Internet Engineering Task Force (IETF) M. Shahzad
Request for Comments: 9944 H. Iqbal
Category: Standards Track North Carolina State University
ISSN: 2070-1721 E. Lear
Cisco Systems
May 2026
The initial core schema for the System for Cross-domain Identity Management (SCIM) was designed for provisioning users. This memo specifies schema extensions that enable provisioning of devices using various underlying bootstrapping systems such as Wi-Fi Easy Connect, FIDO device onboarding vouchers, Bluetooth Low Energy (BLE) passcodes, and MAC Authenticated Bypass (MAB).
System for Cross-domain Identity Management (SCIM) の初期コア スキーマは、ユーザーをプロビジョニングするために設計されました。このメモでは、Wi-Fi Easy Connect、FIDO デバイス オンボーディング バウチャー、Bluetooth Low Energy (BLE) パスコード、MAC Authenticated Bypass (MAB) などのさまざまな基盤となるブートストラップ システムを使用したデバイスのプロビジョニングを可能にするスキーマ拡張を指定します。
This is an Internet Standards Track document.
これはインターネット標準化トラックの文書です。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
このドキュメントは Internet Engineering Task Force (IETF) の成果物です。これは IETF コミュニティのコンセンサスを表しています。この文書は公開レビューを受け、Internet Engineering Steering Group (IESG) によって公開が承認されています。インターネット標準の詳細については、RFC 7841 のセクション 2 を参照してください。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9944.
この文書の現在のステータス、正誤表、およびそれに対するフィードバックの提供方法に関する情報は、https://www.rfc-editor.org/info/rfc9944 で入手できます。
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.
Copyright (c) 2026 IETF Trust および文書の著者として特定された人物。無断転載を禁じます。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
この文書は、BCP 78 およびこの文書の発行日に有効な IETF 文書に関する IETF トラストの法的規定 (https://trustee.ietf.org/license-info) の対象となります。これらの文書には、この文書に関するお客様の権利と制限が記載されているため、注意深くお読みください。このドキュメントから抽出されたコード コンポーネントには、トラスト法的規定のセクション 4.e に記載されている改訂 BSD ライセンス テキストが含まれている必要があり、改訂 BSD ライセンスに記載されているように保証なしで提供されます。
1. Introduction
1.1. Why SCIM for Devices?
1.2. Protocol Participants
1.3. Schema Description
1.4. Schema Representation
1.5. Terminology
2. ResourceType Device
2.1. Common Attributes
3. SCIM Core Device Schema
3.1. Singular Attributes
4. Groups
5. Resource Type EndpointApp
6. SCIM EndpointApp Schema
6.1. Common Attributes
6.2. Singular Attributes
6.3. Complex Attributes
6.3.1. certificateInfo
7. SCIM Device Extensions
7.1. Bluetooth Low Energy (BLE) Extension
7.1.1. Singular Attributes
7.1.2. Multivalued Attributes
7.1.3. BLE Pairing Method Extensions
7.2. Wi-Fi Easy Connect Extension
7.2.1. Singular Attributes
7.2.2. Multivalued Attributes
7.3. Ethernet MAB Extension
7.3.1. Single Attribute
7.4. FIDO Device Onboard Extension
7.4.1. Single Attribute
7.5. Zigbee Extension
7.5.1. Singular Attribute
7.5.2. Multivalued Attribute
7.6. The Endpoint Applications Extension Schema
7.6.1. Singular Attributes
7.6.2. Multivalued Attribute
8. Security Considerations
8.1. SCIM Operations
8.1.1. Unauthorized Object Creation
8.2. Object Deletion
8.3. Read Operations
8.4. Update Operations
8.5. Higher Level Protection for Certain Systems
8.6. Logging
9. IANA Considerations
9.1. New Schemas
9.2. Device Schema Extensions
10. References
10.1. Normative References
10.2. Informative References
Appendix A. JSON Schema Representation
A.1. Resource Schema
A.2. Core Device Schema
A.3. EndpointApp Schema
A.4. BLE Extension Schema
A.5. DPP Extension Schema
A.6. Ethernet MAB Extension Schema
A.7. FDO Extension Schema
A.8. Zigbee Extension Schema
A.9. endpointAppsExt Extension Schema
Appendix B. OpenAPI Representation
B.1. Core Device Schema OpenAPI Representation
B.2. EndpointApp Schema OpenAPI Representation
B.3. BLE Extension Schema OpenAPI Representation
B.4. DPP Extension Schema OpenAPI Representation
B.5. Ethernet MAB Extension Schema OpenAPI Representation
B.6. FDO Extension Schema OpenAPI Representation
B.7. Zigbee Extension Schema OpenAPI Representation
B.8. endpointAppsExt Extension Schema OpenAPI Representation
Appendix C. FIDO Device Onboarding Example Flow
Acknowledgments
Authors' Addresses
The Internet of Things presents a management challenge in many dimensions. One of them is the ability to onboard and manage a large number of devices. There are many models for bootstrapping trust between devices and network deployments. Indeed, it is expected that different manufacturers will make use of different methods.
モノのインターネットは、さまざまな面で管理上の課題をもたらします。その 1 つは、多数のデバイスをオンボードして管理できることです。デバイスとネットワーク展開の間で信頼をブートストラップするためのモデルは数多くあります。実際、製造業者が異なれば、使用する方法も異なることが予想されます。
The System for Cross-domain Identity Management (SCIM) [RFC7643] [RFC7644] defines a protocol and a schema for the provisioning of users. However, it can easily be extended to provision device credentials and other attributes into a network. The protocol and core schema were designed to permit just such extensions. Bulk operations are supported. This is good because often devices are procured in bulk.
System for Cross-domain Identity Management (SCIM) [RFC7643] [RFC7644] は、ユーザーのプロビジョニングのためのプロトコルとスキーマを定義します。ただし、デバイスの資格情報やその他の属性をネットワークにプロビジョニングするように簡単に拡張できます。プロトコルとコア スキーマは、まさにそのような拡張を許可するように設計されています。一括操作がサポートされています。多くの場合、デバイスは大量に調達されるため、これは良いことです。
A primary purpose of this specification is to provision the network for onboarding and communications access to and from devices within a local deployment based on the underlying capabilities of those devices.
この仕様の主な目的は、デバイスの基盤となる機能に基づいて、ローカル展開内のデバイスとの間でオンボーディングおよび通信アクセスを行うためのネットワークをプロビジョニングすることです。
The underlying security mechanisms of some devices range from non-existent such as the Bluetooth Low Energy (BLE) "Just Works" pairing method to a robust FIDO Device Onboard (FDO) mechanism. Information from the SCIM server is dispatched to control functions based on selected schema extensions to enable these communications within a network. The SCIM database is therefore essentially equivalent to a network's Authentication, Authorization, and Accounting (AAA) database and should be carefully managed as such.
一部のデバイスの基盤となるセキュリティ メカニズムは、Bluetooth Low Energy (BLE) の「Just Works」ペアリング方式などの存在しないものから、堅牢な FIDO Device Onboard (FDO) メカニズムまで多岐にわたります。SCIM サーバーからの情報は、選択されたスキーマ拡張に基づいて機能を制御するために送信され、ネットワーク内でのこれらの通信を可能にします。したがって、SCIM データベースは本質的にネットワークの認証、認可、およびアカウンティング (AAA) データベースと同等であるため、そのように慎重に管理する必要があります。
There are a number of existing models that might provide the basis for a scheme for provisioning devices onto a network, including two standardized by the IETF: NETCONF [RFC6241] or RESTCONF [RFC8040] with YANG [RFC7950]. SCIM was chosen for the following reasons:
ネットワーク上にデバイスをプロビジョニングするスキームの基礎を提供する可能性のある既存のモデルが多数あります。その中には、IETF によって標準化された 2 つのモデル、NETCONF [RFC6241] または YANG [RFC7950] を使用した RESTCONF [RFC8040] が含まれます。SCIM が選択された理由は次のとおりです。
* NETCONF and RESTCONF focus on *configuration* rather than provisioning.
* NETCONF と RESTCONF は、プロビジョニングではなく *構成* に焦点を当てています。
* SCIM is designed with inter-domain provisioning in mind. The use of HTTP as a substrate permits both user-based authentication for local provisioning applications, as well as OAUTH or certificate-based authentication. The inter-domain nature of these operations does not expose local policy, which itself must be (and often is) configured with other APIs, many of which are not standardized.
* SCIM は、ドメイン間のプロビジョニングを念頭に置いて設計されています。HTTP を基板として使用すると、ローカル プロビジョニング アプリケーションのユーザー ベースの認証と、OAUTH または証明書ベースの認証の両方が可能になります。これらの操作のドメイン間の性質によりローカル ポリシーは公開されず、ローカル ポリシー自体は他の API で構成する必要があります (多くの場合、そのように構成されます)。その多くは標準化されていません。
* SCIM is also a familiar tool within the enterprise environment, used extensively to configure federated user accounts.
* SCIM はエンタープライズ環境内でもよく知られたツールであり、フェデレーション ユーザー アカウントを構成するために広く使用されています。
* Finally, once one chooses a vehicle such as SCIM, one is beholden to its data model. The SCIM data model is more targeted to provisioning as articulated in [RFC7643].
* 最後に、SCIM などの手段を選択すると、そのデータ モデルに依存することになります。SCIM データ モデルは、[RFC7643] で明示されているように、プロビジョニングをよりターゲットにしています。
This taken together with the fact that end devices are not intended to be *directly* configured leaves us with SCIM as the best standard option.
このことと、エンド デバイスが「直接」構成されることを意図していないという事実を考慮すると、最適な標準オプションとして SCIM が残ります。
In the normal SCIM model, it was presumed that large federated deployments would be SCIM clients who provision and remove employees and contractors as they enter and depart those deployments, and federated services such as sales, payment, or conferencing services would be the servers.
通常の SCIM モデルでは、大規模なフェデレーション展開は、従業員や請負業者がその展開に出入りするときにプロビジョニングおよび削除する SCIM クライアントとなり、販売、支払い、会議サービスなどのフェデレーション サービスがサーバーになると想定されていました。
In the device model, the roles are reversed and may be somewhat more varied. The SCIM server resides within a deployment and is used for receiving information about devices that are expected to be connected to its network. That server will apply appropriate local policies regarding whether/how the device should be connected.
デバイス モデルでは、役割が逆になり、多少多様になる場合があります。SCIM サーバーは展開内に常駐し、ネットワークに接続されることが予想されるデバイスに関する情報を受信するために使用されます。そのサーバーは、デバイスを接続するかどうか/接続する方法に関して適切なローカル ポリシーを適用します。
The client may be one of a number of entities:
クライアントは、次のような多数のエンティティのうちの 1 つである可能性があります。
* A vendor who is authorized to add devices to a network as part of a sales transaction. This is similar to the sales integration sometimes envisioned by Bootstrapping Remote Secure Key Infrastructure (BRSKI) [RFC8995].
* 販売取引の一環としてネットワークにデバイスを追加する権限を与えられたベンダー。これは、ブートストラップ リモート セキュア キー インフラストラクチャ (BRSKI) [RFC8995] によって時々想定される販売統合に似ています。
* A client application that administrators or employees use to add, remove, or get information about devices. An example might be a tablet or phone app that scans Wi-Fi Easy Connect QR codes.
* 管理者または従業員がデバイスの追加、削除、または情報の取得に使用するクライアント アプリケーション。例としては、Wi-Fi Easy Connect QR コードをスキャンするタブレットまたは電話アプリが挙げられます。
+-----------------------------------+
| |
+-----------+ Request | +---------+ |
| Onboarding|------------->| SCIM | |
| App |<-------------| Server | |
+-----------+ Ctrl Endpt +---------+ |
| | |
| |(Device Info) |
| v |
+-----------+ | +------------+ +-------+ |
| Control |...........|..| ALG |.........|Device | |
| App | | +------------+ +-------+ |
+-----------+ | |
| Local Network |
+-----------------------------------+
Figure 1: Basic Architecture - Non-IP Example
図 1: 基本アーキテクチャ - 非 IP の例
In Figure 1, the onboarding application (app) provides the device particulars, which will vary based on the type of device, as indicated by the selection of schema extensions. As part of the response, the SCIM server might provide additional information, especially in the case of non-IP devices, where an application-layer gateway may need to be used to communicate with the device (c.f., [NIPC]). The control endpoint is one among a number of objects that may be returned. That control endpoint will then communicate with the Application Layer Gateway (ALG) to reach the device.
図 1 では、オンボーディング アプリケーション (アプリ) がデバイスの詳細を提供します。これは、スキーマ拡張の選択によって示されるように、デバイスの種類に応じて異なります。応答の一部として、SCIM サーバーは、特に非 IP デバイスの場合、デバイスとの通信にアプリケーション層ゲートウェイを使用する必要がある場合に、追加情報を提供することがあります ([NIPC] を参照)。コントロール エンドポイントは、返される可能性のある多数のオブジェクトのうちの 1 つです。この制御エンドポイントは、アプリケーション層ゲートウェイ (ALG) と通信してデバイスに到達します。
+------------------------------------+
| |
+-----------+ Request | +---------+ +----+ +------+ |
| Onboarding|------------->| SCIM |-->| AAA|<-->|Switch| |
| App |<-------------| Server | +----+ +------+ |
+-----------+ Ctrl Endpt +---------+ | |
| | |
+-----------+ | +------------+ +-------+ |
| Control |...........|..| Router/fw |.........|Device | |
| App | | +------------+ +-------+ |
+-----------+ | |
| Local Network |
+------------------------------------+
Figure 2: Interaction with AAA
図 2: AAA との対話
Figure 2 shows how IP-based endpoints can be provisioned. In this case, the onboarding application provisions a device via SCIM. The necessary information is passed to the Authentication, Authorization, and Accounting (AAA) subsystem, such that the device is permitted to connect. Once it is online, since the device is based on IP, it will not need an ALG, but it will use the normal IP infrastructure to communicate with its control application.
