A new IETF working group has been proposed in the Applications Area. The IESG has not made any determination as yet. The following draft charter was submitted, and is provided for informational purposes only. Please send your comments to the IESG mailing list (iesg@ietf.org) by June 7, 2012.

System for Cross-domain Identity Management (SCIM)
----------------------------------------------

Status: Proposed Working Group
Last updated: 2012-05-29

Chair(s):
  TBD

Applications Area Director(s):
  Pete Resnick <presnick@qualcomm.com>
  Barry Leiba <barryleiba@computer.org>

Mailing Lists:
  General Discussion: scim@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/scim
  Archive: http://www.ietf.org/mail-archive/web/scim/

Description of Working Group:

The System for Cross-domain Identity Management (SCIM) working group will standardize methods for creating, reading, searching, modifying, and deleting user identities and identity-related objects across administrative domains, with the goal of simplifying common tasks related to user identity management in services and applications. "Standardize" does not necessarily mean that the working group will develop new technologies. For example, the existing specifications for "SCIM 1.0" provide RESTful interfaces on top of HTTP rather than defining a new application protocol.

Today, distributed identity management across administrative domains is complicated by a lack of protocol and schema standardization between consumers and producers of identities. This has led to a number of approaches, including error-prone manual administration and bulk file uploads, as well as proprietary protocols and mediation devices that must be adapted to each service for each organization. While there is existing work in the field, it has not been widely adopted for a variety of reasons, including a lack of common artifacts such as schema, toolsets, and libraries.

The SCIM working group will develop the core schema and RESTful interfaces to address these problems. Initially, the group will focus on

- a schema definition
- a set of operations for creation, modification, and deletion of users
- schema discovery
- read and search
- bulk operations
- mapping between the inetOrgPerson LDAP object class (RFC 2798) and the SCIM schema

It will follow that by considering extensions for client targeting of specific SCIM endpoints and SAML binding. The approach will be extensible.

The group will use, as starting points, the following drafts in the following ways:

  draft-scim-use-cases-00 as the initial use cases for SCIM
  draft-scim-core-schema-00 as the schema specification
  draft-scim-api-00 as the protocol specification

These drafts are based on existing specifications, which together are commonly known as SCIM 1.0. Because there is existing work with existing implementations, some consideration should be given to backward compatibility, though getting it right takes priority. This group will consider the operational experience gathered from the existing work, as well as experiences with work done by other bodies, including the OASIS Provisioning TC.

The use cases document will be a "living document", guiding the working group during its development of the standards. The group may take snapshots of that document for Informational publication, to serve as documentation of the motivation for the work in progress and to similarly guide planning and implementation.

The group will produce Proposed Standards for a schema, a REST-based protocol, and a SAML binding, as well as an Informational document defining an LDAP mapping. In doing so, the group will make the terminology consistent, identify any functional gaps that would be useful for future work, address internationalization, and provide guidelines and mechanisms for extensibility.

In addition, the working group will ensure that the SCIM protocol embodies good security practices. Given both the sensitivity of the information being conveyed in SCIM messages and the regulatory requirements regarding the privacy of personally identifiable information, the working group will pay particular attention to issues around authorization, authenticity, and privacy.

The group considers the following out of scope for this group:

- Defining new authentication schemes
- Defining new policy/authorization schemes

Milestones

  06/2012  Initial adoption of SCIM use cases, as a living document
  06/2012  Initial adoption of SCIM core schema
  08/2012  Initial adoption of SCIM restful interface draft
  12/2012  Snapshot version of SCIM use cases to IESG as Informational (possibly)
  12/2012  Proposal for client targeting of SCIM endpoints
  01/2013  Initial adoption of SCIM LDAP inetOrgPerson mapping draft
  02/2013  SCIM core schema to IESG as Proposed Standard
  05/2013  SCIM restful interface to IESG as Proposed Standard
  06/2013  SCIM LDAP inetOrgPerson mapping to IESG as Informational
  07/2013  Initial adoption of SCIM SAML bindings draft
  08/2013  Client targeting of SCIM endpoints to IESG as Proposed Standard
  09/2013  Snapshot update of SCIM use cases as Informational (possibly)
  11/2013  SCIM SAML bindings to IESG as Proposed Standard
  01/2014  Work completed; discuss re-charter