System for Cross-Domain Identity Management: Core Schema
draft-ietf-scim-core-schema-00
The System for Cross-Domain Identity Management (SCIM) specification is designed to make managing user identity in cloud based applications and services easier. The specification suite builds upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols. In essence, make it fast, cheap, and easy to move identity in to, out of, and around the cloud.
This document provides a platform neutral schema and extension model for representing users and groups in JSON and XML formats. This schema is intended for exchange and use with cloud service providers. Additional binding documents provide a standard REST API, SAML binding, and use cases.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 26, 2013.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] .
Throughout this document, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value.
While there are existing standards for describing and exchanging user information, many of these standards can be difficult to implement and/or use; e.g., their wire protocols do not easily traverse firewalls and/or are not easily layered onto existing web protocols. As a result, many cloud providers implement non-standard APIs for managing users within their services. This increases both the cost and complexity associated with organizations adopting products and services from multiple cloud providers as they must perform redundant integration development. Similarly, cloud services providers seeking to interoperate with multiple application marketplaces or cloud identity providers must be redundantly integrated.
SCIM seeks to simplify this problem through a simple to implement specification suite that provides a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema via a REST API. It draws inspiration and best practice, building upon existing user APIs and schemas from a wide variety of sources including, but not limited to, existing APIs exposed by cloud providers, PortableContacts, and LDAP directory services.
This document provides a platform neutral schema and extension model for representing users and groups in JSON and XML formats. This schema is intended for exchange and use with cloud service providers. Additional binding documents provide a standard REST API, SAML binding, and use cases.
SCIM schema provides a minimal core schema for representing users and groups (resources), encompassing common attributes found in many existing deployments and schemas.
A resource is a collection of attributes identified by one or more schemas. Minimally, an attribute consists of the attribute name and at least one Simple or Complex value either of which may be Multi-valued. SCIM schema defines the data type, plurality and other distinguishing features of an attribute. Unless otherwise specified all attributes are modifiable by Consumers. Immutable (read-only) attributes SHALL be specified as 'READ-ONLY' within the attribute definition. Additionally, Service Providers MAY choose to make some or all Resource attributes immutable and SHOULD identify those attributes via the associated Resource's schema endpoint [schemas-attribute].
Both XML and JSON formats are defined. Resource and attribute names MUST conform to XML naming rules;i.e., SCIM names MUST be valid XML names and SHOULD be camelCased. When marshalling or extending SCIM resources in XML implementors MUST use the normative, SCIM, XML schema (.xsd). SCIM resources represented in a schema-less format; e.g., JSON, MUST specify schema via the schemas attribute [schemas-attribute].
Attribute data types are derived from XML schema and unless otherwise specified are optional, modifiable by Consumers, and of type String [type-string]. The JSON format defines a limited set of data types, hence, where appropriate, alternate JSON representations are defined below. SCIM extensions SHOULD not introduce new data types.
A sequence of characters as defined in section 3.2.1 of the XML Schema Datatypes Specification. A String attribute MAY specify a required data format. Additionally, when Canonical Values are specified Service Providers SHOULD conform to those values if appropriate, but MAY provide alternate String values to represent additional values.
The literal "true" or "false" as specified in section 3.2.2 of the XML Schema Datatypes Specification.
A real number with at least one digit to the left and right of the period as specified in section 3.2.3 of the XML Schema Datatypes Specification.
Values represented in JSON MUST conform to the XML constraints above and are represented as a JSON Number.
A Decimal number with no fractional digits as defined in section 3.3.13 of the XML Schema Datatypes Specification.
Values represented in JSON MUST conform to the XML constraints above and are represented as a JSON Number.
A dateTime (e.g. 2008-01-23T04:56:22Z) as specified in section 3.2.7 of the XML Schema Datatypes Specification.
Values represented in JSON MUST conform to the XML constraints above and are represented as a JSON String.
