2=80=9Cpublic=E2=80=9D O= Auth client > credential that gives the mobile client the right to register a new user > profile on behalf of the user (e.g. by using profile data from the mobile > phone). > > Phil > > Oracle Corporation, Identity Cloud Services & Identity Standards > @independentid > www.independentid.com > phil.hunt@oracle.com > > > > > > > > On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana wrote: > > Hello, > > According to [1] self sign up can be achieved via sending authenticated > request to /Me. > > What is the proper way to check isUsernameExist before self sign up ? > > [1]https://tools.ietf.org/html/rfc7644#section-3.11 > > Thanks, > Gayan > -- > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: gayan@wso2.com > Mobile: +94 (71) 8020933 > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim > > > --=20 Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --001a1146ac78da1b8c054791264d Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hi Phil,

On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt <phil.hunt@= oracle.com> wrote:
Gayan,

Keep in mind SC= IM is just a RESTful api. There are no functional methods like isUsernameEx= ist.
Yes totally understood.

Y= ou can=E2=80=A6

1.=C2=A0 Just try HTTP POST to create th= e user and if there is a conflict, it gets rejected.=C2=A0 This is probably= easiest.

2.=C2=A0 Use GET /Users?filter=3D"(= userName eq \=E2=80=9Dval\=E2=80=9D)=E2=80=9D&attributes=3Did.=C2=A0 If= you can no records return there were no matches. If you get a return, it i= s in use.=C2=A0 Note, either way, you will get a successful response.
=
Yes both [1],[2] are possible but the problem= is self sign up user(before self sign up) does not have valid credentials = to perform above operations. =C2=A0

Note, I susp= ect it is possible that despite checking with #2, you might still get a rej= ection when you POST. This might be due to a reserve or lock on the usernam= e or other identifier.

Your rights as an administr= ative client will also impact what you get back with the query in particula= r.=C2=A0 For example, if you are querying anonymously, you might get no mat= ches because the service provider has determined it is not going to answer = your and confirm presence or not of the match.
Is there any security constrains for service providers to behave lik= e that for anonymous requests ?

Likewise, many s= ervice providers will have DoS and other security restrictions on what clie= nts can register. =C2=A0

E.g. to moderate the need= for =E2=80=9Canonymous=E2=80=9D registration, a mobile app could register = with the service provider to obtain a =E2=80=9Cpublic=E2=80=9D OAuth client= credential that gives the mobile client the right to register a new user p= rofile on behalf of the user (e.g. by using profile data from the mobile ph= one).

<= div>
Phil

Oracle Corporation, Identity Cl= oud Services & Identity Standards
@independentid
www.independentid.= com
phil.hunt@oracle.com






On Feb 2, 20= 17, at 10:18 AM, Gayan Gunawardana <gayan@wso2.com> wrote:

Hello,

According to [1] self sign up ca= n be achieved via sending authenticated request to /Me.

What is the= proper way to check isUsernameExist before self sign up ?
=C2=A0
[1= ]https://tools.ietf.org/html/rfc7644#section-3.11

Thanks,
Gayan
--
Gayan Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
_______________________________________________
scim mailing listscim@ietf.org
<= a href=3D"https://www.ietf.org/mailman/listinfo/scim" target=3D"_blank">htt= ps://www.ietf.org/mailman/listinfo/scim




--
Gayan= Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
--001a1146ac78da1b8c054791264d-- From nobody Thu Feb 2 11:54:29 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 770E7129524 for ; Thu, 2 Feb 2017 11:54:28 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -8.554 X-Spam-Level: X-Spam-Status: No, score=-8.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.156, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id STDfBKHrUupY for ; Thu, 2 Feb 2017 11:54:26 -0800 (PST) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A29FF1294E3 for ; Thu, 2 Feb 2017 11:54:26 -0800 (PST) Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v12JsPTS010705 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 2 Feb 2017 19:54:26 GMT Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v12JsPqa032613 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 2 Feb 2017 19:54:25 GMT Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v12JsOCR030404; Thu, 2 Feb 2017 19:54:25 GMT Received: from [10.0.1.5] (/24.86.208.48) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 02 Feb 2017 11:54:24 -0800 Content-Type: multipart/alternative; boundary=Apple-Mail-D5ACBC4E-2F3C-4875-9940-A0D5445620C9 Mime-Version: 1.0 (1.0) From: "Phil Hunt (IDM)" X-Mailer: iPhone Mail (14D27) In-Reply-To: Date: Thu, 2 Feb 2017 11:54:23 -0800 Content-Transfer-Encoding: 7bit Message-Id: <23158D21-2EC9-4E0B-8592-17779D0E1311@oracle.com> References: <96ACFE7E-9A4C-4010-B43B-50D4086D0C49@oracle.com> To: Gayan Gunawardana X-Source-IP: userv0022.oracle.com [156.151.31.74] Archived-At: Cc: scim@ietf.org Subject: Re: [scim] How to check isUsernameExist for Self Sign Up X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Feb 2017 19:54:28 -0000 --Apple-Mail-D5ACBC4E-2F3C-4875-9940-A0D5445620C9 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Inline Phil > On Feb 2, 2017, at 11:27 AM, Gayan Gunawardana wrote: >=20 > Hi Phil, >=20 >> On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt wrote: >> Gayan, >>=20 >> Keep in mind SCIM is just a RESTful api. There are no functional methods l= ike isUsernameExist. > Yes totally understood.=20 >>=20 >> You can=E2=80=A6 >>=20 >> 1. Just try HTTP POST to create the user and if there is a conflict, it g= ets rejected. This is probably easiest. >>=20 >> 2. Use GET /Users?filter=3D"(userName eq \=E2=80=9Dval\=E2=80=9D)=E2=80=9D= &attributes=3Did. If you can no records return there were no matches. If yo= u get a return, it is in use. Note, either way, you will get a successful r= esponse. > Yes both [1],[2] are possible but the problem is self sign up user(before s= elf sign up) does not have valid credentials to perform above operations. As i described an app could register as a developer or use dyn reg.=20 > =20 >>=20 >> Note, I suspect it is possible that despite checking with #2, you might s= till get a rejection when you POST. This might be due to a reserve or lock o= n the username or other identifier. >>=20 >> Your rights as an administrative client will also impact what you get bac= k with the query in particular. For example, if you are querying anonymousl= y, you might get no matches because the service provider has determined it i= s not going to answer your and confirm presence or not of the match. > Is there any security constrains for service providers to behave like that= for anonymous requests ?=20 Yes DoS attacks are a concern that prevent total anonymous registration. You= need some trusted broker like a web or mobile app.=20 Also many IDPs likely have a vetting process to establish some assurance abo= ut claims. Eg when an enterprise calls scim the enterprise is judged authori= tative over employee assertions.=20 Others might do secondary validation (eg email confirmation).=20 All of this is really outside the scope of provisioning protocol but part of= the larger IDM services approaches.=20 >>=20 >> Likewise, many service providers will have DoS and other security restric= tions on what clients can register. =20 >>=20 >> E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D registration, a= mobile app could register with the service provider to obtain a =E2=80=9Cpu= blic=E2=80=9D OAuth client credential that gives the mobile client the right= to register a new user profile on behalf of the user (e.g. by using profile= data from the mobile phone). >>=20 >> Phil >>=20 >> Oracle Corporation, Identity Cloud Services & Identity Standards >> @independentid >> www.independentid.com >> phil.hunt@oracle.com >>=20 >>=20 >>=20 >>=20 >>=20 >>=20 >>=20 >>> On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana wrote: >>>=20 >>> Hello, >>>=20 >>> According to [1] self sign up can be achieved via sending authenticated r= equest to /Me.=20 >>>=20 >>> What is the proper way to check isUsernameExist before self sign up ? >>> =20 >>> [1]https://tools.ietf.org/html/rfc7644#section-3.11 >>>=20 >>> Thanks, >>> Gayan >>> --=20 >>> Gayan Gunawardana >>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>> Email: gayan@wso2.com=20 >>> Mobile: +94 (71) 8020933 >>> _______________________________________________ >>> scim mailing list >>> scim@ietf.org >>> https://www.ietf.org/mailman/listinfo/scim >>=20 >=20 >=20 >=20 > --=20 > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: gayan@wso2.com=20 > Mobile: +94 (71) 8020933 --Apple-Mail-D5ACBC4E-2F3C-4875-9940-A0D5445620C9 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
Inline

Phil

On Fe= b 2, 2017, at 11:27 AM, Gayan Gunawardana <gayan@wso2.com> wrote:

Hi Phil,

On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt <phil.hunt@o= racle.com> wrote:
Gayan,

Keep in mind SCIM is j= ust a RESTful api. There are no functional methods like isUsernameExist.
Yes totally understood.

You can=E2=80= =A6

1.  Just try HTTP POST to create the user and if= there is a conflict, it gets rejected.  This is probably easiest.

2.  Use GET /Users?filter=3D"(userName eq \=E2=80=9D= val\=E2=80=9D)=E2=80=9D&attributes=3Did.  If you can no records ret= urn there were no matches. If you get a return, it is in use.  Note, ei= ther way, you will get a successful response.
=
Yes both [1],[2] are possible but the problem is self sign up user(befo= re self sign up) does not have valid credentials to perform above operations= .

As i descri= bed an app could register as a developer or use dyn reg. 
 

Note, I suspect i= t is possible that despite checking with #2, you might still get a rejection= when you POST. This might be due to a reserve or lock on the username or ot= her identifier.

Your rights as an administrative cl= ient will also impact what you get back with the query in particular.  = For example, if you are querying anonymously, you might get no matches becau= se the service provider has determined it is not going to answer your and co= nfirm presence or not of the match.
Is th= ere any security constrains for service providers to behave like that for an= onymous requests ?

Yes DoS attacks are a concern that prevent total anonymous regist= ration. You need some trusted broker like a web or mobile app. 
Also many IDPs likely have a vetting process to establish some a= ssurance about claims. Eg when an enterprise calls scim the enterprise is ju= dged authoritative over employee assertions. 

= Others might do secondary validation (eg email confirmation). 

All of this is really outside the scope of provisioning pro= tocol but part of the larger IDM services approaches. 

Likewise, many service providers will have D= oS and other security restrictions on what clients can register.  

E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D= registration, a mobile app could register with the service provider to obta= in a =E2=80=9Cpublic=E2=80=9D OAuth client credential that gives the mobile c= lient the right to register a new user profile on behalf of the user (e.g. b= y using profile data from the mobile phone).

Phil

Oracle Corporation, Identity Cloud Services= & Identity Standards
@independentid
<= /div>
phil.hunt@oracle.com






=

On Feb 2, 201= 7, at 10:18 AM, Gayan Gunawardana <gayan@wso2.com> wrote:

Hello,

According to [1] self sign up can be a= chieved via sending authenticated request to /Me.

What is the proper= way to check isUsernameExist before self sign up ?
 
[1]http= s://tools.ietf.org/html/rfc7644#section-3.11

Thanks,
Gayan
--
Gayan Gunawardana
Software Engineer; WSO2 I= nc.; http://wso2.com/
=
_______________________________________________
scim mailing listscim@ietf.org
https:/= /www.ietf.org/mailman/listinfo/scim



--
Gayan Gunaward= ana
Software Engineer; WSO2 I= nc.; http://wso2.com/
=
= --Apple-Mail-D5ACBC4E-2F3C-4875-9940-A0D5445620C9-- From nobody Sat Feb 4 20:25:29 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 546B9129466 for ; Sat, 4 Feb 2017 20:25:28 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dwtBCK7owj4W for ; Sat, 4 Feb 2017 20:25:26 -0800 (PST) Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D21A127A90 for ; Sat, 4 Feb 2017 20:25:25 -0800 (PST) Received: by mail-wm0-x235.google.com with SMTP id b65so84568352wmf.0 for ; Sat, 04 Feb 2017 20:25:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FvMVfRwwmhIS7P1tzR8oaADhH9vN8sRUScbtVO5IdrY=; b=ILXBq2TD5XLCMlywI9a2czsH5HRYpcFV0xvniTEinuxBEYNxAp/cBUi9Y1uLekJbL+ ytyjf2e9JY1y7/5Ed5riFJ3yFji/nfHXMYlG1ZXEeNPiYVB0nAHKVRy24PGuqZH0xzrU zT7xHQrN7inKxBj7MWhY3EO/u0uvXfhIflvJs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FvMVfRwwmhIS7P1tzR8oaADhH9vN8sRUScbtVO5IdrY=; b=RRxIL8b7b/DgM7wNZHQGIcFGDDdVe/jMqLvPpG3tTSkFGV0IupwJkTGhPp8j38W2kA npL2b1pT82QKjNv5TBgMsJ6UwOtF1JWCH1kfLODj9gLT28wb2z62k2Ety1b1Vi+TUt9R Wm7xffFmy3lW5BBPdmBYuzgh0/DOJXPpE8D9X4VOq8urj/+imM9MsIrU4qq6sm7JqFTp GLZpJx0CEsvgdC4a6pT/+5YIqcU5Hh5Awd/QEKiCdybbIAmGqqiF1UfNmTx4Q/V9fAD3 BJ8SbCyW6r5dG0LZmU0BH2yqj2i+hwv5g7Afyc0eKOLQ3V2+LV5ABW609xyjuFUu9B60 ptTg== X-Gm-Message-State: AMke39mOhKmg8kEKiSRS0HgzYstsAJHYa/VHNNLw7wGtsOOc6IbF99C7g6CNOxFaPL5gKT+hYHAqv9qbk22VGXGS X-Received: by 10.28.222.11 with SMTP id v11mr3510157wmg.1.1486268723881; Sat, 04 Feb 2017 20:25:23 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.134.169 with HTTP; Sat, 4 Feb 2017 20:25:23 -0800 (PST) In-Reply-To: <23158D21-2EC9-4E0B-8592-17779D0E1311@oracle.com> References: <96ACFE7E-9A4C-4010-B43B-50D4086D0C49@oracle.com> <23158D21-2EC9-4E0B-8592-17779D0E1311@oracle.com> From: Gayan Gunawardana Date: Sun, 5 Feb 2017 09:55:23 +0530 Message-ID: To: "Phil Hunt (IDM)" Content-Type: multipart/alternative; boundary=001a114b17ee53ff7a0547c0e759 Archived-At: Cc: scim@ietf.org Subject: Re: [scim] How to check isUsernameExist for Self Sign Up X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Feb 2017 04:25:28 -0000 --001a114b17ee53ff7a0547c0e759 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Fri, Feb 3, 2017 at 1:24 AM, Phil Hunt (IDM) wrote: > Inline > > Phil > > On Feb 2, 2017, at 11:27 AM, Gayan Gunawardana wrote: > > Hi Phil, > > On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt wrote: > >> Gayan, >> >> Keep in mind SCIM is just a RESTful api. There are no functional methods >> like isUsernameExist. >> > Yes totally understood. > >> >> You can=E2=80=A6 >> >> 1. Just try HTTP POST to create the user and if there is a conflict, it >> gets rejected. This is probably easiest. >> >> 2. Use GET /Users?filter=3D"(userName eq \=E2=80=9Dval\=E2=80=9D)=E2=80= =9D&attributes=3Did. If you >> can no records return there were no matches. If you get a return, it is = in >> use. Note, either way, you will get a successful response. >> > Yes both [1],[2] are possible but the problem is self sign up user(before > self sign up) does not have valid credentials to perform above operations= . > > > As i described an app could register as a developer or use dyn reg. > I guess you are referencing to dynamic client registration in OIDC right ? > > >> >> Note, I suspect it is possible that despite checking with #2, you might >> still get a rejection when you POST. This might be due to a reserve or l= ock >> on the username or other identifier. >> >> Your rights as an administrative client will also impact what you get >> back with the query in particular. For example, if you are querying >> anonymously, you might get no matches because the service provider has >> determined it is not going to answer your and confirm presence or not of >> the match. >> > Is there any security constrains for service providers to behave like tha= t > for anonymous requests ? > > > Yes DoS attacks are a concern that prevent total anonymous registration. > You need some trusted broker like a web or mobile app. > Yes having some trusted broker like a web or mobile app would resolve many problems. Many Thanks Phil. > > Also many IDPs likely have a vetting process to establish some assurance > about claims. Eg when an enterprise calls scim the enterprise is judged > authoritative over employee assertions. > > Others might do secondary validation (eg email confirmation). > > All of this is really outside the scope of provisioning protocol but part > of the larger IDM services approaches. > > >> Likewise, many service providers will have DoS and other security >> restrictions on what clients can register. >> >> E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D registration, = a mobile app >> could register with the service provider to obtain a =E2=80=9Cpublic=E2= =80=9D OAuth client >> credential that gives the mobile client the right to register a new user >> profile on behalf of the user (e.g. by using profile data from the mobil= e >> phone). >> >> Phil >> >> Oracle Corporation, Identity Cloud Services & Identity Standards >> @independentid >> www.independentid.com >> phil.hunt@oracle.com >> >> >> >> >> >> >> >> On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana wrote: >> >> Hello, >> >> According to [1] self sign up can be achieved via sending authenticated >> request to /Me. >> >> What is the proper way to check isUsernameExist before self sign up ? >> >> [1]https://tools.ietf.org/html/rfc7644#section-3.11 >> >> Thanks, >> Gayan >> -- >> Gayan Gunawardana >> Software Engineer; WSO2 Inc.; http://wso2.com/ >> Email: gayan@wso2.com >> Mobile: +94 (71) 8020933 >> _______________________________________________ >> scim mailing list >> scim@ietf.org >> https://www.ietf.org/mailman/listinfo/scim >> >> >> > > > -- > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: gayan@wso2.com > Mobile: +94 (71) 8020933 > > --=20 Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --001a114b17ee53ff7a0547c0e759 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


On Fri, Feb 3, 2017 at 1:24 AM, Phil Hunt (IDM) <<= a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">phil.hunt@oracle.c= om> wrote:
Inline

Phil

On Feb 2, 2017, at= 11:27 AM, Gayan Gunawardana <gayan@wso2.com> wrote:

Hi Phil,
On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
Gayan,

Keep= in mind SCIM is just a RESTful api. There are no functional methods like i= sUsernameExist.
Yes totally understood.

<= /div>
You can=E2=80=A6

1.=C2=A0 Just try HTTP POST t= o create the user and if there is a conflict, it gets rejected.=C2=A0 This = is probably easiest.

2.=C2=A0 Use GET /Users?filte= r=3D"(userName eq \=E2=80=9Dval\=E2=80=9D)=E2=80=9D&attributes=3Di= d.=C2=A0 If you can no records return there were no matches. If you get a r= eturn, it is in use.=C2=A0 Note, either way, you will get a successful resp= onse.
Yes both [1],[2] are possible but = the problem is self sign up user(before self sign up) does not have valid c= redentials to perform above operations.
=

As i described an app could register as = a developer or use dyn reg.=C2=A0
I guess you are referencing to dynamic client registration in OID= C right ?
=C2=A0

Note, I suspect it is possible that despite checking with #2, you = might still get a rejection when you POST. This might be due to a reserve o= r lock on the username or other identifier.

Your r= ights as an administrative client will also impact what you get back with t= he query in particular.=C2=A0 For example, if you are querying anonymously,= you might get no matches because the service provider has determined it is= not going to answer your and confirm presence or not of the match.
Is there any security constrains for service pr= oviders to behave like that for anonymous requests ?
=

Yes DoS attacks are a = concern that prevent total anonymous registration. You need some trusted br= oker like a web or mobile app.=C2=A0
Yes having some= trusted broker like a web or mobile app would resolve many problems. Many = Thanks Phil.

