Independent Identity Inc

phil.hunt@independentid.com

Cisco Systems

ncamwing@cisco.com

Sailpoint Technologies

mike.kiser@sailpoint.com

Workday, Inc.

jwschreib@gmail.com

SEC SCIM Identity Event SET Provisioning Token SCIM This specification defines a set of System for Cross-domain Identity Management (SCIM) Security Events using the Security Event Token (SET) specification (RFC 8417) to enable the asynchronous exchange of messages between SCIM service providers and receivers. This specification updates RFC 7643 by defining additional attributes for the "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" schema, and it updates RFC 7644 with an optional new asynchronous SCIM request capability.

Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

• .  Introduction and Overview
  • .  Requirements Language
  • .  Notational Conventions
  • .  Definitions
• .  SCIM Events
  • .  Identifying the Subject of an Event
  • .  Common Event Attributes
  • .  SCIM Feed Events
    • .  urn:ietf:params:scim:event:feed:add
    • .  urn:ietf:params:scim:event:feed:remove
  • .  SCIM Provisioning Events
    • .  urn:ietf:params:scim:event:prov:create:{notice|full}
    • .  urn:ietf:params:scim:event:prov:patch:{notice|full}
    • .  urn:ietf:params:scim:event:prov:put:{notice|full}
    • .  urn:ietf:params:scim:event:prov:delete
    • .  urn:ietf:params:scim:event:prov:activate
    • .  urn:ietf:params:scim:event:prov:deactivate
  • .  Miscellaneous Events
    • .  Asynchronous Events
• .  Set-Txn HTTP Response Header for Asynchronous Requests
• .  Events Discovery Schema for Service Provider Configuration
• .  Security Considerations
• .  Privacy Considerations
• .  IANA Considerations
  • .  SCIM Asynchronous Set-Txn Header Registration
  • .  Registering Event Capability with SCIM Service Provider Configuration
  • .  Creation of the SCIM Event URIs Registry
  • .  Initial Contents of the SCIM Event URIs Registry
• .  References
  • .  Normative References
  • .  Informative References
• .  Use Cases
  • .  Domain-Based Replication
  • .  Coordinated Provisioning
• Acknowledgements
• Authors' Addresses

Introduction and Overview This specification defines Security Events for SCIM service providers and receivers as specified by Security Event Tokens (SETs) . In this specification, SCIM Security Events include asynchronous request completion, resource replication, and provisioning coordination. This specification defines the use of the HTTP header "Prefer: respond-async" to allow a SCIM client to request an asynchronous response (see ). Using the HTTP protocol, a SCIM client issues commands to a SCIM service provider using HTTP methods such as POST, PATCH, and DELETE that cause a state change to a SCIM resource. When multiple independent SCIM clients update SCIM resources, individual clients become out of date as state changes occur. Some clients may need to be informed of these changes for coordination or reconciliation purposes. This could be done using periodic SCIM GET requests over time, but this rapidly becomes problematic as the number of changes and the number of resources increases. SCIM Events can be shared over an established event feed enabling receivers to monitor and trigger independent asynchronous action. This approach enables greater scale and timeliness, where only changed information is exchanged between parties. A SET conveys information about a state change that has occurred at a SCIM service provider. That SET may be of interest to one or more receivers. But instead of interpreting SETs as commands, each Event Receiver is able to determine the best local follow-up action to take within its own context. For example, a receiver can reconcile schema and resource type differences between domains.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Notational Conventions Throughout this document, all figures may contain spaces and extra line wrapping for readability and space limitations. Similarly, some URIs contained within examples have been shortened for space and readability reasons.

Definitions This specification uses definitions from the following specifications:

• "JSON Web Token (JWT)" ,
• "Security Event Token (SET)" , and
• "System for Cross-domain Identity Management: Protocol" .

In JSON Web Tokens (JWTs) and Security Event Tokens, the term "claim" refers to JSON attribute values contained in a JWT structure. The term "claim" in tokens is used to indicate that an attribute value may not be verified and its accuracy can be questioned. In the context of SCIM, this distinction is not made. For this specification, the terms "claims" and "attributes" are interchangeable. For consistency, JWT and SET attributes registered by IANA will continue to be called "claims", while event information attributes (i.e., those in an event payload) will be referred to as "attributes". Additionally, the following terms are defined:

Attributes and Claims:

The JWT specification , upon which SET is based, uses the term "claims" to refer to attributes in a JSON Web Token. In contrast, SCIM uses the term "attributes" to refer to JSON attributes. For the purposes of this document, the terms "attributes" and "claims" are equivalent.

Coordinated Provisioning (CP):

As defined in , in CP relationships, an Event Publisher and Receiver typically exchange resource change events without exchanging data (see ). For a receiver to know the value of the data, the Event Receiver usually calls back to the SCIM Event Publisher domain to receive a new copy of data (e.g., uses a SCIM GET request).

Domain-Based Replication (DBR):

As defined in , in the DBR mode, there is an administrative relationship spanning multiple operational domains; data shared in Events typically uses the "full" mode variation of change events (see ) including the "data" payload attribute. This eliminates the need for a callback to retrieve additional data.

Event Feed / Event Stream:

An event feed (or equivalently an event stream) is a logical series of events shared with a unique receiving client. A SET transfer (see and ) service provider may offer to allow Event Receivers to "subscribe" to specific event types or events about specific resources (see feed events in ).

