Network Working Group M. Shahzad Internet-Draft H. Iqbal Intended status: Standards Track North Carolina State University Expires: 21 November 2024 E. Lear Cisco Systems 20 May 2024 Device Schema Extensions to the SCIM model draft-ietf-scim-device-model-05 Abstract The initial core schema for SCIM (System for Cross Identity Management) was designed for provisioning users. This memo specifies schema extensions that enables provisioning of devices, using various underlying bootstrapping systems, such as Wifi EasyConnect, FIDO device onboarding vouchers, BLE passcodes, and MAC authenticated bypass. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 21 November 2024. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. Shahzad, et al. Expires 21 November 2024 [Page 1] Internet-Draft SCIM Device Schema Extensions May 2024 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Why SCIM for devices? . . . . . . . . . . . . . . . . . . 4 1.2. Protocol Participants . . . . . . . . . . . . . . . . . . 4 1.3. Schema Description . . . . . . . . . . . . . . . . . . . 5 1.4. Schema Representation . . . . . . . . . . . . . . . . . . 5 1.5. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 2. ResourceType Device . . . . . . . . . . . . . . . . . . . . . 5 2.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 5 3. SCIM Core Device Schema . . . . . . . . . . . . . . . . . . . 6 3.1. Singular Attributes . . . . . . . . . . . . . . . . . . . 6 4. Device Groups . . . . . . . . . . . . . . . . . . . . . . . . 7 5. Resource Type EndpointApp . . . . . . . . . . . . . . . . . . 8 6. SCIM EndpointApp Schema . . . . . . . . . . . . . . . . . . . 8 6.1. Common Attributes . . . . . . . . . . . . . . . . . . . . 8 6.2. Singular Attributes . . . . . . . . . . . . . . . . . . . 8 6.3. Complex Attribute . . . . . . . . . . . . . . . . . . . . 9 7. SCIM Device Extensions . . . . . . . . . . . . . . . . . . . 11 7.1. BLE Extension . . . . . . . . . . . . . . . . . . . . . . 11 7.1.1. Singular Attributes . . . . . . . . . . . . . . . . . 12 7.1.2. Multivalued Attributes . . . . . . . . . . . . . . . 12 7.1.3. BLE Pairing Method Extensions . . . . . . . . . . . . 13 7.2. EasyConnect Extension . . . . . . . . . . . . . . . . . . 18 7.2.1. Singular Attributes . . . . . . . . . . . . . . . . . 18 7.2.2. Multivalued Attributes . . . . . . . . . . . . . . . 18 7.3. Ethernet MAB Extension . . . . . . . . . . . . . . . . . 20 7.3.1. Single Attribute . . . . . . . . . . . . . . . . . . 21 7.4. Fido Device Onboarding Extension . . . . . . . . . . . . 22 7.4.1. Single Attribute . . . . . . . . . . . . . . . . . . 22 7.5. Zigbee Extension . . . . . . . . . . . . . . . . . . . . 23 7.5.1. Singular Attribute . . . . . . . . . . . . . . . . . 23 7.5.2. Multivalued Attribute . . . . . . . . . . . . . . . . 24 7.6. The Endpoint Applications Extension Schema . . . . . . . 25 7.6.1. Singular Attributes . . . . . . . . . . . . . . . . . 25 7.6.2. Multivalued Attribute . . . . . . . . . . . . . . . . 25 8. Schema JSON Representation . . . . . . . . . . . . . . . . . 28 8.1. Resource Schema . . . . . . . . . . . . . . . . . . . . . 28 8.2. Device Core Schema JSON . . . . . . . . . . . . . . . . . 29 Shahzad, et al. Expires 21 November 2024 [Page 2] Internet-Draft SCIM Device Schema Extensions May 2024 8.3. EndpointApp Schema JSON . . . . . . . . . . . . . . . . . 30 8.4. BLE Extension Schema JSON . . . . . . . . . . . . . . . . 33 8.5. DPP Extension Schema JSON . . . . . . . . . . . . . . . . 37 8.6. Ethernet MAB Extension Schema JSON . . . . . . . . . . . 39 8.7. FDO Extension Schema JSON . . . . . . . . . . . . . . . . 40 8.8. Zigbee Extension Schema JSON . . . . . . . . . . . . . . 41 8.9. EndpointAppsExt JSON Extension Schema . . . . . . . . . . 42 8.10. Representation of Schema . . . . . . . . . . . . . . . . 44 9. Security Considerations . . . . . . . . . . . . . . . . . . . 52 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 53 10.1. New Schemas . . . . . . . . . . . . . . . . . . . . . . 53 10.2. Device Schema Extensions . . . . . . . . . . . . . . . . 53 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 54 11.1. Normative References . . . . . . . . . . . . . . . . . . 54 11.2. Informative References . . . . . . . . . . . . . . . . . 55 Appendix A. Changes from Earlier Versions . . . . . . . . . . . 56 Appendix B. OpenAPI representation . . . . . . . . . . . . . . . 56 B.1. Device Core Schema OpenAPI Representation . . . . . . . . 56 B.2. EndpointApp Schema OpenAPI Representation . . . . . . . . 58 B.3. BLE Extension Schema OpenAPI Representation . . . . . . . 62 B.4. DPP Extension Schema OpenAPI Representation . . . . . . . 66 B.5. Ethernet MAB Extension Schema OpenAPI Representation . . 67 B.6. FDO Extension Schema OpenAPI Representation . . . . . . . 68 B.7. Zigbee Extension Schema OpenAPI Representation . . . . . 69 B.8. EndpointAppsExt Extension Schema OpenAPI Representation . . . . . . . . . . . . . . . . . . . . . 70 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 72 1. Introduction The Internet of Things presents a management challenge in many dimensions. One of them is the ability to onboard and manage large number of devices. There are many models for bootstrapping trust between devices and network deployments. Indeed it is expected that different manufacturers will make use of different methods. SCIM (System for Cross Identity Management) [RFC7643] [RFC7644] defines a protocol and a schema for provisioning of users. However, it can easily be extended to provision devices. The protocol and core schema were designed to permit just such extensions. Bulk operations are supported. This is good because often devices are procured in bulk. Shahzad, et al. Expires 21 November 2024 [Page 3] Internet-Draft SCIM Device Schema Extensions May 2024 1.1. Why SCIM for devices? Some might ask why SCIM is well suited for this purpose and not, for example, NETCONF or RESTCONF with YANG. After all, there are all sorts of existing models available. The answer is that the only information being passed about the device is neither state nor device configuration information, but only information necessary to bootstrap trust so that the device may establish connectivity. 1.2. Protocol Participants In the normal SCIM model, it was presumed that large federated deployments would be SCIM clients who provision and remove employees and contractors as they are enter and depart those deployments, and federated services such as sales, payment, or conferencing services would be the servers. In the device model, the roles are reversed, and may be somewhat more varied. A deployment network management system gateway (NMS gateway) plays the role of the server, receiving information about devices that are expected to be connected to its network. That server will apply appropriate local policies regarding whether/how the device should be connected. The client may be one of a number of entities: * A vendor who is authorized to add devices to a network as part of a sales transaction. This is similar to the sales integration sometimes envisioned by Bootstrapping Remote Key Infrastructure (BRSKI) [RFC8995]. * A client application that administrators or employees use to add, remove, or get information about devices. An example might be an tablet or phone app that scans Easyconnect QR codes. +-----------------------------------+ | | +-----------+ Request | +---------+ | | onboarding|------------->| SCIM | | | app |<-------------| Server | | +-----------+ Ctrl Endpt +---------+ | | | +-----------+ | +------------+ +-------+ | | Control |...........|..| ALG |.........|device | | | App | | +------------+ +-------+ | +-----------+ | | | | +-----------------------------------+ Shahzad, et al. Expires 21 November 2024 [Page 4] Internet-Draft SCIM Device Schema Extensions May 2024 Figure 1: Basic Architecture In Figure 1, the onboarding app provides the device particulars. As part of the response, the SCIM server might provide additional information, especially in the case of non-IP devices, where an application-layer gateway may need to be used to communicate with the device. The control endpoint is one among a number of objects that may be returned. 1.3. Schema Description RFC 7643 does not prescribe a language to describe a schema. We have chosen the JSON schema language [I-D.bhutton-json-schema] for this purpose. The use of XML for this SCIM devices is not supported. Several additional schemas specify specific onboarding mechanisms, such as BLE and Wifi Easy Connect. 1.4. Schema Representation Attributes defined in the device core schema and extensions comprise characteristics and SCIM datatypes defined in Sections 2.2 and 2.3 of the [RFC7643]. This specifciation does not define new characteristics and datatypes for the SCIM attributes. 1.5. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. ResourceType Device A new resource type 'Device' is specified. The "ResourceType" schema specifies the metadata about a resource type (see section 6 of [RFC7643]). The resource "Devices" comprises a core device schema and several extension schemas. The core schema provides a minimal resource representation, whereas extension schemas extend the core schema depending on the device's capability. The JSON schema for Device resource type is in Section 8.1. 2.1. Common Attributes The Device schema contains three common attributes as defined in the [RFC7643]. Shahzad, et al. Expires 21 November 2024 [Page 5] Internet-Draft SCIM Device Schema Extensions May 2024 id An id is a required and unique attribute of the device core schema (see section 3.1 of [RFC7643]). externalID An externalID is an optional attribute (see section 3.1 of [RFC7643]). meta Meta is a complex attribute and is required (see section 3.1 of [RFC7643]). 3. SCIM Core Device Schema The core device schema provides the minimal representation of a resource "Device". It contains only those attributes that any device may need, and only one attribute is required. The core schema for "Device" is identified using the schema URI: "urn:ietf:params:scim:schemas:core:2.0:Device". The following attributes are defined in the device core schema. 