rfc9944.original   rfc9944.txt 
Network Working Group M. Shahzad Internet Engineering Task Force (IETF) M. Shahzad
Internet-Draft H. Iqbal Request for Comments: 9944 H. Iqbal
Intended status: Standards Track North Carolina State University Category: Standards Track North Carolina State University
Expires: 7 March 2026 E. Lear ISSN: 2070-1721 E. Lear
Cisco Systems Cisco Systems
3 September 2025 March 2026
Device Schema Extensions to the SCIM model Device Schema Extensions to the System for Cross-Domain Identity
draft-ietf-scim-device-model-18 Management (SCIM) Model
Abstract Abstract
The initial core schema for SCIM (System for Cross-domain Identity The initial core schema for the System for Cross-domain Identity
Management) was designed for provisioning users. This memo specifies Management (SCIM) was designed for provisioning users. This memo
schema extensions that enables provisioning of devices, using various specifies schema extensions that enable provisioning of devices using
underlying bootstrapping systems, such as Wi-fi Easy Connect, FIDO various underlying bootstrapping systems such as Wi-Fi Easy Connect,
device onboarding vouchers, BLE passcodes, and MAC authenticated FIDO device onboarding vouchers, Bluetooth Low Energy (BLE)
bypass. passcodes, and MAC Authenticated Bypass (MAB).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 7 March 2026. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9944.
Copyright Notice Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction
1.1. Why SCIM for devices? . . . . . . . . . . . . . . . . . . 4 1.1. Why SCIM for Devices?
1.2. Protocol Participants . . . . . . . . . . . . . . . . . . 5 1.2. Protocol Participants
1.3. Schema Description . . . . . . . . . . . . . . . . . . . 6 1.3. Schema Description
1.4. Schema Representation . . . . . . . . . . . . . . . . . . 7 1.4. Schema Representation
1.5. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7 1.5. Terminology
2. ResourceType Device . . . . . . . . . . . . . . . . . . . . . 7 2. ResourceType Device
2.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 7 2.1. Common Attributes
3. SCIM Core Device Schema . . . . . . . . . . . . . . . . . . . 7 3. SCIM Core Device Schema
3.1. Singular Attributes . . . . . . . . . . . . . . . . . . . 8 3.1. Singular Attributes
4. Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 4. Groups
5. Resource Type EndpointApp . . . . . . . . . . . . . . . . . . 9 5. Resource Type EndpointApp
6. SCIM EndpointApp Schema . . . . . . . . . . . . . . . . . . . 9 6. SCIM EndpointApp Schema
6.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 9 6.1. Common Attributes
6.2. Singular Attributes . . . . . . . . . . . . . . . . . . . 10 6.2. Singular Attributes
6.3. Complex Attributes . . . . . . . . . . . . . . . . . . . 10 6.3. Complex Attributes
6.3.1. certificateInfo . . . . . . . . . . . . . . . . . . . 10 6.3.1. certificateInfo
7. SCIM Device Extensions . . . . . . . . . . . . . . . . . . . 12 7. SCIM Device Extensions
7.1. Bluetooth Low Energy (BLE) Extension . . . . . . . . . . 12 7.1. Bluetooth Low Energy (BLE) Extension
7.1.1. Singular Attributes . . . . . . . . . . . . . . . . . 12 7.1.1. Singular Attributes
7.1.2. Multivalued Attributes . . . . . . . . . . . . . . . 13 7.1.2. Multivalued Attributes
7.1.3. BLE Pairing Method Extensions . . . . . . . . . . . . 14 7.1.3. BLE Pairing Method Extensions
7.2. Wi-Fi Easy Connect Extension . . . . . . . . . . . . . . 18 7.2. Wi-Fi Easy Connect Extension
7.2.1. Singular Attributes . . . . . . . . . . . . . . . . . 19 7.2.1. Singular Attributes
7.2.2. Multivalued Attributes . . . . . . . . . . . . . . . 19 7.2.2. Multivalued Attributes
7.3. Ethernet MAB Extension . . . . . . . . . . . . . . . . . 21 7.3. Ethernet MAB Extension
7.3.1. Single Attribute . . . . . . . . . . . . . . . . . . 22 7.3.1. Single Attribute
7.4. FIDO Device Onboard Extension . . . . . . . . . . . . . . 23 7.4. FIDO Device Onboard Extension
7.4.1. Single Attribute . . . . . . . . . . . . . . . . . . 23 7.4.1. Single Attribute
7.5. Zigbee Extension . . . . . . . . . . . . . . . . . . . . 24 7.5. Zigbee Extension
7.5.1. Singular Attribute . . . . . . . . . . . . . . . . . 24 7.5.1. Singular Attribute
7.5.2. Multivalued Attribute . . . . . . . . . . . . . . . . 24 7.5.2. Multivalued Attribute
7.6. The Endpoint Applications Extension Schema . . . . . . . 25 7.6. The Endpoint Applications Extension Schema
7.6.1. Singular Attributes . . . . . . . . . . . . . . . . . 26 7.6.1. Singular Attributes
7.6.2. Multivalued Attribute . . . . . . . . . . . . . . . . 26 7.6.2. Multivalued Attribute
8. Security Considerations . . . . . . . . . . . . . . . . . . . 28 8. Security Considerations
8.1. SCIM operations . . . . . . . . . . . . . . . . . . . . . 28 8.1. SCIM Operations
8.1.1. Unauthorized Object Creation . . . . . . . . . . . . 29 8.1.1. Unauthorized Object Creation
8.2. Object Deletion . . . . . . . . . . . . . . . . . . . . . 29 8.2. Object Deletion
8.3. Read operations . . . . . . . . . . . . . . . . . . . . . 29 8.3. Read Operations
8.4. Update Operations . . . . . . . . . . . . . . . . . . . . 29 8.4. Update Operations
8.5. Higher level protection for certain systems . . . . . . . 30 8.5. Higher Level Protection for Certain Systems
8.6. Logging . . . . . . . . . . . . . . . . . . . . . . . . . 30 8.6. Logging
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 9. IANA Considerations
9.1. New Schemas . . . . . . . . . . . . . . . . . . . . . . . 30 9.1. New Schemas
9.2. Device Schema Extensions . . . . . . . . . . . . . . . . 30 9.2. Device Schema Extensions
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31 10. References
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 31 10.1. Normative References
11.1. Normative References . . . . . . . . . . . . . . . . . . 32 10.2. Informative References
11.2. Informative References . . . . . . . . . . . . . . . . . 33 Appendix A. JSON Schema Representation
Appendix A. Changes from Earlier Versions . . . . . . . . . . . 34 A.1. Resource Schema
Appendix B. JSON Schema Representation . . . . . . . . . . . . . 35 A.2. Core Device Schema
B.1. Resource Schema . . . . . . . . . . . . . . . . . . . . . 35 A.3. EndpointApp Schema
B.2. Core Device Schema . . . . . . . . . . . . . . . . . . . 36 A.4. BLE Extension Schema
B.3. EndpointApp Schema . . . . . . . . . . . . . . . . . . . 38 A.5. DPP Extension Schema
B.4. BLE Extension Schema . . . . . . . . . . . . . . . . . . 41 A.6. Ethernet MAB Extension Schema
B.5. DPP Extension Schema . . . . . . . . . . . . . . . . . . 46 A.7. FDO Extension Schema
B.6. Ethernet MAB Extension Schema . . . . . . . . . . . . . . 48 A.8. Zigbee Extension Schema
B.7. FDO Extension Schema . . . . . . . . . . . . . . . . . . 49 A.9. EndpointAppsExt Extension Schema
B.8. Zigbee Extension Schema . . . . . . . . . . . . . . . . . 50 Appendix B. OpenAPI Representation
B.9. EndpointAppsExt Extension Schema . . . . . . . . . . . . 51 B.1. Core Device Schema OpenAPI Representation
Appendix C. OpenAPI representation . . . . . . . . . . . . . . . 53 B.2. EndpointApp Schema OpenAPI Representation
C.1. Core Device Schema OpenAPI Representation . . . . . . . . 53 B.3. BLE Extension Schema OpenAPI Representation
C.2. EndpointApp Schema OpenAPI Representation . . . . . . . . 56 B.4. DPP Extension Schema OpenAPI Representation
C.3. BLE Extension Schema OpenAPI Representation . . . . . . . 59 B.5. Ethernet MAB Extension Schema OpenAPI Representation
C.4. DPP Extension Schema OpenAPI Representation . . . . . . . 63 B.6. FDO Extension Schema OpenAPI Representation
C.5. Ethernet MAB Extension Schema OpenAPI Representation . . 65 B.7. Zigbee Extension Schema OpenAPI Representation
C.6. FDO Extension Schema OpenAPI Representation . . . . . . . 66 B.8. EndpointAppsExt Extension Schema OpenAPI Representation
C.7. Zigbee Extension Schema OpenAPI Representation . . . . . 67 Appendix C. FIDO Device Onboarding Example Flow
C.8. EndpointAppsExt Extension Schema OpenAPI Acknowledgments
Representation . . . . . . . . . . . . . . . . . . . . . 69 Authors' Addresses
Appendix D. Fido Device Onboarding Example Flow . . . . . . . . 70
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 72
1. Introduction 1. Introduction
The Internet of Things presents a management challenge in many The Internet of Things presents a management challenge in many
dimensions. One of them is the ability to onboard and manage large dimensions. One of them is the ability to onboard and manage a large
number of devices. There are many models for bootstrapping trust number of devices. There are many models for bootstrapping trust
between devices and network deployments. Indeed it is expected that between devices and network deployments. Indeed, it is expected that
different manufacturers will make use of different methods. different manufacturers will make use of different methods.
SCIM (System for Cross-domain Identity Management) [RFC7643] The System for Cross-domain Identity Management (SCIM) [RFC7643]
[RFC7644] defines a protocol and a schema for provisioning of users. [RFC7644] defines a protocol and a schema for the provisioning of
However, it can easily be extended to provision device credentials users. However, it can easily be extended to provision device
and other attributes into a network. The protocol and core schema credentials and other attributes into a network. The protocol and
were designed to permit just such extensions. Bulk operations are core schema were designed to permit just such extensions. Bulk
supported. This is good because often devices are procured in bulk. operations are supported. This is good because often devices are
procured in bulk.
A primary purpose of this specification is to provision the network A primary purpose of this specification is to provision the network
for onboarding and communications access to and from devices within a for onboarding and communications access to and from devices within a
local deployment based on the underlying capabilities of those local deployment based on the underlying capabilities of those
devices. devices.
The underlying security mechanisms of some devices range from non- The underlying security mechanisms of some devices range from non-
existent such as the Bluetooth Low Energy (BLE) "Just Works" pairing existent such as the Bluetooth Low Energy (BLE) "Just Works" pairing
method to a robust FIDO Device Onboard (FDO) mechanism. Information method to a robust FIDO Device Onboard (FDO) mechanism. Information
from the SCIM server is dispatched to control functions based on from the SCIM server is dispatched to control functions based on
selected schema extensions to enable these communications within a selected schema extensions to enable these communications within a
network. The SCIM database is therefore essentially equivalent to a network. The SCIM database is therefore essentially equivalent to a
network's Authentication, Authorization, and Accounting (AAA) network's Authentication, Authorization, and Accounting (AAA)
database, and should be carefully managed as such. database and should be carefully managed as such.
1.1. Why SCIM for devices? 1.1. Why SCIM for Devices?
There are a number of existing models that might provide the basis There are a number of existing models that might provide the basis
for a scheme for provisioning devices onto a network, including two for a scheme for provisioning devices onto a network, including two
standardised by the IETF: NETCONF [RFC6241] or RESTCONF [RFC8040] standardized by the IETF: NETCONF [RFC6241] or RESTCONF [RFC8040]
with YANG [RFC7950]. SCIM was chosen for the following reasons: with YANG [RFC7950]. SCIM was chosen for the following reasons:
* NETCONF and RESTCONF focus on *configuration* rather than * NETCONF and RESTCONF focus on *configuration* rather than
provisioning. provisioning.
* SCIM is designed with inter-domain provisioning in mind. The use * SCIM is designed with inter-domain provisioning in mind. The use
of HTTP as a substrate permits both user-based authentication for of HTTP as a substrate permits both user-based authentication for
local provisioning applications, as well as OAUTH or certificate- local provisioning applications, as well as OAUTH or certificate-
based authentication. The inter-domain nature of these operations based authentication. The inter-domain nature of these operations
does not expose local policy, which itself must be (and often is) does not expose local policy, which itself must be (and often is)
configured with other APIs, many of which are not standardized. configured with other APIs, many of which are not standardized.
* SCIM is also a familiar tool within the enterprise enviroment, * SCIM is also a familiar tool within the enterprise environment,
used extensively to configure federated user accounts. used extensively to configure federated user accounts.
* Finally, once one chooses a vehicle such as SCIM, one is beholden * Finally, once one chooses a vehicle such as SCIM, one is beholden
to its data model. The SCIM data model is more targeted to to its data model. The SCIM data model is more targeted to
provisioning as articulated in [RFC7643]. provisioning as articulated in [RFC7643].
This taken together with the fact that end devices are not intended This taken together with the fact that end devices are not intended
to be *directly* configured leave us with SCIM as the best standard to be *directly* configured leaves us with SCIM as the best standard
option. option.
1.2. Protocol Participants 1.2. Protocol Participants
In the normal SCIM model, it was presumed that large federated In the normal SCIM model, it was presumed that large federated
deployments would be SCIM clients who provision and remove employees deployments would be SCIM clients who provision and remove employees
and contractors as they enter and depart those deployments, and and contractors as they enter and depart those deployments, and
federated services such as sales, payment, or conferencing services federated services such as sales, payment, or conferencing services
would be the servers. would be the servers.
In the device model, the roles are reversed, and may be somewhat more In the device model, the roles are reversed and may be somewhat more
varied. The SCIM server resides within a deployment and is used for varied. The SCIM server resides within a deployment and is used for
receiving information about devices that are expected to be connected receiving information about devices that are expected to be connected
to its network. That server will apply appropriate local policies to its network. That server will apply appropriate local policies
regarding whether/how the device should be connected. regarding whether/how the device should be connected.
The client may be one of a number of entities: The client may be one of a number of entities:
* A vendor who is authorized to add devices to a network as part of * A vendor who is authorized to add devices to a network as part of
a sales transaction. This is similar to the sales integration a sales transaction. This is similar to the sales integration
sometimes envisioned by Bootstrapping Remote Key Infrastructure sometimes envisioned by Bootstrapping Remote Secure Key
(BRSKI) [RFC8995]. Infrastructure (BRSKI) [RFC8995].
* A client application that administrators or employees use to add, * A client application that administrators or employees use to add,
remove, or get information about devices. An example might be an remove, or get information about devices. An example might be a
tablet or phone app that scans Wi-fi Easy Connect QR codes. tablet or phone app that scans Wi-Fi Easy Connect QR codes.
+-----------------------------------+ +-----------------------------------+
| | | |
+-----------+ Request | +---------+ | +-----------+ Request | +---------+ |
| onboarding|------------->| SCIM | | | Onboarding|------------->| SCIM | |
| app |<-------------| Server | | | App |<-------------| Server | |
+-----------+ Ctrl Endpt +---------+ | +-----------+ Ctrl Endpt +---------+ |
| | | | | |
| |(device info) | | |(Device Info) |
| v | | v |
+-----------+ | +------------+ +-------+ | +-----------+ | +------------+ +-------+ |
| Control |...........|..| ALG |.........|device | | | Control |...........|..| ALG |.........|Device | |
| App | | +------------+ +-------+ | | App | | +------------+ +-------+ |
+-----------+ | | +-----------+ | |
| Local network | | Local Network |
+-----------------------------------+ +-----------------------------------+
Figure 1: Basic Architecture - non-IP example Figure 1: Basic Architecture - Non-IP Example
In Figure 1, the onboarding application (app) provides the device In Figure 1, the onboarding application (app) provides the device
particulars, which will vary based on the type of device, as particulars, which will vary based on the type of device, as
indicated by the selection of schema extensions. As part of the indicated by the selection of schema extensions. As part of the
response, the SCIM server might provide additional information, response, the SCIM server might provide additional information,
especially in the case of non-IP devices, where an application-layer especially in the case of non-IP devices, where an application-layer
gateway may need to be used to communicate with the device (c.f., gateway may need to be used to communicate with the device (c.f.,
[I-D.ietf-asdf-nipc]). The control endpoint is one among a number of [NIPC-API]). The control endpoint is one among a number of objects
objects that may be returned. That control endpoint will then that may be returned. That control endpoint will then communicate
communicate with the application layer gateway (ALG) to reach the with the Application Layer Gateway (ALG) to reach the device.
device.
