draft-ietf-scim-api-05.txt   draft-ietf-scim-api-06.txt 
Network Working Group P. Hunt, Ed. Network Working Group P. Hunt, Ed.
Internet-Draft Oracle Internet-Draft Oracle
Intended status: Standards Track K. Grizzle Intended status: Standards Track K. Grizzle
Expires: November 14, 2014 SailPoint Expires: December 25, 2014 SailPoint
M. Ansari M. Ansari
Cisco Cisco
E. Wahlstroem E. Wahlstroem
Technology Nexus Technology Nexus
C. Mortimore C. Mortimore
Salesforce Salesforce
May 13, 2014 June 23, 2014
System for Cross-Domain Identity Management:Protocol System for Cross-Domain Identity Management:Protocol
draft-ietf-scim-api-05 draft-ietf-scim-api-06
Abstract Abstract
The System for Cross-Domain Identity Management (SCIM) specification The System for Cross-Domain Identity Management (SCIM) specification
is designed to make managing user identity in cloud based is designed to make managing user identity in cloud based
applications and services easier. The specification suite seeks to applications and services easier. The specification suite seeks to
build upon experience with existing schemas and deployments, placing build upon experience with existing schemas and deployments, placing
specific emphasis on simplicity of development and integration, while specific emphasis on simplicity of development and integration, while
applying existing authentication, authorization, and privacy models. applying existing authentication, authorization, and privacy models.
It's intent is to reduce the cost and complexity of user management It's intent is to reduce the cost and complexity of user management
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 14, 2014. This Internet-Draft will expire on December 25, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 29 skipping to change at page 2, line 29
Table of Contents Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 3
1.1. Intended Audience . . . . . . . . . . . . . . . . . . . . 3 1.1. Intended Audience . . . . . . . . . . . . . . . . . . . . 3
1.2. Notational Conventions . . . . . . . . . . . . . . . . . 3 1.2. Notational Conventions . . . . . . . . . . . . . . . . . 3
1.3. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 1.3. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3
2. Authentication and Authorization . . . . . . . . . . . . . . 4 2. Authentication and Authorization . . . . . . . . . . . . . . 4
3. API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Creating Resources . . . . . . . . . . . . . . . . . . . 7 3.1. Creating Resources . . . . . . . . . . . . . . . . . . . 7
3.1.1. Resource Types . . . . . . . . . . . . . . . . . . . 8 3.1.1. Resource Types . . . . . . . . . . . . . . . . . . . 9
3.2. Retrieving Resources . . . . . . . . . . . . . . . . . . 8 3.2. Retrieving Resources . . . . . . . . . . . . . . . . . . 9
3.2.1. Retrieving a known Resource . . . . . . . . . . . . . 8 3.2.1. Retrieving a known Resource . . . . . . . . . . . . . 9
3.2.2. List/Query Resources . . . . . . . . . . . . . . . . 10 3.2.2. List/Query Resources . . . . . . . . . . . . . . . . 10
3.2.3. Querying Resources Using HTTP POST . . . . . . . . . 20 3.2.3. Querying Resources Using HTTP POST . . . . . . . . . 20
3.3. Modifying Resources . . . . . . . . . . . . . . . . . . . 22 3.3. Modifying Resources . . . . . . . . . . . . . . . . . . . 22
3.3.1. Modifying with PUT . . . . . . . . . . . . . . . . . 23 3.3.1. Replacing with PUT . . . . . . . . . . . . . . . . . 23
3.3.2. Modifying with PATCH . . . . . . . . . . . . . . . . 25 3.3.2. Modifying with PATCH . . . . . . . . . . . . . . . . 25
3.4. Deleting Resources . . . . . . . . . . . . . . . . . . . 34 3.4. Deleting Resources . . . . . . . . . . . . . . . . . . . 35
3.5. Bulk . . . . . . . . . . . . . . . . . . . . . . . . . . 35 3.5. Bulk . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.6. Data Input/Output Formats . . . . . . . . . . . . . . . . 50 3.6. Data Input/Output Formats . . . . . . . . . . . . . . . . 50
3.7. Additional Operation Response Parameters . . . . . . . . 51 3.7. Additional Operation Response Parameters . . . . . . . . 51
3.8. Attribute Notation . . . . . . . . . . . . . . . . . . . 52 3.8. Attribute Notation . . . . . . . . . . . . . . . . . . . 52
3.9. "/Me" Authenticated Subject Alias . . . . . . . . . . . . 53 3.9. "/Me" Authenticated Subject Alias . . . . . . . . . . . . 53
3.10. HTTP Response Codes . . . . . . . . . . . . . . . . . . . 53 3.10. HTTP Response Codes . . . . . . . . . . . . . . . . . . . 53
3.11. API Versioning . . . . . . . . . . . . . . . . . . . . . 55 3.11. API Versioning . . . . . . . . . . . . . . . . . . . . . 55
3.12. Versioning Resources . . . . . . . . . . . . . . . . . . 55 3.12. Versioning Resources . . . . . . . . . . . . . . . . . . 55
4. Multi-Tenancy . . . . . . . . . . . . . . . . . . . . . . . . 57 4. Preparation and Comparison of Internationalized Strings . . . 57
4.1. Associating Clients to Tenants . . . . . . . . . . . . . 58 5. Multi-Tenancy . . . . . . . . . . . . . . . . . . . . . . . . 57
4.2. SCIM Identifiers with Multiple Tenants . . . . . . . . . 58 5.1. Associating Clients to Tenants . . . . . . . . . . . . . 58
5. Security Considerations . . . . . . . . . . . . . . . . . . . 59 5.2. SCIM Identifiers with Multiple Tenants . . . . . . . . . 59
5.1. TLS Support . . . . . . . . . . . . . . . . . . . . . . . 59 6. Security Considerations . . . . . . . . . . . . . . . . . . . 59
5.2. Querying Using HTTP GET . . . . . . . . . . . . . . . . . 59 6.1. TLS Support . . . . . . . . . . . . . . . . . . . . . . . 59
5.3. Universal Identifiers . . . . . . . . . . . . . . . . . . 60 6.2. Request URI Information Leakage . . . . . . . . . . . . . 59
6.3. Case Insensitive Comparision & International Languages . 60
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 6.4. Universal Identifiers . . . . . . . . . . . . . . . . . . 60
6.1. Media Type Registration . . . . . . . . . . . . . . . . . 60 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 61 7.1. Media Type Registration . . . . . . . . . . . . . . . . . 60
7.1. Normative References . . . . . . . . . . . . . . . . . . 61 7.2. SCIM API Message Schema Registry . . . . . . . . . . . . 61
7.2. Informative References . . . . . . . . . . . . . . . . . 62 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 62
Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 62 8.1. Normative References . . . . . . . . . . . . . . . . . . 62
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 62 8.2. Informative References . . . . . . . . . . . . . . . . . 64
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 63 Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 64
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 64 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 64
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 64
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 66
1. Introduction and Overview 1. Introduction and Overview
The SCIM Protocol is an application-level, HTTP protocol for The SCIM Protocol is an application-level, HTTP protocol for
provisioning and managing identity data on the web. The protocol provisioning and managing identity data on the web. The protocol
supports creation, modification, retrieval, and discovery of core supports creation, modification, retrieval, and discovery of core
identity resources; i.e., Users and Groups, as well as custom identity resources; i.e., Users and Groups, as well as custom
resource extensions. resource extensions.
1.1. Intended Audience 1.1. Intended Audience
skipping to change at page 3, line 49 skipping to change at page 4, line 4
For purposes of readability examples are not URL encoded. For purposes of readability examples are not URL encoded.
Implementers MUST percent encode URLs as described in Section 2.1 Implementers MUST percent encode URLs as described in Section 2.1
[RFC3986]. [RFC3986].
1.3. Definitions 1.3. Definitions
Base URL: The SCIM HTTP API is always relative to a Base URL. The Base URL: The SCIM HTTP API is always relative to a Base URL. The
Base URL MUST NOT contain a query string as clients may append Base URL MUST NOT contain a query string as clients may append
additional path information and query parameters as part of additional path information and query parameters as part of
forming the request. Example: "https://example.com/scim/" forming the request. Example: "https://example.com/scim/"
For readability, all examples in this document are expressed For readability, all examples in this document are expressed
assuming the SCIM service root and the server root are the same. assuming the SCIM service root and the server root are the same.
It is expected that SCIM servers may be deployed using any URI It is expected that SCIM servers may be deployed using any URI
prefix. For example, a SCIM server might be have a prefix of prefix. For example, a SCIM server might be have a prefix of
"https://example.com/", or "https://example.com/scim/tenancypath/ "https://example.com/", or "https://example.com/scim/
". Additionally client may also apply a version number to the tenancypath/". Additionally client may also apply a version
server root prefix (see Section 3.11). number to the server root prefix (see Section 3.11 ).
2. Authentication and Authorization 2. Authentication and Authorization
The SCIM protocol does not define a scheme for authentication and The SCIM protocol does not define a scheme for authentication and
authorization therefore implementers are free to choose mechanisms authorization therefore implementers are free to choose mechanisms
appropriate to their use cases. The choice of authentication appropriate to their use cases. The choice of authentication
mechanism will impact interoperability. It is RECOMMENDED that mechanism will impact interoperability. It is RECOMMENDED that
clients be implemented in such a way that new authentication schemes clients be implemented in such a way that new authentication schemes
can be deployed. Implementers SHOULD support existing authentication can be deployed. Implementers SHOULD support existing
/authorization schemes. In particular, OAuth2[RFC6750] is authentication/authorization schemes. In particular, OAuth2
RECOMMENDED. Appropriate security considerations of the selected [RFC6750] is RECOMMENDED. Appropriate security considerations of the
authentication and authorization schemes SHOULD be taken. Because selected authentication and authorization schemes SHOULD be taken.
this protocol uses HTTP response status codes as the primary means of Because this protocol uses HTTP response status codes as the primary
reporting the result of a request, servers are advised to respond to means of reporting the result of a request, servers are advised to
unauthorized or unauthenticated requests using the 401 response code respond to unauthorized or unauthenticated requests using the 401
in accordance with section 10.4.2 of Section 10.4.2 [RFC2616]. response code in accordance with Section 3.1 of [RFC7235].
All examples assume OAuth2 bearer token [RFC6750]; e.g., All examples assume OAuth2 bearer token [RFC6750] ; e.g.,
GET /Users/2819c223-7f76-453a-919d-413861904646 HTTP/1.1 GET /Users/2819c223-7f76-453a-919d-413861904646 HTTP/1.1
Host: example.com Host: example.com
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
The context of the request (i.e. the user for whom data is being The context of the request (i.e. the user for whom data is being
requested) MUST be inferred by service providers. requested) MUST be inferred by service providers.
3. API 3. API
The SCIM protocol specifies well known endpoints and HTTP methods for The SCIM protocol specifies well known endpoints and HTTP methods for
managing resources defined in the core schema; i.e., "User" and managing resources defined in the core schema; i.e., "User" and
"Group" resources correspond to "/Users" and "/Groups" respectively. "Group" resources correspond to "/Users" and "/Groups" respectively.
Service providers that support extended resources SHOULD define Service providers that support extended resources SHOULD define
resource endpoints using the established convention; pluralize the resource endpoints using the established convention; pluralize the
resource name defined in the extended schema by appending an 's'. resource name defined in the extended schema by appending an 's'.
Given there are cases where resource pluralization is ambiguous; Given there are cases where resource pluralization is ambiguous;
e.g., a resource named "Person" is legitimately "Persons" and e.g., a resource named "Person" is legitimately "Persons" and
"People" clients SHOULD discover resource endpoints via the "/ "People" clients SHOULD discover resource endpoints via the
ResourceTypes" endpoint . "/ResourceTypes" endpoint.
GET Retrieves a complete or partial resource. GET Retrieves a complete or partial resource.
POST Create new resource, perform an extended Search, or bulk modify POST Create new resources, create a Search request, or bulk modify
resources. resources.
PUT Modifies a resource with a complete, client specified resource PUT Modifies a resource by replacing existing attributes with a
(replace). specified set of replacement attributes (replace). PUT SHOULD NOT
be used to create new resources.
