tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search     info

RFC 7643

 
 
 

System for Cross-domain Identity Management: Core Schema

Part 2 of 4, p. 13 to 33
Prev RFC Part       Next RFC Part

 


prevText      Top      Up      ToC       Page 13 
3.  SCIM Resources

   Each SCIM resource is a JSON object that has the following
   components:

   Resource Type
      Each resource (or JSON object) in SCIM has a resource type
      ("meta.resourceType"; see Section 3.1) that defines the resource's
      core attribute schema and any attribute extension schema, as well
      as the endpoint where objects of the same type may be found.  More
      information about a resource MAY be found in its resource type
      definition (see Section 6).

   "Schemas" Attribute
      The "schemas" attribute is a REQUIRED attribute and is an array of
      Strings containing URIs that are used to indicate the namespaces
      of the SCIM schemas that define the attributes present in the
      current JSON structure.  This attribute may be used by parsers to
      define the attributes present in the JSON structure that is the
      body to an HTTP request or response.  Each String value must be a
      unique URI.  All representations of SCIM schemas MUST include a
      non-empty array with value(s) of the URIs supported by that
      representation.  The "schemas" attribute for a resource MUST only
      contain values defined as "schema" and "schemaExtensions" for the
      resource's defined "resourceType".  Duplicate values MUST NOT be
      included.  Value order is not specified and MUST NOT impact
      behavior.

   Common Attributes
      A resource's common attributes are those attributes that are part
      of every SCIM resource, regardless of the value of the "schemas"
      attribute present in a JSON body.  These attributes are not
      defined in any particular schema but SHALL be assumed to be
      present in every resource, regardless of the value of the
      "schemas" attribute.  See Section 3.1.

Top      Up      ToC       Page 14 
   Core Attributes
      A resource's core attributes are those attributes that sit at the
      top level of the JSON object together with the common attributes
      (such as the resource "id").  The list of valid attributes is
      specified by the resource's resource type "schema" attribute (see
      Section 6).  This same value is also present in the resource's
      "schemas" attribute.

   Extended Attributes
      Extended schema attributes are specified by the resource's
      resource type "schemaExtensions" attribute (see Section 6).
      Unlike core attributes, extended attributes are kept in their own
      sub-attribute namespace identified by the schema extension URI.
      This avoids attribute name conflicts that may arise due to
      conflicts from separate schema extensions.

Top      Up      ToC       Page 15 
   The following example "User" contains the common attributes "id" and
   "externalId", as well as the complex attribute "meta", which contains
   the sub-attribute "resourceType".  The resource also contains core
   attributes "userName" and "name", as well as extended enterprise User
   attributes "employeeNumber" and "costCenter", which are contained in
   their own JSON substructure identified by their schema URI.  Some
   values have been omitted (...), shortened, or spaced out for clarity.

   {
     "schemas":
       ["urn:ietf:params:scim:schemas:core:2.0:User",
         "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],

     "id": "2819c223-7f76-453a-413861904646",
     "externalId": "701984",

     "userName": "bjensen@example.com",
     "name": {
       "formatted": "Ms. Barbara J Jensen, III",
       "familyName": "Jensen",
       "givenName": "Barbara",
       "middleName": "Jane",
       "honorificPrefix": "Ms.",
       "honorificSuffix": "III"
     },
    ...

     "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
       "employeeNumber": "701984",
       "costCenter": "4130",
       ...
     },

     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff591\"",
       "location":
         "https://example.com/v2/Users/2819c223-7f76-453a-413861904646"
     }
   }

                 Figure 2: Example JSON Resource Structure

Top      Up      ToC       Page 16 
3.1.  Common Attributes

   Each SCIM resource (Users, Groups, etc.) includes the following
   common attributes.  With the exception of the "ServiceProviderConfig"
   and "ResourceType" server discovery endpoints and their associated
   resources, these attributes MUST be defined for all resources,
   including any extended resource types.  When accepted by a service
   provider (e.g., after a SCIM create), the attributes "id" and "meta"
   (and its associated sub-attributes) MUST be assigned values by the
   service provider.  Common attributes are considered to be part of
   every base resource schema and do not use their own "schemas" URI.