図 2 は、IP ベースのエンドポイントをプロビジョニングする方法を示しています。この場合、オンボーディング アプリケーションは SCIM 経由でデバイスをプロビジョニングします。必要な情報が認証、認可、およびアカウンティング (AAA) サブシステムに渡され、デバイスの接続が許可されます。オンラインになると、デバイスは IP に基づいているため、ALG は必要ありませんが、通常の IP インフラストラクチャを使用して制御アプリケーションと通信します。
[RFC7643] does not prescribe a language to describe a schema but instead uses a narrative description with examples. We follow that approach. In addition, we provide non-normative JSON Schemas [JSONSchema] and OpenAPI [OpenAPI] versions in the appendices for ease of implementation, neither of which existed when SCIM was originally developed. The only difference the authors note between the normative schema representations is that the JSON Schemas and OpenAPI versions do not have a means to express case sensitivity, and thus attributes that are not case sensitive must be manually validated.
[RFC7643] はスキーマを記述するための言語を規定しておらず、代わりに例を伴う説明的な記述を使用しています。私たちはそのアプローチに従っています。さらに、実装を容易にするために、付録で非標準の JSON スキーマ [JSONSchema] および OpenAPI [OpenAPI] バージョンを提供しますが、どちらも SCIM が最初に開発されたときには存在しませんでした。標準的なスキーマ表現の唯一の違いとして著者が指摘しているのは、JSON スキーマ バージョンと OpenAPI バージョンには大文字と小文字の区別を表現する手段がないため、大文字と小文字が区別されない属性は手動で検証する必要があることです。
Several additional schemas specify specific onboarding mechanisms, such as Bluetooth Low Energy (BLE) [BLE54], Wi-Fi Easy Connect [DPP2], and FIDO Device Onboard [FDO11].
いくつかの追加スキーマは、Bluetooth Low Energy (BLE) [BLE54]、Wi-Fi Easy Connect [DPP2]、FIDO Device Onboard [FDO11] などの特定のオンボーディング メカニズムを指定します。
When JSON is presented in this memo, it is folded in accordance with [RFC8792].
このメモ内で JSON が提示される場合、[RFC8792] に従って折り畳まれます。
Attributes defined in the device core schema (see Section 2.2 of [RFC7643]) and extensions comprise characteristics and the SCIM datatypes (defined in Section 2.3 of [RFC7643]). This specification does not define new characteristics and datatypes for the SCIM attributes.
デバイスコアスキーマ ([RFC7643] のセクション 2.2 を参照) で定義された属性と拡張は、特性と SCIM データ型 ([RFC7643] のセクション 2.3 で定義) で構成されます。この仕様は、SCIM 属性の新しい特性とデータ型を定義しません。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
このドキュメント内のキーワード「MUST」、「MUST NOT」、「REQUIRED」、「SHALL」、「SHALL NOT」、「SHOULD」、「SHOULD NOT」、「RECOMMENDED」、「NOT RECOMMENDED」、「MAY」、および「OPTIONAL」は、ここに示すようにすべて大文字で表示されている場合にのみ、BCP 14 [RFC2119] [RFC8174] で説明されているように解釈されます。
The reader is also expected to be familiar with the narrative schema language used in [RFC7643].
読者は、[RFC7643] で使用される物語スキーマ言語にも精通していることが期待されます。
A new resource type Device is specified. The "ResourceType" schema specifies the metadata about a resource type (see Section 6 of [RFC7643]). It comprises a core device schema and several extension schemas. This schema provides a minimal resource representation, whereas extension schemas extend it depending on the device's capability.
新しいリソース タイプ デバイスが指定されています。"ResourceType" スキーマは、リソースタイプに関するメタデータを指定します ([RFC7643] のセクション 6 を参照)。これは、コア デバイス スキーマといくつかの拡張スキーマで構成されます。このスキーマは最小限のリソース表現を提供しますが、拡張スキーマはデバイスの機能に応じてそれを拡張します。
The device schema contains three common attributes as defined in Section 3.1 of [RFC7643]. No semantic or syntax changes are made here, but the attributes are listed merely for completeness.
デバイススキーマには、[RFC7643] のセクション 3.1 で定義されている 3 つの共通属性が含まれています。ここでは意味や構文の変更は行われませんが、完全を期すために属性がリストされているだけです。
id:
id:
A required and unique attribute of the core device schema (see Section 3.1 of [RFC7643]).
コアデバイススキーマの必須かつ一意の属性 ([RFC7643] のセクション 3.1 を参照)。
externalId:
外部ID:
An optional attribute (see Section 3.1 of [RFC7643]).
オプションの属性 ([RFC7643] のセクション 3.1 を参照)。
meta:
メタ:
A required and complex attribute (see Section 3.1 of [RFC7643]).
必須かつ複雑な属性 ([RFC7643] のセクション 3.1 を参照)。
The core device schema provides the minimal representation of a resource Device. It contains only those attributes that any device may need, and only one attribute is required. It is identified using the schema URI:
コア デバイス スキーマは、リソース デバイスの最小限の表現を提供します。これには、デバイスに必要な属性のみが含まれており、必要な属性は 1 つだけです。これは、スキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:core:2.0:Device
urn:ietf:params:scim:スキーマ:コア:2.0:デバイス
The following attributes are defined in the core device schema.
次の属性は、コア デバイス スキーマで定義されます。
displayName:
表示名:
A string that provides a human-readable name for a device. It is intended to be displayed to end users and should be suitable for that purpose. The attribute is not required and is not case sensitive. It may be modified and SHOULD be returned by default. No uniqueness constraints are imposed on this attribute.
人間が判読できるデバイス名を提供する文字列。これはエンド ユーザーに表示されることを目的としており、その目的に適している必要があります。この属性は必須ではなく、大文字と小文字は区別されません。これは変更される可能性があり、デフォルトで返されるべきです(SHOULD)。この属性には一意性の制約は課されません。
active:
アクティブ:
A mutable boolean that is required. If set to true, it means that this device is intended to be operational. Attempts to control or access a device where this value is set to false may fail. For example, when used in conjunction with Non-Internet-Connected Physical Components (NIPC) [NIPC], commands (such as connect, disconnect, and subscribe) that control application sends to the controller for devices will be rejected by the controller.
必須の変更可能なブール値。true に設定されている場合、このデバイスは動作可能であることを意味します。この値が false に設定されているデバイスを制御またはアクセスしようとすると、失敗する可能性があります。たとえば、非インターネット接続物理コンポーネント (NIPC) [NIPC] と組み合わせて使用すると、制御アプリケーションがデバイスのコントローラーに送信するコマンド (接続、切断、サブスクライブなど) がコントローラーによって拒否されます。
mudUrl:
泥URL:
A string that represents the URL to the Manufacturer Usage Description (MUD) file associated with this device. This attribute is optional, mutable, and returned by default. When present, this attribute may be used as described in [RFC8520]. The mudUrl value is case sensitive and not unique.
このデバイスに関連付けられた製造元使用法記述 (MUD) ファイルへの URL を表す文字列。この属性はオプションで変更可能で、デフォルトで返されます。存在する場合、この属性は [RFC8520] で説明されているように使用できます。mudUrl 値は大文字と小文字が区別され、一意ではありません。
groups:
グループ:
An optional read-only complex object that indicates group membership. Its form is precisely the same as that defined in Section 4.1.2 of [RFC7643].
グループのメンバーシップを示すオプションの読み取り専用複合オブジェクト。その形式は、[RFC7643] のセクション 4.1.2 で定義されているものとまったく同じです。
+=============+=======+=====+=======+=========+========+========+
| Attribute | Multi | Req | Case | Mutable | Return | Unique |
| | Value | | Exact | | | |
+=============+=======+=====+=======+=========+========+========+
| displayName | F | F | F | RW | Def | None |
+-------------+-------+-----+-------+---------+--------+--------+
| active | F | T | F | RW | Def | None |
+-------------+-------+-----+-------+---------+--------+--------+
| mudUrl | F | F | T | RW | Def | None |
+-------------+-------+-----+-------+---------+--------+--------+
| groups | T | F | T | RO | Def | n/a |
+-------------+-------+-----+-------+---------+--------+--------+
Table 1: Characteristics of Device Schema Attributes
表 1: デバイス スキーマ属性の特性
Legend:
伝説:
Req = Required, T = True, F = False, RO = ReadOnly, RW = ReadWrite, Def = Default
Req = 必須、T = True、F = False、RO = 読み取り専用、RW = 読み取り書き込み、Def = デフォルト
Example:
例:
<CODE BEGINS>
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor",
"active": true,
"meta": {
"resourceType": "Device",
"created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-\
4109-8486-d5c6a3316111"
}
}
<CODE ENDS>
Figure 3: Core Device Example Entries
図 3: コアデバイスのエントリ例
Device and EndpointApp groups are created using the SCIM groups as defined in Section 4.2 of [RFC7643]. If set, the "type" subattribute of the "members" attribute MUST be set to Device for devices and EndpointApp for endpoint applications.
Device グループと EndpointApp グループは、[RFC7643] のセクション 4.2 で定義されている SCIM グループを使用して作成されます。設定する場合、「members」属性の「type」サブ属性は、デバイスの場合は Device、エンドポイント アプリケーションの場合は EndpointApp に設定する必要があります。
This section defines the EndpointApp resource type. The "ResourceType" schema specifies the metadata about a resource type (see Section 6 of [RFC7643]). The resource EndpointApp represents client applications that can control and/or receive data from the devices.
このセクションでは、EndpointApp リソース タイプを定義します。"ResourceType" スキーマは、リソースタイプに関するメタデータを指定します ([RFC7643] のセクション 6 を参照)。EndpointApp リソースは、デバイスを制御したりデバイスからデータを受信したりできるクライアント アプリケーションを表します。
The EndpointApp schema is used to authorize control or telemetry services for clients. The schema identifies the application and how clients are to authenticate to the various services.
EndpointApp スキーマは、クライアントの制御サービスまたはテレメトリ サービスを承認するために使用されます。スキーマは、アプリケーションと、クライアントがさまざまなサービスに対して認証する方法を識別します。
The schema for EndpointApp is identified using the schema URI:
EndpointApp のスキーマは、スキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:core:2.0:EndpointApp
urn:ietf:params:scim:schemas:core:2.0:EndpointApp
The following attributes are defined in this schema.
このスキーマでは次の属性が定義されています。
Like Section 2.1, the EndpointApp schema contains the three common attributes specified in Section 3.1 of [RFC7643].
セクション 2.1 と同様、EndpointApp スキーマには [RFC7643] のセクション 3.1 で指定されている 3 つの共通属性が含まれています。
applicationType:
アプリケーションタイプ:
A string that represents the type of application. It will only contain two values: deviceControl or telemetry. deviceControl is the application that sends commands to control the device. telemetry is the application that receives data from the device. The attribute is required and is not case sensitive. The attribute is immutable and should be returned by default. No uniqueness constraints are imposed on this attribute.
アプリケーションの種類を表す文字列。これには、deviceControl または telemetry の 2 つの値のみが含まれます。deviceControl は、デバイスを制御するコマンドを送信するアプリケーションです。テレメトリは、デバイスからデータを受信するアプリケーションです。この属性は必須であり、大文字と小文字は区別されません。この属性は不変であり、デフォルトで返される必要があります。この属性には一意性の制約は課されません。
applicationName:
アプリケーション名:
A string that represents a human-readable name for the application. This attribute is required and mutable. The attribute should be returned by default and there is no uniqueness constraint on the attribute.
人間が判読できるアプリケーション名を表す文字列。この属性は必須であり、変更可能です。属性はデフォルトで返される必要があり、属性には一意性の制約はありません。
clientToken:
クライアントトークン:
A string that contains a token that the client will use to authenticate itself. Each token may be a string up to 500 characters in length. It is not mutable. It is read-only, case sensitive, and generated if no certificateInfo object is provisioned. It is returned by default if it exists. The SCIM server should expect that client tokens will be shared by the SCIM client with other components within the client's infrastructure.
クライアントが自身を認証するために使用するトークンを含む文字列。各トークンは、長さ 500 文字までの文字列にすることができます。変更可能ではありません。これは読み取り専用で大文字と小文字が区別され、certificateInfo オブジェクトがプロビジョニングされていない場合に生成されます。存在する場合、デフォルトで返されます。SCIM サーバーは、クライアント トークンが SCIM クライアントによってクライアントのインフラストラクチャ内の他のコンポーネントと共有されることを予期する必要があります。
groups:
グループ:
An optional read-only complex object that indicates group membership. Its form is precisely the same as that defined in Section 4.1.2 of [RFC7643].
グループのメンバーシップを示すオプションの読み取り専用複合オブジェクト。その形式は、[RFC7643] のセクション 4.1.2 で定義されているものとまったく同じです。
certificateInfo is a complex attribute that contains an X.509 certificate's subject name and root Certificate Authority (CA) information associated with application clients that will connect for purposes of device control or telemetry.
certificateInfo は、X.509 証明書のサブジェクト名と、デバイス制御またはテレメトリの目的で接続するアプリケーション クライアントに関連付けられたルート認証局 (CA) 情報を含む複合属性です。
rootCA:
ルートCA:
A base64-encoded string as described in Section 4 of [RFC4648]. It is a trust anchor certificate applicable for certificates used for client application access. The object is not required. It is singular, case sensitive, and read/write. If not present, a set of trust anchors MUST be configured out of band.