Event Receiver:

An entity typically receives events as described in and or via HTTP GET (see ). In the case of push-based SET delivery , the Event Receiver is an HTTP endpoint that receives requests. In the case of poll-based SET delivery , the receiver is an HTTP client that initiates HTTP requests to an Event Publisher endpoint.

Event Publisher:

A system that issues SETs based on a resource state change that has occurred at a SCIM service provider. For example, events may be the result of a SCIM Create, Modify, or Delete operation as defined in . A SCIM service provider may be an Event Publisher or an independent service that aggregates events into Event Receiver feeds. As described above, when using , the Event Publisher is an HTTP client that initiates HTTP POST requests to a defined Event Receiver endpoint. When using , the Event Publisher provides an HTTP endpoint, which a receiver may use to "poll" for Security Events.

SCIM Client:

An HTTP client that initiates SCIM protocol requests and receives responses that may cause SCIM Events to be issued by the SCIM service provider. A SCIM client may also be an Event Receiver, typically when making an asynchronous SCIM request (see ).

SCIM Service Provider:

An HTTP server that implements the SCIM protocol and SCIM schema . Upon processing a state change to a SCIM resource, it issues a SCIM Event or causes an Event Publisher to issue a SCIM Event.

Security Event Token (SET):

As defined in .

SCIM Events A SCIM Event is a signal, in the form of a Security Event Token , that describes some event that has occurred. A SET event consists of a set of standard JWT "top-level" claims and an "events" claim that contains one or more event URI subclaims (JSON attributes) each with a JSON object containing relevant event information. This specification defines the new URI prefix "urn:ietf:params:scim:event", which is used as the prefix for the defined SCIM Events (see ). Events are grouped into one of two sub-namespaces: "feed" (feed control notices) or "prov" (provisioning).

Identifying the Subject of an Event SCIM Events MUST use the "sub_id" claim, defined by , to identify the subject of events. The "sub_id" claim MUST be contained within the main JWT claims body and MUST NOT be located within an event payload within the "events" claim. A SET with multiple event URIs indicates that the events arise from the same transaction or resource state change for a single resource or subject. The JWT "sub" claim MUST NOT be used to identify subjects to prevent confusion with JWT authorization tokens (originally recommended in ).

Example SCIM Subject Id { "iss": "issuer.example.com", "iat": 1508184845, "aud": "aud.example.com", "sub_id": { "format": "scim", "uri": "/Users/2b2f880af6674ac284bae9381673d462", "externalId": "alice@example.com" }, "events": { ... } }

Instead of "sub", the top-level claim "sub_id" SHALL be used. "sub_id" contains the subclaim attribute "format" set to "scim" to indicate that the attributes present in the "sub_id" object are SCIM attributes. The following "sub_id" attributes are defined:

uri:

The SCIM relative path for the resource that usually consists of the resource type endpoint plus the resource "id" (see ), for example, "/Users/2b2f880af6674ac284bae9381673d462". This attribute MUST be provided in a SCIM Event "sub_id" claim. Note that the relative path is the path component after the SCIM service provider Base URI as defined in . In cases where the Event Receiver is unable to match a URI, the Event Receiver MAY issue a callback to a previously agreed SCIM service provider Base URI plus the relative "uri" value and perform a SCIM GET request per .

externalId:

If known, the "externalId" value (defined in ) of the SCIM resource that MAY be used by a receiver to identify the corresponding resource in the Event Receiver's domain.

id:

The SCIM "id" attribute (defined in ) MAY be used for backwards compatibility reasons in addition to the "uri" claim.

In cases where SCIM identifiers ("id" and "externalId") are not enough to identify a common resource between an Event Publisher and Event Receiver, the "sub_id" object MAY contain attributes whose SCIM attribute types have "uniqueness" set to "server" or "global" as per . For example, attributes such as "emails" or "userName" (defined in ) are unique within a SCIM service provider. Such attributes should allow an Event Publisher and Event Receiver to identify a commonly understood subject resource of an event.

Common Event Attributes The following attributes are available for all events defined. Some attributes are defined as SET/JWT claims, while others are "event payload" claims as defined in . Only one of the claims, "data" or "attributes", MUST be provided depending on the event definition.

txn:

A SET-defined claim with a STRING value (see ) that uniquely identifies a transaction originating at a SCIM service provider and/or its underlying data repository or database where one or more SCIM Events may be subsequently issued. In contrast to a "jti" claim (see ), which uniquely identifies a token, the "txn" remains the same when one or more SETs are generated for various purposes such as retransmission, publication to multiple receivers, etc. A distinct state change or transaction within a SCIM service provider MAY result in multiple SETs issued each with distinct "jit" values and a common "txn" value. "txn" is REQUIRED to support asynchronous SCIM requests, CP, and replication to disambiguate or detect duplicate SETs regarding the same underlying transaction.

version:

The ETag version of the resource as a result of the event. Corresponds to the ETag response header described in .

data:

An event payload attribute that contains information described in the SCIM Bulk Operations "data" attribute in . The JSON object contains the equivalent SCIM command processed by the SCIM service provider. For example, after processing a SCIM Create operation, the data contained includes the final representation of the entity created by the SCIM service provider including the assigned "id" value.

attributes:

A payload that contains an array of attributes that were added, revised, or removed. Names of modified attributes SHOULD conform to the ABNF syntax rule for "path" (). For example: "attributes": ["userName","emails","name.familyName"].

