SCIM User selection

[HarryKodden]

At this moment all CO members are selected during SCIM User and Group selection.
We would like to exclude the CO members which are expired in that CO.

The behaviour should be consistent with LDAP: so don't remove the users themselves, but add en extra attribute and remove from relevant groups.

[HarryKodden]

The status (expired/active) is an attribute of the membership of a person within the Collaboration. A Collaboration is reported as a SCIM Group Resource. In order to express the status of that membership the following solution is proposed:

Example (current situation)

{
  "Resources": [
    {
      "displayName": "Example CO",
      "externalId": "[email protected]",
      "members": [
        {
          "$ref": "/Users/185356bc-c73e-417d-acf8-78b37736aadf",
          "display": "Allice in Wonderland",
          "value": "185356bc-c73e-417d-acf8-78b37736aadf"
        },
        {
          "$ref": "/Users/311b759e-edda-4850-8985-5cef59471dc3",
          "display": "Bob de Bouwer",
          "value": "311b759e-edda-4850-8985-5cef59471dc3"
        }
      ],
      "urn:mace:surf.nl:sram:scim:extension:Group": {
        "description": "Dit is een voorbeeld CO",
        "urn": "ucc:co_nr_1",
        "links": [
          {
            "name": "sbs_url",
            "value": "https://test.sram.surf.nl/collaborations/7fcfc832-da96-4afb-a3f5-16ce588217e3"
          },
          {
            "name": "logo",
            "value": "https://test.sram.surf.nl/api/images/collaborations/afaff786-8409-46f3-a6c5-1bdb10cd9b19"
          }
        ]
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group",
        "urn:mace:surf.nl:sram:scim:extension:Group"
      ],
      "id": "fff85cb2-4af3-4e84-8bd9-05d2ada7e364",
      "meta": {
        "created": "2024-08-10T10:36:08.808291",
        "lastModified": "2024-08-15T10:30:10.424721",
        "location": "/Groups/fff85cb2-4af3-4e84-8bd9-05d2ada7e364",
        "resourceType": "Group"
      }
    }
  ],
  "itemsPerPage": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "startIndex": 1,
  "totalResults": 1
}

Example (Proposed Solution):

{
  "Resources": [
    {
      "displayName": "Example CO",
      "externalId": "[email protected]",
      "members": [
        {
          "$ref": "/Users/185356bc-c73e-417d-acf8-78b37736aadf",
          "display": "Allice in Wonderland",
          "value": "185356bc-c73e-417d-acf8-78b37736aadf",
          "status": "active"
        },
        {
          "$ref": "/Users/311b759e-edda-4850-8985-5cef59471dc3",
          "display": "Bob de Bouwer",
          "value": "311b759e-edda-4850-8985-5cef59471dc3",
          "status": "expired"
        }
      ],
      "urn:mace:surf.nl:sram:scim:extension:Group": {
        "description": "Dit is een voorbeeld CO",
        "urn": "ucc:co_nr_1",
        "links": [
          {
            "name": "sbs_url",
            "value": "https://test.sram.surf.nl/collaborations/7fcfc832-da96-4afb-a3f5-16ce588217e3"
          },
          {
            "name": "logo",
            "value": "https://test.sram.surf.nl/api/images/collaborations/afaff786-8409-46f3-a6c5-1bdb10cd9b19"
          }
        ]
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group",
        "urn:mace:surf.nl:sram:scim:extension:Group"
      ],
      "id": "fff85cb2-4af3-4e84-8bd9-05d2ada7e364",
      "meta": {
        "created": "2024-08-10T10:36:08.808291",
        "lastModified": "2024-08-15T10:30:10.424721",
        "location": "/Groups/fff85cb2-4af3-4e84-8bd9-05d2ada7e364",
        "resourceType": "Group"
      }
    }
  ],
  "itemsPerPage": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "startIndex": 1,
  "totalResults": 1
}

Remarks:

• Status is not official attribute in standard SCIM protocol (https://www.rfc-editor.org/rfc/rfc7644),

Question:

• Shall be include the status (only) for Group Resources which represent CO's or also for regular SRAM Groups ?

[HarryKodden]

Alternatief (om meer binnnen de SCIM specs te blijven) maar lastiger voor diensten om te parsen, is om de status toe te voegen aan het display attribuut. Dus bijvoorbeeld bij Bob de Bouwer, wordt dat dan:

        ...
        {
          "$ref": "/Users/311b759e-edda-4850-8985-5cef59471dc3",
          "display": "Bob de Bouwer (expired)",
          "value": "311b759e-edda-4850-8985-5cef59471dc3"
        }
        ...

[baszoetekouw]

I think we should approach this in the same way as in the ldap structure:

• all users get a status-attribute (or SCIM-equivalent) with values active, expired etc
• users who are suspended or whose CO membership is expired, are removed from alle relevant groups (including the CO-group).

[baszoetekouw]

It seems we can simply use voPersonStatus for the user attribute, like this:

{
     "schemas":
       ["urn:ietf:params:scim:schemas:core:2.0:User",
         "urn:oid:1.3.6.1.4.1.25178.4.1"],

     "id": "2819c223-7f76-453a-413861904646",
     "externalId": "701984",

     "userName": "[email protected]",
     "name": {
       "formatted": "Ms. Barbara J Jensen, III",
       ...
     },
    ...

     "urn:oid:1.3.6.1.4.1.25178.4.1": {
       "voPersonStatus": "expired",
       "voPersonExternalAffiliation": "[email protected]",
       ...
     },

     "meta": {
       "resourceType": "User",
       "created": "2010-01-23T04:56:22Z",
       "lastModified": "2011-05-13T04:42:34Z",
       "version": "W\/\"3694e05e9dff591\"",
       "location":
         "https://example.com/v2/Users/2819c223-7f76-453a-413861904646"
     }
   }

as described in https://datatracker.ietf.org/doc/html/rfc7643#section-3.3 and https://github.com/voperson/voperson/blob/main/voPerson.md

[logan-life]

@HarryKodden please proceed with @baszoetekouw recommendation for updating SCIM as above.