title: Device Schema Extensions to the SCIM model abbrev: SCIM Device Schema Extensions docname: draft-ietf-scim-device-model-11 submissionType: IETF category: std
ipr: trust200902 keyword: Internet-Draft
stand_alone: yes pi: [toc, sortrefs, symrefs]
author:
- ins: M. Shahzad
name: Muhammad Shahzad
org: North Carolina State University
street:
- Department of Computer Science
- 890 Oval Drive
- Campus Box 8206 city: Raleigh, NC code: 27695-8206 country: USA email: [email protected]
- ins: H. Iqbal
name: Hassan Iqbal
org: North Carolina State University
street:
- Department of Computer Science
- 890 Oval Drive
- Campus Box 8206 city: Raleigh, NC code: 27695-8206 country: USA email: [email protected]
- ins: E. Lear name: Eliot Lear org: Cisco Systems street: Richtistrasse 7 code: CH-8304 city: Wallisellen country: Switzerland phone: +41 44 878 9200 email: [email protected]
normative: BLE54: title: Bluetooth Core Specification, Version 5.4 author: - org: Bluetooth SIG date: 2023
DPP2: title: Wi-Fi Easy Connect Specification, Version 2.0 author: - org: Wi-Fi Alliance date: 2020
FDO11: title: FIDO Device Onboard Specification 1.1 author: - org: FIDO Alliance date: April 19, 2022
--- abstract
The initial core schema for SCIM (System for Cross Identity Management) was designed for provisioning users. This memo specifies schema extensions that enables provisioning of devices, using various underlying bootstrapping systems, such as Wi-fi Easy Connect, FIDO device onboarding vouchers, BLE passcodes, and MAC authenticated bypass.
--- middle
The Internet of Things presents a management challenge in many dimensions. One of them is the ability to onboard and manage large number of devices. There are many models for bootstrapping trust between devices and network deployments. Indeed it is expected that different manufacturers will make use of different methods.
SCIM (System for Cross Identity Management) {{!RFC7643}} {{!RFC7644}} defines a protocol and a schema for provisioning of users. However, it can easily be extended to provision device credentials and other attributes into a network. The protocol and core schema were designed to permit just such extensions. Bulk operations are supported. This is good because often devices are procured in bulk.
A primary purpose of this specification is to provision the network for onboarding and communications access to and from devices within a local deployment based on the underlying capabilities of those devices. The underlying security mechanisms of some devices range from non-existent such as the Bluetooth Low Energy (BLE) "Just Works" pairing method to a robust FIDO Device Onboard (FDO) mechanism. Information from the SCIM server is dispatched to control functions based on selected schema extensions to enable these communications within a network. The SCIM database is therefore essentially equivalent to a network's Authentication, Authorization, and Accounting (AAA) database, and should be carefully treated as such.
Some might ask why SCIM is well suited for this purpose and not, for example, NETCONF {{?RFC6241}} or RESTCONF {{?RFC8040}} with YANG {{?RFC7950}}. After all, there are all sorts of existing models available. The answer is that the only information being passed about the device is neither state nor device configuration information, but only information necessary to bootstrap trust so that the device may establish connectivity.
In the normal SCIM model, it was presumed that large federated deployments would be SCIM clients who provision and remove employees and contractors as they enter and depart those deployments, and federated services such as sales, payment, or conferencing services would be the servers.
In the device model, the roles are reversed, and may be somewhat more varied. A deployment network management system gateway (NMS gateway) plays the role of the server, receiving information about devices that are expected to be connected to its network. That server will apply appropriate local policies regarding whether/how the device should be connected.
The client may be one of a number of entities:
-
A vendor who is authorized to add devices to a network as part of a sales transaction. This is similar to the sales integration sometimes envisioned by Bootstrapping Remote Key Infrastructure (BRSKI) {{?RFC8995}}.
-
A client application that administrators or employees use to add, remove, or get information about devices. An example might be an tablet or phone app that scans Wi-fi Easy Connect QR codes.