[RFC4648] のセクション 4 に記載されている、base64 でエンコードされた文字列。クライアント アプリケーションのアクセスに使用される証明書に適用されるトラスト アンカー証明書です。オブジェクトは必須ではありません。これは単数形で、大文字と小文字が区別され、読み取り/書き込み可能です。存在しない場合は、トラスト アンカーのセットを帯域外に設定する必要があります。
subjectName:
件名:
A string that contains one of two names:
2 つの名前のいずれかを含む文字列:
* a distinguished name that will be present in the certificate subject field, as described in Section 4.1.2.4 of [RFC5280] or
* [RFC5280] のセクション 4.1.2.4 に記載されているように、証明書のサブジェクトフィールドに存在する識別名、または
* a dnsName as part of a subjectAlternateName, as described in Section 4.2.1.6 of [RFC5280].
* [RFC5280] のセクション 4.2.1.6 で説明されているように、subjectAlternateName の一部としての dnsName。
In the latter case, servers validating such certificates SHALL reject connections when the name of the peer as resolved by a DNS reverse lookup does not match the dnsName in the certificate. If multiple dnsNames are present, it is left to server implementations to address any authorization conflicts associated with those names. This attribute is not required and not case sensitive. It is mutable and singular.
後者の場合、そのような証明書を検証するサーバーは、DNS 逆引き参照によって解決されたピアの名前が証明書内の dnsName と一致しない場合、接続を拒否するものとします (SHALL)。複数の dnsName が存在する場合、それらの名前に関連する承認の競合への対処はサーバー実装に委ねられます。この属性は必須ではなく、大文字と小文字は区別されません。それは可変であり、単数です。
+=================+=======+===+=======+=========+========+========+
| Attribute | Multi |Req| Case | Mutable | Return | Unique |
| | Value | | Exact | | | |
+=================+=======+===+=======+=========+========+========+
| applicationType | F |T | F | Imm | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+
| applicationName | F |T | F | RW | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+
| clientToken | F |F | T | RO | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+
| certificateInfo | F |F | F | RW | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+
| rootCA | F |F | T | RW | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+
| subjectName | F |T | T | RW | Def | None |
+-----------------+-------+---+-------+---------+--------+--------+
| groups | T |F | T | RO | Def | n/a |
+-----------------+-------+---+-------+---------+--------+--------+
Table 2: Characteristics of EndpointApp Schema Attributes
表 2: EndpointApp スキーマ属性の特徴
Legend:
伝説:
Req = Required, T = True, F = False, RO = ReadOnly, RW = ReadWrite, N = No, Def = Default, Imm = Immutable
Req = 必須、T = True、F = False、RO = 読み取り専用、RW = 読み取り書き込み、N = いいえ、Def = デフォルト、Imm = 不変
If certificateInfo is provided by the client and is accepted by the server, the server MUST return that multivalued attribute in its response. Otherwise, the server is expected to return a clientToken. If the server returns neither certificateInfo nor a clientToken, then external authentication such as [OAUTHv2] MUST be pre-arranged. If the server accepts a certificate and produces a clientToken, then control and telemetry servers MUST validate both.
certificateInfo がクライアントによって提供され、サーバーによって受け入れられた場合、サーバーはその応答でその複数値属性を返さなければなりません (MUST)。それ以外の場合、サーバーは clientToken を返すことが期待されます。サーバーがcertificateInfoもclientTokenも返さない場合、[OAUTHv2]などの外部認証を事前に設定しなければなりません(MUST)。サーバーが証明書を受け入れて clientToken を生成する場合、コントロール サーバーとテレメトリ サーバーは両方を検証しなければなりません (MUST)。
certificateInfo is preferred in situations where client functions are federated such that different clients may connect for different purposes.
certificateInfo は、異なるクライアントが異なる目的で接続する可能性があるなど、クライアント機能が統合されている状況で推奨されます。
Example:
例:
<CODE BEGINS>
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:EndpointApp"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316212",
"applicationType": "deviceControl",
"applicationName": "Device Control App 1",
"certificateInfo": {
"rootCA" : "MIIBIjAN...",
"subjectName": "www.example.com"
},
"meta": {
"resourceType": "EndpointApp",
"created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/EndpointApps/e9e30dba-f08f-\
4109-8486-d5c6a3316212"
}
}
<CODE ENDS>
Figure 4: Endpoint App Example
図 4: エンドポイント アプリの例
SCIM provides various extension schemas and their attributes, along with JSON representations and example objects. The core schema is extended with a new resource type, Device. No schemaExtensions list is specified in that definition. Instead, IANA registry entries have been created, where all values for "required" are set to false. All extensions to the device schema MUST be registered via IANA, as described in Section 9.2. The schemas below demonstrate how this model is to work. All the SCIM server-related schema URIs are valid only with Device resource types.
SCIM は、JSON 表現とサンプル オブジェクトとともに、さまざまな拡張スキーマとその属性を提供します。コア スキーマは、新しいリソース タイプ Device で拡張されています。その定義では schemaExtensions リストが指定されていません。代わりに、IANA レジストリ エントリが作成され、「必須」のすべての値が false に設定されます。デバイス スキーマへのすべての拡張は、セクション 9.2 で説明されているように、IANA 経由で登録しなければなりません (MUST)。以下のスキーマは、このモデルがどのように機能するかを示しています。すべての SCIM サーバー関連のスキーマ URI は、デバイス リソース タイプでのみ有効です。
This schema extends the device schema to represent the devices supporting BLE. The extension is identified using the following schema URI:
このスキーマは、BLE をサポートするデバイスを表すようにデバイス スキーマを拡張します。拡張機能は、次のスキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:extension:ble:2.0:Device
urn:ietf:params:scim:schemas:extension:ble:2.0:Device
The attributes are as follows.
属性は以下の通りです。
deviceMacAddress:
デバイスのMacアドレス:
A string value that represents a public MAC address assigned by the manufacturer. It is a unique 48-bit value. It is required, case insensitive, mutable, and returned by default. The ECMA regular expression pattern [ECMA] is the following:
製造元によって割り当てられたパブリック MAC アドレスを表す文字列値。これは一意の 48 ビット値です。これは必須であり、大文字と小文字は区別されず、変更可能であり、デフォルトで返されます。ECMA 正規表現パターン [ECMA] は次のとおりです。
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$
isRandom:
はランダムです:
A boolean flag. If false, the device is using a public MAC address. If true, the device uses a random address. If an Identifying Resolving Key (IRK) is present, the address represents a resolvable private address. Otherwise, the address is assumed to be a random static address. Non-resolvable private addresses are not supported by this specification. This attribute is not required. It is mutable and is returned by default. The default value is false. See Volume 6, Part B, Section 1.3 of [BLE54] for more information about different address types.
ブール値のフラグ。false の場合、デバイスはパブリック MAC アドレスを使用しています。true の場合、デバイスはランダムなアドレスを使用します。Identifying Resolve Key (IRK) が存在する場合、アドレスは解決可能なプライベート アドレスを表します。それ以外の場合、アドレスはランダムな静的アドレスであるとみなされます。解決できないプライベート アドレスは、この仕様ではサポートされていません。この属性は必須ではありません。これは変更可能であり、デフォルトで返されます。デフォルト値は false です。さまざまなアドレス タイプの詳細については、[BLE54] の第 6 巻、パート B、セクション 1.3 を参照してください。
separateBroadcastAddress:
別のブロードキャストアドレス:
When present, this string represents an address used for broadcasts/advertisements. This value MUST NOT be set when an IRK is provided. Its form is the same as deviceMacAddress. It is not required. It is multivalued, mutable, and returned by default.
存在する場合、この文字列はブロードキャスト/アドバタイズに使用されるアドレスを表します。IRK が提供される場合、この値を設定してはなりません。その形式は deviceMacAddress と同じです。必須ではありません。これは複数の値を持ち、変更可能であり、デフォルトで返されます。
irk:
irk:
A string value that specifies the IRK, which is unique to each device. It is used to resolve a private random address. It should only be provisioned when isRandom is true. It is mutable and never returned. For more information about the use of the IRK, see Volume 1, Part A, Section 5.4.5 of [BLE54].
各デバイスに固有の IRK を指定する文字列値。プライベートのランダム アドレスを解決するために使用されます。isRandom が true の場合にのみプロビジョニングする必要があります。これは変更可能であり、返されることはありません。IRK の使用の詳細については、[BLE54] の第 1 巻、パート A、セクション 5.4.5 を参照してください。
mobility:
モビリティ:
A boolean attribute to enable BLE device mobility. If set to true, the device could be expected to move within a network of Access Points (APs). For example, if a BLE device is connected with AP-1 and moves out of range but comes in range of AP-2, it will be disconnected with AP-1 and connected with AP-2. It is returned by default and mutable.
BLE デバイスのモビリティを有効にするブール属性。true に設定すると、デバイスはアクセス ポイント (AP) のネットワーク内で移動すると予想されます。たとえば、BLE デバイスが AP-1 に接続されており、範囲外に移動しても AP-2 の範囲内に入った場合、AP-1 との接続が切断され、AP-2 に接続されます。これはデフォルトで返され、変更可能です。
versionSupport:
バージョンサポート:
A multivalued set of strings that specifies the BLE versions supported by the device in the form of an array, for example, ["4.1", "4.2", "5.0", "5.1", "5.2", "5.3", "5.4"]. It is required, mutable, and returned by default.
デバイスでサポートされている BLE バージョンを配列形式で指定する複数値の文字列セット (["4.1"、"4.2"、"5.0"、"5.1"、"5.2"、"5.3"、"5.4"] など)。これは必須であり、変更可能であり、デフォルトで返されます。
pairingMethods:
ペアリング方法:
A multivalued set of strings that specifies pairing methods associated with the BLE device. The pairing methods may require subattributes such as key/password for the device pairing process. To enable the scalability of pairing methods in the future, they are represented as extensions to incorporate various attributes that are part of the respective pairing process. Pairing method extensions are nested inside the BLE extension. It is required, case sensitive, mutable, and returned by default.
BLE デバイスに関連付けられたペアリング方法を指定する文字列の複数値セット。ペアリング方法では、デバイスのペアリング プロセスにキー/パスワードなどのサブ属性が必要になる場合があります。将来のペアリング方法のスケーラビリティを可能にするために、それらは、それぞれのペアリング プロセスの一部であるさまざまな属性を組み込むための拡張機能として表されます。ペアリング メソッド拡張は、BLE 拡張内にネストされます。これは必須であり、大文字と小文字が区別され、変更可能であり、デフォルトで返されます。
The details on pairing methods and their associated attributes are in Volume 1, Part A, Section 5.2.4 of [BLE54]. This memo defines extensions for four pairing methods that are nested inside the BLE extension schema. Each extension contains the common attributes in Section 2.1. These extensions are as follows:
ペアリング方法とそれに関連する属性の詳細は、[BLE54] の第 1 巻、パート A、セクション 5.2.4 に記載されています。このメモは、BLE 拡張スキーマ内にネストされている 4 つのペアリング メソッドの拡張を定義します。各拡張には、セクション 2.1 の共通属性が含まれています。これらの拡張子は次のとおりです。
pairingNull extension:
ペアリングNull 拡張子:
Identified using the following schema URI:
次のスキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device
urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device
pairingNull does not have any attribute. It allows pairing for BLE devices that do not require a pairing method.
paringNull には属性がありません。ペアリング方法を必要としない BLE デバイスのペアリングが可能になります。
pairingJustWorks extension:
JustWorks 拡張機能のペアリング:
Identified using the following schema URI:
次のスキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device
urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device
The Just Works pairing method does not require a key to pair devices. For completeness, the key attribute is included and is set to 'null'. The key attribute is required, immutable, and returned by default.
Just Works のペアリング方法では、デバイスのペアリングにキーは必要ありません。完全を期すために、key 属性が含まれており、「null」に設定されています。key 属性は必須であり、不変であり、デフォルトで返されます。
pairingPassKey extension:
ペアリングパスキー拡張子:
Identified using the following schema URI:
次のスキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device
urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device
The passkey pairing method requires a 6-digit key to pair devices. This extension has one singular integer attribute, "key", which is required, mutable, and returned by default. The key pattern is as follows:
パスキー ペアリング方法では、デバイスのペアリングに 6 桁のキーが必要です。この拡張機能には、単一の整数属性「key」が 1 つあります。これは必須で変更可能で、デフォルトで返されます。キーパターンは次のとおりです。
^[0-9]{6}$
pairingOOB extension:
ペアリングOOB拡張子:
Identified using the following schema URI:
次のスキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device
urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device
The out-of-band (OOB) pairing method includes three singular attributes: key, randomNumber, and confirmationNumber.
帯域外 (OOB) ペアリング方法には、key、randomNumber、confirmationNumber という 3 つの特異な属性が含まれます。
key:
key:
A string value that is required and received from out-of-band sources such as Near Field Communication (NFC). It is case sensitive, mutable, and returned by default.
必須であり、近距離無線通信 (NFC) などの帯域外ソースから受信される文字列値。大文字と小文字が区別され、変更可能であり、デフォルトで返されます。
randomNumber:
乱数:
An integer that represents a nonce added to the key. It is a required attribute. It is mutable and returned by default.
キーに追加されるノンスを表す整数。これは必須の属性です。これは変更可能であり、デフォルトで返されます。
confirmationNumber:
確認番号:
An integer that some solutions require in a RESTful message exchange (where RESTful refers to the Representational State Transfer (REST) architecture). It is not required. It is mutable and returned by default if it exists.
