<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
h1
{mso-style-priority:9;
mso-style-link:"Heading 1 Char";
margin-top:12.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
page-break-after:avoid;
font-size:16.0pt;
font-family:"Calibri Light",sans-serif;
color:#2F5496;
font-weight:normal;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
margin-top:2.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
page-break-after:avoid;
font-size:13.0pt;
font-family:"Calibri Light",sans-serif;
color:#2F5496;
font-weight:normal;}
p.MsoTitle, li.MsoTitle, div.MsoTitle
{mso-style-priority:10;
mso-style-link:"Title Char";
margin:0in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:28.0pt;
font-family:"Calibri Light",sans-serif;
letter-spacing:-.5pt;}
p.MsoTitleCxSpFirst, li.MsoTitleCxSpFirst, div.MsoTitleCxSpFirst
{mso-style-priority:10;
mso-style-link:"Title Char";
mso-style-type:export-only;
margin:0in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:28.0pt;
font-family:"Calibri Light",sans-serif;
letter-spacing:-.5pt;}
p.MsoTitleCxSpMiddle, li.MsoTitleCxSpMiddle, div.MsoTitleCxSpMiddle
{mso-style-priority:10;
mso-style-link:"Title Char";
mso-style-type:export-only;
margin:0in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:28.0pt;
font-family:"Calibri Light",sans-serif;
letter-spacing:-.5pt;}
p.MsoTitleCxSpLast, li.MsoTitleCxSpLast, div.MsoTitleCxSpLast
{mso-style-priority:10;
mso-style-link:"Title Char";
mso-style-type:export-only;
margin:0in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:28.0pt;
font-family:"Calibri Light",sans-serif;
letter-spacing:-.5pt;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-priority:9;
mso-style-link:"Heading 1";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.TitleChar
{mso-style-name:"Title Char";
mso-style-priority:10;
mso-style-link:Title;
font-family:"Calibri Light",sans-serif;
letter-spacing:-.5pt;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:527304107;
mso-list-type:hybrid;
mso-list-template-ids:1427934746 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:661201334;
mso-list-type:hybrid;
mso-list-template-ids:38575416 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:1341003375;
mso-list-type:hybrid;
mso-list-template-ids:-1862338546 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l3
{mso-list-id:1490092225;
mso-list-type:hybrid;
mso-list-template-ids:1022365020 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">At the prior WG meeting, we discussed SCIM interoperability questions. I had an action to come back with a strawman proposal.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This proposal is pasted below and also uploaded into our Google Drive:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><a href="https://drive.google.com/file/d/1vlozxI74WYxUK69IlvhaXaiclVJYHLJH/view?usp=sharing">https://drive.google.com/file/d/1vlozxI74WYxUK69IlvhaXaiclVJYHLJH/view?usp=sharing</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">If possible, let’s use tomorrow’s WG meeting to review together. For folks who can’t attend the meeting, take a look and drop comments into the Google doc.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">-Darin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoTitle">SCIM Interop Requirements<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The FastFed working group deliberated the topic of prescriptiveness for SCIM interoperability.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Based on collective experience, we have observed that multiple ways exist to perform the same actions in SCIM. For example, there are at least 3 different mechanisms to update a User object. Identity Providers don’t share the same approaches,
thereby putting burden on Application Providers to deeply study each IdP and (in the experience of AWS) apply 1 year of effort to universally support all of them.<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">When Applications cannot make this level of investment, end-users find interop barriers when integrating between Providers.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To fulfill the FastFed UX promise of “click a button and it just works”, we believe it is necessary to offer more prescriptive guidance to FastFed Compliant SCIM providers, akin to the FastFed guidance for other protocols such as SAML.
