**Session Date/Time:** 29 Jul 2022 16:30 # scim ## Summary The SCIM working group session at IETF 114 covered updates on the recently adopted SCIM Events draft and a new Use Cases document. A significant portion of the session was dedicated to reviewing existing drafts (cursor-based pagination, multi-valued attribute pagination, soft deletion, roles/entitlements) and introducing new topics (change detection, HR schema, account status context, reference URL improvements, security profile). A primary technical discussion revolved around different approaches to data synchronization and change notification, specifically comparing event-based mechanisms (SCIM Events) with polling-based methods (cursor-based pagination and delta queries), and the need for the working group to align on these strategies. ## Key Discussion Points * **SCIM Use Cases Document Update**: * A new Use Cases document in HackMD format was presented. * It defines terminology not found in RFCs 7643/7644 (e.g., SCIM Service Provider, SCIM Client, SCIM Schema, SCIM Protocol), industry definitions, concepts (units of work), and business scenarios (end-to-end activities). * The document will be published to the data tracker soon for review and feedback on the mailing list. * **Editor's Role for SCIM Schemas and Protocols**: * Danny Zolner and Janelle are volunteering as editors for updates and additions to SCIM schemas and protocols. * **Existing Drafts (Discussion for Adoption/Feedback)**: * **Cursor-Based Pagination (Draft)**: * Matt Peterson's expired draft was discussed, proposing `cursor`, `count`, `nextCursor`, `previousCursor` parameters. * **Use Case**: Traversing very large result sets (millions of entries) for massive scale operations. * Comparison with SCIM Events approach was noted, to be discussed further. * **Multi-Valued Attribute Pagination and Filtering (Draft)**: * Phil Hunt's draft extends complex multi-value attribute sub-attribute filtering to the `attributes` parameter, allowing paging of attribute values (e.g., members of a large group) rather than resources. * **Complexity**: Determining total number of rows. * Alternative proposal by Matt Peterson: Represent group memberships as new top-level resources (`/groupMemberships`, `/userGroups`) to leverage existing resource pagination logic. * **Soft Deletion (Draft)**: * Discussed Morteza Cortez's expired draft, introducing an `isSoftDeleted` attribute and query parameter. * **Problem**: Current SCIM protocol (RFC 7644) dictates a 404 for deleted resources. This draft aims to override that behavior to query soft-deleted resources. * **Concerns**: Security implications (trolling old links, access control for soft-deleted data), need for clear distinction and definition of "soft delete" vs. "hard delete," and server capability. * **Use Case**: User lifecycle management, allowing resurrection of users while maintaining resource identifiers. * **Roles and Entitlements (Draft)**: * Danny Zolner's draft (v02 recently published) adds `/roles` and `/entitlements` resource types. * **Purpose**: Enable SCIM clients to discover available role/entitlement values, especially in multi-tenanted SaaS applications where these values are customizable. * **Features (v02)**: Support for hierarchy of roles/entitlements and numerical availability (e.g., licensed seats). * **New Topics (No Drafts Yet)**: * **Change Detection / Delta Query**: * **Use Case**: Accurate tracking of data changes for large-scale data manipulation, particularly in pull-based scenarios (e.g., HR providers). * **Limitations of `meta.lastModified`**: Time drift in distributed systems. * **Proposal**: `deltaToken` parameter for `GET` requests (e.g., `GET /users?deltaToken=...`). * **Industry Precedent**: Other REST APIs use delta query mechanisms. * **Human Resources Schema**: * **Goal**: A unified, generic HR schema for SCIM to standardize data labeling across HR providers. * **Need**: Significant involvement from HR system implementers to ensure accuracy and utility. * **Account Status Context**: * **Proposal**: Expand the `active` boolean attribute with a complex `accountStatus` attribute to represent granular user states (e.g., pre-hire, on leave (paid/unpaid), terminated). * **Alignment**: Desire to align with states from the Shared Signals community. * **Reference URLs Improvement**: * **Problem**: Inadequate specification for handling `Reference` data types, especially for URLs (e.g., `photos` attribute). * **Concerns**: Hotlinking performance/cost, security of URLs (ensuring only authorized SCIM Service Providers can access). * **Current Spec**: Silent on security/post-provisioning behavior, leaving it to implementers, leading to inconsistent or insecure practices. * **Potential Solutions**: Embedded data (data URIs), trusted proxies, or clearer security considerations. * **Security Profile**: * **Goal**: Tighten SCIM security aspects, updating for post-2015 internet landscape. * **Proposals**: Strongly discourage basic authentication, re-evaluate or strongly advise against