| Network Working Group | P. Hunt, Ed. |
| Internet-Draft | G. Wilson |
| Intended status: Standards Track | Oracle |
| Expires: September 30, 2015 | March 29, 2015 |
SCIM Password Management Extension
draft-hunt-scim-password-mgmt-00
The System for Cross-Domain Identity Management (SCIM) specification is an HTTP based protocol that makes managing identities in multi-domain scenarios easier to support through a standardized services. SCIM provides extension points that enable new ResourceTypes and Schema Extensions to be defined. This specification defines a set of password and account status extensions for managing passwords and password usage (e.g. failures) and other related session data. The specification defines new ResourceTypes that enable management of passwords and account recovery functions.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 30, 2015.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The System for Cross-Domain Identity Management (SCIM) specification is an HTTP based protocol that makes managing identities in multi-domain scenarios easier to support through a standardized services. SCIM provides extension points that enable new ResourceTypes and Schema Extensions to be defined. This specification defines a set of password and account status extensions for managing passwords and tracking password usage (e.g. failures) and other related session data. The specification defines new resource types that enable management of passwords and account recovery functions.
A set of SCIM schema extensions that define:
A set of resource types are defined that enable password and password policy management:
In the above list, the last 3 resource types are temporary resources that are used to convey requests that may update an identified target resource URI (e.g. a User). While these requests have a simple state transfer request/response relationship with a SCIM client, they may cause secondary effects by changing multiple attribute states in the target of the request. For example, setting a resource's password attribute involves validating password policy as well as checking and revising password history. There may be further service provider actions such as email confirmation that occur asynchronously from the SCIM client's perspective.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. These keywords are capitalized when used to unambiguously specify requirements of the protocol or application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
For purposes of readability examples are not URL encoded. Implementers MUST percent encode URLs as described in Section 2.1 of [RFC3986].
Throughout this documents all figures MAY contain spaces and extra line-wrapping for readability and space limitations. Similarly, some URI's contained within examples, have been shortened for space and readability reasons.
[TBD]
The following SCIM extension defines attributes used to manage account passwords within a service provider. The extension is applied to a User resource, but MAY be applied to other resources that use passwords. The password extension is identified using the following schema URI: urn:ietf:params:scim:schemas:extension:account:2.0:Password.
The following Singular Attributes are defined:
The following Multi-valued Attributes are defined:
The following SCIM extension defines a new SCIM resource type known as PasswordPolicy and usually has an endpoint of /PasswordPolicies. The password policy is identified using the following core schema URI: urn:ietf:params:scim:schemas:core:2.0:policy:Password.
The following Single-value attributes are defined:
This extension defines a series of password and username management requests that are modeled as SCIM resource types. Each request acts as a "function" that MAY result in multiple changes to a designated resource (e.g. User). For example, setting a password involves the service provider validating the new password, updating the password, revising password history and resetting appropriate password state values.
A management request is performed by doing a SCIM creation request for the associated management function resource type. Each request resource type has its own schema and resource type endpoint. The normal SCIM API rules apply to these requests. When a request is completed, a SCIM service provider MAY return the final state in the HTTP response, or it MAY return the location of the created request resource object that MAY be used for further processing. [TO BE CLARIFIED]
The following requests are supported and defined in the following sections:
A password reset request is performed by performing a SCIM Create operation using HTTP POST to the endpoint for resource type PasswordResetRequest which is typically /PasswordResetRequests. Upon receiving the request, the service provider, based on its own logic, validates the request, and based on its own internal logic subsequently resets the password of the resource identified by userName. This request MAY be made anonymously (since the user is unable to authenticate) or through an authenticated web application component, who in turn may be unable to authenticate the user). [Add security considerations for this request]
Upon validating a request, the service provider may return either HTTP Status 200 (Ok), or it may return the request as a temporary resource that exists for a period of time (e.g. awaiting secondary approval or e-mail confirmation).
The core schema for a PasswordResetRequest is urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest. The above schema can be used in several reset forms as described in the following two sections. This schema includes the following attributes:
POST /PasswordResetRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"],
"userName":
"happyAlice",
"challenges": [
{
"challenge":"what is your favorite color",
"response":"red"
},
{
"challenge":"what is name of your pet",
"response":"pet"
},
{
"challenge":"what is city of your birth",
"response":"city"
}],
"password": “<new password>”
}
An anonymous (or authenticated web application) by providing a userName and the correct set of challenges and a new password value, MAY request that a service provider accept a requested password and set the password directly. The service provider might perform other secondary checks to confirm the requestors identity (email confirmation.