The attribute value MUST be encoded as a valid xsd:base64Binary value as specified in section 3.2.16 of the XML Schema Datatypes Specification.
Values represented in JSON MUST conform to the XML constraints above and are represented as a JSON String.
A Singular or Multi-valued Attribute whose value is a composition of one or more Simple Attributes as specified in section 3.4 XML Schema Datatypes Specification.
JSON values are represented as JSON Objects.
Multi-valued attributes are unordered lists of attributes. Each attribute MAY contain Sub-Attributes and therefore multi-valued attributes may contain Complex Attributes. The below Sub-Attributes are considered normative and when specified SHOULD be used as defined.
When returning multi-valued attributes, Service Providers SHOULD canonicalize the value returned, if appropriate (e.g. for e-mail addresses and URLs). Providers MAY return the same value more than once with different types (e.g. the same e-mail address may used for work and home), but SHOULD NOT return the same (type, value) combination more than once per Attribute, as this complicates processing by the Consumer.
4. Schema Extension Model
SCIM schema follows an object extension model similar to ObjectClasses used in LDAP. Unlike LDAP there is no inheritance model; all extensions are additive (similar to LDAP Auxiliary Object Classes). Each value indicates additive schema that may exist in a SCIM representation as specified by extensions not defined in this suite. Schema extensions MUST NOT redefine any attributes defined in this specification and SHOULD follow conventions defined in this specification. Each schema extension must identify a URI used to identify the extension. XML MUST use XML namespaces and JSON formats MUST use the "schemas" attribute [schemas-attribute] to distinguish extended resources and attributes.
5.1. Common Schema Attributes
Each SCIM Resource (Users, Groups, etc.) includes the below common attributes. These attributes MUST be included in all Resources, including any extended Resource types. It is not necessary to specify the schemas attribute if the Resource is fully defined in this document as the core schema is implicitly included.
- id
- Unique identifier for the SCIM Resource as defined by the Service Provider. Each representation of the Resource MUST include a non-empty id value. This identifier MUST be unique across the Service Provider's entire set of Resources. It MUST be a stable, non-reassignable identifier that does not change when the same Resource is returned in subsequent requests. The value of the id attribute is always issued by the Service Provider and MUST never be specified by the Service Consumer. bulkId: is a reserved keyword and MUST NOT be used in the unique identifier. REQUIRED and READ-ONLY.
- externalId
- An identifier for the Resource as defined by the Service Consumer. The externalId may simplify identification of the Resource between Service Consumer and Service provider by allowing the Consumer to refer to the Resource with its own identifier, obviating the need to store a local mapping between the local identifier of the Resource and the identifier used by the Service Provider. Each Resource MAY include a non-empty externalId value. The value of the externalId attribute is always issued be the Service Consumer and can never be specified by the Service Provider. The Service Provider MUST always interpret the externalId as scoped to the Service Consumer's tenant.
- meta
- A complex attribute containing resource metadata. All sub-attributes are OPTIONAL
- created
- The DateTime the Resource was added to the Service Provider. The attribute MUST be a DateTime. READ-ONLY.
- lastModified
- The most recent DateTime the details of this Resource were updated at the Service Provider. If this Resource has never been modified since its initial creation, the value MUST be the same as the value of created. The attribute MUST be a DateTime. READ-ONLY.
- location
- The URI of the Resource being returned. This value MUST be the same as the Location HTTP response header. READ-ONLY.
- version
- The version of the Resource being returned. This value must be the same as the ETag HTTP response header. READ-ONLY.
- attributes
- The names of the attributes to remove from the Resource during a PATCH operation.
SCIM supports resources of different types, with extensible schemas. Each resource MUST be indicated using fully qualified URLs.
Where a specific representation has existing support for expressing schema, the traditional convention of that representation MUST be applied. For example, when representing users using XML, XML Namespace should be used.
When a representation does not explicitly provide support for indicating a schema, such as JSON, a schemas attribute is used to indicate the version of SCIM schema as well as any schema extensions.
