<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
h1
{mso-style-priority:9;
mso-style-link:"Heading 1 Char";
margin-top:12.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
page-break-after:avoid;
font-size:16.0pt;
font-family:"Calibri Light",sans-serif;
color:#2F5496;
font-weight:normal;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
margin-top:2.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
page-break-after:avoid;
font-size:13.0pt;
font-family:"Calibri Light",sans-serif;
color:#2F5496;
font-weight:normal;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
margin-top:2.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
page-break-after:avoid;
font-size:12.0pt;
font-family:"Calibri Light",sans-serif;
color:#1F3763;
font-weight:normal;}
p.MsoTitle, li.MsoTitle, div.MsoTitle
{mso-style-priority:10;
mso-style-link:"Title Char";
margin:0in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:28.0pt;
font-family:"Calibri Light",sans-serif;
letter-spacing:-.5pt;}
p.MsoTitleCxSpFirst, li.MsoTitleCxSpFirst, div.MsoTitleCxSpFirst
{mso-style-priority:10;
mso-style-link:"Title Char";
mso-style-type:export-only;
margin:0in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:28.0pt;
font-family:"Calibri Light",sans-serif;
letter-spacing:-.5pt;}
p.MsoTitleCxSpMiddle, li.MsoTitleCxSpMiddle, div.MsoTitleCxSpMiddle
{mso-style-priority:10;
mso-style-link:"Title Char";
mso-style-type:export-only;
margin:0in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:28.0pt;
font-family:"Calibri Light",sans-serif;
letter-spacing:-.5pt;}
p.MsoTitleCxSpLast, li.MsoTitleCxSpLast, div.MsoTitleCxSpLast
{mso-style-priority:10;
mso-style-link:"Title Char";
mso-style-type:export-only;
margin:0in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:28.0pt;
font-family:"Calibri Light",sans-serif;
letter-spacing:-.5pt;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-priority:9;
mso-style-link:"Heading 1";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri Light",sans-serif;
color:#1F3763;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.TitleChar
{mso-style-name:"Title Char";
mso-style-priority:10;
mso-style-link:Title;
font-family:"Calibri Light",sans-serif;
letter-spacing:-.5pt;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:569460472;
mso-list-type:hybrid;
mso-list-template-ids:-1818854208 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:661201334;
mso-list-type:hybrid;
mso-list-template-ids:38575416 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:675152581;
mso-list-type:hybrid;
mso-list-template-ids:-1974805358 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l3
{mso-list-id:745958793;
mso-list-type:hybrid;
mso-list-template-ids:-130544472 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4
{mso-list-id:1180197337;
mso-list-type:hybrid;
mso-list-template-ids:-49756976 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5
{mso-list-id:1206679663;
mso-list-type:hybrid;
mso-list-template-ids:366896350 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l6
{mso-list-id:1341003375;
mso-list-type:hybrid;
mso-list-template-ids:-1862338546 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l6:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l6:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l6:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l6:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l6:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l6:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l6:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l6:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l6:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l7
{mso-list-id:1490092225;
mso-list-type:hybrid;
mso-list-template-ids:1022365020 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l7:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l7:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l7:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l7:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l7:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l7:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l7:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l7:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l7:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks for all the feedback on the FastFed SCIM profile. (Was able to catchup with Karl and Zhen on Tuesday.)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I think we’re at consensus on the big questions. I’ve uploaded a new version and pasted a copy in this email.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><a href="https://drive.google.com/file/d/18XTUVXIG-AC3l_xoISkr9R-zV_69C6il/view?usp=sharing">https://drive.google.com/file/d/18XTUVXIG-AC3l_xoISkr9R-zV_69C6il/view?usp=sharing</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Based on this sketch, I’ll begin writing the normative version.