SCIM Feed Events This section defines events related to changes in the content of an event feed such as SCIM resources that are being added or removed from an event feed or events used in Coordinated Provisioning scenarios where only a subset of entities are shared across an event feed. The URI prefix for these events is "urn:ietf:params:scim:event:feed".

urn:ietf:params:scim:event:feed:add The specified resource has been added to the event feed. A "feed:add" does not indicate that a resource is new or has been recently created. For example, an existing user has had a new role (e.g., CRM_User) added to their profile, which has caused their resource to join a feed.

Example SCIM Feed Add Event { "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", "txn": "b7b953f11cc6489bbfb87834747cc4c1", "sub_id": { "format": "scim", "uri": "/Users/2b2f880af6674ac284bae9381673d462", "externalId": "jdoe" }, "events":{ "urn:ietf:params:scim:event:feed:add": {} }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

urn:ietf:params:scim:event:feed:remove The specified resource has been removed from the feed. Removal does not indicate that the resource was deleted or otherwise deactivated.

Example SCIM Feed Remove Event { "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", "sub_id": { "format": "scim", "uri": "/Users/2b2f880af6674ac284bae9381673d462", "externalId": "jdoe", }, "events":{ "urn:ietf:params:scim:event:feed:remove": {} }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

SCIM Provisioning Events This section defines resource changes that have occurred within a SCIM service provider. These events are used in both Domain-Based Replication (DBR) and Coordinated Provisioning (CP) mode. The URI prefix for these events is "urn:ietf:params:scim:event:prov". When the "data" payload attribute is included for each of the following events, the event URI MUST end with "full"; otherwise, the event URI ends with "notice". In "full" mode, the set of values reflecting the final representation of the resource (such as would be returned in a SCIM protocol response) at the service provider are provided using the "data" attribute (see ). In "notice" mode, the "attributes" attribute is returned and lists the set of attributes created or modified in the request (see ). Exactly one of the payload attributes, "data" or "attributes", MUST be present. Both MUST NOT be present simultaneously.

urn:ietf:params:scim:event:prov:create:{notice|full} The specified resource indicates that a new SCIM resource has been created by the SCIM service provider and has been added to the event feed. Note that because the event may be used for replication, the "id" attribute that was assigned by the SCIM service provider is shared so that all replicas in the domain MAY use the same resource identifier.

Example SCIM Create Event (Full) { "jti": "4d3559ec67504aaba65d40b0363faad8", "iat": 1458496404, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754", "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7" ], "sub_id": { "format": "scim", "uri": "/Users/44f6142df96bd6ab61e7521d9", "externalId":"jdoe" }, "events":{ "urn:ietf:params:scim:event:prov:create:full":{ "data":{ "schemas":[ "urn:ietf:params:scim:schemas:core:2.0:User"], "emails":[ {"type":"work","value":"jdoe@example.com"} ], "userName":"jdoe", "name":{ "givenName":"John", "familyName":"Doe" } } } } }

Example SCIM Create Event (Notice) { "jti": "4d3559ec67504aaba65d40b0363faad8", "iat": 1458496404, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754", "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7" ], "sub_id": { "format": "scim", "uri": "/Users/44f6142df96bd6ab61e7521d9", "externalId": "jdoe" }, "events": { "urn:ietf:params:scim:event:prov:create:notice": { "attributes": [ "id", "name", "userName", "password", "emails" ] } } }

The event shown in notifies the Event Receiver of which attributes have changed, but it does not convey the actual information. The Event Receiver MAY retrieve that information by performing a SCIM GET based on the "sub_id" value provided.

urn:ietf:params:scim:event:prov:patch:{notice|full} The specified resource has been updated using SCIM PATCH. In "full" mode, the "data" payload attribute is included (see ). When the event URI ends with "notice", the list of modified attributes is provided (see ).

Example SCIM Patch Event (Full) { "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", "sub_id": { "format": "scim", "uri": "/Groups/176f397ec4c44b94b2cfcb759780b8c2", "externalId": "crmUsers" }, "events":{ "urn:ietf:params:scim:event:prov:patch:full": { "version": "a330bc54f0671c9", "data": { "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations":[{ "op":"add", "path":"members", "value":[{ "display": "Babs Jensen", "$ref": "/Users/2819c223...413861904646", "value": "2819c223-7f76-453a-919d-413861904646" }] }] } } }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

Example SCIM Patch Event (Notice) { "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", "sub_id": { "format": "scim", "uri": "/Groups/176f397ec4c44b94b2cfcb759780b8c2", "externalId": "crmUsers" }, "events":{ "urn:ietf:params:scim:event:prov:patch:notice": { "attributes": ["members"], "version": "a330bc54f0671c9" } }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

urn:ietf:params:scim:event:prov:put:{notice|full} The specified resource has been updated (e.g., one or more attributes has changed). In "full" mode, the SCIM PUT request body is included in the "data" attribute (see ). In "notice" mode, the modified attributes are listed using "attributes" (see ).