   For backward compatibility, some existing schema definitions MAY list
   common attributes as part of the schema.  The attribute
   characteristics (see Section 2.2) listed here SHALL take precedence
   over older definitions that may be included in existing schemas.

   id
      A unique identifier for a SCIM resource as defined by the service
      provider.  Each representation of the resource MUST include a
      non-empty "id" value.  This identifier MUST be unique across the
      SCIM service provider's entire set of resources.  It MUST be a
      stable, non-reassignable identifier that does not change when the
      same resource is returned in subsequent requests.  The value of
      the "id" attribute is always issued by the service provider and
      MUST NOT be specified by the client.  The string "bulkId" is a
      reserved keyword and MUST NOT be used within any unique identifier
      value.  The attribute characteristics are "caseExact" as "true", a
      mutability of "readOnly", and a "returned" characteristic of
      "always".  See Section 9 for additional considerations regarding
      privacy.

   externalId
      A String that is an identifier for the resource as defined by the
      provisioning client.  The "externalId" may simplify identification
      of a resource between the provisioning client and the service
      provider by allowing the client to use a filter to locate the
      resource with an identifier from the provisioning domain,
      obviating the need to store a local mapping between the
      provisioning domain's identifier of the resource and the
      identifier used by the service provider.  Each resource MAY
      include a non-empty "externalId" value.  The value of the
      "externalId" attribute is always issued by the provisioning client
      and MUST NOT be specified by the service provider.  The service
      provider MUST always interpret the externalId as scoped to the
      provisioning domain.  While the server does not enforce
      uniqueness, it is assumed that the value's uniqueness is
      controlled by the client setting the value.  See Section 9 for

Top      Up      ToC       Page 17 
      additional considerations regarding privacy.  This attribute has
      "caseExact" as "true" and a mutability of "readWrite".  This
      attribute is OPTIONAL.

   meta
      A complex attribute containing resource metadata.  All "meta"
      sub-attributes are assigned by the service provider (have a
      "mutability" of "readOnly"), and all of these sub-attributes have
      a "returned" characteristic of "default".  This attribute SHALL be
      ignored when provided by clients.  "meta" contains the following
      sub-attributes:

      resourceType  The name of the resource type of the resource.  This
         attribute has a mutability of "readOnly" and "caseExact" as
         "true".

      created  The "DateTime" that the resource was added to the service
         provider.  This attribute MUST be a DateTime.

      lastModified  The most recent DateTime that the details of this
         resource were updated at the service provider.  If this
         resource has never been modified since its initial creation,
         the value MUST be the same as the value of "created".

      location  The URI of the resource being returned.  This value MUST
         be the same as the "Content-Location" HTTP response header (see
         Section 3.1.4.2 of [RFC7231]).

      version  The version of the resource being returned.  This value
         must be the same as the entity-tag (ETag) HTTP response header
         (see Sections 2.1 and 2.3 of [RFC7232]).  This attribute has
         "caseExact" as "true".  Service provider support for this
         attribute is optional and subject to the service provider's
         support for versioning (see Section 3.14 of [RFC7644]).  If a
         service provider provides "version" (entity-tag) for a
         representation and the generation of that entity-tag does not
         satisfy all of the characteristics of a strong validator (see
         Section 2.1 of [RFC7232]), then the origin server MUST mark the
         "version" (entity-tag) as weak by prefixing its opaque value
         with "W/" (case sensitive).

Top      Up      ToC       Page 18 
3.2.  Defining New Resource Types

   SCIM may be extended to define new classes of resources by defining a
   resource type.  Each resource type defines the name, endpoint, base
   schema (the attributes), and any schema extensions registered for use
   with the resource type.  In order to offer new types of resources, a
   service provider defines the new resource type as specified in
   Section 6 and defines a schema representation (see Section 8.7).

3.3.  Attribute Extensions to Resources

   SCIM allows resource types to have extensions in addition to their
   core schema.  This is similar to how "objectClasses" are used in LDAP
   [RFC4512].  However, unlike LDAP, there is no inheritance model; all
   extensions are additive (similar to the LDAP auxiliary object class).
   Each value in the "schemas" attribute indicates additive schema that
   MAY exist in a SCIM resource representation.  The "schemas" attribute
   MUST contain at least one value, which SHALL be the base schema for
   the resource.  The "schemas" attribute MAY contain additional values
   indicating extended schemas that are in use.  Schema extensions
   SHOULD avoid redefining any attributes defined in this specification
   and SHOULD follow conventions defined in this specification.  Except
   for the base object schema, the schema extension URI SHALL be used as
   a JSON container to distinguish attributes belonging to the extension
   namespace from base schema attributes.  See Figure 5, which is an
   example of the JSON representation of an enterprise User and is also
   an example of a User with extended schema.