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Key changes were to:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l5 level1 lfo1"><span style="font-size:11.0pt">Update User<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l5 level1 lfo1"><span style="font-size:11.0pt">Deactivate/Delete User<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l5 level1 lfo1"><span style="font-size:11.0pt">Deactivate/Delete Group<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l5 level1 lfo1"><span style="font-size:11.0pt">Add/Remove Group Members<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Please also check if the profile is missing operations you need for provisioning.</span></b><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Examples of operations NOT currently in the profile:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo2"><span style="font-size:11.0pt">Get all Users in Directory<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo2"><span style="font-size:11.0pt">Get all Groups in Directory<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo2"><span style="font-size:11.0pt">Get all Users in Group<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo2"><span style="font-size:11.0pt">Get all Groups for User<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">-Darin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">---------------------------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoTitle">SCIM Interop Requirements V2<o:p></o:p></p>
<p class="MsoNormal"><b>Updated Feb 19<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This is a non-normative sketch of the interop profile, incorporating WG feedback.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h1><b><span style="color:#4472C4">User Operations<o:p></o:p></span></b></h1>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" align="center">
</div>
<h2><o:p> </o:p></h2>
<h2>Create User<o:p></o:p></h2>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>POST /Users</i></b><i><o:p></o:p></i></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> <o:p></o:p></span></pre>
<pre><span style="color:black"> POST /Users HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<pre><span style="color:black"><o:p> </o:p></span></pre>
<pre><span style="color:black"> {<o:p></o:p></span></pre>
<pre><span style="color:black"> "schemas":[<o:p></o:p></span></pre>
<pre><span style="color:black"> "urn:ietf:params:scim:schemas:core:2.0:User",<o:p></o:p></span></pre>
<pre><span style="color:black"> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"<o:p></o:p></span></pre>
<pre><span style="color:black"> ],<o:p></o:p></span></pre>
<pre><span style="color:black"> "externalId": "98d78581-dd0d-4361-ab61-9511c6e5f035",<o:p></o:p></span></pre>
<pre><span style="color:black"> "userName":"bjensen",<o:p></o:p></span></pre>
<pre><span style="color:black"> "name":{<o:p></o:p></span></pre>
<pre><span style="color:black"> "formatted":"Ms. Barbara J Jensen III",<o:p></o:p></span></pre>
<pre><span style="color:black"> "familyName":"Jensen",<o:p></o:p></span></pre>
<pre><span style="color:black"> "givenName":"Barbara"<o:p></o:p></span></pre>
<pre><span style="color:black"> }<o:p></o:p></span></pre>
<pre><span style="color:black"> "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {<o:p></o:p></span></pre>
<pre><span style="color:black"> "costCenter":"12345",<o:p></o:p></span></pre>
<pre><span style="color:black"> "manager":{"value": "0cca76a8-090a-4944-8e61-e7791e619d48"}<o:p></o:p></span></pre>
<pre><span style="color:black"> }<o:p></o:p></span></pre>
<pre><span style="color:black"> }<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l6 level1 lfo3">The “groups” attribute on the User object should NOT be included. Application Providers should ignore it, if it exists.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l6 level1 lfo3">If multiple values are provided for “emails”,
<br>
“phoneNumbers”, or “addresses”, then one must have “primary=true”. If only a single value is provided, the Application may treat the single value as the primary if not explicitly labeled as such.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l6 level1 lfo3">References to other resources, such as the “manager” attribute in the EnterpriseUser object, must contain the “id” of the referenced object in the SCIM server. The referenced object must
be created in advance. <span style="color:#767171;mso-style-textfill-fill-color:#767171;mso-style-textfill-fill-alpha:100.0%">
(Technical note: this precludes circular references.)</span><o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l6 level1 lfo3"><span style="color:black">If a value for “password” is sent, and the Application doesn’t need a password (because it relies on authentication via the IdP), it should ignore the password.
