RFC 7643
System for Cross-domain Identity Management: Core Schema
3. SCIM Resources
Each SCIM resource is a JSON object that has the following components: Resource Type Each resource (or JSON object) in SCIM has a resource type ("meta.resourceType"; see Section 3.1) that defines the resource's core attribute schema and any attribute extension schema, as well as the endpoint where objects of the same type may be found. More information about a resource MAY be found in its resource type definition (see Section 6). "Schemas" Attribute The "schemas" attribute is a REQUIRED attribute and is an array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure. This attribute may be used by parsers to define the attributes present in the JSON structure that is the body to an HTTP request or response. Each String value must be a unique URI. All representations of SCIM schemas MUST include a non-empty array with value(s) of the URIs supported by that representation. The "schemas" attribute for a resource MUST only contain values defined as "schema" and "schemaExtensions" for the resource's defined "resourceType". Duplicate values MUST NOT be included. Value order is not specified and MUST NOT impact behavior. Common Attributes A resource's common attributes are those attributes that are part of every SCIM resource, regardless of the value of the "schemas" attribute present in a JSON body. These attributes are not defined in any particular schema but SHALL be assumed to be present in every resource, regardless of the value of the "schemas" attribute. See Section 3.1.
Core Attributes
A resource's core attributes are those attributes that sit at the
top level of the JSON object together with the common attributes
(such as the resource "id"). The list of valid attributes is
specified by the resource's resource type "schema" attribute (see
Section 6). This same value is also present in the resource's
"schemas" attribute.
Extended Attributes
Extended schema attributes are specified by the resource's
resource type "schemaExtensions" attribute (see Section 6).
Unlike core attributes, extended attributes are kept in their own
sub-attribute namespace identified by the schema extension URI.
This avoids attribute name conflicts that may arise due to
conflicts from separate schema extensions.
The following example "User" contains the common attributes "id" and "externalId", as well as the complex attribute "meta", which contains the sub-attribute "resourceType". The resource also contains core attributes "userName" and "name", as well as extended enterprise User attributes "employeeNumber" and "costCenter", which are contained in their own JSON substructure identified by their schema URI. Some values have been omitted (...), shortened, or spaced out for clarity. { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"], "id": "2819c223-7f76-453a-413861904646", "externalId": "701984", "userName": "bjensen@example.com", "name": { "formatted": "Ms. Barbara J Jensen, III", "familyName": "Jensen", "givenName": "Barbara", "middleName": "Jane", "honorificPrefix": "Ms.", "honorificSuffix": "III" }, ... "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "employeeNumber": "701984", "costCenter": "4130", ... }, "meta": { "resourceType": "User", "created": "2010-01-23T04:56:22Z", "lastModified": "2011-05-13T04:42:34Z", "version": "W\/\"3694e05e9dff591\"", "location": "https://example.com/v2/Users/2819c223-7f76-453a-413861904646" } } Figure 2: Example JSON Resource Structure
3.1. Common Attributes
Each SCIM resource (Users, Groups, etc.) includes the following common attributes. With the exception of the "ServiceProviderConfig" and "ResourceType" server discovery endpoints and their associated resources, these attributes MUST be defined for all resources, including any extended resource types. When accepted by a service provider (e.g., after a SCIM create), the attributes "id" and "meta" (and its associated sub-attributes) MUST be assigned values by the service provider. Common attributes are considered to be part of every base resource schema and do not use their own "schemas" URI. For backward compatibility, some existing schema definitions MAY list common attributes as part of the schema. The attribute characteristics (see Section 2.2) listed here SHALL take precedence over older definitions that may be included in existing schemas. id A unique identifier for a SCIM resource as defined by the service provider. Each representation of the resource MUST include a non-empty "id" value. This identifier MUST be unique across the SCIM service provider's entire set of resources. It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests. The value of the "id" attribute is always issued by the service provider and MUST NOT be specified by the client. The string "bulkId" is a reserved keyword and MUST NOT be used within any unique identifier value. The attribute characteristics are "caseExact" as "true", a mutability of "readOnly", and a "returned" characteristic of "always". See Section 9 for additional considerations regarding privacy. externalId A String that is an identifier for the resource as defined by the provisioning client. The "externalId" may simplify identification of a resource between the provisioning client and the service provider by allowing the client to use a filter to locate the resource with an identifier from the provisioning domain, obviating the need to store a local mapping between the provisioning domain's identifier of the resource and the identifier used by the service provider. Each resource MAY include a non-empty "externalId" value. The value of the "externalId" attribute is always issued by the provisioning client and MUST NOT be specified by the service provider. The service provider MUST always interpret the externalId as scoped to the provisioning domain. While the server does not enforce uniqueness, it is assumed that the value's uniqueness is controlled by the client setting the value. See Section 9 for
additional considerations regarding privacy. This attribute has
"caseExact" as "true" and a mutability of "readWrite". This
attribute is OPTIONAL.