   In order to determine which URI value in the "schemas" attribute is
   the base schema and which is an extended schema for any given
   resource, the resource's "resourceType" attribute value MAY be used
   to retrieve the resource's "ResourceType" schema (see Section 6).
   See the "ResourceType" representation in Figure 8 for an example.

Top      Up      ToC       Page 19 
4.  SCIM Core Resources and Extensions

   This section defines the default resource schemas present in a SCIM
   server.  SCIM is not exclusive to these resources and may be extended
   to support other resource types (see Section 3.2).

4.1.  "User" Resource Schema

   SCIM provides a resource type for "User" resources.  The core schema
   for "User" is identified using the following schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:User".  The following
   attributes are defined in addition to the core schema attributes:

4.1.1.  Singular Attributes

   userName
      A service provider's unique identifier for the user, typically
      used by the user to directly authenticate to the service provider.
      Often displayed to the user as their unique identifier within the
      system (as opposed to "id" or "externalId", which are generally
      opaque and not user-friendly identifiers).  Each User MUST include
      a non-empty userName value.  This identifier MUST be unique across
      the service provider's entire set of Users.  This attribute is
      REQUIRED and is case insensitive.

   name
      The components of the user's name.  Service providers MAY return
      just the full name as a single string in the formatted
      sub-attribute, or they MAY return just the individual component
      attributes using the other sub-attributes, or they MAY return
      both.  If both variants are returned, they SHOULD be describing
      the same name, with the formatted name indicating how the
      component attributes should be combined.

      formatted  The full name, including all middle names, titles, and
         suffixes as appropriate, formatted for display (e.g.,
         "Ms. Barbara Jane Jensen, III").

      familyName  The family name of the User, or last name in most
         Western languages (e.g., "Jensen" given the full name
         "Ms. Barbara Jane Jensen, III").

      givenName  The given name of the User, or first name in most
         Western languages (e.g., "Barbara" given the full name
         "Ms. Barbara Jane Jensen, III").

      middleName  The middle name(s) of the User (e.g., "Jane" given the
         full name "Ms. Barbara Jane Jensen, III").

Top      Up      ToC       Page 20 
      honorificPrefix  The honorific prefix(es) of the User, or title in
         most Western languages (e.g., "Ms." given the full name
         "Ms. Barbara Jane Jensen, III").

      honorificSuffix  The honorific suffix(es) of the User, or suffix
         in most Western languages (e.g., "III" given the full name
         "Ms. Barbara Jane Jensen, III").

   displayName
      The name of the user, suitable for display to end-users.  Each
      user returned MAY include a non-empty displayName value.  The name
      SHOULD be the full name of the User being described, if known
      (e.g., "Babs Jensen" or "Ms. Barbara J Jensen, III") but MAY be a
      username or handle, if that is all that is available (e.g.,
      "bjensen").  The value provided SHOULD be the primary textual
      label by which this User is normally displayed by the service
      provider when presenting it to end-users.

   nickName
      The casual way to address the user in real life, e.g., "Bob" or
      "Bobby" instead of "Robert".  This attribute SHOULD NOT be used to
      represent a User's username (e.g., bjensen or mpepperidge).

   profileUrl
      A URI that is a uniform resource locator (as defined in
      Section 1.1.3 of [RFC3986]) and that points to a location
      representing the user's online profile (e.g., a web page).  URIs
      are canonicalized per Section 6.2 of [RFC3986].

   title
      The user's title, such as "Vice President".

   userType
      Used to identify the relationship between the organization and the
      user.  Typical values used might be "Contractor", "Employee",
      "Intern", "Temp", "External", and "Unknown", but any value may be
      used.

   preferredLanguage
      Indicates the user's preferred written or spoken languages and is
      generally used for selecting a localized user interface.  The
      value indicates the set of natural languages that are preferred.
      The format of the value is the same as the HTTP Accept-Language
      header field (not including "Accept-Language:") and is specified
      in Section 5.3.5 of [RFC7231].  The intent of this value is to
      enable cloud applications to perform matching of language tags
      [RFC4647] to the user's language preferences, regardless of what
      may be indicated by a user agent (which might be shared), or in an

Top      Up      ToC       Page 21 
      interaction that does not involve a user (such as in a delegated
      OAuth 2.0 [RFC6749] style interaction) where normal HTTP
      Accept-Language header negotiation cannot take place.

   locale
      Used to indicate the User's default location for purposes of
      localizing such items as currency, date time format, or numerical
      representations.  A valid value is a language tag as defined in
      [RFC5646].  Computer languages are explicitly excluded.

