Internet DRAFT - draft-hunt-scim-password-mgmt
draft-hunt-scim-password-mgmt
Network Working Group P. Hunt, Ed.
Internet-Draft G. Wilson
Intended status: Standards Track Oracle
Expires: September 30, 2015 March 29, 2015
SCIM Password Management Extension
draft-hunt-scim-password-mgmt-00
Abstract
The System for Cross-Domain Identity Management (SCIM) specification
is an HTTP based protocol that makes managing identities in multi-
domain scenarios easier to support through a standardized services.
SCIM provides extension points that enable new ResourceTypes and
Schema Extensions to be defined. This specification defines a set of
password and account status extensions for managing passwords and
password usage (e.g. failures) and other related session data. The
specification defines new ResourceTypes that enable management of
passwords and account recovery functions.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 30, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Hunt & Wilson Expires September 30, 2015 [Page 1]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 2
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3
1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4
2. Schema Extensions . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Password Schema Extension . . . . . . . . . . . . . . . . 4
2.2. Password Policy . . . . . . . . . . . . . . . . . . . . . 6
2.3. Management Requests . . . . . . . . . . . . . . . . . . . 10
2.4. PasswordResetRequest . . . . . . . . . . . . . . . . . . 10
2.4.1. Password Reset With Challenges . . . . . . . . . . . 11
2.4.2. Reset With Email Confirmation . . . . . . . . . . . . 12
2.5. PasswordValidateRequest . . . . . . . . . . . . . . . . . 13
2.6. UsernameValidateRequest . . . . . . . . . . . . . . . . . 14
2.7. UsernameGenerateRequest . . . . . . . . . . . . . . . . . 15
2.8. UsernameRecoverRequest . . . . . . . . . . . . . . . . . 17
3. Schemas Representation . . . . . . . . . . . . . . . . . . . 18
3.1. Password Extension . . . . . . . . . . . . . . . . . . . 18
3.2. Password Policy Schema . . . . . . . . . . . . . . . . . 23
3.3. Request Schemas . . . . . . . . . . . . . . . . . . . . . 32
4. Password Management ResourceTypes . . . . . . . . . . . . . . 38
5. Security Considerations . . . . . . . . . . . . . . . . . . . 40
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 41
7.1. Normative References . . . . . . . . . . . . . . . . . . 41
7.2. Informative References . . . . . . . . . . . . . . . . . 41
Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 41
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 41
Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 41
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction and Overview
The System for Cross-Domain Identity Management (SCIM) specification
is an HTTP based protocol that makes managing identities in multi-
domain scenarios easier to support through a standardized services.
SCIM provides extension points that enable new ResourceTypes and
Schema Extensions to be defined. This specification defines a set of
password and account status extensions for managing passwords and
tracking password usage (e.g. failures) and other related session
data. The specification defines new resource types that enable
management of passwords and account recovery functions.
Hunt & Wilson Expires September 30, 2015 [Page 2]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
A set of SCIM schema extensions that define:
o Password Schema Extension - Providing account password state (e.g.
login attempts, successful login date, create date), policy,
account locking, as well as challenge questions.
o Password Policy Schema - A new resource type that defines password
policies that may be applied to resources that use passwords such
as complexity requirements, expiry, lockout, and usage
constraints.
A set of resource types are defined that enable password and password
policy management:
o Password Policy
o Password Reset Request
o Password Validation Request
o Username Recovery Request
In the above list, the last 3 resource types are temporary resources
that are used to convey requests that may update an identified target
resource URI (e.g. a User). While these requests have a simple state
transfer request/response relationship with a SCIM client, they may
cause secondary effects by changing multiple attribute states in the
target of the request. For example, setting a resource's password
attribute involves validating password policy as well as checking and
revising password history. There may be further service provider
actions such as email confirmation that occur asynchronously from the
SCIM client's perspective.
1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. These
keywords are capitalized when used to unambiguously specify
requirements of the protocol or application features and behavior
that affect the interoperability and security of implementations.
When these words are not capitalized, they are meant in their
natural-language sense.
For purposes of readability examples are not URL encoded.
Implementers MUST percent encode URLs as described in Section 2.1 of
[RFC3986].
Hunt & Wilson Expires September 30, 2015 [Page 3]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
Throughout this documents all figures MAY contain spaces and extra
line-wrapping for readability and space limitations. Similarly, some
URI's contained within examples, have been shortened for space and
readability reasons.
1.2. Definitions
[TBD]
2. Schema Extensions
2.1. Password Schema Extension
The following SCIM extension defines attributes used to manage
account passwords within a service provider. The extension is
applied to a "User" resource, but MAY be applied to other resources
that use passwords. The password extension is identified using the
following schema URI:
"urn:ietf:params:scim:schemas:extension:account:2.0:Password".
The following Singular Attributes are defined:
passwordState
A Complex attribute that describes server provided attributes
regarding the state of the resource's password.
createDate
A DateTime which specifies the date and time the current
password was set.
cantChange
A Boolean indicating that the current password MAY NOT be
changed and all other password expiry settings SHALL be
ignored.
noExpiry
A Boolean indicating that password expiry policy will not be
applied for the current resource.
lastSuccessfulLoginDate
A DateTime value indicating the last successful login date.
lastFailedLoginDate
A DateTime value indicating the last failed login date.
loginAttempts
An Integer value indicating the number of failed login
attempts. The value is reset to 0 after a successful login.