Also many IDPs likely have a vetting process to establish = some assurance about claims. Eg when an enterprise calls scim the enterpris= e is judged authoritative over employee assertions.=C2=A0

Others might do secondary validation (eg email confirmation).=C2=A0=

All of this is really outside the scope of provis= ioning protocol but part of the larger IDM services approaches.=C2=A0
<= div class=3D"h5">
<= div class=3D"gmail_extra">

Likew= ise, many service providers will have DoS and other security restrictions o= n what clients can register. =C2=A0

E.g. to modera= te the need for =E2=80=9Canonymous=E2=80=9D registration, a mobile app coul= d register with the service provider to obtain a =E2=80=9Cpublic=E2=80=9D O= Auth client credential that gives the mobile client the right to register a= new user profile on behalf of the user (e.g. by using profile data from th= e mobile phone).

Phil

Oracle Co= rporation, Identity Cloud Services & Identity Standards
@inde= pendentid
phil.hunt@oracle.com







On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana <gayan@wso2.com> wrote:
Hello,

According to [1] self sign up can be achi= eved via sending authenticated request to /Me.

What is the proper w= ay to check isUsernameExist before self sign up ?
=C2=A0
[1]htt= ps://tools.ietf.org/html/rfc7644#section-3.11

Thanks,=
Gayan
--
Gayan Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
_______________________________________________
scim mailing listscim@ietf.org
<= a href=3D"https://www.ietf.org/mailman/listinfo/scim" target=3D"_blank">htt= ps://www.ietf.org/mailman/listinfo/scim




--
Gayan Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/



--
Gayan Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
--001a114b17ee53ff7a0547c0e759-- From nobody Sat Feb 4 21:12:54 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17C3D1294F7 for ; Sat, 4 Feb 2017 21:12:53 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N9G1zDztjXqT for ; Sat, 4 Feb 2017 21:12:51 -0800 (PST) Received: from mail-wr0-x235.google.com (mail-wr0-x235.google.com [IPv6:2a00:1450:400c:c0c::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86F2A12009C for ; Sat, 4 Feb 2017 21:12:51 -0800 (PST) Received: by mail-wr0-x235.google.com with SMTP id 89so6972523wrr.2 for ; Sat, 04 Feb 2017 21:12:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=O9YS26Np9CD8UilYJOSr2a92wPf61WTW9nNxM1kmVAk=; b=GU/WxInC1hE2mq9y2mhDKg7HXvk2z+VrvNmycn2+0kTV7H7hFB1xdEwu59ssg3elpu X0SYSx3Gd1JNCmt+UaWLERCq2K3li72kJh3Z7+7X/doKFUKmnD9B4T7cY/TRuQzEU7nV Xp5dEvZADzfhqOCYzuyNhWdURuGRYJf157Xqw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=O9YS26Np9CD8UilYJOSr2a92wPf61WTW9nNxM1kmVAk=; b=rtjE83BgyFJbEo2qwgiAEUOoqmAm4OsQXJuqhkPcw7Ucr/RJQU9D0Sce0Qxq6P0QQW GkZlVJWafcKesub+p6U9eDVgBj6LHzwS4GEDXaR6f6aZD+OEu5YFTlxbuAmm7Pl0uMrT ZUrVorwBP3OLHVEPENNSuQ6cUsDqnEYJIBdOc2Cnnyk0YKOUKgY3TVhCnV2bIOtF/kfI WpeCELRtFzQsL8rlPUpTmnFB4sQ1TP2unKtqeiFcs+JnEYfgfI3qTKavrpjFHLdTH1gH m0q+SYIUfFpT4GSh1t8PIwjIHaTcIfT+io8eEByxIZjJaYu2LHl/uJXwV9pS7ptQRpkB MdwQ== X-Gm-Message-State: AIkVDXJcGJPJ8TdudHOaKtwSRaaiiNJp8IFIYHh1Ip7PA6xTaVvPzrP1DJAN1Tfe72hAsn+onCDz+DwC1SfGSTa2 X-Received: by 10.223.134.151 with SMTP id 23mr5000107wrx.0.1486271569794; Sat, 04 Feb 2017 21:12:49 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.134.169 with HTTP; Sat, 4 Feb 2017 21:12:49 -0800 (PST) From: Gayan Gunawardana Date: Sun, 5 Feb 2017 10:42:49 +0530 Message-ID: To: scim@ietf.org Content-Type: multipart/alternative; boundary=001a1146ac78f52e9f0547c190e4 Archived-At: Subject: [scim] Unique Attributes X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Feb 2017 05:12:53 -0000 --001a1146ac78f52e9f0547c190e4 Content-Type: text/plain; charset=UTF-8 According to [1] userName seems to be an unique attribute where duplicate resources identified with userName. Similarly Is Group "displayName" an unique attribute ? If answer is no, Does implementation have flexibility to decide uniqueness ? [1]https://tools.ietf.org/html/rfc7644#section-3.3 Thanks, Gayan -- Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --001a1146ac78f52e9f0547c190e4 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
According to [1] userName seems to be an unique attri= bute where duplicate resources identified with userName. Similarly

= Is Group "displayName" an unique attribute ?

If answ= er is no, Does implementation have flexibility to decide uniqueness ?

[1]https= ://tools.ietf.org/html/rfc7644#section-3.3

Thanks,
Gayan

--
Gayan Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
--001a1146ac78f52e9f0547c190e4-- From nobody Mon Feb 6 09:43:24 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A9A0128B44 for ; Mon, 6 Feb 2017 09:43:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.087 X-Spam-Level: X-Spam-Status: No, score=-6.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.887, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rbdVy12712Hb for ; Mon, 6 Feb 2017 09:43:21 -0800 (PST) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F80B12946D for ; Mon, 6 Feb 2017 09:43:21 -0800 (PST) Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v16HhJ0w002576 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 6 Feb 2017 17:43:20 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v16HhIKl009355 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 6 Feb 2017 17:43:19 GMT Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v16HhIQw003517; Mon, 6 Feb 2017 17:43:18 GMT Received: from [25.188.161.128] (/24.114.26.54) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 06 Feb 2017 09:43:17 -0800 Content-Type: multipart/alternative; boundary=Apple-Mail-3BCE0900-74C6-4AA8-8001-3C279BC1C958 Mime-Version: 1.0 (1.0) From: "Phil Hunt (IDM)" X-Mailer: iPhone Mail (14D27) In-Reply-To: Date: Mon, 6 Feb 2017 09:43:11 -0800 Content-Transfer-Encoding: 7bit Message-Id: <90E3A155-A2CE-474D-A5F9-FBCC30605FFB@oracle.com> References: <96ACFE7E-9A4C-4010-B43B-50D4086D0C49@oracle.com> <23158D21-2EC9-4E0B-8592-17779D0E1311@oracle.com> To: Gayan Gunawardana X-Source-IP: aserv0022.oracle.com [141.146.126.234] Archived-At: Cc: scim@ietf.org Subject: Re: [scim] How to check isUsernameExist for Self Sign Up X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Feb 2017 17:43:23 -0000 --Apple-Mail-3BCE0900-74C6-4AA8-8001-3C279BC1C958 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Dyn reg in oauth. But oidc may also apply depending on what you are doing.=20= Phil > On Feb 4, 2017, at 8:25 PM, Gayan Gunawardana wrote: >=20 >=20 >=20 >> On Fri, Feb 3, 2017 at 1:24 AM, Phil Hunt (IDM) wr= ote: >> Inline >>=20 >> Phil >>=20 >>> On Feb 2, 2017, at 11:27 AM, Gayan Gunawardana wrote: >>>=20 >>> Hi Phil, >>>=20 >>>> On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt wrote= : >>>> Gayan, >>>>=20 >>>> Keep in mind SCIM is just a RESTful api. There are no functional method= s like isUsernameExist. >>> Yes totally understood.=20 >>>>=20 >>>> You can=E2=80=A6 >>>>=20 >>>> 1. Just try HTTP POST to create the user and if there is a conflict, i= t gets rejected. This is probably easiest. >>>>=20 >>>> 2. Use GET /Users?filter=3D"(userName eq \=E2=80=9Dval\=E2=80=9D)=E2=80= =9D&attributes=3Did. If you can no records return there were no matches. If= you get a return, it is in use. Note, either way, you will get a successfu= l response. >>> Yes both [1],[2] are possible but the problem is self sign up user(befor= e self sign up) does not have valid credentials to perform above operations.= >>=20 >> As i described an app could register as a developer or use dyn reg.=20 > I guess you are referencing to dynamic client registration in OIDC right ?= =20 >>> =20 >>>>=20 >>>> Note, I suspect it is possible that despite checking with #2, you might= still get a rejection when you POST. This might be due to a reserve or lock= on the username or other identifier. >>>>=20 >>>> Your rights as an administrative client will also impact what you get b= ack with the query in particular. For example, if you are querying anonymou= sly, you might get no matches because the service provider has determined it= is not going to answer your and confirm presence or not of the match. >>> Is there any security constrains for service providers to behave like th= at for anonymous requests ?=20 >>=20 >> Yes DoS attacks are a concern that prevent total anonymous registration. Y= ou need some trusted broker like a web or mobile app.=20 > Yes having some trusted broker like a web or mobile app would resolve many= problems. Many Thanks Phil.=20 >>=20 >> Also many IDPs likely have a vetting process to establish some assurance a= bout claims. Eg when an enterprise calls scim the enterprise is judged autho= ritative over employee assertions.=20 >>=20 >> Others might do secondary validation (eg email confirmation).=20 >>=20 >> All of this is really outside the scope of provisioning protocol but part= of the larger IDM services approaches.=20 >>=20 >>>>=20 >>>> Likewise, many service providers will have DoS and other security restr= ictions on what clients can register. =20 >>>>=20 >>>> E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D registration,= a mobile app could register with the service provider to obtain a =E2=80=9C= public=E2=80=9D OAuth client credential that gives the mobile client the rig= ht to register a new user profile on behalf of the user (e.g. by using profi= le data from the mobile phone). >>>>=20 >>>> Phil >>>>=20 >>>> Oracle Corporation, Identity Cloud Services & Identity Standards >>>> @independentid >>>> www.independentid.com >>>> phil.hunt@oracle.com >>>>=20 >>>>=20 >>>>=20 >>>>=20 >>>>=20 >>>>=20 >>>>=20 >>>>> On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana wrote:= >>>>>=20 >>>>> Hello, >>>>>=20 >>>>> According to [1] self sign up can be achieved via sending authenticate= d request to /Me.=20 >>>>>=20 >>>>> What is the proper way to check isUsernameExist before self sign up ? >>>>> =20 >>>>> [1]https://tools.ietf.org/html/rfc7644#section-3.11 >>>>>=20 >>>>> Thanks, >>>>> Gayan >>>>> --=20 >>>>> Gayan Gunawardana >>>>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>>>> Email: gayan@wso2.com=20 >>>>> Mobile: +94 (71) 8020933 >>>>> _______________________________________________ >>>>> scim mailing list >>>>> scim@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/scim >>>>=20 >>>=20 >>>=20 >>>=20 >>> --=20 >>> Gayan Gunawardana >>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>> Email: gayan@wso2.com=20 >>> Mobile: +94 (71) 8020933 >=20 >=20 >=20 > --=20 > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: gayan@wso2.com=20 > Mobile: +94 (71) 8020933 --Apple-Mail-3BCE0900-74C6-4AA8-8001-3C279BC1C958 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
Dyn reg in oauth. But oidc may also ap= ply depending on what you are doing. 

Phil

On Feb 4= , 2017, at 8:25 PM, Gayan Gunawardana <= gayan@wso2.com> wrote:



On Fri, Feb 3, 2017 at 1:24 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
= Inline

Phil
<= div dir=3D"ltr">Hi Phil,

On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt &= lt;phil.hunt@oracl= e.com> wrote:
Gayan,

Keep in mind SCIM is ju= st a RESTful api. There are no functional methods like isUsernameExist.
Yes totally understood.

You can=E2=80= =A6

1.  Just try HTTP POST to create the user and if= there is a conflict, it gets rejected.  This is probably easiest.

2.  Use GET /Users?filter=3D"(userName eq \=E2=80=9D= val\=E2=80=9D)=E2=80=9D&attributes=3Did.  If you can no records ret= urn there were no matches. If you get a return, it is in use.  Note, ei= ther way, you will get a successful response.
=
Yes both [1],[2] are possible but the problem is self sign up user(befo= re self sign up) does not have valid credentials to perform above operations= .

As i= described an app could register as a developer or use dyn reg. 
I guess you are referencing to d= ynamic client registration in OIDC right ?
 

Note, I suspect it is possible that despit= e checking with #2, you might still get a rejection when you POST. This migh= t be due to a reserve or lock on the username or other identifier.

Your rights as an administrative client will also impact wha= t you get back with the query in particular.  For example, if you are q= uerying anonymously, you might get no matches because the service provider h= as determined it is not going to answer your and confirm presence or not of t= he match.
Is there any security constrain= s for service providers to behave like that for anonymous requests ?

Yes DoS a= ttacks are a concern that prevent total anonymous registration. You need som= e trusted broker like a web or mobile app. 
Yes h= aving some trusted broker like a web or mobile app would resolve many proble= ms. Many Thanks Phil.

Also many IDPs likely have a vetting process to esta= blish some assurance about claims. Eg when an enterprise calls scim the ente= rprise is judged authoritative over employee assertions. 
Others might do secondary validation (eg email confirmation).&nb= sp;

All of this is really outside the scope of prov= isioning protocol but part of the larger IDM services approaches. 
=

<= div class=3D"gmail_extra">

Likewise= , many service providers will have DoS and other security restrictions on wh= at clients can register.  

E.g. to moderate th= e need for =E2=80=9Canonymous=E2=80=9D registration, a mobile app could regi= ster with the service provider to obtain a =E2=80=9Cpublic=E2=80=9D OAuth cl= ient credential that gives the mobile client the right to register a new use= r profile on behalf of the user (e.g. by using profile data from the mobile p= hone).

Phil

Oracle Corporation, I= dentity Cloud Services & Identity Standards
phil.hunt@oracle.com







On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana <gayan@wso2.com> wrote:

Hello,

According to [1] self sign up can be achieved v= ia sending authenticated request to /Me.

What is the proper way to c= heck isUsernameExist before self sign up ?
 
[1]https://tools= .ietf.org/html/rfc7644#section-3.11

Thanks,
G= ayan
--
Gayan Gunawardana
Software Engineer; WSO2 I= nc.; http://wso2.com/
=
_______________________________________________
scim mailing listscim@ietf.org
https:/= /www.ietf.org/mailman/listinfo/scim



--
Gayan Gunawardana
Software Engineer; WSO2 I= nc.; http://wso2.com/
=



--
Gayan Gunawardana
Software Engineer; WSO2 I= nc.; http://wso2.com/
=
= --Apple-Mail-3BCE0900-74C6-4AA8-8001-3C279BC1C958-- From nobody Mon Feb 6 10:07:07 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 985EA1295A5 for ; Mon, 6 Feb 2017 10:07:03 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.087 X-Spam-Level: X-Spam-Status: No, score=-6.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.887, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R8pbjEmO0T4N for ; Mon, 6 Feb 2017 10:07:01 -0800 (PST) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B5BE129428 for ; Mon, 6 Feb 2017 10:07:01 -0800 (PST) Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v16I70En004394 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 6 Feb 2017 18:07:00 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v16I7082010336 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 6 Feb 2017 18:07:00 GMT Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v16I6xP5031398; Mon, 6 Feb 2017 18:06:59 GMT Received: from [10.0.53.147] (/209.53.70.79) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 06 Feb 2017 10:06:59 -0800 Content-Type: multipart/alternative; boundary=Apple-Mail-9A6EEC41-E838-48BF-8E90-B79A92A588DD Mime-Version: 1.0 (1.0) From: "Phil Hunt (IDM)" X-Mailer: iPhone Mail (14D27) In-Reply-To: <90E3A155-A2CE-474D-A5F9-FBCC30605FFB@oracle.com> Date: Mon, 6 Feb 2017 10:06:53 -0800 Content-Transfer-Encoding: 7bit Message-Id: <2457A99D-1CBA-4158-8CA7-A43EABA92991@oracle.com> References: <96ACFE7E-9A4C-4010-B43B-50D4086D0C49@oracle.com> <23158D21-2EC9-4E0B-8592-17779D0E1311@oracle.com> <90E3A155-A2CE-474D-A5F9-FBCC30605FFB@oracle.com> To: Gayan Gunawardana X-Source-IP: userv0021.oracle.com [156.151.31.71] Archived-At: Cc: scim@ietf.org Subject: Re: [scim] How to check isUsernameExist for Self Sign Up X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Feb 2017 18:07:03 -0000 --Apple-Mail-9A6EEC41-E838-48BF-8E90-B79A92A588DD Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable There is also a scim profile in oidc. See drafts section.=20 Phil > On Feb 6, 2017, at 9:43 AM, Phil Hunt (IDM) wrote: >=20 > Dyn reg in oauth. But oidc may also apply depending on what you are doing.= =20 >=20 > Phil >=20 >> On Feb 4, 2017, at 8:25 PM, Gayan Gunawardana wrote: >>=20 >>=20 >>=20 >>> On Fri, Feb 3, 2017 at 1:24 AM, Phil Hunt (IDM) w= rote: >>> Inline >>>=20 >>> Phil >>>=20 >>>> On Feb 2, 2017, at 11:27 AM, Gayan Gunawardana wrote: >>>>=20 >>>> Hi Phil, >>>>=20 >>>>> On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt wrot= e: >>>>> Gayan, >>>>>=20 >>>>> Keep in mind SCIM is just a RESTful api. There are no functional metho= ds like isUsernameExist. >>>> Yes totally understood.=20 >>>>>=20 >>>>> You can=E2=80=A6 >>>>>=20 >>>>> 1. Just try HTTP POST to create the user and if there is a conflict, i= t gets rejected. This is probably easiest. >>>>>=20 >>>>> 2. Use GET /Users?filter=3D"(userName eq \=E2=80=9Dval\=E2=80=9D)=E2=80= =9D&attributes=3Did. If you can no records return there were no matches. If= you get a return, it is in use. Note, either way, you will get a successfu= l response. >>>> Yes both [1],[2] are possible but the problem is self sign up user(befo= re self sign up) does not have valid credentials to perform above operations= . >>>=20 >>> As i described an app could register as a developer or use dyn reg.=20 >> I guess you are referencing to dynamic client registration in OIDC right ?= =20 >>>> =20 >>>>>=20 >>>>> Note, I suspect it is possible that despite checking with #2, you migh= t still get a rejection when you POST. This might be due to a reserve or loc= k on the username or other identifier. >>>>>=20 >>>>> Your rights as an administrative client will also impact what you get b= ack with the query in particular. For example, if you are querying anonymou= sly, you might get no matches because the service provider has determined it= is not going to answer your and confirm presence or not of the match. >>>> Is there any security constrains for service providers to behave like t= hat for anonymous requests ?=20 >>>=20 >>> Yes DoS attacks are a concern that prevent total anonymous registration.= You need some trusted broker like a web or mobile app.=20 >> Yes having some trusted broker like a web or mobile app would resolve man= y problems. Many Thanks Phil.=20 >>>=20 >>> Also many IDPs likely have a vetting process to establish some assurance= about claims. Eg when an enterprise calls scim the enterprise is judged aut= horitative over employee assertions.=20 >>>=20 >>> Others might do secondary validation (eg email confirmation).=20 >>>=20 >>> All of this is really outside the scope of provisioning protocol but par= t of the larger IDM services approaches.=20 >>>=20 >>>>>=20 >>>>> Likewise, many service providers will have DoS and other security rest= rictions on what clients can register. =20 >>>>>=20 >>>>> E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D registration= , a mobile app could register with the service provider to obtain a =E2=80=9C= public=E2=80=9D OAuth client credential that gives the mobile client the rig= ht to register a new user profile on behalf of the user (e.g. by using profi= le data from the mobile phone). >>>>>=20 >>>>> Phil >>>>>=20 >>>>> Oracle Corporation, Identity Cloud Services & Identity Standards >>>>> @independentid >>>>> www.independentid.com >>>>> phil.hunt@oracle.com >>>>>=20 >>>>>=20 >>>>>=20 >>>>>=20 >>>>>=20 >>>>>=20 >>>>>=20 >>>>>> On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana wrote= : >>>>>>=20 >>>>>> Hello, >>>>>>=20 >>>>>> According to [1] self sign up can be achieved via sending authenticat= ed request to /Me.=20 >>>>>>=20 >>>>>> What is the proper way to check isUsernameExist before self sign up ?= >>>>>> =20 >>>>>> [1]https://tools.ietf.org/html/rfc7644#section-3.11 >>>>>>=20 >>>>>> Thanks, >>>>>> Gayan >>>>>> --=20 >>>>>> Gayan Gunawardana >>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>>>>> Email: gayan@wso2.com=20 >>>>>> Mobile: +94 (71) 8020933 >>>>>> _______________________________________________ >>>>>> scim mailing list >>>>>> scim@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/scim >>>>>=20 >>>>=20 >>>>=20 >>>>=20 >>>> --=20 >>>> Gayan Gunawardana >>>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>>> Email: gayan@wso2.com=20 >>>> Mobile: +94 (71) 8020933 >>=20 >>=20 >>=20 >> --=20 >> Gayan Gunawardana >> Software Engineer; WSO2 Inc.; http://wso2.com/ >> Email: gayan@wso2.com=20 >> Mobile: +94 (71) 8020933 > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim --Apple-Mail-9A6EEC41-E838-48BF-8E90-B79A92A588DD Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
There is also a scim profile in oidc. S= ee drafts section. 