Example SCIM Put Event (Full) { "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", "sub_id": { "format": "scim", "uri": "/Users/2819c223-7f76-453a-919d-413861904646" }, "events":{ "urn:ietf:params:scim:event:prov:put:full": { "version": "a330bc54f0671c9", "data": { "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"], "userName":"jdoe", "externalId":"jdoe", "name":{ "formatted":"Mr. Jon Jack Doe III", "familyName":"Doe", "givenName":"Jon", "middleName":"Jack" }, "roles":[], "emails":[ {"value":"jdoe@example.com"}, {"value":"anon@jdoe.org"} ] } } }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

Example SCIM Put Event (Notice) { "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", "sub_id": { "format": "scim", "uri": "/Users/2819c223-7f76-453a-919d-413861904646" }, "events":{ "urn:ietf:params:scim:event:prov:put:notice": { "version": "a330bc54f0671c9", "attributes": ["userName","externalId","name","roles","emails"] } }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

urn:ietf:params:scim:event:prov:delete The specified resource has been deleted from the SCIM service provider. The resource is also removed from the feed. When a DELETE is sent, a corresponding "feedRemove" SHALL NOT be issued. A delete event has no payload attributes. Note that because the delete event has no attributes, the qualifiers "full" and "notice" SHALL NOT be used.

Example SCIM Delete Event { "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", "sub_id": { "format": "scim", "uri": "/Users/2b2f880af6674ac284bae9381673d462", "externalId": "jDoe" }, "events":{ "urn:ietf:params:scim:event:prov:delete": {} }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

urn:ietf:params:scim:event:prov:activate The specified resource (e.g., User) has been "activated". This does not necessarily reflect any particular state change at the SCIM service provider but may simply indicate that the account defined by the SCIM resource is ready for use as agreed upon by the Event Publisher and Event Receiver. For example, an activated resource can represent an account that may be logged in.

Example SCIM Activate Event { "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", "sub_id": { "format": "scim", "uri": "/Users/2b2f880af6674ac284bae9381673d462" }, "events":{ "urn:ietf:params:scim:event:prov:activate": {} }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

urn:ietf:params:scim:event:prov:deactivate The specified resource (e.g., User) has been deactivated and disabled. The exact meaning SHOULD be agreed to by the Event Publisher and its corresponding Event Receiver. Typically, this means the subject may no longer have an active security session.

Miscellaneous Events This section defines related miscellaneous events such as asynchronous request completion that has occurred within a SCIM service provider. The URI prefix for these events is "urn:ietf:params:scim:event:misc".

Asynchronous Events

Making an Asynchronous SCIM Request A SCIM client making SCIM HTTP requests defined in MAY request asynchronous processing using the "Prefer" HTTP header as defined in . The client may do this for a number of reasons such as avoiding holding HTTP connections open during long requests because the result of the request is not needed or the result is delivered to another entity for further action for coordination reasons. To initiate an asynchronous SCIM request, a normal SCIM protocol POST, PUT, PATCH, or DELETE request is performed with the HTTP "Prefer" header set to "respond-async" (). The HTTP "Accept" header MUST be ignored for purposes of an asynchronous response. Additionally, per , the "wait" preference SHOULD be supported to establish a maximum time before a SCIM service provider MAY choose to respond asynchronously. In response, the SCIM service provider returns either a normal SCIM response or HTTP status code 202 (Accepted). The asynchronous response MUST contain no response body. To enable correlation of the future event, the HTTP response header "Set-Txn" (see ) is returned with a value that MUST match the "txn" claim in a subsequent Security Event Token. Per , the response will also include the "Preference-Applied" header. The "Location" header value MUST be one of the following: (a) a URI where the completion SCIM Event Token MAY be retrieved using HTTP GET or (b) the normal SCIM location header response specified by . In the following non-normative example, a "Prefer" header is set to "respond-async":

Example Asynchronous SCIM Protocol Request PUT /Users/2819c223-7f76-453a-919d-413861904646 Host: scim.example.com Prefer: respond-async Content-Type: application/scim+json Authorization: Bearer h480djs93hd8 { "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"], "id":"2819c223-7f76-453a-919d-413861904646", "userName":"bjensen", "externalId":"bjensen", "name":{ "formatted":"Ms. Barbara J Jensen III" }, "roles":[], "emails":[ { "value":"bjensen@example.com" } ] }

The SCIM service provider responds with HTTP status code 202 (Accepted) and includes the Set-Txn header:

Async SCIM Request with Prefer Header HTTP/1.1 202 Accepted Set-Txn: 734f0614e3274f288f93ac74119dcf78 Preference-Applied: respond-async Location: "/Users/2819c223-7f76-453a-919d-413861904646"

Asynchronous Bulk Endpoint Requests provides the ability to submit multiple SCIM operations in a single "bulk" request. When an asynchronous response is requested, a single Asynchronous Request Completion Event MUST be generated for each requested operation. For example, if a single "bulk" request had 10 operations, then 10 Asynchronous Event completion events would be generated. The "txn" claim MUST be set to the value originally returned to the requesting SCIM client (see ) appended with a colon ":" and the zero-based array index of the operation expressed in the "Operations" attribute of the original bulk request. The "bulkId" parameter MUST NOT be used for this purpose as it is a temporary identifier and is not required for every operation. For example, if a SCIM service provider received a bulk request with two or more operations, and had a "txn" claim value of "2d80e537a3f64622b0347b641ebc8f44", then the first Asynchronous Response Event Token representing the first operation has a "txn" claim value of "2d80e537a3f64622b0347b641ebc8f44:0", the second operation has a value of "2d80e537a3f64622b0347b641ebc8f44:1", and so on. If a SCIM service provider optimizes the sequence of operations (per ), the Asynchronous Request Completion Events MAY be generated out of sequence from the original request. In this case, the "txn" claims in those events MUST use operation numbers that correspond to the order in the original request.

urn:ietf:params:scim:event:misc:asyncresp The Asynchronous Response Event signals the completion of a SCIM request. The event payload contains the attributes defined in and is the same as a single SCIM Bulk Response Operation as per . In the event, the "txn" claim MUST be set to the value originally returned to the requesting SCIM client (see ).