- schemas
- The schemas attribute is an array of Strings which allows introspection of the supported schema version for a SCIM representation as well any schema extensions supported by that representation. Each String value must be a unique URI. This specification defines URIs for User, Group, and a standard "enterprise" extension. All representations of SCIM schema MUST include a non-zero value array with value(s) of the URIs supported by that representation. Duplicate values MUST NOT be included. Value order is not specified and MUST not impact behavior. REQUIRED.
SCIM provides a schema for representing Users, identified using the following URI: 'urn:scim:schemas:core:1.0'. The following attributes are defined in addition to those attributes defined in SCIM Core Schema:
6.1. Singular Attributes
- userName
- Unique identifier for the User, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to id or externalId, which are generally opaque and not user-friendly identifiers). Each User MUST include a non-empty userName value. This identifier MUST be unique across the Service Consumer's entire set of Users. REQUIRED.
- name
- The components of the User's real name. Providers MAY return just the full name as a single string in the formatted sub-attribute, or they MAY return just the individual component attributes using the other sub-attributes, or they MAY return both. If both variants are returned, they SHOULD be describing the same name, with the formatted name indicating how the component attributes should be combined.
- formatted
- The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g. Ms. Barbara Jane Jensen, III.).
- familyName
- The family name of the User, or "Last Name" in most Western languages (e.g. Jensen given the full name Ms. Barbara Jane Jensen, III.).
- givenName
- The given name of the User, or "First Name" in most Western languages (e.g. Barbara given the full name Ms. Barbara Jane Jensen, III.).
- middleName
- The middle name(s) of the User (e.g. Jane given the full name Ms. Barbara Jane Jensen, III.).
- honorificPrefix
- The honorific prefix(es) of the User, or "Title" in most Western languages (e.g. Ms. given the full name Ms. Barbara Jane Jensen, III.).
- honorificSuffix
- The honorific suffix(es) of the User, or "Suffix" in most Western languages (e.g. III. given the full name Ms. Barbara Jane Jensen, III.).
- displayName
- The name of the User, suitable for display to end-users. Each User returned MAY include a non-empty displayName value. The name SHOULD be the full name of the User being described if known (e.g. Babs Jensen or Ms. Barbara J Jensen, III), but MAY be a username or handle, if that is all that is available (e.g. bjensen). The value provided SHOULD be the primary textual label by which this User is normally displayed by the Service Provider when presenting it to end-users.
- nickName
- The casual way to address the user in real life, e.g. "Bob" or "Bobby" instead of "Robert". This attribute SHOULD NOT be used to represent a User's username (e.g. bjensen or mpepperidge).
- profileUrl
- A fully qualified URL to a page representing the User's online profile.
- title
- The user’s title, such as “Vice President.”
- userType
- Used to identify the organization to user relationship. Typical values used might be "Contractor", "Employee", "Intern", "Temp", "External", and "Unknown" but any value may be used.
- preferredLanguage
- Indicates the User's preferred written or spoken language. Generally used for selecting a localized User interface. Valid values are concatenation of the ISO 639-1 two letter language code, an underscore, and the ISO 3166-1 2 letter country code; e.g., 'en_US' specifies the language English and country US.
- locale
- Used to indicate the User's default location for purposes of localizing items such as currency, date time format, numerical representations, etc. A locale value is a concatenation of the ISO 639-1 two letter language code, an underscore, and the ISO 3166-1 2 letter country code; e.g., 'en_US' specifies the language English and country US.
- timezone
- The User's time zone in the "Olson" timezone database format; e.g.,'America/Los_Angeles'.
- active
- A Boolean value indicating the User's administrative status. The definitive meaning of this attribute is determined by the Service Provider though a value of true infers the User is, for example, able to login while a value of false implies the User's account has been suspended.
- password
- The User's clear text password. This attribute is intended to be used as a means to specify an initial password when creating a new User or to reset an existing User's password. No accepted standards exist to convey password policies, hence Consumers should expect Service Providers to reject password values. This value MUST never be returned by a Service Provider in any form.