Upon processing a successful request, the SCIM service provider would respond with:
HTTP/1.1 200 OK
In the above example, the request is considered complete when response is returned. In this case, no permanent request object is created and so no HTTP Location value is returned. In some cases, the service provider MAY keep the request until workflow completes. If it wishes to allow clients to "poll" for status, it MAY create a resource and returns an HTTP Location in the response. [Is this needed?]
POST /PasswordResetRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"],
"userName":
"happyAlice"
}
By providing only a userName value, an email conformation flow MAY be initiated that requires the subject to click on the link (to prove ownership of the known email) upon which the user is confirmed and the request is processed.
Upon processing a successful request, the SCIM service provider SHALL respond with:
HTTP/1.1 200 OK
In the above example, it is expected that the User will be given a link to click on out-of-band. As such the current request completes with no further response. As with the Challenges variant, a service provider MAY provide an HTTP Location if the service provider intends to keep the request active until it is completed. [Is a persisted request needed?]
A password validation request MAY be used to confirm that a proposed password value conforms to service provider policy and associated user policy and password state criteria (e.g. such as password history). A request is performed by performing a SCIM Create operation using HTTP POST to the endpoint for resource type PasswordValidateRequest which is typically /PasswordValidateRequests. Upon receiving the request, the service provider, based on its own logic and any associated password policy for the resource, validates the provided password. [can this be made anonymously?]
Upon validating a request, the service provider may returns either HTTP Status 200 (Ok), or it may return HTTP Status 400 indicating the password is unacceptable. [NOTE: should there be a scimType and/or description describing a standardized reason for failure such as: history, tooShort, tooLong, missingSpecialChar, etc etc.
The core schema for a PasswordValidateRequest is urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest. This schema includes the following attributes:
The following is a non-normative example validation request. The example has been altered for clarity:
POST /PasswordValidateRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest"],
"$ref": “/Users/2819c223-7f76-453a-919d-413861904646”,
"password":"someG00Didea!"
}
A successful response looks similar to the following non-normative example:
HTTP/1.1 200 OK
A username validation request MAY be used to confirm that a proposed username value conforms to service provider policy and associated user policy as well as uniqueness. A request is performed by performing a SCIM Create operation using HTTP POST to the endpoint for resource type UsernameValidateRequest which is typically /UsernameValidateRequests. Upon receiving the request, the service provider, tests for uniqueness and any associated formatting policy and validates the provided username.
Upon validating a request, the service provider may returns either HTTP Status 200 (Ok), or it may return HTTP Status 400 indicating the password is unacceptable. [NOTE: should there be a scimType and/or description describing a standardized reason for failure such as: history, tooShort, tooLong, missingSpecialChar, etc etc.
The core schema for a UsernameValidateRequest is urn:ietf:params:scim:schemas:core:2.0:password:UsernameValidateRequest. This schema includes the following attributes:
The following is a non-normative example validation request. The example has been altered for clarity:
POST /UsernameValidaeRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:UsernameValidateRequest"],
"$ref": “/Users/2819c223-7f76-453a-919d-413861904646”,
"userName":"susieQ"
}
A successful response looks similar to the following non-normative example:
HTTP/1.1 200 OK
A username generation request MAY be used to request an automatically generated userName that conforms to service provider policy and uniqueness requirements. A request is performed by performing a SCIM Create operation using HTTP POST to the endpoint for resource type UsernameGenerateRequest which is typically /UsernameGenerateRequests. Upon receiving the request, the service provider, generates a unique userName and returns it in a response.
The core schema for a UsernameGenerateRequest is urn:ietf:params:scim:schemas:core:2.0:password:UsernameGenerateRequest. This schema includes the following attributes:
The following is a non-normative example userName generation request. The example has been altered for clarity:
POST /UsernameGenerateRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:UsernameGenerateRequest"],
"name": {
"formatted": "Ms. Barbara J Doe III",
"familyName": "Doe",
"givenName": "Barbara",
"middleName": "Jane",
"honorificSuffix": "III"
}
}
A successful response looks similar to the following non-normative example:
HTTP/1.1 200 OK
{
"userName": "barbara.doe",
}
A userName recovery request MAY be used to look up a userName based on a provided email address. The provided email address may be matched against any value of an existing resource's emails attribute. A request is performed by performing a SCIM Create operation using HTTP POST to the endpoint for resource type UsernameRecoverRequest which is typically /UsernameRecoverRequests. Upon receiving the request, the service provider, generates a unique userName and returns it in a response.