While this discussion may be more at home in a SCIM working group, the FastFed timelines encourage a more rapid response.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Due to the variability across Identity Providers, there is near certainty that any proposed interop profile will not completely match how IdPs behave today; necessitating work to comply.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">What we don’t know is whether the effort to comply is minimal, or launch-blocking. To help inform our decision making, this document presents a strawman proposal for SCIM interop. The intent is for working group members to evaluate (a)
whether they agree with the approach, and (b) the effort for compliance.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This information will facilitate future working group discussion.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For ease of consumption, this document forgoes the vocabulary of normative specifications and simply enumerates various CRUD operations and recommended implementation patterns.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h1><b><span style="color:#4472C4">User Operations<o:p></o:p></span></b></h1>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" align="center">
</div>
<h2><o:p> </o:p></h2>
<h2>Create User<o:p></o:p></h2>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>POST /Users</i></b><i><o:p></o:p></i></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> <o:p></o:p></span></pre>
<pre><span style="color:black"> POST /Users HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<pre><span style="color:black"><o:p> </o:p></span></pre>
<pre><span style="color:black"> {<o:p></o:p></span></pre>
<pre><span style="color:black"> "schemas":[<o:p></o:p></span></pre>
<pre><span style="color:black"> "urn:ietf:params:scim:schemas:core:2.0:User",<o:p></o:p></span></pre>
<pre><span style="color:black"> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"<o:p></o:p></span></pre>
<pre><span style="color:black"> ],<o:p></o:p></span></pre>
<pre><span style="color:black"> "externalId": "98d78581-dd0d-4361-ab61-9511c6e5f035",<o:p></o:p></span></pre>
<pre><span style="color:black"> "userName":"bjensen",<o:p></o:p></span></pre>
<pre><span style="color:black"> "externalId":"bjensen",<o:p></o:p></span></pre>
<pre><span style="color:black"> "name":{<o:p></o:p></span></pre>
<pre><span style="color:black"> "formatted":"Ms. Barbara J Jensen III",<o:p></o:p></span></pre>
<pre><span style="color:black"> "familyName":"Jensen",<o:p></o:p></span></pre>
<pre><span style="color:black"> "givenName":"Barbara"<o:p></o:p></span></pre>
<pre><span style="color:black"> }<o:p></o:p></span></pre>
<pre><span style="color:black"> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {<o:p></o:p></span></pre>
<pre><span style="color:black"> "costCenter":"12345",<o:p></o:p></span></pre>
<pre><span style="color:black"> "manager":{"value": "0cca76a8-090a-4944-8e61-e7791e619d48"}<o:p></o:p></span></pre>
<pre><span style="color:black"> }<o:p></o:p></span></pre>
<pre><span style="color:black"> }<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l2 level1 lfo1">The “groups” attribute on the User object must NOT be included<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l2 level1 lfo1">Multi-value elements, such as Emails, must have at least 1 member with “primary=true”<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l2 level1 lfo1">References to other resources, such as the “manager” attribute in the EnterpriseUser object, must contain the “id” of the referenced object in the SCIM server. The referenced object must
be created in advance. <span style="color:#767171;mso-style-textfill-fill-color:#767171;mso-style-textfill-fill-alpha:100.0%">
(Technical note: this precludes circular references. The SCIM bulk operation is intended to help with this, but we’re calling it out of scope. Does anyone need circular references?)</span><o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l2 level1 lfo1"><span style="color:black">If a value for “password” is sent, and the Application doesn’t need a password (because it relies on authentication via the IdP), it should ignore the password.
</span><span style="color:#A5A5A5">(For example, Okta generates an app-specific password for every user and sends it in the SCIM object, even if it’s unneeded.)</span><o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Update User<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">To illustrate the complexity of updates, there are (at least) 9 distinct use cases:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l0 level1 lfo2">Replace the object completely
<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l0 level1 lfo2">Add/Update/Remove a simple attribute<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l0 level1 lfo2">Add/Replace/Remove the full contents of a complex attribute<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l0 level1 lfo2">Add/Remove members of a multi-value attribute<o:p></o:p></li></ul>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">As a reminder, SCIM provides several “op” methods to handle this variety:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:10.0pt;font-family:"Courier New"">{<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:10.0pt;font-family:"Courier New""> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:10.0pt;font-family:"Courier New""> "Operations": [{<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:10.0pt;font-family:"Courier New""> "op": "{<b>add|remove|replace</b>}"<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:10.0pt;font-family:"Courier New""> "path": "{<b>scim path to attribute</b>}”<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:10.0pt;font-family:"Courier New""> "value": {<b>new value, if applicable</b>}<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:10.0pt;font-family:"Courier New""> }]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="font-size:10.0pt;font-family:"Courier New"">}<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">This is somewhat complicated to implement & test, especially for an Application Provider with limited resources.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Therefore, <u>the following is a proposal for simplification:
</u><b>Only support replacement in full.</b> Each update must resend the full User object, even if only 1 value has changed.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Some IdPs already behave this way. Others don’t.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">While it feels inefficient, I suspect in practice it makes little difference. For example, a common implementation is to store User objects as JSON blobs in a datastore. All modifications require reading the full
object and persisting back, regardless of how much is being updated.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Another consideration of this approach is when an Application Provider wishes to know which attributes have been modified. For this purpose, they must examine the deltas themselves. I would argue the analysis of