meta
A complex attribute containing resource metadata. All "meta"
sub-attributes are assigned by the service provider (have a
"mutability" of "readOnly"), and all of these sub-attributes have
a "returned" characteristic of "default". This attribute SHALL be
ignored when provided by clients. "meta" contains the following
sub-attributes:
resourceType The name of the resource type of the resource. This
attribute has a mutability of "readOnly" and "caseExact" as
"true".
created The "DateTime" that the resource was added to the service
provider. This attribute MUST be a DateTime.
lastModified The most recent DateTime that the details of this
resource were updated at the service provider. If this
resource has never been modified since its initial creation,
the value MUST be the same as the value of "created".
location The URI of the resource being returned. This value MUST
be the same as the "Content-Location" HTTP response header (see
Section 3.1.4.2 of [RFC7231]).
version The version of the resource being returned. This value
must be the same as the entity-tag (ETag) HTTP response header
(see Sections 2.1 and 2.3 of [RFC7232]). This attribute has
"caseExact" as "true". Service provider support for this
attribute is optional and subject to the service provider's
support for versioning (see Section 3.14 of [RFC7644]). If a
service provider provides "version" (entity-tag) for a
representation and the generation of that entity-tag does not
satisfy all of the characteristics of a strong validator (see
Section 2.1 of [RFC7232]), then the origin server MUST mark the
"version" (entity-tag) as weak by prefixing its opaque value
with "W/" (case sensitive).
3.2. Defining New Resource Types
SCIM may be extended to define new classes of resources by defining a resource type. Each resource type defines the name, endpoint, base schema (the attributes), and any schema extensions registered for use with the resource type. In order to offer new types of resources, a service provider defines the new resource type as specified in Section 6 and defines a schema representation (see Section 8.7).3.3. Attribute Extensions to Resources
SCIM allows resource types to have extensions in addition to their core schema. This is similar to how "objectClasses" are used in LDAP [RFC4512]. However, unlike LDAP, there is no inheritance model; all extensions are additive (similar to the LDAP auxiliary object class). Each value in the "schemas" attribute indicates additive schema that MAY exist in a SCIM resource representation. The "schemas" attribute MUST contain at least one value, which SHALL be the base schema for the resource. The "schemas" attribute MAY contain additional values indicating extended schemas that are in use. Schema extensions SHOULD avoid redefining any attributes defined in this specification and SHOULD follow conventions defined in this specification. Except for the base object schema, the schema extension URI SHALL be used as a JSON container to distinguish attributes belonging to the extension namespace from base schema attributes. See Figure 5, which is an example of the JSON representation of an enterprise User and is also an example of a User with extended schema. In order to determine which URI value in the "schemas" attribute is the base schema and which is an extended schema for any given resource, the resource's "resourceType" attribute value MAY be used to retrieve the resource's "ResourceType" schema (see Section 6). See the "ResourceType" representation in Figure 8 for an example.
4. SCIM Core Resources and Extensions
This section defines the default resource schemas present in a SCIM server. SCIM is not exclusive to these resources and may be extended to support other resource types (see Section 3.2).4.1. "User" Resource Schema
SCIM provides a resource type for "User" resources. The core schema for "User" is identified using the following schema URI: "urn:ietf:params:scim:schemas:core:2.0:User". The following attributes are defined in addition to the core schema attributes:4.1.1. Singular Attributes
userName A service provider's unique identifier for the user, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to "id" or "externalId", which are generally opaque and not user-friendly identifiers). Each User MUST include a non-empty userName value. This identifier MUST be unique across the service provider's entire set of Users. This attribute is REQUIRED and is case insensitive. name The components of the user's name. Service providers MAY return just the full name as a single string in the formatted sub-attribute, or they MAY return just the individual component attributes using the other sub-attributes, or they MAY return both. If both variants are returned, they SHOULD be describing the same name, with the formatted name indicating how the component attributes should be combined. formatted The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g., "Ms. Barbara Jane Jensen, III"). familyName The family name of the User, or last name in most Western languages (e.g., "Jensen" given the full name "Ms. Barbara Jane Jensen, III"). givenName The given name of the User, or first name in most Western languages (e.g., "Barbara" given the full name "Ms. Barbara Jane Jensen, III"). middleName The middle name(s) of the User (e.g., "Jane" given the full name "Ms. Barbara Jane Jensen, III").