      A language tag is a sequence of one or more case-insensitive
      sub-tags, each separated by a hyphen character ("-", %x2D).  For
      backward compatibility, servers MAY accept tags separated by an
      underscore character ("_", %x5F).  In most cases, a language tag
      consists of a primary language sub-tag that identifies a broad
      family of related languages (e.g., "en" = English) and that is
      optionally followed by a series of sub-tags that refine or narrow
      that language's range (e.g., "en-CA" = the variety of English as
      communicated in Canada).  Whitespace is not allowed within a
      language tag.  Example tags include:

           fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN

      See [RFC5646] for further information.

   timezone
      The User's time zone, in IANA Time Zone database format [RFC6557],
      also known as the "Olson" time zone database format [Olson-TZ]
      (e.g., "America/Los_Angeles").

   active
      A Boolean value indicating the user's administrative status.  The
      definitive meaning of this attribute is determined by the service
      provider.  As a typical example, a value of true implies that the
      user is able to log in, while a value of false implies that the
      user's account has been suspended.

Top      Up      ToC       Page 22 
   password
      This attribute is intended to be used as a means to set, replace,
      or compare (i.e., filter for equality) a password.  The cleartext
      value or the hashed value of a password SHALL NOT be returnable by
      a service provider.  If a service provider holds the value
      locally, the value SHOULD be hashed.  When a password is set or
      changed by the client, the cleartext password SHOULD be processed
      by the service provider as follows:

      *  Prepare the cleartext value for international language
         comparison.  See Section 7.8 of [RFC7644].

      *  Validate the value against server password policy.  Note: The
         definition and enforcement of password policy are beyond the
         scope of this document.

      *  Ensure that the value is encrypted (e.g., hashed).  See
         Section 9.2 for acceptable hashing and encryption handling when
         storing or persisting for provisioning workflow reasons.

      A service provider that immediately passes the cleartext value on
      to another system or programming interface MUST pass the value
      directly over a secured connection (e.g., Transport Layer Security
      (TLS)).  If the value needs to be temporarily persisted for a
      period of time (e.g., because of a workflow) before provisioning,
      then the value MUST be protected by some method, such as
      encryption.

      Testing for an equality match MAY be supported if there is an
      existing stored hashed value.  When testing for equality, the
      service provider:

      *  Prepares the filter value for international language
         comparison.  See Section 7.8 of [RFC7644].

      *  Generates the salted hash of the filter value and tests for a
         match with the locally held value.

      The mutability of the password attribute is "writeOnly",
      indicating that the value MUST NOT be returned by a service
      provider in any form (the attribute characteristic "returned" is
      "never").

Top      Up      ToC       Page 23 
4.1.2.  Multi-Valued Attributes

   The following multi-valued attributes are defined.

   emails
      Email addresses for the User.  The value SHOULD be specified
      according to [RFC5321].  Service providers SHOULD canonicalize the
      value according to [RFC5321], e.g., "bjensen@example.com" instead
      of "bjensen@EXAMPLE.COM".  The "display" sub-attribute MAY be used
      to return the canonicalized representation of the email value.
      The "type" sub-attribute is used to provide a classification
      meaningful to the (human) user.  The user interface should
      encourage the use of basic values of "work", "home", and "other"
      and MAY allow additional type values to be used at the discretion
      of SCIM clients.

   phoneNumbers
      Phone numbers for the user.  The value SHOULD be specified
      according to the format defined in [RFC3966], e.g.,
      'tel:+1-201-555-0123'.  Service providers SHOULD canonicalize the
      value according to [RFC3966] format, when appropriate.  The
      "display" sub-attribute MAY be used to return the canonicalized
      representation of the phone number value.  The sub-attribute
      "type" often has typical values of "work", "home", "mobile",
      "fax", "pager", and "other" and MAY allow more types to be defined
      by the SCIM clients.