Phil

On Feb 6, 2017, at 9:43 A= M, Phil Hunt (IDM) <phil.hunt@ora= cle.com> wrote:

Dyn reg= in oauth. But oidc may also apply depending on what you are doing. 
Phil

On Feb 4, 2017, at 8:25 PM, Gayan Gunawardana <gayan@wso2.com> wrote:

<= blockquote type=3D"cite">


On Fri, Feb 3, 2017 at 1:24 AM, Phil Hunt (= IDM) <phil.hunt@oracle.com> wrote:
Inline

Phil

On Feb 2, 2017, at 11:27 AM, Gayan Gunawardana <gayan@wso2.com> wrote:

=
Hi Phil,

On Fri, Feb 3, 2017 at 12:19 AM= , Phil Hunt <phil.hunt@oracle.com> wrote:
Gayan,
Keep in mind SCIM is just a RESTful api. There are no functional met= hods like isUsernameExist.
Yes totally understood.

You can=E2=80=A6

1.  Just try HTTP= POST to create the user and if there is a conflict, it gets rejected. = This is probably easiest.

2.  Use GET /Users?= filter=3D"(userName eq \=E2=80=9Dval\=E2=80=9D)=E2=80=9D&attributes=3Did= .  If you can no records return there were no matches. If you get a ret= urn, it is in use.  Note, either way, you will get a successful respons= e.
Yes both [1],[2] are possible but the p= roblem is self sign up user(before self sign up) does not have valid credent= ials to perform above operations.

As i described an app could register as a develo= per or use dyn reg. 
I guess you are referencing to dynamic client registration in OIDC right ? <= br>
 

Note, I s= uspect it is possible that despite checking with #2, you might still get a r= ejection when you POST. This might be due to a reserve or lock on the userna= me or other identifier.

Your rights as an administr= ative client will also impact what you get back with the query in particular= .  For example, if you are querying anonymously, you might get no match= es because the service provider has determined it is not going to answer you= r and confirm presence or not of the match.
Is there any security constrains for service providers to behave like tha= t for anonymous requests ?

Yes DoS attacks are a concern that prevent total a= nonymous registration. You need some trusted broker like a web or mobile app= . 
Yes having some trusted broker like a web or m= obile app would resolve many problems. Many Thanks Phil.

Also many IDPs li= kely have a vetting process to establish some assurance about claims. Eg whe= n an enterprise calls scim the enterprise is judged authoritative over emplo= yee assertions. 

Others might do secondary val= idation (eg email confirmation). 

All of this i= s really outside the scope of provisioning protocol but part of the larger I= DM services approaches. 


Likewise, many service providers will have DoS and= other security restrictions on what clients can register.  
=
E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D reg= istration, a mobile app could register with the service provider to obtain a= =E2=80=9Cpublic=E2=80=9D OAuth client credential that gives the mobile clie= nt the right to register a new user profile on behalf of the user (e.g. by u= sing profile data from the mobile phone).

Phil

Oracle Corporation, I= dentity Cloud Services & Identity Standards
phil.hunt@oracle.com







On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana <gayan@wso2.com> wrote:

Hello,

According to [1] self sign up can be achieved v= ia sending authenticated request to /Me.

What is the proper way to c= heck isUsernameExist before self sign up ?
 
[1]https://tools= .ietf.org/html/rfc7644#section-3.11

Thanks,
G= ayan
--
Gayan Gunawardana
Software Engineer; WSO2 I= nc.; http://wso2.com/
=
_______________________________________________
scim mailing listscim@ietf.org
https:/= /www.ietf.org/mailman/listinfo/scim



--
Gayan Gunawardana
Software Engineer; WSO2 I= nc.; http://wso2.com/
=



--
Gayan Gunawardana
Software Engineer; WSO2 I= nc.; http://wso2.com/
=
_= ______________________________________________
scim mailing l= ist
scim@ietf.org
https://ww= w.ietf.org/mailman/listinfo/scim
= --Apple-Mail-9A6EEC41-E838-48BF-8E90-B79A92A588DD-- From nobody Mon Feb 6 10:23:00 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1FF61295B6 for ; Mon, 6 Feb 2017 10:22:58 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qca4D9-CxiRr for ; Mon, 6 Feb 2017 10:22:56 -0800 (PST) Received: from mail-wr0-x22b.google.com (mail-wr0-x22b.google.com [IPv6:2a00:1450:400c:c0c::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 418991295B0 for ; Mon, 6 Feb 2017 10:22:56 -0800 (PST) Received: by mail-wr0-x22b.google.com with SMTP id k90so25546626wrc.3 for ; Mon, 06 Feb 2017 10:22:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=iTPMmwXG+0jPIzHT4YT1afXRylpHNY9+M+S2rgPmNhs=; b=GKOktX02oFsxQcKbm84BYMrXPgG/f6APBnvb3ULISilQBF4MuRF9MAE+5prwOlHb5o q5Oin1oZPhWiSMxwWFQ5R09jJ/lkQN8PdxpoQj5ePGFfYLraLkrOEpykaXkAJ+4T8KGd Gjf2ojWthXINis74W/Qnb7ceiXuBKcx2m6F1g= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=iTPMmwXG+0jPIzHT4YT1afXRylpHNY9+M+S2rgPmNhs=; b=l2azymcf94n1tthwF87P9rnQTMNguU0mH+pxJid3mofpxY0KP53WdfyNgkZfHDRaBT KUgBBhyUkTjsZm15HNq18siYxaCGVY2U5MftngSBT0yWkF3czEfaFxEPG7jiZYWK68T2 Bqi8pw3zsUVKRE4oXU/UagdNqvqtGG0ovGRsLeHG/j+/VcKeymGDHJ45nP8R5qZIeniB 5Y8R8YwB6XgoGJYEFiLVaQLgIIIjUY1iPSWsYMiGXjObrdPGnR0/+KNcVBjyBigeYHzi 8/qm3McjBC4vbXud6uDkZ8Ppop6dUuL9y9raSF35JNRtzlH760pCTy7xPTnkiuLfGw56 +W6Q== X-Gm-Message-State: AIkVDXKc0EbFPkEbHyvMbgdzNDMLsZX9xAf0gVnXfXvttldXHwCJO3Wj9eSV9fZUFMvOT7YNf3hPnp5eygjz3KRU X-Received: by 10.223.131.34 with SMTP id 31mr12960815wrd.119.1486405374600; Mon, 06 Feb 2017 10:22:54 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.134.169 with HTTP; Mon, 6 Feb 2017 10:22:54 -0800 (PST) In-Reply-To: <2457A99D-1CBA-4158-8CA7-A43EABA92991@oracle.com> References: <96ACFE7E-9A4C-4010-B43B-50D4086D0C49@oracle.com> <23158D21-2EC9-4E0B-8592-17779D0E1311@oracle.com> <90E3A155-A2CE-474D-A5F9-FBCC30605FFB@oracle.com> <2457A99D-1CBA-4158-8CA7-A43EABA92991@oracle.com> From: Gayan Gunawardana Date: Mon, 6 Feb 2017 23:52:54 +0530 Message-ID: To: "Phil Hunt (IDM)" Content-Type: multipart/alternative; boundary=94eb2c0d106e587c1d0547e0b838 Archived-At: Cc: scim@ietf.org Subject: Re: [scim] How to check isUsernameExist for Self Sign Up X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Feb 2017 18:22:59 -0000 --94eb2c0d106e587c1d0547e0b838 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Mon, Feb 6, 2017 at 11:36 PM, Phil Hunt (IDM) wrote: > There is also a scim profile in oidc. See drafts section. > Thanks Phil. I guess this is the one [1]. [1]http://openid.net/specs/openid-connect-scim-profile-1_0.html > > Phil > > On Feb 6, 2017, at 9:43 AM, Phil Hunt (IDM) wrote: > > Dyn reg in oauth. But oidc may also apply depending on what you are doing= . > > Phil > > On Feb 4, 2017, at 8:25 PM, Gayan Gunawardana wrote: > > > > On Fri, Feb 3, 2017 at 1:24 AM, Phil Hunt (IDM) > wrote: > >> Inline >> >> Phil >> >> On Feb 2, 2017, at 11:27 AM, Gayan Gunawardana wrote: >> >> Hi Phil, >> >> On Fri, Feb 3, 2017 at 12:19 AM, Phil Hunt wrote: >> >>> Gayan, >>> >>> Keep in mind SCIM is just a RESTful api. There are no functional method= s >>> like isUsernameExist. >>> >> Yes totally understood. >> >>> >>> You can=E2=80=A6 >>> >>> 1. Just try HTTP POST to create the user and if there is a conflict, i= t >>> gets rejected. This is probably easiest. >>> >>> 2. Use GET /Users?filter=3D"(userName eq \=E2=80=9Dval\=E2=80=9D)=E2= =80=9D&attributes=3Did. If you >>> can no records return there were no matches. If you get a return, it is= in >>> use. Note, either way, you will get a successful response. >>> >> Yes both [1],[2] are possible but the problem is self sign up user(befor= e >> self sign up) does not have valid credentials to perform above operation= s. >> >> >> As i described an app could register as a developer or use dyn reg. >> > I guess you are referencing to dynamic client registration in OIDC right = ? > >> >> >>> >>> Note, I suspect it is possible that despite checking with #2, you might >>> still get a rejection when you POST. This might be due to a reserve or = lock >>> on the username or other identifier. >>> >>> Your rights as an administrative client will also impact what you get >>> back with the query in particular. For example, if you are querying >>> anonymously, you might get no matches because the service provider has >>> determined it is not going to answer your and confirm presence or not o= f >>> the match. >>> >> Is there any security constrains for service providers to behave like >> that for anonymous requests ? >> >> >> Yes DoS attacks are a concern that prevent total anonymous registration. >> You need some trusted broker like a web or mobile app. >> > Yes having some trusted broker like a web or mobile app would resolve man= y > problems. Many Thanks Phil. > >> >> Also many IDPs likely have a vetting process to establish some assurance >> about claims. Eg when an enterprise calls scim the enterprise is judged >> authoritative over employee assertions. >> >> Others might do secondary validation (eg email confirmation). >> >> All of this is really outside the scope of provisioning protocol but par= t >> of the larger IDM services approaches. >> >> >>> Likewise, many service providers will have DoS and other security >>> restrictions on what clients can register. >>> >>> E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D registration,= a mobile app >>> could register with the service provider to obtain a =E2=80=9Cpublic=E2= =80=9D OAuth client >>> credential that gives the mobile client the right to register a new use= r >>> profile on behalf of the user (e.g. by using profile data from the mobi= le >>> phone). >>> >>> Phil >>> >>> Oracle Corporation, Identity Cloud Services & Identity Standards >>> @independentid >>> www.independentid.com >>> phil.hunt@oracle.com >>> >>> >>> >>> >>> >>> >>> >>> On Feb 2, 2017, at 10:18 AM, Gayan Gunawardana wrote: >>> >>> Hello, >>> >>> According to [1] self sign up can be achieved via sending authenticated >>> request to /Me. >>> >>> What is the proper way to check isUsernameExist before self sign up ? >>> >>> [1]https://tools.ietf.org/html/rfc7644#section-3.11 >>> >>> Thanks, >>> Gayan >>> -- >>> Gayan Gunawardana >>> Software Engineer; WSO2 Inc.; http://wso2.com/ >>> Email: gayan@wso2.com >>> Mobile: +94 (71) 8020933 >>> _______________________________________________ >>> scim mailing list >>> scim@ietf.org >>> https://www.ietf.org/mailman/listinfo/scim >>> >>> >>> >> >> >> -- >> Gayan Gunawardana >> Software Engineer; WSO2 Inc.; http://wso2.com/ >> Email: gayan@wso2.com >> Mobile: +94 (71) 8020933 >> >> > > > -- > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: gayan@wso2.com > Mobile: +94 (71) 8020933 > > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim > > --=20 Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --94eb2c0d106e587c1d0547e0b838 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


On Mon, Feb 6, 2017 at 11:36 PM, Phil Hunt (IDM) <= phil.hunt@oracle.= com> wrote:
There is also a scim profile in oidc. See drafts= section.=C2=A0
Thanks Phil. I guess this is the o= ne [1].
<= div dir=3D"auto">
=
Phil

On Feb 6,= 2017, at 9:43 AM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:

Dyn reg in oauth. But oidc may also apply d= epending on what you are doing.=C2=A0

Phil

On Feb 4, 2= 017, at 8:25 PM, Gayan Gunawardana <gayan@wso2.com> wrote:



On Fri, Feb 3, 2017 at 1:24 AM, Phil Hunt (IDM) <phi= l.hunt@oracle.com> wrote:
Inline

Phil

On Feb 2, 2017, at 11:27 AM, Gayan Gunawardana <gayan@wso2.com> wrote:

Hi Phil,

On Fri, Feb 3, 2017 at 12:= 19 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
Gayan,

Keep in mind SCIM is just a RESTf= ul api. There are no functional methods like isUsernameExist.
Yes totally understood.

You can=E2=80=A6

1.=C2=A0 Just try HTTP POST to cr= eate the user and if there is a conflict, it gets rejected.=C2=A0 This is p= robably easiest.

2.=C2=A0 Use GET /Users?filter=3D= "(userName eq \=E2=80=9Dval\=E2=80=9D)=E2=80=9D&attributes=3Did.= =C2=A0 If you can no records return there were no matches. If you get a ret= urn, it is in use.=C2=A0 Note, either way, you will get a successful respon= se.
Yes both [1],[2] are possible but th= e problem is self sign up user(before self sign up) does not have valid cre= dentials to perform above operations.

As i described an app could register as a = developer or use dyn reg.=C2=A0
I g= uess you are referencing to dynamic client registration in OIDC right ?
=
=C2=A0

Note, I suspect it is possible that despite che= cking with #2, you might still get a rejection when you POST. This might be= due to a reserve or lock on the username or other identifier.
Your rights as an administrative client will also impact what = you get back with the query in particular.=C2=A0 For example, if you are qu= erying anonymously, you might get no matches because the service provider h= as determined it is not going to answer your and confirm presence or not of= the match.
Is there any security constr= ains for service providers to behave like that for anonymous requests ?

Yes= DoS attacks are a concern that prevent total anonymous registration. You n= eed some trusted broker like a web or mobile app.=C2=A0
<= div>Yes having some trusted broker like a web or mobile app would resolve m= any problems. Many Thanks Phil.

Also many IDPs likel= y have a vetting process to establish some assurance about claims. Eg when = an enterprise calls scim the enterprise is judged authoritative over employ= ee assertions.=C2=A0

Others might do secondary val= idation (eg email confirmation).=C2=A0

All of this= is really outside the scope of provisioning protocol but part of the large= r IDM services approaches.=C2=A0


=
Likewise, many service providers will have DoS and other securit= y restrictions on what clients can register. =C2=A0

E.g. to moderate the need for =E2=80=9Canonymous=E2=80=9D registration, a= mobile app could register with the service provider to obtain a =E2=80=9Cp= ublic=E2=80=9D OAuth client credential that gives the mobile client the rig= ht to register a new user profile on behalf of the user (e.g. by using prof= ile data from the mobile phone).

Phil
=
Oracle Corporation, Identity Cloud Services & Identity S= tandards
@independentid
phil.hun= t@oracle.com







On Feb 2, 2017, at 10:18 AM, Gayan Gun= awardana <gayan@wso2= .com> wrote:

<= div dir=3D"ltr">
Hello,

According to [1] self sign up can b= e achieved via sending authenticated request to /Me.