deltas is always necessary regardless of the update method, since it’s possible for a SCIM client to send a “replace” request for a single attribute but replace it with the same value that already exists, essentially resulting in a no-op. The Application Provider
always bears the burden of calculating what has truly changed.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">I am interested in working group feedback here. Do scenarios exist where this doesn’t succeed? My suspicion is this works for the vast majority of Applications, and if we need more complexity, we should make that
an optional step-up. <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><o:p> </o:p></span></pre>
<pre><span style="color:black"> PUT /Users/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<pre><span style="color:black"><o:p> </o:p></span></pre>
<pre><span style="color:black"> {<o:p></o:p></span></pre>
<pre><span style="color:black"> "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],<o:p></o:p></span></pre>
<pre><span style="color:black"> "userName":"bjensen",<o:p></o:p></span></pre>
<pre><span style="color:black"> "externalId":"bjensen",<o:p></o:p></span></pre>
<pre><span style="color:black"> "name":{<o:p></o:p></span></pre>
<pre><span style="color:black"> "formatted":"Ms. Barbara J Jensen III",<o:p></o:p></span></pre>
<pre><span style="color:black"> "familyName":"Jensen",<o:p></o:p></span></pre>
<pre><span style="color:black"> "givenName":"Barbara"<o:p></o:p></span></pre>
<pre><span style="color:black"> }<o:p></o:p></span></pre>
<pre><span style="color:black"> }<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Delete User<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>DELETE /Users/{id}</i></b><i><o:p></o:p></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> DELETE /Users/{id}<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Get User Details<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">Question for the Working Group: Does anyone need the ability to retrieve a User by UserId in order to accomplish SCIM provisioning? If so, the following mechanism is proposed:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>GET /Users/{id}</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> GET /Users/{id}<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The “groups” attribute on the User object must be undefined. This can be made explicit by requiring that callers provide the “excludedAttributes” parameter.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example w/ excludedAttributes<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> GET /Users/{id}?excludedAttributes=groups<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Search Users<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">The SCIM Service must support searching based on the following filters:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l3 level1 lfo3"><i>“username eq”</i><o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l3 level1 lfo3"><i>“externalId eq” (If the IdentityProvider has specified a value for externalId)</i><o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The SCIM Client may use these APIs to translate a foreign key, such as
<i>username</i> and <i>externalId</i>, into the primary <i>id</i> of the SCIM Service.<o:p></o:p></p>
<p class="MsoNormal"><i><o:p> </o:p></i></p>
<p class="MsoNormal" style="margin-left:.5in">The response only needs to include the
<i>id </i>attribute. This is formalized by specifying the attribute in the query parameters.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>GET /Users?attributes+eq+id&filter=...</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> GET /Users?attributes+eq+id&filter=userName+eq+{username}<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> HTTP/1.1 200 OK<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "totalResults":1,</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Resources":[</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "id":"2819c223-7f76-453a-919d-413861904646"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>All Other Operations<o:p></o:p></h2>
<p class="MsoNormal">Other operations are out of scope for SCIM provisioning between an Identity Provider and Application Provider.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Applications may support additional functionality, but it is not required for FastFed Compatibility.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h1><b><span style="color:#4472C4">Group Operations<o:p></o:p></span></b></h1>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" align="center">
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Create Group<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>POST /Groups</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> POST /Groups HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:scim:schemas:core:1.0"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "externalId": "e5a41517-bcd6-4b8b-8590-487ae996de44",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "displayName": "Group Name"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l1 level1 lfo4">DisplayName is required<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">ExternalId is optional<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l1 level1 lfo4">Members must be empty/undefined.
<span style="color:#A5A5A5">(Technical note: The reasoning here is two-fold. First, some implementations can store group metadata separately from group memberships, making it difficult to adhere to the atomic update requirements for POST and PATCH operations
on a two-phase commit. Second, even if that’s not the case, SCIM doesn’t provide any guidance (or way to communicate) regarding the maximum number of membership changes in a single POST/PATCH, such that even those with transactional capabilities may only be
capable of performing a limited quantity of work within a transactional unit. See later sections for recommended handling of group membership.)</span><o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Update Group Metadata<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>PATCH /Groups/{id}</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> PATCH /Groups/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "replace",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "externalId",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value": "{newExternalId}"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "replace",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "displayName",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value": "{newDisplayName}"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l1 level1 lfo4">Operation is always “replace”.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">ExternalId and DisplayName cannot be replaced with empty/null values.<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l1 level1 lfo4">Membership changes cannot be included when updating group metadata.