the `password` attribute on the user resource. * **Current Spec**: Already advises against basic auth ("should be avoided"). * **Debate**: Removal of `password` attribute is complex, as some use cases (e.g., acting as a directory for OpenID providers) exist. Broader discussion on credential schema and MFA. * **Coordination Use Cases: Paging vs. Events (Core Debate)**: * **Phil Hunt's Presentation (Events Perspective)**: * **Overall Scenario**: Independent administrative domains with lifecycle relationships (e.g., employee termination) requiring coordination. * **Cursor Paging**: Periodically polling for logical copies of entire database for reconciliation. * **Concerns**: High raw cost for billions of users, high data exposure, potential server thrashing/memory issues for service providers with many tenants. Max results should limit total, not page, results. * **Event-Based System (SCIM Events)**: Server issues security event tokens (JOTs) in real-time through a message bus or SET Transfer Protocol. * **Benefits**: Near real-time change notices, minimal information sharing (notice of ID change, client fetches if needed), support for async signaling (bulk completion), security events (risk signals). * **Design**: Receiver decides what action to take; publisher's responsibility for event persistence is limited post-acknowledgment. * **Additional Use Cases for Events**: Bootstrap/Recovery (cross-domain), Internal Domain Replication (all information), Bi-directional Event Coordination (moving away from master/slave), Risk Sharing Events (password reset, suspicious activity). * **Danny Zolner's Response (Pagination Perspective)**: * **Pagination Benefit**: For a limited period, a cursor can be replayed if a receiver has infrastructure problems (VM failure, etc.), aiding recovery. * **Infrastructure Simplicity**: Cursor-based pagination is simpler to implement for a SCIM Service Provider than setting up a full shared signals processing infrastructure. * **Native Support**: Many identity databases natively support cursor-based pagination. * **Combined Approach**: Cursor-based pagination *with* a delta query mechanism (similar to LDAP changelog but without its security pitfalls) for large-scale changes. * **Events Use Case (Narrower)**: High-priority, urgent communications (e.g., immediate termination notice from HR) where polling is too slow. * **Community Input (Ling and others)**: * Many believe **both** cursor-based pagination and events have unique use cases and are needed. Event publishing should be the primary mechanism for efficient data sync, but pagination serves other needs. * **Implementation Pattern**: Implementers often start with search/cursor-based pagination due to immediate use cases, and later add event channels for real-time needs or scalability issues. * **Overhead**: Question posed to implementers/deployers if they are willing to absorb the overhead of supporting both mechanisms. * **Fallback**: Full export/import is sometimes still necessary to resolve complex data stream issues. * **Phil's Counterpoints**: * HTTP E-tags (RFC 7232) and `meta.lastModified` attribute (with some temporal padding) already offer existing mechanisms for change detection at a resource or collection level, respectively, without new specs. * Concern that if paging is offered, event signaling will be neglected, leading to interoperability issues as half the community adopts one, half the other. ## Decisions and Action Items * **SCIM Events Draft Adoption**: The working group has adopted the SCIM Events draft. Nancy and Mike have volunteered as co-authors; others are welcome. * **Use Cases Document**: * To be published to the data tracker soon. * Solicit review and feedback on the mailing list. * **Existing Drafts (Pagination, Multi-value Pagination, Soft Delete, Roles/Entitlements)**: Authors are encouraged to post to the mailing list and solicit feedback/comments from the community to gauge interest for adoption calls. Chairs will look for at least three non-author individuals to provide constructive feedback. * **Pagination vs. Events Comparison Chart**: Phil Hunt, Danny Zolner, and Matt Peterson (if available) are encouraged to update the comparison chart to include all options and their respective pros/cons, to facilitate further discussion. * **Mailing List Discussion**: A question will be formally posed to the mailing list: Are implementers and deployers willing to absorb the overhead of supporting both cursor-based pagination and event-based notification mechanisms, given their respective use cases and the desire for interoperability? ## Next Steps * The Chairs will update the working group milestones, potentially stretching out the timeline for the Use Cases document if it remains a living document. * The Chairs will discuss whether the future SCIM protocol and schema extensions will be one or several drafts. * An interim meeting will be scheduled, likely in September, with a Doodle poll to determine the date. * The working group looks forward to IETF 115 in London.