Internet Engineering Task Force (IETF)                      P. Hunt, Ed.
Request for Comments: 7644                                        Oracle
Category: Standards Track                                     K. Grizzle
ISSN: 2070-1721                                                SailPoint
                                                               M. Ansari
                                                                   Cisco
                                                           E. Wahlstroem
                                                        Nexus Technology
                                                            C. Mortimore
                                                              Salesforce
                                                          September 2015
        

System for Cross-domain Identity Management: Protocol

Abstract

The System for Cross-domain Identity Management (SCIM) specification is an HTTP-based protocol that makes managing identities in multi-domain scenarios easier to support via a standardized service. Examples include, but are not limited to, enterprise-to-cloud service providers and inter-cloud scenarios. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. SCIM's intent is to reduce the cost and complexity of user management operations by providing a common user schema, an extension model, and a service protocol defined by this document.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7644.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction and Overview .......................................3
      1.1. Intended Audience ..........................................3
      1.2. Notational Conventions .....................................4
      1.3. Definitions ................................................4
   2. Authentication and Authorization ................................5
      2.1. Use of Tokens as Authorizations ............................7
      2.2. Anonymous Requests .........................................7
   3. SCIM Protocol ...................................................8
      3.1. Background .................................................8
      3.2. SCIM Endpoints and HTTP Methods ............................9
      3.3. Creating Resources ........................................11
           3.3.1. Resource Types .....................................13
      3.4. Retrieving Resources ......................................13
           3.4.1. Retrieving a Known Resource ........................14
           3.4.2. Query Resources ....................................15
           3.4.3. Querying Resources Using HTTP POST .................27
      3.5. Modifying Resources .......................................29
           3.5.1. Replacing with PUT .................................30
           3.5.2. Modifying with PATCH ...............................32
      3.6. Deleting Resources ........................................48
      3.7. Bulk Operations ...........................................49
           3.7.1. Circular Reference Processing ......................51
           3.7.2. "bulkId" Temporary Identifiers .....................53
           3.7.3. Response and Error Handling ........................58
           3.7.4. Maximum Operations .................................63
      3.8. Data Input/Output Formats .................................64
      3.9. Additional Operation Response Parameters ..................64
      3.10. Attribute Notation .......................................66
      3.11. "/Me" Authenticated Subject Alias ........................66
        
      3.12. HTTP Status and Error Response Handling ..................67
      3.13. SCIM Protocol Versioning .................................71
      3.14. Versioning Resources .....................................71
   4. Service Provider Configuration Endpoints .......................73
   5. Preparation and Comparison of Internationalized Strings ........76
   6. Multi-Tenancy ..................................................76
      6.1. Associating Clients to Tenants ............................77
      6.2. SCIM Identifiers with Multiple Tenants ....................78
   7. Security Considerations ........................................78
      7.1. HTTP Considerations .......................................78
      7.2. TLS Support Considerations ................................78
      7.3. Authorization Token Considerations ........................78
      7.4. Bearer Token and Cookie Considerations ....................79
      7.5. Privacy Considerations ....................................79
           7.5.1. Personal Information ...............................79
           7.5.2. Disclosure of Sensitive Information in URIs ........80
      7.6. Anonymous Requests ........................................80
      7.7. Secure Storage and Handling of Sensitive Data .............81
      7.8. Case-Insensitive Comparison and International Languages ...82
   8. IANA Considerations ............................................82
      8.1. Media Type Registration ...................................82
      8.2. Registering URIs for SCIM Messages ........................84
   9. References .....................................................85
      9.1. Normative References ......................................85
      9.2. Informative References ....................................87
   Acknowledgements ..................................................88
   Contributors ......................................................88
   Authors' Addresses ................................................89
        
1. Introduction and Overview

The SCIM protocol is an application-level HTTP-based protocol for provisioning and managing identity data on the web and in cross-domain environments such as enterprise-to-cloud service providers or inter-cloud scenarios. The protocol supports creation, modification, retrieval, and discovery of core identity resources such as Users and Groups, as well as custom resources and resource extensions.

The definition of resources, attributes, and overall schema are defined in the SCIM Core Schema document [RFC7643].

1.1. Intended Audience

This document is intended to serve as a guide to SCIM protocol usage for both SCIM HTTP service providers and HTTP clients who may provision information to service providers or retrieve information from them.

1.2. Notational Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. These key words are capitalized when used to unambiguously specify requirements of the protocol or application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.

For purposes of readability, examples are not URL encoded. Implementers MUST percent-encode URLs as described in Section 2.1 of [RFC3986].

Throughout this document, figures may contain spaces and extra line wrapping to improve readability and accommodate space limitations. Similarly, some URIs contained within examples have been shortened for space and readability reasons (as indicated by "...").

1.3. Definitions

This specification uses the definitions from [RFC7643] and defines the following additional term:

Base URI The SCIM HTTP protocol is described in terms of a path relative to a Base URI. The Base URI MUST NOT contain a query string, as clients MAY append additional path information and query parameters as part of forming the request. The base URI is a URL that most often consists of the "https" protocol scheme, a domain name, and some initial path [RFC3986]. For example:

      "https://example.com/scim/"
        
      "https://example.com/scim/"
        

For readability, all examples in this document assume that the SCIM service root and the server root are the same (no path prefix). It is expected that SCIM servers may be deployed using any URI path prefix. For example, a SCIM server might have a prefix of "https://example.com/" or "https://example.com/scim/tenancypath/". Additionally, a client MAY apply a version number to the server root prefix (see Section 3.13).

2. Authentication and Authorization

The SCIM protocol is based upon HTTP and does not itself define a SCIM-specific scheme for authentication and authorization. SCIM depends on the use of Transport Layer Security (TLS) and/or standard HTTP authentication and authorization schemes as per [RFC7235]. For example, the following methodologies could be used, among others:

TLS Client Authentication The SCIM service provider MAY request TLS client authentication (also known as mutual authentication). See Section 7.3 of [RFC5246].

HOBA Authentication HTTP Origin-Bound Authentication (HOBA) is a variation on TLS client authentication and uses a digital-signature-based design for an HTTP authentication method (see [RFC7486]). The design can also be used in JavaScript-based authentication embedded in HTML. HOBA is an alternative to HTTP authentication schemes that require passwords and therefore avoids all problems related to passwords, such as leakage of server-side password databases.

Bearer Tokens Bearer tokens [RFC6750] MAY be used when combined with TLS and a token framework such as OAuth 2.0 [RFC6749]. Tokens that are issued based on weak or no authentication of authorizing users and/or OAuth clients SHOULD NOT be used, unless, for example, they are being used as single-use tokens to permit one-time requests such as anonymous registration (see Section 3.3). For security considerations regarding the use of bearer tokens in SCIM, see Section 7.4. While bearer tokens most often represent an authorization, it is assumed that the authorization was based upon a successful authentication of the SCIM client. Accordingly, the SCIM service provider must have a method for validating, parsing, and/or "introspecting" the bearer token for the relevant authentication and authorization information. The method for this is assumed to be defined by the token-issuing system and is beyond the scope of this specification.

PoP Tokens A proof-of-possession (PoP) token demonstrates that the presenter of the token possesses a particular key and that the recipient can cryptographically confirm proof of possession of the key by the presenter. This property is sometimes also described as the presenter being a holder of the key. See [OAuth-PoP-Arch] for an example of such a token and its use.

Cookies JavaScript clients MAY assert HTTP cookies over TLS that contain an authentication state that is understood by the SCIM service provider (see [RFC6265]). An example of this is scenarios where web-form authentication has taken place with the user and HTTP cookies were set representing the authentication state. For the purposes of SCIM, the security considerations in Section 7.4 apply.

Basic Authentication Usage of basic authentication should be avoided, due to its use of a single factor that is based upon a relatively static, symmetric secret. Implementers SHOULD combine the use of basic authentication with other factors. The security considerations of HTTP Basic are well documented in [HTTP-BASIC-AUTH]; therefore, implementers are encouraged to use stronger authentication methods. Designating the specific methods of authentication and authorization is out of scope for SCIM; however, this information is provided as a resource to implementers.

As per Section 4.1 of [RFC7235], a SCIM service provider SHALL indicate supported HTTP authentication schemes via the "WWW-Authenticate" header.

Regardless of methodology, the SCIM service provider MUST be able to map the authenticated client to an access control policy in order to determine the client's authorization to retrieve and update SCIM resources. For example, while a browser session may have been established via HTTP cookie or TLS client authentication, the unique client MUST be mapped to a security subject (e.g., User). The authorization model and the process by which this is done are beyond the scope of this specification.

When processing requests, the service provider SHOULD consider the subject performing the request and whether or not the action is appropriate given the subject and the resource affected by the request. The subject performing the request is usually determined directly or indirectly from the "Authorization" header present in the request. For example, a subject MAY be permitted to retrieve and update their own "User" resource but will normally have restricted ability to access resources associated with other Users. In other cases, the SCIM service provider might only grant access to a subject's own associated "User" resource (e.g., for the purpose of updating personal contact attributes).

For illustrative purposes only, SCIM protocol examples show an OAuth 2.0 bearer token value [RFC6750] in the authorization header, e.g.,

   GET /Users/2819c223-7f76-453a-919d-413861904646 HTTP/1.1
   Host: example.com
   Authorization: Bearer h480djs93hd8
        

This is not intended to imply that bearer tokens are preferred. However, the use of bearer tokens in the specification does reflect common implementation practice.
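
The service-provider side of this section, as an added example (not code from RFC 7644 or any SCIM implementation): the caller is resolved from the "Authorization" header, mapped to a security subject, and checked against a minimal access control policy in which a subject may only read or update its own "User" resource; an unusable credential gets a 401 with "WWW-Authenticate". The token table, the scope names "scim:self" and "scim:admin", and the admin token are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed introspection table: opaque bearer token -> subject and scopes.
# A real service provider validates or introspects tokens with their issuer
# (out of scope for SCIM); the scope names are assumptions of this example.
TOKENS = {
    "h480djs93hd8": {"subject": "2819c223-7f76-453a-919d-413861904646",
                     "scopes": {"scim:self"}},
    "admin-tok-01": {"subject": "constructed-admin-subject",
                     "scopes": {"scim:admin"}},
}


@dataclass
class Decision:
    """What the service provider would answer before touching any resource."""
    status: int                                   # HTTP status code
    headers: Dict[str, str] = field(default_factory=dict)
    subject: Optional[str] = None                 # security subject of the caller


# RFC 6750 b64token syntax for the credential part of "Bearer <token>".
_BEARER = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$")


def authenticate(authorization: Optional[str]) -> Optional[dict]:
    """Map the Authorization header to a subject record, or None when the
    header is missing, is not a bearer credential, or names an unknown token."""
    if not authorization:
        return None
    m = _BEARER.match(authorization.strip())
    if m is None:
        return None
    return TOKENS.get(m.group(1))


def authorize(method: str, path: str, authorization: Optional[str]) -> Decision:
    """Evaluate a SCIM request against a minimal access control policy:
      * no usable credential -> 401 with WWW-Authenticate (RFC 7235, Section 4.1)
      * scim:admin           -> any method on any /Users resource
      * scim:self            -> GET/PUT/PATCH only on the caller's own User
                                resource, addressed by id or via /Me
      * anything else        -> 403
    """
    caller = authenticate(authorization)
    if caller is None:
        return Decision(401, {"WWW-Authenticate": 'Bearer realm="scim"'})
    subject = caller["subject"]
    if "scim:admin" in caller["scopes"]:
        return Decision(200, subject=subject)
    m = re.match(r"^/Users/([^/?#]+)$", path)
    is_own = path == "/Me" or (m is not None and m.group(1) == subject)
    if "scim:self" in caller["scopes"] and is_own and method in ("GET", "PUT", "PATCH"):
        return Decision(200, subject=subject)
    return Decision(403, subject=subject)
```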

2.1. Use of Tokens as Authorizations

When using bearer tokens or PoP tokens that represent an authorization grant, such as a grant issued by OAuth (see [RFC6749]), implementers SHOULD consider the type of authorization granted, any authorized scopes (see Section 3.3 of [RFC6749]), and the security subject(s) that SHOULD be mapped from the authorization when considering local access control rules. Section 6 of [RFC7521] documents common scenarios for authorization, including:

o A client using an assertion to authenticate and/or act on behalf of itself,

o A client acting on behalf of a user, and

o A client acting on behalf of an anonymous user (for example, see Section 2.2).

When using OAuth authorization tokens, implementers MUST take into account the threats and countermeasures related to the use of client authorizations, as documented in Section 8 of [RFC7521]. When using other token formats or frameworks, implementers MUST take into account similar threats and countermeasures, especially those documented by the relevant specifications.

2.2. Anonymous Requests

In some SCIM deployments, it MAY be acceptable to permit unauthenticated (anonymous) requests -- for example, a user self-registration request where the service provider chooses to accept a SCIM Create request (see Section 3.3) from an anonymous client. See Section 7.6 for security considerations regarding anonymous requests.

3. SCIM Protocol

3.1. Background

SCIM is a protocol that is based on HTTP [RFC7230]. Along with HTTP headers and URIs, SCIM uses JSON [RFC7159] payloads to convey SCIM resources, as well as protocol-specific payload messages that convey request parameters and response information such as errors. Both resources and messages are passed in the form of JSON-based structures in the message body of an HTTP request or response. To identify this content, SCIM uses a media type of "application/scim+json" (see Section 8.1).

A SCIM "resource" is a JSON object [RFC7159] that may be created, maintained, and retrieved via HTTP request methods as described in this document. Each JSON resource representation contains a "schemas" attribute that contains a list of one or more URIs that indicate included SCIM schemas that are used to indicate the attributes contained within a resource. Specific information about what attributes are defined within a schema MAY be obtained by querying a SCIM service provider's "/Schemas" endpoint for a schema definition (see Section 8.7 of [RFC7643]). Responses from this endpoint describe the schema supported by a service provider, including attribute characteristics such as cardinality, case-exactness, mutability, uniqueness, returnability, and whether or not attributes are required. While SCIM schemas and an associated extension model are defined in [RFC7643], SCIM clients should expect that some attribute schema may change from service provider to service provider, particularly across administrative domains. In cases where SCIM may be used as an open protocol in front of an application service, it is quite reasonable to expect that some service providers may only support a subset of the schema defined in [RFC7643].

A SCIM message conveys protocol parameters related to a SCIM request or response; this specification defines these parameters. As with a SCIM resource, a SCIM message is a JSON object [RFC7159] that contains a "schemas" attribute with a URI whose namespace prefix MUST begin with "urn:ietf:params:scim:api:". As SCIM protocol messages are fixed and defined by SCIM specifications and registered extensions, SCIM message schemas using the above prefix URN SHALL NOT be discoverable using the "/Schemas" endpoint.

As SCIM is intended for use in cross-domain scenarios where schema and implementations may vary, techniques such as document validation (e.g., [XML-Schema]) are not recommended. A SCIM service provider interprets a request in the context of its own schema (which may be different from the client's schema) and following the defined processing rules for each request. The sections that follow define the processing rules for SCIM and provide allowances for schema differences where appropriate. For example, in a SCIM PUT request, "readOnly" attributes are ignored, while "readWrite" attributes are updated. There is no need for a SCIM client to discover which attributes are "readOnly", and the client does not need to remove them from a PUT request in order to be accepted. Similarly, a SCIM client SHOULD NOT expect a service provider to return SCIM resources with exactly the same schema and values as submitted. SCIM responses SHALL reflect resource state as interpreted by the SCIM service provider.
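
The two rules of this section in working form, as an added example (not code from RFC 7644 or any SCIM implementation): a payload is a SCIM message when its "schemas" URI carries the "urn:ietf:params:scim:api:" prefix (and such schemas are never served by "/Schemas"), and an incoming resource is interpreted under the server's own schema, with "readOnly" attributes dropped rather than rejected. The per-attribute mutability table is a constructed subset of the core User schema, and leaving out attributes of unsupported schemas is an assumption of the example.

```python
import json
from typing import Dict, List

API_PREFIX = "urn:ietf:params:scim:api:"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed subset of what this service provider's "/Schemas" endpoint
# would describe for the User schema: attribute name -> mutability.
SERVER_SCHEMAS: Dict[str, Dict[str, str]] = {
    USER_SCHEMA: {
        "id": "readOnly",
        "userName": "readWrite",
        "displayName": "readWrite",
        "groups": "readOnly",
        "meta": "readOnly",
    }
}


def parse_body(body: str) -> dict:
    """Decode an application/scim+json body and require a JSON object
    carrying a non-empty "schemas" list of URI strings."""
    payload = json.loads(body)
    schemas = payload.get("schemas") if isinstance(payload, dict) else None
    if (not isinstance(schemas, list) or not schemas
            or not all(isinstance(s, str) for s in schemas)):
        raise ValueError('"schemas" must be a non-empty list of URI strings')
    return payload


def is_valid_body(body: str) -> bool:
    """True when parse_body() accepts the body (also catches non-JSON)."""
    try:
        parse_body(body)
        return True
    except (ValueError, TypeError):
        return False


def classify(payload: dict) -> str:
    """Return "message" if any schema URI has the protocol prefix, else "resource"."""
    if any(s.startswith(API_PREFIX) for s in payload["schemas"]):
        return "message"
    return "resource"


def is_discoverable(schema_uri: str) -> bool:
    """Message schemas under the api: prefix SHALL NOT be served by /Schemas;
    resource schemas are discoverable when this server supports them."""
    return not schema_uri.startswith(API_PREFIX) and schema_uri in SERVER_SCHEMAS


def apply_mutability(payload: dict) -> dict:
    """Interpret an incoming resource under the server's own schema: keep
    readWrite attributes, silently drop readOnly ones, and (an assumption
    of this example) leave out attributes of schemas the server does not
    support instead of rejecting the request."""
    accepted: dict = {}
    kept_schemas: List[str] = []
    for uri in payload["schemas"]:
        defs = SERVER_SCHEMAS.get(uri)
        if defs is None:
            continue
        kept_schemas.append(uri)
        for name, mutability in defs.items():
            if name in payload and mutability != "readOnly":
                accepted[name] = payload[name]
    accepted["schemas"] = kept_schemas
    return accepted
```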

3.2. SCIM Endpoints and HTTP Methods

The SCIM protocol specifies well-known endpoints and HTTP methods for managing resources defined in the SCIM Core Schema document ([RFC7643]); i.e., "User" and "Group" resources correspond to "/Users" and "/Groups", respectively. Service providers that support extended resources SHOULD define resource endpoints using the convention of pluralizing the resource name defined in the extended schema, by appending an 's'. Given that there are cases where resource pluralization is ambiguous, e.g., a resource named "Person" is legitimately "Persons" and "People", clients SHOULD discover resource endpoints via the "/ResourceTypes" endpoint.

   HTTP   SCIM Usage
   Method
   ------ --------------------------------------------------------------
   GET    Retrieves one or more complete or partial resources.

   POST   Depending on the endpoint, creates new resources, creates a
          search request, or MAY be used to bulk-modify resources.

   PUT    Modifies a resource by replacing existing attributes with a
          specified set of replacement attributes (replace).  PUT MUST
          NOT be used to create new resources.

   PATCH  Modifies a resource with a set of client-specified changes
          (partial update).

   DELETE Deletes a resource.

                       Table 1: SCIM HTTP Methods

   Resource Endpoint         Operations             Description
   -------- ---------------- ---------------------- --------------------
   User     /Users           GET (Section 3.4.1),   Retrieve, add,
                             POST (Section 3.3),    modify Users.
                             PUT (Section 3.5.1),
                             PATCH (Section 3.5.2),
                             DELETE (Section 3.6)

   Group    /Groups          GET (Section 3.4.1),   Retrieve, add,
                             POST (Section 3.3),    modify Groups.
                             PUT (Section 3.5.1),
                             PATCH (Section 3.5.2),
                             DELETE (Section 3.6)

   Self     /Me              GET, POST, PUT, PATCH, Alias for operations
                             DELETE (Section 3.11)  against a resource
                                                    mapped to an
                                                    authenticated
                                                    subject (e.g.,
                                                    User).

   Service  /ServiceProvider GET (Section 4)        Retrieve service
   provider Config                                  provider's
   config.                                          configuration.

   Resource /ResourceTypes   GET (Section 4)        Retrieve supported
   type                                             resource types.

   Schema   /Schemas         GET (Section 4)        Retrieve one or more
                                                    supported schemas.

   Bulk     /Bulk            POST (Section 3.7)     Bulk updates to one
                                                    or more resources.

   Search   [prefix]/.search POST (Section 3.4.3)   Search from system
                                                    root or within a
                                                    resource endpoint
                                                    for one or more
                                                    resource types using
                                                    POST.

                        Table 2: Defined Endpoints

All requests to the service provider are made via HTTP methods as per Section 4.3 of [RFC7231] on a URL derived from the Base URL. Responses are returned in the body of the HTTP response, formatted as JSON. Error status codes SHOULD be transmitted via the HTTP status code of the response (if possible) and SHOULD also be specified in the body of the response (see Section 3.12).

3.3. Creating Resources

To create new resources, clients send HTTP POST requests to the resource endpoint, such as "/Users" or "/Groups", as defined by the associated resource type endpoint discovery (see Section 4).

The server SHALL process attributes according to the following mutability rules:

o In the request body, attributes whose mutability is "readOnly" (see Sections 2.2 and 7 of [RFC7643]) SHALL be ignored.

o Attributes whose mutability is "readWrite" (see Section 2.2 of [RFC7643]) and that are omitted from the request body MAY be assumed to be not asserted by the client. The service provider MAY assign a default value to non-asserted attributes in the final resource representation.

o Service providers MAY take into account whether or not a client has access to all of the resource's attributes when deciding whether or not non-asserted attributes should be defaulted.

o Clients that intend to override existing or server-defaulted values for attributes MAY specify "null" for a single-valued attribute or an empty array "[]" for a multi-valued attribute to clear all values.

When the service provider successfully creates the new resource, an HTTP response SHALL be returned with HTTP status code 201 (Created). The response body SHOULD contain the service provider's representation of the newly created resource. The URI of the created resource SHALL include, in the HTTP "Location" header and the HTTP body, a JSON representation [RFC7159] with the attribute "meta.location". Since the server is free to alter and/or ignore POSTed content, returning the full representation can be useful to the client, enabling it to correlate the client's and server's views of the new resource.

If the service provider determines that the creation of the requested resource conflicts with existing resources (e.g., a "User" resource with a duplicate "userName"), the service provider MUST return HTTP status code 409 (Conflict) with a "scimType" error code of "uniqueness", as per Section 3.12.
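
The creation rules above (readOnly attributes ignored, server defaults for non-asserted attributes, "null" or "[]" as explicit clears, 201 with "Location" and "meta.location", 409 with "scimType" "uniqueness"), as an added Python sketch of a service provider's POST handler. This is not code from the RFC; the schema subset, the Base URL "https://example.com/v2" and the in-memory store are assumptions.

```python
"""SCIM 2.0 resource creation (RFC 7644 Section 3.3) as an in-memory handler.
Added illustration, not the RFC's code; the schema subset below is constructed."""
import hashlib
import json
import uuid
from datetime import datetime, timezone

BASE_URL = "https://example.com/v2"  # assumed service provider Base URL
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Constructed subset of the core User schema: mutability per RFC 7643 Section 2.2.
MUTABILITY = {"schemas": "readWrite", "userName": "readWrite", "externalId": "readWrite",
              "name": "readWrite", "emails": "readWrite", "active": "readWrite",
              "id": "readOnly", "meta": "readOnly", "groups": "readOnly"}
DEFAULTS = {"active": True}   # server-assigned value for a non-asserted attribute
UNIQUE = ("userName",)        # attributes whose collision yields 409 "uniqueness"
JSON = {"Content-Type": "application/scim+json"}


def scim_error(status, scim_type, detail):
    """Error response per Section 3.12: status in the HTTP code and in the body."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, dict(JSON), body


def create_resource(store, endpoint, body):
    """POST to a resource endpoint; store maps id -> resource.  Returns
    (status, headers, body) so the caller can emit the HTTP response."""
    resource = {}
    for name, value in body.items():
        if MUTABILITY.get(name) == "readOnly":
            continue  # readOnly attributes (e.g. a client-supplied "id") SHALL be ignored
        if name not in MUTABILITY:
            return scim_error(400, "invalidValue", f"unknown attribute {name!r}")
        resource[name] = value
    if not isinstance(resource.get("userName"), str) or not resource["userName"]:
        return scim_error(400, "invalidValue", "userName is required")
    for name, default in DEFAULTS.items():  # non-asserted attributes MAY be defaulted
        resource.setdefault(name, default)
    # An explicit null or [] overrides a default and clears the attribute.
    resource = {k: v for k, v in resource.items() if v is not None and v != []}
    for name in UNIQUE:  # userName is not caseExact, so compare case-insensitively
        if any(r.get(name, "").lower() == resource[name].lower() for r in store.values()):
            return scim_error(409, "uniqueness", f"{name} already in use")
    new_id = str(uuid.uuid4())  # server-assigned opaque identifier
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    location = f"{BASE_URL}{endpoint}/{new_id}"
    resource["schemas"] = resource.get("schemas") or [USER_SCHEMA]
    resource["id"] = new_id
    # resourceType follows the simple pluralization convention: "/Users" -> "User".
    resource["meta"] = {"resourceType": endpoint.strip("/").rstrip("s"),
                        "created": now, "lastModified": now, "location": location}
    digest = hashlib.sha256(json.dumps(resource, sort_keys=True).encode()).hexdigest()[:15]
    resource["meta"]["version"] = f'W/"{digest}"'  # weak ETag, also returned as a header
    store[new_id] = resource
    return 201, {**JSON, "Location": location, "ETag": resource["meta"]["version"]}, resource
```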

In the following example, a client sends a POST request containing a "User" to the "/Users" endpoint.

   POST /Users  HTTP/1.1
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: ...

   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "userName":"bjensen",
     "externalId":"bjensen",
     "name":{
       "formatted":"Ms. Barbara J Jensen III",
       "familyName":"Jensen",
       "givenName":"Barbara"
     }
   }
        

In response to the example request above, the server signals a successful creation with an HTTP status code 201 (Created) and returns a representation of the resource created:

   HTTP/1.1 201 Created
   Content-Type: application/scim+json
   Location:
    https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
   ETag: W/"e180ee84f0671b1"
        
   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id":"2819c223-7f76-453a-919d-413861904646",
     "externalId":"bjensen",
     "meta":{
       "resourceType":"User",
       "created":"2011-08-01T21:32:44.882Z",
       "lastModified":"2011-08-01T21:32:44.882Z",
       "location":
   "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
       "version":"W\/\"e180ee84f0671b1\""
     },
     "name":{
       "formatted":"Ms. Barbara J Jensen III",
       "familyName":"Jensen",
       "givenName":"Barbara"
     },
     "userName":"bjensen"
   }
        
3.3.1. Resource Types

When adding a resource to a specific endpoint, the meta attribute "resourceType" SHALL be set by the HTTP service provider to the corresponding resource type for the endpoint. For example, a POST to the endpoint "/Users" will set "resourceType" to "User", and "/Groups" will set "resourceType" to "Group".

3.4. Retrieving Resources

Resources MAY be retrieved via opaque, unique URLs or via queries (see Section 3.4.2). The attributes returned are defined in the server's attribute schema (see Section 8.7 of [RFC7643]) and may be modified by request parameters (see Section 3.9). By default, resource attributes returned in a response are those attributes whose characteristic "returned" setting is "always" or "default" (see Section 2.2 of [RFC7643]).

3.4.1. Retrieving a Known Resource

To retrieve a known resource, clients send GET requests to the resource endpoint, e.g., "/Users/{id}", "/Groups/{id}", or "/Schemas/{id}", where "{id}" is a resource identifier (for example, the value of the "id" attribute).

If the resource exists, the server responds with HTTP status code 200 (OK) and includes the result in the body of the response.

The example below retrieves a single User via the "/Users" endpoint.

   GET /Users/2819c223-7f76-453a-919d-413861904646
   Host: example.com
   Accept: application/scim+json
   Authorization: Bearer h480djs93hd8
        

The server responds with:

   HTTP/1.1 200 OK
   Content-Type: application/scim+json
   Location:
     https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
   ETag: W/"f250dd84f0671c3"
        
   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id":"2819c223-7f76-453a-919d-413861904646",
     "externalId":"bjensen",
     "meta":{
       "resourceType":"User",
       "created":"2011-08-01T18:29:49.793Z",
       "lastModified":"2011-08-01T18:29:49.793Z",
       "location":
   "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
       "version":"W\/\"f250dd84f0671c3\""
     },
     "name":{
       "formatted":"Ms. Barbara J Jensen III",
       "familyName":"Jensen",
       "givenName":"Barbara"
     },
     "userName":"bjensen",
     "phoneNumbers":[
       {
         "value":"555-555-8377",
         "type":"work"
       }
     ],
     "emails":[
       {
         "value":"bjensen@example.com",
         "type":"work"
       }
     ]
   }

3.4.2. Query Resources

The SCIM protocol defines a standard set of query parameters that can be used to filter, sort, and paginate to return zero or more resources in a query response. Queries MAY be made against a single resource or a resource type endpoint (e.g., "/Users"), or the service provider Base URI. SCIM service providers MAY support additional query parameters not specified here and SHOULD ignore any query parameters they do not recognize instead of rejecting the query for versioning compatibility reasons.

Responses MUST be identified using the following URI: "urn:ietf:params:scim:api:messages:2.0:ListResponse". The following attributes are defined for responses:

   totalResults
      The total number of results returned by the list or query
      operation.  The value may be larger than the number of resources
      returned, such as when returning a single page (see
      Section 3.4.2.4) of results where multiple pages are available.
      REQUIRED.

   Resources
      A multi-valued list of complex objects containing the requested
      resources.  This MAY be a subset of the full set of resources if
      pagination (Section 3.4.2.4) is requested.  REQUIRED if
      "totalResults" is non-zero.

   startIndex
      The 1-based index of the first result in the current set of list
      results.  REQUIRED when partial results are returned due to
      pagination.

   itemsPerPage
      The number of resources returned in a list response page.
      REQUIRED when partial results are returned due to pagination.

A query that does not return any matches SHALL return success (HTTP status code 200) with "totalResults" set to a value of 0.

The example query below requests the userName for all Users:

   GET /Users?attributes=userName
   Host: example.com
   Accept: application/scim+json
   Authorization: Bearer h480djs93hd8
        

The following is an example response to the query above:

   HTTP/1.1 200 OK
   Content-Type: application/scim+json
        
   {
     "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
     "totalResults":2,
     "Resources":[
       {
         "id":"2819c223-7f76-453a-919d-413861904646",
         "userName":"bjensen"
       },
       {
         "id":"c75ad752-64ae-4823-840d-ffa80929976c",
         "userName":"jsmith"
       }
     ]
   }
        

Note that in the above example, "id" is returned because the "id" attribute has the "returned" characteristic of "always".

3.4.2.1. Query Endpoints

Queries MAY be performed against a SCIM resource object, a resource type endpoint, or a SCIM server root. For example:

      "/Users/{id}"

      "/Users"

      "/Groups"

A query against a server root indicates that all resources within the server SHALL be included, subject to filtering. A filter expression using "meta.resourceType" MAY be used to restrict results to one or more specific resource types (to exclude others). For example:

   filter=(meta.resourceType eq User) or (meta.resourceType eq Group)

If a SCIM service provider determines that too many results would be returned (e.g., because a client queried a resource type endpoint or the server base URI), the server SHALL reject the request by returning an HTTP response with HTTP status code 400 (Bad Request) and JSON attribute "scimType" set to "tooMany" (see Table 9).

When processing query operations using endpoints that include more than one SCIM resource type (e.g., a query from the server root endpoint), filters MUST be processed as outlined in Section 3.4.2.2. For filtered attributes that are not part of a particular resource type, the service provider SHALL treat the attribute as if there is no attribute value. For example, a presence or equality filter for an undefined attribute evaluates to false.

3.4.2.2. Filtering

Filtering is an OPTIONAL parameter for SCIM service providers. Clients MAY discover service provider filter capabilities by looking at the "filter" attribute of the "ServiceProviderConfig" endpoint (see Section 4). Clients MAY request a subset of resources by specifying the "filter" query parameter containing a filter expression. When specified, only those resources matching the filter expression SHALL be returned. The expression language that is used with the filter parameter supports references to attributes and literals.

Attribute names and attribute operators used in filters are case insensitive. For example, the following two expressions will evaluate to the same logical value:

   filter=userName Eq "john"

   filter=Username eq "john"

The filter parameter MUST contain at least one valid expression (see Table 3). Each expression MUST contain an attribute name followed by an attribute operator and optional value. Multiple expressions MAY be combined using logical operators (see Table 4). Expressions MAY be grouped together using round brackets "(" and ")" (see Table 5).

The operators supported in the expression are listed in Table 3.

   +----------+-------------+------------------------------------------+
   | Operator | Description | Behavior                                 |
   +----------+-------------+------------------------------------------+
   | eq       | equal       | The attribute and operator values must   |
   |          |             | be identical for a match.                |
   |          |             |                                          |
   | ne       | not equal   | The attribute and operator values are    |
   |          |             | not identical.                           |
   |          |             |                                          |
   | co       | contains    | The entire operator value must be a      |
   |          |             | substring of the attribute value for a   |
   |          |             | match.                                   |
   |          |             |                                          |
   | sw       | starts with | The entire operator value must be a      |
   |          |             | substring of the attribute value,        |
   |          |             | starting at the beginning of the         |
   |          |             | attribute value.  This criterion is      |
   |          |             | satisfied if the two strings are         |
   |          |             | identical.                               |
   |          |             |                                          |
   | ew       | ends with   | The entire operator value must be a      |
   |          |             | substring of the attribute value,        |
   |          |             | matching at the end of the attribute     |
   |          |             | value.  This criterion is satisfied if   |
   |          |             | the two strings are identical.           |
   |          |             |                                          |
   | pr       | present     | If the attribute has a non-empty or      |
   |          | (has value) | non-null value, or if it contains a      |
   |          |             | non-empty node for complex attributes,   |
   |          |             | there is a match.                        |
   |          |             |                                          |
   | gt       | greater     | If the attribute value is greater than   |
   |          | than        | the operator value, there is a match.    |
   |          |             | The actual comparison is dependent on    |
   |          |             | the attribute type.  For string          |
   |          |             | attribute types, this is a               |
   |          |             | lexicographical comparison, and for      |
   |          |             | DateTime types, it is a chronological    |
   |          |             | comparison.  For integer attributes, it  |
   |          |             | is a comparison by numeric value.        |
   |          |             | Boolean and Binary attributes SHALL      |
   |          |             | cause a failed response (HTTP status     |
   |          |             | code 400) with "scimType" of             |
   |          |             | "invalidFilter".                         |
   |          |             |                                          |
   | ge       | greater     | If the attribute value is greater than   |
   |          | than or     | or equal to the operator value, there is |
   |          | equal to    | a match.  The actual comparison is       |
   |          |             | dependent on the attribute type.  For    |
   |          |             | string attribute types, this is a        |
   |          |             | lexicographical comparison, and for      |
   |          |             | DateTime types, it is a chronological    |
   |          |             | comparison.  For integer attributes, it  |
   |          |             | is a comparison by numeric value.        |
   |          |             | Boolean and Binary attributes SHALL      |
   |          |             | cause a failed response (HTTP status     |
   |          |             | code 400) with "scimType" of             |
   |          |             | "invalidFilter".                         |
   |          |             |                                          |
   | lt       | less than   | If the attribute value is less than the  |
   |          |             | operator value, there is a match.  The   |
   |          |             | actual comparison is dependent on the    |
   |          |             | attribute type.  For string attribute    |
   |          |             | types, this is a lexicographical         |
   |          |             | comparison, and for DateTime types, it   |
   |          |             | is a chronological comparison.  For      |
   |          |             | integer attributes, it is a comparison   |
   |          |             | by numeric value.  Boolean and Binary    |
   |          |             | attributes SHALL cause a failed response |
   |          |             | (HTTP status code 400) with "scimType"   |
   |          |             | of "invalidFilter".                      |
   |          |             |                                          |
   | le       | less than   | If the attribute value is less than or   |
   |          | or equal to | equal to the operator value, there is a  |
   |          |             | match.  The actual comparison is         |
   |          |             | dependent on the attribute type.  For    |
   |          |             | string attribute types, this is a        |
   |          |             | lexicographical comparison, and for      |
   |          |             | DateTime types, it is a chronological    |
   |          |             | comparison.  For integer attributes, it  |
   |          |             | is a comparison by numeric value.        |
   |          |             | Boolean and Binary attributes SHALL      |
   |          |             | cause a failed response (HTTP status     |
   |          |             | code 400) with "scimType" of             |
   |          |             | "invalidFilter".                         |
   +----------+-------------+------------------------------------------+

Table 3: Attribute Operators

   +----------+-------------+------------------------------------------+
   | Operator | Description | Behavior                                 |
   +----------+-------------+------------------------------------------+
   | and      | Logical     | The filter is only a match if both       |
   |          | "and"       | expressions evaluate to true.            |
   |          |             |                                          |
   | or       | Logical     | The filter is a match if either          |
   |          | "or"        | expression evaluates to true.            |
   |          |             |                                          |
   | not      | "Not"       | The filter is a match if the expression  |
   |          | function    | evaluates to false.                      |
   +----------+-------------+------------------------------------------+

Table 4: Logical Operators


   +----------+-------------+------------------------------------------+
   | Operator | Description | Behavior                                 |
   +----------+-------------+------------------------------------------+
   | ( )      | Precedence  | Boolean expressions MAY be grouped using |
   |          | grouping    | parentheses to change the standard order |
   |          |             | of operations, i.e., to evaluate logical |
   |          |             | "or" operators before logical "and"      |
   |          |             | operators.                               |
   |          |             |                                          |
   | [ ]      | Complex     | Service providers MAY support complex    |
   |          | attribute   | filters where expressions MUST be        |
   |          | filter      | applied to the same value of a parent    |
   |          | grouping    | attribute specified immediately before   |
   |          |             | the left square bracket ("[").  The      |
   |          |             | expression within square brackets ("["   |
   |          |             | and "]") MUST be a valid filter          |
   |          |             | expression based upon sub-attributes of  |
   |          |             | the parent attribute.  Nested            |
   |          |             | expressions MAY be used.  See examples   |
   |          |             | below.                                   |
   +----------+-------------+------------------------------------------+
        

Table 5: Grouping Operators


SCIM filters MUST conform to the following ABNF [RFC5234] rules as specified below:


     FILTER    = attrExp / logExp / valuePath / *1"not" "(" FILTER ")"

     valuePath = attrPath "[" valFilter "]"
                 ; FILTER uses sub-attributes of a parent attrPath

     valFilter = attrExp / logExp / *1"not" "(" valFilter ")"

     attrExp   = (attrPath SP "pr") /
                 (attrPath SP compareOp SP compValue)

     logExp    = FILTER SP ("and" / "or") SP FILTER

     compValue = false / null / true / number / string
                 ; rules from JSON (RFC 7159)

     compareOp = "eq" / "ne" / "co" /
                        "sw" / "ew" /
                        "gt" / "lt" /
                        "ge" / "le"

     attrPath  = [URI ":"] ATTRNAME *1subAttr
                 ; SCIM attribute name
                 ; URI is SCIM "schema" URI

     ATTRNAME  = ALPHA *(nameChar)

     nameChar  = "-" / "_" / DIGIT / ALPHA

     subAttr   = "." ATTRNAME
                 ; a sub-attribute of a complex attribute

Figure 1: ABNF Specification of SCIM Filters


In the above ABNF rules, the "compValue" (comparison value) rule is built on JSON Data Interchange format ABNF rules as specified in [RFC7159], "DIGIT" and "ALPHA" are defined per Appendix B.1 of [RFC5234], and "URI" is defined per Appendix A of [RFC3986].


Filters MUST be evaluated using the following order of operations, in order of precedence:


1. Grouping operators


2. Logical operators - where "not" takes precedence over "and", which takes precedence over "or"


3. Attribute operators


If the specified attribute in a filter expression is a multi-valued attribute, the filter matches if any of the values of the specified attribute match the specified criterion; e.g., if a User has multiple "emails" values, only one has to match for the entire User to match. For complex attributes, a fully qualified sub-attribute MUST be specified using standard attribute notation (Section 3.10). For example, to filter by userName, the parameter value is "userName". To filter by first name, the parameter value is "name.givenName".


When applying a comparison (e.g., "eq") or presence filter (e.g., "pr") to a defaulted attribute, the service provider SHALL use the value that was returned to the client that last created or modified the attribute.


Providers MAY support additional filter operations if they choose. Providers MUST decline to filter results if the specified filter operation is not recognized and return an HTTP 400 error with a "scimType" error of "invalidFilter" and an appropriate human-readable response as per Section 3.12. For example, if a client specified an unsupported operator named 'regex', the service provider should specify an error response description identifying the client error, e.g., 'The operator 'regex' is not supported.'


When comparing attributes of type String, the case sensitivity for String type attributes SHALL be determined by the attribute's "caseExact" characteristic (see Section 2.2 of [RFC7643]).


Clients MAY query by schema or schema extensions by using a filter expression including the "schemas" attribute (as shown in Figure 2).


The following are examples of valid filters. Some attributes (e.g., rooms and rooms.number) are hypothetical extensions and are not part of the SCIM core schema:


filter=userName eq "bjensen"


filter=name.familyName co "O'Malley"


filter=userName sw "J"


filter=urn:ietf:params:scim:schemas:core:2.0:User:userName sw "J"
        

filter=title pr


filter=meta.lastModified gt "2011-05-13T04:42:34Z"
        
filter=meta.lastModified ge "2011-05-13T04:42:34Z"
        
filter=meta.lastModified lt "2011-05-13T04:42:34Z"
        
filter=meta.lastModified le "2011-05-13T04:42:34Z"
        

filter=title pr and userType eq "Employee"


filter=title pr or userType eq "Intern"


filter=
 schemas eq "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
        

filter=userType eq "Employee" and (emails co "example.com" or emails.value co "example.org")


filter=userType ne "Employee" and not (emails co "example.com" or emails.value co "example.org")


filter=userType eq "Employee" and (emails.type eq "work")


filter=userType eq "Employee" and emails[type eq "work" and value co "@example.com"]


filter=emails[type eq "work" and value co "@example.com"] or ims[type eq "xmpp" and value co "@foo.com"]


Figure 2: Example Filters
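A recursive-descent parser for the Figure 1 grammar, added here as an example and not code from the RFC. It accepts every filter in Figure 2, applies the stated precedence (grouping, then "not" over "and" over "or"), matches operators and keywords case-insensitively, and rejects an unknown operator such as 'regex' with an InvalidFilter that a provider would answer with HTTP 400 and "scimType" "invalidFilter"; the AST node shapes are this example's own choice.

```python
"""Recursive-descent parser for the SCIM filter grammar of Figure 1 (RFC 7644, 3.4.2.2).
Added example, not the RFC's code. Precedence follows the text: grouping, then "not"
over "and" over "or", then attribute operators. Unsupported operators raise
InvalidFilter, which a provider maps to HTTP 400 with "scimType": "invalidFilter"."""
import json
import re

class InvalidFilter(ValueError):
    """The filter must be declined (HTTP 400, scimType invalidFilter)."""

COMPARE_OPS = {"eq", "ne", "co", "sw", "ew", "gt", "lt", "ge", "le"}
# JSON string | JSON number | bracket | attrPath or keyword (schema URI prefix allowed) | stray
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?|[()\[\]]|[A-Za-z][\w\-:.]*|\S')

def tokenize(text):
    """(kind, value) tokens; string and number literals are decoded with the JSON rules."""
    toks = []
    for tok in _TOKEN.findall(text):
        if (tok[0] == '"' and len(tok) > 1) or tok[0].isdigit() or (tok[0] == "-" and len(tok) > 1):
            toks.append(("lit", json.loads(tok)))
        elif tok in ("(", ")", "[", "]"):
            toks.append(("punct", tok))
        elif tok[0].isalpha():
            toks.append(("word", tok))
        else:
            raise InvalidFilter("Unexpected character %r in filter." % tok)
    return toks

class _Parser:
    """AST nodes: ("and"|"or", l, r), ("not", x), ("pr", path), ("cmp", op, path, value),
    ("valuePath", path, sub-filter). Attribute names and operators are case-insensitive."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def _at(self, kind, value):          # is the next token this bracket / keyword?
        if self.i >= len(self.toks):
            return False
        k, v = self.toks[self.i]
        return k == kind and (v.lower() if k == "word" else v) == value
    def _next(self, kind=None, value=None):
        if self.i >= len(self.toks):
            raise InvalidFilter("Unexpected end of filter.")
        if kind and not (self._at(kind, value) if value else self.toks[self.i][0] == kind):
            raise InvalidFilter("Expected %s at token %d." % (value or kind, self.i))
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self._or()
        if self.i != len(self.toks):
            raise InvalidFilter("Unexpected token %r." % (self.toks[self.i][1],))
        return node
    def _chain(self, keyword, operand):  # left-associative logExp: operand (keyword operand)*
        node = operand()
        while self._at("word", keyword):
            self.i += 1
            node = (keyword, node, operand())
        return node
    def _or(self):                       # "and" binds tighter than "or"
        return self._chain("or", lambda: self._chain("and", self._not))
    def _not(self):                      # *1"not" "(" FILTER ")"
        if not self._at("word", "not"):
            return self._primary()
        self.i += 1
        self._next("punct", "(")
        node = ("not", self._or())
        self._next("punct", ")")
        return node
    def _primary(self):
        if self._at("punct", "("):       # ( ): precedence grouping
            self.i += 1
            node = self._or()
            self._next("punct", ")")
            return node
        path = self._next("word")[1]
        if self._at("punct", "["):       # [ ]: valFilter applied to one value of the parent
            self.i += 1
            node = ("valuePath", path, self._or())
            self._next("punct", "]")
            return node
        op = self._next("word")[1].lower()
        if op == "pr":
            return ("pr", path)
        if op not in COMPARE_OPS:        # decline (e.g. 'regex') instead of ignoring the filter
            raise InvalidFilter("The operator '%s' is not supported." % op)
        kind, value = self._next()
        if kind != "lit":                # compValue: a bare word must be JSON true/false/null
            if kind != "word" or value.lower() not in ("true", "false", "null"):
                raise InvalidFilter("Invalid comparison value %r." % (value,))
            value = json.loads(value.lower())
        return ("cmp", op, path, value)

def parse_filter(text):
    """Parse a filter string into its AST, raising InvalidFilter for anything the grammar rejects."""
    return _Parser(text).parse()
```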


3.4.2.3. Sorting

Sort is OPTIONAL. Clients MAY discover sort capability by looking at the "sort" attribute of the service provider configuration (see Section 4). Sorting allows clients to specify the order in which resources are returned by specifying a combination of "sortBy" and "sortOrder" URL parameters.


sortBy The "sortBy" parameter specifies the attribute whose value SHALL be used to order the returned responses. If the "sortBy" attribute corresponds to a singular attribute, resources are sorted according to that attribute's value; if it's a multi-valued attribute, resources are sorted by the value of the primary attribute (see Section 2.4 of [RFC7643]), if any, or else the first value in the list, if any. If the attribute is complex, the attribute name must be a path to a sub-attribute in standard attribute notation (Section 3.10), e.g., "sortBy=name.givenName". For all attribute types, if there is no data for the specified "sortBy" value, they are sorted via the "sortOrder" parameter, i.e., they are ordered last if ascending and first if descending.


sortOrder The order in which the "sortBy" parameter is applied. Allowed values are "ascending" and "descending". If a value for "sortBy" is provided and no "sortOrder" is specified, "sortOrder" SHALL default to ascending. String type attributes are case insensitive by default, unless the attribute type is defined as a case-exact string. "sortOrder" MUST sort according to the attribute type; i.e., for case-insensitive attributes, sort the result using case-insensitive Unicode alphabetic sort order with no specific locale implied, and for case-exact attribute types, sort the result using case-sensitive Unicode alphabetic sort order.


3.4.2.4. Pagination

Pagination parameters can be used together to "page through" large numbers of resources so as not to overwhelm the client or service provider. Because pagination is not stateful, clients MUST be prepared to handle inconsistent results. For example, a request for a list of 10 resources beginning with a startIndex of 1 MAY return different results when repeated, since resources on the service provider may have changed between requests. Pagination parameters and general behavior are derived from the OpenSearch Protocol [OpenSearch].


Table 6 describes the URL pagination parameters.


   +------------+----------------------------+-------------------------+
   | Parameter  | Description                | Default                 |
   +------------+----------------------------+-------------------------+
   | startIndex | The 1-based index of the   | 1                       |
   |            | first query result.  A     |                         |
   |            | value less than 1 SHALL be |                         |
   |            | interpreted as 1.          |                         |
   |            |                            |                         |
   | count      | Non-negative integer.      | None.  When specified,  |
   |            | Specifies the desired      | the service provider    |
   |            | maximum number of query    | MUST NOT return more    |
   |            | results per page, e.g.,    | results than specified, |
   |            | 10.  A negative value      | although it MAY return  |
   |            | SHALL be interpreted as    | fewer results.  If      |
   |            | "0".  A value of "0"       | unspecified, the        |
   |            | indicates that no resource | maximum number of       |
   |            | results are to be returned | results is set by the   |
   |            | except for "totalResults". | service provider.       |
   +------------+----------------------------+-------------------------+
        

Table 6: Pagination Request Parameters


Table 7 describes the query response pagination attributes specified by the service provider.


   +--------------+----------------------------------------------------+
   | Element      | Description                                        |
   +--------------+----------------------------------------------------+
   | itemsPerPage | Non-negative integer.  Specifies the number of     |
   |              | query results returned in a query response page,   |
   |              | e.g., 10.                                          |
   |              |                                                    |
   | totalResults | Non-negative integer.  Specifies the total number  |
   |              | of results matching the client query, e.g., 1000.  |
   |              |                                                    |
   | startIndex   | The 1-based index of the first result in the       |
   |              | current set of query results, e.g., 1.             |
   +--------------+----------------------------------------------------+
        

Table 7: Pagination Response Elements


For example, to retrieve the first 10 Users, set the startIndex to 1 and the count to 10:


   GET /Users?startIndex=1&count=10
   Host: example.com
   Accept: application/scim+json
   Authorization: Bearer h480djs93hd8
        

The response to the query above returns metadata regarding paging similar to the following example (actual resources removed for brevity):


   {
     "totalResults":100,
     "itemsPerPage":10,
     "startIndex":1,
     "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
     "Resources":[{
       ...
     }]
   }
        

Figure 3: ListResponse Format for Returning Multiple Resources


Given the example above, to continue paging, set the startIndex to 11 and re-fetch, i.e., /Users?startIndex=11&count=10.
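The sortBy/sortOrder rules of Section 3.4.2.3 together with the startIndex/count handling of Tables 6 and 7, as an added example that is not the RFC's code. The provider-side limit SERVER_MAX_RESULTS, the constructed sample users, the client-side page walker and the use of casefold() for the case-insensitive ordering are this example's assumptions.

```python
"""Sorting and pagination of a SCIM query result (RFC 7644, 3.4.2.3 and 3.4.2.4).
Added example, not the RFC's code. SERVER_MAX_RESULTS and the sample users are
assumptions; the RFC leaves the default page size to the service provider."""

SERVER_MAX_RESULTS = 200        # assumed provider limit applied when "count" is absent or too large
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def _primary_or_first(values):
    """Multi-valued attribute: the value flagged "primary" if any, else the first value."""
    primary = [v for v in values if isinstance(v, dict) and v.get("primary") is True]
    return primary[0] if primary else (values[0] if values else None)

def sort_key(resource, sort_by, case_exact=False):
    """Value used to order one resource by sortBy ("name.givenName", "emails.value", ...).
    None means no data, which the caller orders last when ascending, first when descending."""
    value = resource
    for part in sort_by.split("."):
        if isinstance(value, list):
            value = _primary_or_first(value)
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    if isinstance(value, list):
        value = _primary_or_first(value)
    if isinstance(value, dict):         # a complex value itself: order by its "value" sub-attribute
        value = value.get("value")
    if isinstance(value, str) and not case_exact:
        value = value.casefold()        # case-insensitive, locale-independent ordering
    return value

def sort_resources(resources, sort_by, sort_order="ascending", case_exact=False):
    """Stable sort by sortBy/sortOrder. Assumes one value type per attribute."""
    if sort_order not in ("ascending", "descending"):
        raise ValueError("sortOrder must be 'ascending' or 'descending'")
    descending = sort_order == "descending"
    keyed = [(sort_key(r, sort_by, case_exact), r) for r in resources]
    present = sorted((kr for kr in keyed if kr[0] is not None),
                     key=lambda kr: kr[0], reverse=descending)
    ordered = [r for _, r in present]
    missing = [r for k, r in keyed if k is None]   # no data: last if ascending, first if descending
    return missing + ordered if descending else ordered + missing

def paginate(resources, start_index=1, count=None):
    """ListResponse (Table 7) for one page of an already filtered and sorted list (Table 6)."""
    start_index = max(1, int(start_index))                  # a value less than 1 is read as 1
    if count is None:
        count = SERVER_MAX_RESULTS                          # unspecified: provider's own maximum
    count = min(max(0, int(count)), SERVER_MAX_RESULTS)     # negative -> 0; never more than asked
    page = resources[start_index - 1:start_index - 1 + count]   # count 0 -> only totalResults
    return {"schemas": [LIST_RESPONSE], "totalResults": len(resources),
            "itemsPerPage": len(page), "startIndex": start_index, "Resources": page}

def fetch_all_pages(query, page_size=10):
    """Client side: advance startIndex by itemsPerPage until the last page. Paging is not
    stateful, so a resource seen twice (the set shifted between requests) is kept once by
    "id"; a resource that shifts out of a page between requests can still be missed."""
    start, seen, out = 1, set(), []
    while True:
        page = query(start_index=start, count=page_size)
        for r in page["Resources"]:
            if r["id"] not in seen:
                seen.add(r["id"])
                out.append(r)
        if page["itemsPerPage"] == 0 or start + page["itemsPerPage"] > page["totalResults"]:
            return out
        start += page["itemsPerPage"]

# Constructed sample data (not from the RFC): 23 users with mixed-case given names,
# a primary e-mail listed second, and every fifth user lacking a "title".
_NAMES = ["Zoe", "adam", "Maya", "bob", "Eve", "carl", "Ivy", "dan"]
USERS = [{"id": "u%02d" % i, "userName": "user%02d" % i,
          "name": {"givenName": _NAMES[i % 8]},
          "emails": [{"value": "%s@example.com" % _NAMES[i % 8].lower()},
                     {"value": "%02d@example.org" % i, "primary": True}],
          **({} if i % 5 == 4 else {"title": "Staff"})}
         for i in range(23)]

def list_users(start_index=1, count=None, sort_by=None, sort_order="ascending", case_exact=False):
    """Provider side of GET /Users?startIndex=&count=&sortBy=&sortOrder= over USERS."""
    users = USERS if sort_by is None else sort_resources(USERS, sort_by, sort_order, case_exact)
    return paginate(users, start_index, count)
```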


3.4.2.5. Attributes

The following attributes control which attributes SHALL be returned with a returned resource. SCIM clients MAY use one of these two OPTIONAL parameters, which MUST be supported by SCIM service providers:


attributes A multi-valued list of strings indicating the names of resource attributes to return in the response, overriding the set of attributes that would be returned by default. Attribute names MUST be in standard attribute notation (Section 3.10) form. See Section 3.9 for additional retrieval query parameters.


excludedAttributes A multi-valued list of strings indicating the names of resource attributes to be removed from the default set of attributes to return. This parameter SHALL have no effect on attributes whose schema "returned" setting is "always" (see Sections 2.2 and 7 of [RFC7643]). Attribute names MUST be in standard attribute notation (Section 3.10) form. See Section 3.9 for additional retrieval query parameters.


3.4.3. Querying Resources Using HTTP POST

Clients MAY execute queries without passing parameters on the URL by using the HTTP POST verb combined with the "/.search" path extension. The inclusion of "/.search" on the end of a valid SCIM endpoint SHALL be used to indicate that the HTTP POST verb is intended to be a query operation.


To create a new query result set, a SCIM client sends an HTTP POST request to the desired SCIM resource endpoint (ending in "/.search"). The body of the POST request MAY include any of the parameters defined in Section 3.4.2.


Query requests MUST be identified using the following URI: "urn:ietf:params:scim:api:messages:2.0:SearchRequest". The following attributes are defined for query requests:


attributes A multi-valued list of strings indicating the names of resource attributes to return in the response, overriding the set of attributes that would be returned by default. Attribute names MUST be in standard attribute notation (Section 3.10) form. See Section 3.9 for additional retrieval query parameters. OPTIONAL.


excludedAttributes A multi-valued list of strings indicating the names of resource attributes to be removed from the default set of attributes to return. This parameter SHALL have no effect on attributes whose schema "returned" setting is "always" (see Sections 2.2 and 7 of [RFC7643]). Attribute names MUST be in standard attribute notation (Section 3.10) form. See Section 3.9 for additional retrieval query parameters. OPTIONAL.


filter The filter string used to request a subset of resources. The filter string MUST be a valid filter (Section 3.4.2.2) expression. OPTIONAL.


sortBy A string indicating the attribute whose value SHALL be used to order the returned responses. The "sortBy" attribute MUST be in standard attribute notation (Section 3.10) form. See Section 3.4.2.3. OPTIONAL.


sortOrder A string indicating the order in which the "sortBy" parameter is applied. Allowed values are "ascending" and "descending". See Section 3.4.2.3. OPTIONAL.


startIndex An integer indicating the 1-based index of the first query result. See Section 3.4.2.4. OPTIONAL.


count An integer indicating the desired maximum number of query results per page. See Section 3.4.2.4. OPTIONAL.


After receiving an HTTP POST request, a response is returned as specified in Section 3.4.2.


The following example shows an HTTP POST Query request with search parameters "attributes", "filter", and "count" included:


   POST /.search
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: ...

   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
     "attributes": ["displayName", "userName"],
     "filter":
       "displayName sw \"smith\"",
     "startIndex": 1,
     "count": 10
   }
        

Figure 4: Example POST Query Request


The example below shows a query response with the first page of results. For brevity, only two matches are shown: one User and one Group.


   HTTP/1.1 200 OK
   Content-Type: application/scim+json
   Location: https://example.com/.search
        
   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
     "totalResults":100,
     "itemsPerPage":10,
     "startIndex":1,
     "Resources":[
       {
         "id":"2819c223-7f76-413861904646",
         "userName":"jsmith",
         "displayName":"Smith, James"
       },
       {
         "id":"c8596b90-7539-4f20968d1908",
         "displayName":"Smith Family"
       },
        ...
     ]
   }
        

Figure 5: Example POST Query Response


3.5. Modifying Resources

Resources can be modified in whole or in part using HTTP PUT or HTTP PATCH, respectively. Implementers MUST support HTTP PUT as specified in Section 4.3 of [RFC7231]. Resources such as Groups may be very large; hence, implementers SHOULD support HTTP PATCH [RFC5789] to enable partial resource modifications. Service provider support for HTTP PATCH may be discovered by querying the service provider configuration (see Section 4).


3.5.1. Replacing with PUT

HTTP PUT is used to replace a resource's attributes. For example, clients that have previously retrieved the entire resource in advance and revised it MAY replace the resource using an HTTP PUT. Because SCIM resource identifiers are assigned by the service provider, HTTP PUT MUST NOT be used to create new resources.


As the operation's intent is to replace all attributes, SCIM clients MAY send all attributes, regardless of each attribute's mutability. The server will apply attribute-by-attribute replacements according to the following attribute mutability rules:


readWrite, writeOnly Any values provided SHALL replace the existing attribute values.


Attributes whose mutability is "readWrite" that are omitted from the request body MAY be assumed to be not asserted by the client. The service provider MAY assume that any existing values are to be cleared, or the service provider MAY assign a default value to the final resource representation. Service providers MAY take into account whether or not a client has access to, or understands, all of the resource's attributes when deciding whether non-asserted attributes SHALL be removed or defaulted. Clients that want to override a server's defaults MAY specify "null" for a single-valued attribute, or an empty array "[]" for a multi-valued attribute, to clear all values.


immutable If one or more values are already set for the attribute, the input value(s) MUST match, or HTTP status code 400 SHOULD be returned with a "scimType" error code of "mutability". If the service provider has no existing values, the new value(s) SHALL be applied.


readOnly Any values provided SHALL be ignored.


If an attribute is "required", clients MUST specify the attribute in the PUT request.
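The mutability rules above applied attribute by attribute on a PUT, as an added example that is not the RFC's code. The SCHEMA table (a constructed subset of the User schema's flags), the hypothetical immutable attribute "tenantKey", the starting resource EXISTING, the choice to clear rather than default omitted attributes, and the use of "invalidValue" for a missing required attribute are this example's assumptions.

```python
"""Attribute-by-attribute replacement for HTTP PUT under the mutability rules of
Section 3.5.1. Added example, not the RFC's code. SCHEMA is a constructed subset of the
User schema's mutability/required flags plus a hypothetical immutable "tenantKey"."""
import hashlib
import json
from datetime import datetime, timezone

ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
SCHEMA = {  # attribute -> rules; "writeOnly" values are stored but never returned
    "schemas":    {"mutability": "readWrite", "required": True},
    "id":         {"mutability": "readOnly"},
    "meta":       {"mutability": "readOnly"},
    "userName":   {"mutability": "readWrite", "required": True},
    "externalId": {"mutability": "readWrite"},
    "name":       {"mutability": "readWrite"},
    "emails":     {"mutability": "readWrite"},
    "roles":      {"mutability": "readWrite"},
    "password":   {"mutability": "writeOnly"},
    "tenantKey":  {"mutability": "immutable"},   # hypothetical attribute, for illustration
}

class ScimError(Exception):
    """An error response (Section 3.12) with its HTTP status and "scimType"."""
    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status, self.scim_type, self.detail = status, scim_type, detail
    def body(self):
        return {"schemas": [ERROR_SCHEMA], "status": str(self.status),
                "scimType": self.scim_type, "detail": self.detail}

def apply_put(existing, incoming, schema=SCHEMA, now=None):
    """Return the stored resource after replacing `existing` with `incoming`, or raise
    ScimError(400, ...). Attributes not in the schema are ignored."""
    result = {}
    for attr, rules in schema.items():
        provided = attr in incoming
        value = incoming.get(attr)
        empty = value is None or value == []                   # "null" / "[]" clears
        if rules.get("required") and (not provided or empty):
            raise ScimError(400, "invalidValue", "Required attribute '%s' is missing." % attr)
        mutability = rules["mutability"]
        if mutability == "readOnly":                            # provided values are ignored
            if attr in existing:
                result[attr] = existing[attr]
        elif mutability == "immutable":
            if attr in existing:                                # must match once set
                if provided and value != existing[attr]:
                    raise ScimError(400, "mutability", "Attribute '%s' is immutable." % attr)
                result[attr] = existing[attr]
            elif provided and not empty:                        # no existing value: set it
                result[attr] = value
        elif provided and not empty:                            # readWrite / writeOnly: replace
            result[attr] = value
        # omitted readWrite/writeOnly attributes: this provider clears them rather than defaulting
    meta = dict(result.get("meta", {}))
    meta["lastModified"] = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    digest = hashlib.sha256(json.dumps(result, sort_keys=True).encode()).hexdigest()[:15]
    meta["version"] = 'W/"%s"' % digest                         # weak ETag of the new state
    result["meta"] = meta
    return result

def put_response(existing, incoming, schema=SCHEMA, now=None):
    """(status, headers, body) for a PUT: 200 with the entire resource minus writeOnly
    attributes, or the error status and body."""
    try:
        stored = apply_put(existing, incoming, schema, now)
    except ScimError as err:
        return err.status, {}, err.body()
    body = {k: v for k, v in stored.items() if schema.get(k, {}).get("mutability") != "writeOnly"}
    return 200, {"ETag": stored["meta"]["version"]}, body

# Constructed starting state (not from the RFC) for the PUT request shown in this section.
EXISTING = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen", "externalId": "bjensen",
    "name": {"formatted": "Ms. Barbara J Jensen III", "familyName": "Jensen", "givenName": "Barbara"},
    "emails": [{"value": "bjensen@example.com"}],
    "roles": [{"value": "helpdesk"}],
    "password": "old-secret-hash",        # writeOnly: kept server side, never returned
    "tenantKey": "tenant-42",             # hypothetical immutable value
    "meta": {"resourceType": "User", "created": "2011-08-08T04:56:22Z",
             "lastModified": "2011-08-08T04:56:22Z", "version": 'W/"a330bc54f0671c9"'},
}
```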


Unless otherwise specified, a successful PUT operation returns a 200 OK response code and the entire resource within the response body, enabling the client to correlate the client's and the service provider's views of the updated resource. For example:


   PUT /Users/2819c223-7f76-453a-919d-413861904646
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id":"2819c223-7f76-453a-919d-413861904646",
     "userName":"bjensen",
     "externalId":"bjensen",
     "name":{
       "formatted":"Ms. Barbara J Jensen III",
       "familyName":"Jensen",
       "givenName":"Barbara",
       "middleName":"Jane"
     },
     "roles":[],
     "emails":[
       {
           "value":"bjensen@example.com"
       },
       {
           "value":"babs@jensen.org"
       }
     ]
   }
        

The service responds with the entire updated User:


   HTTP/1.1 200 OK
   Content-Type: application/scim+json
   ETag: W/"b431af54f0671a2"
   Location:
     "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"
        
   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id":"2819c223-7f76-453a-919d-413861904646",
     "userName":"bjensen",
     "externalId":"bjensen",
     "name":{
       "formatted":"Ms. Barbara J Jensen III",
       "familyName":"Jensen",
       "givenName":"Barbara",
       "middleName":"Jane"
     },
     "emails":[
       {
           "value":"bjensen@example.com"
       },
       {
           "value":"babs@jensen.org"
       }
     ],
     "meta": {
       "resourceType":"User",
       "created":"2011-08-08T04:56:22Z",
       "lastModified":"2011-08-08T08:00:12Z",
       "location":
   "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
       "version":"W\/\"b431af54f0671a2\""
     }
   }
        
3.5.2. Modifying with PATCH

HTTP PATCH is an OPTIONAL server function that enables clients to update one or more attributes of a SCIM resource using a sequence of operations to "add", "remove", or "replace" values. Clients may discover service provider support for PATCH by querying the service provider configuration (see Section 4).

The general form of the SCIM PATCH request is based on JSON Patch [RFC6902]. One difference between SCIM PATCH and JSON Patch is that SCIM servers do not support array indexing and do not support [RFC6902] operation types relating to array element manipulation, such as "move".

The body of each request MUST contain the "schemas" attribute with the URI value of "urn:ietf:params:scim:api:messages:2.0:PatchOp".

The body of an HTTP PATCH request MUST contain the attribute "Operations", whose value is an array of one or more PATCH operations. Each PATCH operation object MUST have exactly one "op" member, whose value indicates the operation to perform and MAY be one of "add", "remove", or "replace". The semantics of each operation are defined in the following subsections.

The following is an example representation of a PATCH request showing the basic JSON structure (non-normative):

   { "schemas":
       ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations":[
       {
        "op":"add",
        "path":"members",
        "value":[
         {
           "display": "Babs Jensen",
           "$ref":
   "https://example.com/v2/Users/2819c223...413861904646",
           "value": "2819c223-7f76-453a-919d-413861904646"
         }
        ]
       },
       ... + additional operations if needed ...
     ]
   }
        

Figure 6: Example JSON Body for SCIM PATCH Request

The "path" attribute value is a String containing an attribute path describing the target of the operation. The "path" attribute is OPTIONAL for "add" and "replace" and is REQUIRED for "remove" operations. See relevant operation sections below for details.

The "path" attribute is described by the following ABNF syntax rule:

PATH = attrPath / valuePath [subAttr]

Figure 7: SCIM PATCH PATH Rule

The ABNF rules "attrPath", "valuePath", and "subAttr" are defined in Section 3.4.2.2. The "valuePath" rule allows specific values of a complex multi-valued attribute to be selected.

Valid examples of "path" are as follows:

   "path":"members"
   "path":"name.familyName"
   "path":"addresses[type eq \"work\"]"
   "path":"members[value eq \"2819c223-7f76-453a-919d-413861904646\"]"
   "path":"members[value eq \"2819c223-7f76-453a-919d-413861904646\"].displayName"

Figure 8: Example Path Values

Each operation against an attribute MUST be compatible with the attribute's mutability and schema as defined in Sections 2.2 and 2.3 of [RFC7643]. For example, a client MUST NOT modify an attribute that has mutability "readOnly" or "immutable". However, a client MAY "add" a value to an "immutable" attribute if the attribute had no previous value. An operation that is not compatible with an attribute's mutability or schema SHALL return the appropriate HTTP response status code and a JSON detail error response as defined in Section 3.12.

The attribute notation rules described in Section 3.10 apply for describing attribute paths. For all operations, the value of the "schemas" attribute on the SCIM service provider's representation of the resource SHALL be assumed by default. If one of the PATCH operations modifies the "schemas" attribute, subsequent operations SHALL assume the modified state of the "schemas" attribute. Clients MAY implicitly modify the "schemas" attribute by adding (or replacing) an attribute with its fully qualified name, including schema URN. For example, adding the attribute "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber" automatically adds the value "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" to the resource's "schemas" attribute.

Each PATCH operation represents a single action to be applied to the same SCIM resource specified by the request URI. Operations are applied sequentially in the order they appear in the array. Each operation in the sequence is applied to the target resource; the resulting resource becomes the target of the next operation. Evaluation continues until all operations are successfully applied or until an error condition is encountered.

For multi-valued attributes, a PATCH operation that sets a value's "primary" sub-attribute to "true" SHALL cause the server to automatically set "primary" to "false" for any other values in the array.

A PATCH request, regardless of the number of operations, SHALL be treated as atomic. If a single operation encounters an error condition, the original SCIM resource MUST be restored, and a failure status SHALL be returned.

If a request fails, the server SHALL return an HTTP response status code and a JSON detail error response as defined in Section 3.12.

On successful completion, the server either MUST return a 200 OK response code and the entire resource within the response body, subject to the "attributes" query parameter (see Section 3.9), or MAY return HTTP status code 204 (No Content) and the appropriate response headers for a successful PATCH request. The server MUST return a 200 OK if the "attributes" parameter is specified in the request.

3.5.2.1. Add Operation

The "add" operation is used to add a new attribute value to an existing resource.

The operation MUST contain a "value" member whose content specifies the value to be added. The value MAY be a quoted value, or it may be a JSON object containing the sub-attributes of the complex attribute specified in the operation's "path".

The result of the add operation depends upon what the target location indicated by "path" references:

o If omitted, the target location is assumed to be the resource itself. The "value" parameter contains a set of attributes to be added to the resource.

o If the target location does not exist, the attribute and value are added.

o If the target location specifies a complex attribute, a set of sub-attributes SHALL be specified in the "value" parameter.

o If the target location specifies a multi-valued attribute, a new value is added to the attribute.

o If the target location specifies a single-valued attribute, the existing value is replaced.

o If the target location specifies an attribute that does not exist (has no value), the attribute is added with the new value.

o If the target location exists, the value is replaced.

o If the target location already contains the value specified, no changes SHOULD be made to the resource, and a success response SHOULD be returned. Unless other operations change the resource, this operation SHALL NOT change the modify timestamp of the resource.

The following example shows how to add a member to a group. Some text was removed for readability (indicated by "..."):

   PATCH /Groups/acbf3ae7-8463-...-9b4da3f908ce
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   { "schemas":
      ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations":[
       {
        "op":"add",
        "path":"members",
        "value":[
         {
           "display": "Babs Jensen",
           "$ref":
   "https://example.com/v2/Users/2819c223...413861904646",
           "value": "2819c223-7f76-453a-919d-413861904646"
         }
        ]
       }
     ]
   }
        

If the user was already a member of this group, no changes should be made to the resource, and a success response should be returned. The server responds with either the entire updated Group or no response body:

   HTTP/1.1 204 No Content
   Authorization: Bearer h480djs93hd8
   ETag: W/"b431af54f0671a2"
   Location:
   "https://example.com/Groups/acbf3ae7-8463-...-9b4da3f908ce"
        

The following example shows how to add one or more attributes to a User resource without using a "path" attribute.

   PATCH /Users/2819c223-7f76-453a-919d-413861904646
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   {
     "schemas":
       ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations":[{
       "op":"add",
       "value":{
         "emails":[
           {
             "value":"babs@jensen.org",
             "type":"home"
           }
         ],
         "nickname":"Babs"
     }]
   }
        

In the above example, an additional value is added to the multi-valued attribute "emails". The second attribute, "nickname", is added to the User resource. If the resource already had an existing "nickname", the value is replaced per the processing rules above for single-valued attributes.

3.5.2.2. Remove Operation

The "remove" operation removes the value at the target location specified by the required attribute "path". The operation performs the following functions, depending on the target location specified by "path":

o If "path" is unspecified, the operation fails with HTTP status code 400 and a "scimType" error code of "noTarget".

o If the target location is a single-value attribute, the attribute and its associated value are removed, and the attribute SHALL be considered unassigned.

o If the target location is a multi-valued attribute and no filter is specified, the attribute and all values are removed, and the attribute SHALL be considered unassigned.

o If the target location is a multi-valued attribute and a complex filter is specified comparing a "value", the values matched by the filter are removed. If no other values remain after removal of the selected values, the multi-valued attribute SHALL be considered unassigned.

o If the target location is a complex multi-valued attribute and a complex filter is specified based on the attribute's sub-attributes, the matching records are removed. Sub-attributes whose values have been removed SHALL be considered unassigned. If the complex multi-valued attribute has no remaining records, the attribute SHALL be considered unassigned.

If an attribute is removed or becomes unassigned and is defined as a required attribute or a read-only attribute, the server SHALL return an HTTP response status code and a JSON detail error response as defined in Section 3.12, with a "scimType" error code of "mutability".

The following example shows how to remove a member from a group. As with the previous example, the "display" sub-attribute is optional. If the user was not a member of this group, no changes should be made to the resource, and a success response should be returned.

Note that server responses have been omitted for the rest of the PATCH examples.

Remove a single member from a group. Some text was removed for readability (indicated by "..."):

   PATCH /Groups/acbf3ae7-8463-...-9b4da3f908ce
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   {
     "schemas":
      ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations":[{
       "op":"remove",
       "path":"members[value eq \"2819c223-7f76-...413861904646\"]"
     }]
   }
        

Remove all members of a group:

   PATCH /Groups/acbf3ae7-8463-...-9b4da3f908ce
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   { "schemas":
      ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations":[{
       "op":"remove","path":"members"
     }]
   }
        

Removal of a value from a complex multi-valued attribute (request headers removed for brevity):

   {
     "schemas":
      ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations": [{
     "op":"remove",
     "path":"emails[type eq \"work\" and value ew \"example.com\"]"
     }]
   }
        

Example request to remove and add a member. Some text was removed for readability (indicated by "..."):

   PATCH /Groups/acbf3ae7-8463-...-9b4da3f908ce
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   { "schemas":
       ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations": [
       {
         "op":"remove",
         "path":
           "members[value eq\"2819c223...919d-413861904646\"]"
       },
       {
         "op":"add",
         "path":"members",
         "value": [
           {
             "display": "James Smith",
             "$ref":
   "https://example.com/v2/Users/08e1d05d...473d93df9210",
             "value": "08e1d05d...473d93df9210"
           }
         ]
       }
     ]
   }
        

The following example shows how to replace all of the members of a group with a different members list. Some text was removed for readability (indicated by "..."):

   PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   {
     "schemas":
       ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations": [
       {
         "op":"remove","path":"members"
       },
       {
         "op":"add",
         "path":"members",
         "value":[
         {
           "display": "Babs Jensen",
           "$ref":
   "https://example.com/v2/Users/2819c223...413861904646",
           "value": "2819c223-7f76-453a-919d-413861904646"
         },
         {
           "display": "James Smith",
           "$ref":
   "https://example.com/v2/Users/08e1d05d...473d93df9210",
           "value": "08e1d05d-121c-4561-8b96-473d93df9210"
         }]
       }
     ]
   }
        
3.5.2.3. Replace Operation

The "replace" operation replaces the value at the target location specified by the "path". The operation performs the following functions, depending on the target location specified by "path":

o If the "path" parameter is omitted, the target is assumed to be the resource itself. In this case, the "value" attribute SHALL contain a list of one or more attributes that are to be replaced.

o If the target location is a single-value attribute, the attribute's value is replaced.

o If the target location is a multi-valued attribute and no filter is specified, the attribute and all values are replaced.

o If the target location path specifies an attribute that does not exist, the service provider SHALL treat the operation as an "add".

o If the target location specifies a complex attribute, a set of sub-attributes SHALL be specified in the "value" parameter, which replaces any existing values or adds where an attribute did not previously exist. Sub-attributes that are not specified in the "value" parameter are left unchanged.

o If the target location is a multi-valued attribute and a value selection ("valuePath") filter is specified that matches one or more values of the multi-valued attribute, then all matching record values SHALL be replaced.

o If the target location is a complex multi-valued attribute with a value selection filter ("valuePath") and a specific sub-attribute (e.g., "addresses[type eq "work"].streetAddress"), the matching sub-attribute of all matching records is replaced.

o If the target location is a multi-valued attribute for which a value selection filter ("valuePath") has been supplied and no record match was made, the service provider SHALL indicate failure by returning HTTP status code 400 and a "scimType" error code of "noTarget".

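The add, remove and replace rules of this section, together with the PATH grammar of Figure 7, the atomicity requirement and the "primary" reset rule of Section 3.5.2, as one worked engine. This is an added example, not code from RFC 7644 or from any SCIM implementation. It assumes the hypothetical SCHEMA table below in place of a real RFC 7643 schema, bare core attribute names in paths (no schema-URN prefix, so the implicit "schemas" update is not modelled), filter terms limited to "eq" and "ew" joined by "and", and a remove on a valuePath that drops whole matching records (the sub-attribute form of remove is not modelled). The names apply_patch, parse_path and ScimError are the example's own.

```python
import copy
import re
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCHEMA = {  # hypothetical subset of RFC 7643 characteristics: name -> (mutability, multiValued)
    "id": ("readOnly", False), "username": ("readWrite", False), "nickname": ("readWrite", False),
    "name": ("readWrite", False), "emails": ("readWrite", True), "addresses": ("readWrite", True),
    "members": ("readWrite", True), "meta": ("readOnly", False)}
_PATH = re.compile(r'^(?P<attr>[A-Za-z][\w-]*)(?:\[(?P<filt>.+)\])?(?:\.(?P<sub>[A-Za-z][\w-]*))?$')
_TERM = re.compile(r'^(\w+)\s+(eq|ew)\s+(?:"([^"]*)"|(true|false))$')  # subset of the filter grammar

class ScimError(Exception):  # HTTP status plus scimType of a Section 3.12 error response
    def __init__(self, status, scim_type, detail):
        super().__init__(detail)
        self.status, self.scim_type = status, scim_type

def _key(obj, name):  # attribute names are case-insensitive: the key as stored, else `name`
    return next((k for k in obj if k.lower() == name.lower()), name)

def parse_path(path):
    """PATH = attrPath / valuePath [subAttr] -> (attr, filter terms or None, sub-attribute or None)."""
    m = _PATH.match(path or "")
    if not m:
        raise ScimError(400, "invalidPath", "malformed path %r" % path)
    terms = None
    if m.group("filt") is not None:
        terms = []
        for raw in re.split(r"\s+and\s+", m.group("filt")):  # assumes no " and " inside quotes
            t = _TERM.match(raw.strip())
            if not t:
                raise ScimError(400, "invalidFilter", "unsupported filter term %r" % raw)
            terms.append((t.group(1), t.group(2), t.group(3) if t.group(3) is not None else t.group(4) == "true"))
    return m.group("attr"), terms, m.group("sub")

def _matches(rec, terms):  # every term holds; SCIM string compares are case-insensitive unless caseExact
    def holds(have, op, want):
        have, want = [v.lower() if isinstance(v, str) else v for v in (have, want)]
        return have == want if op == "eq" else isinstance(have, str) and have.endswith(str(want))
    return isinstance(rec, dict) and all(holds(rec.get(_key(rec, sub)), op, want) for sub, op, want in terms)

def _enforce_primary(records, touched):  # "primary": true on one value resets it to false on the others
    if any(isinstance(r, dict) and r.get("primary") is True for r in touched):
        for r in records:
            if isinstance(r, dict) and r.get("primary") is True and not any(r is t for t in touched):
                r["primary"] = False

def _remove(res, key, terms):
    if terms is None:
        res.pop(key, None)                        # attribute and all of its values become unassigned
    elif isinstance(res.get(key), list):          # filter matching nothing: no change, still a success
        res[key] = [r for r in res[key] if not _matches(r, terms)]
        if not res[key]:
            del res[key]                          # no values remain -> attribute unassigned

def _apply_one(res, op):
    kind, path, value = op.get("op"), op.get("path"), op.get("value")
    if kind not in ("add", "remove", "replace"):
        raise ScimError(400, "invalidSyntax", "unknown op %r" % kind)
    if path is None:                              # target is the resource itself
        if kind == "remove" or not isinstance(value, dict):
            raise ScimError(400, "noTarget" if kind == "remove" else "invalidValue", "path omitted")
        for name, v in value.items():             # each member becomes its own add/replace
            _apply_one(res, {"op": kind, "path": name, "value": v})
        return
    attr, terms, sub = parse_path(path)
    mut, multi = SCHEMA.get(attr.lower(), (None, None))
    key = _key(res, attr)
    if mut is None or mut == "readOnly" or (mut == "immutable" and key in res):
        raise ScimError(400, "invalidPath" if mut is None else "mutability", "%s: %s" % (attr, mut or "unknown"))
    if kind == "remove":
        return _remove(res, key, terms)
    if terms is not None:                         # valuePath: act on the matching records only
        hits = [r for r in (res.get(key) or []) if _matches(r, terms)]
        if not hits:
            raise ScimError(400, "noTarget", "no value matches %r" % path)
        for r in hits:
            if sub:
                r[_key(r, sub)] = value           # one sub-attribute of each matching record
            else:
                r.clear(); r.update(value)        # the whole matching record, replaced in place
        _enforce_primary(res[key], hits)
    elif sub is not None:                         # "name.familyName": one sub-attribute of a complex attribute
        res.setdefault(key, {})[sub] = value
    elif not multi:                               # single-valued: replace; complex: merge the sub-attributes
        res[key] = {**res[key], **value} if isinstance(value, dict) and isinstance(res.get(key), dict) else value
    elif kind == "replace" or key not in res:
        res[key] = list(value) if isinstance(value, list) else [value]
    else:
        new = [v for v in (value if isinstance(value, list) else [value]) if v not in res[key]]
        res[key].extend(new)                      # a value already present is not added again
        _enforce_primary(res[key], new)

def apply_patch(resource, patch):  # atomic: the new resource, or ScimError with `resource` untouched
    ops = patch.get("Operations")
    if patch.get("schemas") != [PATCH_OP] or not isinstance(ops, list) or not ops:
        raise ScimError(400, "invalidSyntax", "need schemas [%s] and a non-empty Operations array" % PATCH_OP)
    work = copy.deepcopy(resource)                # every op mutates the copy; on error the original stands
    for op in ops:
        _apply_one(work, op)
    return work
```

apply_patch works on a deep copy, so a failing operation anywhere in the array leaves the caller's resource exactly as it was; that is how the requirement to restore the original resource is met without an explicit rollback, and the server then serialises the ScimError into the Section 3.12 error body. Checking the attribute against the schema and rejecting readOnly or immutable targets before anything is written is what keeps a client from reaching "id" or "meta" through PATCH, and the noTarget error on a valuePath that matches nothing keeps a typo in a filter from silently becoming a no-op.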
The following example shows how to replace all of the members of a group with a different members list in a single replace operation. Some text was removed for readability (indicated by "..."):

   PATCH /Groups/acbf3ae7-8463-4692-b4fd-9b4da3f908ce
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   {
     "schemas":
       ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations": [{
       "op":"replace",
       "path":"members",
       "value":[
         {
           "display": "Babs Jensen",
           "$ref":
   "https://example.com/v2/Users/2819c223...413861904646",
           "value": "2819c223...413861904646"
         },
         {
           "display": "James Smith",
           "$ref":
   "https://example.com/v2/Users/08e1d05d...473d93df9210",
           "value": "08e1d05d...473d93df9210"
         }
       ]
     }]
   }
        

The following example shows how to change a User's entire "work" address, using a "valuePath" filter. Note that by setting "primary" to "true", the service provider will reset "primary" to "false" for any other existing values of "addresses".

   PATCH /Users/2819c223-7f76-453a-919d-413861904646
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   {
     "schemas":
       ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations": [{
       "op":"replace",
       "path":"addresses[type eq \"work\"]",
       "value":
       {
         "type": "work",
         "streetAddress": "911 Universal City Plaza",
         "locality": "Hollywood",
         "region": "CA",
         "postalCode": "91608",
         "country": "US",
         "formatted":
   "911 Universal City Plaza\nHollywood, CA 91608 US",
         "primary": true
       }
     }]
   }
        

The following example shows how to change a specific sub-attribute "streetAddress" of the complex attribute "addresses", selected by a "valuePath" filter:

   PATCH /Users/2819c223-7f76-453a-919d-413861904646
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   {
     "schemas":
       ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations": [{
       "op":"replace",
       "path":"addresses[type eq \"work\"].streetAddress",
       "value":"1010 Broadway Ave"
     }]
   }
        

The following example shows how to replace all values of one or more specific attributes of a User resource. Note that other attributes are unaffected.

   PATCH /Users/2819c223-7f76-453a-919d-413861904646
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   If-Match: W/"a330bc54f0671c9"
        
   {
     "schemas":
       ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations": [{
       "op":"replace",
       "value":{
         "emails":[
           {
             "value":"bjensen@example.com",
             "type":"work",
             "primary":true
           },
           {
             "value":"babs@jensen.org",
             "type":"home"
           }
         ],
         "nickname":"Babs"
     }]
   }
        
3.6. Deleting Resources

Clients request resource removal via DELETE. Service providers MAY choose not to permanently delete the resource but MUST return a 404 (Not Found) error code for all operations associated with the previously deleted resource. Service providers MUST omit the resource from future query results. In addition, the service provider SHOULD NOT consider the deleted resource in conflict calculation. For example, if a User resource is deleted, a CREATE request for a User resource with the same userName as the previously deleted resource SHOULD NOT fail with a 409 error due to userName conflict.


            DELETE /Users/2819c223-7f76-453a-919d-413861904646
            Host: example.com
            Authorization: Bearer h480djs93hd8
            If-Match: W/"c310cd84f0281b7"
        

In response to a successful DELETE, the server SHALL return a successful HTTP status code 204 (No Content). A non-normative example response:


HTTP/1.1 204 No Content

Example: Client's attempt to retrieve the previously deleted User

   GET /Users/2819c223-7f76-453a-919d-413861904646
   Host: example.com
   Authorization: Bearer h480djs93hd8

Server response:

HTTP/1.1 404 Not Found

   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
     "detail":"Resource 2819c223-7f76-453a-919d-413861904646 not found",
     "status": "404"
   }
        
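An added example in Python (not from the RFC) of a store that meets those obligations with soft deletion: the record is retained for audit, but GET and a repeated DELETE answer 404, searches skip it, and its userName becomes available again. The class, its method names and the in-memory layout are assumptions of the example; the error bodies follow the Error schema shown above.

```python
import uuid

ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER = "urn:ietf:params:scim:schemas:core:2.0:User"


def _not_found(uid):
    return 404, {"schemas": [ERROR], "status": "404", "detail": f"Resource {uid} not found"}


class UserStore:
    """Soft-deleting User store: deleted records stay (here in memory, in
    practice on disk) for audit, but every SCIM-visible operation treats
    them as gone."""

    def __init__(self):
        self._users = {}       # id -> resource, deleted ones included
        self._deleted = set()  # tombstones: ids that have been DELETEd

    def _live(self):
        return [u for uid, u in self._users.items() if uid not in self._deleted]

    def create(self, resource):
        # Uniqueness is evaluated over live resources only, so a userName freed
        # by a DELETE can be reused without a 409 (Section 3.6).
        name = resource["userName"].lower()  # userName is not caseExact in RFC 7643
        if any(u["userName"].lower() == name for u in self._live()):
            return 409, {"schemas": [ERROR], "status": "409", "scimType": "uniqueness",
                         "detail": "userName already in use"}
        uid = str(uuid.uuid4())
        self._users[uid] = dict(resource, id=uid, schemas=[USER])
        return 201, self._users[uid]

    def get(self, uid):
        if uid not in self._users or uid in self._deleted:
            return _not_found(uid)
        return 200, self._users[uid]

    def delete(self, uid):
        # Unknown and already-deleted ids get the identical 404, so a caller
        # cannot use DELETE (or GET) to probe whether an id ever existed.
        if uid not in self._users or uid in self._deleted:
            return _not_found(uid)
        self._deleted.add(uid)
        return 204, None

    def search(self):
        live = self._live()
        return 200, {"schemas": [LIST_RESPONSE], "totalResults": len(live), "Resources": live}
```

The tombstone set is the whole trick: every read path filters on it, and the uniqueness check is written in terms of the filtered view, so a new "alice" gets a fresh id rather than resurrecting the old record with its old group memberships.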
        
3.7. Bulk Operations

The SCIM bulk operation is an optional server feature that enables clients to send a potentially large collection of resource operations in a single request. Support for bulk requests can be discovered by querying the service provider configuration (see Section 4). The body of a bulk operation contains a set of HTTP resource operations using one of the HTTP methods supported by the API, i.e., POST, PUT, PATCH, or DELETE.


Bulk requests are identified using the following schema URI: "urn:ietf:params:scim:api:messages:2.0:BulkRequest". Bulk responses are identified using the following URI: "urn:ietf:params:scim:api:messages:2.0:BulkResponse". Bulk requests and bulk responses share many attributes. Unless otherwise specified, each attribute below is present in both bulk requests and bulk responses.


The following singular attribute is defined, in addition to the common attributes defined in [RFC7643].


failOnErrors An integer specifying the number of errors that the service provider will accept before the operation is terminated and an error response is returned. OPTIONAL in a request. Not valid in a response.


The following complex multi-valued attribute is defined, in addition to the common attributes defined in [RFC7643].


Operations Defines operations within a bulk job. Each operation corresponds to a single HTTP request against a resource endpoint. REQUIRED. The Operations attribute has the following sub-attributes:


method The HTTP method of the current operation. Possible values are "POST", "PUT", "PATCH", or "DELETE". REQUIRED.


bulkId The transient identifier of a newly created resource, unique within a bulk request and created by the client. The bulkId serves as a surrogate resource id enabling clients to uniquely identify newly created resources in the response and cross-reference new resources in and across operations within a bulk request. REQUIRED when "method" is "POST".


version The current resource version. Version MAY be used if the service provider supports entity-tags (ETags) (Section 2.3 of [RFC7232]) and "method" is "PUT", "PATCH", or "DELETE".


path The resource's relative path to the SCIM service provider's root. If "method" is "POST", the value must specify a resource type endpoint, e.g., /Users or /Groups, whereas all other "method" values must specify the path to a specific resource, e.g., /Users/2819c223-7f76-453a-919d-413861904646. REQUIRED in a request.


data The resource data as it would appear for a single SCIM POST, PUT, or PATCH operation. REQUIRED in a request when "method" is "POST", "PUT", or "PATCH".


location The resource endpoint URL. REQUIRED in a response, except in the event of a POST failure.


response The HTTP response body for the specified request operation. When indicating a response with an HTTP status other than a 200-series response, the response body MUST be included. For normal completion, the server MAY elect to omit the response body.


status The HTTP response status code for the requested operation. When indicating an error, the "response" attribute MUST contain the detail error response as per Section 3.12.


If a bulk job is processed successfully, HTTP response code 200 OK MUST be returned; otherwise, an appropriate HTTP error code MUST be returned.


The service provider MUST continue performing as many changes as possible and disregard partial failures. The client MAY override this behavior by specifying a value for the "failOnErrors" attribute, which gives the number of errors the service provider accepts before it stops processing the remaining operations and returns the response.

To be able to reference a newly created resource, the bulkId attribute MAY be specified when creating new resources. The "bulkId" is defined by the client as a surrogate identifier in a POST operation (see Section 3.7.2). The service provider MUST return the same "bulkId" together with the newly created resource. The "bulkId" can then be used by the client to map the service provider id with the "bulkId" of the created resource.


A SCIM service provider MAY elect to optimize the sequence of operations received (e.g., to improve processing performance). When doing so, the service provider MUST ensure that the client's intent is preserved and the same stateful result is achieved as for non-optimized processing. For example, before a "User" can be added to a "Group", they must first be created. Processing these requests out of order might result in a failure to add the new "User" to the "Group".

3.7.1. Circular Reference Processing

The service provider MUST try to resolve circular cross-references between resources in a single bulk job but MAY stop after a failed attempt and instead return HTTP status code 409 (Conflict). The following example exhibits the potential conflict.


   POST /v2/Bulk
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: ...


   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
     "Operations": [
       {
         "method": "POST",
         "path": "/Groups",
         "bulkId": "qwerty",
         "data": {
           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
           "displayName": "Group A",
           "members": [
             {
               "type": "Group",
               "value": "bulkId:ytrewq"
             }
           ]
         }
       },
       {
         "method": "POST",
         "path": "/Groups",
         "bulkId": "ytrewq",
         "data": {
           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
           "displayName": "Group B",
           "members": [
             {
               "type": "Group",
               "value": "bulkId:qwerty"
             }
           ]
         }
       }
     ]
   }

If the service provider resolved the above circular references, the following is returned from a subsequent GET request.


   GET /v2/Groups?filter=displayName sw 'Group'
   Host: example.com
   Accept: application/scim+json
   Authorization: Bearer h480djs93hd8
        
   HTTP/1.1 200 OK
   Content-Type: application/scim+json
        
   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
     "totalResults": 2,
     "Resources": [
       {
         "id": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
         "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
         "displayName": "Group A",
         "meta": {
           "resourceType": "Group",
           "created": "2011-08-01T18:29:49.793Z",
           "lastModified": "2011-08-01T18:29:51.135Z",
           "location":
   "https://example.com/v2/Groups/c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
           "version": "W\/\"mvwNGaxB5SDq074p\""
         },
         "members": [
           {
             "value": "6c5bb468-14b2-4183-baf2-06d523e03bd3",
             "$ref":
   "https://example.com/v2/Groups/6c5bb468-14b2-4183-baf2-06d523e03bd3",
             "type": "Group"
           }
         ]
       },
       {
         "id": "6c5bb468-14b2-4183-baf2-06d523e03bd3",
         "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
         "displayName": "Group B",
         "meta": {
           "resourceType": "Group",
           "created": "2011-08-01T18:29:50.873Z",
           "lastModified": "2011-08-01T18:29:50.873Z",
           "location":
   "https://example.com/v2/Groups/6c5bb468-14b2-4183-baf2-06d523e03bd3",
           "version": "W\/\"wGB85s2QJMjiNnuI\""
         },
         "members": [
           {
             "value": "c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
             "$ref":
   "https://example.com/v2/Groups/c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
             "type": "Group"
           }
         ]
       }
     ]
   }

3.7.2. "bulkId" Temporary Identifiers

A SCIM client can, within one bulk operation, create a new "User", create a new "Group", and add the newly created "User" to the newly created "Group". In order to add the new "User" to the "Group", the client must use the surrogate id attribute, "bulkId", to reference the User. The "bulkId" attribute value must be prepended with the literal "bulkId:"; e.g., if the bulkId is 'qwerty', the value is "bulkId:qwerty". The service provider MUST replace the string "bulkId:qwerty" with the permanent resource id once created.


To create multiple distinct requests, each with their own "bulkId", the SCIM client specifies different "bulkId" values for each separate request.


The following example creates a User whose "userName" is 'Alice' and a Group whose "displayName" is 'Tour Guides', with Alice as a member. Notice that each operation has its own "bulkId" value. However, the second operation (whose "bulkId" is "ytrewq") refers to the "bulkId" of "qwerty" in order to add Alice to the new 'Tour Guides' group.

   POST /v2/Bulk
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: ...


   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
     "Operations": [
       {
         "method": "POST",
         "path": "/Users",
         "bulkId": "qwerty",
         "data": {
           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
           "userName": "Alice"
         }
       },
       {
         "method": "POST",
         "path": "/Groups",
         "bulkId": "ytrewq",
         "data": {
           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
           "displayName": "Tour Guides",
           "members": [
             {
               "type": "User",
               "value": "bulkId:qwerty"
             }
           ]
         }
       }
     ]
   }
        

The service provider returns the following response:


   HTTP/1.1 200 OK
   Content-Type: application/scim+json
        
   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
     "Operations": [
       {
         "location":
   "https://example.com/v2/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a",
         "method": "POST",
         "bulkId": "qwerty",
         "version": "W\/\"4weymrEsh5O6cAEK\"",
         "status": "201"
       },
       {
         "location":
   "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
         "method": "POST",
         "bulkId": "ytrewq",
         "version": "W\/\"lha5bbazU3fNvfe5\"",
         "status": "201"
       }
     ]
   }
        
        

In the above example, the "Alice" User resource has an "id" of "92b725cd-9465-4e7d-8c16-01f8e146b87a" and the 'Tour Guides' Group has an "id" of "e9e30dba-f08f-4109-8486-d5c6a331660a".


A subsequent GET request for the 'Tour Guides' Group (with an "id" of "e9e30dba-f08f-4109-8486-d5c6a331660a") returns the following, with Alice's "id" as the value for the member in the Group 'Tour Guides':


   HTTP/1.1 200 OK
   Content-Type: application/scim+json
   Location:
    https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a
   ETag: W/"lha5bbazU3fNvfe5"
        
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
     "id": "e9e30dba-f08f-4109-8486-d5c6a331660a",
     "displayName": "Tour Guides",
     "meta": {
       "resourceType": "Group",
       "created": "2011-08-01T18:29:49.793Z",
       "lastModified": "2011-08-01T20:31:02.315Z",
       "location":
   "https://example.com/v2/Groups/e9e30dba-f08f-4109-8486-d5c6a331660a",
       "version": "W\/\"lha5bbazU3fNvfe5\""
     },
     "members": [
       {
         "value": "92b725cd-9465-4e7d-8c16-01f8e146b87a",
         "$ref":
   "https://example.com/v2/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a",
         "type": "User"
       }
     ]
   }
        

Extensions that include references to other resources MUST be handled in the same way by the service provider. The following example uses a "bulkId" reference as the "value" of the enterprise extension's "manager" attribute.

   POST /v2/Bulk
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: ...


 {
   "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
   "Operations": [
     {
       "method": "POST",
       "path": "/Users",
       "bulkId": "qwerty",
       "data": {
         "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
         "userName": "Alice"
       }
     },
     {
       "method": "POST",
       "path": "/Users",
       "bulkId": "ytrewq",
       "data": {
         "schemas": [
           "urn:ietf:params:scim:schemas:core:2.0:User",
           "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
         ],
         "userName": "Bob",
         "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
           "employeeNumber": "11250",
           "manager": {
             "value": "bulkId:qwerty"
           }
         }
       }
     }
   ]
 }
        
3.7.3. Response and Error Handling

The service provider response MUST include the result of every processed operation. A "location" attribute holding the resource's endpoint MUST be returned for all operations except failed POST operations (which have no location). The "status" attribute reports the success or failure of one operation within the bulk job: it holds the HTTP response code that would have been returned had the operation been sent as a single HTTP request. If an error occurred, the "response" attribute MUST also be present and carry the error response of Section 3.12, whose "detail" attribute gives a human-readable explanation of the error (see the definitions of "status" and "response" in Section 3.7). A successful operation therefore reports only its status code:

   "status": "201"
        

The following is an example of a status in a failed operation.


  "status": "400",
  "response":{
       "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
       "scimType":"invalidSyntax",
       "detail":
  "Request is unparsable, syntactically incorrect, or violates schema.",
       "status":"400"
   }
        
        

The following example shows how to add, update, and remove a user. The "failOnErrors" attribute is set to '1', indicating that the service provider will stop processing and return results after one error. The POST operation's bulkId value is set to 'qwerty', enabling the client to match the new User with the returned resource "id" of "92b725cd-9465-4e7d-8c16-01f8e146b87a".


   POST /v2/Bulk
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: ...


   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
     "failOnErrors":1,
     "Operations":[
       {
         "method":"POST",
         "path":"/Users",
         "bulkId":"qwerty",
         "data":{
           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
           "userName":"Alice"
         }
       },
       {
         "method":"PUT",
         "path":"/Users/b7c14771-226c-4d05-8860-134711653041",
         "version":"W\/\"3694e05e9dff591\"",
         "data":{
           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
           "id":"b7c14771-226c-4d05-8860-134711653041",
           "userName":"Bob"
         }
       },
       {
         "method": "PATCH",
         "path": "/Users/5d8d29d3-342c-4b5f-8683-a3cb6763ffcc",
         "version": "W/\"edac3253e2c0ef2\"",
         "data": {
           "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
           "Operations": [
             {
               "op": "remove",
               "path": "nickName"
             },
             {
               "op": "add",
               "path": "userName",
               "value": "Dave"
             }
           ]
         }
       },
       {
         "method":"DELETE",
         "path":"/Users/e9025315-6bea-44e1-899c-1e07454e468b",
         "version":"W\/\"0ee8add0a938e1a\""
       }
     ]
   }
        

The service provider returns the following response:


  HTTP/1.1 200 OK
  Content-Type: application/scim+json
        
  {
      "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
      "Operations": [
          {
              "location":
  "https://example.com/v2/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a",
              "method": "POST",
              "bulkId": "qwerty",
              "version": "W\/\"oY4m4wn58tkVjJxK\"",
              "status": "201"
          },
          {
              "location":
  "https://example.com/v2/Users/b7c14771-226c-4d05-8860-134711653041",
              "method": "PUT",
              "version": "W\/\"huJj29dMNgu3WXPD\"",
              "status": "200"
          },
          {
              "location":
  "https://example.com/v2/Users/5d8d29d3-342c-4b5f-8683-a3cb6763ffcc",
              "method": "PATCH",
              "version": "W\/\"huJj29dMNgu3WXPD\"",
              "status": "200"
          },
          {
              "location":
  "https://example.com/v2/Users/e9025315-6bea-44e1-899c-1e07454e468b",
              "method": "DELETE",
              "status": "204"
          }
      ]
  }
        

The following response is returned if an error occurred when attempting to create the User 'Alice'. The service provider stops processing the bulk operation and immediately returns a response to the client. The response contains the error and any successful results prior to the error.


  HTTP/1.1 200 OK
  Content-Type: application/scim+json
        
  {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
    "Operations": [
      {
        "method": "POST",
        "bulkId": "qwerty",
        "status": "400",
        "response":{
           "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
           "scimType":"invalidSyntax",
           "detail":
  "Request is unparsable, syntactically incorrect, or violates schema.",
           "status":"400"
        }
      }
    ]
  }
        
        

If the "failOnErrors" attribute is not specified or the service provider has not reached the error limit defined by the client, the service provider will continue to process all operations. The following is an example in which all operations failed.

  HTTP/1.1 200 OK
  Content-Type: application/scim+json
        
  {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
    "Operations": [
      {
        "method": "POST",
        "bulkId": "qwerty",
        "status": "400",
        "response":{
           "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
           "scimType":"invalidSyntax",
           "detail":
  "Request is unparsable, syntactically incorrect, or violates schema.",
           "status":"400"
        }
      },
      {
        "location":
  "https://example.com/v2/Users/b7c14771-226c-4d05-8860-134711653041",
        "method": "PUT",
        "status": "412",
        "response":{
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
            "detail":
                  "Failed to update.  Resource changed on the server.",
            "status":"412"
        }
      },
      {
        "location":
  "https://example.com/v2/Users/5d8d29d3-342c-4b5f-8683-a3cb6763ffcc",
        "method": "PATCH",
        "status": "412",
        "response":{
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
            "detail":
                  "Failed to update.  Resource changed on the server.",
            "status":"412"
        }
      },
      {
        "location":
  "https://example.com/v2/Users/e9025315-6bea-44e1-899c-1e07454e468b",
        "method": "DELETE",
        "status": "404",
        "response":{
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
            "detail":"Resource does not exist.",
            "status":"404"
        }
      }
    ]
  }
        
3.7.4. Maximum Operations

The service provider MUST define the maximum number of operations and maximum payload size a client may send in a single request. These limits MAY be retrieved from the service provider configuration (see 'bulk' in Sections 5 and 8.5 of [RFC7643]). If either limit is exceeded, the service provider MUST return HTTP response code 413 (Payload Too Large). The returned response MUST specify the limit exceeded in the body of the error response.

In the following example, the client sent a request exceeding the service provider's maximum payload size of 1 megabyte:

   POST /v2/Bulk
   Host: example.com
   Accept: application/scim+json
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: 4294967296
        

...

The server sends the following error in response to the oversized request:

  HTTP/1.1 413 Payload Too Large
  Content-Type: application/scim+json
        
  {
    "schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],
    "status": "413",
    "detail":
  "The size of the bulk operation exceeds the maxPayloadSize (1048576)."
  }
        
        
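As an added illustration that is not part of the RFC, the following Python sketch handles a BulkRequest the way Sections 3.7 and 3.7.4 describe: the payload and operation limits are checked first and a 413 names the limit that was exceeded in "detail", each operation's result carries its "bulkId" or "location" and an Error body on failure, and processing stops once the client's "failOnErrors" count is reached while keeping the results gathered so far. The backend hook, the in-memory store, the generated ids and the ETag values are constructed for the demo.

```python
import json

# Constructed service-provider limits; they match the values shown in the
# RFC's 413 example and Table 8, and a real deployment publishes its own
# through the "bulk" settings of the service provider configuration.
MAX_OPERATIONS = 1000
MAX_PAYLOAD_SIZE = 1048576

BULK_REQUEST = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
BULK_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:BulkResponse"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
INVALID_SYNTAX = ("Request is unparsable, syntactically incorrect, "
                  "or violates schema.")


def scim_error(status, detail, scim_type=None):
    """Error body per Section 3.12; "status" is carried as a JSON string."""
    body = {"schemas": [ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return body


def bulk_request(operations, fail_on_errors=None):
    """Client side: serialize a BulkRequest body (bytes) for POST /Bulk."""
    request = {"schemas": [BULK_REQUEST], "Operations": operations}
    if fail_on_errors is not None:
        request["failOnErrors"] = fail_on_errors
    return json.dumps(request).encode("utf-8")


def process_bulk(raw_body, apply_operation):
    """Server side: returns (http_status, json_body) for one POST /Bulk.

    apply_operation(op) is a hypothetical backend hook that returns
    (status_code, location_or_None, error_body_or_None) for one operation.
    """
    # Section 3.7.4: check both limits before doing any work and name the
    # limit that was exceeded in the error detail.
    if len(raw_body) > MAX_PAYLOAD_SIZE:
        return 413, scim_error(413, "The size of the bulk operation exceeds "
                               "the maxPayloadSize (%d)." % MAX_PAYLOAD_SIZE)
    try:
        request = json.loads(raw_body)
    except ValueError:
        return 400, scim_error(400, INVALID_SYNTAX, "invalidSyntax")
    ops = request.get("Operations") if isinstance(request, dict) else None
    if not isinstance(ops, list) or BULK_REQUEST not in request.get("schemas", []):
        return 400, scim_error(400, INVALID_SYNTAX, "invalidSyntax")
    if len(ops) > MAX_OPERATIONS:
        return 413, scim_error(413, "The number of operations exceeds the "
                               "maxOperations (%d)." % MAX_OPERATIONS)

    fail_on_errors = request.get("failOnErrors")  # absent: process them all
    results, errors = [], 0
    for op in ops:
        status, location, error = apply_operation(op)
        result = {"method": op["method"], "status": str(status)}
        if op.get("bulkId"):
            result["bulkId"] = op["bulkId"]
        if location:
            result["location"] = location
        if error:
            result["response"] = error
            errors += 1
        results.append(result)
        # Stop at the client's error limit; everything before it is kept.
        if fail_on_errors is not None and errors >= fail_on_errors:
            break
    return 200, {"schemas": [BULK_RESPONSE], "Operations": results}


def make_backend(store, base="https://example.com/v2/Users/"):
    """Constructed in-memory backend: store maps resource id -> current ETag."""
    def apply_operation(op):
        method, path, data = op["method"], op.get("path", ""), op.get("data") or {}
        if method == "POST":
            if "userName" not in data:  # schema violation -> invalidSyntax
                return 400, None, scim_error(400, INVALID_SYNTAX, "invalidSyntax")
            new_id = "constructed-%04d" % (len(store) + 1)
            store[new_id] = 'W/"v1"'
            return 201, base + new_id, None
        rid = path.rsplit("/", 1)[-1]
        if rid not in store:
            return 404, base + rid, scim_error(404, "Resource does not exist.")
        if method in ("PUT", "PATCH"):
            # "version" is the ETag the client last saw; a mismatch is 412.
            if "version" in op and op["version"] != store[rid]:
                return 412, base + rid, scim_error(
                    412, "Failed to update.  Resource changed on the server.")
            return 200, base + rid, None
        if method == "DELETE":
            del store[rid]
            return 204, base + rid, None
        return 400, None, scim_error(400, "Unsupported method.", "invalidValue")
    return apply_operation
```
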
3.8. Data Input/Output Formats

Servers MUST accept requests and be able to return JSON-structured responses using UTF-8 encoding [RFC3629]. UTF-8 SHALL be the default encoding format. Other media types MAY be supported by service providers but are beyond the scope of this specification.

Clients using other encodings MUST specify the format in which the data is submitted via an HTTP "Content-Type" header as specified in Section 3.1.1.5 of [RFC7231] and MAY specify the desired response data format via an HTTP "Accept" header (Section 5.3.2 of [RFC7231]), e.g., "Accept: application/scim+json", or via URI suffix:

   GET /Users/2819c223-7f76-453a-919d-413861904646.scim
   Host: example.com

Service providers MUST support the "Accept" header "Accept: application/scim+json" and SHOULD support the header "Accept: application/json", both of which specify JSON documents conforming to [RFC7159]. The format defaults to "application/scim+json" if no format is specified.

Singular attributes are encoded as string name-value pairs in JSON, e.g.,

   "attribute": "value"
        

Multi-valued attributes in JSON are encoded as arrays, e.g.,

   "attributes": [ "value1", "value2" ]
        

Elements with nested elements are represented as objects in JSON, e.g.,

   "attribute": { "subattribute1": "value1", "subattribute2": "value2" }
        
3.9. Additional Operation Response Parameters

For any SCIM operation where a resource representation is returned (e.g., HTTP GET), the attributes returned are defined as the minimum attribute set plus default attribute set. The minimum set is composed of those attributes that have their "returned" characteristic set to "always" (see Section 2.2 of [RFC7643]). The default attribute set is composed of those attributes that have the "returned" characteristic set to "default".

Clients MAY request a partial resource representation on any operation that returns a resource within the response by specifying either of the mutually exclusive URL query parameters "attributes" or "excludedAttributes", as follows:

attributes
   When specified, the default list of attributes SHALL be overridden, and each resource returned MUST contain the minimum set of resource attributes and any attributes or sub-attributes explicitly requested by the "attributes" parameter. The query parameter attributes value is a comma-separated list of resource attribute names in standard attribute notation (Section 3.10) form (e.g., userName, name, emails).

excludedAttributes
   When specified, each resource returned MUST contain the minimum set of resource attributes. Additionally, the default set of attributes minus those attributes listed in "excludedAttributes" is returned. The query parameter attributes value is a comma-separated list of resource attribute names in standard attribute notation (Section 3.10) form (e.g., userName, name, emails).

   GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=userName
   Host: example.com
   Accept: application/scim+json
   Authorization: Bearer h480djs93hd8
        

The following response is returned:

   HTTP/1.1 200 OK
   Content-Type: application/scim+json
   Location:
    https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
   ETag: W/"a330bc54f0671c9"
        
   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id":"2819c223-7f76-453a-919d-413861904646",
     "userName":"bjensen"
   }
        
3.10. Attribute Notation

All operations share a common scheme for referencing simple and complex attributes. In general, attributes are uniquely identified by prefixing the attribute name with its schema URN separated by a colon (":") character; e.g., the core User resource attribute 'userName' is identified as "urn:ietf:params:scim:schemas:core:2.0:User:userName". Clients MAY omit core schema attribute URN prefixes but SHOULD fully qualify extended attributes with the associated schema extension URN to avoid naming conflicts. For example, the attribute 'age' defined in "urn:ietf:params:scim:schemas:exampleCo:2.0:hr" is uniquely identified as "urn:ietf:params:scim:schemas:exampleCo:2.0:hr:age". Complex attributes' sub-attributes are referenced via nested dot ('.') notation, i.e., {urn}:{Attribute name}.{Sub-Attribute name}. For example, the fully qualified path for a User's givenName is "urn:ietf:params:scim:schemas:core:2.0:User:name.givenName". All facets (URN, attribute, and sub-attribute name) of the fully encoded attribute name are case insensitive.
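
An added example, not part of the RFC, of the attribute handling in Sections 3.9 and 3.10: attribute paths are parsed with an optional schema URN prefix (an omitted prefix means the core schema), case-insensitively and with dot notation for sub-attributes, and the parsed paths are then used to build the partial representation returned for "attributes" or "excludedAttributes" on top of the minimum set. The "returned" characteristics map, the extension schema's single attribute and the sample User are constructed for the demo; real values come from the schema definitions in [RFC7643].

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
HR_EXT = "urn:ietf:params:scim:schemas:exampleCo:2.0:hr"  # extension named in Section 3.10

# Constructed subset of "returned" characteristics (RFC 7643 Section 2.2):
# "always", "default", "request" or "never"; keyed by lowercased name.
RETURNED = {
    CORE_USER: {"id": "always", "username": "default", "name": "default",
                "emails": "default", "password": "never",
                "x509certificates": "request"},
    HR_EXT: {"age": "default"},
}


def parse_path(path, schemas=(CORE_USER, HR_EXT)):
    """Split an attribute path into (schema URN, attribute, sub-attribute|None).

    The URN prefix is optional and an omitted prefix means the core schema,
    sub-attributes use dot notation, and every facet is case-insensitive.
    """
    lowered = path.strip().lower()
    urn = CORE_USER
    for candidate in sorted(schemas, key=len, reverse=True):
        if lowered.startswith(candidate.lower() + ":"):
            urn, lowered = candidate, lowered[len(candidate) + 1:]
            break
    attr, _, sub = lowered.partition(".")
    if not attr or ":" in attr or "." in sub:
        raise ValueError("malformed attribute path: %r" % path)
    return urn, attr, sub or None


def _paths(csv):
    return [parse_path(p) for p in (csv or "").split(",") if p.strip()]


def project(resource, attributes=None, excluded_attributes=None):
    """Build the partial representation described in Section 3.9."""
    if attributes is not None and excluded_attributes is not None:
        # Mutually exclusive per Section 3.9; a server would reject with 400
        # (the exact error keyword is this example's assumption).
        raise ValueError('"attributes" and "excludedAttributes" are exclusive')
    requested, excluded = _paths(attributes), _paths(excluded_attributes)
    out = {"schemas": resource["schemas"]}
    for urn, chars in RETURNED.items():
        # Extension attributes live under a key equal to their schema URN.
        container = resource if urn == CORE_USER else resource.get(urn, {})
        target = out if urn == CORE_USER else {}
        for key, value in container.items():
            name = key.lower()
            if name == "schemas" or key in RETURNED:
                continue
            returned = chars.get(name, "default")
            if returned == "never":
                continue
            asked = [s for (u, a, s) in requested if (u, a) == (urn, name)]
            if returned == "always":            # minimum set, always present
                keep = True
            elif attributes is not None:        # default list is overridden
                keep = bool(asked)
            else:                               # default set minus exclusions
                keep = returned == "default" and not any(
                    (u, a, s) == (urn, name, None) for (u, a, s) in excluded)
            if not keep:
                continue
            if isinstance(value, dict):         # complex attribute: trim subs
                if returned != "always" and asked and all(asked):
                    value = {k: v for k, v in value.items() if k.lower() in asked}
                drop = {s for (u, a, s) in excluded if (u, a) == (urn, name) and s}
                if drop:
                    value = {k: v for k, v in value.items() if k.lower() not in drop}
            target[key] = value
        if urn != CORE_USER and target:
            out[urn] = target
    return out


# Constructed sample User; the id is the one used in the RFC's examples.
SAMPLE_USER = {
    "schemas": [CORE_USER, HR_EXT],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "name": {"givenName": "Barbara", "familyName": "Jensen"},
    "emails": [{"value": "bjensen@example.com", "primary": True}],
    "password": "constructed-secret",
    "x509Certificates": [{"value": "constructed-cert"}],
    HR_EXT: {"age": 30},
}
```

With `attributes=userName` the result carries only "schemas", "id" and "userName", which is the shape of the response shown in Section 3.9.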

3.11. "/Me" Authenticated Subject Alias

A client MAY use a URL of the form "<base-URI>/Me" as a URI alias for the User or other resource associated with the currently authenticated subject for any SCIM operation. A service provider MAY respond in one of three ways:

o A service provider that does NOT support this feature SHOULD respond with HTTP status code 501 (Not Implemented).

o A service provider MAY choose to redirect the client using HTTP status code 308 (Permanent Redirect) to the resource associated with the authenticated subject. The client MAY then repeat the request at the indicated location.

o A service provider MAY process the SCIM request directly. In any response, the HTTP "Location" header MUST be the permanent location of the aliased resource associated with the authenticated subject.

When using the SCIM Create Resource command (HTTP POST) with the "/Me" alias, the desired resourceType being created is at the discretion of the service provider, based on the authenticated subject (if not anonymous) making the request and any request body attributes (e.g., "schemas"). See Section 7.6 for information on security considerations related to this operation.

3.12. HTTP Status and Error Response Handling

The SCIM protocol uses the HTTP response status codes defined in Section 6 of [RFC7231] to indicate operation success or failure. In addition to returning an HTTP response code, implementers MUST return the errors in the body of the response in a JSON format, using the attributes described below. Error responses are identified using the following "schema" URI: "urn:ietf:params:scim:api:messages:2.0:Error". The following attributes are defined for a SCIM error response using a JSON body:

status
   The HTTP status code (see Section 6 of [RFC7231]) expressed as a JSON string. REQUIRED.

scimType
   A SCIM detail error keyword. See Table 9. OPTIONAL.

detail
   A detailed human-readable message. OPTIONAL.

Implementers SHOULD handle the identified HTTP status codes as described below.

   +----------------+---------------+----------------------------------+
   | Status         | Applicability | Suggested Explanation            |
   +----------------+---------------+----------------------------------+
   | 307 (Temporary | GET, POST,    | The client is directed to repeat |
   | Redirect)      | PUT, PATCH,   | the same HTTP request at the     |
   |                | DELETE        | location identified.  The client |
   |                |               | SHOULD NOT use the location      |
   |                |               | provided in the response as a    |
   |                |               | permanent reference to the       |
   |                |               | resource and SHOULD continue to  |
   |                |               | use the original request URI     |
   |                |               | [RFC7231].                       |
   |                |               |                                  |
   | 308 (Permanent | GET, POST,    | The client is directed to repeat |
   | Redirect)      | PUT, PATCH,   | the same HTTP request at the     |
   |                | DELETE        | location identified.  The client |
   |                |               | SHOULD use the location provided |
   |                |               | in the response as the permanent |
   |                |               | reference to the resource        |
   |                |               | [RFC7538].                       |
   |                |               |                                  |
   | 400 (Bad       | GET, POST,    | Request is unparsable,           |
   | Request)       | PUT, PATCH,   | syntactically incorrect, or      |
   |                | DELETE        | violates schema.                 |
   |                |               |                                  |
   | 401            | GET, POST,    | Authorization failure.  The      |
   | (Unauthorized) | PUT, PATCH,   | authorization header is invalid  |
   |                | DELETE        | or missing.                      |
   |                |               |                                  |
   | 403            | GET, POST,    | Operation is not permitted based |
   | (Forbidden)    | PUT, PATCH,   | on the supplied authorization.   |
   |                | DELETE        |                                  |
   |                |               |                                  |
   | 404 (Not       | GET, POST,    | Specified resource (e.g., User)  |
   | Found)         | PUT, PATCH,   | or endpoint does not exist.      |
   |                | DELETE        |                                  |
   |                |               |                                  |
   | 409 (Conflict) | POST, PUT,    | The specified version number     |
   |                | PATCH, DELETE | does not match the resource's    |
   |                |               | latest version number, or a      |
   |                |               | service provider refused to      |
   |                |               | create a new, duplicate          |
   |                |               | resource.                        |
   |                |               |                                  |
   | 412            | PUT, PATCH,   | Failed to update.  Resource has  |
   | (Precondition  | DELETE        | changed on the server.           |
   | Failed)        |               |                                  |
   |                |               |                                  |
   | 413 (Payload   | POST          | {"maxOperations":                |
   | Too Large)     |               | 1000,"maxPayloadSize": 1048576}  |
   |                |               |                                  |
   | 500 (Internal  | GET, POST,    | An internal error.  Implementers |
   | Server Error)  | PUT, PATCH,   | SHOULD provide descriptive       |
   |                | DELETE        | debugging advice.                |
   |                |               |                                  |
   | 501 (Not       | GET, POST,    | Service provider does not        |
   | Implemented)   | PUT, PATCH,   | support the request operation,   |
   |                | DELETE        | e.g., PATCH.                     |
   +----------------+---------------+----------------------------------+

Table 8: SCIM HTTP Status Code Usage

For HTTP status code 400 (Bad Request) responses, the following detail error types are defined:

   +---------------+--------------------------------+------------------+
   | scimType      | Description                    | Applicability    |
   +---------------+--------------------------------+------------------+
   | invalidFilter | The specified filter syntax    | GET (Section     |
   |               | was invalid (does not comply   | 3.4.2), POST     |
   |               | with Figure 1), or the         | (Search -        |
   |               | specified attribute and filter | Section 3.4.3),  |
   |               | comparison combination is not  | PATCH (Path      |
   |               | supported.                     | Filter - Section |
   |               |                                | 3.5.2)           |
   |               |                                |                  |
   | tooMany       | The specified filter yields    | GET (Section     |
   |               | many more results than the     | 3.4.2), POST     |
   |               | server is willing to calculate | (Search -        |
   |               | or process.  For example, a    | Section 3.4.3)   |
   |               | filter such as "(userName pr)" |                  |
   |               | by itself would return all     |                  |
   |               | entries with a "userName" and  |                  |
   |               | MAY not be acceptable to the   |                  |
   |               | service provider.              |                  |
   |               |                                |                  |
   | uniqueness    | One or more of the attribute   | POST (Create -   |
   |               | values are already in use or   | Section 3.3),    |
   |               | are reserved.                  | PUT (Section     |
   |               |                                | 3.5.1), PATCH    |
   |               |                                | (Section 3.5.2)  |
   |               |                                |                  |
   | mutability    | The attempted modification is  | PUT (Section     |
   |               | not compatible with the target | 3.5.1), PATCH    |
   |               | attribute's mutability or      | (Section 3.5.2)  |
   |               | current state (e.g.,           |                  |
   |               | modification of an "immutable" |                  |
   |               | attribute with an existing     |                  |
   |               | value).                        |                  |
   |               |                                |                  |
   | invalidSyntax | The request body message       | POST (Search -   |
   |               | structure was invalid or did   | Section 3.4.3,   |
   |               | not conform to the request     | Create - Section |
   |               | schema.                        | 3.3, Bulk -      |
   |               |                                | Section 3.7),    |
   |               |                                | PUT (Section     |
   |               |                                | 3.5.1)           |
   |               |                                |                  |
   | invalidPath   | The "path" attribute was       | PATCH (Section   |
   |               | invalid or malformed (see      | 3.5.2)           |
   |               | Figure 7).                     |                  |
   |               |                                |                  |
   | noTarget      | The specified "path" did not   | PATCH (Section   |
   |               | yield an attribute or          | 3.5.2)           |
   |               | attribute value that could be  |                  |
   |               | operated on.  This occurs when |                  |
   |               | the specified "path" value     |                  |
   |               | contains a filter that yields  |                  |
   |               | no match.                      |                  |
   |               |                                |                  |
   | invalidValue  | A required value was missing,  | GET (Section     |
   |               | or the value specified was not | 3.4.2), POST     |
   |               | compatible with the operation  | (Create -        |
   |               | or attribute type (see Section | Section 3.3,     |
   |               | 2.2 of [RFC7643]), or resource | Query - Section  |
   |               | schema (see Section 4 of       | 3.4.3), PUT      |
   |               | [RFC7643]).                    | (Section 3.5.1), |
   |               |                                | PATCH (Section   |
   |               |                                | 3.5.2)           |
   |               |                                |                  |
   | invalidVers   | The specified SCIM protocol    | GET (Section     |
   |               | version is not supported (see  | 3.4.2), POST     |
   |               | Section 3.13).                 | (ALL), PUT       |
   |               |                                | (Section 3.5.1), |
   |               |                                | PATCH (Section   |
   |               |                                | 3.5.2), DELETE   |
   |               |                                | (Section 3.6)    |
   |               |                                |                  |
   | sensitive     | The specified request cannot   | GET (Section     |
   |               | be completed, due to the       | 3.4.2)           |
   |               | passing of sensitive (e.g.,    |                  |
   |               | personal) information in a     |                  |
   |               | request URI.  For example,     |                  |
   |               | personal information SHALL NOT |                  |
   |               | be transmitted over request    |                  |
   |               | URIs.  See Section 7.5.2.      |                  |
   +---------------+--------------------------------+------------------+
        
Table 9: SCIM Detail Error Keyword Values

Note that in Table 9 above, the information in the Applicability column applies to the normal HTTP method but MAY apply within a SCIM bulk operation (via HTTP POST).

Example of an error in response to a non-existent GET request:

HTTP/1.1 404 Not Found

   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
     "detail":"Resource 2819c223-7f76-453a-919d-413861904646 not found",
     "status": "404"
   }
        
Example of an error in response to a PUT request:

HTTP/1.1 400 Bad Request

   {
     "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
     "scimType":"mutability",
     "detail":"Attribute 'id' is readOnly",
     "status": "400"
   }

3.13. SCIM Protocol Versioning

The Base URL MAY be appended with a version identifier as a separate segment in the URL path. At the time of this writing, the identifier is 'v2'. If specified, the version identifier MUST appear in the URL path immediately preceding the resource endpoint and conform to the following scheme: the character 'v' followed by the desired SCIM version number, e.g., a version 'v2' User request is specified as /v2/Users. When specified, service providers MUST perform the operation using the desired version or reject the request. When omitted, service providers SHOULD perform the operation using the most recent SCIM protocol version supported by the service provider.

3.14. Versioning Resources

The SCIM protocol supports resource versioning via standard HTTP ETags (Section 2.3 of [RFC7232]). Service providers MAY support weak ETags as the preferred mechanism for performing conditional retrievals and for ensuring that clients do not inadvertently overwrite each other's changes. When supported, SCIM ETags MUST be specified as an HTTP header and SHOULD be specified within the 'version' attribute contained in the resource's 'meta' attribute.

Example create request:

   POST /Users  HTTP/1.1
   Host: example.com
   Content-Type: application/scim+json
   Authorization: Bearer h480djs93hd8
   Content-Length: ...

   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "userName":"bjensen",
     "externalId":"bjensen",
     "name":{
       "formatted":"Ms. Barbara J Jensen III",
       "familyName":"Jensen",
       "givenName":"Barbara"
     }
   }
        
The server responds with an ETag in the response header and meta structure:

   HTTP/1.1 201 Created
   Content-Type: application/scim+json
   Location:
    https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
   ETag: W/"e180ee84f0671b1"
        
   {
     "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
     "id":"2819c223-7f76-453a-919d-413861904646",
     "meta":{
       "resourceType":"User",
       "created":"2011-08-01T21:32:44.882Z",
       "lastModified":"2011-08-01T21:32:44.882Z",
       "location":
   "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646",
       "version":"W\/\"e180ee84f0671b1\""
     },
     "name":{
       "formatted":"Ms. Barbara J Jensen III",
       "familyName":"Jensen",
       "givenName":"Barbara"
     },
     "userName":"bjensen"
   }
        
With the returned ETag, clients MAY choose to retrieve the resource only if the resource has been modified.

An example of conditional retrieval, using the If-None-Match header (Section 3.2 of [RFC7232]):

  GET /Users/2819c223-7f76-453a-919d-413861904646?attributes=displayName
  Host: example.com
  Accept: application/scim+json
  Authorization: Bearer h480djs93hd8
  If-None-Match: W/"e180ee84f0671b1"
        
If the resource has not changed, the service provider simply returns an empty body with a 304 (Not Modified) response code.

If the service provider supports versioning of resources, the client MAY supply an If-Match header (Section 3.1 of [RFC7232]) for PUT and PATCH operations to ensure that the requested operation succeeds only if the supplied ETag matches the latest service provider resource, e.g., If-Match: W/"e180ee84f0671b1".
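
The exchange described in this section, as an added example that is not part of this RFC: a small in-memory service provider, written in Python for this page, that issues weak ETags in both the ETag header and meta.version, answers If-None-Match with 304, and refuses a stale If-Match with 412 (Precondition Failed), the status RFC 7232 Section 3.1 prescribes when an If-Match condition evaluates to false. UserStore, its method signatures, the hash-derived tag value and the error texts are assumptions. One caveat the code makes explicit: RFC 7232 requires strong comparison for If-Match, under which a W/ tag can never match, yet this document's own example sends If-Match: W/"e180ee84f0671b1"; the store therefore compares the opaque tag values, which is what a SCIM deployment has to do for weak ETags to guard updates at all, and that choice should be written down wherever it is made.

```python
"""Added example, not part of RFC 7644: a hypothetical in-memory SCIM
service provider showing the Section 3.14 behaviour end to end.

- every stored resource carries a weak ETag in the ETag header and in
  meta.version;
- GET with If-None-Match answers 304 (empty body) when the tag matches;
- PUT with If-Match is refused with 412 Precondition Failed (RFC 7232
  Section 3.1) when the stored version has moved on, so a stale client
  cannot overwrite another client's change.

Caveat: RFC 7232 requires strong comparison for If-Match, under which a
W/ tag never matches.  RFC 7644's own example sends If-Match: W/"...",
so this store compares opaque tag values instead (deliberate deviation).
"""
import hashlib
import json
from copy import deepcopy
from typing import Optional, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def weak_etag(resource: dict) -> str:
    """Weak ETag from the canonical JSON of the resource, 'meta' excluded
    so the tag does not depend on itself.  A content hash is one choice;
    any opaque value that changes on every modification would do."""
    body = {k: v for k, v in resource.items() if k != "meta"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return 'W/"%s"' % hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:15]


def _opaque(tag: str) -> str:
    """Drop the W/ prefix so weak and strong forms of one tag compare equal."""
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def tags_match(header_value: str, stored: str) -> bool:
    """Evaluate an If-Match / If-None-Match value ('*' or a list of tags)."""
    if header_value.strip() == "*":
        return True
    return _opaque(stored) in [_opaque(t) for t in header_value.split(",")]


def error(status: int, detail: str, scim_type: Optional[str] = None) -> dict:
    """SCIM error body in the form of Section 3.12 (status is a string)."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return body


class UserStore:
    """Hypothetical /Users store.  Methods return
    (http_status, response_headers, json_body_or_None)."""

    def __init__(self) -> None:
        self._users: dict = {}

    def _stamp(self, resource: dict) -> dict:
        meta = resource.setdefault("meta", {})
        meta["resourceType"] = "User"
        meta["version"] = weak_etag(resource)
        return resource

    def create(self, user_id: str, body: dict) -> Tuple[int, dict, Optional[dict]]:
        resource = deepcopy(body)
        resource["id"] = user_id
        self._users[user_id] = self._stamp(resource)
        return 201, {"ETag": resource["meta"]["version"]}, deepcopy(resource)

    def get(self, user_id: str, if_none_match: Optional[str] = None):
        resource = self._users.get(user_id)
        if resource is None:
            return 404, {}, error(404, "Resource %s not found" % user_id)
        etag = resource["meta"]["version"]
        if if_none_match is not None and tags_match(if_none_match, etag):
            return 304, {"ETag": etag}, None          # unchanged: empty body
        return 200, {"ETag": etag}, deepcopy(resource)

    def put(self, user_id: str, body: dict, if_match: Optional[str] = None):
        current = self._users.get(user_id)
        if current is None:
            return 404, {}, error(404, "Resource %s not found" % user_id)
        if if_match is not None and not tags_match(if_match, current["meta"]["version"]):
            # Another client changed the resource after this one read it.
            return 412, {}, error(412, "Resource has changed on the server")
        if body.get("id", user_id) != user_id:
            return 400, {}, error(400, "Attribute 'id' is readOnly", "mutability")
        resource = deepcopy(body)
        resource["id"] = user_id
        self._users[user_id] = self._stamp(resource)
        return 200, {"ETag": resource["meta"]["version"]}, deepcopy(resource)


def demo() -> dict:
    """Two clients race on one User; the stale writer loses with 412."""
    store = UserStore()
    uid = "2819c223-7f76-453a-919d-413861904646"
    created, hdr, _ = store.create(uid, {"schemas": [USER_SCHEMA], "userName": "bjensen"})
    etag = hdr["ETag"]
    not_modified, _, _ = store.get(uid, if_none_match=etag)
    first, hdr_b, _ = store.put(uid, {"schemas": [USER_SCHEMA], "userName": "bjensen",
                                      "displayName": "Babs"}, if_match=etag)
    stale, _, _ = store.put(uid, {"schemas": [USER_SCHEMA], "userName": "bjensen",
                                  "displayName": "Barbara"}, if_match=etag)
    return {"create": created, "conditional_get": not_modified, "first_put": first,
            "stale_put": stale, "etag_changed": hdr_b["ETag"] != etag}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the result of demo(): the conditional GET returns 304, the first PUT succeeds and moves the ETag, and the second PUT, still carrying the original tag, is rejected with 412 instead of silently overwriting the first client's change.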

4. Service Provider Configuration Endpoints

SCIM defines three endpoints to facilitate discovery of SCIM service provider features and schema that MAY be retrieved using HTTP GET:

/ServiceProviderConfig An HTTP GET to this endpoint will return a JSON structure that describes the SCIM specification features available on a service provider. This endpoint SHALL return responses with a JSON object using a "schemas" attribute of "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig". The attributes returned in the JSON object are defined in Section 5 of [RFC7643]. An example representation of SCIM service provider configuration may be found in Section 8.5 of [RFC7643].

/Schemas An HTTP GET to this endpoint is used to retrieve information about resource schemas supported by a SCIM service provider. An HTTP GET to the endpoint "/Schemas" SHALL return all supported schemas in ListResponse format (see Figure 3). Individual schema definitions can be returned by appending the schema URI to the /Schemas endpoint. For example:

            /Schemas/urn:ietf:params:scim:schemas:core:2.0:User
        
The contents of each schema returned are described in Section 7 of [RFC7643]. An example representation of SCIM schemas may be found in Section 8.7 of [RFC7643].

/ResourceTypes An HTTP GET to this endpoint is used to discover the types of resources available on a SCIM service provider (e.g., Users and Groups). Each resource type defines the endpoints, the core schema URI that defines the resource, and any supported schema extensions. The attributes defining a resource type can be found in Section 6 of [RFC7643], and an example representation can be found in Section 8.6 of [RFC7643].

In cases where a request is for a specific "ResourceType" or "Schema", the single JSON object is returned in the same way that a single User or Group is retrieved, as per Section 3.4.1. When returning multiple ResourceTypes or Schemas, the message form described by the "urn:ietf:params:scim:api:messages:2.0:ListResponse" (ListResponse) form SHALL be used as shown in Figure 3 and in Figure 9 below. Query parameters described in Section 3.4.2, such as filtering, sorting, and pagination, SHALL be ignored. If a "filter" is provided, the service provider SHOULD respond with HTTP status code 403 (Forbidden) to ensure that clients cannot incorrectly assume that any matching conditions specified in a filter are true.

The following is a non-normative example of an HTTP GET to the /ResourceTypes endpoint:

  {
    "totalResults":2,
    "itemsPerPage":10,
    "startIndex":1,
    "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "Resources":[{
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
      "id":"User",
      "name":"User",
      "endpoint": "/Users",
      "description": "User Account",
      "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
      "schemaExtensions": [{
        "schema":
          "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
        "required": true
      }],
      "meta": {
        "location":"https://example.com/v2/ResourceTypes/User",
        "resourceType": "ResourceType"
      }
    },
   {
     "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
     "id":"Group",
     "name":"Group",
     "endpoint": "/Groups",
     "description": "Group",
     "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
     "meta": {
       "location":"https://example.com/v2/ResourceTypes/Group",
       "resourceType": "ResourceType"
     }
   }]
  }
        
Figure 9: Example Resource Type JSON Representation

5. Preparation and Comparison of Internationalized Strings

To increase the likelihood that the input and comparison of usernames and passwords will work in ways that make sense for typical users throughout the world, there are rules for preparing, enforcing, and comparing internationalized strings that represent usernames and passwords. Before comparing or evaluating the uniqueness of a "userName" or "password" attribute, service providers MUST use the preparation, enforcement, and comparison of internationalized strings (PRECIS) preparation and comparison rules described in Sections 3 and 4, respectively, of [RFC7613], which is based on the PRECIS framework specification [RFC7564]. See Section 3.4 of [RFC7613] for discussion on "Case Mapping vs. Case Preparation" regarding "userName" attributes.
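
An added illustration of that preparation step, not code from this RFC or from a PRECIS library: the three mapping rules the UsernameCaseMapped profile applies, width mapping, case mapping and NFC normalization, in the order RFC 7613 lists them, using only Python's standard library, plus a uniqueness check keyed on the prepared form, which is what Section 7.8 calls for. PRECIS IdentifierClass validation (rejecting disallowed code points) and the Bidi rule are deliberately left out because they need the PRECIS tables; a production service provider should use a PRECIS library for those. UsernameRegistry is an assumed helper.

```python
"""Added example, not part of RFC 7644: the mapping steps of the
UsernameCaseMapped profile (RFC 7613 Section 3.2) applied before a
userName is compared or checked for uniqueness (Sections 5 and 7.8).

Implemented, in profile order: width mapping (fullwidth and halfwidth
forms to their decompositions), case mapping (Unicode Default Case
Folding, which is str.casefold), and NFC normalization.
Not implemented: PRECIS IdentifierClass validation and the Bidi rule;
use a PRECIS library for those.  UsernameRegistry is an assumption."""
import unicodedata


def width_map(s: str) -> str:
    # Only Fullwidth (F) and Halfwidth (H) characters are mapped.  NFKC on
    # the whole string would also fold ligatures and similar forms, which
    # the profile does not do.
    return "".join(unicodedata.normalize("NFKC", ch)
                   if unicodedata.east_asian_width(ch) in ("F", "H") else ch
                   for ch in s)


def prepare_username(raw: str) -> str:
    """Width-map, case-fold and NFC-normalize; reject empty results."""
    if not raw:
        raise ValueError("userName must not be empty")
    prepared = unicodedata.normalize("NFC", width_map(raw).casefold())
    if not prepared:
        raise ValueError("userName is empty after preparation")
    return prepared


def usernames_equal(a: str, b: str) -> bool:
    """Comparison rule: compare the prepared forms, never the raw strings."""
    return prepare_username(a) == prepare_username(b)


class UsernameRegistry:
    """Uniqueness check keyed on the prepared form (assumed helper)."""

    def __init__(self) -> None:
        self._owner: dict = {}          # prepared userName -> resource id

    def claim(self, resource_id: str, raw_username: str) -> bool:
        """True if resource_id now owns the name, False on a clash with
        another resource (the service would answer 409 / "uniqueness")."""
        key = prepare_username(raw_username)
        owner = self._owner.get(key)
        if owner is not None and owner != resource_id:
            return False
        self._owner[key] = resource_id
        return True
```

The cases worth trying: "BJENSEN" and "bjensen" prepare to the same value; a fullwidth "Ｂ" (U+FF22) is mapped to "b"; a name typed as "a" plus a combining diaeresis (NFD) and one typed as the precomposed "ä" (NFC) compare equal only after normalization. A registry that keyed on the raw string would accept all of these as distinct accounts.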

6. Multi-Tenancy

A single service provider may expose the SCIM protocol to multiple clients. Depending on the nature of the service, the clients may have authority to access and alter resources initially created by other clients. Alternatively, clients may expect to access disjoint sets of resources and may expect that their resources are inaccessible to other clients. These scenarios are called "multi-tenancy", where each client is understood to be or represent a "tenant" of the service provider. Clients may also be multi-tenanted.

The following common cases may occur:

1. All clients share all resources (no tenancy).

2. Each single client creates and accesses a private subset of resources (1 client:1 Tenant).

3. Sets of clients share sets of resources (M clients:1 Tenant).

4. One client can create and access several private subsets of resources (1 client:M Tenants).

Service providers may implement any subset of the above cases.

Multi-tenancy is OPTIONAL. The SCIM protocol does not define a scheme for multi-tenancy.

The SCIM protocol does not prescribe the mechanisms whereby clients and service providers interact for the following:

o Registering or provisioning Tenants

o Associating a subset of clients with a subset of the Tenants

o Indicating which tenant is associated with the data in a request or response, or indicating which Tenant is the subject of a query

6.1. Associating Clients to Tenants

The service provider MAY use one of the authentication mechanisms discussed in Section 2 to determine the identity of the client and thus infer the associated Tenant.

For implementations where a client is associated with more than one Tenant, the service provider MAY use one of the three methods below for explicit specification of the Tenant.

If any of these methods of allowing the client to explicitly specify the Tenant are employed, the service provider should ensure that access controls are in place to prevent or allow cross-tenant use cases.

The service provider should consider precedence in cases where a client may explicitly specify a Tenant while being implicitly associated with a different Tenant.

In all of these methods, the {tenant_id} is a unique identifier for the Tenant as defined by the service provider.

o A URL prefix: "https://www.example.com/Tenants/{tenant_id}/v2/ Users".

o A sub-domain: "https://{tenant_id}.example.com/v2/Groups".

o An HTTP header: The service provider may recognize a {tenant_id} provided by the client in an HTTP header as the indicator of the desired target Tenant.

6.2. SCIM Identifiers with Multiple Tenants

Considerations for a multi-tenant implementation:

o The service provider may choose to implement SCIM ids that are unique across all resources for all Tenants, but this is not required.

o The externalId, defined by the client, is required to be unique ONLY within the resources associated with the associated Tenant.
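
An added example, not from this RFC, of how a service provider might put Sections 6.1 and 6.2 into practice: the Tenant is inferred from what authentication established about the client, a client bound to several Tenants may name one explicitly by any of the three methods listed in 6.1, and the precedence question is answered by refusing (403) any explicit Tenant the client is not bound to rather than silently remapping the request; externalId uniqueness is then enforced per Tenant. The header name X-SCIM-Tenant, scim.example.com as the shared non-tenant host, the ClientContext shape and all identifiers are assumptions made for the example.

```python
"""Added example, not part of RFC 7644: hypothetical tenant resolution
for a multi-tenant SCIM service provider (Sections 6.1 and 6.2).

- the Tenant is inferred from the authenticated client (here, tenant
  bindings that token validation attached to the request);
- a client bound to several Tenants names one with a URL prefix, a
  sub-domain, or an HTTP header, the three methods of Section 6.1;
- precedence: an explicit Tenant is honoured only if the client is bound
  to it, so a client for "acme" cannot reach /Tenants/globex/v2/Users by
  editing the request; it gets 403 instead of a silent remap;
- externalId is unique per Tenant, not across the whole service.

TENANT_HEADER, SHARED_HOST and every identifier are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

TENANT_HEADER = "X-SCIM-Tenant"                      # assumed header name
SHARED_HOST = "scim.example.com"                     # assumed non-tenant host
_PREFIX_RE = re.compile(r"^/Tenants/(?P<t>[A-Za-z0-9_-]+)(?P<rest>/.*)$")
_HOST_RE = re.compile(r"^(?P<t>[A-Za-z0-9-]+)\.example\.com$", re.IGNORECASE)


@dataclass(frozen=True)
class ClientContext:
    """What authentication established about the caller."""
    client_id: str
    tenants: frozenset                  # Tenants this client may act for


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)


class TenantError(Exception):
    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status, self.detail = status, detail


def explicit_tenant(req: Request) -> Tuple[Optional[str], str]:
    """Tenant named by the request (prefix, then sub-domain, then header)
    and the path with any /Tenants/{tenant_id} prefix removed."""
    m = _PREFIX_RE.match(req.path)
    if m:
        return m.group("t"), m.group("rest")
    m = _HOST_RE.match(req.host)
    if m and req.host.lower() != SHARED_HOST:
        return m.group("t").lower(), req.path
    header = next((v for k, v in req.headers.items()
                   if k.lower() == TENANT_HEADER.lower()), None)
    if header:
        return header.strip(), req.path
    return None, req.path


def resolve_tenant(ctx: ClientContext, req: Request) -> Tuple[str, str]:
    """Decide which Tenant the request operates on, or raise TenantError."""
    requested, path = explicit_tenant(req)
    if requested is None:
        if len(ctx.tenants) != 1:
            raise TenantError(400, "Tenant must be specified for this client")
        return next(iter(ctx.tenants)), path
    if requested not in ctx.tenants:
        # The authenticated binding wins over what the request claims.
        raise TenantError(403, "Client %s is not authorised for tenant %s"
                          % (ctx.client_id, requested))
    return requested, path


class TenantScopedIndex:
    """externalId uniqueness scoped to a Tenant (Section 6.2)."""

    def __init__(self) -> None:
        self._index: dict = {}          # tenant -> {externalId -> resource id}

    def register(self, tenant: str, external_id: str, resource_id: str) -> bool:
        """False on a clash within the same Tenant (409 / "uniqueness")."""
        per_tenant = self._index.setdefault(tenant, {})
        if external_id in per_tenant and per_tenant[external_id] != resource_id:
            return False
        per_tenant[external_id] = resource_id
        return True
```

The check that matters for security is the membership test in resolve_tenant: every explicit tenant indicator is attacker-controlled input, so it is only ever allowed to select among the Tenants the credential already grants, never to add one.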

7. Security Considerations
7.1. HTTP Considerations

The SCIM protocol layers on top of HTTP and is thus subject to the security considerations of HTTP (Section 9 of [RFC7230]) and its related specifications.

As stated in Section 2.7.1 of [RFC7230], a SCIM client MUST NOT generate the "userinfo" (i.e., username and password) component (and its "@" delimiter) when an "http" URI reference is generated with a message, as userinfo and its "@" delimiter are now disallowed in HTTP.

7.2. TLS Support Considerations

SCIM resources (e.g., Users and Groups) contain sensitive information, including passwords. Therefore, SCIM clients and service providers MUST require the use of a transport-layer security mechanism when communicating with SCIM service providers. The SCIM service provider MUST support TLS 1.2 [RFC5246] and MAY support additional transport-layer mechanisms meeting its security requirements. When using TLS, the client MUST perform a TLS/SSL server identity check, per [RFC6125]. Implementation security considerations for TLS can be found in [RFC7525].

7.3. Authorization Token Considerations

When using authorization tokens such as those issued by OAuth 2.0 [RFC6749], implementers MUST take into account threats and countermeasures as documented in Section 8 of [RFC7521].

7.4. Bearer Token and Cookie Considerations

Since the possession of a bearer token or cookie MAY authorize the holder to potentially read, modify, or delete resources, bearer tokens and cookies MUST contain sufficient entropy to prevent a random guessing attack; for example, see Section 5.2 of [RFC6750] and Section 5.1.4.2.2 of [RFC6819].

As with all SCIM communications, bearer tokens and HTTP cookies MUST be exchanged using TLS.

Bearer tokens MUST have a limited lifetime that can be determined directly or indirectly (e.g., by checking with a validation service) by the service provider. By expiring tokens, clients are forced to obtain a new token (which usually involves re-authentication) for continued authorized access. For example, in OAuth 2.0, a client MAY use OAuth token refresh to obtain a new bearer token after authenticating to an authorization server. See Section 6 of [RFC6749].

As with bearer tokens, an HTTP cookie SHOULD last no longer than the lifetime of a browser session. An expiry time should be set that limits session cookie lifetime as per Section 5.2.1 of [RFC6265].

Implementations supporting OAuth bearer tokens need to factor in security considerations of this authorization method [RFC7521]. Since security is only as good as the weakest link, implementers also need to consider authentication choices coupled with OAuth bearer tokens. The security considerations of the default authentication method for OAuth bearer tokens, HTTP Basic, are well documented in [HTTP-BASIC-AUTH]; therefore, implementers are encouraged to use stronger authentication methods. Designating the specific methods of authentication and authorization is out of scope for SCIM; however, this information is provided as a resource to implementers.

7.5. Privacy Considerations
7.5.1. Personal Information

The SCIM Core Schema specification [RFC7643] defines attributes that may contain personally identifying information as well as other sensitive personal data. The privacy considerations in the Security Considerations section of [RFC7643] MUST be considered.

7.5.2. Disclosure of Sensitive Information in URIs

As mentioned in Section 9.4 of [RFC7231], SCIM clients requesting information using query filters that use HTTP GET SHOULD give consideration to the information content of the filters and whether or not their exposure in a URI would represent a breach of security or confidentiality through leakage in web browsers or server logs. This is particularly true for information that is legally considered "personally identifiable information" or is otherwise restricted by privacy laws. In these situations, to ensure maximum security and confidentiality, clients SHOULD query using HTTP POST (see Section 3.4.3).

Servers that receive HTTP GET requests using filters that contain sensitive or confidential personal information SHOULD respond with HTTP status code 403 to indicate that the operation is forbidden. A "scimType" error code of "sensitive" may be returned to indicate that the request must be submitted using POST. The following is a non-normative example:

HTTP/1.1 403 Forbidden

  {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
    "detail":
          "Query filter involving 'name' is restricted or confidential",
    "scimType": "sensitive",
    "status": "403"
  }
        
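An added example, not part of this RFC, of the server-side check behind that response: before a query is dispatched, the filter is scanned for the attribute paths it references; a GET whose filter touches personal attributes is refused with 403 and scimType "sensitive", while the same filter submitted with POST /.search (Section 3.4.3) is allowed through because it then travels in the request body rather than in a loggable URI. The same check also applies the Section 4 rule that a filter on the /ResourceTypes or /Schemas listings is refused with 403. The SENSITIVE set is an assumed local policy ('name' is in it because that is the RFC's own example); filter_attributes and screen_request are hypothetical helpers.

```python
"""Added example, not part of RFC 7644: a hypothetical pre-dispatch
check applying two rules from this document before a query runs.

- Section 7.5.2: a GET whose filter touches personal attributes is
  refused with 403 / scimType "sensitive"; the same filter sent with
  POST /.search is allowed, since the filter is then in the body.
- Section 4: a filter on the /ResourceTypes or /Schemas listings is
  refused with 403 so a client cannot read "no error" as "matched".

filter_attributes() extracts the attribute paths a SCIM filter names
(string literals removed, value paths such as emails[type eq "work"].value
expanded, schema URN prefixes stripped).  SENSITIVE is an assumed policy.
"""
import re
from typing import Optional, Set

ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
SENSITIVE = {"name", "emails", "phonenumbers", "addresses", "ims", "photos",
             "x509certificates", "password"}             # assumed local policy
_KEYWORDS = {"eq", "ne", "co", "sw", "ew", "gt", "lt", "ge", "le", "pr",
             "and", "or", "not", "true", "false", "null"}
_STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"')
_TOKEN_RE = re.compile(r"[A-Za-z_][\w.:-]*|[\[\]]")


def error(status: int, detail: str, scim_type: Optional[str] = None) -> dict:
    """SCIM error body in the form of Section 3.12 (status is a string)."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return body


def filter_attributes(filter_expr: str) -> Set[str]:
    """Attribute paths referenced by a filter, lower-cased because SCIM
    attribute names are case-insensitive."""
    text = _STRING_RE.sub('""', filter_expr)     # literals never name attributes
    attrs: Set[str] = set()
    parent = closed = last = None
    for m in _TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok == "[":                 # entering attr[ ... ]: attr is a prefix
            attrs.discard(last)
            parent, closed = last, None
            continue
        if tok == "]":
            parent, closed = None, parent
            continue
        low = tok.lower()
        if low in _KEYWORDS:
            closed = None
            continue
        if ":" in low:                 # urn:...:User:name.familyName -> name.familyname
            low = low.rsplit(":", 1)[1]
        if parent:
            low = parent + "." + low
        elif closed and m.start() > 0 and text[m.start() - 1] == ".":
            low = closed + "." + low   # the ".value" after a closing bracket
        closed = None
        attrs.add(low)
        last = low
    return attrs


def screen_request(method: str, path: str, filter_expr: Optional[str]) -> Optional[dict]:
    """Return an error body if the request must be refused, else None."""
    if filter_expr is None:
        return None
    if path.rstrip("/").rsplit("/", 1)[-1] in ("ResourceTypes", "Schemas"):
        return error(403, "Filtering is not supported on %s" % path)
    if method.upper() == "GET":
        hits = sorted(a for a in filter_attributes(filter_expr)
                      if a.split(".")[0] in SENSITIVE)
        if hits:
            return error(403, "Query filter involving '%s' is restricted or confidential"
                         % hits[0].split(".")[0], "sensitive")
    return None
```

Note that the attribute extraction is deliberately conservative: it works on the filter text rather than on a full parse, so an unparseable filter still has its identifiers screened before the real filter parser gets to reject it.
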
7.6. Anonymous Requests

If a SCIM service provider accepts anonymous requests such as SCIM resource creation requests (via HTTP POST), appropriate security measures should be put in place to prevent or limit exposure to attacks. The following countermeasures MAY be used:

o Try to authenticate web user interface components that formulate the SCIM creation request. While the end-user may be anonymous, the web user interface component often has its own way to authenticate to the SCIM service provider (e.g., has an OAuth client credential [RFC6749]), and the web user interface component may implement its own measures (e.g., the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)) to ensure that a legitimate request is being made.

o Limit the number of requests that any particular client MAY make in a period of time.

o For User resources, default newly created resources with an "active" setting of "false", and use a secondary confirmation process (e.g., email confirmation) to ensure that the resource created is real.

7.7. Secure Storage and Handling of Sensitive Data

An attacker may obtain valid username/password combinations from the SCIM service provider's underlying database by gaining access to the database and/or launching injection attacks. This could lead to unintended disclosure of username/password combinations. The impact may extend beyond the domain of the SCIM service provider if the data was provisioned from other domains.

Administrators should undertake industry best practices to protect the storage of credentials and, in particular, SHOULD follow recommendations outlined in Section 5.1.4.1 of [RFC6819]. These recommendations include, but are not limited to, the following:

o Provide injection attack countermeasures (e.g., by validating all inputs and parameters);

o Credentials should not be stored in cleartext form;

o Store credentials using an encrypted protection mechanism (e.g., hashing); and

o Where possible, avoid passwords as the sole form of authentication, and consider using credentials that are based on asymmetric cryptography.

As outlined in Section 5.1.4.2 of [RFC6819], administrators SHOULD take countermeasures such as the following, to prevent online attacks on secrets:

o Utilize a secure password policy in order to increase user password entropy, which will in turn hinder online attacks and password guessing;

o Mitigate attacks on passwords by locking respective accounts that have a number of failed attempts;

o Use "tar pit" techniques by temporarily locking a respective account and delaying responses for a certain duration. The duration may increase with the number of failed attempts; and

o Use authentication systems that use CAPTCHAs and other factors for authenticating users, to further reduce the possibility of automated attacks.
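
An added example, not from this RFC, that turns the two lists above into code for a hypothetical credential store: passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes and checked with a constant-time comparison, a password policy rejects low-entropy values before they are accepted, each failed login puts the account into a "tar pit" whose hold time doubles with every failure, the account is locked outright after a threshold, and an unknown user name costs the same hashing work as a known one so response time does not reveal which accounts exist. The iteration count, thresholds and delays are illustrative values chosen for the example, not figures from the RFC, and the clock is injectable so the lockout schedule can be exercised without sleeping.

```python
"""Added example, not part of RFC 7644: a hypothetical credential store
applying the Section 7.7 countermeasures.

- passwords are never kept in cleartext; each is a salted
  PBKDF2-HMAC-SHA256 hash (hashlib.pbkdf2_hmac) checked with
  hmac.compare_digest;
- a password policy rejects short or single-class values;
- each failure moves the account into a "tar pit" whose hold doubles per
  failure; after MAX_FAILURES the account is locked for LOCKOUT_SECONDS;
- unknown user names cost the same hashing work as known ones.

Iteration count, thresholds and delays are illustrative, not from the RFC.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Tuple

PBKDF2_ITERATIONS = 200_000      # tune so one hash costs ~100 ms on your hardware
MAX_FAILURES = 5                 # hard lock after this many consecutive failures
BASE_DELAY = 0.5                 # tar pit: seconds after the first failure, doubling
LOCKOUT_SECONDS = 900            # hard lock duration
_SALT_BYTES = 16


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_policy(password: str) -> None:
    """Raise ValueError for passwords below the (assumed) policy."""
    if len(password) < 12:
        raise ValueError("password must be at least 12 characters")
    classes = sum(any(test(c) for c in password)
                  for test in (str.islower, str.isupper, str.isdigit,
                               lambda c: not c.isalnum()))
    if classes < 3:
        raise ValueError("password must mix at least three character classes")


def tarpit_delay(failures: int) -> float:
    """0, 0.5, 1, 2, 4 ... seconds: grows with the number of failed attempts."""
    return 0.0 if failures <= 0 else BASE_DELAY * 2 ** (failures - 1)


class CredentialStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._records: dict = {}       # userName -> salt, hash, failures, locked_until

    def set_password(self, username: str, password: str) -> None:
        check_policy(password)
        salt = os.urandom(_SALT_BYTES)
        self._records[username] = {"salt": salt, "hash": _hash(password, salt),
                                   "failures": 0, "locked_until": 0.0}

    def verify(self, username: str, password: str) -> Tuple[bool, str]:
        """(True, "ok"), (False, "invalid") or (False, "locked").  A real
        server answers "locked" with a delayed or 429-style response until
        locked_until has passed, and never says which of the two it was."""
        now = self._clock()
        rec = self._records.get(username)
        if rec is None:
            _hash(password, b"\x00" * _SALT_BYTES)   # same cost for unknown users
            return False, "invalid"
        if now < rec["locked_until"]:
            return False, "locked"
        if hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return True, "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return False, "locked"
        rec["locked_until"] = now + tarpit_delay(rec["failures"])
        return False, "invalid"
```

The per-account counter is what makes the tar pit and the lock work against a single target; it does nothing against an attacker who spreads one guess across many accounts, which is why the rate limit of Section 7.6 and the password policy are needed alongside it.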

Service providers SHOULD define an access control model that differentiates between individual client applications and their specific need to access information, and any User self-service rights to review and update personal profile information. This may include OAuth 2.0 delegation profiles that allow client systems to act on behalf of users with their permission.

7.8. Case-Insensitive Comparison and International Languages

When comparing Unicode strings such as those in query filters or testing for uniqueness of usernames and passwords, strings MUST be appropriately prepared before comparison. See Section 5.

8. IANA Considerations
8.1. Media Type Registration

To: ietf-types@iana.org

   Subject:  Registration of media type application/scim+json
        
Type name: application

Subtype name: scim+json

Required parameters: none

Optional parameters: none

Encoding considerations: 8bit

Security considerations: See Section 7 of this document (RFC 7644)

Interoperability considerations: The "application/scim+json" media type is intended to identify JSON structure data that conforms to the SCIM protocol and schema specifications. Older versions of SCIM are known to informally use "application/json".

Published specification: this document (RFC 7644)

Applications that use this media type: It is expected that applications that use this type may be special-purpose applications intended for inter-domain provisioning. Clients may also be applications (e.g., mobile applications) that need to use SCIM for self-registration of user accounts. SCIM services may be offered by web applications that offer support for standards-based provisioning or may be a dedicated SCIM service provider such as a "cloud directory". Content may be treated as equivalent to the "application/json" type for the purpose of displaying in web browsers.

Additional information:

Magic number(s):

File extension(s): .scim .scm

Macintosh file type code(s):

Person & email address to contact for further information: SCIM mailing list "<scim@ietf.org>"

Intended usage: COMMON* (see restrictions)

Restrictions on usage: For most client types, it is sufficient to recognize the content as equivalent to "application/json". Applications intending to use the SCIM protocol SHOULD use the "application/scim+json" media type.

Author: Phil Hunt

Change controller: IETF

8.2. Registering URIs for SCIM Messages

As per the "SCIM Schema URIs for Data Resources" registry established by [RFC7643], the following defines and registers the SCIM protocol request/response JSON schema URN identifier prefix of "urn:ietf:params:scim:api:messages:2.0", which is part of the URN sub-namespace for SCIM. There is no specific associated resource type.

   +---------------------------------+-----------------+---------------+
   | Schema URI                      | Name            | Reference     |
   +---------------------------------+-----------------+---------------+
   | urn:ietf:params:scim:api:       | List/Query      | See Section   |
   | messages:2.0:ListResponse       | Response        | 3.4.2         |
   |                                 |                 |               |
   | urn:ietf:params:scim:api:       | POST Query      | See Section   |
   | messages:2.0:SearchRequest      | Request         | 3.4.3         |
   |                                 |                 |               |
   | urn:ietf:params:scim:api:       | PATCH Operation | See Section   |
   | messages:2.0:PatchOp            |                 | 3.5.2         |
   |                                 |                 |               |
   | urn:ietf:params:scim:api:       | Bulk Operations | See Section   |
   | messages:2.0:BulkRequest        | Request         | 3.7           |
   |                                 |                 |               |
   | urn:ietf:params:scim:api:       | Bulk Operations | See Section   |
   | messages:2.0:BulkResponse       | Response        | 3.7           |
   |                                 |                 |               |
   | urn:ietf:params:scim:api:       | Error Response  | See Section   |
   | messages:2.0:Error              |                 | 3.12          |
   +---------------------------------+-----------------+---------------+
        

Table 10: SCIM Schema URIs for Data Resources

9. References
9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, <http://www.rfc-editor.org/info/rfc3629>.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <http://www.rfc-editor.org/info/rfc3986>.

[RFC5234] Crocker, D., Ed., and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008, <http://www.rfc-editor.org/info/rfc5234>.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <http://www.rfc-editor.org/info/rfc5246>.

[RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", RFC 5789, DOI 10.17487/RFC5789, March 2010, <http://www.rfc-editor.org/info/rfc5789>.

[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March 2011, <http://www.rfc-editor.org/info/rfc6125>.

[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, <http://www.rfc-editor.org/info/rfc6749>.

[RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, DOI 10.17487/RFC6750, October 2012, <http://www.rfc-editor.org/info/rfc6750>.

[RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March 2014, <http://www.rfc-editor.org/info/rfc7159>.

[RFC7230] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, <http://www.rfc-editor.org/info/rfc7230>.

[RFC7231] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014, <http://www.rfc-editor.org/info/rfc7231>.

[RFC7232] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests", RFC 7232, DOI 10.17487/RFC7232, June 2014, <http://www.rfc-editor.org/info/rfc7232>.

[RFC7235] Fielding, R., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Authentication", RFC 7235, DOI 10.17487/RFC7235, June 2014, <http://www.rfc-editor.org/info/rfc7235>.

[RFC7538] Reschke, J., "The Hypertext Transfer Protocol Status Code 308 (Permanent Redirect)", RFC 7538, DOI 10.17487/RFC7538, April 2015, <http://www.rfc-editor.org/info/rfc7538>.

[RFC7613] Saint-Andre, P. and A. Melnikov, "Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords", RFC 7613, DOI 10.17487/RFC7613, August 2015, <http://www.rfc-editor.org/info/rfc7613>.

[RFC7643] Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C. Mortimore, "System for Cross-domain Identity Management: Core Schema", RFC 7643, DOI 10.17487/RFC7643, September 2015, <http://www.rfc-editor.org/info/rfc7643>.

9.2. Informative References

[HTTP-BASIC-AUTH] Reschke, J., "The 'Basic' HTTP Authentication Scheme", Work in Progress, draft-ietf-httpauth-basicauth-update-07, February 2015.

[OAuth-PoP-Arch] Hunt, P., Ed., Richer, J., Mills, W., Mishra, P., and H. Tschofenig, "OAuth 2.0 Proof-of-Possession (PoP) Security Architecture", Work in Progress, draft-ietf-oauth-pop-architecture-02, July 2015.

[OpenSearch] Clinton, D., "OpenSearch Protocol 1.1, Draft 5", December 2005, <http://www.opensearch.org/Specifications/OpenSearch/1.1>.

[RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, DOI 10.17487/RFC6265, April 2011, <http://www.rfc-editor.org/info/rfc6265>.

[RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0 Threat Model and Security Considerations", RFC 6819, DOI 10.17487/RFC6819, January 2013, <http://www.rfc-editor.org/info/rfc6819>.

[RFC6902] Bryan, P., Ed., and M. Nottingham, Ed., "JavaScript Object Notation (JSON) Patch", RFC 6902, DOI 10.17487/RFC6902, April 2013, <http://www.rfc-editor.org/info/rfc6902>.

[RFC7486] Farrell, S., Hoffman, P., and M. Thomas, "HTTP Origin-Bound Authentication (HOBA)", RFC 7486, DOI 10.17487/RFC7486, March 2015, <http://www.rfc-editor.org/info/rfc7486>.

[RFC7521] Campbell, B., Mortimore, C., Jones, M., and Y. Goland, "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants", RFC 7521, DOI 10.17487/RFC7521, May 2015, <http://www.rfc-editor.org/info/rfc7521>.

[RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 2015, <http://www.rfc-editor.org/info/rfc7525>.

[RFC7564] Saint-Andre, P. and M. Blanchet, "PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols", RFC 7564, DOI 10.17487/RFC7564, May 2015, <http://www.rfc-editor.org/info/rfc7564>.

[XML-Schema] Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes Second Edition", W3C Recommendation, October 2004, <http://www.w3.org/TR/xmlschema-2/>.

Acknowledgements

The editor would like to acknowledge the contribution and work of the editors of draft versions of this document:

Trey Drake, UnboundID

Chuck Mortimore, Salesforce

The editor would like to thank the participants in the SCIM working group for their support of this specification.

Contributors

Samuel Erdtman (samuel@erdtman.se)

Patrick Harding (pharding@pingidentity.com)

Authors' Addresses

Phil Hunt (editor) Oracle Corporation

Email: phil.hunt@yahoo.com

Kelly Grizzle SailPoint

Email: kelly.grizzle@sailpoint.com

Morteza Ansari Cisco

Email: morteza.ansari@cisco.com

Erik Wahlstroem Nexus Technology

Email: erik.wahlstrom@nexusgroup.com

Chuck Mortimore Salesforce.com

Email: cmortimore@salesforce.com