+------------------------------------+ +------------------------------------+
| | | |
+-----------+ Request | +---------+ +----+ +------+ | +-----------+ Request | +---------+ +----+ +------+ |
| onboarding|------------->| SCIM |-->| AAA|<-->|switch| | | Onboarding|------------->| SCIM |-->| AAA|<-->|Switch| |
| app |<-------------| Server | +----+ +------+ | | App |<-------------| Server | +----+ +------+ |
+-----------+ Ctrl Endpt +---------+ | | +-----------+ Ctrl Endpt +---------+ | |
| | | | | |
+-----------+ | +------------+ +-------+ | +-----------+ | +------------+ +-------+ |
| Control |...........|..| router/fw |.........|device | | | Control |...........|..| Router/fw |.........|Device | |
| App | | +------------+ +-------+ | | App | | +------------+ +-------+ |
+-----------+ | | +-----------+ | |
| Local network | | Local Network |
+------------------------------------+ +------------------------------------+
Figure 2: Interaction with AAA Figure 2: Interaction with AAA
Figure 2 shows how IP-based endpoints can be provisioned. In this Figure 2 shows how IP-based endpoints can be provisioned. In this
case, the onboarding application provisions a device via SCIM. The case, the onboarding application provisions a device via SCIM. The
necessary information is passed to the Authentication, Authorization, necessary information is passed to the Authentication, Authorization,
and Accounting (AAA) subsystem, such that the device is permitted to and Accounting (AAA) subsystem, such that the device is permitted to
connect. Once it is online, since the device is based on IP, it will connect. Once it is online, since the device is based on IP, it will
not need an ALG, but will use the normal IP infrastructure to not need an ALG, but it will use the normal IP infrastructure to
communicate with its control application. communicate with its control application.
1.3. Schema Description 1.3. Schema Description
RFC 7643 does not prescribe a language to describe a schema, but [RFC7643] does not prescribe a language to describe a schema but
instead uses narrative description with examples. We follow that instead uses a narrative description with examples. We follow that
approach. In addition, we provide non-normative JSON Schema approach. In addition, we provide non-normative JSON Schemas
[JSONSchema] and OpenAPI [OpenAPI] versions in the appendices for [JSONSchema] and OpenAPI [OpenAPI] versions in the appendices for
ease of implementation, neither of which existed when SCIM was ease of implementation, neither of which existed when SCIM was
originally developed. The only difference the authors note between originally developed. The only difference the authors note between
the normative schema representations is that JSON Schema and OpenAPI the normative schema representations is that the JSON Schemas and
do not have a means to express case sensitivity, and thus attributes OpenAPI versions do not have a means to express case sensitivity, and
that are not case sensitive must be manually validated. thus attributes that are not case sensitive must be manually
validated.
Several additional schemas specify specific onboarding mechanisms, Several additional schemas specify specific onboarding mechanisms,
such as Bluetooth Low energy (BLE) [BLE54], Wi-fi Easy Connect such as Bluetooth Low Energy (BLE) [BLE54], Wi-Fi Easy Connect
[DPP2], and FIDO Device Onboard [FDO11]. [DPP2], and FIDO Device Onboard [FDO11].
1.4. Schema Representation 1.4. Schema Representation
Attributes defined in the device core schema and extensions comprise Attributes defined in the device core schema and extensions comprise
characteristics and SCIM datatypes defined in Sections 2.2 and 2.3 of characteristics and SCIM datatypes defined in Sections 2.2 and 2.3 of
[RFC7643]. This specification does not define new characteristics [RFC7643]. This specification does not define new characteristics
and datatypes for the SCIM attributes. and datatypes for the SCIM attributes.
1.5. Terminology 1.5. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
The reader is also expected to be familiar with the narrative schema The reader is also expected to be familiar with the narrative schema
language used in [RFC7643]. language used in [RFC7643].
2. ResourceType Device 2. ResourceType Device
A new resource type 'Device' is specified. The "ResourceType" schema A new resource type 'Device' is specified. The "ResourceType" schema
specifies the metadata about a resource type (see Section 6 of specifies the metadata about a resource type (see Section 6 of
[RFC7643]). It comprises a core device schema and several extension [RFC7643]). It comprises a core device schema and several extension
skipping to change at page 7, line 39 skipping to change at line 310
whereas extension schemas extend it depending on the device's whereas extension schemas extend it depending on the device's
capability. capability.
2.1. Common Attributes 2.1. Common Attributes
The Device schema contains three common attributes as defined in The Device schema contains three common attributes as defined in
Section 3.1 of [RFC7643]. No semantic or syntax changes are made Section 3.1 of [RFC7643]. No semantic or syntax changes are made
here, but the attributes are listed merely for completeness. here, but the attributes are listed merely for completeness.
id: A required and unique attribute of the core device schema (see id: A required and unique attribute of the core device schema (see
section 3.1 of [RFC7643]). Section 3.1 of [RFC7643]).
externalId: An optional attribute (see section 3.1 of [RFC7643]). externalId: An optional attribute (see Section 3.1 of [RFC7643]).
meta: A complex attribute and is required (see section 3.1 of meta: A required and complex attribute (see Section 3.1 of
[RFC7643]). [RFC7643]).
3. SCIM Core Device Schema 3. SCIM Core Device Schema
The core device schema provides the minimal representation of a The core device schema provides the minimal representation of a
resource "Device". It contains only those attributes that any device resource "Device". It contains only those attributes that any device
may need, and only one attribute is required. It is identified using may need, and only one attribute is required. It is identified using
the schema URI: the schema URI:
"urn:ietf:params:scim:schemas:core:2.0:Device". urn:ietf:params:scim:schemas:core:2.0:Device
The following attributes are defined in the core device schema. The following attributes are defined in the core device schema.
3.1. Singular Attributes 3.1. Singular Attributes
displayName: A string that provides a human-readable name for a displayName: A string that provides a human-readable name for a
device. It is intended to be displayed to end-users and should be device. It is intended to be displayed to end users and should be
suitable for that purpose. The attribute is not required, and is suitable for that purpose. The attribute is not required and is
not case-sensitive. It may be modified and SHOULD be returned by not case sensitive. It may be modified and SHOULD be returned by
default. No uniqueness constraints are imposed on this attribute. default. No uniqueness constraints are imposed on this attribute.
active: A mutable boolean that is required. If set to TRUE, it active: A mutable boolean that is required. If set to TRUE, it
means that this device is intended to be operational. Attempts to means that this device is intended to be operational. Attempts to
control or access a device where this value is set to FALSE may control or access a device where this value is set to FALSE may
fail. For example, when used in conjunction with NIPC fail. For example, when used in conjunction with Non-IP Device
[I-D.brinckman-nipc], commands such as connect, disconnect, Control (NIPC) [NIPC], commands such as connect, disconnect, and
subscribe that control application sends to the controller for the subscribe that control application sends to the controller for the
devices any command will be rejected by the controller. devices any command will be rejected by the controller.
mudUrl: A string that represents the URL to the Manufacturer Usage mudUrl: A string that represents the URL to the Manufacturer Usage
Description (MUD) file associated with this device. This Description (MUD) file associated with this device. This
attribute is optional and mutable. The mudUrl value is case attribute is optional and mutable. The mudUrl value is case
sensitive and not unique. When present, this attribute may be sensitive and not unique. When present, this attribute may be
used as described in [RFC8520]. This attribute is case sensitive used as described in [RFC8520]. This attribute is case sensitive
and returned by default. and returned by default.
skipping to change at page 8, line 49 skipping to change at line 368
+=============+=======+=====+=======+=========+========+========+ +=============+=======+=====+=======+=========+========+========+
| displayName | F | F | F | RW | Def | None | | displayName | F | F | F | RW | Def | None |
+-------------+-------+-----+-------+---------+--------+--------+ +-------------+-------+-----+-------+---------+--------+--------+
| active | F | T | F | RW | Def | None | | active | F | T | F | RW | Def | None |
+-------------+-------+-----+-------+---------+--------+--------+ +-------------+-------+-----+-------+---------+--------+--------+
| mudUrl | F | F | T | RW | Def | None | | mudUrl | F | F | T | RW | Def | None |
+-------------+-------+-----+-------+---------+--------+--------+ +-------------+-------+-----+-------+---------+--------+--------+
| groups | T | F | T | RO | Def | n/a | | groups | T | F | T | RO | Def | n/a |
+-------------+-------+-----+-------+---------+--------+--------+ +-------------+-------+-----+-------+---------+--------+--------+
Table 1: Characteristics of device schema attributes. (Req = Table 1: Characteristics of Device Schema Attributes
Required, T = True, F = False, RO = ReadOnly, RW = ReadWrite,
and Def = Default) Legend:
Req: Required
T: True
F: False
RO: ReadOnly
RW: ReadWrite
Def: Default
<CODE BEGINS> <CODE BEGINS>
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device"], "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor", "displayName": "BLE Heart Monitor",
"active": true, "active": true,
"meta": { "meta": {
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
skipping to change at page 9, line 46 skipping to change at line 420
client applications that can control and/or receive data from the client applications that can control and/or receive data from the
devices. devices.
6. SCIM EndpointApp Schema 6. SCIM EndpointApp Schema
The EndpointApp schema is used to authorize control or telemetry The EndpointApp schema is used to authorize control or telemetry
services for clients. The schema identifies the application and how services for clients. The schema identifies the application and how
clients are to authenticate to the various services. clients are to authenticate to the various services.
The schema for "EndpointApp" is identified using the schema URI: The schema for "EndpointApp" is identified using the schema URI:
"urn:ietf:params:scim:schemas:core:2.0:EndpointApp". The following
attributes are defined in this schema. urn:ietf:params:scim:schemas:core:2.0:EndpointApp
The following attributes are defined in this schema.
6.1. Common Attributes 6.1. Common Attributes
Like Section 2.1 The EndpointApp schema contains the three common Like Section 2.1, the EndpointApp schema contains the three common
attributes specified in Section 3.1 [RFC7643]. attributes specified in Section 3.1 of [RFC7643].
6.2. Singular Attributes 6.2. Singular Attributes
applicationType: A string that represents the type of application. applicationType: A string that represents the type of application.
It will only contain two values; 'deviceControl' or 'telemetry'. It will only contain two values: 'deviceControl' or 'telemetry'.
'deviceControl' is the application that sends commands to control deviceControl is the application that sends commands to control
the device. 'telemetry' is the application that receives data from the device. telemetry is the application that receives data from
the device. The attribute is required, and is not case-sensitive. the device. The attribute is required and is not case sensitive.
The attribute is readOnly and should be returned by default. No The attribute is readOnly and should be returned by default. No
uniqueness constraints are imposed on this attribute. uniqueness constraints are imposed on this attribute.
applicationName: a string that represents a human readable name for applicationName: A string that represents a human-readable name for
the application. This attribute is required and mutable. The the application. This attribute is required and mutable. The
attribute should be returned by default and there is no uniqueness attribute should be returned by default and there is no uniqueness
contraint on the attribute. constraint on the attribute.
clientToken: A string contains a token that the client will use to clientToken: A string that contains a token that the client will use
authenticate itself. Each token may be a string up to 500 to authenticate itself. Each token may be a string up to 500
characters in length. It is not mutable, read-only, generated if characters in length. It is not mutable, read only, generated if
no certificateInfo object is provisioned, case sensitive and no certificateInfo object is provisioned, case sensitive, and
returned by default if it exists. The SCIM server should expect returned by default if it exists. The SCIM server should expect
that client tokens will be shared by the SCIM client with other that client tokens will be shared by the SCIM client with other
components within the client's infrastructure. groups: components within the client's infrastructure.
An optional read-only complex object that indicates group groups: An optional read-only complex object that indicates group
membership. Its form is precisely the same as that defined in membership. Its form is precisely the same as that defined in
Section 4.1.2 of [RFC7643]. Section 4.1.2 of [RFC7643].
6.3. Complex Attributes 6.3. Complex Attributes
6.3.1. certificateInfo 6.3.1. certificateInfo
certificateInfo is a complex attribute that contains x509 certificateInfo is a complex attribute that contains an X.509
certificate's subject name and root CA information associated with certificate's subject name and root Certificate Authority (CA)
application clients that will connect for purposes of device control information associated with application clients that will connect for
or telemetry. purposes of device control or telemetry.
rootCA: A base64-encoded string as described in [RFC4648] Section 4 rootCA: A base64-encoded string as described in Section 4 of
a trust anchor certificate. This trust anchor is applicable for [RFC4648] a trust anchor certificate. This trust anchor is
certificates used for client application access. The object is applicable for certificates used for client application access.
not required, singular, case sensitive, and read/write. If not The object is not required, singular, case sensitive, and read/
present, a set of trust anchors MUST be configured out of band. write. If not present, a set of trust anchors MUST be configured
out of band.
subjectName: when present, a string taht contains one of two one of subjectName: When present, a string that contains one of two names:
two names:
* a distinguished name as that will be present in the certificate * a distinguished name that will be present in the certificate
subject field, as described in Section 4.1.2.4 of [RFC5280]; or subject field, as described in Section 4.1.2.4 of [RFC5280] or
* or a dnsName as part of a subjectAlternateName as described in * a dnsName as part of a subjectAlternateName, as described in
Section 4.2.1.6 of [RFC5280]. Section 4.2.1.6 of [RFC5280].
In the latter case, servers validating such certificates SHALL In the latter case, servers validating such certificates SHALL
reject connections when name of the peer as resolved by a DNS reject connections when the name of the peer as resolved by a DNS
reverse lookup does not match the dnsName in the certificate. If reverse lookup does not match the dnsName in the certificate. If
multiple dnsNames are present, it is left to server multiple dnsNames are present, it is left to server
implementations to address any authorization conflicts associated implementations to address any authorization conflicts associated
with those names. This attribute is not required, mutable, with those names. This attribute is not required, mutable,
singular and NOT case sensitive. singular, and NOT case sensitive.
+=================+=======+===+=======+=========+========+========+ +=================+=======+===+=======+=========+========+========+
| Attribute | Multi |Req| Case | Mutable | Return | Unique | | Attribute | Multi |Req| Case | Mutable | Return | Unique |
| | Value | | Exact | | | | | | Value | | Exact | | | |
+=================+=======+===+=======+=========+========+========+ +=================+=======+===+=======+=========+========+========+
| applicationType | F |T | F | R | Def | None | | applicationType | F |T | F | R | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+ +-----------------+-------+---+-------+---------+--------+--------+
| applicationName | F |T | F | RW | Def | None | | applicationName | F |T | F | RW | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+ +-----------------+-------+---+-------+---------+--------+--------+
| clientToken | F |F | T | R | N | None | | clientToken | F |F | T | R | N | None |
+-----------------+-------+---+-------+---------+--------+--------+ +-----------------+-------+---+-------+---------+--------+--------+
| certificateInfo | F |F | F | RW | Def | None | | certificateInfo | F |F | F | RW | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+ +-----------------+-------+---+-------+---------+--------+--------+
| rootCA | F |F | T | RW | Def | None | | rootCA | F |F | T | RW | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+ +-----------------+-------+---+-------+---------+--------+--------+
| subjectName | F |T | T | RW | Def | None | | subjectName | F |T | T | RW | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+ +-----------------+-------+---+-------+---------+--------+--------+
Table 2: Characteristics of EndpointApp schema attributes. Table 2: Characteristics of EndpointApp Schema Attributes
(Req = Required, T = True, F = False, R = ReadOnly, RW =
ReadWrite, Manuf = Manufacturer, N = No, and Def = Default)
Note that either clientToken or certificateInfo are used for the Legend:
Req: Required
T: True
F: False
R: ReadOnly
RW: ReadWrite
Manuf: Manufacturer
N: No
Def: Default
Note that either clientToken or certificateInfo is used for the
authentication of the application. If certificateInfo is NOT present authentication of the application. If certificateInfo is NOT present
when an endpointApp is object created, then the server SHOULD return when an endpointApp object is created, then the server SHOULD return
a clientToken. Otherwise, if the server accepts the certificateInfo a clientToken. Otherwise, if the server accepts the certificateInfo
object for authentication, it SHOULD NOT return a clientToken. If object for authentication, it SHOULD NOT return a clientToken. If
the server accepts and produces a clientToken, then control and the server accepts and produces a clientToken, then control and
telemetry servers MUST validate both. The SCIM client will know that telemetry servers MUST validate both. The SCIM client will know that
this is the case based on the SCIM object that is returned. this is the case based on the SCIM object that is returned.
certificateInfo is preferred in situations where client functions are certificateInfo is preferred in situations where client functions are
federated such that different clients may connect for different federated such that different clients may connect for different
purposes. purposes.
skipping to change at page 12, line 33 skipping to change at line 560
} }
<CODE ENDS> <CODE ENDS>
Figure 4: Endpoint App Example Figure 4: Endpoint App Example
7. SCIM Device Extensions 7. SCIM Device Extensions
SCIM provides various extension schemas, their attributes, JSON SCIM provides various extension schemas, their attributes, JSON
representation, and example object. The core schema is extended with representation, and example object. The core schema is extended with
a new resource type, Device. No schemaExtensions list is specified a new resource type, Device. No schemaExtensions list is specified
in that definition. Instead, IANA registry entries are created, in that definition. Instead, IANA registry entries have been
where all values for "required" are set to false. All extensions to created, where all values for "required" are set to false. All
the Device schema MUST be registered via IANA, as described in extensions to the Device schema MUST be registered via IANA, as
Section 9.2. The schemas below demonstrate how this model is to described in Section 9.2. The schemas below demonstrate how this
work. All the SCIM Server related Schema URIs are valid only with model is to work. All the SCIM server-related schema URIs are valid
Device resource types. only with Device resource types.