</span><span style="color:#A5A5A5">(This is essentially Postel’s law. In the normative spec, can reformulate in a general sense. E.g. Ignore anything you didn’t ask for & don’t need.)</span><o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Update User<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>PATCH /Users/{id}</i></b><i><o:p></o:p></i></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><o:p> </o:p></span></pre>
<pre><span style="color:black"> PATCH /Users/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<pre><span style="color:black"><o:p> </o:p></span></pre>
<pre><span style="color:black"> {<o:p></o:p></span></pre>
<pre><span style="color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],<o:p></o:p></span></pre>
<pre><span style="color:black"> "Operations": [<o:p></o:p></span></pre>
<pre><span style="color:black"> {<o:p></o:p></span></pre>
<pre><span style="color:black"> "op": "replace"<o:p></o:p></span></pre>
<pre><span style="color:black"> "path": "name.formatted”<o:p></o:p></span></pre>
<pre><span style="color:black"> "value": "Babs Jensen"<o:p></o:p></span></pre>
<pre><span style="color:black"> },<o:p></o:p></span></pre>
<pre><span style="color:black"> {<o:p></o:p></span></pre>
<pre><span style="color:black"> "op": "replace"<o:p></o:p></span></pre>
<pre><span style="color:black"> "path": "addresses[type eq \"work\"].streetAddress”<o:p></o:p></span></pre>
<pre><span style="color:black"> "value": "1010 Broadway Ave"<o:p></o:p></span></pre>
<pre><span style="color:black"> },<o:p></o:p></span></pre>
<pre><span style="color:black"> ]<o:p></o:p></span></pre>
<pre><span style="color:black"> }<o:p></o:p></span></pre>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<p class="MsoListParagraphCxSpFirst" style="margin-left:1.0in;mso-add-space:auto;text-indent:-.25in;mso-list:l3 level1 lfo4">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>The original version of this document proposed doing all Updates via the PUT operation.<o:p></o:p></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:1.5in;mso-add-space:auto;text-indent:-.25in;mso-list:l3 level2 lfo4">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Feedback from WG members, including those who currently use PUT, was that it was preferable to move away from that model, instead PATCH’ing only the modified attributes.
<o:p></o:p></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:1.5in;mso-add-space:auto;text-indent:-.25in;mso-list:l3 level2 lfo4">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>The reasoning is that there have been challenges with the PUT model accidentally overwriting information that the IdP shouldn’t touch.
<o:p></o:p></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:1.25in;mso-add-space:auto;text-indent:-.25in;mso-list:l3 level2 lfo4">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Implementing PUTs safely requires reading the existing entry, overlaying the changes, and then doing a conditional write back to the service with ETag semantics. This drives more traffic to the App, and requires them to implement
ETags.<o:p></o:p></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:1.25in;mso-add-space:auto;text-indent:-.25in;mso-list:l3 level2 lfo4">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>As an aside, in order to simplify the burden of handling PATCH requests, it would be nice if there was a widely adopted Open Source implementation for SCIM Users & Groups that would handle the complicated logic of mutating object
contents according to the SCIM rules for add/replace/remove. <o:p></o:p></p>
<p class="MsoListParagraphCxSpLast" style="margin-left:.75in;mso-add-space:auto;text-indent:-.25in;mso-list:l3 level1 lfo4">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>SCIM gives the option to return the full object (via an HTTP 200) or just an empty ACK (via an HTTP 204). FastFed will specify the HTTP 204 approach for update operations.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Deactivate/Reactivate User<o:p></o:p></h2>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">This is a special case of updating a user.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>PATCH /Users/{id}</i></b><i><o:p></o:p></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black">PATCH /Users/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<pre><span style="color:black"><o:p> </o:p></span></pre>
<pre><span style="color:black"> {<o:p></o:p></span></pre>
<pre><span style="color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],<o:p></o:p></span></pre>
<pre><span style="color:black"> "Operations": [{<o:p></o:p></span></pre>
<pre><span style="color:black"> "op": "replace"<o:p></o:p></span></pre>
<pre><span style="color:black"> "path": "active”<o:p></o:p></span></pre>
<pre><span style="color:black"> "value": false<o:p></o:p></span></pre>
<pre><span style="color:black"> }]<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black">}</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<h2><o:p> </o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<p class="MsoListParagraphCxSpFirst" style="margin-left:1.0in;mso-add-space:auto;text-indent:-.25in;mso-list:l3 level1 lfo4">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Deactivation will prevent the user from continuing to use the Application. From the existing spec: “<span style="font-size:10.0pt">Application Providers SHOULD respond to account deactivation by revoking the ability for the end-user
to use the Application, even if that end-user has an active session with an expiration date in the future. The revocation mechanism is an implementation detail and outside the scope of this specification. Revocation should occur within 5 minutes of receiving
the deactivation</span>”<o:p></o:p></p>
<p class="MsoListParagraphCxSpMiddle" style="margin-left:1.0in;mso-add-space:auto;text-indent:-.25in;mso-list:l3 level1 lfo4">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Must be able to reactivate the User. <o:p></o:p></p>
<p class="MsoListParagraphCxSpLast" style="margin-left:1.0in;mso-add-space:auto;text-indent:-.25in;mso-list:l3 level1 lfo4">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>It’s OK to leave a User in the deactivated status in perpetuity.<o:p></o:p></p>
<h2><o:p> </o:p></h2>
<h2>Delete User<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>DELETE /Users/{id}</i></b><i><o:p></o:p></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> DELETE /Users/{id}<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<p class="MsoListParagraphCxSpFirst" style="margin-left:1.0in;mso-add-space:auto;text-indent:-.25in;mso-list:l4 level1 lfo5">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>After a user is deleted, it must be possible to create a fresh user with the same username.