Hunt & Wilson Expires September 30, 2015 [Page 4]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
resetAttempts
An Integer value indicating the number of password reset
attempts.
passwordMustChange
A Boolean value that indicates that the subject password value
MUST change at the next login. If not changed, typically the
account is locked The value may be set indirectly when the
subject's current password expires, or directly set by an
administrator.
passwordPolicyUri
A URI reference value that indicates the address of a password
policy that is used in relation to the current resource.
locked
A Complex attribute that indicates an account is locked (blocking
new sessions). The following sub-attributes are defined:
reason
A number value indicating the reason for locking. Valid values
are:
0 - locked due to failed login attempts.
1 - locked by an administrator.
2 - locked due to failed forgot password reset attempts
on
A Boolean value indicating the account is locked.
lockDate A DateTime indicating when the resource was locked.
duration An optional Integer indicating length of lockout in
seconds.
The following Multi-valued Attributes are defined:
challenges
A Complex attribute describing challenge questions that may be
used as a supplementary factor during login or during password
management requests.
question
A String that represents a challenge question for which the
corresponding response is defined.
Hunt & Wilson Expires September 30, 2015 [Page 5]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
response
A String that represents the subjects specified correct
response to the corresponding challenge. The response MAY be
compared case-sensitive or case-insensitive based on service
provider policy.
passwordHistory
A writeOnly attribute that contains hashes of previous passwords
associated with the SCIM resource. The number of passwords stored
in this attribute is set by: "policy.passwordHistorySize".
Persisted values MUST be securely hashed such that the clients may
test if a clear-text value was previously used by looking for a
matching hash within the array of values.
2.2. Password Policy
The following SCIM extension defines a new SCIM resource type known
as "PasswordPolicy" and usually has an endpoint of
"/PasswordPolicies". The password policy is identified using the
following core schema URI:
"urn:ietf:params:scim:schemas:core:2.0:policy:Password".
The following Single-value attributes are defined:
name
A String that is the name of the policy. Typically used for
informational purposes (e.g. to display to the user).
description
A String that describes the current policy. Typically used for
informational purposes (e.g. to display to a user).
maxLength
An Integer indicating the maximum password length (in characters).
A value of 0 or no value SHALL indicate no maximum length
restriction.
minLength
An Integer indicating the minimum password length (in characters).
A value of 0 or no value SHALL indicate no minimum length
restriction.
minAlphas
An Integer indicating the minimum number of alphabetic characters
in a password. A value of 0 or no value SHALL indicate no minimum
length restriction.
minNumerals
Hunt & Wilson Expires September 30, 2015 [Page 6]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
An Integer indicating the minimum number of numeric characters in
a password. A value of 0 or no value SHALL indicate no minimum
length restriction.
minAlphaNumerals
An Integer indicating the minimum number of alphabetic or numeric
characters in a password. A value of 0 or no value SHALL indicate
no minimum length restriction.
minSpecialChars
An Integer indicating the minimum number of special characters in
a password. A value of 0 or no value SHALL indicate no minimum
length restriction.
maxSpecialChars
An Integer indicating the maximum number of special characters in
a password. A value of 0 or no value SHALL indicate no maximum
length restriction.
minUpperCase
An Integer indicating the minimum number of upper-case alphabetic
characters in a password. A value of 0 or no value SHALL indicate
no minimum length restriction.
minLowerCase
An Integer indicating the minimum number of lower-case alphabetic
characters in a password. A value of 0 or no value SHALL indicate
no minimum length restriction.
minUniqueChars
An Integer indicating the minimum number of unique characters in a
password. A value of 0 or no value SHALL indicate no minimum
restriction.
maxRepeatedChars
An Integer indicating the maximum number of repeated characters in
a password. A value of 0 or no value SHALL indicate no
restriction.
startsWithAlpha
A Boolean indicating that the password MUST being with an
alphabetic character.
minUnicodeChars
[...not sure this makes sense. There are strict limitations on
password values (must be Unicode UTF-8 processed by PRECIS)]
firstNameDisallowed
Hunt & Wilson Expires September 30, 2015 [Page 7]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
A Boolean indicating a sequence of characters matching the
resource's "name.givenName" SHALL NOT be included in the password.
lastNameDisallowed
A Boolean indicating a sequence of characters matching the
resource's "name.familyName" SHALL NOT be included in the
password.
userNameDisallowed
A Boolean indicating a sequence of characters matching the
resource's "userName" SHALL NOT be included in the password.
minPasswordAgeInDays
An Integer indicating the minimum age in days before the password
MAY be changed.
warningAfterDays
An Integer indicating the number of days after which a password
reset warning will be issued.
expiresAfterDays
An Integer indicating the numbers of days after which a password
reset is required.
requiredChars
A String value whose contents indicates a set of characters that
MUST appear, in any sequence, in a password value.
disallowedChars
A String value whose contents indicates a set of characters that
SHALL NOT appear, in any sequence, in a password value.
disallowedSubStrings
A Multi-valued String indicating a set of Strings that SHALL NOT
appear within a password value.
dictionaryLocation
A Reference value containing the URI of a dictionary of words not
allowed to appear within a password value.
passwordHistorySize
An Integer indicating the number of passwords that will be kept in
history that may not be used as a password.
maxIncorrectAttempts
An Integer representing the maximum number of failed logins before
an account is locked.