Example SCIM Asynchronous Response Event { "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", "sub_id": { "format": "scim", "uri": "/Users/2819c223-7f76-453a-919d-413861904646" }, "txn": "734f0614e3274f288f93ac74119dcf78", "events":{ "urn:ietf:params:scim:event:misc:asyncresp": { "method": "PUT", "version": "W\/\"huJj29dMNgu3WXPD\"", "status": "200" } }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

If an error occurs during asynchronous processing, the event operation MUST include a "response" attribute indicating a non-200-series HTTP status as defined in , and that "response" attribute MUST contain the sub-attributes defined in . The "status" attribute of the event operation typically matches the "status" attribute of the response.

Example SCIM Asynchronous Error Response Event { "jti": "6164f3bbf6ff41a88dc94f18cb0620e8", "sub_id": { "format": "scim", "uri": "/Users/2819c223-7f76-453a-919d-413861904646" }, "txn": "734f0614e3274f288f93ac74119dcf78", "events":{ "urn:ietf:params:scim:event:misc:asyncresp": { "method": "PUT", "version": "W\/\"huJj29dMNgu3WXPD\"", "status": "400", "response": { "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "scimType":"invalidSyntax", "detail": "Request is unparsable", "status":"400" } } }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

The following four figures show asynchronous completion events for the example in .

Example SCIM Asynchronous Response Event Operation (1 of 4) { "jti": "dbae9d7506b34329aa7f2f0d3827848b", "sub_id": { "format": "scim", "uri": "/Users/92b725cd-9465-4e7d-8c16-01f8e146b87a" }, "txn": "2d80e537a3f64622b0347b641ebc8f44:1", "events":{ "urn:ietf:params:scim:event:misc:asyncresp": { "method": "POST", "bulkId": "qwerty", "version": "W\/\"oY4m4wn58tkVjJxK\"", "status": "201" } }, "iat": 1458505044, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

Example SCIM Asynchronous Response Event Operation (2 of 4) { "jti": "ca977d05ba5c43929e3a69023d5392a9", "sub_id": { "format": "scim", "uri": "/Users/b7c14771-226c-4d05-8860-134711653041" }, "txn": "2d80e537a3f64622b0347b641ebc8f44:2", "events":{ "urn:ietf:params:scim:event:misc:asyncresp": { "method": "PUT", "version": "W\/\"huJj29dMNgu3WXPD\"", "status": "200" } }, "iat": 1458505045, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

Example SCIM Asynchronous Response Event Operation (3 of 4) { "jti": "4bb87d70a4ab463bbdcd1f99111cbbf1", "sub_id": { "format": "scim", "uri": "/Users/5d8d29d3-342c-4b5f-8683-a3cb6763ffcc" }, "txn": "2d80e537a3f64622b0347b641ebc8f44:3", "events":{ "urn:ietf:params:scim:event:misc:asyncresp": { "method": "PATCH", "version": "W\/\"huJj29dMNgu3WXPD\"", "status": "200" } }, "iat": 1458505046, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

Example SCIM Asynchronous Response Event Operation (4 of 4) { "jti": "6a7843a7f5244d0eb62ca38b641d9139", "sub_id": { "format": "scim", "uri": "/Users/e9025315-6bea-44e1-899c-1e07454e468b" }, "txn": "2d80e537a3f64622b0347b641ebc8f44:4", "events":{ "urn:ietf:params:scim:event:misc:asyncresp": { "method": "DELETE", "status": "204" } }, "iat": 1458505047, "iss":"https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754" ] }

Set-Txn HTTP Response Header for Asynchronous Requests This specification defines a new HTTP header field, "Set-Txn", which serves the purpose of conveying request completion information to SCIM HTTP clients that request an asynchronous response as described in . The header field MUST be used in SCIM responses when HTTP status code 202 (Accepted) is being returned with no message body. The "Set-Txn" HTTP header field value is a unique STRING (e.g., a Globally Unique Identifier (GUID)) used by the SCIM HTTP client to look for a matching SET event with a matching "txn" claim (see ) confirming the request completion status as described in . Intermediaries SHOULD NOT insert, modify, or delete the field's value. SCIM clients MAY ignore the header in cases where confirmation of completion is not required. For example, a SCIM client may simply not want to wait for synchronous completion.

Events Discovery Schema for Service Provider Configuration defines SCIM service provider configuration schemas. This section defines additional attributes that enable a SCIM client to discover the additional capabilities defined by this specification.

securityEvents:

A SCIM complex attribute that specifies the available capabilities related to asynchronous Security Events based on . This attribute is OPTIONAL, and when absent, it indicates the SCIM service provider does not support or is not currently configured for Security Events. The following sub-attributes are defined:

asyncRequest:

A case-insensitive string value specifying one of the following:

• "none" indicates that asynchronous SCIM requests defined in are not supported;
• "long" indicates that the server completes requests asynchronously at the server's discretion (e.g., based on a max wait time); and
• "request" indicates that the server completes requests asynchronously when requested by the SCIM client.

eventUris:

A multivalued string listing the SET Event URIs (defined in ) that the server is capable of generating and delivering via a SET Stream (see and ). This information is informational only. Stream registration and configuration are out of scope of this specification.