<o:p></o:p></p>
<p class="MsoListParagraphCxSpLast" style="margin-left:1.0in;mso-add-space:auto;text-indent:-.25in;mso-list:l4 level1 lfo5">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>It’s the choice of the IdP to determine when to invoke delete. As a reference to implementors, a best practice is to first Deactivate the user, wait for an undo window, and then permanently Delete if needed, such as when recycling
a username. It’s OK to never delete, too, if that’s the IdP preference.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Get User By Id<o:p></o:p></h2>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>GET /Users/{id}</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> GET /Users/{id}<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> HTTP/1.1 200 OK<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "meta":{</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "resourceType":"User",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "created":"2011-08-01T18:29:49.793Z",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "lastModified":"2011-08-01T18:29:49.793Z",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "version":"W\/\"f250dd84f0671c3\""</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "id":"2819c223-7f76-453a-919d-413861904646",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<pre><span style="color:black"> "externalId": "98d78581-dd0d-4361-ab61-9511c6e5f035",<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "userName":"bjensen",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "name":{</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "formatted":"Ms. Barbara J Jensen III",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "familyName":"Jensen",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "givenName":"Barbara"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "emails":[</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value":"bjensen@example.com",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "type":"work"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]
</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="mso-list:l6 level1 lfo3">The “groups” attribute on the User object should NOT be included. Identity Providers should ignore it, if it exists.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Get User By Alternate Key<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">The SCIM Service must support looking up Users based on the following filters:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l7 level1 lfo6"><span style="font-size:10.0pt;font-family:"Courier New"">“username eq”<o:p></o:p></span></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l7 level1 lfo6"><span style="font-size:10.0pt;font-family:"Courier New"">“emails[primary eq true].value eq”</span><i> (if email is defined for Users)</i><o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l7 level1 lfo6"><span style="font-size:10.0pt;font-family:"Courier New"">“externalId eq”</span><i> (If the IdentityProvider has provided a value for externalId)</i><o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>GET /Users?filter=...</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> GET /Users?filter=userName+eq+{username}<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> HTTP/1.1 200 OK<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "totalResults":1,</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Resources":[</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "meta":{</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "resourceType":"User",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "created":"2011-08-01T18:29:49.793Z",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "lastModified":"2011-08-01T18:29:49.793Z",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "version":"W\/\"f250dd84f0671c3\""</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "id":"2819c223-7f76-453a-919d-413861904646",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<pre><span style="color:black"> "externalId": "98d78581-dd0d-4361-ab61-9511c6e5f035",<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "userName":"bjensen",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "name":{</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "formatted":"Ms. Barbara J Jensen III",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "familyName":"Jensen",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "givenName":"Barbara"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "emails":[</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value":"bjensen@example.com",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "type":"work"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }
</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>All Other User Operations<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">Other operations are out of scope for SCIM provisioning between an Identity Provider and Application Provider.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Applications may support additional functionality, but it is not required for FastFed Compatibility.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h1><b><span style="color:#4472C4">Group Operations<o:p></o:p></span></b></h1>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" align="center">
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Create Group<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>POST /Groups</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> POST /Groups HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:scim:schemas:core:1.0"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "externalId": "e5a41517-bcd6-4b8b-8590-487ae996de44",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "displayName": "Group Name"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l1 level1 lfo7">DisplayName is required<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo7">ExternalId is optional<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l1 level1 lfo7">Members must be empty/undefined.
<span style="color:#A5A5A5">(Technical note: The reasoning here is two-fold. First, some implementations can store group metadata separately from group memberships, making it difficult to adhere to the atomic update requirements for POST and PATCH operations
on a two-phase commit. Second, even if that’s not the case, SCIM doesn’t provide any guidance (or way to communicate) the maximum number of membership changes in a single POST/PATCH, such that even those with transactional capabilities may only be capable
of performing a limited quantity of work within a transactional unit. See later sections for recommended handling of group membership.)</span><o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Update Group Metadata<o:p></o:p></h2>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>PATCH /Groups/{id}</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> PATCH /Groups/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "replace",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "externalId",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value": "{newExternalId}"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "replace",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "displayName",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value": "{newDisplayName}"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l1 level1 lfo7">DisplayName cannot be removed or replaced with empty/null values.<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l1 level1 lfo7">Membership changes cannot be included when updating group metadata.