+-----------------------------------+
| |
+-----------+ Request | +---------+ |
| onboarding|------------->| SCIM | |
| app |<-------------| Server | |
+-----------+ Ctrl Endpt +---------+ |
| |
+-----------+ | +------------+ +-------+ |
| Control |...........|..| ALG |.........|device | |
| App | | +------------+ +-------+ |
+-----------+ | |
| |
+-----------------------------------+
{: #arch title="Basic Architecture"}
In {{arch}}, the onboarding app provides the device particulars. As part of the response, the SCIM server might provide additional information, especially in the case of non-IP devices, where an application-layer gateway may need to be used to communicate with the device. The control endpoint is one among a number of objects that may be returned.
RFC 7643 does not prescribe a language to describe a schema. We have chosen the JSON schema language {{!I-D.bhutton-json-schema}} for this purpose. The use of XML for SCIM devices is not supported.
Several additional schemas specify specific onboarding mechanisms, such as BLE and Wi-fi Easy Connect.
Attributes defined in the device core schema and extensions comprise characteristics and SCIM datatypes defined in Sections 2.2 and 2.3 of the {{!RFC7643}}. This specifciation does not define new characteristics and datatypes for the SCIM attributes.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 {{!RFC2119}} {{!RFC8174}} when, and only when, they appear in all capitals, as shown here.
A new resource type 'Device' is specified. The "ResourceType" schema specifies the metadata about a resource type (see section 6 of {{!RFC7643}}). It comprises a core device schema and several extension schemas. The core schema provides a minimal resource representation, whereas extension schemas extend the core schema depending on the device's capability. The JSON schema for Device resource type is in {{resource-schema}}.
The Device schema contains three common attributes as defined in the {{!RFC7643}}.
id
An id is a required and unique attribute of the device core schema (see section 3.1 of {{!RFC7643}}).
externalID
An externalID is an optional attribute (see section 3.1 of {{!RFC7643}}).
meta
Meta is a complex attribute and is required (see section 3.1 of {{!RFC7643}}).
The core device schema provides the minimal representation of a resource "Device". It contains only those attributes that any device may need, and only one attribute is required. The core schema for "Device" is identified using the schema URI: "urn:ietf:params:scim:schemas:core:2.0:Device". The following attributes are defined in the device core schema.
displayName
This attribute is of type "string" and provides a human-readable name for a device. It is intended to be displayed to end-users and should be suitable for that purpose. The attribute is not required, and is not case-sensitive. It may be modified and SHOULD be returned by default. No uniqueness constraints are imposed on this attribute.
active
The "active" attribute is of type "boolean" and is a mutable attribute, and is required. If set to TRUE, it means that this device is intended to be operational. Attempts to control or access a device where this value is set to FALSE may fail. For example, when used in conjunction with NIPC {{?I-D.brinckman-nipc}}, commands such as connect, disconnect, subscribe that control app sends to the controller for the devices any command coming from the control app for the device will be rejected by the controller.
mudUrl
The mudUrl attribute represents the URL to the MUD file associated with this device. This attribute is optional and mutable. The mudUrl value is case sensitive and not unique. When present, this attribute may be used as described in {{!RFC8520}}. This attribute is case sensitive and returned by default.
| Attribute | Multi Value | Req | Case Exact | Mutable | Return | Unique |
|---|---|---|---|---|---|---|
| displayName | F | F | F | RW | Def | None |
| ------------- | ------- | ----- | ------ | --------- | -------- | -------- |
| active | F | T | F | RW | Def | None |
| ------------- | ------- | ----- | ------ | --------- | -------- | -------- |
| mudUrl | F | F | T | RW | Def | None |
| {: #tabDevice title="Characteristics of device schema attributes. (Req = Required, | ||||||
| T = True, F = False, RW = ReadWrite, and Def = Default)"} |
An example of a device SCIM object is as follows:
<CODE BEGINS>
{::include examples/SCIM_device_core_schema_object.ftxt}
<CODE ENDS>
The schema for the device is presented in JSON format in Section {{device-schema-json}}, while the openAPI representation is provided in Section {{device-schema-openapi-representation}}.
Device groups are created using the SCIM groups as defined in {{!RFC7643}} Section 4.2.
This section defines a new resource type, 'EndpointApp'. The "ResourceType" schema specifies the metadata about a resource type (see section 6 of {{!RFC7643}}). The resource "EndpointApp" represents client applications that can control and/or receive data from the devices. The JSON schema for EndpointApp resource type is in {{resource-schema}}.