   ims
      Instant messaging address for the user.  No official
      canonicalization rules exist for all instant messaging addresses,
      but service providers SHOULD, when appropriate, remove all
      whitespace and convert the address to lowercase.  The "type"
      sub-attribute SHOULD take one of the following values: "aim",
      "gtalk", "icq", "xmpp", "msn", "skype", "qq", "yahoo", or "other"
      (representing currently popular IM services at the time of this
      writing).  Service providers MAY add further values if new IM
      services are introduced and MAY specify more detailed
      canonicalization rules for each possible value.

   photos
      A URI that is a uniform resource locator (as defined in
      Section 1.1.3 of [RFC3986]) that points to a resource location
      representing the user's image.  The resource MUST be a file (e.g.,
      a GIF, JPEG, or PNG image file) rather than a web page containing
      an image.  Service providers MAY return the same image in
      different sizes, although it is recognized that no standard for
      describing images of various sizes currently exists.  Note that
      this attribute SHOULD NOT be used to send down arbitrary photos

Top      Up      ToC       Page 24 
      taken by this user; instead, profile photos of the user that are
      suitable for display when describing the user should be sent.
      Instead of the standard canonical values for type, this attribute
      defines the following canonical values to represent popular photo
      sizes: "photo" and "thumbnail".

   addresses
      A physical mailing address for this user.  Canonical type values
      of "work", "home", and "other".  This attribute is a complex type
      with the following sub-attributes.  All sub-attributes are
      OPTIONAL.

      formatted  The full mailing address, formatted for display or use
         with a mailing label.  This attribute MAY contain newlines.

      streetAddress  The full street address component, which may
         include house number, street name, P.O. box, and multi-line
         extended street address information.  This attribute MAY
         contain newlines.

      locality  The city or locality component.

      region  The state or region component.

      postalCode  The zip code or postal code component.

      country  The country name component.  When specified, the value
         MUST be in ISO 3166-1 "alpha-2" code format [ISO3166]; e.g.,
         the United States and Sweden are "US" and "SE", respectively.

   groups
      A list of groups to which the user belongs, either through direct
      membership, through nested groups, or dynamically calculated.  The
      values are meant to enable expression of common group-based or
      role-based access control models, although no explicit
      authorization model is defined.  It is intended that the semantics
      of group membership and any behavior or authorization granted as a
      result of membership are defined by the service provider.  The
      canonical types "direct" and "indirect" are defined to describe
      how the group membership was derived.  Direct group membership
      indicates that the user is directly associated with the group and
      SHOULD indicate that clients may modify membership through the
      "Group" resource.  Indirect membership indicates that user
      membership is transitive or dynamic and implies that clients
      cannot modify indirect group membership through the "Group"
      resource but MAY modify direct group membership through the
      "Group" resource, which may influence indirect memberships.  If
      the SCIM service provider exposes a "Group" resource, the "value"

Top      Up      ToC       Page 25 
      sub-attribute MUST be the "id", and the "$ref" sub-attribute must
      be the URI of the corresponding "Group" resources to which the
      user belongs.  Since this attribute has a mutability of
      "readOnly", group membership changes MUST be applied via the
      "Group" Resource (Section 4.2).  This attribute has a mutability
      of "readOnly".

   entitlements
      A list of entitlements for the user that represent a thing the
      user has.  An entitlement may be an additional right to a thing,
      object, or service.  No vocabulary or syntax is specified; service
      providers and clients are expected to encode sufficient
      information in the value so as to accurately and without ambiguity
      determine what the user has access to.  This value has no
      canonical types, although a type may be useful as a means to scope
      entitlements.

   roles
      A list of roles for the user that collectively represent who the
      user is, e.g., "Student", "Faculty".  No vocabulary or syntax is
      specified, although it is expected that a role value is a String
      or label representing a collection of entitlements.  This value
      has no canonical types.

   x509Certificates
      A list of certificates associated with the resource (e.g., a
      User).  Each value contains exactly one DER-encoded X.509
      certificate (see Section 4 of [RFC5280]), which MUST be base64
      encoded per Section 4 of [RFC4648].  A single value MUST NOT
      contain multiple certificates and so does not contain the encoding
      "SEQUENCE OF Certificate" in any guise.

4.2.  "Group" Resource Schema

   SCIM provides a schema for representing groups, identified using the
   following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group".