3.1. Singular Attributes displayName This attribute is of type "string" and provides a human-readable name for a device. It is intended to be displayed to end-users and should be suitable for that purpose. The attribute is not required, and is not case-sensitive. It may be modified and SHOULD be returned by default. No uniqueness constraints are imposed on this attribute. active The "active" attribute is of type "boolean" and is a mutable attribute, and is required. If set to TRUE, it means that this device is intended to be operational. Attempts to control or access a device where this value is set to FALSE may fail. For example, when used in conjunction with NIPC [I-D.brinckman-nipc], commands such as connect, disconnect, subscribe that control app sends to the controller for the devices any command coming from the control app for the device will be rejected by the controller. mudUrl Shahzad, et al. Expires 21 November 2024 [Page 6] Internet-Draft SCIM Device Schema Extensions May 2024 The mudUrl attribute represents the URL to the MUD file associated with this device. This attribute is optional and mutable. The mudUrl value is case sensitive and not unique. When present, this attribute may be used as described in [RFC8520]. This attribute is case sensitive and returned by default. +=============+=======+=====+=======+=========+========+========+ | Attribute | Multi | Req | Case | Mutable | Return | Unique | | | Value | | Exact | | | | +=============+=======+=====+=======+=========+========+========+ | displayName | F | F | F | RW | Def | None | +-------------+-------+-----+-------+---------+--------+--------+ | active | F | T | F | RW | Def | None | +-------------+-------+-----+-------+---------+--------+--------+ | mudUrl | F | F | T | RW | Def | None | +-------------+-------+-----+-------+---------+--------+--------+ Table 1: Characteristics of device schema attributes. (Req = Required, T = True, F = False, RW = ReadWrite, and Def = Default) An example of a device SCIM object is as follows: { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device"], "id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "displayName": "BLE Heart Monitor", "active": true, "meta": { "resourceType": "Device", "created": "2022-01-23T04:56:22Z", "lastModified": "2022-05-13T04:42:34Z", "version": "W\/\"a330bc54f0671c9\"", "location": "https://example.com/v2/Device/e9e30dba-f08f -4109-8486-d5c6a3316111" } } The schema for the device is presented in JSON format in Section Section 8.2, while the openAPI representation is provided in Section Appendix B.1. 4. Device Groups Device groups are created using the SCIM groups as defined in [RFC7643] Section 4.2. Shahzad, et al. Expires 21 November 2024 [Page 7] Internet-Draft SCIM Device Schema Extensions May 2024 5. Resource Type EndpointApp This section defines a new resource type, 'EndpointApp'. The "ResourceType" schema specifies the metadata about a resource type (see section 6 of [RFC7643]). The resource "EndpointApp" represents client applications that can control and/or receive data from the devices. The JSON schema for EndpointApp resource type is in Section 8.1. The attributes comprising EndpointsApp are listed in Section 6. The "EndpointApp" are included in the endpoint applications extension ("endpointAppsExt") Section 7.6. 6. SCIM EndpointApp Schema The schema for "EndpointApp" is identified using the schema URI: "urn:ietf:params:scim:schemas:core:2.0:EndpointApp". The following attributes are defined in this schema. 6.1. Common Attributes The EndpointApp schema contains three common attributes as defined in the [RFC7643]. 6.2. Singular Attributes applicationType This attribute is of type "string" and represents the type of application. It will only contain two values; 'deviceControl' or 'telemetry'. 'deviceControl' is the application that sends commands to control the device. 'telemetry' is the application that receives data from the device. The attribute is required, and is not case- sensitive. The is attribute readOnly and should be returned by default. No uniqueness constraints are imposed on this attribute. applicationName The "applicationName" attribute is of type "string" and represents a human readable name for the application. This attribute is required and mutable. The attribute should be returned by default and there is no uniqueness contraint on the attribute. clientToken Shahzad, et al. Expires 21 November 2024 [Page 8] Internet-Draft SCIM Device Schema Extensions May 2024 This attribute type string contains a token that the client will use to authenticate itself. Each token may be a string up to 500 characters in length. It is mutable, required, case sensitive and returned by default if it exists. 6.3. Complex Attribute certificateInfo It is the complex attribute that Contains x509 certificate's subject name and root CA information associated with the device control or telemetry app. It further has three attributes that are described below. rootCN It is the root certificate common name. This attribute is required, read only, singular and case sensitive. subjectName Also known as the Common Name (CN), the Subject Name is a field in the X.509 certificate that identifies the primary domain or IP address for which the certificate is issued. This attribute is not required, read only, singular and case sensitive. subjectAlternativeName This attribute allows for the inclusion of multiple domain names and IP addresses in a single certificate. This enables the certificate to be used for multiple related domains or IPs without the need for separate certificates for each. This attribute is not required, read only, multivalued and case sensitive. Shahzad, et al. Expires 21 November 2024 [Page 9] Internet-Draft SCIM Device Schema Extensions May 2024 +=================+=======+===+=======+=========+========+========+ | Attribute | Multi |Req| Case | Mutable | Return | Unique | | | Value | | Exact | | | | +=================+=======+===+=======+=========+========+========+ | applicationType | F |T | F | R | Def | None | +-----------------+-------+---+-------+---------+--------+--------+ | applicationName | F |T | F | RW | Def | None | +-----------------+-------+---+-------+---------+--------+--------+ | clientToken | F |T | T | R | Def | None | +-----------------+-------+---+-------+---------+--------+--------+ | certificateInfo | F |F | F | RW | Def | None | +-----------------+-------+---+-------+---------+--------+--------+ | rootCN | F |T | T | R | Def | None | +-----------------+-------+---+-------+---------+--------+--------+ | subjectName | F |F | T | R | Def | None | +-----------------+-------+---+-------+---------+--------+--------+ | subjectAltName | T |F | T | R | Def | None | +-----------------+-------+---+-------+---------+--------+--------+ Table 2: Characteristics of EndpointApp schema attributes. (Req = Required, T = True, F = False, R = ReadOnly, RW = ReadWrite, Manuf = Manufactirer and Def = Default) Note that attributes clientToken and certificateInfo are used for the authentication of the application. Both SHALL NOT exist together in the SCIM object. Either clientToken or certificateInfo SHALL be present in the SCIM object. An example of a endpointApp SCIM object is as follows. Note that since certificateInfo is present in the example, clientToken attribute is NULL. Shahzad, et al. Expires 21 November 2024 [Page 10] Internet-Draft SCIM Device Schema Extensions May 2024 { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:EndpointApp"], "id": "e9e30dba-f08f-4109-8486-d5c6a3316212", "applicationType": "deviceControl", "applicationName": "Device Control App 1", "certificateInfo": { "rootCN": "DigiCert Global Root CA", "subjectName": "wwww.example.com", "subjectAlternativeName": ["xyz.example.com", "abc.example.com"] }, "clientToken": null, "meta": { "resourceType": "EndpointApp", "created": "2022-01-23T04:56:22Z", "lastModified": "2022-05-13T04:42:34Z", "version": "W\/\"a330bc54f0671c9\"", "location": "https://example.com/v2/EndpointApp/e9e30dba-f08f -4109-8486-d5c6a3316212" } } The schema for the endpointApp is presented in JSON format in Section Section 8.3, while the openAPI representation is provided in Section Appendix B.2. 7. SCIM Device Extensions SCIM provides various extension schemas, their attributes, JSON representation, and example object. The core schema is extended with a new resource type, as described in Section 8.1. No schemaExtensions list is specified in that definition. Instead, an IANA registry is created, where all values for "required" are set to false. All extensions involving Devices MUST be registered via IANA, as described in Section 10.2. The schemas below demonstrate how this model is to work. 7.1. BLE Extension This schema extends the device schema to represent the devices supporting BLE. The extension is identified using the following schema URI: urn:ietf:params:scim:schemas:extension:ble:2.0:Device The attributes are as follows: Shahzad, et al. Expires 21 November 2024 [Page 11] Internet-Draft SCIM Device Schema Extensions May 2024 7.1.1. Singular Attributes deviceMacAddress A string value that represent a public MAC address assigned by the manufacturer. It is a unique 48-bit value. Ir is required, case insensitive, and it is mutable and return as default. The regex pattern is the following: ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5} isRandom A boolean flag taken from the BLE core specification, 5.3. If FALSE, the device is using a public MAC address. If TRUE, the device uses a Random address resolved using IRK. This attribute is not required, it is mutable, and returned by default. Its default value is FALSE. separateBroadcastAddress When present, this address is used for broadcasts/advertisements. This value MUST NOT be set when an IRK is provided. Its form is the same as deviceMacAddress. It is not required, multivalued, mutable, and returned by default. irk A string value, Identity resolving key, which is unique for every device. It is used to resolve the random address. It is required when addressType is TRUE. It is mutable and return by default. mobility A boolean attribute to enable mobility on BLE device. If set to True, the BLE device will automatically connect to the closest AP. For example, BLE device is connected with AP-1 and moves out of range but comes in range of AP-2, it will be disconnected with AP-1 and connects with AP-2. It is returned by default and mutable. 7.1.2. Multivalued Attributes versionSupport A multivalued attribute that provides all the BLE versions supported by the device in the form of an array. For example, [4.1, 4.2, 5.0, 5.1, 5.2, 5.3]. It is required, mutable, and return as default. pairingMethods Shahzad, et al. Expires 21 November 2024 [Page 12] Internet-Draft SCIM Device Schema Extensions May 2024 An array of pairing methods associated with the BLE device. The pairing methods may require sub-attributes, such as key/password, for the device pairing process. To enable the scalability of pairing methods in the future, they are represented as extensions to incorporate various attributes that are part of the respective pairing process. Pairing method extensions are nested inside the BLE extension. It is required, case sensitive, mutable, and returned by default. 