honorificPrefix The honorific prefix(es) of the User, or title in
most Western languages (e.g., "Ms." given the full name
"Ms. Barbara Jane Jensen, III").
honorificSuffix The honorific suffix(es) of the User, or suffix
in most Western languages (e.g., "III" given the full name
"Ms. Barbara Jane Jensen, III").
displayName
The name of the user, suitable for display to end-users. Each
user returned MAY include a non-empty displayName value. The name
SHOULD be the full name of the User being described, if known
(e.g., "Babs Jensen" or "Ms. Barbara J Jensen, III") but MAY be a
username or handle, if that is all that is available (e.g.,
"bjensen"). The value provided SHOULD be the primary textual
label by which this User is normally displayed by the service
provider when presenting it to end-users.
nickName
The casual way to address the user in real life, e.g., "Bob" or
"Bobby" instead of "Robert". This attribute SHOULD NOT be used to
represent a User's username (e.g., bjensen or mpepperidge).
profileUrl
A URI that is a uniform resource locator (as defined in
Section 1.1.3 of [RFC3986]) and that points to a location
representing the user's online profile (e.g., a web page). URIs
are canonicalized per Section 6.2 of [RFC3986].
title
The user's title, such as "Vice President".
userType
Used to identify the relationship between the organization and the
user. Typical values used might be "Contractor", "Employee",
"Intern", "Temp", "External", and "Unknown", but any value may be
used.
preferredLanguage
Indicates the user's preferred written or spoken languages and is
generally used for selecting a localized user interface. The
value indicates the set of natural languages that are preferred.
The format of the value is the same as the HTTP Accept-Language
header field (not including "Accept-Language:") and is specified
in Section 5.3.5 of [RFC7231]. The intent of this value is to
enable cloud applications to perform matching of language tags
[RFC4647] to the user's language preferences, regardless of what
may be indicated by a user agent (which might be shared), or in an
interaction that does not involve a user (such as in a delegated
OAuth 2.0 [RFC6749] style interaction) where normal HTTP
Accept-Language header negotiation cannot take place.
locale
Used to indicate the User's default location for purposes of
localizing such items as currency, date time format, or numerical
representations. A valid value is a language tag as defined in
[RFC5646]. Computer languages are explicitly excluded.
A language tag is a sequence of one or more case-insensitive
sub-tags, each separated by a hyphen character ("-", %x2D). For
backward compatibility, servers MAY accept tags separated by an
underscore character ("_", %x5F). In most cases, a language tag
consists of a primary language sub-tag that identifies a broad
family of related languages (e.g., "en" = English) and that is
optionally followed by a series of sub-tags that refine or narrow
that language's range (e.g., "en-CA" = the variety of English as
communicated in Canada). Whitespace is not allowed within a
language tag. Example tags include:
fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN
See [RFC5646] for further information.
timezone
The User's time zone, in IANA Time Zone database format [RFC6557],
also known as the "Olson" time zone database format [Olson-TZ]
(e.g., "America/Los_Angeles").
active
A Boolean value indicating the user's administrative status. The
definitive meaning of this attribute is determined by the service
provider. As a typical example, a value of true implies that the
user is able to log in, while a value of false implies that the
user's account has been suspended.
password
This attribute is intended to be used as a means to set, replace,
or compare (i.e., filter for equality) a password. The cleartext
value or the hashed value of a password SHALL NOT be returnable by
a service provider. If a service provider holds the value
locally, the value SHOULD be hashed. When a password is set or
changed by the client, the cleartext password SHOULD be processed
by the service provider as follows:
* Prepare the cleartext value for international language
comparison. See Section 7.8 of [RFC7644].
* Validate the value against server password policy. Note: The
definition and enforcement of password policy are beyond the
scope of this document.
* Ensure that the value is encrypted (e.g., hashed). See
Section 9.2 for acceptable hashing and encryption handling when
storing or persisting for provisioning workflow reasons.