PATCH Modifies a resource with a set of client specified changes PATCH Modifies a resource with a set of client specified changes
(partial update). (partial update).
DELETE Deletes a resource. DELETE Deletes a resource.
+------------+--------------------+---------------+-----------------+ +------------+--------------------+---------------+-----------------+
| Resource | Endpoint | Operations | Description | | Resource | Endpoint | Operations | Description |
+------------+--------------------+---------------+-----------------+ +------------+--------------------+---------------+-----------------+
| User | /Users | GET (Section | Retrieve/Add/Mo | | User | /Users | GET (Section | Retrieve/Add/Mo |
skipping to change at page 7, line 5 skipping to change at page 7, line 5
| | | | within a | | | | | within a |
| | | | resource | | | | | resource |
| | | | endpoint for | | | | | endpoint for |
| | | | one or more | | | | | one or more |
| | | | resource types | | | | | resource types |
| | | | using POST. | | | | | using POST. |
+------------+--------------------+---------------+-----------------+ +------------+--------------------+---------------+-----------------+
Table 1: Defined endpoints Table 1: Defined endpoints
All requests to the service provider are made via Section 9 [RFC2616] All requests to the service provider are made via HTTP Methods as per
on a URL derived from the Base URL. Responses are returned in the Section 4.3 [RFC7231] on a URL derived from the Base URL. Responses
body of the HTTP response, formatted as JSON. Response and error are returned in the body of the HTTP response, formatted as JSON.
codes SHOULD be transmitted via the HTTP status code of the response Response and error codes SHOULD be transmitted via the HTTP status
(if possible), and SHOULD also be specified in the body of the code of the response (if possible), and SHOULD also be specified in
response. the body of the response.
3.1. Creating Resources 3.1. Creating Resources
To create new resources, clients send POST requests to the resource To create new resources, clients send POST requests to the resource
endpoint; i.e., "/Users" or "/Groups". container endpoint such as: "/Users" or "/Groups".
Attributes whose mutability is "readOnly", that are included in the
request body SHALL be ignored.
Attributes whose mutability is "readWrite", that are omitted from the
request body, MAY be assumed to be not asserted by the client. The
service provider MAY assign a default value to non-asserted
attributes in the final resource representation. Service providers
MAY take into account whether a client has access to, or understands,
all of the resource's attributes when deciding whether non-asserted
attributes SHALL be defaulted. Clients that would like to override a
server defaults, MAY specify "null" for a single-valued attribute or
an empty array "[]" for a multi-valued attribute to clear all values.
Successful resource creation is indicated with a 201 ("Created") Successful resource creation is indicated with a 201 ("Created")
response code. Upon successful creation, the response body MUST response code. Upon successful creation, the response body MUST
contain the newly created resource. Since the server is free to contain the newly created resource. Since the server is free to
alter and/or ignore POSTed content, returning the full representation alter and/or ignore POSTed content, returning the full representation
can be useful to the client, enabling it to correlate the client and can be useful to the client, enabling it to correlate the client and
server views of the new resource. When a resource is created, its server views of the new resource. When a resource is created, its
URI must be returned in the response Location header. URI must be returned in the response Location header.
If the service provider determines creation of the requested resource If the service provider determines creation of the requested resource
skipping to change at page 7, line 32 skipping to change at page 8, line 4
server views of the new resource. When a resource is created, its server views of the new resource. When a resource is created, its
URI must be returned in the response Location header. URI must be returned in the response Location header.
If the service provider determines creation of the requested resource If the service provider determines creation of the requested resource
conflicts with existing resources; e.g., a "User" resource with a conflicts with existing resources; e.g., a "User" resource with a
duplicate "userName", the service provider MUST return a 409 error duplicate "userName", the service provider MUST return a 409 error
and SHOULD indicate the conflicting attribute(s) in the body of the and SHOULD indicate the conflicting attribute(s) in the body of the
response. response.
Below, the client sends a POST request containing a user Below, the client sends a POST request containing a user
POST /Users HTTP/1.1 POST /Users HTTP/1.1
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
Content-Length: ... Content-Length: ...
{ {
"schemas":["urn:scim:schemas:core:2.0:User"], "schemas":["urn:scim:schemas:core:2.0:User"],
"userName":"bjensen", "userName":"bjensen",
"externalId":"bjensen", "externalId":"bjensen",
"name":{ "name":{
"formatted":"Ms. Barbara J Jensen III", "formatted":"Ms. Barbara J Jensen III",
"familyName":"Jensen", "familyName":"Jensen",
skipping to change at page 8, line 4 skipping to change at page 8, line 21
{ {
"schemas":["urn:scim:schemas:core:2.0:User"], "schemas":["urn:scim:schemas:core:2.0:User"],
"userName":"bjensen", "userName":"bjensen",
"externalId":"bjensen", "externalId":"bjensen",
"name":{ "name":{
"formatted":"Ms. Barbara J Jensen III", "formatted":"Ms. Barbara J Jensen III",
"familyName":"Jensen", "familyName":"Jensen",
"givenName":"Barbara" "givenName":"Barbara"
} }
} }
The server signals a successful creation with a status code of 201. The server signals a successful creation with a status code of 201.
The response includes a Location header indicating the User URI, and The response includes a Location header indicating the User URI, and
a representation of that user in the body of the response. a representation of that user in the body of the response.
HTTP/1.1 201 Created HTTP/1.1 201 Created
Content-Type: application/json Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646 Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"e180ee84f0671b1" ETag: W/"e180ee84f0671b1"
{ {
"schemas":["urn:scim:schemas:core:2.0:User"], "schemas":["urn:scim:schemas:core:2.0:User"],
"id":"2819c223-7f76-453a-919d-413861904646", "id":"2819c223-7f76-453a-919d-413861904646",
"externalId":"bjensen", "externalId":"bjensen",
"meta":{ "meta":{
"resourceType":"User", "resourceType":"User",
"created":"2011-08-01T21:32:44.882Z", "created":"2011-08-01T21:32:44.882Z",
skipping to change at page 9, line 12 skipping to change at page 9, line 31
To retrieve a known resource, clients send GET requests to the To retrieve a known resource, clients send GET requests to the
resource endpoint; e.g., "/Users/{id}" or "/Groups/{id}". resource endpoint; e.g., "/Users/{id}" or "/Groups/{id}".
If the resource exists the server responds with a status code of 200 If the resource exists the server responds with a status code of 200
and includes the result in the body of the response. and includes the result in the body of the response.
The below example retrieves a single User via the "/Users" endpoint. The below example retrieves a single User via the "/Users" endpoint.
GET /Users/2819c223-7f76-453a-919d-413861904646 GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
The server responds with: The server responds with:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/scim+json
Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646 Location: https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"f250dd84f0671c3" ETag: W/"f250dd84f0671c3"
{ {
"schemas":["urn:scim:schemas:core:2.0:User"], "schemas":["urn:scim:schemas:core:2.0:User"],
"id":"2819c223-7f76-453a-919d-413861904646", "id":"2819c223-7f76-453a-919d-413861904646",
"externalId":"bjensen", "externalId":"bjensen",
"meta":{ "meta":{
"resourceType":"User", "resourceType":"User",
"created":"2011-08-01T18:29:49.793Z", "created":"2011-08-01T18:29:49.793Z",
skipping to change at page 10, line 14 skipping to change at page 10, line 51
3.2.2. List/Query Resources 3.2.2. List/Query Resources
SCIM defines a standard set of operations that can be used to filter, SCIM defines a standard set of operations that can be used to filter,
sort, and paginate response results. The operations are specified by sort, and paginate response results. The operations are specified by
adding query parameters to the resource's endpoint. Service adding query parameters to the resource's endpoint. Service
providers MAY support additional query parameters not specified here, providers MAY support additional query parameters not specified here,
and Providers SHOULD ignore any query parameters they don't and Providers SHOULD ignore any query parameters they don't
recognize. recognize.
List and query responses MUST be identified using the following URI: List and query responses MUST be identified using the following URI:
"urn:scim:schemas:core:2.0:ListResponse". The following attributes "urn:scim:api:messages:2.0:ListResponse". The following attributes
are defined for list and query responses: are defined for list and query responses:
totalResults The total number of results returned by the list or totalResults The total number of results returned by the list or
query operation. This may not be equal to the number of elements query operation. This may not be equal to the number of elements
in the resources attribute of the list response if pagination in the resources attribute of the list response if pagination
(Section 3.2.2.4) is requested. REQUIRED. (Section 3.2.2.4) is requested. REQUIRED.
Resources A multi-valued list of complex objects containing the Resources A multi-valued list of complex objects containing the
requested resources. This may be a subset of the full set of requested resources. This may be a subset of the full set of
resources if pagination (Section 3.2.2.4) is requested. REQUIRED. resources if pagination (Section 3.2.2.4) is requested. REQUIRED
if "totalResults" is non-zero.
startIndex The 1-based index of the first result in the current set startIndex The 1-based index of the first result in the current set
of list results. REQUIRED if pagination (Section 3.2.2.4) is of list results. REQUIRED if pagination (Section 3.2.2.4) is
requested. requested.
itemsPerPage The number of resources returned in a list response itemsPerPage The number of resources returned in a list response
page. REQUIRED if pagination (Section 3.2.2.4) is requested. page. REQUIRED if pagination (Section 3.2.2.4) is requested.
A query that does not return any matches SHALL return success with
"totalResults" set to a value of 0.
The query example below requests the userName for all Users: The query example below requests the userName for all Users:
GET /Users?attributes=userName GET /Users?attributes=userName
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
The following is an example response to the query above: The following is an example response to the query above:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/scim+json
{ {
"schemas":["urn:scim:schemas:core:2.0:ListResponse"], "schemas":["urn:scim:api:messages:2.0:ListResponse"],
"totalResults":2, "totalResults":2,
"Resources":[ "Resources":[
{ {
"userName":"bjensen" "userName":"bjensen"
}, },
{ {
"userName":"jsmith" "userName":"jsmith"
} }
] ]
} }
skipping to change at page 11, line 37 skipping to change at page 12, line 20
"/Users/{userid}" "/Users/{userid}"
"/Users" "/Users"
"/Groups" "/Groups"
A server MAY support searches against the server root (e.g. "/"). A A server MAY support searches against the server root (e.g. "/"). A
search against a server root indicates that ALL resources within the search against a server root indicates that ALL resources within the
server SHALL be included subject to filtering. A filter expression server SHALL be included subject to filtering. A filter expression
using "meta.resourceType" MAY be used to restrict results to one or using "meta.resourceType" MAY be used to restrict results to one or
more specific resource types (e.g. "User"). more specific resource types (e.g. "User" ).
When processing search operations across endpoints that include more When processing search operations across endpoints that include more
than one SCIM resource type (e.g. a search from the server root than one SCIM resource type (e.g. a search from the server root
endpoint), filters MUST be processed in the same fashion as outlined endpoint), filters MUST be processed in the same fashion as outlined
in Section 3.2.2.2. For filtered attributes that are not part of a in Section 3.2.2.2. For filtered attributes that are not part of a
particular resource type, the service provider SHALL treat the particular resource type, the service provider SHALL treat the
attribute as if there is no attribute value. For example, a presence attribute as if there is no attribute value. For example, a presence
or equality filter for an undefined attribute evaluates as FALSE. or equality filter for an undefined attribute evaluates as FALSE.
3.2.2.2. Filtering 3.2.2.2. Filtering
skipping to change at page 19, line 44 skipping to change at page 19, line 44
| | current set of search results; e.g., 1. | | | current set of search results; e.g., 1. |
+--------------+----------------------------------------------------+ +--------------+----------------------------------------------------+
Table 6: Pagination Response Elements Table 6: Pagination Response Elements
For example, to retrieve the first 10 Users set the startIndex to 1 For example, to retrieve the first 10 Users set the startIndex to 1
and the count to 10: and the count to 10:
GET /Users?startIndex=1&count=10 GET /Users?startIndex=1&count=10
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
The response to the query above returns metadata regarding paging The response to the query above returns metadata regarding paging
similar to the following example (actual resources removed for similar to the following example (actual resources removed for
brevity): brevity):
{ {
"totalResults":100, "totalResults":100,
"itemsPerPage":10, "itemsPerPage":10,
"startIndex":1, "startIndex":1,
"schemas":["urn:scim:schemas:core:2.0"], "schemas":["urn:scim:api:messages:2.0"],
"Resources":[{ "Resources":[{
... ...