一部のソリューションが RESTful メッセージ交換で必要とする整数 (RESTful とは Representational State Transfer (REST) アーキテクチャを指します)。必須ではありません。これは変更可能であり、存在する場合はデフォルトで返されます。
+==================+=======+===+=======+=========+========+========+
| Attribute | Multi |Req| Case | Mutable | Return | Unique |
| | Value | | Exact | | | |
+==================+=======+===+=======+=========+========+========+
| deviceMacAddress | F |T | F | RW | Def | Manuf |
+------------------+-------+---+-------+---------+--------+--------+
| isRandom | F |F | F | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+
| sepBroadcastAdd | T |F | F | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+
| irk | F |F | F | WO | Nev | Manuf |
+------------------+-------+---+-------+---------+--------+--------+
| versionSupport | T |T | F | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+
| mobility | F |F | F | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+
| pairingMethods | T |T | T | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+
Table 3: Characteristics of BLE Extension Schema Attributes
表 3: BLE 拡張スキーマ属性の特徴
Legend:
伝説:
sepBroadcastAdd = separateBroadcastAddress, Req = Required, T = True, F = False, RW = ReadWrite, WO = WriteOnly, Def = Default, Nev = Never, Manuf = Manufacturer
sepBroadcastAdd = SeparateBroadcastAddress、Req = 必須、T = True、F = False、RW = ReadWrite、WO = WriteOnly、Def = デフォルト、Nev = Never、Manuf = メーカー
Example:
例:
<CODE BEGINS>
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor",
"active": true,
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
"versionSupport": ["5.4"],
"deviceMacAddress": "2C:54:91:88:C9:E2",
"isRandom": false,
"separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77:\
22:12"],
"mobility": true,
"pairingMethods": ["urn:ietf:params:scim:schemas:extension:\
pairingPassKey:2.0:Device"],
"urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:\
Device" : {
"key": 123456
}
},
"meta": {
"resourceType": "Device",
"created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-\
8486-d5c6a3316111"
}
}
<CODE ENDS>
Figure 5: BLE Example
図 5: BLE の例
In the above example, the pairing method is "pairingPassKey", which implies that this BLE device pairs using only a passkey. In another example below, the pairing method is "pairingOOB", denoting that this BLE device uses the out-of-band pairing method.
上の例では、ペアリング方法は「pairingPassKey」です。これは、この BLE デバイスがパスキーのみを使用してペアリングすることを意味します。以下の別の例では、ペアリング方法は「pairingOOB」で、この BLE デバイスが帯域外ペアリング方法を使用していることを示しています。
Example:
例:
<CODE BEGINS>
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor",
"active": true,
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
"versionSupport": ["5.4"],
"deviceMacAddress": "2C:54:91:88:C9:E2",
"isRandom": false,
"separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77:\
22:12"],
"mobility": true,
"pairingMethods": ["urn:ietf:params:scim:schemas:extension:\
pairingOOB:2.0:Device"],
"urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device": {
"key": "TheKeyvalueRetrievedFromOOB",
"randomNumber": 238796813516896
}
},
"meta": {
"resourceType": "Device",
"created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-\
8486-d5c6a3316111"
}
}
<CODE ENDS>
Figure 6: BLE with pairingOOB
図 6: ペアリング OOB を使用した BLE
However, a device can have more than one pairing method. Support for multiple pairing methods is also provided by the multivalued attribute pairingMethods. In the example below, the BLE device can pair with both passkey and OOB pairing methods.
ただし、デバイスには複数のペアリング方法を使用できる場合があります。複数のペアリング メソッドのサポートは、複数値属性の paringMethods によっても提供されます。以下の例では、BLE デバイスはパスキーと OOB の両方のペアリング方法でペアリングできます。
Example:
例:
<CODE BEGINS>
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor",
"active": true,
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
"versionSupport": ["5.4"],
"deviceMacAddress": "2C:54:91:88:C9:E2",
"isRandom": false,
"separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77:\
22:12"],
"mobility": true,
"pairingMethods": ["urn:ietf:params:scim:schemas:extension:\
pairingPassKey:2.0:Device",
"urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:\
Device"],
"urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:\
Device" : {
"key": 123456
},
"urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device": {
"key": "TheKeyvalueRetrievedFromOOB",
"randomNumber": 238796813516896
}
},
"meta": {
"resourceType": "Device",
"created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-\
8486-d5c6a3316111"
}
}
<CODE ENDS>
Figure 7: BLE Pairing with Both Passkey and OOB
図 7: パスキーと OOB の両方を使用した BLE ペアリング
This section describes a schema that extends the device schema to enable Wi-Fi Easy Connect (otherwise known as Device Provisioning Protocol (DPP)). Throughout this specification, we use the term "DPP". The extension is identified using the following schema URI:
このセクションでは、Wi-Fi Easy Connect (デバイス プロビジョニング プロトコル (DPP) とも呼ばれる) を有効にするためにデバイス スキーマを拡張するスキーマについて説明します。この仕様全体を通じて、「DPP」という用語を使用します。拡張機能は、次のスキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:extension:dpp:2.0:Device
urn:ietf:params:scim:schemas:extension:dpp:2.0:Device
The attributes in this extension are adopted from [DPP2]. The attributes are as follows.
この拡張の属性は [DPP2] から採用されています。属性は以下の通りです。
dppVersion:
dppバージョン:
An integer that represents the version of DPP the device supports. This attribute is required, case insensitive, mutable, and returned by default.
デバイスがサポートする DPP のバージョンを表す整数。この属性は必須であり、大文字と小文字は区別されず、変更可能であり、デフォルトで返されます。
bootstrapKey:
ブートストラップキー:
A string value representing an Elliptic Curve Diffie-Hellman (ECDH) public key. The base64-encoded lengths for P-256, P-384, and P-521 are 80, 96, and 120 characters. This attribute is required, case sensitive, write only, and never returned.
楕円曲線ディフィーヘルマン (ECDH) 公開キーを表す文字列値。P-256、P-384、および P-521 の Base64 エンコードの長さは、80、96、および 120 文字です。この属性は必須であり、大文字と小文字が区別され、書き込みのみであり、返されることはありません。
deviceMacAddress:
デバイスのMacアドレス:
A MAC address stored as a string. It is a unique 48-bit value. This attribute is optional, case insensitive, mutable, and returned by default. Its form is identical to that of the deviceMacAddress for BLE devices.
文字列として保存された MAC アドレス。これは一意の 48 ビット値です。この属性はオプションであり、大文字と小文字は区別されず、変更可能であり、デフォルトで返されます。その形式は、BLE デバイスの deviceMacAddress の形式と同じです。
serialNumber:
シリアルナンバー:
An alphanumeric serial number stored as a string. It may also be passed as bootstrapping information. This attribute is optional, case insensitive, mutable, and returned by default.
文字列として保存された英数字のシリアル番号。ブートストラップ情報として渡すこともできます。この属性はオプションであり、大文字と小文字は区別されず、変更可能であり、デフォルトで返されます。
bootstrappingMethod:
ブートストラップ方法:
One or more strings of all the bootstrapping methods available on the enrollee device, for example, [QR, NFC]. This attribute is optional, case insensitive, mutable, and returned by default.
エンローリーデバイスで利用可能なすべてのブートストラップメソッドの 1 つ以上の文字列 ([QR、NFC] など)。この属性はオプションであり、大文字と小文字は区別されず、変更可能であり、デフォルトで返されます。
classChannel:
クラスチャンネル:
One or more strings representing the global operating class and channel shared as bootstrapping information. It is formatted as class/channel, for example, ['81/1','115/36']. This attribute is optional, case insensitive, mutable, and returned by default.
ブートストラップ情報として共有されるグローバル オペレーティング クラスとチャネルを表す 1 つ以上の文字列。これは、['81/1','115/36'] など、クラス/チャネルとしてフォーマットされます。この属性はオプションであり、大文字と小文字は区別されず、変更可能であり、デフォルトで返されます。
+=====================+=====+===+=====+=========+========+========+
| Attribute |Multi|Req|Case | Mutable | Return | Unique |
| |Value| |Exact| | | |
+=====================+=====+===+=====+=========+========+========+
| dppVersion |F |T |F | RW | Def | None |
+---------------------+-----+---+-----+---------+--------+--------+
| bootstrapKey |F |T |T | WO | Nev | None |
+---------------------+-----+---+-----+---------+--------+--------+
| deviceMacAddress |F |F |F | RW | Def | Manuf |
+---------------------+-----+---+-----+---------+--------+--------+
| serialNumber |F |F |F | RW | Def | None |
+---------------------+-----+---+-----+---------+--------+--------+
| bootstrappingMethod |T |F |F | RW | Def | None |
+---------------------+-----+---+-----+---------+--------+--------+
| classChannel |T |F |F | RW | Def | None |
+---------------------+-----+---+-----+---------+--------+--------+
Table 4: Characteristics of DPP Extension Schema Attributes
表 4: DPP 拡張スキーマ属性の特性
Legend:
伝説:
Req = Required, T = True, F = False, RW = ReadWrite, WO = WriteOnly, Def = Default, Nev = Never, Manuf = Manufacturer
Req = 必須、T = True、F = False、RW = ReadWrite、WO = WriteOnly、Def = デフォルト、Nev = Never、Manuf = メーカー
Example:
例:
<CODE BEGINS>
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:dpp:2.0:\
Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "WiFi Heart Monitor",
"active": true,
"urn:ietf:params:scim:schemas:extension:dpp:2.0:Device" : {
"dppVersion": 2,
"bootstrappingMethod": ["QR"],
"bootstrapKey": "\
MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADURzxmttZoIRIPWGoQMV00XHWCAQIhXru\
VWOz0NjlkIA=",
"deviceMacAddress": "2C:54:91:88:C9:F2",
"classChannel": ["81/1", "115/36"],
"serialNumber": "4774LH2b4044"
},
"meta": {
"resourceType": "Device",
"created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-\
4109-8486-d5c6a3316111"
}
}
<CODE ENDS>
Figure 8: DPP Example
図 8: DPP の例
This extension enables a legacy means of (very) weak authentication, known as MAC Authenticated Bypass (MAB), that is supported in many wired ethernet solutions. If the MAC address is known, then the device may be permitted (perhaps limited) access. The extension is identified by the following URI:
この拡張機能により、多くの有線イーサネット ソリューションでサポートされている、MAC 認証バイパス (MAB) として知られる、(非常に) 弱い認証の従来の手段が有効になります。MAC アドレスがわかっている場合、デバイスへのアクセスが (おそらくは制限されて) 許可される可能性があります。拡張子は次の URI で識別されます。
urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device
urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device
Note that this method is not likely to work properly with MAC address randomization.
この方法は、MAC アドレスのランダム化では適切に機能しない可能性があることに注意してください。
This extension has a singular attribute:
この拡張機能には単一の属性があります。
deviceMacAddress:
デバイスのMacアドレス:
This is the Ethernet address to be provisioned onto the network. It takes the identical form as found in the BLE extension.
これは、ネットワーク上にプロビジョニングされるイーサネット アドレスです。これは、BLE 拡張機能で見られるものと同じ形式を取ります。
+==================+=======+===+=======+=========+========+========+
| Attribute | Multi |Req| Case | Mutable | Return | Unique |
| | Value | | Exact | | | |
+==================+=======+===+=======+=========+========+========+
| deviceMacAddress | F |T | F | RW | Def | None |
+------------------+-------+---+-------+---------+--------+--------+
Table 5: Characteristics of MAB Extension Schema Attributes
表 5: MAB 拡張スキーマ属性の特性
Legend:
伝説:
Req = Required, T = True, F = False, RW = ReadWrite, Def = Default
Req = 必須、T = True、F = False、RW = 読み取り/書き込み、Def = デフォルト
Example:
例:
<CODE BEGINS>
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device\
"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "Some random Ethernet Device",
"active": true,
"urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device" \
: {
"deviceMacAddress": "2C:54:91:88:C9:E2"
},
"meta": {
"resourceType": "Device",
"created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-\
8486-d5c6a3316111"
}
}
<CODE ENDS>
Figure 9: MAB Example
図 9: MAB の例
This extension specifies a voucher to be used by the FDO Device Onboard (FDO) protocols [FDO11] to complete a trusted transfer of ownership and control of the device to the environment. The SCIM server MUST know how to process the voucher, either directly or by forwarding it along to an owner process as defined in the FDO specification. The extension is identified using the following schema URI:
この拡張機能は、環境へのデバイスの所有権と制御の信頼できる移転を完了するために、FDO Device Onboard (FDO) プロトコル [FDO11] によって使用されるバウチャーを指定します。SCIM サーバーは、バウチャーを直接処理する方法、または FDO 仕様で定義されている所有者プロセスに転送することによってバウチャーを処理する方法を認識している必要があります。拡張機能は、次のスキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device
urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device
This extension has a singular attribute:
この拡張機能には単一の属性があります。
fdoVoucher:
fdo バウチャー:
The voucher is formatted as a PEM-encoded object in accordance with [FDO11].
バウチャーは、[FDO11] に従って PEM エンコードされたオブジェクトとしてフォーマットされます。
+============+=======+=====+=======+=========+========+========+
| Attribute | Multi | Req | Case | Mutable | Return | Unique |
| | Value | | Exact | | | |
+============+=======+=====+=======+=========+========+========+
| fdoVoucher | F | T | F | WO | Nev | None |
+------------+-------+-----+-------+---------+--------+--------+
Table 6: Characteristics of FDO Extension Schema Attributes
表 6: FDO 拡張スキーマ属性の特性
Legend:
伝説:
Req = Required, T = True, F = False, WO = WriteOnly, Nev = Never
Req = 必須、T = True、F = False、WO = WriteOnly、Nev = Never
Example:
例:
<CODE BEGINS>
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0\
:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "Some random Ethernet Device",
"active": true,
"urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:\
Device" : {
"fdoVoucher": "{... voucher ...}"
},
"meta": {
"resourceType": "Device",
"created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-\
8486-d5c6a3316111"
}
}
<CODE ENDS>
Figure 10: FDO Example
図 10: FDO の例
This section describes a schema that extends the device schema to enable the provisioning of Zigbee devices [Zigbee]. The extension is identified using the following schema URI:
このセクションでは、Zigbee デバイス [Zigbee] のプロビジョニングを可能にするデバイス スキーマを拡張するスキーマについて説明します。拡張機能は、次のスキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device
urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device
It has one singular attribute and one multivalued attribute. The attributes are as follows.