6.2. Multi-valued Attributes
The following multi-valued attributes are defined.
- emails
- E-mail addresses for the User. The value SHOULD be canonicalized by the Service Provider, e.g. bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.
- phoneNumbers
- Phone numbers for the User. The value SHOULD be canonicalized by the Service Provider according to format in RFC3966 e.g. 'tel:+1-201-555-0123'. Canonical Type values of work, home, mobile, fax, pager and other.
- ims
- Instant messaging address for the User. No official canonicalization rules exist for all instant messaging addresses, but Service Providers SHOULD, when appropriate, remove all whitespace and convert the address to lowercase. Instead of the standard Canonical Values for type, this attribute defines the following Canonical Values to represent currently popular IM services: aim, gtalk, icq, xmpp, msn, skype, qq, and yahoo.
- photos
- URL of a photo of the User. The value SHOULD be a canonicalized URL, and MUST point to an image file (e.g. a GIF, JPEG, or PNG image file) rather than to a web page containing an image. Service Providers MAY return the same image at different sizes, though it is recognized that no standard for describing images of various sizes currently exists. Note that this attribute SHOULD NOT be used to send down arbitrary photos taken by this User, but specifically profile photos of the User suitable for display when describing the User. Instead of the standard Canonical Values for type, this attribute defines the following Canonical Values to represent popular photo sizes: photo, thumbnail.
- addresses
- A physical mailing address for this User. Canonical Type Values of work, home, and other. The value attribute is a complex type with the following sub-attributes. All Sub-Attributes are OPTIONAL.
- formatted
- The full mailing address, formatted for display or use with a mailing label. This attribute MAY contain newlines.
- streetAddress
- The full street address component, which may include house number, street name, P.O. box, and multi-line extended street address information. This attribute MAY contain newlines.
- locality
- The city or locality component.
- region
- The state or region component.
- postalCode
- The zipcode or postal code component.
- country
- The country name component. When specified the value MUST be in ISO 3166-1 alpha 2 "short" code format; e.g., the United States and Sweden are "US" and "SE", respectively.
- groups
- A list of groups that the user belongs to, either thorough direct membership, nested groups, or dynamically calculated. The values are meant to enable expression of common group or role based access control models, although no explicit authorization model is defined. It is intended that the semantics of group membership and any behavior or authorization granted as a result of membership are defined by the Service Provider. The Canonical types "direct" and "indirect" are defined to describe how the group membership was derived. Direct group membership indicates the User is directly associated with the group and SHOULD indicate that Consumers may modify membership through the Group Resource. Indirect membership indicates User membership is transitive or dynamic and implies that Consumers cannot modify indirect group membership through the Group resource but MAY modify direct group membership through the Group resource which MAY influence indirect memberships. If the SCIM Service Provider exposes a Group resource, the value MUST be the "id" attribute of the corresponding Group resources to which the user belongs. Since this attribute is read-only, group membership changes MUST be applied via the Group Resource [group-resource]. READ-ONLY.
- entitlements
- A list of entitlements for the User that represent a thing the User has. That is, an entitlement is an additional right to a thing, object or service. No vocabulary or syntax is specified and Service Providers/Consumers are expected to encode sufficient information in the value so as to accurately and without ambiguity determine what the User has access to. This value has NO canonical types though type may be useful as a means to scope entitlements.
- roles
- A list of roles for the User that collectively represent who the User is; e.g., 'Student', "Faculty". No vocabulary or syntax is specified though it is expected that a role value is a String or label representing a collection of entitlements. This value has NO canonical types.
- x509Certificates
- A list of certificates issued to the User. Values are Binary [type-binary] and DER encoded x509. This value has NO canonical types.
7. SCIM Enterprise User Schema Extension
The following SCIM extension defines attributes commonly used in representing users that belong to, or act on behalf of a business or enterprise. The enterprise user extension is identified using the following URI: 'urn:scim:schemas:extension:enterprise:1.0'.