<span style="color:#A5A5A5">(For same reasoning as in Create Group.)</span><o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Deactivate Group<o:p></o:p></h2>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM has no mechanism to softly deactivate prior to permanent deletion of a group. However, experience has taught that leaping straight to permanent deletion can have undesired repercussions for any user entitlements
in the Application based on group membership. If the deletion was in error, it cannot be easily undone. The entitlements inside the Application must be re-established from scratch under a new group Id.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">To provide more safety, and simulate an undo window, Identity Providers are encouraged to first remove all group memberships, wait a period of time, and then permanently delete the group in the Application when
comfortable with the action. It is also acceptable to leave the empty group in perpetuity, or only delete it on-demand when a new group is being created with a recycled name.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">To allow this behavior, Application Providers must support removing all members via a PATCH:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>PATCH /Groups/{id}</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> PATCH /Groups/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<pre><span style="color:black"><o:p> </o:p></span></pre>
<pre><span style="color:black"> {<o:p></o:p></span></pre>
<pre><span style="color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],<o:p></o:p></span></pre>
<pre><span style="color:black"> "Operations": [{<o:p></o:p></span></pre>
<pre><span style="color:black"> "op": "remove"<o:p></o:p></span></pre>
<pre><span style="color:black"> "path": "members”<o:p></o:p></span></pre>
<pre><span style="color:black"> }]<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black">}</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Delete Group<o:p></o:p></h2>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">SCIM Operation: <b><i>DELETE /Groups/{id}</i></b><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> DELETE /Groups/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="mso-list:l2 level1 lfo8">Application Providers should verify the group membership is empty prior to deletion, and may reject the deletion (via an error code TBD) if members still exist.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Add User to Group / Remove User from Group<o:p></o:p></h2>
<p class="MsoNormal"><o:p> </o:p></p>
<h3 style="margin-left:.5in">Summary of Working Group Discussions<o:p></o:p></h3>
<p class="MsoNormal" style="margin-left:.5in">This was a rich topic. Three options were considered.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b>Option 1) PATCH 1x1 <o:p></o:p></b></p>
<p class="MsoNormal" style="margin-left:.5in">In this approach, each PATCH contains a single user to add/remove. Multiple requests can be parallelized to accelerate provisioning.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> PATCH /Groups/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "add",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "members",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
<b>"value": [{"value": "{id}"}]</b></span><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]
</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The drawback here is that Identity Providers have encountered frequent rate limiting when parallelizing requests. At times, the call patterns trip DDOS detectors of an Application.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">This has been painful enough that multiple Providers expressed a strong preference for avoiding this approach. Some who do it today prefer to change.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b>Option 2) PATCH a List<o:p></o:p></b></p>
<p class="MsoNormal" style="margin-left:.5in">In this approach, each PATCH request contains a list of users to add/remove, up to some maximum limit of 100-1000 users.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> PATCH /Groups/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "add",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "members",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black">
<b>"value": [</b></span><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {"value": "{id_1}"},</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {"value": "{id_2}"},</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {"value": "{id_3}"},</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ... truncated ...</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]
</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The drawback here is that SCIM asserts PATCH operations must be atomic. However, due to the various data models and storage technologies used by Applications, it can be difficult (or impossible) to commit 100-1000
updates in a single atomic transaction.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">If a PATCH partially succeeds, there is no way to communicate back to the Identity Provider which items succeeded/failed. As a result, two Providers may drift out of sync on group memberships.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b>Option 3) Bulk APIs<o:p></o:p></b></p>
<p class="MsoNormal" style="margin-left:.5in">The SCIM protocol offers bulk APIs.