7.1.3. BLE Pairing Method Extensions The details on pairing methods and their associated attributes are in section 2.3 of [BLE53]. This memo defines extensions for four pairing methods that are nested insided the BLE extension schema. Each extension contains the common attributes Section 2.1. These extension are are as follows. (i) pairingNull extension is identified using the following schema URI: urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device pairingNull does not have any attribute. It allows pairing for BLE devices that do not require a pairing method. (ii) pairingJustWorks extension is identified using the following schema URI: urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device Just works pairing method does not require a key to pair devices. For completeness, the key attribute is included and is set to 'null'. Key attribute is required, immutable, and return by default. (iii) pairingPassKey extension is identified using the following schema URI: urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device The pass key pairing method requires a 6-digit key to pair devices. This extension has one singular integer attribute, "key", which is required, mutable and returned by default. The key pattern is as follows: ^[0-9]{6}$ (iv) pairingOOB extension is identified using the following schema URI: Shahzad, et al. Expires 21 November 2024 [Page 13] Internet-Draft SCIM Device Schema Extensions May 2024 urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device The out-of-band pairing method includes three singular attributes, i.e., key, randomNumber, and confirmationNumber. key The key is string value, required and received from out-of-bond sources such as NFC. It is case sensitive, mutable, and returned by default. randomNumber It represents a nounce added to the key. It is and integer value that is required attribute. It is mutable and returned by default. confirmationNumber An integer which some solutions require in RESTful message exchange. It is not required. It is mutable and returned by default if it exists. +==================+=======+===+=======+=========+========+========+ | Attribute | Multi |Req| Case | Mutable | Return | Unique | | | Value | | Exact | | | | +==================+=======+===+=======+=========+========+========+ | deviceMacAddress | F |T | F | RW | Def | Manuf | +------------------+-------+---+-------+---------+--------+--------+ | isRandom | F |T | F | RW | Def | None | +------------------+-------+---+-------+---------+--------+--------+ | sepBroadcastAdd | T |T | F | RW | Def | None | +------------------+-------+---+-------+---------+--------+--------+ | irk | F |F | F | RW | Def | Manuf | +------------------+-------+---+-------+---------+--------+--------+ | versionSupport | T |T | F | RW | Def | None | +------------------+-------+---+-------+---------+--------+--------+ | mobility | F |F | F | RW | Def | None | +------------------+-------+---+-------+---------+--------+--------+ | pairingMethods | T |T | T | RW | Def | None | +------------------+-------+---+-------+---------+--------+--------+ Table 3: Characteristics of BLE extension schema attributes. sepBroadcastAdd is short for separateBroadcastAddress. (Req = Required, T = True, F = False, RW = ReadWrite, Def = Default, and Manuf = Manufacturer). An example of a device object with BLE extension is as follows: Shahzad, et al. Expires 21 November 2024 [Page 14] Internet-Draft SCIM Device Schema Extensions May 2024 { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"], "id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "displayName": "BLE Heart Monitor", "active": true, "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : { "versionSupport": ["5.3"], "deviceMacAddress": "2C:54:91:88:C9:E2", "isRandom": false, "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77 :22:12"], "mobility": true, "pairingMethods": ["urn:ietf:params:scim:schemas:extension :pairingPassKey:2.0:Device"], "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0 :Device" : { "key": 123456 } }, "meta": { "resourceType": "Device", "created": "2022-01-23T04:56:22Z", "lastModified": "2022-05-13T04:42:34Z", "version": "W\/\"a330bc54f0671c9\"", "location": "https://example.com/v2/Device/e9e30dba-f08f-4109 -8486-d5c6a3316111" } } In the above example, the pairing method is "pairingPassKey", which implies that this BLE device pairs using only a passkey. In another example below, the pairing method is "pairingOOB," implying that this BLE device uses the out-of-band pairing method. Shahzad, et al. Expires 21 November 2024 [Page 15] Internet-Draft SCIM Device Schema Extensions May 2024 { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"], "id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "displayName": "BLE Heart Monitor", "active": true, "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : { "versionSupport": ["5.3"], "deviceMacAddress": "2C:54:91:88:C9:E2", "isRandom": false, "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77 :22:12"], "mobility": true, "pairingMethods": ["urn:ietf:params:scim:schemas:extension :pairingOOB:2.0:Device"], "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device": { "key": "TheKeyvalueRetrievedFromOOB", "randNumber": 238796813516896 } }, "meta": { "resourceType": "Device", "created": "2022-01-23T04:56:22Z", "lastModified": "2022-05-13T04:42:34Z", "version": "W\/\"a330bc54f0671c9\"", "location": "https://example.com/v2/Device/e9e30dba-f08f-4109 -8486-d5c6a3316111" } } However, a device can have more than one pairing method. Support for multiple pairing methods is also provided by the multi-valued attribute pairingMethods. In the example below, the BLE device can pair with both passkey and OOB pairing methods. Shahzad, et al. Expires 21 November 2024 [Page 16] Internet-Draft SCIM Device Schema Extensions May 2024 { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "urn:ietf:params:scim:schemas:extension:ble:2.0:Device"], "id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "displayName": "BLE Heart Monitor", "active": true, "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : { "versionSupport": ["5.3"], "deviceMacAddress": "2C:54:91:88:C9:E2", "isRandom": false, "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77 :22:12"], "mobility": true, "pairingMethods": ["urn:ietf:params:scim:schemas:extension :pairingPassKey:2.0:Device", "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0 :Device"], "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0 :Device" : { "key": 123456 }, "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device": { "key": "TheKeyvalueRetrievedFromOOB", "randNumber": 238796813516896 } }, "meta": { "resourceType": "Device", "created": "2022-01-23T04:56:22Z", "lastModified": "2022-05-13T04:42:34Z", "version": "W\/\"a330bc54f0671c9\"", "location": "https://example.com/v2/Device/e9e30dba-f08f-4109 -8486-d5c6a3316111" } } The schema for the BLE extension is presented in JSON format in Section Section 8.4, while the openAPI representation is provided in Section Appendix B.3. Shahzad, et al. Expires 21 November 2024 [Page 17] Internet-Draft SCIM Device Schema Extensions May 2024 7.2. EasyConnect Extension A schema that extends the device schema to enable WiFi EasyConnect (otherwise known as Device Provisioning Protocol or DPP). The extension is identified using the following schema URI: urn:ietf:params:scim:schemas:extension:dpp:2.0:Device The attributes in this extension are adopted from [DPP2]. The attributes are as follows: 7.2.1. Singular Attributes dppVersion An integer that represents the version of DPP the device supports. This attribute is required, case insensitive, mutable, and returned by default. bootstrapKey A string value representing Elliptic-Curve Diffie–Hellman (ECDH) public key. The base64 encoded lengths for P-256, P-384, and P-521 are 80, 96, and 120 characters. This attribute is required, case- sensitive, mutable, and returned by default. deviceMacAddress The manufacturer assigns the MAC address stored as string. It is a unique 48-bit value. This attribute is optional, case insensitive, mutable, and returned by default. The regex pattern is as follows: ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. serialNumber An alphanumeric serial number, stored as string, may also be passed as bootstrapping information. This attribute is optional, case insensitive, mutable, and returned by default. 7.2.2. Multivalued Attributes bootstrappingMethod It is the array of strings of all the bootstrapping methods available on the enrollee device. For example, [QR, NFC]. This attribute is optional, case insensitive, mutable, and returned by default. Shahzad, et al. Expires 21 November 2024 [Page 18] Internet-Draft SCIM Device Schema Extensions May 2024 classChannel This attribute is an array of strings of global operating class and channel shared as bootstrapping information. It is formatted as class/channel. For example, ['81/1','115/36']. This attribute is optional, case insensitive, mutable, and returned by default. +====================+=====+===+======+=========+========+========+ | Attribute |Multi|Req| Case | Mutable | Return | Unique | | |Value| | Exact| | | | +====================+=====+===+======+=========+========+========+ | dppVersion | F | T | F | RW | Def | None | +--------------------+-----+---+------+---------+--------+--------+ | bootstrapKey | F | T | T | RW | Def | None | +--------------------+-----+---+------+---------+--------+--------+ | deviceMacAddress | F | F | F | RW | Def | Manuf | +--------------------+-----+---+------+---------+--------+--------+ | serialNumber | F | F | F | RW | Def | None | +--------------------+-----+---+------+---------+--------+--------+ | bootstrappingMethod| T | F | F | RW | Def | None | +--------------------+-----+---+------+---------+--------+--------+ | classChannel | T | F | F | RW | Def | None | +--------------------+-----+---+------+---------+--------+--------+ Figure 2: Characteristics of DPP extension schema attributes. (Req = Required, T = True, F = False, RW = ReadWrite, Def = Default, and Manuf = Manufacturer). An example of a device object with DPP extension is below: Shahzad, et al. Expires 21 November 2024 [Page 19] Internet-Draft SCIM Device Schema Extensions May 2024 { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "urn:ietf:params:scim:schemas:extension:dpp:2.0 :Device"], "id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "displayName": "WiFi Heart Monitor", "active": true, "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device" : { "dppVersion": 2, "bootstrappingMethod": ["QR"], "bootstrapKey": "MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADURzxmt tZoIRIPWGoQMV00XHWCAQIhXruVWOz0NjlkIA=", "deviceMacAddress": "2C:54:91:88:C9:F2", "classChannel": ["81/1", "115/36"], "serialNumber": "4774LH2b4044" }, "meta": { "resourceType": "Device", "created": "2022-01-23T04:56:22Z", "lastModified": "2022-05-13T04:42:34Z", "version": "W\/\"a330bc54f0671c9\"", "location": "https://example.com/v2/Device/e9e30dba-f08f -4109-8486-d5c6a3316111" } } The schema for the DPP extension is presented in JSON format in Section Section 8.5, while the openAPI representation is provided in Section Appendix B.4. 7.3. Ethernet MAB Extension This extension enables a legacy means of (very) weak authentication, known as MAC Authenticated Bypass (MAB), that is supported in many wired ethernet solutions. If the MAC address is known, then the device may be permitted (perhaps limited) access. The extension is identified by the following URI: urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device Shahzad, et al. Expires 21 November 2024 [Page 20] Internet-Draft SCIM Device Schema Extensions May 2024 7.3.1. Single Attribute This extension has a singular attribute: deviceMacAddress This is the Ethernet address to be provisioned onto the network. It takes the identical form as found in both the BLE and DPP extensions. +==================+=======+===+=======+=========+========+========+ | Attribute | Multi |Req| Case | Mutable | Return | Unique | | | Value | | Exact | | | | +==================+=======+===+=======+=========+========+========+ | deviceMacAddress | F |T | F | RW | Def | None | +------------------+-------+---+-------+---------+--------+--------+ Table 4: Characteristics of MAB extension schema attributes (Req = Required, T = True, F = False, RW = ReadWrite, and Def = Default) An example of a device object with EthernetMAB extension is shown below: { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 :Device"], "id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "displayName": "Some random Ethernet Device", "active": true, "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device" : { "deviceMacAddress": "2C:54:91:88:C9:E2" }, "meta": { "resourceType": "Device", "created": "2022-01-23T04:56:22Z", "lastModified": "2022-05-13T04:42:34Z", "version": "W\/\"a330bc54f0671c9\"", "location": "https://example.com/v2/Device/e9e30dba-f08f-4109 -8486-d5c6a3316111" } } Shahzad, et al. Expires 21 November 2024 [Page 21] Internet-Draft SCIM Device Schema Extensions May 2024 The schema for the EthernetMAB extension is presented in JSON format in Section Section 8.6, while the openAPI representation is provided in Section Appendix B.5. 