The attributes comprising EndpointsApp are listed in {{endpointapp-schema}}. The "EndpointApp" are included in the endpoint applications extension ("endpointAppsExt") {{endpointsappext-schema}}.
The EndpointApp schema is used to authorize clients control or telemetry services for clients. The schema identifies the application and how clients are to authenticate to the various services.
The schema for "EndpointApp" is identified using the schema URI: "urn:ietf:params:scim:schemas:core:2.0:EndpointApp". The following attributes are defined in this schema.
The EndpointApp schema contains three common attributes as defined in the {{!RFC7643}}.
applicationType
This attribute is of type "string" and represents the type of application. It will only contain two values; 'deviceControl' or 'telemetry'. 'deviceControl' is the application that sends commands to control the device. 'telemetry' is the application that receives data from the device. The attribute is required, and is not case-sensitive. The attribute is readOnly and should be returned by default. No uniqueness constraints are imposed on this attribute.
applicationName
The "applicationName" attribute is of type "string" and represents a human readable name for the application. This attribute is required and mutable. The attribute should be returned by default and there is no uniqueness contraint on the attribute.
clientToken
This attribute type string contains a token that the client will use to authenticate itself. Each token may be a string up to 500 characters in length. It is not mutable, read-only, generated if no certificateInfo object is provisioned, case sensitive and returned by default if it exists. The SCIM server should expect that client tokens will be shared by the SCIM client with other components within the client's infrastructure.
It is the complex attribute that contains x509 certificate's subject name and root CA information associated with application clients that will connect for purposes of device control or telemetry.
rootCA
This is the base64 encoding a trust anchor certificate as described in {{!rfc4648}} Section 4. This trust anchor is applicable for certificates used for client application access. The object is not required, singular, case sensitive, and read/write. If not present, a set of trust anchors MUST be configured out of band.
subjectName
If present, this field may contain one of two names:
- a distinguished name as that will be present in the certificate subject field, as de scribed in Section 4.1.2.4 of {{!RFC5280}}; or
- or a dnsName as part of a subjectAlternateName as described in Section 4.2.1.6 of {{!RFC5280}}.
In the latter case, servers validating such certificates SHALL reject connections when name of the peer as resolved by a DNS reverse lookup does not match the dnsName in the certificate. If multiple dnsNames are present, it is left to server implementations to address any authorization conflicts associated with those names. This attribute is not required, read write, singular and NOT case sensitive.
| Attribute | Multi Value | Req | Case Exact | Mutable | Return | Unique |
|---|---|---|---|---|---|---|
| applicationType | F | T | F | R | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| applicationName | F | T | F | RW | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| clientToken | F | F | T | R | N | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| certificateInfo | F | F | F | RW | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| rootCA | F | F | T | RW | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| subjectName | F | T | T | RW | Def | None |
| {: #tabEndpointApp title="Characteristics of EndpointApp schema attributes. (Req = Required, T = True, F = False, R = ReadOnly, RW = ReadWrite, Manuf = Manufacturer, N = No, and Def = Default)"} |
Note that either clientToken and certificateInfo are used for the authentication of the application. If certificateInfo is NOT present when an endpointApp is object created, then the server SHOULD return a clientToken. Otherwise, if the server accepts the certificateInfo object for authentication, it SHOULD NOT return a clientToken. If the server accepts and produces a clientToken, then control and telemetry servers MUST validate both. The SCIM client will know that this is the case based on the SCIM object that is returned.
certificateInfo is preferred in situations where client functions are federated such that different clients may connect for different purposes.
<CODE BEGINS>
{::include examples/SCIM_endpointapp_schema_object.ftxt}
<CODE ENDS>
The schema for the endpointApp is presented in JSON format in Section {{endpointapp-schema-json}}, while the openAPI representation is provided in Section {{endpointapp-schema-openapi-representation}}.
SCIM provides various extension schemas, their attributes, JSON representation, and example object. The core schema is extended with a new resource type, as described in {{resource-schema}}. No schemaExtensions list is specified in that definition. Instead, an IANA registry is created, where all values for "required" are set to false. All extensions to the Device schema MUST be registered via IANA, as described in . The schemas below demonstrate how this model is to work.