Security Considerations As this specification is based upon the SETs specification and the associated delivery specifications, the following security considerations are also applicable to this specification:

• (Security Event Token)
• (Push-Based SET Delivery Using HTTP)
• (Poll-Based SET Delivery Using HTTP)

SETs may contain sensitive information, including Personally Identifiable Information (PII). In such cases, SET Transmitters and SET Recipients MUST protect the confidentiality of the SET contents in transit using TLS . When coordinating provisioning between entities, the long-term series of changes may be critical to the information integrity and recovery requirements of both sides. To address this, Event Publishers can make events available for receivers for longer periods of time than might typically be used for recovering from momentary delivery failures and retries per or . Similarly, Event Receivers MUST ensure events are persisted directly or indirectly to meet local recovery needs before acknowledging the SET Events were received. An attacker might leverage transaction and/or signal information contained in a SET Event Publisher or Receiver system. To mitigate this, access to event recovery and forwarding MUST be limited to the parties needed to support recovery or SET forwarding. When SET Events are transferred in such a way that the Event Publisher is not communicating directly to the Event Receiver, it may become possible for an attacker or other system to insert an event. To mitigate, Event Receivers MUST verify the originator of a SET using JSON Web Signature (JWS) signatures when the Event Publisher is not communicating directly with the Event Receiver. Validating event signatures may also be useful for auditing purposes as signed SET Events are protected from tampering in the event that an intermediate system, such as a TLS-terminating proxy, decrypts the SET payload before sending it onward to its intended recipient. In operation, some SCIM resources such as SCIM Groups may have a high rate of change. For example, groups with more than a few thousand member values could lead to excessive change rates, which could lead to a loss of SET Events between Event Publishers and Event Receivers. To mitigate this risk, consider the following to help with throughput issues:

• The use of SCIM PUT (), particularly with large SCIM Groups, can result in excessive data being conveyed in Security Event payloads. Instead, it is RECOMMENDED to use SCIM PATCH () to focus on updating and notifying about changed information. Alternatively, use SCIM PUT Event Notice (urn:ietf:params:scim:event:prov:put:notice) as a trigger to later retrieve the full information when needed.
• Use SCIM Patch Event Notice (urn:ietf:params:scim:event:prov:patch:notice) to reduce event content combined with periodic SCIM GETs (see ) to retrieve current group state.
• Aggregate multiple PATCH Events into a single event. If providing the exact date of each membership change is not critical, consider using a PATCH to aggregate multiple membership changes into a single event.

When using asynchronous SCIM requests (see ), a SCIM service provider returns a SCIM Accepted response with a URI for retrieving the event result. An unauthorized entity or attacker could obtain Asynchronous Request Completion Event information by querying the asynchronous operation result endpoint used by a SCIM service provider. To mitigate, the returned URI endpoint MUST be protected and requires an HTTP Authorization header or some other form of client authentication.

Privacy Considerations As this specification is based upon the SET specification and the associated delivery specifications, the following privacy considerations are also applicable to this specification:

• (Security Event Token)
• (Push-Based SET Delivery Using HTTP)
• (Poll-Based SET Delivery Using HTTP)

This specification enables the sharing of information between domains; therefore, it is assumed that implementers and deployers are operating under one of the following scenarios:

• A common administrative domain where there is one administrative owner of the data. In these cases, the goal is to protect privacy and security of the owner and user data by keeping information systems coordinated and up to date. For example, the domains decide to use DBR mode to keep employee information synchronized.
• In a cooperative or coordinated relationship, parties have decided to share a limited amount of data and/or signals for the benefits of their users. Depending on end-user consent, information is shared on an as-authorized and/or as-needed basis. For example, the domains agree to use CP mode that exchanges things such as account status or specific minimal attribute information that must be fetched on request after receiving notice of a change. This enables authorization to be verified each time data is transferred.

In general, the sharing of SCIM Event information falls within a pre-existing SCIM client and service provider relationship and carries no additional personal information.

IANA Considerations

SCIM Asynchronous Set-Txn Header Registration This specification registers the HTTP "Set-Txn" field name in the "Hypertext Transfer Protocol (HTTP) Field Name Registry" defined in .

Field name:

Set-Txn

Status:

permanent

Reference:

of RFC 9967.

Registering Event Capability with SCIM Service Provider Configuration A reference to of this document has been added to the "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" entry in the "SCIM Server-Related Schema URIs" registry () under the "System for Cross-domain Identity Management (SCIM) Schema URIs" registry group.

Creation of the SCIM Event URIs Registry IANA has created a new registry called "SCIM Event URIs" under the "System for Cross-domain Identity Management (SCIM) Schema URIs" registry group () at . The registration procedure is Expert Review . New registrations for this registry are evaluated by designated expert(s) for relevance to SCIM-based systems and to avoid possible duplication or conflict with other event definitions that may lie outside SCIM (e.g., Shared Signals ).

Namespace ID:

The sub-namespace ID of "event" is assigned within the "scim" namespace.

