<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<title>FastFed Profile for SCIM Provisioning - draft 01</title>
<style type="text/css" title="Xml2Rfc (sans serif)">
/*<![CDATA[*/
a {
text-decoration: none;
}
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a.smpl {
color: black;
}
a:hover {
text-decoration: underline;
}
a:active {
text-decoration: underline;
}
address {
margin-top: 1em;
margin-left: 2em;
font-style: normal;
}
body {
color: black;
font-family: verdana, helvetica, arial, sans-serif;
font-size: 10pt;
max-width: 55em;
}
cite {
font-style: normal;
}
dd {
margin-right: 2em;
}
dl {
margin-left: 2em;
}
ul.empty {
list-style-type: none;
}
ul.empty li {
margin-top: .5em;
}
dl p {
margin-left: 0em;
}
dt {
margin-top: .5em;
}
h1 {
font-size: 14pt;
line-height: 21pt;
page-break-after: avoid;
}
h1.np {
page-break-before: always;
}
h1 a {
color: #333333;
}
h2 {
font-size: 12pt;
line-height: 15pt;
page-break-after: avoid;
}
h3, h4, h5, h6 {
font-size: 10pt;
page-break-after: avoid;
}
h2 a, h3 a, h4 a, h5 a, h6 a {
color: black;
}
img {
margin-left: 3em;
}
li {
margin-left: 2em;
margin-right: 2em;
}
ol {
margin-left: 2em;
margin-right: 2em;
}
ol p {
margin-left: 0em;
}
p {
margin-left: 2em;
margin-right: 2em;
}
pre {
margin-left: 3em;
background-color: lightyellow;
padding: .25em;
}
pre.text2 {
border-style: dotted;
border-width: 1px;
background-color: #f0f0f0;
width: 69em;
}
pre.inline {
background-color: white;
padding: 0em;
}
pre.text {
border-style: dotted;
border-width: 1px;
background-color: #f8f8f8;
width: 69em;
}
pre.drawing {
border-style: solid;
border-width: 1px;
background-color: #f8f8f8;
padding: 2em;
}
table {
margin-left: 2em;
}
table.tt {
vertical-align: top;
}
table.full {
border-style: outset;
border-width: 1px;
}
table.headers {
border-style: outset;
border-width: 1px;
}
table.tt td {
vertical-align: top;
}
table.full td {
border-style: inset;
border-width: 1px;
}
table.tt th {
vertical-align: top;
}
table.full th {
border-style: inset;
border-width: 1px;
}
table.headers th {
border-style: none none inset none;
border-width: 1px;
}
table.left {
margin-right: auto;
}
table.right {
margin-left: auto;
}
table.center {
margin-left: auto;
margin-right: auto;
}
caption {
caption-side: bottom;
font-weight: bold;
font-size: 9pt;
margin-top: .5em;
}
table.header {
border-spacing: 1px;
width: 95%;
font-size: 10pt;
color: white;
}
td.top {
vertical-align: top;
}
td.topnowrap {
vertical-align: top;
white-space: nowrap;
}
table.header td {
background-color: gray;
width: 50%;
}
table.header a {
color: white;
}
td.reference {
vertical-align: top;
white-space: nowrap;
padding-right: 1em;
}
thead {
display:table-header-group;
}
ul.toc, ul.toc ul {
list-style: none;
margin-left: 1.5em;
margin-right: 0em;
padding-left: 0em;
}
ul.toc li {
line-height: 150%;
font-weight: bold;
font-size: 10pt;
margin-left: 0em;
margin-right: 0em;
}
ul.toc li li {
line-height: normal;
font-weight: normal;
font-size: 9pt;
margin-left: 0em;
margin-right: 0em;
}
li.excluded {
font-size: 0pt;
}
ul p {
margin-left: 0em;
}
.comment {
background-color: yellow;
}
.center {
text-align: center;
}
.error {
color: red;
font-style: italic;
font-weight: bold;
}
.figure {
font-weight: bold;
text-align: center;
font-size: 9pt;
}
.filename {
color: #333333;
font-weight: bold;
font-size: 12pt;
line-height: 21pt;
text-align: center;
}
.fn {
font-weight: bold;
}
.hidden {
display: none;
}
.left {
text-align: left;
}
.right {
text-align: right;
}
.title {
color: #990000;
font-size: 18pt;
line-height: 18pt;
font-weight: bold;
text-align: center;
margin-top: 36pt;
}
.vcardline {
display: block;
}
.warning {
font-size: 14pt;
background-color: yellow;
}
@media print {
.noprint {
display: none;
}
a {
color: black;
text-decoration: none;
}
table.header {
width: 90%;
}
td.header {
width: 50%;
color: black;
background-color: white;
vertical-align: top;
font-size: 12pt;
}
ul.toc a::after {
content: leader('.') target-counter(attr(href), page);
}
ul.ind li li a {
content: target-counter(attr(href), page);
}
.print2col {
column-count: 2;
-moz-column-count: 2;
column-fill: auto;
}
}
@page {
@top-left {
content: "Internet-Draft";
}
@top-right {
content: "December 2010";
}
@top-center {
content: "Abbreviated Title";
}
@bottom-left {
content: "Doe";
}
@bottom-center {
content: "Expires June 2011";
}
@bottom-right {
content: "[Page " counter(page) "]";
}
}
@page:first {
@top-left {
content: normal;
}
@top-right {
content: normal;
}
@top-center {
content: normal;
}
}
/*]]>*/
</style>
<link href="#rfc.toc" rel="Contents">
<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Requirements Notation and Conventions">
<link href="#rfc.section.1.2" rel="Chapter" title="1.2 Terminology">
<link href="#rfc.section.2" rel="Chapter" title="2 FastFed Metadata">
<link href="#rfc.section.3" rel="Chapter" title="3 FastFed Handshake">
<link href="#rfc.section.3.1" rel="Chapter" title="3.1 FastFed Registration Request">
<link href="#rfc.section.3.2" rel="Chapter" title="3.2 FastFed Registration Response">
<link href="#rfc.section.4" rel="Chapter" title="4 Interoperability Requirements">
<link href="#rfc.section.4.1" rel="Chapter" title="4.1 Identity Provider Requirements">
<link href="#rfc.section.4.2" rel="Chapter" title="4.2 Application Provider Requirements">
<link href="#rfc.section.5" rel="Chapter" title="5 Security Considerations">
<link href="#rfc.section.6" rel="Chapter" title="6 IANA Considerations">
<link href="#rfc.references" rel="Chapter" title="7 Normative References">
<link href="#rfc.appendix.A" rel="Chapter" title="A Acknowledgements">
<link href="#rfc.appendix.B" rel="Chapter" title="B Notices">
<link href="#rfc.appendix.C" rel="Chapter" title="C Document History">
<link href="#rfc.authors" rel="Chapter">
<meta name="generator" content="xml2rfc version 2.15.4 - https://tools.ietf.org/tools/xml2rfc" />
<link rel="schema.dct" href="http://purl.org/dc/terms/" />
<meta name="dct.creator" content="McAdams, D." />
<meta name="dct.identifier" content="urn:ietf:id:fastfed-1_0" />
<meta name="dct.issued" scheme="ISO8601" content="2019-08-27" />
<meta name="dct.abstract" content="This specification defines the requirements to implement the FastFed Profile for SCIM Full Lifecycle provisioning. This profile supports continual provisioning, update, and deprovisioning of end-users between the Identity Provider and Application Provider. " />
<meta name="description" content="This specification defines the requirements to implement the FastFed Profile for SCIM Full Lifecycle provisioning. This profile supports continual provisioning, update, and deprovisioning of end-users between the Identity Provider and Application Provider. " />
</head>
<body>
<table class="header">
<tbody>
<tr>
<td class="left"></td>
<td class="right">D. McAdams</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">Amazon</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">August 27, 2019</td>
</tr>
</tbody>
</table>
<p class="title">FastFed Profile for SCIM Provisioning - draft 01<br />
<span class="filename">fastfed-1_0</span></p>
<h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
<p>This specification defines the requirements to implement the FastFed Profile for SCIM Full Lifecycle provisioning. This profile supports continual provisioning, update, and deprovisioning of end-users between the Identity Provider and Application Provider. </p>
<hr class="noprint" />
<h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
<ul class="toc">
<li>1. <a href="#rfc.section.1">Introduction</a>
</li>
<ul><li>1.1. <a href="#rfc.section.1.1">Requirements Notation and Conventions</a>
</li>
<li>1.2. <a href="#rfc.section.1.2">Terminology</a>
</li>
</ul><li>2. <a href="#rfc.section.2">FastFed Metadata</a>
</li>
<li>3. <a href="#rfc.section.3">FastFed Handshake</a>
</li>
<ul><li>3.1. <a href="#rfc.section.3.1">FastFed Registration Request</a>
</li>
<li>3.2. <a href="#rfc.section.3.2">FastFed Registration Response</a>
</li>
</ul><li>4. <a href="#rfc.section.4">Interoperability Requirements</a>
</li>
<ul><li>4.1. <a href="#rfc.section.4.1">Identity Provider Requirements</a>
</li>
<li>4.2. <a href="#rfc.section.4.2">Application Provider Requirements</a>
</li>
</ul><li>5. <a href="#rfc.section.5">Security Considerations</a>
</li>
<li>6. <a href="#rfc.section.6">IANA Considerations</a>
</li>
<li>7. <a href="#rfc.references">Normative References</a>
</li>
<li>Appendix A. <a href="#rfc.appendix.A">Acknowledgements</a>
</li>
<li>Appendix B. <a href="#rfc.appendix.B">Notices</a>
</li>
<li>Appendix C. <a href="#rfc.appendix.C">Document History</a>
</li>
<li><a href="#rfc.authors">Author's Address</a>
</li>
</ul>
<h1 id="rfc.section.1">
<a href="#rfc.section.1">1.</a> <a href="#Introduction" id="Introduction">Introduction</a>
</h1>
<p id="rfc.section.1.p.1">This specification defines the functionality which a provider must implement to satisfy the FastFed Profile for SCIM Full Lifecycle provisioning. </p>
<p id="rfc.section.1.p.2">It consists of the following extensions to the <a href="#FastFed.Core" class="xref">FastFed Core</a> specification: </p>
<ul>
<li>Additional metadata in the FastFed Handshake Flows to exchange SCIM provisioning endpoints. </li>
<li>An interoperability profile describing the subset of the SCIM specifications which must be implemented to be FastFed Compatible for SCIM Full Lifecycle provisioning. </li>
</ul>
<p> </p>
<h1 id="rfc.section.1.1">
<a href="#rfc.section.1.1">1.1.</a> <a href="#rnc" id="rnc">Requirements Notation and Conventions</a>
</h1>
<p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <a href="#RFC2119" class="xref">RFC 2119</a>. </p>
<p id="rfc.section.1.1.p.2">In the .txt version of this specification, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value. In the HTML version of this specification, values to be taken literally are indicated by the use of <samp>this fixed-width font</samp>. </p>
<h1 id="rfc.section.1.2">
<a href="#rfc.section.1.2">1.2.</a> <a href="#Terminology" id="Terminology">Terminology</a>
</h1>
<p id="rfc.section.1.2.p.1">This FastFed Profile uses the terminology defined in Section 1.2 of the <a href="#FastFed.Core" class="xref">FastFed Core</a> specification. </p>
<h1 id="rfc.section.2">
<a href="#rfc.section.2">2.</a> <a href="#FastFedMetadata" id="FastFedMetadata">FastFed Metadata</a>
</h1>
<p id="rfc.section.2.p.1">This specification extends the <a href="#FastFed.Core" class="xref">FastFed Core</a> metadata (Section 3.3.1) with the following value for <samp>provisioning_profiles</samp>: </p>
<dl>
<dt>urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle</dt>
<dd style="margin-left: 8">A Provider who includes this URN in their list of capabilities MUST comply with the requirements described in this specification. </dd>
</dl>
<p> </p>
<p id="rfc.section.2.p.2">The following is a non-normative example of Provider Metadata showing the usage of the value: </p>
<pre>
{
  "identity_provider": {
    "capabilities": {
      "provisioning_profiles": ["urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle"],
      ...
    }
  }
}
</pre>
<h1 id="rfc.section.3">
<a href="#rfc.section.3">3.</a> <a href="#FastFedHandshake" id="FastFedHandshake">FastFed Handshake</a>
</h1>
<p id="rfc.section.3.p.1">When using this SCIM provisioning profile, the FastFed Identity Provider and Application Provider have various responsibilities to comply with the protocol. </p>
<p id="rfc.section.3.p.2">The Identity Provider fulfills the role of a SCIM Client. It has a responsibility to provision user information into the Application Provider as described in <a href="#SCIMInteroperabilityIdentityProviderReqs" class="xref">Section 4.1</a>. </p>
<p id="rfc.section.3.p.3">The Application Provider fulfills the role of a SCIM Service. It has a responsibility to host a SCIM Endpoint and handle provisioning messages from the Identity Provider as described in <a href="#SCIMInteroperabilityApplicationProviderReqs" class="xref">Section 4.2</a>. </p>
<p id="rfc.section.3.p.4">This specification extends the <a href="#FastFed.Core" class="xref">FastFed Core</a> handshake messages with the additional attributes necessary for each party to fulfill their respective obligations under SCIM. </p>
<h1 id="rfc.section.3.1">
<a href="#rfc.section.3.1">3.1.</a> <a href="#FastFedHandshakeRegistrationRequest" id="FastFedHandshakeRegistrationRequest">FastFed Registration Request</a>
</h1>
<p id="rfc.section.3.1.p.1">This specification extends the contents of the FastFed Registration Request (Section 7.2.3.1 of <a href="#FastFed.Core" class="xref">FastFed Core</a>) with a structure sharing the same name as the profile: <samp>"urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle"</samp>. </p>
<p id="rfc.section.3.1.p.2">The structure contains the following attributes: </p>
<dl>
<dt>provider_authentication</dt>
<dd style="margin-left: 8">REQUIRED. A structure containing the authentication keys necessary to authenticate the provisioning provider, as defined in Section 3.3.3 of <a href="#FastFed.Core" class="xref">FastFed Core</a>. <br /><br />The authentication keys MAY be the same as those defined in the Identity Provider's FastFed Metadata. Alternatively, SCIM provisioning may be delegated to a distinct sub-system which authenticates with its own key materials. The declaration of protocol-specific authentication materials enables both scenarios. </dd>
</dl>
<p> </p>
<p id="rfc.section.3.1.p.3">The following is a non-normative example of the contents of a registration request message: </p>
<pre>
{
  "iss": "https://idp.example.com",
  "sub": "tenant-12345",
  "aud": "https://app.example.com",
  "exp": 1234567890,
  "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
  "provisioning_profiles": [
    "urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle"
  ],
  "urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle": {
    "provider_authentication": {
      "jwks_uri": "https://provisioning.example.com/keys"
    }
  }
}
</pre>
<h1 id="rfc.section.3.2">
<a href="#rfc.section.3.2">3.2.</a> <a href="#FastFedHandshakeRegistrationResponse" id="FastFedHandshakeRegistrationResponse">FastFed Registration Response</a>
</h1>
<p id="rfc.section.3.2.p.1">This specification extends the contents of the FastFed Registration Response (Section 7.2.3.3 of <a href="#FastFed.Core" class="xref">FastFed Core</a>) with a structure sharing the same name as the profile: <samp>"urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle"</samp>. </p>
<p id="rfc.section.3.2.p.2">The structure contains the following attributes: </p>
<dl>
<dt>scim_service_uri</dt>
<dd style="margin-left: 8">REQUIRED. Contains the URL of the Application Provider's SCIM Endpoint. </dd>
<dt>oauth_metadata</dt>
<dd style="margin-left: 8">REQUIRED. A structure containing the OAuth metadata for authenticating to the SCIM endpoint, as defined in Section 6.6 of <a href="#FastFed.Core" class="xref">FastFed Core</a>. <br><br> The OAuth scope returned in this structure MUST authorize the SCIM client to perform all provisioning activity specified by this profile. </dd>
</dl>
<p> </p>
<p id="rfc.section.3.2.p.3">The following is a non-normative example of the contents of a registration response message: </p>
<pre>
{
  "urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle": {
    "scim_service_uri": "https://tenant-56789.app.example.com/scim",
    "oauth_metadata": {
      "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
      "token_endpoint": "https://tenant-56789.app.example.com/oauth",
      "scope": "scim"
    }
  }
}
</pre>
<h1 id="rfc.section.4">
<a href="#rfc.section.4">4.</a> <a href="#Interoperability" id="Interoperability">Interoperability Requirements</a>
</h1>
<p id="rfc.section.4.p.1">Each identity standard defines a set of optional features to enable usage in a wide variety of circumstances. </p>
<p id="rfc.section.4.p.2">However, a consequence of the flexibility is that two Providers may find themselves incompatible despite sharing the same protocols. </p>
<p id="rfc.section.4.p.3">To deliver the simplified experience that is the goal of FastFed, it is important that two FastFed-enabled Providers have confidence that they can interoperate when sharing the same protocols. </p>
<p id="rfc.section.4.p.4">The following sections describe the subset of the SCIM Protocol specifications that Providers MUST implement to be FastFed Compatible for this profile. Providers MAY support additional functionality, but MUST NOT require the additional functionality when configuring federation with another Provider using the FastFed specifications. </p>
<h1 id="rfc.section.4.1">
<a href="#rfc.section.4.1">4.1.</a> <a href="#SCIMInteroperabilityIdentityProviderReqs" id="SCIMInteroperabilityIdentityProviderReqs">Identity Provider Requirements</a>
</h1>
<p id="rfc.section.4.1.p.1">SCIM requirements for Identity Providers: </p>
<ul>
<li>MUST implement the required functionality of a SCIM Client as defined in <a href="#RFC7643" class="xref">[RFC7643]</a> and <a href="#RFC7644" class="xref">[RFC7644]</a>. </li>
<li>MUST authenticate to the SCIM endpoint using an OAuth <samp>access_token</samp>. The token must be obtained using the mechanisms defined in Section 6.6 of the <a href="#FastFed.Core" class="xref">FastFed Core</a> specification. The keyId used to obtain the OAuth token must exist in the keys hosted at the <samp>jwks_uri</samp> specified by the SCIM <samp>provider_authentication</samp> in <a href="#FastFedHandshakeRegistrationRequest" class="xref">Section 3.1</a>. </li>
<li>For each end-user that is authorized to access the Application: <ul>
<li>SHOULD replicate end-user information to the Application Provider within 60 minutes of an active end-user being created or updated. <br><br> The Identity Provider MAY use any combination of the following operations to provision user information: <ul>
<li>Create account via <em>POST /Users</em>
</li>
<li>Update account details via <em>PUT /Users/{id}</em>
</li>
<li>Read list of accounts via <em>GET /Users</em>
</li>
<li>Read account details via <em>GET /Users/{id}</em>
</li>
<li>Filtering based on <em>"userName eq"</em>
</li>
</ul>
<p> </p>
</li>
<li>SHOULD replicate end-user deactivation to the Application within 15 minutes of the user being deactivated within the Identity Provider. <br><br> The Identity Provider MAY use any combination of the following operations to deactivate users in the Application: <ul>
<li>Deactivate account via <em>PATCH /Users/{id}</em>
</li>
<li>Read list of accounts via <em>GET /Users</em>
</li>
<li>Read account details via <em>GET /Users/{id}</em>
</li>
<li>Filtering based on <em>"userName eq"</em>
</li>
</ul>
<p> </p>
</li>
<li>SHOULD populate the <samp>groups</samp> attribute on a SCIM User object with a list of groups to which the user belongs. As specified in the SCIM Core Schema <a href="#RFC7643" class="xref">[RFC7643]</a>, a user can belong to a group either through direct membership, through nested groups, or dynamically calculated. </li>
</ul>
<p> </p>
</li>
</ul>
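<p>An added example, not part of the specification: a sketch of an Identity Provider acting as SCIM Client using only the operations listed above. It looks each user up with a <samp>userName eq</samp> filter, then creates, updates or deactivates the account. <samp>reconcile</samp>, <samp>FakeApp</samp> and the sample users are constructed for illustration; the PatchOp and ListResponse shapes follow RFC 7644.</p>

```python
import json
from urllib.parse import quote, unquote

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def username_query(user_name):
    # json.dumps yields a quoted, escaped JSON string literal, so a quote or
    # backslash inside userName cannot close the literal and extend the filter.
    return "/Users?filter=" + quote("userName eq " + json.dumps(user_name), safe="")


def reconcile(idp_users, send):
    """Push IdP state to the Application; returns the write requests issued.

    send(method, path, body) -> parsed JSON response. The transport (HTTPS
    plus the OAuth access_token) is assumed to live behind this callable.
    """
    writes = []
    for user in idp_users:
        found = send("GET", username_query(user["userName"]), None).get("Resources", [])
        account = found[0] if found else None
        if not user["active"]:
            # Deactivation: only touch accounts that exist and are not already
            # inactive. A missing "active" attribute is treated as active.
            if account and account.get("active", True):
                body = {"schemas": [PATCH_SCHEMA],
                        "Operations": [{"op": "replace", "path": "active", "value": False}]}
                send("PATCH", "/Users/" + account["id"], body)
                writes.append(("PATCH", "/Users/" + account["id"]))
            continue
        resource = {"schemas": [USER_SCHEMA], "userName": user["userName"], "active": True,
                    "groups": [{"display": g} for g in user.get("groups", [])]}
        if account is None:
            send("POST", "/Users", resource)
            writes.append(("POST", "/Users"))
        elif any(account.get(k) != resource[k] for k in ("active", "groups")):
            send("PUT", "/Users/" + account["id"], resource)
            writes.append(("PUT", "/Users/" + account["id"]))
    return writes


class FakeApp:
    """Constructed in-memory stand-in for the Application's SCIM endpoint."""

    def __init__(self, users):
        self.users = {u["id"]: dict(u) for u in users}

    def send(self, method, path, body):
        if method == "GET":
            expr = unquote(path.split("filter=", 1)[1])
            wanted = json.loads(expr[len("userName eq "):])
            hits = [u for u in self.users.values() if u["userName"] == wanted]
            return {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}
        if method == "POST":
            uid = str(len(self.users) + 1)
            self.users[uid] = dict(body, id=uid)
            return self.users[uid]
        uid = path.rsplit("/", 1)[1]
        if method == "PUT":
            self.users[uid] = dict(body, id=uid)
        else:  # PATCH carrying "replace" operations on top-level attributes
            for op in body["Operations"]:
                self.users[uid][op["path"]] = op["value"]
        return self.users[uid]


# Constructed sample data: the IdP's current view of its users.
SAMPLE_IDP = [
    {"userName": "alice", "active": True, "groups": ["eng", "admins"]},  # group added
    {"userName": "bob", "active": False, "groups": []},                  # deactivated
    {"userName": 'o"hara', "active": True, "groups": []},                # new account
    {"userName": "carol", "active": False, "groups": []},                # never provisioned
]


def demo():
    app = FakeApp([
        {"id": "1", "userName": "alice", "active": True, "groups": [{"display": "eng"}]},
        {"id": "2", "userName": "bob", "active": True, "groups": []},
    ])
    return reconcile(SAMPLE_IDP, app.send), app


if __name__ == "__main__":
    print(demo()[0])
```

<p>Running <samp>reconcile</samp> a second time against the same state issues no writes, which is the property to check when scheduling it inside the 60-minute and 15-minute windows above.</p>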
<p> </p>
<h1 id="rfc.section.4.2">
<a href="#rfc.section.4.2">4.2.</a> <a href="#SCIMInteroperabilityApplicationProviderReqs" id="SCIMInteroperabilityApplicationProviderReqs">Application Provider Requirements</a>
</h1>
<p id="rfc.section.4.2.p.1">SCIM requirements for Application Providers: </p>
<ul>
<li>MUST implement the required functionality of a SCIM Service Provider as defined in <a href="#RFC7643" class="xref">[RFC7643]</a> and <a href="#RFC7644" class="xref">[RFC7644]</a>. </li>
<li>MUST support authentication via OAuth <samp>access_tokens</samp>. </li>
<li>MUST provide an OAuth authorization server capable of issuing tokens as defined in Section 6.6 of the <a href="#FastFed.Core" class="xref">FastFed Core</a> specification. OAuth tokens MUST only be issued if the token request is signed using a keyId which exists in the key set hosted at the <samp>jwks_uri</samp> specified by the SCIM <samp>provider_authentication</samp> in <a href="#FastFedHandshakeRegistrationRequest" class="xref">Section 3.1</a>. </li>
<li>MUST support the following operations: <ul>
<li>Create account via <em>POST /Users</em>
</li>
<li>Update account details via <em>PUT /Users/{id}</em>
</li>
<li>Deactivate account via <em>PATCH /Users/{id}</em>
</li>
<li>Read list of accounts via <em>GET /Users</em>
</li>
<li>Read account details via <em>GET /Users/{id}</em>
</li>
<li>Filtering based on <em>"userName eq"</em>
</li>
</ul>
<p> </p>
</li>
<li>SHOULD respond to account deactivation by revoking the ability for the end-user to use the Application, even if that end-user has an active session with an expiration date in the future. The revocation mechanism is an implementation detail and outside the scope of this specification. Revocation should occur within 15 minutes of receiving the deactivation. </li>
</ul>
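<p>An added example, not part of the specification: the key-selection step an Application Provider's token endpoint could apply before issuing a token. It reads the <samp>jwks_uri</samp> from the Section 3.1 structure and accepts only a keyId found in that key set. The function names, the injected <samp>fetch_jwks</samp>, the https check and the sample key sets are assumptions; signature verification itself is left to a JOSE library.</p>

```python
import base64
import json

PROFILE = "urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle"


class Rejected(Exception):
    """The token request must not result in an access token."""


def scim_jwks_uri(registration_request):
    """Extract the SCIM-specific jwks_uri from a registration request (Section 3.1)."""
    if PROFILE not in registration_request.get("provisioning_profiles", []):
        raise Rejected("SCIM profile was not requested")
    try:
        uri = registration_request[PROFILE]["provider_authentication"]["jwks_uri"]
    except (KeyError, TypeError):
        raise Rejected("provider_authentication.jwks_uri is missing")
    # Assumption of this example: key sets are only ever fetched over TLS.
    if not isinstance(uri, str) or not uri.startswith("https://"):
        raise Rejected("jwks_uri is not an https URL")
    return uri


def _decode_segment(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def select_key(assertion, registration_request, fetch_jwks):
    """Return the one JWK allowed to verify this jwt-bearer assertion.

    fetch_jwks(uri) is an injected, hypothetical fetcher returning a JWKS dict.
    Signature and claim verification with the returned key is left to a JOSE
    library and is not performed here.
    """
    parts = assertion.split(".")
    if len(parts) != 3:
        raise Rejected("assertion is not a compact JWS")
    try:
        header = _decode_segment(parts[0])
    except ValueError:
        raise Rejected("JOSE header cannot be decoded")
    if not isinstance(header, dict):
        raise Rejected("JOSE header is not an object")
    kid, alg = header.get("kid"), header.get("alg")
    if not isinstance(kid, str) or not kid:
        raise Rejected("no kid in JOSE header")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise Rejected("unsigned assertion")
    # Only the key set named for SCIM counts, not the IdP's general metadata keys.
    jwks = fetch_jwks(scim_jwks_uri(registration_request)) or {}
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise Rejected("kid is not in the SCIM key set")
    key = matches[0]
    if key.get("use", "sig") != "sig" or key.get("alg", alg) != alg:
        raise Rejected("key is not usable for this signature")
    return key


def _segment(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def sample_assertion(kid, alg="RS256"):
    # Constructed test vector: the third segment is a placeholder, not a signature.
    claims = {"iss": "https://idp.example.com",
              "aud": "https://tenant-56789.app.example.com/oauth"}
    return ".".join([_segment({"alg": alg, "kid": kid}), _segment(claims), "c2ln"])


# Constructed sample data, modelled on the registration request example in Section 3.1.
REGISTRATION_REQUEST = {
    "iss": "https://idp.example.com",
    "provisioning_profiles": [PROFILE],
    PROFILE: {"provider_authentication": {"jwks_uri": "https://provisioning.example.com/keys"}},
}
# Constructed key sets (key material omitted); the second URL is a made-up
# location for the IdP's general metadata keys.
KEY_SETS = {
    "https://provisioning.example.com/keys": {"keys": [
        {"kty": "RSA", "kid": "scim-2019", "use": "sig", "alg": "RS256"}]},
    "https://idp.example.com/keys": {"keys": [
        {"kty": "RSA", "kid": "idp-main", "use": "sig", "alg": "RS256"}]},
}


def decision(assertion, request=REGISTRATION_REQUEST):
    try:
        return "verify with " + select_key(assertion, request, KEY_SETS.get)["kid"]
    except Rejected as reason:
        return "reject: " + str(reason)


if __name__ == "__main__":
    for kid in ("scim-2019", "idp-main"):
        print(kid, "->", decision(sample_assertion(kid)))
```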
<p> </p>
<h1 id="rfc.section.5">
<a href="#rfc.section.5">5.</a> <a href="#Security" id="Security">Security Considerations</a>
</h1>
<p id="rfc.section.5.p.1">TODO </p>
<h1 id="rfc.section.6">
<a href="#rfc.section.6">6.</a> <a href="#IANA" id="IANA">IANA Considerations</a>
</h1>
<p id="rfc.section.6.p.1">TODO </p>
<h1 id="rfc.references">
<a href="#rfc.references">7.</a> Normative References</h1>
<table><tbody>
<tr>
<td class="reference"><b id="FastFed.Core">[FastFed.Core]</b></td>
<td class="top">
<a title="Amazon">McAdams, K.</a>, "<a href="http://example.com">FastFed Core</a>", June 2018.</td>
</tr>
<tr>
<td class="reference"><b id="OpenID.Core">[OpenID.Core]</b></td>
<td class="top">
<a title="Nomura Research Institute, Ltd.">Sakimura, N.</a>, <a title="Ping Identity">Bradley, J.</a>, <a title="Microsoft">Jones, M.</a>, <a title="Google">de Medeiros, B.</a> and <a title="Salesforce">C. Mortimore</a>, "<a href="http://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect Core 1.0</a>", November 2014.</td>
</tr>
<tr>
<td class="reference"><b id="OpenID.Discovery">[OpenID.Discovery]</b></td>
<td class="top">
<a title="Nomura Research Institute, Ltd.">Sakimura, N.</a>, <a title="Ping Identity">Bradley, J.</a>, <a title="Microsoft">Jones, M.</a> and <a title="Illumila">E. Jay</a>, "<a href="http://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a>", November 2014.</td>
</tr>
<tr>
<td class="reference"><b id="OpenID.Registration">[OpenID.Registration]</b></td>
<td class="top">
<a title="Nomura Research Institute, Ltd.">Sakimura, N.</a>, <a title="Ping Identity">Bradley, J.</a> and <a title="Microsoft">M. Jones</a>, "<a href="http://openid.net/specs/openid-connect-registration-1_0.html">OpenID Connect Dynamic Client Registration 1.0</a>", November 2014.</td>
</tr>
<tr>
<td class="reference"><b id="OpenID.SCIMProfile">[OpenID.SCIMProfile]</b></td>
<td class="top">
<a title="Oracle">Hunt, P.</a> and <a title="Salesforce">C. Mortimore</a>, "<a href="http://openid.net/specs/openid-connect-scim-profile-1_0.html">OpenID Connect Profile for SCIM Services [DRAFT]</a>", June 2016.</td>
</tr>
<tr>
<td class="reference"><b id="RFC2119">[RFC2119]</b></td>
<td class="top">
<a>Bradner, S.</a>, "<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
</tr>
<tr>
<td class="reference"><b id="RFC2616">[RFC2616]</b></td>
<td class="top">
<a>Fielding, R.</a>, <a>Gettys, J.</a>, <a>Mogul, J.</a>, <a>Frystyk, H.</a>, <a>Masinter, L.</a>, <a>Leach, P.</a> and <a>T. Berners-Lee</a>, "<a href="https://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>", RFC 2616, DOI 10.17487/RFC2616, June 1999.</td>
</tr>
<tr>
<td class="reference"><b id="RFC3986">[RFC3986]</b></td>
<td class="top">
<a>Berners-Lee, T.</a>, <a>Fielding, R.</a> and <a>L. Masinter</a>, "<a href="https://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005.</td>
</tr>
<tr>
<td class="reference"><b id="RFC4627">[RFC4627]</b></td>
<td class="top">
<a>Crockford, D.</a>, "<a href="https://tools.ietf.org/html/rfc4627">The application/json Media Type for JavaScript Object Notation (JSON)</a>", RFC 4627, DOI 10.17487/RFC4627, July 2006.</td>
</tr>
<tr>
<td class="reference"><b id="RFC5646">[RFC5646]</b></td>
<td class="top">
<a>Phillips, A.</a> and <a>M. Davis</a>, "<a href="https://tools.ietf.org/html/rfc5646">Tags for Identifying Languages</a>", BCP 47, RFC 5646, DOI 10.17487/RFC5646, September 2009.</td>
</tr>
<tr>
<td class="reference"><b id="RFC6125">[RFC6125]</b></td>
<td class="top">
<a>Saint-Andre, P.</a> and <a>J. Hodges</a>, "<a href="https://tools.ietf.org/html/rfc6125">Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)</a>", RFC 6125, DOI 10.17487/RFC6125, March 2011.</td>
</tr>
<tr>
<td class="reference"><b id="RFC6749">[RFC6749]</b></td>
<td class="top">
<a>Hardt, D.</a>, "<a href="https://tools.ietf.org/html/rfc6749">The OAuth 2.0 Authorization Framework</a>", RFC 6749, DOI 10.17487/RFC6749, October 2012.</td>
</tr>
<tr>
<td class="reference"><b id="RFC6750">[RFC6750]</b></td>
<td class="top">
<a>Jones, M.</a> and <a>D. Hardt</a>, "<a href="https://tools.ietf.org/html/rfc6750">The OAuth 2.0 Authorization Framework: Bearer Token Usage</a>", RFC 6750, DOI 10.17487/RFC6750, October 2012.</td>
</tr>
<tr>
<td class="reference"><b id="RFC7643">[RFC7643]</b></td>
<td class="top">
<a>Hunt, P.</a>, <a>Grizzle, K.</a>, <a>Wahlstroem, E.</a> and <a>C. Mortimore</a>, "<a href="https://tools.ietf.org/html/rfc7643">System for Cross-domain Identity Management: Core Schema</a>", RFC 7643, DOI 10.17487/RFC7643, September 2015.</td>
</tr>
<tr>
<td class="reference"><b id="RFC7644">[RFC7644]</b></td>
<td class="top">
<a>Hunt, P.</a>, <a>Grizzle, K.</a>, <a>Ansari, M.</a>, <a>Wahlstroem, E.</a> and <a>C. Mortimore</a>, "<a href="https://tools.ietf.org/html/rfc7644">System for Cross-domain Identity Management: Protocol</a>", RFC 7644, DOI 10.17487/RFC7644, September 2015.</td>
</tr>
<tr>
<td class="reference"><b id="W3C.REC-html401-19991224">[W3C.REC-html401-19991224]</b></td>
<td class="top">
<a title="W3C">Raggett, D.</a>, <a title="W3C">Hors, A.</a> and <a title="W3C">I. Jacobs</a>, "<a href="https://www.w3.org/TR/1999/REC-html401-19991224">HTML 4.01 Specification</a>", December 1999.</td>
</tr>
</tbody></table>
<h1 id="rfc.appendix.A">
<a href="#rfc.appendix.A">Appendix A.</a> <a href="#Acknowledgements" id="Acknowledgements">Acknowledgements</a>
</h1>
<p id="rfc.section.A.p.1">The OpenID Community would like to thank the following people for their contributions to this specification: </p>
<p></p>
<ul class="empty"><li>TODO</li></ul>
<p> </p>
<h1 id="rfc.appendix.B">
<a href="#rfc.appendix.B">Appendix B.</a> <a href="#Notices" id="Notices">Notices</a>
</h1>
<p id="rfc.section.B.p.1">Copyright (c) 2017 The OpenID Foundation.</p>
<p id="rfc.section.B.p.2">The OpenID Foundation (OIDF) grants to any Contributor, developer, implementer, or other interested party a non-exclusive, royalty free, worldwide copyright license to reproduce, prepare derivative works from, distribute, perform and display, this Implementers Draft or Final Specification solely for the purposes of (i) developing specifications, and (ii) implementing Implementers Drafts and Final Specifications based on such documents, provided that attribution be made to the OIDF as the source of the material, but that such attribution does not indicate an endorsement by the OIDF.</p>
<p id="rfc.section.B.p.3">The technology described in this specification was made available from contributions from various sources, including members of the OpenID Foundation and others. Although the OpenID Foundation has taken steps to help ensure that the technology is available for distribution, it takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this specification or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any independent effort to identify any such rights. The OpenID Foundation and the contributors to this specification make no (and hereby expressly disclaim any) warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to this specification, and the entire risk as to implementing this specification is assumed by the implementer. The OpenID Intellectual Property Rights policy requires contributors to offer a patent promise not to assert certain patent claims against other contributors and against implementers. The OpenID Foundation invites any interested party to bring to its attention any copyrights, patents, patent applications, or other proprietary rights that may cover technology that may be required to practice this specification.</p>
<h1 id="rfc.appendix.C">
<a href="#rfc.appendix.C">Appendix C.</a> <a href="#History" id="History">Document History</a>
</h1>
<p id="rfc.section.C.p.1">[[ To be removed from the final specification ]]</p>
<h1 id="rfc.authors"><a href="#rfc.authors">Author's Address</a></h1>
<div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">Darin K. McAdams</span>
<span class="n hidden">
<span class="family-name">McAdams</span>
</span>
</span>
<span class="org vcardline">Amazon</span>
<span class="adr">
<span class="vcardline">
<span class="locality"></span>
<span class="region"></span>
<span class="code"></span>
</span>
<span class="country-name vcardline"></span>
</span>
<span class="vcardline">EMail: <a href="mailto:darinm@amazon.com">darinm@amazon.com</a></span>
</address>
</div>
</body>
</html>