MSC4098: Use the SCIM protocol for provisioning

[azmeuk]

Rendered

Implementation PR in synapse

[azmeuk]

I am wondering how far to push the implementation I have started, since discussions about the MSC may change the scope of the implementation. So far it covers the nominal cases, but no error cases nor any advanced features. Basically, I added a bunch of endpoints for the basic SCIM thing, but I am not sure what is needed for this MSC to go forward.

[dubiousgit]

I'm a big fan of SCIM provisioning because I think it solves a well-understood problem in the Enterprise space, and reduces the management overhead greatly. It also opens the door for default room provisioning with specific group membership I believe, which I would also approve. Waiting on this one with interest.

[clokep]

The proposal is missing what the stable location of this would be.

[azmeuk]

I am not sure about this. Would /_scim/ or /_matrix/scim/ be good candidates?

[azmeuk]

So, probably /_scim/ would be better as it is a whole different spec than Matrix.

[clokep]

Suggested change

## Proposal

This whole section seems like background, not part of the proposal. I'd rename the "Detailed implementation proposal" to "Proposal" (and place it as an H2) as that gets into the actual proposed changes.

[azmeuk]

Thank you for your review. I reorganized the sections and tried to describe a better chain of ideas :

• some use-cases are not covered by the spec
• → a provisioning protocol would cover them
• → having provisioning in the spec would help interoperability
• → adopting an existing provisioning standard would help interoperability even better, and save some design time
• → SCIM is the only relevant provisioning standard

[clokep]

I agree that using a standard (SCIM) over the custom implementation is better... but I think this MSC fails to mention why this is important to be in the spec as opposed to an implementation specific set of endpoints.

[azmeuk]

I attempted to answer to this in the A common protocol for the Matrix ecosystem paragraph.

[sandhose]

I'm sceptical of adding SCIM specifically to the Matrix C-S API.
Fundamentally, Matrix isn't a user and identity management API, it's not supposed to be.
It doesn't mean however that multiple homeserver implementation can't agree implementing SCIM with a specific schema, just that I don't think it makes sense within the Matrix spec.

What does make sense would be to define Matrix-specific SCIM schemas (mostly the MXID, as everything else has a 1-1 mapping with existing SCIM attributes?), but I wouldn't tie it to Matrix-specific auth, nor to a specific C-S endpoint

[pierreozoux]

@sandhose @pmaier1 currently, from my understanding, Matrix spec has a user and identity management API, is it correct? (sorry, I'm no specialist of matrix spec, discovering this world)

The idea of this proposal is to first add a new standard API for user provisioning.

[Xiretza]

Some copy editing