7.4. Fido Device Onboarding Extension This extension specifies a voucher to be used by a Fido Device Onboarding (FDO) owner process [FDO11], so that a trusted introduction can be made using that mechanism. urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device 7.4.1. Single Attribute This extension has a singular attribute: fdoVoucher The voucher is formated as a PEM-encoded object in accordance with the FDO specification (citation needed). +============+=======+=====+=======+=========+========+========+ | Attribute | Multi | Req | Case | Mutable | Return | Unique | | | Value | | Exact | | | | +============+=======+=====+=======+=========+========+========+ | fdoVoucher | F | T | F | RW | Def | None | +------------+-------+-----+-------+---------+--------+--------+ Table 5: Characteristics of FDO extension schema attributes (Req = Required, T = True, F = False, RW = ReadWrite, and Def = Default) An example of a device object with FDO extension is shown below: Shahzad, et al. Expires 21 November 2024 [Page 22] Internet-Draft SCIM Device Schema Extensions May 2024 { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Devices", "urn:ietf:params:scim:schemas:extension:fido-device-onboard :2.0:Devices"], "id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "displayName": "Some random Ethernet Device", "active": true, "urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0 :Devices" : { "fdoVoucher": "{... voucher ...}" }, "meta": { "resourceType": "Device", "created": "2022-01-23T04:56:22Z", "lastModified": "2022-05-13T04:42:34Z", "version": "W\/\"a330bc54f0671c9\"", "location": "https://example.com/v2/Device/e9e30dba-f08f-4109 -8486-d5c6a3316111" } } The schema for the FDO extension is presented in JSON format in Section Section 8.7, while the openAPI representation is provided in Section Appendix B.6. 7.5. Zigbee Extension A schema that extends the device schema to enable the provisioning of Zigbee devices. The extension is identified using the following schema URI: urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device It has one singular attribute and one multivalued attribute. The attributes are as follows: 7.5.1. Singular Attribute deviceEui64Address An EUI-64 (Extended Unique Identifier) device address stored as string. This attribute is required, case insensitive, mutable, and returned by default. The regex pattern is as follows: Shahzad, et al. Expires 21 November 2024 [Page 23] Internet-Draft SCIM Device Schema Extensions May 2024 ^[0-9A-Fa-f]{16}$ 7.5.2. Multivalued Attribute versionSupport An array of strings of all the Zigbee versions supported by the device. For example, [3.0]. This attribute is required, case insensitive, mutable, and returned by default. +====================+=====+===+=======+=========+========+========+ | Attribute |Multi|Req| Case | Mutable | Return | Unique | | |Value| | Exact | | | | +====================+=====+===+=======+=========+========+========+ | deviceEui64Address |F |T | F | RW | Def | None | +--------------------+-----+---+-------+---------+--------+--------+ | versionSupport |T |T | F | RW | Def | None | +--------------------+-----+---+-------+---------+--------+--------+ Table 6: Characteristics of Zigbee extension schema attributes. (Req = Required, T = True, F = False, RW = ReadWrite, and Def = Default) An example of a device object with Zigbee extension is shown below: { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device"], "id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "displayName": "Zigbee Heart Monitor", "active": true, "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device" : { "versionSupport": ["3.0"], "deviceEui64Address": "50325FFFFEE76728" }, "meta": { "resourceType": "Device", "created": "2022-01-23T04:56:22Z", "lastModified": "2022-05-13T04:42:34Z", "version": "W\/\"a330bc54f0671c9\"", "location": "https://example.com/v2/Device/e9e30dba-f08f-4109 -8486-d5c6a3316111" } } Shahzad, et al. Expires 21 November 2024 [Page 24] Internet-Draft SCIM Device Schema Extensions May 2024 The schema for the Zigbee extension is presented in JSON format in Section Section 8.8, while the openAPI representation is provided in Section Appendix B.7. 7.6. The Endpoint Applications Extension Schema Sometimes non-IP devices such as those using BLE or Zigbee require an application gateway interface to manage them. SCIM clients MUST NOT specify this to describe native IP-based devices. endpointAppsExt provides the list application that connect to enterprise gateway. The endpointAppsExt has one multivalued attribute and two singular attributes. The extension is identified using the following schema URI: urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device 7.6.1. Singular Attributes deviceControlEnterpriseEndpoint Device control apps use this URL of the enterprise endpoint to reach the enterprise gateway. When the enterprise receives the SCIM object from the onboarding app, it adds this attribute to it and sends it back as a response to the onboarding app. This attribute is required, case-sensitive, mutable, and returned by default. The uniqueness is enforced by the enterprise. telemetryEnterpriseEndpoint Telemetry apps use this URL of the enterprise endpoint to reach the enterprise gateway. When the enterprise receives the SCIM object from the onboarding app, it adds this attribute to it and sends it back as a response to the onboarding app. This attribute is required, case-sensitive, mutable, and returned by default. The uniqueness is enforced by the enterprise. 7.6.2. Multivalued Attribute applications This is a complex multivalued attribute. It represents a list of endpoint applications i.e., deviceControl and telemetry. Each entry in the list comprises two attributes including "value" and "$ref". value Shahzad, et al. Expires 21 November 2024 [Page 25] Internet-Draft SCIM Device Schema Extensions May 2024 It is the identifier of the endpoint application formated as UUID. It is same as the common attribute "$id" of the resource "endpointApp". It is readOnly, required, case insensitive and returned by default. $ref It is the reference to the respective endpointApp resource object stored in the SCIM server. It is readOnly, required, case sensitive and returned by default. +====================+=====+===+=======+=========+========+========+ | Attribute |Multi|Req| Case | Mutable | Return | Unique | | |Value| | Exact | | | | +====================+=====+===+=======+=========+========+========+ | devContEntEndpoint |F |T | T | R | Def | Ent | +--------------------+-----+---+-------+---------+--------+--------+ | telEntEndpoint |F |T | T | R | Def | Ent | +--------------------+-----+---+-------+---------+--------+--------+ | applications |T |T | F | RW | Def | None | +--------------------+-----+---+-------+---------+--------+--------+ | value |F |T | F | R | Def | None | +--------------------+-----+---+-------+---------+--------+--------+ | $ref |F |T | F | R | Def | None | +--------------------+-----+---+-------+---------+--------+--------+ Table 7: Characteristics of EndpointAppsExt extension schema attributes. DevContEntEndpoint represents attribute deviceControlEnterpriseEndpoint and telEntEndpoint represents telemetryEnterpriseEndpoint. (Req = Required, T = True, F = False, R = ReadOnly, RW = ReadWrite, Ent = Enterprise, and Def = Default). An example of a device object with endpointAppsExt extension is below: { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device", "urn:ietf:params:scim:schemas:extension:ble:2.0:Device", "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0 :Device"], "id": "e9e30dba-f08f-4109-8486-d5c6a3316111", "displayName": "BLE Heart Monitor", "active": true, "urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : { "versionSupport": ["5.3"], "deviceMacAddress": "2C:54:91:88:C9:E2", Shahzad, et al. Expires 21 November 2024 [Page 26] Internet-Draft SCIM Device Schema Extensions May 2024 "isRandom": false, "separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77 :22:12"], "mobility": false, "pairingMethods": [ "urn:ietf:params:scim:schemas:extension:pairingNull:2.0 :Device", "urn:ietf:params:scim:schemas:extension:pairingJustWorks :2.0:Device", "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0 :Device", "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0 :Device"], "urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device" : null, "urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0 :Device": { "key": null }, "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0 :Device" : { "key": 123456 }, "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device": { "key": "TheKeyvalueRetrievedFromOOB", "randNumber": 238796813516896 } }, "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0 :Device": { "applications": [ { "value" : "e9e30dba-f08f-4109-8486-d5c6a3316212", "$ref" : "https://example.com/v2/EndpointApp/e9e30dba-f08f -4109-8486-d5c6a3316212" }, { "value" : "e9e30dba-f08f-4109-8486-d5c6a3316333", "$ref" : "https://example.com/v2/EndpointApp/e9e30dba-f08f -4109-8486-d5c6a3316333" } ], "deviceControlEnterpriseEndpoint": "https//enterprise.com/device_control_app_endpoint/", "telemetryEnterpriseEndpoint": Shahzad, et al. Expires 21 November 2024 [Page 27] Internet-Draft SCIM Device Schema Extensions May 2024 "https//enterprise.com/telemetry_app_endpoint/" }, "meta": { "resourceType": "Device", "created": "2022-01-23T04:56:22Z", "lastModified": "2022-05-13T04:42:34Z", "version": "W\/\"a330bc54f0671c9\"", "location": "https://example.com/v2/Device/e9e30dba-f08f-4109 -8486-d5c6a3316111" } } The schema for the endpointAppsExt extension along with BLE extension is presented in JSON format in Section Section 8.9, while the openAPI representation is provided in Section Appendix B.8. 