What is the pr= oper way to check isUsernameExist before self sign up ?
=C2=A0
[1]https://tools.ietf.org/html/rfc7644#section-3.11

Th= anks,
Gayan
--
Gayan= Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
_______________________________________________
scim mailing listscim@ietf.org
<= a href=3D"https://www.ietf.org/mailman/listinfo/scim" target=3D"_blank">htt= ps://www.ietf.org/mailman/listinfo/scim




--
Gayan Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/



--
Gayan Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
= _______________________________________________
scim m= ailing list
scim@ietf.org
https://www.ietf.org/mailman/listi= nfo/scim



--
Gaya= n Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
--94eb2c0d106e587c1d0547e0b838-- From nobody Mon Feb 6 21:22:02 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D625D129509 for ; Mon, 6 Feb 2017 21:22:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.219 X-Spam-Level: X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wFlOcW8Kp6U8 for ; Mon, 6 Feb 2017 21:21:59 -0800 (PST) Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 400B81294FE for ; Mon, 6 Feb 2017 21:21:59 -0800 (PST) Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v175LuvF001770 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 7 Feb 2017 05:21:57 GMT Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0021.oracle.com (8.13.8/8.14.4) with ESMTP id v175LuWC001743 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 7 Feb 2017 05:21:56 GMT Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v175Ltk9001172; Tue, 7 Feb 2017 05:21:55 GMT Received: from [25.161.156.7] (/24.114.45.99) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 06 Feb 2017 21:21:55 -0800 Content-Type: multipart/alternative; boundary=Apple-Mail-DBF02BB8-77F5-4DE2-921A-DD99EFC1A290 Mime-Version: 1.0 (1.0) From: "Phil Hunt (IDM)" X-Mailer: iPhone Mail (14D27) In-Reply-To: Date: Mon, 6 Feb 2017 21:21:50 -0800 Content-Transfer-Encoding: 7bit Message-Id: <82A7E941-516E-4556-A601-C599D3D53D3C@oracle.com> References: To: Gayan Gunawardana X-Source-IP: aserv0021.oracle.com [141.146.126.233] Archived-At: Cc: scim@ietf.org Subject: Re: [scim] Unique Attributes X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Feb 2017 05:22:01 -0000 --Apple-Mail-DBF02BB8-77F5-4DE2-921A-DD99EFC1A290 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Sorry I missed this one earlier.=20 IMO The schema in the spec sets the default expectations and what clients wi= ll typically expect.=20 But yes you can change uniqueness-the uniqueness for each attribute should b= e discoverable in your schemas endpoint.=20 Phil > On Feb 4, 2017, at 9:12 PM, Gayan Gunawardana wrote: >=20 > According to [1] userName seems to be an unique attribute where duplicate r= esources identified with userName. Similarly=20 >=20 > Is Group "displayName" an unique attribute ? >=20 > If answer is no, Does implementation have flexibility to decide uniqueness= ? >=20 > [1]https://tools.ietf.org/html/rfc7644#section-3.3 >=20 > Thanks, > Gayan >=20 > --=20 > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: gayan@wso2.com=20 > Mobile: +94 (71) 8020933 > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim --Apple-Mail-DBF02BB8-77F5-4DE2-921A-DD99EFC1A290 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable
Sorry I missed this one earlier. =

IMO The schema in the spec sets the default expectations and what clients w= ill typically expect. 

But yes you can change uniqueness-the uniquenes= s for each attribute should be discoverable in your schemas endpoint. <= br>
Phil

On Feb 4, 2017, at 9:12 PM, Gayan Gunawardana <= gayan@wso2.com> wrote:

According to [1] userN= ame seems to be an unique attribute where duplicate resources identified wit= h userName. Similarly

Is Group "displayName" an unique attribute ?
If answer is no, Does implementation have flexibility to decide u= niqueness ?
=
Thanks,
Gayan

-= -
Gayan Gunawardana
Software Engineer; WSO2 I= nc.; http://wso2.com/
=
____________________= ___________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman= /listinfo/scim
= --Apple-Mail-DBF02BB8-77F5-4DE2-921A-DD99EFC1A290-- From nobody Mon Feb 6 22:37:06 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AEDA1293FD for ; Mon, 6 Feb 2017 22:37:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.698 X-Spam-Level: X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lTE6sCObwfvA for ; Mon, 6 Feb 2017 22:37:03 -0800 (PST) Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9EC71293F3 for ; Mon, 6 Feb 2017 22:37:02 -0800 (PST) Received: by mail-qk0-x22b.google.com with SMTP id u25so78598853qki.2 for ; Mon, 06 Feb 2017 22:37:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=UxIAR+g4F3fYdY2SYiz1FLMlgtamTfnTLSmcYLQp6lY=; b=nZq7XIEfc/SgC/zHkut0c2/L3thc/EaoJaEcUNx/bfVG+f4lK9EYomKctxkdnE2TI9 5HEYT8Ec7KR3INNfFLEh391Mf/IPDj+1CMxj5nBzeuS9lLaqyE2ZzgQXI2+tPfPpyIWK ubeCFIoLADRzcETD3rChyLmY/XpP0GTJzRabShapbA2c4IGuu4J43saSTaltBq+plfiq 83CCxWmAdeRpPeAKNpQyGfgtH8GqvzZeyt5xB6uvgaRtpQx+fBYncGYe9/+wEDnjszuR n44G/I5M6GAm9P2df5wR+nLQaM8YGRpbZNSEy98O/pE4HhSoNJM8GKDk/zHft5SP94g7 n7Sg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=UxIAR+g4F3fYdY2SYiz1FLMlgtamTfnTLSmcYLQp6lY=; b=N1ODWyYGODUh0mUueZiI0K7iN2USiCL/BMh7WqR+iUT8ZzhqOtTHKv6o4HxF671BTX XK/9b0+z1D5aBVVkTCWuBeuTHvx76Kk/AOaDRVhW7yLvUiM0Y8SC6pY0eC3g8jsh64v7 pyEre1V+bYRdQVCfeKyQx3BevQmkcvVEeY25il4pirjBWXeK7t0YTkNFcY0/EEu8ixVs ffTktcMqsPBRkkuiODYV2XhR/8ZzqMVaI02zsUYVwzTUr6Jd1FU06vRHR89AeZqurP0V /YeNRmZvY3Cyp83v3nPTDIeePMy5f2G0fH1+KwVbmV5EKq9wPr6QC10NCPLnNEwk2fAC I2gw== X-Gm-Message-State: AMke39mBnv4JgCzOXE9fL9LPra6nEZ7APaJYZ1W4nTqyLO2a25ctWwSJgTgl8i/ajRPWvK1FhEX3zf6SDONX5w== X-Received: by 10.55.16.67 with SMTP id a64mr12813983qkh.226.1486449422021; Mon, 06 Feb 2017 22:37:02 -0800 (PST) MIME-Version: 1.0 Received: by 10.12.155.164 with HTTP; Mon, 6 Feb 2017 22:36:41 -0800 (PST) From: Darshana Gunawardana Date: Tue, 7 Feb 2017 12:06:41 +0530 Message-ID: To: "scim@ietf.org" Content-Type: multipart/alternative; boundary=001a1146f2c2c6d8d70547eaf9c0 Archived-At: Cc: omindu.dishan@gmail.com Subject: [scim] Does SCIM 2.0 have a compliance test suite? X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Feb 2017 06:37:04 -0000 --001a1146f2c2c6d8d70547eaf9c0 Content-Type: text/plain; charset=UTF-8 Hi, Is there a test tool that can used to check compliance with the SCIM 2.0 specification? The site [1] specifies that there is an ongoing effort. Is this an open source effort where someone interested can try prototype versions and contribute for the development? [1] http://www.simplecloud.info/ [2] "Work on SCIM 2.0 tests is under development and there are currently no support for the enterprise extension" Thanks, -- With Regards, Darshana Gunawardana, Alumni : Dept. of Computer Science & Engineering, University of Moratuwa, Sri Lanka --001a1146f2c2c6d8d70547eaf9c0 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hi,

Is there a test tool that can used = to check compliance with the SCIM 2.0 specification?

The site [1] specifies that there is an ongoing effort. Is this an open = source effort where someone interested can try prototype versions and contr= ibute for the development?=C2=A0

[2] "Work on SCIM 2.0 tests is under development and there are curre= ntly no support for the enterprise extension"

Thanks,
--
Wit= h Regards,

Darshana Gunawardana,
Alumni : Dept. of C= omputer Science & Engineering,
University of Moratuwa,
Sri Lanka<= /div>
--001a1146f2c2c6d8d70547eaf9c0-- From nobody Mon Feb 6 23:36:52 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB375129A9A for ; Mon, 6 Feb 2017 23:36:51 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kx8ekRea31BZ for ; Mon, 6 Feb 2017 23:36:46 -0800 (PST) Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34AC012009C for ; Mon, 6 Feb 2017 23:36:46 -0800 (PST) Received: by mail-oi0-x22e.google.com with SMTP id j15so60305401oih.2 for ; Mon, 06 Feb 2017 23:36:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aYGR1wcUYbqJ4GqRrYBncM28sdLvt5Il8SDdV+bSXYg=; b=B2CKRPT31rL7ZXI2XKkogNulnbWOYdyZPK7EQXRdUTLlembziXsT9bmYw+ynr4w9TJ xbqYJ0efQoI5y86FCrZLjbH7+/FlJDFf0ye5GOYqqxM2cRMghqw9//yBHY4tROWHNOUe 5N1JvWTb/UuA7GQZaB4AuNAG7q1kNzp7CGJAO6aXBwbPQH4uhnCv34GK4ZdzLP88s/xL RR7TvCA1qTgHaKFJRLH+oAyzvIaBErG4V5zjMoXMfgSK+Az0MmgzQDJc9wR3ZEz+5akL thPu8P+G/Hwlxc7IoToUuZUwco5/rcPmcAG4mPvcgE7vbFriLsiy1AgTMUpr3PImPpOW jTRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aYGR1wcUYbqJ4GqRrYBncM28sdLvt5Il8SDdV+bSXYg=; b=o4G/4K5n9+eMnnWVbzf01vRXg/cOFwNoWrZeOnJ98MwttAUyq0SwrJBGdfPVSKE5pq kB37yMLtzfx9DMtdNLsDS0uW5ynfQMPeieo4aHyX5YcoZLEMbLrsepBpsxt2w3NQ4HKb LjiK+L2ISVVlmUagSUxlEUUoknfinTAUBuu1NUthVNKvqzPWFYmwS8UmilVUIykGBL1t zC7RblHf/XPGNkpzlo5Rg8jTZhNaBhXGlBYAKRC5sS+dptboFEXIvXx7qth6ILKlEPAS cbj23yh1qe4lYPS+zCSAOcWxbHZBRDjLtH+RXgClRAJTLcznksHwuz5jiIYH4A0yHVxB ZZBA== X-Gm-Message-State: AMke39mxeXLmsFpBSLmf6M8IhQ1D6slaDQVNaZChuZopEJkmsRKvbRYD5b9HpTQXEG7FfhaVsf2dN0EG4vSbFA== X-Received: by 10.202.8.71 with SMTP id 68mr7331015oii.59.1486453005550; Mon, 06 Feb 2017 23:36:45 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Samuel Erdtman Date: Tue, 07 Feb 2017 07:36:34 +0000 Message-ID: To: Darshana Gunawardana , "scim@ietf.org" Content-Type: multipart/alternative; boundary=94eb2c12f8b45f2a290547ebcf9c Archived-At: Cc: omindu.dishan@gmail.com Subject: Re: [scim] Does SCIM 2.0 have a compliance test suite? X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Feb 2017 07:36:52 -0000 --94eb2c12f8b45f2a290547ebcf9c Content-Type: text/plain; charset=UTF-8 There is currently no such tool as far as I know. That it says ongoing is a bit too optimistic, there is no ongoing work as far as I know. You are not the only one asking for this so maybe a few persons could do some cooperation and create something. On Tue, 7 Feb 2017 at 07:37, Darshana Gunawardana wrote: > Hi, > > Is there a test tool that can used to check compliance with the SCIM 2.0 > specification? > > The site [1] specifies that there is an ongoing effort. Is this an open > source effort where someone interested can try prototype versions and > contribute for the development? > > [1] http://www.simplecloud.info/ > [2] "Work on SCIM 2.0 tests is under development and there are currently > no support for the enterprise extension" > > Thanks, > -- > With Regards, > > Darshana Gunawardana, > Alumni : Dept. of Computer Science & Engineering, > University of Moratuwa, > Sri Lanka > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim > --94eb2c12f8b45f2a290547ebcf9c Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
There is currently no such tool as far as I know.

=
That it says ongoing is a bit too optimistic, there is no ongoing work= as far as I know.

You are not the only one asking= for this so maybe a few persons could do some cooperation and create somet= hing.


On Tue, 7 Feb 2017 at 07:37, Darshana Gunawardana <darshanasbg@gmail.com> wrote:
Hi,

Is there a test t= ool that can used to check compliance with the SCIM 2.0 specification?

The site [1] specifies that there is an ongoing effort. Is this an op= en source effort where someone interested can try prototype versions and co= ntribute for the development?=C2=A0

[1]=C2=A0http://www.simpl= ecloud.info/
[2] "Work on SCIM 2.0 t= ests is under development and there are currently no support for the enterp= rise extension"

=
Thanks,
--
With Regards,

Darshana Gunawardana,Alumni : Dept. of Computer Science & Engineering,<= br class=3D"gmail_msg">University of Moratuwa,
Sri L= anka
_______________________________________________
scim mailing list
scim= @ietf.org
https://www.ietf.org/mailman/listinfo/= scim
--94eb2c12f8b45f2a290547ebcf9c-- From nobody Tue Feb 7 00:15:41 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 991B7129488 for ; Tue, 7 Feb 2017 00:15:39 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.698 X-Spam-Level: X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ThDt5Gs9ANi8 for ; Tue, 7 Feb 2017 00:15:38 -0800 (PST) Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 199E51270B4 for ; Tue, 7 Feb 2017 00:15:38 -0800 (PST) Received: by mail-qk0-x22a.google.com with SMTP id 11so80609770qkl.3 for ; Tue, 07 Feb 2017 00:15:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=zW6vlK30eWODM50pneR52DN2GIdqLpT+C8Qx9WjSE6U=; b=XhU5rAtam0HpMQhQCxgJFQwMKUDV0BtHjNl3bt17VDjhnoJy8E2DLFZeP9bUe74jnL 1U8HnkhP9nhbEpXwSvbmpkA2WjH2dP6e+75zxF7qmk0HtRhvWLqoNRQghTr04/mID/Z+ O+VznKE77lJ20JVJAAZpd5e/Zcynplm2rtJ9ePSr0uPlYTXWQu1HTQI0bI9gvB+VmraC MRKt4AXdFmibsihYKv1M4g2ef9GhYcmNc1xse7zUHBMFN2LS4Zvihk4kdeHPlH4o6cxv q3NrmDCMoql9UYu+zssOlAUx0kftqUaQPCgZswda/955N1GVmis86zHxQwTsjL3cUWyd /9yQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=zW6vlK30eWODM50pneR52DN2GIdqLpT+C8Qx9WjSE6U=; b=E/CNyqNh/r6W3blzyge/Fl1q/oE8oop/H536jJkvfcruXIRWWOkDyuZ+hkabXYjSXJ 5ZYGptaZgQcBV1M5uqJXcuNTkj2HO+OSvTJ6ZihKKlN8UC1aLVndFn/k+i/BYsBdh0ij mKeGhnnl1HPF/urw+cVwShz3ZPLigiByM1fKgk8eZW8jEtVGNeJkargokQGuSNtZo+5s aJ3OA+yMPMWTONdfwBFBDYGgRa9URxBjOJwS35fFtnJ+khHEN2NEbIwRlRrqRV62k8jk vjGvYJiioXFljcjwdcs7be010Boj0uMqrcJdFGaPrzW8GpE8hMQYqHpoHujXfySTSNG8 ItmQ== X-Gm-Message-State: AMke39kATwLBVICkUY1qXcCEmMrUX8tN4Fu5O+Mt5QrX5E23SY0egKndkfREJphp+ZTcgNmifUoXMBl/+ATR7w== X-Received: by 10.55.214.86 with SMTP id t83mr14478100qki.23.1486455337239; Tue, 07 Feb 2017 00:15:37 -0800 (PST) MIME-Version: 1.0 Received: by 10.12.155.164 with HTTP; Tue, 7 Feb 2017 00:15:16 -0800 (PST) In-Reply-To: References: From: Darshana Gunawardana Date: Tue, 7 Feb 2017 13:45:16 +0530 Message-ID: To: Samuel Erdtman Content-Type: multipart/alternative; boundary=001a114997a659cd110547ec5ada Archived-At: Cc: "scim@ietf.org" , omindu.dishan@gmail.com Subject: Re: [scim] Does SCIM 2.0 have a compliance test suite? X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Feb 2017 08:15:39 -0000 --001a114997a659cd110547ec5ada Content-Type: text/plain; charset=UTF-8 Hi Samuel, Thanks for the response..! My colleges from WSO2 are in the process of implementing SCIM 2.0 server and currently people working on improving the test coverage on that. If there is no work done on this, we can check on creating common SCIM 2.0 suite and contributing back to the community. Wanted to check whether it would be useful to implement common SCIM 2.0 suite thing. If this is something useful to have, we can check on possible ways of getting interested persons... And can I know references on the implementations on the test suite done on SCIM 1.1? So I can get an idea on the current design and effort needed to implement in that way. Thanks, Darshana On Tue, Feb 7, 2017 at 1:06 PM, Samuel Erdtman wrote: > There is currently no such tool as far as I know. > > That it says ongoing is a bit too optimistic, there is no ongoing work as > far as I know. > > You are not the only one asking for this so maybe a few persons could do > some cooperation and create something. > > > On Tue, 7 Feb 2017 at 07:37, Darshana Gunawardana > wrote: > >> Hi, >> >> Is there a test tool that can used to check compliance with the SCIM 2.0 >> specification? >> >> The site [1] specifies that there is an ongoing effort. Is this an open >> source effort where someone interested can try prototype versions and >> contribute for the development? >> >> [1] http://www.simplecloud.info/ >> [2] "Work on SCIM 2.0 tests is under development and there are currently >> no support for the enterprise extension" >> >> Thanks, >> -- >> With Regards, >> >> Darshana Gunawardana, >> Alumni : Dept. of Computer Science & Engineering, >> University of Moratuwa, >> Sri Lanka >> _______________________________________________ >> scim mailing list >> scim@ietf.org >> https://www.ietf.org/mailman/listinfo/scim >> > -- With Regards, Darshana Gunawardana, Alumni : Dept. of Computer Science & Engineering, University of Moratuwa, Sri Lanka --001a114997a659cd110547ec5ada Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hi Samuel,

Thanks for the response..!

My colleges from WSO2 are in the process of impleme= nting SCIM 2.0 server and currently people working on improving the test co= verage on that.

If there is no work done on this, = we can check on creating common SCIM 2.0 suite and contributing back to the= community. Wanted to check whether it would be useful to implement common = SCIM 2.0 suite thing.

If this is something useful = to have, we can check on possible ways of getting interested persons...

And can I know references on the implementations on t= he test suite done on SCIM 1.1? So I can get an idea on the current design = and effort needed to implement in that way.

Thanks= ,
Darshana

On Tue, Feb 7, 2017 at 1:06 PM, Samuel Erdtman <samuel= @erdtman.se> wrote:
There is currently no such tool as far as I know.

That it says ongoing is a bit too optimistic, there is no = ongoing work as far as I know.

You are not the onl= y one asking for this so maybe a few persons could do some cooperation and = create something.


On Tue, 7 Feb 2017 at 07:37, Da= rshana Gunawardana <darshanasbg@gmail.com> wrote:
Hi,

Is there a = test tool that can used to check compliance with the SCIM 2.0 specification= ?

