draft-hunt-idevent-scim-00.txt

Network Working Group                                       P. Hunt, Ed.
Internet-Draft                                                    Oracle
Intended status: Standards Track                              W. Denniss
Expires: September 21, 2016                                       Google
                                                               M. Ansari
                                                                   Cisco
                                                          March 20, 2016


                          SCIM Event Extension
                       draft-hunt-idevent-scim-00

Abstract

   This specification profiles the Identity Event Token specification to
   define a set of identity events to be used with SCIM.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 21, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Hunt, et al.           Expires September 21, 2016               [Page 1]

Internet-Draft           draft-hunt-idevent-scim              March 2016


Table of Contents

   1.  Introduction and Overview . . . . . . . . . . . . . . . . . .   2
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . .   2
     1.2.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  SCIM Events . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Common Event Attributes . . . . . . . . . . . . . . . . .   3
     2.2.  Disclosure Profiles . . . . . . . . . . . . . . . . . . .   4
     2.3.  SCIM Events . . . . . . . . . . . . . . . . . . . . . . .   4
       2.3.1.  urn:ietf:params:event:SCIM:add  . . . . . . . . . . .   4
       2.3.2.  urn:ietf:params:event:SCIM:create . . . . . . . . . .   5
       2.3.3.  urn:ietf:params:event:SCIM:activate . . . . . . . . .   7
       2.3.4.  urn:ietf:params:event:SCIM:modify . . . . . . . . . .   8
       2.3.5.  urn:ietf:params:event:SCIM:deactivate . . . . . . . .   8
       2.3.6.  urn:ietf:params:event:SCIM:delete . . . . . . . . . .   8
       2.3.7.  urn:ietf:params:event:SCIM:remove . . . . . . . . . .   9
       2.3.8.  urn:ietf:params:event:SCIM:password . . . . . . . . .   9
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .  12
     5.2.  Informative References  . . . . . . . . . . . . . . . . .  13
   Appendix A.  Contributors . . . . . . . . . . . . . . . . . . . .  13
   Appendix B.  Acknowledgments  . . . . . . . . . . . . . . . . . .  13
   Appendix C.  Change Log . . . . . . . . . . . . . . . . . . . . .  13
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  13

1.  Introduction and Overview

   This specification profiles the Identity Event Token [idevent-token]
   to define events for SCIM Protocol [RFC7644].

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].  These
   keywords are capitalized when used to unambiguously specify
   requirements of the protocol or application features and behavior
   that affect the interoperability and security of implementations.
   When these words are not capitalized, they are meant in their
   natural-language sense.

   For purposes of readability examples are not URL encoded.
   Implementers MUST percent encode URLs as described in Section 2.1 of
   [RFC3986].





Hunt, et al.           Expires September 21, 2016               [Page 2]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   Throughout this documents all figures MAY contain spaces and extra
   line-wrapping for readability and space limitations.  Similarly, some
   URI's contained within examples, have been shortened for space and
   readability reasons.

1.2.  Definitions

   This specification uses definitions from the specification
   [idevent-token].

2.  SCIM Events

   SCIM events JSON objects that are encoded in JWT form as per
   [idevent-token].  An event includes a eventUri which indicates the
   type of event and the event specific attributes.  An event also
   includes standard JWT attributes "iss", "aud", "jti", and "iat" which
   indicates the event publisher (issuer), the the event feeds
   (audience), a token identifier, and the date of issue (iat).

2.1.  Common Event Attributes

   The following attributes are defined for all events defined in
   Section 2.3 or any schema defined within the uri namespace
   "urn:ietf:params:events:SCIM".

   id
      An optional multi-valued SCIM "id" value of the affected
      resource(s) as defined in Section 3.1 [RFC7643].  If provided the
      identifiers MUST correspond to the values referenced in
      "resourceUris".

   attributes
      A multi-valued list of affected SCIM attributes.  Each attribute
      listed may be a fully-qualified attribute name or an attribute
      "path" as defined in Figure 7 of Section 3.3.2 of [RFC7644]

   values
      A JSON object structure containing the affected attributes and
      their associated values.  If the "values" attribute is supplied,
      the event message MUST be encrypted.  Service providers SHOULD
      take care to ensure that eligible subscribers are able to see
      attribute values.  Alternatively, subscribers MAY use the
      resourceURIs to retrieve the final attribute values.  When doing
      so, the SCIM service provider can then assess the subscribers
      right to obtain the actual attribute values.