これには、1 つの単一属性と 1 つの複数値属性があります。属性は以下の通りです。
deviceEui64Address:
デバイスEui64アドレス:
A 64-bit Extended Unique Identifier (EUI-64) device address stored as string. This attribute is required, case insensitive, mutable, and returned by default. It takes the same form as the deviceMacAddress in the BLE extension.
文字列として保存される 64 ビットの Extended Unique Identifier (EUI-64) デバイス アドレス。この属性は必須であり、大文字と小文字は区別されず、変更可能であり、デフォルトで返されます。これは、BLE 拡張機能の deviceMacAddress と同じ形式を取ります。
versionSupport:
バージョンサポート:
One or more strings of all the Zigbee versions supported by the device, for example, [3.0]. This attribute is required, case insensitive, mutable, and returned by default.
デバイスでサポートされているすべての Zigbee バージョンの 1 つ以上の文字列 ([3.0] など)。この属性は必須であり、大文字と小文字は区別されず、変更可能であり、デフォルトで返されます。
+====================+=====+===+=======+=========+========+========+
| Attribute |Multi|Req| Case | Mutable | Return | Unique |
| |Value| | Exact | | | |
+====================+=====+===+=======+=========+========+========+
| deviceEui64Address |F |T | F | RW | Def | None |
+--------------------+-----+---+-------+---------+--------+--------+
| versionSupport |T |T | F | RW | Def | None |
+--------------------+-----+---+-------+---------+--------+--------+
Table 7: Characteristics of Zigbee Extension Schema Attributes
表 7: Zigbee 拡張スキーマ属性の特徴
Legend:
伝説:
Req = Required, T = True, F = False, RW = ReadWrite, Def = Default
Req = 必須、T = True、F = False、RW = 読み取り/書き込み、Def = デフォルト
Example:
例:
<CODE BEGINS>
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "Zigbee Heart Monitor",
"active": true,
"urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device" : {
"versionSupport": ["3.0"],
"deviceEui64Address": "50:32:5F:FF:FE:E7:67:28"
},
"meta": {
"resourceType": "Device",
"created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-\
8486-d5c6a3316111"
}
}
<CODE ENDS>
Figure 11: Zigbee Example
図 11: Zigbee の例
Sometimes non-IP devices such as those using BLE or Zigbee require an application gateway interface to manage them.
BLE や Zigbee を使用する非 IP デバイスでは、それらを管理するためにアプリケーション ゲートウェイ インターフェイスが必要になる場合があります。
endpointAppsExt provides the list of applications that connect to an enterprise gateway. endpointAppsExt has one multivalued attribute and two singular attributes. The extension is identified using the following schema URI:
endpointAppsExt は、エンタープライズ ゲートウェイに接続するアプリケーションのリストを提供します。endpointAppsExt には、1 つの複数値属性と 2 つの単数属性があります。拡張機能は、次のスキーマ URI を使用して識別されます。
urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device
urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device
deviceControlEnterpriseEndpoint:
deviceControlEnterpriseEndpoint:
A string representing the URL of the enterprise endpoint to reach the enterprise gateway. When the enterprise receives the SCIM object from the onboarding application, it adds this attribute to it and sends it back as a response to the onboarding application. This attribute is required, case sensitive, read-only, and returned by default. The uniqueness is enforced by the enterprise.
エンタープライズ ゲートウェイに到達するためのエンタープライズ エンドポイントの URL を表す文字列。企業は、オンボーディング アプリケーションから SCIM オブジェクトを受信すると、この属性をそれに追加し、応答としてオンボーディング アプリケーションに送り返します。この属性は必須であり、大文字と小文字が区別され、読み取り専用で、デフォルトで返されます。独自性は企業によって強制されます。
telemetryEnterpriseEndpoint:
テレメトリエンタープライズエンドポイント:
A string representing a URL of the enterprise endpoint to reach an enterprise gateway for telemetry. When the enterprise receives the SCIM object from the onboarding application, it adds this attribute to it and sends it back as a response to the onboarding application. This attribute is optional, case sensitive, read-only, and returned by default. The uniqueness is enforced by the enterprise. This attribute is populated when the enterprise provides a telemetry endpoint (e.g., hosted by the enterprise gateway). If a telemetry service is not known by the SCIM server, the attribute will not be returned. In such cases, if the application requires telemetry, separate arrangements must be made.
テレメトリ用のエンタープライズ ゲートウェイに到達するためのエンタープライズ エンドポイントの URL を表す文字列。企業は、オンボーディング アプリケーションから SCIM オブジェクトを受信すると、この属性をそれに追加し、応答としてオンボーディング アプリケーションに送り返します。この属性はオプションで、大文字と小文字が区別され、読み取り専用で、デフォルトで返されます。独自性は企業によって強制されます。この属性は、企業がテレメトリ エンドポイント (エンタープライズ ゲートウェイによってホストされるなど) を提供するときに設定されます。テレメトリ サービスが SCIM サーバーによって認識されていない場合、属性は返されません。このような場合、アプリケーションでテレメトリが必要な場合は、別途手配する必要があります。
applications:
アプリケーション:
A multivalued attribute of one or more complex attributes that represent a list of endpoint applications, i.e., deviceControl and telemetry. Each entry in the list comprises two attributes including "value" and "$ref".
エンドポイント アプリケーション (deviceControl やテレメトリ) のリストを表す 1 つ以上の複合属性の複数値属性。リストの各エントリは、「value」と「$ref」を含む 2 つの属性で構成されます。
value:
値:
A string containing the identifier of the endpoint application formatted as a Universally Unique Identifier (UUID). It is the same as the common attribute "$id" of the resource EndpointApp. It is read/write, required, case insensitive, and returned by default.
Universally Unique Identifier (UUID) としてフォーマットされたエンドポイント アプリケーションの識別子を含む文字列。EndpointAppリソースの共通属性「$id」と同じです。これは読み取り/書き込み可能で、必須であり、大文字と小文字は区別されず、デフォルトで返されます。
$ref:
$ref:
A reference to the respective EndpointApp resource object stored in the SCIM server. It is readOnly, required, case sensitive, and returned by default.
SCIM サーバーに保存されているそれぞれの EndpointApp リソース オブジェクトへの参照。これは読み取り専用であり、必須であり、大文字と小文字が区別され、デフォルトで返されます。
+====================+=====+===+=======+=========+========+========+
| Attribute |Multi|Req| Case | Mutable | Return | Unique |
| |Value| | Exact | | | |
+====================+=====+===+=======+=========+========+========+
| devContEntEndpoint |F |T | T | RO | Def | Ent |
+--------------------+-----+---+-------+---------+--------+--------+
| telEntEndpoint |F |F | T | RO | Def | Ent |
+--------------------+-----+---+-------+---------+--------+--------+
| applications |T |T | F | RW | Def | None |
+--------------------+-----+---+-------+---------+--------+--------+
| value |F |T | F | RW | Def | None |
+--------------------+-----+---+-------+---------+--------+--------+
| $ref |F |T | T | RO | Def | None |
+--------------------+-----+---+-------+---------+--------+--------+
Table 8: Characteristics of endpointAppsExt Extension Schema Attributes
表 8: endpointAppsExt 拡張スキーマ属性の特性
Legend:
伝説:
devContEntEndpoint = deviceControlEnterpriseEndpoint, telEntEndpoint = telemetryEnterpriseEndpoint, Req = Required, T = True, F = False, RO = ReadOnly, RW = ReadWrite, Ent = Enterprise, Def = Default
devContEntEndpoint = deviceControlEnterpriseEndpoint、telEntEndpoint = telemetryEnterpriseEndpoint、Req = 必須、T = True、F = False、RO = ReadOnly、RW = ReadWrite、Ent = Enterprise、Def = デフォルト
Example:
例:
<CODE BEGINS>
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Device",
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device",
"urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:\
Device"],
"id": "e9e30dba-f08f-4109-8486-d5c6a3316111",
"displayName": "BLE Heart Monitor",
"active": true,
"urn:ietf:params:scim:schemas:extension:ble:2.0:Device" : {
"versionSupport": ["5.4"],
"deviceMacAddress": "2C:54:91:88:C9:E2",
"isRandom": false,
"separateBroadcastAddress": ["AA:BB:88:77:22:11", "AA:BB:88:77:\
22:12"],
"mobility": false,
"pairingMethods": [
"urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:\
Device"],
"urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:\
Device" : {
"key": 123456
}
},
"urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device\
": {
"applications": [
{
"value" : "e9e30dba-f08f-4109-8486-d5c6a3316212",
"$ref" : "https://example.com/v2/EndpointApps/e9e30dba-f08f-\
4109-8486-d5c6a3316212"
},
{
"value" : "e9e30dba-f08f-4109-8486-d5c6a3316333",
"$ref" : "https://example.com/v2/EndpointApps/e9e30dba-f08f-\
4109-8486-d5c6a3316333"
}
],
"deviceControlEnterpriseEndpoint": "https://example.com/\
device_control_app_endpoint/",
"telemetryEnterpriseEndpoint": "mqtts://example.com/\
telemetry_app_endpoint/"
},
"meta": {
"resourceType": "Device",
"created": "2022-01-23T04:56:22Z",
"lastModified": "2022-05-13T04:42:34Z",
"version": "W\/\"a330bc54f0671c9\"",
"location": "https://example.com/v2/Devices/e9e30dba-f08f-4109-\
8486-d5c6a3316111"
}
}
<CODE ENDS>
Figure 12: Endpoint Applications Extension Example
図 12: エンドポイント アプリケーション拡張の例
The schema for the endpointAppsExt extension along with BLE extension is presented in JSON format in Appendix A.9, while the OpenAPI representation is provided in Appendix B.8.
endpointAppsExt 拡張機能と BLE 拡張機能のスキーマは付録 A.9 に JSON 形式で示され、OpenAPI 表現は付録 B.8 に示されています。
Because provisioning operations permit device access to a network, each SCIM client MUST be appropriately authenticated.
プロビジョニング操作によりデバイスのネットワークへのアクセスが許可されるため、各 SCIM クライアントは適切に認証されなければなりません。
An attacker that has authenticated to a trusted SCIM client could manipulate portions of the SCIM database. To be clear on the risks, we specify each operation below.
信頼された SCIM クライアントに対して認証された攻撃者は、SCIM データベースの一部を操作する可能性があります。リスクを明確にするために、以下に各操作を指定します。
An attacker that is authenticated could attempt to add elements that the enterprise would not normally permit on a network. For instance, an enterprise may not wish specific devices that have well-known vulnerabilities to be introduced to their environment. To mitigate the attack, network administrators should layer additional policies regarding what devices are permitted on the network.
認証された攻撃者は、企業が通常許可しない要素をネットワーク上に追加しようとする可能性があります。たとえば、企業は、既知の脆弱性を持つ特定のデバイスが自社の環境に導入されることを望まない場合があります。攻撃を軽減するには、ネットワーク管理者は、ネットワーク上でどのデバイスを許可するかに関する追加のポリシーを階層化する必要があります。
An attacker that gains access to SCIM could attempt to add an IP-based device that itself attempts unauthorized access, effectively acting as a bot. Network administrators SHOULD establish appropriate access-control policies that follow the principle of least privilege to mitigate this attack.
SCIM へのアクセスを取得した攻撃者は、それ自体が不正アクセスを試み、事実上ボットとして機能する IP ベースのデバイスを追加しようとする可能性があります。ネットワーク管理者は、この攻撃を軽減するために、最小特権の原則に従った適切なアクセス制御ポリシーを確立する必要があります。
Once granted, even if the object is removed, the server may or may not act on that removal. The deletion of the object is a signal of intent by the application that it no longer expects the device to be on the network. It is strictly up to the SCIM server and its back end policy to decide whether or not to revoke access to the infrastructure. It is RECOMMENDED that SCIM delete operations trigger a workflow in accordance with local network policy.
一度許可されると、オブジェクトが削除されたとしても、サーバーはその削除に応じて動作する場合と動作しない場合があります。オブジェクトの削除は、デバイスがネットワーク上に存在することを期待しなくなったというアプリケーションによる意図の信号です。インフラストラクチャへのアクセスを取り消すかどうかは、厳密に SCIM サーバーとそのバックエンド ポリシーによって決まります。SCIM 削除操作は、ローカル ネットワーク ポリシーに従ってワークフローをトリガーすることが推奨されます。
Read operations are necessary in order for an application to sync its state to know what devices it is expected to manage. An attacker with access to SCIM objects may gain access to the devices themselves. To prevent one SCIM client from interfering with devices that it has no business managing, only clients that have created objects or those they authorize SHOULD have the ability to read those objects.
読み取り操作は、アプリケーションがその状態を同期して、どのデバイスを管理する必要があるかを知るために必要です。SCIM オブジェクトにアクセスできる攻撃者は、デバイス自体にアクセスできる可能性があります。ある SCIM クライアントが、そのクライアントが管理していないデバイスに干渉するのを防ぐために、オブジェクトを作成したクライアントまたは許可したクライアントのみが、それらのオブジェクトを読み取る能力を持つ必要があります (SHOULD)。
Update operations may be necessary if a device has been modified in some way. Attackers with update access may be able to disable network access to devices or device access to networks. To avoid this, the same access control policy for read operations is RECOMMENDED here.