}] }]
} }
Given the example above, to continue paging set the startIndex to 11 Given the example above, to continue paging set the startIndex to 11
and re-fetch; i.e., /Users?startIndex=11&count=10 and re-fetch; i.e., /Users?startIndex=11&count=10
3.2.3. Querying Resources Using HTTP POST 3.2.3. Querying Resources Using HTTP POST
skipping to change at page 20, line 35 skipping to change at page 20, line 35
The inclusion of '/.search' on the end of a valid SCIM endpoint SHALL The inclusion of '/.search' on the end of a valid SCIM endpoint SHALL
be used to indicate the HTTP POST verb is intended to be a query be used to indicate the HTTP POST verb is intended to be a query
operation. operation.
To create a new search result set, a SCIM client sends an HTTP POST To create a new search result set, a SCIM client sends an HTTP POST
request to the desired SCIM resource endpoint (ending in '/.search'). request to the desired SCIM resource endpoint (ending in '/.search').
The body of the POST request MAY include any of the parameters as The body of the POST request MAY include any of the parameters as
defined in Section 3.2.2. defined in Section 3.2.2.
Search requests MUST be identified using the following URI: Search requests MUST be identified using the following URI:
'urn:scim:schemas:core:2.0:SearchRequest'. The following attributes 'urn:scim:api:messages:2.0:SearchRequest'. The following attributes
are defined for search requests: are defined for search requests:
attributes A multi-valued list of strings indicating the names of attributes A multi-valued list of strings indicating the names of
resource attributes to return in the response overriding the set resource attributes to return in the response overriding the set
of attributes that would be returned by default. Attribute names of attributes that would be returned by default. Attribute names
MUST be in standard attribute notation (Section 3.8) form. See MUST be in standard attribute notation (Section 3.8) form. See
additional retrieval query parameters (Section 3.7). OPTIONAL. additional retrieval query parameters (Section 3.7). OPTIONAL.
excludedAttributes A multi-valued list of strings indicating the excludedAttributes A multi-valued list of strings indicating the
names of resource attributes to be removed from the default set of names of resource attributes to be removed from the default set of
skipping to change at page 21, line 32 skipping to change at page 21, line 32
results per page. See pagination (Section 3.2.2.4). OPTIONAL. results per page. See pagination (Section 3.2.2.4). OPTIONAL.
After receiving a HTTP POST request, a response is returned as After receiving a HTTP POST request, a response is returned as
specified in Section 3.2.2. specified in Section 3.2.2.
The following example shows an HTTP POST Search request with search The following example shows an HTTP POST Search request with search
parameters attributes, filter, and count included: parameters attributes, filter, and count included:
POST /.search POST /.search
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
Content-Length: ... Content-Length: ...
{ {
"schemas": ["urn:scim:schemas:core:2.0:SearchRequest"], "schemas": ["urn:scim:api:messages:2.0:SearchRequest"],
"attributes": ["displayName", "userName"], "attributes": ["displayName", "userName"],
"filter": "displayName sw \"smith\"", "filter": "displayName sw \"smith\"",
"startIndex": 1, "startIndex": 1,
"count": 10 "count": 10
} }
Figure 2: Example POST Search Request Figure 2: Example POST Search Request
A search response is shown with the first page of results. For A search response is shown with the first page of results. For
brevity reasons, only two matches are shown: one User and one Group. brevity reasons, only two matches are shown: one User and one Group.
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/scim+json
Location: https://example.com/.search Location: https://example.com/.search
{ {
"schemas": ["urn:scim:schemas:core:2.0:ListResponse"], "schemas": ["urn:scim:api:messages:2.0:ListResponse"],
"totalResults":100, "totalResults":100,
"itemsPerPage":10, "itemsPerPage":10,
"startIndex":1, "startIndex":1,
"Resources":[ "Resources":[
{ {
"meta":{ "meta":{
"location": "location":
"https://example.com/Users/2819c223-7f76-413861904646", "https://example.com/Users/2819c223-7f76-413861904646",
"resourceType":"User", "resourceType":"User",
"lastModified": ... "lastModified": ...
skipping to change at page 22, line 46 skipping to change at page 22, line 46
... ...
] ]
} }
Figure 3: Example POST Search Response Figure 3: Example POST Search Response
3.3. Modifying Resources 3.3. Modifying Resources
Resources can be modified in whole or in part via PUT or PATCH, Resources can be modified in whole or in part via PUT or PATCH,
respectively. Implementers MUST support PUT as specified in respectively. Implementers MUST support PUT as specified in
Section 9.6 [RFC2616] . Resources such as Groups may be very large Section 4.3 [RFC7231]. Resources such as Groups may be very large
hence implementers SHOULD support PATCH [RFC5789] to enable partial hence implementers SHOULD support PATCH [RFC5789] to enable partial
resource modifications. resource modifications.
3.3.1. Modifying with PUT 3.3.1. Replacing with PUT
PUT performs a full update. Clients MAY retrieve the entire resource HTTP PUT is used to perform a full update of a resource's attributes.
in advance, add the desired modifications and use HTTP PUT which will Clients that MAY have previously retrieved the entire resource in
overwrite all previously stored data. Since the PUT request performs advance and revised it, MAY replace the resource using an HTTP PUT.
a full update, clients MAY send attributes of the retrieved resource Because SCIM resource identifiers are typically assigned by the
and the service provider MUST process according to attribute service provider, HTTP PUT SHOULD NOT be used to create new
mutability as follows: resources.
As the operation intent is to replace all attributes, SCIM clients
MAY send all attributes regardless of each attribute's mutability.
The server will apply attribute by attribute replace according to the
following attribute mutability rules:
readWrite, writeOnly Any values provided SHALL replace the existing readWrite, writeOnly Any values provided SHALL replace the existing
attribute values. Omitting the attribute or specific values means attribute values.
the attribute or specific value SHALL be removed;
immutable If values are provided for elements already set in the immutable If value(s) are already set for the attribute, the input
attribute they MUST match existing data or an error is returned. value(s) MUST match or HTTP status 400 SHOULD be returned with
If the service provider has no existing values, a new value(s) MAY error code "mutability". If the service provider has no existing
be specified; and, values, the new value(s) SHALL be applied.
readOnly Any values provided (e.g. meta.resourceType) SHALL be readOnly Any values provided (e.g. meta.resourceType) SHALL be
ignored. ignored.
If an attribute is "required", the client MUST specify the attribute If an attribute is "required", clients MUST specify the attribute in
in the PUT request. the PUT request.
If a value provided for an immutable attribute with an existing value Attributes whose mutability is "readWrite", that are omitted from the
is NOT matched, the server SHALL respond with an HTTP response code request body, MAY be assumed to be not asserted by the client. The
of 400 and an appropriate human readable message indicating an service provider MAY assume any existing values are to be cleared or
attempt to change an immutable attribute. the service provider MAY assign a default value to the final resource
representation. Service providers MAY take into account whether a
client has access to, or understands, all of the resource's
attributes when deciding whether non-asserted attributes SHALL be
removed or defaulted. Clients that would like to override a server
defaults, MAY specify "null" for a single-valued attribute or an
empty array "[]" for a multi-valued attribute to clear all values.
Unless otherwise specified a successful PUT operation returns a 200 Unless otherwise specified a successful PUT operation returns a 200
OK response code and the entire resource within the response body, OK response code and the entire resource within the response body,
enabling the client to correlate the client's and Provider's views of enabling the client to correlate the client's and Provider's views of
the updated resource. Example: the updated resource. Example:
PUT /Users/2819c223-7f76-453a-919d-413861904646 PUT /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
If-Match: W/"a330bc54f0671c9" If-Match: W/"a330bc54f0671c9"
{ {
"schemas":["urn:scim:schemas:core:2.0:User"], "schemas":["urn:scim:api:messages:2.0:User"],
"id":"2819c223-7f76-453a-919d-413861904646", "id":"2819c223-7f76-453a-919d-413861904646",
"userName":"bjensen", "userName":"bjensen",
"externalId":"bjensen", "externalId":"bjensen",
"name":{ "name":{
"formatted":"Ms. Barbara J Jensen III", "formatted":"Ms. Barbara J Jensen III",
"familyName":"Jensen", "familyName":"Jensen",
"givenName":"Barbara", "givenName":"Barbara",
"middleName":"Jane" "middleName":"Jane"
}, },
"roles":[],
"emails":[ "emails":[
{ {
"value":"bjensen@example.com" "value":"bjensen@example.com"
}, },
{ {
"value":"babs@jensen.org" "value":"babs@jensen.org"
} }
] ]
} }
The service responds with the entire, updated User: The service responds with the entire, updated User:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/scim+json
ETag: W/"b431af54f0671a2" ETag: W/"b431af54f0671a2"
Location:"https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646" Location:"https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
{ {
"schemas":["urn:scim:schemas:core:2.0:User"], "schemas":["urn:scim:api:messages:2.0:User"],
"id":"2819c223-7f76-453a-919d-413861904646", "id":"2819c223-7f76-453a-919d-413861904646",
"userName":"bjensen", "userName":"bjensen",
"externalId":"bjensen", "externalId":"bjensen",
"name":{ "name":{
"formatted":"Ms. Barbara J Jensen III", "formatted":"Ms. Barbara J Jensen III",
"familyName":"Jensen", "familyName":"Jensen",
"givenName":"Barbara", "givenName":"Barbara",
"middleName":"Jane" "middleName":"Jane"
}, },
"emails":[ "emails":[
skipping to change at page 26, line 4 skipping to change at page 26, line 4
update one or more attributes of a SCIM resource using a sequence of update one or more attributes of a SCIM resource using a sequence of
operations to "add", "remove", or "replace" values. The general form operations to "add", "remove", or "replace" values. The general form
of the SCIM patch request is based on JavaScript Object Notation of the SCIM patch request is based on JavaScript Object Notation
(JSON) Patch [RFC6902]. One difference between SCIM patch and JSON (JSON) Patch [RFC6902]. One difference between SCIM patch and JSON
patch is that SCIM servers do not support array indexing and may not patch is that SCIM servers do not support array indexing and may not
support all [RFC6902] operation types. support all [RFC6902] operation types.
The body of an HTTP PATCH request MUST contain one or more patch The body of an HTTP PATCH request MUST contain one or more patch
operation objects. A patch operation object MUST have exactly one operation objects. A patch operation object MUST have exactly one
"op" member, whose value indicates the operation to perform and MAY "op" member, whose value indicates the operation to perform and MAY
be one of "add", "remove", or "replace" . The semantics of each be one of "add", "remove", or "replace". The semantics of each
operation are defined below. operation are defined below.
Each operation object MUST contain the following "schemas" URI:
"urn:scim:api:messages:2.0:PatchOp"
Operation objects MUST have exactly one "path" member which is a Operation objects MUST have exactly one "path" member which is a
"String" containing an attribute path as specified by the following "String" containing an attribute path as specified by the following
ABNF syntax rule: ABNF syntax rule:
PATH = attrPath / valuePath [subAttr] PATH = attrPath / valuePath [subAttr]
Figure 4: SCIM Patch PATH Rule Figure 4: SCIM Patch PATH Rule
The rules, "attrPath", "valuePath", and "subAttr" are defined in The rules, "attrPath", "valuePath", and "subAttr" are defined in
Section 3.2.2.2. The "valuePath" rule allows specific values of a Section 3.2.2.2. The "valuePath" rule allows specific values of a
skipping to change at page 26, line 36 skipping to change at page 26, line 39
"path":"members[value eq "path":"members[value eq
\"2819c223-7f76-453a-919d-413861904646\"]" \"2819c223-7f76-453a-919d-413861904646\"]"
"path":"members[value eq "path":"members[value eq
\"2819c223-7f76-453a-919d-413861904646\"].displayName" \"2819c223-7f76-453a-919d-413861904646\"].displayName"
Each operation against an attribute MUST be compatible with the Each operation against an attribute MUST be compatible with the
attribute's mutability and schema as defined in the Attribute Types attribute's mutability and schema as defined in the Attribute Types
Section of [I-D.ietf-scim-core-schema]. For example, a client MAY Section of [I-D.ietf-scim-core-schema]. For example, a client MAY
NOT modify an attribute that has mutability "readOnly"or "immutable". NOT modify an attribute that has mutability "readOnly" or
However, a client MAY "add" a value to an"immutable" attribute if the "immutable". However, a client MAY "add" a value to an "immutable"
attribute had no previous value. An operation that is not attribute if the attribute had no previous value. An operation that
compatibile with an attribute's mutability or schema SHALL return an is not compatibile with an attribute's mutability or schema SHALL
error as indicated below. return an error as indicated below.