Hunt, et al.           Expires September 21, 2016               [Page 3]

Internet-Draft           draft-hunt-idevent-scim              March 2016


      For a password change event, in maximal disclosure mode ( see
      Section 2.2), the clear text password attribute value MAY be
      included in the values"values" attribute.

2.2.  Disclosure Profiles

   SCIM events are intended to disclose the minimum amount of
   information required to provide co-ordination between asynchronous
   systems.  This has the effect of eliminating most error signaling
   conditions and simplifies privacy and security considerations.

   For each event type, the following levels of disclosure are defined,
   for which different security considerations may apply:

   Minimal
      In general, the main information content is the event description
      itself.  The event contents typically includes only REQUIRED
      attributes.  Because no data content is exchanged, encryption of
      the event message is not required.

   Default
      In general the default information is exchanged.  This includes
      the "sub" attribute and a list of affected SCIM attributes.
      Typically attribute values are not provided.  Encryption of the
      event message is typically not required unless otherwise stated.

   Maximal
      In maximal mode, all data involved in the state change is
      exchanged.  To prevent leakage of information, implementers SHOULD
      encrypt events that convey attributes about resources.  This
      profile should typically be used when co-ordinating information
      between tightly-coupled systems that are part of a common
      administrative domain.

   In the case of "minimal" and "default" disclosures, a subscriber MAY
   use a follow-up SCIM GET (see Section 3.4 [RFC7644] to obtain the
   current state of the resource (sub) following the event.  While this
   may be seen as costly (as a second call), using SCIM GET enables
   simpler error signalling, access control, distribution enforcement by
   the event publisher.

2.3.  SCIM Events

2.3.1.  urn:ietf:params:event:SCIM:add
   The specified resource URI was added to the feed.  An add does not
   indicate a resource is new or has been recently created.  For
   example, an existing user has had a new role (e.g.  CRM_User) added
   to their profile which has caused their resource to join a feed.



Hunt, et al.           Expires September 21, 2016               [Page 4]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   The following is an example of a minimal disclosure Add Event
   message(it has been modified for readability):

{
  "jti": "6164f3bbf6ff41a88dc94f18cb0620e8",
  "eventUris":[
    "urn:ietf:params:event:SCIM:add"
  ],
  "iat": 1458505044,
  "iss":"https://scim.example.com",
  "aud":[
   "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754"
  ],
  "sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462",
}

                     Figure 1: Example SCIM Add Event

2.3.2.  urn:ietf:params:event:SCIM:create
   The new resource URI has been created at the service provider and has
   been added to the feed.  When a CREATE event is sent, a corresponding
   ADD event is not issued.  In "minimal" disclosure mode, event
   specific data is returned.  In "default" disclosure, the "attributes"
   attribute is returned disclosing what attributes were created at the
   publisher.  In "maximal" disclosure mode, set of values reflecting
   the final state of the resource at the service provider are provided
   in the "values" attribute and MUST be encrypted as a JWE (see
   [idevent-token]).























Hunt, et al.           Expires September 21, 2016               [Page 5]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   The following is an example SCIM Create event message(it has been
   modified for readability) and uses maximal disclosure:

   {
     "jti": "4d3559ec67504aaba65d40b0363faad8",
     "eventUris":[
       "urn:ietf:params:event:SCIM:create"
     ],
     "iat": 1458496404,
     "iss":"https://scim.example.com",
     "aud":[
      "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754",
      "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7"
     ],
     "sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9",
     "urn:ietf:params:event:SCIM:create":{
       "attributes":["id","name","userName","password","emails"],
       "values":{
         "emails":[
          {"type":"work","value":"jdoe@example.com"}
         ],
         "password":"not4u2no",
         "userName":"jdoe",
         "id":"44f6142df96bd6ab61e7521d9",
         "name":{
           "givenName":"John",
           "familyName":"Doe"
         }
       }
     }
   }

         Figure 2: Example SCIM Create Event (Maximal Disclosure)

   In the above example, the user "jdoe" is created with values an email
   address, an initial password, and a name.  Note that when raw data is
   sent, it is advisable to protect the event using JWE (see Section 2.2
   [idevent-token]).