7.1. Bluetooth Low Energy (BLE) Extension 7.1. Bluetooth Low Energy (BLE) Extension
This schema extends the device schema to represent the devices This schema extends the device schema to represent the devices
supporting BLE. The extension is identified using the following supporting BLE. The extension is identified using the following
schema URI: schema URI:
urn:ietf:params:scim:schemas:extension:ble:2.0:Device urn:ietf:params:scim:schemas:extension:ble:2.0:Device
The attributes are as follows: The attributes are as follows.
7.1.1. Singular Attributes 7.1.1. Singular Attributes
deviceMacAddress: A string value that represent a public MAC address deviceMacAddress: A string value that represents a public MAC
assigned by the manufacturer. It is a unique 48-bit value. It is address assigned by the manufacturer. It is a unique 48-bit
required, case insensitive, is mutable, and is returned by value. It is required, case insensitive, mutable, and returned by
default. The ECMA regular expression pattern [ECMA] is the default. The ECMA regular expression pattern [ECMA] is the
following: following:
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$ ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$
isRandom: A boolean flag taken from [BLE54]. If FALSE, the device isRandom: A boolean flag taken from [BLE54]. If FALSE, the device
is using a public MAC address. If TRUE, the device uses a random is using a public MAC address. If TRUE, the device uses a random
address. If an Idenifying Resolving Key (IRK) is present, the address. If an Identifying Resolving Key (IRK) is present, the
address represents a resolvable private address. Otherwise, the address represents a resolvable private address. Otherwise, the
address is assumed to be a random static address. Non-resolvable address is assumed to be a random static address. Non-resolvable
private addresses are not supported by this specification. This private addresses are not supported by this specification. This
attribute is not required. It is mutable, and is returned by attribute is not required. It is mutable and is returned by
default. The default value is FALSE. default. The default value is FALSE.
separateBroadcastAddress: When present, this string represents an separateBroadcastAddress: When present, this string represents an
address used for broadcasts/advertisements. This value MUST NOT address used for broadcasts/advertisements. This value MUST NOT
be set when an IRK is provided. Its form is the same as be set when an IRK is provided. Its form is the same as
deviceMacAddress. It is not required, multivalued, mutable, and deviceMacAddress. It is not required, multivalued, mutable, and
returned by default. returned by default.
irk: A string value that specifies the identity resolving key (IRK), irk: A string value that specifies the IRK, which is unique to each
which is unique to each device. It is used to resolve private device. It is used to resolve a private random address. It
random address. It should only be provisioned when isRandom is should only be provisioned when isRandom is TRUE. It is mutable
TRUE. It is mutable and never returned. For more information and never returned. For more information about the use of the
about the use of the IRK, see Section 5.4.5 of [BLE54]. IRK, see Volume 1, Part A, Section 5.4.5 of [BLE54].
mobility: A boolean attribute to enable BLE device mobility. If set mobility: A boolean attribute to enable BLE device mobility. If set
to TRUE, the device could be expected to move within a network of to TRUE, the device could be expected to move within a network of
APs. For example, BLE device is connected with AP-1 and moves out APs. For example, if a BLE device is connected with AP-1 and
of range but comes in range of AP-2, it will be disconnected with moves out of range but comes in range of AP-2, it will be
AP-1 and connects with AP-2. It is returned by default and disconnected with AP-1 and connected with AP-2. It is returned by
mutable. default and mutable.
7.1.2. Multivalued Attributes 7.1.2. Multivalued Attributes
versionSupport: A multivalued set of strings that specifies the BLE versionSupport: A multivalued set of strings that specifies the BLE
versions supported by the device in the form of an array. For versions supported by the device in the form of an array, for
example, ["4.1", "4.2", "5.0", "5.1", "5.2", "5.3", "5.4"]. It is example, ["4.1", "4.2", "5.0", "5.1", "5.2", "5.3", "5.4"]. It is
required, mutable, and return as default. required, mutable, and returned by default.
pairingMethods: An multivalued set of strings that specifies pairing pairingMethods: A multivalued set of strings that specifies pairing
methods associated with the BLE device. The pairing methods may methods associated with the BLE device. The pairing methods may
require sub-attributes, such as key/password, for the device require subattributes such as key/password for the device pairing
pairing process. To enable the scalability of pairing methods in process. To enable the scalability of pairing methods in the
the future, they are represented as extensions to incorporate future, they are represented as extensions to incorporate various
various attributes that are part of the respective pairing attributes that are part of the respective pairing process.
process. Pairing method extensions are nested inside the BLE Pairing method extensions are nested inside the BLE extension. It
extension. It is required, case sensitive, mutable, and returned is required, case sensitive, mutable, and returned by default.
by default.
7.1.3. BLE Pairing Method Extensions 7.1.3. BLE Pairing Method Extensions
The details on pairing methods and their associated attributes are in The details on pairing methods and their associated attributes are in
section 5.2.4 of [BLE54]. This memo defines extensions for four Volume 1, Part A, Section 5.2.4 of [BLE54]. This memo defines
pairing methods that are nested insided the BLE extension schema. extensions for four pairing methods that are nested inside the BLE
Each extension contains the common attributes Section 6.1. These extension schema. Each extension contains the common attributes in
extension are as follows: Section 6.1. These extensions are as follows:
(i) pairingNull extension is identified using the following schema i. The pairingNull extension is identified using the following
URI: schema URI:
urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device
pairingNull does not have any attribute. It allows pairing for BLE pairingNull does not have any attribute. It allows pairing for
devices that do not require a pairing method. BLE devices that do not require a pairing method.
(ii) pairingJustWorks extension is identified using the following ii. The pairingJustWorks extension is identified using the
schema URI: following schema URI:
urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device
Just Works pairing method does not require a key to pair devices. The Just Works pairing method does not require a key to pair
For completeness, the key attribute is included and is set to 'null'. devices. For completeness, the key attribute is included and
Key attribute is required, immutable, and returned by default. is set to 'null'. The key attribute is required, immutable,
and returned by default.
(iii) pairingPassKey extension is identified using the following iii. The pairingPassKey extension is identified using the following
schema URI: schema URI:
urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device
The passkey pairing method requires a 6-digit key to pair devices. The passkey pairing method requires a 6-digit key to pair
This extension has one singular integer attribute, "key", which is devices. This extension has one singular integer attribute,
required, mutable and returned by default. The key pattern is as "key", which is required, mutable, and returned by default.
follows: The key pattern is as follows:
^[0-9]{6}$ ^[0-9]{6}$
(iv) pairingOOB extension is identified using the following schema iv. The pairingOOB extension is identified using the following
URI: schema URI:
urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device
The out-of-band pairing method includes three singular attributes, The out-of-band (OOB) pairing method includes three singular
i.e., key, randomNumber, and confirmationNumber. attributes: key, randomNumber, and confirmationNumber.
key: A string value, required and received from out-of-band sources key: A string value that is required and received from out-of-
such as NFC. It is case sensitive, mutable, and returned by band sources such as Near Field Communication (NFC). It is
default. case sensitive, mutable, and returned by default.
randomNumber: An integer that represents a nonce added to the key. randomNumber: An integer that represents a nonce added to the
It is a required attribute. It is mutable and returned by key. It is a required attribute. It is mutable and
default. returned by default.
confirmationNumber: An integer which some solutions require in confirmationNumber: An integer that some solutions require in
RESTful message exchange. It is not required. It is mutable and a RESTful message exchange. It is not required. It is
returned by default if it exists. mutable and returned by default if it exists.
+==================+=======+===+=======+=========+========+========+ +==================+=======+===+=======+=========+========+========+
| Attribute | Multi |Req| Case | Mutable | Return | Unique | | Attribute | Multi |Req| Case | Mutable | Return | Unique |
| | Value | | Exact | | | | | | Value | | Exact | | | |
+==================+=======+===+=======+=========+========+========+ +==================+=======+===+=======+=========+========+========+
| deviceMacAddress | F |T | F | RW | Def | Manuf | | deviceMacAddress | F |T | F | RW | Def | Manuf |
+------------------+-------+---+-------+---------+--------+--------+ +------------------+-------+---+-------+---------+--------+--------+
| isRandom | F |T | F | RW | Def | None | | isRandom | F |T | F | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+ +------------------+-------+---+-------+---------+--------+--------+
| sepBroadcastAdd | T |F | F | RW | Def | None | | sepBroadcastAdd | T |F | F | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+ +------------------+-------+---+-------+---------+--------+--------+
| irk | F |F | F | WO | Nev | Manuf | | irk | F |F | F | WO | Nev | Manuf |
+------------------+-------+---+-------+---------+--------+--------+ +------------------+-------+---+-------+---------+--------+--------+
| versionSupport | T |T | F | RW | Def | None | | versionSupport | T |T | F | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+ +------------------+-------+---+-------+---------+--------+--------+
| mobility | F |F | F | RW | Def | None | | mobility | F |F | F | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+ +------------------+-------+---+-------+---------+--------+--------+
| pairingMethods | T |T | T | RW | Def | None | | pairingMethods | T |T | T | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+ +------------------+-------+---+-------+---------+--------+--------+
Table 3: Characteristics of BLE extension schema attributes. Table 3: Characteristics of BLE Extension Schema Attributes
sepBroadcastAdd is short for separateBroadcastAddress. (Req =
Required, T = True, F = False, RW = ReadWrite, WO=Write Only, Legend:
Def = Default, Nev = Never, and Manuf = Manufacturer).
sepBroadcastAdd: separateBroadcastAddress
Req: Required
T: True
F: False
RW: ReadWrite
WO: Write Only
Def: Default
Nev: Never
Manuf: Manufacturer
<CODE BEGINS> <CODE BEGINS>
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device"], "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor", "displayName": "BLE Heart Monitor",
"active": true, "active": true,
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : { "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
skipping to change at page 17, line 42 skipping to change at line 799
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109 "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109
-8486-d5c6a3316111" -8486-d5c6a3316111"
} }
} }
<CODE ENDS> <CODE ENDS>
Figure 6: BLE with pairingOOB Figure 6: BLE with pairingOOB
However, a device can have more than one pairing method. Support for However, a device can have more than one pairing method. Support for
multiple pairing methods is also provided by the multi-valued multiple pairing methods is also provided by the multivalued
attribute pairingMethods. In the example below, the BLE device can attribute pairingMethods. In the example below, the BLE device can
pair with both passkey and OOB pairing methods. pair with both passkey and OOB pairing methods.
<CODE BEGINS> <CODE BEGINS>
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device"], "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor", "displayName": "BLE Heart Monitor",
skipping to change at page 18, line 45 skipping to change at line 843
"resourceType": "Device", "resourceType": "Device",
"created": "2022-01-23T04:56:22Z", "created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z", "lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109 "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109
-8486-d5c6a3316111" -8486-d5c6a3316111"
} }
} }
<CODE ENDS> <CODE ENDS>
Figure 7: BLE Pairing with both passkey and OOB Figure 7: BLE Pairing with Both Passkey and OOB
7.2. Wi-Fi Easy Connect Extension 7.2. Wi-Fi Easy Connect Extension
A schema that extends the device schema to enable Wi-Fi Easy Connect A schema that extends the device schema to enable Wi-Fi Easy Connect
(otherwise known as Device Provisioning Protocol or DPP). Throughout (otherwise known as Device Provisioning Protocol (DPP)). Throughout
this specification we use the term DPP. The extension is identified this specification, we use the term "DPP". The extension is
using the following schema URI: identified using the following schema URI:
urn:ietf:params:scim:schemas:extension:dpp:2.0:Device urn:ietf:params:scim:schemas:extension:dpp:2.0:Device
The attributes in this extension are adopted from [DPP2]. The The attributes in this extension are adopted from [DPP2]. The
attributes are as follows: attributes are as follows.
7.2.1. Singular Attributes 7.2.1. Singular Attributes
dppVersion: An integer that represents the version of DPP the device dppVersion: An integer that represents the version of DPP the device
supports. This attribute is required, case insensitive, mutable, supports. This attribute is required, case insensitive, mutable,
and returned by default. and returned by default.
bootstrapKey: A string value representing an Elliptic-Curve Diffie- bootstrapKey: A string value representing an Elliptic Curve Diffie-
Hellman (ECDH) public key. The base64 encoded lengths for P-256, Hellman (ECDH) public key. The base64-encoded lengths for P-256,
P-384, and P-521 are 80, 96, and 120 characters. This attribute P-384, and P-521 are 80, 96, and 120 characters. This attribute
is required, case-sensitive, mutable, and returned by default. is required, case sensitive, mutable, and returned by default.
deviceMacAddress: A MAC address stored as string. It is a unique deviceMacAddress: A MAC address stored as a string. It is a unique
48-bit value. This attribut is optional, case insensitive, 48-bit value. This attribute is optional, case insensitive,
mutable, and returned by default. Its form is identical to that mutable, and returned by default. Its form is identical to that
of the deviceMacAddress for BLE devices. of the deviceMacAddress for BLE devices.
serialNumber: An alphanumeric serial number, stored as string, may serialNumber: An alphanumeric serial number stored as a string. It
also be passed as bootstrapping information. This attribute is may also be passed as bootstrapping information. This attribute
optional, case insensitive, mutable, and returned by default. is optional, case insensitive, mutable, and returned by default.
7.2.2. Multivalued Attributes 7.2.2. Multivalued Attributes
bootstrappingMethod: One or more strings of all the bootstrapping bootstrappingMethod: One or more strings of all the bootstrapping
methods available on the enrollee device. For example, [QR, NFC]. methods available on the enrollee device, for example, [QR, NFC].
This attribute is optional, case insensitive, mutable, and This attribute is optional, case insensitive, mutable, and
returned by default. returned by default.
classChannel: One or more strings representing the global operating classChannel: One or more strings representing the global operating
class and channel shared as bootstrapping information. It is class and channel shared as bootstrapping information. It is
formatted as class/channel. For example, ['81/1','115/36']. This formatted as class/channel, for example, ['81/1','115/36']. This
attribute is optional, case insensitive, mutable, and returned by attribute is optional, case insensitive, mutable, and returned by
default. default.