The core schema for a UsernameRecoverRequest is urn:ietf:params:scim:schemas:core:2.0:password:UsernameRecoverRequest. This schema includes the following attributes:
The following is a non-normative example userName recovery request. The example has been altered for clarity:
POST /UsernameRecoverRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:UsernameRecoverRequest"],
"email": “bdoe@example.com”
}
A successful response looks similar to the following non-normative example:
HTTP/1.1 200 OK
{
"userName": "barbara.doe",
}
This section provides a JSON representation of the schema extensions in this draft. [TODO follow format of Sec 8.7 of core schema draft]
{
"id" :
"urn:ietf:params:scim:schemas:extension:account:2.0:Password",
"name" : "Password Management Schema Extension",
"description" : "This extension defines attributes used to manage
account passwords within a service provider. The extension is
typically applied to a User resource, but MAY be applied to
other resources that use passwords.",
"attributes" : [
{
"name" : "passwordState",
"type" : "complex",
"multiValued" : false,
"description" : "A Complex attribute that describes server
provided attributes regarding the state of the resource's
password.",
"required" : true,
"returned" : "default",
"mutability" : "readWrite",
"subAttributes" : [
{
"name" : "createDate",
"type" : "dateTime",
"multiValued" : false,
"description" : "A DateTime which specifies the date and
time the current password was set.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "cantChange",
"type" : "boolean",
"multiValued" : false,
"description" : "A Boolean indicating that the current
password MAY NOT be changed and all other password expiry
settings SHALL be ignored",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "noExpiry",
"type" : "boolean",
"multiValued" : false,
"description" : "A Boolean indicating that password expiry
policy will not be applied for the current resource.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "lastSuccessfulLoginDate",
"type" : "dateTime",
"multiValued" : false,
"description" : "A DateTime value indicating the last
successful login date.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "lastFailedLoginDate",
"type" : "dateTime",
"multiValued" : false,
"description" : "A DateTime value indicating the last
failed login date.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "loginAttempts",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer value indicating the number of
failed login attempts. The value is reset to 0 after a
successfull login.",
"required" : false,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "resetAttempts",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer value indicating the number of
password reset attempts. The value is reset to 0 after
successful reset.",
"required" : false,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "passwordMustChange",
"type" : "boolean",
"multiValued" : false,
"description" : "A Boolean value that indicates that the
subject password value MUST change at the next login. If
not changed, typically the account is locked The value
may be set indirectly when the subject's current password
expires, or directly set by an administrator.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
}
]
},
{
"name" : "passwordPolicyUrl",
"type" : "reference",
"referenceTypes" : ["PasswordPolicy"],
"multiValued" : false,
"description" : "A URI reference value that indicates the
address of a password policy that is used in relation to the
current resource.",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "locked",
"type" : "complex",
"multiValued" : false,
"description" : "A Complex attribute that indicates an account
is locked (blocking new sessions).",
"required" : false,
"returned" : "default",
"mutability" : "readWrite",
"subAttributes" : [
{
"name" : "reason",
"type" : "integer",
"multiValued" : false,
"description" : "A number value indicating the reason for
locking. Valid values are: 0 - failed attempts. 1 - admin
lock. 2 - reset attempts",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "on",
"type" : "boolean",
"multiValued" : false,
"description" :
"A Boolean value indicating the account is locked.",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "lockDate",
"type" : "dateTime",
"multiValued" : false,
"description" : "A DateTime which specifies the date and
time the current resource was locked.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
}
]
},
{
"name" : "challenges",
"type" : "complex",
"multiValued" : true,
"description" : "A Complex attribute describing challenge
questions that may be used as a supplementary factor during
login or during password management requests.",
"required" : false,
"returned" : "default",
"mutability" : "readWrite",
"subAttributes" : [
{
"name" : "question",
"type" : "string",
"multiValued" : false,
"description" : "A String that represents a challenge
question for which the corresponding response is
defined.",
"required" : true,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "response",
"type" : "string",
"multiValued" : false,
"description" : "A String that represents the subjects
specified correct response to the corresponding
challenge.",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"name" : "passwordHistory",
"type" : "string",
"multiValued" : true,
"description" : "A writeOnly attribute that contains hashes of
previous passwords associated with the SCIM resource.",
"required" : false,
"caseExact" : true,
"mutability" : "writeOnly",
"returned" : "never",
"uniqueness" : "none"
}
]
}
Password Extension for Users
The following is a representation of the password state extension urn:ietf:params:scim:schemas:extension:account:2.0:Password that is used to extend a User resource.
