WG Review: System for Cross-domain Identity Management (scim)

2021-10-08   The IESG
A new IETF WG has been proposed in the Applications and Real-Time Area. The
IESG has not made any determination yet. The following draft charter was
submitted, and is provided for informational purposes only. Please send your
comments to the IESG mailing list (i...@ietf.org) by 2021-10-18.

System for Cross-domain Identity Management (scim)
---
Current status: Proposed WG

Chairs:
  Nancy Cam-Winget 

Assigned Area Director:
  Roman Danyliw 

Applications and Real-Time Area Directors:
  Murray Kucherawy 
  Francesca Palombini 

Mailing list:
  Address: s...@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/scim
  Archive: https://mailarchive.ietf.org/arch/browse/scim/

Group page: https://datatracker.ietf.org/group/scim/

Charter: https://datatracker.ietf.org/doc/charter-ietf-scim/

The System for Cross-domain Identity Management (SCIM) specifications provide
an HTTP-based protocol (RFC7643) and schema (RFC7644) that makes managing
identities in multi-domain scenarios easier.  Since its publication in 2015,
SCIM has seen growing adoption.

The first goal of this working group is to incorporate implementation
experience; errata and interoperability feedback; and current security and
best practices into a revised version of RFC7643 (protocol) and RFC7644 (base
schema) suitable for consideration at the Internet Standard level of
specification maturity.

Additionally, implementation experience with SCIM has surfaced new use cases
and requirements.  The WG will document them in a revision of RFC7642. The WG
will also consider publishing extensions to SCIM that have found broad
adoption. These extensions may include profiles and schemas for
interoperability in additional use cases.

The currently planned scope of work for the SCIM WG is:

* Revision of RFC 7642 that will:
  * Focus on use cases and implementation patterns
  * Pull vs. push based use cases
  * Events and signals use cases
  * Deletion use cases
  * New use cases may be added to the revised RFC
* Revision of RFC 7643 and 7644 that will include:
  * Profiling SCIM relationships with other identity-centric protocols such
    as OAuth 2.0, OpenID Connect, Shared Signals, and FastFed
  * Updates to the evolution of the externalId usage
  * Updates to account state for capturing the context of the state, or
    change in state, of the user's account
  * Multi-value query filtering and paging (based on draft-hunt-scim-mv-paging)
* Define a method for coordinating resources between domains:
  * Incremental approach to synchronization
  * Consider building off of RFC 8417 and draft-hunt-idevent-scim
* Support for deletion-related goals including:
  * Handling deletes in SCIM servers that don't allow deletes (soft
    deletes) (based on draft-ansari-scim-soft-delete)
* Support for advanced automation scenarios such as:
  * Discovery and negotiation of client credentials
  * Attribute mapping
  * Per-attribute schema negotiation
* Enhance the existing schema to support the exchange of HR, enterprise group
  and privileged access management data (based on draft-grizzle-scim-pam-ext)

Milestones:

  Dec 2021 - Working group adoption of I-D for revising RFC7642

  Dec 2021 - Working group adoption of I-Ds for Soft Delete

  Mar 2022 - Working group adoption of I-Ds (either new or existing) for
  privileged access management

  Mar 2022 - Working group adoption of I-Ds for Multi-valued paging

  Mar 2022 - Working Group adoption of I-Ds for coordination/synchronization
  between domains

  Jun 2022 - Progress I-D revising RFC7642 to WGLC

  Jun 2022 - Working group adoption of I-D revising RFC7643

  Jun 2022 - Working group adoption of I-D revising RFC7644

  Dec 2022 - Progress I-Ds for Soft Delete to WGLC

  Dec 2022 - Progress I-Ds for Multi-valued paging to WGLC

  Mar 2023 - Progress I-Ds (either new or existing) for privileged access
  management to WGLC

  Jun 2023 - Progress I-Ds for coordination/synchronization between domains
  to WGLC

  Jun 2023 - Progress I-D revising RFC7643 to WGLC

  Jun 2023 - Progress I-D revising RFC7644 to WGLC



___
IETF-Announce mailing list
IETF-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-announce


WG Review: System for Cross-domain Identity Management (SCIM)

2012-05-31   IESG Secretary
A new IETF working group has been proposed in the Applications 
Area.  The IESG has not made any determination as yet. The following 
draft charter was submitted, and is provided for informational purposes 
only. Please send your comments to the IESG mailing list (i...@ietf.org) 
by June 7, 2012.   
 
