# SCIM IG Meeting Notes 2021-07-07 # Attendees Dale Olds (VMware) Danny Mayer Jacob Childress (Ping Identity) Matt Peterson (One Identity) Pam Dingle (Microsoft) Phil Hunt Shon Vella (Identity Automation) Paul Lanzi (Remediant) Tim Cappalli (Microsoft Identity) Matt Domsch (self) Wes Dunnington (Ping Identity) Jeremy Palenchar Connor Rowe (Okta) Anuradha Karunarathna # IETF111 * Announcement: Birds of a Feather meeting approved for IETF111; [July 29; Draft Agenda: https://github.com/SCIM-Interest-Group/wiki/blob/main/IETF111-SCIMBOF.md; Calendar invitation: https://datatracker.ietf.org/meeting/111/sessions/sins.ics; **Pam** to add additional information here]. This is a way for the Area Director to assess the community interest (diverse set of stakeholders, enough people committed to it, etc) to ensure an actual standard could be brought to maturity if a Working Group is empaneled. # Charter Notes * We have been asked to create a charter * Working draft: https://hackmd.io/gj0Du6xHRBq5wAwqFMueFg * (team read, discussed and revised in the working draft file directly) * Today: Ensure working group draft charter is an acceptable state to begin work * we need to find 1-2 things that the whole WG can get behind * Fractured support for different drafts could be a counter-indicator for the ADs * eg Phil's spec may be an example of this * We need to identify from this list, which ones MUST happen * Phil's candidate is soft delete * Wes: * Particular drafts might not be the right goal, for example no particular paging spec might be perfect but the work item might be neither * Phil: suggests a work effort of a "BCP" (best current practices) * Pam suggested a profile for provisioning vs directory * Phil suggested best security practices * Phil: other work item suggestions * Cleaning up SCIM * PAM * Phil to supply some text # Cursor Draft review/presentation/discussion (Matt Peterson) * Source material: draft-peterson-scim-cursor-pagination-000 * Matt asks for deep discussion to happen in a separate, follow-on, meeting * Matt presented slides: [**Matt** to add link here] * Experience came from One Identity trying to put SCIM in front of their existing APIs ("SCIM retrofit"); Matt believes this is a common use case / situation. In this scenario, unlikely you'd be able to modify the underlying system (much) and have to glue SCIM to the existing system * One recurring challenge was with cursor-based pagination at the SCIM layer not matching up with the underlying system's capabilities * There are arguments for both index-based (i.e. offset) and cursor-based pagination; see slide 11 for additional links/information. Intention of the draft is that implementors support both -- and at minimum, spec defines methods for sane/consistent implementation of both methods * Discussion about how this pushes complexity on to the client to pick their cursoring method from the option(s) available * Draft proposes two new query parameters: cursor and count and two new response metadata attributes: nextCursor and previousCursor (previousCursor is optional) * Discussion of potential Denial of Service (DoS) by an attacker creating many cursors; Matt noted that there are many mitigation stratgies for cursor over-allocation / resource abuse * Comments from chat window: * Phil - If you feel that scim can't change exisiting paging, how would a forced paging format help? Wouldn't it break the ability to implement against incompatiable paging systems? * Jeremy - So is there metadata in the draft where the server specifies support for cusrsors/paging/both? * Phil - What is the primary use of cursors? Synchronization? Reconciliation? * Jeremy - Additional Rationale for why we need cursors / paging - Querying all resources is required by many identity management systems in order to reliably deprovision accounts in the connected system * Next steps: schedule meeting for further discussion # SCIM Thoughts (Dale Olds) * Dale presented slides: [**Dale** to provide link] * In Dale's experience at VMware, he encourages adoption of OpenID Connect, Oauth2, SAML and SCIM. SCIM is the hardest for product/engineering teams to understand and adopt * almost all applicatinos need to browse users & groups * Need to move to a push model compared to a pull & cache model * Alignment of schemas between OAuth2, OIDC and SCIM? * He has observed SCIM being used as a metadirectory, in which case we need to keep track of the authoritative source for attributes; it's not clear who can update shared attributes Next steps: * Phil - ask on list about cursor types & uses * Pam to book an interim meeting next week * Will add to calendar and notify the list