A service provider that immediately passes the cleartext value on
to another system or programming interface MUST pass the value
directly over a secured connection (e.g., Transport Layer Security
(TLS)). If the value needs to be temporarily persisted for a
period of time (e.g., because of a workflow) before provisioning,
then the value MUST be protected by some method, such as
encryption.
Testing for an equality match MAY be supported if there is an
existing stored hashed value. When testing for equality, the
service provider:
* Prepares the filter value for international language
comparison. See Section 7.8 of [RFC7644].
* Generates the salted hash of the filter value and tests for a
match with the locally held value.
The mutability of the password attribute is "writeOnly",
indicating that the value MUST NOT be returned by a service
provider in any form (the attribute characteristic "returned" is
"never").
4.1.2. Multi-Valued Attributes
The following multi-valued attributes are defined. emails Email addresses for the User. The value SHOULD be specified according to [RFC5321]. Service providers SHOULD canonicalize the value according to [RFC5321], e.g., "bjensen@example.com" instead of "bjensen@EXAMPLE.COM". The "display" sub-attribute MAY be used to return the canonicalized representation of the email value. The "type" sub-attribute is used to provide a classification meaningful to the (human) user. The user interface should encourage the use of basic values of "work", "home", and "other" and MAY allow additional type values to be used at the discretion of SCIM clients. phoneNumbers Phone numbers for the user. The value SHOULD be specified according to the format defined in [RFC3966], e.g., 'tel:+1-201-555-0123'. Service providers SHOULD canonicalize the value according to [RFC3966] format, when appropriate. The "display" sub-attribute MAY be used to return the canonicalized representation of the phone number value. The sub-attribute "type" often has typical values of "work", "home", "mobile", "fax", "pager", and "other" and MAY allow more types to be defined by the SCIM clients. ims Instant messaging address for the user. No official canonicalization rules exist for all instant messaging addresses, but service providers SHOULD, when appropriate, remove all whitespace and convert the address to lowercase. The "type" sub-attribute SHOULD take one of the following values: "aim", "gtalk", "icq", "xmpp", "msn", "skype", "qq", "yahoo", or "other" (representing currently popular IM services at the time of this writing). Service providers MAY add further values if new IM services are introduced and MAY specify more detailed canonicalization rules for each possible value. photos A URI that is a uniform resource locator (as defined in Section 1.1.3 of [RFC3986]) that points to a resource location representing the user's image. The resource MUST be a file (e.g., a GIF, JPEG, or PNG image file) rather than a web page containing an image. Service providers MAY return the same image in different sizes, although it is recognized that no standard for describing images of various sizes currently exists. Note that this attribute SHOULD NOT be used to send down arbitrary photos
taken by this user; instead, profile photos of the user that are
suitable for display when describing the user should be sent.
Instead of the standard canonical values for type, this attribute
defines the following canonical values to represent popular photo
sizes: "photo" and "thumbnail".
addresses
A physical mailing address for this user. Canonical type values
of "work", "home", and "other". This attribute is a complex type
with the following sub-attributes. All sub-attributes are
OPTIONAL.
formatted The full mailing address, formatted for display or use
with a mailing label. This attribute MAY contain newlines.
streetAddress The full street address component, which may
include house number, street name, P.O. box, and multi-line
extended street address information. This attribute MAY
contain newlines.
locality The city or locality component.
region The state or region component.
postalCode The zip code or postal code component.
country The country name component. When specified, the value
MUST be in ISO 3166-1 "alpha-2" code format [ISO3166]; e.g.,
the United States and Sweden are "US" and "SE", respectively.
groups
A list of groups to which the user belongs, either through direct
membership, through nested groups, or dynamically calculated. The
values are meant to enable expression of common group-based or
role-based access control models, although no explicit
authorization model is defined. It is intended that the semantics
of group membership and any behavior or authorization granted as a
result of membership are defined by the service provider. The
canonical types "direct" and "indirect" are defined to describe
how the group membership was derived. Direct group membership
indicates that the user is directly associated with the group and
SHOULD indicate that clients may modify membership through the
"Group" resource. Indirect membership indicates that user
membership is transitive or dynamic and implies that clients
cannot modify indirect group membership through the "Group"
resource but MAY modify direct group membership through the
"Group" resource, which may influence indirect memberships. If
the SCIM service provider exposes a "Group" resource, the "value"
sub-attribute MUST be the "id", and the "$ref" sub-attribute must
be the URI of the corresponding "Group" resources to which the
user belongs. Since this attribute has a mutability of
"readOnly", group membership changes MUST be applied via the
"Group" Resource (Section 4.2). This attribute has a mutability
of "readOnly".