This schema extends the device schema to represent the devices supporting BLE. The extension is identified using the following schema URI:
urn:ietf:params:scim:schemas:extension:ble:2.0:Device
The attributes are as follows:
deviceMacAddress
A string value that represent a public MAC address assigned by the manufacturer. It is a unique 48-bit value. Ir is required, case insensitive, and it is mutable and return as default. The regex pattern is the following:
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$
isRandom
A boolean flag taken from the BLE core specification, 5.3. If FALSE, the device is using a public MAC address. If TRUE, the device uses a random address. If an Idenifying Resolving Key (IRK) is present, the address represents a resolvable private address. Otherwise, the address is assumed to be a random static address. Non-resolvable private addresses are not supported by this specification. This attribute is not required. It is mutable, and is returned by default. The default value is FALSE.
separateBroadcastAddress
When present, this address is used for broadcasts/advertisements. This value MUST NOT be set when an IRK is provided. Its form is the same as deviceMacAddress. It is not required, multivalued, mutable, and returned by default.
irk
A string value that specifies the identity resolving key (IRK), which is unique to each device. It is used to resolve private random address. It should only be provisioned when isRandom is TRUE. It is mutable and never returned. For more information about the use of the IRK, see Section 5.4.5 of {{BLE54}}.
mobility
A boolean attribute to enable BLE device mobility. If set to TRUE, the device could be expected to move within a network of APs. For example, BLE device is connected with AP-1 and moves out of range but comes in range of AP-2, it will be disconnected with AP-1 and connects with AP-2. It is returned by default and mutable.
versionSupport
A multivalued attribute that provides all the BLE versions supported by the device in the form of an array. For example, [4.1, 4.2, 5.0, 5.1, 5.2, 5.3]. It is required, mutable, and return as default.
pairingMethods
An array of pairing methods associated with the BLE device. The pairing methods may require sub-attributes, such as key/password, for the device pairing process. To enable the scalability of pairing methods in the future, they are represented as extensions to incorporate various attributes that are part of the respective pairing process. Pairing method extensions are nested inside the BLE extension. It is required, case sensitive, mutable, and returned by default.
The details on pairing methods and their associated attributes are in section 2.3 of {{BLE54}}. This memo defines extensions for four pairing methods that are nested insided the BLE extension schema. Each extension contains the common attributes . These extension are as follows:
(i) pairingNull extension is identified using the following schema URI:
urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device
pairingNull does not have any attribute. It allows pairing for BLE devices that do not require a pairing method.
(ii) pairingJustWorks extension is identified using the following schema URI:
urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device
Just works pairing method does not require a key to pair devices. For completeness, the key attribute is included and is set to 'null'. Key attribute is required, immutable, and returned by default.
(iii) pairingPassKey extension is identified using the following schema URI:
urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device
The passkey pairing method requires a 6-digit key to pair devices. This extension has one singular integer attribute, "key", which is required, mutable and returned by default. The key pattern is as follows:
^[0-9]{6}$
(iv) pairingOOB extension is identified using the following schema URI:
urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device
The out-of-band pairing method includes three singular attributes, i.e., key, randomNumber, and confirmationNumber.
key
The key is string value, required and received from out-of-bond sources such as NFC. It is case sensitive, mutable, and returned by default.
randomNumber
This attribute represents a nonce added to the key. It is an integer value that is a required attribute. It is mutable and returned by default.
confirmationNumber
An integer which some solutions require in RESTful message exchange. It is not required. It is mutable and returned by default if it exists.