+=====================+=====+===+=====+=========+========+========+ +=====================+=====+===+=====+=========+========+========+
| Attribute |Multi|Req|Case | Mutable | Return | Unique | | Attribute |Multi|Req|Case | Mutable | Return | Unique |
| |Value| |Exact| | | | | |Value| |Exact| | | |
+=====================+=====+===+=====+=========+========+========+ +=====================+=====+===+=====+=========+========+========+
| dppVersion |F |T |F | RW | Def | None | | dppVersion |F |T |F | RW | Def | None |
+---------------------+-----+---+-----+---------+--------+--------+ +---------------------+-----+---+-----+---------+--------+--------+
| bootstrapKey |F |T |T | WO | Nev | None | | bootstrapKey |F |T |T | WO | Nev | None |
+---------------------+-----+---+-----+---------+--------+--------+ +---------------------+-----+---+-----+---------+--------+--------+
| deviceMacAddress |F |F |F | RW | Def | Manuf | | deviceMacAddress |F |F |F | RW | Def | Manuf |
+---------------------+-----+---+-----+---------+--------+--------+ +---------------------+-----+---+-----+---------+--------+--------+
| serialNumber |F |F |F | RW | Def | None | | serialNumber |F |F |F | RW | Def | None |
+---------------------+-----+---+-----+---------+--------+--------+ +---------------------+-----+---+-----+---------+--------+--------+
| bootstrappingMethod |T |F |F | RW | Def | None | | bootstrappingMethod |T |F |F | RW | Def | None |
+---------------------+-----+---+-----+---------+--------+--------+ +---------------------+-----+---+-----+---------+--------+--------+
| classChannel |T |F |F | RW | Def | None | | classChannel |T |F |F | RW | Def | None |
+---------------------+-----+---+-----+---------+--------+--------+ +---------------------+-----+---+-----+---------+--------+--------+
Table 4: Characteristics of DPP extension schema attributes. Table 4: Characteristics of DPP Extension Schema Attributes
(Req = Required, T = True, F = False, RW = ReadWrite, WO =
Write Only, Def = Default, Nev = Never, and Manuf = Legend:
Manufacturer).
Req: Required
T: True
F: False
RW: ReadWrite
WO: Write Only
Def: Default
Nev: Never
Manuf: Manufacturer
<CODE BEGINS> <CODE BEGINS>
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:dpp:2.0 "urn:ietf:params:scim:schemas:extension:dpp:2.0
:Device"], :Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "WiFi Heart Monitor", "displayName": "WiFi Heart Monitor",
"active": true, "active": true,
skipping to change at page 22, line 20 skipping to change at line 981
onto the network. It takes the identical form as found in the BLE onto the network. It takes the identical form as found in the BLE
extension. extension.
+==================+=======+===+=======+=========+========+========+ +==================+=======+===+=======+=========+========+========+
| Attribute | Multi |Req| Case | Mutable | Return | Unique | | Attribute | Multi |Req| Case | Mutable | Return | Unique |
| | Value | | Exact | | | | | | Value | | Exact | | | |
+==================+=======+===+=======+=========+========+========+ +==================+=======+===+=======+=========+========+========+
| deviceMacAddress | F |T | F | RW | Def | None | | deviceMacAddress | F |T | F | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+ +------------------+-------+---+-------+---------+--------+--------+
Table 5: Characteristics of MAB extension schema attributes (Req Table 5: Characteristics of MAB Extension Schema Attributes
= Required, T = True, F = False, RW = ReadWrite, and Def =
Default) Legend:
Req: Required
T: True
F: False
RW: ReadWrite
Def: Default
<CODE BEGINS> <CODE BEGINS>
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0
:Device"], :Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "Some random Ethernet Device", "displayName": "Some random Ethernet Device",
"active": true, "active": true,
skipping to change at page 23, line 12 skipping to change at line 1025
Figure 9: MAB Example Figure 9: MAB Example
7.4. FIDO Device Onboard Extension 7.4. FIDO Device Onboard Extension
This extension specifies a voucher to be used by the FDO Device This extension specifies a voucher to be used by the FDO Device
Onboard (FDO) protocols [FDO11] to complete a trusted transfer of Onboard (FDO) protocols [FDO11] to complete a trusted transfer of
ownership and control of the device to the environment. The SCIM ownership and control of the device to the environment. The SCIM
server MUST know how to process the voucher, either directly or by server MUST know how to process the voucher, either directly or by
forwarding it along to an owner process as defined in the FDO forwarding it along to an owner process as defined in the FDO
specification. specification. The extension is identified using the following
schema URI:
urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device
7.4.1. Single Attribute 7.4.1. Single Attribute
This extension has a singular attribute: This extension has a singular attribute:
fdoVoucher: The voucher is formated as a PEM-encoded object in fdoVoucher: The voucher is formatted as a PEM-encoded object in
accordance with [FDO11]. accordance with [FDO11].
+============+=======+=====+=======+=========+========+========+ +============+=======+=====+=======+=========+========+========+
| Attribute | Multi | Req | Case | Mutable | Return | Unique | | Attribute | Multi | Req | Case | Mutable | Return | Unique |
| | Value | | Exact | | | | | | Value | | Exact | | | |
+============+=======+=====+=======+=========+========+========+ +============+=======+=====+=======+=========+========+========+
| fdoVoucher | F | T | F | WO | Nev | None | | fdoVoucher | F | T | F | WO | Nev | None |
+------------+-------+-----+-------+---------+--------+--------+ +------------+-------+-----+-------+---------+--------+--------+
Table 6: Characteristics of FDO extension schema attributes Table 6: Characteristics of FDO Extension Schema Attributes
(Req = Required, T = True, F = False, WO = WriteOnly, and
Nev = Never) Legend:
Req: Required
T: True
F: False
WO: WriteOnly
Nev: Never
<CODE BEGINS> <CODE BEGINS>
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Devices", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Devices",
"urn:ietf:params:scim:schemas:extension:fido-device-onboard "urn:ietf:params:scim:schemas:extension:fido-device-onboard
:2.0:Devices"], :2.0:Devices"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "Some random Ethernet Device", "displayName": "Some random Ethernet Device",
"active": true, "active": true,
skipping to change at page 24, line 41 skipping to change at line 1090
7.5. Zigbee Extension 7.5. Zigbee Extension
A schema that extends the device schema to enable the provisioning of A schema that extends the device schema to enable the provisioning of
Zigbee devices [Zigbee]. The extension is identified using the Zigbee devices [Zigbee]. The extension is identified using the
following schema URI: following schema URI:
urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device
It has one singular attribute and one multivalued attribute. The It has one singular attribute and one multivalued attribute. The
attributes are as follows: attributes are as follows.
7.5.1. Singular Attribute 7.5.1. Singular Attribute
deviceEui64Address: An EUI-64 (Extended Unique Identifier) device deviceEui64Address: A 64-bit Extended Unique Identifier (EUI-64)
address stored as string. This attribute is required, case device address stored as string. This attribute is required, case
insensitive, mutable, and returned by default. It takes the same insensitive, mutable, and returned by default. It takes the same
form as the deviceMACaddress in the BLE extension. form as the deviceMACaddress in the BLE extension.
7.5.2. Multivalued Attribute 7.5.2. Multivalued Attribute
versionSupport: One or more strings of all the Zigbee versions versionSupport: One or more strings of all the Zigbee versions
supported by the device. For example, [3.0]. This attribute is supported by the device, for example, [3.0]. This attribute is
required, case insensitive, mutable, and returned by default. required, case insensitive, mutable, and returned by default.
+====================+=====+===+=======+=========+========+========+ +====================+=====+===+=======+=========+========+========+
| Attribute |Multi|Req| Case | Mutable | Return | Unique | | Attribute |Multi|Req| Case | Mutable | Return | Unique |
| |Value| | Exact | | | | | |Value| | Exact | | | |
+====================+=====+===+=======+=========+========+========+ +====================+=====+===+=======+=========+========+========+
| deviceEui64Address |F |T | F | RW | Def | None | | deviceEui64Address |F |T | F | RW | Def | None |
+--------------------+-----+---+-------+---------+--------+--------+ +--------------------+-----+---+-------+---------+--------+--------+
| versionSupport |T |T | F | RW | Def | None | | versionSupport |T |T | F | RW | Def | None |
+--------------------+-----+---+-------+---------+--------+--------+ +--------------------+-----+---+-------+---------+--------+--------+
Table 7: Characteristics of Zigbee extension schema attributes. Table 7: Characteristics of Zigbee Extension Schema Attributes
(Req = Required, T = True, F = False, RW = ReadWrite, and Def =
Default) Legend:
Req: Required
T: True
F: False
RW: ReadWrite
Def: Default
<CODE BEGINS> <CODE BEGINS>
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device"], "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "Zigbee Heart Monitor", "displayName": "Zigbee Heart Monitor",
"active": true, "active": true,
"urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device" : { "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device" : {
skipping to change at page 26, line 5 skipping to change at line 1156
<CODE ENDS> <CODE ENDS>
Figure 11: Zigbee Example Figure 11: Zigbee Example
7.6. The Endpoint Applications Extension Schema 7.6. The Endpoint Applications Extension Schema
Sometimes non-IP devices such as those using BLE or Zigbee require an Sometimes non-IP devices such as those using BLE or Zigbee require an
application gateway interface to manage them. SCIM clients MUST NOT application gateway interface to manage them. SCIM clients MUST NOT
specify this to describe native IP-based devices. specify this to describe native IP-based devices.
endpointAppsExt provides the list of applications that connect to endpointAppsExt provides the list of applications that connect to an
enterprise gateway. The endpointAppsExt has one multivalued enterprise gateway. endpointAppsExt has one multivalued attribute and
attribute and two singular attributes. The extension is identified two singular attributes. The extension is identified using the
using the following schema URI: following schema URI:
urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device
7.6.1. Singular Attributes 7.6.1. Singular Attributes
deviceControlEnterpriseEndpoint: A string representing the URL of deviceControlEnterpriseEndpoint: A string representing the URL of
the enterprise endpoint to reach the enterprise gateway. When the the enterprise endpoint to reach the enterprise gateway. When the
enterprise receives the SCIM object from the onboarding enterprise receives the SCIM object from the onboarding
application, it adds this attribute to it and sends it back as a application, it adds this attribute to it and sends it back as a
response to the onboarding application. This attribute is response to the onboarding application. This attribute is
required, case-sensitive, mutable, and returned by default. The required, case sensitive, mutable, and returned by default. The
uniqueness is enforced by the enterprise. uniqueness is enforced by the enterprise.
telemetryEnterpriseEndpoint: A string representing a URL of the telemetryEnterpriseEndpoint: A string representing a URL of the
enterprise endpoint to reach the an enterprise gateway for enterprise endpoint to reach an enterprise gateway for telemetry.
telemetry. When the enterprise receives the SCIM object from the When the enterprise receives the SCIM object from the onboarding
onboarding application, it adds this attribute to it and sends it application, it adds this attribute to it and sends it back as a
back as a response to the onboarding application. This attribute response to the onboarding application. This attribute is
is optional, case-sensitive, mutable, and returned by default. optional, case sensitive, mutable, and returned by default. The
The uniqueness is enforced by the enterprise. An implementation uniqueness is enforced by the enterprise. An implementation MUST
MUST generate an exception if telemetryEnterpriseEndpoint is not generate an exception if telemetryEnterpriseEndpoint is not
returned and telemetry is required for the proper functioning of a returned and telemetry is required for the proper functioning of a
device. device.
7.6.2. Multivalued Attribute 7.6.2. Multivalued Attribute
applications: A multivalued attribute of one or more complex applications: A multivalued attribute of one or more complex
attributes that represent a list of endpoint applications i.e., attributes that represent a list of endpoint applications, i.e.,
deviceControl and telemetry. Each entry in the list comprises two deviceControl and telemetry. Each entry in the list comprises two
attributes including "value" and "$ref". attributes including "value" and "$ref".
value: A string containingthe identifier of the endpoint application value: A string containing the identifier of the endpoint
formated as UUID. It is same as the common attribute "$id" of the application formatted as a Universally Unique Identifier (UUID).
resource "endpointApp". It is read/write, required, case It is the same as the common attribute "$id" of the resource
insensitive and returned by default. "endpointApp". It is read/write, required, case insensitive, and
returned by default.
$ref: A reference to the respective endpointApp resource object $ref: A reference to the respective endpointApp resource object
stored in the SCIM server. It is readOnly, required, case stored in the SCIM server. It is readOnly, required, case
sensitive and returned by default. sensitive, and returned by default.
+====================+=====+===+=======+=========+========+========+ +====================+=====+===+=======+=========+========+========+
| Attribute |Multi|Req| Case | Mutable | Return | Unique | | Attribute |Multi|Req| Case | Mutable | Return | Unique |
| |Value| | Exact | | | | | |Value| | Exact | | | |
+====================+=====+===+=======+=========+========+========+ +====================+=====+===+=======+=========+========+========+
| devContEntEndpoint |F |T | T | R | Def | Ent | | devContEntEndpoint |F |T | T | R | Def | Ent |
+--------------------+-----+---+-------+---------+--------+--------+ +--------------------+-----+---+-------+---------+--------+--------+
| telEntEndpoint |F |F | T | R | Def | Ent | | telEntEndpoint |F |F | T | R | Def | Ent |
+--------------------+-----+---+-------+---------+--------+--------+ +--------------------+-----+---+-------+---------+--------+--------+
| applications |T |T | F | RW | Def | None | | applications |T |T | F | RW | Def | None |
+--------------------+-----+---+-------+---------+--------+--------+ +--------------------+-----+---+-------+---------+--------+--------+
| value |F |T | F | RW | Def | None | | value |F |T | F | RW | Def | None |
+--------------------+-----+---+-------+---------+--------+--------+ +--------------------+-----+---+-------+---------+--------+--------+
| $ref |F |T | F | R | Def | None | | $ref |F |T | F | R | Def | None |
+--------------------+-----+---+-------+---------+--------+--------+ +--------------------+-----+---+-------+---------+--------+--------+
Table 8: Characteristics of EndpointAppsExt extension schema Table 8: Characteristics of EndpointAppsExt Extension Schema
attributes. DevContEntEndpoint represents attribute Attributes
deviceControlEnterpriseEndpoint and telEntEndpoint represents
telemetryEnterpriseEndpoint. (Req = Required, T = True, F = Legend:
False, R = ReadOnly, RW = ReadWrite, Ent = Enterprise, and Def =
Default). devContEntEndpoint: deviceControlEnterpriseEndpoint
telEntEndpoint: telemetryEnterpriseEndpoint
Req: Required
T: True
F: False
R: ReadOnly
RW: ReadWrite
Ent: Enterprise
Def: Default
<CODE BEGINS> <CODE BEGINS>
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device", "urn:ietf:params:scim:schemas:extension:ble:2.0:Device",
"urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0 "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0
:Device"], :Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor", "displayName": "BLE Heart Monitor",
"active": true, "active": true,
skipping to change at page 28, line 36 skipping to change at line 1288
"version": "W\/\"a330bc54f0671c9\"", "version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109 "location": "https://example.com/v2/Devices/e9e30dba-f08f-4109
-8486-d5c6a3316111" -8486-d5c6a3316111"
} }
} }
<CODE ENDS> <CODE ENDS>
Figure 12: Endpoint Applications Extension Example Figure 12: Endpoint Applications Extension Example
The schema for the endpointAppsExt extension along with BLE extension The schema for the endpointAppsExt extension along with BLE extension
is presented in JSON format in Appendix B.9, while the openAPI is presented in JSON format in Appendix A.9, while the OpenAPI
representation is provided in Appendix C.8. representation is provided in Appendix B.8.
8. Security Considerations 8. Security Considerations
Because provisioning operations permit device access to a network, Because provisioning operations permit device access to a network,
each SCIM client MUST be appropriately authenticated. each SCIM client MUST be appropriately authenticated.
8.1. SCIM operations 8.1. SCIM Operations
An attacker that has authenticated to a trusted SCIM client could An attacker that has authenticated to a trusted SCIM client could
manipulate portions of the SCIM database. To be clear on the risks, manipulate portions of the SCIM database. To be clear on the risks,
we specify each operation below: we specify each operation below.
8.1.1. Unauthorized Object Creation 8.1.1. Unauthorized Object Creation
An attacker that is authenticated could attempt to add elements that An attacker that is authenticated could attempt to add elements that
the enterprise would not normally permit on a network. For instance, the enterprise would not normally permit on a network. For instance,
an enterprise may not wish specific devices that have well-known an enterprise may not wish specific devices that have well-known
vulnerabilities to be introduced to their environment. To mitigate vulnerabilities to be introduced to their environment. To mitigate
the attack, network administrators should layer additional policies the attack, network administrators should layer additional policies
regarding what devices are permitted on the network. regarding what devices are permitted on the network.