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Be aware, this is not a mechanism for processing a list of changes via an asynchronous job. SCIM Bulk operations are regular HTTP POSTs with a list of changes. The difference between this and a PATCH operation is
that a bulk response is granular enough to indicate which actions succeeded or failed, rather than assuming all is atomic.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The request still needs to be executed within the lifetime of a single HTTP POST. This lifetime is often in the range of 60-100 seconds due to inherent timeouts in the call path. (Proxies, Load Balancers, WAF,
etc.) <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Net result: bulk requests have the same limits upon the amount of work that can be done, often in the range of 100-1000 requests per request. The key advantage is data consistency, because it is possible to accurately
communicate back to the IdP which items succeeded or failed.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The drawback is that almost nobody has implemented bulk APIs in a real production system. Therefore, we are asking Providers to do more work, and risk finding gotchas in a portion of the SCIM specification that
has seen minimal use.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b>RECOMMENDATION<o:p></o:p></b></p>
<p class="MsoNormal" style="margin-left:.5in">The consensus was to encourage the use of bulk APIs, but allow the use of PATCH as a practical matter, because it represents how most systems behave today.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">This approach is illustrated below.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<h3 style="margin-left:.5in">Example of Adding/Removing Group Membership via Bulk APIs<o:p></o:p></h3>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">If an Application supports bulk operations, it must declare so in the /ServiceProviderConfig.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">If an Identity Provider also supports bulk operations, it must query the /ServiceProviderConfig to detect Application preferences.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> GET /ServiceProviderConfig HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas":</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "bulk": {</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "supported":true,</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "maxOperations":100</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ... truncated ...</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black">}</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Applications should specify the “maxOperations”. Minimum value is 100, but Providers may support more. If not defined, the default is “100”.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Next, the Identity Provider can invoke the bulk endpoint:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example Bulk Request:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> POST /Bulk HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas":</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<pre><span style="color:black"> ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],</span><o:p></o:p></pre>
<pre><span style="color:black"> "failOnErrors": false,</span><o:p></o:p></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "method": "PATCH",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "/Groups/{groupId}",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "bulkId": "b668efbe-fe1c-4e87-b45c-6c2aacb48601",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "data":
</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "remove",</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "members[value eq \"{user_id_1}\"",</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "method": "PATCH",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "/Groups/{groupId}",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "bulkId": "933d69cc-599a-43bc-88d6-7223b27af374",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "data":
</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "add",</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "members",</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value": [{"value": "{user_id_2}"}]</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "method": "PATCH",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "/Groups/{groupId}",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "bulkId": "f8fbb531-240e-47cd-b738-ba75bb9dfd52",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "data":
</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "add",</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "members",</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value": [{"value": "{user_id_3}"}]</span></b><b><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black">}</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l2 level1 lfo8">All operations must be on the same GroupId<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l2 level1 lfo8">The “op” must be either “add” or “remove”.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l2 level1 lfo8">Each Operation should add/remove only a single resource.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l2 level1 lfo8"><span style="color:black">The resource must be a User.</span><span style="color:red"> Nested groups are not supported</span>. Identity Providers should flatten any nested group memberships
before provisioning to an Application. <span style="color:#A5A5A5">(The reasoning here is that most Applications don’t support nested groups, and asking them to do so is a heavy lift in order to achieve FastFed Interoperability.)</span><o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l2 level1 lfo8">“failOnErrors” must be false or unspecified.