The site [1] specifies that there is an ongoing effort= . Is this an open source effort where someone interested can try prototype = versions and contribute for the development?=C2=A0

[1]= =C2=A0http://www.simplecloud.info/=
[2] "Work o= n SCIM 2.0 tests is under development and there are currently no support fo= r the enterprise extension"

<= div class=3D"gmail-m_-4844266541294802224gmail_msg">Thanks,
--
With Regards,

Darsh= ana Gunawardana,
Alumni = : Dept. of Computer Science & Engineering,
University of Moratuwa,
Sri Lanka
_______________________________________________
scim mailing list
scim@ietf.org
https://ww= w.ietf.org/mailman/listinfo/scim



--
With Regards,

Darshana Gunawardana,
Alumni : Dept. of Computer Science & Enginee= ring,
University of Moratuwa,
Sri Lanka
--001a114997a659cd110547ec5ada-- From nobody Tue Feb 7 08:51:08 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 531D512956D for ; Tue, 7 Feb 2017 08:51:07 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8qNhblYhilG0 for ; Tue, 7 Feb 2017 08:51:05 -0800 (PST) Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FE17129D6C for ; Tue, 7 Feb 2017 08:51:02 -0800 (PST) Received: by mail-wm0-x22c.google.com with SMTP id v77so162960117wmv.0 for ; Tue, 07 Feb 2017 08:51:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=DfUxj37yuLv7Wzfz/Wumul7UfS/VLN7piGiCs5q36oQ=; b=MdRmzfJeZ+mmdOWPkvH0mcyUkzXARluxTuWpJKO3bLJfEF3J6CEVlz6CWQsgbIqtFo pPogpnhdiByhcvpEVAtvAmMPHP2nPpFv25Qs2EcJ/5AbCzKWCol2FQii5gsImth7XMYG EcoGQoW+PNxZcVDhiCSVLQxn98B4jMDxu4rmg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=DfUxj37yuLv7Wzfz/Wumul7UfS/VLN7piGiCs5q36oQ=; b=kepUSrXgBRKibJJaJeExyVNuA5o1JGNJvMQxxIHQ6x2UasfvdwEVBbhiwIjoaCHfFO EdsshrJuSEsN61Wiv8k2KuphgAOGbCJt5irW90JqsQ7QmssOn5k0Va3L0sD+XcFD7q1/ Tf0omYXG5HaqLIfFl9aklqmZtIcKVxUAzyN2sQ1Esxwp0rJMkXixvxaafm4eELyywOPJ O+Tns8y9T+S57BseqAy2RdbmaeiV4GpkVAIkX0nFB4GxU018s3YjFsvSs6zXX1SfP8FI U0CIEyn4WyHjfwLipj+vKhTsh/iKk1Ub9jUKJBW7rvcXwIHL6igP6PmeSYMSby1ipJiA iblg== X-Gm-Message-State: AIkVDXIOWqosC6DcUjIOHvM/RUe4CFIq28WluuCXSr9GJ3QdBG17megECSZlzUSpTpt6sOSDSytwZ9+q9bU9mrax X-Received: by 10.223.131.34 with SMTP id 31mr18373478wrd.119.1486486260694; Tue, 07 Feb 2017 08:51:00 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.134.169 with HTTP; Tue, 7 Feb 2017 08:51:00 -0800 (PST) In-Reply-To: <82A7E941-516E-4556-A601-C599D3D53D3C@oracle.com> References: <82A7E941-516E-4556-A601-C599D3D53D3C@oracle.com> From: Gayan Gunawardana Date: Tue, 7 Feb 2017 22:21:00 +0530 Message-ID: To: "Phil Hunt (IDM)" Content-Type: multipart/alternative; boundary=94eb2c0d106e88579e0547f38dfc Archived-At: Cc: scim@ietf.org Subject: Re: [scim] Unique Attributes X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Feb 2017 16:51:07 -0000 --94eb2c0d106e88579e0547f38dfc Content-Type: text/plain; charset=UTF-8 On Tue, Feb 7, 2017 at 10:51 AM, Phil Hunt (IDM) wrote: > Sorry I missed this one earlier. > > IMO The schema in the spec sets the default expectations and what clients > will typically expect. > > But yes you can change uniqueness-the uniqueness for each attribute should > be discoverable in your schemas endpoint. > Yes this is more logical. Thanks Phil. > > Phil > > On Feb 4, 2017, at 9:12 PM, Gayan Gunawardana wrote: > > According to [1] userName seems to be an unique attribute where duplicate > resources identified with userName. Similarly > > Is Group "displayName" an unique attribute ? > > If answer is no, Does implementation have flexibility to decide uniqueness > ? > > [1]https://tools.ietf.org/html/rfc7644#section-3.3 > > Thanks, > Gayan > > -- > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: gayan@wso2.com > Mobile: +94 (71) 8020933 > > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim > > -- Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --94eb2c0d106e88579e0547f38dfc Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


On Tue, Feb 7, 2017 at 10:51 AM, Phil Hunt (IDM) <= phil.hunt@oracle.= com> wrote:
Sorry I missed this one earlier.=C2=A0

IMO The schema in the spec sets the default expectations = and what clients will typically expect.=C2=A0

But yes you can change uniqueness-the uniqueness for each = attribute should be discoverable in your schemas endpoint.=C2=A0
<= /div>
Yes this is more logical. Thanks Phil.

Phil

On Fe= b 4, 2017, at 9:12 PM, Gayan Gunawardana <gayan@wso2.com> wrote:

According to [1] userName seems = to be an unique attribute where duplicate resources identified with userNam= e. Similarly

Is Group "displayName" an unique attribute ?=

If answer is no, Does implementation have flexibility to deci= de uniqueness ?
Thanks,
Gayan

--
Gayan Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
_______= ________________________________________
scim mailing = list
sci= m@ietf.org
https://www.ietf.org/mailman/listinfo/sci= m



--
Gayan Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
--94eb2c0d106e88579e0547f38dfc-- From nobody Thu Feb 9 23:52:51 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60DEB12A04B for ; Thu, 9 Feb 2017 23:52:43 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RGfihhpeFMFl for ; Thu, 9 Feb 2017 23:52:39 -0800 (PST) Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8367712A04A for ; Thu, 9 Feb 2017 23:52:39 -0800 (PST) Received: by mail-wm0-x22b.google.com with SMTP id v186so102645620wmd.0 for ; Thu, 09 Feb 2017 23:52:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=QW1D4ysFw0/r3IQmZl+f47pGIMEDxhMDJelIBDtKu0Q=; b=Ie9BsY+OB3gn8tUZQMW3Rv2dLWpYMGyPHtbY7LACMQ96ixD+x4vD+UdBz5al2AXCoe j1ng6SKg1U//0rdcdipwrXj3dT7oxkYglWupXp8vGscZb14H6ispSwlohTECJTC/HgVx 6xOTBBjTxWdKlvpbx9D7w1+OyBCRHcywnLxWk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=QW1D4ysFw0/r3IQmZl+f47pGIMEDxhMDJelIBDtKu0Q=; b=IVoytU0PPL1HDi8mAJIsXAUsAkJr0fAZkJy2V8x37wM+NrkNvgf0nK8irEjm6OfRtH ZqdQGAcwNVSILfPeaYfGBwnqko0c6RC8agem0yvNtTSFMAP5QTqv3OFIA17G0fBTWUo2 eHrvh6JJvvCh9aDRXjWlqZlAgBavwBTlIQsBR0Rysji5l72iF6K7T90QrRL+taJfUkYC mveIgVTrnYmLP7FC9Rr6Bd/ENP/dcpGslKCbrGsiiHluoJxrffj6CQVyVKRcEJcl6t7G cz/ZWbehUMN3zw1ZX7uYq7foE17Yp4HqDRCO/2eOCiPoePKvGuaxdHWm8szQnZzlA3Dr vRNw== X-Gm-Message-State: AMke39l8R7p2IsI2+Uz5WRt7zcoQEjyQEsculEIGMMpJNEV+hbgRUjZ9oue/hIy5fxa5ccsKmRyneyH5kdXgOlp6 X-Received: by 10.28.191.208 with SMTP id o77mr6039795wmi.117.1486713157791; Thu, 09 Feb 2017 23:52:37 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.134.169 with HTTP; Thu, 9 Feb 2017 23:52:37 -0800 (PST) From: Gayan Gunawardana Date: Fri, 10 Feb 2017 13:22:37 +0530 Message-ID: To: scim@ietf.org Content-Type: multipart/alternative; boundary=94eb2c064512a746ae0548286123 Archived-At: Subject: [scim] Question regarding multiple User Stores X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Feb 2017 07:52:43 -0000 --94eb2c064512a746ae0548286123 Content-Type: text/plain; charset=UTF-8 For given SCIM implementation if I have multiple user stores underneath. Idea of multiple user stores from organizational perspective, suppose I have LDAP for employee information and separate AD for customer information. How can I list or filter result from customer user store ? Similarly how can I add a user to customer user store ? What is the best way to specify user store domain in the SCIM request? -- Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --94eb2c064512a746ae0548286123 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
For given SCIM implementation if I have multiple user= stores underneath.

Idea of multiple user stores from organizationa= l perspective, suppose I have LDAP for employee information and separate AD= for customer information.

How can I list or filter resu= lt from customer user store ?

Similarly how can I add a u= ser to customer user store ?

=C2=A0What is the best way = to specify user store domain in the SCIM request?
--
Gayan Guna= wardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
--94eb2c064512a746ae0548286123-- From nobody Sun Feb 12 00:13:09 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0843F129459 for ; Sun, 12 Feb 2017 00:13:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q6S3XaXd-IjJ for ; Sun, 12 Feb 2017 00:13:06 -0800 (PST) Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5251D129443 for ; Sun, 12 Feb 2017 00:13:06 -0800 (PST) Received: by mail-wm0-x233.google.com with SMTP id c85so288194760wmi.1 for ; Sun, 12 Feb 2017 00:13:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=vCSCZW3vGz0fi0TPtLLvBBYQPVrewCj+j1d4QJG5GkM=; b=jy7oZlxttW+W5j3rjdyLf56Dpo1+f3JkcgMgNE2sZ60C9xV4ue6RoCeoWaCB6tKiEd onX110sepluAuHL4Whx5iYcTl5HegvvEsRsXD+YcDZeKlXiCCC/o/KRY0mE6yyjZwbCh gAaTAO/PWgB9bt6J2QNKHZNrTY+2fSvTU8I0s= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=vCSCZW3vGz0fi0TPtLLvBBYQPVrewCj+j1d4QJG5GkM=; b=BUhwV1pdLZZsP8vIK0eUCUQEAF9mkHuzGtGZwFPVf2VolrGleYGVt5UUqa5hUASOxh tKG5aAQG6SvL4jVtGg5Eglg1Kq5JISnucBlyWgcTi8q17Y72HmOKD/DngAFeMhhOp7kR OOrx5N8deLUoNsNtdvilYw6gVMhqiYV6b1czQlTloEr/yZaNiAUP1Nk0xkrTs4L6PQQW FQ4fa9dg/ndiXZBJnq7rrHxUSYNaIMRJNecDLiVBvr8Qwo4jm4KBZpZBTY37TXmX3adH 0gKpHeosit+S5Z4O5ykOXYT6ulmI0x5Z5lWKbnU9eJ96wJ8J1xmGEZ77Xf6Z5v6V5nsW 43QA== X-Gm-Message-State: AMke39k0Myc0rC7kRWf+86NuxnS778tXvZNUs/qE/cAsEWMK5C8FlXAdYlir7s7H+ZBuJblBCwqrbdGWzbAn19wg X-Received: by 10.28.222.11 with SMTP id v11mr31948212wmg.1.1486887184757; Sun, 12 Feb 2017 00:13:04 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.134.169 with HTTP; Sun, 12 Feb 2017 00:13:04 -0800 (PST) In-Reply-To: References: From: Gayan Gunawardana Date: Sun, 12 Feb 2017 13:43:04 +0530 Message-ID: To: scim@ietf.org, Phil Hunt Content-Type: multipart/alternative; boundary=001a114b17ee780ba1054850e69d Archived-At: Subject: Re: [scim] Question regarding multiple User Stores X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 12 Feb 2017 08:13:08 -0000 --001a114b17ee780ba1054850e69d Content-Type: text/plain; charset=UTF-8 On Fri, Feb 10, 2017 at 1:22 PM, Gayan Gunawardana wrote: > For given SCIM implementation if I have multiple user stores underneath. > > Idea of multiple user stores from organizational perspective, suppose I > have LDAP for employee information and separate AD for customer > information. > > How can I list or filter result from customer user store ? > > Similarly how can I add a user to customer user store ? > > What is the best way to specify user store domain in the SCIM request? > -- > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: gayan@wso2.com > Mobile: +94 (71) 8020933 > -- Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --001a114b17ee780ba1054850e69d Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable


On Fri, Feb 10, 2017 at 1:22 PM, Gayan Gunawardana <gayan@wso2.com<= /a>> wrote:
For given SCIM implementation if I have multiple user stores underneath.=

Idea of multiple user stores from organizational perspective, supp= ose I have LDAP for employee information and separate AD for customer infor= mation.

How can I list or filter result from customer us= er store ?

Similarly how can I add a user to customer use= r store ?

=C2=A0What is the best way to specify user sto= re domain in the SCIM request?
--



