[Openid-specs-ab] Profile for using SCIM with OpenID Connect

Phil Hunt (IDM) phil.hunt at oracle.com
Thu Jun 23 02:37:06 UTC 2016


Nov,

Thanks for the comparison. Very interesting!

Phil

> On Jun 22, 2016, at 7:07 PM, matake, nov <nov at matake.jp> wrote:
> 
> Hi Phil,
> 
> OIDC & SCIM integration is also discussed in the OpenID Foundation Japan Enterprise Identity WG (EIWG).
> Since currently their OIDC & SCIM integration guideline document is published only in Japanese, I summarize it in short.
> 
> In their use-case, the OIDC Server is acting as SCIM Client, and provisions user data to OIDC RPs, which act as SCIM Servers.
> To do that, they're proposing these 2 attributes as a SCIM User schema extension.
> * "idTokenClaims.issuer"
> * "idTokenClaims.subject"
> 
> I think ID Token claims "scim_id" and "scim_location" can be an alternative to the above SCIM extension attributes for the OIDF-J EIWG use-case, too.
> However, the meaning of "scim_id" and "scim_location" will be different in the EIWG case.
> "scim_id" will be the User ID on the OP (=SCIM Client) side, and "scim_location" will be the SCIM Server endpoint on the RP side which is used when the OP provisions the user's profile data to the RP.
> 
> Moreover, it might be useful if OIDC Client Registration accepts SCIM Client credentials and the SCIM Server Endpoint URL from the RP (= SCIM Server).
> 
> Cheers,
> 
> nov
> 
> 
> 2016-06-22 1:13 GMT+09:00 Phil Hunt <phil.hunt at oracle.com>:
>> Any comments or feedback? I know a number indicated they plan to read the draft.
>> 
>> Phil
>> 
>> @independentid
>> www.independentid.com
>> phil.hunt at oracle.com
>> 
>> 
>> 
>> 
>> 
>>> On Jun 15, 2016, at 1:10 PM, Phil Hunt <phil.hunt at oracle.com> wrote:
>>> 
>>> Please find attached, a draft proposal from Chuck Mortimore and myself on using SCIM as an alternate endpoint for profile services in the context of Connect.
>>> 
>>> This specification defines:
>>> a. Discovery metadata (scim_endpoint) indicating availability of a SCIM Protocol base endpoint
>>> b. Dynamic registration metadata (scim_profile) used to indicate a client intends to use SCIM in addition to or instead of UserInfo
>>> c. An additional ID Token claim (scim_id and scim_location) which specifies the SCIM resource endpoint and identifier associated with the authenticated subject.
>>> 
>>> By doing this, clients can avoid having to do an external authorization and another round of exchanges to access User profile information with full CRUD features.
>>> 
>>> Clients can also access SCIM’s more sophisticated query system to ask questions if the authenticated user has particular conditions (e.g. querying a sub-attribute such as “country” in the “addresses” attribute).  
>>> 
>>> As an example use case: A cloud provider wants to build a user-profile self-service portal. OIDC does the authentication of the user and allows the web service to access the CRUD features of SCIM for the updates.
>>> 
>>> Phil
>>> 
>>> @independentid
>>> www.independentid.com
>>> phil.hunt at oracle.com
>>> <Draft: OpenID Connect Profile for SCIM Services.html>
>>> <openid-connect-scim-profile-1_0.txt>
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
>> 
> 
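An added example, not part of the draft or of any message in this thread: an RP-side consistency check of the scim_id / scim_location ID Token claims described above against the OP's discovery metadata. The claim and metadata names are the ones Phil lists; the rule that scim_location must resolve under the discovered scim_endpoint and end in scim_id is an assumption of this example, not a requirement the draft states.

```python
# Added example (not from the draft or the thread): an RP checks the SCIM
# claims of an already-verified ID Token against the OP's discovery document
# before following scim_location, so a stray or tampered claim cannot send
# it to a SCIM server other than the one the OP advertises.
# The consistency rule below is this example's assumption, not the draft's.
from urllib.parse import urlsplit

# Constructed sample discovery document (only the relevant keys).
DISCOVERY = {
    "issuer": "https://op.example.com",
    "scim_endpoint": "https://op.example.com/scim/v2",
}


def scim_resource_url(discovery, claims):
    """Return the SCIM User URL the client may fetch, or raise ValueError.

    `claims` is the ID Token payload after signature, iss, aud and exp have
    been verified elsewhere. scim_location must share scheme and host with
    the OP's scim_endpoint, sit under its path, and name scim_id as its last
    path segment.
    """
    base = discovery.get("scim_endpoint")
    if not base:
        raise ValueError("OP does not advertise scim_endpoint")
    scim_id, location = claims.get("scim_id"), claims.get("scim_location")
    if not scim_id or not location:
        raise ValueError("ID Token lacks scim_id/scim_location")
    b, l = urlsplit(base), urlsplit(location)
    if l.scheme != "https" or (l.scheme, l.netloc) != (b.scheme, b.netloc):
        raise ValueError("scim_location is not on the OP's SCIM origin")
    if not l.path.startswith(b.path.rstrip("/") + "/"):
        raise ValueError("scim_location is outside scim_endpoint")
    if l.path.rstrip("/").rsplit("/", 1)[-1] != scim_id:
        raise ValueError("scim_location does not name scim_id")
    return location


def claims_consistent(discovery, claims):
    """Boolean form of the check, for callers that just want yes/no."""
    try:
        scim_resource_url(discovery, claims)
        return True
    except ValueError:
        return False


# Constructed ID Token payloads (user id and URLs are made up for the example).
GOOD_CLAIMS = {
    "iss": "https://op.example.com", "sub": "alice", "scim_id": "u-1234",
    "scim_location": "https://op.example.com/scim/v2/Users/u-1234",
}
BAD_CLAIMS = dict(GOOD_CLAIMS,
                  scim_location="https://other.example/scim/v2/Users/u-1234")
```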