An attacker that gains access to SCIM could attempt to add an IP- An attacker that gains access to SCIM could attempt to add an IP-
based device that itself attempts unauthorized access, effectively based device that itself attempts unauthorized access, effectively
acting as a Bot. Network administrators SHOULD establish appropriate acting as a bot. Network administrators SHOULD establish appropriate
access-control policies that follow the principle of least privilege access-control policies that follow the principle of least privilege
to mitigate this attack. to mitigate this attack.
8.2. Object Deletion 8.2. Object Deletion
Once granted, even if the object is removed, the server may or may Once granted, even if the object is removed, the server may or may
not act on that removal. The deletion of the object is a signal of not act on that removal. The deletion of the object is a signal of
intent by the application that it no longer expects the device to be intent by the application that it no longer expects the device to be
on the network. It is strictly up to the SCIM server and its back on the network. It is strictly up to the SCIM server and its back
end policy to decide whether or not to revoke access to the end policy to decide whether or not to revoke access to the
infrastructure. It is RECOMMENDED that SCIM delete operations infrastructure. It is RECOMMENDED that SCIM delete operations
trigger a workflow in accordance with local network policy. trigger a workflow in accordance with local network policy.
8.3. Read operations 8.3. Read Operations
Read operations are necessary in order for an application to sync its Read operations are necessary in order for an application to sync its
state to know what devices it is expected to manage. An attacker state to know what devices it is expected to manage. An attacker
with access to SCIM objects may gain access to the devices with access to SCIM objects may gain access to the devices
themselves. To prevent one SCIM client from interfering with devices themselves. To prevent one SCIM client from interfering with devices
that it has no business managing, only clients that have created that it has no business managing, only clients that have created
objects or those they authorize SHOULD have the ability to read those objects or those they authorize SHOULD have the ability to read those
objects. objects.
8.4. Update Operations 8.4. Update Operations
Update operations may be necessary if a device has been modified in Update operations may be necessary if a device has been modified in
some way. Attackers with update access may be able to disable some way. Attackers with update access may be able to disable
network access to devices or device access to networks. To avoid network access to devices or device access to networks. To avoid
this, the same access control policy for read operations is this, the same access control policy for read operations is
RECOMMENDED here. RECOMMENDED here.
8.5. Higher level protection for certain systems 8.5. Higher Level Protection for Certain Systems
Devices provisioned with this model may be completely controlled by Devices provisioned with this model may be completely controlled by
the administrator of the SCIM server, depending on how those systems the administrator of the SCIM server, depending on how those systems
are defined. For instance, if BLE passkeys are provided, the device are defined. For instance, if BLE passkeys are provided, the device
can be connected to, and perhaps paired with. If the administrator can be connected to, and perhaps paired with. If the administrator
of the SCIM client does not wish the network to have complete access of the SCIM client does not wish the network to have complete access
to the device, the device itself MUST support finer levels of access to the device, the device itself MUST support finer levels of access
control and additional authentication mechanisms. Any additional control and additional authentication mechanisms. Any additional
security must be provided at higher application layers. For example, security must be provided at higher application layers. For example,
if client applications wish to keep private information to and from if client applications wish to keep private information to and from
skipping to change at page 30, line 28 skipping to change at line 1368
8.6. Logging 8.6. Logging
An attacker could learn what devices are on a network by examining An attacker could learn what devices are on a network by examining
SCIM logs. Due to the sensitive nature of SCIM operations, logs SCIM logs. Due to the sensitive nature of SCIM operations, logs
SHOULD be encrypted both on the disk and in transit. SHOULD be encrypted both on the disk and in transit.
9. IANA Considerations 9. IANA Considerations
9.1. New Schemas 9.1. New Schemas
The IANA is requested to add the following additions to the "SCIM IANA has added the following additions to the "SCIM Schema URIs for
Schema URIs for Data Resources" registry as follows: Data Resources" registry:
+====================================+=============+============+
| URN | Name | Reference |
+====================================+=============+============+
| urn:ietf:params:scim:schemas:core: | Core Device | This memo, |
| 2.0:Device | Schema | Section 3 |
+------------------------------------+-------------+------------+
| urn:ietf:params:scim:schemas:core: | Endpoint | This memo, |
| 2.0:EndpointApp | Application | Section 6 |
+------------------------------------+-------------+------------+
Table 9 +====================================+=============+===========+
| Schema URI | Name | Reference |
+====================================+=============+===========+
| urn:ietf:params:scim:schemas:core: | Core Device | RFC 9944, |
| 2.0:Device | Schema | Section 3 |
+------------------------------------+-------------+-----------+
| urn:ietf:params:scim:schemas:core: | Endpoint | RFC 9944, |
| 2.0:EndpointApp | Application | Section 6 |
+------------------------------------+-------------+-----------+
Note that the line break in URNs should be removed, as should this Table 9
comment.
9.2. Device Schema Extensions 9.2. Device Schema Extensions
IANA is requested to create the following extensions in the SCIM IANA has created the following extensions in the "SCIM Server-Related
Server-Related Schema URIs registry as described in Section 7: Schema URIs" registry as described in Section 7:
+================================+=============+========+==========+
| URN | Description |Resource|Reference |
| | |Type | |
+================================+=============+========+==========+
| urn:ietf:params:scim: | BLE |Device |This memo,|
| schemas:extension: | Extension | |Section |
| ble:2.0:Device | | |7.1 |
+--------------------------------+-------------+--------+----------+
| urn:ietf:params:scim: | Ethernet |Device |This memo,|
| schemas:extension: ethernet- | MAB | |Section |
| mab:2.0:Device | | |7.3 |
+--------------------------------+-------------+--------+----------+
| urn:ietf:params:scim: | FIDO Device |Device |This memo,|
| schemas:extension: fido- | Onboard | |Section |
| device-onboard:2.0:Device | | |7.4 |
+--------------------------------+-------------+--------+----------+
| urn:ietf:params:scim: | Wi-fi Easy |Device |This memo,|
| schemas:extension: | Connect | |Section |
| dpp:2.0:Device | | |7.2 |
+--------------------------------+-------------+--------+----------+
| urn:ietf:params:scim: | Application |Device |This memo,|
| schemas:extension: | Endpoint | |Section |
| endpointAppsExt:2.0:Device | Extension | |7.1.3 |
+--------------------------------+-------------+--------+----------+
| urn:ietf:params:scim: | Just Works |Device |This memo,|
| schemas:extension: | Auth BLE | |Section |
| pairingJustWorks:2.0:Device | | |7.1.3 |
+--------------------------------+-------------+--------+----------+
| urn:ietf:params:scim: | Out of Band |Device |This memo,|
| schemas:extension: | Pairing for | |Section |
| pairingOOB:2.0:Device | BLE | |7.1.3 |
+--------------------------------+-------------+--------+----------+
| urn:ietf:params:scim: | Passkey |Device |This memo,|
| schemas:extension: | Pairing for | |Section |
| pairingPassKey:2.0:Device | BLE | |7.1.3 |
+--------------------------------+-------------+--------+----------+
Table 10 +================================+=============+========+=========+
| Schema URI | Description |Resource|Reference|
| | |Type | |
+================================+=============+========+=========+
| urn:ietf:params:scim: | BLE |Device |RFC 9944,|
| schemas:extension: | Extension | |Section |
| ble:2.0:Device | | |7.1 |
+--------------------------------+-------------+--------+---------+
| urn:ietf:params:scim: | Ethernet |Device |RFC 9944,|
| schemas:extension: ethernet- | MAB | |Section |
| mab:2.0:Device | | |7.3 |
+--------------------------------+-------------+--------+---------+
| urn:ietf:params:scim: | FIDO Device |Device |RFC 9944,|
| schemas:extension: fido- | Onboard | |Section |
| device-onboard:2.0:Device | | |7.4 |
+--------------------------------+-------------+--------+---------+
| urn:ietf:params:scim: | Wi-Fi Easy |Device |RFC 9944,|
| schemas:extension: | Connect | |Section |
| dpp:2.0:Device | | |7.2 |
+--------------------------------+-------------+--------+---------+
| urn:ietf:params:scim: | Application |Device |RFC 9944,|
| schemas:extension: | Endpoint | |Section |
| endpointAppsExt:2.0:Device | Extension | |7.1.3 |
+--------------------------------+-------------+--------+---------+
| urn:ietf:params:scim: | Just Works |Device |RFC 9944,|
| schemas:extension: | Auth BLE | |Section |
| pairingJustWorks:2.0:Device | | |7.1.3 |
+--------------------------------+-------------+--------+---------+
| urn:ietf:params:scim: | Out-of-Band |Device |RFC 9944,|
| schemas:extension: | Pairing for | |Section |
| pairingOOB:2.0:Device | BLE | |7.1.3 |
+--------------------------------+-------------+--------+---------+
| urn:ietf:params:scim: | Passkey |Device |RFC 9944,|
| schemas:extension: | Pairing for | |Section |
| pairingPassKey:2.0:Device | BLE | |7.1.3 |
+--------------------------------+-------------+--------+---------+
10. Acknowledgments Table 10
The authors would like to thank Bart Brinckman, Rohit Mohan, Lars 10. References
Streubesand, Christian Amsüss, Jason Livingwood, Mike Ounsworth,
Monty Wiseman, Geoffrey Cooper, Paulo Jorge N. Correia, Phil Hunt,
and Elwyn Davies for their reviews, and Nick Ross for his
contribution to the Appendix.
11. References 10.1. Normative References
11.1. Normative References
[BLE54] Bluetooth SIG, "Bluetooth Core Specification, Version [BLE54] Bluetooth SIG, "Bluetooth Core Specification", Version
5.4", 2023, <https://www.bluetooth.org/DocMan/handlers/ 5.4, 2023, <https://www.bluetooth.org/DocMan/handlers/
DownloadDoc.ashx?doc_id=587177>. DownloadDoc.ashx?doc_id=587177>.
[DPP2] Wi-Fi Alliance, "Wi-Fi Easy Connect Specification, Version [DPP2] Wi-Fi Alliance, "Wi-Fi Easy Connect Specification",
2.0", 2020. Version 2.0, 2020.
[ECMA] ECMA International, "ECMA-262, 16th Edition", June 2025, [ECMA] ECMA International, "ECMAScript(R) 2025 Language
Specification", ECMA-262, 16th Edition, June 2025,
<https://ecma-international.org/publications-and- <https://ecma-international.org/publications-and-
standards/standards/ecma-262/>. standards/standards/ecma-262/>.
[FDO11] FIDO Alliance, "FIDO Device Onboard Specification 1.1", [FDO11] FIDO Alliance, "FIDO Device Onboard Specification 1.1",
April 2022. Proposed Standard, April 2022,
<https://fidoalliance.org/specs/FDO/FIDO-Device-Onboard-
PS-v1.1-20220419/FIDO-Device-Onboard-PS-
v1.1-20220419.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<https://www.rfc-editor.org/info/rfc4648>. <https://www.rfc-editor.org/info/rfc4648>.
skipping to change at page 33, line 10 skipping to change at line 1483
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8520] Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage [RFC8520] Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
Description Specification", RFC 8520, Description Specification", RFC 8520,
DOI 10.17487/RFC8520, March 2019, DOI 10.17487/RFC8520, March 2019,
<https://www.rfc-editor.org/info/rfc8520>. <https://www.rfc-editor.org/info/rfc8520>.
[Zigbee] Zigbee Alliance, "Zigbee Specification", August 2015, [Zigbee] Zigbee Alliance, "Zigbee Specification", ZigBee Document
<https://zigbeealliance.org/wp-content/uploads/2019/11/ 05-3474-21, August 2015, <https://zigbeealliance.org/wp-
docs-05-3474-21-0csg-zigbee-specification.pdf>. content/uploads/2019/11/docs-05-3474-21-0csg-zigbee-
specification.pdf>.
11.2. Informative References
[I-D.brinckman-nipc]
Brinckman, B., Mohan, R., and B. Sanford, "An Application
Layer Interface for Non-IP device control (NIPC)", Work in
Progress, Internet-Draft, draft-brinckman-nipc-01, 21
April 2024, <https://datatracker.ietf.org/doc/html/draft-
brinckman-nipc-01>.
[I-D.ietf-asdf-nipc] 10.2. Informative References
Brinckman, B., Mohan, R., and B. Sanford, "An Application
Layer Interface for Non-IP device control (NIPC)", Work in
Progress, Internet-Draft, draft-ietf-asdf-nipc-12, 19
August 2025, <https://datatracker.ietf.org/doc/html/draft-
ietf-asdf-nipc-12>.
[JSONSchema] [JSONSchema]
Wright, A., Ed., Andrews, H. A., Ed., Hutton, B., Ed., and Wright, A., Ed., Andrews, H. A., Ed., Hutton, B., Ed., and
G. Dennis, "JSON Schema- A Media Type for Describing JSON G. Dennis, "JSON Schema- A Media Type for Describing JSON
Documents", December 2022, Documents", December 2022,
<https://json-schema.org/draft/2020-12/json-schema-core>. <https://json-schema.org/draft/2020-12/json-schema-core>.
[OpenAPI] swagger.io, "OpenAPI Specification, Version 3.1.1", [NIPC] Brinckman, B., Mohan, R., and B. Sanford, "An Application
October 2024, <https://swagger.io/specification/>. Layer Interface for Non-IP device control (NIPC)", Work in
Progress, Internet-Draft, draft-brinckman-nipc-01, 21
April 2024, <https://datatracker.ietf.org/doc/html/draft-
brinckman-nipc-01>.
[NIPC-API] Brinckman, B., Mohan, R., and B. Sanford, "An Application
Layer Interface for Non-Internet-Connected Physical
Components (NIPC)", Work in Progress, Internet-Draft,
draft-ietf-asdf-nipc-18, 24 February 2026,
<https://datatracker.ietf.org/doc/html/draft-ietf-asdf-
nipc-18>.
[OpenAPI] Swagger, "OpenAPI Specification", Version 3.1.1, October
2024, <https://swagger.io/specification/>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8995] Pritikin, M., Richardson, M., Eckert, T., Behringer, M., [RFC8995] Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
and K. Watsen, "Bootstrapping Remote Secure Key and K. Watsen, "Bootstrapping Remote Secure Key
Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995, Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995,
May 2021, <https://www.rfc-editor.org/info/rfc8995>. May 2021, <https://www.rfc-editor.org/info/rfc8995>.
Appendix A. Changes from Earlier Versions Appendix A. JSON Schema Representation
[RFC Editor to remove this section.]
Draft 17:
* Fix example.
Draft 16:
* More DISCUSS resolution: make clear that JSON Schema is not
normative
* Add reference for ECMA for regex
* lots of typo/spelling error cleanup
* Add figure labels for examples
* fix an aasvg rendering problem
* add some reference targets.
* Elwyn Davies review suggestions.
Drafts 17: * Post DISCUSS hiccup with groups. * Add OpenAPI header *
multivalues->multivalued * externalID->externalId * remove nullable
(wasn't doing anything) * Update appropriate json schema and openapi
accordingly.
Drafts 14, 15, 16: * Resolve DISCUSSes
Draft 13: * post IANA and IETF LC
Drafts 10-12: * additional WGLC and shepherd comments
Draft -09: * last call comments, bump BLE version, add
acknowledgments. * Also, recapture Rohit comments and those of
Christian.
Drafts 04-08: * Lots of cleanup * Security review responses * Removal
of a tab * Dealing with certificate stuff
Draft -03: * Add MAB, FDO * Some grammar improvements * fold OpenAPI
* IANA considerations
Draft -02: * Clean up examples * Move openapi to appendix Draft -01:
* Doh! We forgot the core device scheme!
