RFC Errata


Found 38 records.

Status: Verified (16)

RFC 7643, "System for Cross-domain Identity Management: Core Schema", September 2015

Note: This RFC has been updated by RFC 9865

Source of RFC: scim (sec)

Errata ID: 5368
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Brendan McCollam
Date Reported: 2018-05-24
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 8.7.1 says:

  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
    "name" : "Group",
    "description" : "Group",
    "attributes" : [
      {
        "name" : "displayName",
        "type" : "string",
        "multiValued" : false,
        "description" : "A human-readable name for the Group.
REQUIRED.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },

It should say:

  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
    "name" : "Group",
    "description" : "Group",
    "attributes" : [
      {
        "name" : "displayName",
        "type" : "string",
        "multiValued" : false,
        "description" : "A human-readable name for the Group.
REQUIRED.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },

Notes:

On page 68, in the JSON example schema for the Group resource, the displayName attribute is highlighted as REQUIRED in the "description" but the value of the "required" field is false. Given that section 4.2 also indicates displayName is a required attribute for Group resources, I believe the conflict in section 8.7.1 is best corrected by changing the value of the "required" attribute to true.

Errata ID: 5606
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Takashi Kato
Date Reported: 2019-01-16
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 8.7.1 says:

          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "The attribute's data type.
              Valid values include 'string', 'complex', 'boolean',
              'decimal', 'integer', 'dateTime', 'reference'.",
            "required" : true,
            "canonicalValues" : [
              "string",
              "complex",
              "boolean",
              "decimal",
              "integer",
              "dateTime",
              "reference"
            ],
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },

It should say:

          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "The attribute's data type.
              Valid values include 'string', 'complex', 'boolean',
              'decimal', 'integer', 'dateTime', 'reference', 'binary'.",
            "required" : true,
            "canonicalValues" : [
              "string",
              "complex",
              "boolean",
              "decimal",
              "integer",
              "dateTime",
              "reference",
              "binary"
            ],
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },

Notes:

On page 83, the "canonicalValues" definition of the "type" attribute is missing "binary".

Errata ID: 5607
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Takashi Kato
Date Reported: 2019-01-16
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 8.7.2 says:

              {
                "name" : "referenceTypes",
                "type" : "string",
                "multiValued" : false,
                "description" : "Used only with an attribute of type
                  'reference'.  Specifies a SCIM resourceType that a
                  reference attribute MAY refer to, e.g., 'User'.",
                "required" : false,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none"
              }

It should say:

              {
                "name" : "referenceTypes",
                "type" : "string",
                "multiValued" : true,
                "description" : "Used only with an attribute of type
                  'reference'.  Specifies a SCIM resourceType that a
                  reference attribute MAY refer to, e.g., 'User'.",
                "required" : false,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none"
              }

Notes:

On page 90, the multiValued of resourceTypes should be true.

Errata ID: 6004
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Shelley Baker
Date Reported: 2020-03-03
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 8.7.1 says:

      {
        "name" : "name",
        "type" : "complex",
        ...
        "uniqueness" : "none"
      },
      ...
      {
        "name" : "emails",
        "type" : "complex",
        ...
        "uniqueness" : "none"
      },
      ...
      {
        "name" : "addresses",
        "type" : "complex",
        ...
        "uniqueness" : "none"
      },

It should say:

      {
        "name" : "name",
        "type" : "complex",
        ...
      },
      ...
      {
        "name" : "emails",
        "type" : "complex",
        ...
      },
      ...
      {
        "name" : "addresses",
        "type" : "complex",
        ...
      },

Notes:

The "emails", "name", and "addresses" complex user attributes have a "uniqueness" characteristic defined. According to Section 2.3.8, complex attributes have no uniqueness. No other complex attributes in Section 8.7.1 specify a "uniqueness" characteristic. For compliance with Section 2.3.8 and consistency with other attribute definitions, the "uniqueness" sub-attribute for these complex attributes should be removed.

Errata ID: 7522
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Leonardo Speranzon
Date Reported: 2023-05-23
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 8.7.2 says:

{
        "name" : "schemaExtensions",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A list of URIs of the resource type's schema
          extensions.",
        "required" : true,
        "mutability" : "readOnly",
        "returned" : "default",
        "subAttributes" : [
          {
            "name" : "schema",
            "type" : "reference",
            "referenceTypes" : ["uri"],
            "multiValued" : false,
            "description" : "The URI of a schema extension.",
            "required" : true,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },

It should say:

{
        "name" : "schemaExtensions",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of URIs of the resource type's schema
          extensions.",
        "required" : true,
        "mutability" : "readOnly",
        "returned" : "default",
        "subAttributes" : [
          {
            "name" : "schema",
            "type" : "reference",
            "referenceTypes" : ["uri"],
            "multiValued" : false,
            "description" : "The URI of a schema extension.",
            "required" : true,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },

Notes:

The description of "schemaExtensions" says that it is a list, and its name is also plural. This contradicts the value of "multiValued", which is set to false. I believe that the "multiValued" attribute should be set to "true".

Errata ID: 8361
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-03-31
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 3.1 says:

3.1.  Common Attributes

   Each SCIM resource (Users, Groups, etc.) includes the following
   common attributes.  With the exception of the "ServiceProviderConfig"
   and "ResourceType" server discovery endpoints and their associated
   resources, these attributes MUST be defined for all resources,
   including any extended resource types.

It should say:

3.1.  Common Attributes

   Each SCIM resource (Users, Groups, etc.) includes the following
   common attributes.  With the exception of the "/ServiceProviderConfig"
   and "/ResourceTypes" server discovery endpoints and their associated
   resources, these attributes MUST be defined for all resources,
   including any extended resource types.

Notes:

The endpoint is named "/ResourceTypes" (with "s"), not "/ResourceType". Also, all endpoints include a leading "/" in section 1.2, in the schema definitions in section 8.6, and also in RFC7644.

Errata ID: 8415
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-05-14
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 8.7.1 says:

            "name" : "subAttributes",
            "type" : "complex",
            "multiValued" : true,
            "description" : "Used to define the sub-attributes of a
              complex attribute.",
            "required" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "subAttributes" : [
              {
                "name" : "name",
                "type" : "string",
                "multiValued" : false,
                "description" : "The attribute's name.",
                "required" : true,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none"
              },
              {
                "name" : "type",
                "type" : "string",
                "multiValued" : false,
                "description" : "The attribute's data type.
                  Valid values include 'string', 'complex', 'boolean',
                  'decimal', 'integer', 'dateTime', 'reference'.",
                "required" : true,
                "caseExact" : false,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none",
                "canonicalValues" : [
                  "string",
                  "complex",
                  "boolean",
                  "decimal",
                  "integer",
                  "dateTime",
                  "reference"
                ]
              },

It should say:

            "name" : "subAttributes",
            "type" : "complex",
            "multiValued" : true,
            "description" : "Used to define the sub-attributes of a
              complex attribute.",
            "required" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "subAttributes" : [
              {
                "name" : "name",
                "type" : "string",
                "multiValued" : false,
                "description" : "The attribute's name.",
                "required" : true,
                "caseExact" : true,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none"
              },
              {
                "name" : "type",
                "type" : "string",
                "multiValued" : false,
                "description" : "The attribute's data type.
                  Valid values include 'string', 'boolean',
                  'decimal', 'integer', 'dateTime', 'reference', 'binary'.",
                "required" : true,
                "caseExact" : false,
                "mutability" : "readOnly",
                "returned" : "default",
                "uniqueness" : "none",
                "canonicalValues" : [
                  "string",
                  "boolean",
                  "decimal",
                  "integer",
                  "dateTime",
                  "reference",
                  "binary"
                ]
              },

Notes:

As in erratum 5606, the valid value 'binary' is also missing for the subAttributes on page 88. Furthermore, complex attributes must not contain complex subAttributes (section 2.3.8). Thus, the data type 'complex' should not be listed as a valid value for subAttributes.

Errata ID: 8417
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-05-16
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 8.7.2 says:

[
  {
    "id" :
      "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
    "name" : "Service Provider Configuration",

...

  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
    "name" : "ResourceType",

...

  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema",
    "name" : "Schema",

It should say:

[
  {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
    "id" :
      "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig",
    "meta" : {
      "resourceType" : "Schema",
      "location" : "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
    },
    "name" : "Service Provider Configuration",

...

  {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
    "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
    "meta" : {
      "resourceType" : "Schema",
      "location" : "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    },
    "name" : "ResourceType",

...

  {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
    "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema",
    "meta" : {
      "resourceType" : "Schema",
      "location" : "/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Schema"
    },
    "name" : "Schema",

Notes:

The JSON representation of the Schema resources for ServiceProviderConfig, ResourceType, and Schema are missing the "schemas" attribute and the "meta" attribute. See also Erratum 5999.

Errata ID: 8450
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Guillaume Winter
Date Reported: 2025-06-05
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 4.1.1. says:

password
      This attribute is intended to be used as a means to set, replace,
      or compare (i.e., filter for equality) a password.  The cleartext
      value or the hashed value of a password SHALL NOT be returnable by
      a service provider.  If a service provider holds the value
      locally, the value SHOULD be hashed.  When a password is set or
      changed by the client, the cleartext password SHOULD be processed
      by the service provider as follows:

      *  Prepare the cleartext value for international language
         comparison.  See Section 7.8 of [RFC7644].

      *  Validate the value against server password policy.  Note: The
         definition and enforcement of password policy are beyond the
         scope of this document.

      *  Ensure that the value is encrypted (e.g., hashed).  See
         Section 9.2 for acceptable hashing and encryption handling when
         storing or persisting for provisioning workflow reasons.

It should say:

password
      This attribute is intended to be used as a means to set, replace,
      or compare (i.e., filter for equality) a password.  The cleartext
      value or the hashed value of a password SHALL NOT be returnable by
      a service provider.  If a service provider holds the value
      locally, the value SHOULD be hashed.  When a password is set or
      changed by the client, the cleartext password SHOULD be processed
      by the service provider as follows:

      *  Prepare the cleartext value for international language
         comparison.  See Section 7.8 of [RFC7644].

      *  Validate the value against server password policy.  Note: The
         definition and enforcement of password policy are beyond the
         scope of this document.

      *  Ensure that the value is hashed or encrypted.  See
         Section 9.2 for acceptable hashing and encryption handling when
         storing or persisting for provisioning workflow reasons.

Notes:

It was confusing that the text stated "encrypted (e.g., hashed)".

Errata ID: 8471
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-06-20
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 8.7.1 says:

      {
        "name" : "groups",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of groups to which the user belongs,
either through direct membership, through nested groups, or
dynamically calculated.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "The identifier of the User's group.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "User",
              "Group"
            ],

It should say:

      {
        "name" : "groups",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of groups to which the user belongs,
either through direct membership, through nested groups, or
dynamically calculated.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "The identifier of the User's group.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "Group"
            ],

Notes:

The 'groups.$ref' sub-attribute of the core User schema should not contain "User" in its referenceTypes. According to section 4.1.2 it is "A list of groups to which the user belongs".

Errata ID: 8472
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-06-20
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 8.7.1 says:

      {
        "name" : "manager",
        "type" : "complex",
        "multiValued" : false,
        "description" : "The User's manager.  A complex type that
optionally allows service providers to represent organizational
hierarchy by referencing the 'id' attribute of another User.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "The id of the SCIM resource representing
the User's manager.  REQUIRED.",
            "required" : false,
            "caseExact" : false,

It should say:

      {
        "name" : "manager",
        "type" : "complex",
        "multiValued" : false,
        "description" : "The User's manager.  A complex type that
optionally allows service providers to represent organizational
hierarchy by referencing the 'id' attribute of another User.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "The id of the SCIM resource representing
the User's manager.  REQUIRED.",
            "required" : false,
            "caseExact" : true,

Notes:

In the Enterprise User, the sub-attribute "value" of the attribute "manager" is defined as 'The "id" of the SCIM resource representing the user's manager.' (section 4.3). The "id" is case-exact (section 3.1). Therefore, "manager.value" must also be case-exact.

Errata ID: 8475
Status: Verified
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-06-20
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 6 says:

Section 6.  ResourceType Schema

   name
      The resource type name.  When applicable, service providers MUST
      specify the name, e.g., "User" or "Group".  This name is
      referenced by the "meta.resourceType" attribute in all resources.
      REQUIRED.

...

   endpoint
      The resource type's HTTP-addressable endpoint relative to the Base
      URL of the service provider, e.g., "Users".  REQUIRED.

---

Section 8.7.2.  Service Provider Schema Representation

  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
    "name" : "ResourceType",
    "description" : "Specifies the schema that describes a SCIM
      resource type",
    "attributes" : [
...
      {
        "name" : "name",
        "type" : "string",
        "multiValued" : false,
        "description" : "The resource type name.  When applicable,
          service providers MUST specify the name, e.g., 'User'.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
...
      {
        "name" : "endpoint",
        "type" : "reference",
        "referenceTypes" : ["uri"],
        "multiValued" : false,
        "description" : "The resource type's HTTP-addressable
          endpoint relative to the Base URL, e.g., '/Users'.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },

It should say:

Section 6.  ResourceType Schema

   name
      The resource type name.  When applicable, service providers MUST
      specify the name, e.g., "User" or "Group".  This name is
      referenced by the "meta.resourceType" attribute in all resources.
      This attribute has a "uniqueness" of "server" and is case-exact.
      REQUIRED

...

   endpoint
      The resource type's HTTP-addressable endpoint relative to the Base
      URL of the service provider, e.g., "Users".  This attribute has a
      "uniqueness" of "server" and is case-exact.  REQUIRED

---

Section 8.7.2.  Service Provider Schema Representation

  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
    "name" : "ResourceType",
    "description" : "Specifies the schema that describes a SCIM
      resource type",
    "attributes" : [
      {
        "name" : "name",
        "type" : "string",
        "multiValued" : false,
        "description" : "The resource type name.  Service providers MUST
          specify the name, e.g., "User" or "Group".",
        "required" : true,
        "caseExact" : true,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "server"
      },
...
      {
        "name" : "endpoint",
        "type" : "reference",
        "referenceTypes" : ["uri"],
        "multiValued" : false,
        "description" : "The resource type's HTTP-addressable
          endpoint relative to the Base URL, e.g., '/Users'.",
        "required" : true,
        "caseExact" : true,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "server"
      },

Notes:

The attributes "name" and "endpoint" in the ResourceType schema must have a "uniqueness" of "server" and be case-exact.

Case-exact:
The attributes "name" and "endpoint" are both used in references (e.g. "{base-url}/ResourceTypes/{name}" and "{base-url}/{endpoint}/{id}"). References are defined as case-exact in section 2.3.7. Therefore, both attributes must also be case-exact.
This should also be reflected in section 8.7.2.

Uniqueness:
For the uniqueness of "name" see Errata ID: 8362.
For "endpoint" the change makes it explicit that each endpoint should provide exactly one type of resource. I do not see any point in RFC 7644 or RFC 7643 that currently forbids using the same endpoint for several resource types, but this would not work when creating resources. Clients cannot specify which resource type they want to create; they can only specify the endpoint and schema.
This should also be reflected in section 8.7.2 (see Errata ID: 8366).

Errata ID: 5990
Status: Verified
Type: Editorial
Publication Format(s) : TEXT

Reported By: Shelley Baker
Date Reported: 2020-02-26
Verifier Name: Barry Leiba
Date Verified: 2020-02-26

Section 8.2 says:

  "addresses": [
    {
      "type": "work",
      "streetAddress": "100 Universal City Plaza",
      "locality": "Hollywood",
      "region": "CA",
      "postalCode": "91608",
      "country": "USA",
      "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
      "primary": true
    },
    {
      "type": "home",
      "streetAddress": "456 Hollywood Blvd",
      "locality": "Hollywood",
      "region": "CA",
      "postalCode": "91608",
      "country": "USA",
      "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA"
    }
  ],

It should say:

  "addresses": [
    {
      "type": "work",
      "streetAddress": "100 Universal City Plaza",
      "locality": "Hollywood",
      "region": "CA",
      "postalCode": "91608",
      "country": "US",
      "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
      "primary": true
    },
    {
      "type": "home",
      "streetAddress": "456 Hollywood Blvd",
      "locality": "Hollywood",
      "region": "CA",
      "postalCode": "91608",
      "country": "US",
      "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA"
    }
  ],

Notes:

Section 4.1.2 requires the use of the ISO 3166-1 "alpha-2" code format for the "country" attribute; however, sections 8.2 and 8.3 incorrectly specify "USA" instead of "US" for the "country" attribute.

Errata ID: 5991
Status: Verified
Type: Editorial
Publication Format(s) : TEXT

Reported By: Shelley Baker
Date Reported: 2020-02-26
Verifier Name: Barry Leiba
Date Verified: 2020-02-26

Section 8.3 says:

  "addresses": [
    {
      "streetAddress": "100 Universal City Plaza",
      "locality": "Hollywood",
      "region": "CA",
      "postalCode": "91608",
      "country": "USA",
      "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
      "type": "work",
      "primary": true
    },
    {
      "streetAddress": "456 Hollywood Blvd",
      "locality": "Hollywood",
      "region": "CA",
      "postalCode": "91608",
      "country": "USA",
      "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA",
      "type": "home"
     }
  ],

It should say:

  "addresses": [
    {
      "streetAddress": "100 Universal City Plaza",
      "locality": "Hollywood",
      "region": "CA",
      "postalCode": "91608",
      "country": "US",
      "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
      "type": "work",
      "primary": true
    },
    {
      "streetAddress": "456 Hollywood Blvd",
      "locality": "Hollywood",
      "region": "CA",
      "postalCode": "91608",
      "country": "US",
      "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA",
      "type": "home"
     }
  ],

Notes:

Section 4.1.2 requires the use of the ISO 3166-1 "alpha-2" code format for the "country" attribute; however, sections 8.2 and 8.3 incorrectly specify "USA" instead of "US" for the "country" attribute.

Errata ID: 6727
Status: Verified
Type: Editorial
Publication Format(s) : TEXT

Reported By: Will Springer
Date Reported: 2021-10-28
Verifier Name: Deb Cooley
Date Verified: 2025-10-28

Section 8.7.2 says:

      {
        "name" : "description",
        "type" : "string",
        "multiValued" : false,
        "description" : "The schema's human-readable name.  When
          applicable, service providers MUST specify the name,
          e.g., 'User'.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },

It should say:

      {
        "name" : "description",
        "type" : "string",
        "multiValued" : false,
        "description" : "The schema's human-readable description.  When
          applicable, service providers MUST specify the description.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },

Notes:

The previous description was that for the "name" attribute. Updated to the standard text for the "description" attribute.

Errata ID: 8435
Status: Verified
Type: Editorial
Publication Format(s) : TEXT

Reported By: Philip Meholm
Date Reported: 2025-05-27
Verifier Name: RFC Editor
Date Verified: 2025-06-17

Section 7 says:

type  The attribute's data type.  Valid values are "string",
   "boolean", "decimal", "integer", "dateTime", "reference", and
   "complex".  When an attribute is of type "complex", there
   SHOULD be a corresponding schema attribute "subAttributes"
   defined, listing the sub-attributes of the attribute.

It should say:

type  The attribute's data type.  Valid values are "string",
   "boolean", "decimal", "integer", "dateTime", "reference", 
   "binary", and "complex".  When an attribute is of type 
   "complex", there SHOULD be a corresponding schema attribute 
   "subAttributes" defined, listing the sub-attributes of the 
   attribute.

Notes:

binary is missing from the possible values an attribute can have. It's documented everywhere else as a type that can be used, but not when you are explaining the actual property.
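
The rules cited in verified errata 5368, 5606/8435, 6004, 7522 and 8415 can be checked mechanically against a service provider's own schema definitions. The linter below is an added example, not code from RFC 7643 or from the errata reporters; the function names, rule labels and the `Demo` schema are constructed for illustration, and the two description-based checks are heuristics.

```python
# Added example: lint SCIM schema attribute definitions for the defects the
# errata above correct. Function names and rule labels are hypothetical.

# Valid "type" values: RFC 7643 Section 7 list plus "binary" (errata 5606, 8435).
VALID_TYPES = {"string", "boolean", "decimal", "integer",
               "dateTime", "reference", "binary", "complex"}


def lint_attribute(attr, path="", parent_is_complex=False):
    """Return (path, rule, message) findings for one attribute definition."""
    name = attr.get("name", "<unnamed>")
    here = f"{path}.{name}" if path else name
    a_type = attr.get("type")
    desc = " ".join(attr.get("description", "").split())  # undo RFC line wrapping
    findings = []

    if not isinstance(a_type, str) or a_type not in VALID_TYPES:
        findings.append((here, "type", f"unknown data type {a_type!r}"))
    # Erratum 8415 / Section 2.3.8: no complex sub-attributes inside a complex.
    if parent_is_complex and a_type == "complex":
        findings.append((here, "nested-complex",
                         "sub-attribute of a complex attribute is itself complex"))
    # Erratum 6004 / Section 2.3.8: complex attributes have no uniqueness.
    if a_type == "complex" and "uniqueness" in attr:
        findings.append((here, "complex-uniqueness",
                         "complex attribute declares 'uniqueness'"))
    # Erratum 5368 (heuristic): description says REQUIRED, flag says otherwise.
    if "REQUIRED" in desc and attr.get("required") is not True:
        findings.append((here, "required-mismatch",
                         "description says REQUIRED but 'required' is not true"))
    # Erratum 7522 (heuristic): "A list of ..." but not multi-valued.
    if desc.lower().startswith("a list of") and attr.get("multiValued") is not True:
        findings.append((here, "list-not-multivalued",
                         "description is a list but 'multiValued' is not true"))

    for sub in attr.get("subAttributes", []):
        findings.extend(lint_attribute(sub, here, a_type == "complex"))
    return findings


def lint_schema(schema):
    """Lint every top-level attribute of a parsed Schema resource."""
    findings = []
    for attr in schema.get("attributes", []):
        findings.extend(lint_attribute(attr, schema.get("name", "")))
    return findings


# Constructed sample: a made-up "Demo" schema that reuses the pre-erratum forms
# quoted above, plus one constructed nested-complex attribute.
SAMPLE_BEFORE = {
    "id": "urn:example:scim:schemas:constructed:Demo",
    "name": "Demo",
    "attributes": [
        {"name": "displayName", "type": "string", "multiValued": False,
         "description": "A human-readable name for the Group. REQUIRED.",
         "required": False, "caseExact": False, "mutability": "readWrite",
         "returned": "default", "uniqueness": "none"},
        {"name": "emails", "type": "complex", "multiValued": True,
         "description": "Email addresses for the user.", "required": False,
         "uniqueness": "none",
         "subAttributes": [
             {"name": "value", "type": "string", "multiValued": False,
              "description": "Email address value.", "required": False}]},
        {"name": "schemaExtensions", "type": "complex", "multiValued": False,
         "description": "A list of URIs of the resource type's schema\n"
                        "          extensions.",
         "required": True,
         "subAttributes": [
             {"name": "schema", "type": "reference", "referenceTypes": ["uri"],
              "multiValued": False, "required": True,
              "description": "The URI of a schema extension."}]},
        {"name": "x509Certificates", "type": "complex", "multiValued": True,
         "description": "A list of certificates issued to the User.",
         "required": False,
         "subAttributes": [
             {"name": "value", "type": "binary", "multiValued": False,
              "description": "The value of an X.509 certificate.",
              "required": False}]},
        {"name": "outer", "type": "complex", "multiValued": False,
         "description": "Constructed container.", "required": False,
         "subAttributes": [
             {"name": "inner", "type": "complex", "multiValued": False,
              "description": "Constructed nested complex.", "required": False}]},
    ],
}

if __name__ == "__main__":
    for where, rule, message in lint_schema(SAMPLE_BEFORE):
        print(f"{where}: [{rule}] {message}")
```

The `x509Certificates` entry produces no finding, which shows that a `binary` sub-attribute is accepted once the type list includes it.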

Status: Reported (5)

Errata ID: 5999
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Shelley Baker
Date Reported: 2020-03-02

Section 8.7.1 says:

"id" : "urn:ietf:params:scim:schemas:core:2.0:User",
"name" : "User",
"description" : "User Account",

"id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
"name" : "Group",
"description" : "Group",

"id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"name" : "EnterpriseUser",
"description" : "Enterprise User"

It should say:

"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
"id" : "urn:ietf:params:scim:schemas:core:2.0:User",
"name" : "User",
"description" : "User Account",

"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
"id" : "urn:ietf:params:scim:schemas:core:2.0:Group",
"name" : "Group",
"description" : "Group",

"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
"id" : "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"name" : "EnterpriseUser",
"description" : "Enterprise User"

Notes:

The "schemas" attribute is missing from the example JSON representation schema resources. According to Section 2.1 and Section 3, the "schemas" attribute is REQUIRED and MUST be provided.

Errata ID: 6000
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Shelley Baker
Date Reported: 2020-03-02

Section 8.7.1 says:

      {
        "name" : "x509Certificates",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of certificates issued to the User.",
        "required" : false,
        "caseExact" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "binary",
            "multiValued" : false,
            "description" : "The value of an X.509 certificate.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },

It should say:

      {
        "name" : "x509Certificates",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of certificates issued to the User.",
        "required" : false,
        "caseExact" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "binary",
            "multiValued" : false,
            "description" : "The value of an X.509 certificate.",
            "required" : false,
            "caseExact" : true,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },

Notes:

Section 2.3.6 indicates that "binary is case exact." The "x509Certificates" binary "value" subattribute's "caseExact" characteristic is currently listed as "false", but should be "true".

Errata ID: 6007
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Shelley Baker
Date Reported: 2020-03-04

Section 8.7.1 says:

      {
        "name" : "preferredLanguage",
        "type" : "string",
        "multiValued" : false,
        "description" : "Indicates the User's preferred written or
spoken language.  Generally used for selecting a localized user
interface; e.g., 'en_US' specifies the language English and country
US.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },

It should say:

      {
        "name" : "preferredLanguage",
        "type" : "string",
        "multiValued" : false,
        "description" : "Indicates the User's preferred written or
spoken language.  Generally used for selecting a localized user
interface; e.g., 'en-US' specifies the language English and country
US.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },

Notes:

The "preferredLanguage" attribute, as defined in Section 4.1.1, follows RFC 7231's "Accept-Language" format, where "en_US" would not be syntactically valid, since language tags are separated by hyphens, not underscores.

Errata ID: 6011
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Shelley Baker
Date Reported: 2020-03-09

Section 8.7.1 says:

      {
        "name" : "members",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of members of the Group.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "Identifier of the member of this Group.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "User",
              "Group"
            ],
            "multiValued" : false,
            "description" : "The URI corresponding to a SCIM resource
that is a member of this Group.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "A label indicating the type of resource,
e.g., 'User' or 'Group'.",
            "required" : false,
            "caseExact" : false,
            "canonicalValues" : [
              "User",
              "Group"
            ],
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default"
      }

It should say:

      {
        "name" : "members",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A list of members of the Group.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "Identifier of the member of this Group.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "User",
              "Group"
            ],
            "multiValued" : false,
            "description" : "The URI corresponding to a SCIM resource
that is a member of this Group.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "A label indicating the type of resource,
e.g., 'User' or 'Group'.",
            "required" : false,
            "caseExact" : false,
            "canonicalValues" : [
              "User",
              "Group"
            ],
            "mutability" : "immutable",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name": "display",
            "type": "string",
            "multiValued": false,
            "description": "A human-readable name for the group member, primarily used for display purposes.",
            "required": false,
            "caseExact": false,
            "mutability": "readOnly",
            "returned": "default",
            "uniqueness": "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default"
      }

Notes:

The group "members" attribute should define a "display" sub-attribute.

* Section 2.4 defines a standard multi-valued read-only attribute of "display".
* The Group Representation example in Section 8.4 also includes the "members.display" sub-attribute.
* This discussion in the SCIM mailing list [1] also indicates that this should be fixed.

[1] https://mailarchive.ietf.org/arch/msg/scim/EH99Gxn-hDluihMNtWLIekuFCs8/

Errata ID: 8011
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Éloi Rivard
Date Reported: 2024-06-30

Section 8.7.2 says:

      {
        "name" : "authenticationSchemes",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A complex type that specifies supported
          authentication scheme properties.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readOnly",
        "subAttributes" : [
          {
            "name" : "name",
            "type" : "string",
            "multiValued" : false,
            "description" : "The common authentication scheme name,
              e.g., HTTP Basic.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "description",
            "type" : "string",
            "multiValued" : false,
            "description" : "A description of the authentication
              scheme.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "specUri",
            "type" : "reference",
            "referenceTypes" : ["external"],
            "multiValued" : false,
            "description" : "An HTTP-addressable URL pointing to the
              authentication scheme's specification.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "documentationUri",
            "type" : "reference",
            "referenceTypes" : ["external"],
            "multiValued" : false,
            "description" : "An HTTP-addressable URL pointing to the
              authentication scheme's usage documentation.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ]
      }

It should say:

      {
        "name" : "authenticationSchemes",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A complex type that specifies supported
          authentication scheme properties.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readOnly",
        "subAttributes" : [
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "The authentication scheme.",
            "required" : true,
            "caseExact" : false,
            "canonicalValues" : [
              "oauth",
              "oauth2",
              "oauthbearertoken",
              "httpbasic",
              "httpdigest"
            ],
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "name",
            "type" : "string",
            "multiValued" : false,
            "description" : "The common authentication scheme name,
              e.g., HTTP Basic.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "description",
            "type" : "string",
            "multiValued" : false,
            "description" : "A description of the authentication
              scheme.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "specUri",
            "type" : "reference",
            "referenceTypes" : ["external"],
            "multiValued" : false,
            "description" : "An HTTP-addressable URL pointing to the
              authentication scheme's specification.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "documentationUri",
            "type" : "reference",
            "referenceTypes" : ["external"],
            "multiValued" : false,
            "description" : "An HTTP-addressable URL pointing to the
              authentication scheme's usage documentation.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ]
      }

Notes:

§5 explicitly defines a `type` attribute for ServiceProviderConfig, with canonical values ("oauth", "oauth2", "oauthbearertoken", "httpbasic", "httpdigest"). The canonical values should appear in the schema representation, thus the whole `type` attribute should be part of the schema representation.

In addition, this would make the `readOnly` mutability explicit.

Status: Held for Document Update (12)

RFC 7643, "System for Cross-domain Identity Management: Core Schema", September 2015

Note: This RFC has been updated by RFC 9865

Source of RFC: scim (sec)

Errata ID: 6001
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Shelley Baker
Date Reported: 2020-03-02
Held for Document Update by: Deb Cooley
Date Held: 2025-10-28

Section 8.7.1 says:

      {
        "name" : "profileUrl",
        "type" : "reference",
        "referenceTypes" : ["external"],
        "multiValued" : false,
        "description" : "A fully qualified URL pointing to a page representing the User's online profile.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },


      {
        "name" : "photos",
        "type" : "complex",
        "multiValued" : true,
        "description" : "URLs of photos of the User.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "reference",
            "referenceTypes" : ["external"],
            "multiValued" : false,
            "description" : "URL of a photo of the User.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },


          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "User",
              "Group"
            ],
            "multiValued" : false,
            "description" : "The URI of the corresponding 'Group' resource to which the user belongs.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },

It should say:

      {
        "name" : "profileUrl",
        "type" : "reference",
        "referenceTypes" : ["external"],
        "multiValued" : false,
        "description" : "A fully qualified URL pointing to a page representing the User's online profile.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },


      {
        "name" : "photos",
        "type" : "complex",
        "multiValued" : true,
        "description" : "URLs of photos of the User.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "reference",
            "referenceTypes" : ["external"],
            "multiValued" : false,
            "description" : "URL of a photo of the User.",
            "required" : false,
            "caseExact" : true,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },


          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "User",
              "Group"
            ],
            "multiValued" : false,
            "description" : "The URI of the corresponding 'Group' resource to which the user belongs.",
            "required" : false,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },

Notes:

Section 2.3.7 indicates that "A reference is case exact." Section 8.7.1 defines a number of "reference" attributes that incorrectly have the "caseExact" characteristic set to "false"; these should instead be "true."

Errata ID: 6403
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Andrew Webb
Date Reported: 2021-01-21
Held for Document Update by: Deb Cooley
Date Held: 2025-10-28

Section 4.3 says:

      value  The "id" of the SCIM resource representing the user's
         manager.  RECOMMENDED.

      $ref  The URI of the SCIM resource representing the User's
         manager.  RECOMMENDED.

It should say:

      value  The "id" of the SCIM resource representing the user's
         manager.  REQUIRED.

      $ref  The URI of the SCIM resource representing the User's
         manager.  REQUIRED.

Notes:

The descriptions of the sub-attributes "value" and "$ref" on pages 71 and 72 indicate that these two are required, not recommended.

E.g. "The id of the SCIM resource representing
the User's manager. REQUIRED."

Given that no other value in the RFC is RECOMMENDED, it would seem likely that these two sub-attributes should be REQUIRED and not RECOMMENDED.

Errata ID: 8358
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-03-31
Held for Document Update by: Deb Cooley
Date Held: 2025-12-28

Section 8.7.1 says:

          {
            "name" : "display",
            "type" : "string",
            "multiValued" : false,
            "description" : "A human-readable name, primarily used
for display purposes.  READ-ONLY.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },

It should say:

          {
            "name" : "display",
            "type" : "string",
            "multiValued" : false,
            "description" : "A human-readable name, primarily used
for display purposes.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },

Notes:

The description of all "display" sub-attributes in the schema for User describes them as "READ-ONLY", but they are actually defined with "mutability" : "readWrite" in all cases except for the sub-attribute of "groups".

Errata ID: 8281
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-02-05
Held for Document Update by: Deb Cooley
Date Held: 2025-12-28

Section 7 says:

      required  A Boolean value that specifies whether or not the
         attribute is required.

It should say:

      required  A Boolean value that specifies whether or not the
         attribute is required. If an attribute is "required", 
         clients MUST specify the attribute in the PUT request, 
         see section 3.5.1 of RFC7644.

Notes:

The definition of the "required" characteristic is recursive and has no explanatory value. A reference to RFC7644 makes it much clearer.

Errata ID: 8279
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-02-05
Held for Document Update by: Deb Cooley
Date Held: 2025-12-28

Section 7 says:

         server  The value SHOULD be unique within the context of the
            current SCIM endpoint (or tenancy) and MAY be globally
            unique (e.g., a "username", email address, or other
            server-generated key or counter).  No two resources on the
            same server SHOULD possess the same value.

It should say:

         server  The value for the attribute SHOULD be different from 
            all other values for the attribute in any resource on the 
            same server which use the same schema definition. Uniqueness 
            MAY be restricted to resources accessible to the same tenant.

Notes:

The definition is highly ambiguous. Assume a service provider offering the two endpoints /Users and /BusinessUsers. Assume that both resource types use the schema "urn:ietf:params:scim:schemas:core:2.0:User". Further, assume that the service provider serves two tenants, each having access to only a fraction of the resources.

Uniqueness within the context of the SCIM endpoint means that a User and a BusinessUser *can* have the same "userName", but two Users *cannot* exist on the server with the same "userName".
Uniqueness within the context of the tenancy means that a User and a BusinessUser *cannot* have the same "userName" if accessible to the same tenant, but two Users *can* exist on the server with the same "userName" if they are not accessible to the same tenant.
Finally, the uniqueness in the sense of the second sentence means that a User and a BusinessUser *cannot* have the same "userName" and two Users *cannot* exist on the server with the same "userName" irrespective of the tenancy.

Because the option is named "server" and not "endpoint", I assume it is not intended to be restricted to endpoints, but rather applies to all resource types using the schema. I also assume a restriction to tenancy is intended. Without this restriction it would be possible for a tenant to determine values of not accessible resources by a brute-force attack.

Let me note that the usage of SHOULD instead of MUST does not make much sense here, because a service provider offering the schema to clients will always know for sure if it enforces uniqueness or not. On the other hand, changing SHOULD to MUST is beyond the scope of errata.
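The three readings of "server" uniqueness described in the notes for erratum 8279, plus the erratum's proposed wording with its optional tenant restriction applied, as an added example that is not part of the erratum or the RFC. The `Resource` class, the scope names and the tenant and user names are assumptions made for illustration.

```python
from dataclasses import dataclass

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


@dataclass(frozen=True)
class Resource:
    endpoint: str    # e.g. "/Users" or "/BusinessUsers"
    schema: str      # schema URN the resource type uses
    tenant: str      # tenant that can access the resource (constructed)
    user_name: str


def conflicts(existing, new, scope):
    """Return True if creating `new` violates userName uniqueness under `scope`."""
    for r in existing:
        if r.user_name != new.user_name:
            continue
        if scope == "endpoint" and r.endpoint == new.endpoint:
            return True      # reading 1: unique per SCIM endpoint
        if scope == "tenancy" and r.tenant == new.tenant:
            return True      # reading 2: unique per tenant
        if scope == "server":
            return True      # reading 3: unique across the whole server
        if scope == "proposed" and r.schema == new.schema and r.tenant == new.tenant:
            return True      # proposed text, tenant restriction applied
    return False


def decision_table():
    """Evaluate the erratum's scenario: one existing User held by tenant-a."""
    existing = [Resource("/Users", USER_SCHEMA, "tenant-a", "bjensen")]
    same_tenant_other_endpoint = Resource("/BusinessUsers", USER_SCHEMA, "tenant-a", "bjensen")
    other_tenant_same_endpoint = Resource("/Users", USER_SCHEMA, "tenant-b", "bjensen")
    return {
        scope: (
            conflicts(existing, same_tenant_other_endpoint, scope),
            conflicts(existing, other_tenant_same_endpoint, scope),
        )
        for scope in ("endpoint", "tenancy", "server", "proposed")
    }


if __name__ == "__main__":
    for scope, (same_tenant, cross_tenant) in decision_table().items():
        print(f"{scope:9} same-tenant conflict={same_tenant} cross-tenant conflict={cross_tenant}")
```

A `True` in the second column means a create request from tenant-b is rejected because of a resource tenant-b cannot read, which is the cross-tenant signal the notes warn about.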

Errata ID: 8280
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-02-05
Held for Document Update by: Deb Cooley
Date Held: 2025-12-28

Section 1.1 says:

---- Section 1.1 ----
   The key words "REQUIRED" and "OPTIONAL" are used throughout this
   document to indicate whether an attribute or schema element is
   required or optional.  These key words may be used alone (e.g.,
   "REQUIRED.") or in a sentence.  If not specified, an attribute is
   considered to be optional.

---- Section 2.2 ----
   o  "required" is "false" (i.e., not REQUIRED),

It should say:

---- Section 1.1 ----
   The key words "REQUIRED" and "OPTIONAL" are used throughout this
   document to indicate whether an attribute or schema element is
   required to have a value or not.  These key words may be used alone (e.g.,
   "REQUIRED.") or in a sentence.  If not specified, an attribute value is
   considered to be optional.

---- Section 2.2 ----
   o  "required" is "false",

Notes:

There are three ways in which an attribute can be required. The correction makes clear which one is meant.

1) Support is REQUIRED: It must be possible that the attribute has a value, i.e. it cannot be omitted from the schema.
2) A value is REQUIRED: The server must make sure that the attribute always has a value.
3) The attribute characteristic "required" is set to "true": If an attribute is "required", clients MUST specify the attribute in the PUT request. [RFC7644]

Analogous interpretations are possible for OPTIONAL.

While almost all usages of REQUIRED and OPTIONAL are compatible with the second interpretation, one usage in section 2.2 clearly refers to the third one and should be removed.

Errata ID: 8359
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-03-31
Held for Document Update by: Deb Cooley
Date Held: 2025-12-28

Section 8.7.1 says:

      {
        "name" : "manager",
        "type" : "complex",
        "multiValued" : false,
        "description" : "The User's manager.  A complex type that
optionally allows service providers to represent organizational
hierarchy by referencing the 'id' attribute of another User.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "The id of the SCIM resource representing
the User's manager.  REQUIRED.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "User"
            ],
            "multiValued" : false,
            "description" : "The URI of the SCIM resource
representing the User's manager.  REQUIRED.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "displayName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The displayName of the User's manager.
OPTIONAL and READ-ONLY.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default"
      }

It should say:

      {
        "name" : "manager",
        "type" : "complex",
        "multiValued" : false,
        "description" : "The User's manager.  A complex type that
optionally allows service providers to represent organizational
hierarchy by referencing the 'id' attribute of another User.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "value",
            "type" : "string",
            "multiValued" : false,
            "description" : "The id of the SCIM resource representing
the User's manager.  REQUIRED.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "$ref",
            "type" : "reference",
            "referenceTypes" : [
              "User"
            ],
            "multiValued" : false,
            "description" : "The URI of the SCIM resource
representing the User's manager.  REQUIRED.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "displayName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The displayName of the User's manager.
OPTIONAL and READ-ONLY.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default"
      }

Notes:

The description indicates that the sub-attributes "value" and "$ref" of "manager" in urn:ietf:params:scim:schemas:extension:enterprise:2.0:User should have "required": true instead of false.
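Several of the errata above (5999, 6000, 6001, 8358, 8359) report the same class of defect: a schema definition whose characteristics contradict its own description or its type. The following added example, which is not from the RFC or the errata, checks a schema resource for those contradictions. The rule names and the sample schema are constructed, with attribute fragments modelled on the quoted Section 8.7.1 text.

```python
import json
import re

# Types this page quotes as case exact (RFC 7643 Sections 2.3.6 and 2.3.7).
CASE_EXACT_TYPES = {"binary", "reference"}


def lint_attribute(attr, parent=""):
    """Return (path, rule) findings for one attribute and its sub-attributes."""
    name = attr.get("name", "?")
    path = f"{parent}.{name}" if parent else name
    desc = attr.get("description", "")
    findings = []
    # Errata 6000 / 6001: binary and reference values are case exact.
    if attr.get("type") in CASE_EXACT_TYPES and attr.get("caseExact") is False:
        findings.append((path, "case-exact-type"))
    # Erratum 8359: description says REQUIRED but "required" is false.
    # Simple keyword match; a phrase such as "not REQUIRED" would also match.
    if re.search(r"\bREQUIRED\b", desc) and attr.get("required") is False:
        findings.append((path, "required-mismatch"))
    # Erratum 8358: description says READ-ONLY but mutability is not readOnly.
    mutability = attr.get("mutability")
    if "READ-ONLY" in desc and mutability not in (None, "readOnly"):
        findings.append((path, "mutability-mismatch"))
    for sub in attr.get("subAttributes", []):
        findings.extend(lint_attribute(sub, path))
    return findings


def lint_schema(schema):
    """Lint a whole schema resource; findings keep document order."""
    findings = []
    # Erratum 5999: schema resources must carry a "schemas" attribute.
    if not schema.get("schemas"):
        findings.append((schema.get("name", "?"), "missing-schemas"))
    for attr in schema.get("attributes", []):
        findings.extend(lint_attribute(attr))
    return findings


# Constructed sample: not a real schema, only fragments shaped like the page's.
SAMPLE = json.loads("""
{
  "id": "urn:example:constructed:schemas:2.0:Sample",
  "name": "Sample",
  "attributes": [
    {"name": "x509Certificates", "type": "complex", "multiValued": true,
     "description": "A list of certificates issued to the User.",
     "required": false,
     "subAttributes": [
       {"name": "value", "type": "binary",
        "description": "The value of an X.509 certificate.",
        "required": false, "caseExact": false, "mutability": "readWrite"},
       {"name": "display", "type": "string",
        "description": "A human-readable name, primarily used for display purposes.  READ-ONLY.",
        "required": false, "caseExact": false, "mutability": "readWrite"}
     ]},
    {"name": "manager", "type": "complex", "multiValued": false,
     "description": "The User's manager.",
     "required": false,
     "subAttributes": [
       {"name": "value", "type": "string",
        "description": "The id of the SCIM resource representing the User's manager.  REQUIRED.",
        "required": false, "caseExact": false, "mutability": "readWrite"},
       {"name": "$ref", "type": "reference", "referenceTypes": ["User"],
        "description": "The URI of the SCIM resource representing the User's manager.  REQUIRED.",
        "required": false, "caseExact": false, "mutability": "readWrite"},
       {"name": "displayName", "type": "string",
        "description": "The displayName of the User's manager. OPTIONAL and READ-ONLY.",
        "required": false, "caseExact": false, "mutability": "readOnly"}
     ]}
  ]
}
""")

if __name__ == "__main__":
    for path, rule in lint_schema(SAMPLE):
        print(f"{rule:20} {path}")
```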

Errata ID: 8363
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-03-31
Held for Document Update by: Deb Cooley
Date Held: 2025-12-28

Section 8.7.2 says:

      {
        "name" : "id",
        "type" : "string",
        "multiValued" : false,
        "description" : "The unique URI of the schema.
          When applicable, service providers MUST specify the URI.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },

and

      {
        "name" : "id",
        "type" : "string",
        "multiValued" : false,
        "description" : "The resource type's server unique id.
          May be the same as the 'name' attribute.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },

It should say:

      {
        "name" : "id",
        "type" : "string",
        "multiValued" : false,
        "description" : "The unique URI of the schema.
          When applicable, service providers MUST specify the URI.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "server"
      },

and

      {
        "name" : "id",
        "type" : "string",
        "multiValued" : false,
        "description" : "The resource type's server unique id.
          May be the same as the 'name' attribute.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "server"
      },

Notes:

The "id" attributes of "Schema" and "ResourceType" resources should have "uniqueness": "server", like their description says, instead of "uniqueness": "none".

Errata ID: 8366
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-04-01
Held for Document Update by: Deb Cooley
Date Held: 2025-10-28

Section 8.7.2 says:

      {
        "name" : "endpoint",
        "type" : "reference",
        "referenceTypes" : ["uri"],
        "multiValued" : false,
        "description" : "The resource type's HTTP-addressable
          endpoint relative to the Base URL, e.g., '/Users'.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },

It should say:

      {
        "name" : "endpoint",
        "type" : "reference",
        "referenceTypes" : ["uri"],
        "multiValued" : false,
        "description" : "The resource type's HTTP-addressable
          endpoint relative to the Base URL, e.g., '/Users'.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "server"
      },

Notes:

For "endpoint" the property "uniqueness" should be "server" instead of "none".
I believe endpoints are thought to be unique within a server, i.e. each endpoint should offer exactly one type of resources. Though I don't see any point in RFC7644 or RFC7643 that currently forbids using the same endpoint for several resource types, it would make processing much harder for clients. Also, clients cannot specify which resource type they want to create. They can only specify endpoint and schema.

Errata ID: 8418
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-05-16
Held for Document Update by: Deb Cooley
Date Held: 2025-10-28

Section 8.7.2 says:

  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema",
    "name" : "Schema",
    "description" : "Specifies the schema that describes a
      SCIM schema",
    "attributes" : [
      {
        "name" : "id",
        "type" : "string",
        "multiValued" : false,
        "description" : "The unique URI of the schema.
          When applicable, service providers MUST specify the URI.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "name",

It should say:

  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:Schema",
    "name" : "Schema",
    "description" : "Specifies the schema that describes a
      SCIM schema",
    "attributes" : [
      {
        "name" : "name",

Notes:

The JSON representation of the schema resource for "Schema" specifies an "id" attribute. It should not be listed because it is part of the common attributes from section 3.1.
The attribute characteristics listed in section 3.1 for "id" would override the definitions given in the schema resource anyway. Therefore, "caseExact" will be true, "returned" will be "always", and "uniqueness" will be "server".

Errata ID: 8419
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-05-16
Held for Document Update by: Deb Cooley
Date Held: 2025-10-28

Section 8.7.2 says:

  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
    "name" : "ResourceType",
    "description" : "Specifies the schema that describes a SCIM
      resource type",
    "attributes" : [
      {
        "name" : "id",
        "type" : "string",
        "multiValued" : false,
        "description" : "The resource type's server unique id.
          May be the same as the 'name' attribute.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "name",

It should say:

  {
    "id" : "urn:ietf:params:scim:schemas:core:2.0:ResourceType",
    "name" : "ResourceType",
    "description" : "Specifies the schema that describes a SCIM
      resource type",
    "attributes" : [
      {
        "name" : "name",

Notes:

The JSON representation of the schema resource for "ResourceType" specifies an "id" attribute. It should not be listed because it is part of the common attributes from section 3.1.
The attribute characteristics listed in section 3.1 for "id" would override the definitions given in the schema resource anyway. Therefore, "caseExact" will be true, "returned" will be "always", and "uniqueness" will be "server".

Section 3.1 says that for "ResourceType" and "ServiceProviderConfig" resources the common attributes do not need to be "defined", but they are still considered part of the base schema. This is stated explicitly in section 5 for "ServiceProviderConfig". All examples for "ResourceType" resource representations also include the attribute "meta" which is not defined in the schema in section 8.7.2.
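
The override described in the notes for errata 8418 and 8419, as an added example that is not part of the errata reports or of RFC 7643: a Python check that flags a schema resource redefining the common "id" attribute and overlays the section 3.1 characteristics the notes list. The function names, the `COMMON_ID` table, and the trimmed sample schema are assumptions made for this illustration.

```python
import json

# Characteristics of the common "id" attribute, as the errata notes above
# state them for RFC 7643 section 3.1.
COMMON_ID = {"caseExact": True, "returned": "always", "uniqueness": "server"}

# Constructed sample: the "id" entry follows the text quoted in erratum 8418
# (description omitted); the "name" entry's characteristics are placeholders.
SAMPLE_SCHEMA = json.loads("""
{
  "id": "urn:ietf:params:scim:schemas:core:2.0:Schema",
  "name": "Schema",
  "attributes": [
    {"name": "id", "type": "string", "multiValued": false,
     "required": true, "caseExact": false, "mutability": "readOnly",
     "returned": "default", "uniqueness": "none"},
    {"name": "name", "type": "string", "multiValued": false,
     "required": true, "caseExact": false, "mutability": "readOnly",
     "returned": "default", "uniqueness": "none"}
  ]
}
""")


def find_common_conflicts(schema, common=None):
    """Return (attribute, characteristic, declared, effective) tuples for each
    common attribute the schema redefines with a conflicting value."""
    common = common or {"id": COMMON_ID}
    findings = []
    for attr in schema.get("attributes", []):
        # SCIM attribute names are case-insensitive, so compare lowercased.
        expected = common.get(str(attr.get("name", "")).lower())
        if expected is None:
            continue
        for key, value in expected.items():
            if key in attr and attr[key] != value:
                findings.append((attr["name"], key, attr[key], value))
    return findings


def effective_attributes(schema, common=None):
    """Return the attribute list a consumer should act on: a redefined common
    attribute keeps its other fields but gets the section 3.1 values overlaid."""
    common = common or {"id": COMMON_ID}
    result = []
    for attr in schema.get("attributes", []):
        override = common.get(str(attr.get("name", "")).lower())
        result.append({**attr, **override} if override else dict(attr))
    return result


if __name__ == "__main__":
    for name, key, declared, effective in find_common_conflicts(SAMPLE_SCHEMA):
        print(f"{name}.{key}: schema declares {declared!r}, "
              f"section 3.1 value {effective!r} applies")
```
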

Errata ID: 6005
Status: Held for Document Update
Type: Editorial
Publication Format(s) : TEXT

Reported By: Shelley Baker
Date Reported: 2020-03-03
Held for Document Update by: Deb Cooley
Date Held: 2025-12-28

Section 8.7.1 says:

      {
        "name" : "addresses",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A physical mailing address for this User. Canonical type values of 'work', 'home', and 'other'.  This attribute is a complex type with the following sub-attributes.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "formatted",
            "type" : "string",
            "multiValued" : false,
            "description" : "The full mailing address, formatted for display or use with a mailing label.  This attribute MAY contain newlines.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "streetAddress",
            "type" : "string",
            "multiValued" : false,
            "description" : "The full street address component, which may include house number, street name, P.O. box, and multi-line extended street address information.  This attribute MAY contain newlines.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "locality",
            "type" : "string",
            "multiValued" : false,
            "description" : "The city or locality component.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "region",
            "type" : "string",
            "multiValued" : false,
            "description" : "The state or region component.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "postalCode",
            "type" : "string",
            "multiValued" : false,
            "description" : "The zip code or postal code component.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "country",
            "type" : "string",
            "multiValued" : false,
            "description" : "The country name component.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "A label indicating the attribute's function, e.g., 'work' or 'home'.",
            "required" : false,
            "caseExact" : false,
            "canonicalValues" : [
              "work",
              "home",
              "other"
            ],
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },

It should say:

      {
        "name" : "addresses",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A physical mailing address for this User. Canonical type values of 'work', 'home', and 'other'.  This attribute is a complex type with the following sub-attributes.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "formatted",
            "type" : "string",
            "multiValued" : false,
            "description" : "The full mailing address, formatted for display or use with a mailing label.  This attribute MAY contain newlines.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "streetAddress",
            "type" : "string",
            "multiValued" : false,
            "description" : "The full street address component, which may include house number, street name, P.O. box, and multi-line extended street address information.  This attribute MAY contain newlines.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "locality",
            "type" : "string",
            "multiValued" : false,
            "description" : "The city or locality component.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "region",
            "type" : "string",
            "multiValued" : false,
            "description" : "The state or region component.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "postalCode",
            "type" : "string",
            "multiValued" : false,
            "description" : "The zip code or postal code component.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "country",
            "type" : "string",
            "multiValued" : false,
            "description" : "The country name component.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "type",
            "type" : "string",
            "multiValued" : false,
            "description" : "A label indicating the attribute's function, e.g., 'work' or 'home'.",
            "required" : false,
            "caseExact" : false,
            "canonicalValues" : [
              "work",
              "home",
              "other"
            ],
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "primary",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred mailing address.  The primary attribute value 'true' MUST appear no more than once.",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },

Notes:

The "addresses" user attribute should specify a "primary" sub-attribute. "addresses" is a multi-valued attribute. According to Section 2.4, multi-valued attributes include a "primary" sub-attribute. The "primary" sub-attribute text even mentions this attribute's use for mailing "addresses."

Status: Rejected (5)

RFC 7643, "System for Cross-domain Identity Management: Core Schema", September 2015

Note: This RFC has been updated by RFC 9865

Source of RFC: scim (sec)

Errata ID: 4979
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: asgs
Date Reported: 2017-03-24
Rejected by: Deb Cooley
Date Rejected: 2025-10-28

Section 8.5 says:

"location": "https://example.com/v2/ServiceProviderConfig",

It should say:

"location": "https://example.com/v2/ServiceProviderConfigs"

Notes:

Per the details provided on the SCIM website http://www.simplecloud.info/#overview, the endpoint should be /ServiceProviderConfigs. A trailing "s" is missing. The SCIM implementations of major service providers like Facebook, Salesforce, Slack implement /ServiceProviderConfigs.

Also, it would be better to replace all occurrences of the word "ServiceProviderConfig" with "ServiceProviderConfigs" wherever applicable, so as to remain in sync with the endpoint.
--VERIFIER NOTES--
The ServiceProviderConfig endpoint is singular. Simplecloud.info is/was incorrect.

Errata ID: 7921
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: Francois LASNE
Date Reported: 2024-05-03
Rejected by: Deb Cooley
Date Rejected: 2024-05-04

Section 8.5 says:

"authenticationSchemes": [
      {
        "name": "OAuth Bearer Token",
        "description":
          "Authentication scheme using the OAuth Bearer Token Standard",
        "specUri": "http://www.rfc-editor.org/info/rfc6750",
        "documentationUri": "http://example.com/help/oauth.html",
        "type": "oauthbearertoken",
        "primary": true
      }

It should say:

"authenticationSchemes": [
      {
        "name": "OAuth Bearer Token",
        "description":
          "Authentication scheme using the OAuth Bearer Token Standard",
        "specUri": "http://www.rfc-editor.org/info/rfc6750",
        "documentationUri": "http://example.com/help/oauth.html",
        "type": "oauthbearertoken"
      }

Notes:

The concept of primary in authenticationScheme is not defined in paragraph 5;
it contains only:
authenticationSchemes
A multi-valued complex type that specifies supported
authentication scheme properties. To enable seamless discovery of
configurations, the service provider SHOULD, with the appropriate
security considerations, make the authenticationSchemes attribute
publicly accessible without prior authentication. REQUIRED. The
following sub-attributes are defined:

type The authentication scheme. This specification defines the
values "oauth", "oauth2", "oauthbearertoken", "httpbasic", and
"httpdigest". REQUIRED.

name The common authentication scheme name, e.g., HTTP Basic.
REQUIRED.

description A description of the authentication scheme.
REQUIRED.

specUri An HTTP-addressable URL pointing to the authentication
scheme's specification. OPTIONAL.

documentationUri An HTTP-addressable URL pointing to the
authentication scheme's usage documentation. OPTIONAL.



=====> another option would be to add the primary attribute, defining that it is the authentication scheme that should be considered first
--VERIFIER NOTES--

Primary is defined as part of complex multi-valued attributes section 2.4.

Errata ID: 8360
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-03-31
Rejected by: Deb Cooley
Date Rejected: 2025-10-28

Section 8.7.2 says:

          {
            "name" : "description",
            "type" : "string",
            "multiValued" : false,
            "description" : "A human-readable description of the
              attribute.",
            "required" : false,
            "caseExact" : true,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },

It should say:

          {
            "name" : "description",
            "type" : "string",
            "multiValued" : false,
            "description" : "A human-readable description of the
              attribute.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readOnly",
            "returned" : "default",
            "uniqueness" : "none"
          },

Notes:

In the schema definition for "Schema" the sub-attribute "description" of the complex attributes "attributes" and "subAttributes" is defined with "caseExact": true. This does not make much sense for a human-readable description. I believe it should be "caseExact": false, like it is for all other "description" attributes.
--VERIFIER NOTES--
This would represent a normative change that might impact interoperability. Description is not usually used in filters for human use.

Errata ID: 8362
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: Matthias Winter
Date Reported: 2025-03-31
Rejected by: Deb Cooley
Date Rejected: 2025-10-28

Section 6 says:

   id
      The resource type's server unique id.  This is often the same
      value as the "name" attribute.  OPTIONAL.

   name
      The resource type name.  When applicable, service providers MUST
      specify the name, e.g., "User" or "Group".  This name is
      referenced by the "meta.resourceType" attribute in all resources.
      REQUIRED.

It should say:

   id
      The resource type's server unique id.  This is often the same
      value as the "name" attribute.  OPTIONAL.

   name
      The resource type name.  When applicable, service providers MUST
      specify the name, e.g., "User" or "Group".  This name is
      referenced by the "meta.resourceType" attribute in all resources.
      REQUIRED. The resource type name must be unique within the server.

Notes:

ResourceTypes are not referenced by their "id" in the meta.resourceType attribute, but by their "name".
Section 3.3 states:
In order to determine which URI value in the "schemas" attribute is
the base schema and which is an extended schema for any given
resource, the resource's "resourceType" attribute value MAY be used
to retrieve the resource's "ResourceType" schema (see Section 6).

This would not work if there were numerous ResourceType resources with the same name. The name must therefore be unique within the server.

This also applies to the schema definition in section 8.7.2 where it should be defined with "uniqueness": "server" instead of "none".
--VERIFIER NOTES--
Resource types are referenced by their ID. ALWAYS.

It often occurs that name and id are the same. The scenario you describe would not occur because it would point by ID.

Errata ID: 6438
Status: Rejected
Type: Editorial
Publication Format(s) : TEXT

Reported By: Andrew Webb
Date Reported: 2021-02-23
Rejected by: Barry Leiba
Date Rejected: 2021-02-23

Section 3.1. says:

     version  The version of the resource being returned.  This value
         must be the same as the entity-tag (ETag) HTTP response header
         (see Sections 2.1 and 2.3 of [RFC7232]).  This attribute has
         "caseExact" as "true".  Service provider support for this
         attribute is optional and subject to the service provider's
         support for versioning (see Section 3.14 of [RFC7644]).  If a
         service provider provides "version" (entity-tag) for a
         representation and the generation of that entity-tag does not
         satisfy all of the characteristics of a strong validator (see
         Section 2.1 of [RFC7232]), then the origin server MUST mark the
         "version" (entity-tag) as weak by prefixing its opaque value
         with "W/" (case sensitive).

It should say:

     version  The version of the resource being returned.  This value
         must be the same as the entity-tag (ETag) HTTP response header
         (see Sections 2.1 and 2.3 of [RFC7232]).  This attribute has
         "caseExact" as "true".  Service provider support for this
         attribute is optional and subject to the service provider's
         support for versioning (see Section 3.14 of [RFC7644]).  If a
         service provider provides "version" (entity-tag) for a
         representation and the generation of that entity-tag does not
         satisfy all of the characteristics of a strong validator (see
         Section 2.1 of [RFC7232]), then the origin server MUST mark the
         "version" (entity-tag) as weak by prefixing its opaque value
         with "W/" (case sensitive).

Notes:

In the original text, the hyperlinks applied to "2.1" and "2.3" incorrectly link to those sections in RFC 7643, whereas they should link to those sections in RFC 7232.
--VERIFIER NOTES--
Errata reports are for errors in the canonical version, which, for these RFCs, are the plain text versions. HTML renderings that include heuristically-generated links aren't covered by the errata system.