--
Gayan Gunawardana
<= div> Software Engineer; WSO2 = Inc.; http://wso2.com/
--001a114b17ee780ba1054850e69d-- From nobody Tue Feb 14 10:44:33 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 869D5129547 for ; Tue, 14 Feb 2017 10:44:32 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.788 X-Spam-Level: X-Spam-Status: No, score=-3.788 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.887, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sailpoint.onmicrosoft.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FI-QBhB3weBA for ; Tue, 14 Feb 2017 10:44:29 -0800 (PST) Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0132.outbound.protection.outlook.com [104.47.41.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87889129570 for ; Tue, 14 Feb 2017 10:44:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sailpoint.onmicrosoft.com; s=selector1-sailpoint-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Gxl7D6PSNlPhIFb2BfPhaBx7kDbM7/eF71nSiIdUFzI=; b=kLFSNNBX/p1Ceon6KowaXmFJQa4SuSHs2hpIw7wRVVtyKDJbLFcRReCZZOOPettBJ3yb7dNcqvzIJrnHdb4py2vBZem1UZlJMW1FUwwkO+2xYMyOF0kPqFeW88cVukuoGwypQhqUaQ+g+OFSq2WxEJW7HQe+cc8UHyw/3Y9NKRY= Received: from CY1PR04MB2363.namprd04.prod.outlook.com (10.167.10.143) by CY1PR04MB2362.namprd04.prod.outlook.com (10.167.10.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Tue, 14 Feb 2017 18:44:27 +0000 Received: from CY1PR04MB2363.namprd04.prod.outlook.com ([10.167.10.143]) by CY1PR04MB2363.namprd04.prod.outlook.com ([10.167.10.143]) with mapi id 15.01.0888.030; Tue, 14 Feb 2017 18:44:27 +0000 From: Kelly Grizzle To: Gayan Gunawardana , "scim@ietf.org" , Phil Hunt Thread-Topic: [scim] Question regarding multiple User Stores Thread-Index: AQHSg3KyBjFlMBvWp0+GQNL0wlRiGaFlCMUAgAPT5CA= Date: Tue, 14 Feb 2017 18:44:27 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=kelly.grizzle@sailpoint.com; x-originating-ip: [2605:ed00:f006:716:19ef:fb08:91bb:1d42] x-ms-office365-filtering-correlation-id: d105fdf8-1abc-4524-7020-08d455098102 x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:CY1PR04MB2362; x-microsoft-exchange-diagnostics: 1; CY1PR04MB2362; 7:gcUsye4AEpBwXeASPQjj5fc5Y8bd9ZtxiCmVr7pZJYK+SFFvlMSfbxpqfcn1OIgvlrEYjdOff0OEBdIJcCaMhoO7KhA/Q1MrL70IdsEeYJOJW4jaD1E9lA687IQACm7gFgRnxTr3d6g7oV1b9Rm2UY918IKI63ICkh/rGAKigH9jFNy/8VN1nGr2Eqi7lvU/DJkM7bIGLJ2Q1pmpENkrpZAqKFvvsYtUEcADCZPDb0s1VGRYvYXwm4P9z6Xlvpde6eKK0hX0QdcITBnHWs3ghZg1dDO8RduKCZlagzgkpGg/VEiLgtFBcsAS1gD4ysbmQ+lX7gazHlR0TLMnBDv+M+76/L7WJ3FGv3Mlh7x0q0j7Dc7Gc/VHCOAWOQQLGVCMLFRsUcAC2n+j9CMZYDoEh6Kw6d2Erbz9IynolT2Paiw8+7By3yi2OQnPhIyCc5LEy1BfCU5PsvvkVUZfJH8e9QHAv3C8pWCBEnb7YVF4fwn4nqW9ONOA56HPHnbva2DxhWzrNNWCyphL4PfjuQgphg== x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(158342451672863)(139090996175007)(21748063052155)(146099531331640); x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6041248)(20161123562025)(20161123564025)(20161123555025)(20161123558025)(20161123560025)(6072148); SRVR:CY1PR04MB2362; BCL:0; PCL:0; RULEID:; SRVR:CY1PR04MB2362; x-forefront-prvs: 0218A015FA x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39450400003)(377454003)(189002)(24454002)(199003)(252514010)(106356001)(53936002)(966004)(76176999)(50986999)(54356999)(8936002)(19609705001)(53376002)(7906003)(6246003)(86362001)(105586002)(106116001)(25786008)(68736007)(81003)(81156014)(81166006)(38730400002)(77096006)(74316002)(7736002)(101416001)(8676002)(2950100002)(6116002)(7696004)(92566002)(790700001)(229853002)(102836003)(6436002)(6506006)(606005)(33656002)(3280700002)(55016002)(99286003)(5660300001)(2906002)(122556002)(97736004)(2501003)(6306002)(9686003)(54896002)(236005)(3660700001)(2900100001)(189998001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR04MB2362; H:CY1PR04MB2363.namprd04.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; received-spf: None (protection.outlook.com: sailpoint.com does not designate permitted sender hosts) spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: multipart/alternative; boundary="_000_CY1PR04MB2363E529EB9A3C99874440F4E2580CY1PR04MB2363namp_" MIME-Version: 1.0 X-OriginatorOrg: sailpoint.com X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Feb 2017 18:44:27.2008 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 9c848b2a-49ba-4c39-9749-118d06717a84 X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR04MB2362 Archived-At: Subject: Re: [scim] Question regarding multiple User Stores X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Feb 2017 18:44:32 -0000 --_000_CY1PR04MB2363E529EB9A3C99874440F4E2580CY1PR04MB2363namp_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 VGhlcmUgYXJlIGRpZmZlcmVudCBvcHRpb25zIGhlcmUgZGVwZW5kaW5nIG9uIHdoZXRoZXIgaXQg aXMgZmVhc2libGUgZm9yIHRoZSBzZXJ2ZXIgdG8gcHJlc2VudCBhIHNpbmdsZSAvVXNlcnMgZW5k cG9pbnQgYWNyb3NzIGJvdGggc3RvcmVzIChmb3IgZXhhbXBsZSwgY2FuIHlvdSBxdWVyeSwgc29y dCwgYW5kIHBhZ2UgYmV0d2VlbiBib3RoIHN0b3JlcyB3aGVuIHNvbWVvbmUgbWFrZXMgYSByZXF1 ZXN0IGFnYWluc3QgL1VzZXJzKS4NCg0KSWYgcG9zc2libGUsIEkgd291bGQgc2F5IHRoYXQgaXQg d291bGQgYmUgcHJlZmVyYWJsZSB0byBpbmNsdWRlIGJvdGggdW5kZXIgdGhlIC9Vc2VycyBlbmRw b2ludC4gIFlvdSBjb3VsZCBkZWZpbmUgYSBuZXcgYXR0cmlidXRlIGluIGFuIGV4dGVuZGVkIHNj aGVtYSB0aGF0IGluZGljYXRlcyB3aGljaCBzdG9yZSB0aGUgdXNlciBpcyBhIHBhcnQgb2YuDQoN CklmIHVzaW5nIGEgc2luZ2xlLCB1bmlmaWVkIC9Vc2VycyBlbmRwb2ludCBpcyBub3QgdGVjaG5p Y2FsbHkgZmVhc2libGUsIHRoZW4geW914oCZbGwgcHJvYmFibHkgbmVlZCB0byBjcmVhdGUgYSBu ZXcgUmVzb3VyY2VUeXBlIGZvciBvbmUgb2YgdGhlc2UuDQoNCi0tS2VsbHkNCg0KRnJvbTogc2Np bSBbbWFpbHRvOnNjaW0tYm91bmNlc0BpZXRmLm9yZ10gT24gQmVoYWxmIE9mIEdheWFuIEd1bmF3 YXJkYW5hDQpTZW50OiBTdW5kYXksIEZlYnJ1YXJ5IDEyLCAyMDE3IDI6MTMgQU0NClRvOiBzY2lt QGlldGYub3JnOyBQaGlsIEh1bnQgPHBoaWwuaHVudEBvcmFjbGUuY29tPg0KU3ViamVjdDogUmU6 IFtzY2ltXSBRdWVzdGlvbiByZWdhcmRpbmcgbXVsdGlwbGUgVXNlciBTdG9yZXMNCg0KDQoNCk9u IEZyaSwgRmViIDEwLCAyMDE3IGF0IDE6MjIgUE0sIEdheWFuIEd1bmF3YXJkYW5hIDxnYXlhbkB3 c28yLmNvbTxtYWlsdG86Z2F5YW5Ad3NvMi5jb20+PiB3cm90ZToNCkZvciBnaXZlbiBTQ0lNIGlt cGxlbWVudGF0aW9uIGlmIEkgaGF2ZSBtdWx0aXBsZSB1c2VyIHN0b3JlcyB1bmRlcm5lYXRoLg0K DQpJZGVhIG9mIG11bHRpcGxlIHVzZXIgc3RvcmVzIGZyb20gb3JnYW5pemF0aW9uYWwgcGVyc3Bl Y3RpdmUsIHN1cHBvc2UgSSBoYXZlIExEQVAgZm9yIGVtcGxveWVlIGluZm9ybWF0aW9uIGFuZCBz ZXBhcmF0ZSBBRCBmb3IgY3VzdG9tZXIgaW5mb3JtYXRpb24uDQpIb3cgY2FuIEkgbGlzdCBvciBm aWx0ZXIgcmVzdWx0IGZyb20gY3VzdG9tZXIgdXNlciBzdG9yZSA/DQpTaW1pbGFybHkgaG93IGNh biBJIGFkZCBhIHVzZXIgdG8gY3VzdG9tZXIgdXNlciBzdG9yZSA/DQoNCiBXaGF0IGlzIHRoZSBi ZXN0IHdheSB0byBzcGVjaWZ5IHVzZXIgc3RvcmUgZG9tYWluIGluIHRoZSBTQ0lNIHJlcXVlc3Q/ DQotLQ0KR2F5YW4gR3VuYXdhcmRhbmENClNvZnR3YXJlIEVuZ2luZWVyOyBXU08yIEluYy47IGh0 dHA6Ly93c28yLmNvbS8NCkVtYWlsOiBnYXlhbkB3c28yLmNvbTxtYWlsdG86Z2F5YW5Ad3NvMi5j b20+DQpNb2JpbGU6ICs5NCAoNzEpIDgwMjA5MzMNCg0KDQoNCi0tDQpHYXlhbiBHdW5hd2FyZGFu YQ0KU29mdHdhcmUgRW5naW5lZXI7IFdTTzIgSW5jLjsgaHR0cDovL3dzbzIuY29tLw0KRW1haWw6 IGdheWFuQHdzbzIuY29tPG1haWx0bzpnYXlhbkB3c28yLmNvbT4NCk1vYmlsZTogKzk0ICg3MSkg ODAyMDkzMw0K --_000_CY1PR04MB2363E529EB9A3C99874440F4E2580CY1PR04MB2363namp_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 IkNhbWJyaWEgTWF0aCI7DQoJcGFub3NlLTE6MiA0IDUgMyA1IDQgNiAzIDIgNDt9DQpAZm9udC1m YWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAy IDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWws IGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJ Zm9udC1zaXplOjEyLjBwdDsNCglmb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFuIixzZXJpZjt9 DQphOmxpbmssIHNwYW4uTXNvSHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCglj b2xvcjpibHVlOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2aXNpdGVkLCBzcGFu Lk1zb0h5cGVybGlua0ZvbGxvd2VkDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjpw dXJwbGU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQpwLm1zb25vcm1hbDAsIGxpLm1z b25vcm1hbDAsIGRpdi5tc29ub3JtYWwwDQoJe21zby1zdHlsZS1uYW1lOm1zb25vcm1hbDsNCglt c28tbWFyZ2luLXRvcC1hbHQ6YXV0bzsNCgltYXJnaW4tcmlnaHQ6MGluOw0KCW1zby1tYXJnaW4t Ym90dG9tLWFsdDphdXRvOw0KCW1hcmdpbi1sZWZ0OjBpbjsNCglmb250LXNpemU6MTIuMHB0Ow0K CWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iLHNlcmlmO30NCnNwYW4uaG9lbnpiDQoJe21z by1zdHlsZS1uYW1lOmhvZW56Yjt9DQpzcGFuLkVtYWlsU3R5bGUxOQ0KCXttc28tc3R5bGUtdHlw ZTpwZXJzb25hbC1yZXBseTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fucy1zZXJpZjsNCglj b2xvcjp3aW5kb3d0ZXh0O30NCi5Nc29DaHBEZWZhdWx0DQoJe21zby1zdHlsZS10eXBlOmV4cG9y dC1vbmx5Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmO30NCkBwYWdlIFdvcmRT ZWN0aW9uMQ0KCXtzaXplOjguNWluIDExLjBpbjsNCgltYXJnaW46MS4waW4gMS4waW4gMS4waW4g MS4waW47fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9uMTt9DQotLT48L3N0 eWxlPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVkZWZhdWx0cyB2OmV4dD0iZWRp dCIgc3BpZG1heD0iMTAyNiIgLz4NCjwveG1sPjwhW2VuZGlmXS0tPjwhLS1baWYgZ3RlIG1zbyA5 XT48eG1sPg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVkaXQiPg0KPG86aWRtYXAgdjpleHQ9ImVk aXQiIGRhdGE9IjEiIC8+DQo8L286c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5kaWZdLS0+DQo8L2hl YWQ+DQo8Ym9keSBsYW5nPSJFTi1VUyIgbGluaz0iYmx1ZSIgdmxpbms9InB1cnBsZSI+DQo8ZGl2 IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNl cmlmIj5UaGVyZSBhcmUgZGlmZmVyZW50IG9wdGlvbnMgaGVyZSBkZXBlbmRpbmcgb24gd2hldGhl ciBpdCBpcyBmZWFzaWJsZSBmb3IgdGhlIHNlcnZlciB0byBwcmVzZW50IGEgc2luZ2xlIC9Vc2Vy cyBlbmRwb2ludCBhY3Jvc3MgYm90aCBzdG9yZXMgKGZvciBleGFtcGxlLCBjYW4geW91IHF1ZXJ5 LCBzb3J0LA0KIGFuZCBwYWdlIGJldHdlZW4gYm90aCBzdG9yZXMgd2hlbiBzb21lb25lIG1ha2Vz IGEgcmVxdWVzdCBhZ2FpbnN0IC9Vc2VycykuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48 L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtm b250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPklmIHBvc3NpYmxlLCBJ IHdvdWxkIHNheSB0aGF0IGl0IHdvdWxkIGJlIHByZWZlcmFibGUgdG8gaW5jbHVkZSBib3RoIHVu ZGVyIHRoZSAvVXNlcnMgZW5kcG9pbnQuJm5ic3A7IFlvdSBjb3VsZCBkZWZpbmUgYSBuZXcgYXR0 cmlidXRlIGluIGFuIGV4dGVuZGVkIHNjaGVtYSB0aGF0IGluZGljYXRlcyB3aGljaA0KIHN0b3Jl IHRoZSB1c2VyIGlzIGEgcGFydCBvZi48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVv dDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWYiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+SWYgdXNpbmcgYSBzaW5nbGUs IHVuaWZpZWQgL1VzZXJzIGVuZHBvaW50IGlzIG5vdCB0ZWNobmljYWxseSBmZWFzaWJsZSwgdGhl biB5b3XigJlsbCBwcm9iYWJseSBuZWVkIHRvIGNyZWF0ZSBhIG5ldyBSZXNvdXJjZVR5cGUgZm9y IG9uZSBvZiB0aGVzZS48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJp JnF1b3Q7LHNhbnMtc2VyaWYiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZx dW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+LS1LZWxseTxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+PG86cD4mbmJzcDs8L286 cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNwYW4gc3R5bGU9ImZvbnQt c2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj5G cm9tOjwvc3Bhbj48L2I+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6 JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmIj4gc2NpbSBbbWFpbHRvOnNjaW0tYm91bmNl c0BpZXRmLm9yZ10NCjxiPk9uIEJlaGFsZiBPZiA8L2I+R2F5YW4gR3VuYXdhcmRhbmE8YnI+DQo8 Yj5TZW50OjwvYj4gU3VuZGF5LCBGZWJydWFyeSAxMiwgMjAxNyAyOjEzIEFNPGJyPg0KPGI+VG86 PC9iPiBzY2ltQGlldGYub3JnOyBQaGlsIEh1bnQgJmx0O3BoaWwuaHVudEBvcmFjbGUuY29tJmd0 Ozxicj4NCjxiPlN1YmplY3Q6PC9iPiBSZTogW3NjaW1dIFF1ZXN0aW9uIHJlZ2FyZGluZyBtdWx0 aXBsZSBVc2VyIFN0b3JlczxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PG86cD4mbmJzcDs8L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+T24gRnJp LCBGZWIgMTAsIDIwMTcgYXQgMToyMiBQTSwgR2F5YW4gR3VuYXdhcmRhbmEgJmx0OzxhIGhyZWY9 Im1haWx0bzpnYXlhbkB3c28yLmNvbSIgdGFyZ2V0PSJfYmxhbmsiPmdheWFuQHdzbzIuY29tPC9h PiZndDsgd3JvdGU6PG86cD48L286cD48L3A+DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5v bmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAxLjBwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDYu MHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdpbi1yaWdodDowaW4iPg0KPGRpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWJvdHRvbToxMi4wcHQiPkZvciBnaXZl biBTQ0lNIGltcGxlbWVudGF0aW9uIGlmIEkgaGF2ZSBtdWx0aXBsZSB1c2VyIHN0b3JlcyB1bmRl cm5lYXRoLg0KPGJyPg0KPGJyPg0KSWRlYSBvZiBtdWx0aXBsZSB1c2VyIHN0b3JlcyBmcm9tIG9y Z2FuaXphdGlvbmFsIHBlcnNwZWN0aXZlLCBzdXBwb3NlIEkgaGF2ZSBMREFQIGZvciBlbXBsb3ll ZSBpbmZvcm1hdGlvbiBhbmQgc2VwYXJhdGUgQUQgZm9yIGN1c3RvbWVyIGluZm9ybWF0aW9uLg0K PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHls ZT0ibWFyZ2luLWJvdHRvbToxMi4wcHQiPkhvdyBjYW4gSSBsaXN0IG9yIGZpbHRlciByZXN1bHQg ZnJvbSBjdXN0b21lciB1c2VyIHN0b3JlID88bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPlNpbWlsYXJseSBob3cgY2FuIEkgYWRkIGEgdXNlciB0byBj dXN0b21lciB1c2VyIHN0b3JlID8gPG86cD4NCjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxicj4NCiZuYnNwO1doYXQgaXMgdGhlIGJlc3Qgd2F5IHRvIHNw ZWNpZnkgdXNlciBzdG9yZSBkb21haW4gaW4gdGhlIFNDSU0gcmVxdWVzdD88bzpwPjwvbzpwPjwv cD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xv cjojODg4ODg4Ij4tLSA8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZx dW90O0FyaWFsJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6Izg4ODg4OCI+R2F5YW4gR3VuYXdhcmRh bmE8L3NwYW4+PHNwYW4gc3R5bGU9ImNvbG9yOiM4ODg4ODgiPjxvOnA+PC9vOnA+PC9zcGFuPjwv cD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6 JnF1b3Q7QXJpYWwmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojODg4ODg4Ij5Tb2Z0d2FyZSBFbmdp bmVlcjsgV1NPMiBJbmMuOw0KPGEgaHJlZj0iaHR0cDovL3dzbzIuY29tLyIgdGFyZ2V0PSJfYmxh bmsiPmh0dHA6Ly93c28yLmNvbS88L2E+PC9zcGFuPjxzcGFuIHN0eWxlPSJjb2xvcjojODg4ODg4 Ij48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssc2Fucy1zZXJp Zjtjb2xvcjojODg4ODg4Ij5FbWFpbDoNCjxhIGhyZWY9Im1haWx0bzpnYXlhbkB3c28yLmNvbSIg dGFyZ2V0PSJfYmxhbmsiPmdheWFuQHdzbzIuY29tPC9hPiA8L3NwYW4+PHNwYW4gc3R5bGU9ImNv bG9yOiM4ODg4ODgiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTomcXVvdDtBcmlhbCZxdW90 OyxzYW5zLXNlcmlmO2NvbG9yOiM4ODg4ODgiPk1vYmlsZTogJiM0Mzs5NCAoNzEpIDgwMjA5MzM8 L3NwYW4+PHNwYW4gc3R5bGU9ImNvbG9yOiM4ODg4ODgiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0K PC9ibG9ja3F1b3RlPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48YnI+DQo8YnIgY2xl YXI9ImFsbCI+DQo8YnI+DQotLSA8bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6JnF1 b3Q7QXJpYWwmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojODg4ODg4Ij5HYXlhbiBHdW5hd2FyZGFu YTwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3Bh biBzdHlsZT0iZm9udC1mYW1pbHk6JnF1b3Q7QXJpYWwmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjoj ODg4ODg4Ij5Tb2Z0d2FyZSBFbmdpbmVlcjsgV1NPMiBJbmMuOw0KPGEgaHJlZj0iaHR0cDovL3dz bzIuY29tLyIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly93c28yLmNvbS88L2E+PC9zcGFuPjxvOnA+ PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5 bGU9ImZvbnQtZmFtaWx5OiZxdW90O0FyaWFsJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6Izg4ODg4 OCI+RW1haWw6DQo8YSBocmVmPSJtYWlsdG86Z2F5YW5Ad3NvMi5jb20iIHRhcmdldD0iX2JsYW5r Ij5nYXlhbkB3c28yLmNvbTwvYT4gPC9zcGFuPjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OiZxdW90O0Fy aWFsJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6Izg4ODg4OCI+TW9iaWxlOiAmIzQzOzk0ICg3MSkg ODAyMDkzMzwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwv ZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9odG1sPg0K --_000_CY1PR04MB2363E529EB9A3C99874440F4E2580CY1PR04MB2363namp_-- From nobody Sat Feb 18 05:54:46 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC6D1129516 for ; Sat, 18 Feb 2017 05:54:44 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b0zAj-ZqcLaD for ; Sat, 18 Feb 2017 05:54:42 -0800 (PST) Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5E791294FD for ; Sat, 18 Feb 2017 05:54:41 -0800 (PST) Received: by mail-wm0-x233.google.com with SMTP id r141so26361026wmg.1 for ; Sat, 18 Feb 2017 05:54:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=C88+BnjWv7dKkPxgjTST+YpRehQXwujE6WNBFp0FZNo=; b=jYXW7rTd33a18ApeznehiW4JvBKMN8XjFOJRc1lvsHDpm1/dvqQE9x/7ZTIXlDzZ7C co4asHhusvYXb8hTuv4YEOLnidz3xceQg+Pky5W2qS2hC9IaAd58nRpnQCAUINa7/kIX OmREPkOLADwAAaZDOP+uzGEafYc2HgQr9cop8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=C88+BnjWv7dKkPxgjTST+YpRehQXwujE6WNBFp0FZNo=; b=KLMz/3GpYl28mOWKF8sQo2Wr+UthwgDPF5EdabmP6l4SQGY8XEmfWH8yD9P6m4M6nm VzWaMFOtWtqu/gbWq2FNRQzlacc1k32Zv7vvQozfViuADp+4hqGhWjGGjpf/apsPxfA8 djx52N5L2g340/3Kb2QJI9/8g8Bc0ZDpIhE2yu3LUB03WsrKhFjdSGkp9blDD5tIXJv3 vIOVs0VNonq6e/1Y5Ra/scNJAzcOn1Z/xksTvPbV7jfgza5PJ/rdSYiSKkaZVZyRdJHS Bjs9rZnpfqi92Aj6HE5me2RegtUTLF6da1sK/Q2f/Z7aPf4YGt59gYBRt23ymN9+HAuT ZLUw== X-Gm-Message-State: AMke39nG2KmXqEL+eSILLgsMfJPbE24k6vPXz9iaTDOweDT4LQkQm+WJzFp/5oX134LLHy/JYmWe8V+kr5FFPhxz X-Received: by 10.28.109.70 with SMTP id i67mr8902854wmc.102.1487426080011; Sat, 18 Feb 2017 05:54:40 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.134.169 with HTTP; Sat, 18 Feb 2017 05:54:39 -0800 (PST) In-Reply-To: References: From: Gayan Gunawardana Date: Sat, 18 Feb 2017 19:24:39 +0530 Message-ID: To: Kelly Grizzle Content-Type: multipart/alternative; boundary=001a11468c7e21163b0548ce5faf Archived-At: Cc: "scim@ietf.org" , Phil Hunt Subject: Re: [scim] Question regarding multiple User Stores X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Feb 2017 13:54:45 -0000 --001a11468c7e21163b0548ce5faf Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable HI Kelly, On Wed, Feb 15, 2017 at 12:14 AM, Kelly Grizzle wrote: > There are different options here depending on whether it is feasible for > the server to present a single /Users endpoint across both stores (for > example, can you query, sort, and page between both stores when someone > makes a request against /Users). > Yes. Idea is to present single /Users endpoint across both stores. > > > If possible, I would say that it would be preferable to include both unde= r > the /Users endpoint. You could define a new attribute in an extended > schema that indicates which store the user is a part of. > Of course this is great. Thanks Kelly. > > > If using a single, unified /Users endpoint is not technically feasible, > then you=E2=80=99ll probably need to create a new ResourceType for one of= these. > > > > --Kelly > > > > *From:* scim [mailto:scim-bounces@ietf.org] *On Behalf Of *Gayan > Gunawardana > *Sent:* Sunday, February 12, 2017 2:13 AM > *To:* scim@ietf.org; Phil Hunt > *Subject:* Re: [scim] Question regarding multiple User Stores > > > > > > > > On Fri, Feb 10, 2017 at 1:22 PM, Gayan Gunawardana wrote= : > > For given SCIM implementation if I have multiple user stores underneath. > > Idea of multiple user stores from organizational perspective, suppose I > have LDAP for employee information and separate AD for customer > information. > > How can I list or filter result from customer user store ? > > Similarly how can I add a user to customer user store ? > > > What is the best way to specify user store domain in the SCIM request? > > -- > > Gayan Gunawardana > > Software Engineer; WSO2 Inc.; http://wso2.com/ > > Email: gayan@wso2.com > > Mobile: +94 (71) 8020933 <+94%2071%20802%200933> > > > > > -- > > Gayan Gunawardana > > Software Engineer; WSO2 Inc.; http://wso2.com/ > > Email: gayan@wso2.com > > Mobile: +94 (71) 8020933 <+94%2071%20802%200933> > --=20 Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --001a11468c7e21163b0548ce5faf Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
HI Kelly,

On Wed, Feb 15, 2017 at 12:14 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:

There are different options here depending on wheth= er it is feasible for the server to present a single /Users endpoint across= both stores (for example, can you query, sort, and page between both stores when someone makes a request against /Users).=

Yes. Idea is to present single /Us= ers endpoint across both stores.
<= div link=3D"blue" vlink=3D"purple" lang=3D"EN-US">

=C2=A0

If possible, I would say that it would be preferabl= e to include both under the /Users endpoint.=C2=A0 You could define a new a= ttribute in an extended schema that indicates which store the user is a part of.