8. Schema JSON Representation 8.1. Resource Schema Shahzad, et al. Expires 21 November 2024 [Page 28] Internet-Draft SCIM Device Schema Extensions May 2024 [ { "schemas": ["urn:ietf:params:scim:schemas:core:2.0 :ResourceType"], "id": "Device", "name": "Device", "endpoint": "/Devices", "description": "Device Account", "schema": "urn:ietf:params:scim:schemas:core:2.0:Device", "meta": { "location": "https://example.com/v2/ResourceTypes/Device", "resourceType": "ResourceType" } }, { "schemas": ["urn:ietf:params:scim:schemas:core:2.0 :ResourceType"], "id": "EndpointApp", "name": "EndpointApp", "endpoint": "/EndpointApp", "description": "Endpoint application such as device control and telemetry.", "schema": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp", "meta": { "location": "https ://example.com/v2/ResourceTypes/EndpointApp", "resourceType": "ResourceType" } } ] 8.2. Device Core Schema JSON { "id": "urn:ietf:params:scim:schemas:core:2.0:Device", "name": "Device", "description": "Device account", "attributes" : [ { "name": "displayName", "type": "string", "description": "Human readable name of the device, suitable for displaying to end-users. For example, 'BLE Heart Monitor' etc.", "multivalues": false, Shahzad, et al. Expires 21 November 2024 [Page 29] Internet-Draft SCIM Device Schema Extensions May 2024 "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "active", "type": "boolean", "description": "A mutable boolean value indicating the device administrative status. If set TRUE, the commands (such as connect, disconnect, subscribe) that control app sends to the controller for the devices will be processeed by the controller. If set FALSE, any command comming from the control app for the device will be rejected by the controller.", "multivalues": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "mudUrl", "type": "reference", "description": "A URL to MUD file of the device (RFC 8520).", "multivalues": false, "required": false, "caseExact": true, "mutability": "readWrite", "returned": "default", "uniqueness": "none" } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device" } } 8.3. EndpointApp Schema JSON Shahzad, et al. Expires 21 November 2024 [Page 30] Internet-Draft SCIM Device Schema Extensions May 2024 { "id": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp", "name": "EndpointApp", "description": "Endpoint application and their credentials", "attributes" : [ { "name": "applicationType", "type": "string", "description": "This attribute will only contain two values; 'deviceControl' or 'telemetry'.", "multivalues": false, "required": true, "caseExact": false, "mutability": "readOnly", "returned": "default", "uniqueness": "none" }, { "name": "applicationName", "type": "string", "description": "Human readable name of the application.", "multivalues": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "certificateInfo", "type": "complex", "description": "Contains x509 certificate's subject name and root CA information associated with the device control or telemetry app.", "multivalues": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none", "subAttributes" : [ { "name" : "rootCN", "type" : "string", "description" : "A root certificate common name.", "multiValued" : false, "required" : true, Shahzad, et al. Expires 21 November 2024 [Page 31] Internet-Draft SCIM Device Schema Extensions May 2024 "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "subjectName", "type" : "string", "description" : "Also known as the Common Name (CN), the Subject Name is a field in the X.509 certificate that identifies the primary domain or IP address for which the certificate is issued.", "multiValued" : false, "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "subjectAlternativeName", "type" : "string", "description" : "This attribute allows for the inclusion of multiple domain names and IP addresses in a single certificate. This enables the certificate to be used for multiple related domains or IPs without the need for separate certificates for each.", "multiValued" : true, "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" } ] }, { "name": "clientToken", "type": "string", "description": "This attribute contains a token that the client will use to authenticate itself. Each token may be a string up to 500 characters in length.", "multivalues": false, "required": false, "caseExact": true, "mutability": "readOnly", "returned": "default", "uniqueness": "none" Shahzad, et al. Expires 21 November 2024 [Page 32] Internet-Draft SCIM Device Schema Extensions May 2024 } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device" } } 8.4. BLE Extension Schema JSON [ { "id": "urn:ietf:params:scim:schemas:extension:ble:2.0:Device", "name": "bleExtension", "description": "Ble extension for device account", "attributes" : [ { "name": "versionSupport", "type": "string", "description": "Provides a list of all the BLE versions supported by the device. For example, [4.1, 4.2, 5.0, 5.1, 5.2, 5.3].", "multivalues": true, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "deviceMacAddress", "type": "string", "description": "It is the public MAC address assigned by the manufacturer. It is unique 48 bit value. The regex pattern is ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.", "multivalues": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "Manufacturer" }, { "name": "isRandom", "type": "boolean", Shahzad, et al. Expires 21 November 2024 [Page 33] Internet-Draft SCIM Device Schema Extensions May 2024 "description": "The isRandom flag is taken from the BLE core specifications 5.3. If TRUE, device is using Random address which is resolved using IRK. If not present, the value is FALSE.", "multivalues": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "separateBroadcastAddress", "type": "string", "description": "When present, this address is used for broadcasts/advertisements. This value MUST NOT be set when an IRK is provided. Its form is the same as deviceMa`cAddress.", "multivalues": true, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "irk", "type": "string", "description": "Identity resolving key, which is unique for every device. It is used to resolve random address. This value MUST NOT be set when separateBroadcastAddress is set.", "multivalues": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "Manufacturer" }, { "name": "mobility", "type": "bool", "description": "If set to True, the BLE device will automatically connect to the closest AP. For example, BLE device is connected with AP-1 and moves out of range but comes in range of AP-2, it will be disconnected with AP-1 and connects with AP-2.", "multivalues": false, Shahzad, et al. Expires 21 November 2024 [Page 34] Internet-Draft SCIM Device Schema Extensions May 2024 "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "pairingMethods", "type": "string", "description": "List of pairing methods associated with the ble device, stored as schema URI.", "multivalues": true, "required": true, "caseExact": true, "mutability": "readWrite", "returned": "default", "uniqueness": "none" } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas :extension:ble:2.0:Device" } }, { "id": "urn:ietf:params:scim:schemas:extension:pairingNull:2.0 :Device", "name": "nullPairing", "description": "Null pairing method for ble. It is included for the devices that do not have a pairing method.", "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas :extension:pairingNull:2.0:Device" } }, { "id": "urn:ietf:params:scim:schemas:extension:pairingJustWorks :2.0:Device", "name": "pairingJustWorks", "description": "Just works pairing method for ble.", "attributes" : [ { "name": "key", "type": "integer", "description": "Just works does not have any key value. For completeness, it is added with a key value 'null'.", Shahzad, et al. Expires 21 November 2024 [Page 35] Internet-Draft SCIM Device Schema Extensions May 2024 "multivalues": false, "required": true, "caseExact": false, "mutability": "immutable", "returned": "default", "uniqueness": "none" } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas :extension:pairingJustWorks:2.0:Device" } }, { "id": "urn:ietf:params:scim:schemas:extension:pairingPassKey :2.0:Device", "name": "pairingPassKey", "description": "Pass key pairing method for ble.", "attributes" : [ { "name": "key", "type": "integer", "description": "A six digit passkey for ble device. The pattern of key is ^[0-9]{6}$.", "multivalues": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas :extension:pairingPassKey:2.0:Device" } }, { "id": "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0 :Device", "name": "pairingOOB", "description": "Pass key pairing method for ble.", "attributes" : [ { "name": "key", "type": "string", Shahzad, et al. Expires 21 November 2024 [Page 36] Internet-Draft SCIM Device Schema Extensions May 2024 "description": "A key value retrieved from out of band source such as NFC.", "multivalues": false, "required": true, "caseExact": true, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "randomNumber", "type": "integer", "description": "Nonce added to the key.", "multivalues": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "confirmationNumber", "type": "integer", "description": "Some solutions require confirmation number in RESTful message exchange.", "multivalues": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas :extension:pairingOOB:2.0:Device" } } ] 8.5. DPP Extension Schema JSON Shahzad, et al. Expires 21 November 2024 [Page 37] Internet-Draft SCIM Device Schema Extensions May 2024 { "id": "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device", "name": "dppExtension", "description": "Device extension schema for DPP", "attributes" : [ { "name": "dppVersion", "type": "integer", "description": "Version of DPP this device supports.", "multivalues": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "bootstrappingMethod", "type": "string", "description": "The list of all the bootstrapping methods available on the enrollee device. For example, [QR, NFC].", "multivalues": true, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "bootstrapKey", "type": "string", "description": "This key is Elliptic-Curve Diffie–Hellman (ECDH) public key. The base64 encoded length for P-256, P-384, and P-521 is 80, 96, and 120 characters.", "multivalues": false, "required": true, "caseExact": true, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "deviceMacAddress", "type": "string", "description": "The MAC address assigned by the manufacturer. It is unique 48 bit value. The regex Shahzad, et al. Expires 21 November 2024 [Page 38] Internet-Draft SCIM Device Schema Extensions May 2024 pattern is ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.", "multivalues": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "Manufacturer" }, { "name": "classChannel", "type": "string", "description": "A list of global operating class and channel shared as bootstrapping information. It is formatted as class/channel. For example, '81/1', '115/36'.", "multivalues": true, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "serialNumber", "type": "string", "description": "An alphanumeric serial number that may also be passed as bootstrapping information.", "multivalues": false, "required": false, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas :extension:dpp:2.0:Device" } } 8.6. Ethernet MAB Extension Schema JSON Shahzad, et al. Expires 21 November 2024 [Page 39] Internet-Draft SCIM Device Schema Extensions May 2024 { "id": "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 :Device", "name": "ethernetMabExtension", "description": "Device extension schema for MAC authentication Bypass.", "attributes" : [ { "name": "deviceMacAddress", "type": "string", "description": "A MAC address assigned by the manufacturer. It is unique 48 bit value. The regex pattern is ^[0-9A -Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.", "multivalues": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "Manufacturer" } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas :extension:ethernet-mab:2.0:Device" } } 8.7. FDO Extension Schema JSON Shahzad, et al. Expires 21 November 2024 [Page 40] Internet-Draft SCIM Device Schema Extensions May 2024 { "id": "urn:ietf:params:scim:schemas:extension:fido-device-onboard :2.0:Devices", "name": "FDOExtension", "description": "Device extension schema for Fido Device Onboard.", "attributes" : [ { "name": "fdoVoucher", "type": "string", "description": "A Fido Voucher as Defined in the FDO specification" "multivalues": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "Manufacturer" } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas :extension:fido-device-onboard:2.0:Devices" } } 8.8. Zigbee Extension Schema