Internet-Draft | draft-hunt-scim-events | March 2022 |
Hunt | Expires 4 September 2022 | [Page] |
This specification profiles the Security Event Token specification, to define a set of events for SCIM Protocol servers that can be used for asynchronous transaction confirmations, replication, cross-domain provisioning co-ordination, and security signals.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 4 September 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This specification profiles Security Event Tokens (SET) [RFC8417] to define Security Events and mechanisms for delivery with SCIM Protocol [RFC7644] systems that can be used for asynchronous transaction confirmations, replication, cross-domain provisioning co-ordination, and security signals.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
For purposes of readability examples are not URL encoded. Implementers MUST percent encode URLs as described in Section 2.1 of [RFC3986].¶
Throughout this documents all figures MAY contain spaces and extra line-wrapping for readability and space limitations. Similarly, some URI's contained within examples, have been shortened for space and readability reasons.¶
This specification uses definitions from the following specifications:¶
Additionally, the following terms are defined:¶
This specification defines 4 processing modes for SCIM Security Events that have different objectives, data requirements, and considerations for using Security Event Tokens.¶
The objective of DBR is to synchronize resource changes between SCIM replicas in a common administrative domain. In this mode, information about changes for resources are shared between replicas for immediate processing. The intention is that every replica node contains the same information content in a timely fashion.¶
In this mode, replication is a server-to-server process and it is assumed that access rights between servers is identical. Access to these messages MUST be limited to communication between replicating nodes with appropriate authorization. From a Privacy Perspective, it is assumed that all replicas of the server are in the same administrative domain and that the sharing of information is primarily for performance and availability reasons and the sharing information between replicas does not by itself enable access to new parties (e.g. where a user may not have consented).¶
In "Co-ordinated Provisioning" (CP), SCIM resource change events are shared between domains with the restriction that the actual attribute value data is omitted. In any Event Publisher and Receiver relationship, the set of SCIM resources that are co-ordinated is managed within the context of a "Feed" and MAY be a subset of the total set of resources on either side. To support this, "feed" events are defined that indicate the addition and removal of SCIM resources from a feed. For example, when a user consents to the sharing of information between domains, events about the User MAY be added to the feed between the Event Publisher and Receiver.¶
In CP mode, the receiver of an event must call back to the originating SCIM Service Provider (e.g. using a SCIM GET request) to reconcile the newly changed resource in order to obtain the changes.¶
Co-ordinated provisioning has the following benefits:¶
A disadvantage of the CP approach is that it may be considered costly in the sense that each event received might trigger a call back to the event issuer. This cost should be weighed against the cost producing filtered information in each event for each receiver. Further a receiver is not required to make a call-back on every provisioning event.¶
It is assumed that an underlying relationship between domains exists that permits the exchange of personal information and credentials. For example the decision to perform SCIM provisioning operations at the SCIM Service Provider issuing change events, was previously authorized and appropriate confidentiality and privacy agreements have been met in cross-domain scenarios. Examples of this might be services for hire by an employer or a specific consent from an end-user as part of a online authorization where individual consent was obtained.¶
The sharing of risk signals (RS) is intended for the purpose of co-ordinating change events between a SCIM Service Provider and another related security service. For example, when a password or other authentication factor has changed, a receiving security system can choose to terminate current User sessions to force a re-authentication against the modified User resource.¶
These signals MAY also include those described in the OpenID Shared Signals Working Group Specifications [SSWG].¶
These events are intended for receivers where there is a prior relationship on behalf of the users described in the SCIM Service Provider. The intent of sharing information about security events is for the purpose of securing a user account and ensuring privacy.¶
A SCIM provisioning client MAY wish to request "asynchronous" processing using the "Prefer Header
for HTTP", Section 4.1 [RFC7240]. In this mode, a normal SCIM protocol POST, PUT,
PATCH, or DELETE request is
made, and the HTTP Header Prefer
is included with the value respond-async
.
When a SCIM Client signals respond-async, the SCIM server response changes to HTTP Status 202 Accepted
as defined in [RFC7231]. The Location
header returned is the final resource
location and no payload is present. Following acceptance of an asynchronous request, a notification of
completion can be issued using the Async Event Notification per Section 3.5.1. The
location returned SHALL correspond to the sub claim in the future Async Event SET message.¶
A SCIM event is a message, in the form of a Security Event Token [RFC8417], that conveys information about changes that have occurred at a SCIM Service Provider that may be of interest to a receiving system. Examples of events include:¶
The following attributes are available for all events defined. The values are contained within the event payload per Section 2 [RFC8417].¶
id
attribute identifying the SCIM Service Provider's resource that was modified.
