[Openid-specs-ab] Profile for using SCIM with OpenID Connect

matake, nov nov at matake.jp
Thu Jun 23 02:07:00 UTC 2016


Hi Phil,

OIDC & SCIM integration is also discussed in the OpenID Foundation Japan
Enterprise Identity WG (EIWG).
Since their OIDC & SCIM integration guideline document is currently published
only in Japanese, I summarize it in short.

In their use-case, the OIDC Server is acting as a SCIM Client and provisions user
data to OIDC RPs, which act as SCIM Servers.
To do that, they're proposing these 2 attributes as a SCIM user schema
extension.
* "idTokenClaims.issuer"
* "idTokenClaims.subject"

I think the ID Token claims "scim_id" and "scim_location" can be an alternative to
the above SCIM extension attributes for the OIDF-J EIWG use-case, too.
However, the meaning of "scim_id" and "scim_location" will be different in the
EIWG case:
"scim_id" will be the User ID on the OP (= SCIM Client) side, and
"scim_location" will be the SCIM Server endpoint on the RP side, which is used when
the OP provisions the user's profile data to the RP.

Moreover, it might be useful if OIDC Client Registration accepts SCIM
Client credentials and the SCIM Server Endpoint URL from the RP (= SCIM Server).

Cheers,

nov


2016-06-22 1:13 GMT+09:00 Phil Hunt <phil.hunt at oracle.com>:

> Any comments or feedback? I know a number indicated they plan to read the
> draft.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt at oracle.com
>
> On Jun 15, 2016, at 1:10 PM, Phil Hunt <phil.hunt at oracle.com> wrote:
>
> Please find attached a draft proposal from Chuck Mortimore and myself on
> using SCIM as an alternate endpoint for profile services in the context of
> Connect.
>
> This specification defines:
> a. Discovery metadata (scim_endpoint) indicating availability of a SCIM
> Protocol base endpoint
> b. Dynamic registration metadata (scim_profile) used to indicate a client
> intends to use SCIM in addition to or instead of UserInfo
> c. Additional ID Token claims (scim_id and scim_location) which
> specify the SCIM resource endpoint and identifier associated with the
> authenticated subject.
>
> By doing this, clients can avoid having to do an external authorization
> and another round of exchanges to access User profile information with full
> CRUD features.
>
> Clients can also access SCIM’s more sophisticated query system to ask
> whether the authenticated user satisfies particular conditions (e.g.
> querying a sub-attribute such as “country” in the “addresses” attribute).
>
> As an example use case: A cloud provider wants to build a user-profile
> self-service portal. OIDC does the authentication of the user and allows
> the web service to access the CRUD features of SCIM for the updates.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt at oracle.com
> <Draft: OpenID Connect Profile for SCIM Services.html>
> <openid-connect-scim-profile-1_0.txt>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
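Added example (not code from either draft or from the EIWG guideline) showing the two models discussed in this thread side by side: an RP check on the scim_id/scim_location ID Token claims from Phil's draft against the scim_endpoint discovery metadata, and the EIWG variant where the OP provisions a SCIM User carrying idTokenClaims.issuer/subject and the RP later matches the login to that user. The discovery document, claim values and the extension schema URN are constructed placeholders; the thread names only the attributes, not a schema URN.

```python
from urllib.parse import urlparse

# Constructed sample OP discovery document and ID Token claim set (illustrative values only).
DISCOVERY = {"issuer": "https://op.example.com", "scim_endpoint": "https://op.example.com/scim/v2"}
ID_TOKEN_CLAIMS = {
    "iss": "https://op.example.com",
    "sub": "248289761001",
    "scim_id": "2819c223-7f76-453a-919d-413861904646",
    "scim_location": "https://op.example.com/scim/v2/Users/2819c223-7f76-453a-919d-413861904646",
}
# Hypothetical schema URN for the EIWG "idTokenClaims" extension; the thread names only the attributes.
EIWG_EXT = "urn:example:params:scim:schemas:extension:idTokenClaims:2.0:User"


def scim_location_is_trusted(claims: dict, discovery: dict) -> bool:
    """RP-side check before calling the SCIM resource named in the ID Token.

    The RP only follows scim_location if it lies under the scim_endpoint that the same
    issuer advertises in discovery and its last path segment equals scim_id, so a token
    cannot steer the RP (and its access token) to a foreign SCIM server or resource."""
    if claims.get("iss") != discovery.get("issuer"):
        return False
    loc = urlparse(claims.get("scim_location", ""))
    base = urlparse(discovery.get("scim_endpoint", ""))
    if loc.scheme != "https" or loc.netloc != base.netloc:
        return False
    prefix = base.path.rstrip("/") + "/"
    return loc.path.startswith(prefix) and loc.path.rsplit("/", 1)[-1] == claims.get("scim_id")


def eiwg_user_resource(claims: dict, user_name: str) -> dict:
    """SCIM User the OP (acting as SCIM client) provisions to the RP's SCIM server in
    the EIWG model, carrying the proposed idTokenClaims.issuer/subject attributes."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", EIWG_EXT],
        "userName": user_name,
        EIWG_EXT: {"idTokenClaims": {"issuer": claims["iss"], "subject": claims["sub"]}},
    }


def find_provisioned_user(users: list, claims: dict):
    """RP-side lookup at login: match on the (issuer, subject) pair, never on sub alone,
    because sub values are only unique within one issuer."""
    for user in users:
        ext = user.get(EIWG_EXT, {}).get("idTokenClaims", {})
        if ext.get("issuer") == claims.get("iss") and ext.get("subject") == claims.get("sub"):
            return user
    return None
```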