Each patch operation represents a single action to be applied to the Each patch operation represents a single action to be applied to the
same SCIM resource specified by the request URI. Operations are same SCIM resource specified by the request URI. Operations are
applied sequentially in the order they appear in the array. Each applied sequentially in the order they appear in the array. Each
operation in the sequence is applied to the target resource; the operation in the sequence is applied to the target resource; the
resulting resource becomes the target of the next operation. resulting resource becomes the target of the next operation.
Evaluation continues until all operations are successfully applied or Evaluation continues until all operations are successfully applied or
until an error condition is encountered. until an error condition is encountered.
A patch request, regardless of the number of operations, SHALL be A patch request, regardless of the number of operations, SHALL be
skipping to change at page 27, line 36 skipping to change at page 27, line 39
operation could be performed. operation could be performed.
invalid_value invalid_value
The operation "value" was missing or was not compatable with the The operation "value" was missing or was not compatable with the
targeted attribute's type targeted attribute's type
The following is a non-normative example of an error response to a The following is a non-normative example of an error response to a
patch request. patch request.
HTTP/1.1 400 Bad Request HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8 Content-Type: application/scim+json;charset=UTF-8
Cache-Control: no-store Cache-Control: no-store
Pragma: no-cache Pragma: no-cache
{ {
"schemas": ["urn:scim:schemas:core:2.0:Error"], "schemas": ["urn:scim:api:messages:2.0:Error"],
"Errors":[ "Errors":[
{ {
"error":"mutability", "error":"mutability",
"error_description":"Attribute 'id' is readOnly." "error_description":"Attribute 'id' is readOnly."
} }
] ]
} }
On successful completion, the server MUST return either a 200 OK On successful completion, the server MUST return either a 200 OK
response code and the entire resource (subject to the "attributes" response code and the entire resource (subject to the "attributes"
query parameter - see Additional Retrieval Query Parameters query parameter - see Additional Retrieval Query Parameters
(Section 3.7)) within the response body, or a 204 No Content response (Section 3.7) ) within the response body, or a 204 No Content
code and the appropriate response headers for a successful patch response code and the appropriate response headers for a successful
request. The server MUST return a 200 OK if the "attributes" patch request. The server MUST return a 200 OK if the "attributes"
parameter is specified on the request. parameter is specified on the request.
3.3.2.1. Add Operation 3.3.2.1. Add Operation
The "add" operation performs one of the following functions, The "add" operation performs one of the following functions,
depending upon what the target location indicated by "path" depending upon what the target location indicated by "path"
references: references:
o If the target location does not exist, the attribute and value is o If the target location does not exist, the attribute and value is
added. added.
skipping to change at page 29, line 10 skipping to change at page 29, line 10
The operation MUST contain a "value" member whose content specifies The operation MUST contain a "value" member whose content specifies
the value to be added. The value MAY be a quoted value OR it may be the value to be added. The value MAY be a quoted value OR it may be
a JSON object containing the sub-attributes of the complex attribute a JSON object containing the sub-attributes of the complex attribute
specified in the operation's "path". specified in the operation's "path".
The following example shows how to add a member to a group. Some The following example shows how to add a member to a group. Some
text removed for readability ("..."): text removed for readability ("..."):
PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
If-Match: W/"a330bc54f0671c9" If-Match: W/"a330bc54f0671c9"
{ {
"schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"add", "op":"add",
"path":"members", "path":"members",
"value":[ "value":[
{ {
"display": "Babs Jensen", "display": "Babs Jensen",
"$ref": "https://example.com/v2/Users/2819c223...413861904646", "$ref": "https://example.com/v2/Users/2819c223...413861904646",
"value": "2819c223-7f76-453a-919d-413861904646" "value": "2819c223-7f76-453a-919d-413861904646"
} }
] ]
} }
skipping to change at page 29, line 42 skipping to change at page 29, line 43
HTTP/1.1 204 No Content HTTP/1.1 204 No Content
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
ETag: W/"b431af54f0671a2" ETag: W/"b431af54f0671a2"
Location: "https://example.com/Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce" Location: "https://example.com/Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce"
3.3.2.2. Remove Operation 3.3.2.2. Remove Operation
The "remove" operation removes the value at the target location The "remove" operation removes the value at the target location
specified by the "path". The operation performs the following specified by the "path". The operation performs the following
functions depending on the target location specified by "path": functions depending on the target location specified by "path" :
o If the target location is a single-value attribute, the attribute o If the target location is a single-value attribute, the attribute
and its associated value is removed. and its associated value is removed.
o If the target location is a multi-valued attribute and no filter o If the target location is a multi-valued attribute and no filter
is specified, the attribute and all values are removed. is specified, the attribute and all values are removed.
o If the target location is a multi-valued attribute and a complex o If the target location is a multi-valued attribute and a complex
filter is specified comparing a "value", the values matched by the filter is specified comparing a "value", the values matched by the
filter are removed. filter are removed.
skipping to change at page 30, line 22 skipping to change at page 30, line 26
to the resource and a success response should be returned. to the resource and a success response should be returned.
Note that server responses have been omitted for the rest of the Note that server responses have been omitted for the rest of the
PATCH examples. PATCH examples.
Remove a single member from a group. Some text removed for Remove a single member from a group. Some text removed for
readability ("..."): readability ("..."):
PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
If-Match: W/"a330bc54f0671c9" If-Match: W/"a330bc54f0671c9"
{ {
"schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"remove", "op":"remove",
"path":"members[value eq \"2819c223-7f76-...413861904646\"]" "path":"members[value eq \"2819c223-7f76-...413861904646\"]"
} }
Remove all members of a group: Remove all members of a group:
PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
If-Match: W/"a330bc54f0671c9" If-Match: W/"a330bc54f0671c9"
{ "op":"remove","path":"members"} { "schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"remove","path":"members"}
Removal of a value from a complex-multi-valued attribute (request Removal of a value from a complex-multi-valued attribute (request
headers removed for brevity): headers removed for brevity):
{ {
"schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"remove", "op":"remove",
"path":"emails[type eq \"work\" and value ew \"example.com\"]" "path":"emails[type eq \"work\" and value ew \"example.com\"]"
} }
Example request to remove and add a member. Some text removed for Example request to remove and add a member. Some text removed for
readability ("..."): readability ("..."):
PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
If-Match: W/"a330bc54f0671c9" If-Match: W/"a330bc54f0671c9"
[ [
{ {
"schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"remove", "op":"remove",
"path":"members[value eq\"2819c223...919d-413861904646\"]" "path":"members[value eq\"2819c223...919d-413861904646\"]"
}, },
{ {
"schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"add", "op":"add",
"path":"members", "path":"members",
"value": [ "value": [
{ {
"display": "James Smith", "display": "James Smith",
"$ref": "https://example.com/v2/Users/08e1d05d...473d93df9210", "$ref": "https://example.com/v2/Users/08e1d05d...473d93df9210",
"value": "08e1d05d...473d93df9210" "value": "08e1d05d...473d93df9210"
} }
] ]
} }
] ]
The following example shows how to replace all the members of a group The following example shows how to replace all the members of a group
with a different members list. Some text removed for readabilty with a different members list. Some text removed for readabilty
("..."): ("..."):
PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
If-Match: W/"a330bc54f0671c9" If-Match: W/"a330bc54f0671c9"
[ [
{ "op":"remove","path":"members"}, { "schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"remove","path":"members"},
{ {
"schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"add", "op":"add",
"path":"members", "path":"members",
"value":[ "value":[
{ {
"display": "Babs Jensen", "display": "Babs Jensen",
"$ref": "https://example.com/v2/Users/2819c223...413861904646", "$ref": "https://example.com/v2/Users/2819c223...413861904646",
"value": "2819c223-7f76-453a-919d-413861904646" "value": "2819c223-7f76-453a-919d-413861904646"
}, },
{ {
"display": "James Smith", "display": "James Smith",
"$ref": "https://example.com/v2/Users/08e1d05d...473d93df9210", "$ref": "https://example.com/v2/Users/08e1d05d...473d93df9210",
"value": "08e1d05d-121c-4561-8b96-473d93df9210" "value": "08e1d05d-121c-4561-8b96-473d93df9210"
}] }]
} }
] ]
3.3.2.3. Replace Operation 3.3.2.3. Replace Operation
The "replace" operation replaces the value at the target location The "replace" operation replaces the value at the target location
specified by the "path". The operation performs the following specified by the "path". The operation performs the following
functions depending on the target location specified by "path": functions depending on the target location specified by "path" :
o If the target location is a single-value attribute, the attributes o If the target location is a single-value attribute, the attributes
value is replaced. value is replaced.
o If the target location is a multi-valued attribute and no filter o If the target location is a multi-valued attribute and no filter
is specified, the attribute and all values are replaced. is specified, the attribute and all values are replaced.
o If the target location is a multi-valued attribute and a complex o If the target location is a multi-valued attribute and a complex
filter is specified comparing a "value", the values matched by the filter is specified comparing a "value", the values matched by the
filter are replaced. filter are replaced.
o If the target location is a complex-multi-valued attribute and a o If the target location is a complex-multi-valued attribute and a
complex filter is specified based on the attribute's sub- complex filter is specified based on the attribute's sub-
attributes, the matching records are replaced. attributes, the matching records are replaced.
o If the target location is a complex-multi-valued attribute with a o If the target location is a complex-multi-valued attribute with a
complex filter and a specific sub-attribute (e.g. "addresses[type complex filter and a specific sub-attribute (e.g. "addresses[type
eq "work"].streetAddress"), the matching sub-attribute of the eq "work"].streetAddress" ), the matching sub-attribute of the
matching record is replaced. matching record is replaced.
The following example shows how to replace all the members of a group The following example shows how to replace all the members of a group
with a different members list in a single replace operation. Some with a different members list in a single replace operation. Some
text removed for readability ("..."): text removed for readability ("..."):
PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
If-Match: W/"a330bc54f0671c9" If-Match: W/"a330bc54f0671c9"
{ {
"schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"replace", "op":"replace",
"path":"members", "path":"members",
"value":[ "value":[
{ {
"display": "Babs Jensen", "display": "Babs Jensen",
"$ref": "https://example.com/v2/Users/2819c223...413861904646", "$ref": "https://example.com/v2/Users/2819c223...413861904646",
"value": "2819c223...413861904646" "value": "2819c223...413861904646"
}, },
{ {
"display": "James Smith", "display": "James Smith",
"$ref": "https://example.com/v2/Users/08e1d05d...473d93df9210", "$ref": "https://example.com/v2/Users/08e1d05d...473d93df9210",
"value": "08e1d05d...473d93df9210" "value": "08e1d05d...473d93df9210"
} }
] ]
} }
The following example shows how to change a User's entire "work" The following example shows how to change a User's entire "work"
address. address.