entitlements
A list of entitlements for the user that represent a thing the
user has. An entitlement may be an additional right to a thing,
object, or service. No vocabulary or syntax is specified; service
providers and clients are expected to encode sufficient
information in the value so as to accurately and without ambiguity
determine what the user has access to. This value has no
canonical types, although a type may be useful as a means to scope
entitlements.
roles
A list of roles for the user that collectively represent who the
user is, e.g., "Student", "Faculty". No vocabulary or syntax is
specified, although it is expected that a role value is a String
or label representing a collection of entitlements. This value
has no canonical types.
x509Certificates
A list of certificates associated with the resource (e.g., a
User). Each value contains exactly one DER-encoded X.509
certificate (see Section 4 of [RFC5280]), which MUST be base64
encoded per Section 4 of [RFC4648]. A single value MUST NOT
contain multiple certificates and so does not contain the encoding
"SEQUENCE OF Certificate" in any guise.
4.2. "Group" Resource Schema
SCIM provides a schema for representing groups, identified using the
following schema URI: "urn:ietf:params:scim:schemas:core:2.0:Group".
"Group" resources are meant to enable expression of common
group-based or role-based access control models, although no explicit
authorization model is defined. It is intended that the semantics of
group membership, and any behavior or authorization granted as a
result of membership, are defined by the service provider; these are
considered out of scope for this specification.
The following singular attribute is defined in addition to the common
attributes defined in the SCIM core schema:
displayName
A human-readable name for the Group. REQUIRED.
The following multi-valued attribute is defined in addition to the
common attributes defined in the SCIM core schema:
members
A list of members of the Group. While values MAY be added or
removed, sub-attributes of members are "immutable". The "value"
sub-attribute contains the value of an "id" attribute of a SCIM
resource, and the "$ref" sub-attribute must be the URI of a SCIM
resource such as a "User", or a "Group". The intention of the
"Group" type is to allow the service provider to support nested
groups. Service providers MAY require clients to provide a
non-empty value by setting the "required" attribute characteristic
of a sub-attribute of the "members" attribute in the "Group"
resource schema.
4.3. Enterprise User Schema Extension
The following SCIM extension defines attributes commonly used in
representing users that belong to, or act on behalf of, a business or
enterprise. The enterprise User extension is identified using the
following schema URI:
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User".
The following singular attributes are defined:
employeeNumber
A string identifier, typically numeric or alphanumeric, assigned
to a person, typically based on order of hire or association with
an organization.
costCenter
Identifies the name of a cost center.
organization
Identifies the name of an organization.
division
Identifies the name of a division.
department
Identifies the name of a department.
manager
The user's manager. A complex type that optionally allows service
providers to represent organizational hierarchy by referencing the
"id" attribute of another User.
value The "id" of the SCIM resource representing the user's
manager. RECOMMENDED.
$ref The URI of the SCIM resource representing the User's
manager. RECOMMENDED.
displayName The displayName of the user's manager. This
attribute is OPTIONAL, and mutability is "readOnly".
5. Service Provider Configuration Schema
SCIM provides a schema for representing the service provider's
configuration, identified using the following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig".
The service provider configuration resource enables a service
provider to discover SCIM specification features in a standardized
form as well as provide additional implementation details to clients.
All attributes have a mutability of "readOnly". Unlike other core
resources, the "id" attribute is not required for the service
provider configuration resource.
The following singular attributes are defined in addition to the
common attributes defined in the core schema:
documentationUri
An HTTP-addressable URL pointing to the service provider's
human-consumable help documentation. OPTIONAL.
patch
A complex type that specifies PATCH configuration options.
