Skip to content

SCIM Agent Extension

EXPERIMENTAL

This package implements draft-abbey-scim-agent-extension-00 which is still under development. The API may change as the specification evolves.

Part of AIStandards.io

This implementation is part of the AIStandards.io initiative tracking emerging AI agent standards. See the SCIM Agent Extension standard page for more information.

Overview

The SCIM Agent Extension adds two new resource types to SCIM 2.0 for managing AI agents and agentic applications across organizational domains.

Rather than creating entirely new protocols for agent discovery and management, this extension leverages the well-established SCIM protocol and existing implementations to solve agent cross-domain management.

Resource Types

Agent

An Agent represents an AI agent with its own identifier, metadata, and privileges, independent of a particular runtime environment or containing application. Agents are distinct from traditional software workloads due to varying degrees of unpredictable behavior caused by delegation of control flow to artificial intelligence models.

Schema URI: urn:ietf:params:scim:schemas:core:2.0:Agent

Endpoint: /Agents

Key attributes:

Attribute Description
name Unique identifier for the agent (REQUIRED)
displayName Human-readable display name
agentType Classification type (e.g., "Assistant", "Researcher")
active Administrative status
protocols Supported communication protocols (A2A, OpenAPI, MCP-Server)
owners Users or groups that own this agent
parent Parent agent in hierarchy

AgenticApplication

An AgenticApplication represents a software application that hosts or provides access to one or more agents. It serves as a container and runtime environment for agents, managing their authentication, authorization, and access to resources.

Schema URI: urn:ietf:params:scim:schemas:core:2.0:AgenticApplication

Endpoint: /AgenticApplications

Key attributes:

Attribute Description
name Unique identifier for the application (REQUIRED)
displayName Human-readable display name
applicationUrls URLs associated with the application
oAuthConfiguration OAuth client configurations
agents Agents associated with this application
active Administrative status

Protocol Communication Types

Agents can declare supported communication protocols via the protocols attribute:

Type Description
A2A Agent-to-Agent Protocol
OpenAPI OpenAPI/REST specification
MCP-Server Model Context Protocol Server

Each protocol includes a specificationUrl pointing to the agent's specific configuration document for that protocol.

ServiceProviderConfig Extension

SCIM servers that support the Agent Extension advertise this via the ServiceProviderConfig endpoint:

{
  "agentExtension": {
    "supported": true,
    "agentsSupported": true,
    "agenticApplicationsSupported": true
  }
}

Relationship to Other Protocols

The SCIM Agent Extension complements authentication protocols like:

  • AAuth: Agent Authentication using HTTP message signatures
  • ID-JAG: Identity Assertion JWT Authorization Grant
  • AIMS: Agent Identity Management System (SPIFFE/WIMSE)

While these protocols handle authentication (how agents prove identity), the SCIM Agent Extension handles provisioning (how agents are created, discovered, and managed in identity systems).

References