<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-hunt-scim-password-mgmt-00"
     ipr="trust200902">
  <front>
    <title abbrev="draft-hunt-scim-password-mgmt">SCIM Password Management
    Extension</title>

    <author fullname="Phil Hunt" initials="P." role="editor" surname="Hunt">
      <organization abbrev="Oracle">Oracle Corporation</organization>

      <address>
        <email>phil.hunt@yahoo.com</email>
      </address>
    </author>

    <author fullname="Gregg Wilson" initials="G." surname="Wilson">
      <organization abbrev="Oracle">Oracle Corporation</organization>

      <address>
        <email>gregg.wilson@oracle.com</email>
      </address>
    </author>

    <date month="March" year="2015"/>

    <keyword>SCIM</keyword>

    <abstract>
      <t>The System for Cross-Domain Identity Management (SCIM) specification
      is an HTTP-based protocol that makes managing identities in multi-domain
      scenarios easier to support through standardized services. SCIM
      provides extension points that enable new ResourceTypes and Schema
      Extensions to be defined. This specification defines a set of password
      and account status extensions for managing passwords, password usage
      (e.g. failures) and other related session data. The specification
      defines new ResourceTypes that enable management of passwords and
      account recovery functions.</t>
    </abstract>
  </front>

  <middle>
    <section anchor="intro" title="Introduction and Overview" toc="default">
      <t>The System for Cross-Domain Identity Management (SCIM) specification
      is an HTTP-based protocol that makes managing identities in multi-domain
      scenarios easier to support through standardized services. SCIM
      provides extension points that enable new ResourceTypes and Schema
      Extensions to be defined. This specification defines a set of password
      and account status extensions for managing passwords and tracking
      password usage (e.g. failures) and other related session data. The
      specification defines new resource types that enable management of
      passwords and account recovery functions.</t>

      <t>This specification defines a set of SCIM schema extensions:<list style="symbols">
          <t>Password Schema Extension - Providing account password state
          (e.g. login attempts, successful login date, create date), policy,
          account locking, as well as challenge questions.</t>

          <t>Password Policy Schema - A new resource type that defines
          password policies that may be applied to resources that use
          passwords such as complexity requirements, expiry, lockout, and
          usage constraints.</t>
        </list></t>

      <t>A set of resource types is defined that enables password and password
      policy management:<list style="symbols">
          <t>Password Policy</t>

          <t>Password Reset Request</t>

          <t>Password Validation Request</t>

          <t>Username Recovery Request</t>
        </list>In the above list, the last 3 resource types are temporary
      resources that are used to convey requests that may update an identified
      target resource URI (e.g. a User). While these requests have a simple
      state transfer request/response relationship with a SCIM client, they
      may cause secondary effects by changing multiple attribute states in the
      target of the request. For example, setting a resource's password
      attribute involves validating password policy as well as checking and
      revising password history. There may be further service provider actions
      such as email confirmation that occur asynchronously from the SCIM
      client's perspective.</t>

      <section anchor="notat" title="Notational Conventions" toc="default">
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
        "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
        document are to be interpreted as described in <xref
        target="RFC2119"/>. These keywords are capitalized when used to
        unambiguously specify requirements of the protocol or application
        features and behavior that affect the interoperability and security of
        implementations. When these words are not capitalized, they are meant
        in their natural-language sense.</t>

        <t>For purposes of readability, examples are not URL encoded.
        Implementers MUST percent-encode URLs as described in <xref
        target="RFC3986">Section 2.1 of</xref>.</t>

        <t>Throughout this document, all figures MAY contain spaces and extra
        line-wrapping for readability and space limitations. Similarly, some
        URIs contained within examples have been shortened for space and
        readability reasons.</t>
      </section>

      <section anchor="defs" title="Definitions" toc="default">
        <t>[TBD]</t>
      </section>
    </section>

    <section anchor="schema" title="Schema Extensions">
      <section anchor="passwordSchema" title="Password Schema Extension">
        <t>The following SCIM extension defines attributes used to manage
        account passwords within a service provider. The extension is applied
        to a <spanx style="verb">User</spanx> resource, but MAY be applied to
        other resources that use passwords. The password extension is
        identified using the following schema URI: <spanx style="verb">urn:ietf:params:scim:schemas:extension:account:2.0:Password</spanx>.</t>

        <t>The following Singular Attributes are defined:<list style="hanging">
            <t hangText="passwordState"><vspace/>A Complex attribute that
            describes server provided attributes regarding the state of the
            resource's password.<list style="hanging">
                <t hangText="createDate"><vspace/>A DateTime which specifies
                the date and time the current password was set.</t>

                <t hangText="cantChange"><vspace/>A Boolean indicating that
                the current password MAY NOT be changed and all other password
                expiry settings SHALL be ignored.</t>

                <t hangText="noExpiry"><vspace/>A Boolean indicating that
                password expiry policy will not be applied for the current
                resource.</t>

                <t hangText="lastSuccessfulLoginDate"><vspace/>A DateTime
                value indicating the last successful login date.</t>

                <t hangText="lastFailedLoginDate"><vspace/>A DateTime value
                indicating the last failed login date.</t>

                <t hangText="loginAttempts"><vspace/>An Integer value
                indicating the number of failed login attempts. The value is
                reset to 0 after a successful login.</t>

                <t hangText="resetAttempts"><vspace/>An Integer value
                indicating the number of password reset attempts.</t>

                <t hangText="passwordMustChange"><vspace/>A Boolean value that
                indicates that the subject's password value MUST change at the
                next login. If not changed, the account is typically locked.
                The value may be set indirectly when the subject's current
                password expires, or set directly by an administrator.</t>
              </list></t>

            <t hangText="passwordPolicyUri"><vspace/>A URI reference value
            that indicates the address of a password policy that is used in
            relation to the current resource.</t>

            <t anchor="locked" hangText="locked"><vspace/>A Complex attribute
            that indicates an account is locked (blocking new sessions). The
            following sub-attributes are defined:<list style="hanging">
                <t hangText="reason"><vspace/>A number value indicating the
                reason for locking. Valid values are:<list>
                    <t>0 - locked due to failed login attempts.</t>

                    <t>1 - locked by an administrator.</t>

                    <t>2 - locked due to failed forgot password reset
                    attempts.</t>
                  </list></t>

                <t hangText="on"><vspace/>A Boolean value indicating the
                account is locked.</t>

                <t hangText="lockDate"><vspace/>A DateTime indicating when
                the resource was locked.</t>

                <t hangText="duration"><vspace/>An optional Integer
                indicating the length of the lockout in seconds.</t>
              </list></t>
          </list></t>

        <t>The following Multi-valued Attributes are defined:<list
            style="hanging">
            <t hangText="challenges"><vspace/>A Complex attribute describing
            challenge questions that may be used as a supplementary factor
            during login or during password management requests.<list
                style="hanging">
                <t hangText="question"><vspace/>A String that represents a
                challenge question for which the corresponding response is
                defined.</t>

                <t hangText="response"><vspace/>A String that represents the
                subject's specified correct response to the corresponding
                challenge. The response MAY be compared case-sensitively or
                case-insensitively based on service provider policy.</t>
              </list></t>

            <t hangText="passwordHistory"><vspace/>A writeOnly attribute that
            contains hashes of previous passwords associated with the SCIM
            resource. The number of passwords stored in this attribute is set
            by <spanx style="verb">policy.passwordHistorySize</spanx>.
            Persisted values MUST be securely hashed such that clients may
            test whether a clear-text value was previously used by looking for
            a matching hash within the array of values.</t>
          </list></t>
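        <t>The following is an added, non-normative example that is not part
        of this draft. It shows how a service provider might apply login
        outcomes to the passwordState and locked attributes defined above,
        using the maxIncorrectAttempts, lockOutDuration and expiresAfterDays
        attributes of the associated PasswordPolicy: failed logins increment
        loginAttempts and set lastFailedLoginDate, reaching the limit locks the
        account with locked.reason 0 and a duration converted from minutes to
        seconds, a successful login resets loginAttempts to 0, and
        passwordMustChange is derived from createDate unless cantChange or
        noExpiry is set. The attribute names are those of this extension; the
        function names, the rule that a lock with a duration ends once lockDate
        plus duration has passed, and the sample policy and User are
        assumptions of this example.</t>

        <figure>
          <artwork><![CDATA[
```python
"""Applying login outcomes to the passwordState and locked attributes of the
Password Schema Extension.  Added example, not code from the draft; the
lock-expiry rule, function names and sample data are this example's own."""
from datetime import datetime, timedelta, timezone

PASSWORD_EXT = "urn:ietf:params:scim:schemas:extension:account:2.0:Password"
REASON_FAILED_LOGINS = 0   # locked.reason values defined by the draft
REASON_ADMIN = 1
REASON_FAILED_RESETS = 2


def _ext(user):
    """Return the extension block on a SCIM User dict, creating it if absent."""
    ext = user.setdefault(PASSWORD_EXT, {})
    ext.setdefault("passwordState", {"loginAttempts": 0, "resetAttempts": 0})
    ext.setdefault("locked", {"on": False})
    return ext


def lock_active(user, now):
    """True while the account is locked.  A lock with a duration ends once
    lockDate + duration seconds has passed (assumption); one without a
    duration stays until cleared."""
    locked = _ext(user)["locked"]
    if not locked.get("on"):
        return False
    if locked.get("duration") is None:
        return True
    lock_date = datetime.fromisoformat(locked["lockDate"])
    return now < lock_date + timedelta(seconds=locked["duration"])


def lock(user, reason, now, duration_seconds=None):
    """Set locked.on together with reason, lockDate and optional duration."""
    locked = {"on": True, "reason": reason, "lockDate": now.isoformat()}
    if duration_seconds is not None:
        locked["duration"] = duration_seconds
    _ext(user)["locked"] = locked


def record_login(user, policy, succeeded, now):
    """Update passwordState after an authentication attempt and report whether
    the account is locked afterwards.  maxIncorrectAttempts and
    lockOutDuration (minutes) come from the PasswordPolicy resource."""
    state = _ext(user)["passwordState"]
    if succeeded:
        state["loginAttempts"] = 0               # reset to 0 after success
        state["lastSuccessfulLoginDate"] = now.isoformat()
        return lock_active(user, now)
    state["loginAttempts"] = state.get("loginAttempts", 0) + 1
    state["lastFailedLoginDate"] = now.isoformat()
    limit = policy.get("maxIncorrectAttempts")
    if limit and state["loginAttempts"] >= limit:
        minutes = policy.get("lockOutDuration")  # policy: minutes; locked.duration: seconds
        lock(user, REASON_FAILED_LOGINS, now, None if minutes is None else minutes * 60)
    return lock_active(user, now)


def password_must_change(user, policy, now):
    """Derive passwordMustChange from createDate and expiresAfterDays,
    honouring the cantChange and noExpiry overrides."""
    state = _ext(user)["passwordState"]
    if state.get("passwordMustChange"):
        return True
    if state.get("cantChange") or state.get("noExpiry"):
        return False
    days, created = policy.get("expiresAfterDays"), state.get("createDate")
    if not days or not created:
        return False
    return now >= datetime.fromisoformat(created) + timedelta(days=days)


# Constructed sample policy (not from the draft).
POLICY = {"maxIncorrectAttempts": 3, "lockOutDuration": 15, "expiresAfterDays": 90}


def demo():
    """Three failed logins lock the account for 15 minutes; the password,
    set 120 days ago, is past its 90-day expiry."""
    now = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)
    user = {"userName": "happyAlice", PASSWORD_EXT: {"passwordState": {
        "createDate": "2014-11-01T00:00:00+00:00", "loginAttempts": 0}}}
    sequence = [record_login(user, POLICY, False, now + timedelta(seconds=i))
                for i in range(3)]
    ext = user[PASSWORD_EXT]
    return {"lock_sequence": sequence,
            "reason": ext["locked"]["reason"],
            "duration": ext["locked"]["duration"],
            "still_locked_after_16_min": lock_active(user, now + timedelta(minutes=16)),
            "attempts": ext["passwordState"]["loginAttempts"],
            "must_change": password_must_change(user, POLICY, now)}


if __name__ == "__main__":
    print(demo())
```
]]></artwork>
        </figure>

        <t>The example keeps locked.duration in seconds while lockOutDuration
        is expressed in minutes, as the two attribute definitions require, so
        a 15 minute policy value becomes a duration of 900.</t>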
      </section>

      <section title="Password Policy">
        <t>The following SCIM extension defines a new SCIM resource type known
        as <spanx style="verb">PasswordPolicy</spanx>, which usually has an
        endpoint of <spanx style="verb">/PasswordPolicies</spanx>. The
        password policy is identified using the following core schema URI:
        <spanx style="verb">urn:ietf:params:scim:schemas:core:2.0:policy:Password</spanx>.</t>

        <t>The following Single-value attributes are defined:<list
            style="hanging">
            <t hangText="name"><vspace/>A String that is the name of the
            policy. Typically used for informational purposes (e.g. to display
            to the user).</t>

            <t hangText="description"><vspace/>A String that describes the
            current policy. Typically used for informational purposes (e.g. to
            display to a user).</t>

            <t hangText="maxLength"><vspace/>An Integer indicating the maximum
            password length (in characters). A value of 0 or no value SHALL
            indicate no maximum length restriction.</t>

            <t hangText="minLength"><vspace/>An Integer indicating the minimum
            password length (in characters). A value of 0 or no value SHALL
            indicate no minimum length restriction.</t>

            <t hangText="minAlphas"><vspace/>An Integer indicating the minimum
            number of alphabetic characters in a password. A value of 0 or no
            value SHALL indicate no minimum restriction.</t>

            <t hangText="minNumerals"><vspace/>An Integer indicating the
            minimum number of numeric characters in a password. A value of 0
            or no value SHALL indicate no minimum restriction.</t>

            <t hangText="minAlphaNumerals"><vspace/>An Integer indicating the
            minimum number of alphabetic or numeric characters in a password.
            A value of 0 or no value SHALL indicate no minimum
            restriction.</t>

            <t hangText="minSpecialChars"><vspace/>An Integer indicating the
            minimum number of special characters in a password. A value of 0
            or no value SHALL indicate no minimum restriction.</t>

            <t hangText="maxSpecialChars"><vspace/>An Integer indicating the
            maximum number of special characters in a password. A value of 0
            or no value SHALL indicate no maximum restriction.</t>

            <t hangText="minUpperCase"><vspace/>An Integer indicating the
            minimum number of upper-case alphabetic characters in a password.
            A value of 0 or no value SHALL indicate no minimum
            restriction.</t>

            <t hangText="minLowerCase"><vspace/>An Integer indicating the
            minimum number of lower-case alphabetic characters in a password.
            A value of 0 or no value SHALL indicate no minimum
            restriction.</t>

            <t hangText="minUniqueChars"><vspace/>An Integer indicating the
            minimum number of unique characters in a password. A value of 0 or
            no value SHALL indicate no minimum restriction.</t>

            <t hangText="maxRepeatedChars"><vspace/>An Integer indicating the
            maximum number of repeated characters in a password. A value of 0
            or no value SHALL indicate no restriction.</t>

            <t hangText="startsWithAlpha"><vspace/>A Boolean indicating that
            the password MUST begin with an alphabetic character.</t>

            <t hangText="minUnicodeChars"><vspace/>[...not sure this makes
            sense. There are strict limitations on password values (must be
            Unicode UTF-8 processed by PRECIS)]</t>

            <t hangText="firstNameDisallowed"><vspace/>A Boolean indicating a
            sequence of characters matching the resource's <spanx
            style="verb">name.givenName</spanx> SHALL NOT be included in the
            password.</t>

            <t hangText="lastNameDisallowed"><vspace/>A Boolean indicating a
            sequence of characters matching the resource's <spanx
            style="verb">name.familyName</spanx> SHALL NOT be included in the
            password.</t>

            <t hangText="userNameDisallowed"><vspace/>A Boolean indicating a
            sequence of characters matching the resource's <spanx
            style="verb">userName</spanx> SHALL NOT be included in the
            password.</t>

            <t hangText="minPasswordAgeInDays"><vspace/>An Integer indicating
            the minimum age in days before the password MAY be changed.</t>

            <t hangText="warningAfterDays"><vspace/>An Integer indicating the
            number of days after which a password reset warning will be
            issued.</t>

            <t hangText="expiresAfterDays"><vspace/>An Integer indicating the
            number of days after which a password reset is required.</t>

            <t hangText="requiredChars"><vspace/>A String value whose contents
            indicates a set of characters that MUST appear, in any sequence,
            in a password value.</t>

            <t hangText="disallowedChars"><vspace/>A String value whose
            contents indicates a set of characters that SHALL NOT appear, in
            any sequence, in a password value.</t>

            <t hangText="disallowedSubStrings"><vspace/>A Multi-valued String
            indicating a set of Strings that SHALL NOT appear within a
            password value.</t>

            <t hangText="dictionaryLocation"><vspace/>A Reference value
            containing the URI of a dictionary of words not allowed to appear
            within a password value.</t>

            <t hangText="passwordHistorySize"><vspace/>An Integer indicating
            the number of passwords that will be kept in history that may not
            be used as a password.</t>

            <t hangText="maxIncorrectAttempts"><vspace/>An Integer
            representing the maximum number of failed logins before an account
            is locked.</t>

            <t hangText="lockOutDuration"><vspace/>An Integer indicating the
            number of minutes an account will be locked after <spanx
            style="verb">maxIncorrectAttempts</spanx> is exceeded.</t>

            <t hangText="challengesEnabled"><vspace/>A Boolean value
            indicating challenges MAY be used during authentication.</t>

            <t hangText="challengePolicy"><vspace/>A complex attribute that
            defines policy around challenges. It contains the following
            sub-attributes:<list style="hanging">
                <t hangText="source">An Integer indicating one of the
                following:<list style="symbols">
                    <t>0 - User Defined.</t>

                    <t>1 - Admin Defined.</t>

                    <t>2 - User and Admin Defined.</t>
                  </list></t>

                <t hangText="defaultQuestions">A Multi-valued String attribute
                that contains one or more default questions a subject may use
                when setting their challenge questions.</t>

                <t hangText="minQuestionCount">An Integer indicating the
                minimum number of challenge questions a subject MUST answer
                when setting challenge question answers. A value of 0 or no
                value indicates no minimum.</t>

                <t hangText="minAnswerCount">An Integer indicating the minimum
                number of challenge answers a subject MUST answer when
                attempting to reset their password via forgot password
                request.</t>

                <t hangText="allAtOnce">A Boolean value. When true, the client
                UI will present all challenges in random order each time they
                are displayed. When false, the client UI will present one
                challenge question at a time, and the subject MUST respond
                before the next is displayed.</t>

                <t hangText="minResponseLength">An Integer indicating the
                minimum number of characters in a challenge response. No value
                or a value of 0 indicates no minimum length (effectively
                1).</t>

                <t hangText="maxIncorrectAttempts">An Integer indicating the
                maximum number of failed password reset attempts using
                challenges. If any challenge response is wrong in a reset
                attempt, the user's <spanx style="verb">resetAttempts</spanx>
                counter is incremented by 1. If <spanx style="verb">resetAttempts</spanx>
                is greater than <spanx style="verb">maxIncorrectAttempts</spanx>,
                the subject's account is locked with a <spanx
                style="verb">locked.reason</spanx> value of 2 (see <xref
                target="locked"/>).</t>
              </list></t>
          </list></t>
      </section>

      <section title="Management Requests">
        <t>This extension defines a series of password and username management
        requests that are modeled as SCIM resource types. Each request acts as
        a "function" that MAY result in multiple changes to a designated
        resource (e.g. User). For example, setting a password involves the
        service provider validating the new password, updating the password,
        revising password history and resetting appropriate password state
        values. </t>

        <t>A management request is performed by doing a SCIM creation request
        for the associated management function resource type. Each request
        resource type has its own schema and resource type endpoint. The
        normal SCIM API rules apply to these requests. When a request is
        completed, a SCIM service provider MAY return the final state in the
        HTTP response, or it MAY return the location of the created request
        resource object that MAY be used for further processing. [TO BE
        CLARIFIED]</t>

        <t>The following requests are supported and defined in the following
        sections:<list style="symbols">
            <t>PasswordResetRequest</t>

            <t>PasswordValidateRequest</t>

            <t>UsernameValidateRequest</t>

            <t>GenerateUsernameRequest</t>

            <t>RecoverUsernameRequest</t>
          </list></t>
      </section>

      <section title="PasswordResetRequest">
        <t>A password reset request is made by performing a SCIM Create
        operation using HTTP POST to the endpoint for resource type <spanx
        style="verb">PasswordResetRequest</spanx>, which is typically <spanx
        style="verb">/PasswordResetRequests</spanx>. Upon receiving the
        request, the service provider validates the request based on its own
        logic and subsequently resets the password of the resource identified
        by <spanx style="verb">userName</spanx>. This request MAY be made
        anonymously (since the user is unable to authenticate) or through an
        authenticated web application component (which in turn may be unable
        to authenticate the user). [Add security considerations for this
        request]</t>

        <t>Upon validating a request, the service provider may return either
        HTTP Status 200 (Ok), or it may return the request as a temporary
        resource that exists for a period of time (e.g. awaiting secondary
        approval or e-mail confirmation).</t>

        <t>The core schema for a <spanx style="verb">PasswordResetRequest</spanx>
        is <spanx style="verb">urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest</spanx>.
        The above schema can be used in several reset forms as described in
        the following two sections. This schema includes the following
        attributes:</t>

        <t><list style="hanging">
            <t hangText="userName"><vspace/>A string value that matches the
            service provider unique identifier for the user.</t>

            <t hangText="challenges"><vspace/>A Complex attribute describing
            challenge questions and responses that match the values found in
            the resource matched by the <spanx style="verb">userName</spanx>
            attribute.<list style="hanging">
                <t hangText="question"><vspace/>A String that represents a
                challenge question for which the corresponding response is
                defined.</t>

                <t hangText="response"><vspace/>A String that represents the
                subject's specified correct response to the corresponding
                challenge. The response MAY be compared case-sensitively or
                case-insensitively based on service provider policy.</t>
              </list></t>
          </list></t>

        <section title="Password Reset With Challenges">
          <t>An anonymous requestor (or an authenticated web application),
          by providing a <spanx style="verb">userName</spanx>, the correct set
          of challenges and a new password value, MAY request that a service
          provider accept the requested <spanx style="verb">password</spanx>
          and set the <spanx style="verb">password</spanx> directly. The
          service provider might perform other secondary checks to confirm the
          requestor's identity (e.g. email confirmation).<figure>
              <artwork>POST /PasswordResetRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
    "schemas":
        ["urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"],
    "userName": "happyAlice",
    "challenges": [
    {
        "question":"what is your favorite color",
        "response":"red"
    },
    {
        "question":"what is name of your pet",
        "response":"pet"
    },
    {
        "question":"what is city of your birth",
        "response":"city"
    }],
    "password": "&lt;new password&gt;"
}
</artwork>
            </figure><figure>
              <preamble>Upon processing a successful request, the SCIM service
              provider would respond with:</preamble>

              <artwork>HTTP/1.1 200 OK</artwork>

              <postamble/>
            </figure></t>

          <t>In the above example, the request is considered complete when the
          response is returned. In this case, no permanent request object is
          created and so no HTTP Location value is returned. In some cases,
          the service provider MAY keep the request until a workflow completes.
          If it wishes to allow clients to "poll" for status, it MAY create a
          resource and return an HTTP Location in the response. [Is this
          needed?]</t>
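          <t>The following is an added, non-normative example that is not part
          of this draft. It shows how a service provider might process the
          challenge-based reset request above: the presented responses are
          compared against the stored challenges in constant time
          (case-insensitively, as service provider policy allows), a wrong
          response increments resetAttempts and locks the account with
          locked.reason 2 once challengePolicy.maxIncorrectAttempts is
          exceeded, at least challengePolicy.minAnswerCount responses are
          required, and the new password is refused if its hash is found in
          passwordHistory, which is then trimmed to passwordHistorySize. The
          attribute names and the locked.reason value are the draft's; the
          salted PBKDF2 hashing, the 400 and 403 statuses for rejected and
          locked requests, the function names and the sample User are
          assumptions of this example.</t>

          <figure>
            <artwork><![CDATA[
```python
"""Service-provider handling of a PasswordResetRequest that carries challenges.
Added example, not code from the draft: the PBKDF2 history hashing, the 400/403
status codes, function names and sample data are this example's assumptions."""
import hashlib
import hmac
import os

PASSWORD_EXT = "urn:ietf:params:scim:schemas:extension:account:2.0:Password"
RESET_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"
REASON_FAILED_RESETS = 2      # locked.reason value defined by the draft
ITERATIONS = 100_000          # PBKDF2 work factor (assumption)


def hash_password(clear, salt=None):
    """Salted PBKDF2-HMAC-SHA256 entry for the write-only passwordHistory array."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", clear.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def in_history(clear, history):
    """True if the clear-text value matches any stored history entry."""
    found = False
    for entry in history:
        salt_hex = entry.split("$", 1)[0]
        candidate = hash_password(clear, bytes.fromhex(salt_hex))
        found |= hmac.compare_digest(candidate, entry)
    return found


def challenges_match(stored, presented, min_answers, case_sensitive=False):
    """At least min_answers challenges must be presented and every presented
    response must match the stored one.  The loop never exits early, so the
    time taken does not reveal which response was wrong."""
    expected = {c["question"]: c["response"] for c in stored}
    ok = len(presented) >= min_answers
    for c in presented:
        known = c["question"] in expected
        given, want = c["response"], expected.get(c["question"], "")
        if not case_sensitive:                 # service provider policy choice
            given, want = given.lower(), want.lower()
        ok = hmac.compare_digest(given.encode(), want.encode()) and known and ok
    return ok


def handle_reset_request(request, users, policy):
    """Return 200 when the password was reset, 400 when the request is rejected
    (unknown user, wrong responses, reused password), 403 when the account is
    locked.  `users` maps userName to a SCIM User dict; `policy` is the
    PasswordPolicy resource that applies to it."""
    if RESET_SCHEMA not in request.get("schemas", []):
        return 400
    user = users.get(request.get("userName"))
    if user is None:
        return 400        # same status as a wrong response: do not reveal valid userNames
    ext = user.setdefault(PASSWORD_EXT, {})
    state = ext.setdefault("passwordState", {})
    if ext.get("locked", {}).get("on"):
        return 403
    cp = policy.get("challengePolicy", {})
    if not challenges_match(ext.get("challenges", []), request.get("challenges", []),
                            cp.get("minAnswerCount", 0)):
        state["resetAttempts"] = state.get("resetAttempts", 0) + 1
        limit = cp.get("maxIncorrectAttempts")
        if limit is not None and state["resetAttempts"] > limit:
            ext["locked"] = {"on": True, "reason": REASON_FAILED_RESETS}
        return 400
    new_password = request.get("password", "")
    history = ext.setdefault("passwordHistory", [])
    if in_history(new_password, history):
        return 400
    history.insert(0, hash_password(new_password))
    size = policy.get("passwordHistorySize")
    if size:
        del history[size:]                     # keep only the newest entries
    state["resetAttempts"] = 0
    state["passwordMustChange"] = False
    return 200


def demo():
    """Constructed sample data (not from the draft): a reused password, one
    wrong response, a successful reset, then three wrong responses that lock."""
    policy = {"passwordHistorySize": 3,
              "challengePolicy": {"minAnswerCount": 2, "maxIncorrectAttempts": 2}}
    users = {"happyAlice": {"userName": "happyAlice", PASSWORD_EXT: {
        "challenges": [{"question": "what is your favorite color", "response": "Red"},
                       {"question": "what is name of your pet", "response": "pet"}],
        "passwordHistory": [hash_password("OldPassw0rd!")],
        "passwordState": {"resetAttempts": 0}}}}
    good = [{"question": "what is your favorite color", "response": "red"},
            {"question": "what is name of your pet", "response": "pet"}]
    bad = [{"question": "what is your favorite color", "response": "blue"},
           {"question": "what is name of your pet", "response": "pet"}]

    def req(challenges, password):
        return {"schemas": [RESET_SCHEMA], "userName": "happyAlice",
                "challenges": challenges, "password": password}

    statuses = [handle_reset_request(req(good, "OldPassw0rd!"), users, policy),  # reused -> 400
                handle_reset_request(req(bad, "N3wPassw0rd!"), users, policy),   # wrong -> 400
                handle_reset_request(req(good, "N3wPassw0rd!"), users, policy),  # reset -> 200
                handle_reset_request(req(bad, "x"), users, policy),
                handle_reset_request(req(bad, "x"), users, policy),
                handle_reset_request(req(bad, "x"), users, policy),              # 3rd wrong -> locked
                handle_reset_request(req(good, "Another1!"), users, policy)]     # locked -> 403
    ext = users["happyAlice"][PASSWORD_EXT]
    return statuses, ext["locked"]["reason"], len(ext["passwordHistory"])
```
]]></artwork>
          </figure>

          <t>An unknown userName and a wrong response both produce the same
          status so that the reset endpoint, which MAY be reached anonymously,
          does not confirm which userNames exist; the draft's open security
          considerations item is where such requirements would be stated.</t>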
        </section>

        <section title="Reset With Email Confirmation">
          <t>By providing only a <spanx style="verb">userName</spanx> value,
          an email confirmation flow MAY be initiated that requires the
          subject to click on a link (to prove ownership of the known email),
          upon which the user is confirmed and the request is
          processed.<figure>
              <artwork>POST /PasswordResetRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
    "schemas":
        ["urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"],
    "userName": 
        "happyAlice"
}
</artwork>
            </figure><figure>
              <preamble>Upon processing a successful request, the SCIM service
              provider SHALL respond with:</preamble>

              <artwork>HTTP/1.1 200 OK</artwork>

              <postamble/>
            </figure></t>

          <t>In the above example, it is expected that the User will be given
          a link to click on out-of-band. As such, the current request
          completes with no further response. As with the Challenges variant,
          a service provider MAY provide an HTTP Location if the service
          provider intends to keep the request active until it is completed.
          [Is a persisted request needed?]</t>
        </section>
      </section>

      <section title="PasswordValidateRequest">
        <t>A password validation request MAY be used to confirm that a
        proposed password value conforms to service provider policy, the
        associated user policy and password state criteria (e.g. password
        history). A request is made by performing a SCIM Create operation
        using HTTP POST to the endpoint for resource type <spanx
        style="verb">PasswordValidateRequest</spanx>, which is typically <spanx
        style="verb">/PasswordValidateRequests</spanx>. Upon receiving the
        request, the service provider, based on its own logic and any
        associated password policy for the resource, validates the provided
        password. [can this be made anonymously?]</t>

        <t>Upon validating a request, the service provider may return either
        HTTP Status 200 (Ok), or it may return HTTP Status 400 indicating the
        password is unacceptable. [NOTE: should there be a scimType and/or
        description describing a standardized reason for failure such as:
        history, tooShort, tooLong, missingSpecialChar, etc.]</t>

        <t>The core schema for a <spanx style="verb">PasswordValidateRequest</spanx>
        is <spanx style="verb">urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest</spanx>.
        This schema includes the following attributes:</t>

        <t><list style="hanging">
            <t hangText="$ref"><vspace/>A reference value that contains a URI
            that points to the resource (e.g. User) against which the proposed
            password is to be validated as an acceptable password.</t>

            <t hangText="password"><vspace/>A string value containing the
            requested password value for which validation is requested.</t>
          </list></t>

        <t><figure>
            <preamble>The following is a non-normative example validation
            request. The example has been altered for clarity:</preamble>

            <artwork>POST /PasswordValidateRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
    "schemas":
        ["urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest"],
    "$ref": "/Users/2819c223-7f76-453a-919d-413861904646",
    "password":"someG00Didea!"
}
</artwork>
          </figure><figure>
            <preamble>A successful response looks similar to the following
            non-normative example:</preamble>

            <artwork>HTTP/1.1 200 OK</artwork>
          </figure></t>
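        <t>The following is an added, non-normative example that is not part
        of this draft. It serves both the Password Policy attribute definitions
        and this section: a proposed password is checked against a
        PasswordPolicy resource (minLength, maxLength, minAlphas, minNumerals,
        minAlphaNumerals, minSpecialChars, maxSpecialChars, minUpperCase,
        minLowerCase, minUniqueChars, maxRepeatedChars, startsWithAlpha,
        requiredChars, disallowedChars, disallowedSubStrings and the
        firstNameDisallowed, lastNameDisallowed and userNameDisallowed rules
        that need the User the $ref points at), and the outcome is mapped to
        the 200 or 400 status this section names. The attribute names are the
        draft's; the function names, the rule labels returned on failure (the
        draft leaves standardized failure reasons open), the reading of
        maxRepeatedChars as the largest number of times any single character
        occurs, the treatment of ASCII punctuation as "special" characters, and
        the sample policy and User are assumptions of this example.</t>

        <figure>
          <artwork><![CDATA[
```python
"""Checking a proposed password against a PasswordPolicy resource, as a
PasswordValidateRequest handler would before answering 200 or 400.  Added
example, not code from the draft; attribute names are the draft's, the rule
labels, function names and sample data are this example's own."""
import string

SPECIAL = set(string.punctuation)   # what counts as a "special" character (assumption)


def validate_password(password, policy, user=None):
    """Return the names of the rules the password fails (empty when acceptable).
    A policy value of 0 or an absent attribute means no restriction, as the
    draft specifies for each attribute."""
    failures = []
    p = policy.get
    alphas = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    specials = sum(c in SPECIAL for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)

    def at_least(name, have):
        if p(name) and have < p(name):
            failures.append(name)

    def at_most(name, have):
        if p(name) and have > p(name):
            failures.append(name)

    at_least("minLength", len(password))
    at_most("maxLength", len(password))
    at_least("minAlphas", alphas)
    at_least("minNumerals", digits)
    at_least("minAlphaNumerals", alphas + digits)
    at_least("minSpecialChars", specials)
    at_most("maxSpecialChars", specials)
    at_least("minUpperCase", upper)
    at_least("minLowerCase", lower)
    at_least("minUniqueChars", len(set(password)))
    # maxRepeatedChars read as: most occurrences of any one character (assumption).
    at_most("maxRepeatedChars", max((password.count(c) for c in set(password)), default=0))
    if p("startsWithAlpha") and not password[:1].isalpha():
        failures.append("startsWithAlpha")
    if any(c not in password for c in p("requiredChars", "")):
        failures.append("requiredChars")
    if any(c in password for c in p("disallowedChars", "")):
        failures.append("disallowedChars")
    lowered = password.lower()
    if any(s.lower() in lowered for s in p("disallowedSubStrings", [])):
        failures.append("disallowedSubStrings")
    # The name and userName rules need the target User resource (the request's $ref).
    if user:
        name = user.get("name", {})
        for flag, value in (("firstNameDisallowed", name.get("givenName")),
                            ("lastNameDisallowed", name.get("familyName")),
                            ("userNameDisallowed", user.get("userName"))):
            if p(flag) and value and value.lower() in lowered:
                failures.append(flag)
    return failures


def handle_validate_request(request, users, policy):
    """Map a PasswordValidateRequest to the status codes the draft names:
    200 when the password is acceptable, 400 otherwise.  `users` maps the
    $ref URI to the SCIM User dict."""
    user = users.get(request.get("$ref"))
    return 200 if not validate_password(request.get("password", ""), policy, user) else 400


# Constructed sample policy and User (not from the draft).
POLICY = {"minLength": 8, "maxLength": 64, "minNumerals": 1, "minSpecialChars": 1,
          "minUpperCase": 1, "minLowerCase": 1, "maxRepeatedChars": 2,
          "startsWithAlpha": True, "disallowedChars": " ", "userNameDisallowed": True,
          "disallowedSubStrings": ["password"]}
REF = "/Users/2819c223-7f76-453a-919d-413861904646"
USERS = {REF: {"userName": "happyAlice", "name": {"givenName": "Alice", "familyName": "Smith"}}}


def demo():
    """The draft's example password passes; a weak one fails several rules."""
    good = {"$ref": REF, "password": "someG00Didea!"}
    bad = {"$ref": REF, "password": "1happyalice password!!!"}
    return (handle_validate_request(good, USERS, POLICY),
            handle_validate_request(bad, USERS, POLICY),
            validate_password(bad["password"], POLICY, USERS[REF]))


if __name__ == "__main__":
    print(demo())
```
]]></artwork>
        </figure>

        <t>Because every rule is skipped when its attribute is 0 or absent, an
        empty policy accepts any password; the list of failed rule names is
        what a service provider would have to standardize if the open note
        above on a scimType or description for failures is resolved.</t>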
      </section>

      <section title="UsernameValidateRequest">
        <t>A username validation request MAY be used to confirm that a
        proposed username value conforms to service provider policy and
        associated user policy, as well as uniqueness. A request is made
        by performing a SCIM Create operation using HTTP POST to the endpoint
        for resource type <spanx style="verb">UsernameValidateRequest</spanx>,
        which is typically <spanx style="verb">/UsernameValidateRequests</spanx>.
        Upon receiving the request, the service provider tests for uniqueness
        and any associated formatting policy and validates the provided
        username.</t>

        <t>Upon validating a request, the service provider may return either
        HTTP Status 200 (Ok), or it may return HTTP Status 400 indicating the
        username is unacceptable. [NOTE: should there be a scimType and/or
        description describing a standardized reason for failure such as:
        history, tooShort, tooLong, missingSpecialChar, etc.]</t>

        <t>The core schema for a <spanx style="verb">UsernameValidateRequest</spanx>
        is <spanx style="verb">urn:ietf:params:scim:schemas:core:2.0:password:UsernameValidateRequest</spanx>.
        This schema includes the following attributes:</t>

        <t><list style="hanging">
            <t hangText="$ref"><vspace/>A reference value that contains a URI
            that points to the resource (e.g. User) against which the proposed
            userName value is to be validated as acceptable.</t>

            <t hangText="userName"><vspace/>A string value containing the
            requested userName value for which validation is requested.</t>
          </list></t>

        <t><figure>
            <preamble>The following is a non-normative example validation
            request. The example has been altered for clarity:</preamble>

            <artwork>POST /UsernameValidateRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
    "schemas":
        ["urn:ietf:params:scim:schemas:core:2.0:password:UsernameValidateRequest"],
    "$ref": "/Users/2819c223-7f76-453a-919d-413861904646",
    "userName":"susieQ"
}</artwork>
          </figure><figure>
            <preamble>A successful response looks similar to the following
            non-normative example:</preamble>

            <artwork>HTTP/1.1 200 OK</artwork>
          </figure></t>
      </section>

      <section title="UsernameGenerateRequest">
        <t>A username generation request MAY be used to request an
        automatically generated userName that conforms to service provider
        policy and uniqueness requirements. A request is performed by
        performing a SCIM Create operation using HTTP POST to the endpoint for
        resource type <spanx style="verb">UsernameGenerateRequest</spanx>
        which is typically <spanx style="verb">/UsernameGenerateRequests</spanx>.
        Upon receiving the request, the service provider generates a unique
        userName and returns it in a response.</t>

        <t>The core schema for a <spanx style="verb">UsernameGenerateRequest</spanx>
        is <spanx style="verb">urn:ietf:params:scim:schemas:core:2.0:password:UsernameGenerateRequest</spanx>.
        This schema includes the following attributes:</t>

        <t><list style="hanging">
            <t hangText="$ref"><vspace/>An operational reference value that
            contains a URI that points to an existing resource (e.g. User)
            whose <spanx style="verb">name</spanx> attribute MAY be used to
            generate a userName value. When the $ref attribute is used, the
            generate request MUST be authenticated.</t>

            <t hangText="userName"><vspace/>A string value that is returned in
            the server's response and contains a generated userName value.
            The generated userName is not reserved; it is only guaranteed on
            a first-come-first-served basis by a subsequent SCIM create or
            modify request.</t>

            <t hangText="name"><vspace/>An optional complex attribute
            containing the components of the user's name from which a
            userName value is to be generated. This attribute is typically
            used as part of an anonymous userName generation request during a
            user registration dialog.<list style="hanging">
                <t hangText="formatted">The full name, including all middle
                names, titles, and suffixes as appropriate, formatted for
                display (e.g. <spanx style="verb">Ms. Barbara Jane Jensen, III.</spanx>
                ).</t>

                <t hangText="familyName">The family name of the User, or last
                name in most Western languages (e.g. <spanx style="verb">Jensen</spanx>
                given the full name <spanx style="verb">Ms. Barbara Jane Jensen, III.</spanx>
                ).</t>

                <t hangText="givenName">The given name of the User, or first
                name in most Western languages (e.g. <spanx style="verb">Barbara</spanx>
                given the full name <spanx style="verb">Ms. Barbara Jane Jensen, III.</spanx>
                ).</t>

                <t hangText="middleName">The middle name(s) of the User (e.g.
                <spanx style="verb">Jane</spanx> given the full name <spanx
                style="verb">Ms. Barbara Jane Jensen, III.</spanx> ).</t>

                <t hangText="honorificPrefix">The honorific prefix(es) of the
                User, or title in most Western languages (e.g. <spanx
                style="verb">Ms.</spanx> given the full name <spanx
                style="verb">Ms. Barbara Jane Jensen, III.</spanx> ).</t>

                <t hangText="honorificSuffix">The honorific suffix(es) of the
                User, or suffix in most Western languages (e.g. <spanx
                style="verb">III.</spanx> given the full name <spanx
                style="verb">Ms. Barbara Jane Jensen, III.</spanx> ).</t>
              </list></t>
          </list></t>

        <t><figure>
            <preamble>The following is a non-normative example userName
            generation request. The example has been altered for
            clarity:</preamble>

            <artwork>POST /UsernameGenerateRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
    "schemas":
        ["urn:ietf:params:scim:schemas:core:2.0:password:UsernameGenerateRequest"],
    "name": {
        "formatted": "Ms. Barbara Jane Doe III",
        "familyName": "Doe",
        "givenName": "Barbara",
        "middleName": "Jane",
        "honorificSuffix": "III"
    }
}</artwork>
          </figure><figure>
            <preamble>A successful response looks similar to the following
            non-normative example:</preamble>

            <artwork>HTTP/1.1 200 OK
{
    "userName": "barbara.doe"
}
</artwork>
          </figure></t>
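        <t>As an added illustration that is not part of this draft, the following Python sketch handles the UsernameGenerateRequest shown above: it derives a candidate from name.givenName and name.familyName, folds it to lowercase ASCII, and appends a numeric suffix until the value is unused, without reserving it. The derivation rule and the in-memory set standing in for the service provider's User store are assumptions of the example.</t>

```python
import re
import unicodedata

# Constructed stand-in for the service provider's User store: the set of
# userName values already in use (the draft leaves storage unspecified).
EXISTING_USERNAMES = {"jdoe", "barbara.doe"}

GENERATE_SCHEMA = (
    "urn:ietf:params:scim:schemas:core:2.0:password:UsernameGenerateRequest"
)


def _normalize(part):
    """Fold one name component to lowercase ASCII letters and digits only,
    dropping accents (NFKD) and punctuation such as apostrophes."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_part.lower())


def generate_username(request, existing=EXISTING_USERNAMES):
    """Handle a UsernameGenerateRequest body and return the response body.

    Derivation rule (an assumption; the draft only requires the result to
    satisfy provider policy and uniqueness): givenName.familyName, then
    givenName.familyName2, givenName.familyName3, ... until a value is not
    in use. The value is returned but NOT inserted into `existing`, which
    matches the draft's first-come-first-served semantics: a later SCIM
    create or modify request is what actually claims it.
    """
    if GENERATE_SCHEMA not in request.get("schemas", []):
        raise ValueError("unsupported schema")
    name = request.get("name") or {}
    given = _normalize(name.get("givenName", ""))
    family = _normalize(name.get("familyName", ""))
    if not given or not family:
        raise ValueError("name.givenName and name.familyName are required")
    base = f"{given}.{family}"
    candidate, suffix = base, 1
    while candidate in existing:
        suffix += 1
        candidate = f"{base}{suffix}"
    return {"userName": candidate}


if __name__ == "__main__":
    # The draft's own sample request, as a Python dict.
    sample = {
        "schemas": [GENERATE_SCHEMA],
        "name": {"givenName": "Barbara", "familyName": "Doe", "middleName": "Jane"},
    }
    print(generate_username(sample, existing={"jdoe"}))  # {'userName': 'barbara.doe'}
```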
      </section>

      <section title="UsernameRecoverRequest">
        <t>A userName recovery request MAY be used to look up a userName based
        on a provided email address. The provided email address may be matched
        against any value of an existing resource's <spanx style="verb">emails</spanx>
        attribute. A request is performed by performing a SCIM Create
        operation using HTTP POST to the endpoint for resource type <spanx
        style="verb">UsernameRecoverRequest</spanx> which is typically <spanx
        style="verb">/UsernameRecoverRequests</spanx>. Upon receiving the
        request, the service provider looks up the userName matching the
        provided email address and returns it in a response.</t>

        <t>The core schema for a <spanx style="verb">UsernameRecoverRequest</spanx>
        is <spanx style="verb">urn:ietf:params:scim:schemas:core:2.0:password:UsernameRecoverRequest</spanx>.
        This schema includes the following attributes:</t>

        <t><list style="hanging">
            <t hangText="email"><vspace/>A string value containing an email
            address that is to be matched against an existing resource's
            <spanx style="verb">emails</spanx> attribute.</t>

            <t hangText="userName"><vspace/>A string value returned in the
            response containing the unique userName that corresponds to the
            recovery request.</t>
          </list></t>

        <t><figure>
            <preamble>The following is a non-normative example userName
            recovery request. The example has been altered for
            clarity:</preamble>

            <artwork>POST /UsernameRecoverRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
  "schemas":
    ["urn:ietf:params:scim:schemas:core:2.0:password:UsernameRecoverRequest"],
  "email": "bdoe@example.com"
}</artwork>
          </figure><figure>
            <preamble>A successful response looks similar to the following
            non-normative example:</preamble>

            <artwork>HTTP/1.1 200 OK
{
    "userName": "barbara.doe"
}
</artwork>
          </figure>[Note: it would be more secure not to return the userName
        in the response and instead the service provider should send an email
        confirmation]</t>
      </section>
    </section>

    <section title="Schemas Representation">
      <t>This section provides a JSON representation of the schema extensions
      in this draft. [TODO follow format of Sec 8.7 of core schema draft]</t>

      <section title="Password Extension">
        <t>The following is a representation of the password state extension
        <spanx style="verb">urn:ietf:params:scim:schemas:extension:account:2.0:Password</spanx>
        that is used to extend a User resource. <figure
            title="Password Extension for Users">
            <artwork>   {
    "id" : 
      "urn:ietf:params:scim:schemas:extension:account:2.0:Password",
    "name" : "Password Management Schema Extension",
    "description" : "This extension defines attributes used to manage
      account passwords within a service provider.  The extension is 
      typically applied to a User resource, but MAY be applied to 
      other resources that use passwords.",
    "attributes" : [
      {
        "name" : "passwordState",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A Complex attribute that describes server 
          provided attributes regarding the state of the resource's 
          password.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readWrite",
        "subAttributes" : [
          {
            "name" : "createDate",
            "type" : "dateTime",
            "multiValued" : false,
            "description" : "A DateTime which specifies the date and 
              time the current password was set.",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "cantChange",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "A Boolean indicating that the current 
              password MAY NOT be changed and all other password expiry
              settings SHALL be ignored",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "noExpiry",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "A Boolean indicating that password expiry 
              policy will not be applied for the current resource.",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "lastSuccessfulLoginDate",
            "type" : "dateTime",
            "multiValued" : false,
            "description" : "A DateTime value indicating the last 
              successful login date.",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "lastFailedLoginDate",
            "type" : "dateTime",
            "multiValued" : false,
            "description" : "A DateTime value indicating the last 
              failed login date.",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "loginAttempts",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An Integer value indicating the number of
              failed login attempts. The value is reset to 0 after a
              successful login.",
            "required" : false,
            "mutability" : "readOnly",
            "returned" : "default"
          },
          {
            "name" : "resetAttempts",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An Integer value indicating the number of 
              password reset attempts. The value is reset to 0 after
              successful reset.",
            "required" : false,
            "mutability" : "readOnly",
            "returned" : "default"
          },
          {
            "name" : "passwordMustChange",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "A Boolean value that indicates that the
              subject's password value MUST change at the next login. If
              not changed, typically the account is locked. The value
              may be set indirectly when the subject's current password
              expires, or directly set by an administrator.",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          }
        ]
      },
      {
        "name" : "passwordPolicyUrl",
        "type" : "reference",
        "referenceTypes" : ["PasswordPolicy"],
        "multiValued" : false,
        "description" : "A URI reference value that indicates the 
          address of a password policy that is used in relation to the 
          current resource.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "locked",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A Complex attribute that indicates an account
          is locked (blocking new sessions).",
        "required" : false,
        "returned" : "default",
        "mutability" : "readWrite",
        "subAttributes" : [
          {
            "name" : "reason",
            "type" : "integer",
            "multiValued" : false,
            "description" : "A number value indicating the reason for 
              locking. Valid values are: 0 - failed attempts. 1 - admin
              lock. 2 - reset attempts",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "on",
            "type" : "boolean",
            "multiValued" : false,
            "description" : 
              "A Boolean value indicating the account is locked.",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "lockDate",
            "type" : "dateTime",
            "multiValued" : false,
            "description" : "A DateTime which specifies the date and 
              time the current resource was locked.",
            "required" : false,
            "mutability" : "readWrite",
            "returned" : "default"
          }       
        ]
      },
      {
        "name" : "challenges",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A Complex attribute describing challenge 
          questions that may be used as a supplementary factor during 
          login or during password management requests.",
        "required" : false,
        "returned" : "default",
        "mutability" : "readWrite",
        "subAttributes" : [
          {
            "name" : "question",
            "type" : "string",
            "multiValued" : false,
            "description" : "A String that represents a challenge 
              question for which the corresponding response is 
              defined.",
            "required" : true,
            "caseExact" : true,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "response",
            "type" : "string",
            "multiValued" : false,
            "description" : "A String that represents the subject's
              specified correct response to the corresponding
              challenge.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ]
      },
      {
        "name" : "passwordHistory",
        "type" : "string",
        "multiValued" : true,
        "description" : "A writeOnly attribute that contains hashes of 
          previous passwords associated with the SCIM resource.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "writeOnly",
        "returned" : "never",
        "uniqueness" : "none"
      }   
    ]
  }</artwork>
          </figure></t>
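        <t>The following Python sketch is an added example, not part of this draft, showing how a service provider might maintain passwordState.loginAttempts, passwordState.resetAttempts and the locked complex attribute defined above against a PasswordPolicy's maxIncorrectAttempts, lockOutDuration (minutes) and challengePolicy.maxIncorrectAttempts. Applying lockOutDuration to reset-attempt locks, never auto-expiring admin locks, and locking once a counter exceeds (not reaches) its maximum are assumptions of the example.</t>

```python
from datetime import datetime, timedelta, timezone

PW_EXT = "urn:ietf:params:scim:schemas:extension:account:2.0:Password"
# locked.reason values from the extension schema above.
LOCK_FAILED_LOGINS, LOCK_ADMIN, LOCK_RESET_ATTEMPTS = 0, 1, 2
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed PasswordPolicy resource (only the attributes this example reads).
POLICY = {
    "maxIncorrectAttempts": 3,
    "lockOutDuration": 30,                          # minutes
    "challengePolicy": {"maxIncorrectAttempts": 2},
}


def new_user(user_name):
    """Constructed User resource carrying the password extension."""
    return {
        "userName": user_name,
        PW_EXT: {
            "passwordState": {"loginAttempts": 0, "resetAttempts": 0},
            "locked": {"on": False},
        },
    }


def _ts(dt):
    return dt.strftime(TS_FMT)


def _lock(user, reason, now):
    user[PW_EXT]["locked"] = {"on": True, "reason": reason, "lockDate": _ts(now)}


def is_locked(user, policy, now):
    """True while locked.on is set and lockOutDuration has not elapsed.

    Admin locks (reason 1) never expire on their own (an assumption; the
    draft ties lockOutDuration only to exceeded attempt counters). An
    expired lock is cleared together with the counters that caused it.
    """
    locked = user[PW_EXT]["locked"]
    if not locked.get("on"):
        return False
    if locked.get("reason") == LOCK_ADMIN:
        return True
    lock_date = datetime.strptime(locked["lockDate"], TS_FMT).replace(tzinfo=timezone.utc)
    if now >= lock_date + timedelta(minutes=policy["lockOutDuration"]):
        user[PW_EXT]["locked"] = {"on": False}
        user[PW_EXT]["passwordState"]["loginAttempts"] = 0
        user[PW_EXT]["passwordState"]["resetAttempts"] = 0
        return False
    return True


def record_login(user, policy, success, now):
    """Apply one authentication outcome; returns the resulting locked.on."""
    state = user[PW_EXT]["passwordState"]
    if is_locked(user, policy, now):
        return True                        # rejected, counters untouched
    if success:
        state["loginAttempts"] = 0         # draft: reset to 0 after success
        state["lastSuccessfulLoginDate"] = _ts(now)
        return False
    state["loginAttempts"] += 1
    state["lastFailedLoginDate"] = _ts(now)
    if state["loginAttempts"] > policy["maxIncorrectAttempts"]:
        _lock(user, LOCK_FAILED_LOGINS, now)
    return user[PW_EXT]["locked"]["on"]


def record_reset(user, policy, success, now):
    """Apply one challenge-based reset outcome; returns the resulting locked.on.

    Follows challengePolicy.maxIncorrectAttempts: a wrong answer increments
    resetAttempts, and exceeding the maximum locks with reason 2.
    """
    state = user[PW_EXT]["passwordState"]
    if is_locked(user, policy, now):
        return True
    if success:
        state["resetAttempts"] = 0         # draft: reset to 0 after success
        return False
    state["resetAttempts"] += 1
    if state["resetAttempts"] > policy["challengePolicy"]["maxIncorrectAttempts"]:
        _lock(user, LOCK_RESET_ATTEMPTS, now)
    return user[PW_EXT]["locked"]["on"]
```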
      </section>

      <section title="Password Policy Schema">
        <t>The following is a representation of the password policy resource
        type extension <spanx style="verb">urn:ietf:params:scim:schemas:core:2.0:policy:Password</spanx>
        that is used to define a PasswordPolicy resource. <figure
            title="Password Policy Schema">
            <artwork>  {
    "id" : 
      "urn:ietf:params:scim:schemas:core:2.0:policy:Password",
    "name" : "Password Policy Schema",
    "description" : "This extension defines attributes for a password
      policy.",
    "attributes" : [
      {
        "name" : "name",
        "type" : "string",
        "multiValued" : false,
        "description" : "A String that is the name of the policy.
          Typically used for informational purposes (e.g. to display
          to the user).",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "description",
        "type" : "string",
        "multiValued" : false,
        "description" : "A String that describes the current policy. 
          Typically used for informational purposes (e.g. to display 
          to a user).",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "maxLength",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Maximum password length in characters.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minLength",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum password length in characters.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minAlphas",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum number of alpha chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minNumerals",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum number of numeric characters.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minAlphaNumerals",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum num of alphas and numeric chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minSpecialChars",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum num of special chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "maxSpecialChars",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Maximum number of special chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minUpperCase",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum num of upper case chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minLowerCase",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum num of lower case chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minUnique",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum num of unique chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "maxRepeatChars",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Max num of repeated chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "startsWithAlphas",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "Indicates the password must begin with an alpha char.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minUnicodeChars",
        "type" : "integer",
        "multiValued" : false,
        "description" : "[TO BE DISCUSSED]",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "firstNameDisallowed",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "Indicates a sequence of characters matching
          the resource's name.givenName SHALL NOT be included in the
          password.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "lastNameDisallowed",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "Indicates a sequence of characters matching
          the resource's name.familyName SHALL NOT be included in the
          password.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "userNameDisallowed",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "Indicates a sequence of characters matching
          the resource's userName SHALL NOT be included in the
          password.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minPasswordAgeInDays",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An Integer indicating the minimum age in days
          before the password MAY be changed.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "warningAfterDays",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An Integer indicating the number of days after
          which a password reset warning will be issued.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "expiresAfterDays",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An Integer indicating the numbers of days 
          after which a password reset is required.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "requiredChars",
        "type" : "string",
        "multiValued" : false,
        "description" : "A String value whose contents indicates a set
          of characters that MUST appear, in any sequence, in a 
          password value.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "never",
        "uniqueness" : "none"
      },   
      {
        "name" : "disallowedChars",
        "type" : "string",
        "multiValued" : false,
        "description" : "A String value whose contents indicates a set
          of characters that SHALL NOT appear, in a password value.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "never",
        "uniqueness" : "none"
      },   
      {
        "name" : "disallowedSubstrings",
        "type" : "string",
        "multiValued" : true,
        "description" : "A set of strings that SHALL NOT appear in a
          password value.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "never",
        "uniqueness" : "none"
      },   
      {
        "name" : "dictionaryLocation",
        "type" : "reference",
        "referenceTypes" : ["reference"],
        "multiValued" : false,
        "description" : "A Reference value containing the URI of a 
          dictionary of words not allowed to appear within a password 
          value.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "passwordHistorySize",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An Integer indicating the number of passwords
          that will be kept in history that may not be used as a 
          password.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "maxIncorrectAttempts",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An Integer representing the maximum number of
          failed logins before an account is locked.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "lockOutDuration",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An integer indicating the number of minutes
          an account will be locked after maxIncorrectAttempts is
          exceeded.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "challengesEnabled",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "Indicates whether challenges may be used
          during authentication.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "challengePolicy",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A complex attribute that defines policy around 
          challenges.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readWrite",
        "subAttributes" : [
          {
            "name" : "source",
            "type" : "integer",
            "multiValued" : false,
            "description" : "A number value indicating the source for 
              challenges. Valid values are: 0 - user. 1 - admin
              defined. 2 - both",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "defaultQuestions",
            "type" : "string",
            "multiValued" : true,
            "description" : "A Multi-valued String attribute that
              contains one or more default questions a subject may use
              when setting their challenge questions.",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "minQuestionCount",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An Integer indicating the minimum number 
              of challenge questions a subject MUST answer when setting
              challenge question answers.  A value of 0 or no value 
              indicates no minimum.",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "minAnswerCount",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An Integer indicating the minimum number
              of challenge answers a subject MUST answer when 
              attempting to reset their password via forgot password 
              request.",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },             
          {
            "name" : "allAtOnce",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "When true, the client UI will present
              all challenges in random order each time displayed.
              When false, the client UI will present one challenge
              question at a time, and the subject MUST respond before
              the next is displayed.",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "minResponseLength",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An Integer indicating the minimum number 
              of chars in a challenge response.  No value or a value
              of 0 indicates no minimum length (effectively 1)",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },             
          {
            "name" : "maxIncorrectAttempts",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An Integer indicating the maximum number of
              failed password reset attempts using challenges. If any
              challenges are wrong in a reset attempt, the user's
              resetAttempts counter will be incremented by 1. If
              resetAttempts is greater than maxIncorrectAttempts, the
              subject's account will be locked with a locked.reason
              value of 2 (reset attempts).",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          }            
        ]
      }
    ]
  }</artwork>
          </figure></t>
      </section>

      <section title="Request Schemas">
        <t>The following are the schemas for all password request resource
        types returned by the <spanx style="verb">/Schemas</spanx>
        endpoint:<figure title="Request Schemas">
            <artwork>[
  {
    "id" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest",
    "name" : "Password Reset Request",
    "description" : "Used to submit a password reset request for a
    specific userName. Before resetting, a secondary confirmation is
    completed.",
    "attributes" : [
      {
        "name" : "userName",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value that matches the service provider
        unique identifier for the user.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "challenges",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A Complex attribute describing challenge 
        questions and responses that match the values found in the 
        resource matched by the userName attribute.",
        "required" : false,
        "returned" : "default",
        "mutability" : "readWrite",
        "subAttributes" : [
          {
            "name" : "question",
            "type" : "string",
            "multiValued" : false,
            "description" : "A String that represents a challenge 
               question for which the corresponding response is 
               defined.",
            "required" : true,
            "caseExact" : true,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "response",
            "type" : "string",
            "multiValued" : false,
            "description" : "A String that represents the subject's
              specified correct response to the corresponding
              challenge.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ]
      },
      {
        "name" : "password",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value for the requested password. 
        When specified, the challenges attribute must also be present.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "writeOnly",
        "returned" : "never",
        "uniqueness" : "none"
      }
    ]
  },
  {
    "id" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest",
    "name" : "Password Validate Request",
    "description" : "Used to submit a password for validation.",
    "attributes" : [
      {
        "name" : "password",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value containing the password that is 
        to be validated against the applicable password policy.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "writeOnly",
        "returned" : "never",
        "uniqueness" : "none"
      }
    ]
  },
  {
    "id" : 
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameValidateRequest",
    "name" : "UserName Validate Request",
    "description" : "Used to submit a username for validation.",
    "attributes" : [
      {
        "name" : "$ref",
        "type" : "reference",
        "referenceTypes" : [
          "User"
        ],
        "multiValued" : false,
        "description" : "A reference value that contains a URI that 
        points to the resource (e.g.  User) against which the proposed
        userName value is to be validated as acceptable.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "userName",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value containing the requested userName
        value for which validation is requested.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }
    ]
  },
  {
    "id" : 
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameGenerateRequest",
    "name" : "Username Generate Request",
    "description" : "Used to request a new username be generated.",
    "attributes" : [
      {
        "name" : "$ref",
        "type" : "reference",
        "referenceTypes" : [
          "User"
        ],
        "multiValued" : false,
        "description" : "A reference value that contains a URI that 
          points to an existing resource (e.g.  User) whose name 
          attribute MAY be used to generate a userName value.  When 
          the $ref attribute is used, the generate request MUST be 
          authenticated.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "userName",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value that is returned in the 
          server's response and contains a generated userName value.  
          The generated userName is not reserved; it is allocated on a 
          first-come, first-served basis by a subsequent SCIM create 
          or modify request.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "name",
        "type" : "complex",
        "multiValued" : false,
        "description" : "An optional complex attribute containing the 
          components of the user's name from which a userName value 
          is to be generated. This attribute is typically used as 
          part of an anonymous userName generation request during a 
          user registration dialog.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "formatted",
            "type" : "string",
            "multiValued" : false,
            "description" : "The full name, including all middle names,
titles, and suffixes as appropriate, formatted for display (e.g. Ms.
Barbara J Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "familyName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The family name of the User, or Last Name
in most Western languages (e.g. Jensen given the full name Ms. Barbara J
Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "givenName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The given name of the User, or First Name
in most Western languages (e.g. Barbara given the full name Ms. Barbara
J Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "middleName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The middle name(s) of the User (e.g. J
given the full name Ms. Barbara J Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "honorificPrefix",
            "type" : "string",
            "multiValued" : false,
            "description" : "The honorific prefix(es) of the User, or
Title in most Western languages (e.g. Ms. given the full name Ms.
Barbara J Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "honorificSuffix",
            "type" : "string",
            "multiValued" : false,
            "description" : "The honorific suffix(es) of the User, or
Suffix in most Western languages (e.g. III. given the full name Ms.
Barbara J Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }     
    ]
  },
  {
    "id" : 
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameRecoverRequest",
    "name" : "UserName Recovery Request",
    "description" : "Used to look up a username by email address.",
    "attributes" : [
      {
        "name" : "email",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value containing an email address 
          that is to be matched against an existing resource's emails
          attribute.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "userName",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value provided in response to a 
          request which is the unique userName that corresponds to the 
          recovery request.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "always",
        "uniqueness" : "none"
      }
    ]
  }   
]</artwork>
          </figure></t>
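      <t>The attribute definitions above are what a service provider has to
      enforce when it receives one of these request resources: required
      attributes must be present, readOnly attributes (such as userName on a
      UserNameGenerateRequest, which is required but only in the server's
      response) must not be supplied by the client, attributes marked
      "returned": "never" (the password) must be stripped before any
      representation leaves the server, and the two rules that live only in
      the descriptions (a password implies the challenges attribute; $ref on
      a generate request implies an authenticated caller) must be checked.
      The following is an added example of such schema-driven handling; it
      is not code from the draft or from any SCIM implementation. SCHEMAS is
      a trimmed copy of the PasswordResetRequest and UserNameGenerateRequest
      definitions from the figure above, and the request bodies are
      constructed sample data.<figure title="Schema-driven request validation (added example)">
          <artwork><![CDATA[
```python
"""Schema-driven handling of SCIM password-management request resources.

Added example, not code from the draft.  SCHEMAS is a trimmed copy of two
attribute definitions from the draft's schema figure; the request bodies
below are constructed sample data.
"""
import copy

NS = "urn:ietf:params:scim:schemas:core:2.0:password:"

SCHEMAS = {
    NS + "PasswordResetRequest": [
        {"name": "userName", "type": "string", "required": True,
         "mutability": "readWrite", "returned": "default"},
        {"name": "challenges", "type": "complex", "multiValued": True,
         "required": False, "mutability": "readWrite", "returned": "default",
         "subAttributes": [{"name": "question", "required": True},
                           {"name": "response", "required": True}]},
        {"name": "password", "type": "string", "required": True,
         "mutability": "writeOnly", "returned": "never"},
    ],
    NS + "UserNameGenerateRequest": [
        {"name": "$ref", "type": "reference", "required": False,
         "mutability": "readWrite", "returned": "default"},
        # required + readOnly: the server MUST return it, the client MUST NOT send it
        {"name": "userName", "type": "string", "required": True,
         "mutability": "readOnly", "returned": "default"},
        {"name": "name", "type": "complex", "required": False,
         "mutability": "readWrite", "returned": "default",
         "subAttributes": [{"name": "givenName", "required": False},
                           {"name": "familyName", "required": False}]},
    ],
}


def _check_value(name, attr, value):
    """Type-check one attribute value against its definition."""
    if attr.get("multiValued") and not isinstance(value, list):
        return [f"{name} must be a list"]
    items = value if attr.get("multiValued") else [value]
    problems = []
    for item in items:
        if attr["type"] == "complex":
            if not isinstance(item, dict):
                problems.append(f"{name} values must be objects")
                continue
            for sub in attr["subAttributes"]:
                if sub["required"] and not item.get(sub["name"]):
                    problems.append(f"{name}.{sub['name']} is required")
        elif not isinstance(item, str) or not item:
            problems.append(f"{name} must be a non-empty string")
    return problems


def validate_request(schema_id, body, authenticated=False):
    """Return the problems with a request body; an empty list means it is acceptable."""
    attrs = {a["name"]: a for a in SCHEMAS[schema_id]}
    problems = []
    for name, attr in attrs.items():
        if name in body:
            if attr["mutability"] == "readOnly":
                problems.append(f"{name} is readOnly and MUST NOT be supplied")
            else:
                problems.extend(_check_value(name, attr, body[name]))
        elif attr["required"] and attr["mutability"] != "readOnly":
            problems.append(f"missing required attribute {name}")
    problems.extend(f"unknown attribute {n}" for n in body
                    if n not in attrs and n != "schemas")
    # Rules that the draft states only in the attribute descriptions.
    if schema_id == NS + "PasswordResetRequest" and "password" in body \
            and not body.get("challenges"):
        problems.append("password supplied without challenges")
    if schema_id == NS + "UserNameGenerateRequest" and "$ref" in body \
            and not authenticated:
        problems.append("$ref requires an authenticated request")
    return problems


def filter_response(schema_id, resource):
    """Strip attributes marked "returned": "never" before the representation is sent."""
    out = copy.deepcopy(resource)
    for attr in SCHEMAS[schema_id]:
        if attr["returned"] == "never":
            out.pop(attr["name"], None)
    return out


# Constructed sample request bodies.
RESET_OK = {"schemas": [NS + "PasswordResetRequest"], "userName": "bjensen",
            "challenges": [{"question": "First pet?", "response": "Fido"}],
            "password": "correct horse battery staple"}
RESET_NO_CHALLENGES = {"schemas": [NS + "PasswordResetRequest"],
                       "userName": "bjensen", "password": "hunter2"}
GENERATE_ANON = {"schemas": [NS + "UserNameGenerateRequest"],
                 "name": {"givenName": "Barbara", "familyName": "Jensen"}}
GENERATE_REF = {"schemas": [NS + "UserNameGenerateRequest"],
                "$ref": "https://example.com/v2/Users/2819c223"}

if __name__ == "__main__":
    cases = [("reset ok", NS + "PasswordResetRequest", RESET_OK),
             ("reset without challenges", NS + "PasswordResetRequest", RESET_NO_CHALLENGES),
             ("anonymous generate", NS + "UserNameGenerateRequest", GENERATE_ANON),
             ("unauthenticated $ref generate", NS + "UserNameGenerateRequest", GENERATE_REF)]
    for label, sid, body in cases:
        print(label, "->", validate_request(sid, body) or "ok")
    print(filter_response(NS + "PasswordResetRequest", RESET_OK))
```
]]></artwork>
        </figure></t>
      <t>Note that filter_response follows the schema as written: only the
      password carries "returned": "never", so the challenges.response values
      are not stripped by it, even though they are secrets of the same kind.
      A deployment that persists or echoes these request resources should
      treat them accordingly.</t>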
      </section>
    </section>

    <section anchor="resourceTypes" title="Password Management ResourceTypes">
      <t>The following are the resource type definitions for the resource
      types defined in this specification.<figure
          title="Password Management Resource Types">
          <artwork>[
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "PasswordPolicy",
    "name" : "Password Policy Definition",
    "endpoint" : "/PasswordPolicy",
    "description" : "Password policy definition",
    "schema" : "urn:ietf:params:scim:schemas:core:2.0:policy:Password",
    "schemaExtensions" : [
      
    ]
  },
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "PasswordResetRequest",
    "name" : "Password Reset Request type",
    "endpoint" : "/PasswordResetRequest",
    "description" : "Resource type for processing password reset 
      requests",
    "schema" : 
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest",
    "schemaExtensions" : [
      
    ]
  },
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "PasswordValidateRequest",
    "name" : "Password Validate Request type",
    "endpoint" : "/PasswordValidateRequest",
    "description" : "Resource type for processing password validation 
      requests",
    "schema" : 
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest",
    "schemaExtensions" : [
      
    ]
  },
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "UserNameValidateRequest",
    "name" : "Username Validate Request type",
    "endpoint" : "/UserNameValidateRequest",
    "description" : "Resource type for processing username validation 
      requests",
    "schema" : 
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameValidateRequest",
    "schemaExtensions" : [
      
    ]
  },
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "UserNameGenerateRequest",
    "name" : "Username Generation Request type",
    "endpoint" : "/UserNameGenerateRequest",
    "description" : "Resource type for processing username generation 
      requests",
    "schema" : 
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameGenerateRequest",
    "schemaExtensions" : [
      
    ]
  },
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "UserNameRecoverRequest",
    "name" : "Username Recovery Request type",
    "endpoint" : "/UserNameRecoverRequest",
    "description" : "Resource type for recovering usernames.",
    "schema" : 
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameRecoverRequest",
    "schemaExtensions" : [
      
    ]
  }  
]</artwork>
        </figure></t>
    </section>

    <section anchor="Security" title="Security Considerations" toc="default">
      <t>This specification builds on the SCIM API and Core Schema
      specifications, and the security considerations of both of those drafts
      apply to this specification as well.</t>

      <t>[other considerations TBD]</t>
    </section>

    <section anchor="IANA" title="IANA Considerations">
      <t>TODO: Registration for Password management schema</t>

      <t>TODO: Registration of password management resource types</t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml' ?>

      <?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.3986.xml' ?>

      <?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-scim-api-14.xml'?>

      <?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-scim-core-schema-14.xml'?>
    </references>

    <references title="Informative References">
      <?rfc include='http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-precis-framework-21.xml'?>
    </references>

    <section title="Contributors"/>

    <section title="Acknowledgments">
      <t>The editor would like to thank the participants in the SCIM working
      group for their support of this specification.</t>
    </section>

    <section title="Change Log">
      <t>Draft 00 - PH - First Draft</t>
    </section>
  </back>
</rfc>
