Session Topic: SCIM
Convener: Trey Drake
Notes-taker(s): Trey Drake
- Overview: What is SCIM's purpose in life: Currently provision identity information from one namespace to another with a single, interoperable protocol and extensible schema.
- What do we want to be when we grow up? A generalizable directory service? Reminder of IETF charter - strong desire to stay w/in the current charter but ensure we can evolve.
- Discussed where we're at the IETF. Moving along though slower than hoped. Isn't that always the case.
- Others want to know what's going on in the design team. Taking a crack at outstanding issues and getting them resolved.
- Do we have the right information and data model? VCard? Odata?...
- Notification service (enable clients to subscribe to changes to their stored artifacts)? In scope? Not in the charter but another highly desirable feature.
- What's the relationship between SCIM and the OIDC user info endpoint? In principle they are the same as they both enable clients to retrieve info about a user stored (typically) at the IDP. OIDC requests are normally in-band and enable user consent/authorization (client shows up with token and user decides if client is able to fetch requested scopes) whereas SCIM more or less plays the "directory in the cloud" role (client shows up with an identifier or search criteria to fetch user, authorization is out-of-band).
- Can we use SCIM as an attribute exchange provider. Sure, but there are no facilities in SCIM for consent, authz, etc.