Hunt & Wilson Expires September 30, 2015 [Page 8]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
lockOutDuration
An Integer indicating the number of minutes an account will be
locked after "maxIncorrectAttempts" exceeded.
challengesEnabled
A Boolean value indicating challenges MAY be used during
authentication.
challengePolicy
A complex attribute that defines policy around challenges. It
contains the following sub-attributes:
source An Integer indicating one of the following:
+ 0 - User Defined.
+ 1 - Admin Defined.
+ 2 - User and Admin Defined.
defaultQuestions A Multi-valued String attribute that contains
one or more default question a subject may use when setting
their challenge questions.
minQuestionCount An Integer indicating the minimum number of
challenge questions a subject MUST answer when setting
challenge question answers. A value of 0 or no value indicates
no minimum.
minAnswerCount An Integer indicating the minimum number of
challenge answers a subject MUST answer when attempting to
reset their password via forgot password request.
allAtOnce A Boolean value. When true, the client UI will present
all challengers in random order each time displayed. When
false, the client UI will present one challenge question at a
time where the subject MUST respond before the next is
displayed.
minResponseLength An Integer indicating the minimum number of
characters in a challenge response. No value or a value of 0
indicates no minimum length (effectively 1).
maxIncorrectAttempts An Integer indicates the maximum number of
failed reset password attempts using challenges. If any
challenges are wrong in a reset attempt, the user's
"resetAttempts" counter will be incremented by 1. If
"resetAttempts" is greater than "maxIncorrectAttempts", the
Hunt & Wilson Expires September 30, 2015 [Page 9]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
subject's account will be locked with a "locked.reason" value
of 2 see Paragraph 3.
2.3. Management Requests
This extension defines a series of password and username management
requests that are modeled as SCIM resource types. Each request acts
as a "function" that MAY result in multiple changes to a designated
resource (e.g. User). For example, setting a password involves the
service provider validating the new password, updating the password,
revising password history and resetting appropriate password state
values.
A management request is performed by doing a SCIM creation request
for the associated management function resource type. Each request
resource type has its own schema and resource type endpoint. The
normal SCIM API rules apply to these requests. When a request is
completed, a SCIM service provider MAY return the final state in the
HTTP response, or it MAY return the location of the created request
resource object that MAY be used for further processing. [TO BE
CLARIFIED]
The following requests are supported and defined in the following
sections:
o PasswordResetRequest
o PasswordValidateRequest
o UsernameValidateRequest
o GenerateUsernameRequest
o RecoverUsernameRequest
2.4. PasswordResetRequest
A password reset request is performed by performing a SCIM Create
operation using HTTP POST to the endpoint for resource type
"PasswordResetRequest" which is typically "/PasswordResetRequests".
Upon receiving the request, the service provider, based on its own
logic, validates the request, and based on its own internal logic
subsequently resets the password of the resource identified by
"userName". This request MAY be made anonymously (since the user is
unable to authenticate) or through an authenticated web application
component, who in turn may be unable to authenticate the user). [Add
security considerations for this request]
Hunt & Wilson Expires September 30, 2015 [Page 10]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
Upon validating a request, the service provider may return either
HTTP Status 200 (Ok), or it may return the request as a temporary
resource that exists for a period of time (e.g. awaiting secondary
approval or e-mail confirmation).
The core schema for a "PasswordResetRequest" is "urn:ietf:params:scim
:schemas:core:2.0:password:PasswordResetRequest". The above schema
can be used in several reset forms as described in the following two
sections. This schema includes the following attributes:
userName
A string value that matches the service provider unique identifier
for the user.
challenges
A Complex attribute describing challenge questions and responses
that match the values found in the resource matched by the
"userName" attribute.
question
A String that represents a challenge question for which the
corresponding response is defined.
response
A String that represents the subjects specified correct
response to the corresponding challenge. The response MAY be
compared case-sensitive or case-insensitive based on service
provider policy.
2.4.1. Password Reset With Challenges
An anonymous (or authenticated web application) by providing a
"userName" and the correct set of challenges and a new password
value, MAY request that a service provider accept a requested
"password" and set the "password" directly. The service provider
might perform other secondary checks to confirm the requestors
identity (email confirmation.
Hunt & Wilson Expires September 30, 2015 [Page 11]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
POST /PasswordResetRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"],
"userName":
"happyAlice",
"challenges": [
{
"challenge":"what is your favorite color",
"response":"red"
},
{
"challenge":"what is name of your pet",
"response":"pet"
},
{
"challenge":"what is city of your birth",
"response":"city"
}],
"password": "<new password>"
}
Upon processing a successful request, the SCIM service provider would
respond with:
HTTP/1.1 200 OK
In the above example, the request is considered complete when
response is returned. In this case, no permanent request object is
created and so no HTTP Location value is returned. In some cases,
the service provider MAY keep the request until workflow completes.
If it wishes to allow clients to "poll" for status, it MAY create a
resource and returns an HTTP Location in the response. [Is this
needed?]
2.4.2. Reset With Email Confirmation
By providing only a "userName" value, an email conformation flow MAY
be initiated that requires the subject to click on the link (to prove
ownership of the known email) upon which the user is confirmed and
the request is processed.
Hunt & Wilson Expires September 30, 2015 [Page 12]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
POST /PasswordResetRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"],
"userName":
"happyAlice"
}
Upon processing a successful request, the SCIM service provider SHALL
respond with:
HTTP/1.1 200 OK
In the above example, it is expected that the User will be given a
link to click on out-of-band. As such the current request completes
with no further response. As with the Challenges variant, a service
provider MAY provide an HTTP Location if the service provider intends
to keep the request active until it is completed. [Is a persisted
request needed?]