PATCH /Users/2819c223-7f76-453a-919d-413861904646 PATCH /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
If-Match: W/"a330bc54f0671c9" If-Match: W/"a330bc54f0671c9"
{ {
"schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"replace", "op":"replace",
"path":"addresses[type eq \"work\"]", "path":"addresses[type eq \"work\"]",
"value": "value":
{ {
"type": "work", "type": "work",
"streetAddress": "911 Universal City Plaza", "streetAddress": "911 Universal City Plaza",
"locality": "Hollywood", "locality": "Hollywood",
"region": "CA", "region": "CA",
"postalCode": "91608", "postalCode": "91608",
"country": "US", "country": "US",
skipping to change at page 34, line 36 skipping to change at page 34, line 37
"primary": true "primary": true
} }
} }
The following example shows how to change a User's address. Since The following example shows how to change a User's address. Since
address does not have a value Sub-Attribute, the existing address address does not have a value Sub-Attribute, the existing address
must be removed and the modified address added. must be removed and the modified address added.
PATCH /Users/2819c223-7f76-453a-919d-413861904646 PATCH /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
If-Match: W/"a330bc54f0671c9" If-Match: W/"a330bc54f0671c9"
{ {
"schemas": ["urn:scim:api:messages:2.0:PatchOp"],
"op":"replace", "op":"replace",
"path":"addresses[type eq \"work\"].streetAddress", "path":"addresses[type eq \"work\"].streetAddress",
"value":"911 Universal City Plaza" "value":"911 Universal City Plaza"
} }
3.4. Deleting Resources 3.4. Deleting Resources
Clients request resource removal via DELETE. Service providers MAY Clients request resource removal via DELETE. Service providers MAY
choose not to permanently delete the resource, but MUST return a 404 choose not to permanently delete the resource, but MUST return a 404
error code for all operations associated with the previously deleted error code for all operations associated with the previously deleted
skipping to change at page 35, line 33 skipping to change at page 35, line 39
GET /Users/2819c223-7f76-453a-919d-413861904646 GET /Users/2819c223-7f76-453a-919d-413861904646
Host: example.com Host: example.com
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
Server Response: Server Response:
HTTP/1.1 404 NOT FOUND HTTP/1.1 404 NOT FOUND
{ {
"schemas": ["urn:scim:schemas:core:2.0:Error"], "schemas": ["urn:scim:api:messages:2.0:Error"],
"Errors":[ "Errors":[
{ {
"description":"Resource 2819c223-7f76-453a-919d-413861904646 not found", "description":"Resource 2819c223-7f76-453a-919d-413861904646 not found",
"code":"404" "code":"404"
} }
] ]
} }
3.5. Bulk 3.5. Bulk
The SCIM bulk operation is an optional server feature that enables The SCIM bulk operation is an optional server feature that enables
clients to send a potentially large collection of resource operations clients to send a potentially large collection of resource operations
in a single request. The body of a a bulk operation contains a set in a single request. The body of a a bulk operation contains a set
of HTTP resource operations using one of the API supported HTTP of HTTP resource operations using one of the API supported HTTP
methods; i.e., POST, PUT, PATCH or DELETE. methods; i.e., POST, PUT, PATCH or DELETE.
Bulk requests are identified using the following URI: Bulk requests are identified using the following URI:
'urn:scim:schemas:core:2.0:BulkRequest'. Bulk responses are 'urn:scim:api:messages:2.0:BulkRequest'. Bulk responses are
identified using the following URI: identified using the following URI:
'urn:scim:schemas:core:2.0:BulkResponse'. Bulk requests and bulk 'urn:scim:api:messages:2.0:BulkResponse'. Bulk requests and bulk
responses share many attributes. Unless otherwise specified, each responses share many attributes. Unless otherwise specified, each
attribute below is present in both bulk requests and bulk responses. attribute below is present in both bulk requests and bulk responses.
The following Singular Attribute is defined in addition to the common The following Singular Attribute is defined in addition to the common
attributes defined in SCIM core schema. attributes defined in SCIM core schema.
failOnErrors An Integer specifying the number of errors that the failOnErrors An Integer specifying the number of errors that the
service provider will accept before the operation is terminated service provider will accept before the operation is terminated
and an error response is returned. OPTIONAL in a request. Not and an error response is returned. OPTIONAL in a request. Not
valid in a response. valid in a response.
skipping to change at page 36, line 39 skipping to change at page 36, line 44
bulkId serves as a surrogate resource id enabling clients to bulkId serves as a surrogate resource id enabling clients to
uniquely identify newly created resources in the Response and uniquely identify newly created resources in the Response and
cross reference new resources in and across operations within a cross reference new resources in and across operations within a
bulk request. REQUIRED when method is POST. bulk request. REQUIRED when method is POST.
version The current resource version. Version is REQUIRED if the version The current resource version. Version is REQUIRED if the
service provider supports ETags and the method is PUT, DELETE, service provider supports ETags and the method is PUT, DELETE,
or PATCH. or PATCH.
path The resource's relative path. If the method is POST the path The resource's relative path. If the method is POST the
value must specify a resource type endpoint; e.g., /Users or / value must specify a resource type endpoint; e.g., /Users or
Groups whereas all other method values must specify the path to /Groups whereas all other method values must specify the path
a specific resource; e.g., /Users/2819c223-7f76-453a- to a specific resource; e.g., /Users/2819c223-7f76-453a-919d-
919d-413861904646. REQUIRED in a request. 413861904646. REQUIRED in a request.
data The resource data as it would appear for a single POST, PUT data The resource data as it would appear for a single POST, PUT
or PATCH resource operation. REQUIRED in a request when method or PATCH resource operation. REQUIRED in a request when method
is POST, PUT and PATCH. is POST, PUT and PATCH.
location The resource endpoint URL. REQUIRED in a response, location The resource endpoint URL. REQUIRED in a response,
except in the event of a POST failure. except in the event of a POST failure.
status A complex type that contains information about the success status A complex type that contains information about the success
or failure of one operation within the bulk job. REQUIRED in a or failure of one operation within the bulk job. REQUIRED in a
skipping to change at page 38, line 25 skipping to change at page 38, line 25
The following example shows how to add, update, and remove a user. The following example shows how to add, update, and remove a user.
The failOnErrors attribute is set to '1' indicating the service The failOnErrors attribute is set to '1' indicating the service
provider should return on the first error. The POST operation's provider should return on the first error. The POST operation's
bulkId value is set to 'qwerty' enabling the client to match the new bulkId value is set to 'qwerty' enabling the client to match the new
User with the returned resource id '92b725cd-9465-4e7d- User with the returned resource id '92b725cd-9465-4e7d-
8c16-01f8e146b87a'. 8c16-01f8e146b87a'.
POST /v2/Bulk POST /v2/Bulk
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
Content-Length: ... Content-Length: ...
{ {
"schemas": ["urn:scim:schemas:core:2.0:BulkRequest"], "schemas": ["urn:scim:api:messages:2.0:BulkRequest"],
"failOnErrors":1, "failOnErrors":1,
"Operations":[ "Operations":[
{ {
"method":"POST", "method":"POST",
"path":"/Users", "path":"/Users",
"bulkId":"qwerty", "bulkId":"qwerty",
"data":{ "data":{
"schemas": ["urn:scim:schemas:core:2.0:User"], "schemas": ["urn:scim:api:messages:2.0:User"],
"userName":"Alice" "userName":"Alice"
} }
}, },
{ {
"method":"PUT", "method":"PUT",
"path":"/Users/b7c14771-226c-4d05-8860-134711653041", "path":"/Users/b7c14771-226c-4d05-8860-134711653041",
"version":"W\/\"3694e05e9dff591\"", "version":"W\/\"3694e05e9dff591\"",
"data":{ "data":{
"schemas": ["urn:scim:schemas:core:2.0:User"], "schemas": ["urn:scim:api:messages:2.0:User"],
"id":"b7c14771-226c-4d05-8860-134711653041", "id":"b7c14771-226c-4d05-8860-134711653041",
"userName":"Bob" "userName":"Bob"
} }
}, },
{ {
"method": "PATCH", "method": "PATCH",
"path": "/Users/5d8d29d3-342c-4b5f-8683-a3cb6763ffcc", "path": "/Users/5d8d29d3-342c-4b5f-8683-a3cb6763ffcc",
"version": "W/\"edac3253e2c0ef2\"", "version": "W/\"edac3253e2c0ef2\"",
"data": {[ "data": {[
skipping to change at page 40, line 6 skipping to change at page 40, line 6
"method":"DELETE", "method":"DELETE",
"path":"/Users/e9025315-6bea-44e1-899c-1e07454e468b", "path":"/Users/e9025315-6bea-44e1-899c-1e07454e468b",
"version":"W\/\"0ee8add0a938e1a\"" "version":"W\/\"0ee8add0a938e1a\""
} }
] ]
} }
The service provider returns the following response. The service provider returns the following response.
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/scim+json
{ {
"schemas": ["urn:scim:schemas:core:2.0:BulkResponse"], "schemas": ["urn:scim:api:messages:2.0:BulkResponse"],
"Operations": [ "Operations": [
{ {
"location": "https://example.com/v2/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a", "location": "https://example.com/v2/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a",
"method": "POST", "method": "POST",
"bulkId": "qwerty", "bulkId": "qwerty",
"version": "W\/\"oY4m4wn58tkVjJxK\"", "version": "W\/\"oY4m4wn58tkVjJxK\"",
"status": { "status": {
"code": "201" "code": "201"
} }
}, },
skipping to change at page 41, line 6 skipping to change at page 41, line 6
] ]
} }
The following response is returned if an error occurred when The following response is returned if an error occurred when
attempting to create the User 'Alice'. The service provider stops attempting to create the User 'Alice'. The service provider stops
processing the bulk operation and immediately returns a response to processing the bulk operation and immediately returns a response to
the client. The response contains the error and any successful the client. The response contains the error and any successful
results prior to the error. results prior to the error.
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/scim+json
{ {
"schemas": ["urn:scim:schemas:core:2.0:BulkResponse"], "schemas": ["urn:scim:api:messages:2.0:BulkResponse"],
"Operations": [ "Operations": [
{ {
"method": "POST", "method": "POST",
"bulkId": "qwerty", "bulkId": "qwerty",
"status": { "status": {
"code": "400", "code": "400",
"description": "Request is unparseable, syntactically incorrect, or violates schema." "description": "Request is unparseable, syntactically incorrect, or violates schema."
} }
} }
] ]
} }
If the failOnErrors attribute is not specified or the service If the failOnErrors attribute is not specified or the service
provider has not reached the error limit defined by the client the provider has not reached the error limit defined by the client the
service provider will continue to process all operations. The service provider will continue to process all operations. The
following is an example in which all operations failed. following is an example in which all operations failed.
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/scim+json
{ {
"schemas": ["urn:scim:schemas:core:2.0:BulkResponse"], "schemas": ["urn:scim:api:messages:2.0:BulkResponse"],
"Operations": [ "Operations": [
{ {
"method": "POST", "method": "POST",
"bulkId": "qwerty", "bulkId": "qwerty",
"status": { "status": {
"code": "400", "code": "400",
"description": "Request is unparseable, syntactically incorrect, or violates schema." "description": "Request is unparseable, syntactically incorrect, or violates schema."
} }
}, },
{ {
skipping to change at page 43, line 12 skipping to change at page 43, line 12
attribute value must be pre-pended with the literal "bulkId:"; e.g., attribute value must be pre-pended with the literal "bulkId:"; e.g.,
if the bulkId is 'qwerty' the value is "bulkId:qwerty". The service if the bulkId is 'qwerty' the value is "bulkId:qwerty". The service
provider MUST replace the string "bulkId:qwerty" with the permanent provider MUST replace the string "bulkId:qwerty" with the permanent
resource id once created. resource id once created.
The following example creates a User with the userName 'Alice' and a The following example creates a User with the userName 'Alice' and a
Group with the displayName 'Tour Guides' with Alice as a member. Group with the displayName 'Tour Guides' with Alice as a member.
POST /v2/Bulk POST /v2/Bulk
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
Content-Length: ... Content-Length: ...
