<div dir="ltr"><div>Hi Phil,</div><div><br></div><div>OIDC & SCIM integration is also discussed in OpenID Foundation Japan Enterprize Identity WG (EIWG).</div><div>Since currently their OIDC & SCIM integration guidline document is publised only in Japanese, I summalize it in short.</div><div><br></div><div>In their use-case, OIDC Server is acting as SCIM Client, and provision user data to OIDC RPs which acts as SCIM Server.</div><div>To do that, they're proposing these 2 attributes as SCIM user scheme extension.</div><div>* "idTokenClaims.issuer"</div><div>* "idTokenClaims.subject"</div><div><br></div><div>I think ID Token claims "scim_id" and "scim_location" can be alternative of the above SCIM extension attributes for OIDF-J EWIG use-case, too.</div><div>However, the meaning of "scim_id" and "scim_location" will be different in EIWG case.</div><div>"scim_id" will be the User ID on OP (=SCIM Client) side, and "scim_location" will be SCIM Server endpoint on RP side which is used when OP provision the user's profile data to RP.</div><div><br></div><div>Moreover, it might be useful if OIDC Client Registration accepts SCIM Client credentials and SCIM Server Endpoint URL from RP (= SCIM Server).</div><div><br></div><div>Cheers,</div><div><br></div><div>nov</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-06-22 1:13 GMT+09:00 Phil Hunt <span dir="ltr"><<a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Any comments or feedback? I know a number indicated they plan to read the draft.<div><br><div>
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div><span style="border-collapse:separate;line-height:normal;border-spacing:0px"><div style="word-wrap:break-word"><div><div><div>Phil</div><div><br></div><div>@independentid</div><div><a href="http://www.independentid.com" target="_blank">www.independentid.com</a></div></div></div></div></span><a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a></div><div><br></div></div><br></div><br><br>
</div>
<br><div><blockquote type="cite"><div><div class="h5"><div>On Jun 15, 2016, at 1:10 PM, Phil Hunt <<a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a>> wrote:</div><br></div></div><div><div><div class="h5"><div style="word-wrap:break-word">Please find attached, a draft proposal from Chuck Mortimore and myself on using SCIM as an alternate endpoint for profile services in the context of Connect.<div><br></div><div>This specification defines:</div><div>a. Discovery metadata (scim_endpoint) indicating availability of a SCIM Protocol base endpoint</div><div>b. Dynamic registration metadata (scim_profile) used to indicate a client intends to use SCIM in addition to or instead of UserInfo</div><div>c. An additional ID Token claim (scim_id and scim_location) which specifies the SCIM resource endpoint and identifier associated with the authenticated subject.</div><div><br></div><div>By doing this, clients can avoid having to do an external authorization and another round of exchanges to access User profile information with full CRUD features.</div><div><br></div><div>Clients can also access SCIM’s more sophisticated query system to ask questions if the authenticated user has particular conditions (e.g. querying a sub-attribute such as “country” in the “addresses” attribute). </div><div><br></div><div>As an example use case: A cloud provider wants to build a user-profile self-service portal. OIDC does the authentication of the user and allows the web service to access the CRUD features of SCIM for the updates.</div><div><br></div><div><div>
<div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div><span style="border-collapse:separate;line-height:normal;border-spacing:0px"><div style="word-wrap:break-word"><div><div><div>Phil</div><div><br></div><div>@independentid</div><div><a href="http://www.independentid.com/" target="_blank">www.independentid.com</a></div></div></div></div></span><a href="mailto:phil.hunt@oracle.com" target="_blank">phil.hunt@oracle.com</a></div><div></div></div></div></div></div></div></div></div><span class=""><span><Draft: OpenID Connect Profile for SCIM Services.html></span><div style="word-wrap:break-word"><div><div><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div></div></div></div></div></div></div><span><openid-connect-scim-profile-1_0.txt></span><div style="word-wrap:break-word"><div><div><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div></div></div><br></div><br><br>
</div>
<br></div></div>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br></span></div></blockquote></div><br></div></div><br>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br></div>