2.5. PasswordValidateRequest
A password validation request MAY be used to confirm that a proposed
password value conforms to service provider policy and associated
user policy and password state criteria (e.g. such as password
history). A request is performed by performing a SCIM Create
operation using HTTP POST to the endpoint for resource type
"PasswordValidateRequest" which is typically
"/PasswordValidateRequests". Upon receiving the request, the service
provider, based on its own logic and any associated password policy
for the resource, validates the provided password. [can this be made
anonymously?]
Upon validating a request, the service provider may returns either
HTTP Status 200 (Ok), or it may return HTTP Status 400 indicating the
password is unacceptable. [NOTE: should there be a scimType and/or
description describing a standardized reason for failure such as:
history, tooShort, tooLong, missingSpecialChar, etc etc.
The core schema for a "PasswordValidateRequest" is "urn:ietf:params:s
cim:schemas:core:2.0:password:PasswordValidateRequest". This schema
includes the following attributes:
$ref
Hunt & Wilson Expires September 30, 2015 [Page 13]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
A reference value that contains a URI that points to the resource
(e.g. User) against which the proposed password is to be
validated as an acceptable password.
password
A string value containing the requested password value for which
validation is requested.
The following is a non-normative example validation request. The
example has been altered for clarity:
POST /PasswordValidateRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest"],
"$ref": "/Users/2819c223-7f76-453a-919d-413861904646",
"password":"someG00Didea!"
}
A successful response looks similar to the following non-normative
example:
HTTP/1.1 200 OK
2.6. UsernameValidateRequest
A username validation request MAY be used to confirm that a proposed
username value conforms to service provider policy and associated
user policy as well as uniqueness. A request is performed by
performing a SCIM Create operation using HTTP POST to the endpoint
for resource type "UsernameValidateRequest" which is typically
"/UsernameValidateRequests". Upon receiving the request, the service
provider, tests for uniqueness and any associated formatting policy
and validates the provided username.
Upon validating a request, the service provider may returns either
HTTP Status 200 (Ok), or it may return HTTP Status 400 indicating the
password is unacceptable. [NOTE: should there be a scimType and/or
description describing a standardized reason for failure such as:
history, tooShort, tooLong, missingSpecialChar, etc etc.
The core schema for a "UsernameValidateRequest" is "urn:ietf:params:s
cim:schemas:core:2.0:password:UsernameValidateRequest". This schema
includes the following attributes:
Hunt & Wilson Expires September 30, 2015 [Page 14]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
$ref
A reference value that contains a URI that points to the resource
(e.g. User) against which the proposed userName value is to be
validated as an acceptable.
userName
A string value containing the requested userName value for which
validation is requested.
The following is a non-normative example validation request. The
example has been altered for clarity:
POST /UsernameValidaeRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:UsernameValidateRequest"],
"$ref": "/Users/2819c223-7f76-453a-919d-413861904646",
"userName":"susieQ"
}
A successful response looks similar to the following non-normative
example:
HTTP/1.1 200 OK
2.7. UsernameGenerateRequest
A username generation request MAY be used to request an automatically
generated userName that conforms to service provider policy and
uniqueness requirements. A request is performed by performing a SCIM
Create operation using HTTP POST to the endpoint for resource type
"UsernameGenerateRequest" which is typically
"/UsernameGenerateRequests". Upon receiving the request, the service
provider, generates a unique userName and returns it in a response.
The core schema for a "UsernameGenerateRequest" is "urn:ietf:params:s
cim:schemas:core:2.0:password:UsernameGenerateRequest". This schema
includes the following attributes:
$ref
An operational reference value that contains a URI that points to
the resource (e.g. User) against which existing resource's "name"
attribute MAY be used to generate a userName value. When the $ref
attribute is used, the generate request MUST be authenticated.
Hunt & Wilson Expires September 30, 2015 [Page 15]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
userName
A string value that is returned in the server's response that
contains a generated userName value. The generated userName is
not reserved and is guaranteed on first-come-first-served basis by
a subsequent SCIM creation or modify request.
name
An optional complex attribute containing the components of the
user's name against which a userName value is to be generated.
This attribute MAY be typically used as part of an anonymous
userName generation request during a user registration dialog.
formatted The full name, including all middle names, titles, and
suffixes as appropriate, formatted for display (e.g. "Ms.
Barbara Jane Jensen, III." ).
familyName The family name of the User, or last name in most
Western languages (e.g. "Jensen" given the full name "Ms.
Barbara Jane Jensen, III." ).
givenName The given name of the User, or first name in most
Western languages (e.g. "Barbara" given the full name "Ms.
Barbara Jane Jensen, III." ).
middleName The middle name(s) of the User (e.g. "Jane" given the
full name "Ms. Barbara Jane Jensen, III." ).
honorificPrefix The honorific prefix(es) of the User, or title in
most Western languages (e.g. "Ms." given the full name "Ms.
Barbara Jane Jensen, III." ).
honorificSuffix The honorific suffix(es) of the User, or suffix
in most Western languages (e.g. "III." given the full name
"Ms. Barbara Jane Jensen, III." ).
Hunt & Wilson Expires September 30, 2015 [Page 16]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
The following is a non-normative example userName generation request.