Draft -00:
* Initial revision
Appendix B. JSON Schema Representation
B.1. Resource Schema A.1. Resource Schema
<CODE BEGINS> <CODE BEGINS>
[ [
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0 "schemas": ["urn:ietf:params:scim:schemas:core:2.0
:ResourceType"], :ResourceType"],
"id": "Device", "id": "Device",
"name": "Device", "name": "Device",
"endpoint": "/Devices", "endpoint": "/Devices",
"description": "Device Account", "description": "Device account.",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Device", "schema": "urn:ietf:params:scim:schemas:core:2.0:Device",
"meta": { "meta": {
"location": "https://example.com/v2/ResourceTypes/Device", "location": "https://example.com/v2/ResourceTypes/Device",
"resourceType": "ResourceType" "resourceType": "ResourceType"
} }
}, },
{ {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0 "schemas": ["urn:ietf:params:scim:schemas:core:2.0
:ResourceType"], :ResourceType"],
"id": "EndpointApp", "id": "EndpointApp",
skipping to change at page 36, line 5 skipping to change at line 1567
"schema": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp", "schema": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp",
"meta": { "meta": {
"location": "https "location": "https
://example.com/v2/ResourceTypes/EndpointApp", ://example.com/v2/ResourceTypes/EndpointApp",
"resourceType": "ResourceType" "resourceType": "ResourceType"
} }
} }
] ]
<CODE ENDS> <CODE ENDS>
B.2. Core Device Schema A.2. Core Device Schema
<CODE BEGINS> <CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:core:2.0:Device", "id": "urn:ietf:params:scim:schemas:core:2.0:Device",
"name": "Device", "name": "Device",
"description": "Entry containing attributes about a device", "description": "Entry containing attributes about a device.",
"attributes" : [ "attributes" : [
{ {
"name": "displayName", "name": "displayName",
"type": "string", "type": "string",
"description": "Human readable name of the device, suitable "description": "Human-readable name of the device, suitable
for displaying to end-users. For example, 'BLE Heart for displaying to end users, for example, 'BLE Heart
Monitor' etc.", Monitor', etc.",
"multiValued": false, "multiValued": false,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "active", "name": "active",
"type": "boolean", "type": "boolean",
"description": "A mutable boolean value indicating the device "description": "A mutable boolean value indicating the device
administrative status. If set TRUE, the commands (such as administrative status. If set TRUE, the commands (such as
connect, disconnect, subscribe) that control app sends to connect, disconnect, subscribe) that control app sends to
the controller for the devices will be processeed by the the controller for the devices will be processed by the
controller. If set FALSE, any command comming from the controller. If set FALSE, any command coming from the
control app for the device will be rejected by the control app for the device will be rejected by the
controller.", controller.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
skipping to change at page 37, line 46 skipping to change at line 1656
"caseExact": false, "caseExact": false,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "display", "name": "display",
"type": "string", "type": "string",
"multiValued": false, "multiValued": false,
"description": "A human-readable name, primarily used for "description": "A human-readable name, primarily used for
display purposes. READ-ONLY.", display purposes. READ ONLY.",
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "type", "name": "type",
"type": "string", "type": "string",
"multiValued": false, "multiValued": false,
skipping to change at page 38, line 33 skipping to change at line 1692
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device" "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device"
} }
} }
<CODE ENDS> <CODE ENDS>
B.3. EndpointApp Schema A.3. EndpointApp Schema
<CODE BEGINS> <CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp", "id": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp",
"name": "EndpointApp", "name": "EndpointApp",
"description": "Endpoint application and their credentials", "description": "Endpoint application and their credentials.",
"attributes" : [ "attributes" : [
{ {
"name": "applicationType", "name": "applicationType",
"type": "string", "type": "string",
"description": "This attribute will only contain two values; "description": "This attribute will only contain two values:
'deviceControl' or 'telemetry'.", 'deviceControl' or 'telemetry'.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "applicationName", "name": "applicationName",
"type": "string", "type": "string",
"description": "Human readable name of the application.", "description": "Human-readable name of the application.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "certificateInfo", "name": "certificateInfo",
"type": "complex", "type": "complex",
"description": "Contains x509 certificate's subject name and "description": "Contains X.509 certificate's subject name and
root CA information associated with the device control or root CA information associated with the device control or
telemetry app.", telemetry app.",
"multiValued": false, "multiValued": false,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none", "uniqueness": "none",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "rootCA", "name" : "rootCA",
"type" : "string", "type" : "string",
"description" : "The base64 encoding of the DER encoding "description" : "The base64 encoding of the DER encoding
of the CA certificate", of the CA certificate.",
"multiValued" : false, "multiValued" : false,
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "subjectName", "name" : "subjectName",
"type" : "string", "type" : "string",
"description" : "A Common Name (CN) of the form of CN = "description" : "A Common Name (CN) of the form of CN =
dnsName", dnsName.",
"multiValued" : false, "multiValued" : false,
"required" : true, "required" : true,
"caseExact" : true, "caseExact" : true,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
] ]
}, },
{ {
"name": "clientToken", "name": "clientToken",
"type": "string", "type": "string",
"description": "This attribute contains a token that the "description": "This attribute contains a token that the
client will use to authenticate itself. Each token may client will use to authenticate itself. Each token may
be a string up to 500 characters in length.", be a string up to 500 characters in length.",
"multiValued": false, "multiValued": false,
skipping to change at page 41, line 13 skipping to change at line 1816
"caseExact": false, "caseExact": false,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "display", "name": "display",
"type": "string", "type": "string",
"multiValued": false, "multiValued": false,
"description": "A human-readable name, primarily used for "description": "A human-readable name, primarily used for
display purposes. READ-ONLY.", display purposes. READ ONLY.",
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "type", "name": "type",
"type": "string", "type": "string",
"multiValued": false, "multiValued": false,
skipping to change at page 41, line 49 skipping to change at line 1852
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device" "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device"
} }
} }
<CODE ENDS> <CODE ENDS>
B.4. BLE Extension Schema A.4. BLE Extension Schema
<CODE BEGINS> <CODE BEGINS>
[ [
{ {
"id": "urn:ietf:params:scim:schemas:extension:ble:2.0:Device", "id": "urn:ietf:params:scim:schemas:extension:ble:2.0:Device",
"name": "bleExtension", "name": "bleExtension",
"description": "Ble extension for device account", "description": "BLE extension for device account.",
"attributes" : [ "attributes" : [
{ {
"name": "versionSupport", "name": "versionSupport",
"type": "string", "type": "string",
"description": "Provides a list of all the BLE versions "description": "Provides a list of all the BLE versions
supported by the device. For example, [4.1, 4.2, 5.0, supported by the device, for example, [4.1, 4.2, 5.0,
5.1, 5.2, 5.3].", 5.1, 5.2, 5.3].",
"multiValued": true, "multiValued": true,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "deviceMacAddress", "name": "deviceMacAddress",
skipping to change at page 43, line 8 skipping to change at line 1906
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "separateBroadcastAddress", "name": "separateBroadcastAddress",
"type": "string", "type": "string",
"description": "When present, this address is used for "description": "When present, this address is used for
broadcasts/advertisements. This value MUST NOT be set broadcasts/advertisements. This value MUST NOT be set
when an IRK is provided. Its form is the same as when an IRK is provided. Its form is the same as
deviceMa`cAddress.", deviceMacAddress.",
"multiValued": true, "multiValued": true,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "irk", "name": "irk",
"type": "string", "type": "string",
"description": "Identity resolving key, which is unique for "description": "Identity Resolving Key (IRK), which is
every device. It is used to resolve random address. unique for every device. It is used to resolve a
This value MUST NOT be set when random address. This value MUST NOT be set when
separateBroadcastAddress is set.", separateBroadcastAddress is set.",
"multiValued": false, "multiValued": false,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "Manufacturer" "uniqueness": "Manufacturer"
}, },
{ {
"name": "mobility", "name": "mobility",
"type": "bool", "type": "bool",
"description": "If set to True, the BLE device will "description": "If set to True, the BLE device will
automatically connect to the closest AP. For example, automatically connect to the closest AP. For example,
BLE device is connected with AP-1 and moves out of if a BLE device is connected with AP-1 and moves out of
range but comes in range of AP-2, it will be range but comes in range of AP-2, it will be
disconnected with AP-1 and connects with AP-2.", disconnected with AP-1 and connected with AP-2.",
"multiValued": false, "multiValued": false,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "pairingMethods", "name": "pairingMethods",
"type": "string", "type": "string",
"description": "List of pairing methods associated with the "description": "List of pairing methods associated with the
ble device, stored as schema URI.", BLE device, stored as schema URI.",
"multiValued": true, "multiValued": true,
"required": true, "required": true,
"caseExact": true, "caseExact": true,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:ble:2.0:Device" :extension:ble:2.0:Device"
} }
}, },
{ {
"id": "urn:ietf:params:scim:schemas:extension:pairingNull:2.0 "id": "urn:ietf:params:scim:schemas:extension:pairingNull:2.0
:Device", :Device",
"name": "nullPairing", "name": "nullPairing",
"description": "Null pairing method for ble. It is included for "description": "Null pairing method for BLE. It is included for
the devices that do not have a pairing method.", the devices that do not have a pairing method.",
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:pairingNull:2.0:Device" :extension:pairingNull:2.0:Device"
} }
}, },
{ {
"id": "urn:ietf:params:scim:schemas:extension:pairingJustWorks "id": "urn:ietf:params:scim:schemas:extension:pairingJustWorks
:2.0:Device", :2.0:Device",
"name": "pairingJustWorks", "name": "pairingJustWorks",
"description": "Just works pairing method for ble.", "description": "Just Works pairing method for BLE.",
"attributes" : [ "attributes" : [
{ {
"name": "key", "name": "key",
"type": "integer", "type": "integer",
"description": "Just works does not have any key value. For "description": "Just Works does not have any key value. For
completeness, it is added with a key value 'null'.", completeness, it is added with a key value 'null'.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "immutable", "mutability": "immutable",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
skipping to change at page 45, line 4 skipping to change at line 1998
"mutability": "immutable", "mutability": "immutable",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:pairingJustWorks:2.0:Device" :extension:pairingJustWorks:2.0:Device"
} }
}, },
{ {
"id": "urn:ietf:params:scim:schemas:extension:pairingPassKey "id": "urn:ietf:params:scim:schemas:extension:pairingPassKey
:2.0:Device", :2.0:Device",
"name": "pairingPassKey", "name": "pairingPassKey",
"description": "Pass key pairing method for ble.", "description": "Passkey pairing method for BLE.",
"attributes" : [ "attributes" : [
{ {
"name": "key", "name": "key",
"type": "integer", "type": "integer",
"description": "A six digit passkey for ble device. The "description": "A six-digit passkey for BLE device. The
pattern of key is ^[0-9]{6}$.", pattern of key is ^[0-9]{6}$.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:pairingPassKey:2.0:Device" :extension:pairingPassKey:2.0:Device"
} }
}, },
{ {
"id": "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0 "id": "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0
:Device", :Device",
"name": "pairingOOB", "name": "pairingOOB",
"description": "Pass key pairing method for ble.", "description": "Passkey pairing method for BLE.",
"attributes" : [ "attributes" : [
{ {
"name": "key", "name": "key",
"type": "string", "type": "string",
"description": "A key value retrieved from out of band "description": "A key value retrieved from out-of-band
source such as NFC.", source such as NFC.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": true, "caseExact": true,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "randomNumber", "name": "randomNumber",
skipping to change at page 46, line 33 skipping to change at line 2075
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:pairingOOB:2.0:Device" :extension:pairingOOB:2.0:Device"
} }
} }
] ]
<CODE ENDS> <CODE ENDS>
B.5. DPP Extension Schema A.5. DPP Extension Schema
<CODE BEGINS> <CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device", "id": "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device",
"name": "dppExtension", "name": "dppExtension",
"description": "Device extension schema for Wi-Fi Easy Connect "description": "Device extension schema for Wi-Fi Easy Connect
/ Device Provisioning Protocol (DPP)", / Device Provisioning Protocol (DPP).",
"attributes" : [ "attributes" : [
{ {
"name": "dppVersion", "name": "dppVersion",
"type": "integer", "type": "integer",
"description": "Version of DPP this device supports.", "description": "Version of DPP this device supports.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
skipping to change at page 47, line 4 skipping to change at line 2094
{ {
"name": "dppVersion", "name": "dppVersion",
"type": "integer", "type": "integer",
"description": "Version of DPP this device supports.", "description": "Version of DPP this device supports.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "bootstrappingMethod", "name": "bootstrappingMethod",
"type": "string", "type": "string",
"description": "The list of all the bootstrapping methods "description": "The list of all the bootstrapping methods
available on the enrollee device. For example, [QR, available on the enrollee device, for example, [QR,
NFC].", NFC].",
"multiValued": true, "multiValued": true,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "bootstrapKey", "name": "bootstrapKey",
"type": "string", "type": "string",
"description": "A base64-encoded Elliptic-Curve Diffie "description": "A base64-encoded Elliptic Curve Diffie-
-Hellman public key (may be P-256, P-384, or P-521).", Hellman public key (may be P-256, P-384, or P-521).",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": true, "caseExact": true,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "deviceMacAddress", "name": "deviceMacAddress",
"type": "string", "type": "string",
skipping to change at page 47, line 49 skipping to change at line 2138
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "Manufacturer" "uniqueness": "Manufacturer"
}, },
{ {
"name": "classChannel", "name": "classChannel",
"type": "string", "type": "string",
"description": "A list of global operating class and "description": "A list of global operating class and
channel shared as bootstrapping information. It is channel shared as bootstrapping information. It is
formatted as class/channel. For example, '81/1', formatted as class/channel, for example, '81/1',
'115/36'.", '115/36'.",
"multiValued": true, "multiValued": true,
"required": false, "required": false,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "serialNumber", "name": "serialNumber",
skipping to change at page 48, line 31 skipping to change at line 2169
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:dpp:2.0:Device" :extension:dpp:2.0:Device"
} }
} }
<CODE ENDS> <CODE ENDS>
B.6. Ethernet MAB Extension Schema A.6. Ethernet MAB Extension Schema
<CODE BEGINS> <CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 "id": "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0
:Device", :Device",
"name": "ethernetMabExtension", "name": "ethernetMabExtension",
"description": "Device extension schema for MAC authentication "description": "Device extension schema for MAC Authentication
Bypass.", Bypass.",
"attributes" : [ "attributes" : [
{ {
"name": "deviceMacAddress", "name": "deviceMacAddress",
"type": "string", "type": "string",
"pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$", "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
"description": "A MAC address assigned by the manufacturer", "description": "A MAC address assigned by the manufacturer.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "Manufacturer" "uniqueness": "Manufacturer"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:ethernet-mab:2.0:Device" :extension:ethernet-mab:2.0:Device"
} }
} }
<CODE ENDS> <CODE ENDS>
B.7. FDO Extension Schema A.7. FDO Extension Schema
<CODE BEGINS> <CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:extension:fido-device-onboard "id": "urn:ietf:params:scim:schemas:extension:fido-device-onboard
:2.0:Devices", :2.0:Devices",
"name": "FDOExtension", "name": "FDOExtension",
"description": "Device extension schema for FIDO Device Onboard "description": "Device extension schema for FIDO Device Onboard
(FDO).", (FDO).",
"attributes" : [ "attributes" : [
{ {
"name": "fdoVoucher", "name": "fdoVoucher",
"type": "string", "type": "string",
"description": "A voucher as defined in the FDO "description": "A voucher as defined in the FDO
specification", specification.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "Manufacturer" "uniqueness": "Manufacturer"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:fido-device-onboard:2.0:Devices" :extension:fido-device-onboard:2.0:Devices"
} }
} }
<CODE ENDS> <CODE ENDS>
B.8. Zigbee Extension Schema A.8. Zigbee Extension Schema
<CODE BEGINS> <CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device", "id": "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device",
"name": "zigbeeExtension", "name": "zigbeeExtension",
"description": "Device extension schema for zigbee.", "description": "Device extension schema for Zigbee.",
"attributes" : [ "attributes" : [
{ {
"name": "versionSupport", "name": "versionSupport",
"type": "string", "type": "string",
"description": "Provides a list of all the zigbee versions "description": "Provides a list of all the Zigbee versions
supported by the device. For example, [3.0].", supported by the device, for example,
[3.0].",
"multiValued": true, "multiValued": true,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
}, },
{ {
"name": "deviceEui64Address", "name": "deviceEui64Address",
"type": "string", "type": "string",
"pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){7}$", "pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){7}$",
"description": "The EUI-64 (Extended Unique Identifier) "description": "The 64-bit Extended Unique Identifier (EUI-64)
device address.", device address.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none" "uniqueness": "none"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:zigbee:2.0:Device" :extension:zigbee:2.0:Device"
} }
} }
<CODE ENDS> <CODE ENDS>
B.9. EndpointAppsExt Extension Schema A.9. EndpointAppsExt Extension Schema
<CODE BEGINS> <CODE BEGINS>
{ {
"id": "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0 "id": "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0
:Device", :Device",
"name": "endpointAppsExt", "name": "endpointAppsExt",
"description": "Extension for partner endpoint applications that "description": "Extension for partner endpoint applications that
can onboard, control, and communicate with the device.", can onboard, control, and communicate with the device.",
"attributes" : [ "attributes" : [
{ {
"name": "applications", "name": "applications",
"type": "complex", "type": "complex",
"description": "Includes references to two types of "description": "Includes references to two types of
application that connect with entrprise, i.e., applications that connect with enterprise, i.e.,
deviceControl and telemetry.", deviceControl and telemetry.",
"multiValued": true, "multiValued": true,
"required": true, "required": true,
"caseExact": false, "caseExact": false,
"mutability": "readWrite", "mutability": "readWrite",
"returned": "default", "returned": "default",
"uniqueness": "none", "uniqueness": "none",
"subAttributes" : [ "subAttributes" : [
{ {
"name" : "value", "name" : "value",
skipping to change at page 52, line 35 skipping to change at line 2313
"caseExact" : false, "caseExact" : false,
"mutability" : "readWrite", "mutability" : "readWrite",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
}, },
{ {
"name" : "$ref", "name" : "$ref",
"type" : "reference", "type" : "reference",
"referenceTypes" : "EndpointApps", "referenceTypes" : "EndpointApps",
"description" : "The URI of the corresponding "description" : "The URI of the corresponding
'EndpointApp' resource which will control or obtain 'EndpointApp' resource that will control or obtain
data from the device.", data from the device.",
"multiValued" : false, "multiValued" : false,
"required" : false, "required" : false,
"caseExact" : true, "caseExact" : true,
"mutability" : "readOnly", "mutability" : "readOnly",
"returned" : "default", "returned" : "default",
"uniqueness" : "none" "uniqueness" : "none"
} }
] ]
}, },
{ {
"name": "deviceControlEnterpriseEndpoint", "name": "deviceControlEnterpriseEndpoint",
"type": "reference", "type": "reference",
"description": "The URL of the enterprise endpoint which "description": "The URL of the enterprise endpoint that
device control apps use to reach enterprise network device control apps use to reach enterprise network
gateway.", gateway.",
"multiValued": false, "multiValued": false,
"required": true, "required": true,
"caseExact": true, "caseExact": true,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "Enterprise" "uniqueness": "Enterprise"
}, },
{ {
"name": "telemetryEnterpriseEndpoint", "name": "telemetryEnterpriseEndpoint",
"type": "reference", "type": "reference",
"description": "The URL of the enterprise endpoint which "description": "The URL of the enterprise endpoint that
telemetry apps use to reach enterprise network gateway.", telemetry apps use to reach enterprise network gateway.",
"multiValued": false, "multiValued": false,
"required": false, "required": false,
"caseExact": true, "caseExact": true,
"mutability": "readOnly", "mutability": "readOnly",
"returned": "default", "returned": "default",
"uniqueness": "Enterprise" "uniqueness": "Enterprise"
} }
], ],
"meta" : { "meta" : {
"resourceType" : "Schema", "resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas "location" : "/v2/Schemas/urn:ietf:params:scim:schemas
:extension:endpointAppsExt:2.0:Device" :extension:endpointAppsExt:2.0:Device"
} }
} }
<CODE ENDS> <CODE ENDS>
Appendix C. OpenAPI representation Appendix B. OpenAPI Representation
The following sections are provided for informational purposes. The following sections are provided for informational purposes.
