Internet-Draft IPSIE AL1 SCIM December 2025
Maguire & Schreiber Expires 15 June 2026 [Page]
Workgroup:
IPSIE Working Group
Internet-Draft:
draft-ipsie-scim-al1-profile-latest
Published:
Intended Status:
Informational
Expires:
Authors:
M. Maguire
Aujas Cybersecurity
J. Schreiber
SGNL

IPSIE AL1 SCIM 2.0 Profile

Abstract

This document defines a profile for SCIM 2.0 to meet the security and interoperability requirements for identity lifecycle management within enterprises. Within the context of SCIM, The profile establishes requirements for provisioning, account management, client authentication, and identity synchronization.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://openid.github.io/ipsie-scim-al1/draft-ipsie-scim-al1-profile.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ipsie-scim-al1-profile/.

Discussion of this document takes place on the IPSIE Working Group mailing list (mailto:openid-specs-ipsie@lists.openid.net), which is archived at https://openid.net/wg/ipsie/.

Source for this draft and an issue tracker can be found at https://github.com/openid/ipsie-scim-al1.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 15 June 2026.

Table of Contents

1. Introduction

This document defines the IPSIE Account Lifecycle 1 (AL1) Profile for SCIM 2.0. It provides a clear reference for SCIM deployments that require a well-defined security baseline meeting best practices for interoperable enterprise identity management.

The profile addresses critical aspects of secure identity management, with particular emphasis on:

By adhering to this profile, organizations can implement SCIM-based integrations that meet stringent security requirements while ensuring interoperability across different implementations.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 RFC2119 [RFC8174] when, and only when, they appear in all capitals, as shown here.

2.1. Terminology

SCIM

  • The System for Cross-domain Identity Management as defined in [RFC7643] and [RFC7644]

SCIM Client

  • An application that uses the SCIM protocol to manage identity data maintained by the service provider. The client initiates SCIM HTTP requests to a target service provider.

SCIM Service Provider

  • An HTTP web application that provides identity information via the SCIM protocol.

Role

  • TODO: Add definition

Identity Service

  • Acts as the SCIM client, initiating all provisioning operations.

Application

  • Acts as the SCIM service provider, hosting SCIM endpoints and processing all provisioning requests.

Note: When SCIM is applied to the context of IPISIE, the Identity Service acts as the SCIM client and the Application acts as the SCIM service provider. The document will use the Role terms below for consistency between across IPSIE Profiles.

3. Profile

3.1. Authentication and Authorization

The Identity Service and Application MUST use OAuth 2.0 [RFC6749] for authentication and authorization of SCIM protocol.

// TODO: Should this link back to SL1?

// TODO: Expand Section

The following requirements ensure consistent and secure handling of access tokens and authorization server configuration:

// TODO: Be more explicit with token names.

  • OAuth 2.0 interactions MUST comply with JWT Client Authentication as defined in [RFC7523]

  • The token SHALL exchange a signed JWT for an access token and present that token in the {Authorization: Bearer} header on all subsequent SCIM requests.

  • The token MUST contain a "token_endpoint" value which is the URL of the Identity Service's OAuth 2.0 token endpoint.

  • The Acess Token MUST include the "scim" scope and not grant broader permissions.

  • All Authorization Server parameters SHOULD be discovered from OAuth Authorization Server metadata as defined in [RFC8414].

  • The Identity Service SHOULD expose a jwks_uri to allow the Application to perform signature verification

3.2. SCIM Interoperability Requirements

3.2.1. General Requirements

  • The Identity Service SHALL implement the required functionality of a SCIM client as defined in [RFC7643] and [RFC7644].

  • The Application SHALL implement the required functionality of a SCIM service provider as defined in [RFC7643] and [RFC7644].

  • All SCIM operations SHALL be authenticated and authorized via OAuth 2.0 as specified in Section 3.1.

  • Local modifications to Users or Groups in the Application are prohibited.

3.2.2. User Provisioning Operations

The Application MUST provide support all User provisioning operations defined in this section.

3.2.2.1. Create User (POST /Users)

User creation is performed by the SCIM operation POST /Users.

In addition to the user attributes required by [RFC7643], the following attributes are required to be part of the User schema:

// TODO: Should we keep this vauge or refer be explicit with attributes we are requiring? email vs emails?

  • An attribute which contains a unique identifier used by the enterprise to distinguish the owner of the account, such as "externalId."

  • An attribute which contains the primary email address of the user, such as "email"

3.2.2.2. Update User (PATCH /Users/{id})

User updates are performed by the SCIM operation PATCH /Users/{id}

3.2.2.3. Deactivate or Reactivate User (PATCH /Users/{id})

Changes to the user activation status, such deactivation and reactivation, are performed by the SCIM operation PATCH /Users/{id}

The Identity Service SHOULD propagate user deactivation events to the Application within 5 minutes of the user being deactivated.

The Application SHOULD respond to user deactivation events by revoking the ability for the user to continue accessing the Application, including the revocation of currently active sessions. The revocation mechanism outside the scope of this profile. Revocation SHOULD occur within 5 minutes of receiving the deactivation request.

When a user account is deactivated, all access mechanisms and authorizations associated with that account MUST also be deactivated. This includes, but is not limited to:

  • Web sessions

  • API tokens

  • Refresh tokens

  • Personal access tokens

  • SSH keys associated with the user

  • Device-based authentication credentials

The Application MUST allow reactivation of a deactivated user.

3.2.2.4. Delete User (DELETE /Users/{id})

User deletions are performed by the SCIM operation DELETE /Users/{id}

After a user is deleted, the Application MUST allow the creation of a new user with the same username.