The example has been altered for clarity:
POST /UsernameGenerateRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:UsernameGenerateRequest"],
"name": {
"formatted": "Ms. Barbara J Doe III",
"familyName": "Doe",
"givenName": "Barbara",
"middleName": "Jane",
"honorificSuffix": "III"
}
}
A successful response looks similar to the following non-normative
example:
HTTP/1.1 200 OK
{
"userName": "barbara.doe",
}
2.8. UsernameRecoverRequest
A userName recovery request MAY be used to look up a userName based
on a provided email address. The provided email address may be
matched against any value of an existing resource's "emails"
attribute. A request is performed by performing a SCIM Create
operation using HTTP POST to the endpoint for resource type
"UsernameRecoverRequest" which is typically
"/UsernameRecoverRequests". Upon receiving the request, the service
provider, generates a unique userName and returns it in a response.
The core schema for a "UsernameRecoverRequest" is "urn:ietf:params:sc
im:schemas:core:2.0:password:UsernameRecoverRequest". This schema
includes the following attributes:
email
A string value containing an email address that is to be matched
against an existing resource's "emails" attribute.
Hunt & Wilson Expires September 30, 2015 [Page 17]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
userName A string value provided in response to a request which is
the unique userName that corresponds to the recovery request.
The following is a non-normative example userName recovery request.
The example has been altered for clarity:
POST /UsernameRecoverRequests HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
"schemas":
["urn:ietf:params:scim:schemas:core:2.0:password:UsernameRecoverRequest"],
"email": "bdoe@example.com"
}
A successful response looks similar to the following non-normative
example:
HTTP/1.1 200 OK
{
"userName": "barbara.doe",
}
[Note: it would be more secure not to return the userName in the
response and instead the service provider should send an email
confirmation]
3. Schemas Representation
This section provides a JSON representation of the schema extensions
in this draft. [TODO follow format of Sec 8.7 of core schema draft]
3.1. Password Extension
The following is a representation of the password state extension
"urn:ietf:params:scim:schemas:extension:account:2.0:Password" that is
used to extend a User resource.
{
"id" :
"urn:ietf:params:scim:schemas:extension:account:2.0:Password",
"name" : "Password Management Schema Extension",
"description" : "This extension defines attributes used to manage
account passwords within a service provider. The extension is
typically applied to a User resource, but MAY be applied to
other resources that use passwords.",
Hunt & Wilson Expires September 30, 2015 [Page 18]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"attributes" : [
{
"name" : "passwordState",
"type" : "complex",
"multiValued" : false,
"description" : "A Complex attribute that describes server
provided attributes regarding the state of the resource's
password.",
"required" : true,
"returned" : "default",
"mutability" : "readWrite",
"subAttributes" : [
{
"name" : "createDate",
"type" : "dateTime",
"multiValued" : false,
"description" : "A DateTime which specifies the date and
time the current password was set.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "cantChange",
"type" : "boolean",
"multiValued" : false,
"description" : "A Boolean indicating that the current
password MAY NOT be changed and all other password expiry
settings SHALL be ignored",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "noExpiry",
"type" : "boolean",
"multiValued" : false,
"description" : "A Boolean indicating that password expiry
policy will not be applied for the current resource.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "lastSuccessfulLoginDate",
"type" : "dateTime",
"multiValued" : false,
"description" : "A DateTime value indicating the last
Hunt & Wilson Expires September 30, 2015 [Page 19]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
successful login date.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "lastFailedLoginDate",
"type" : "dateTime",
"multiValued" : false,
"description" : "A DateTime value indicating the last
failed login date.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "loginAttempts",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer value indicating the number of
failed login attempts. The value is reset to 0 after a
successfull login.",
"required" : false,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "resetAttempts",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer value indicating the number of
password reset attempts. The value is reset to 0 after
successful reset.",
"required" : false,
"mutability" : "readOnly",
"returned" : "default"
},
{
"name" : "passwordMustChange",
"type" : "boolean",
"multiValued" : false,
"description" : "A Boolean value that indicates that the
subject password value MUST change at the next login. If
not changed, typically the account is locked The value
may be set indirectly when the subject's current password
expires, or directly set by an administrator.",
"required" : false,
"mutability" : "readWrite",
Hunt & Wilson Expires September 30, 2015 [Page 20]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"returned" : "default"
}
]
},
{
"name" : "passwordPolicyUrl",
"type" : "reference",
"referenceTypes" : ["PasswordPolicy"],
"multiValued" : false,
"description" : "A URI reference value that indicates the
address of a password policy that is used in relation to the
current resource.",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "locked",
"type" : "complex",
"multiValued" : false,
"description" : "A Complex attribute that indicates an account
is locked (blocking new sessions).",
"required" : false,
"returned" : "default",
"mutability" : "readWrite",
"subAttributes" : [
{
"name" : "reason",
"type" : "integer",
"multiValued" : false,
"description" : "A number value indicating the reason for
locking. Valid values are: 0 - failed attempts. 1 - admin
lock. 2 - reset attempts",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "on",
"type" : "boolean",
"multiValued" : false,
"description" :
"A Boolean value indicating the account is locked.",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
Hunt & Wilson Expires September 30, 2015 [Page 21]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
},
{
"name" : "lockDate",
"type" : "dateTime",
"multiValued" : false,
"description" : "A DateTime which specifies the date and
time the current resource was locked.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
}
]
},
{
"name" : "challenges",
"type" : "complex",
"multiValued" : true,
"description" : "A Complex attribute describing challenge
questions that may be used as a supplementary factor during
login or during password management requests.",
"required" : false,
"returned" : "default",
"mutability" : "readWrite",
"subAttributes" : [
{
"name" : "question",
"type" : "string",
"multiValued" : false,
"description" : "A String that represents a challenge
question for which the corresponding response is
defined.",
"required" : true,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "response",
"type" : "string",
"multiValued" : false,
"description" : "A String that represents the subjects
specified correct response to the corresponding
challenge.",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
Hunt & Wilson Expires September 30, 2015 [Page 22]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"uniqueness" : "none"
}
]
},
{
"name" : "passwordHistory",
"type" : "string",
"multiValued" : true,
"description" : "A writeOnly attribute that contains hashes of
previous passwords associated with the SCIM resource.",
"required" : false,
"caseExact" : true,
"mutability" : "writeOnly",
"returned" : "never",
"uniqueness" : "none"
}
]
}
Password Extension for Users
3.2. Password Policy Schema
The following is a representation of the password policy resource
type extension
"urn:ietf:params:scim:schemas:core:2.0:policy:Password" that is used
to define a PasswordPolicy resource.