{ {
"schemas": ["urn:scim:schemas:core:2.0:BulkRequest"], "schemas": ["urn:scim:api:messages:2.0:BulkRequest"],
"Operations": [ "Operations": [
{ {
"method": "POST", "method": "POST",
"path": "/Users", "path": "/Users",
"bulkId": "qwerty", "bulkId": "qwerty",
"data": { "data": {
"schemas": ["urn:scim:schemas:core:2.0:User"], "schemas": ["urn:scim:schemas:core:2.0:User"],
"userName": "Alice" "userName": "Alice"
} }
}, },
skipping to change at page 44, line 6 skipping to change at page 44, line 6
} }
] ]
} }
} }
] ]
} }
The service provider returns the following response. The service provider returns the following response.
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/scim+json
{ {
"schemas": ["urn:scim:schemas:core:2.0:BulkResponse"], "schemas": ["urn:scim:api:messages:2.0:BulkResponse"],
"Operations": [ "Operations": [
{ {
"location": "https://example.com/v2/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a", "location": "https://example.com/v2/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a",
"method": "POST", "method": "POST",
"bulkId": "qwerty", "bulkId": "qwerty",
"version": "W\/\"4weymrEsh5O6cAEK\"", "version": "W\/\"4weymrEsh5O6cAEK\"",
"status": { "status": {
"code": "201" "code": "201"
} }
}, },
skipping to change at page 44, line 32 skipping to change at page 44, line 32
"method": "POST", "method": "POST",
"bulkId": "ytrewq", "bulkId": "ytrewq",
"version": "W\/\"lha5bbazU3fNvfe5\"", "version": "W\/\"lha5bbazU3fNvfe5\"",
"status": { "status": {
"code": "201" "code": "201"
} }
} }
] ]
} }
A subsequent request for the 'Tour Guides' Group ('e9e30dba- A subsequent request for the 'Tour Guides' Group ('e9e30dba-f08f-
f08f-4109-8486-d5c6a331660a') returns the following: 4109-8486-d5c6a331660a') returns the following:
GET /v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a GET /v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/scim+json
Location: https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a Location: https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a
ETag: W/"lha5bbazU3fNvfe5" ETag: W/"lha5bbazU3fNvfe5"
{ {
"schemas": ["urn:scim:schemas:core:2.0:Group"], "schemas": ["urn:scim:schemas:core:2.0:Group"],
"id": "e9e30dba-f08f-4109-8486-d5c6a331660a", "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
"displayName": "Tour Guides", "displayName": "Tour Guides",
"meta": { "meta": {
"resourceType": "Group", "resourceType": "Group",
"created": "2011-08-01T18:29:49.793Z", "created": "2011-08-01T18:29:49.793Z",
skipping to change at page 46, line 7 skipping to change at page 46, line 7
] ]
} }
Extensions that include references to other resources MUST be handled Extensions that include references to other resources MUST be handled
in the same way by the service provider. The following example uses in the same way by the service provider. The following example uses
the bulkId attribute within the enterprise extension managerId the bulkId attribute within the enterprise extension managerId
attribute. attribute.
POST /v2/Bulk POST /v2/Bulk
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
Content-Length: ... Content-Length: ...
{ {
"schemas": ["urn:scim:schemas:core:2.0:BulkRequest"], "schemas": ["urn:scim:api:messages:2.0:BulkRequest"],
"Operations": [ "Operations": [
{ {
"method": "POST", "method": "POST",
"path": "/Users", "path": "/Users",
"bulkId": "qwerty", "bulkId": "qwerty",
"data": { "data": {
"schemas": ["urn:scim:schemas:core:2.0:User"], "schemas": ["urn:scim:schemas:core:2.0:User"],
"userName": "Alice" "userName": "Alice"
} }
}, },
skipping to change at page 47, line 7 skipping to change at page 47, line 7
] ]
} }
The service provider MUST try to resolve circular cross references The service provider MUST try to resolve circular cross references
between resources in a single bulk job but MAY stop after a failed between resources in a single bulk job but MAY stop after a failed
attempt and instead return the status code 409 Conflict. The attempt and instead return the status code 409 Conflict. The
following example exhibits the potential conflict. following example exhibits the potential conflict.
POST /v2/Bulk POST /v2/Bulk
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
Content-Length: ... Content-Length: ...
{ {
"schemas": ["urn:scim:schemas:core:2.0:BulkRequest"], "schemas": ["urn:scim:api:messages:2.0:BulkRequest"],
"Operations": [ "Operations": [
{ {
"method": "POST", "method": "POST",
"path": "/Groups", "path": "/Groups",
"bulkId": "qwerty", "bulkId": "qwerty",
"data": { "data": {
"schemas": ["urn:scim:schemas:core:2.0:Group"], "schemas": ["urn:scim:schemas:core:2.0:Group"],
"displayName": "Group A", "displayName": "Group A",
"members": [ "members": [
{ {
skipping to change at page 48, line 7 skipping to change at page 48, line 7
} }
} }
] ]
} }
If the service provider resolved the above circular references the If the service provider resolved the above circular references the
following is returned from a subsequent GET request. following is returned from a subsequent GET request.
GET /v2/Groups?filter=displayName sw 'Group' GET /v2/Groups?filter=displayName sw 'Group'
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/scim+json
{ {
"schemas": ["urn:scim:schemas:core:2.0:ListResponse"], "schemas": ["urn:scim:api:messages:2.0:ListResponse"],
"totalResults": 2, "totalResults": 2,
"Resources": [ "Resources": [
{ {
"id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97", "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
"schemas": ["urn:scim:schemas:core:2.0:Group"], "schemas": ["urn:scim:schemas:core:2.0:Group"],
"displayName": "Group A", "displayName": "Group A",
"meta": { "meta": {
"resourceType": "Group", "resourceType": "Group",
"created": "2011-08-01T18:29:49.793Z", "created": "2011-08-01T18:29:49.793Z",
"lastModified": "2011-08-01T18:29:51.135Z", "lastModified": "2011-08-01T18:29:51.135Z",
skipping to change at page 50, line 15 skipping to change at page 50, line 15
maximum payload size a client may send in a single request. If maximum payload size a client may send in a single request. If
either limits are exceeded the service provider MUST return the HTTP either limits are exceeded the service provider MUST return the HTTP
response code 413 Request Entity Too Large. The returned response response code 413 Request Entity Too Large. The returned response
MUST specify the limit exceeded in the body of the error response. MUST specify the limit exceeded in the body of the error response.
The following example the client sent a request exceeding the service The following example the client sent a request exceeding the service
provider's max payload size of 1 megabyte. provider's max payload size of 1 megabyte.
POST /v2/Bulk POST /v2/Bulk
Host: example.com Host: example.com
Accept: application/json Accept: application/scim+json
Content-Type: application/json Content-Type: application/scim+json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
Content-Length: 4294967296 Content-Length: 4294967296
... ...
HTTP/1.1 413 Request Entity Too Large HTTP/1.1 413 Request Entity Too Large
Content-Type: application/json Content-Type: application/scim+json
Location: https://example.com/v2/Bulk/yfCrVJhFIJagAHj8 Location: https://example.com/v2/Bulk/yfCrVJhFIJagAHj8
{ {
"schemas":["urn:scim:schemas:core:2.0:Error"], "schemas":["urn:scim:api:messages:2.0:Error"],
"Errors":[ "Errors":[
{ {
"description":"The size of the bulk operation exceeds the maxPayloadSize (1048576).", "description":"The size of the bulk operation exceeds the maxPayloadSize (1048576).",
"code":"413" "code":"413"
} }
] ]
} }
3.6. Data Input/Output Formats 3.6. Data Input/Output Formats
Servers MUST accept requests and respond with JSON structured Servers MUST accept requests and respond with JSON structured
responses using UTF-8 encoding [RFC3629], UTF-8 SHALL be the default responses using UTF-8 encoding [RFC3629], UTF-8 SHALL be the default
encoding format. encoding format.
Clients using other encodings MUST specify the format in which the Clients using other encodings MUST specify the format in which the
data is submitted via Section 14.17 HTTP header content-type[RFC2616] data is submitted via HTTP header "Content-Type" as specified in
and MAY specify the desired response data format via an HTTP Accept Section 3.1.1.5 [RFC7231] and MAY specify the desired response data
Header; e.g.,"Accept: application/json" or via URI suffix; e.g., format via an HTTP "Accept" header ( Section 5.3.2 [RFC7231] ); e.g.,
"Accept: application/scim+json" or via URI suffix; e.g.,
GET /Users/2819c223-7f76-453a-919d-413861904646.json GET /Users/2819c223-7f76-453a-919d-413861904646.scim
Host: example.com Host: example.com
Service providers MUST support the Accept Headers "Accept:
application/json" for [RFC7159]. The format defaults to JSON if no Service providers MUST support the accept header "Accept:
application/scim+json" and SHOULD support header "Accept:
application/json" both of which specify JSON documents conforming to
[RFC7159]. The format defaults to "application/scim+json" if no
format is specified. format is specified.
Singular attributes are encoded as string name-value-pairs in JSON; Singular attributes are encoded as string name-value-pairs in JSON;
e.g., e.g.,
"attribute": "value" "attribute": "value"
Multi-valued attributes in JSON are encoded as arrays; e.g., Multi-valued attributes in JSON are encoded as arrays; e.g.,
"attributes": [ "value1", "value2" ] "attributes": [ "value1", "value2" ]
Elements with nested elements are represented as objects in JSON; Elements with nested elements are represented as objects in JSON;
e.g, e.g,
"attribute": { "subattribute1": "value1", "subattribute2": "value2" } "attribute": { "subattribute1": "value1", "subattribute2": "value2" }
3.7. Additional Operation Response Parameters 3.7. Additional Operation Response Parameters
For any SCIM operation where a resource representation is returned For any SCIM operation where a resource representation is returned
(e.g. HTTP GET), the attributes normally returned are defined as the (e.g. HTTP GET), the attributes normally returned are defined as the
minimum attribute set plus default attributes. The minimum set are minimum attribute set plus default attributes. The minimum set are
those attributes whose schema have "returned" set to "always". The those attributes whose schema have "returned" set to "always". The
defaut attribute set are those attributes whose schema have defaut attribute set are those attributes whose schema have
"returned" set to "default". "returned" set to "default".
Clients MAY request a partial resource representation on any Clients MAY request a partial resource representation on any
operation that returns a resource within the response by specifying operation that returns a resource within the response by specifying
either of the mutually exclusive URL query parameters "attributes" OR either of the mutually exclusive URL query parameters "attributes" OR
"excludedAtributes" as follows: "excludedAtributes" as follows:
skipping to change at page 51, line 47 skipping to change at page 52, line 4
minimal set of resource attributes and MUST contain no other minimal set of resource attributes and MUST contain no other
attributes or sub-attributes other than those explicitly attributes or sub-attributes other than those explicitly
requested. The query parameter attributes value is a comma requested. The query parameter attributes value is a comma
separated list of resource attribute names in standard separated list of resource attribute names in standard
attribute notation (Section 3.8) form (e.g. userName, name, attribute notation (Section 3.8) form (e.g. userName, name,
emails). emails).
excludedAttributes When specified, each resource returned MUST excludedAttributes When specified, each resource returned MUST
contain the minimal set of resource attributes. contain the minimal set of resource attributes.
Additionally, the default set of attributes minus those Additionally, the default set of attributes minus those
attributes listed in "excludedAttributes"are also returned. attributes listed in "excludedAttributes" are also returned.
The query parameter attributes value is a comma separated The query parameter attributes value is a comma separated
list of resource attribute names in standard attribute list of resource attribute names in standard attribute
notation (Section 3.8) form (e.g. userName, name, emails). notation (Section 3.8) form (e.g. userName, name, emails).
. .
GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=userName GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=userName
Host: example.com Host: example.com
Accept: application/json Accept: application/json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
skipping to change at page 53, line 28 skipping to change at page 53, line 31
location. location.
o A service provider MAY process the SCIM request directly. In any o A service provider MAY process the SCIM request directly. In any
response, the HTTP "Location" header MUST be the permanent response, the HTTP "Location" header MUST be the permanent
location of the aliased resource associated with the authenticated location of the aliased resource associated with the authenticated
subject. subject.