REQUIRED. See Section 3.5.2 of [RFC7644].
supported A Boolean value specifying whether or not the operation
is supported. REQUIRED.
bulk
A complex type that specifies bulk configuration options. See
Section 3.7 of [RFC7644]. REQUIRED.
supported A Boolean value specifying whether or not the operation
is supported. REQUIRED.
maxOperations An integer value specifying the maximum number of
operations. REQUIRED.
maxPayloadSize An integer value specifying the maximum payload
size in bytes. REQUIRED.
filter
A complex type that specifies FILTER options. REQUIRED. See
Section 3.4.2.2 of [RFC7644].
supported A Boolean value specifying whether or not the operation
is supported. REQUIRED.
maxResults An integer value specifying the maximum number of
resources returned in a response. REQUIRED.
changePassword
A complex type that specifies configuration options related to
changing a password. REQUIRED.
supported A Boolean value specifying whether or not the operation
is supported. REQUIRED.
sort
A complex type that specifies Sort configuration options.
REQUIRED.
supported A Boolean value specifying whether or not sorting is
supported. REQUIRED.
etag
A complex type that specifies ETag configuration options.
REQUIRED.
supported A Boolean value specifying whether or not the operation
is supported. REQUIRED.
The following multi-valued attribute is defined in addition to the
common attributes defined in the core schema:
authenticationSchemes
A multi-valued complex type that specifies supported
authentication scheme properties. To enable seamless discovery of
configurations, the service provider SHOULD, with the appropriate
security considerations, make the authenticationSchemes attribute
publicly accessible without prior authentication. REQUIRED. The
following sub-attributes are defined:
type The authentication scheme. This specification defines the
values "oauth", "oauth2", "oauthbearertoken", "httpbasic", and
"httpdigest". REQUIRED.
name The common authentication scheme name, e.g., HTTP Basic.
REQUIRED.
description A description of the authentication scheme.
REQUIRED.
specUri An HTTP-addressable URL pointing to the authentication
scheme's specification. OPTIONAL.
documentationUri An HTTP-addressable URL pointing to the
authentication scheme's usage documentation. OPTIONAL.
6. ResourceType Schema
The "ResourceType" schema specifies the metadata about a resource
type. Resource type resources are READ-ONLY and identified using the
following schema URI:
"urn:ietf:params:scim:schemas:core:2.0:ResourceType". Unlike other
core resources, all attributes are REQUIRED unless otherwise
specified. The "id" attribute is not required for the resource type
resource.
The following singular attributes are defined:
id
The resource type's server unique id. This is often the same
value as the "name" attribute. OPTIONAL.
name
The resource type name. When applicable, service providers MUST
specify the name, e.g., "User" or "Group". This name is
referenced by the "meta.resourceType" attribute in all resources.
REQUIRED.
description
The resource type's human-readable description. When applicable,
service providers MUST specify the description. OPTIONAL.
endpoint
The resource type's HTTP-addressable endpoint relative to the Base
URL of the service provider, e.g., "Users". REQUIRED.
schema
The resource type's primary/base schema URI, e.g.,
"urn:ietf:params:scim:schemas:core:2.0:User". This MUST be equal
to the "id" attribute of the associated "Schema" resource.
REQUIRED.
schemaExtensions
A list of URIs of the resource type's schema extensions.
OPTIONAL.
schema The URI of an extended schema, e.g., "urn:edu:2.0:Staff".
This MUST be equal to the "id" attribute of a "Schema"
resource. REQUIRED.
required A Boolean value that specifies whether or not the schema
extension is required for the resource type. If true, a
resource of this type MUST include this schema extension and
also include any attributes declared as required in this schema
extension. If false, a resource of this type MAY omit this
schema extension. REQUIRED.
7. Schema Definition
This section defines a way to specify the schema in use by resources
available and accepted by a SCIM service provider. For each
"schemas" URI value, this schema specifies the defined attribute(s)
and their characteristics (mutability, returnability, etc). For
every schema URI used in a resource object, there is a corresponding
"Schema" resource. "Schema" resources are not modifiable, and their
associated attributes have a mutability of "readOnly". Except for
"id" (which is always returned), all attributes have a "returned"
characteristic of "default". Unless otherwise specified, all schema
attributes are case insensitive. These resources have a "schemas"
attribute with the following schema URI:
urn:ietf:params:scim:schemas:core:2.0:Schema
Unlike other core resources, the "Schema" resource MAY contain a
complex object within a sub-attribute, and all attributes are
REQUIRED unless otherwise specified.
The following singular attributes are defined:
id
The unique URI of the schema. When applicable, service providers
MUST specify the URI, e.g.,
"urn:ietf:params:scim:schemas:core:2.0:User". Unlike most other
schemas, which use some sort of Globally Unique Identifier (GUID)
for the "id", the schema "id" is a URI so that it can be
registered and is portable between different service providers and
clients. REQUIRED.
name
The schema's human-readable name. When applicable, service
providers MUST specify the name, e.g., "User" or "Group".