This value is required.¶
externalId
value of the SCIM Resource that MAY be used by a receiver to identify
the corresponding resource in the Event Receiver's domain.¶
jti
claim MAY be used. The difference is that txn
identifies uniqueness within a SCIM Service Provider whereas JTI only identifies a unique JWT token.¶
id
value.¶
"attributes": ["username","emails"]
¶
Depending on the Processing Mode or Event definition, usually only one of data
or
attributes
is provided.¶
The sub
claim SHALL hold the SCIM Service Provider's Resource URI value of the affected
object. Note: that the SCIM Bulk path
attribute is SHALL NOT be used as this duplicates
the sub
claim.¶
This specifications defines a new schema URI prefix urn:ietf:params:event:SCIM
which is used
as the prefix for the following defined SCIM Events.¶
This section defines events related to notices about which resources are being added or removed from
an event feed. These events are used in Co-operative Provisioning scenarios where only a sub-set of
entities are shared across an Event Feed. The URI prefix for these events is:
urn:ietf:params:event:SCIM:feed
¶
The specified resource was added to the Event Feed. A feed:add
does not indicate a
resource is new or has been recently created. For example,
an existing user has had a new role (e.g. CRM_User) added to
their profile which has caused their resource to join a feed.¶
The specified resource has been removed from the feed. Removal does not indicate that the resource was deleted or otherwise deactivated. This event has minimal disclosure.¶
This section defines provisioning events that have occurred within a
SCIM Service Provider. These events are used in both Domain Based Replication (DBR) and Co-operative
Provisioning (CP) mode. The URI prefix for these events is:
urn:ietf:params:event:SCIM:prov
¶
Indicates a new SCIM resource has been created by the SCIM Service Provider
and has been added to the Event Feed. Note that when a create
event is sent,
a corresponding urn:ietf:params:event:SCIM:feed:add
event SHOULD NOT be issued in the
same feed. In DBR mode mode, all claims of the new resource are included. In CP mode,
the attributes
returned discloses what attributes were created at the publisher. In
DBR mode, the set of values reflecting the final
state of the resource at the service provider are provided
using the "data" attribute. Note that because this is a replication request, the id
attribute that was assigned by the SCIM Service Provider is shared so that all replicas in the
domain use the same resource identifier.¶
The event above notifies the Event Receiver which attributes
have changed but does not convey
the actual information. The Event Receiver MAY retrieve that information
by performing a SCIM GET to the sub
value specified.¶
The specified
resource has been updated using SCIM PATCH. When in DBR mode, the
data
attribute contains the PATCH Request body. In CP mode, only
the modified attribute name is included.¶
The specified resource has been updated (e.g. one or more attributes has
changed). In DBR mode, the SCIM PUT request body is included in the data
attribute; or, In CP mode the modified attributes are listed using attributes
.¶
The specified resource has been deleted from the SCIM publisher.