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:policy:Password",
"name" : "Password Policy Schema",
"description" : "This extension defines attributes for a password
policy.",
"attributes" : [
{
"name" : "name",
"type" : "string",
"multiValued" : false,
"description" : "A String that is the name of the policy.
Typically used for informational purposes (e.g. to display
to the user)",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "description",
"type" : "string",
"multiValued" : false,
"description" : "A String that describes the current policy.
Typically used for informational purposes (e.g. to display
to a user).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "maxLength",
"type" : "integer",
"multiValued" : false,
"description" : "Maximum password length in characters.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minLength",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum password length in characters.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minAlphas",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum number of alpha chcars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minNumerals",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum number of numeric characters.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "maxLength",
"type" : "integer",
"multiValued" : false,
"description" : "Maximum password length in characters.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minAlphaNumerals",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum num of alphas and numeric chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minSpecialChars",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum num of special chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "maxSpecialChars",
"type" : "integer",
"multiValued" : false,
"description" : "Maximum number of special chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minUpperCase",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum num of upper case chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minLowerCase",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum num of lower case chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minUnique",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum num of unique chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "maxRepeatChars",
"type" : "integer",
"multiValued" : false,
"description" : "Max num of repeated chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "startsWithAlphas",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates password must begin with alpha char",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minUnicodeChars",
"type" : "integer",
"multiValued" : false,
"description" : "[TO BE DISCUSSED]",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "firstNameDisallowed",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates a sequence of characters matching
the resource's name.givenName SHALL NOT be included in the
password",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "lastNameDisallowed",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates a sequence of characters matching
the resource's name.familyName SHALL NOT be included in the
password",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "userNameDisallowed",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates a sequence of characters matching
the resource's userName SHALL NOT be included in the
password",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minPasswordAgeInDays",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the minimum age in days
before the password MAY be changed.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "warningAfterDays",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the number of days after
which a password reset warning will be issued.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "expiresAfterDays",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the numbers of days
after which a password reset is required.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "requiredChars",
"type" : "string",
"multiValued" : false,
"description" : "A String value whose contents indicates a set
of characters that MUST appear, in any sequence, in a
password value.",
"required" : false,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "never",
"uniqueness" : "none"
},
{
"name" : "disallowedChars",
"type" : "string",
"multiValued" : false,
"description" : "A String value whose contents indicates a set
of characters that SHALL NOT appear, in a password value.",
"required" : false,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "never",
"uniqueness" : "none"
},
{
"name" : "disallowedSubstrings",
"type" : "string",
"multiValued" : true,
"description" : "A set of strings that SHALL not appear in a
password value.",
"required" : false,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "never",
"uniqueness" : "none"
},
{
"name" : "disctionaryLocation",
"type" : "reference",
"referenceTypes" : ["reference"],
"multiValued" : false,
"description" : "A Reference value containing the URI of a
dictionary of words not allowed to appear within a password
value.",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "passwordHistorySize",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the number of passwords
that will be kept in history that may not be used as a
password.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "maxIncorrectAttempts",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer representing the maximum number of
failed logins before an account is locked.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "lockOutDuration",
"type" : "integer",
"multiValued" : false,
"description" : "An integer indicating the number of minutes
an account will be locked after maxIncorrectAttempts
exceeded.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "challengesEnabled",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates whether challenges may be used
during authentication.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "challengePolicy",
"type" : "complex",
"multiValued" : false,
"description" : "A complex attribute that defines policy around
challenges.",
"required" : true,
"returned" : "default",
"mutability" : "readWrite",
"subAttributes" : [
{
"name" : "source",
"type" : "integer",
"multiValued" : false,
"description" : "A number value indicating the source for
challenges. Valid values are: 0 - user. 1 - admin
defined. 2 - both",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "defaultQuestions",
"type" : "string",
"multiValued" : true,
"description" : "A Multi-valued String attribute that
contains one or more default question a subject may use
when setting their challenge questions",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "minQuestionCount",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the minimum number
of challenge questions a subject MUST answer when setting
challenge question answers. A value of 0 or no value
indicates no minimum.",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minAnswerCount",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the mimimum number
of challenge answers a subject MUST answer when
attempting to reset their password via forgot password
request.",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "allAtOnce",
"type" : "boolean",
"multiValued" : false,
"description" : "When true, the client UI will present
all challengers in random order each time displayed.