JSON Shahzad, et al. Expires 21 November 2024 [Page 41] Internet-Draft SCIM Device Schema Extensions May 2024 { "id": "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device", "name": "zigbeeExtension", "description": "Device extension schema for zigbee.", "attributes" : [ { "name": "versionSupport", "type": "string", "description": "Provides a list of all the zigbee versions supported by the device. For example, [3.0].", "multivalues": true, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" }, { "name": "deviceEui64Address", "type": "string", "description": "The EUI-64 (Extended Unique Identifier) device address. The regex pattern is ^[0-9A-Fa-f]{16}$.", "multivalues": false, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none" } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas :extension:zigbee:2.0:Device" } } 8.9. EndpointAppsExt JSON Extension Schema { "id": "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0 :Device", "name": "endpointAppsExt", "description": "Extension for partner endpoint applications that can onboard, control, and communicate with the device.", Shahzad, et al. Expires 21 November 2024 [Page 42] Internet-Draft SCIM Device Schema Extensions May 2024 "attributes" : [ { "name": "applications", "type": "complex", "description": "Includes references to two types of application that connect with entrprise, i.e., deviceControl and telemetry.", "multivalues": true, "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "none", "subAttributes" : [ { "name" : "value", "type" : "string", "description" : "The identifier of the endpointApp.", "multiValued" : false, "required" : true, "caseExact" : false, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "$ref", "type" : "reference", "referenceTypes" : "EndpointApps", "description" : "The URI of the corresponding 'EndpointApp' resource which will control or obtain data from the device.", "multiValued" : false, "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" } ] }, { "name": "deviceControlEnterpriseEndpoint", "type": "reference", "description": "The URL of the enterprise endpoint which device control apps use to reach enterprise network gateway.", "multivalues": false, Shahzad, et al. Expires 21 November 2024 [Page 43] Internet-Draft SCIM Device Schema Extensions May 2024 "required": true, "caseExact": true, "mutability": "readOnly", "returned": "default", "uniqueness": "Enterprise" }, { "name": "telemetryEnterpriseEndpoint", "type": "reference", "description": "The URL of the enterprise endpoint which telemetry apps use to reach enterprise network gateway.", "multivalues": false, "required": true, "caseExact": true, "mutability": "readOnly", "returned": "default", "uniqueness": "Enterprise" } ], "meta" : { "resourceType" : "Schema", "location" : "/v2/Schemas/urn:ietf:params:scim:schemas :extension:endpointAppsExt:2.0:Device" } } 8.10. Representation of Schema The following is the JSON representation of the Schema. Implementors MUST NOT vary from the schema definitions in their implementations. They may choose not to implement a particular extension, but if they do, they MUST implement all mandatory elements, and they must implement optional elements as specified. { "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema", "name" : "Schema", "description" : "Specifies the schema that describes a SCIM schema", "attributes" : [ { "name" : "id", "type" : "string", "multiValued" : false, "description" : "The unique URI of the schema. When applicable, service providers MUST specify the URI.", Shahzad, et al. Expires 21 November 2024 [Page 44] Internet-Draft SCIM Device Schema Extensions May 2024 "required" : true, "caseExact" : false, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "name", "type" : "string", "multiValued" : false, "description" : "The schema's human-readable name. When applicable, service providers MUST specify the name, e.g., 'Device'.", "required" : true, "caseExact" : false, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "description", "type" : "string", "multiValued" : false, "description" : "Human-readable description of the schema, e.g., 'Device account'.", "required" : false, "caseExact" : false, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "attributes", "type" : "complex", "multiValued" : true, "description" : "A complex attribute that includes the attributes of a schema.", "required" : true, "mutability" : "readOnly", "returned" : "default", "subAttributes" : [ { "name" : "name", "type" : "string", "multiValued" : false, "description" : "The attribute's name, e.g., 'displayName'.", "required" : true, Shahzad, et al. Expires 21 November 2024 [Page 45] Internet-Draft SCIM Device Schema Extensions May 2024 "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "type", "type" : "string", "multiValued" : false, "description" : "The attribute's data type. Valid values include 'string', 'complex', 'boolean', 'decimal', 'integer', 'dateTime', 'reference'.", "required" : true, "caseExact" : false, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none", "canonicalValues" : [ "string", "complex", "boolean", "decimal", "integer", "dateTime", "reference" ] }, { "name" : "multiValued", "type" : "boolean", "multiValued" : false, "description" : "A Boolean value indicating an attribute's plurality.", "required" : true, "mutability" : "readOnly", "returned" : "default" }, { "name" : "description", "type" : "string", "multiValued" : false, "description" : "A human-readable description of the attribute.", "required" : true, "caseExact" : false, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" Shahzad, et al. Expires 21 November 2024 [Page 46] Internet-Draft SCIM Device Schema Extensions May 2024 }, { "name" : "required", "type" : "boolean", "multiValued" : false, "description" : "A boolean value indicating whether or not the attribute is required.", "required" : true, "mutability" : "readOnly", "returned" : "default" }, { "name" : "canonicalValues", "type" : "string", "multiValued" : true, "description" : "A collection of canonical values. When applicable, service providers MUST specify the canonical types, e.g., mutability of an attribute, return type, uniqueness.", "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "caseExact", "type" : "boolean", "multiValued" : false, "description" : "A Boolean value indicating whether or not a string attribute is case sensitive.", "required" : false, "mutability" : "readOnly", "returned" : "default" }, { "name" : "mutability", "type" : "string", "multiValued" : false, "description" : "Indicates whether or not an attribute is modifiable.", "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none", "canonicalValues" : [ "readOnly", Shahzad, et al. Expires 21 November 2024 [Page 47] Internet-Draft SCIM Device Schema Extensions May 2024 "readWrite", "immutable", "writeOnly" ] }, { "name" : "returned", "type" : "string", "multiValued" : false, "description" : "Indicates when an attribute is returned in a response (e.g., to a query).", "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none", "canonicalValues" : [ "always", "never", "default", "request" ] }, { "name" : "uniqueness", "type" : "string", "multiValued" : false, "description" : "Indicates how unique a value must be.", "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none", "canonicalValues" : [ "none", "Enterprise", "Manufacturer" ] }, { "name" : "referenceTypes", "type" : "string", "multiValued" : false, "description" : "Used only with an attribute of type 'reference'. Specifies a SCIM resourceType that a reference attribute MAY refer to, e.g., 'EndpointApp'.", "required" : false, Shahzad, et al. Expires 21 November 2024 [Page 48] Internet-Draft SCIM Device Schema Extensions May 2024 "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "subAttributes", "type" : "complex", "multiValued" : true, "description" : "Used to define the sub-attributes of a complex attribute.", "required" : false, "mutability" : "readOnly", "returned" : "default", "subAttributes" : [ { "name" : "name", "type" : "string", "multiValued" : false, "description" : "The attribute's name.", "required" : true, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "type", "type" : "string", "multiValued" : false, "description" : "The attribute's data type. Valid values include 'string', 'complex', 'boolean', 'decimal', 'integer', 'dateTime', 'reference'.", "required" : true, "caseExact" : false, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none", "canonicalValues" : [ "string", "complex", "boolean", "decimal", "integer", "dateTime", "reference" ] }, Shahzad, et al. Expires 21 November 2024 [Page 49] Internet-Draft SCIM Device Schema Extensions May 2024 { "name" : "multiValued", "type" : "boolean", "multiValued" : false, "description" : "A Boolean value indicating an attribute's plurality.", "required" : true, "mutability" : "readOnly", "returned" : "default" }, { "name" : "description", "type" : "string", "multiValued" : false, "description" : "A human-readable description of the attribute.", "required" : true, "caseExact" : false, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "required", "type" : "boolean", "multiValued" : false, "description" : "A boolean value indicating whether or not the attribute is required.", "required" : true, "mutability" : "readOnly", "returned" : "default" }, { "name" : "canonicalValues", "type" : "string", "multiValued" : true, "description" : "A collection of canonical values. When applicable, service providers MUST specify the canonical types, e.g., mutability of an attribute, return type, uniqueness.", "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" }, { "name" : "caseExact", Shahzad, et al. Expires 21 November 2024 [Page 50] Internet-Draft SCIM Device Schema Extensions May 2024 "type" : "boolean", "multiValued" : false, "description" : "A Boolean value indicating whether or not a string attribute is case sensitive.", "required" : false, "mutability" : "readOnly", "returned" : "default" }, { "name" : "mutability", "type" : "string", "multiValued" : false, "description" : "Indicates whether or not an attribute is modifiable.", "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none", "canonicalValues" : [ "readOnly", "readWrite", "immutable", "writeOnly" ] }, { "name" : "returned", "type" : "string", "multiValued" : false, "description" : "Indicates when an attribute is returned in a response (e.g., to a query).", "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none", "canonicalValues" : [ "always", "never", "default", "request" ] }, { "name" : "uniqueness", "type" : "string", "multiValued" : false, Shahzad, et al. Expires 21 November 2024 [Page 51] Internet-Draft SCIM Device Schema Extensions May 2024 "description" : "Indicates how unique a value must be.", "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none", "canonicalValues" : [ "none", "Enterprise", "Manufacturer" ] }, { "name" : "referenceTypes", "type" : "string", "multiValued" : false, "description" : "Used only with an attribute of type 'reference'. Specifies a SCIM resourceType that a reference attribute MAY refer to, e.g., 'EndpointApp'.", "required" : false, "caseExact" : true, "mutability" : "readOnly", "returned" : "default", "uniqueness" : "none" } ] } ] } ] } 9. Security Considerations Because provisioning operations are senstive, each client must be appropriately authenticated. Certain objects may be read-only or not visible based on who is connected. Devices provisioned with this model may be completely controlled by the administrator of the SCIM server, depending on how those systems are defined. For instance, if BLE passkeys are provided, the device can be connected to, and perhaps paired with. Any additional security must be provided at higher application layers. For example, if client applications wish to keep private information to and from the device, they should encrypt that information over-the-top. Shahzad, et al. Expires 21 November 2024 [Page 52] Internet-Draft SCIM Device Schema Extensions May 2024 10. IANA Considerations 10.1. New Schemas The IANA is requested to add the following additions to the "SCIM Schema URIs for Data Resources" registry as follows: +====================================+=============+============+ | URN | Name | Reference | +====================================+=============+============+ | urn:ietf:params:scim:schemas:core: | Core Device | This memo, | | 2.0:Device | Schema | Section 3 | +------------------------------------+-------------+------------+ | urn:ietf:params:scim:schemas:core: | Endpoint | This memo, | | 2.0:EndpointApp | Application | Section 6 | +------------------------------------+-------------+------------+ Table 8 Note that the line break in URNs should be removed, as should this comment. 