<span style="color:#A5A5A5">(For same reasoning as in Create Group.)</span><o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Delete Group<o:p></o:p></h2>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>DELETE /Groups/{id}</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> DELETE /Groups/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Add User to Group<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>PATCH /Groups/{id}</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> PATCH /Groups/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "add",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "members",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value": [{"id": "{id}"}]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]
</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l1 level1 lfo4">Operation is always “add”.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">Path must be “members”<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">Only 1 member can updated per PATCH request
<span style="color:#A5A5A5">(Technical Note: The reasoning here is that SCIM specifies PATCH operations as atomic, but Application Providers should not be required to support an unbounded number of mutations in a single transactional unit. For example, Okta
currently sends batches of up to 1000 updates in a single PATCH, which is nearly impossible to handle quickly in a single transaction. In addition, SCIM has no mechanism to communicate partial success/failure of a PATCH request, so even if we tried to mimic
a bulk atomic update, sporadic failures will inevitably lead to data drift between the Providers. Much simpler to mutate records 1x1 and parallelize requests as needed to accelerate the overall pace of synchronization.)</span><o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">Value is represented as a list with a single element<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">The element must contain the attribute “id” representing the identifier of the resource being added.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">The resource type can be a User or Group object
<span style="color:#A5A5A5">(Technical Note: This implies support for nested groups. Is that OK? Do any SaaS Applications really support nested groups? Do they need to block circular memberships, such as a group containing itself?)</span><o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="color:black;mso-list:l1 level1 lfo4">
Multiple concurrent PATCH requests can be made for a single group. Maximum concurrency is 100 TPS per group.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Remove User From Group<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>PATCH /Groups/{id}</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> PATCH /Groups/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "remove",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "members",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value": [{"id": "{id}"}]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]
</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l1 level1 lfo4">Operation is always “remove”.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">Path must be “members”<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">Only 1 member can updated per PATCH request
<span style="color:#A5A5A5">(for all the reasons described in “Add Users To Group”)</span><o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">Value is represented as a list with a single element<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">The element must contain the attribute “id” representing the identifier of the resource being added.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="color:black;mso-list:l1 level1 lfo4">
Multiple concurrent PATCH requests can be made for a single group. Maximum concurrency is 100 TPS per group.<o:p></o:p></li></ul>
<p class="MsoListParagraphCxSpLast" style="margin-left:1.0in;mso-add-space:auto">
<o:p> </o:p></p>
<h2>List Users in Group<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">Question for the Working Group: Does anyone need this capability for SCIM provisioning, such as for anti-entropy purposes? We haven’t found anyone that uses it.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">If unnecessary, that’s fine. Can skip it.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Alternatively, if needed, the following implementation is proposed:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>GET /Users?attributes+eq+id&</i></b>
<b><i>filter=groups.value+eq+{groupId}&startIndex=1&count=100</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> GET /Users?attributes+eq+id& filter=groups.value+eq+{groupId}&startIndex=1&count=100<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> HTTP/1.1 200 OK<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "totalResults":100,</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Resources":[</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "id":"2819c223-7f76-453a-919d-413861904646"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "id":"c75ad752-64ae-4823-840d-ffa80929976c"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ... truncated ...</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="mso-list:l1 level1 lfo4">Maximum page size is 100<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>List Group Memberships for User<o:p></o:p></h2>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Question for the Working Group: Same as above, does anyone need this capability for SCIM provisioning. We haven’t found anyone that uses it.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">If needed, the following implementation is proposed:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>GET /Groups?attributes+eq+id&</i></b>
<b><i>filter=members.value+eq+{userId}&startIndex=1&count=100</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> GET /Groups?attributes+eq+id& filter=members.value+eq+{userId}&startIndex=1&count=100<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> HTTP/1.1 200 OK<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "totalResults":100,</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Resources":[</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "id":"</span><span style="color:black">
</span><span style="font-size:10.0pt;font-family:"Courier New";color:black">a6f93476-854f-43a4-b8e9-ddf8e81c4ca3",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "id":"</span><span style="color:black">
</span><span style="font-size:10.0pt;font-family:"Courier New";color:black">3f946a76-0378-4edd-be50-ff8d118d44fe",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ... truncated ...</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h1><b><span style="color:#4472C4">Other Considerations<o:p></o:p></span></b></h1>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" align="center">
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>ETags/If-Match<o:p></o:p></h2>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="mso-list:l1 level1 lfo4">SCIM allows this. Does anyone require it for conditional updates?<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Service Provider Configuration Endpoints<o:p></o:p></h2>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l1 level1 lfo4">SCIM defines endpoints for:<o:p></o:p>
<ul style="margin-top:0in" type="circle">
<li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level2 lfo4">/ServiceProviderConfig<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level2 lfo4">/Schemas<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level2 lfo4">/ResourceTypes<o:p></o:p></li></ul>
</li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo4">Anyone require these?<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l1 level1 lfo4">If so, would it still be required if the Application is known to be FastFed Compatible, as defined in this document?<o:p></o:p></li></ul>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
</body>
</html>