The following Singular Attributes are defined:
- employeeNumber
- Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.
- costCenter
- Identifies the name of a cost center.
- organization
- Identifies the name of an organization.
- division
- Identifies the name of a division.
- department
- Identifies the name of a department.
- manager
- The User's manager. A complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the "id" attribute of another User.
- managerId
- The id of the SCIM resource representing the User's manager. REQUIRED.
- displayName
- The displayName of the User's manager. OPTIONAL and READ-ONLY.
SCIM provides a schema for representing groups, identified using the following URI: 'urn:scim:schemas:core:1.0'.
Group resources are meant to enable expression of common Group or role based access control models, although no explicit authorization model is defined. It is intended that the semantics of group membership and any behavior or authorization granted as a result of membership are defined by the Service Provider are considered out of scope for this specification.
The following Singular Attribute is defined in addition to the common attributes defined in SCIM Core Schema:
- displayName
- A human readable name for the Group. REQUIRED.
The following multi-valued attribute is defined in addition to the common attributes defined in SCIM Core Schema:
- members
- A list of members of the Group. Canonical Types "User" and "Group" are READ-ONLY. The value must be the "id" of a SCIM resource, either a User, or a Group. The intention of the Group type is to allow the Service Provider to support nested Groups. Service Providers MAY require Consumers to provide a non-empty members value based on the "required" sub attribute of the "members" attribute in Group Resource Schema.
9. Service Provider Configuration Schema
SCIM provides a schema for representing the Service Provider's configuration identified using the following URI: 'urn:scim:schemas:core:1.0'
The Service Provider Configuration Resource enables a Service Provider to expose its compliance with the SCIM specification in a standardized form as well as provide additional implementation details to Consumers. All attributes are READ-ONLY.
The following Singular Attributes are defined in addition to the common attributes defined in Core Schema:
- documentationUrl
- An HTTP addressable URL pointing to the Service Provider's human consumable help documentation.
- patch
- A complex type that specifies PATCH configuration options. REQUIRED.
- supported
- Boolean value specifying whether the operation is supported. REQUIRED.
- bulk
- A complex type that specifies BULK configuration options. REQUIRED
- supported
- Boolean value specifying whether the operation is supported. REQUIRED.
- maxOperations
- An integer value specifying the maximum number of operations. REQUIRED.
- maxPayloadSize
- An integer value specifying the maximum payload size in bytes. REQUIRED.
- filter
- A complex type that specifies FILTER options. REQUIRED.
- supported
- Boolean value specifying whether the operation is supported. REQUIRED.
- maxResults
- Integer value specifying the maximum number of Resources returned in a response. REQUIRED.
- changePassword
- A complex type that specifies Change Password configuration options. REQUIRED.
- supported
- Boolean value specifying whether the operation is supported. REQUIRED.
- sort
- A complex type that specifies Sort configuration options. REQUIRED.
- supported
- Boolean value specifying whether sorting is supported. REQUIRED.
- etag
- A complex type that specifies Etag configuration options. REQUIRED.
- supported
- Boolean value specifying whether the operation is supported. REQUIRED.
- xmlDataFormat
- A complex type that specifies whether the XML data format is supported. REQUIRED.
- supported
- Boolean value specifying whether the operation is supported. REQUIRED.
The following multi-valued attribute is defined in addition to the common attributes defined in Core Schema:
- authenticationSchemes
- A complex type that specifies supported Authentication Scheme properties. Instead of the standard Canonical Values for type, this attribute defines the following Canonical Values to represent common schemes: oauth, oauth2, oauthbearertoken, httpbasic, and httpdigest. To enable seamless discovery of configuration, the Service Provider SHOULD, with the appropriate security considerations, make the authenticationSchemes attribute publicly accessible without prior authentication. REQUIRED.
- name
- The common authentication scheme name; e.g., HTTP Basic. REQUIRED.