   "Group" resources are meant to enable expression of common
   group-based or role-based access control models, although no explicit
   authorization model is defined.  It is intended that the semantics of
   group membership, and any behavior or authorization granted as a
   result of membership, are defined by the service provider; these are
   considered out of scope for this specification.

Top      Up      ToC       Page 26 
   The following singular attribute is defined in addition to the common
   attributes defined in the SCIM core schema:

   displayName
      A human-readable name for the Group.  REQUIRED.

   The following multi-valued attribute is defined in addition to the
   common attributes defined in the SCIM core schema:

   members
      A list of members of the Group.  While values MAY be added or
      removed, sub-attributes of members are "immutable".  The "value"
      sub-attribute contains the value of an "id" attribute of a SCIM
      resource, and the "$ref" sub-attribute must be the URI of a SCIM
      resource such as a "User", or a "Group".  The intention of the
      "Group" type is to allow the service provider to support nested
      groups.  Service providers MAY require clients to provide a
      non-empty value by setting the "required" attribute characteristic
      of a sub-attribute of the "members" attribute in the "Group"
      resource schema.

4.3.  Enterprise User Schema Extension

   The following SCIM extension defines attributes commonly used in
   representing users that belong to, or act on behalf of, a business or
   enterprise.  The enterprise User extension is identified using the
   following schema URI:
   "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User".

   The following singular attributes are defined:

   employeeNumber
      A string identifier, typically numeric or alphanumeric, assigned
      to a person, typically based on order of hire or association with
      an organization.

   costCenter
      Identifies the name of a cost center.

   organization
      Identifies the name of an organization.

   division
      Identifies the name of a division.

   department
      Identifies the name of a department.

Top      Up      ToC       Page 27 
   manager
      The user's manager.  A complex type that optionally allows service
      providers to represent organizational hierarchy by referencing the
      "id" attribute of another User.

      value  The "id" of the SCIM resource representing the user's
         manager.  RECOMMENDED.

      $ref  The URI of the SCIM resource representing the User's
         manager.  RECOMMENDED.

      displayName  The displayName of the user's manager.  This
         attribute is OPTIONAL, and mutability is "readOnly".

5.  Service Provider Configuration Schema

   SCIM provides a schema for representing the service provider's
   configuration, identified using the following schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig".

   The service provider configuration resource enables a service
   provider to discover SCIM specification features in a standardized
   form as well as provide additional implementation details to clients.
   All attributes have a mutability of "readOnly".  Unlike other core
   resources, the "id" attribute is not required for the service
   provider configuration resource.

   The following singular attributes are defined in addition to the
   common attributes defined in the core schema:

   documentationUri
      An HTTP-addressable URL pointing to the service provider's
      human-consumable help documentation.  OPTIONAL.

   patch
      A complex type that specifies PATCH configuration options.
      REQUIRED.  See Section 3.5.2 of [RFC7644].

      supported  A Boolean value specifying whether or not the operation
         is supported.  REQUIRED.

   bulk
      A complex type that specifies bulk configuration options.  See
      Section 3.7 of [RFC7644].  REQUIRED.

      supported  A Boolean value specifying whether or not the operation
         is supported.  REQUIRED.

Top      Up      ToC       Page 28 
      maxOperations  An integer value specifying the maximum number of
         operations.  REQUIRED.

      maxPayloadSize  An integer value specifying the maximum payload
         size in bytes.  REQUIRED.

   filter
      A complex type that specifies FILTER options.  REQUIRED.  See
      Section 3.4.2.2 of [RFC7644].

      supported  A Boolean value specifying whether or not the operation
         is supported.  REQUIRED.

      maxResults  An integer value specifying the maximum number of
         resources returned in a response.  REQUIRED.

   changePassword
      A complex type that specifies configuration options related to
      changing a password.  REQUIRED.

      supported  A Boolean value specifying whether or not the operation
         is supported.  REQUIRED.

   sort
      A complex type that specifies Sort configuration options.
      REQUIRED.

      supported  A Boolean value specifying whether or not sorting is
         supported.  REQUIRED.

   etag
      A complex type that specifies ETag configuration options.
      REQUIRED.

      supported  A Boolean value specifying whether or not the operation
         is supported.  REQUIRED.