| Attribute | Multi Value | Req | Case Exact | Mutable | Return | Unique |
|---|---|---|---|---|---|---|
| deviceMacAddress | F | T | F | RW | Def | Manuf |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| isRandom | F | T | F | RW | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| sepBroadcastAdd | T | F | F | RW | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| irk | F | F | F | WO | Nev | Manuf |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| versionSupport | T | T | F | RW | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| mobility | F | F | F | RW | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| pairingMethods | T | T | T | RW | Def | None |
| {: #tabBLE title="Characteristics of BLE extension schema attributes. | ||||||
| sepBroadcastAdd is short for separateBroadcastAddress. (Req = Required, | ||||||
| T = True, F = False, RW = ReadWrite, WO=Write Only, Def = Default, | ||||||
| Nev = Never, and Manuf = Manufacturer)."} |
An example of a device object with BLE extension is as follows:
<CODE BEGINS>
{::include examples/SCIM_device_ble_object_v1.ftxt}
<CODE ENDS>
In the above example, the pairing method is "pairingPassKey", which implies that this BLE device pairs using only a passkey. In another example below, the pairing method is "pairingOOB", denoting that this BLE device uses the out-of-band pairing method.
<CODE BEGINS>
{::include examples/SCIM_device_ble_object_v2.ftxt}
<CODE ENDS>
However, a device can have more than one pairing method. Support for multiple pairing methods is also provided by the multi-valued attribute pairingMethods. In the example below, the BLE device can pair with both passkey and OOB pairing methods.
<CODE BEGINS>
{::include examples/SCIM_device_ble_object_v3.ftxt}
<CODE ENDS>
The schema for the BLE extension is presented in JSON format in Section , while the openAPI representation is provided in Section .
A schema that extends the device schema to enable Wi-Fi Easy Connect (otherwise known as Device Provisioning Protocol or DPP). Throughout this specification we use the term DPP. The extension is identified using the following schema URI:
urn:ietf:params:scim:schemas:extension:dpp:2.0:Device
The attributes in this extension are adopted from {{DPP2}}. The attributes are as follows:
dppVersion
An integer that represents the version of DPP the device supports. This attribute is required, case insensitive, mutable, and returned by default.
bootstrapKey
A string value representing Elliptic-Curve Diffie–Hellman (ECDH) public key. The base64 encoded lengths for P-256, P-384, and P-521 are 80, 96, and 120 characters. This attribute is required, case-sensitive, mutable, and returned by default.
deviceMacAddress
The manufacturer assigns the MAC address stored as string. It is a unique 48-bit value. This attribute is optional, case insensitive, mutable, and returned by default. The regex pattern is as follows:
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$
serialNumber
An alphanumeric serial number, stored as string, may also be passed as bootstrapping information. This attribute is optional, case insensitive, mutable, and returned by default.
bootstrappingMethod
It is the array of strings of all the bootstrapping methods available on the enrollee device. For example, [QR, NFC]. This attribute is optional, case insensitive, mutable, and returned by default.
classChannel
This attribute is an array of strings of global operating class and channel shared as bootstrapping information. It is formatted as class/channel. For example, ['81/1','115/36']. This attribute is optional, case insensitive, mutable, and returned by default.
| Attribute | Multi Value | Req | Case Exact | Mutable | Return | Unique |
|---|---|---|---|---|---|---|
| dppVersion | F | T | F | RW | Def | None |
| -------------------- | ----- | --- | ------ | --------- | -------- | -------- |
| bootstrapKey | F | T | T | WO | Nev | None |
| -------------------- | ----- | --- | ------ | --------- | -------- | -------- |
| deviceMacAddress | F | F | F | RW | Def | Manuf |
| -------------------- | ----- | --- | ------ | --------- | -------- | -------- |
| serialNumber | F | F | F | RW | Def | None |
| -------------------- | ----- | --- | ------ | --------- | -------- | -------- |
| bootstrappingMethod | T | F | F | RW | Def | None |
| -------------------- | ----- | --- | ------ | --------- | -------- | -------- |
| classChannel | T | F | F | RW | Def | None |
| -------------------- | ----- | --- | ------ | --------- | -------- | -------- |
| {: #tabDPP title="Characteristics of DPP extension schema attributes. | ||||||
| (Req = Required, T = True, F = False, RW = ReadWrite, WO = Write Only, | ||||||
| Def = Default, Nev = Never, and Manuf = Manufacturer)."} |
An example of a device object with DPP extension is below:
<CODE BEGINS>
{::include examples/SCIM_device_dpp_object.ftxt}
<CODE ENDS>
The schema for the DPP extension is presented in JSON format in Section , while the openAPI representation is provided in Section .