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:policy:Password",
"name" : "Password Policy Schema",
"description" : "This extension defines attributes for a password
policy.",
"attributes" : [
{
"name" : "name",
"type" : "string",
"multiValued" : false,
"description" : "A String that is the name of the policy.
Typically used for informational purposes (e.g. to display
to the user)",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
Hunt & Wilson Expires September 30, 2015 [Page 23]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
{
"name" : "description",
"type" : "string",
"multiValued" : false,
"description" : "A String that describes the current policy.
Typically used for informational purposes (e.g. to display
to a user).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "maxLength",
"type" : "integer",
"multiValued" : false,
"description" : "Maximum password length in characters.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minLength",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum password length in characters.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minAlphas",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum number of alpha chcars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minNumerals",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum number of numeric characters.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
Hunt & Wilson Expires September 30, 2015 [Page 24]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
},
{
"name" : "maxLength",
"type" : "integer",
"multiValued" : false,
"description" : "Maximum password length in characters.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minAlphaNumerals",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum num of alphas and numeric chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minSpecialChars",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum num of special chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "maxSpecialChars",
"type" : "integer",
"multiValued" : false,
"description" : "Maximum number of special chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minUpperCase",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum num of upper case chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minLowerCase",
Hunt & Wilson Expires September 30, 2015 [Page 25]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"type" : "integer",
"multiValued" : false,
"description" : "Minimum num of lower case chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minUnique",
"type" : "integer",
"multiValued" : false,
"description" : "Minimum num of unique chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "maxRepeatChars",
"type" : "integer",
"multiValued" : false,
"description" : "Max num of repeated chars.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "startsWithAlphas",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates password must begin with alpha char",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minUnicodeChars",
"type" : "integer",
"multiValued" : false,
"description" : "[TO BE DISCUSSED]",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "firstNameDisallowed",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates a sequence of characters matching
Hunt & Wilson Expires September 30, 2015 [Page 26]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
the resource's name.givenName SHALL NOT be included in the
password",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "lastNameDisallowed",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates a sequence of characters matching
the resource's name.familyName SHALL NOT be included in the
password",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "userNameDisallowed",
"type" : "boolean",
"multiValued" : false,
"description" : "Indicates a sequence of characters matching
the resource's userName SHALL NOT be included in the
password",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minPasswordAgeInDays",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the minimum age in days
before the password MAY be changed.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "warningAfterDays",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the number of days after
which a password reset warning will be issued.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
Hunt & Wilson Expires September 30, 2015 [Page 27]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
{
"name" : "expiresAfterDays",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the numbers of days
after which a password reset is required.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "requiredChars",
"type" : "string",
"multiValued" : false,
"description" : "A String value whose contents indicates a set
of characters that MUST appear, in any sequence, in a
password value.",
"required" : false,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "never",
"uniqueness" : "none"
},
{
"name" : "disallowedChars",
"type" : "string",
"multiValued" : false,
"description" : "A String value whose contents indicates a set
of characters that SHALL NOT appear, in a password value.",
"required" : false,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "never",
"uniqueness" : "none"
},
{
"name" : "disallowedSubstrings",
"type" : "string",
"multiValued" : true,
"description" : "A set of strings that SHALL not appear in a
password value.",
"required" : false,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "never",
"uniqueness" : "none"
},
{
Hunt & Wilson Expires September 30, 2015 [Page 28]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"name" : "disctionaryLocation",
"type" : "reference",
"referenceTypes" : ["reference"],
"multiValued" : false,
"description" : "A Reference value containing the URI of a
dictionary of words not allowed to appear within a password
value.",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "passwordHistorySize",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the number of passwords
that will be kept in history that may not be used as a
password.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "maxIncorrectAttempts",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer representing the maximum number of
failed logins before an account is locked.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "lockOutDuration",
"type" : "integer",
"multiValued" : false,
"description" : "An integer indicating the number of minutes
an account will be locked after maxIncorrectAttempts
exceeded.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "challengesEnabled",
"type" : "boolean",
Hunt & Wilson Expires September 30, 2015 [Page 29]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"multiValued" : false,
"description" : "Indicates whether challenges may be used
during authentication.",
"required" : false,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "challengePolicy",
"type" : "complex",
"multiValued" : false,
"description" : "A complex attribute that defines policy around
challenges.",
"required" : true,
"returned" : "default",
"mutability" : "readWrite",
"subAttributes" : [
{
"name" : "source",
"type" : "integer",
"multiValued" : false,
"description" : "A number value indicating the source for
challenges. Valid values are: 0 - user. 1 - admin
defined. 2 - both",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "defaultQuestions",
"type" : "string",
"multiValued" : true,
"description" : "A Multi-valued String attribute that
contains one or more default question a subject may use
when setting their challenge questions",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "minQuestionCount",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the minimum number
of challenge questions a subject MUST answer when setting
challenge question answers. A value of 0 or no value
Hunt & Wilson Expires September 30, 2015 [Page 30]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
indicates no minimum.",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minAnswerCount",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the mimimum number
of challenge answers a subject MUST answer when
attempting to reset their password via forgot password
request.",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "allAtOnce",
"type" : "boolean",
"multiValued" : false,
"description" : "When true, the client UI will present
all challengers in random order each time displayed.