Of co= urse this is great. Thanks Kelly. =C2=A0

=C2=A0

If using a single, unified /Users endpoint is not t= echnically feasible, then you=E2=80=99ll probably need to create a new Reso= urceType for one of these.

=C2=A0

--Kelly

=C2=A0

From: scim [mailto:scim-bounces@ietf.org] On Behalf Of Gayan Gunawardana
Sent: Sunday, February 12, 2017 2:13 AM
To: scim@ietf.org= ; Phil Hunt <phil.hunt@oracle.com>
Subject: Re: [scim] Question regarding multiple User Stores

=C2=A0

=C2=A0

=C2=A0

On Fri, Feb 10, 2017 at 1:22 PM, Gayan Gunawardana &= lt;gayan@wso2.com&g= t; wrote:

For given SCIM implem= entation if I have multiple user stores underneath.

Idea of multiple user stores from organizational perspective, suppose I hav= e LDAP for employee information and separate AD for customer information.

How can I list or fil= ter result from customer user store ?

Similarly how can I add a user to customer user stor= e ?


=C2=A0What is the best way to specify user store domain in the SCIM request= ?

--

Gayan Gunawardana

Software Engineer; WSO2 Inc.; http://wso2.com/<= span style=3D"color:#888888">




--

Gayan Gunawardana

Software Engineer; WSO2 Inc.; http://wso2.com/<= u>




--
Gayan Gunawardana
<= div> Software Engineer; WSO2 = Inc.; http://wso2.com/
--001a11468c7e21163b0548ce5faf-- From nobody Tue Feb 28 08:47:47 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B645112962F for ; Tue, 28 Feb 2017 08:47:45 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.899 X-Spam-Level: X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ozYUFJXo0c6i for ; Tue, 28 Feb 2017 08:47:43 -0800 (PST) Received: from mail-ot0-x231.google.com (mail-ot0-x231.google.com [IPv6:2607:f8b0:4003:c0f::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B38A1129634 for ; Tue, 28 Feb 2017 08:47:43 -0800 (PST) Received: by mail-ot0-x231.google.com with SMTP id w44so11632653otw.2 for ; Tue, 28 Feb 2017 08:47:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YCeXSJXNX2d365sRBC9Z1encmqWgAehD/01UbBLMIF0=; b=HA7JVBbwbcXyLiNPE+8KytZ+/WPbiFdLG7W/eL3BwhiM83uLoSbcz+OAsESm8U0i+N Lm5x16tb8JkQ1hw9ktAi+5m4b+sGS1McoEBaBIhfDCGMuxEj5Pv3YwEFZ8FoXcJkix8S YKjklqWQf2VXNZEvzdBZ0AbHZcMZEgAEj1M2Rq05QMvz2p9fhkS5S3PGwsirELNGCwck NWm/ydyYhR0AKuSNdmFlZigyMuchP6P+YjpyuqXDw57RZp7QNJT0K9+SnwzZdIC5Ir2y CCIuvjXm1mLdB9AVzwR5RSQI6unLzyF8oGzZ9G4jXyK4KdcR/BtpBKE47isd52nbdvC5 dYDw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YCeXSJXNX2d365sRBC9Z1encmqWgAehD/01UbBLMIF0=; b=tad2mP2tkAP0RFId1PTlNzALpasEwwtoh4Lz7bBgSlX6Hmq3fPHhdQAlr0vMvNNoBw zSf2ppgLThgcTyTQM8U2eS6tQcU8GmSBl3byDVZRYu3xk5M1tig5X1uqJtkVOmwsa5bv L/XGcaIcxtYahlTva2gFX+xkdWTtEJ5bBbMdqd9Qx5GtvHWqQXyb6xpgJBKAdUXXoCfH oDNPBVwDxedCZB3OE2/+9UwdBumMEz3HnI2pd8OeQ6OxMHyRup6TQx9dkv+kTNn4SyIU 8zZAE+DOADB+y+ZqyMq9AuPIacKfK8RkqT+als+cJ8Y6SnoFYVkDV2LJHv4kIwQBZ/Ne FdiA== X-Gm-Message-State: AMke39llJQF13WMwVGD0InQ+I2Kz4aIOIemiY979i1zvowQUwKSgNDvwWSuH54rhrQHzWN7NNKaXrX4eWVm0nA== X-Received: by 10.157.34.120 with SMTP id o111mr1851587ota.164.1488300462609; Tue, 28 Feb 2017 08:47:42 -0800 (PST) MIME-Version: 1.0 Received: by 10.182.125.40 with HTTP; Tue, 28 Feb 2017 08:47:42 -0800 (PST) In-Reply-To: References: From: Samuel Erdtman Date: Tue, 28 Feb 2017 17:47:42 +0100 Message-ID: To: Darshana Gunawardana Content-Type: multipart/alternative; boundary=001a113c2b1e64ad04054999f4bb Archived-At: Cc: "scim@ietf.org" , Omindu Rathnaweera Subject: Re: [scim] Does SCIM 2.0 have a compliance test suite? X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Feb 2017 16:47:45 -0000 --001a113c2b1e64ad04054999f4bb Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable The SCIM 1.1 tests where made by me and Erik Wahlstr=C3=B6m. The code can be found here and here Don=C2=B4t think you should rely to much on the structure setup there. //Samuel On Tue, Feb 7, 2017 at 9:15 AM, Darshana Gunawardana wrote: > Hi Samuel, > > Thanks for the response..! > > My colleges from WSO2 are in the process of implementing SCIM 2.0 server > and currently people working on improving the test coverage on that. > > If there is no work done on this, we can check on creating common SCIM 2.= 0 > suite and contributing back to the community. Wanted to check whether it > would be useful to implement common SCIM 2.0 suite thing. > > If this is something useful to have, we can check on possible ways of > getting interested persons... > > And can I know references on the implementations on the test suite done o= n > SCIM 1.1? So I can get an idea on the current design and effort needed to > implement in that way. > > Thanks, > Darshana > > On Tue, Feb 7, 2017 at 1:06 PM, Samuel Erdtman wrote: > >> There is currently no such tool as far as I know. >> >> That it says ongoing is a bit too optimistic, there is no ongoing work a= s >> far as I know. >> >> You are not the only one asking for this so maybe a few persons could do >> some cooperation and create something. >> >> >> On Tue, 7 Feb 2017 at 07:37, Darshana Gunawardana >> wrote: >> >>> Hi, >>> >>> Is there a test tool that can used to check compliance with the SCIM 2.= 0 >>> specification? >>> >>> The site [1] specifies that there is an ongoing effort. Is this an open >>> source effort where someone interested can try prototype versions and >>> contribute for the development? >>> >>> [1] http://www.simplecloud.info/ >>> [2] "Work on SCIM 2.0 tests is under development and there are currentl= y >>> no support for the enterprise extension" >>> >>> Thanks, >>> -- >>> With Regards, >>> >>> Darshana Gunawardana, >>> Alumni : Dept. of Computer Science & Engineering, >>> University of Moratuwa, >>> Sri Lanka >>> _______________________________________________ >>> scim mailing list >>> scim@ietf.org >>> https://www.ietf.org/mailman/listinfo/scim >>> >> > > > -- > With Regards, > > Darshana Gunawardana, > Alumni : Dept. of Computer Science & Engineering, > University of Moratuwa, > Sri Lanka > --001a113c2b1e64ad04054999f4bb Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
The SCIM 1.1 tests where made by me and Eri= k Wahlstr=C3=B6m.

The code can be found here and here

Don=C2=B4t think you should rely t= o much on the structure setup there.

//Samuel

On Tue, Feb 7, 2017 at 9= :15 AM, Darshana Gunawardana <darshanasbg@gmail.com> wro= te:
Hi Samuel,

<= /div>
Thanks for the response..!

My colleges f= rom WSO2 are in the process of implementing SCIM 2.0 server and currently p= eople working on improving the test coverage on that.

<= div>If there is no work done on this, we can check on creating common SCIM = 2.0 suite and contributing back to the community. Wanted to check whether i= t would be useful to implement common SCIM 2.0 suite thing.

<= /div>
If this is something useful to have, we can check on possible way= s of getting interested persons...

And can I know = references on the implementations on the test suite done on SCIM 1.1? So I = can get an idea on the current design and effort needed to implement in tha= t way.

Thanks,
Darshana

On Tue, Feb 7, 2017 at 1:06 PM, Samuel Erdtman <= samuel@erdtman.se> wrote:
There is currently no such tool as far as I know.

That it says ongoing is a bit too optimistic, there is no ongoing work a= s far as I know.



Hi,

Is there a test tool that can used to check= compliance with the SCIM 2.0 specification?

The site [1] specifi= es that there is an ongoing effort. Is this an open source effort where som= eone interested can try prototype versions and contribute for the developme= nt?=C2=A0

[1]=C2=A0http://www.simplecloud.info/
[2] "Work on SCIM 2= .0 tests is under development and there are currently no support for the en= terprise extension"

Thanks,
--
With Regards,
<= div class=3D"m_-4371476814579939738gmail-m_-4844266541294802224gmail_msg"><= br class=3D"m_-4371476814579939738gmail-m_-4844266541294802224gmail_msg">Darshana Gunawardana,
Alumni : Dept. of Computer Science & Engineerin= g,
University of Moratuwa,
Sri Lanka
_______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim



--
With Regar= ds,

Darshana Gunawardana,
Alumni : Dept. of Computer= Science & Engineering,
University of Moratuwa,
Sri Lanka

--001a113c2b1e64ad04054999f4bb-- From nobody Tue Feb 28 09:30:24 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16263129618 for ; Tue, 28 Feb 2017 09:30:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o3ejxAl8z-e7 for ; Tue, 28 Feb 2017 09:30:21 -0800 (PST) Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 639B81295EF for ; Tue, 28 Feb 2017 09:30:21 -0800 (PST) Received: by mail-wm0-x22e.google.com with SMTP id u199so17613708wmd.1 for ; Tue, 28 Feb 2017 09:30:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=SkeHcgmiIdvgW1XW0eu6tIB0l5Nt2jQ2qv4LVAiQOCM=; b=esTOib7kev2E3FHCYFZD1dby4d/F1ZBKjVQ9sHU9LhVVegrIKFVH/XBwtgoZ+fKtQO qJj4KN3E19aBWaWIBz87GDEZqBRAbU5WOimCD+F2kV48MLZR7ppX5q5XcJlW6ApDaDSU IAJVGQkF0Ix1NFu2DdaCQ1CSDTvraGpl4twI0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=SkeHcgmiIdvgW1XW0eu6tIB0l5Nt2jQ2qv4LVAiQOCM=; b=ePhVaUGnEFyzpJQDogaMUf5/YlHF1AF8t6N4qer0CFzrl8m9TlvHpeCTs88oK70+Qk QTYvgC4cn01+FcG34yVHVPKDJ9FBTxxd+2xIESkELHY2nj4C5tY8++uVdxOCtqXhr4GZ e24atUwMFTdawerlEMn3RQypxynHhYxufgbuDf6xRmYYvnCWktk5FCkXxnrOSyLTbatj R7auiu5JzAa/RjuwAHgM62/FeVqACLwOvjoM2u5Po42J/aucVzNwizp4KlqbHzxYQV34 axQn6O8Af++2uH1jaauvJZWAt90LYXlCNrl50XeTdwFWlD9OlGQ+uM+QGiEROSQVtAsk MuVw== X-Gm-Message-State: AMke39nKAjC1juKgLEXryA9N++AJ46zEXS3x7uFM5p7/Ny5SuwRzBXDPg1S+7Vyu+BQ7EGwdYpED7TSnUstO/5p3 X-Received: by 10.28.94.8 with SMTP id s8mr18806512wmb.117.1488303019590; Tue, 28 Feb 2017 09:30:19 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.143.109 with HTTP; Tue, 28 Feb 2017 09:30:18 -0800 (PST) From: Gayan Gunawardana Date: Tue, 28 Feb 2017 23:00:18 +0530 Message-ID: To: scim@ietf.org Content-Type: multipart/alternative; boundary=001a11469304cd979805499a8c1d Archived-At: Subject: [scim] Addition attributes for SCIM meta data X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Feb 2017 17:30:23 -0000 --001a11469304cd979805499a8c1d Content-Type: text/plain; charset=UTF-8 Hi All, According to [1] available meta data attributes are resourceType, created, lastModified, location and version. Is there any flexibility to define custom meta data attributes ? Suppose I want to put new attribute called "state" under meta data, which says whether user is in active state or inactive state. How can I achieve such a requirement ? [1] https://tools.ietf.org/html/rfc7643#section-3.1 -- Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --001a11469304cd979805499a8c1d Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Hi All,

According to [1] avail= able meta data attributes are resourceType, created, lastModified, location= and version. Is there any flexibility to define custom meta data attribute= s ?

Suppose I want to put new attribute called "state&quo= t; under meta data, which says whether user is in active state or inactive = state.

How can I achieve such a requirement ?=C2=A0
=


[1] https://tools.ietf.org/html/rfc7643#section-3.1
--
<= div class=3D"gmail_signature">
Gayan Gunawardana
Software Engineer; WSO2 = Inc.; http://wso2.com/
--001a11469304cd979805499a8c1d-- From nobody Tue Feb 28 11:35:33 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06138129699 for ; Tue, 28 Feb 2017 11:35:32 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.202 X-Spam-Level: X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r5ZwmaW7Lwrg for ; Tue, 28 Feb 2017 11:35:30 -0800 (PST) Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40AB912969F for ; Tue, 28 Feb 2017 11:35:30 -0800 (PST) Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v1SJZQRY000799 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 28 Feb 2017 19:35:27 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v1SJZP0v006123 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 28 Feb 2017 19:35:25 GMT Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v1SJZNcQ031756; Tue, 28 Feb 2017 19:35:23 GMT Received: from [10.0.1.30] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 28 Feb 2017 11:35:23 -0800 Content-Type: multipart/alternative; boundary="Apple-Mail=_F5F2ED68-D074-4E54-9648-D16C6C8883AE" Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) From: Phil Hunt In-Reply-To: Date: Tue, 28 Feb 2017 11:35:20 -0800 Message-Id: References: To: Darshana Gunawardana X-Mailer: Apple Mail (2.3124) X-Source-IP: userv0022.oracle.com [156.151.31.74] Archived-At: Cc: Samuel Erdtman , omindu.dishan@gmail.com, "scim@ietf.org" Subject: Re: [scim] Does SCIM 2.0 have a compliance test suite? X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Feb 2017 19:35:32 -0000 --Apple-Mail=_F5F2ED68-D074-4E54-9648-D16C6C8883AE Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii There has been discussion about having OpenID Foundation host some = tests. However, so far, nobody has volunteered to write the tests or = fund their support. If we can generate interest, maybe we can make it = happen. Note: The IETF does not seem to handle inter-op test suites and = certifications. At least not in my experience. Phil Oracle Corporation, Identity Cloud Services & Identity Standards @independentid www.independentid.com = phil.hunt@oracle.com = > On Feb 7, 2017, at 12:15 AM, Darshana Gunawardana = wrote: >=20 > Hi Samuel, >=20 > Thanks for the response..! >=20 > My colleges from WSO2 are in the process of implementing SCIM 2.0 = server and currently people working on improving the test coverage on = that. >=20 > If there is no work done on this, we can check on creating common SCIM = 2.0 suite and contributing back to the community. Wanted to check = whether it would be useful to implement common SCIM 2.0 suite thing. >=20 > If this is something useful to have, we can check on possible ways of = getting interested persons... >=20 > And can I know references on the implementations on the test suite = done on SCIM 1.1? So I can get an idea on the current design and effort = needed to implement in that way. >=20 > Thanks, > Darshana >=20 > On Tue, Feb 7, 2017 at 1:06 PM, Samuel Erdtman > wrote: > There is currently no such tool as far as I know. >=20 > That it says ongoing is a bit too optimistic, there is no ongoing work = as far as I know. >=20 > You are not the only one asking for this so maybe a few persons could = do some cooperation and create something. >=20 >=20 > On Tue, 7 Feb 2017 at 07:37, Darshana Gunawardana = > wrote: > Hi, >=20 > Is there a test tool that can used to check compliance with the SCIM = 2.0 specification? >=20 > The site [1] specifies that there is an ongoing effort. Is this an = open source effort where someone interested can try prototype versions = and contribute for the development?=20 >=20 > [1] http://www.simplecloud.info/ > [2] "Work on SCIM 2.0 tests is under development and there are = currently no support for the enterprise extension" >=20 > Thanks, > --=20 > With Regards, >=20 > Darshana Gunawardana, > Alumni : Dept. of Computer Science & Engineering, > University of Moratuwa, > Sri Lanka > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim = >=20 >=20 >=20 > --=20 > With Regards, >=20 > Darshana Gunawardana, > Alumni : Dept. of Computer Science & Engineering, > University of Moratuwa, > Sri Lanka > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim = --Apple-Mail=_F5F2ED68-D074-4E54-9648-D16C6C8883AE Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii There has been discussion about having OpenID Foundation host = some tests. However, so far, nobody has volunteered to write the tests = or fund their support.  If we can generate interest, maybe we can = make it happen.

Note: = The IETF does not seem to handle inter-op test suites and = certifications.  At least not in my experience.

Phil

Oracle Corporation, Identity Cloud = Services & Identity Standards
@independentid
www.independentid.com
phil.hunt@oracle.com







On Feb 7, 2017, at 12:15 AM, Darshana Gunawardana <darshanasbg@gmail.com> wrote:

Hi Samuel,

Thanks for the response..!

My colleges from WSO2 = are in the process of implementing SCIM 2.0 server and currently people = working on improving the test coverage on that.

If there is no work done on this, we = can check on creating common SCIM 2.0 suite and contributing back to the = community. Wanted to check whether it would be useful to implement = common SCIM 2.0 suite thing.

If this is something useful to have, we = can check on possible ways of getting interested persons...

And can I know = references on the implementations on the test suite done on SCIM 1.1? So = I can get an idea on the current design and effort needed to implement = in that way.

Thanks,
Darshana

On = Tue, Feb 7, 2017 at 1:06 PM, Samuel Erdtman <samuel@erdtman.se> wrote:
There is currently no such tool as far as I know.

That it says ongoing is = a bit too optimistic, there is no ongoing work as far as I = know.

You are = not the only one asking for this so maybe a few persons could do some = cooperation and create something.


On Tue, 7 Feb 2017 at 07:37, Darshana Gunawardana <darshanasbg@gmail.com> wrote:
Hi,

Is there a test tool = that can used to check compliance with the SCIM 2.0 = specification?

The site [1] specifies = that there is an ongoing effort. Is this an open source effort where = someone interested can try prototype versions and contribute for the = development? 