The resource is also removed from the feed. When a
DELETE is sent, a corresponding feedRemove
is not issued. A delete
event has minimal disclosure profile only.¶
The specified resource (e.g. User) has been activated. This event indicates a high-level change in state as agreed between the Event Publisher and Event Receiver. For example, an activated resource is one that can now have an active session (may log in) from a security perspective.¶
The specified resource (e.g. User) has been deactivated and disabled. The exact meaning must be agreed to by the Event Publisher and its corresponding Event Receiver. Typically this means the sub may no longer have an active security session. As with the activate event, this event has minimal disclosure requirements.¶
This section defines security signal events that have occured within a
SCIM Service Provider.The URI prefix for these events is:
urn:ietf:params:event:SCIM:signal
¶
A new authentication method has been added to the User profile. As attackers often use new authentication methods to lock-out Users from their account, this signal can be used by the receiver that the chance of account them may be temporarily elevated. The receiver MAY also wish to take action such as resetting current authorizations or sessions.¶
The specified resource (e.g. User) has changed its password or the password
has been reset. When the password has changed, the
attributes
attribute is supplied with the value "password".¶
This section defines events related miscellaneous events such as Asynchronous Request complettion that have occured within a
SCIM Service Provider. The URI prefix for these events is:
urn:ietf:params:event:SCIM:misc
¶
This event signals the completion of a SCIM request. The payload contains the attributes defined in SCIM Bulk Section 3.7 [RFC7644] and is the same a single SCIM Bulk Response Operation as per Section 3.7.3.¶
As Security Event Tokens are based on JWT tokens, it is possible to exchange events by a number of transfer mechanisms such as: XMPP [RFC6120], HTTP [RFC7540], and Message Buses (e.g. [RFC3259], Apache Kafka [Kafka]). This draft discusses 2 general delivery methods: Message Bus and Point-to-Point.¶
This specification uses Security Event Tokens as the message format for SCIM Events. As SETs are based on JWT tokens [RFC7519], they can be transmitted unsecurity, signed, or encrypted. For more information see the JWT Cookbook specification [RFC7520] for examples. The decision on whether to use JWS and JWE depends on operational considerations. For each SCIM Feed relationship, it is up to deployers to decide on signing, encryption and algorithm requirements. Deployers SHOULD be aware that too much emphasis on turning on every possible encryption feature may cause operational performance to suffer. Deployers MUST weigh the security trade-offs of up-to-date SCIM services, vs. the potential information loss of an event.¶
{"alg":"none"}
.
This mode speeds up processing and is best used in DBR scenarios. Unencrypted tokens MUST be
transferred over authenticated TLS layer encryption and SHOULD only be used in a restricted
network environment.¶
Security Event Tokens MAY be delivered using push-based HTTP delivery [RFC8935], or pull-based HTTP Polling [RFC8936]. Both of these protocols define a method of transfer and acknowledgement to prevent loss-of-information and to provide re-transmission and recover. The method of transfer is best decided by considering the following advantages and disadvantages in a production scenario:¶
Push-based delivery has the following advantages:¶
Push-delivery has the following disadvantages:¶
Delivery by HTTP Polling has the following advantages:¶
Polling-based delivery has the following disadvantages:¶
Security Event Tokens MAY be delivered using a message bus. While this draft will not talk about any particular message bus, it will discuss the pros and cons for message buses in general and any anticipated issues and requirements.¶
Message buses have the following advantages:¶
Message buses may have following disadvantages:¶
In scenarios where there may be multiple issuers of SCIM Events, it becomes possible that conflicts can arise when the same version of a resource is modified by multiple parties.¶
Editors note: TO BE COMPLETED¶
In cases where resources change frequently, SCIM Service Providers MAY choose to release events on an interval basis in order to reduce traffic. For example, a large Group with millions of members may have hundreds of changes per minute. For optimization, a SCIM Service Provider MAY choose to issue a cumulative event once per minute instead of for each change event.¶
Editors note: TO BE COMPLETED¶
[[TO BE COMPLETED]]¶
[[TO BE COMPLETED]]¶
This section registers the schema extensions found in Section 3 in the "Event" registry as per Section 4.2 [RFC8417].¶
Summary of schema URI registrations:¶
Schema URI | Name | Reference |
---|---|---|
urn:ietf:params:event:SCIM:feed:add | Resource added to Feed Event | Section 3.2.1 |
urn:ietf:params:event:SCIM:feed:remove | Remove resouce From Feed Event | Section 3.2.2 |
urn:ietf:params:event:SCIM:prov:create | New Resource Event | Section 3.3.1 |
urn:ietf:params:event:SCIM:prov:patch | Resource Patch Event | Section 3.3.2 |
urn:ietf:params:event:SCIM:prov:put | Resource Put Event | Section 3.3.3 |
urn:ietf:params:event:SCIM:prov:delete | Resource Deleted Event | Section 3.3.4 |
urn:ietf:params:event:SCIM:prov:activate | Resource Activated Event | Section 3.3.5 |
urn:ietf:params:event:SCIM:prov:deactivate | Resource Deactivated Event | Section 3.3.6 |
urn:ietf:params:event:SCIM:sig:authMethod | New authentication method added | Section 3.4.1 |
urn:ietf:params:event:SCIM:sig:pwdReset | Password Reset Event | Section 3.4.2 |
Thanks to Morteza Ansari who contributed significantly to draft-hunt-idevent-scim-00, upon which this draft is based.¶
The editor would like to thank the participants in the the SCIM working group and the id-event list for their support of this specification.¶
Draft 00 - PH - First Draft¶