When false, the client UI will present one challenge
question at a time where the subject MUST respond before
the next is displayed.",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "minResponseLength",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicating the minimum number
of chars in a challenge response. No value or a value
of 0 indicates no minimum length (effectively 1)",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
},
{
"name" : "maxIncorrectAttempts",
"type" : "integer",
"multiValued" : false,
"description" : "An Integer indicates the maximum number of
failed reset password attempts using challenges. If any
challenges are wrong in a reset attempt, the user's
Hunt & Wilson Expires September 30, 2015 [Page 31]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
resetAttempts counter will be incremented by 1. If
resetAttempts is greater than maxIncorrectAttempts, the
subject's account will be locked with a locked.reason
value.",
"required" : true,
"mutability" : "readWrite",
"returned" : "default"
}
]
}
]
}
Password Policy Schema
3.3. Request Schemas
The following are the schemas for all password request resource types
returned by the "/Schemas" endpoint:
[
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest",
"name" : "Password Reset Request",
"description" : "Used to submit a password reset request for a
specific userName. Before resetting a secondary confirmation is
completed.",
"attributes" : [
{
"name" : "userName",
"type" : "string",
"multiValued" : false,
"description" : "A string value that matches the service provider
unique identifier for the user.",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "challenges",
"type" : "complex",
"multiValued" : true,
"description" : "A Complex attribute describing challenge
questions and responses that match the values found in the
resource matched by the userName attribute.",
Hunt & Wilson Expires September 30, 2015 [Page 32]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"required" : false,
"returned" : "default",
"mutability" : "readWrite",
"subAttributes" : [
{
"name" : "question",
"type" : "string",
"multiValued" : false,
"description" : "A String that represents a challenge
question for which the corresponding response is
defined.",
"required" : true,
"caseExact" : true,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "response",
"type" : "string",
"multiValued" : false,
"description" : "A String that represents the subjects
specified correct response to the corresponding
challenge.",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"name" : "password",
"type" : "string",
"multiValued" : false,
"description" : "A string value for the requested password.
When specified, the challenges attribute must also be present.",
"required" : true,
"caseExact" : false,
"mutability" : "writeOnly",
"returned" : "never",
"uniqueness" : "none"
}
]
},
{
"id" :
Hunt & Wilson Expires September 30, 2015 [Page 33]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest",
"name" : "Password Validate Request",
"description" : "Used to submit a password for validation.",
"attributes" : [
{
"name" : "password",
"type" : "string",
"multiValued" : false,
"description" : "A string value for the requested password.
When specified, the challenges attribute must also be present.",
"required" : true,
"caseExact" : false,
"mutability" : "writeOnly",
"returned" : "never",
"uniqueness" : "none"
}
]
},
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameValidateRequest",
"name" : "UserName Validate Request",
"description" : "Used to submit a username for validation.",
"attributes" : [
{
"name" : "$ref",
"type" : "reference",
"referenceTypes" : [
"User"
],
"multiValued" : false,
"description" : "A reference value that contains a URI that
points to the resource (e.g. User) against which the proposed
userName value is to be validated as an acceptable.",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "userName",
"type" : "string",
"multiValued" : false,
"description" : "A string value containing the requested userName
value for which validation is requested.",
"required" : true,
"caseExact" : false,
Hunt & Wilson Expires September 30, 2015 [Page 34]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameGenerateRequest",
"name" : "Username Generate Request",
"description" : "Used to request a new username be generated.",
"attributes" : [
{
"name" : "$ref",
"type" : "reference",
"referenceTypes" : [
"User"
],
"multiValued" : false,
"description" : "An reference value that contains a URI that
points to the resource (e.g. User) against which existing
resource's name attribute MAY be used to generate a userName
value. When the $ref attribute is used, the generate
request MUST be authenticated.",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "userName",
"type" : "string",
"multiValued" : false,
"description" : "A string value that is returned in the
server's reponse that contains a generated userName value.
The generated userName is not reserved and is guaranteed on
first-come-first-served basis by a subsequent SCIM creation
or modify request.",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "name",
"type" : "complex",
Hunt & Wilson Expires September 30, 2015 [Page 35]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"multiValued" : false,
"description" : "An optional complex attribute containing the
components of the user's name against which a userName value
is to be generated. This attribute MAY be typically used as
part of an anonymous userName generation request during a
user registration dialog.",
"required" : false,
"subAttributes" : [
{
"name" : "formatted",
"type" : "string",
"multiValued" : false,
"description" : "The full name, including all middle names,
titles, and suffixes as appropriate, formatted for display (e.g. Ms.
