[Openid-specs-ab] FW: Profile for using SCIM with OpenID Connect

Mike Jones Michael.Jones at microsoft.com
Thu Jul 7 15:36:05 UTC 2016


On the working group call today, a decision to adopt this document was made, subject to working group feedback on the mailing list.  Please review this document by Thursday, July 14th and provide any comments, positive or negative, on its adoption.

Technical feedback on the specification is also welcomed and can be incorporated in subsequent versions following adoption.

                           -- Mike (writing as working group secretary)

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Phil Hunt
Sent: Wednesday, June 15, 2016 1:10 PM
To: openid-specs-ab at lists.openid.net
Cc: Ian Glazer <iglazer at salesforce.com>
Subject: [Openid-specs-ab] Profile for using SCIM with OpenID Connect

Please find attached a draft proposal from Chuck Mortimore and myself on using SCIM as an alternate endpoint for profile services in the context of Connect.

This specification defines:
a. Discovery metadata (scim_endpoint) indicating availability of a SCIM Protocol base endpoint
b. Dynamic registration metadata (scim_profile) used to indicate a client intends to use SCIM in addition to or instead of UserInfo
c. An additional ID Token claim (scim_id and scim_location) which specifies the SCIM resource endpoint and identifier associated with the authenticated subject.

By doing this, clients can avoid having to do an external authorization and another round of exchanges to access User profile information with full CRUD features.

Clients can also access SCIM’s more sophisticated query system to ask questions if the authenticated user has particular conditions (e.g. querying a sub-attribute such as “country” in the “addresses” attribute).

As an example use case: A cloud provider wants to build a user-profile self-service portal. OIDC does the authentication of the user and allows the web service to access the CRUD features of SCIM for the updates.

Phil

@independentid
www.independentid.com
phil.hunt at oracle.com
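The three pieces of metadata listed above (scim_endpoint, scim_profile, scim_id and scim_location) give a client everything it needs to locate the subject's SCIM resource, but it should not follow a scim_location blindly: a relying party that trusts whatever URL appears in the token could be steered to a SCIM host other than the one the provider advertised. The following is an added illustration, not code from the draft or from its authors; the discovery document and ID Token claims are constructed samples, the token is assumed to have been signature-validated already, and the rule that scim_id equals the last path segment of scim_location is an assumption for the example rather than something the message states.

```python
from urllib.parse import urlsplit

# Constructed provider discovery metadata (not a real provider).
# "scim_endpoint" is the discovery field described in the draft.
DISCOVERY = {
    "issuer": "https://op.example.com",
    "scim_endpoint": "https://op.example.com/scim/v2",
}

# Constructed ID Token claims, assumed already signature-verified.
ID_TOKEN_CLAIMS = {
    "iss": "https://op.example.com",
    "sub": "248289761001",
    "scim_id": "2819c223-7f76-453a-919d-413861904646",
    "scim_location": "https://op.example.com/scim/v2/Users/"
                     "2819c223-7f76-453a-919d-413861904646",
}


class ScimClaimError(ValueError):
    """Raised when the SCIM claims do not tie back to the advertised endpoint."""


def resolve_scim_resource(discovery, claims):
    """Return the SCIM resource URL the client may use for this subject,
    or raise ScimClaimError if the claims point anywhere else."""
    base = discovery.get("scim_endpoint")
    if not base:
        raise ScimClaimError("provider advertises no scim_endpoint")
    base_parts = urlsplit(base)
    if base_parts.scheme != "https":
        raise ScimClaimError("scim_endpoint must be https")
    scim_id = claims.get("scim_id")
    location = claims.get("scim_location")
    if not scim_id or not location:
        raise ScimClaimError("ID Token carries no scim_id/scim_location")
    loc_parts = urlsplit(location)
    # Exact origin match: "op.example.com.evil.net" must not pass.
    if (loc_parts.scheme, loc_parts.netloc) != (base_parts.scheme, base_parts.netloc):
        raise ScimClaimError("scim_location origin differs from scim_endpoint")
    # Path must sit under the base path; the trailing "/" stops "/scim/v2evil".
    if not loc_parts.path.startswith(base_parts.path.rstrip("/") + "/"):
        raise ScimClaimError("scim_location is outside scim_endpoint")
    # Assumption for this example: the resource id is the last path segment.
    if loc_parts.path.rstrip("/").rsplit("/", 1)[-1] != scim_id:
        raise ScimClaimError("scim_id does not match scim_location")
    return location
```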
An embedded and charset-unspecified text was scrubbed...
Name: openid-connect-scim-profile-1_0.txt
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160707/df6fdb8a/attachment-0002.txt>