C.1. Core Device Schema OpenAPI Representation B.1. Core Device Schema OpenAPI Representation
OpenAPI representation of core device schema is as follows: OpenAPI representation of core device schema is as follows:
<CODE BEGINS> <CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Device Schema title: SCIM Device Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
Group: Group:
type: object type: object
description: A list of groups to which the device belongs, description: A list of groups to which the device belongs,
either through direct membership, through nested either through direct membership, through nested
groups, or dynamically calculated. groups, or dynamically calculated.
properties: properties:
value: value:
type: string type: string
description: the unique identifier of a group, description: The unique identifier of a group,
typically a UUID. typically a UUID.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
display: display:
type: string type: string
description: a display string for the group. description: A display string for the group.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
$ref: $ref:
type: string type: string
format: uri format: uri
description: reference to the group object description: Reference to the group object.
readOnly: true readOnly: true
writeOnly: true writeOnly: true
Device: Device:
description: Entry containing attributes about a device description: Entry containing attributes about a device.
type: object type: object
properties: properties:
displayName: displayName:
type: string type: string
description: "Human readable name of the device, suitable description: "Human-readable name of the device, suitable
for displaying to end-users. For example, for displaying to end users, for example,
'BLE Heart Monitor' etc." 'BLE Heart Monitor' etc."
readOnly: false readOnly: false
writeOnly: false writeOnly: false
active: active:
type: boolean type: boolean
description: A mutable boolean value indicating the device description: A mutable boolean value indicating the device
administrative status. If set TRUE, the administrative status. If set TRUE, the
commands (such as connect, disconnect, commands (such as connect, disconnect,
subscribe) that control app sends to the subscribe) that control app sends to the
controller for the devices will be processeed controller for the devices will be processed
by the controller. If set FALSE, any command by the controller. If set FALSE, any command
comming from the control app for the device coming from the control app for the device
will be rejected by the controller. will be rejected by the controller.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
mudUrl: mudUrl:
type: string type: string
format: uri format: uri
description: A URL to MUD file of the device (RFC 8520). description: A URL to MUD file of the device (RFC 8520).
It It is added for future use. Current usage is
is added for future use. Current usage is not not defined yet.
defined yet.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
groups: groups:
type: array type: array
description: list of groups device belongs to description: List of groups to which a device belongs to.
items: items:
$ref: '#/components/schemas/Group' $ref: '#/components/schemas/Group'
required: required:
- active - active
additionalProperties: false additionalProperties: false
allOf: allOf:
- $ref: '#/components/schemas/CommonAttributes' - $ref: '#/components/schemas/CommonAttributes'
CommonAttributes: CommonAttributes:
type: object type: object
skipping to change at page 55, line 37 skipping to change at line 2458
description: The list of schemas that define the resource. description: The list of schemas that define the resource.
id: id:
type: string type: string
format: uri format: uri
description: The unique identifier for a resource. description: The unique identifier for a resource.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
externalId: externalId:
type: string type: string
description: An identifier for the resource that is description: An identifier for the resource that is
defined defined by the provisioning client.
by the provisioning client.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
meta: meta:
type: object type: object
readOnly: true readOnly: true
properties: properties:
resourceType: resourceType:
type: string type: string
description: The name of the resource type of the description: The name of the resource type of the
resource. resource.
skipping to change at page 56, line 33 skipping to change at line 2500
readOnly: true readOnly: true
writeOnly: false writeOnly: false
version: version:
type: string type: string
description: The version of the resource. description: The version of the resource.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
additionalProperties: false additionalProperties: false
<CODE ENDS> <CODE ENDS>
C.2. EndpointApp Schema OpenAPI Representation B.2. EndpointApp Schema OpenAPI Representation
OpenAPI representation of endpointApp schema is as follows: OpenAPI representation of endpointApp schema is as follows:
<CODE BEGINS> <CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM endpoint app schema title: SCIM Endpoint App Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
Group: Group:
type: object type: object
description: A list of groups to which the endpoint description: A list of groups to which the endpoint
application belongs, either through application belongs, either through
direct membership, through nested direct membership, through nested
groups, or dynamically calculated. groups, or dynamically calculated.
skipping to change at page 57, line 4 skipping to change at line 2520
components: components:
schemas: schemas:
Group: Group:
type: object type: object
description: A list of groups to which the endpoint description: A list of groups to which the endpoint
application belongs, either through application belongs, either through
direct membership, through nested direct membership, through nested
groups, or dynamically calculated. groups, or dynamically calculated.
properties: properties:
value: value:
type: string type: string
description: the unique identifier of a group, description: The unique identifier of a group,
typically a UUID. typically a UUID.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
display: display:
type: string type: string
description: a display string for the group. description: A display string for the group.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
$ref: $ref:
type: string type: string
format: uri format: uri
description: reference to the group object description: Reference to the group object.
readOnly: true readOnly: true
writeOnly: true writeOnly: true
EndpointApp: EndpointApp:
title: EndpointApp title: EndpointApp
description: Endpoint application resource description: Endpoint application resource.
type: object type: object
properties: properties:
applicationType: applicationType:
type: string type: string
description: This attribute will only contain two values; description: This attribute will only contain two values:
'deviceControl' or 'telemetry'. 'deviceControl' or 'telemetry'.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
applicationName: applicationName:
type: string type: string
description: Human readable name of the application. description: Human-readable name of the application.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
groups: groups:
type: array type: array
description: list of groups to which the endpointApp description: List of groups to which the endpointApp
belongs. belongs.
items: items:
$ref: '#/components/schemas/Group' $ref: '#/components/schemas/Group'
required: required:
- applicationType - applicationType
- applicationName - applicationName
additionalProperties: true additionalProperties: true
oneOf: oneOf:
skipping to change at page 58, line 18 skipping to change at line 2582
clientToken: clientToken:
type: string type: string
description: "This attribute contains a token that the client description: "This attribute contains a token that the client
will use to authenticate itself. Each token may will use to authenticate itself. Each token may
be a string up to 500 characters in length." be a string up to 500 characters in length."
readOnly: true readOnly: true
writeOnly: false writeOnly: false
certificateInfo: certificateInfo:
type: object type: object
description: "Contains x509 certificate's subject name and description: "Contains X.509 certificate's subject name and
root CA information associated with the device root CA information associated with the device
control or telemetry app." control or telemetry app."
properties: properties:
rootCA: rootCA:
type: string type: string
description: "The base64 encoding of a trust anchor description: "The base64 encoding of a trust anchor
certificate,as per RFC 4648 Section 4." certificate, as per RFC 4648, Section 4."
readOnly: false readOnly: false
writeOnly: false writeOnly: false
subjectName: subjectName:
type: string type: string
description: "Also known as the Common Name (CN), the description: "Also known as the Common Name (CN), the
Subject Name is a field in the X.509 Subject Name is a field in the X.509
certificate that identifies the primary certificate that identifies the primary
domain or IP address for which the domain or IP address for which the
certificate is issued." certificate is issued."
skipping to change at page 59, line 49 skipping to change at line 2661
readOnly: true readOnly: true
writeOnly: false writeOnly: false
version: version:
type: string type: string
description: The version of the resource. description: The version of the resource.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
additionalProperties: false additionalProperties: false
<CODE ENDS> <CODE ENDS>
C.3. BLE Extension Schema OpenAPI Representation B.3. BLE Extension Schema OpenAPI Representation
OpenAPI representation of BLE extension schema is as follows: OpenAPI representation of BLE extension schema is as follows:
<CODE BEGINS> <CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Bluetooth Extension Schema title: SCIM Bluetooth Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
skipping to change at page 60, line 35 skipping to change at line 2695
$ref: '#/components/schemas/BleDeviceExtension' $ref: '#/components/schemas/BleDeviceExtension'
required: true required: true
BleDeviceExtension: BleDeviceExtension:
type: object type: object
properties: properties:
versionSupport: versionSupport:
type: array type: array
items: items:
type: string type: string
description: Provides a list of all the BLE versions description: Provides a list of all the BLE versions
supported by the device. For example, supported by the device, for example,
[4.1, 4.2, 5.0, 5.1, 5.2, 5.3]. [4.1, 4.2, 5.0, 5.1, 5.2, 5.3].
readOnly: false readOnly: false
writeOnly: false writeOnly: false
deviceMacAddress: deviceMacAddress:
type: string type: string
description: It is the public MAC address assigned by the description: It is the public MAC address assigned by the
manufacturer. It is unique 48 bit value. The manufacturer. It is a unique 48-bit value. The
regex pattern is regex pattern is
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
isRandom: isRandom:
type: boolean type: boolean
description: AddressType flag is taken from the BLE core description: AddressType flag is taken from the BLE core
specifications 5.3. If FALSE, the device is specifications 5.3. If FALSE, the device is
using public MAC address. If TRUE, device is using a public MAC address. If TRUE, device
using a random address. is using a random address.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
separateBroadcastAddress: separateBroadcastAddress:
type: string type: string
description: "When present, this address is used for description: "When present, this address is used for
broadcasts/advertisements. This value MUST broadcasts/advertisements. This value
NOT MUST NOT be set when an IRK is provided.
be set when an IRK is provided. Its form is Its form is the same as deviceMacAddress."
the same as deviceMa`cAddress."
readOnly: false readOnly: false
writeOnly: false writeOnly: false
irk: irk:
type: string type: string
description: Identity resolving key, which is unique for description: Identity Resolving Key (IRK), which is unique
every device. It is used to resolve random for every device. It is used to resolve a
address. random address.
readOnly: false readOnly: false
writeOnly: true writeOnly: true
mobility: mobility:
type: boolean type: boolean
description: If set to True, the BLE device will description: If set to True, the BLE device will
automatically connect to the closest AP. For automatically connect to the closest AP. For
example, BLE device is connected with AP-1 example, if a BLE device is connected with
and AP-1 and moves out of range but comes in
moves out of range but comes in range of AP range of AP-2, it will be disconnected with
-2, AP-1 and connected with AP-2.
it will be disconnected with AP-1 and
connects
with AP-2.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
pairingMethods: pairingMethods:
type: array type: array
items: items:
type: string type: string
description: List of pairing methods associated with the description: List of pairing methods associated with the
ble device, stored as schema URI. BLE device, stored as schema URI.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
urn:ietf:params:scim:schemas:extension:pairingNull:2.0 urn:ietf:params:scim:schemas:extension:pairingNull:2.0
:Device: :Device:
$ref: '#/components/schemas/NullPairing' $ref: '#/components/schemas/NullPairing'
required: false required: false
urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0 urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0
:Device: :Device:
$ref: '#/components/schemas/PairingJustWorks' $ref: '#/components/schemas/PairingJustWorks'
required: false required: false
skipping to change at page 62, line 27 skipping to change at line 2780
- deviceMacAddress - deviceMacAddress
- AddressType - AddressType
- pairingMethods - pairingMethods
additionalProperties: false additionalProperties: false
NullPairing: NullPairing:
type: object type: object
PairingJustWorks: PairingJustWorks:
type: object type: object
description: Just works pairing method for ble description: Just Works pairing method for BLE.
properties: properties:
key: key:
type: integer type: integer
description: Just works does not have any key value. For description: Just Works does not have any key value. For
completeness, it is added with a key value completeness, it is added with a key value
'null'. 'null'.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
required: required:
- key - key
PairingPassKey: PairingPassKey:
type: object type: object
description: Pass key pairing method for ble description: Passkey pairing method for BLE.
properties: properties:
key: key:
type: integer type: integer
description: A six digit passkey for ble device. description: A six-digit passkey for BLE device.