This extension enables a legacy means of (very) weak authentication, known as MAC Authenticated Bypass (MAB), that is supported in many wired ethernet solutions. If the MAC address is known, then the device may be permitted (perhaps limited) access. The extension is identified by the following URI:
urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device
This extension has a singular attribute:
deviceMacAddress
This is the Ethernet address to be provisioned onto the network. It takes the identical form as found in both the BLE and DPP extensions.
| Attribute | Multi Value | Req | Case Exact | Mutable | Return | Unique |
|---|---|---|---|---|---|---|
| deviceMacAddress | F | T | F | RW | Def | None |
| {: #tabMAB title="Characteristics of MAB extension schema attributes | ||||||
| (Req = Required, T = True, F = False, RW = ReadWrite, and | ||||||
| Def = Default)"} |
An example of a device object with EthernetMAB extension is shown below:
<CODE BEGINS>
{::include examples/SCIM_device_mab_object.ftxt}
<CODE ENDS>
The schema for the EthernetMAB extension is presented in JSON format in Section , while the openAPI representation is provided in Section .
This extension specifies a voucher to be used by the FDO Device Onboard (FDO) protocols {{FDO11}} to complete a trusted transfer of ownership and control of the device to the environment. The SCIM server MUST know how to process the voucher, either directly or by forwarding it along to an owner process as defined in the FDO specification.
urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device
This extension has a singular attribute:
fdoVoucher
The voucher is formated as a PEM-encoded object in accordance with {{FDO11}}.
| Attribute | Multi Value | Req | Case Exact | Mutable | Return | Unique |
|---|---|---|---|---|---|---|
| fdoVoucher | F | T | F | WO | Nev | None |
| {: #tabFDO title="Characteristics of FDO extension schema attributes | ||||||
| (Req = Required, T = True, F = False, WO = WriteOnly, and | ||||||
| Nev = Never)"} |
An example of a device object with FDO extension is shown below:
<CODE BEGINS>
{::include examples/SCIM_device_fdo_object.ftxt}
<CODE ENDS>
The schema for the FDO extension is presented in JSON format in Section , while the openAPI representation is provided in Section .
A schema that extends the device schema to enable the provisioning of Zigbee devices. The extension is identified using the following schema URI:
urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device
It has one singular attribute and one multivalued attribute. The attributes are as follows:
deviceEui64Address
An EUI-64 (Extended Unique Identifier) device address stored as string. This attribute is required, case insensitive, mutable, and returned by default. The regex pattern is as follows:
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){7}$
versionSupport
An array of strings of all the Zigbee versions supported by the device. For example, [3.0]. This attribute is required, case insensitive, mutable, and returned by default.
| Attribute | Multi Value | Req | Case Exact | Mutable | Return | Unique |
|---|---|---|---|---|---|---|
| deviceEui64Address | F | T | F | RW | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| versionSupport | T | T | F | RW | Def | None |
| {: #tabZigbee title="Characteristics of Zigbee extension schema attributes. | ||||||
| (Req = Required, T = True, F = False, RW = ReadWrite, and | ||||||
| Def = Default)"} |
An example of a device object with Zigbee extension is shown below:
<CODE BEGINS>
{::include examples/SCIM_device_zigbee_object.ftxt}
<CODE ENDS>
The schema for the Zigbee extension is presented in JSON format in Section , while the openAPI representation is provided in Section .
Sometimes non-IP devices such as those using BLE or Zigbee require an application gateway interface to manage them. SCIM clients MUST NOT specify this to describe native IP-based devices.
endpointAppsExt provides the list application that connect to enterprise gateway. The endpointAppsExt has one multivalued attribute and two singular attributes. The extension is identified using the following schema URI:
urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device
deviceControlEnterpriseEndpoint
Device control apps use this URL of the enterprise endpoint to reach the enterprise gateway. When the enterprise receives the SCIM object from the onboarding app, it adds this attribute to it and sends it back as a response to the onboarding app. This attribute is required, case-sensitive, mutable, and returned by default. The uniqueness is enforced by the enterprise.
