
From nobody Mon Sep 11 19:33:02 2017
MIME-Version: 1.0
From: Darshana Gunawardana <darshanasbg@gmail.com>
Date: Tue, 12 Sep 2017 08:02:36 +0530
Message-ID: <CAN2oXrC7Np9OssJ_d+TJHjjbTtvk8H4Qtn+2e9TbpwcjQu2EUQ@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>, vindula.13@cse.mrt.ac.lk
Cc: Samuel Erdtman <samuel@erdtman.se>, "scim@ietf.org" <scim@ietf.org>,  Omindu Rathnaweera <omindu.dishan@gmail.com>
Content-Type: multipart/alternative; boundary="94eb2c12396c663c5f0558f4dccb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/EcdxLXhjnQjQXCHcs0ucLOoLn00>
Subject: Re: [scim] Does SCIM 2.0 have a compliance test suite?
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>

--94eb2c12396c663c5f0558f4dccb
Content-Type: text/plain; charset="UTF-8"

Hi all,

Giving you an update on the topic.

We were able to get a GSoC project slot for the above proposal and the
elected student, Vindula (who is cc'ed here), was able to come up with a
promising implementation on the project.

   - GSoC Project URL:
   https://summerofcode.withgoogle.com/projects/#6261985816608768
   - Vindula's blog on the project:
   https://medium.com/@vindulajayawardana/scim-2-0-compliance-test-suite-737fd4ace3cc
   - Source Repo:
   https://github.com/wso2-incubator/scim2-compliance-test-suite
   - Hosted Demo: https://compliance-scim2.wso2apps.com/scimproxycompliance/

With the increasing adoption of SCIM 2.0, this test suite will be a
strong initial step to validate interoperability, yet I'm sure there is
much room to improve. So,

   - Try the hosted demo
   - If you have any suggestions for improvement, open a git issue on the source
   repo <https://github.com/wso2-incubator/scim2-compliance-test-suite>
   - If you know the fix, send a PR.

Any kind of feedback would be highly appreciated.

Thanks,


On Fri, Mar 17, 2017 at 12:19 AM, Darshana Gunawardana <darshanasbg@gmail.com> wrote:

> Hi folks,
>
> Thanks all for your responses.
>
> On Wed, Mar 1, 2017 at 1:05 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> There has been discussion about having OpenID Foundation host some tests.
>> However, so far, nobody has volunteered to write the tests or fund their
>> support.  If we can generate interest, maybe we can make it happen.
>>
>
> A few of us at WSO2 thought about a suitable way to generate interest on
> this.
>
> WSO2 has been a mentor organization for GSoC for the last three years and
> has also been accepted for the same this year as well. So we have come up with a
> GSoC project proposal on the topic "SCIM 2.0 compliance test suite". You
> can find more details of the project proposal at the link below.
>
> https://docs.wso2.com/display/GSoC/Project+Proposals+for+2017#ProjectProposalsfor2017-Proposal21:[IS]SCIM2.0compliancetestsuite
>
> Any suggestions on the project proposal are highly appreciated.
>
> The good news is, we already have one interested applicant on this
> project!!!
>
> Hopefully we will have more applicants.. and a decent student proposal to
> proceed with..
>
> Thanks,
> Darshana
>
>
>>
>> Note: The IETF does not seem to handle inter-op test suites and
>> certifications.  At least not in my experience.
>>
>> Phil
>>
>> Oracle Corporation, Identity Cloud Services & Identity Standards
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>>
>> On Feb 7, 2017, at 12:15 AM, Darshana Gunawardana <darshanasbg@gmail.com>
>> wrote:
>>
>> Hi Samuel,
>>
>> Thanks for the response..!
>>
>> My colleagues from WSO2 are in the process of implementing a SCIM 2.0 server
>> and currently people are working on improving the test coverage on that.
>>
>> If there is no work done on this, we can check on creating a common SCIM
>> 2.0 suite and contributing back to the community. Wanted to check whether
>> it would be useful to implement a common SCIM 2.0 suite.
>>
>> If this is something useful to have, we can check on possible ways of
>> getting interested persons...
>>
>> And can I know references on the implementations on the test suite done
>> on SCIM 1.1? So I can get an idea on the current design and effort needed
>> to implement in that way.
>>
>> Thanks,
>> Darshana
>>
>> On Tue, Feb 7, 2017 at 1:06 PM, Samuel Erdtman <samuel@erdtman.se> wrote:
>>
>>> There is currently no such tool as far as I know.
>>>
>>> That it says ongoing is a bit too optimistic, there is no ongoing work
>>> as far as I know.
>>>
>>> You are not the only one asking for this so maybe a few persons could do
>>> some cooperation and create something.
>>>
>>>
>>> On Tue, 7 Feb 2017 at 07:37, Darshana Gunawardana <darshanasbg@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Is there a test tool that can be used to check compliance with the SCIM
>>>> 2.0 specification?
>>>>
>>>> The site [1] specifies that there is an ongoing effort. Is this an open
>>>> source effort where someone interested can try prototype versions and
>>>> contribute for the development?
>>>>
>>>> [1] http://www.simplecloud.info/
>>>> [2] "Work on SCIM 2.0 tests is under development and there are
>>>> currently no support for the enterprise extension"
>>>>
>>>> Thanks,
>>>> --
>>>> With Regards,
>>>>
>>>> Darshana Gunawardana,
>>>> Alumni : Dept. of Computer Science & Engineering,
>>>> University of Moratuwa,
>>>> Sri Lanka
>>>> _______________________________________________
>>>> scim mailing list
>>>> scim@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/scim
>>>>
>>>
>>
>



-- 
With Regards,

Darshana Gunawardana,
Alumni : Dept. of Computer Science & Engineering,
University of Moratuwa,
Sri Lanka

--94eb2c12396c663c5f0558f4dccb--


From nobody Mon Sep 18 02:05:48 2017
MIME-Version: 1.0
Received: by 10.100.154.171 with HTTP; Mon, 18 Sep 2017 02:05:41 -0700 (PDT)
In-Reply-To: <CAN2oXrC7Np9OssJ_d+TJHjjbTtvk8H4Qtn+2e9TbpwcjQu2EUQ@mail.gmail.com>
References: <CAN2oXrCHc3OFoUWf+TUSZTO+OAU2iLmZ+MfRMbgT0uRyzFFuHQ@mail.gmail.com> <CAF2hCbZ-6vtKELAdgeaeg-iyEpHb-ZS0PQshNg0VuxUa1We7hA@mail.gmail.com> <CAN2oXrCaqddXkvgePM4r9yHh6roW8opYsx1=qM0-wE2jMP_ZDQ@mail.gmail.com> <C24AF6E0-C290-437C-B5E8-DCB0A827CCEF@oracle.com> <CAN2oXrBYqmOsd6dGGzH60kcYZ6zVxJWLpFUgs4scw48ym0P-dQ@mail.gmail.com> <CAN2oXrC7Np9OssJ_d+TJHjjbTtvk8H4Qtn+2e9TbpwcjQu2EUQ@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Mon, 18 Sep 2017 11:05:41 +0200
Message-ID: <CAF2hCbYztSOQY0Fes_+UpBkV4XsCu3FCWMnEWi-vLj5BxQ14aQ@mail.gmail.com>
To: Darshana Gunawardana <darshanasbg@gmail.com>
Cc: Phil Hunt <phil.hunt@oracle.com>, vindula.13@cse.mrt.ac.lk,  "scim@ietf.org" <scim@ietf.org>, Omindu Rathnaweera <omindu.dishan@gmail.com>
Content-Type: multipart/alternative; boundary="f403045c7b200c4fa90559730c3b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/LqMihC0oWiqJGOW91FCc3P8sM54>
Subject: Re: [scim] Does SCIM 2.0 have a compliance test suite?
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Sep 2017 09:05:46 -0000

--f403045c7b200c4fa90559730c3b
Content-Type: text/plain; charset="UTF-8"

As the main updater of simplecloud.info I think this is an awesome
initiative.

I will try to find some time to look it through to see if your work could
easily be incorporated in simplecloud.info (it might take a few weeks
before I have managed to do this)

Cheers
//Samuel

On Tue, Sep 12, 2017 at 4:32 AM, Darshana Gunawardana <darshanasbg@gmail.com> wrote:

> Hi all,
>
> Giving you an update on the topic.
>
> We were able to get a GSoC project slot for the above proposal and the
> elected student -Vindula who is cc'ed here- was able to come up with a
> promising implementation on the project.
>
>    - GSoC Project URL: https://summerofcode.withgoogle.com/projects/#6261985816608768
>    - Vindula's blog on the project: https://medium.com/@vindulajayawardana/scim-2-0-compliance-test-suite-737fd4ace3cc
>    - Source Repo: https://github.com/wso2-incubator/scim2-compliance-test-suite
>    - Hosted Demo: https://compliance-scim2.wso2apps.com/scimproxycompliance/
>
> With the increasing adoption of SCIM 2.0, this test suite will be a
> strong initial step to validate interoperability, yet I'm sure there is
> much room to improve. So,
>
>    - Try the hosted demo
>    - If you have any suggestion to improve, open a git issue on the source
>    repo <https://github.com/wso2-incubator/scim2-compliance-test-suite>
>    - If you know the fix, send a PR.
>
> Any kind of feedback would be highly appreciated.
>
> Thanks,
>
>
> On Fri, Mar 17, 2017 at 12:19 AM, Darshana Gunawardana <
> darshanasbg@gmail.com> wrote:
>
>> Hi folks,
>>
>> Thanks all for your responses.
>>
>> On Wed, Mar 1, 2017 at 1:05 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> There has been discussion about having OpenID Foundation host some
>>> tests. However, so far, nobody has volunteered to write the tests or fund
>>> their support.  If we can generate interest, maybe we can make it happen.
>>>
>>
>> A few of us at WSO2 thought about a suitable way to generate interest on
>> this.
>>
>> WSO2 has been a mentor organization for GSoC for the last three years and
>> has also been accepted for the same this year as well. So we have come up
>> with a GSoC project proposal on the topic "SCIM 2.0 compliance test suite".
>> You can find more details of the project proposal on the below link.
>>
>> https://docs.wso2.com/display/GSoC/Project+Proposals+for+2017#ProjectProposalsfor2017-Proposal21:[IS]SCIM2.0compliancetestsuite
>>
>> Any suggestions on the project proposal are highly appreciated.
>>
>> The good news is, we already have one interested applicant on this
>> project!!!
>>
>> Hopefully we will have more applicants.. and a decent student proposal to
>> proceed with..
>>
>> Thanks,
>> Darshana
>>
>>
>>>
>>> Note: The IETF does not seem to handle inter-op test suites and
>>> certifications.  At least not in my experience.
>>>
>>> Phil
>>>
>>> Oracle Corporation, Identity Cloud Services & Identity Standards
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Feb 7, 2017, at 12:15 AM, Darshana Gunawardana <darshanasbg@gmail.com>
>>> wrote:
>>>
>>> Hi Samuel,
>>>
>>> Thanks for the response..!
>>>
>>> My colleagues from WSO2 are in the process of implementing a SCIM 2.0
>>> server and people are currently working on improving the test coverage on
>>> that.
>>>
>>> If there is no work done on this, we can check on creating a common SCIM
>>> 2.0 suite and contributing back to the community. Wanted to check whether
>>> it would be useful to implement a common SCIM 2.0 suite thing.
>>>
>>> If this is something useful to have, we can check on possible ways of
>>> getting interested persons...
>>>
>>> And can I know references on the implementations on the test suite done
>>> on SCIM 1.1? So I can get an idea on the current design and effort needed
>>> to implement in that way.
>>>
>>> Thanks,
>>> Darshana
>>>
>>> On Tue, Feb 7, 2017 at 1:06 PM, Samuel Erdtman <samuel@erdtman.se> wrote:
>>>
>>>> There is currently no such tool as far as I know.
>>>>
>>>> That it says ongoing is a bit too optimistic, there is no ongoing work
>>>> as far as I know.
>>>>
>>>> You are not the only one asking for this so maybe a few persons could
>>>> do some cooperation and create something.
>>>>
>>>>
>>>> On Tue, 7 Feb 2017 at 07:37, Darshana Gunawardana <
>>>> darshanasbg@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Is there a test tool that can be used to check compliance with the SCIM
>>>>> 2.0 specification?
>>>>>
>>>>> The site [1] specifies that there is an ongoing effort. Is this an
>>>>> open source effort where someone interested can try prototype versions and
>>>>> contribute for the development?
>>>>>
>>>>> [1] http://www.simplecloud.info/
>>>>> [2] "Work on SCIM 2.0 tests is under development and there are
>>>>> currently no support for the enterprise extension"
>>>>>
>>>>> Thanks,
>>>>> --
>>>>> With Regards,
>>>>>
>>>>> Darshana Gunawardana,
>>>>> Alumni : Dept. of Computer Science & Engineering,
>>>>> University of Moratuwa,
>>>>> Sri Lanka
>>>>> _______________________________________________
>>>>> scim mailing list
>>>>> scim@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/scim
>>>>>

--f403045c7b200c4fa90559730c3b--


From nobody Tue Sep 19 15:16:47 2017
From: Palle Girgensohn <girgen@pingpong.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_49BD9C67-C1B2-4594-9AE3-4720EEE2FEF4"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Message-Id: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net>
Date: Wed, 20 Sep 2017 00:16:38 +0200
To: scim@ietf.org
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/9L8WZ6sGvsAEHapfa_mBsAT1B3g>
Subject: [scim] Persistent ID:s across services in SCIM

--Apple-Mail=_49BD9C67-C1B2-4594-9AE3-4720EEE2FEF4
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hello all,

I have a question about how to maintain persistent id:s for objects
through different systems if we use SCIM to sync data between them.

Say for example that we have a school student register system where
students, classes, study groups etc. are managed. Say also that we extend
SCIM with some resource types that define how to describe time tables for
the school.

We have two services that need information from the register: a time
table software (A) and an attendance software (B).

The time table software (A) adds information about the time tables and
uses references ("value" & "$ref") to point out groups and users from the
register for the time table entries. Of course, B needs this
information.

Simple setup:


   Register

    |    |
    v    v

    A -> B


Now, according to SCIM, the id property that may be sent from Register
to A and B should be ignored by A & B. Instead, A & B should make up
their own id:s and return them to the register. This means that A and B
cannot communicate about these objects since they don't have any common
id to reference. The externalId in SCIM is just for filtering, it cannot
be used in reference attributes.

How is this supposed to work? I think that maybe I'm missing something
here? Why can't the Register decide on the id for the object? It seems
so much more logical.

A similar question arises even in a simple setup with a register and a
service provider. If the register first provisions a user in the service
provider, it gets the service provider's made-up ID in the response.
Then it creates a group and populates it with the user. Should it then
use the id from the service provider in the "members": {"value" and
"$ref"? It seems a bit backward to me.

We need the same "objects" to be synced between more than just two
systems, and to me it is confusing how to keep the id:s intact. Is this
not a job for SCIM at all?

Please advise :-)

Palle Girgensohn


--Apple-Mail=_49BD9C67-C1B2-4594-9AE3-4720EEE2FEF4--


From nobody Tue Sep 19 15:40:13 2017
MIME-Version: 1.0
In-Reply-To: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net>
References: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net>
From: "Vella, Shon" <svella@idauto.net>
Date: Tue, 19 Sep 2017 16:40:08 -0600
Message-ID: <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com>
To: scim@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/HfjnLJlveC42BEonlUAlpRoH5-0>
Subject: Re: [scim] Persistent ID:s across services in SCIM

I believe what you are looking for is externalId for storing the
common id. It could be the id from one of the systems or it could be
something else completely - whatever the orchestration/synchronization
glue needs it to be.

Shon Vella
Identity Automation




From nobody Tue Sep 19 16:01:23 2017
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14G60)
In-Reply-To: <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com>
Date: Tue, 19 Sep 2017 16:01:15 -0700
Cc: scim@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <3ECCC834-AC08-4D47-8044-BF59A5278DC2@oracle.com>
References: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net> <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com>
To: "Vella, Shon" <svella@idauto.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/lkPDOGPZo2-8Jsdx1d0tYWNRlno>
Subject: Re: [scim] Persistent ID:s across services in SCIM

The id in SCIM is a local instance identifier. Its purpose is to give
permanence to the id, i.e. it never changes, which gives referential
integrity. The timetable system can count on the URI for the student.

Technically the client cannot assign the id, but the server can choose to
use an attribute provided (e.g. the studentid) for the id value. The
challenge is not to choose an id value that might change for any reason.
It seems to me student ids are stable.

The point is if you were accessing a student in another school you can't
count on id being the student id. Nor that you will be able to keep them
the same.

When this happens you can use externalId to establish the linkage.

Phil
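
Added example, not part of the original message or of any SCIM implementation: the Register provisions the same student to services A and B with its own key as externalId, each service assigns its own id, and a reference held by A is rewritten for B through an externalId filter. The ServiceProvider class, helper names, URLs and keys are assumptions constructed for illustration; it assumes A and B were both provisioned by the same Register, so their externalId values share one scope.

```python
import uuid


class ServiceProvider:
    """In-memory stand-in for one SCIM service provider (hypothetical helper)."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.store = {"Users": {}, "Groups": {}}

    def create(self, rtype, payload):
        # The service provider owns "id": a client-supplied value is dropped.
        body = {k: v for k, v in payload.items() if k not in ("id", "meta")}
        body["id"] = uuid.uuid4().hex
        body["meta"] = {"location": f"{self.base_url}/{rtype}/{body['id']}"}
        self.store[rtype][body["id"]] = body
        return body

    def get(self, rtype, local_id):
        return self.store[rtype][local_id]

    def filter_external_id(self, rtype, external_id):
        # Stands in for: GET /{rtype}?filter=externalId eq "<external_id>"
        return [r for r in self.store[rtype].values()
                if r.get("externalId") == external_id]


def reference(resource):
    """Build the "value"/"$ref" pair pointing at a resource on its own provider."""
    return {"value": resource["id"], "$ref": resource["meta"]["location"]}


def provision_user(provider, register_key, user_name):
    """Register -> provider: the register's key travels as externalId."""
    return provider.create("Users", {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": register_key,          # sent, but ignored by the provider
        "externalId": register_key,
        "userName": user_name,
    })


def provision_group(provider, register_key, display_name, member_resources):
    """Members are referenced by the id this provider returned, not the register key."""
    return provider.create("Groups", {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
        "externalId": register_key,
        "displayName": display_name,
        "members": [reference(m) for m in member_resources],
    })


def translate_reference(src, dst, rtype, src_id):
    """Map a reference valid on src to the matching one on dst via externalId."""
    external_id = src.get(rtype, src_id).get("externalId")
    if not external_id:
        raise LookupError(f"{rtype}/{src_id} has no externalId to link on")
    matches = dst.filter_external_id(rtype, external_id)
    if len(matches) != 1:
        # 0 = not provisioned on dst yet, >1 = ambiguous; never guess.
        raise LookupError(f"{len(matches)} matches for externalId {external_id!r}")
    return reference(matches[0])


def demo():
    a = ServiceProvider("https://timetable.example/scim/v2")   # service A
    b = ServiceProvider("https://attendance.example/scim/v2")  # service B
    key = "reg-student-0001"  # constructed register key
    user_a = provision_user(a, key, "alice")
    user_b = provision_user(b, key, "alice")
    group_a = provision_group(a, "reg-class-7B", "Class 7B", [user_a])
    # A hands B a timetable entry; the student reference is rewritten for B.
    ref_for_b = translate_reference(a, b, "Users", group_a["members"][0]["value"])
    return user_a, user_b, group_a, ref_for_b


if __name__ == "__main__":
    user_a, user_b, group_a, ref_for_b = demo()
    print("A id:", user_a["id"], "B id:", user_b["id"])
    print("reference as B sees it:", ref_for_b)
```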



From nobody Tue Sep 19 16:30:08 2017
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14G60)
In-Reply-To: <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com>
Date: Tue, 19 Sep 2017 16:29:59 -0700
Cc: scim@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <C5484A9D-ADB3-4E82-A399-C9C7DEDA957B@oracle.com>
References: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net> <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com>
To: "Vella, Shon" <svella@idauto.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/bKrZTHQuIjwcsA0w97Ce3xbtn3c>
Subject: Re: [scim] Persistent ID:s across services in SCIM

Also, there may be privacy implications of using the student id as the
SCIM id because it will be revealed in browser histories etc.

Some implementations also assign a different id for each client. This
prevents two separate clients from doing correlation. This minimizes the
PII repercussions of the SCIM id value.

Phil
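
Added example, not part of the original message: one way a service provider could give each client its own id for the same resource, here derived with HMAC-SHA256 over the client identifier and the internal record key. The thread does not say how implementations do this; the PairwiseIds class, client names, URL and record key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class PairwiseIds:
    """Hypothetical service-provider component: one public id per (client, record)."""

    def __init__(self, secret=None):
        # Server-side secret; without it a client cannot recompute another client's id.
        self._secret = secret if secret is not None else secrets.token_bytes(32)
        self._lookup = {}  # (client, public id) -> internal record key

    def issue(self, client, record_key):
        """Return the id that `client` sees for the record; stable across calls."""
        c = client.encode()
        # Length prefix keeps ("ab", "c") and ("a", "bc") from colliding.
        msg = len(c).to_bytes(2, "big") + c + record_key.encode()
        public_id = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]
        self._lookup[(client, public_id)] = record_key
        return public_id

    def resolve(self, client, public_id):
        """Map an id back to the record, only for the client it was issued to."""
        try:
            return self._lookup[(client, public_id)]
        except KeyError:
            raise LookupError("id not known for this client") from None


def render_user(ids, client, base_url, record_key, record):
    """SCIM User representation as returned to one client."""
    public_id = ids.issue(client, record_key)
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": public_id,
        "userName": record["userName"],
        "meta": {"resourceType": "User",
                 "location": f"{base_url}/Users/{public_id}"},
    }


def demo():
    ids = PairwiseIds(secret=b"constructed-demo-secret")  # constructed value
    record_key = "student-1001"   # constructed internal key (the student id)
    record = {"userName": "alice"}
    base = "https://register.example/scim/v2"
    for_a = render_user(ids, "timetable-client", base, record_key, record)
    for_b = render_user(ids, "attendance-client", base, record_key, record)
    return ids, record_key, for_a, for_b


if __name__ == "__main__":
    ids, record_key, for_a, for_b = demo()
    print("timetable client sees :", for_a["meta"]["location"])
    print("attendance client sees:", for_b["meta"]["location"])
```

The student id never appears in the id or the URL, and the ids handed to two clients cannot be matched against each other without the server's secret.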



From nobody Wed Sep 20 00:25:53 2017
From: Palle Girgensohn <girgen@pingpong.net>
Message-Id: <6F601D35-6BF1-44A8-A193-010B54B82E8C@pingpong.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_5CC52217-B8CA-4C1F-AB3B-D45A6BF2F4CD"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 20 Sep 2017 09:23:59 +0200
In-Reply-To: <C5484A9D-ADB3-4E82-A399-C9C7DEDA957B@oracle.com>
Cc: "Vella, Shon" <svella@idauto.net>, scim@ietf.org
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
References: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net> <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com> <C5484A9D-ADB3-4E82-A399-C9C7DEDA957B@oracle.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/-TM0CW6EO-cVa4f2q7Ur8CTDMZs>
Subject: Re: [scim] Persistent ID:s across services in SCIM

--Apple-Mail=_5CC52217-B8CA-4C1F-AB3B-D45A6BF2F4CD
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

In a general case, there is a strong argument for assigning a different
id for each client. Totally agree.

In our scenario the owner of the PII has good control over all
services, so this is not an issue.


> 20 sep. 2017 kl. 01:29 skrev Phil Hunt (IDM) <phil.hunt@oracle.com>:
>=20
> Also. There may be privacy implications of using the student id as the =
scim id because it will be revealed in browser histories etc.
>=20
> Some implementations also assign a different id for each client. This =
prevents two separate clients from doing correlation. This minimizes the =
PII repercussions of the scim id value.
>=20
> Phil
>=20
>> On Sep 19, 2017, at 3:40 PM, Vella, Shon <svella@idauto.net> wrote:
>>=20
>> I believe what you are looking for is externalId for storing the
>> common id. It could be the id from one of the systems or it could be
>> something else completely - whatever the =
orchestration/synchronization
>> glue needs it to be.
>>=20
>> Shon Vella
>> Identity Automation
>>=20
>>=20
>>> On Tue, Sep 19, 2017 at 4:16 PM, Palle Girgensohn =
<girgen@pingpong.net> wrote:
>>>=20
>>> Hello all,
>>>=20
>>> I have a question about how to maintain persistent id:s for objects =
through differents systems if we use SCIM to sync data between them.
>>>=20
>>> Say for example that we have school student register system where =
students, classes, study groups etc is managed. Say also that we extend =
SCIM with some resource types that define how to decribe time tables for =
the school.
>>>=20
>>> We have two services that need information from the register; a time =
table software (A) and an attendance software (B).
>>>=20
>>> The time table software (A) adds information about the time tables =
and uses reference ("value" & "$ref") to point out groups and users from =
the register for the time table entries. Of course, B needs this =
information.
>>>=20
>>> Simple setup:
>>>=20
>>>=20
>>>  Register
>>>=20
>>>   |    |
>>>   v    v
>>>=20
>>>   A -> B
>>>=20
>>>=20
>>> Now, according to SCIM, the id property that may be sent from =
Register to A and B should be ignored by A & B. Instead, A & B should =
make up their own id:s and return them to the register. This means that =
A and B cannot communicate about these objects since they don't hava any =
common id to reference. The externalId in SCIM is just for filtering, it =
cannot be used in reference attributes.
>>>=20
>>> How is this supposed to work? I think that maybe I'm missing =
something here? Why can't the Register decide on the id for the object, =
it seems so much more logical?
>>>=20
>>> A similar question arises even in a simple setup with a register and =
a service provider. If the register first provisions a user in the =
service provider, it gets the service provider's made up ID in the =
respoonse. Then it creates a group and populate it with the user. Should =
it then use the id from the service provider in the "members": {"value" =
and "$ref" ? It seems a bit backward to me?
>>>=20
>>> We need the same "objects" to be synced between more than just two =
systems, and to me it is confusing how to keep the id:s intact. Is this =
not a job for SCIM at all?
>>>=20
>>> Please advice :-)
>>>=20
>>> Palle Girgensohn
>>>=20
>>>=20
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim


--Apple-Mail=_5CC52217-B8CA-4C1F-AB3B-D45A6BF2F4CD--


From nobody Wed Sep 20 01:30:00 2017
Return-Path: <samuel@erdtman.se>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC7F2133070 for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 01:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cp9PMTIGjgtV for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 01:29:57 -0700 (PDT)
Received: from mail-pg0-x230.google.com (mail-pg0-x230.google.com [IPv6:2607:f8b0:400e:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4393C1326DF for <scim@ietf.org>; Wed, 20 Sep 2017 01:29:56 -0700 (PDT)
Received: by mail-pg0-x230.google.com with SMTP id j16so1324331pga.1 for <scim@ietf.org>; Wed, 20 Sep 2017 01:29:56 -0700 (PDT)
X-Received: by 10.84.233.69 with SMTP id k5mr1352781plt.260.1505896196126; Wed, 20 Sep 2017 01:29:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.154.171 with HTTP; Wed, 20 Sep 2017 01:29:55 -0700 (PDT)
In-Reply-To: <6F601D35-6BF1-44A8-A193-010B54B82E8C@pingpong.net>
References: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net> <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com> <C5484A9D-ADB3-4E82-A399-C9C7DEDA957B@oracle.com> <6F601D35-6BF1-44A8-A193-010B54B82E8C@pingpong.net>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Wed, 20 Sep 2017 10:29:55 +0200
Message-ID: <CAF2hCbZL2WBuY515UONfOJxpg4CWE=f5Fo9wC_xe50vhmMHCrg@mail.gmail.com>
To: Palle Girgensohn <girgen@pingpong.net>
Cc: "Phil Hunt (IDM)" <phil.hunt@oracle.com>, "scim@ietf.org" <scim@ietf.org>,  "Vella, Shon" <svella@idauto.net>
Content-Type: multipart/alternative; boundary="089e08213d0cd6f82105599ac73b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/Wa-G24EG6MebGIPuQou2vYywwsg>
Subject: Re: [scim] Persistent ID:s across services in SCIM
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2017 08:30:00 -0000

--089e08213d0cd6f82105599ac73b
Content-Type: text/plain; charset="UTF-8"

Hi Palle!

Great to see you here on the list and that you are making progress with the
SCIM work.

I would opt for the solution I think Phil is describing, i.e. having the
*register* send an identifier (e.g. student identifier) in the create
request and then have the *time table software* and the *attendance
software* use that id as the id. I think it would be best to define a new
attribute for this id and document that when present this should become the
id in the returned object. In this way you would get okay interoperability,
not awesome but okay.

Cheers
//Samuel




On Wed, Sep 20, 2017 at 9:23 AM, Palle Girgensohn <girgen@pingpong.net>
wrote:

> In a general case, there is a strong argument for assigning a different id
> for each client. Totally agree.
>
> In our scenario the owner of the PII have good control over all services,
> so this is not an issue.
>
>
> > On 20 Sep 2017, at 01:29, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
> >
> > Also. There may be privacy implications of using the student id as the scim id because it will be revealed in browser histories etc.
> >
> > Some implementations also assign a different id for each client. This prevents two separate clients from doing correlation. This minimizes the PII repercussions of the scim id value.
> >
> > Phil
> >
> >> On Sep 19, 2017, at 3:40 PM, Vella, Shon <svella@idauto.net> wrote:
> >>
> >> I believe what you are looking for is externalId for storing the
> >> common id. It could be the id from one of the systems or it could be
> >> something else completely - whatever the orchestration/synchronization
> >> glue needs it to be.
> >>
> >> Shon Vella
> >> Identity Automation
> >>
> >>
> >>> On Tue, Sep 19, 2017 at 4:16 PM, Palle Girgensohn <girgen@pingpong.net> wrote:
> >>>
> >>> Hello all,
> >>>
> >>> I have a question about how to maintain persistent id:s for objects through different systems if we use SCIM to sync data between them.
> >>>
> >>> Say for example that we have a school student register system where students, classes, study groups etc. are managed. Say also that we extend SCIM with some resource types that define how to describe time tables for the school.
> >>>
> >>> We have two services that need information from the register; a time table software (A) and an attendance software (B).
> >>>
> >>> The time table software (A) adds information about the time tables and uses reference ("value" & "$ref") to point out groups and users from the register for the time table entries. Of course, B needs this information.
> >>>
> >>> Simple setup:
> >>>
> >>>
> >>>  Register
> >>>
> >>>   |    |
> >>>   v    v
> >>>
> >>>   A -> B
> >>>
> >>>
> >>> Now, according to SCIM, the id property that may be sent from Register to A and B should be ignored by A & B. Instead, A & B should make up their own id:s and return them to the register. This means that A and B cannot communicate about these objects since they don't have any common id to reference. The externalId in SCIM is just for filtering, it cannot be used in reference attributes.
> >>>
> >>> How is this supposed to work? I think that maybe I'm missing something here? Why can't the Register decide on the id for the object, it seems so much more logical?
> >>>
> >>> A similar question arises even in a simple setup with a register and a service provider. If the register first provisions a user in the service provider, it gets the service provider's made up ID in the response. Then it creates a group and populates it with the user. Should it then use the id from the service provider in the "members": {"value" and "$ref" ? It seems a bit backward to me?
> >>>
> >>> We need the same "objects" to be synced between more than just two systems, and to me it is confusing how to keep the id:s intact. Is this not a job for SCIM at all?
> >>>
> >>> Please advise :-)
> >>>
> >>> Palle Girgensohn
> >>>
> >>>

--089e08213d0cd6f82105599ac73b--


From nobody Wed Sep 20 03:26:30 2017
Return-Path: <girgen@pingpong.net>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 024221342AA for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 03:26:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ysGBUEFckD9 for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 03:26:21 -0700 (PDT)
Received: from mail.pingpong.net (mail.pingpong.net [79.136.116.202]) by ietfa.amsl.com (Postfix) with ESMTP id 417F713428B for <scim@ietf.org>; Wed, 20 Sep 2017 03:26:19 -0700 (PDT)
Received: from [10.10.83.129] (fss-router.sis.se [195.178.163.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.pingpong.net (Postfix) with ESMTPSA id 7BBD6225D8; Wed, 20 Sep 2017 12:26:10 +0200 (CEST)
From: Palle Girgensohn <girgen@pingpong.net>
Message-Id: <13855063-9BCF-416D-90B7-36BE4A48DC33@pingpong.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_7F15FD16-7491-4754-AAD7-1BB4BEB380A3"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 20 Sep 2017 12:16:59 +0200
In-Reply-To: <CAF2hCbZL2WBuY515UONfOJxpg4CWE=f5Fo9wC_xe50vhmMHCrg@mail.gmail.com>
Cc: "Phil Hunt (IDM)" <phil.hunt@oracle.com>, "scim@ietf.org" <scim@ietf.org>,  "Vella, Shon" <svella@idauto.net>
To: Samuel Erdtman <samuel@erdtman.se>
References: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net> <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com> <C5484A9D-ADB3-4E82-A399-C9C7DEDA957B@oracle.com> <6F601D35-6BF1-44A8-A193-010B54B82E8C@pingpong.net> <CAF2hCbZL2WBuY515UONfOJxpg4CWE=f5Fo9wC_xe50vhmMHCrg@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/rlmXIUaYi4rghpB-4K8wGxapwek>
Subject: Re: [scim] Persistent ID:s across services in SCIM
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2017 10:26:29 -0000

--Apple-Mail=_7F15FD16-7491-4754-AAD7-1BB4BEB380A3
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Samuel,

Yes, we are making good progress, thanks!

My take was to use the externalId and require that the internal id *should* be the same if the scim server needs to interact, using scim, with other service providers.

I get that for interoperability reasons, a custom id *could* be better, but I can't really see the difference from using the scim built in externalId?

Palle



> On 20 Sep 2017, at 10:29, Samuel Erdtman <samuel@erdtman.se> wrote:
>
> Hi Palle!
>
> Great to see you here on the list and that you are making progress with the SCIM work.
>
> I would opt for the solution I think Phil is describing, i.e. having the register send an identifier (e.g. student identifier) in the create request and then have the time table software and the attendance software use that id as the id. I think it would be best to define a new attribute for this id and document that when present this should become the id in the returned object. In this way you would get okay interoperability, not awesome but okay.
>
> Cheers
> //Samuel


--Apple-Mail=_7F15FD16-7491-4754-AAD7-1BB4BEB380A3--
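
Added example, not part of any message in this thread and not code from the SCIM specifications: one way a provisioning client (the register) can keep the externalId as the common key while each service provider assigns its own id, and then build "members" references or translate an id from A into the id for the same object at B. The class and function names, the base URLs and the ids "a-0001", "b-7777" and "stu-1001" are constructed for illustration.

```python
import json
from urllib.parse import quote

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed base URLs for the two service providers in the thread's setup.
A = "https://a.example.com/v2"
B = "https://b.example.com/v2"


class IdMap:
    """Register-side table: (provider base URL, externalId) <-> provider id."""

    def __init__(self):
        self._by_ext = {}  # (base, externalId) -> id assigned by that provider
        self._by_id = {}   # (base, id) -> externalId

    def record_created(self, base, sent_external_id, body):
        """Store the id found in a provider's 201 Created response body."""
        res = json.loads(body)
        rid, ext = res.get("id"), res.get("externalId")
        if not rid:
            raise ValueError("response carries no id")
        if ext != sent_external_id:
            raise ValueError("provider echoed a different externalId")
        known = self._by_ext.get((base, ext))
        if known is not None and known != rid:
            # One externalId created twice at one provider: duplicate account.
            raise ValueError(f"{ext} already mapped to {known} at {base}")
        self._by_ext[(base, ext)] = rid
        self._by_id[(base, rid)] = ext
        return rid

    def local_id(self, base, external_id):
        """Id of the object at one provider, looked up by the common key."""
        try:
            return self._by_ext[(base, external_id)]
        except KeyError:
            raise LookupError(f"{external_id} not provisioned at {base}") from None

    def translate(self, src_base, src_id, dst_base):
        """Turn an id valid at one provider into the id used by another."""
        ext = self._by_id.get((src_base, src_id))
        if ext is None:
            raise LookupError(f"{src_id} unknown at {src_base}")
        return self.local_id(dst_base, ext)

    def member(self, base, external_id):
        """A "members" entry whose value and $ref are valid at this provider."""
        rid = self.local_id(base, external_id)
        return {"value": rid, "$ref": f"{base}/Users/{rid}"}

    def group_body(self, base, display_name, group_external_id, member_external_ids):
        """Group POST body for one provider; fails if a member is not there yet."""
        return {
            "schemas": [SCIM_GROUP],
            "displayName": display_name,
            "externalId": group_external_id,
            "members": [self.member(base, e) for e in member_external_ids],
        }


def external_id_query(base, external_id):
    """URL to re-find a user by externalId, e.g. after a lost create response.

    The value is written as a JSON string so quotes and backslashes in it
    cannot alter the filter. A provider interprets externalId in the scope of
    the provisioning client that set it (RFC 7643, section 3.1), so this is a
    lookup for the register itself, not a shared key other clients can query.
    """
    literal = json.dumps(external_id)
    return f"{base}/Users?filter=" + quote(f"externalId eq {literal}", safe="")


def created_body(resource_id, external_id):
    """Constructed stand-in for the body of a provider's 201 Created response."""
    return json.dumps({"schemas": [SCIM_USER], "id": resource_id,
                       "externalId": external_id, "userName": "bjensen"})


def demo():
    """Provision one user at A and B, then return the populated table."""
    ids = IdMap()
    ids.record_created(A, "stu-1001", created_body("a-0001", "stu-1001"))
    ids.record_created(B, "stu-1001", created_body("b-7777", "stu-1001"))
    return ids


if __name__ == "__main__":
    table = demo()
    print(json.dumps(table.group_body(B, "Class 7B", "grp-7b", ["stu-1001"]), indent=2))
    print(external_id_query(A, "stu-1001"))
```
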


From nobody Wed Sep 20 04:06:37 2017
Return-Path: <girgen@pingpong.net>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E3661341F8 for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 04:06:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.891
X-Spam-Level: 
X-Spam-Status: No, score=-1.891 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LsYTjSDSG87n for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 04:06:32 -0700 (PDT)
Received: from mail.pingpong.net (mail.pingpong.net [79.136.116.202]) by ietfa.amsl.com (Postfix) with ESMTP id 98B421323B8 for <scim@ietf.org>; Wed, 20 Sep 2017 04:06:32 -0700 (PDT)
Received: from [10.10.83.129] (fss-router.sis.se [195.178.163.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.pingpong.net (Postfix) with ESMTPSA id 7A99E22ADB for <scim@ietf.org>; Wed, 20 Sep 2017 13:06:31 +0200 (CEST)
From: Palle Girgensohn <girgen@pingpong.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_2B6DEB29-EBE9-45A5-8E76-CADA54E05B6D"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 20 Sep 2017 13:06:30 +0200
References: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net> <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com> <3ECCC834-AC08-4D47-8044-BF59A5278DC2@oracle.com>
To: scim@ietf.org
In-Reply-To: <3ECCC834-AC08-4D47-8044-BF59A5278DC2@oracle.com>
Message-Id: <FCAB270A-C635-482D-83A9-7FCF861D8E76@pingpong.net>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/6w3mgrEcvdgcJmv-Lk2xmpFlJYw>
Subject: Re: [scim] Persistent ID:s across services in SCIM
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2017 11:06:35 -0000

--Apple-Mail=_2B6DEB29-EBE9-45A5-8E76-CADA54E05B6D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Our scope is not a solution for a single school but a Swedish national standard for information exchange between systems within schools. Hence we shouldn't really step away from the technical rules in the scim standard, as it would be confusing.

In our general use case, the register would probably act both as a client and as a (mostly read-only) scim server. Services that don't require their own storage could be implemented to just GET objects on demand and toss them once the user logs out.

But for now, let's focus on the use case where the student register is a scim client. Since it is still not crystal clear to me how this is supposed to work, let's try with an example.

The systems below are register.example.com, a.example.com and b.example.com.

First the register creates a new user:

register -> a

   POST /Users  HTTP/1.1
   Host: a.example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: ...

   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "userName":"bjensen",
     "externalId":"a7ff200e-8cca-4532-9e44-56721ee554e6",
     "name":{
       "formatted":"Ms. Barbara J Jensen III",
       "familyName":"Jensen",
       "givenName":"Barbara"
     }
   }

a responds:

   HTTP/1.1 201 Created
   Content-Type: application/scim+json
   Location:
    https://a.example.com/v2/Users/b24dbd91-a874-465f-b916-8c7003403bcb
   ETag: W/"e180ee84f0671b1"

   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id":"b24dbd91-a874-465f-b916-8c7003403bcb",
     "externalId":"a7ff200e-8cca-4532-9e44-56721ee554e6",
     "meta":{
       "resourceType":"User",
       "created":"2011-08-01T21:32:44.882Z",
       "lastModified":"2011-08-01T21:32:44.882Z",
       "location":
   "https://a.example.com/v2/Users/b24dbd91-a874-465f-b916-8c7003403bcb",
       "version":"W\/\"e180ee84f0671b1\""
     },
     "name":{
       "formatted":"Ms. Barbara J Jensen III",
       "familyName":"Jensen",
       "givenName":"Barbara"
     },
     "userName":"bjensen"
   }



and also the register creates the resource in b.example.com using the
exact same call as above.

and b responds:

   HTTP/1.1 201 Created
   Content-Type: application/scim+json
   Location:
    https://b.example.com/v2/Users/713a3079-99dc-4295-9800-2d6bfcb66202
   ETag: W/"e180ee84f0671b1"

   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id":"713a3079-99dc-4295-9800-2d6bfcb66202",
     "externalId":"a7ff200e-8cca-4532-9e44-56721ee554e6",
     "meta":{
       "resourceType":"User",
       "created":"2011-08-01T21:32:44.882Z",
       "lastModified":"2011-08-01T21:32:44.882Z",
       "location":
   "https://b.example.com/v2/Users/713a3079-99dc-4295-9800-2d6bfcb66202",
       "version":"W\/\"e180ee84f0671b1\""
     },
     "name":{
       "formatted":"Ms. Barbara J Jensen III",
       "familyName":"Jensen",
       "givenName":"Barbara"
     },
     "userName":"bjensen"
   }




Now we have three stable id:s for the user, one for each system. All
three also have a common stable "externalId".

Now the register creates a group:

register -> a & b

   POST /Groups  HTTP/1.1
   Host: a.example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: ...

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
     "externalId": "e9e30dba-f08f-4109-8486-d5c6a331660a",
     "displayName": "Tour Guides",
     "members": [
       {
         "value": "a7ff200e-8cca-4532-9e44-56721ee554e6",
         "$ref":
   "https://register.example.com/v2/Users/a7ff200e-8cca-4532-9e44-56721ee554e6",
         "display": "Babs Jensen"
       }
     ]
   }




This does make sense if the client is also a scim server. It would be
possible to search the register using scim, and the id:s and references
would be the same. The user's $ref points to the *source*, that is the
student register. In the more narrow use case where the register is only
a client, the reference to the member Babs is not correct here, right?
There is no correspondence to the externalId? a.example.com has never
really seen this id before, so how can it understand that this is the
Babs that was just created, unless we explicitly introduce a
correlation between externalId and id?


How should a respond? Should it use its own id:s for the user and the
group, like this:

a -> register:


   HTTP/1.1 201 Created
   Content-Type: application/scim+json
   Location:
    https://a.example.com/v2/Groups/bfc4daf4-845b-42d8-89c9-d27b2fb87ad9
   ETag: W/"e180ee84f0671b1"

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
     "id": "bfc4daf4-845b-42d8-89c9-d27b2fb87ad9",
     "displayName": "Tour Guides",
     "members": [
       {
         "value": "b24dbd91-a874-465f-b916-8c7003403bcb",
         "$ref":
   "https://a.example.com/v2/Users/b24dbd91-a874-465f-b916-8c7003403bcb",
         "display": "Babs Jensen"
       }
     ],
     "meta": {
       "resourceType": "Group",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff592\"",
       "location":
   "https://a.example.com/v2/Groups/bfc4daf4-845b-42d8-89c9-d27b2fb87ad9"
     }
   }


In this case, it seems to me that the server first has to ask the
client what it means by member "a7ff200e-8cca-4532-9e44-56721ee554e6",
since it has never seen it before. This becomes almost a catch-22.


Another way is to let the client create the group but reference a:s
id:s for referenced resources. This is how scim is supposed to work:


register -> a

   POST /Groups  HTTP/1.1
   Host: a.example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: ...

   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
     "externalId": "e9e30dba-f08f-4109-8486-d5c6a331660a",
     "displayName": "Tour Guides",
     "members": [
       {
         "value": "b24dbd91-a874-465f-b916-8c7003403bcb",
         "$ref":
   "https://a.example.com/v2/Users/b24dbd91-a874-465f-b916-8c7003403bcb",
         "display": "Babs Jensen"
       }
     ]
   }


But if the register is also a scim server, this is rather confusing.


I believe we could, for our profile of the scim standard, require
externalId to be uuid:s and to never change for any reason, and also
require that the externalId and the "local" id should be treated as
identical. This would require a scim server to always use the externalId
as its own id, and we would be "home safe". Samuel just suggested a
custom attribute instead of externalId. I can't really see how it would
much in terms of interoperability, but I guess you could argue that it
becomes more obvious what it is?

Thoughts?

Thanks,
Palle


> On 20 Sep 2017, at 01:01, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
>
> The id in scim is a local instance identifier. Its purpose is to give
> permanence to the id. I.e. it never changes, which gives referential
> integrity. The timetable system can count on the uri for the student.
>
> Technically the client cannot assign the id, but the server can choose
> to use an attribute provided (e.g. the studentid) for the id value. The
> challenge is not to choose an id value that might change for any reason.
> It seems to me student ids are stable.
>
> The point is if you were accessing a student in another school you
> can't count on id being the student id. Nor that you will be able to
> keep them the same.
>
> When this happens you can use externalid to establish the linkage.
>
> Phil
>
>> On Sep 19, 2017, at 3:40 PM, Vella, Shon <svella@idauto.net> wrote:
>>
>> I believe what you are looking for is externalId for storing the
>> common id. It could be the id from one of the systems or it could be
>> something else completely - whatever the orchestration/synchronization
>> glue needs it to be.
>>
>> Shon Vella
>> Identity Automation
>>
>>
>>> On Tue, Sep 19, 2017 at 4:16 PM, Palle Girgensohn <girgen@pingpong.net> wrote:
>>>
>>> Hello all,
>>>
>>> I have a question about how to maintain persistent id:s for objects
>>> through different systems if we use SCIM to sync data between them.
>>>
>>> Say for example that we have a school student register system where
>>> students, classes, study groups etc. are managed. Say also that we
>>> extend SCIM with some resource types that define how to describe time
>>> tables for the school.
>>>
>>> We have two services that need information from the register; a time
>>> table software (A) and an attendance software (B).
>>>
>>> The time table software (A) adds information about the time tables
>>> and uses reference ("value" & "$ref") to point out groups and users
>>> from the register for the time table entries. Of course, B needs this
>>> information.
>>>
>>> Simple setup:
>>>
>>>
>>>  Register
>>>
>>>   |    |
>>>   v    v
>>>
>>>   A -> B
>>>
>>>
>>> Now, according to SCIM, the id property that may be sent from
>>> Register to A and B should be ignored by A & B. Instead, A & B should
>>> make up their own id:s and return them to the register. This means
>>> that A and B cannot communicate about these objects since they don't
>>> have any common id to reference. The externalId in SCIM is just for
>>> filtering, it cannot be used in reference attributes.
>>>
>>> How is this supposed to work? I think that maybe I'm missing
>>> something here? Why can't the Register decide on the id for the
>>> object, it seems so much more logical?
>>>
>>> A similar question arises even in a simple setup with a register and
>>> a service provider. If the register first provisions a user in the
>>> service provider, it gets the service provider's made up ID in the
>>> response. Then it creates a group and populates it with the user.
>>> Should it then use the id from the service provider in the "members":
>>> {"value" and "$ref" ? It seems a bit backward to me?
>>>
>>> We need the same "objects" to be synced between more than just two
>>> systems, and to me it is confusing how to keep the id:s intact. Is
>>> this not a job for SCIM at all?
>>>
>>> Please advise :-)
>>>
>>> Palle Girgensohn
>
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
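
Added example, not part of the thread and not code from any SCIM
implementation: one way a register acting only as a SCIM client can keep
the correlation between its externalId and the id each service provider
returned, and build the per-service Group body from it. The class and
function names are hypothetical; the ids and hosts are the ones used in
the message above, and the trimmed response bodies are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample input: the 201 bodies from the message above, trimmed
# to the attributes the correlation needs.
RESPONSE_A = json.dumps({
    "id": "b24dbd91-a874-465f-b916-8c7003403bcb",
    "externalId": "a7ff200e-8cca-4532-9e44-56721ee554e6",
    "meta": {"location":
             "https://a.example.com/v2/Users/b24dbd91-a874-465f-b916-8c7003403bcb"},
})
RESPONSE_B = json.dumps({
    "id": "713a3079-99dc-4295-9800-2d6bfcb66202",
    "externalId": "a7ff200e-8cca-4532-9e44-56721ee554e6",
    "meta": {"location":
             "https://b.example.com/v2/Users/713a3079-99dc-4295-9800-2d6bfcb66202"},
})


class UnknownMember(LookupError):
    """The member has not been provisioned at the target service yet."""


class CorrelationTable:
    """Maps (service host, register externalId) to (service id, location)."""

    def __init__(self):
        self.entries = {}

    def record_created(self, service, body):
        """Record the id a service assigned in its 201 Created body."""
        res = json.loads(body)
        ext, rid = res.get("externalId"), res.get("id")
        loc = res.get("meta", {}).get("location", "")
        if not ext or not rid:
            raise ValueError("201 body lacks externalId or id")
        url = urlsplit(loc)
        # The location must live on the service that was called and end in
        # the id it returned; otherwise later $ref values would point at a
        # different host or resource than the one just created.
        if (url.scheme != "https" or url.hostname != service
                or not url.path.endswith("/" + rid)):
            raise ValueError("meta.location does not belong to " + service)
        known = self.entries.setdefault((service, ext), (rid, loc))
        if known[0] != rid:
            # SCIM ids are meant to be stable; a changed id breaks references.
            raise ValueError("service returned a different id for a known externalId")
        return rid

    def member(self, service, external_id, display):
        """Build a members entry using the target service's own id."""
        try:
            rid, loc = self.entries[(service, external_id)]
        except KeyError:
            raise UnknownMember(
                f"{external_id} is not provisioned at {service}") from None
        return {"value": rid, "$ref": loc, "display": display}


def build_group(table, service, external_id, display_name, members):
    """members is a list of (register externalId, display name) pairs."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
        "externalId": external_id,
        "displayName": display_name,
        "members": [table.member(service, ext, disp) for ext, disp in members],
    }


def demo():
    """Provision the user at a and b, then build the Group body for each."""
    table = CorrelationTable()
    table.record_created("a.example.com", RESPONSE_A)
    table.record_created("b.example.com", RESPONSE_B)
    members = [("a7ff200e-8cca-4532-9e44-56721ee554e6", "Babs Jensen")]
    return {
        svc: build_group(table, svc, "e9e30dba-f08f-4109-8486-d5c6a331660a",
                         "Tour Guides", members)
        for svc in ("a.example.com", "b.example.com")
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same register-side group yields a different "value" and "$ref" for
each target, while externalId stays the common key across all three
systems.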


--Apple-Mail=_2B6DEB29-EBE9-45A5-8E76-CADA54E05B6D
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP


--Apple-Mail=_2B6DEB29-EBE9-45A5-8E76-CADA54E05B6D--


From nobody Wed Sep 20 04:49:31 2017
From: Palle Girgensohn <girgen@pingpong.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_2F980376-1A0B-482E-85AC-91ACAD19D08D"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Message-Id: <89834582-A7C5-4F68-AEB3-6AAA59E34179@pingpong.net>
Date: Wed, 20 Sep 2017 13:49:25 +0200
To: scim@ietf.org
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/kkZjL-GZ4yTFGGwW0a5R4OAa4-0>
Subject: [scim] time window for members in a group

--Apple-Mail=_2F980376-1A0B-482E-85AC-91ACAD19D08D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi,

We have the requirement to be able to describe during which time a user
will be active in a group, not by adding and removing her in a timely
manner, but by actually having startDate and endDate attributes in the
complex members attribute. This is because we need to be able to
describe historical information and also information in advance, about
when a student has attended or will attend a class/group so attendance
records can be correctly maintained.

Since scim has a limitation that it does not allow custom schema
elements in complex attributes, sadly this means that a normal scim Group
cannot be used at all. Instead we need to define a specific StudentGroup
that mimics the behaviour of the standard group, but has a different
complex attribute, StudentMembers:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ],
  "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
  "externalId": "e9e30dba-f08f-4109-8486-d5c6a331660a",
  "displayName": "N3A Kurser",
  "urn:scim:schemas:extension:sis:school:1.0:StudentGroup": {
    "studentMemberships": [
      {
        "value": "2819c223-7f76-453a-919d-413861904646",
        "$ref": "/v2/Users/2819c223-7f76-453a-919d-413861904646",
        "displayName": "Barbara Jensen",
        "startDate": "2015-01-01",
        "endDate": "2015-10-30"
      }
    ],
    "studentGroupType": "Undervisning",
    "schoolType": "GY",
    "schoolYears": [
      2
    ]
  },
  "meta": {
    "resourceType": "Group",
    "created": "2010-01-23T04:56:22Z",
    "lastModified": "2011-05-13T04:42:34Z",
    "version": "W/\"3694e05e9dff592\"",
    "location": "/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a"
  }
}


Would it be possible to discuss an alternative path where startDate and
endDate were part of the complex attribute "members"? This would allow a
much greater interoperability since a scim system that does not know
about the startDate/endDate attributes would just ignore them.

Any other ideas or thoughts about this?

Thanks,
Palle
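
Added example, not part of the thread: how a consumer that understands
startDate/endDate would evaluate membership on a given day, next to what
a consumer that ignores those sub-attributes sees. The function names are
hypothetical, the second membership entry is constructed, and treating
endDate as inclusive and a missing bound as open-ended are assumptions.

```python
from datetime import date

# Constructed sample: the first entry is the membership from the message
# above; the second entry and its id are made up for the example.
MEMBERSHIPS = [
    {"value": "2819c223-7f76-453a-919d-413861904646",
     "startDate": "2015-01-01", "endDate": "2015-10-30"},
    {"value": "00000000-0000-4000-8000-000000000002",
     "startDate": "2016-01-01"},  # no endDate: open-ended (assumption)
]


def window(entry):
    """Return (start, end) as dates; a missing bound is None (unbounded)."""
    start = date.fromisoformat(entry["startDate"]) if entry.get("startDate") else None
    end = date.fromisoformat(entry["endDate"]) if entry.get("endDate") else None
    if start and end and end < start:
        raise ValueError(f"endDate before startDate for {entry.get('value')}")
    return start, end


def members_on(entries, day):
    """Ids whose window contains `day`, both bounds inclusive (assumption)."""
    active = []
    for entry in entries:
        start, end = window(entry)
        if (start is None or start <= day) and (end is None or day <= end):
            active.append(entry["value"])
    return active


def members_ignoring_dates(entries):
    """What a consumer that does not know startDate/endDate sees."""
    return [entry["value"] for entry in entries]


if __name__ == "__main__":
    for day in (date(2015, 6, 1), date(2015, 11, 15), date(2016, 2, 1)):
        print(day, members_on(MEMBERSHIPS, day))
    print("date-unaware:", members_ignoring_dates(MEMBERSHIPS))
```

A consumer that ignores the dates treats past and future entries as
current members, so any access decision it derives from the group covers
more users than the date-aware view does on the same day.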


--Apple-Mail=_2F980376-1A0B-482E-85AC-91ACAD19D08D
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP


--Apple-Mail=_2F980376-1A0B-482E-85AC-91ACAD19D08D--


From nobody Wed Sep 20 05:00:52 2017
From: Chris Phillips <Chris.Phillips@canarie.ca>
To: Palle Girgensohn <girgen@pingpong.net>, "scim@ietf.org" <scim@ietf.org>
Thread-Topic: [scim] Persistent ID:s across services in SCIM
Thread-Index: AQHTMZT9++uGkCPVAkeF9nI6/CkQHaK9EGEAgAAF5oCAAMqiAP//zA6A
Date: Wed, 20 Sep 2017 12:00:39 +0000
Message-ID: <D5E7CB57.A2BAA%chris.phillips@canarie.ca>
References: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net> <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com> <3ECCC834-AC08-4D47-8044-BF59A5278DC2@oracle.com> <FCAB270A-C635-482D-83A9-7FCF861D8E76@pingpong.net>
In-Reply-To: <FCAB270A-C635-482D-83A9-7FCF861D8E76@pingpong.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3588739235_2296937"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/S-uSCGkOL87EUcfvL2UQIIWpqOo>
Subject: Re: [scim] Persistent ID:s across services in SCIM

--B_3588739235_2296937
Content-type: text/plain;
	charset="US-ASCII"
Content-transfer-encoding: 7bit

Palle,

When it comes to identifiers in Sweden's education sector I would
encourage you to take a look here:

https://wiki.swamid.se/display/SWAMID/Attribute+Profile


One suggestion is to be consistent with your region's educational sector
data dictionary which appears to use eduPersonPrincipalName (ePPN) as an
identifier. This appears to be permissible to link across systems but
check with SWAMID about it.

Storing ePPN in externalId may be your easiest way unless you want to
extend the schema for the eduPerson schema which may be beneficial if you
are looking at circulating educationally focused attributes.

eduPerson schema details:
https://www.internet2.edu/products-services/trust-identity/eduperson-eduorg/


I see norEduPersonNIN as another identifier but classified as sensitive.
While it looks really useful, I encourage you to take care as it would be
PII and may have other constraints around it, possibly legal implications
in your region. 

Hope this helps..

C

P.s. Quick googling on SCIM and eduperson shows some work by PennState in
the US: https://github.com/PennState/SCIMple-Identity
And some group management SCIM work by Internet2 as well:
https://spaces.internet2.edu/display/Grouper/Grouper+TIER+SCIM+server that
may be useful to take a glance at to see if there's previous work to
leverage.


--B_3588739235_2296937
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"


--B_3588739235_2296937--


From nobody Wed Sep 20 05:16:25 2017
Return-Path: <girgen@pingpong.net>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D2171330B0 for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 05:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xrC4aSwXcuf5 for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 05:16:20 -0700 (PDT)
Received: from mail.pingpong.net (mail.pingpong.net [79.136.116.202]) by ietfa.amsl.com (Postfix) with ESMTP id 02077132D8A for <scim@ietf.org>; Wed, 20 Sep 2017 05:16:20 -0700 (PDT)
Received: from [172.20.10.2] (unknown [94.234.35.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.pingpong.net (Postfix) with ESMTPSA id C912022230; Wed, 20 Sep 2017 14:16:18 +0200 (CEST)
From: Palle Girgensohn <girgen@pingpong.net>
Message-Id: <6105E0C6-6343-4049-8CDC-EB0174D99193@pingpong.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_5C42957E-2C05-486B-8B03-E9AE49FC5896"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 20 Sep 2017 14:16:17 +0200
In-Reply-To: <D5E7CB57.A2BAA%chris.phillips@canarie.ca>
Cc: "scim@ietf.org" <scim@ietf.org>
To: Chris Phillips <Chris.Phillips@canarie.ca>
References: <F0169A9F-7BDF-4B49-AF19-1AB8E0E62B8F@pingpong.net> <CAND51tTJh0bDSUmiAj3pDsZcvGPUDN161feHX+Z2o2ueP9i4CQ@mail.gmail.com> <3ECCC834-AC08-4D47-8044-BF59A5278DC2@oracle.com> <FCAB270A-C635-482D-83A9-7FCF861D8E76@pingpong.net> <D5E7CB57.A2BAA%chris.phillips@canarie.ca>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/tUVS2ezAtr1Vi_xpjgYN2DdPesg>
Subject: Re: [scim] Persistent ID:s across services in SCIM
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2017 12:16:24 -0000

--Apple-Mail=_5C42957E-2C05-486B-8B03-E9AE49FC5896
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Chris,

Thanks for your reply. I am well aware of Swamid's work as I do a lot of
work with higher education as well.

eppn in the externalId is definitely a good choice. A UUID is another
alternative. We could really allow both, as long as it is something
universally unique. eppn:s are sometimes reused in schools, but this is
of course only due to bad internal processes. There's also the risk that
they change when a user changes surname, but this should really not be
allowed either. We need the eppn anyway to interoperate with SAML
Identity Providers. Our thought is to require eppn in the username
attribute.

norEduPersonNIN is sadly not a stable identifier in schools, mainly
since refugees have the right to attend school from day one, but they
will not get a norEduPersonNIN until months later. And, as you say, it
is too sensitive.


> On 20 Sep 2017, at 14:00, Chris Phillips <Chris.Phillips@canarie.ca> wrote:
>
> Palle,
>
> When it comes to identifiers in Sweden's education sector I would
> encourage you to take a look here:
>
> https://wiki.swamid.se/display/SWAMID/Attribute+Profile
>
>
> One suggestion is to be consistent with your region's educational sector
> data dictionary which appears to use eduPersonPrincipalName(ePPN) as an
> identifier. This appears to be permissible to link across systems but
> check with SWAMID about it.
>
> Storing ePPN in externalId may be your easiest way unless you want to
> extend the schema for the eduPerson schema which may be beneficial if you
> are looking at circulating educationally focused attributes.
>
> eduPerson schema details:
> https://www.internet2.edu/products-services/trust-identity/eduperson-eduorg/
>
>
> I see norEduPersonNIN as another identifier but classified as sensitive.
> While it looks really useful, I encourage you to take care as it would be
> PII and may have other constraints around it, possibly legal implications
> in your region.
>
> Hope this helps..
>
> C
>
> P.s. Quick googling on SCIM and eduperson shows some work by PennState in
> the US: https://github.com/PennState/SCIMple-Identity
> And some group management SCIM work by Internet2 as well:
> https://spaces.internet2.edu/display/Grouper/Grouper+TIER+SCIM+server that
> may be useful to take a glance at to see if there's previous work to
> leverage.
>
> On 2017-09-20, 7:06 AM, "scim on behalf of Palle Girgensohn"
> <scim-bounces@ietf.org on behalf of girgen@pingpong.net> wrote:
>
>> Our scope is not a solution for a single school but a Swedish national
>> standard for information exchange between systems within schools. Hence
>> we shouldn't really step away from the technical rules in the scim
>> standard, as it would be confusing.
>>
>> In our general use case, the register would probably act both as a client
>> and as a (mostly read-only) scim server. Services that don't require
>> their own storage could be implemented to just GET objects on demand and
>> toss them once the user logs out.
>>
>> But for now, let's focus on the use case where the student register is a
>> scim client. Since it is still not crystal clear to me how this is
>> supposed to work, let's try with an example.
>>
>> The systems below are register.example.com, a.example.com and
>> b.example.com.
>>
>> First the register creates a new user:
>>
>> register -> a
>>
>>  POST /Users  HTTP/1.1
>>  Host: a.example.com
>>  Accept: application/scim+json
>>  Content-Type: application/scim+json
>>  Authorization: Bearer h480djs93hd8
>>  Content-Length: ...
>>
>>  {
>>    "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
>>    "userName":"bjensen",
>>    "externalId":"a7ff200e-8cca-4532-9e44-56721ee554e6",
>>    "name":{
>>      "formatted":"Ms. Barbara J Jensen III",
>>      "familyName":"Jensen",
>>      "givenName":"Barbara"
>>    }
>>  }
>>
>> a responds:
>>
>>  HTTP/1.1 201 Created
>>  Content-Type: application/scim+json
>>  Location:
>>   https://a.example.com/v2/Users/b24dbd91-a874-465f-b916-8c7003403bcb
>>  ETag: W/"e180ee84f0671b1"
>>
>>  {
>>    "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
>>    "id":"b24dbd91-a874-465f-b916-8c7003403bcb",
>>    "externalId":"a7ff200e-8cca-4532-9e44-56721ee554e6",
>>    "meta":{
>>      "resourceType":"User",
>>      "created":"2011-08-01T21:32:44.882Z",
>>      "lastModified":"2011-08-01T21:32:44.882Z",
>>      "location":
>>  "https://a.example.com/v2/Users/b24dbd91-a874-465f-b916-8c7003403bcb",
>>      "version":"W\/\"e180ee84f0671b1\""
>>    },
>>    "name":{
>>      "formatted":"Ms. Barbara J Jensen III",
>>      "familyName":"Jensen",
>>      "givenName":"Barbara"
>>    },
>>    "userName":"bjensen"
>>  }
>>
>>
>>
>> and also the register creates the resource in b.example.com using the
>> exact same call as above.
>>
>> and b responds:
>>
>>  HTTP/1.1 201 Created
>>  Content-Type: application/scim+json
>>  Location:
>>   https://b.example.com/v2/Users/713a3079-99dc-4295-9800-2d6bfcb66202
>>  ETag: W/"e180ee84f0671b1"
>>
>>  {
>>    "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
>>    "id":"713a3079-99dc-4295-9800-2d6bfcb66202",
>>    "externalId":"a7ff200e-8cca-4532-9e44-56721ee554e6",
>>    "meta":{
>>      "resourceType":"User",
>>      "created":"2011-08-01T21:32:44.882Z",
>>      "lastModified":"2011-08-01T21:32:44.882Z",
>>      "location":
>>  "https://b.example.com/v2/Users/713a3079-99dc-4295-9800-2d6bfcb66202",
>>      "version":"W\/\"e180ee84f0671b1\""
>>    },
>>    "name":{
>>      "formatted":"Ms. Barbara J Jensen III",
>>      "familyName":"Jensen",
>>      "givenName":"Barbara"
>>    },
>>    "userName":"bjensen"
>>  }
>>
>>
>>
>>
>> Now we have three stable id:s for the user, one for each system. All
>> three also have a common stable "externalId".
>>
>> Now the register creates a group:
>>
>> register -> a & b
>>
>>  POST /Groups  HTTP/1.1
>>  Host: a.example.com
>>  Accept: application/scim+json
>>  Content-Type: application/scim+json
>>  Authorization: Bearer h480djs93hd8
>>  Content-Length: ...
>>
>>  {
>>    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
>>    "externalId": "e9e30dba-f08f-4109-8486-d5c6a331660a",
>>    "displayName": "Tour Guides",
>>    "members": [
>>      {
>>        "value": "a7ff200e-8cca-4532-9e44-56721ee554e6",
>>        "$ref":
>>  "https://register.example.com/v2/Users/a7ff200e-8cca-4532-9e44-56721ee554e6",
>>        "display": "Babs Jensen"
>>      }
>>    ]
>>  }
>>
>>
>>
>>
>> This does make sense if the client is also a scim server. It would be
>> possible to search the register using scim, and the id:s and references
>> would be the same. The user's $ref points to the *source*, that is the
>> student register. In the more narrow use case where the register is only
>> a client, the reference to the member Babs is not correct here, right?
>> There is no correspondence to the externalId? a.example.com has never
>> really seen this id before, so how can it understand that this is the
>> Babs that was just created, unless we explicitly introduce a
>> correlation between externalId and id?
>>
>>
>> How should a respond? Should it use its own id:s for the user and the
>> group, like this:
>>
>> a -> register:
>>
>>
>>  HTTP/1.1 201 Created
>>  Content-Type: application/scim+json
>>  Location:
>>   https://a.example.com/v2/Groups/bfc4daf4-845b-42d8-89c9-d27b2fb87ad9
>>  ETag: W/"e180ee84f0671b1"
>>
>>  {
>>    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
>>    "id": "bfc4daf4-845b-42d8-89c9-d27b2fb87ad9",
>>    "displayName": "Tour Guides",
>>    "members": [
>>      {
>>        "value": "b24dbd91-a874-465f-b916-8c7003403bcb",
>>        "$ref":
>>  "https://a.example.com/v2/Users/b24dbd91-a874-465f-b916-8c7003403bcb",
>>        "display": "Babs Jensen"
>>      }
>>    ],
>>    "meta": {
>>      "resourceType": "Group",
>>      "created": "2010-01-23T04:56:22Z",
>>      "lastModified": "2011-05-13T04:42:34Z",
>>      "version": "W\/\"3694e05e9dff592\"",
>>      "location":
>>  "https://a.example.com/v2/Groups/bfc4daf4-845b-42d8-89c9-d27b2fb87ad9"
>>    }
>>  }
>>
>>
>> In this case, it seems to me that the server first has to ask the
>> client what it means by member "a7ff200e-8cca-4532-9e44-56721ee554e6",
>> since it has never seen it before. This becomes almost a catch-22.
>>
>>
>> Another way is to let the client create the group but reference a:s id:s
>> for referenced resources. This is how scim is supposed to work:
>>
>>
>> register -> a
>>
>>  POST /Groups  HTTP/1.1
>>  Host: a.example.com
>>  Accept: application/scim+json
>>  Content-Type: application/scim+json
>>  Authorization: Bearer h480djs93hd8
>>  Content-Length: ...
>>
>>  {
>>    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
>>    "externalId": "e9e30dba-f08f-4109-8486-d5c6a331660a",
>>    "displayName": "Tour Guides",
>>    "members": [
>>      {
>>        "value": "b24dbd91-a874-465f-b916-8c7003403bcb",
>>        "$ref":
>>  "https://a.example.com/v2/Users/b24dbd91-a874-465f-b916-8c7003403bcb",
>>        "display": "Babs Jensen"
>>      }
>>    ]
>>  }
>>
>>
>> But if the register is also a scim server, this is rather confusing.
>>
>>
>> I believe we could, for our profile of the scim standard, require
>> externalId to be uuid:s and to never change for any reason, and also
>> require that the externalId and the "local" id should be treated as
>> identical. This would require a scim server to always use the externalId
>> as its own id, and we would be "home safe". Samuel just suggested a
>> custom attribute instead of externalId. I can't really see how it would
>> much in terms of interoperability, but I guess you could argue that it
>> becomes more obvious what it is?
>>
>> Thoughts?
>>
>> Thanks,
>> Palle
>>
>>
>>> On 20 Sep 2017, at 01:01, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
>>>
>>> The id in scim is a local instance identifier. Its purpose is to give
>>> permanence to the id. Ie. It never changes which gives referential
>>> integrity. The timetable system can count on the uri for the student.
>>>
>>> Technically the client cannot assign the id, but the server can choose
>>> to use an attribute provided (eg the studentid) for the id value.  The
>>> challenge is not to choose an id value that might change for any reason.
>>> It seems to me student ids are stable.
>>>
>>> The point is if you were accessing a student in another school you
>>> can't count on id being the student id. Nor that you will be able to
>>> keep them the same.
>>>
>>> When this happens you can use externalid to establish the linkage.
>>>
>>> Phil
>>>
>>>> On Sep 19, 2017, at 3:40 PM, Vella, Shon <svella@idauto.net> wrote:
>>>>
>>>> I believe what you are looking for is externalId for storing the
>>>> common id. It could be the id from one of the systems or it could be
>>>> something else completely - whatever the orchestration/synchronization
>>>> glue needs it to be.
>>>>
>>>> Shon Vella
>>>> Identity Automation
>>>>
>>>>
>>>>> On Tue, Sep 19, 2017 at 4:16 PM, Palle Girgensohn
>>>>> <girgen@pingpong.net> wrote:
>>>>>
>>>>> Hello all,
>>>>>
>>>>> I have a question about how to maintain persistent id:s for objects
>>>>> through different systems if we use SCIM to sync data between them.
>>>>>
>>>>> Say for example that we have a school student register system where
>>>>> students, classes, study groups etc. are managed. Say also that we
>>>>> extend SCIM with some resource types that define how to describe time
>>>>> tables for the school.
>>>>>
>>>>> We have two services that need information from the register; a time
>>>>> table software (A) and an attendance software (B).
>>>>>
>>>>> The time table software (A) adds information about the time tables
>>>>> and uses reference ("value" & "$ref") to point out groups and users
>>>>> from the register for the time table entries. Of course, B needs this
>>>>> information.
>>>>>
>>>>> Simple setup:
>>>>>
>>>>>
>>>>> Register
>>>>>
>>>>>  |    |
>>>>>  v    v
>>>>>
>>>>>  A -> B
>>>>>
>>>>>
>>>>> Now, according to SCIM, the id property that may be sent from
>>>>> Register to A and B should be ignored by A & B. Instead, A & B should
>>>>> make up their own id:s and return them to the register. This means
>>>>> that A and B cannot communicate about these objects since they don't
>>>>> have any common id to reference. The externalId in SCIM is just for
>>>>> filtering, it cannot be used in reference attributes.
>>>>>
>>>>> How is this supposed to work? I think that maybe I'm missing
>>>>> something here? Why can't the Register decide on the id for the
>>>>> object, it seems so much more logical?
>>>>>
>>>>> A similar question arises even in a simple setup with a register and
>>>>> a service provider. If the register first provisions a user in the
>>>>> service provider, it gets the service provider's made up ID in the
>>>>> response. Then it creates a group and populates it with the user.
>>>>> Should it then use the id from the service provider in the "members":
>>>>> {"value" and "$ref" ? It seems a bit backward to me?
>>>>>
>>>>> We need the same "objects" to be synced between more than just two
>>>>> systems, and to me it is confusing how to keep the id:s intact. Is
>>>>> this not a job for SCIM at all?
>>>>>
>>>>> Please advise :-)
>>>>>
>>>>> Palle Girgensohn
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim


--Apple-Mail=_5C42957E-2C05-486B-8B03-E9AE49FC5896
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP


--Apple-Mail=_5C42957E-2C05-486B-8B03-E9AE49FC5896--
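
Added example, not part of the original message or of any SCIM implementation: the id/externalId correlation discussed in the thread above, with the register keeping a per-provider map from its externalId to the id each service provider minted, so group members are always sent with the target provider's own ids. The ServiceProvider and Register classes, translate() and the in-memory storage are assumptions made for illustration; the resource values are the ones used in the message.

```python
import uuid


class ServiceProvider:
    """Constructed in-memory stand-in for a SCIM service provider such as a.example.com."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.users = {}    # server-assigned id -> User resource
        self.groups = {}   # server-assigned id -> Group resource

    def _store(self, table, rtype, resource):
        # The server mints "id"; a client-supplied "id" is dropped, externalId is kept.
        local_id = str(uuid.uuid4())
        stored = {k: v for k, v in resource.items() if k not in ("id", "meta")}
        stored["id"] = local_id
        stored["meta"] = {"resourceType": rtype,
                          "location": f"{self.base_url}/{rtype}s/{local_id}"}
        table[local_id] = stored
        return stored

    def create_user(self, resource):             # POST /Users
        return self._store(self.users, "User", resource)

    def filter_users_by_external_id(self, ext):  # GET /Users?filter=externalId eq "<ext>"
        return [u for u in self.users.values() if u.get("externalId") == ext]

    def create_group(self, resource):            # POST /Groups
        for member in resource.get("members", []):
            if member["value"] not in self.users:
                # The catch-22 from the thread: the register's id means nothing here.
                raise LookupError(f"unknown member id {member['value']}")
        return self._store(self.groups, "Group", resource)


class Register:
    """Provisioning client that owns externalId and remembers each provider's id for it."""

    def __init__(self):
        self.links = {}   # (provider base_url, externalId) -> provider-local id

    def provision_user(self, sp, user):
        created = sp.create_user(user)
        self.links[(sp.base_url, user["externalId"])] = created["id"]
        return created

    def local_id(self, sp, external_id):
        key = (sp.base_url, external_id)
        if key not in self.links:
            # Recover a lost link with an externalId filter; refuse ambiguous matches.
            hits = sp.filter_users_by_external_id(external_id)
            if len(hits) != 1:
                raise LookupError(f"{len(hits)} matches for externalId {external_id}")
            self.links[key] = hits[0]["id"]
        return self.links[key]

    def provision_group(self, sp, external_id, display_name, member_external_ids):
        members = []
        for ext in member_external_ids:
            lid = self.local_id(sp, ext)
            members.append({"value": lid, "$ref": f"{sp.base_url}/Users/{lid}"})
        return sp.create_group({
            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
            "externalId": external_id, "displayName": display_name, "members": members})


def translate(src, dst, src_local_id):
    """Map a user id issued by `src` to the id `dst` issued, joining on externalId."""
    ext = src.users[src_local_id]["externalId"]
    hits = dst.filter_users_by_external_id(ext)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} matches for externalId {ext} at {dst.base_url}")
    return hits[0]["id"]


def demo():
    """Provision the same user to A and B, then a group to A using A's own ids."""
    a = ServiceProvider("https://a.example.com/v2")
    b = ServiceProvider("https://b.example.com/v2")
    reg = Register()
    babs = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "userName": "bjensen",
            "externalId": "a7ff200e-8cca-4532-9e44-56721ee554e6"}
    user_a = reg.provision_user(a, babs)
    user_b = reg.provision_user(b, babs)
    group_a = reg.provision_group(a, "e9e30dba-f08f-4109-8486-d5c6a331660a",
                                  "Tour Guides", [babs["externalId"]])
    return a, b, user_a, user_b, group_a


if __name__ == "__main__":
    a, b, user_a, user_b, group_a = demo()
    print("A id:", user_a["id"], "| B id:", user_b["id"])
    print("A -> B:", translate(a, b, user_a["id"]))
```

translate() is the piece A and B need when they exchange references directly: each side keeps its own id and the join happens on externalId, which only works while the register keeps externalId unique and stable.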


From nobody Wed Sep 20 08:40:23 2017
Return-Path: <phil.hunt@oracle.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FBB1132D54 for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 08:40:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level: 
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1grwub8K90lX for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 08:40:19 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CBFD132C3F for <scim@ietf.org>; Wed, 20 Sep 2017 08:40:19 -0700 (PDT)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v8KFeHQU028685 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 20 Sep 2017 15:40:17 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v8KFeFCa028175 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 20 Sep 2017 15:40:16 GMT
Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v8KFeEvM029411; Wed, 20 Sep 2017 15:40:14 GMT
Received: from [10.228.115.170] (/24.244.32.166) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 20 Sep 2017 08:40:14 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14G60)
In-Reply-To: <89834582-A7C5-4F68-AEB3-6AAA59E34179@pingpong.net>
Date: Wed, 20 Sep 2017 08:40:12 -0700
Cc: scim@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <6B20D45B-63B6-4D00-ADE1-A3EC86B2348E@oracle.com>
References: <89834582-A7C5-4F68-AEB3-6AAA59E34179@pingpong.net>
To: Palle Girgensohn <girgen@pingpong.net>
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/ksT35wBLscrVQDc6bwAyWHvmqs8>
Subject: Re: [scim] time window for members in a group
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2017 15:40:21 -0000

The topic of additional metadata has come up before. This includes attribute
verification level, consent, as well as expiration etc.

There are a bunch of possibilities but the best is not clear (at least to me).
Might be a good WG topic at some future stage.

My guess is it would be best for now to define a new group whose
enrollees/members have the data you need.

Phil

> On Sep 20, 2017, at 4:49 AM, Palle Girgensohn <girgen@pingpong.net> wrote:=

>=20
> Hi,
>=20
> We have the requirement to be able to describe during which time a user wi=
ll be active in a group, not by adding and removing her in a timely manner, b=
ut by actually have startDate and endDate attributes on in the complex membe=
rs attribute. This is because we need to be able do describe historical info=
rmation and also information in advance, about when a student has attended o=
r will attend a class/group so attendance records can be correctly maintaine=
d.
>=20
> Since scim has a limitation that it does not allow custom schema elements i=
n complex attributes, sadly his means that a normal scim Group cannot be use=
d at all. instead we need to define a specific StudentGroup that mimics the b=
eahviour of the standard group, but has a different complex attribute,  Stud=
entMembers:
>=20
> {
>  "schemas": [
>    "urn:ietf:params:scim:schemas:core:2.0:Group",
>  ],
>  "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
>  "externalId": "e9e30dba-f08f-4109-8486-d5c6a331660a",
>  "displayName": "N3A Kurser",
>  "urn:scim:schemas:extension:sis:school:1.0:StudentGroup": {
>    "studentMemberships": [
>      {
>        "value": "2819c223-7f76-453a-919d-413861904646",
>        "$ref": "/v2/Users/2819c223-7f76-453a-919d-413861904646",
>        "displayName": "Barbara Jensen",
>        "startDate": "2015-01-01",
>        "endDate": "2015-10-30"
>      }
>    ],
>    "studentGroupType": "Undervisning",
>    "schoolType": "GY",
>    "schoolYears": [
>      2
>    ]
>  },
>  "meta": {
>    "resourceType": "Group",
>    "created": "2010-01-23T04:56:22Z",
>    "lastModified": "2011-05-13T04:42:34Z",
>    "version": "W/\"3694e05e9dff592\"",
>    "location": "/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a"
>  }
> }
>
> Would it be possible to discuss an alternative path where startDate and endDate were part of the complex attribute "members"? This would allow a much greater interoperability since a SCIM system that does not know about the startDate/endDate attributes would just ignore them.
>
> Any other ideas or thoughts about this?
>
> Thanks,
> Palle
>
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim


From nobody Wed Sep 20 09:39:38 2017
Return-Path: <girgen@pingpong.net>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB5801331C2 for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 09:39:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnFuGNDa6NNz for <scim@ietfa.amsl.com>; Wed, 20 Sep 2017 09:39:34 -0700 (PDT)
Received: from mail.pingpong.net (mail.pingpong.net [79.136.116.202]) by ietfa.amsl.com (Postfix) with ESMTP id 8E88213202D for <scim@ietf.org>; Wed, 20 Sep 2017 09:39:34 -0700 (PDT)
Received: from [10.0.1.11] (h-158-174-8-242.NA.cust.bahnhof.se [158.174.8.242]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.pingpong.net (Postfix) with ESMTPSA id 98AD1225AC; Wed, 20 Sep 2017 18:39:31 +0200 (CEST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Palle Girgensohn <girgen@pingpong.net>
X-Mailer: iPhone Mail (14G60)
In-Reply-To: <6B20D45B-63B6-4D00-ADE1-A3EC86B2348E@oracle.com>
Date: Wed, 20 Sep 2017 18:39:31 +0200
Cc: scim@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <E44E6BF7-51A0-40DF-ACAA-F12A478D2485@pingpong.net>
References: <89834582-A7C5-4F68-AEB3-6AAA59E34179@pingpong.net> <6B20D45B-63B6-4D00-ADE1-A3EC86B2348E@oracle.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/0DgLhDNVRTiqWWJXSF_D_Ya8Oak>
Subject: Re: [scim] time window for members in a group
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2017 16:39:37 -0000

Thanks for the reply!

Yes, we were forced to do just that. It is of course a long process to add more attributes in the members box, but it would indeed be nice.

Are there any plans for new WG meetings?

Palle

> On 20 Sep 2017, at 17:40, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote:
>
> The topic of additional metadata has come up before. This includes attribute verification level, consent, as well as expiration etc.
>
> There are a bunch of possibilities but the best is not clear (at least to me). Might be a good WG topic at some future stage.
>
> My guess is it would be best for now to define a new group whose enrollees/members have the data you need.
>
> Phil
>
>> On Sep 20, 2017, at 4:49 AM, Palle Girgensohn <girgen@pingpong.net> wrote:
>>
>> Hi,
>>
>> We have the requirement to be able to describe during which time a user will be active in a group, not by adding and removing her in a timely manner, but by actually having startDate and endDate attributes in the complex members attribute. This is because we need to be able to describe historical information and also information in advance, about when a student has attended or will attend a class/group so attendance records can be correctly maintained.
>>
>> Since SCIM has a limitation that it does not allow custom schema elements in complex attributes, sadly this means that a normal SCIM Group cannot be used at all. Instead we need to define a specific StudentGroup that mimics the behaviour of the standard group, but has a different complex attribute, StudentMembers:
>>
>> {
>> "schemas": [
>>   "urn:ietf:params:scim:schemas:core:2.0:Group"
>> ],
>> "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
>> "externalId": "e9e30dba-f08f-4109-8486-d5c6a331660a",
>> "displayName": "N3A Kurser",
>> "urn:scim:schemas:extension:sis:school:1.0:StudentGroup": {
>>   "studentMemberships": [
>>     {
>>       "value": "2819c223-7f76-453a-919d-413861904646",
>>       "$ref": "/v2/Users/2819c223-7f76-453a-919d-413861904646",
>>       "displayName": "Barbara Jensen",
>>       "startDate": "2015-01-01",
>>       "endDate": "2015-10-30"
>>     }
>>   ],
>>   "studentGroupType": "Undervisning",
>>   "schoolType": "GY",
>>   "schoolYears": [
>>     2
>>   ]
>> },
>> "meta": {
>>   "resourceType": "Group",
>>   "created": "2010-01-23T04:56:22Z",
>>   "lastModified": "2011-05-13T04:42:34Z",
>>   "version": "W/\"3694e05e9dff592\"",
>>   "location": "/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a"
>> }
>> }
>>
>> Would it be possible to discuss an alternative path where startDate and endDate were part of the complex attribute "members"? This would allow a much greater interoperability since a SCIM system that does not know about the startDate/endDate attributes would just ignore them.
>>
>> Any other ideas or thoughts about this?
>>
>> Thanks,
>> Palle
>>
>> _______________________________________________
>> scim mailing list
>> scim@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
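
Added example, not part of the original thread and not code from any of its participants: a consumer of the StudentGroup extension discussed above has to evaluate each membership window itself, and a consumer that reads only the core "members" attribute sees no members at all. The sample resource is constructed from the one posted in the thread plus one constructed member; the inclusive bounds, the open-ended meaning of a missing date, and the function names are assumptions.

```python
import json
from datetime import date

# Extension URN as used in the resource posted in the thread.
EXT = "urn:scim:schemas:extension:sis:school:1.0:StudentGroup"

# Constructed sample: the Group from the thread (trimmed), plus one constructed
# member without an endDate to exercise the open-ended case.
GROUP_JSON = """
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group",
    "urn:scim:schemas:extension:sis:school:1.0:StudentGroup"
  ],
  "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
  "displayName": "N3A Kurser",
  "urn:scim:schemas:extension:sis:school:1.0:StudentGroup": {
    "studentMemberships": [
      {
        "value": "2819c223-7f76-453a-919d-413861904646",
        "displayName": "Barbara Jensen",
        "startDate": "2015-01-01",
        "endDate": "2015-10-30"
      },
      {
        "value": "00000000-0000-4000-8000-000000000001",
        "displayName": "Constructed Student",
        "startDate": "2015-08-15"
      }
    ]
  }
}
"""


def _parse_day(value):
    """Parse an ISO 8601 calendar date; a missing value means 'unbounded'."""
    return date.fromisoformat(value) if value else None


def members_seen_by_core_client(group):
    """Ids visible to a consumer that only understands the core Group schema."""
    return [m["value"] for m in group.get("members", [])]


def active_members(group, on_day):
    """Return ids of students whose membership window covers on_day.

    Assumptions (not stated in the thread): both bounds are inclusive and a
    missing bound is open-ended. A window that ends before it starts is
    rejected instead of being silently treated as empty.
    """
    active = []
    for m in group.get(EXT, {}).get("studentMemberships", []):
        start = _parse_day(m.get("startDate"))
        end = _parse_day(m.get("endDate"))
        if start and end and end < start:
            raise ValueError(
                f"membership {m.get('value')!r}: endDate precedes startDate"
            )
        if (start is None or start <= on_day) and (end is None or on_day <= end):
            active.append(m["value"])
    return active


GROUP = json.loads(GROUP_JSON)

if __name__ == "__main__":
    for day in (date(2014, 12, 31), date(2015, 9, 1), date(2015, 10, 31)):
        print(day, active_members(GROUP, day))
    print("core-only view:", members_seen_by_core_client(GROUP))
```
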


From nobody Thu Sep 28 06:08:52 2017
Return-Path: <kelly.grizzle@sailpoint.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67715134714 for <scim@ietfa.amsl.com>; Thu, 28 Sep 2017 06:08:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.699
X-Spam-Level: 
X-Spam-Status: No, score=-4.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sailpoint.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DmnYOHqJDPcm for <scim@ietfa.amsl.com>; Thu, 28 Sep 2017 06:08:48 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0107.outbound.protection.outlook.com [104.47.41.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 822EA13472D for <scim@ietf.org>; Thu, 28 Sep 2017 06:08:47 -0700 (PDT)
Received: from BN6PR04MB0339.namprd04.prod.outlook.com (10.168.225.20) by BN6PR04MB0339.namprd04.prod.outlook.com (10.168.225.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Thu, 28 Sep 2017 13:08:46 +0000
Received: from BN6PR04MB0339.namprd04.prod.outlook.com ([10.168.225.20]) by BN6PR04MB0339.namprd04.prod.outlook.com ([10.168.225.20]) with mapi id 15.20.0077.016; Thu, 28 Sep 2017 13:08:45 +0000
From: Kelly Grizzle <kelly.grizzle@sailpoint.com>
To: "scim@ietf.org" <scim@ietf.org>
Thread-Topic: Privileged Access Management (PAM) extension for SCIM
Thread-Index: AdM4WuBXh9UNzJyZSuuD26r2o9484w==
Date: Thu, 28 Sep 2017 13:08:45 +0000
Message-ID: <BN6PR04MB033964F39AAEC8242E745CF1E2790@BN6PR04MB0339.namprd04.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kelly.grizzle@sailpoint.com; 
x-originating-ip: [70.114.154.180]
x-ms-publictraffictype: Email
received-spf: None (protection.outlook.com: sailpoint.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN6PR04MB033964F39AAEC8242E745CF1E2790BN6PR04MB0339namp_"
MIME-Version: 1.0
X-OriginatorOrg: sailpoint.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Sep 2017 13:08:45.8312 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9c848b2a-49ba-4c39-9749-118d06717a84
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR04MB0339
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/ndDkTpVOzzRaFkXuLXIM23vEgYY>
Subject: [scim] Privileged Access Management (PAM) extension for SCIM
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Sep 2017 13:08:50 -0000

--_000_BN6PR04MB033964F39AAEC8242E745CF1E2790BN6PR04MB0339namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

A group of individuals from the privileged access management and identity governance and administration sectors have been working on a SCIM extension that can help to bridge these two worlds.  To this end, we have produced an individual draft with a SCIM PAM extension - https://datatracker.ietf.org/doc/draft-grizzle-scim-pam-ext/.  (Huge thank you to all of the co-authors and collaborators!)

A swagger spec is available here: http://scim-pam-api.sailpoint.com.s3-website-us-east-1.amazonaws.com/#/
For more context see a recent blog post here: https://www.sailpoint.com/blog/privileged-access-management-identity/
A presentation that describes the need is available here: https://www.youtube.com/watch?v=CilH_aV8MCc

Feedback is very much appreciated!

--Kelly


--_000_BN6PR04MB033964F39AAEC8242E745CF1E2790BN6PR04MB0339namp_--


From nobody Fri Sep 29 01:56:20 2017
Return-Path: <samuel@erdtman.se>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19DAF13213D for <scim@ietfa.amsl.com>; Fri, 29 Sep 2017 01:56:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7lBLyUDLjTBR for <scim@ietfa.amsl.com>; Fri, 29 Sep 2017 01:56:16 -0700 (PDT)
Received: from mail-pf0-x230.google.com (mail-pf0-x230.google.com [IPv6:2607:f8b0:400e:c00::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7159B132031 for <scim@ietf.org>; Fri, 29 Sep 2017 01:56:16 -0700 (PDT)
Received: by mail-pf0-x230.google.com with SMTP id u12so433103pfl.4 for <scim@ietf.org>; Fri, 29 Sep 2017 01:56:16 -0700 (PDT)
X-Received: by 10.101.83.72 with SMTP id w8mr6592661pgr.226.1506675375931; Fri, 29 Sep 2017 01:56:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.143.170 with HTTP; Fri, 29 Sep 2017 01:56:15 -0700 (PDT)
In-Reply-To: <CAN2oXrC7Np9OssJ_d+TJHjjbTtvk8H4Qtn+2e9TbpwcjQu2EUQ@mail.gmail.com>
References: <CAN2oXrCHc3OFoUWf+TUSZTO+OAU2iLmZ+MfRMbgT0uRyzFFuHQ@mail.gmail.com> <CAF2hCbZ-6vtKELAdgeaeg-iyEpHb-ZS0PQshNg0VuxUa1We7hA@mail.gmail.com> <CAN2oXrCaqddXkvgePM4r9yHh6roW8opYsx1=qM0-wE2jMP_ZDQ@mail.gmail.com> <C24AF6E0-C290-437C-B5E8-DCB0A827CCEF@oracle.com> <CAN2oXrBYqmOsd6dGGzH60kcYZ6zVxJWLpFUgs4scw48ym0P-dQ@mail.gmail.com> <CAN2oXrC7Np9OssJ_d+TJHjjbTtvk8H4Qtn+2e9TbpwcjQu2EUQ@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Fri, 29 Sep 2017 10:56:15 +0200
Message-ID: <CAF2hCbZ+vEE=AesCF95CpTNsUJVdCJMq7tdgnGz=rvMqtzO9HA@mail.gmail.com>
To: Darshana Gunawardana <darshanasbg@gmail.com>
Cc: Phil Hunt <phil.hunt@oracle.com>, vindula.13@cse.mrt.ac.lk,  "scim@ietf.org" <scim@ietf.org>, Omindu Rathnaweera <omindu.dishan@gmail.com>
Content-Type: multipart/alternative; boundary="089e0826dfdc93156f055a5032b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/UMWGuwfk3cpfcUuGdvFc7BbvNj0>
Subject: Re: [scim] Does SCIM 2.0 have a compliance test suite?
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Sep 2017 08:56:19 -0000

--089e0826dfdc93156f055a5032b6
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

I have had an initial look at the project.

Correct me if I'm wrong but it is a copy of the simplecloud.info repo with
the compliance 2.0 added in parallel. A fork would have been even easier
but I think this could work too.

Have you tried to run the project in Heroku? Do all the dependencies etc.
work in that environment?

I tried to test the hosted demo but got a 404
https://compliance-scim2.wso2apps.com/scimproxycompliance/

The path forward that I would prefer would be to get an initial PR to
simplecloud.info repo (https://github.com/erdtman/simplecloud.info/) with
the added code (preferably not to master).

Not necessarily making it visible, I can do that once I have merged the PR.

Best regards
//Samuel

On Tue, Sep 12, 2017 at 4:32 AM, Darshana Gunawardana <darshanasbg@gmail.com> wrote:

> Hi all,
>
> Giving you an update on the topic.
>
> We were able to get a GSoC project slot for the above proposal and the
> elected student - Vindula, who is cc'ed here - was able to come up with a
> promising implementation on the project.
>
>    - GSoC Project URL: https://summerofcode.withgoogle.com/projects/#6261985816608768
>    - Vindula's blog on the project: https://medium.com/@vindulajayawardana/scim-2-0-compliance-test-suite-737fd4ace3cc
>    - Source Repo: https://github.com/wso2-incubator/scim2-compliance-test-suite
>    - Hosted Demo: https://compliance-scim2.wso2apps.com/scimproxycompliance/
>
> With the increasing adoption of the SCIM 2.0, this test suite will be a
> strong initial step to validate interoperability, yet I'm sure there is
> much room to improve. So,
> > Try the hosted demo
> > If you have any suggestion to improve, open a git issue on the source
> repo <https://github.com/wso2-incubator/scim2-compliance-test-suite>
> > If you know the fix, send a PR..
>
> Any kind of feedback would be highly appreciated.
>
> Thanks,
>
>
> On Fri, Mar 17, 2017 at 12:19 AM, Darshana Gunawardana <
> darshanasbg@gmail.com> wrote:
>
>> Hi folks,
>>
>> Thanks all for your responses.
>>
>> On Wed, Mar 1, 2017 at 1:05 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> There has been discussion about having OpenID Foundation host some
>>> tests. However, so far, nobody has volunteered to write the tests or fund
>>> their support.  If we can generate interest, maybe we can make it happen.
>>>
>>
>> A few of us at WSO2 thought about a suitable way to generate interest on
>> this.
>>
>> WSO2 has been a mentor organization for GSoC for the last three years and
>> also accepted for the same on this year as well. So we have come up with a
>> GSoC project proposal on the topic "SCIM 2.0 compliance test suite". You
>> can find more details of the project proposal on the below link.
>>
>> https://docs.wso2.com/display/GSoC/Project+Proposals+for+2017#ProjectProposalsfor2017-Proposal21:[IS]SCIM2.0compliancetestsuite
>>
>> Any suggestions on the project proposal are highly appreciated.
>>
>> The good news is, we already have one interested applicant on this
>> project!!!
>>
>> Hopefully we will have more applicants.. and a decent student proposal to
>> proceed with..
>>
>> Thanks,
>> Darshana
>>
>>
>>>
>>> Note: The IETF does not seem to handle inter-op test suites and
>>> certifications.  At least not in my experience.
>>>
>>> Phil
>>>
>>> Oracle Corporation, Identity Cloud Services & Identity Standards
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Feb 7, 2017, at 12:15 AM, Darshana Gunawardana <darshanasbg@gmail.com> wrote:
>>>
>>> Hi Samuel,
>>>
>>> Thanks for the response..!
>>>
>>> My colleagues from WSO2 are in the process of implementing SCIM 2.0 server
>>> and currently people are working on improving the test coverage on that.
>>>
>>> If there is no work done on this, we can check on creating common SCIM
>>> 2.0 suite and contributing back to the community. Wanted to check whether
>>> it would be useful to implement common SCIM 2.0 suite thing.
>>>
>>> If this is something useful to have, we can check on possible ways of
>>> getting interested persons...
>>>
>>> And can I know references on the implementations on the test suite done
>>> on SCIM 1.1? So I can get an idea on the current design and effort needed
>>> to implement in that way.
>>>
>>> Thanks,
>>> Darshana
>>>
>>> On Tue, Feb 7, 2017 at 1:06 PM, Samuel Erdtman <samuel@erdtman.se> wrote:
>>>
>>>> There is currently no such tool as far as I know.
>>>>
>>>> That it says ongoing is a bit too optimistic, there is no ongoing work
>>>> as far as I know.
>>>>
>>>> You are not the only one asking for this so maybe a few persons could
>>>> do some cooperation and create something.
>>>>
>>>>
>>>> On Tue, 7 Feb 2017 at 07:37, Darshana Gunawardana <
>>>> darshanasbg@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Is there a test tool that can be used to check compliance with the SCIM
>>>>> 2.0 specification?
>>>>>
>>>>> The site [1] specifies that there is an ongoing effort. Is this an
>>>>> open source effort where someone interested can try prototype versions and
>>>>> contribute for the development?
>>>>>
>>>>> [1] http://www.simplecloud.info/
>>>>> [2] "Work on SCIM 2.0 tests is under development and there are
>>>>> currently no support for the enterprise extension"
>>>>>
>>>>> Thanks,
>>>>> --
>>>>> With Regards,
>>>>>
>>>>> Darshana Gunawardana,
>>>>> Alumni : Dept. of Computer Science & Engineering,
>>>>> University of Moratuwa,
>>>>> Sri Lanka
>>>>> _______________________________________________
>>>>> scim mailing list
>>>>> scim@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/scim
>>>>>
>>>>
>>>
>>>
>>> --
>>> With Regards,
>>>
>>> Darshana Gunawardana,
>>> Alumni : Dept. of Computer Science & Engineering,
>>> University of Moratuwa,
>>> Sri Lanka
>>> _______________________________________________
>>> scim mailing list
>>> scim@ietf.org
>>> https://www.ietf.org/mailman/listinfo/scim
>>>
>>>
>>>
>>
>>
>> --
>> With Regards,
>>
>> Darshana Gunawardana,
>> Alumni : Dept. of Computer Science & Engineering,
>> University of Moratuwa,
>> Sri Lanka
>>
>
>
>
> --
> With Regards,
>
> Darshana Gunawardana,
> Alumni : Dept. of Computer Science & Engineering,
> University of Moratuwa,
> Sri Lanka
>

--089e0826dfdc93156f055a5032b6
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div><div>Hi,<br><br></div>I have had an initial look=
 at the project.<br><br></div>Correct me if I=C2=B4m wrong but it is a copy=
 of the <a href=3D"http://simplecloud.info">simplecloud.info</a> repo with =
the compliance 2.0 added in parallel. a fork would have been even easier bu=
t I think this could work too.<br><br></div>Have you tried to run the proje=
ct in heroku? does all the dependencies etc. work in that environment?<br><=
br>I tried to test the hosted demo but got a 404<br><a href=3D"https://comp=
liance-scim2.wso2apps.com/scimproxycompliance/">https://compliance-scim2.ws=
o2apps.com/scimproxycompliance/</a><br><div><br></div><div>The path forward=
 that I would prefer would be to get an initial PR to <a href=3D"http://sim=
plecloud.info">simplecloud.info</a> repo (<a href=3D"https://github.com/erd=
tman/simplecloud.info/">https://github.com/erdtman/simplecloud.info/</a>) w=
ith the added code (preferable not to master).<br><br></div><div>Not necess=
arily making it visible, I can do that once I have merged the PR.<br><br></=
div><div>Best regards<br></div><div>//Samuel<br></div><div><br></div><div><=
br><br><br><br></div></div><div class=3D"gmail_extra"><br><div class=3D"gma=
il_quote">On Tue, Sep 12, 2017 at 4:32 AM, Darshana Gunawardana <span dir=
=3D"ltr">&lt;<a href=3D"mailto:darshanasbg@gmail.com" target=3D"_blank">dar=
shanasbg@gmail.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quot=
e" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">=
<div dir=3D"ltr">Hi all,<div><br></div><div>Giving you an update about on t=
he topic.</div><div><br></div><div>We were able to get a GSoC project slot =
for the above proposal and the elected student -Vindula who cc&#39;ed here-=
 was able to come up with a promising implementation on the project.</div><=
div><ul><li>GSoC Project URL: <a href=3D"https://summerofcode.withgoogle.co=
m/projects/#6261985816608768" target=3D"_blank">https://summerofcode.<wbr>w=
ithgoogle.com/projects/#<wbr>6261985816608768</a><br></li><li>VIndula&#39;s=
 blog on the project:=C2=A0<a href=3D"https://medium.com/@vindulajayawardan=
a/scim-2-0-compliance-test-suite-737fd4ace3cc" target=3D"_blank">https://me=
dium.com/@<wbr>vindulajayawardana/scim-2-0-<wbr>compliance-test-suite-<wbr>=
737fd4ace3cc</a><br></li><li>Source Repo:=C2=A0<a href=3D"https://github.co=
m/wso2-incubator/scim2-compliance-test-suite" target=3D"_blank">https://git=
hub.com/wso2-<wbr>incubator/scim2-compliance-<wbr>test-suite</a><br></li><l=
i>Hosted Demo: <a href=3D"https://compliance-scim2.wso2apps.com/scimproxyco=
mpliance/" target=3D"_blank">https://compliance-scim2.<wbr>wso2apps.com/<wb=
r>scimproxycompliance/</a></li></ul></div><div>With the increasing adoption=
 of the SCIM 2.0, this test suite will be a strong initial step to validate=
 interoperability, yet i&#39;m sure there is much room to improve. So,</div=
><div>&gt; Try the hosted demo</div><div>&gt; If you see have any suggestio=
n to improve, open a git issue on the <a href=3D"https://github.com/wso2-in=
cubator/scim2-compliance-test-suite" target=3D"_blank">source repo</a></div=
><div>&gt; If you know the fix, send a PR..</div><div><br></div><div>Any ki=
nd of feedback would be highly appreciated.</div><div><br></div><div>Thanks=
,</div><div><div class=3D"h5"><div><br></div><div class=3D"gmail_extra"><br=
><div class=3D"gmail_quote">On Fri, Mar 17, 2017 at 12:19 AM, Darshana Guna=
wardana <span dir=3D"ltr">&lt;<a href=3D"mailto:darshanasbg@gmail.com" targ=
et=3D"_blank">darshanasbg@gmail.com</a>&gt;</span> wrote:<br><blockquote cl=
ass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid=
 rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">Hi folks,<div><br></di=
v><div>Thanks all for your responses.</div><div class=3D"gmail_extra"><br><=
div class=3D"gmail_quote"><span>On Wed, Mar 1, 2017 at 1:05 AM, Phil Hunt <=
span dir=3D"ltr">&lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_bla=
nk">phil.hunt@oracle.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmai=
l_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,20=
4,204);padding-left:1ex"><div style=3D"word-wrap:break-word">There has been=
 discussion about having OpenID Foundation host some tests. However, so far=
, nobody has volunteered to write the tests or fund their support.=C2=A0 If=
 we can generate interest, maybe we can make it happen.</div></blockquote><=
div><br></div></span><div>A few of us at WSO2=C2=A0<span style=3D"color:rgb=
(38,50,56);font-size:13px">though</span><span style=3D"color:rgb(38,50,56);=
font-size:13px">t</span>=C2=A0about a suitable way to generate interest on =
this.</div><div><br></div><div>WSO2 has been a mentor organization for GSoC=
 for the last three years and was also accepted for the same this year as =
well. So we have come up with a GSoC project proposal on the topic &quot;=
SCIM=
 2.0 compliance test suite&quot;. You can find more details of the project =
proposal on the below link.</div><div><br></div><div><a href=3D"https://doc=
s.wso2.com/display/GSoC/Project+Proposals+for+2017#ProjectProposalsfor2017-=
Proposal21:[IS]SCIM2.0compliancetestsuite" target=3D"_blank">https://docs.w=
so2.com/display/<wbr>GSoC/Project+Proposals+for+201<wbr>7#ProjectProposalsf=
or2017-Prop<wbr>osal21:[IS]SCIM2.0compliancete<wbr>stsuite</a>=C2=A0<br></d=
iv><div><br></div><div><div>Any suggestions on the project proposal are hig=
hly appreciated.<br></div><div><br></div><div>The good news is, we already =
have one interested applicant on this project!!!</div><div><br></div><div>H=
opefully we will have more applicants.. and a decent=C2=A0student proposal =
to proceed with..</div></div><div><br></div><div>Thanks,</div><div>Darshana=
</div><div><div class=3D"m_-5139740392090228391gmail-m_1376985840989271562m=
_1603289033073655025h5"><div>=C2=A0</div><blockquote class=3D"gmail_quote" =
style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);pa=
dding-left:1ex"><div style=3D"word-wrap:break-word"><div><br></div><div>Not=
e: The IETF does not seem to handle inter-op test suites and certifications=
.=C2=A0 At least not in my experience.</div><div><br><div>
<div style=3D"color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-=
indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wra=
p:break-word"><div style=3D"color:rgb(0,0,0);letter-spacing:normal;text-ali=
gn:start;text-indent:0px;text-transform:none;white-space:normal;word-spacin=
g:0px;word-wrap:break-word"><div style=3D"color:rgb(0,0,0);letter-spacing:n=
ormal;text-align:start;text-indent:0px;text-transform:none;white-space:norm=
al;word-spacing:0px;word-wrap:break-word"><div style=3D"color:rgb(0,0,0);le=
tter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;wh=
ite-space:normal;word-spacing:0px;word-wrap:break-word"><div><span class=3D=
"m_-5139740392090228391gmail-m_1376985840989271562m_1603289033073655025m_-5=
872495967044311210gmail-m_9045969488578760714gmail-m_-1144345979569978128Ap=
ple-style-span" style=3D"border-collapse:separate;line-height:normal"><div =
style=3D"word-wrap:break-word"><div><div><div>Phil</div><div><br></div><div=
>Oracle Corporation, Identity Cloud Services &amp; Identity Standards</div>=
<div>@independentid</div><div><a href=3D"http://www.independentid.com" targ=
et=3D"_blank">www.independentid.com</a></div></div></div></div></span><a hr=
ef=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">phil.hunt@oracle.com</=
a></div><div><br></div></div><br class=3D"m_-5139740392090228391gmail-m_137=
6985840989271562m_1603289033073655025m_-5872495967044311210gmail-m_90459694=
88578760714gmail-m_-1144345979569978128Apple-interchange-newline"></div><br=
 class=3D"m_-5139740392090228391gmail-m_1376985840989271562m_16032890330736=
55025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-114434597956=
9978128Apple-interchange-newline"></div><br class=3D"m_-5139740392090228391=
gmail-m_1376985840989271562m_1603289033073655025m_-5872495967044311210gmail=
-m_9045969488578760714gmail-m_-1144345979569978128Apple-interchange-newline=
"></div><br class=3D"m_-5139740392090228391gmail-m_1376985840989271562m_160=
3289033073655025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-1=
144345979569978128Apple-interchange-newline"><br class=3D"m_-51397403920902=
28391gmail-m_1376985840989271562m_1603289033073655025m_-5872495967044311210=
gmail-m_9045969488578760714gmail-m_-1144345979569978128Apple-interchange-ne=
wline">
</div><div><div class=3D"m_-5139740392090228391gmail-m_1376985840989271562m=
_1603289033073655025m_-5872495967044311210gmail-m_9045969488578760714gmail-=
h5">
<br><div><blockquote type=3D"cite"><div>On Feb 7, 2017, at 12:15 AM, Darsha=
na Gunawardana &lt;<a href=3D"mailto:darshanasbg@gmail.com" target=3D"_blan=
k">darshanasbg@gmail.com</a>&gt; wrote:</div><br class=3D"m_-51397403920902=
28391gmail-m_1376985840989271562m_1603289033073655025m_-5872495967044311210=
gmail-m_9045969488578760714gmail-m_-1144345979569978128Apple-interchange-ne=
wline"><div><div dir=3D"ltr" style=3D"font-family:helvetica;font-size:12px;=
font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacin=
g:normal;text-align:start;text-indent:0px;text-transform:none;white-space:n=
ormal;word-spacing:0px">Hi Samuel,<div><br></div><div>Thanks for the respon=
se..!</div><div><br></div><div>My colleagues from WSO2 are in the process =
of implementing SCIM 2.0 server and currently people working on improving =
the test coverage on that.</div><div><br></div><div>If there is no work =
done on=
 this, we can check on creating common SCIM 2.0 suite and contributing back=
 to the community. Wanted to check whether it would be useful to implement =
common SCIM 2.0 suite thing.</div><div><br></div><div>If this is something =
useful to have, we can check on possible ways of getting interested persons=
...</div><div><br></div><div>And can I know references on the implementatio=
ns on the test suite done on SCIM 1.1? So I can get an idea on the current =
design and effort needed to implement in that way.</div><div><br></div><div=
>Thanks,</div><div>Darshana</div><div><br></div><div class=3D"gmail_extra">=
<div class=3D"gmail_quote">On Tue, Feb 7, 2017 at 1:06 PM, Samuel Erdtman<s=
pan class=3D"m_-5139740392090228391gmail-m_1376985840989271562m_16032890330=
73655025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-114434597=
9569978128Apple-converted-space">=C2=A0</span><span dir=3D"ltr">&lt;<a href=
=3D"mailto:samuel@erdtman.se" target=3D"_blank">samuel@erdtman.se</a>&gt;</=
span><span class=3D"m_-5139740392090228391gmail-m_1376985840989271562m_1603=
289033073655025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-11=
44345979569978128Apple-converted-space">=C2=A0</span>wr<wbr>ote:<br><blockq=
uote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1p=
x solid rgb(204,204,204);padding-left:1ex"><div>There is currently no such =
tool as far as I know.</div><div><br></div><div>That it says ongoing is a b=
it too optimistic, there is no ongoing work as far as I know.</div><div><br=
></div><div>You are not the only one asking for this so maybe a few persons=
 could do some cooperation and create something.</div><div><br></div><div><=
br></div><div><div class=3D"gmail_quote"><div><div class=3D"m_-513974039209=
0228391gmail-m_1376985840989271562m_1603289033073655025m_-58724959670443112=
10gmail-m_9045969488578760714gmail-m_-1144345979569978128gmail-h5"><div>On =
Tue, 7 Feb 2017 at 07:37, Darshana Gunawardana &lt;<a href=3D"mailto:darsha=
nasbg@gmail.com" target=3D"_blank">darshanasbg@gmail.com</a>&gt; wrote:<br>=
</div></div></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px=
 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><d=
iv class=3D"m_-5139740392090228391gmail-m_1376985840989271562m_160328903307=
3655025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-1144345979=
569978128gmail-h5"><div class=3D"m_-5139740392090228391gmail-m_137698584098=
9271562m_1603289033073655025m_-5872495967044311210gmail-m_90459694885787607=
14gmail-m_-1144345979569978128gmail-m_-4844266541294802224gmail_msg">Hi,<di=
v class=3D"m_-5139740392090228391gmail-m_1376985840989271562m_1603289033073=
655025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-11443459795=
69978128gmail-m_-4844266541294802224gmail_msg"><br class=3D"m_-513974039209=
0228391gmail-m_1376985840989271562m_1603289033073655025m_-58724959670443112=
10gmail-m_9045969488578760714gmail-m_-1144345979569978128gmail-m_-484426654=
1294802224gmail_msg"></div><div class=3D"m_-5139740392090228391gmail-m_1376=
985840989271562m_1603289033073655025m_-5872495967044311210gmail-m_904596948=
8578760714gmail-m_-1144345979569978128gmail-m_-4844266541294802224gmail_msg=
">Is there a test tool that can be used to check compliance with the SCIM =
2.0 specification?</div><div class=3D"m_-5139740392090228391gmail-=
m_13769858409=
89271562m_1603289033073655025m_-5872495967044311210gmail-m_9045969488578760=
714gmail-m_-1144345979569978128gmail-m_-4844266541294802224gmail_msg"><br c=
lass=3D"m_-5139740392090228391gmail-m_1376985840989271562m_1603289033073655=
025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-11443459795699=
78128gmail-m_-4844266541294802224gmail_msg"></div><div class=3D"m_-51397403=
92090228391gmail-m_1376985840989271562m_1603289033073655025m_-5872495967044=
311210gmail-m_9045969488578760714gmail-m_-1144345979569978128gmail-m_-48442=
66541294802224gmail_msg">The site [1] specifies that there is an ongoing ef=
fort. Is this an open source effort where someone interested can try protot=
ype versions and contribute for the development?=C2=A0</div><div class=3D"m=
_-5139740392090228391gmail-m_1376985840989271562m_1603289033073655025m_-587=
2495967044311210gmail-m_9045969488578760714gmail-m_-1144345979569978128gmai=
l-m_-4844266541294802224gmail_msg"><br class=3D"m_-5139740392090228391gmail=
-m_1376985840989271562m_1603289033073655025m_-5872495967044311210gmail-m_90=
45969488578760714gmail-m_-1144345979569978128gmail-m_-4844266541294802224gm=
ail_msg"></div><div class=3D"m_-5139740392090228391gmail-m_1376985840989271=
562m_1603289033073655025m_-5872495967044311210gmail-m_9045969488578760714gm=
ail-m_-1144345979569978128gmail-m_-4844266541294802224gmail_msg">[1]=C2=A0<=
a href=3D"http://www.simplecloud.info/" class=3D"m_-5139740392090228391gmai=
l-m_1376985840989271562m_1603289033073655025m_-5872495967044311210gmail-m_9=
045969488578760714gmail-m_-1144345979569978128gmail-m_-4844266541294802224g=
mail_msg" target=3D"_blank">http://www.simplecloud.inf<wbr>o/</a></div><div=
 class=3D"m_-5139740392090228391gmail-m_1376985840989271562m_16032890330736=
55025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-114434597956=
9978128gmail-m_-4844266541294802224gmail_msg">[2] &quot;Work on SCIM 2.0 te=
sts is under development and there are currently no support for the enterpr=
ise extension&quot;</div><div class=3D"m_-5139740392090228391gmail-m_137698=
5840989271562m_1603289033073655025m_-5872495967044311210gmail-m_90459694885=
78760714gmail-m_-1144345979569978128gmail-m_-4844266541294802224gmail_msg">=
<br class=3D"m_-5139740392090228391gmail-m_1376985840989271562m_16032890330=
73655025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-114434597=
9569978128gmail-m_-4844266541294802224gmail_msg"></div><div class=3D"m_-513=
9740392090228391gmail-m_1376985840989271562m_1603289033073655025m_-58724959=
67044311210gmail-m_9045969488578760714gmail-m_-1144345979569978128gmail-m_-=
4844266541294802224gmail_msg">Thanks,<br class=3D"m_-5139740392090228391gma=
il-m_1376985840989271562m_1603289033073655025m_-5872495967044311210gmail-m_=
9045969488578760714gmail-m_-1144345979569978128gmail-m_-4844266541294802224=
gmail_msg">--<span class=3D"m_-5139740392090228391gmail-m_13769858409892715=
62m_1603289033073655025m_-5872495967044311210gmail-m_9045969488578760714gma=
il-m_-1144345979569978128Apple-converted-space">=C2=A0</span><br class=3D"m=
_-5139740392090228391gmail-m_1376985840989271562m_1603289033073655025m_-587=
2495967044311210gmail-m_9045969488578760714gmail-m_-1144345979569978128gmai=
l-m_-4844266541294802224gmail_msg"><div class=3D"m_-5139740392090228391gmai=
l-m_1376985840989271562m_1603289033073655025m_-5872495967044311210gmail-m_9=
045969488578760714gmail-m_-1144345979569978128gmail-m_-4844266541294802224m=
_7320022596693370544gmail_signature m_-5139740392090228391gmail-m_137698584=
0989271562m_1603289033073655025m_-5872495967044311210gmail-m_90459694885787=
60714gmail-m_-1144345979569978128gmail-m_-4844266541294802224gmail_msg"><di=
v class=3D"m_-5139740392090228391gmail-m_1376985840989271562m_1603289033073=
655025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-11443459795=
69978128gmail-m_-4844266541294802224gmail_msg"><div class=3D"m_-51397403920=
90228391gmail-m_1376985840989271562m_1603289033073655025m_-5872495967044311=
210gmail-m_9045969488578760714gmail-m_-1144345979569978128gmail-m_-48442665=
41294802224gmail_msg">With Regards,</div><div class=3D"m_-51397403920902283=
91gmail-m_1376985840989271562m_1603289033073655025m_-5872495967044311210gma=
il-m_9045969488578760714gmail-m_-1144345979569978128gmail-m_-48442665412948=
02224gmail_msg"><br class=3D"m_-5139740392090228391gmail-m_1376985840989271=
562m_1603289033073655025m_-5872495967044311210gmail-m_9045969488578760714gm=
ail-m_-1144345979569978128gmail-m_-4844266541294802224gmail_msg"></div>Dars=
hana Gunawardana,<br class=3D"m_-5139740392090228391gmail-m_137698584098927=
1562m_1603289033073655025m_-5872495967044311210gmail-m_9045969488578760714g=
mail-m_-1144345979569978128gmail-m_-4844266541294802224gmail_msg">Alumni : =
Dept. of Computer Science &amp; Engineering,<br class=3D"m_-513974039209022=
8391gmail-m_1376985840989271562m_1603289033073655025m_-5872495967044311210g=
mail-m_9045969488578760714gmail-m_-1144345979569978128gmail-m_-484426654129=
4802224gmail_msg">University of Moratuwa,<br class=3D"m_-513974039209022839=
1gmail-m_1376985840989271562m_1603289033073655025m_-5872495967044311210gmai=
l-m_9045969488578760714gmail-m_-1144345979569978128gmail-m_-484426654129480=
2224gmail_msg">Sri Lanka</div></div></div></div></div></div>_______________=
_______________<wbr>_________________<br class=3D"m_-5139740392090228391gma=
il-m_1376985840989271562m_1603289033073655025m_-5872495967044311210gmail-m_=
9045969488578760714gmail-m_-1144345979569978128gmail-m_-4844266541294802224=
gmail_msg">scim mailing list<br class=3D"m_-5139740392090228391gmail-m_1376=
985840989271562m_1603289033073655025m_-5872495967044311210gmail-m_904596948=
8578760714gmail-m_-1144345979569978128gmail-m_-4844266541294802224gmail_msg=
"><a href=3D"mailto:scim@ietf.org" class=3D"m_-5139740392090228391gmail-m_1=
376985840989271562m_1603289033073655025m_-5872495967044311210gmail-m_904596=
9488578760714gmail-m_-1144345979569978128gmail-m_-4844266541294802224gmail_=
msg" target=3D"_blank">scim@ietf.org</a><br class=3D"m_-5139740392090228391=
gmail-m_1376985840989271562m_1603289033073655025m_-5872495967044311210gmail=
-m_9045969488578760714gmail-m_-1144345979569978128gmail-m_-4844266541294802=
224gmail_msg"><a href=3D"https://www.ietf.org/mailman/listinfo/scim" rel=3D=
"noreferrer" class=3D"m_-5139740392090228391gmail-m_1376985840989271562m_16=
03289033073655025m_-5872495967044311210gmail-m_9045969488578760714gmail-m_-=
1144345979569978128gmail-m_-4844266541294802224gmail_msg" target=3D"_blank"=
>https://www.ietf.org/mailman/l<wbr>istinfo/scim</a><br class=3D"m_-5139740=
392090228391gmail-m_1376985840989271562m_1603289033073655025m_-587249596704=
4311210gmail-m_9045969488578760714gmail-m_-1144345979569978128gmail-m_-4844=
266541294802224gmail_msg"></blockquote></div></div></blockquote></div><br><=
br clear=3D"all"><div><br></div>--<span class=3D"m_-5139740392090228391gmai=
l-m_1376985840989271562m_1603289033073655025m_-5872495967044311210gmail-m_9=
045969488578760714gmail-m_-1144345979569978128Apple-converted-space">=C2=A0=
</span><br><div class=3D"m_-5139740392090228391gmail-m_1376985840989271562m=
_1603289033073655025m_-5872495967044311210gmail-m_9045969488578760714gmail-=
m_-1144345979569978128gmail_signature"><div dir=3D"ltr"><div>With Regards,<=
/div><div><br></div>Darshana Gunawardana,<br>Alumni : Dept. of Computer Sci=
ence &amp; Engineering,<br>University of Moratuwa,<br>Sri Lanka</div></div>=
</div></div><span style=3D"font-family:helvetica;font-size:12px;font-style:=
normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;te=
xt-align:start;text-indent:0px;text-transform:none;white-space:normal;word-=
spacing:0px;float:none;display:inline">______________________________<wbr>_=
________________</span><br style=3D"font-family:helvetica;font-size:12px;fo=
nt-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:=
normal;text-align:start;text-indent:0px;text-transform:none;white-space:nor=
mal;word-spacing:0px"><span style=3D"font-family:helvetica;font-size:12px;f=
ont-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing=
:normal;text-align:start;text-indent:0px;text-transform:none;white-space:no=
rmal;word-spacing:0px;float:none;display:inline">scim mailing list</span><b=
r style=3D"font-family:helvetica;font-size:12px;font-style:normal;font-vari=
ant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;t=
ext-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a =
href=3D"mailto:scim@ietf.org" style=3D"font-family:helvetica;font-size:12px=
;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spaci=
ng:normal;text-align:start;text-indent:0px;text-transform:none;white-space:=
normal;word-spacing:0px" target=3D"_blank">scim@ietf.org</a><br style=3D"fo=
nt-family:helvetica;font-size:12px;font-style:normal;font-variant-caps:norm=
al;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0p=
x;text-transform:none;white-space:normal;word-spacing:0px"><a href=3D"https=
://www.ietf.org/mailman/listinfo/scim" style=3D"font-family:helvetica;font-=
size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;let=
ter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;whi=
te-space:normal;word-spacing:0px" target=3D"_blank">https://www.ietf.org/ma=
ilman/l<wbr>istinfo/scim</a></div></blockquote></div><br></div></div></div>=
</div></blockquote></div></div></div><div><div class=3D"m_-5139740392090228=
391gmail-m_1376985840989271562m_1603289033073655025h5"><br><br clear=3D"all=
"><div><br></div>-- <br><div class=3D"m_-5139740392090228391gmail-m_1376985=
840989271562m_1603289033073655025m_-5872495967044311210gmail-m_904596948857=
8760714gmail_signature"><div dir=3D"ltr"><div>With Regards,</div><div><br><=
/div>Darshana Gunawardana,<br>Alumni : Dept. of Computer Science &amp; Engi=
neering,<br>University of Moratuwa,<br>Sri Lanka</div></div>
</div></div></div></div>
</blockquote></div><br><br clear=3D"all"><div><br></div>-- <br><div class=
=3D"m_-5139740392090228391gmail-m_1376985840989271562m_1603289033073655025g=
mail_signature"><div dir=3D"ltr"><div>With Regards,</div><div><br></div>Dar=
shana Gunawardana,<br>Alumni : Dept. of Computer Science &amp; Engineering,=
<br>University of Moratuwa,<br>Sri Lanka</div></div>
</div></div></div></div>
</blockquote></div><br></div>

--089e0826dfdc93156f055a5032b6--