デバイスが何らかの方法で変更されている場合、更新操作が必要になる場合があります。更新アクセス権を持つ攻撃者は、デバイスへのネットワーク アクセスやデバイスのネットワークへのアクセスを無効にすることができる可能性があります。これを回避するために、ここでは読み取り操作に対して同じアクセス制御ポリシーを使用することが推奨されます。
Devices provisioned with this model may be completely controlled by the administrator of the SCIM server, depending on how those systems are defined. For instance, if BLE passkeys are provided, the device can be connected to, and perhaps paired with. If the administrator of the SCIM client does not wish the network to have complete access to the device, the device itself MUST support finer levels of access control and additional authentication mechanisms. Any additional security must be provided at higher application layers. For example, if client applications wish to keep private information to and from the device, they should encrypt that information over-the-top.
このモデルでプロビジョニングされたデバイスは、システムの定義方法に応じて、SCIM サーバーの管理者によって完全に制御される場合があります。たとえば、BLE パスキーが提供されている場合、デバイスを接続したり、場合によってはペアリングしたりできます。SCIM クライアントの管理者が、ネットワークがデバイスに完全にアクセスすることを望まない場合、デバイス自体は、より詳細なレベルのアクセス制御と追加の認証メカニズムをサポートしなければなりません (MUST)。追加のセキュリティは、上位のアプリケーション層で提供する必要があります。たとえば、クライアント アプリケーションがデバイスとの間で個人情報を保持したい場合は、その情報をオーバーザトップで暗号化する必要があります。
An attacker could learn what devices are on a network by examining SCIM logs. Due to the sensitive nature of SCIM operations, logs SHOULD be encrypted both on the disk and in transit.
攻撃者は、SCIM ログを調べることで、ネットワーク上にどのようなデバイスがあるかを知る可能性があります。SCIM 操作は機密性が高いため、ログはディスク上と転送中の両方で暗号化されるべきです(SHOULD)。
IANA has added the following additions to the "SCIM Schema URIs for Data Resources" registry:
IANA は、「データ リソースの SCIM スキーマ URI」レジストリに次の追加を追加しました。
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:core:2.0:Device
urn:ietf:params:scim:スキーマ:コア:2.0:デバイス
Name:
名前:
Core Device Schema
コアデバイススキーマ
Reference:
参照:
RFC 9944, Section 3
RFC 9944、セクション 3
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:core:2.0:EndpointApp
urn:ietf:params:scim:schemas:core:2.0:EndpointApp
Name:
名前:
Endpoint Application
エンドポイントアプリケーション
Reference:
参照:
RFC 9944, Section 6
RFC 9944、セクション 6
IANA has created the following extensions in the "SCIM Server-Related Schema URIs" registry (omitting the "Resource Type" field) as described in Section 7:
IANA は、セクション 7 で説明されているように、「SCIM サーバー関連スキーマ URI」レジストリに次の拡張機能を作成しました (「リソース タイプ」フィールドは省略)。
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:extension:ble:2.0:Device
urn:ietf:params:scim:schemas:extension:ble:2.0:Device
Name:
名前:
BLE Extension
BLE拡張機能
Resource Type:
リソースタイプ:
Device
デバイス
Reference:
参照:
RFC 9944, Section 7.1
RFC 9944、セクション 7.1
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device
urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:Device
Name:
名前:
Ethernet MAB
イーサネットMAB
Resource Type:
リソースタイプ:
Device
デバイス
Reference:
参照:
RFC 9944, Section 7.3
RFC 9944、セクション 7.3
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device
urn:ietf:params:scim:schemas:extension:fido-device-onboard:2.0:Device
Name:
名前:
FIDO Device Onboard
FIDO デバイスをオンボード
Resource Type:
リソースタイプ:
Device
デバイス
Reference:
参照:
RFC 9944, Section 7.4
RFC 9944、セクション 7.4
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:extension:dpp:2.0:Device
urn:ietf:params:scim:schemas:extension:dpp:2.0:Device
Name:
名前:
Wi-Fi Easy Connect
Wi-Fi簡単接続
Resource Type:
リソースタイプ:
Device
デバイス
Reference:
参照:
RFC 9944, Section 7.2
RFC 9944、セクション 7.2
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device
urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:Device
Name:
名前:
Application Endpoint Extension
アプリケーションエンドポイント拡張
Resource Type:
リソースタイプ:
Device
デバイス
Reference:
参照:
RFC 9944, Section 7.6
RFC 9944、セクション 7.6
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device
urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0:Device
Name:
名前:
Just Works Auth BLE
Just Works 認証 BLE
Resource Type:
リソースタイプ:
Device
デバイス
Reference:
参照:
RFC 9944, Section 7.1.3
RFC 9944、セクション 7.1.3
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device
urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:Device
Name:
名前:
Out-of-Band Pairing for BLE
BLE の帯域外ペアリング
Resource Type:
リソースタイプ:
Device
デバイス
Reference:
参照:
RFC 9944, Section 7.1.3
RFC 9944、セクション 7.1.3
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device
urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0:Device
Name:
名前:
Passkey Pairing for BLE
BLE のパスキー ペアリング
Resource Type:
リソースタイプ:
Device
デバイス
Reference:
参照:
RFC 9944, Section 7.1.3
RFC 9944、セクション 7.1.3
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device
urn:ietf:params:scim:schemas:extension:pairingNull:2.0:Device
Name:
名前:
Pairing Null
ペアリングが無効
Resource Type:
リソースタイプ:
Device
デバイス
Reference:
参照:
RFC 9944, Section 7.1.3
RFC 9944、セクション 7.1.3
Schema URI:
スキーマ URI:
urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device
urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device
Name:
名前:
Zigbee
ジグビー
Resource Type:
リソースタイプ:
Device
デバイス
Reference:
参照:
RFC 9944, Section 7.5
RFC 9944、セクション 7.5
[BLE54] Bluetooth SIG, "Bluetooth Core Specification", Version
5.4, 2023, <https://www.bluetooth.org/DocMan/handlers/
DownloadDoc.ashx?doc_id=587177>.
[DPP2] Wi-Fi Alliance, "Wi-Fi Easy Connect Specification",
Version 3.0, 2020, <https://www.wi-fi.org/system/files/Wi-
Fi_Easy_Connect_Specification_v3.0.pdf>.
[ECMA] ECMA International, "ECMAScript(R) 2025 Language
Specification", ECMA-262, 16th Edition, June 2025,
<https://ecma-international.org/publications-and-
standards/standards/ecma-262/>.
[FDO11] FIDO Alliance, "FIDO Device Onboard Specification 1.1",
Proposed Standard, April 2022,
<https://fidoalliance.org/specs/FDO/FIDO-Device-Onboard-
PS-v1.1-20220419/FIDO-Device-Onboard-PS-
v1.1-20220419.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<https://www.rfc-editor.org/info/rfc4648>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC7643] Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C.
Mortimore, "System for Cross-domain Identity Management:
Core Schema", RFC 7643, DOI 10.17487/RFC7643, September
2015, <https://www.rfc-editor.org/info/rfc7643>.
[RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
and C. Mortimore, "System for Cross-domain Identity
Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
September 2015, <https://www.rfc-editor.org/info/rfc7644>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8520] Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
Description Specification", RFC 8520,
DOI 10.17487/RFC8520, March 2019,
<https://www.rfc-editor.org/info/rfc8520>.
[Zigbee] Zigbee Alliance, "Zigbee Specification", ZigBee Document
05-3474-21, August 2015, <https://zigbeealliance.org/wp-
content/uploads/2019/11/docs-05-3474-21-0csg-zigbee-
specification.pdf>.
[JSONSchema]
Wright, A., Ed., Andrews, H. A., Ed., Hutton, B., Ed., and
G. Dennis, "JSON Schema: A Media Type for Describing JSON
Documents", December 2022,
<https://json-schema.org/draft/2020-12/json-schema-core>.
[NIPC] Brinckman, B., Mohan, R., and B. Sanford, "An Application
Layer Interface for Non-Internet-Connected Physical
Components (NIPC)", Work in Progress, Internet-Draft,
draft-ietf-asdf-nipc-19, 21 April 2026,
<https://datatracker.ietf.org/doc/html/draft-ietf-asdf-
nipc-19>.
[OAUTHv2] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749, October 2012,
<https://www.rfc-editor.org/info/rfc6749>.
[OpenAPI] Swagger, "OpenAPI Specification", Version 3.1.1, October
2024, <https://swagger.io/specification/>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
[RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu,
"Handling Long Lines in Content of Internet-Drafts and
RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020,
<https://www.rfc-editor.org/info/rfc8792>.
[RFC8995] Pritikin, M., Richardson, M., Eckert, T., Behringer, M.,
and K. Watsen, "Bootstrapping Remote Secure Key
Infrastructure (BRSKI)", RFC 8995, DOI 10.17487/RFC8995,
May 2021, <https://www.rfc-editor.org/info/rfc8995>.
[
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"\
],
"id": "Device",
"name": "Device",
"endpoint": "/Devices",
"description": "Device account.",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Device",
"meta": {
"location": "https://example.com/v2/ResourceTypes/Device",
"resourceType": "ResourceType"
}
},
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"\
],
"id": "EndpointApp",
"name": "EndpointApp",
"endpoint": "/EndpointApps",
"description": "Endpoint application such as device control and \
telemetry.",
"schema": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp",
"meta": {
"location": "https://example.com/v2/ResourceTypes/EndpointApps",
"resourceType": "ResourceType"
}
}
]
{
"id": "urn:ietf:params:scim:schemas:core:2.0:Device",
"name": "Device",
"description": "Entry containing attributes about a device.",
"attributes" : [
{
"name": "displayName",
"type": "string",
"description": "Human-readable name of the device, suitable \
for displaying to end users, for example, 'BLE Heart Monitor' etc.",
"multiValued": false,
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "active",
"type": "boolean",
"description": "A mutable boolean value indicating the device \
administrative status. If true, the commands (such as connect, \
disconnect, subscribe) that control app sends to the controller for \
the devices will be processed by the controller. If false, any \
command coming from the control app for the device will be \
rejected by the controller.",
"multiValued": false,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "mudUrl",
"type": "reference",
"description": "A URL to MUD file of the device (RFC 8520).",
"multiValued": false,
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "groups",
"type": "complex",
"multiValued": true,
"description": "A list of groups to which the device belongs, \
either through direct membership, through nested groups, or \
dynamically calculated.",
"required": false,
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "The identifier of the device's group.",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "$ref",
"type": "reference",
"referenceTypes": [
"Group"
],
"multiValued": false,
"description": "The URI of the corresponding 'Group' \
resource to which the device belongs.",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human-readable name, primarily used for \
display purposes. READ-ONLY.",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's \
function, e.g., 'direct' or 'indirect'.",
"required": false,
"caseExact": false,
"canonicalValues": [
"direct",
"indirect"
],
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
}
],
"mutability": "readOnly",
"returned": "default"
}
],
"meta" : {
"resourceType" : "Schema",
"location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Device"
}
}
{
"id": "urn:ietf:params:scim:schemas:core:2.0:EndpointApp",
"name": "EndpointApp",
"description": "Endpoint application and their credentials.",
"attributes" : [
{
"name": "applicationType",
"type": "string",
"description": "This attribute will only contain two values: \
deviceControl or telemetry.",
"multiValued": false,
"required": true,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "applicationName",
"type": "string",
"description": "Human-readable name of the application.",
"multiValued": false,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "certificateInfo",
"type": "complex",
"description": "Contains X.509 certificate's subject name and \
root CA information associated with the device control or telemetry \
app.",
"multiValued": false,
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none",
"subAttributes" : [
{
"name" : "rootCA",
"type" : "string",
"description" : "The base64 encoding of the DER encoding \
of the CA certificate.",
"multiValued" : false,
"required" : false,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "subjectName",
"type" : "string",
"description" : "A Common Name (CN) of the form of CN = \
dnsName.",
"multiValued" : false,
"required" : true,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"name": "clientToken",
"type": "string",
"description": "This attribute contains a token that the \
client will use to authenticate itself. Each token may be a string \
up to 500 characters in length.",
"multiValued": false,
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "groups",
"type": "complex",
"multiValued": true,
"description": "A list of groups to which an endpoint \
application belongs, either through direct membership, through \
nested groups, or dynamically calculated.",
"required": false,
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "The identifier of the endpoint application\
's group.",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "$ref",
"type": "reference",
"referenceTypes": [
"Group"
],
"multiValued": false,
"description": "The URI of the corresponding 'Group' \
resource to which the endpoint application belongs.",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human-readable name, primarily used for \
display purposes. READ-ONLY.",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's \
function, e.g., 'direct' or 'indirect'.",
"required": false,
"caseExact": false,
"canonicalValues": [
"direct",
"indirect"
],
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
}
],
"mutability": "readOnly",
"returned": "default"
}
],
"meta" : {
"resourceType" : "Schema",
"location" :
"/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:EndpointApp"
}
}
[
{
"id": "urn:ietf:params:scim:schemas:extension:ble:2.0:Device",
"name": "bleExtension",
"description": "BLE extension for device account.",
"attributes" : [
{
"name": "versionSupport",
"type": "string",
"description": "Provides a list of all the BLE versions \
supported by the device, for example, [4.1, 4.2, 5.0, 5.1, 5.2, 5.4]\
.",
"multiValued": true,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "deviceMacAddress",
"type": "string",
"pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
"description": "A unique public MAC address assigned by the \
manufacturer.",
"multiValued": false,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "Manufacturer"
},
{
"name": "isRandom",
"type": "boolean",
"description": "The isRandom flag is taken from the BLE \
core specifications 5.4. If true, device is using a random address\
. Default value is false.",
"multiValued": false,
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "separateBroadcastAddress",
"type": "string",
"description": "When present, this address is used for \
broadcasts/advertisements. This value MUST NOT be set when an IRK \
is provided. Its form is the same as deviceMacAddress.",
"multiValued": true,
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "irk",
"type": "string",
"description": "Identity Resolving Key (IRK), which is \
unique for every device. It is used to resolve a random address. \
This value MUST NOT be set when separateBroadcastAddress is set.",
"multiValued": false,
"required": false,
"caseExact": false,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "Manufacturer"
},
{
"name": "mobility",
"type": "boolean",
"description": "If set to true, the BLE device will \
automatically connect to the closest AP. For example, if a BLE \
device is connected with AP-1 and moves out of range but comes in \
range of AP-2, it will be disconnected with AP-1 and \
connected with AP-2.",
"multiValued": false,
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "pairingMethods",
"type": "string",
"description": "List of pairing methods associated with the \
BLE device, stored as schema URI.",