<span style="color:#A5A5A5">(The reasoning here is that Applications may parallelize the work across multiple processes, making it challenging to track the number of accumulated errors in a distributed system. Since nobody appears to need this functionality,
labelling it out of scope for FastFed Interoperability.)</span><o:p></o:p></li></ul>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The Application provider responds with the results. In the following example, two operations succeeded and one failed.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example Bulk Response:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> HTTP/1.1 200 OK<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas":</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<pre><span style="color:black"> ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],</span><o:p></o:p></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "method": "PATCH",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "/Groups/{groupId}",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "bulkId": "b668efbe-fe1c-4e87-b45c-6c2aacb48601",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "status": "204"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "method": "PATCH",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "/Groups/{groupId}",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "bulkId": "933d69cc-599a-43bc-88d6-7223b27af374",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "status": "204"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "method": "PATCH",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "/Groups/{groupId}",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "bulkId": "f8fbb531-240e-47cd-b738-ba75bb9dfd52",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "status": "404"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "response": {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<pre><span style="color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],<o:p></o:p></span></pre>
<pre><span style="color:black"> "Resource does not exist with id={user_id_3}”</span><o:p></o:p></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "status": "404"</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black">}</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l2 level1 lfo8">As per the SCIM specifications, successful operations return a “204” status code to indicate that no data is being returned.<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l2 level1 lfo8">If an error occurs, the response is described by Section 3.7.3 of the SCIM Protocol.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h3 style="margin-left:.5in">Example of Adding/Removing Group Membership via PATCH<o:p></o:p></h3>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">If an Identity Provider does not support Bulk, or discovers that the Application doesn’t support Bulk, then PATCH is used.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Example:<o:p></o:p></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="margin-left:.5in;background:#FEFFCA;border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<pre><span style="color:black"><br><br><o:p></o:p></span></pre>
<pre><span style="color:black"> PATCH /Groups/{id} HTTP/1.1<o:p></o:p></span></pre>
<pre><span style="color:black"> Host: example.com<o:p></o:p></span></pre>
<pre><span style="color:black"> Accept: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Type: application/scim+json<o:p></o:p></span></pre>
<pre><span style="color:black"> Authorization: Bearer h480djs93hd8<o:p></o:p></span></pre>
<pre><span style="color:black"> Content-Length: ...<o:p></o:p></span></pre>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"></span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "Operations": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "remove",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "members[value eq \"{user_id_1}\"",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> },</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "op": "add",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "path": "members",</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> "value": [</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {"value": "{user_id_2}"},</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> {"value": "{user_id_3}"}</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> ]
</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"> }</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Notes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l1 level1 lfo7">Application Providers must always support group membership changes via PATCH, to be compatible with Identity Providers who lack Bulk capabilities.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo7">Up to 100 membership changes are allowed per PATCH request. This is measured by counting the individual users being added/removed, summed across all operations in the PATCH.<o:p></o:p>
<ul style="margin-top:0in" type="circle">
<li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level2 lfo7">Removal of all members, as defined in “Deactivate Group”, is counted as a single change and, if used, must be the first operation in a request.<o:p></o:p></li></ul>
</li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo7">Most of the same rules from Bulk updates apply to PATCH. This includes:<o:p></o:p>
<ul style="margin-top:0in" type="circle">
<li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level2 lfo7">No nested groups<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level2 lfo7">“op” can be either “add” or “remove”<o:p></o:p></li></ul>
</li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo7">If any membership change results in an error, the Application should stop processing and return the error response.
<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo7"><span style="color:#A5A5A5">(Technical Note: Even though the SCIM specification requires that PATCH operations be atomic, we have observed that implementations often are not. As a result,
it’s possible that an Application may commit a number of changes before halting on an error. Hence, the bullets below are aimed at allowing a graceful recovery if this occurs.)</span><o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo7">If the Identity Provider receives an error, it should assume that none of the changes were committed and retry as appropriate.<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l1 level1 lfo7">If the Application Provider receives a duplicate operations, such as adding a user to a group to which the user already belongs (or removing them from a group where they don’t belong), the
Application Provider should behave idempotently and return a success.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h1><b><span style="color:#4472C4">Other Considerations<o:p></o:p></span></b></h1>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" align="center">
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>ETags/If-Match<o:p></o:p></h2>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="mso-list:l1 level1 lfo7">Not required for FastFed Interoperability<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Configuration Endpoint: /Resourcetypes<o:p></o:p></h2>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="mso-list:l1 level1 lfo7">Applications must host a /ResourceTypes endpoint. It must include Users. It may include Groups. If the /ResourceTypes doesn’t include Groups, then the Identity Provider will not provision Groups.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Configuration Endpoint: /ServiceProviderConfig<o:p></o:p></h2>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l1 level1 lfo7">Applications must implement a /ServiceProviderConfig endpoint to describe the operations they support.
<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="mso-list:l1 level1 lfo7">The operations must include, at minimum, the set of SCIM capabilities required for FastFed compatibility.
<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l1 level1 lfo7">Additional capabilities may be supported, but are not required for FastFed compatibility.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<h2>Configuration Endpoint: /Schemas<o:p></o:p></h2>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="mso-list:l1 level1 lfo7">If an Application asks for custom attributes (as described in Section 3.3.5 of FastFed Core), then it must host a /Schemas endpoint describing the attributes.<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="mso-list:l1 level1 lfo7">Otherwise, if an Application only uses the predefined attributes in the SCIM Core specification, it does not need to host a /Schemas endpoint.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
</body>
</html>