3.10. HTTP Response Codes 3.10. HTTP Response Codes
The SCIM Protocol uses the response status codes defined in HTTP The SCIM Protocol uses the response status codes defined in HTTP
Section 10 [RFC2616] to indicate operation success or failure. In Section 6 [RFC7231] to indicate operation success or failure. In
addition to returning a HTTP response code implementers MUST return addition to returning a HTTP response code implementers MUST return
the errors in the body of the response in the client requested format the errors in the body of the response in the client requested format
containing the error response and, per the HTTP specification, human- containing the error response and, per the HTTP specification, human-
readable explanations. Error responses are identified using the readable explanations. Error responses are identified using the
following URI: 'urn:scim:schemas:core:2.0:Error'. The following following URI: 'urn:scim:api:messages:2.0:Error'. The following
multi-valued attribute is defined in addition to those attributes multi-valued attribute is defined in addition to those attributes
defined in SCIM Core Schema: defined in SCIM Core Schema:
Errors The list of errors encountered by the service provider. The Errors The list of errors encountered by the service provider. The
value attribute is a complex type with the following sub- value attribute is a complex type with the following sub-
attributes. attributes.
description A human-readable explanation of the error. REQUIRED. description A human-readable explanation of the error. REQUIRED.
code A string indicating the HTTP response code. REQUIRED. code A string indicating the HTTP response code. REQUIRED.
skipping to change at page 54, line 9 skipping to change at page 54, line 13
| Code | Applicability | Suggested Explanation | | Code | Applicability | Suggested Explanation |
+--------------+---------------+------------------------------------+ +--------------+---------------+------------------------------------+
| 307 | GET, POST, | The client is directed to repeat | | 307 | GET, POST, | The client is directed to repeat |
| TEMPORARY | PUT, PATCH, | the same HTTP request at the | | TEMPORARY | PUT, PATCH, | the same HTTP request at the |
| REDIRECT | DELETE | location identified. The client | | REDIRECT | DELETE | location identified. The client |
| | | SHOULD NOT use the location | | | | SHOULD NOT use the location |
| | | provided in the response as a | | | | provided in the response as a |
| | | permanent reference to the | | | | permanent reference to the |
| | | resource and SHOULD continue to | | | | resource and SHOULD continue to |
| | | use the original request URI | | | | use the original request URI |
| | | [I-D.ietf-httpbis-p2-semantics]. | | | | [RFC7231]. |
| 308 | GET, POST, | The client is directed to repeat | | 308 | GET, POST, | The client is directed to repeat |
| PERMANENT | PUT, PATCH, | the same HTTP request at the | | PERMANENT | PUT, PATCH, | the same HTTP request at the |
| REDIRECT | DELETE | location identified. The client | | REDIRECT | DELETE | location identified. The client |
| | | SHOULD use the location provided | | | | SHOULD use the location provided |
| | | in the response as the permanent | | | | in the response as the permanent |
| | | reference to the resource | | | | reference to the resource |
| | | [I-D.reschke-http-status-308]. | | | | [I-D.reschke-http-status-308]. |
| 400 BAD | GET, POST, | Request is unparseable, | | 400 BAD | GET, POST, | Request is unparseable, |
| REQUEST | PUT, PATCH, | syntactically incorrect, or | | REQUEST | PUT, PATCH, | syntactically incorrect, or |
| | DELETE | violates schema | | | DELETE | violates schema |
skipping to change at page 55, line 8 skipping to change at page 55, line 10
| | DELETE | | | | DELETE | |
+--------------+---------------+------------------------------------+ +--------------+---------------+------------------------------------+
Table 7: Defined error cases Table 7: Defined error cases
Error example in response to a non-existent GET request. Error example in response to a non-existent GET request.
HTTP/1.1 404 NOT FOUND HTTP/1.1 404 NOT FOUND
{ {
"schemas": ["urn:scim:schemas:core:2.0:Error"], "schemas": ["urn:scim:api:messages:2.0:Error"],
"Errors":[ "Errors":[
{ {
"description":"Resource 2819c223-7f76-453a-919d-413861904646 not found", "description":"Resource 2819c223-7f76-453a-919d-413861904646 not found",
"code":"404" "code":"404"
} }
] ]
} }
3.11. API Versioning 3.11. API Versioning
The Base URL MAY be appended with a version identifier as a separate The Base URL MAY be appended with a version identifier as a separate
segment in the URL path. At this time the only valid identifier is segment in the URL path. At this time of this specification, the
'v1'. If specified, the version identifier MUST appear in the URL identifier is 'v2'. If specified, the version identifier MUST appear
path immediately preceding the resource endpoint and conform to the in the URL path immediately preceding the resource endpoint and
following scheme: the character 'v' followed by the desired SCIM conform to the following scheme: the character 'v' followed by the
version number; e.g., a version 'v1' User request is specified as /v2 desired SCIM version number; e.g., a version 'v2' User request is
/Users. When specified service providers MUST perform the operation specified as /v2/Users. When specified service providers MUST
using the desired version or reject the request. When omitted perform the operation using the desired version or reject the
service providers SHOULD perform the operation using the most recent request. When omitted service providers SHOULD perform the operation
API supported by the service provider. using the most recent API supported by the service provider.
3.12. Versioning Resources 3.12. Versioning Resources
The API supports resource versioning via standard HTTP The API supports resource versioning via standard HTTP ETags
ETagsSection 14.19 [RFC2616]. Service providers MAY support weak Section 2.3 [RFC7233]. Service providers MAY support weak ETags as
ETags as the preferred mechanism for performing conditional the preferred mechanism for performing conditional retrievals and
retrievals and ensuring clients do not inadvertently overwrite each ensuring clients do not inadvertently overwrite each others changes,
others changes, respectively. When supported SCIM ETags MUST be respectively. When supported SCIM ETags MUST be specified as an HTTP
specified as an HTTP header and SHOULD be specified within the header and SHOULD be specified within the 'version' attribute
'version' attribute contained in the resource's 'meta' attribute. contained in the resource's 'meta' attribute.
Example: Example:
POST /Users HTTP/1.1 POST /Users HTTP/1.1
Host: example.com Host: example.com
Content-Type: application/json Content-Type: application/json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
Content-Length: ... Content-Length: ...
{ {
skipping to change at page 56, line 51 skipping to change at page 56, line 51
"formatted":"Ms. Barbara J Jensen III", "formatted":"Ms. Barbara J Jensen III",
"familyName":"Jensen", "familyName":"Jensen",
"givenName":"Barbara" "givenName":"Barbara"
}, },
"userName":"bjensen" "userName":"bjensen"
} }
With the returned ETag, clients MAY choose to retrieve the resource With the returned ETag, clients MAY choose to retrieve the resource
only if the resource has been modified. only if the resource has been modified.
Conditional retrieval example using If-None-Match Section 14.26 Conditional retrieval example using If-None-Match Section 3.2
[RFC2616] header: [RFC7233] header:
GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=displayName GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=displayName
Host: example.com Host: example.com
Accept: application/json Accept: application/json
Authorization: Bearer h480djs93hd8 Authorization: Bearer h480djs93hd8
If-None-Match: W/"e180ee84f0671b1" If-None-Match: W/"e180ee84f0671b1"
If the resource has not changed the service provider simply returns If the resource has not changed the service provider simply returns
an empty body with a 304 "Not Modified" response code. an empty body with a 304 "Not Modified" response code.
If the service providers supports versioning of resources the client If the service providers supports versioning of resources the client
MAY supply an If-Match Section 14.24 [RFC2616] header for PUT and MAY supply an If-Match Section 3.1 [RFC7233] header for PUT and PATCH
PATCH operations to ensure that the requested operation succeeds only operations to ensure that the requested operation succeeds only if
if the supplied ETag matches the latest service provider resource; the supplied ETag matches the latest service provider resource; e.g.,
e.g., If-Match: W/"e180ee84f0671b1" If-Match: W/"e180ee84f0671b1"
4. Multi-Tenancy 4. Preparation and Comparison of Internationalized Strings
To increase the likelihood that the input and comparison of unicode
usernames and passwords will work in ways that make sense for typical
users throughout the world there are special string preparation and
comparison methods (PRECIS) that MUST be followed for usernames and
passwords. Before comparing or evaluating uniqueness of a "userName"
or "password" attribute, service providers MUST use the "PRECIS"
profile described in Sections 4 and 5 respectively of
[I-D.ietf-precis-saslprepbis] and is based on the "PRECIS" framework
specification [I-D.ietf-precis-framework].
5. Multi-Tenancy
A single service provider may expose the SCIM protocol to multiple A single service provider may expose the SCIM protocol to multiple
clients. Depending on the nature of the service, the clients may clients. Depending on the nature of the service, the clients may
have authority to access and alter resources initially created by have authority to access and alter resources initially created by
other clients. Alternatively, clients may expect to access disjoint other clients. Alternatively, clients may expect to access disjoint
sets of resources, and may expect that their resources are sets of resources, and may expect that their resources are
inaccessible by other clients. These scenarios are called "multi- inaccessible by other clients. These scenarios are called "multi-
tenancy", where each client is understood to be or represent a tenancy", where each client is understood to be or represent a
"tenant" of the service provider. Clients may also be multi- "tenant" of the service provider. Clients may also be multi-
tenanted. tenanted.
skipping to change at page 58, line 4 skipping to change at page 58, line 15
Service providers may implement any subset of the above cases. Service providers may implement any subset of the above cases.
Multi-Tenancy is OPTIONAL. The SCIM protocol does not define a Multi-Tenancy is OPTIONAL. The SCIM protocol does not define a
scheme for multi-tenancy. scheme for multi-tenancy.
The SCIM protocol does not prescribe the mechanisms whereby clients The SCIM protocol does not prescribe the mechanisms whereby clients
and service providers interact for: and service providers interact for:
o Registering or provisioning Tenants o Registering or provisioning Tenants
o Associating a subset of clients with a subset of the Tenants o Associating a subset of clients with a subset of the Tenants
o Indicating which tenant is associated with the data in a request o Indicating which tenant is associated with the data in a request
or response, or indicating which Tenant is the subject of a query or response, or indicating which Tenant is the subject of a query
4.1. Associating Clients to Tenants 5.1. Associating Clients to Tenants
The service provider MAY use the authentication mechanism (Section 2) The service provider MAY use the authentication mechanism (Section 2)
to determine the identity of the client, and thus infer the to determine the identity of the client, and thus infer the
associated Tenant. associated Tenant.
For implementations where a client is associated with more than one For implementations where a client is associated with more than one
Tenant, the service provider MAY use one of the following methods for Tenant, the service provider MAY use one of the following methods for
explicit specification of the Tenant. explicit specification of the Tenant.
If any of these methods of allowing the client to explicitly specify If any of these methods of allowing the client to explicitly specify
skipping to change at page 58, line 40 skipping to change at page 59, line 5
o A URL prefix: "https://www.example.com/Tenants/{tenant_id}/v2/ o A URL prefix: "https://www.example.com/Tenants/{tenant_id}/v2/
Users" Users"
o A sub-domain: "https://{tenant_id}.example.com/v2/Groups" o A sub-domain: "https://{tenant_id}.example.com/v2/Groups"
o The service provider may recognize a {tenant_id} provided by the o The service provider may recognize a {tenant_id} provided by the
client in an HTTP Header as the indicator of the desired target client in an HTTP Header as the indicator of the desired target
Tenant. Tenant.
4.2. SCIM Identifiers with Multiple Tenants 5.2. SCIM Identifiers with Multiple Tenants
Considerations for a Multi-Tenant Implementation: Considerations for a Multi-Tenant Implementation:
The service provider may choose to implement SCIM ids which are The service provider may choose to implement SCIM ids which are
unique across all resources for all Tenants, but this is not unique across all resources for all Tenants, but this is not
required. required.
The externalId, defined by the client, is required to be unique ONLY The externalId, defined by the client, is required to be unique ONLY
within the resources associated with the associated Tenant. within the resources associated with the associated Tenant.