Barbara J Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "familyName",
"type" : "string",
"multiValued" : false,
"description" : "The family name of the User, or Last Name
in most Western languages (e.g. Jensen given the full name Ms. Barbara J
Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "givenName",
"type" : "string",
"multiValued" : false,
"description" : "The given name of the User, or First Name
in most Western languages (e.g. Barbara given the full name Ms. Barbara
J Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
Hunt & Wilson Expires September 30, 2015 [Page 36]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"name" : "middleName",
"type" : "string",
"multiValued" : false,
"description" : "The middle name(s) of the User (e.g. Robert
given the full name Ms. Barbara J Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "honorificPrefix",
"type" : "string",
"multiValued" : false,
"description" : "The honorific prefix(es) of the User, or
Title in most Western languages (e.g. Ms. given the full name Ms.
Barbara J Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "honorificSuffix",
"type" : "string",
"multiValued" : false,
"description" : "The honorific suffix(es) of the User, or
Suffix in most Western languages (e.g. III. given the full name Ms.
Barbara J Jensen, III.).",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
],
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
]
},
{
"id" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameRecoverRequest",
"name" : "UserName Recovery Request",
Hunt & Wilson Expires September 30, 2015 [Page 37]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"description" : "Used to look up a username by email address.",
"attributes" : [
{
"name" : "email",
"type" : "string",
"multiValued" : false,
"description" : "A string value containing an email address
that is to be matched against an existing resource's emails
attribue.",
"required" : false,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
},
{
"name" : "userName",
"type" : "string",
"multiValued" : false,
"description" : "A string value provided in response to a
request which is the unique userName that corresponds to the
recovery request.",
"required" : true,
"caseExact" : false,
"mutability" : "readOnly",
"returned" : "always",
"uniqueness" : "none"
}
]
}
]
Request Schemas
4. Password Management ResourceTypes
The following are the resource type definitions for the resource
types defined in this specification.
[
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "PasswordPolicy",
"name" : "Password Policy Definition",
"endpoint" : "/Users",
"description" : "Password policy definition",
Hunt & Wilson Expires September 30, 2015 [Page 38]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
"schema" : "urn:ietf:params:scim:schemas:core:2.0:policy:Password",
"schemaExtensions" : [
]
},
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "PasswordResetRequest",
"name" : "Password Reset Request type",
"endpoint" : "/PasswordResetRequest",
"description" : "Resource type for processing password reset
requests",
"schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest",
"schemaExtensions" : [
]
},
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "PasswordValidateRequest",
"name" : "Password Validate Request type",
"endpoint" : "/PasswordValidateRequest",
"description" : "Resource type for processing password validation
requests",
"schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest",
"schemaExtensions" : [
]
},
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "UserNameValidateRequest",
"name" : "Username Validate Request type",
"endpoint" : "/UserNameValidateRequest",
"description" : "Resource type for processing username validation
requests",
"schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameValidateRequest",
"schemaExtensions" : [
Hunt & Wilson Expires September 30, 2015 [Page 39]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
]
},
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "UserNameGenerateRequest",
"name" : "Username Generation Request type",
"endpoint" : "/UserNameGenerateRequest",
"description" : "Resource type for processing username generation
requests",
"schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameGenerateRequest",
"schemaExtensions" : [
]
},
{
"schemas" : [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id" : "UserNameRecoverRequest",
"name" : "Username Recovery Request type",
"endpoint" : "/UserNameRecoverRequest",
"description" : "Resource type for recovering usernames.",
"schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameRecoveryRequest",
"schemaExtensions" : [
]
}
]
Password Management Resource Types
5. Security Considerations
This specification builds on those of the SCIM API and Core-Schema
specifications and as such the security considerations of both of
these drafts apply to this specification.
[other considerations TBD]
6. IANA Considerations
TODO: Registration for Password management schema
TODO: Registration of password management resource types
Hunt & Wilson Expires September 30, 2015 [Page 40]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
7. References
7.1. Normative References
[I-D.ietf-scim-api]
Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C.
Mortimore, "System for Cross-Domain Identity Management:
Protocol", draft-ietf-scim-api-14 (work in progress),
December 2014.
[I-D.ietf-scim-core-schema]
Hunt, P., Grizzle, K., Wahlstroem, E., and C. Mortimore,
"System for Cross-Domain Identity Management: Core
Schema", draft-ietf-scim-core-schema-14 (work in
progress), December 2014.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC
3986, January 2005.
7.2. Informative References
[I-D.ietf-precis-framework]
Saint-Andre, P. and M. Blanchet, "PRECIS Framework:
Preparation, Enforcement, and Comparison of
Internationalized Strings in Application Protocols",
draft-ietf-precis-framework-21 (work in progress),
December 2014.
Appendix A. Contributors
Appendix B. Acknowledgments
The editor would like to thank the participants in the SCIM working
group for their support of this specification.
Appendix C. Change Log
Draft 00 - PH - First Draft
Authors' Addresses
Hunt & Wilson Expires September 30, 2015 [Page 41]
Internet-Draft draft-hunt-scim-password-mgmt March 2015
Phil Hunt (editor)
Oracle Corporation
Email: phil.hunt@yahoo.com
Gregg Wilson
Oracle Corporation
Email: gregg.wilson@oracle.com
Hunt & Wilson Expires September 30, 2015 [Page 42]