10.2. Device Schema Extensions IANA is requested to create a separate table for Device Schema Extensions, as described in Section 7, with the following columns: * schemaExtensionURI * Short Description * Reference The policy for entries into this table shall be both "Expert Review" and "Specification Required", as specified in [RFC8126]. Reviewers shall check that each schema is produced in the format described in [RFC7643], and that the semantics of the schema are clear and unambiguous. It is also RECOMMENDED that schemas be made available in OpenAPI. The initial table entries shall be as follows: Shahzad, et al. Expires 21 November 2024 [Page 53] Internet-Draft SCIM Device Schema Extensions May 2024 +=========================================+=============+===========+ | URN | Description |Reference | +=========================================+=============+===========+ | urn:ietf:params:scim:schemas:extension: | BLE |This memo, | | ble:2.0:Device | Extension |Section | | | |7.1 | +-----------------------------------------+-------------+-----------+ | urn:ietf:params:scim:schemas:extension: | Ethernet |This memo, | | ethernet-mab:2.0:Device | MAB |Section | | | |7.3 | +-----------------------------------------+-------------+-----------+ | urn:ietf:params:scim:schemas:extension: | Fido Device |This memo, | | fido-device-onboard:2.0:Device | Onboard |Section | | | |7.4 | +-----------------------------------------+-------------+-----------+ | urn:ietf:params:scim:schemas:extension: | Wifi |This memo, | | dpp:2.0:Device | EasyConnect |Section | | | |7.2 | +-----------------------------------------+-------------+-----------+ | urn:ietf:params:scim:schemas:extension: | Application |This memo, | | endpointAppsExt:2.0:Device | Endpoint |Section | | | Extension |7.1.3 | +-----------------------------------------+-------------+-----------+ | urn:ietf:params:scim:schemas:extension: | Just Works |This memo, | | pairingJustWorks:2.0:Device | Auth BLE |Section | | | |7.1.3 | +-----------------------------------------+-------------+-----------+ | urn:ietf:params:scim:schemas:extension: | Out of Band |This memo, | | pairingOOB:2.0:Device | Pairing for |Section | | | BLE |7.1.3 | +-----------------------------------------+-------------+-----------+ | urn:ietf:params:scim:schemas:extension: | Passkey |This memo, | | pairingPassKey:2.0:Device | Pairing for |Section | | | BLE |7.1.3 | +-----------------------------------------+-------------+-----------+ Table 9 11. References 11.1. Normative References [BLE53] Bluetooth SIG, "Bluetooth Core Specification, Version 5.3", 2021. [DPP2] Wi-Fi Alliance, "Wi-Fi Easy Connect Specification, Version 2.0", 2020. Shahzad, et al. Expires 21 November 2024 [Page 54] Internet-Draft SCIM Device Schema Extensions May 2024 [FDO11] FIDO Alliance, "FIDO Device Onboading Specification 1.1", April 2022. [I-D.bhutton-json-schema] Wright, A., Andrews, H., Hutton, B., and G. Dennis, "JSON Schema: A Media Type for Describing JSON Documents", Work in Progress, Internet-Draft, draft-bhutton-json-schema-01, 10 June 2022, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7643] Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C. Mortimore, "System for Cross-domain Identity Management: Core Schema", RFC 7643, DOI 10.17487/RFC7643, September 2015, . [RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E., and C. Mortimore, "System for Cross-domain Identity Management: Protocol", RFC 7644, DOI 10.17487/RFC7644, September 2015, . [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8520] Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage Description Specification", RFC 8520, DOI 10.17487/RFC8520, March 2019, . 11.2. Informative References [I-D.brinckman-nipc] Brinckman, B., Mohan, R., and B. Sanford, "An Application Layer Interface for Non-IP device control (NIPC)", Work in Progress, Internet-Draft, draft-brinckman-nipc-01, 21 April 2024, . Shahzad, et al. Expires 21 November 2024 [Page 55] Internet-Draft SCIM Device Schema Extensions May 2024 [RFC8995] Pritikin, M., Richardson, M., Eckert, T., Behringer, M., and K. Watsen, "Bootstrapping Remote Secure Key Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995, May 2021, . Appendix A. Changes from Earlier Versions Draft -03: * Add MAB, FDO * Some grammar improvements * fold OpenAPI * IANA considerations Draft -02: * Clean up examples * Move openapi to appendix Draft -01: * Doh! We forgot the core device scheme! Draft -00: * Initial revision Appendix B. OpenAPI representation The following sections are provided for informational purposes. B.1. Device Core Schema OpenAPI Representation OpenAPI representation of device core schema is as follows: components: schemas: Device: title: Device description: Device account type: object properties: displayName: type: string description: "Human readable name of the device, suitable for displaying to end-users. For example, 'BLE Heart Monitor' etc." nullable: true readOnly: false writeOnly: false active: type: boolean description: A mutable boolean value indicating the device administrative status. If set TRUE, the commands (such as connect, disconnect, subscribe) that control app sends to the Shahzad, et al. Expires 21 November 2024 [Page 56] Internet-Draft SCIM Device Schema Extensions May 2024 controller for the devices will be processeed by the controller. If set FALSE, any command comming from the control app for the device will be rejected by the controller. nullable: false readOnly: false writeOnly: false mudUrl: type: string format: uri description: A URL to MUD file of the device (RFC 8520). It is added for future use. Current usage is not defined yet. nullable: true readOnly: false writeOnly: false required: - active additionalProperties: false allOf: - $ref: '#/components/schemas/CommonAttributes' CommonAttributes: type: object properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:core:2.0:Device description: The list of schemas that define the resource. nullable: false id: type: string format: uri description: The unique identifier for a resource. nullable: false readOnly: true writeOnly: false externalId: type: string description: An identifier for the resource that is defined by the provisioning client. nullable: true readOnly: false writeOnly: false Shahzad, et al. Expires 21 November 2024 [Page 57] Internet-Draft SCIM Device Schema Extensions May 2024 meta: type: object readOnly: true properties: resourceType: type: string description: The name of the resource type of the resource. nullable: false readOnly: true writeOnly: false location: type: string format: uri description: The URI of the resource being returned. nullable: false readOnly: true writeOnly: false created: type: string format: date-time description: The date and time the resource was added to the service provider. nullable: false readOnly: true writeOnly: false lastModified: type: string format: date-time description: The most recent date and time that the details of this resource were updated at the service provider. nullable: false readOnly: true writeOnly: false version: type: string description: The version of the resource. nullable: true readOnly: true writeOnly: false additionalProperties: false B.2. EndpointApp Schema OpenAPI Representation OpenAPI representation of endpointApp schema is as follows: Shahzad, et al. Expires 21 November 2024 [Page 58] Internet-Draft SCIM Device Schema Extensions May 2024 components: schemas: EndpointApp: title: EndpointApp description: Endpoint application resource type: object properties: applicationType: type: string description: "This attribute will only contain two values; 'deviceControl' or 'telemetry'." nullable: false readOnly: false writeOnly: false applicationName: type: string description: Human readable name of the application. nullable: false readOnly: false writeOnly: false required: - applicationType - applicationName additionalProperties: true oneOf: - $ref: '#/components/schemas/clientToken' - $ref: '#/components/schemas/certificateInfo' allOf: - $ref: '#/components/schemas/CommonAttributes' clientToken: type: string description: "This attribute contains a token that the client will use to authenticate itself. Each token may be a string up to 500 characters in length." nullable: true readOnly: true writeOnly: false certificateInfo: type: object description: "Contains x509 certificate's subject name and root CA information associated with the device Shahzad, et al. Expires 21 November 2024 [Page 59] Internet-Draft SCIM Device Schema Extensions May 2024 control or telemetry app." properties: rootCN: type: string description: "A root certificate common name." nullable: false readOnly: true writeOnly: false subjectName: type: string description: "Also known as the Common Name (CN), the Subject Name is a field in the X.509 certificate that identifies the primary domain or IP address for which the certificate is issued." nullable: false readOnly: true writeOnly: false subjectAlternativeName: type: array items: type: string description: "This attribute allows for the inclusion of multiple domain names and IP addresses in a single certificate. This enables the certificate to be used for multiple related domains or IPs without the need for separate certificates for each. " nullable: true readOnly: true writeOnly: false required: - rootCN CommonAttributes: type: object properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:core:2.0:EndpointApp description: The list of schemas that define the resource. nullable: false id: Shahzad, et al. Expires 21 November 2024 [Page 60] Internet-Draft SCIM Device Schema Extensions May 2024 type: string format: uri description: The unique identifier for a resource. nullable: false readOnly: true writeOnly: false meta: type: object readOnly: true properties: resourceType: type: string description: The name of the resource type of the resource. nullable: false readOnly: true writeOnly: false location: type: string format: uri description: The URI of the resource being returned. nullable: false readOnly: true writeOnly: false created: type: string format: date-time description: The date and time