OPTIONAL.
description
The schema's human-readable description. When applicable, service
providers MUST specify the description. OPTIONAL.
The following multi-valued attribute is defined:
attributes
A complex type that defines service provider attributes and their
qualities via the following set of sub-attributes:
name The attribute's name.
type The attribute's data type. Valid values are "string",
"boolean", "decimal", "integer", "dateTime", "reference", and
"complex". When an attribute is of type "complex", there
SHOULD be a corresponding schema attribute "subAttributes"
defined, listing the sub-attributes of the attribute.
subAttributes When an attribute is of type "complex",
"subAttributes" defines a set of sub-attributes.
"subAttributes" has the same schema sub-attributes as
"attributes".
multiValued A Boolean value indicating the attribute's plurality.
description The attribute's human-readable description. When
applicable, service providers MUST specify the description.
required A Boolean value that specifies whether or not the
attribute is required.
canonicalValues A collection of suggested canonical values that
MAY be used (e.g., "work" and "home"). In some cases, service
providers MAY choose to ignore unsupported values. OPTIONAL.
caseExact A Boolean value that specifies whether or not a string
attribute is case sensitive. The server SHALL use case
sensitivity when evaluating filters. For attributes that are
case exact, the server SHALL preserve case for any value
submitted. If the attribute is case insensitive, the server
MAY alter case for a submitted value. Case sensitivity also
impacts how attribute values MAY be compared against filter
values (see Section 3.4.2.2 of [RFC7644]).
mutability A single keyword indicating the circumstances under
which the value of the attribute can be (re)defined:
readOnly The attribute SHALL NOT be modified.
readWrite The attribute MAY be updated and read at any time.
This is the default value.
immutable The attribute MAY be defined at resource creation
(e.g., POST) or at record replacement via a request (e.g., a
PUT). The attribute SHALL NOT be updated.
writeOnly The attribute MAY be updated at any time. Attribute
values SHALL NOT be returned (e.g., because the value is a
stored hash). Note: An attribute with a mutability of
"writeOnly" usually also has a returned setting of "never".
returned A single keyword that indicates when an attribute and
associated values are returned in response to a GET request or
in response to a PUT, POST, or PATCH request. Valid keywords
are as follows:
always The attribute is always returned, regardless of the
contents of the "attributes" parameter. For example, "id"
is always returned to identify a SCIM resource.
never The attribute is never returned. This may occur because
the original attribute value (e.g., a hashed value) is not
retained by the service provider. A service provider MAY
allow attributes to be used in a search filter.
default The attribute is returned by default in all SCIM
operation responses where attribute values are returned. If
the GET request "attributes" parameter is specified,
attribute values are only returned if the attribute is named
in the "attributes" parameter. DEFAULT.
request The attribute is returned in response to any PUT,
POST, or PATCH operations if the attribute was specified by
the client (for example, the attribute was modified). The
attribute is returned in a SCIM query operation only if
specified in the "attributes" parameter.
uniqueness A single keyword value that specifies how the service
provider enforces uniqueness of attribute values. A server MAY
reject an invalid value based on uniqueness by returning HTTP
response code 400 (Bad Request). A client MAY enforce
uniqueness on the client side to a greater degree than the
service provider enforces. For example, a client could make a
value unique while the server has uniqueness of "none". Valid
keywords are as follows:
none The values are not intended to be unique in any way.
DEFAULT.
server The value SHOULD be unique within the context of the
current SCIM endpoint (or tenancy) and MAY be globally
unique (e.g., a "username", email address, or other
server-generated key or counter). No two resources on the
same server SHOULD possess the same value.
global The value SHOULD be globally unique (e.g., an email
address, a GUID, or other value). No two resources on any
server SHOULD possess the same value.
referenceTypes A multi-valued array of JSON strings that indicate
the SCIM resource types that may be referenced. Valid values
are as follows:
+ A SCIM resource type (e.g., "User" or "Group"),
+ "external" - indicating that the resource is an external
resource (e.g., a photo), or
+ "uri" - indicating that the reference is to a service
endpoint or an identifier (e.g., a schema URN).
This attribute is only applicable for attributes that are of
type "reference" (Section 2.3.7).
(next page on part 3)