telemetryEnterpriseEndpoint
Telemetry apps use this URL of the enterprise endpoint to reach the enterprise gateway. When the enterprise receives the SCIM object from the onboarding app, it adds this attribute to it and sends it back as a response to the onboarding app. This attribute is optional, case-sensitive, mutable, and returned by default. The uniqueness is enforced by the enterprise. An implementation MUST generate an exception if telemetryEnterpriseEndpoint is not returned and telemetry is required for the proper functioning of a device.
applications
This is a complex multivalued attribute. It represents a list of endpoint applications i.e., deviceControl and telemetry. Each entry in the list comprises two attributes including "value" and "$ref".
value
It is the identifier of the endpoint application formated as UUID. It is same as the common attribute "$id" of the resource "endpointApp". It is read/write, required, case insensitive and returned by default.
$ref
It is the reference to the respective endpointApp resource object stored in the SCIM server. It is readOnly, required, case sensitive and returned by default.
| Attribute | Multi Value | Req | Case Exact | Mutable | Return | Unique |
|---|---|---|---|---|---|---|
| devContEntEndpoint | F | T | T | R | Def | Ent |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| telEntEndpoint | F | F | T | R | Def | Ent |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| applications | T | T | F | RW | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| value | F | T | F | RW | Def | None |
| ------------------ | ------- | ----- | ------ | --------- | -------- | -------- |
| $ref | F | T | F | R | Def | None |
| {: #tabEndpointAppsExt title="Characteristics of EndpointAppsExt extension schema | ||||||
| attributes. DevContEntEndpoint represents attribute | ||||||
| deviceControlEnterpriseEndpoint and telEntEndpoint represents | ||||||
| telemetryEnterpriseEndpoint. (Req = Required, T = True, F = False, | ||||||
| R = ReadOnly, RW = ReadWrite, Ent = Enterprise, and Def = Default)."} |
An example of a device object with endpointAppsExt extension is below:
<CODE BEGINS>
{::include examples/SCIM_device_endpoints_with_ble_object.ftxt}
<CODE ENDS>
The schema for the endpointAppsExt extension along with BLE extension is presented in JSON format in Section {{endpointappsext-extension-schema-json}}, while the openAPI representation is provided in Section {{endpointappsext-extension-schema-openapi-representation}}.
<CODE BEGINS>
{::include SCIM_resource_type.ftxt}
<CODE ENDS>
<CODE BEGINS>
{::include SCIM_device_core_schema_representation.ftxt}
<CODE ENDS>
<CODE BEGINS>
{::include SCIM_endpointApp_schema_representation.ftxt}
<CODE ENDS>
<CODE BEGINS>
{::include extensions/SCIM_BLE_extension_schema.ftxt}
<CODE ENDS>
<CODE BEGINS>
{::include extensions/SCIM_DPP_extension_schema.ftxt}
<CODE ENDS>
<CODE BEGINS>
{::include extensions/SCIM_mab_extension_schema.ftxt}
<CODE ENDS>
<CODE BEGINS>
{::include extensions/SCIM_fdo_extension_schema.ftxt}
<CODE ENDS>
<CODE BEGINS>
{::include extensions/SCIM_zigbee_extension_schema.ftxt}
<CODE ENDS>
<CODE BEGINS>
{::include extensions/SCIM_endpoint_extension_schema.ftxt}
<CODE ENDS>
The following is the JSON representation of the Schema. Implementors MUST NOT vary from the schema definitions in their implementations. They may choose not to implement a particular extension, but if they do, they MUST implement all mandatory elements, and they must implement optional elements as specified.
<CODE BEGINS>
{::include SCIM_schema.ftxt}
<CODE ENDS>
Because provisioning operations are sensitive, each client must be appropriately authenticated. Certain objects may be read-only or not visible based on who is connected.
An attacker that has authenticated to a trusted SCIM client could manipulate portions of the SCIM database. To be clear on the risks, we discuss each operation below:
Object creation in this framework grants a device access to the infrastructure and will to a greater or lesser extent grant the infrastructure access to the device. When IP-layer access is provisioned, then the access will be at the IP layer. For non-IP layer access, such as provisioning of BLE devices, the access may be to the entire device. The explicit grant is made when the credentials of the device are shared with the SCIM server.