"multiValued": true,
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"meta" : {
"resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas:\
extension:ble:2.0:Device"
}
},
{
"id": "urn:ietf:params:scim:schemas:extension:pairingNull:2.0:\
Device",
"name": "nullPairing",
"description": "Null pairing method for BLE. It is included for \
the devices that do not have a pairing method.",
"meta" : {
"resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas:\
extension:pairingNull:2.0:Device"
}
},
{
"id": "urn:ietf:params:scim:schemas:extension:pairingJustWorks:2\
.0:Device",
"name": "pairingJustWorks",
"description": "Just Works pairing method for BLE.",
"attributes" : [
{
"name": "key",
"type": "integer",
"description": "Just Works does not have any key value. For \
completeness, it is added with a key value 'null'.",
"multiValued": false,
"required": false,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none"
}
],
"meta" : {
"resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas:\
extension:pairingJustWorks:2.0:Device"
}
},
{
"id": "urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0\
:Device",
"name": "pairingPassKey",
"description": "Pass key pairing method for BLE.",
"attributes" : [
{
"name": "key",
"type": "integer",
"description": "A six-digit passkey for BLE a device. The \
pattern of key is ^[0-9]{6}$.",
"multiValued": false,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"meta" : {
"resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas:\
extension:pairingPassKey:2.0:Device"
}
},
{
"id": "urn:ietf:params:scim:schemas:extension:pairingOOB:2.0:\
Device",
"name": "pairingOOB",
"description": "Out-of-band pairing method for BLE.",
"attributes" : [
{
"name": "key",
"type": "string",
"description": "A key value retrieved from out-of-band \
source such as NFC.",
"multiValued": false,
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "randomNumber",
"type": "integer",
"description": "Nonce added to the key.",
"multiValued": false,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "confirmationNumber",
"type": "integer",
"description": "Some solutions require confirmation number \
in RESTful message exchange.",
"multiValued": false,
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"meta" : {
"resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas:\
extension:pairingOOB:2.0:Device"
}
}
]
{
"id": "urn:ietf:params:scim:schemas:extension:dpp:2.0:Device",
"name": "dppExtension",
"description": "Device extension schema for Wi-Fi Easy \
Connect / Device Provisioning Protocol (DPP).",
"attributes" : [
{
"name": "dppVersion",
"type": "integer",
"description": "Version of DPP this device supports.",
"multiValued": false,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "bootstrappingMethod",
"type": "string",
"description": "The list of all the bootstrapping methods \
available on the enrollee device, for example, [QR, NFC].",
"multiValued": true,
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "bootstrapKey",
"type": "string",
"description": "A base64-encoded Elliptic Curve Diffie-\
Hellman public key (may be P-256, P-384, or P-521).",
"multiValued": false,
"required": true,
"caseExact": true,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "none"
},
{
"name": "deviceMacAddress",
"type": "string",
"pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
"description": "A unique public MAC address assigned by the \
manufacturer.",
"multiValued": false,
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "Manufacturer"
},
{
"name": "classChannel",
"type": "string",
"description": "A list of global operating class and \
channel shared as bootstrapping information. It is formatted as \
class/channel, for example, '81/1', '115/36'.",
"multiValued": true,
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "serialNumber",
"type": "string",
"description": "An alphanumeric serial number that may also \
be passed as bootstrapping information.",
"multiValued": false,
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"meta" : {
"resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas:\
extension:dpp:2.0:Device"
}
}
{
"id": "urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0:\
Device",
"name": "ethernetMabExtension",
"description": "Device extension schema for MAC Authentication \
Bypass.",
"attributes" : [
{
"name": "deviceMacAddress",
"type": "string",
"pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$",
"description": "A MAC address assigned by the manufacturer.",
"multiValued": false,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "Manufacturer"
}
],
"meta" : {
"resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas:extension\
:ethernet-mab:2.0:Device"
}
}
{
"id": "urn:ietf:params:scim:schemas:extension:fido-device-onboard:\
2.0:Device",
"name": "FDOExtension",
"description": "Device extension schema for FIDO Device Onboard (\
FDO).",
"attributes" : [
{
"name": "fdoVoucher",
"type": "string",
"description": "A voucher as defined in the FDO \
specification.",
"multiValued": false,
"required": true,
"caseExact": false,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "Manufacturer"
}
],
"meta" : {
"resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas:extension\
:fido-device-onboard:2.0:Device"
}
}
{
"id": "urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device",
"name": "zigbeeExtension",
"description": "Device extension schema for Zigbee.",
"attributes" : [
{
"name": "versionSupport",
"type": "string",
"description": "Provides a list of all the Zigbee versions \
supported by the device, for example, [3.0].",
"multiValued": true,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "deviceEui64Address",
"type": "string",
"pattern": "^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){7}$",
"description": "The 64-bit Extended Unique Identifier \
(EUI-64) device address.",
"multiValued": false,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"meta" : {
"resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas:extension\
:zigbee:2.0:Device"
}
}
{
"id": "urn:ietf:params:scim:schemas:extension:endpointAppsExt:2.0:\
Device",
"name": "endpointAppsExt",
"description": "Extension for partner endpoint applications that \
can onboard, control, and communicate with the device.",
"attributes" : [
{
"name": "applications",
"type": "complex",
"description": "Includes references to two types of \
applications that connect with enterprise, i.e., deviceControl and \
telemetry.",
"multiValued": true,
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none",
"subAttributes" : [
{
"name" : "value",
"type" : "string",
"description" : "The identifier of the EndpointApp.",
"multiValued" : false,
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "$ref",
"type" : "reference",
"referenceTypes" : "EndpointApps",
"description" : "The URI of the corresponding EndpointApp\
resource that will control or obtain data from the device.",
"multiValued" : false,
"required" : true,
"caseExact" : true,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"name": "deviceControlEnterpriseEndpoint",
"type": "reference",
"description": "The URL of the enterprise endpoint that \
device control apps use to reach enterprise network gateway.",
"multiValued": false,
"required": true,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "Enterprise"
},
{
"name": "telemetryEnterpriseEndpoint",
"type": "reference",
"description": "The URL of the enterprise endpoint that \
telemetry apps use to reach enterprise network gateway.",
"multiValued": false,
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "Enterprise"
}
],
"meta" : {
"resourceType" : "Schema",
"location" : "/v2/Schemas/urn:ietf:params:scim:schemas:extension\
:endpointAppsExt:2.0:Device"
}
}
The following sections are provided for informational purposes.
以下のセクションは情報提供を目的として提供されています。
OpenAPI representation of core device schema is as follows:
コアデバイススキーマの OpenAPI 表現は次のとおりです。
openapi: 3.1.0
info:
title: SCIM Device Schema
version: 1.0.0
components:
schemas:
Group:
type: object
description: A list of groups to which the device belongs,
either through direct membership, through nested
groups, or dynamically calculated.
properties:
value:
type: string
description: The unique identifier of a group,
typically a UUID.
readOnly: true
writeOnly: false
display:
type: string
description: A display string for the group.
readOnly: true
writeOnly: false
$ref:
type: string
format: uri
description: Reference to the group object.
readOnly: true
writeOnly: true
Device:
description: Entry containing attributes about a device.
type: object
properties:
displayName:
type: string
description: "Human-readable name of the device, suitable
for displaying to end users, for example,
'BLE Heart Monitor' etc."
readOnly: false
writeOnly: false
active:
type: boolean
description: A mutable boolean value indicating the device
administrative status. If true, the
commands (such as connect, disconnect,
subscribe) that control app sends to the
controller for the devices will be processed
by the controller. If false, any command
coming from the control app for the device
will be rejected by the controller.
readOnly: false
writeOnly: false
mudUrl:
type: string
format: uri
description: A URL to MUD file of the device (RFC 8520).
It is added for future use. Current usage is
not defined yet.
readOnly: false
writeOnly: false
groups:
type: array
description: List of groups to which a device belongs to.
items:
$ref: '#/components/schemas/Group'
required:
- active
additionalProperties: false
allOf:
- $ref: '#/components/schemas/CommonAttributes'
CommonAttributes:
type: object
properties:
schemas:
type: array
items:
type: string
enum:
- urn:ietf:params:scim:schemas:core:2.0:Device
description: The list of schemas that define the resource.
id:
type: string
format: uri
description: The unique identifier for a resource.
readOnly: true
writeOnly: false
externalId:
type: string
description: An identifier for the resource that is
defined by the provisioning client.
readOnly: false
writeOnly: false
meta:
type: object
readOnly: true
properties:
resourceType:
type: string
description: The name of the resource type of the
resource.
readOnly: true
writeOnly: false
location:
type: string
format: uri
description: The URI of the resource being returned.
readOnly: true
writeOnly: false
created:
type: string
format: date-time
description: The date and time the resource was added
to the service provider.
readOnly: true
writeOnly: false
lastModified:
type: string
format: date-time
description: The most recent date and time that the
details of this resource were updated at
the service provider.
readOnly: true
writeOnly: false
version:
type: string
description: The version of the resource.
readOnly: true
writeOnly: false
additionalProperties: false
OpenAPI representation of EndpointApp schema is as follows:
EndpointApp スキーマの OpenAPI 表現は次のとおりです。
openapi: 3.1.0
info:
title: SCIM Endpoint App Schema
version: 1.0.0
components:
schemas:
Group:
type: object
description: A list of groups to which the endpoint
application belongs, either through
direct membership, through nested
groups, or dynamically calculated.
properties:
value:
type: string
description: The unique identifier of a group,
typically a UUID.
readOnly: true
writeOnly: false
display:
type: string
description: A display string for the group.
readOnly: true
writeOnly: false
$ref:
type: string
format: uri
description: Reference to the group object.
readOnly: true
writeOnly: true
EndpointApp:
title: EndpointApp
description: Endpoint application resource.
type: object
properties:
applicationType:
type: string
description: This attribute will only contain two values:
deviceControl or telemetry.
readOnly: false
writeOnly: false
applicationName:
type: string
description: Human-readable name of the application.
readOnly: false
writeOnly: false
groups:
type: array
description: List of groups to which the EndpointApp
belongs.
items:
$ref: '#/components/schemas/Group'
required:
- applicationType
- applicationName
additionalProperties: true
oneOf:
- $ref: '#/components/schemas/clientToken'
- $ref: '#/components/schemas/certificateInfo'
allOf:
- $ref: '#/components/schemas/CommonAttributes'
clientToken:
type: string
description: "This attribute contains a token that the client
will use to authenticate itself. Each token may
be a string up to 500 characters in length."
readOnly: true
writeOnly: false
certificateInfo:
type: object
description: "Contains X.509 certificate's subject name and
root CA information associated with the device
control or telemetry app."
properties:
rootCA:
type: string
description: "The base64 encoding of a trust anchor
certificate, as per RFC 4648, Section 4."
readOnly: false
writeOnly: false
subjectName:
type: string
description: "Also known as the Common Name (CN), the
Subject Name is a field in the X.509
certificate that identifies the primary
domain or IP address for which the
certificate is issued."
readOnly: false
writeOnly: false
required:
- subjectName
CommonAttributes:
type: object
properties:
schemas:
type: array
items:
type: string
enum:
- urn:ietf:params:scim:schemas:core:2.0:EndpointApp
description: The list of schemas that define the resource.
id:
type: string
format: uri
description: The unique identifier for a resource.
readOnly: true
writeOnly: false
meta:
type: object
readOnly: true
properties:
resourceType:
type: string
description: The name of the resource type of the
resource.
readOnly: true
writeOnly: false
location:
type: string
format: uri
description: The URI of the resource being returned.
readOnly: true
writeOnly: false
created:
type: string
format: date-time
description: The date and time the resource was added
to the service provider.
readOnly: true
writeOnly: false
lastModified:
type: string
format: date-time
description: The most recent date and time that the
details of this resource were updated at
the service provider.
readOnly: true
writeOnly: false
version:
type: string
description: The version of the resource.
readOnly: true
writeOnly: false
additionalProperties: false
OpenAPI representation of BLE extension schema is as follows:
BLE 拡張スキーマの OpenAPI 表現は次のとおりです。
openapi: 3.1.0
info:
title: SCIM Bluetooth Extension Schema
version: 1.0.0
components:
schemas:
BleDevice:
type: object
description: BLE device schema.
properties:
schemas:
type: array
items:
type: string
enum:
- urn:ietf:params:scim:schemas:extension:ble:2.0
:Device
urn:ietf:params:scim:schemas:extension:ble:2.0:Device:
$ref: '#/components/schemas/BleDeviceExtension'
required: true
BleDeviceExtension:
type: object
properties:
versionSupport:
type: array
items:
type: string
description: Provides a list of all the BLE versions
supported by the device, for example,
[4.1, 4.2, 5.0, 5.1, 5.2, 5.4].
readOnly: false
writeOnly: false
deviceMacAddress:
type: string
description: It is the public MAC address assigned by the
manufacturer. It is a unique 48-bit value. The
regex pattern is
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
readOnly: false
writeOnly: false
isRandom:
type: boolean
description: AddressType flag is taken from the BLE core
specifications 5.4. If false, the device is
using a public MAC address. If true, device
is using a random address.
readOnly: false
writeOnly: false
separateBroadcastAddress:
type: string
description: "When present, this address is used for
broadcasts/advertisements. This value
MUST NOT be set when an IRK is provided.