The pattern of key is ^[0-9]{6}$. The pattern of key is ^[0-9]{6}$.
readOnly: false readOnly: false
writeOnly: true writeOnly: true
required: required:
- key - key
PairingOOB: PairingOOB:
type: object type: object
description: Out-of-band pairing method for BLE description: Out-of-band pairing method for BLE.
properties: properties:
key: key:
type: string type: string
description: The OOB key value for ble device. description: The OOB key value for BLE device.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
randomNumber: randomNumber:
type: integer type: integer
description: Nonce added to the key description: Nonce added to the key.
readOnly: false readOnly: false
writeOnly: true writeOnly: true
confirmationNumber: confirmationNumber:
type: integer type: integer
description: Some solutions require a confirmation number description: Some solutions require a confirmation number
in the RESTful message exchange. in the RESTful message exchange.
readOnly: false readOnly: false
writeOnly: true writeOnly: true
required: required:
- key - key
- randomNumber - randomNumber
<CODE ENDS> <CODE ENDS>
C.4. DPP Extension Schema OpenAPI Representation B.4. DPP Extension Schema OpenAPI Representation
OpenAPI representation of DPP extension schema is as follows: OpenAPI representation of DPP extension schema is as follows:
<CODE BEGINS> <CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Device Provisioning Protocol Extension Schema title: SCIM Device Provisioning Protocol Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
DppDevice: DppDevice:
type: object type: object
description: Wi-Fi Easy Connect (DPP) device extension schema description: Wi-Fi Easy Connect (DPP) device extension schema.
properties: properties:
schemas: schemas:
type: array type: array
items: items:
type: string type: string
enum: enum:
- urn:ietf:params:scim:schemas:extension:dpp:2.0 - urn:ietf:params:scim:schemas:extension:dpp:2.0
:Device :Device
urn:ietf:params:scim:schemas:extension:dpp:2.0:Device: urn:ietf:params:scim:schemas:extension:dpp:2.0:Device:
$ref: '#/components/schemas/DppDeviceExtension' $ref: '#/components/schemas/DppDeviceExtension'
required: true required: true
DppDeviceExtension: DppDeviceExtension:
type: object type: object
properties: properties:
dppVersion: dppVersion:
type: integer type: integer
description: Version of DPP this device supports. description: Version of DPP this device supports.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
bootstrappingMethod: bootstrappingMethod:
type: array type: array
items: items:
type: string type: string
description: The list of all the bootstrapping methods description: The list of all the bootstrapping methods
available on the enrollee device. For available on the enrollee device, for
example, [QR, NFC]. example, [QR, NFC].
readOnly: false readOnly: false
writeOnly: false writeOnly: false
bootstrapKey: bootstrapKey:
type: string type: string
description: An Elliptic-Curve Diffie Hellman description: An Elliptic Curve Diffie-Hellman
(ECDH) public key. The base64 encoded length (ECDH) public key. The base64-encoded length
for P-256, P-384, and P-521 is 80, 96, and for P-256, P-384, and P-521 is 80, 96, and
120 120 characters.
characters.
readOnly: false readOnly: false
writeOnly: true writeOnly: true
deviceMacAddress: deviceMacAddress:
type: string type: string
description: The MAC address assigned by the manufacturer. description: The MAC address assigned by the manufacturer.
The regex pattern is The regex pattern is
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
classChannel: classChannel:
type: array type: array
items: items:
type: string type: string
description: A list of global operating class and channel description: A list of global operating class and channel
shared as bootstrapping information. It is shared as bootstrapping information. It is
formatted as class/channel. For example, formatted as class/channel, for example,
'81/1', '115/36'. '81/1', '115/36'.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
serialNumber: serialNumber:
type: string type: string
description: An alphanumeric serial number that may also description: An alphanumeric serial number that may also
be be passed as bootstrapping information.
passed as bootstrapping information.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
required: required:
- dppVersion - dppVersion
- bootstrapKey - bootstrapKey
additionalProperties: false additionalProperties: false
<CODE ENDS> <CODE ENDS>
C.5. Ethernet MAB Extension Schema OpenAPI Representation B.5. Ethernet MAB Extension Schema OpenAPI Representation
OpenAPI representation of Ethernet MAB extension schema is as OpenAPI representation of Ethernet MAB extension schema is as
follows: follows:
<CODE BEGINS> <CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM MAC Authentication Bypass Extension Schema title: SCIM MAC Authentication Bypass Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
EthernetMABDevice: EthernetMABDevice:
type: object type: object
description: Ethernet MAC Authenticated Bypass description: Ethernet MAC Authenticated Bypass.
properties: properties:
schemas: schemas:
type: array type: array
items: items:
type: string type: string
enum: enum:
- urn:ietf:params:scim:schemas:extension:ethernet-mab - urn:ietf:params:scim:schemas:extension:ethernet-mab
:2.0:Device :2.0:Device
urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0
:Device: :Device:
$ref: '#/components/schemas/EthernetMABDeviceExtension' $ref: '#/components/schemas/EthernetMABDeviceExtension'
required: true required: true
EthernetMABDeviceExtension: EthernetMABDeviceExtension:
type: object type: object
properties: properties:
deviceMacAddress: deviceMacAddress:
type: string type: string
description: It is the public MAC address assigned by the description: It is the public MAC address assigned by the
manufacturer. It is unique 48 bit value. The manufacturer. It is a unique 48-bit value.
regex pattern is The regex pattern is
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
required: required:
- deviceMacAddress - deviceMacAddress
description: Device extension schema for Ethernet-MAB description: Device extension schema for Ethernet-MAB.
<CODE ENDS> <CODE ENDS>
C.6. FDO Extension Schema OpenAPI Representation B.6. FDO Extension Schema OpenAPI Representation
OpenAPI representation of FDO extension schema is as follows: OpenAPI representation of FDO extension schema is as follows:
<CODE BEGINS> <CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Fido Device Onboarding Extension Schema title: SCIM FIDO Device Onboarding Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
FDODevice: FDODevice:
type: object type: object
description: FIDO Device Onboarding Extension description: FIDO Device Onboarding (FDO) extension.
properties: properties:
schemas: schemas:
type: array type: array
items: items:
type: string type: string
enum: enum:
- urn:ietf:params:scim:schemas:extension:fido-device - urn:ietf:params:scim:schemas:extension:fido-device
-onboard:2.0:Devices -onboard:2.0:Devices
urn:ietf:params:scim:schemas:extension:fido-device-onboard urn:ietf:params:scim:schemas:extension:fido-device-onboard
:2.0:Devices: :2.0:Devices:
$ref: '#/components/schemas/FDODeviceExtension' $ref: '#/components/schemas/FDODeviceExtension'
required: true required: true
FDODeviceExtension: FDODeviceExtension:
type: object type: object
properties: properties:
fdoVoucher: fdoVoucher:
type: string type: string
description: A FIDO Device Onboard (FDO) Voucher description: A FIDO Device Onboard (FDO) voucher.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
required: required:
- fdoVoucher - fdoVoucher
description: Device Extension for a FIDO Device Onboard (FDO) description: Device extension for a FIDO Device Onboard (FDO).
<CODE ENDS> <CODE ENDS>
C.7. Zigbee Extension Schema OpenAPI Representation B.7. Zigbee Extension Schema OpenAPI Representation
OpenAPI representation of zigbee extension schema is as follows: OpenAPI representation of Zigbee extension schema is as follows:
<CODE BEGINS> <CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Zigbee Extension Schema title: SCIM Zigbee Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
ZigbeeDevice: ZigbeeDevice:
skipping to change at page 68, line 35 skipping to change at line 3028
$ref: '#/components/schemas/ZigbeeDeviceExtension' $ref: '#/components/schemas/ZigbeeDeviceExtension'
required: true required: true
ZigbeeDeviceExtension: ZigbeeDeviceExtension:
type: object type: object
properties: properties:
versionSupport: versionSupport:
type: array type: array
items: items:
type: string type: string
description: Provides a list of all the Zigbee versions description: Provides a list of all the Zigbee versions
supported by the device. For example, [3.0]. supported by the device, for example, [3.0].
readOnly: false readOnly: false
writeOnly: false writeOnly: false
deviceEui64Address: deviceEui64Address:
type: string type: string
description: The EUI-64 (Extended Unique Identifier) description: The 64-bit Extended Unique Identifier (EUI-64)
device device address. The regex pattern is
address. The regex pattern is
^[0-9A-Fa-f]{16}$. ^[0-9A-Fa-f]{16}$.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
required: required:
- versionSupport - versionSupport
- deviceEui64Address - deviceEui64Address
description: Device extension schema for Zigbee. description: Device extension schema for Zigbee.
<CODE ENDS> <CODE ENDS>
C.8. EndpointAppsExt Extension Schema OpenAPI Representation B.8. EndpointAppsExt Extension Schema OpenAPI Representation
OpenAPI representation of endpoint Apps extension schema is as OpenAPI representation of endpoint Apps extension schema is as
follows: follows:
<CODE BEGINS> <CODE BEGINS>
openapi: 3.1.0 openapi: 3.1.0
info: info:
title: SCIM Endpoint extension schema title: SCIM Endpoint Extension Schema
version: 1.0.0 version: 1.0.0
components: components:
schemas: schemas:
EndpointAppsExt: EndpointAppsExt:
type: object type: object
properties: properties:
applications: applications:
$ref: '#/components/schemas/applications' $ref: '#/components/schemas/applications'
deviceControlEnterpriseEndpoint: deviceControlEnterpriseEndpoint:
type: string type: string
format: url format: url
description: The URL of the enterprise endpoint which description: The URL of the enterprise endpoint that
device device control apps use to reach an
control apps use to reach enterprise network enterprise network gateway.
gateway.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
telemetryEnterpriseEndpoint: telemetryEnterpriseEndpoint:
type: string type: string
format: url format: url
description: The URL of the enterprise endpoint which description: The URL of the enterprise endpoint that
telemetry apps use to reach enterprise telemetry apps use to reach an enterprise
network network gateway.
gateway.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
required: required:
- applications - applications
- deviceControlEnterpriseEndpoint - deviceControlEnterpriseEndpoint
applications: applications:
type: array type: array
items: items:
skipping to change at page 70, line 4 skipping to change at line 3089
writeOnly: false writeOnly: false
required: required:
- applications - applications
- deviceControlEnterpriseEndpoint - deviceControlEnterpriseEndpoint
applications: applications:
type: array type: array
items: items:
value: value:
type: string type: string
description: The identifier of the endpointApp. description: The identifier of the endpointApp.
readOnly: false readOnly: false
writeOnly: false writeOnly: false
ref: ref:
type: string type: string
format: uri format: uri
description: The URI of the corresponding 'EndpointApp' description: The URI of the corresponding 'EndpointApp'
resource which will control or obtain data resource that will control or obtain data
from from the device.
the device.
readOnly: true readOnly: true
writeOnly: false writeOnly: false
required: required:
- value - value
- ref - ref
<CODE ENDS> <CODE ENDS>
Appendix D. Fido Device Onboarding Example Flow Appendix C. FIDO Device Onboarding Example Flow
The following diagrams are included to demonstrate how FDO can be The following diagrams are included to demonstrate how FDO can be
used. In this first diagram, a device is onboarded not only to the used. In this first diagram, a device is onboarded not only to the
device owner process, but also to the AAA server for initial device owner process but also to the AAA server for initial
onboarding. The voucher contains a device certificate that is used onboarding. The voucher contains a device certificate that is used
by the AAA system for authentication. by the AAA system for authentication.
,------. ,------. ,-------. ,------. ,------. ,-------.
|SCIM | |SCIM | |Owner | ,---. |SCIM | |SCIM | |Owner | ,---.
|Client| |Server| |Service| |AAA| |Client| |Server| |Service| |AAA|
`---+--' `---+--' `---+---' `-+-' `---+--' `---+--' `---+---' `-+-'
,------------------------------!. | | ,------------------------------!. | |
|voucher contains |_\ | | |Voucher contains |_\ | |
|an X.509 cert chain | | | |an X.509 cert chain | | |
`--------------------------------' | | `--------------------------------' | |
|1 POST [FDO(voucher)] | | | |1 POST [FDO(voucher)] | | |
|/HTTP | | | |/HTTP | | |
|--------------------->| | | |--------------------->| | |
| | | | | | | |
| |----. | | | |----. | |
| | | 2 Recover X.509 | | | | | 2 Recover X.509 | |
| |<---' cert chain | | | |<---' cert chain | |
| | from voucher | | | | from voucher | |
| | | | | | | |
| | | | | | | |
| |3 Add device(voucher) | | | |3 Add device(voucher) | |
| |/HTTP | | | |/HTTP | |
| |--------------------->| | | |--------------------->| |
| | | | | | | |
| | 4 200 "ok" | | | | 4 200 "ok" | |
| |<---------------------| | | |<---------------------| |
| | | | | | | |
| | 5 add identity | | | 5 Add identity |
| |------------------------------->| | |------------------------------->|
| | | | | | | |
| | 6 200 "ok" | | | 6 200 "ok" |
| |<-------------------------------| | |<-------------------------------|
| | | | | | | |
| 7 200 "ok" | | | | 7 200 "ok" | | |
|<---------------------| | | |<---------------------| | |
| | | | | | | |
| | | | | | | |
After this flow is complete, the device can then first provisionally After this flow is complete, the device can then first provisionally
onboard, and then later receive a trust anchor through FDO's TO2 onboard and then later receive a trust anchor through FDO's TO2
process. This is shown below. process. This is shown below.
,-------. ,------. ,-------. ,------.
|Owner | ,---. |Access| ,------. |Owner | ,---. |Access| ,------. |Service| |AAA| |Point |
|Service| |AAA| |Point | |Device| |Device| `---+---' `-+-' `---+--' `---+--' | | |
`---+---' `-+-' `---+--' `---+--' ,------------------!. | | | |Device configured |_\ | | |
| | | ,------------------!. |with well-known | | | | |RCOI and for trust | | | | |on first
| | | |Device configured |_\ use | | | | `--------------------' | | ,---------------!. | |
| | | |with well-known | | |WLAN configured|_\ | | | |with well-known | | | | |RCOI | |
| | | |RCOI and for trust | | | `-----------------' | | | | 1 EAP-TLS/EAPOL | | |
| | | |on first use | |<-----------------| | | | | | |2 EAP-TLS/Radius | | |
| | | `--------------------' |<----------------| | | | | | | |
| | ,---------------!. | ,--------------------------!. | | |Device skips |_\ | |
| | |WLAN configured|_\ | |server authentication | | | `----------------------------' |
| | |with well-known | | |3 Result=Success | | | |---------------->| | | | | | |
| | |RCOI | | ,-----------------------!. | | |Limited access |_\ | | |for
| | `-----------------' | now | | | `-------------------------' | | | |4 Result=Success
| | | 1 EAP-TLS/EAPOL | | | | |----------------->| | | | | | | 5 FDO TO2 | |
| | |<-----------------| |<----------------------------------------------------| | | |
| | | | |
| |2 EAP-TLS/Radius | | ,-------------------------------------------------------------!.
| |<----------------| | |FSIM, Runtime SSID, |_\ |Credentials incl. | |local trust
| | | | anchor |
| | ,--------------------------!. `---------------------------------------------------------------'
| | |Device skips |_\ | | | 6 dissasociate | | | |<-----------------| | | | | | | |7
| | |server authentication | EAP-TLS w/ LSC | | | |<-----------------| | | | | | | | | . .
| | `----------------------------' etc . .
| |3 Result=Success | |
| |---------------->| | Acknowledgments
| | | |
| ,-----------------------!. | The authors would like to thank Bart Brinckman, Rohit Mohan, Lars
| |Limited access |_\ | Streubesand, Christian Amsüss, Jason Livingwood, Mike Ounsworth,
| |for now | | Monty Wiseman, Geoffrey Cooper, Paulo Jorge N. Correia, Phil Hunt,
| `-------------------------' | and Elwyn Davies for their reviews and Nick Ross for his contribution
| | |4 Result=Success | to the appendix.
| | |----------------->|
| | | |
| | 5 FDO TO2 | |
|<----------------------------------------------------|
| | | |
,-------------------------------------------------------------!.
|FSIM, Runtime SSID, |_\
|Credentials incl. |
|local trust anchor |
`---------------------------------------------------------------'
| | | 6 dissasociate |
| | |<-----------------|
| | | |
| | |7 EAP-TLS w/ LSC |
| | |<-----------------|
| | | |
| | | |
. . etc . .
Authors' Addresses Authors' Addresses
Muhammad Shahzad Muhammad Shahzad
North Carolina State University North Carolina State University
Department of Computer Science Department of Computer Science
890 Oval Drive 890 Oval Drive
Campus Box 8206 Campus Box 8206
Raleigh, NC, 27695-8206 Raleigh, NC 27695-8206
United States of America United States of America
Email: mshahza@ncsu.edu Email: mshahza@ncsu.edu
Hassan Iqbal Hassan Iqbal
North Carolina State University North Carolina State University
Department of Computer Science Department of Computer Science
890 Oval Drive 890 Oval Drive
Campus Box 8206 Campus Box 8206
Raleigh, NC, 27695-8206 Raleigh, NC 27695-8206
United States of America United States of America
Email: hassaniqbal931@gmail.com Email: hassaniqbal931@gmail.com
Eliot Lear Eliot Lear
Cisco Systems Cisco Systems
Richtistrasse 7 Richtistrasse 7
CH-8304 Wallisellen CH-8304 Wallisellen
Switzerland Switzerland
Phone: +41 44 878 9200 Phone: +41 44 878 9200
Email: lear@cisco.com Email: lear@cisco.com
 End of changes. 267 change blocks. 
699 lines changed or deleted 668 lines changed or added

This html diff was produced by rfcdiff 1.48.