Overview#SCIM Service Provider provides a set of SCIM Resources, the allowable contents of which are defined by a set of SCIM Schemas Attribute URIs and a resource type.
SCIM Schema is not a document-centric one such as with XML-Schema. Instead, SCIM's support of schema is attribute based, where each attribute may have different type, mutability, cardinality, or returnability. Validation of documents and messages is always performed by an intended receiver, as specified by the SCIM specifications. Validation is performed by the receiver in the context of a SCIM protocol request (see RFC 7644).
For example, a SCIM Service Provider, upon receiving a request to replace an existing SCIM Resource with a replacement JSON object, evaluates each asserted attribute based on its characteristics as defined in the relevant schema (e.g., mutability) and decides which attributes may be replaced or ignored.
RFC 7643 provides a minimal core schema for representing SCIM Resources (SCIM Users and SCIM Groups), encompassing SCIM Common Attributes found in many existing deployments and schemas. In addition to the minimal SCIM Core Schema, RFC 7643 also specifies a standardized means by which service providers may extend schemas to define new resources and attributes in both standardized and service-provider-specific cases.
SCIM Resources are categorized into common resource types such as "User" or "Group". Collections of resources of the same type are usually contained within the same "container" SCIM ResourceTypes endpoint.
SCIM Resource Schema#The SCIM Resource:
Unlike other core resources, the "Schema" resource MAY contain a complex object within a sub-attribute, and all attributes are REQUIRED unless otherwise specified.
id REQUIRED SINGLE-VALUE#The unique URI of the schema. When applicable, service providers MUST specify the URI, e.g., "urn:ietf:params:scim:schemas:core:2.0:User".
Unlike most other schemas, which use some sort of Globally Unique Identifier (GUID) for the "id", the schema "id" is a URI so that it can be registered and is portable between different service providers and clients.
name OPTIONAL SINGLE-VALUE#The schema's human-readable name. When applicable, service providers MUST specify the name, e.g., "User" or "Group".
description OPTIONAL SINGLE-VALUE#The schema's human-readable description. When applicable, service providers MUST specify the description. Service Provider attributes and their qualities via the following set of sub-attributes:
- name The attribute's name.
- type The attribute's SCIM Data Type.
- subAttributes When an attribute is of type "complex", "subAttributes" defines a set of sub-attributes. "subAttributes" has the same schema sub-attributes as "attributes".
- multiValued - A Boolean value indicating the attribute's plurality.
- description - The attribute's human-readable description. When applicable, service providers MUST specify the description.
- required - A Boolean value that specifies whether or not the attribute is required.
- canonicalValues OPTIONAL - A collection of suggested canonical values that MAY be used (e.g., "work" and "home"). In some cases, service providers MAY choose to ignore unsupported values.
- caseExact - A Boolean value that specifies whether or not a string attribute is case-sensitive. The server SHALL use Case Sensitivity when evaluating filters. For attributes that are case exact, the server SHALL preserve case for any value submitted. If the attribute is case-insensitive, the server MAY alter case for a submitted value. Case sensitivity also impacts how attribute values MAY be compared against filter values (see Section 18.104.22.168 of RFC 7644).
- mutability A single keyword indicating the circumstances under which the value of the attribute can be (re)defined:
- readOnly The attribute SHALL NOT be modified.
- readWrite The attribute MAY be updated and read at any time. This is the default value.
- immutable The attribute MAY be defined at resource creation (e.g., POST) or at record replacement via a request (e.g., a PUT). The attribute SHALL NOT be updated.
- writeOnly The attribute MAY be updated at any time. Attribute values SHALL NOT be returned (e.g., because the value is a stored hash). Note: An attribute with a mutability of "writeOnly" usually also has a returned setting of "never".
- returned - A single keyword that indicates when an attribute and associated values are returned in response to a GET request or in response to a PUT, POST, or PATCH request. Valid keywords are as follows:
- always The attribute is always returned, regardless of the contents of the "attributes" parameter. For example, "id" is always returned to identify a SCIM resource.
- never The attribute is never returned. This may occur because the original attribute value (e.g., a hashed value) is not retained by the service provider. A service provider MAY allow attributes to be used in a search filter.
- default The attribute is returned by default in all SCIM operation responses where attribute values are returned. If the GET request "attributes" parameter is specified, attribute values are only returned if the attribute is named in the "attributes" parameter. DEFAULT.
- request The attribute is returned in response to any PUT, POST, or PATCH operations if the attribute was specified by the client (for example, the attribute was modified). The attribute is returned in a SCIM query operation only if specified in the "attributes" parameter.
- uniqueness A single keyword value that specifies how the service provider enforces uniqueness of attribute values. A server MAY reject an invalid value based on uniqueness by returning HTTP response code 400 (Bad Request). A client MAY enforce uniqueness on the client side to a greater degree than the service provider enforces. For example, a client could make a value unique while the server has uniqueness of "none". Valid keywords are as follows:
- none The values are not intended to be unique in any way. DEFAULT
- server The value SHOULD be unique within the context of the current SCIM endpoint (or tenancy) and MAY be globally unique (e.g., a "username", email address, or other server-generated key or counter). No two resources on the same server SHOULD possess the same value.
- global The value SHOULD be globally unique (e.g., an email address, a GUID, or other value). No two resources on any server SHOULD possess the same value.
- referenceTypes A multi-valued array of JSON strings that indicate the SCIM resource types that may be referenced. This attribute is only applicable for attributes that are of type "reference" (Section 2.3.7). Valid values are as follows:
- + A SCIM resource type (e.g., "User" or "Group")
- + "external" - indicating that the resource is an external resource (e.g., a photo)
- + "uri" - indicating that the reference is to a service endpoint or an identifier (e.g., a schema URN).