// TODO: this could be tricky RE: maintianing the user's data

3.2.2.5. Get All Users (GET /Users)

Get all users in the system is performed by the SCIM operation GET /Users

This endpoint ensures that all users are managed by the Identity Service.

To ensure that large amounts of data can be read from the Application, the application must support with index-based or cursor-based pagination for the GET /Users request. To ensure system stability and prevent abuse, the Application SHALL enforce rate limits on this endpoint and must respond with appropriate headers, such as "429 Too Many Requests" and "Retry-After," when limits are exceeded.

3.2.2.6. Get User By ID (GET /Users/{id})

User searches by id are performed by the SCIM operation GET /Users/{id}

3.2.2.7. List Users By Alternate Identifier (GET /Users?)

User searches by alternate identifier are performed via the SCIM operation: GET /Users?filter={filterExpression}

Application Providers MUST support the following filter expressions:

  • username eq {username}

  • externalId eq {externalId}

  • emails[value eq {email}]

3.2.3. Group (Role) Provisioning Operations

The Application MUST provide support all Group provisioning operations defined in this section.

Note: Within the IPSIE standard, Application permissions are referred to as "Roles." Within SCIM, Application permissions are referred to as "Groups." The term "Role" in IPSIE is functionally equivalent to the term "Group" in SCIM.

3.2.3.1. Create Group (POST /Groups)

Group creation is performed by the SCIM operation POST /Group.

// TODO: Add more details

3.2.3.2. Get All Groups (GET /Groups)

A search for all groups in the system is performed by the SCIM operation GET /Groups

This endpoint ensures that all groups are managed by the Identity Service.

To ensure that large amounts of data can be read from the Application, the application MUST support with index-based or cursor-based pagination for the GET /Groups request. To ensure system stability and prevent abuse, the Application SHALL enforce rate limits on this endpoint and MUST respond with appropriate headers, such as "429 Too Many Requests" and "Retry-After," when limits are exceeded.

3.2.3.3. Get Group By ID (GET /Group/{id})

Group searches by id are performed by the SCIM operation GET /Group/{id}?excludedAttributes=members

3.2.3.4. List Groups By Alternate Identifier (GET /Groups?)

User lookups by alternate identifier are performed by the SCIM operation GET /Groups?filter={filterExpression}&excludedAttributes=members

Application Providers MUST support the following filter expressions:

// TODO: Add what filters are required to be supported

3.2.3.5. Add or Remove Group Members (PATCH /Group/{id})

Members are added or removed from Groups via the SCIM operation PATCH /Groups/{id}

For each Operation in the PATCH:

The op attribute MUST contain either "add" or "remove".

  • When the op is "add":

    • The path attribute MUST be "members".

    • The value attribute MUST be an array of Group member elements, as defined in Section 4.2 of the SCIM Core Schema [RFC7643]. Each member MUST contain a value subattribute with the id of the resource being added to the group.

  • When the op is "remove":

    • The path attribute MUST be either:

      • "members" (to remove all members)

      • "members[value eq {id}]" (to remove a single member)

    • The value attribute MUST be unspecified.

3.3. Metadata Endpoints

3.3.1. ResourceTypes

Application MUST host a /ResourceTypes endpoint, as defined in Section 4 of [RFC7644].

The supported ResourceTypes MUST include Users and Groups.

3.3.2. ServiceProviderConfig

Application Providers MUST host a /ServiceProviderConfig endpoint to describe the operations they support, as defined in Section 4 of [RFC7644]

The operations MUST include, at minimum, the set of SCIM capabilities required for compatibility with this IPSIE profile.

3.3.3. Schemas

Application Providers MUST host a /Schemas endpoint to describe the supported schemas, as defined in Section 4 of [RFC7644]. There must be a schema for both Users and Groups. The schemas must include all required attributes from RFC 7643 and from Section 3.2.3 (Create User).

3.4. Security Considerations

For SCIM security considerations, see [RFC7643] and [RFC7644]

Additionally, the following requierements are included to address security considerations.

  • Transport Security: All endpoints SHALL enforce TLS 1.2 or later with strong cipher suites and certificate validation.

  • Error Handling: Error responses SHALL use the SCIM error format and SHALL NOT leak internal details.

  • Replay Resistance: Access tokens SHALL expire and nonces SHALL be validated to prevent replay.

  • Auditing: All provisioning actions and responses SHALL be logged for audit and troubleshooting.

  • Rate Limiting: All endpoints SHALL enforce rate limiting and must respond with "429 Too Many Requests" when limits are exceeded.

4. Compliance Statement

Implementation of all mandatory requirements in this profile will result in a SCIM 2.0 deployment that satisfies IPSIE Identity Lifecycle Level 1 (IL1). Specifically:

By conforming to this profile, implementations will achieve a consistent, secure, and interoperable baseline for enterprise identity lifecycle management.

5. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC6749]
Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, , <https://www.rfc-editor.org/rfc/rfc6749>.
[RFC7523]
Jones, M., Campbell, B., and C. Mortimore, "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants", RFC 7523, DOI 10.17487/RFC7523, , <https://www.rfc-editor.org/rfc/rfc7523>.
[RFC7643]
Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C. Mortimore, "System for Cross-domain Identity Management: Core Schema", RFC 7643, DOI 10.17487/RFC7643, , <https://www.rfc-editor.org/rfc/rfc7643>.
[RFC7644]
Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E., and C. Mortimore, "System for Cross-domain Identity Management: Protocol", RFC 7644, DOI 10.17487/RFC7644, , <https://www.rfc-editor.org/rfc/rfc7644>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8414]
Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 Authorization Server Metadata", RFC 8414, DOI 10.17487/RFC8414, , <https://www.rfc-editor.org/rfc/rfc8414>.

Authors' Addresses

Mark Maguire
Aujas Cybersecurity
Jen Schreiber
SGNL