When false, the client UI will present one challenge
question at a time where the subject MUST respond before
the next is displayed.",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minResponseLength",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the minimum number
of chars in a challenge response. No value or a value
of 0 indicates no minimum length (effectively 1)",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "maxIncorrectAttempts",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicates the maximum number of
failed reset password attempts using challenges. If any
challenges are wrong in a reset attempt, the user's
resetAttempts counter will be incremented by 1. If
resetAttempts is greater than maxIncorrectAttempts, the
subject's account will be locked with a locked.reason
value.",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
}
]
}
]
}
Password Policy Schema
The following is a representation of the password policy resource type extension urn:ietf:params:scim:schemas:core:2.0:policy:Password that is used to define a PasswordPolicy resource.
[
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest",
"name" : "Password Reset Request",
"description" : "Used to submit a password reset request for a
specific userName. Before resetting a secondary confirmation is
completed.",
"attributes" : [
{
"name" : "userName",
"type" : "string",
"multiValued" : false,
"description" : "A string value that matches the service provider
unique identifier for the user.",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "challenges",
"type" : "complex",
"multiValued" : true,
"description" : "A Complex attribute describing challenge
questions and responses that match the values found in the
resource matched by the userName attribute.",
"required" : false,
"returned" : "default",
"mutability" : "readWrite",
"subAttributes" : [
{
"name" : "question",
"type" : "string",
"multiValued" : false,
"description" : "A String that represents a challenge
question for which the corresponding response is
defined.",
"required" : true,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "response",
"type" : "string",
"multiValued" : false,
"description" : "A String that represents the subjects
specified correct response to the corresponding
challenge.",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"name" : "password",
"type" : "string",
"multiValued" : false,
"description" : "A string value for the requested password.
When specified, the challenges attribute must also be present.",
"required" : true,
"caseExact" : false,
"mutability" : "writeOnly",
"returned" : "never",
"uniqueness" : "none"
}
]
},
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest",
"name" : "Password Validate Request",
"description" : "Used to submit a password for validation.",
"attributes" : [
{
"name" : "password",
"type" : "string",
"multiValued" : false,
"description" : "A string value for the requested password.
When specified, the challenges attribute must also be present.",
"required" : true,
"caseExact" : false,
"mutability" : "writeOnly",
"returned" : "never",
"uniqueness" : "none"
}
]
},
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameValidateRequest",
"name" : "UserName Validate Request",
"description" : "Used to submit a username for validation.",
"attributes" : [
{
"name" : "$ref",
"type" : "reference",
"referenceTypes" : [
"User"
],
"multiValued" : false,
"description" : "A reference value that contains a URI that
points to the resource (e.g. User) against which the proposed
userName value is to be validated as an acceptable.",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "userName",
"type" : "string",
"multiValued" : false,
"description" : "A string value containing the requested userName
value for which validation is requested.",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameGenerateRequest",
"name" : "Username Generate Request",
"description" : "Used to request a new username be generated.",
"attributes" : [
{
"name" : "$ref",
"type" : "reference",
"referenceTypes" : [
"User"
],
"multiValued" : false,
"description" : "An reference value that contains a URI that
points to the resource (e.g. User) against which existing
resource's name attribute MAY be used to generate a userName
value. When the $ref attribute is used, the generate
request MUST be authenticated.",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "userName",
"type" : "string",
"multiValued" : false,
"description" : "A string value that is returned in the
server's reponse that contains a generated userName value.
The generated userName is not reserved and is guaranteed on
first-come-first-served basis by a subsequent SCIM creation
or modify request.",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "name",
"type" : "complex",
"multiValued" : false,
"description" : "An optional complex attribute containing the
components of the user's name against which a userName value
is to be generated. This attribute MAY be typically used as
part of an anonymous userName generation request during a
user registration dialog.",
"required" : false,
"subAttributes" : [
{
"name" : "formatted",
"type" : "string",
"multiValued" : false,
"description" : "The full name, including all middle names,
titles, and suffixes as appropriate, formatted for display (e.g. Ms.