Syntactic Structure:

The Namespace Specific String (NSS) of all URNs that use the "event" Namespace ID has the following structure: "urn:ietf:params:scim:event:{class}:{name}:{other}" The keywords have the following meaning:

class

The class of events, which is one of: "feed", "prov", or "misc".

name

An ASCII string that conforms to URN syntax requirements (see ) and defines a descriptive event name (e.g., "create").

other

An optional ASCII string that conforms to URN syntax requirements (see ) and serves as an additional sub-category or qualifier, for example, "full" and "notice".

Identifier Uniqueness Considerations:

The designated contact is responsible for reviewing and enforcing uniqueness.

Identifier Persistence Considerations:

Once a name has been allocated, it MUST NOT be reallocated for a different purpose. The rules provided for the assignment of values within a sub-namespace MUST be constructed so that the meaning of values cannot change. This registration mechanism is not appropriate for naming values whose meaning may change over time.

Registration Format:

An event registration MUST include the following fields:

• Event URI
• Descriptive name
• Reference to event definition

Initial Contents of the SCIM Event URIs Registry IANA has added the following initial entries to the "SCIM Event URIs" registry:

Event URI	Name	Reference
urn:ietf:params:scim:event:feed:add	Resource added to Feed Event	of RFC 9967
urn:ietf:params:scim:event:feed:remove	Remove resource from Feed Event	of RFC 9967
urn:ietf:params:scim:event:prov:create: notice	New Resource Event (notice only)	of RFC 9967
urn:ietf:params:scim:event:prov:create: full	New Resource Event (full data)	of RFC 9967
urn:ietf:params:scim:event:prov:patch: notice	Resource Patch Event (notice only)	of RFC 9967
urn:ietf:params:scim:event:prov:patch: full	Resource Patch Event (full data)	of RFC 9967
urn:ietf:params:scim:event:prov:put: notice	Resource Put Event (notice only)	of RFC 9967
urn:ietf:params:scim:event:prov:put:full	Resource Put Event (full data)	of RFC 9967
urn:ietf:params:scim:event:prov:delete	Resource Deleted Event	of RFC 9967
urn:ietf:params:scim:event:prov:activate	Resource Activated Event	of RFC 9967
urn:ietf:params:scim:event:prov:deactivate	Resource Deactivated Event	of RFC 9967
urn:ietf:params:scim:event:misc:asyncresp	Asynchronous Request Completion	of RFC 9967

References Normative References This document formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those documents have been moved to Historic status. These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in 2018), providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance. This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC 4347) but not DTLS version 1.2, and there is no DTLS version 1.1. This document updates many RFCs that normatively refer to TLS version 1.0 or TLS version 1.1, as described herein. This document also updates the best practices for TLS usage in RFC 7525; hence, it is part of BCP 195. Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are used to protect data exchanged over a wide range of application protocols and can also form the basis for secure transport protocols. Over the years, the industry has witnessed several serious attacks on TLS and DTLS, including attacks on the most commonly used cipher suites and their modes of operation. This document provides the latest recommendations for ensuring the security of deployed services that use TLS and DTLS. These recommendations are applicable to the majority of use cases. RFC 7525, an earlier version of the TLS recommendations, was published when the industry was transitioning to TLS 1.2. Years later, this transition is largely complete, and TLS 1.3 is widely available. This document updates the guidance given the new environment and obsoletes RFC 7525. In addition, this document updates RFCs 5288 and 6066 in view of recent attacks. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This specification defines an HTTP header field that can be used by a client to request that certain behaviors be employed by a server while processing a request. JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification. JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. The System for Cross-domain Identity Management (SCIM) specifications are designed to make identity management in cloud-based applications and services easier. The specification suite builds upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model as well as binding documents to provide patterns for exchanging this schema using HTTP. This document provides a platform-neutral schema and extension model for representing users and groups and other resource types in JSON format. This schema is intended for exchange and use with cloud service providers. The System for Cross-domain Identity Management (SCIM) specification is an HTTP-based protocol that makes managing identities in multi-domain scenarios easier to support via a standardized service. Examples include, but are not limited to, enterprise-to-cloud service providers and inter-cloud scenarios. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. SCIM's intent is to reduce the cost and complexity of user management operations by providing a common user schema, an extension model, and a service protocol defined by this document. A Uniform Resource Name (URN) is a Uniform Resource Identifier (URI) that is assigned under the "urn" URI scheme and a particular URN namespace, with the intent that the URN will be a persistent, location-independent resource identifier. With regard to URN syntax, this document defines the canonical syntax for URNs (in a way that is consistent with URI syntax), specifies methods for determining URN-equivalence, and discusses URI conformance. With regard to URN namespaces, this document specifies a method for defining a URN namespace and associating it with a namespace identifier, and it describes procedures for registering namespace identifiers with the Internet Assigned Numbers Authority (IANA). This document obsoletes both RFCs 2141 and 3406. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This specification defines the Security Event Token (SET) data structure. A SET describes statements of fact from the perspective of an issuer about a subject. These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject. This specification is intended to enable representing security- and identity-related events. A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP. This specification defines how a Security Event Token (SET) can be delivered to an intended recipient using HTTP POST over TLS. The SET is transmitted in the body of an HTTP POST request to an endpoint operated by the recipient, and the recipient indicates successful or failed transmission via the HTTP response. This specification defines how a series of Security Event Tokens (SETs) can be delivered to an intended recipient using HTTP POST over TLS initiated as a poll by the recipient. The specification also defines how delivery can be assured, subject to the SET Recipient's need for assurance. The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. Security events communicated within Security Event Tokens may support a variety of identifiers to identify subjects related to the event. This specification formalizes the notion of Subject Identifiers as structured information that describes a subject and named formats that define the syntax and semantics for encoding Subject Identifiers as JSON objects. It also establishes a registry for defining and allocating names for such formats as well as the JSON Web Token (JWT) "sub_id" Claim. Informative References Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. Oracle Google Cisco Work in Progress

Use Cases SCIM Events may be used in a number of ways. The following non-normative sections describe some of the expected uses.