Hunt, et al.           Expires September 21, 2016               [Page 6]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   The following is an example SCIM Create event message(it has been
   modified for readability) and uses default disclosure:

   {
     "jti": "4d3559ec67504aaba65d40b0363faad8",
     "eventUris":[
       "urn:ietf:params:event:SCIM:create"
     ],
     "iat": 1458496404,
     "iss":"https://scim.example.com",
     "aud":[
      "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754",
      "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7"
     ],
     "sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9",
     "urn:ietf:params:event:SCIM:create":{
       "attributes":["id","name","userName","password","emails"],
     }
   }

   The event above notifies the subscriber which attributes are
   available from the SCIM event publisher, but does not convey the
   actual information.  The subscriber MAY retrieve that information by
   performing a SCIM GET to the "sub" value specified.

         Figure 3: Example SCIM Create Event (Default Disclosure)

2.3.3.  urn:ietf:params:event:SCIM:activate
   The specified resource (e.g.  User) has been activated.  This
   optional event is used to indicate a high-level change in state as
   agreed between the publisher and subscriber.  For example, an
   activated resource is one that can now have an active session (may
   log in) from a security perspective (may log in).  Typically this
   event discloses only minimal information.

















Hunt, et al.           Expires September 21, 2016               [Page 7]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   The following is an example of a minimal disclosure Activate Event
   message(it has been modified for readability):

{
  "jti": "6164f3bbf6ff41a88dc94f18cb0620e8",
  "eventUris":[
    "urn:ietf:params:event:SCIM:activate"
  ],
  "iat": 1458505044,
  "iss":"https://scim.example.com",
  "aud":[
   "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754"
  ],
  "sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462",
}

                   Figure 4: Example SCIM Activate Event

2.3.4.  urn:ietf:params:event:SCIM:modify
   The specified resource has been updated (e.g. one or more attributes
   has changed).  As with the create event, this event MAY be expressed
   in minimal, default, and maximal modes.

2.3.5.  urn:ietf:params:event:SCIM:deactivate
   The specified resource (e.g.  User) has been deactivated and
   disabled.  The exact meaning must be agreed to by a SCIM publisher
   and its corresponding subscriber.  Typically this means the sub may
   no longer have an active security session.  As with the activate
   event, this event has minimal disclosure requirements.

2.3.6.  urn:ietf:params:event:SCIM:delete
   The specified resource has been deleted from the SCIM publisher.  The
   resource is also removed from the feed.  When a DELETE is sent, a
   corresponding REMOVE is not issued.  A delete event has minimal
   disclosure profile only.
















Hunt, et al.           Expires September 21, 2016               [Page 8]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   The following is an example of a minimal disclosure Delete Event
   message(it has been modified for readability):

{
  "jti": "6164f3bbf6ff41a88dc94f18cb0620e8",
  "eventUris":[
    "urn:ietf:params:event:SCIM:delete"
  ],
  "iat": 1458505044,
  "iss":"https://scim.example.com",
  "aud":[
   "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754"
  ],
  "sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462",
}

                    Figure 5: Example SCIM Delete Event

2.3.7.  urn:ietf:params:event:SCIM:remove
   The specified resource has been removed from the feed.  Removal does
   not indicate that the resource was deleted or otherwise deactivated.
   This event has minimal disclosure.

   The following is an example of a minimal disclosure Remove Event
   message(it has been modified for readability):

{
  "jti": "6164f3bbf6ff41a88dc94f18cb0620e8",
  "eventUris":[
    "urn:ietf:params:event:SCIM:remove"
  ],
  "iat": 1458505044,
  "iss":"https://scim.example.com",
  "aud":[
   "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754"
  ],
  "sub": "https://scim.example.com/Users/2b2f880af6674ac284bae9381673d462",
}

                    Figure 6: Example SCIM Remove Event

2.3.8.  urn:ietf:params:event:SCIM:password
   The specified resource (e.g.  User) has changed its password or the
   password has been reset.  When the password has changed, the
   "attributes" attribute is supplied with the value "password".






Hunt, et al.           Expires September 21, 2016               [Page 9]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   The following is a non-normative example showing a password change
   event using minimal disclosure:

   {
     "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
     "eventUris":[
       "urn:ietf:params:event:SCIM:password"
     ],
     "iat": 1458496025,
     "iss": "https://scim.example.com",
     "aud":[
       "https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754",
       "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7"
     ],
     "sub":
       "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9",
   }

               Figure 7: Example SCIM Password Change Event

   The password event MAY be extended to conveys a password reset, the
   event MAY include an additional eventUri value of
   "urn:ietf:params:event:extension:example.com:password" which includes
   the attribute "resetAttempts".  "resetAttempts" indicates the current
   number of reset attempts since the last successful login by the
   subject.

