Top      Up      ToC       Page 29 
   The following multi-valued attribute is defined in addition to the
   common attributes defined in the core schema:

   authenticationSchemes
      A multi-valued complex type that specifies supported
      authentication scheme properties.  To enable seamless discovery of
      configurations, the service provider SHOULD, with the appropriate
      security considerations, make the authenticationSchemes attribute
      publicly accessible without prior authentication.  REQUIRED.  The
      following sub-attributes are defined:

      type  The authentication scheme.  This specification defines the
         values "oauth", "oauth2", "oauthbearertoken", "httpbasic", and
         "httpdigest".  REQUIRED.

      name  The common authentication scheme name, e.g., HTTP Basic.
         REQUIRED.

      description  A description of the authentication scheme.
         REQUIRED.

      specUri  An HTTP-addressable URL pointing to the authentication
         scheme's specification.  OPTIONAL.

      documentationUri  An HTTP-addressable URL pointing to the
         authentication scheme's usage documentation.  OPTIONAL.

6.  ResourceType Schema

   The "ResourceType" schema specifies the metadata about a resource
   type.  Resource type resources are READ-ONLY and identified using the
   following schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:ResourceType".  Unlike other
   core resources, all attributes are REQUIRED unless otherwise
   specified.  The "id" attribute is not required for the resource type
   resource.

   The following singular attributes are defined:

   id
      The resource type's server unique id.  This is often the same
      value as the "name" attribute.  OPTIONAL.

   name
      The resource type name.  When applicable, service providers MUST
      specify the name, e.g., "User" or "Group".  This name is
      referenced by the "meta.resourceType" attribute in all resources.
      REQUIRED.

Top      Up      ToC       Page 30 
   description
      The resource type's human-readable description.  When applicable,
      service providers MUST specify the description.  OPTIONAL.

   endpoint
      The resource type's HTTP-addressable endpoint relative to the Base
      URL of the service provider, e.g., "Users".  REQUIRED.

   schema
      The resource type's primary/base schema URI, e.g.,
      "urn:ietf:params:scim:schemas:core:2.0:User".  This MUST be equal
      to the "id" attribute of the associated "Schema" resource.
      REQUIRED.

   schemaExtensions
      A list of URIs of the resource type's schema extensions.
      OPTIONAL.

      schema  The URI of an extended schema, e.g., "urn:edu:2.0:Staff".
         This MUST be equal to the "id" attribute of a "Schema"
         resource.  REQUIRED.

      required  A Boolean value that specifies whether or not the schema
         extension is required for the resource type.  If true, a
         resource of this type MUST include this schema extension and
         also include any attributes declared as required in this schema
         extension.  If false, a resource of this type MAY omit this
         schema extension.  REQUIRED.

7.  Schema Definition

   This section defines a way to specify the schema in use by resources
   available and accepted by a SCIM service provider.  For each
   "schemas" URI value, this schema specifies the defined attribute(s)
   and their characteristics (mutability, returnability, etc).  For
   every schema URI used in a resource object, there is a corresponding
   "Schema" resource.  "Schema" resources are not modifiable, and their
   associated attributes have a mutability of "readOnly".  Except for
   "id" (which is always returned), all attributes have a "returned"
   characteristic of "default".  Unless otherwise specified, all schema
   attributes are case insensitive.  These resources have a "schemas"
   attribute with the following schema URI:

   urn:ietf:params:scim:schemas:core:2.0:Schema

   Unlike other core resources, the "Schema" resource MAY contain a
   complex object within a sub-attribute, and all attributes are
   REQUIRED unless otherwise specified.

Top      Up      ToC       Page 31 
   The following singular attributes are defined:

   id
      The unique URI of the schema.  When applicable, service providers
      MUST specify the URI, e.g.,
      "urn:ietf:params:scim:schemas:core:2.0:User".  Unlike most other
      schemas, which use some sort of Globally Unique Identifier (GUID)
      for the "id", the schema "id" is a URI so that it can be
      registered and is portable between different service providers and
      clients.  REQUIRED.

   name
      The schema's human-readable name.  When applicable, service
      providers MUST specify the name, e.g., "User" or "Group".
      OPTIONAL.

   description
      The schema's human-readable description.  When applicable, service
      providers MUST specify the description.  OPTIONAL.