- description
- A description of the Authentication Scheme. REQUIRED.
- specUrl
- A HTTP addressable URL pointing to the Authentication Scheme's specification. OPTIONAL.
- documentationUrl
- A HTTP addressable URL pointing to the Authentication Scheme's usage documentation. OPTIONAL.
The Resource schema specifies the Attribute(s) and meta-data that constitute a Resource. Schema Resources are READ-ONLY and identified using the following URI: 'urn:scim:schemas:core:1.0'. Unlike other core Resources the schema Resource MAY contain a complex object within a Sub-Attribute and all Attributes are REQUIRED unless other specified.
The following Singular Attributes are defined:
- name
- The Resource name. When applicable Service Providers MUST specify the name specified in the core schema specification; e.g., "User" or "Group".
- description
- The Resource's human readable description. When applicable Service Providers MUST specify the description specified in the core schema specification.
- schema
- The Resource's associated schema URI; e.g., urn:scim:schemas:core:1.0.
- endpoint
- The Resource's HTTP addressable endpoint relative to the Base URL; e.g., /Users.
The following multi-valued attribute is defined:
- attributes
- A complex type that specifies the set of Resource attributes.
- name
- The attribute's name.
- type
- The attribute's data type; e.g., String.
- multiValued
- Boolean value indicating the attribute's plurality.
- multiValuedAttributeChildName
- String value specifying the child XML element name; e.g., the 'emails' attribute value is 'email', 'phoneNumbers', is 'phoneNumber'. REQUIRED when the multiValued attribute value is true otherwise this attribute MUST be omitted.
- description
- The attribute's human readable description. When applicable Service Providers MUST specify the description specified in the core schema specification.
- schema
- The attribute's associated schema; e.g., urn:scim:schemas:core:1.0.
- readOnly
- A Boolean value that specifies if the attribute is mutable.
- required
- A Boolean value that specifies if the attribute is required.
- caseExact
- A Boolean value that specifies if the String attribute is case sensitive.
- The following multi-valued attributes are defined. There are no canonical type values defined and the primary value serves no useful purpose.
- subAttributes
- A list specifying the contained attributes. OPTIONAL.
- name
- The attribute's name.
- type
- The attribute's data type; e.g., String.
- description
- The attribute's human readable description. When applicable Service Providers MUST specify the description specified in the core schema specification.
- readOnly
- A Boolean value that specifies if the attribute is mutable.
- required
- A Boolean value that specifies if the attribute is required.
- caseExact
- A Boolean value that specifies if the String attribute is case sensitive.
- canonicalValues
- A collection of canonical values. When applicable Service Providers MUST specify the canonical types specified in the core schema specification; e.g.,"work","home". OPTIONAL.
11.1. Minimal User Representation
The following is a non-normative example of the minimal required SCIM representation in JSON format.
11.2. Full User Representation
The following is a non-normative example of the fully populated SCIM representation in JSON format.
11.3. Enterprise User Extension Representation
The following is a non-normative example of the fully populated User using the enterprise User extension in JSON format.
11.4. Group Representation
The following is a non-normative example of SCIM Group representation in JSON format.
11.5. Service Provider Configuration Representation
The following is a non-normative example of the SCIM Service Provider Configuration representation in JSON format.
11.6. Resource Schema Representation
The following is a normative example of the SCIM Resource Schema representation in JSON format.
12.1. Minimal Representation
The following is a non-normative example of the minimal required SCIM User representation in XML format.
12.2. Full Representation
The following is a non-normative example of the fully populated SCIM representation in XML format.
12.3. Enterprise User Extension Representation
The following is a non-normative example of the fully populated User using the enterprise User extension in XML format.
12.4. Group Representation
The following is a non-normative example of a SCIM Group representation in XML format.
The SCIM Core schema contains personally identifiable information as well as other sensitive data. Aside from prohibiting password values in a SCIM response this specification does not provide any means or guarantee of confidentiality.
14. References