Its form is the same as deviceMacAddress."
readOnly: false
writeOnly: false
irk:
type: string
description: Identity Resolving Key (IRK), which is unique
for every device. It is used to resolve a
random address.
readOnly: false
writeOnly: true
mobility:
type: boolean
description: If set to true, the BLE device will
automatically connect to the closest AP. For
example, if a BLE device is connected with
AP-1 and moves out of range but comes in
range of AP-2, it will be disconnected with
AP-1 and connected with AP-2.
readOnly: false
writeOnly: false
pairingMethods:
type: array
items:
type: string
description: List of pairing methods associated with the
BLE device, stored as schema URI.
readOnly: false
writeOnly: false
urn:ietf:params:scim:schemas:extension:pairingNull:2.0
:Device:
$ref: '#/components/schemas/NullPairing'
required: false
urn:ietf:params:scim:schemas:extension:pairingJustWorks:2.0
:Device:
$ref: '#/components/schemas/PairingJustWorks'
required: false
urn:ietf:params:scim:schemas:extension:pairingPassKey:2.0
:Device:
$ref: '#/components/schemas/PairingPassKey'
required: false
urn:ietf:params:scim:schemas:extension:pairingOOB:2.0
:Device:
$ref: '#/components/schemas/PairingOOB'
required: false
required:
- versionSupport
- deviceMacAddress
- AddressType
- pairingMethods
additionalProperties: false
NullPairing:
type: object
PairingJustWorks:
type: object
description: Just Works pairing method for BLE.
properties:
key:
type: integer
description: Just Works does not have any key value. For
completeness, it is added with a key value
'null'.
readOnly: false
writeOnly: false
required:
- key
PairingPassKey:
type: object
description: Passkey pairing method for BLE.
properties:
key:
type: integer
description: A six-digit passkey for a BLE device.
The pattern of key is ^[0-9]{6}$.
readOnly: false
writeOnly: true
required:
- key
PairingOOB:
type: object
description: Out-of-band pairing method for BLE.
properties:
key:
type: string
description: The OOB key value for a BLE device.
readOnly: false
writeOnly: false
randomNumber:
type: integer
description: Nonce added to the key.
readOnly: false
writeOnly: true
confirmationNumber:
type: integer
description: Some solutions require a confirmation number
in the RESTful message exchange.
readOnly: false
writeOnly: true
required:
- key
- randomNumber
OpenAPI representation of DPP extension schema is as follows:
DPP 拡張スキーマの OpenAPI 表現は次のとおりです。
openapi: 3.1.0
info:
title: SCIM Device Provisioning Protocol Extension Schema
version: 1.0.0
components:
schemas:
DppDevice:
type: object
description: Wi-Fi Easy Connect (DPP) device extension schema.
properties:
schemas:
type: array
items:
type: string
enum:
- urn:ietf:params:scim:schemas:extension:dpp:2.0
:Device
urn:ietf:params:scim:schemas:extension:dpp:2.0:Device:
$ref: '#/components/schemas/DppDeviceExtension'
required: true
DppDeviceExtension:
type: object
properties:
dppVersion:
type: integer
description: Version of DPP this device supports.
readOnly: false
writeOnly: false
bootstrappingMethod:
type: array
items:
type: string
description: The list of all the bootstrapping methods
available on the enrollee device, for
example, [QR, NFC].
readOnly: false
writeOnly: false
bootstrapKey:
type: string
description: An Elliptic Curve Diffie-Hellman
(ECDH) public key. The base64-encoded length
for P-256, P-384, and P-521 is 80, 96, and
120 characters.
readOnly: false
writeOnly: true
deviceMacAddress:
type: string
description: The MAC address assigned by the manufacturer.
The regex pattern is
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
readOnly: false
writeOnly: false
classChannel:
type: array
items:
type: string
description: A list of global operating class and channel
shared as bootstrapping information. It is
formatted as class/channel, for example,
'81/1', '115/36'.
readOnly: false
writeOnly: false
serialNumber:
type: string
description: An alphanumeric serial number that may also
be passed as bootstrapping information.
readOnly: false
writeOnly: false
required:
- dppVersion
- bootstrapKey
additionalProperties: false
OpenAPI representation of Ethernet MAB extension schema is as follows:
イーサネット MAB 拡張スキーマの OpenAPI 表現は次のとおりです。
openapi: 3.1.0
info:
title: SCIM MAC Authentication Bypass Extension Schema
version: 1.0.0
components:
schemas:
EthernetMABDevice:
type: object
description: Ethernet MAC Authenticated Bypass.
properties:
schemas:
type: array
items:
type: string
enum:
- urn:ietf:params:scim:schemas:extension:ethernet-mab
:2.0:Device
urn:ietf:params:scim:schemas:extension:ethernet-mab:2.0
:Device:
$ref: '#/components/schemas/EthernetMABDeviceExtension'
required: true
EthernetMABDeviceExtension:
type: object
properties:
deviceMacAddress:
type: string
description: It is the public MAC address assigned by the
manufacturer. It is a unique 48-bit value.
The regex pattern is
^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}.
readOnly: false
writeOnly: false
required:
- deviceMacAddress
description: Device extension schema for Ethernet-MAB.
OpenAPI representation of FDO extension schema is as follows:
FDO 拡張スキーマの OpenAPI 表現は次のとおりです。
openapi: 3.1.0
info:
title: SCIM FIDO Device Onboarding Extension Schema
version: 1.0.0
components:
schemas:
FDODevice:
type: object
description: FIDO Device Onboarding (FDO) extension.
properties:
schemas:
type: array
items:
type: string
enum:
- urn:ietf:params:scim:schemas:extension:fido-device
-onboard:2.0:Device
urn:ietf:params:scim:schemas:extension:fido-device-onboard
:2.0:Device:
$ref: '#/components/schemas/FDODeviceExtension'
required: true
FDODeviceExtension:
type: object
properties:
fdoVoucher:
type: string
description: A FIDO Device Onboard (FDO) voucher.
readOnly: false
writeOnly: false
required:
- fdoVoucher
description: Device extension for a FIDO Device Onboard (FDO).
OpenAPI representation of Zigbee extension schema is as follows:
Zigbee 拡張スキーマの OpenAPI 表現は次のとおりです。
openapi: 3.1.0
info:
title: SCIM Zigbee Extension Schema
version: 1.0.0
components:
schemas:
ZigbeeDevice:
type: object
description: Zigbee device schema.
properties:
schemas:
type: array
items:
type: string
enum:
- urn:ietf:params:scim:schemas:extension:zigbee:2.0
:Device
urn:ietf:params:scim:schemas:extension:zigbee:2.0:Device:
$ref: '#/components/schemas/ZigbeeDeviceExtension'
required: true
ZigbeeDeviceExtension:
type: object
properties:
versionSupport:
type: array
items:
type: string
description: Provides a list of all the Zigbee versions
supported by the device, for example, [3.0].
readOnly: false
writeOnly: false
deviceEui64Address:
type: string
description: The 64-bit Extended Unique Identifier (EUI-64)
device address. The regex pattern is
^[0-9A-Fa-f]{16}$.
readOnly: false
writeOnly: false
required:
- versionSupport
- deviceEui64Address
description: Device extension schema for Zigbee.
OpenAPI representation of endpointAppsExt extension schema is as follows:
endpointAppsExt 拡張スキーマの OpenAPI 表現は次のとおりです。
openapi: 3.1.0
info:
title: SCIM Endpoint Extension Schema
version: 1.0.0
components:
schemas:
EndpointAppsExt:
type: object
properties:
applications:
$ref: '#/components/schemas/applications'
deviceControlEnterpriseEndpoint:
type: string
format: url
description: The URL of the enterprise endpoint that
device control apps use to reach an
enterprise network gateway.
readOnly: true
writeOnly: false
telemetryEnterpriseEndpoint:
type: string
format: url
description: The URL of the enterprise endpoint that
telemetry apps use to reach an enterprise
network gateway.
readOnly: true
writeOnly: false
required:
- applications
- deviceControlEnterpriseEndpoint
applications:
type: array
items:
value:
type: string
description: The identifier of the EndpointApp.
readOnly: false
writeOnly: false
ref:
type: string
format: uri
description: The URI of the corresponding EndpointApp
resource that will control or obtain data
from the device.
readOnly: true
writeOnly: false
required:
- value
- ref
The following diagrams are included to demonstrate how FDO can be used. In this first diagram, a device is onboarded not only to the device owner process but also to the AAA server for initial onboarding. The voucher contains a device certificate that is used by the AAA system for authentication.
次の図は、FDO の使用方法を示すために含まれています。この最初の図では、デバイスはデバイス所有者プロセスだけでなく、初期オンボーディングのために AAA サーバーにもオンボードされます。バウチャーには、AAA システムが認証に使用するデバイス証明書が含まれています。
,------. ,------. ,-------.
|SCIM | |SCIM | |Owner | ,---.
|Client| |Server| |Service| |AAA|
`---+--' `---+--' `---+---' `-+-'
,------------------------------!. | |
|Voucher contains |_\ | |
|an X.509 cert chain | | |
`--------------------------------' | |
|1 POST [FDO(voucher)] | | |
|/HTTP | | |
|--------------------->| | |
| | | |
| |----. | |
| | | 2 Recover X.509 | |
| |<---' cert chain | |
| | from voucher | |
| | | |
| | | |
| |3 Add device(voucher) | |
| |/HTTP | |
| |--------------------->| |
| | | |
| | 4 200 "ok" | |
| |<---------------------| |
| | | |
| | 5 Add identity |
| |------------------------------->|
| | | |
| | 6 200 "ok" |
| |<-------------------------------|
| | | |
| 7 200 "ok" | | |
|<---------------------| | |
| | | |
| | | |
After this flow is complete, the device can then first provisionally onboard and then later receive a trust anchor through FDO's Transfer Ownership Protocol 2 (TO2) process. This is shown below.
このフローが完了すると、デバイスは最初に暫定的にオンボードされ、その後 FDO の所有権移転プロトコル 2 (TO2) プロセスを通じてトラスト アンカーを受け取ることができます。これを以下に示します。
,-------. ,------.
|Owner | ,---. |Access| ,------.
|Service| |AAA| |Point | |Device|
`---+---' `-+-' `---+--' `---+--'
| | | ,------------------!.
| | | |Device configured |_\
| | | |with well-known |
| | | |RCOI and for trust |
| | | |on first use |
| | | `--------------------'
| | ,---------------!. |
| | |WLAN configured|_\ |
| | |with well-known | |
| | |RCOI | |
| | `-----------------' |
| | | 1 EAP-TLS/EAPOL |
| | |<-----------------|
| | | |
| |2 EAP-TLS/Radius | |
| |<----------------| |
| | | |
| | ,--------------------------!.
| | |Device skips |_\
| | |server authentication |
| | `----------------------------'
| |3 Result=Success | |
| |---------------->| |
| | | |
| ,-----------------------!. |
| |Limited access |_\ |
| |for now | |
| `-------------------------' |
| | |4 Result=Success |
| | |----------------->|
| | | |
| | 5 FDO TO2 | |
|<----------------------------------------------------|
| | | |
,-------------------------------------------------------------!.
|FSIM, Runtime SSID, |_\
|Credentials incl. |
|local trust anchor |
`---------------------------------------------------------------'
| | | 6 dissasociate |
| | |<-----------------|
| | | |
| | |7 EAP-TLS w/ LSC |
| | |<-----------------|
| | | |
| | | |
. . etc . .
The authors would like to thank Sriram Sekar, Bart Brinckman, Rohit Mohan, Lars Streubesand, Christian Amsüss, Jason Livingwood, Mike Ounsworth, Monty Wiseman, Geoffrey Cooper, Paulo Jorge N. Correia, Phil Hunt, and Elwyn Davies for their reviews and Nick Ross for his contribution to the appendix.
著者らは、書評に対してSriram Sekar氏、Bart Brinckman氏、Rohit Mohan氏、Lars Streubesand氏、Christian Amsüss氏、Jason Livingwood氏、Mike Ounsworth氏、Monty Wiseman氏、Geoffrey Cooper氏、Paulo Jorge N. Correia氏、Phil Hunt氏、Elwyn Davies氏、付録への貢献に対してNick Ross氏に感謝します。
Muhammad Shahzad
North Carolina State University
Department of Computer Science
890 Oval Drive
Campus Box 8206
Raleigh, NC 27695-8206
United States of America
Email: mshahza@ncsu.edu
Hassan Iqbal
North Carolina State University
Department of Computer Science
890 Oval Drive
Campus Box 8206
Raleigh, NC 27695-8206
United States of America
Email: hassaniqbal931@gmail.com
Eliot Lear
Cisco Systems
Richtistrasse 7
CH-8304 Wallisellen
Switzerland
Phone: +41 44 878 9200
Email: lear@cisco.com