Domain-Based Replication The objective of DBR events is to synchronize resource changes between SCIM service providers in a common administrative domain. In this mode, complete information about modified resources are shared between replicas for immediate processing.

Domain-Based Replication Sequence +-------------+ +---------------------+ +------------------------+ |SCIM Client A| |SCIM Service Provider| |Service Provider Replica| +-------------+ +---------------------+ +------------------------+ | | | | [1] SCIM Operation | | |-------------------->| | | [2] SCIM Response | | |<--------------------| | | | | | | [3] Event SCIM:prov:<op> | | | id:xyz | | |- - - - - - - - - - - - - >| | | | | | [4] Update local node |--+ | | | | | | |<-+ | | | v v v

From a security perspective, it is assumed that servers sharing DBR events are secured by a common access policy and all servers are required to be up to date. From a privacy perspective, because all servers are in the same administrative domain, the primary objective is to keep individual service provider nodes or clusters synchronized.

Coordinated Provisioning In CP, SCIM resource change events perform the function of change notification without the need to provide raw data. In any Event Publisher and Receiver relationship, the set of SCIM resources (e.g., Users) that are linked or coordinated is managed within the context of an event feed and may be a subset of the total set of resources on either side. For example, an event feed could be limited to users who have consented to the sharing of information between domains. To support capability, "feed" specific events are defined to indicate the addition and removal of SCIM resources from a feed. For example, when a user consents to the sharing of information between domains, events about the User may be added to the feed between the Event Publisher and Receiver.

Coordinated Provisioning Sequence +-----------+ +---------------+ +-----------------+ +---------------+ |SCIM Client| | SCIM Service | | Event Receiver | | Coord. Action | | | | Provider | | | | Endpoint | +-----------+ +---------------+ +-----------------+ +---------------+ | | | | | [1] SCIM | | | | Operation | | | |--------------->| | | | | | | | [2] SCIM | | | | Response | | | |<---------------| | | | | | | | +=== loop ==========+===================+ | | | | | | [3] Event | | | | SCIM:prov:<op> | | | | id:xyz | | | |- - - - - - - - - >| | | | | | | | | Note: Receiver | | | | may accumulate | | | | events for | | | | periodic action. | | | | | | | [4] SCIM GET <id> | | | |<------------------| | | | | | | | [5] Filtered | | | | Resource | | | | Response | | | |------------------>| | | | | | | | | [6] Coordinated | | | | Action | | | |------------------>| | | | | | +=== end loop ======+===================+ v v v v

In CP mode, the receiver of an event must call back to the originating SCIM service provider (e.g., using a SCIM GET request) to reconcile the newly changed resource in order to obtain the changes. CP has the following benefits:

• Differences in schema (e.g., attributes) between domains. For example, a receiving domain may only be interested in or allowed to access to a few attributes (e.g., role-based access data) to enable access to an application.
• Different Event Receivers may have differing needs when accessing information and thus may be assigned varying access rights. Minimal information events combined with callbacks for data allows data filtering to be applied.
• Receivers can take independent action such as deciding which attributes or resource life cycle changes to accept. For example, in the case of a conflict, a receiver can prioritize one domain source over another.
• A receiver may throttle or buffer changes rather than act immediately on a notification. For example, for a frequently changing resource, the receiver may choose to make a scheduled SCIM GET for resources that have been marked "dirty" by events received in the last scheduled cycle.

A disadvantage of the CP approach is that it may be considered costly in the sense that each event received might trigger a callback to the event issuer. This cost should be weighed against the cost producing filtered information in each event for each receiver. Furthermore, a receiver is not required to make a callback on every provisioning event. It is assumed that an underlying relationship between domains exists that permits the exchange of personal information and credentials. For example, in a cross-domain scenario, a SCIM service provider would have been previously authorized to perform SCIM provisioning operations and publish change events. As such, appropriate confidentiality and privacy agreements should be in place between the domains. When sharing information between parties, CP Events minimize the information shared in each message and require the Security Event Receiver to receive more information from the Event Publisher as needed. In this way, the Event Receiver is able to have regular access to information through normal SCIM protocol access restrictions. The Event Receiver and Publisher may agree to communicate these updates through a variety of transmission methods such as push- and pull-based HTTP or HTTP GET (see ); streaming technologies (e.g., Kafka or Kinesis); or webhooks such as in the Shared Signals Framework.

Acknowledgements The authors would like to thank the following contributors:

• and , who contributed significantly to upon which this document is based.
• The participants of the SCIM Working Group and the IETF id-event mailing list for their support of this specification.
• , , , , , , , , , , , , , , and for their write-ups and reviews.

Authors' Addresses Independent Identity Inc

phil.hunt@independentid.com

Cisco Systems

ncamwing@cisco.com

Sailpoint Technologies

mike.kiser@sailpoint.com

Workday, Inc.

jwschreib@gmail.com