5. Security Considerations 6. Security Considerations
5.1. TLS Support 6.1. TLS Support
The SCIM Protocol is based on HTTP and thus subject to the security The SCIM Protocol layers on top of Hypertext Transfer Protocol and
considerations found in Section 15 of [RFC2616]. SCIM resources thus subject to the security considerations of HTTP Section 9
(e.g., Users and Groups) can contain sensitive information. [RFC7230] and its related specifications.
Therefore, SCIM clients and service providers MUST implement TLS.
Which version(s) ought to be implemented will vary over time, and SCIM resources (e.g., Users and Groups) can contain sensitive
depend on the widespread deployment and known security information. Therefore, SCIM clients and service providers MUST
implement TLS. Which version(s) ought to be implemented will vary
over time, and depend on the widespread deployment and known security
vulnerabilities at the time of implementation. At the time of this vulnerabilities at the time of implementation. At the time of this
writing, TLS version 1.2 [RFC5246] is the most recent version, but writing, TLS version 1.2 [RFC5246] is the most recent version, but
has very limited actual deployment, and might not be readily has very limited actual deployment, and might not be readily
available in implementation toolkits. TLS version 1.0 [RFC2246] is available in implementation toolkits. TLS version 1.0 [RFC2246] is
the most widely deployed version, and will give the broadest the most widely deployed version, and will give the broadest
interoperability. interoperability.
5.2. Querying Using HTTP GET 6.2. Request URI Information Leakage
Clients requesting information using query filters SHOULD give Clients requesting information using query filters using HTTP GET
consideration to the information content of the filters and whether SHOULD give consideration to the information content of the filters
their exposure in a URL would represent a breach of security or and whether their exposure in a URI would represent a breach of
confidentiality through leakage in a web browser or logs. This is security or confidentiality through leakage in a web browsers or
particularly true for information that is legally considered server logs. This is particularly true for information that is
"personally identifiable information" or is otherwise restricted by legally considered "personally identifiable information" or is
privacy laws. To ensure maximum security and confidentiality, otherwise restricted by privacy laws. In these situations to ensure
clients SHOULD query using HTTP POST (see Section 3.2.3). maximum security and confidentiality, clients SHOULD query using HTTP
POST (see Section 3.2.3 ).
Servers that receive HTTP GET requests using filters that contain Servers that receive HTTP GET requests using filters that contain
restricted or confidential information SHOULD respond with HTTP restricted or confidential information SHOULD respond with HTTP
status 403 indicating the operation is FORBIDDEN. A detialed error, status 403 indicating the operation is FORBIDDEN. A detialed error,
"confidential_restricted" may be returned indicating the request must "confidential_restricted" may be returned indicating the request must
be submitted using POST. A non-normative example: be submitted using POST. A non-normative example:
HTTP/1.1 403 FORBIDDEN HTTP/1.1 403 FORBIDDEN
{ {
"schemas": ["urn:scim:schemas:core:2.0:Error"], "schemas": ["urn:scim:api:messages:2.0:Error"],
"Errors":[ "Errors":[
{ {
"description":"Query filter involving 'name' is restricted or confidential", "description":"Query filter involving 'name' is restricted or confidential",
"error":"confidential_restricted" "error":"confidential_restricted"
} }
] ]
} }
5.3. Universal Identifiers
6. IANA Considerations 6.3. Case Insensitive Comparision & International Languages
6.1. Media Type Registration When comparing unicode strings such as in query filters or testing
for uniqueness of usernames and passwords, strings MUST be
appopriately prepared before comparison. See Section 4.
6.4. Universal Identifiers
7. IANA Considerations
7.1. Media Type Registration
To: ietf-types@iana.org To: ietf-types@iana.org
Subject: Registration of media type application/scim+json Subject: Registration of media type application/scim+json
Type name: application Type name: application
Subtype name: scim+json Subtype name: scim+json
Required parameters: none Required parameters: none
Optional parameters: none Optional parameters: none
Encoding considerations: 8bit Encoding considerations: 8bit
Security considerations: See Section 5 Security considerations: See Section 6
Interoperability considerations: The "application/scim+json" media Interoperability considerations: The "application/scim+json" media
type is intended to identify JSON structure data that conforms to type is intended to identify JSON structure data that conforms to
the SCIM 2 api and schema specifications. Older versions of SCIM the SCIM 2 api and schema specifications. Older versions of SCIM
are known to informally use "application/json". are known to informally use "application/json".
Published specification: [[this document]] Published specification: [[this document]]
Applications that use this media type: It is expected that Applications that use this media type: It is expected that
applications that use this type may be special purpose applications that use this type may be special purpose
applications intended for inter-domain provisioning. Clients may applications intended for inter-domain provisioning. Clients may
also be applications (e.g. mobile applications) that need to use also be applications (e.g. mobile applications) that need to use
SCIM for self-registration of user accounts. SCIM services may be SCIM for self-registration of user accounts. SCIM services may be
offered by web applications wishin to offer support for standards offered by web applications wishin to offer support for standards
based provisioning or may be a dedicated SCIM service provider based provisioning or may be a dedicated SCIM service provider
such as a "cloud directory". Content may be treated as equivalent such as a "cloud directory". Content may be treated as equivalent
to "application/json" type for the purpose of displaying in web to "application/json" type for the purpose of displaying in web
browsers. browsers.
skipping to change at page 61, line 19 skipping to change at page 61, line 37
Restrictions on usage: For most client types, it is sufficient to Restrictions on usage: For most client types, it is sufficient to
recognize the content as equivalent to "application/json". recognize the content as equivalent to "application/json".
Applications intending to use the SCIM API SHOULD use the Applications intending to use the SCIM API SHOULD use the
application/scim+json media type. application/scim+json media type.
Author: Phil Hunt Author: Phil Hunt
Change controller: IETF Change controller: IETF
7. References 7.2. SCIM API Message Schema Registry
7.1. Normative References As per the IANA SCIM Schema Registry in [I-D.ietf-scim-core-schema],
the following registers and extends the SCIM Schema Registry to
define API request/response JSON schema URN identifier prefix of
"urn:scim:api:messages:2.0" which is part of the URN sub-Namespace
for SCIM. There is no specific associated resource type.
[I-D.ietf-httpbis-p2-semantics] +---------------------------------------+-----------+---------------+
Fielding, R. and J. Reschke, "Hypertext Transfer Protocol | Schema URI | Name | Reference |
(HTTP/1.1): Semantics and Content", draft-ietf- +---------------------------------------+-----------+---------------+
httpbis-p2-semantics-25 (work in progress), November 2013. | urn:scim:api:messages:2.0:ListRespons | List/Quer | See Section |
| e | y | 3.2.2 |
| | Response | |
| urn:scim:api:messages:2.0:SearchReque | POST | See Section |
| st | Query | 3.2.3 |
| | Request | |
| urn:scim:api:messages:2.0:PatchOp | Patch | See Section |
| | Operation | 3.3.2 |
| urn:scim:api:messages:2.0:BulkRequest | Bulk Oper | See Section |
| | ations | 3.5 |
| | Request | |
| urn:scim:api:messages:2.0:BulkRespons | Bulk Oper | See Section |
| e | ations | 3.5 |
| | Response | |
| urn:scim:api:messages:2.0:Error | Error | See Section |
| | Response | 3.10 |
+---------------------------------------+-----------+---------------+
SCIM Schema URIs for Data Resources
8. References
8.1. Normative References
[I-D.ietf-precis-saslprepbis]
Saint-Andre, P. and A. Melnikov, "Preparation and
Comparison of Internationalized Strings Representing
Usernames and Passwords", draft-ietf-precis-saslprepbis-07
(work in progress), March 2014.
[I-D.ietf-scim-core-schema] [I-D.ietf-scim-core-schema]
Grizzle, K., Hunt, P., Wahlstroem, E., and C. Mortimore, Grizzle, K., Hunt, P., Wahlstroem, E., and C. Mortimore,
"System for Cross-Domain Identity Management: Core "System for Cross-Domain Identity Management: Core
Schema", draft-ietf-scim-core-schema-03 (work in Schema", draft-ietf-scim-core-schema-05 (work in
progress), February 2014. progress), May 2014.
[I-D.reschke-http-status-308]
Reschke, J., "The Hypertext Transfer Protocol (HTTP)
Status Code 308 (Permanent Redirect)", draft-reschke-http-
status-308-07 (work in progress), March 2012.
[IANA.Language] [IANA.Language]
Internet Assigned Numbers Authority (IANA), "Language Internet Assigned Numbers Authority (IANA), "Language
Subtag Registry", 2005. Subtag Registry", 2005.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999. RFC 2246, January 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
Internationalized Strings ("stringprep")", RFC 3454,
December 2002.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003. 10646", STD 63, RFC 3629, November 2003.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC Resource Identifier (URI): Generic Syntax", STD 66, RFC
3986, January 2005. 3986, January 2005.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008. Specifications: ABNF", STD 68, RFC 5234, January 2008.
skipping to change at page 62, line 27 skipping to change at page 63, line 35
[RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", RFC [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", RFC
5789, March 2010. 5789, March 2010.
[RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
Framework: Bearer Token Usage", RFC 6750, October 2012. Framework: Bearer Token Usage", RFC 6750, October 2012.
[RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, March 2014. Interchange Format", RFC 7159, March 2014.
7.2. Informative References [RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
(HTTP/1.1): Message Syntax and Routing", RFC 7230, June
2014.
[RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
(HTTP/1.1): Semantics and Content", RFC 7231, June 2014.
[RFC7233] Fielding, R., Lafon, Y., and J. Reschke, "Hypertext
Transfer Protocol (HTTP/1.1): Range Requests", RFC 7233,
June 2014.
[RFC7235] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
(HTTP/1.1): Authentication", RFC 7235, June 2014.
8.2. Informative References
[I-D.ietf-precis-framework]
Saint-Andre, P. and M. Blanchet, "PRECIS Framework:
Preparation and Comparison of Internationalized Strings in
Application Protocols", draft-ietf-precis-framework-17
(work in progress), May 2014.
[I-D.reschke-http-status-308]
Reschke, J., "The Hypertext Transfer Protocol (HTTP)
Status Code 308 (Permanent Redirect)", draft-reschke-http-
status-308-07 (work in progress), March 2012.
[OpenSearch] [OpenSearch]
Clinton, D., "OpenSearch Protocol 1.1, Draft 5", . Clinton, D., "OpenSearch Protocol 1.1, Draft 5", .
[Order-Operations] [Order-Operations]
Wikipedia, "Order of Operations: Programming Languages", . Wikipedia, "Order of Operations: Programming Languages", .
[RFC2277] Alvestrand, H., "IETF Policy on Character Sets and [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
Languages", BCP 18, RFC 2277, January 1998. Languages", BCP 18, RFC 2277, January 1998.
skipping to change at page 64, line 25 skipping to change at page 66, line 14
70 - Remove SCIM_TENANT_ID header 70 - Remove SCIM_TENANT_ID header
72 - Added text to indicate UTF-8 is default and mandatory 72 - Added text to indicate UTF-8 is default and mandatory
encoding format per BCP18 encoding format per BCP18
74 - Added security considerations for using GET with confidential 74 - Added security considerations for using GET with confidential
attribute filters attribute filters
- corrected error response in JSON PATCH operation - corrected error response in JSON PATCH operation
Draft 06 - PH - Revisions based on the following tickets and
editorial changes
41 - Revised content types from application/json to application/
scim+json, registered API schemas
63 - Revised uri schema prefixes for API json message schemas
66 - Updated references for RFC2616 to HTTPbis
75 - Added security considerations for International Strings and
"PRECIS" support
76 - Clarified handling of PUT (& POST) with regards to mutability
and default values
- Corrected version numbers in sec 3.11 API Versioning to v2 (from
v1)
- Clarified that no filter matches should return success
totalResults=0
Authors' Addresses Authors' Addresses
Phil Hunt (editor) Phil Hunt (editor)
Oracle Corporation Oracle Corporation
Email: phil.hunt@yahoo.com Email: phil.hunt@yahoo.com
Kelly Grizzle Kelly Grizzle
SailPoint SailPoint
 End of changes. 145 change blocks. 
244 lines changed or deleted 392 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/