[1] http://www.simplecloud.info/
[2] "Work on SCIM 2.0 = tests is under development and there are currently no support for the = enterprise extension"

Thanks,
-- 
With Regards,

Darshana = Gunawardana,
Alumni : = Dept. of Computer Science & Engineering,
University of = Moratuwa,
Sri = Lanka
_______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim
<= /blockquote>



-- 
With= Regards,

Darshana = Gunawardana,
Alumni : Dept. of Computer Science & = Engineering,
University of Moratuwa,
Sri = Lanka
_______________________________________________
scim mailing = list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim

= --Apple-Mail=_F5F2ED68-D074-4E54-9648-D16C6C8883AE-- From nobody Tue Feb 28 13:01:43 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CDE11296EE for ; Tue, 28 Feb 2017 13:01:42 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.202 X-Spam-Level: X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id laOipvbVlMJz for ; Tue, 28 Feb 2017 13:01:40 -0800 (PST) Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCBE31295B5 for ; Tue, 28 Feb 2017 13:01:40 -0800 (PST) Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v1SL1dte015247 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 28 Feb 2017 21:01:40 GMT Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v1SL1cvO003026 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 28 Feb 2017 21:01:39 GMT Received: from abhmp0004.oracle.com (abhmp0004.oracle.com [141.146.116.10]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v1SL1cxg028748; Tue, 28 Feb 2017 21:01:38 GMT Received: from [10.0.1.30] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 28 Feb 2017 13:01:37 -0800 Content-Type: multipart/alternative; boundary="Apple-Mail=_726A828D-E3B4-4793-A0F4-12B82C987B0D" Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) From: Phil Hunt In-Reply-To: Date: Tue, 28 Feb 2017 13:01:36 -0800 Message-Id: <1DCA2539-8890-4F3D-9D9D-2961F9707F2D@oracle.com> References: To: Gayan Gunawardana X-Mailer: Apple Mail (2.3124) X-Source-IP: aserv0022.oracle.com [141.146.126.234] Archived-At: Cc: scim@ietf.org Subject: Re: [scim] Addition attributes for SCIM meta data X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Feb 2017 21:01:42 -0000 --Apple-Mail=_726A828D-E3B4-4793-A0F4-12B82C987B0D Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii meta attributes are defined in the core spec as common to every object. = Extension would require an RFC which would include requirements for = discovery and versioning, etc. Phil Oracle Corporation, Identity Cloud Services & Identity Standards @independentid www.independentid.com = phil.hunt@oracle.com = > On Feb 28, 2017, at 9:30 AM, Gayan Gunawardana wrote: >=20 > Hi All, >=20 > According to [1] available meta data attributes are resourceType, = created, lastModified, location and version. Is there any flexibility to = define custom meta data attributes ? >=20 > Suppose I want to put new attribute called "state" under meta data, = which says whether user is in active state or inactive state.=20 >=20 > How can I achieve such a requirement ? =20 >=20 >=20 > [1] https://tools.ietf.org/html/rfc7643#section-3.1 = > --=20 > Gayan Gunawardana > Software Engineer; WSO2 Inc.; http://wso2.com/ > Email: gayan@wso2.com =20 > Mobile: +94 (71) 8020933 > <>_______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim --Apple-Mail=_726A828D-E3B4-4793-A0F4-12B82C987B0D Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii meta attributes are defined in the core spec as common to = every object. Extension would require an RFC which would include = requirements for discovery and versioning, etc.

Phil

Oracle Corporation, Identity Cloud = Services & Identity Standards
@independentid
www.independentid.com
phil.hunt@oracle.com







On Feb 28, 2017, at 9:30 AM, Gayan Gunawardana <gayan@wso2.com> = wrote:

Hi = All,

According to [1] available meta = data attributes are resourceType, created, lastModified, location and = version. Is there any flexibility to define custom meta data attributes = ?

Suppose I want to put new attribute = called "state" under meta data, which says whether user is in active = state or inactive state.

How can I = achieve such a requirement ? 


[1] https://tools.ietf.org/html/rfc7643#section-3.1
--
Gayan Gunawardana
Software = Engineer; WSO2 Inc.; http://wso2.com/
Email: gayan@wso2.com
Mobile: +94 (71) 8020933
_______________________________________________
scim = mailing list
scim@ietf.org
https://www.ietf.org/mailman/listinfo/scim

= --Apple-Mail=_726A828D-E3B4-4793-A0F4-12B82C987B0D-- From nobody Tue Feb 28 13:05:54 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 911DD1296FA for ; Tue, 28 Feb 2017 13:05:53 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sailpoint.onmicrosoft.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xbYQJsh8hjr for ; Tue, 28 Feb 2017 13:05:51 -0800 (PST) Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0097.outbound.protection.outlook.com [104.47.32.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3E88129706 for ; Tue, 28 Feb 2017 13:05:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sailpoint.onmicrosoft.com; s=selector1-sailpoint-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=9zJJRYNRCWCYXZ9ix83sqHgzvL29bCZqrp2VG12YcnI=; b=Mmw1TykqMIWYsfWpNdIekk89na0WI5On8HH2pQQLTi8Lc1IAmfPInZ6BATfLh+YPjgLfgHe+QLjVbWc9Fa4hKJX4h3NqxlYw9QsTERXBF4ghGvLyXEbIG7hQnb3iy4JV4E6xMceM47mqXzjVE07arx2+PpZVn+1BeDCyiZU8XTs= Received: from CY1PR04MB2363.namprd04.prod.outlook.com (10.167.10.143) by CY1PR04MB2364.namprd04.prod.outlook.com (10.167.10.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.933.12; Tue, 28 Feb 2017 21:05:46 +0000 Received: from CY1PR04MB2363.namprd04.prod.outlook.com ([10.167.10.143]) by CY1PR04MB2363.namprd04.prod.outlook.com ([10.167.10.143]) with mapi id 15.01.0933.016; Tue, 28 Feb 2017 21:05:46 +0000 From: Kelly Grizzle To: Phil Hunt , Gayan Gunawardana Thread-Topic: [scim] Addition attributes for SCIM meta data Thread-Index: AQHSkehcU/h8l3P7EUmzHwDuPv4gTKF+5+EAgAAA7ZA= Date: Tue, 28 Feb 2017 21:05:46 +0000 Message-ID: References: <1DCA2539-8890-4F3D-9D9D-2961F9707F2D@oracle.com> In-Reply-To: <1DCA2539-8890-4F3D-9D9D-2961F9707F2D@oracle.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=kelly.grizzle@sailpoint.com; x-originating-ip: [2605:ed00:f006:716:1c38:678c:84f7:5ae3] x-ms-office365-filtering-correlation-id: e18feca1-d340-4aba-d566-08d4601d90bc x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:CY1PR04MB2364; x-microsoft-exchange-diagnostics: 1; CY1PR04MB2364; 7:6nCIZM7U2h//d1IMfBYmKnjhNFGl818846lkLZYLahk4ADpkedOJfUgzrj+52H036sT+sDQE3BLvvoNFuuRl4ZUz+AXA/XJ6+fR9wzmVed0Ub43Jk0G1PmBWRmR1ym/1j1Uk18s6TVtq709T5Qn0W9i1EwsT4lCuO8UM0RCwcBm7dx+ZTG/59nAQX3ET5qjeNYjUwW1qtujfBEn5KQ6u15eGX8vUOwDWMzCDY8us3jaR6OJTqfpe0EMmuLR/SIm3ZhuOCQnmFtMJkhOCn9Qj9Crk/KVT8OArEcyS0W2fFJ1Fl6oBFG6TcMXiRy8dux1aFzKnAf26Nf7HoqJsY0J7pQ== x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(139090996175007)(21748063052155)(146099531331640); x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6041248)(20161123558025)(20161123560025)(20161123562025)(20161123564025)(20161123555025)(6072148); SRVR:CY1PR04MB2364; BCL:0; PCL:0; RULEID:; SRVR:CY1PR04MB2364; x-forefront-prvs: 0232B30BBC x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39450400003)(189002)(53754006)(252514010)(199003)(24454002)(377454003)(53386004)(106116001)(105586002)(53376002)(53546006)(86362001)(38730400002)(606005)(54356999)(33656002)(6436002)(76176999)(6506006)(106356001)(6116002)(966004)(1680700002)(53936002)(2950100002)(790700001)(102836003)(8676002)(6246003)(68736007)(101416001)(5660300001)(122556002)(6306002)(189998001)(54896002)(81156014)(8936002)(2900100001)(81166006)(92566002)(2906002)(9686003)(99286003)(50986999)(3280700002)(7696004)(3660700001)(25786008)(55016002)(77096006)(19609705001)(7906003)(229853002)(7736002)(97736004)(236005)(4326008)(74316002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR04MB2364; H:CY1PR04MB2363.namprd04.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; received-spf: None (protection.outlook.com: sailpoint.com does not designate permitted sender hosts) spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: multipart/alternative; boundary="_000_CY1PR04MB23639403136AEA4D445A832AE2560CY1PR04MB2363namp_" MIME-Version: 1.0 X-OriginatorOrg: sailpoint.com X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Feb 2017 21:05:46.2883 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 9c848b2a-49ba-4c39-9749-118d06717a84 X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR04MB2364 Archived-At: Cc: "scim@ietf.org" Subject: Re: [scim] Addition attributes for SCIM meta data X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Feb 2017 21:05:53 -0000 --_000_CY1PR04MB23639403136AEA4D445A832AE2560CY1PR04MB2363namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Can you just use the "active" attribute on User? If not, another option is to add a schema extension that exposes a "state" = attribute, but doesn't put it in the meta attribute. --Kelly From: scim [mailto:scim-bounces@ietf.org] On Behalf Of Phil Hunt Sent: Tuesday, February 28, 2017 3:02 PM To: Gayan Gunawardana Cc: scim@ietf.org Subject: Re: [scim] Addition attributes for SCIM meta data meta attributes are defined in the core spec as common to every object. Ext= ension would require an RFC which would include requirements for discovery = and versioning, etc. Phil Oracle Corporation, Identity Cloud Services & Identity Standards @independentid www.independentid.com phil.hunt@oracle.com On Feb 28, 2017, at 9:30 AM, Gayan Gunawardana > wrote: Hi All, According to [1] available meta data attributes are resourceType, created, = lastModified, location and version. Is there any flexibility to define cust= om meta data attributes ? Suppose I want to put new attribute called "state" under meta data, which s= ays whether user is in active state or inactive state. How can I achieve such a requirement ? [1] https://tools.ietf.org/html/rfc7643#section-3.1 -- Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 _______________________________________________ scim mailing list scim@ietf.org https://www.ietf.org/mailman/listinfo/scim --_000_CY1PR04MB23639403136AEA4D445A832AE2560CY1PR04MB2363namp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Can you just use the “active” attribute= on User?

 

If not, another option is to add a schema extension= that exposes a “state” attribute, but doesn’t put it in = the meta attribute.

 

--Kelly

 

From: scim [mailto:scim-bounces@ietf= .org] On Behalf Of Phil Hunt
Sent: Tuesday, February 28, 2017 3:02 PM
To: Gayan Gunawardana <gayan@wso2.com>
Cc: scim@ietf.org
Subject: Re: [scim] Addition attributes for SCIM meta data

 

meta attributes are defined in the core spec as comm= on to every object. Extension would require an RFC which would include requ= irements for discovery and versioning, etc.

 

Phil

 =

Oracle Corporation, Iden= tity Cloud Services & Identity Standards

@independentid

phil.hunt@oracle.com

 =

 =

 =

 =

 

 

On Feb 28, 2017, at 9:30 AM, Gayan Gunawardana <<= a href=3D"mailto:gayan@wso2.com">gayan@wso2.com> wrote:

 

Hi All,

According to [1] avai= lable meta data attributes are resourceType, created, lastModified, locatio= n and version. Is there any flexibility to define custom meta data attribut= es ?

Suppose I want to put= new attribute called "state" under meta data, which says whether= user is in active state or inactive state.

How can I achieve such a requirement ? 

 


[1] https://too= ls.ietf.org/html/rfc7643#section-3.1

--

Gayan Gunawardana

Software Engineer; WSO2 Inc.; http://wso2.com/<= o:p>

Mobile: +94 (71) 8020933

_______________________________________________
scim mailing list
scim@ietf.org
https://www.ietf.org= /mailman/listinfo/scim

 

--_000_CY1PR04MB23639403136AEA4D445A832AE2560CY1PR04MB2363namp_-- From nobody Tue Feb 28 17:40:00 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC9F1129407 for ; Tue, 28 Feb 2017 17:39:58 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.698 X-Spam-Level: X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RMnTgXcCVkSa for ; Tue, 28 Feb 2017 17:39:56 -0800 (PST) Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 644321293DA for ; Tue, 28 Feb 2017 17:39:56 -0800 (PST) Received: by mail-wm0-x234.google.com with SMTP id u199so25222969wmd.1 for ; Tue, 28 Feb 2017 17:39:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1TRjjmXl8MWjBO5tbs6i2GZ2osyUabahEqPkmsXOfmg=; b=kLCl8C+xEY4huSSc9PtuGWUNLYxLOwa+gIAvHC9zaBJlCToECZSX79OnUuBAor5R3d t8L+TBK/91zhvNluZIACf8dqLiwnHGIun+U5HY9FpFuwBu8TcjKCcvkatYUpP2aqAC/O L4IjWSuUPBq0yCcyhbz2tnD66vStiwECkrowk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1TRjjmXl8MWjBO5tbs6i2GZ2osyUabahEqPkmsXOfmg=; b=dumyVW3uqfQQSQ6SPdz0c+Nbrn7LLC+4p8MqArHjqqAQvr2wgNOe45joHYgXSkxwKb ENJWoU4dT0Ip6Ym1afpEwvuDROaZF/m6s7JeyslODsgy5GA79iJBX/LMJU+NXEa+Xbh5 wy49vfCGrjEMIQKAsISVDYyCL5wgAJgrLb89C9jg21KtPmLI+k0Hu7bE0ortld2fMTUW Dls9ZK+sYwltWHjrwL/Mi9/TsEpXp/ThM967Lmg/+z53Y+yptlh148YzFV18qeUKb0Wb b6DD/UtTFIeJ96WlAxScTJujj5gIrrZMC9qyujAfxD01c5g3SqzH7SJx/Y3YUs/c0KBG jLXg== X-Gm-Message-State: AMke39k5KZGSxaYvqoYrABj9rNq0clFsBhaWyhcdS92sYoSaON6uoq9FYdh7NlC0EVlOL7wpu2eQa3+9cZpOVqAk X-Received: by 10.28.101.68 with SMTP id z65mr1028705wmb.102.1488332394688; Tue, 28 Feb 2017 17:39:54 -0800 (PST) MIME-Version: 1.0 Received: by 10.223.143.109 with HTTP; Tue, 28 Feb 2017 17:39:54 -0800 (PST) In-Reply-To: References: <1DCA2539-8890-4F3D-9D9D-2961F9707F2D@oracle.com> From: Gayan Gunawardana Date: Wed, 1 Mar 2017 07:09:54 +0530 Message-ID: To: Kelly Grizzle Content-Type: multipart/alternative; boundary=001a114b300ab189740549a1630c Archived-At: Cc: "scim@ietf.org" , Phil Hunt Subject: Re: [scim] Addition attributes for SCIM meta data X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Mar 2017 01:39:59 -0000 --001a114b300ab189740549a1630c Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Wed, Mar 1, 2017 at 2:35 AM, Kelly Grizzle wrote: > Can you just use the =E2=80=9Cactive=E2=80=9D attribute on User? > According to schema definition "active" attribute is a boolean. In my case I have couple of value under attribute "state" (not only active and inactive). > > > If not, another option is to add a schema extension that exposes a =E2=80= =9Cstate=E2=80=9D > attribute, but doesn=E2=80=99t put it in the meta attribute. > Yes this seems to be a good option. > > > --Kelly > > > > *From:* scim [mailto:scim-bounces@ietf.org] *On Behalf Of *Phil Hunt > *Sent:* Tuesday, February 28, 2017 3:02 PM > *To:* Gayan Gunawardana > *Cc:* scim@ietf.org > *Subject:* Re: [scim] Addition attributes for SCIM meta data > > > > meta attributes are defined in the core spec as common to every object. > Extension would require an RFC which would include requirements for > discovery and versioning, etc. > > > > Phil > > > > Oracle Corporation, Identity Cloud Services & Identity Standards > > @independentid > > www.independentid.com > > phil.hunt@oracle.com > > > > > > > > > > > > > > On Feb 28, 2017, at 9:30 AM, Gayan Gunawardana wrote: > > > > Hi All, > > According to [1] available meta data attributes are resourceType, created= , > lastModified, location and version. Is there any flexibility to define > custom meta data attributes ? > > Suppose I want to put new attribute called "state" under meta data, which > says whether user is in active state or inactive state. > > How can I achieve such a requirement ? > > > > > [1] https://tools.ietf.org/html/rfc7643#section-3.1 > > -- > > Gayan Gunawardana > > Software Engineer; WSO2 Inc.; http://wso2.com/ > > Email: gayan@wso2.com > > Mobile: +94 (71) 8020933 <+94%2071%20802%200933> > > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim > > > --=20 Gayan Gunawardana Software Engineer; WSO2 Inc.; http://wso2.com/ Email: gayan@wso2.com Mobile: +94 (71) 8020933 --001a114b300ab189740549a1630c Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
On Wed, Mar 1, 2017 at 2:35 AM, Kelly Grizzle <= kelly.grizzle@sailpoint.com> wrote:

Can you just use the =E2=80=9Cactive=E2=80=9D attri= bute on User?

According to schema d= efinition "active" attribute is a boolean. In my case I have coup= le of value under attribute "state" (not only active and inactive= ). =C2=A0
=

=C2=A0

If not, another option is to add a schema extension= that exposes a =E2=80=9Cstate=E2=80=9D attribute, but doesn=E2=80=99t put = it in the meta attribute.

Yes this = seems to be a good option. =C2=A0
=

=C2=A0

--Kelly

=C2=A0

From: scim [mailto:scim-bounces@ietf.org] On Behalf Of Phil Hunt
Sent: Tuesday, February 28, 2017 3:02 PM
To: Gayan Gunawardana <gayan@wso2.com>
Cc: scim@ietf.org=
Subject: Re: [scim] Addition attributes for SCIM meta data=

=C2=A0

meta attributes are defined in the core spec as comm= on to every object. Extension would require an RFC which would include requ= irements for discovery and versioning, etc.

=C2=A0

Phil

=C2=A0

Oracle Corporation, Iden= tity Cloud Services & Identity Standards

@independentid=

phil.hunt@oracle.com

=C2=A0

=C2=A0

=C2=A0

=C2=A0

=C2=A0<= /p>

=C2=A0

On Feb 28, 2017, at 9:30 AM, Gayan Gunawardana <<= a href=3D"mailto:gayan@wso2.com" target=3D"_blank">gayan@wso2.com> w= rote:

=C2=A0

Hi All,=

According to [1] avai= lable meta data attributes are resourceType, created, lastModified, locatio= n and version. Is there any flexibility to define custom meta data attribut= es ?

Suppose I want to put= new attribute called "state" under meta data, which says whether= user is in active state or inactive state.

How can I achieve such a requirement ?=C2=A0 =

=C2=A0


[1] https://tools.ietf.org/html/rfc7643#section-3.1

--

Gayan Gunawardana

Software Engineer; WSO2 Inc.; http://wso2.com/<= u>

_______________________________________________=
scim mailing list
scim@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/scim

=C2=A0




--
Gayan Gunawardana
<= div> Software Engineer; WSO2 = Inc.; http://wso2.com/
--001a114b300ab189740549a1630c--