   The following multi-valued attribute is defined:

   attributes
      A complex type that defines service provider attributes and their
      qualities via the following set of sub-attributes:

      name  The attribute's name.

      type  The attribute's data type.  Valid values are "string",
         "boolean", "decimal", "integer", "dateTime", "reference", and
         "complex".  When an attribute is of type "complex", there
         SHOULD be a corresponding schema attribute "subAttributes"
         defined, listing the sub-attributes of the attribute.

      subAttributes  When an attribute is of type "complex",
         "subAttributes" defines a set of sub-attributes.
         "subAttributes" has the same schema sub-attributes as
         "attributes".

      multiValued  A Boolean value indicating the attribute's plurality.

      description  The attribute's human-readable description.  When
         applicable, service providers MUST specify the description.

      required  A Boolean value that specifies whether or not the
         attribute is required.

Top      Up      ToC       Page 32 
      canonicalValues  A collection of suggested canonical values that
         MAY be used (e.g., "work" and "home").  In some cases, service
         providers MAY choose to ignore unsupported values.  OPTIONAL.

      caseExact  A Boolean value that specifies whether or not a string
         attribute is case sensitive.  The server SHALL use case
         sensitivity when evaluating filters.  For attributes that are
         case exact, the server SHALL preserve case for any value
         submitted.  If the attribute is case insensitive, the server
         MAY alter case for a submitted value.  Case sensitivity also
         impacts how attribute values MAY be compared against filter
         values (see Section 3.4.2.2 of [RFC7644]).

      mutability  A single keyword indicating the circumstances under
         which the value of the attribute can be (re)defined:

         readOnly  The attribute SHALL NOT be modified.

         readWrite  The attribute MAY be updated and read at any time.
            This is the default value.

         immutable  The attribute MAY be defined at resource creation
            (e.g., POST) or at record replacement via a request (e.g., a
            PUT).  The attribute SHALL NOT be updated.

         writeOnly  The attribute MAY be updated at any time.  Attribute
            values SHALL NOT be returned (e.g., because the value is a
            stored hash).  Note: An attribute with a mutability of
            "writeOnly" usually also has a returned setting of "never".

      returned  A single keyword that indicates when an attribute and
         associated values are returned in response to a GET request or
         in response to a PUT, POST, or PATCH request.  Valid keywords
         are as follows:

         always  The attribute is always returned, regardless of the
            contents of the "attributes" parameter.  For example, "id"
            is always returned to identify a SCIM resource.

         never  The attribute is never returned.  This may occur because
            the original attribute value (e.g., a hashed value) is not
            retained by the service provider.  A service provider MAY
            allow attributes to be used in a search filter.

Top      Up      ToC       Page 33 
         default  The attribute is returned by default in all SCIM
            operation responses where attribute values are returned.  If
            the GET request "attributes" parameter is specified,
            attribute values are only returned if the attribute is named
            in the "attributes" parameter.  DEFAULT.

         request  The attribute is returned in response to any PUT,
            POST, or PATCH operations if the attribute was specified by
            the client (for example, the attribute was modified).  The
            attribute is returned in a SCIM query operation only if
            specified in the "attributes" parameter.

      uniqueness  A single keyword value that specifies how the service
         provider enforces uniqueness of attribute values.  A server MAY
         reject an invalid value based on uniqueness by returning HTTP
         response code 400 (Bad Request).  A client MAY enforce
         uniqueness on the client side to a greater degree than the
         service provider enforces.  For example, a client could make a
         value unique while the server has uniqueness of "none".  Valid
         keywords are as follows:

         none  The values are not intended to be unique in any way.
            DEFAULT.

         server  The value SHOULD be unique within the context of the
            current SCIM endpoint (or tenancy) and MAY be globally
            unique (e.g., a "username", email address, or other
            server-generated key or counter).  No two resources on the
            same server SHOULD possess the same value.

         global  The value SHOULD be globally unique (e.g., an email
            address, a GUID, or other value).  No two resources on any
            server SHOULD possess the same value.

      referenceTypes  A multi-valued array of JSON strings that indicate
         the SCIM resource types that may be referenced.  Valid values
         are as follows:

         +  A SCIM resource type (e.g., "User" or "Group"),

         +  "external" - indicating that the resource is an external
            resource (e.g., a photo), or

         +  "uri" - indicating that the reference is to a service
            endpoint or an identifier (e.g., a schema URN).

         This attribute is only applicable for attributes that are of
         type "reference" (Section 2.3.7).


Next RFC Part