System for Cross-domain Identity Management (SCIM)
--
Status: Proposed Working Group

Last updated: 2012-05-29

Chair(s): TBD 

Applications Area Director(s):
  Pete Resnick presn...@qualcomm.com 
  Barry Leiba barryle...@computer.org 

Mailing Lists:
  General Discussion: s...@ietf.org
  To Subscribe:   https://www.ietf.org/mailman/listinfo/scim
  Archive:http://www.ietf.org/mail-archive/web/scim/
 
Description of Working Group:

The System for Cross-domain Identity Management (SCIM) working group
will standardize methods for creating, reading, searching, modifying,
and deleting user identities and identity-related objects across
administrative domains, with the goal of simplifying common tasks
related to user identity management in services and applications.

Standardize does not necessarily mean that the working group will
develop new technologies.  For example, the existing specifications
for SCIM 1.0 provide RESTful interfaces on top of HTTP rather than
defining a new application protocol.

Today, distributed identity management across administrative domains
is complicated by a lack of protocol and schema standardization
between consumers and producers of identities.  This has led to a
number of approaches, including error-prone manual administration and
bulk file uploads, as well as proprietary protocols and mediation
devices that must be adapted to each service for each organization. 
While there is existing work in the field, it has not been widely
adopted for a variety of reasons, including a lack of common artifacts
such as schema, toolsets, and libraries.

The SCIM working group will develop the core schema and RESTful
interfaces to address these problems.  Initially, the group will focus
on
- a schema definition
- a set of operations for creation, modification, and deletion of users
- schema discovery
- read and search
- bulk operations
- mapping between the inetOrgPerson LDAP object class (RFC 2798) and
  the SCIM schema

It will follow that by considering extensions for client targeting of
specific SCIM endpoints and SAML binding.  The approach will be
extensible.

The group will use, as starting points, the following drafts in the
following ways:
 draft-scim-use-cases-00 as the initial use cases for SCIM
 draft-scim-core-schema-00 as the schema specification
 draft-scim-api-00 as the protocol specification

These drafts are based on existing specifications, which together are
commonly known as SCIM 1.0.  Because there is existing work with
existing implementations, some consideration should be given to
backward compatibility, though getting it right takes priority.  This
group will consider the operational experience gathered from the
existing work, as well as experiences with work done by other bodies,
including the OASIS Provisioning TC.

The use cases document will be a living document, guiding the
working group during its development of the standards.  The group may
take snapshots of that document for Informational publication, to
serve as documentation of the motivation for the work in progress
and to similarly guide planning and implementation.

The group will produce Proposed Standards for a schema, a REST-based
protocol, and a SAML binding, as well as an Informational document
defining an LDAP mapping. In doing so, the group will make the
terminology consistent, identify any functional gaps that would be
useful for future work, address internationalization, and provide
guidelines and mechanisms for extensibility.

In addition, the working group will ensure that the SCIM protocol
embodies good security practices. Given both the sensitivity of the
information being conveyed in SCIM messages and the regulatory
requirements regarding the privacy of personally identifiable
information, the working group will pay particular attention to issues
around authorization, authenticity, and privacy.

The group considers the following out of scope for this group:
 Defining new authentication schemes
 Defining new policy/authorization schemes

Milestones

06/2012  Initial adoption of SCIM use cases, as a living document
06/2012  Initial adoption of SCIM core schema
08/2012  Initial adoption of SCIM restful interface draft
12/2012  Snapshot version of SCIM use cases to IESG as Informational
         (possibly)
12/2012  Proposal for client targeting of SCIM endpoints
01/2013  Initial adoption of SCIM LDAP inetOrgPerson mapping draft
02/2013  SCIM core schema to IESG as Proposed Standard
05/2013  SCIM restful interface to IESG as Proposed Standard
06/2013  SCIM LDAP inetOrgPerson