Barbara J Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "familyName",
"type" : "string",
"multiValued" : false,
"description" : "The family name of the User, or Last Name
in most Western languages (e.g. Jensen given the full name Ms. Barbara J
Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "givenName",
"type" : "string",
"multiValued" : false,
"description" : "The given name of the User, or First Name
in most Western languages (e.g. Barbara given the full name Ms. Barbara
J Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "middleName",
"type" : "string",
"multiValued" : false,
"description" : "The middle name(s) of the User (e.g. Robert
given the full name Ms. Barbara J Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "honorificPrefix",
"type" : "string",
"multiValued" : false,
"description" : "The honorific prefix(es) of the User, or
Title in most Western languages (e.g. Ms. given the full name Ms.
Barbara J Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "honorificSuffix",
"type" : "string",
"multiValued" : false,
"description" : "The honorific suffix(es) of the User, or
Suffix in most Western languages (e.g. III. given the full name Ms.
Barbara J Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
],
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameRecoverRequest",
"name" : "UserName Recovery Request",
"description" : "Used to look up a username by email address.",
"attributes" : [
{
"name" : "email",
"type" : "string",
"multiValued" : false,
"description" : "A string value containing an email address
that is to be matched against an existing resource's emails
attribue.",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "userName",
"type" : "string",
"multiValued" : false,
"description" : "A string value provided in response to a
request which is the unique userName that corresponds to the
recovery request.",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "always",
"uniqueness" : "none"
}
]
}
]
Request Schemas
The following are the schemas for all password request resource types returned by the /Schemas endpoint:
[
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "PasswordPolicy",
"name" : "Password Policy Definition",
"endpoint" : "/Users",
"description" : "Password policy definition",
"schema" : "urn:ietf:params:scim:schemas:core:2.0:policy:Password",
"schemaExtensions" : [
]
},
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "PasswordResetRequest",
"name" : "Password Reset Request type",
"endpoint" : "/PasswordResetRequest",
"description" : "Resource type for processing password reset
requests",
"schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest",
"schemaExtensions" : [
]
},
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "PasswordValidateRequest",
"name" : "Password Validate Request type",
"endpoint" : "/PasswordValidateRequest",
"description" : "Resource type for processing password validation
requests",
"schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest",
"schemaExtensions" : [
]
},
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "UserNameValidateRequest",
"name" : "Username Validate Request type",
"endpoint" : "/UserNameValidateRequest",
"description" : "Resource type for processing username validation
requests",
"schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameValidateRequest",
"schemaExtensions" : [
]
},
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "UserNameGenerateRequest",
"name" : "Username Generation Request type",
"endpoint" : "/UserNameGenerateRequest",
"description" : "Resource type for processing username generation
requests",
"schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameGenerateRequest",
"schemaExtensions" : [
]
},
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "UserNameRecoverRequest",
"name" : "Username Recovery Request type",
"endpoint" : "/UserNameRecoverRequest",
"description" : "Resource type for recovering usernames.",
"schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameRecoveryRequest",
"schemaExtensions" : [
]
}
]
Password Management Resource Types
The following are the resource type definitions for the resource types defined in this specification.
This specification builds on those of the SCIM API and Core-Schema specifications and as such the security considerations of both of these drafts apply to this specification.
[other considerations TBD]
TODO: Registration for Password management schema
TODO: Registration of password management resource types
| [I-D.ietf-scim-api] | Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E. and C. Mortimore, "System for Cross-Domain Identity Management: Protocol", Internet-Draft draft-ietf-scim-api-14, December 2014. |
| [I-D.ietf-scim-core-schema] | Hunt, P., Grizzle, K., Wahlstroem, E. and C. Mortimore, "System for Cross-Domain Identity Management: Core Schema", Internet-Draft draft-ietf-scim-core-schema-14, December 2014. |
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
| [RFC3986] | Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. |
| [I-D.ietf-precis-framework] | Saint-Andre, P. and M. Blanchet, "PRECIS Framework: Preparation, Enforcement, and Comparison of Internationalized Strings in Application Protocols", Internet-Draft draft-ietf-precis-framework-21, December 2014. |
The editor would like to thank the participants in the SCIM working group for their support of this specification.
Draft 00 - PH - First Draft