Once granted, even if the object is removed, the server may or may not act on that removal. The deletion of the object is a signal of intent by the application that it no longer expects the device to be on the network. It is strictly up to the SCIM server and its back end policy to decide whether or not to revoke access to the infrastructure. Any access grant by the device must be separately handled.
Read operations are necessary in order for an application to sync its state to know what devices it is expected to manage. An attacker with access to SCIM objects may gain access to the devices themselves. To prevent one SCIM client from interfering with devices that it has no business managing, only clients that have created objects or those they authorize SHOULD have the ability to read those objects.
Update operations may be necessary if a device has been modified in some way. Attackers with update access may be able to disable network access to devices or device access to networks. To avoid this, the same access control policy for read operations is RECOMMENDED here.
Devices provisioned with this model may be completely controlled by the administrator of the SCIM server, depending on how those systems are defined. For instance, if BLE passkeys are provided, the device can be connected to, and perhaps paired with. Any additional security must be provided at higher application layers. For example, if client applications wish to keep private information to and from the device, they should encrypt that information over-the-top.
An attacker could learn what devices are on a network by examining SCIM logs. Due to the sensitive nature of SCIM operations, logs SHOILD be encrypted both on the disk and in transit.
The IANA is requested to add the following additions to the "SCIM Schema URIs for Data Resources" registry as follows:
Note that the line break in URNs should be removed, as should this comment.
IANA is requested to create a separate table for Device Schema Extensions, as described in {{extensions}}, with the following columns:
- schemaExtensionURI
- Short Description
- Reference
The policy for entries into this table shall be and "Specification Required", as specified in {{!RFC8126}}. Designated experts shall check that each schema is produced in the format described in {{!RFC7643}}, and that the semantics of the schema are clear and unambiguous. It is also RECOMMENDED that schemas be made available in OpenAPI.
The initial table entries shall be as follows:
The authors would like to thank Bart Brinckman, Rohit Mohan, Lars Streubesand, Christian Amsüss, Jason Livingwood, Mike Ounsworth, Monty Wiseman, Geoffrey Cooper, and Phil Hunt for their reviews.
--- back
[RFC Editor to remove this section.]
Draft -09:
- last call comments, bump BLE version, add acknowledgments.
- Also, recapture Rohit comments and those of Christian.
Drafts 04-08:
- Lots of cleanup
- Security review responses
- Removal of a tab
- Dealing with certificate stuff
Draft -03:
- Add MAB, FDO
- Some grammar improvements
- fold OpenAPI
- IANA considerations
Draft -02:
-
Clean up examples
-
Move openapi to appendix Draft -01:
-
Doh! We forgot the core device scheme!
Draft -00:
- Initial revision
The following sections are provided for informational purposes.
OpenAPI representation of device core schema is as follows:
<CODE BEGINS>
{::include openapi/device_schema.fyml}
<CODE ENDS>
OpenAPI representation of endpointApp schema is as follows:
<CODE BEGINS>
{::include openapi/endpointapp_schema.fyml}
<CODE ENDS>
OpenAPI representation of BLE extension schema is as follows:
<CODE BEGINS>
{::include openapi/SCIM_BLE_extension_schema.fyml}
<CODE ENDS>
OpenAPI representation of DPP extension schema is as follows:
<CODE BEGINS>
{::include openapi/SCIM_DPP_extension_schema.fyml}
<CODE ENDS>
OpenAPI representation of Ethernet MAB extension schema is as follows:
<CODE BEGINS>
{::include openapi/SCIM_MAB_extension_schema.fyml}
<CODE ENDS>
OpenAPI representation of FDO extension schema is as follows:
<CODE BEGINS>
{::include openapi/SCIM_FDO_extension_schema.fyml}
<CODE ENDS>
OpenAPI representation of zigbee extension schema is as follows:
<CODE BEGINS>
{::include openapi/SCIM_zigbee_extension_schema.fyml}
<CODE ENDS>
EndpointAppsExt Extension Schema OpenAPI Representation {#endpointappsext-extension-schema-openapi-representation}
OpenAPI representation of endpoint Apps extension schema is as follows:
<CODE BEGINS>
{::include openapi/SCIM_endpoint_extension_schema.fyml}
<CODE ENDS>