the resource was added to the service provider. nullable: false readOnly: true writeOnly: false lastModified: type: string format: date-time description: The most recent date and time that the details of this resource were updated at the service provider. nullable: false readOnly: true writeOnly: false version: type: string description: The version of the resource. nullable: true readOnly: true writeOnly: false additionalProperties: false Shahzad, et al. Expires 21 November 2024 [Page 61] Internet-Draft SCIM Device Schema Extensions May 2024 B.3. BLE Extension Schema OpenAPI Representation OpenAPI representation of BLE extension schema is as follows: components: schemas: BleDevice: type: object description: BLE Device schema. properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:extension:ble:2.0 :Device urn:ietf:params:scim:schemas:extension:ble:2.0:Device: $ref: '#/components/schemas/BleDeviceExtension' required: true BleDeviceExtension: type: object properties: versionSupport: type: array items: type: string description: Provides a list of all the BLE versions supported by the device. For example, [4.1, 4.2, 5.0, 5.1, 5.2, 5.3]. nullable: false readOnly: false writeOnly: false deviceMacAddress: type: string description: It is the public MAC address assigned by the manufacturer. It is unique 48 bit value. The regex pattern is ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. nullable: false readOnly: false writeOnly: false isRandom: Shahzad, et al. Expires 21 November 2024 [Page 62] Internet-Draft SCIM Device Schema Extensions May 2024 type: boolean description: AddressType flag is taken from the BLE core specifications 5.3. If FALSE, the device is using public MAC address. If TRUE, device is using Random address which is resolved using the IRK. nullable: false readOnly: false writeOnly: false separateBroadcastAddress: type: string description: "When present, this address is used for broadcasts/advertisements. This value MUST NOT be set when an IRK is provided. Its form is the same as deviceMa`cAddress." nullable: false readOnly: false writeOnly: false irk: type: string description: Identity resolving key, which is unique for every device. It is used to resolve random address. nullable: true readOnly: false writeOnly: false mobility: type: boolean description: If set to True, the BLE device will automatically connect to the closest AP. For example, BLE device is connected with AP-1 and moves out of range but comes in range of AP -2, it will be disconnected with AP-1 and connects with AP-2. nullable: false readOnly: false writeOnly: false pairingMethods: type: array items: type: string description: List of pairing methods associated with the Shahzad, et al. Expires 21 November 2024 [Page 63] Internet-Draft SCIM Device Schema Extensions May 2024 ble device, stored as schema URI. nullable: true readOnly: false writeOnly: false urn:ietf:params:scim:schemas:extension:pairingNull:2.0 :Device: $ref: '#/components/schemas/NullPairing' required: false urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0 :Device: $ref: '#/components/schemas/PairingJustWorks' required: false urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0 :Device: $ref: '#/components/schemas/PairingPassKey' required: false urn:ietf:params:scim:schemas:extension:pairingOOB:2.0 :Device: $ref: '#/components/schemas/PairingOOB' required: false required: - versionSupport - deviceMacAddress - AddressType - pairingMethods additionalProperties: false NullPairing: type: object properties: id: type: string description: The id of the null pairing schema. nullable: false readOnly: true writeOnly: false PairingJustWorks: type: object description: Just works pairing method for ble properties: key: type: integer description: Just works does not have any key value. For completeness, it is added with a key value 'null'. nullable: false readOnly: false Shahzad, et al. Expires 21 November 2024 [Page 64] Internet-Draft SCIM Device Schema Extensions May 2024 writeOnly: false required: - key PairingPassKey: type: object description: Pass key pairing method for ble properties: key: type: integer description: A six digit passkey for ble device. The pattern of key is ^[0-9]{6}$. nullable: false readOnly: false writeOnly: false required: - key PairingOOB: type: object description: Out-of-band pairing method for BLE properties: key: type: string description: The OOB key value for ble device. nullable: false readOnly: false writeOnly: false randomNumber: type: integer description: Nonce added to the key nullable: false readOnly: false writeOnly: false confirmationNumber: type: integer description: Some solutions require a confirmation number in the RESTful message exchange. nullable: true readOnly: false writeOnly: false required: - key - randomNumber Shahzad, et al. Expires 21 November 2024 [Page 65] Internet-Draft SCIM Device Schema Extensions May 2024 B.4. DPP Extension Schema OpenAPI Representation OpenAPI representation of DPP extension schema is as follows: components: schemas: DppDevice: type: object description: DPP device extension schema properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:extension:dpp:2.0 :Device urn:ietf:params:scim:schemas:extension:dpp:2.0:Device: $ref: '#/components/schemas/DppDeviceExtension' required: true DppDeviceExtension: type: object properties: dppVersion: type: integer description: Version of DPP this device supports. nullable: false readOnly: false writeOnly: false bootstrappingMethod: type: array items: type: string description: The list of all the bootstrapping methods available on the enrollee device. For example, [QR, NFC]. nullable: true readOnly: false writeOnly: false bootstrapKey: type: string description: This key is Elliptic-Curve Diffie–Hellman (ECDH) public key. The base64 encoded length for P-256, P-384, and P-521 is 80, 96, and 120 characters. nullable: false Shahzad, et al. Expires 21 November 2024 [Page 66] Internet-Draft SCIM Device Schema Extensions May 2024 readOnly: false writeOnly: false deviceMacAddress: type: string description: The MAC address assigned by the manufacturer. The regex pattern is ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. nullable: false readOnly: false writeOnly: false classChannel: type: array items: type: string description: A list of global operating class and channel shared as bootstrapping information. It is formatted as class/channel. For example, '81/1', '115/36'. nullable: false readOnly: false writeOnly: false serialNumber: type: string description: An alphanumeric serial number that may also be passed as bootstrapping information. nullable: false readOnly: false writeOnly: false required: - dppVersion - bootstrapKey additionalProperties: false B.5. Ethernet MAB Extension Schema OpenAPI Representation OpenAPI representation of Ethernet MAB extension schema is as follows: Shahzad, et al. Expires 21 November 2024 [Page 67] Internet-Draft SCIM Device Schema Extensions May 2024 components: schemas: EthernetMABDevice: type: object description: Ethernet MAC Authenticated Bypass properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:extension:ethernet-mab :2.0:Device urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 :Device: $ref: '#/components/schemas/EthernetMABDeviceExtension' required: true EthernetMABDeviceExtension: type: object properties: deviceMacAddress: type: string description: It is the public MAC address assigned by the manufacturer. It is unique 48 bit value. The regex pattern is ^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}. nullable: false readOnly: false writeOnly: false required: - deviceMacAddress description: Device extension schema for Ethernet-MAB B.6. FDO Extension Schema OpenAPI Representation OpenAPI representation of FDO extension schema is as follows: Shahzad, et al. Expires 21 November 2024 [Page 68] Internet-Draft SCIM Device Schema Extensions May 2024 components: schemas: FDODevice: type: object description: Fido Device Onboarding Voucher Extension properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:extension:ethernet-mab :2.0:Devices urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0 :Devices: $ref: '#/components/schemas/FDODeviceExtension' required: true FDODeviceExtension: type: object properties: fdoVoucher: type: string description: A Fido Device Onboarding Voucher nullable: false readOnly: false writeOnly: false required: - fdoVoucher description: Device Extension for a Fido Device Onboarding Voucher B.7. Zigbee Extension Schema OpenAPI Representation OpenAPI representation of zigbee extension schema is as follows: Shahzad, et al. Expires 21 November 2024 [Page 69] Internet-Draft SCIM Device Schema Extensions May 2024 components: schemas: ZigbeeDevice: type: object description: Zigbee Device schema. properties: schemas: type: array items: type: string enum: - urn:ietf:params:scim:schemas:extension:zigbee:2.0 :Device urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device: $ref: '#/components/schemas/ZigbeeDeviceExtension' required: true ZigbeeDeviceExtension: type: object properties: versionSupport: type: array items: type: string description: Provides a list of all the Zigbee versions supported by the device. For example, [3.0]. nullable: false readOnly: false writeOnly: false deviceEui64Address: type: string description: The EUI-64 (Extended Unique Identifier) device address. The regex pattern is ^[0-9A-Fa-f]{16}$. nullable: false readOnly: false writeOnly: false required: - versionSupport - deviceEui64Address description: Device extension schema for Zigbee. B.8. EndpointAppsExt Extension Schema OpenAPI Representation OpenAPI representation of endpoint Apps extension schema is as follows: Shahzad, et al. Expires 21 November 2024 [Page 70] Internet-Draft SCIM Device Schema Extensions May 2024 components: schemas: EndpointAppsExt: type: object properties: applications: $ref: '#/components/schemas/applications' deviceControlEnterpriseEndpoint: type: string format: url description: The URL of the enterprise endpoint which device control apps use to reach enterprise network gateway. nullable: false readOnly: true writeOnly: false telemetryEnterpriseEndpoint: type: string format: url description: The URL of the enterprise endpoint which telemetry apps use to reach enterprise network gateway. nullable: false readOnly: true writeOnly: false required: - applications - deviceControlEnterpriseEndpoint - telemetryEnterpriseEndpoint applications: type: array items: value: type: string description: The identifier of the endpointApp. nullable: false readOnly: true writeOnly: false ref: type: string format: uri Shahzad, et al. Expires 21 November 2024 [Page 71] Internet-Draft SCIM Device Schema Extensions May 2024 description: The URI of the corresponding 'EndpointApp' resource which will control or obtain data from the device. nullable: false readOnly: true writeOnly: false required: - value - ref Authors' Addresses Muhammad Shahzad North Carolina State University Department of Computer Science 890 Oval Drive Campus Box 8206 Raleigh, NC, 27695-8206 United States of America Email: mshahza@ncsu.edu Hassan Iqbal North Carolina State University Department of Computer Science 890 Oval Drive Campus Box 8206 Raleigh, NC, 27695-8206 United States of America Email: hassaniqbal931@gmail.com Eliot Lear Cisco Systems Richtistrasse 7 CH-8304 Wallisellen Switzerland Phone: +41 44 878 9200 Email: lear@cisco.com Shahzad, et al. Expires 21 November 2024 [Page 72]