Hunt, et al.           Expires September 21, 2016              [Page 10]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   The following is a non-normative example showing a password reset
   event:

   {
     "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
     "eventUris":[
       "urn:ietf:params:event:SCIM:password",
       "urn:ietf:params:event:extension:example.com:password"
     ],
     "iat": 1458496025,
     "iss": "https://scim.example.com",
     "aud":[
       "https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754",
       "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7"
     ],
     "sub":
       "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9",
     "urn:ietf:params:event:SCIM:password":{
       "id":"44f6142df96bd6ab61e7521d9",
     },
     "urn:ietf:params:event:extension:example.com:password":{
        "resetAttempts":4
     }
   }

                Figure 8: Example SCIM Password Reset Event

3.  Security Considerations

   [[TO BE COMPLETED]]

4.  IANA Considerations

   This section registers the schema extensions found in Section 2.3 in
   the "Event" registry as per Section 4.2 [idevent-token].

   Schema URI:  See Section 2.3.

   Schema Name:  See corresponding names under Section 2.3.

   Intented ResourceType:  N/A.  Events are not intended to be persisted
      in SCIM.

   Purpose:  See each description in Section 2.3.

   Single-valued Attributes:  None.





Hunt, et al.           Expires September 21, 2016              [Page 11]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   Multi-valued Attributes:  All schemas in this specification share the
      same attributes.  See Section 2.1.

                   Summary of schema URI registrations:

   +---------------------------------------+-------------+-------------+
   | Schema URI                            | Name        | Reference   |
   +---------------------------------------+-------------+-------------+
   | urn:ietf:params:event:SCIM:add        | Resource    | Section 2.3 |
   |                                       | added to    |             |
   |                                       | Feed Event  |             |
   | urn:ietf:params:event:SCIM:remove     | Resource    | Section 2.3 |
   |                                       | Removal     |             |
   |                                       | From Feed   |             |
   |                                       | Event       |             |
   | urn:ietf:params:event:SCIM:create     | New         | Section 2.3 |
   |                                       | Resource    |             |
   |                                       | Event       |             |
   | urn:ietf:params:event:SCIM:modify     | Resource    | Section 2.3 |
   |                                       | Modified    |             |
   |                                       | Event       |             |
   | urn:ietf:params:event:SCIM:delete     | Resource    | Section 2.3 |
   |                                       | Deleted     |             |
   |                                       | Event       |             |
   | urn:ietf:params:event:SCIM:activate   | Resource    | Section 2.3 |
   |                                       | Activated   |             |
   |                                       | Event       |             |
   | urn:ietf:params:event:SCIM:deactivate | Resource    | Section 2.3 |
   |                                       | Deactivated |             |
   |                                       | Event       |             |
   | urn:ietf:params:event:SCIM:password   | Password    | Section 2.3 |
   |                                       | Change      |             |
   |                                       | Event       |             |
   +---------------------------------------+-------------+-------------+

5.  References

5.1.  Normative References

   [idevent-subscription]
              Oracle Corporation, "Identity Event Subscription Protocol
              (work in progress)".

   [idevent-token]
              Oracle Corporation, "Identity Event Token (work in
              progress)".





Hunt, et al.           Expires September 21, 2016              [Page 12]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <http://www.rfc-editor.org/info/rfc3986>.

   [RFC7643]  Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C.
              Mortimore, "System for Cross-domain Identity Management:
              Core Schema", RFC 7643, DOI 10.17487/RFC7643, September
              2015, <http://www.rfc-editor.org/info/rfc7643>.

5.2.  Informative References

   [RFC7644]  Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
              and C. Mortimore, "System for Cross-domain Identity
              Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
              September 2015, <http://www.rfc-editor.org/info/rfc7644>.

Appendix A.  Contributors

Appendix B.  Acknowledgments

   The editor would like to thank the participants in the the SCIM
   working group and the id-event list for their support of this
   specification.

Appendix C.  Change Log

   Draft 00 - PH - First Draft

Authors' Addresses

   Phil Hunt (editor)
   Oracle Corporation

   Email: phil.hunt@yahoo.com


   William Denniss
   Salesforce.com

   Email: wdenniss@google.com





Hunt, et al.           Expires September 21, 2016              [Page 13]

Internet-Draft           draft-hunt-idevent-scim              March 2016


   Morteza Ansari
   Cisco

   Email: morteza.ansari@cisco.com















































Hunt, et al.           Expires September 21, 2016              [Page 14]