Network Working Group                                        P. Hunt, Ed.
Internet-Draft                                                  G. Wilson
Intended status: Standards Track                                   Oracle
Expires: September 30, 2015                                March 29, 2015


                   SCIM Password Management Extension
                     draft-hunt-scim-password-mgmt-00

Abstract

   The System for Cross-Domain Identity Management (SCIM) specification
   is an HTTP based protocol that makes managing identities in
   multi-domain scenarios easier to support through standardized
   services.  SCIM provides extension points that enable new
   ResourceTypes and Schema Extensions to be defined.  This
   specification defines a set of password and account status
   extensions for managing passwords and password usage (e.g. failures)
   and other related session data.  The specification defines new
   ResourceTypes that enable management of passwords and account
   recovery functions.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 30, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction and Overview
     1.1.  Notational Conventions
     1.2.  Definitions
   2.  Schema Extensions
     2.1.  Password Schema Extension
     2.2.  Password Policy
     2.3.  Management Requests
     2.4.  PasswordResetRequest
       2.4.1.  Password Reset With Challenges
       2.4.2.  Reset With Email Confirmation
     2.5.  PasswordValidateRequest
     2.6.  UsernameValidateRequest
     2.7.  UsernameGenerateRequest
     2.8.  UsernameRecoverRequest
   3.  Schemas Representation
     3.1.  Password Extension
     3.2.  Password Policy Schema
     3.3.  Request Schemas
   4.  Password Management ResourceTypes
   5.  Security Considerations
   6.  IANA Considerations
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Contributors
   Appendix B.  Acknowledgments
   Appendix C.  Change Log
   Authors' Addresses

1.  Introduction and Overview

   The System for Cross-Domain Identity Management (SCIM) specification
   is an HTTP based protocol that makes managing identities in
   multi-domain scenarios easier to support through standardized
   services.  SCIM provides extension points that enable new
   ResourceTypes and Schema Extensions to be defined.  This
   specification defines a set of password and account status
   extensions for managing passwords and tracking password usage (e.g.
   failures) and other related session data.  The specification defines
   new resource types that enable management of passwords and account
   recovery functions.

   This specification defines a set of SCIM schema extensions:

   o  Password Schema Extension - Provides account password state (e.g.
      login attempts, successful login date, create date), policy,
      account locking, as well as challenge questions.

   o  Password Policy Schema - A new resource type that defines password
      policies that may be applied to resources that use passwords,
      such as complexity requirements, expiry, lockout, and usage
      constraints.

   A set of resource types is defined that enables password and
   password policy management:

   o  PasswordPolicy

   o  PasswordResetRequest

   o  PasswordValidateRequest

   o  UsernameValidateRequest

   o  UsernameGenerateRequest

   o  UsernameRecoverRequest

   In the above list, all resource types other than PasswordPolicy are
   temporary resources that are used to convey requests that may update
   an identified target resource URI (e.g. a User).  While these
   requests have a simple state transfer request/response relationship
   with a SCIM client, they may cause secondary effects by changing
   multiple attribute states in the target of the request.  For
   example, setting a resource's password attribute involves validating
   password policy as well as checking and revising password history.
   There may be further service provider actions, such as email
   confirmation, that occur asynchronously from the SCIM client's
   perspective.

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].  These
   keywords are capitalized when used to unambiguously specify
   requirements of the protocol or application features and behavior
   that affect the interoperability and security of implementations.
   When these words are not capitalized, they are meant in their
   natural-language sense.

   For readability, examples are not URL encoded.  Implementers MUST
   percent encode URLs as described in Section 2.1 of [RFC3986].

   Throughout this document, figures may contain spaces and extra
   line-wrapping for readability and space limitations.  Similarly,
   some URIs contained within examples have been shortened for space
   and readability reasons.

1.2.  Definitions

   [TBD]

2.  Schema Extensions

2.1.  Password Schema Extension

   The following SCIM extension defines attributes used to manage
   account passwords within a service provider.  The extension is
   applied to a "User" resource, but MAY be applied to other resources
   that use passwords.  The password extension is identified using the
   following schema URI:
   "urn:ietf:params:scim:schemas:extension:account:2.0:Password".

   The following singular attributes are defined:

   passwordState
      A Complex attribute that describes server provided attributes
      regarding the state of the resource's password.  The following
      sub-attributes are defined:

      createDate
         A DateTime which specifies the date and time the current
         password was set.

      cantChange
         A Boolean indicating that the current password MUST NOT be
         changed and all other password expiry settings SHALL be
         ignored.

      noExpiry
         A Boolean indicating that password expiry policy will not be
         applied for the current resource.

      lastSuccessfulLoginDate
         A DateTime value indicating the last successful login date.

      lastFailedLoginDate
         A DateTime value indicating the last failed login date.

      loginAttempts
         An Integer value indicating the number of failed login
         attempts.  The value is reset to 0 after a successful login.

      resetAttempts
         An Integer value indicating the number of password reset
         attempts.  The value is reset to 0 after a successful reset.

      passwordMustChange
         A Boolean value that indicates that the subject's password
         value MUST change at the next login.  If it is not changed,
         the account is typically locked.  The value may be set
         indirectly when the subject's current password expires, or
         set directly by an administrator.

   passwordPolicyUri
      A URI reference value that indicates the address of a password
      policy that is used in relation to the current resource.

   locked
      A Complex attribute that indicates an account is locked (blocking
      new sessions).  The following sub-attributes are defined:

      reason
         A number value indicating the reason for locking.  Valid
         values are:

         0 - locked due to failed login attempts.

         1 - locked by an administrator.

         2 - locked due to failed forgot password reset attempts.

      on
         A Boolean value indicating the account is locked.

      lockDate
         A DateTime indicating when the resource was locked.

      duration
         An optional Integer indicating the length of the lockout in
         seconds.

   The following multi-valued attributes are defined:

   challenges
      A Complex attribute describing challenge questions that may be
      used as a supplementary factor during login or during password
      management requests.  The following sub-attributes are defined:

      question
         A String that represents a challenge question for which the
         corresponding response is defined.

      response
         A String that represents the subject's specified correct
         response to the corresponding challenge.  The response MAY be
         compared case-sensitively or case-insensitively based on
         service provider policy.

   passwordHistory
      A writeOnly attribute that contains hashes of previous passwords
      associated with the SCIM resource.  The number of passwords
      stored in this attribute is set by "policy.passwordHistorySize".
      Persisted values MUST be securely hashed, such that a clear-text
      value can be tested for previous use by hashing it and looking
      for a matching hash within the array of values.  Because the test
      is a lookup by hash, the hash of a given clear-text value has to
      be stable for the resource; a fast unsalted hash would turn the
      stored history into an offline guessing target, so a slow
      password hash with a per-resource salt (or a keyed hash) is the
      appropriate choice.
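   The counter and lock transitions described above for
   "loginAttempts", "resetAttempts" and "locked", as an added Python
   example written for this page; it is not code from the draft.  It
   assumes the policy attributes "maxIncorrectAttempts",
   "lockOutDuration" (minutes) and "challengePolicy.maxIncorrectAttempts"
   defined in Section 2.2, a constructed sample User and PasswordPolicy,
   that a counter strictly greater than the policy limit triggers the
   lock, and that a lock caused by failed reset attempts uses the same
   "lockOutDuration" (the draft does not say).

```python
"""Apply login and password-reset events to the Password extension
state of a SCIM User (section 2.1).  Example code, not from the draft.
Assumed from section 2.2: "maxIncorrectAttempts", "lockOutDuration"
(minutes) and "challengePolicy.maxIncorrectAttempts"."""
import copy
from datetime import datetime, timedelta, timezone

EXT = "urn:ietf:params:scim:schemas:extension:account:2.0:Password"

# "locked.reason" values from section 2.1.
LOCK_FAILED_LOGINS = 0
LOCK_ADMIN = 1
LOCK_RESET_ATTEMPTS = 2

# Constructed sample resources (not from the draft).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", EXT],
    "userName": "happyAlice",
    EXT: {
        "passwordState": {"loginAttempts": 0, "resetAttempts": 0},
        "locked": {"on": False},
    },
}
SAMPLE_POLICY = {
    "maxIncorrectAttempts": 3,          # failed logins tolerated before lock
    "lockOutDuration": 15,              # minutes, per section 2.2
    "challengePolicy": {"maxIncorrectAttempts": 2},
}


def utc(iso):
    """Parse a SCIM dateTime such as '2015-03-29T12:00:00Z'."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def _ts(dt):
    """Format an aware datetime as a SCIM dateTime in UTC."""
    return dt.astimezone(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")


def is_locked(user, now):
    """True while "locked.on" is set and "locked.duration" (seconds) has not
    elapsed since "locked.lockDate".  A lock without a duration, e.g. an
    administrative lock (reason 1), does not expire on its own."""
    locked = user[EXT].get("locked", {})
    if not locked.get("on"):
        return False
    if locked.get("duration") is None or "lockDate" not in locked:
        return True
    return now < utc(locked["lockDate"]) + timedelta(seconds=locked["duration"])


def _lock(user, reason, now, policy):
    # Assumption: "lockOutDuration" (minutes) applies to every counter-
    # triggered lock; the draft only ties it to failed logins.
    locked = {"on": True, "reason": reason, "lockDate": _ts(now)}
    minutes = policy.get("lockOutDuration")
    if minutes:
        locked["duration"] = minutes * 60   # "locked.duration" is in seconds
    user[EXT]["locked"] = locked


def record_failed_login(user, policy, now):
    """Increment "loginAttempts", stamp "lastFailedLoginDate", and lock with
    reason 0 once the count exceeds "maxIncorrectAttempts" (assumed to be
    the number of failures tolerated; 0 or absent means no limit)."""
    user = copy.deepcopy(user)              # never mutate the caller's copy
    state = user[EXT]["passwordState"]
    state["loginAttempts"] = state.get("loginAttempts", 0) + 1
    state["lastFailedLoginDate"] = _ts(now)
    limit = policy.get("maxIncorrectAttempts") or 0
    if limit and state["loginAttempts"] > limit:
        _lock(user, LOCK_FAILED_LOGINS, now, policy)
    return user


def record_successful_login(user, now):
    """Section 2.1: "loginAttempts" is reset to 0 after a successful login."""
    user = copy.deepcopy(user)
    state = user[EXT]["passwordState"]
    state["loginAttempts"] = 0
    state["lastSuccessfulLoginDate"] = _ts(now)
    return user


def record_reset_attempt(user, policy, all_answers_correct, now):
    """Section 2.2 "challengePolicy.maxIncorrectAttempts": any wrong challenge
    response increments "resetAttempts"; exceeding the limit locks the
    account with reason 2.  A successful reset clears the counter."""
    user = copy.deepcopy(user)
    state = user[EXT]["passwordState"]
    if all_answers_correct:
        state["resetAttempts"] = 0
        return user
    state["resetAttempts"] = state.get("resetAttempts", 0) + 1
    limit = policy.get("challengePolicy", {}).get("maxIncorrectAttempts") or 0
    if limit and state["resetAttempts"] > limit:
        _lock(user, LOCK_RESET_ATTEMPTS, now, policy)
    return user


def simulate_failed_logins(user, policy, failures, start):
    """Feed consecutive failed logins one minute apart; return the final state."""
    now = start
    for _ in range(failures):
        user = record_failed_login(user, policy, now)
        now += timedelta(minutes=1)
    return user


if __name__ == "__main__":
    t0 = utc("2015-03-29T12:00:00Z")
    u = simulate_failed_logins(SAMPLE_USER, SAMPLE_POLICY, 4, t0)
    print(u[EXT]["locked"], is_locked(u, utc("2015-03-29T12:10:00Z")),
          is_locked(u, utc("2015-03-29T12:30:00Z")))
```

   Note that every function returns a modified copy rather than
   mutating its input, so a service provider can compare the before and
   after states when deciding what to persist, and that the policy's
   minutes are converted to the seconds used by "locked.duration".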
256 2.2. Password Policy 258 The following SCIM extension defines a new SCIM resource type known 259 as "PasswordPolicy" and usually has an endpoint of 260 "/PasswordPolicies". The password policy is identified using the 261 following core schema URI: 262 "urn:ietf:params:scim:schemas:core:2.0:policy:Password". 264 The following Single-value attributes are defined: 266 name 267 A String that is the name of the policy. Typically used for 268 informational purposes (e.g. to display to the user). 270 description 271 A String that describes the current policy. Typically used for 272 informational purposes (e.g. to display to a user). 274 maxLength 275 An Integer indicating the maximum password length (in characters). 276 A value of 0 or no value SHALL indicate no maximum length 277 restriction. 279 minLength 280 An Integer indicating the minimum password length (in characters). 281 A value of 0 or no value SHALL indicate no minimum length 282 restriction. 284 minAlphas 285 An Integer indicating the minimum number of alphabetic characters 286 in a password. A value of 0 or no value SHALL indicate no minimum 287 length restriction. 289 minNumerals 290 An Integer indicating the minimum number of numeric characters in 291 a password. A value of 0 or no value SHALL indicate no minimum 292 length restriction. 294 minAlphaNumerals 295 An Integer indicating the minimum number of alphabetic or numeric 296 characters in a password. A value of 0 or no value SHALL indicate 297 no minimum length restriction. 299 minSpecialChars 300 An Integer indicating the minimum number of special characters in 301 a password. A value of 0 or no value SHALL indicate no minimum 302 length restriction. 304 maxSpecialChars 305 An Integer indicating the maximum number of special characters in 306 a password. A value of 0 or no value SHALL indicate no maximum 307 length restriction. 309 minUpperCase 310 An Integer indicating the minimum number of upper-case alphabetic 311 characters in a password. 
A value of 0 or no value SHALL indicate 312 no minimum length restriction. 314 minLowerCase 315 An Integer indicating the minimum number of lower-case alphabetic 316 characters in a password. A value of 0 or no value SHALL indicate 317 no minimum length restriction. 319 minUniqueChars 320 An Integer indicating the minimum number of unique characters in a 321 password. A value of 0 or no value SHALL indicate no minimum 322 restriction. 324 maxRepeatedChars 325 An Integer indicating the maximum number of repeated characters in 326 a password. A value of 0 or no value SHALL indicate no 327 restriction. 329 startsWithAlpha 330 A Boolean indicating that the password MUST being with an 331 alphabetic character. 333 minUnicodeChars 334 [...not sure this makes sense. There are strict limitations on 335 password values (must be Unicode UTF-8 processed by PRECIS)] 337 firstNameDisallowed 338 A Boolean indicating a sequence of characters matching the 339 resource's "name.givenName" SHALL NOT be included in the password. 341 lastNameDisallowed 342 A Boolean indicating a sequence of characters matching the 343 resource's "name.familyName" SHALL NOT be included in the 344 password. 346 userNameDisallowed 347 A Boolean indicating a sequence of characters matching the 348 resource's "userName" SHALL NOT be included in the password. 350 minPasswordAgeInDays 351 An Integer indicating the minimum age in days before the password 352 MAY be changed. 354 warningAfterDays 355 An Integer indicating the number of days after which a password 356 reset warning will be issued. 358 expiresAfterDays 359 An Integer indicating the numbers of days after which a password 360 reset is required. 362 requiredChars 363 A String value whose contents indicates a set of characters that 364 MUST appear, in any sequence, in a password value. 366 disallowedChars 367 A String value whose contents indicates a set of characters that 368 SHALL NOT appear, in any sequence, in a password value. 
370 disallowedSubStrings 371 A Multi-valued String indicating a set of Strings that SHALL NOT 372 appear within a password value. 374 dictionaryLocation 375 A Reference value containing the URI of a dictionary of words not 376 allowed to appear within a password value. 378 passwordHistorySize 379 An Integer indicating the number of passwords that will be kept in 380 history that may not be used as a password. 382 maxIncorrectAttempts 383 An Integer representing the maximum number of failed logins before 384 an account is locked. 386 lockOutDuration 387 An Integer indicating the number of minutes an account will be 388 locked after "maxIncorrectAttempts" exceeded. 390 challengesEnabled 391 A Boolean value indicating challenges MAY be used during 392 authentication. 394 challengePolicy 395 A complex attribute that defines policy around challenges. It 396 contains the following sub-attributes: 398 source An Integer indicating one of the following: 400 + 0 - User Defined. 402 + 1 - Admin Defined. 404 + 2 - User and Admin Defined. 406 defaultQuestions A Multi-valued String attribute that contains 407 one or more default question a subject may use when setting 408 their challenge questions. 410 minQuestionCount An Integer indicating the minimum number of 411 challenge questions a subject MUST answer when setting 412 challenge question answers. A value of 0 or no value indicates 413 no minimum. 415 minAnswerCount An Integer indicating the minimum number of 416 challenge answers a subject MUST answer when attempting to 417 reset their password via forgot password request. 419 allAtOnce A Boolean value. When true, the client UI will present 420 all challengers in random order each time displayed. When 421 false, the client UI will present one challenge question at a 422 time where the subject MUST respond before the next is 423 displayed. 425 minResponseLength An Integer indicating the minimum number of 426 characters in a challenge response. 
No value or a value of 0 427 indicates no minimum length (effectively 1). 429 maxIncorrectAttempts An Integer indicates the maximum number of 430 failed reset password attempts using challenges. If any 431 challenges are wrong in a reset attempt, the user's 432 "resetAttempts" counter will be incremented by 1. If 433 "resetAttempts" is greater than "maxIncorrectAttempts", the 434 subject's account will be locked with a "locked.reason" value 435 of 2 see Paragraph 3. 437 2.3. Management Requests 439 This extension defines a series of password and username management 440 requests that are modeled as SCIM resource types. Each request acts 441 as a "function" that MAY result in multiple changes to a designated 442 resource (e.g. User). For example, setting a password involves the 443 service provider validating the new password, updating the password, 444 revising password history and resetting appropriate password state 445 values. 447 A management request is performed by doing a SCIM creation request 448 for the associated management function resource type. Each request 449 resource type has its own schema and resource type endpoint. The 450 normal SCIM API rules apply to these requests. When a request is 451 completed, a SCIM service provider MAY return the final state in the 452 HTTP response, or it MAY return the location of the created request 453 resource object that MAY be used for further processing. [TO BE 454 CLARIFIED] 456 The following requests are supported and defined in the following 457 sections: 459 o PasswordResetRequest 461 o PasswordValidateRequest 463 o UsernameValidateRequest 465 o GenerateUsernameRequest 467 o RecoverUsernameRequest 469 2.4. PasswordResetRequest 471 A password reset request is performed by performing a SCIM Create 472 operation using HTTP POST to the endpoint for resource type 473 "PasswordResetRequest" which is typically "/PasswordResetRequests". 
   Upon receiving the request, the service provider, based on its own
   internal logic, validates the request and subsequently resets the
   password of the resource identified by "userName".  This request MAY
   be made anonymously (since the user is unable to authenticate) or
   through an authenticated web application component (which in turn
   may be unable to authenticate the user).  [Add security
   considerations for this request]

   Upon validating a request, the service provider may return either
   HTTP Status 200 (Ok), or it may return the request as a temporary
   resource that exists for a period of time (e.g. awaiting secondary
   approval or e-mail confirmation).

   The core schema for a "PasswordResetRequest" is "urn:ietf:params:scim
   :schemas:core:2.0:password:PasswordResetRequest".  The above schema
   can be used in several reset forms as described in the following two
   sections.  This schema includes the following attributes:

   userName
      A string value that matches the service provider unique identifier
      for the user.

   challenges
      A Complex attribute describing challenge questions and responses
      that match the values found in the resource matched by the
      "userName" attribute.

      question
         A String that represents a challenge question for which the
         corresponding response is defined.

      response
         A String that represents the subject's specified correct
         response to the corresponding challenge.  The response MAY be
         compared case-sensitively or case-insensitively based on
         service provider policy.

2.4.1.  Password Reset With Challenges

   An anonymous client (or an authenticated web application), by
   providing a "userName", the correct set of challenges and a new
   password value, MAY request that a service provider accept the
   requested "password" and set the "password" directly.  The service
   provider might perform other secondary checks to confirm the
   requestor's identity (e.g. email confirmation).

     POST /PasswordResetRequests HTTP/1.1
     Host: example.com
     Accept: application/json
     Content-Type: application/json
     Content-Length: ...
     {
       "schemas":
         ["urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"],
       "userName": "happyAlice",
       "challenges": [
         {
           "question":"what is your favorite color",
           "response":"red"
         },
         {
           "question":"what is name of your pet",
           "response":"pet"
         },
         {
           "question":"what is city of your birth",
           "response":"city"
         }],
       "password": ""
     }

   Upon processing a successful request, the SCIM service provider would
   respond with:

     HTTP/1.1 200 OK

   In the above example, the request is considered complete when the
   response is returned.  In this case, no permanent request object is
   created and so no HTTP Location value is returned.  In some cases,
   the service provider MAY keep the request until the workflow
   completes.  If it wishes to allow clients to "poll" for status, it
   MAY create a resource and return an HTTP Location in the response.
   [Is this needed?]

2.4.2.  Reset With Email Confirmation

   By providing only a "userName" value, an email confirmation flow MAY
   be initiated that requires the subject to click on a link (to prove
   ownership of the known email), upon which the user is confirmed and
   the request is processed.

     POST /PasswordResetRequests HTTP/1.1
     Host: example.com
     Accept: application/json
     Content-Type: application/json
     Content-Length: ...
     {
       "schemas":
         ["urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"],
       "userName": "happyAlice"
     }

   Upon processing a successful request, the SCIM service provider SHALL
   respond with:

     HTTP/1.1 200 OK

   In the above example, it is expected that the User will be given a
   link to click on out-of-band.  As such, the current request completes
   with no further response.  As with the Challenges variant, a service
   provider MAY provide an HTTP Location if the service provider intends
   to keep the request active until it is completed.  [Is a persisted
   request needed?]

2.5.  PasswordValidateRequest

   A password validation request MAY be used to confirm that a proposed
   password value conforms to service provider policy and associated
   user policy and password state criteria (e.g. password history).  A
   request is performed by performing a SCIM Create operation using HTTP
   POST to the endpoint for resource type "PasswordValidateRequest",
   which is typically "/PasswordValidateRequests".  Upon receiving the
   request, the service provider, based on its own logic and any
   associated password policy for the resource, validates the provided
   password.  [can this be made anonymously?]

   Upon validating a request, the service provider may return either
   HTTP Status 200 (Ok), or it may return HTTP Status 400 indicating the
   password is unacceptable.  [NOTE: should there be a scimType and/or
   description describing a standardized reason for failure such as:
   history, tooShort, tooLong, missingSpecialChar, etc.]

   The core schema for a "PasswordValidateRequest" is "urn:ietf:params:s
   cim:schemas:core:2.0:password:PasswordValidateRequest".  This schema
   includes the following attributes:

   $ref
      A reference value that contains a URI that points to the resource
      (e.g. User) against which the proposed password is to be
      validated as an acceptable password.
   password
      A string value containing the requested password value for which
      validation is requested.

   The following is a non-normative example validation request.  The
   example has been altered for clarity:

     POST /PasswordValidateRequests HTTP/1.1
     Host: example.com
     Accept: application/json
     Content-Type: application/json
     Content-Length: ...
     {
       "schemas":
         ["urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest"],
       "$ref": "/Users/2819c223-7f76-453a-919d-413861904646",
       "password":"someG00Didea!"
     }

   A successful response looks similar to the following non-normative
   example:

     HTTP/1.1 200 OK

2.6.  UsernameValidateRequest

   A username validation request MAY be used to confirm that a proposed
   username value conforms to service provider policy and associated
   user policy as well as uniqueness.  A request is performed by
   performing a SCIM Create operation using HTTP POST to the endpoint
   for resource type "UsernameValidateRequest", which is typically
   "/UsernameValidateRequests".  Upon receiving the request, the service
   provider tests for uniqueness and any associated formatting policy
   and validates the provided username.

   Upon validating a request, the service provider may return either
   HTTP Status 200 (Ok), or it may return HTTP Status 400 indicating the
   username is unacceptable.  [NOTE: should there be a scimType and/or
   description describing a standardized reason for failure such as:
   history, tooShort, tooLong, missingSpecialChar, etc.]

   The core schema for a "UsernameValidateRequest" is "urn:ietf:params:s
   cim:schemas:core:2.0:password:UsernameValidateRequest".  This schema
   includes the following attributes:

   $ref
      A reference value that contains a URI that points to the resource
      (e.g. User) against which the proposed userName value is to be
      validated as acceptable.
   userName
      A string value containing the requested userName value for which
      validation is requested.

   The following is a non-normative example validation request.  The
   example has been altered for clarity:

     POST /UsernameValidateRequests HTTP/1.1
     Host: example.com
     Accept: application/json
     Content-Type: application/json
     Content-Length: ...
     {
       "schemas":
         ["urn:ietf:params:scim:schemas:core:2.0:password:UsernameValidateRequest"],
       "$ref": "/Users/2819c223-7f76-453a-919d-413861904646",
       "userName":"susieQ"
     }

   A successful response looks similar to the following non-normative
   example:

     HTTP/1.1 200 OK

2.7.  UsernameGenerateRequest

   A username generation request MAY be used to request an automatically
   generated userName that conforms to service provider policy and
   uniqueness requirements.  A request is performed by performing a SCIM
   Create operation using HTTP POST to the endpoint for resource type
   "UsernameGenerateRequest", which is typically
   "/UsernameGenerateRequests".  Upon receiving the request, the service
   provider generates a unique userName and returns it in a response.

   The core schema for a "UsernameGenerateRequest" is "urn:ietf:params:s
   cim:schemas:core:2.0:password:UsernameGenerateRequest".  This schema
   includes the following attributes:

   $ref
      An operational reference value that contains a URI that points to
      the resource (e.g. User) whose existing "name" attribute MAY be
      used to generate a userName value.  When the $ref attribute is
      used, the generate request MUST be authenticated.

   userName
      A string value that is returned in the server's response and that
      contains a generated userName value.  The generated userName is
      not reserved; it is guaranteed on a first-come-first-served basis
      by a subsequent SCIM creation or modify request.
   name
      An optional complex attribute containing the components of the
      user's name from which a userName value is to be generated.  This
      attribute MAY typically be used as part of an anonymous userName
      generation request during a user registration dialog.

      formatted  The full name, including all middle names, titles, and
         suffixes as appropriate, formatted for display (e.g. "Ms.
         Barbara Jane Jensen, III.").

      familyName  The family name of the User, or last name in most
         Western languages (e.g. "Jensen" given the full name "Ms.
         Barbara Jane Jensen, III.").

      givenName  The given name of the User, or first name in most
         Western languages (e.g. "Barbara" given the full name "Ms.
         Barbara Jane Jensen, III.").

      middleName  The middle name(s) of the User (e.g. "Jane" given the
         full name "Ms. Barbara Jane Jensen, III.").

      honorificPrefix  The honorific prefix(es) of the User, or title in
         most Western languages (e.g. "Ms." given the full name "Ms.
         Barbara Jane Jensen, III.").

      honorificSuffix  The honorific suffix(es) of the User, or suffix
         in most Western languages (e.g. "III." given the full name
         "Ms. Barbara Jane Jensen, III.").

   The following is a non-normative example userName generation request.
   The example has been altered for clarity:

     POST /UsernameGenerateRequests HTTP/1.1
     Host: example.com
     Accept: application/json
     Content-Type: application/json
     Content-Length: ...
     {
       "schemas":
         ["urn:ietf:params:scim:schemas:core:2.0:password:UsernameGenerateRequest"],
       "name": {
         "formatted": "Ms. Barbara J Doe III",
         "familyName": "Doe",
         "givenName": "Barbara",
         "middleName": "Jane",
         "honorificSuffix": "III"
       }
     }

   A successful response looks similar to the following non-normative
   example:

     HTTP/1.1 200 OK
     {
       "userName": "barbara.doe"
     }

2.8.  UsernameRecoverRequest

   A userName recovery request MAY be used to look up a userName based
   on a provided email address.  The provided email address may be
   matched against any value of an existing resource's "emails"
   attribute.  A request is performed by performing a SCIM Create
   operation using HTTP POST to the endpoint for resource type
   "UsernameRecoverRequest", which is typically
   "/UsernameRecoverRequests".  Upon receiving the request, the service
   provider looks up the userName of the matching resource and returns
   it in a response.

   The core schema for a "UsernameRecoverRequest" is "urn:ietf:params:sc
   im:schemas:core:2.0:password:UsernameRecoverRequest".  This schema
   includes the following attributes:

   email
      A string value containing an email address that is to be matched
      against an existing resource's "emails" attribute.

   userName
      A string value provided in response to a request which is the
      unique userName that corresponds to the recovery request.

   The following is a non-normative example userName recovery request.
   The example has been altered for clarity:

     POST /UsernameRecoverRequests HTTP/1.1
     Host: example.com
     Accept: application/json
     Content-Type: application/json
     Content-Length: ...
     {
       "schemas":
         ["urn:ietf:params:scim:schemas:core:2.0:password:UsernameRecoverRequest"],
       "email": "bdoe@example.com"
     }

   A successful response looks similar to the following non-normative
   example:

     HTTP/1.1 200 OK
     {
       "userName": "barbara.doe"
     }

   [Note: it would be more secure not to return the userName in the
   response; instead the service provider should send an email
   confirmation]

3.  Schemas Representation

   This section provides a JSON representation of the schema extensions
   in this draft.  [TODO follow format of Sec 8.7 of core schema draft]

3.1.  Password Extension

   The following is a representation of the password state extension
   "urn:ietf:params:scim:schemas:extension:account:2.0:Password" that is
   used to extend a User resource.

   {
     "id" :
       "urn:ietf:params:scim:schemas:extension:account:2.0:Password",
     "name" : "Password Management Schema Extension",
     "description" : "This extension defines attributes used to manage
       account passwords within a service provider.  The extension is
       typically applied to a User resource, but MAY be applied to
       other resources that use passwords.",

     "attributes" : [
       {
         "name" : "passwordState",
         "type" : "complex",
         "multiValued" : false,
         "description" : "A Complex attribute that describes server
           provided attributes regarding the state of the resource's
           password.",
         "required" : true,
         "returned" : "default",
         "mutability" : "readWrite",
         "subAttributes" : [
           {
             "name" : "createDate",
             "type" : "dateTime",
             "multiValued" : false,
             "description" : "A DateTime which specifies the date and
               time the current password was set.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "cantChange",
             "type" : "boolean",
             "multiValued" : false,
             "description" : "A Boolean indicating that the current
               password MAY NOT be changed and all other password expiry
               settings SHALL be ignored",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "noExpiry",
             "type" : "boolean",
             "multiValued" : false,
             "description" : "A Boolean indicating that password expiry
               policy will not be applied for the current resource.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "lastSuccessfulLoginDate",
             "type" : "dateTime",
             "multiValued" : false,
             "description" : "A DateTime value indicating the last
               successful login date.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "lastFailedLoginDate",
             "type" : "dateTime",
             "multiValued" : false,
             "description" : "A DateTime value indicating the last
               failed login date.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "loginAttempts",
             "type" : "integer",
             "multiValued" : false,
             "description" : "An Integer value indicating the number of
               failed login attempts.  The value is reset to 0 after a
               successful login.",
             "required" : false,
             "mutability" : "readOnly",
             "returned" : "default"
           },
           {
             "name" : "resetAttempts",
             "type" : "integer",
             "multiValued" : false,
             "description" : "An Integer value indicating the number of
               password reset attempts.  The value is reset to 0 after a
               successful reset.",
             "required" : false,
             "mutability" : "readOnly",
             "returned" : "default"
           },
           {
             "name" : "passwordMustChange",
             "type" : "boolean",
             "multiValued" : false,
             "description" : "A Boolean value that indicates that the
               subject password value MUST change at the next login.  If
               not changed, typically the account is locked.  The value
               may be set indirectly when the subject's current password
               expires, or directly set by an administrator.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           }
         ]
       },
       {
         "name" : "passwordPolicyUrl",
         "type" : "reference",
         "referenceTypes" : ["PasswordPolicy"],
         "multiValued" : false,
         "description" : "A URI reference value that indicates the
           address of a password policy that is used in relation to the
           current resource.",
         "required" : false,
         "caseExact" : false,
         "mutability" : "readWrite",
         "returned" : "default",
         "uniqueness" : "none"
       },
       {
         "name" : "locked",
         "type" : "complex",
         "multiValued" : false,
         "description" : "A Complex attribute that indicates an account
           is locked (blocking new sessions).",
         "required" : false,
         "returned" : "default",
         "mutability" : "readWrite",
         "subAttributes" : [
           {
             "name" : "reason",
             "type" : "integer",
             "multiValued" : false,
             "description" : "A number value indicating the reason for
               locking.  Valid values are: 0 - failed attempts.  1 - admin
               lock.  2 - reset attempts",
             "required" : true,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "on",
             "type" : "boolean",
             "multiValued" : false,
             "description" :
               "A Boolean value indicating the account is locked.",
             "required" : true,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "lockDate",
             "type" : "dateTime",
             "multiValued" : false,
             "description" : "A DateTime which specifies the date and
               time the current resource was locked.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           }
         ]
       },
       {
         "name" : "challenges",
         "type" : "complex",
         "multiValued" : true,
         "description" : "A Complex attribute describing challenge
           questions that may be used as a supplementary factor during
           login or during password management requests.",
         "required" : false,
         "returned" : "default",
         "mutability" : "readWrite",
         "subAttributes" : [
           {
             "name" : "question",
             "type" : "string",
             "multiValued" : false,
             "description" : "A String that represents a challenge
               question for which the corresponding response is
               defined.",
             "required" : true,
             "caseExact" : true,
             "mutability" : "readWrite",
             "returned" : "default",
             "uniqueness" : "none"
           },
           {
             "name" : "response",
             "type" : "string",
             "multiValued" : false,
             "description" : "A String that represents the subject's
               specified correct response to the corresponding
               challenge.",
             "required" : true,
             "caseExact" : false,
             "mutability" : "readWrite",
             "returned" : "default",
             "uniqueness" : "none"
           }
         ]
       },
       {
         "name" : "passwordHistory",
         "type" : "string",
         "multiValued" : true,
         "description" : "A writeOnly attribute that contains hashes of
           previous passwords associated with the SCIM resource.",
         "required" :
           false,
         "caseExact" : true,
         "mutability" : "writeOnly",
         "returned" : "never",
         "uniqueness" : "none"
       }
     ]
   }

                       Password Extension for Users

3.2.  Password Policy Schema

   The following is a representation of the password policy resource
   type extension
   "urn:ietf:params:scim:schemas:core:2.0:policy:Password" that is used
   to define a PasswordPolicy resource.

   {
     "id" :
       "urn:ietf:params:scim:schemas:core:2.0:policy:Password",
     "name" : "Password Policy Schema",
     "description" : "This extension defines attributes for a password
       policy.",
     "attributes" : [
       {
         "name" : "name",
         "type" : "string",
         "multiValued" : false,
         "description" : "A String that is the name of the policy.
           Typically used for informational purposes (e.g. to display
           to the user)",
         "required" : true,
         "caseExact" : false,
         "mutability" : "readWrite",
         "returned" : "default",
         "uniqueness" : "none"
       },
       {
         "name" : "description",
         "type" : "string",
         "multiValued" : false,
         "description" : "A String that describes the current policy.
           Typically used for informational purposes (e.g. to display
           to a user).",
         "required" : false,
         "caseExact" : false,
         "mutability" : "readWrite",
         "returned" : "default",
         "uniqueness" : "none"
       },
       {
         "name" : "maxLength",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Maximum password length in characters.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "minLength",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Minimum password length in characters.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "minAlphas",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Minimum number of alpha chars.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "minNumerals",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Minimum number of numeric characters.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "minAlphaNumerals",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Minimum num of alphas and numeric chars.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "minSpecialChars",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Minimum num of special chars.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "maxSpecialChars",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Maximum number of special chars.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "minUpperCase",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Minimum num of upper case chars.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "minLowerCase",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Minimum num of lower case chars.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "minUnique",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Minimum num of unique chars.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "maxRepeatChars",
         "type" : "integer",
         "multiValued" : false,
         "description" : "Max num of repeated chars.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "startsWithAlphas",
         "type" : "boolean",
         "multiValued" : false,
         "description" : "Indicates password must begin with alpha char",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "minUnicodeChars",
         "type" : "integer",
         "multiValued" : false,
         "description" : "[TO BE DISCUSSED]",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "firstNameDisallowed",
         "type" : "boolean",
         "multiValued" : false,
         "description" : "Indicates a sequence of characters matching
           the resource's name.givenName SHALL NOT be included in the
           password",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "lastNameDisallowed",
         "type" : "boolean",
         "multiValued" : false,
         "description" : "Indicates a sequence of characters matching
           the resource's name.familyName SHALL NOT be included in the
           password",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "userNameDisallowed",
         "type" : "boolean",
         "multiValued" : false,
         "description" : "Indicates a sequence of characters matching
           the resource's userName SHALL NOT be included in the
           password",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "minPasswordAgeInDays",
         "type" : "integer",
         "multiValued" : false,
         "description" : "An Integer indicating the minimum age in days
           before the password MAY be changed.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "warningAfterDays",
         "type" : "integer",
         "multiValued" : false,
         "description" : "An Integer indicating the number of days after
           which a password reset warning will be issued.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "expiresAfterDays",
         "type" : "integer",
         "multiValued" : false,
         "description" : "An Integer indicating the number of days
           after which a password reset is required.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "requiredChars",
         "type" : "string",
         "multiValued" : false,
         "description" : "A String value whose contents indicate a set
           of characters that MUST appear, in any sequence, in a
           password value.",
         "required" : false,
         "caseExact" : true,
         "mutability" : "readWrite",
         "returned" : "never",
         "uniqueness" : "none"
       },
       {
         "name" : "disallowedChars",
         "type" : "string",
         "multiValued" : false,
         "description" : "A String value whose contents indicate a set
           of characters that SHALL NOT appear in a password value.",
         "required" : false,
         "caseExact" : true,
         "mutability" : "readWrite",
         "returned" : "never",
         "uniqueness" : "none"
       },
       {
         "name" : "disallowedSubstrings",
         "type" : "string",
         "multiValued" : true,
         "description" : "A set of strings that SHALL NOT appear in a
           password value.",
         "required" : false,
         "caseExact" : true,
         "mutability" : "readWrite",
         "returned" : "never",
         "uniqueness" : "none"
       },
       {
         "name" : "dictionaryLocation",
         "type" : "reference",
         "referenceTypes" : ["reference"],
         "multiValued" : false,
         "description" : "A Reference value containing the URI of a
           dictionary of words not allowed to appear within a password
           value.",
         "required" : false,
         "caseExact" : false,
         "mutability" : "readWrite",
         "returned" : "default",
         "uniqueness" : "none"
       },
       {
         "name" : "passwordHistorySize",
         "type" : "integer",
         "multiValued" : false,
         "description" : "An Integer indicating the number of passwords
           that will be kept in history that may not be used as a
           password.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "maxIncorrectAttempts",
         "type" : "integer",
         "multiValued" : false,
         "description" : "An Integer representing the maximum number of
           failed logins before an account is locked.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "lockOutDuration",
         "type" : "integer",
         "multiValued" : false,
         "description" : "An integer indicating the number of minutes
           an account will be locked after maxIncorrectAttempts is
           exceeded.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "challengesEnabled",
         "type" : "boolean",
         "multiValued" : false,
         "description" : "Indicates whether challenges may be used
           during authentication.",
         "required" : false,
         "mutability" : "readWrite",
         "returned" : "default"
       },
       {
         "name" : "challengePolicy",
         "type" : "complex",
         "multiValued" : false,
         "description" : "A complex attribute that defines policy around
           challenges.",
         "required" : true,
         "returned" : "default",
         "mutability" : "readWrite",
         "subAttributes" : [
           {
             "name" : "source",
             "type" : "integer",
             "multiValued" : false,
             "description" : "A number value indicating the source for
               challenges.  Valid values are: 0 - user.  1 - admin
               defined.  2 - both",
             "required" : true,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "defaultQuestions",
             "type" : "string",
             "multiValued" : true,
             "description" : "A Multi-valued String attribute that
               contains one or more default questions a subject may use
               when setting their challenge questions",
             "required" : false,
             "caseExact" : false,
             "mutability" : "readWrite",
             "returned" : "default",
             "uniqueness" : "none"
           },
           {
             "name" : "minQuestionCount",
             "type" : "integer",
             "multiValued" : false,
             "description" : "An Integer indicating the minimum number
               of challenge questions a subject MUST answer when setting
               challenge question answers.  A value of 0 or no value
               indicates no minimum.",
             "required" : true,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "minAnswerCount",
             "type" : "integer",
             "multiValued" : false,
             "description" : "An Integer indicating the minimum number
               of challenge answers a subject MUST answer when
               attempting to reset their password via forgot password
               request.",
             "required" : true,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "allAtOnce",
             "type" : "boolean",
             "multiValued" : false,
             "description" : "When true, the client UI will present
               all challenges in random order each time displayed.
               When false, the client UI will present one challenge
               question at a time where the subject MUST respond before
               the next is displayed.",
             "required" : true,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "minResponseLength",
             "type" : "integer",
             "multiValued" : false,
             "description" : "An Integer indicating the minimum number
               of chars in a challenge response.  No value or a value
               of 0 indicates no minimum length (effectively 1)",
             "required" : true,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "maxIncorrectAttempts",
             "type" : "integer",
             "multiValued" : false,
             "description" : "An Integer indicating the maximum number of
               failed reset password attempts using challenges.  If any
               challenges are wrong in a reset attempt, the user's
               resetAttempts counter will be incremented by 1.  If
               resetAttempts is greater than maxIncorrectAttempts, the
               subject's account will be locked with a locked.reason
               value.",
             "required" : true,
             "mutability" : "readWrite",
             "returned" : "default"
           }
         ]
       }
     ]
   }

                          Password Policy Schema

3.3.  Request Schemas

   The following are the schemas for all password request resource types
   returned by the "/Schemas" endpoint:

   [
     {
       "id" :
         "urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest",
       "name" : "Password Reset Request",
       "description" : "Used to submit a password reset request for a
         specific userName.  Before resetting, a secondary confirmation is
         completed.",
       "attributes" : [
         {
           "name" : "userName",
           "type" : "string",
           "multiValued" : false,
           "description" : "A string value that matches the service provider
             unique identifier for the user.",
           "required" : true,
           "caseExact" : false,
           "mutability" : "readWrite",
           "returned" : "default",
           "uniqueness" : "none"
         },
         {
           "name" : "challenges",
           "type" : "complex",
           "multiValued" : true,
           "description" : "A Complex attribute describing challenge
             questions and responses that match the values found in the
             resource matched by the userName attribute.",
           "required" : false,
           "returned" : "default",
           "mutability" : "readWrite",
           "subAttributes" : [
             {
               "name" : "question",
               "type" : "string",
               "multiValued" : false,
               "description" : "A String that represents a challenge
                 question for which the corresponding response is
                 defined.",
               "required" : true,
               "caseExact" : true,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             },
             {
               "name" : "response",
               "type" : "string",
               "multiValued" : false,
               "description" : "A String that represents the subject's
                 specified correct response to the corresponding
                 challenge.",
               "required" : true,
               "caseExact" : false,
               "mutability" : "readWrite",
               "returned" : "default",
               "uniqueness" : "none"
             }
           ]
         },
         {
           "name" : "password",
           "type" : "string",
           "multiValued" : false,
           "description" : "A string value for the requested password.
             When specified, the challenges attribute must also be present.",
           "required" : true,
           "caseExact" : false,
           "mutability" : "writeOnly",
           "returned" : "never",
           "uniqueness" : "none"
         }
       ]
     },
     {
       "id" :
         "urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest",
       "name" : "Password Validate Request",
       "description" : "Used to submit a password for validation.",
       "attributes" : [
         {
           "name" : "password",
           "type" : "string",
           "multiValued" : false,
           "description" : "A string value for the requested password.
             When specified, the challenges attribute must also be present.",
           "required" : true,
           "caseExact" : false,
           "mutability" : "writeOnly",
           "returned" : "never",
           "uniqueness" : "none"
         }
       ]
     },
     {
       "id" :
         "urn:ietf:params:scim:schemas:core:2.0:password:UserNameValidateRequest",
       "name" : "UserName Validate Request",
       "description" : "Used to submit a username for validation.",
       "attributes" : [
         {
           "name" : "$ref",
           "type" : "reference",
           "referenceTypes" : [
             "User"
           ],
           "multiValued" : false,
           "description" : "A reference value that contains a URI that
             points to the resource (e.g.
User) against which the proposed 1599 userName value is to be validated as an acceptable.", 1600 "required" : false, 1601 "caseExact" : false, 1602 "mutability" : "readWrite", 1603 "returned" : "default", 1604 "uniqueness" : "none" 1605 }, 1606 { 1607 "name" : "userName", 1608 "type" : "string", 1609 "multiValued" : false, 1610 "description" : "A string value containing the requested userName 1611 value for which validation is requested.", 1612 "required" : true, 1613 "caseExact" : false, 1614 "mutability" : "readWrite", 1615 "returned" : "default", 1616 "uniqueness" : "none" 1617 } 1618 ] 1619 }, 1620 { 1621 "id" : 1622 "urn:ietf:params:scim:schemas:core:2.0:password:UserNameGenerateRequest", 1623 "name" : "Username Generate Request", 1624 "description" : "Used to request a new username be generated.", 1625 "attributes" : [ 1626 { 1627 "name" : "$ref", 1628 "type" : "reference", 1629 "referenceTypes" : [ 1630 "User" 1631 ], 1632 "multiValued" : false, 1633 "description" : "An reference value that contains a URI that 1634 points to the resource (e.g. User) against which existing 1635 resource's name attribute MAY be used to generate a userName 1636 value. When the $ref attribute is used, the generate 1637 request MUST be authenticated.", 1638 "required" : false, 1639 "caseExact" : false, 1640 "mutability" : "readWrite", 1641 "returned" : "default", 1642 "uniqueness" : "none" 1643 }, 1644 { 1645 "name" : "userName", 1646 "type" : "string", 1647 "multiValued" : false, 1648 "description" : "A string value that is returned in the 1649 server's reponse that contains a generated userName value. 
1650 The generated userName is not reserved and is guaranteed on 1651 first-come-first-served basis by a subsequent SCIM creation 1652 or modify request.", 1653 "required" : true, 1654 "caseExact" : false, 1655 "mutability" : "readOnly", 1656 "returned" : "default", 1657 "uniqueness" : "none" 1658 }, 1659 { 1660 "name" : "name", 1661 "type" : "complex", 1662 "multiValued" : false, 1663 "description" : "An optional complex attribute containing the 1664 components of the user's name against which a userName value 1665 is to be generated. This attribute MAY be typically used as 1666 part of an anonymous userName generation request during a 1667 user registration dialog.", 1668 "required" : false, 1669 "subAttributes" : [ 1670 { 1671 "name" : "formatted", 1672 "type" : "string", 1673 "multiValued" : false, 1674 "description" : "The full name, including all middle names, 1675 titles, and suffixes as appropriate, formatted for display (e.g. Ms. 1676 Barbara J Jensen, III.).", 1677 "required" : false, 1678 "caseExact" : false, 1679 "mutability" : "readWrite", 1680 "returned" : "default", 1681 "uniqueness" : "none" 1682 }, 1683 { 1684 "name" : "familyName", 1685 "type" : "string", 1686 "multiValued" : false, 1687 "description" : "The family name of the User, or Last Name 1688 in most Western languages (e.g. Jensen given the full name Ms. Barbara J 1689 Jensen, III.).", 1690 "required" : false, 1691 "caseExact" : false, 1692 "mutability" : "readWrite", 1693 "returned" : "default", 1694 "uniqueness" : "none" 1695 }, 1696 { 1697 "name" : "givenName", 1698 "type" : "string", 1699 "multiValued" : false, 1700 "description" : "The given name of the User, or First Name 1701 in most Western languages (e.g. Barbara given the full name Ms. 
Barbara 1702 J Jensen, III.).", 1703 "required" : false, 1704 "caseExact" : false, 1705 "mutability" : "readWrite", 1706 "returned" : "default", 1707 "uniqueness" : "none" 1708 }, 1709 { 1710 "name" : "middleName", 1711 "type" : "string", 1712 "multiValued" : false, 1713 "description" : "The middle name(s) of the User (e.g. Robert 1714 given the full name Ms. Barbara J Jensen, III.).", 1715 "required" : false, 1716 "caseExact" : false, 1717 "mutability" : "readWrite", 1718 "returned" : "default", 1719 "uniqueness" : "none" 1720 }, 1721 { 1722 "name" : "honorificPrefix", 1723 "type" : "string", 1724 "multiValued" : false, 1725 "description" : "The honorific prefix(es) of the User, or 1726 Title in most Western languages (e.g. Ms. given the full name Ms. 1727 Barbara J Jensen, III.).", 1728 "required" : false, 1729 "caseExact" : false, 1730 "mutability" : "readWrite", 1731 "returned" : "default", 1732 "uniqueness" : "none" 1733 }, 1734 { 1735 "name" : "honorificSuffix", 1736 "type" : "string", 1737 "multiValued" : false, 1738 "description" : "The honorific suffix(es) of the User, or 1739 Suffix in most Western languages (e.g. III. given the full name Ms. 
1740 Barbara J Jensen, III.).", 1741 "required" : false, 1742 "caseExact" : false, 1743 "mutability" : "readWrite", 1744 "returned" : "default", 1745 "uniqueness" : "none" 1746 } 1747 ], 1748 "mutability" : "readWrite", 1749 "returned" : "default", 1750 "uniqueness" : "none" 1751 } 1752 ] 1753 }, 1754 { 1755 "id" : 1756 "urn:ietf:params:scim:schemas:core:2.0:password:UserNameRecoverRequest", 1757 "name" : "UserName Recovery Request", 1758 "description" : "Used to look up a username by email address.", 1759 "attributes" : [ 1760 { 1761 "name" : "email", 1762 "type" : "string", 1763 "multiValued" : false, 1764 "description" : "A string value containing an email address 1765 that is to be matched against an existing resource's emails 1766 attribue.", 1767 "required" : false, 1768 "caseExact" : false, 1769 "mutability" : "readWrite", 1770 "returned" : "default", 1771 "uniqueness" : "none" 1772 }, 1773 { 1774 "name" : "userName", 1775 "type" : "string", 1776 "multiValued" : false, 1777 "description" : "A string value provided in response to a 1778 request which is the unique userName that corresponds to the 1779 recovery request.", 1780 "required" : true, 1781 "caseExact" : false, 1782 "mutability" : "readOnly", 1783 "returned" : "always", 1784 "uniqueness" : "none" 1785 } 1786 ] 1787 } 1788 ] 1790 Request Schemas 1792 4. Password Management ResourceTypes 1794 The following are the resource type definitions for the resource 1795 types defined in this specification. 
1797 [ 1798 { 1799 "schemas" : [ 1800 "urn:ietf:params:scim:schemas:core:2.0:ResourceType" 1801 ], 1802 "id" : "PasswordPolicy", 1803 "name" : "Password Policy Definition", 1804 "endpoint" : "/Users", 1805 "description" : "Password policy definition", 1806 "schema" : "urn:ietf:params:scim:schemas:core:2.0:policy:Password", 1807 "schemaExtensions" : [ 1809 ] 1810 }, 1811 { 1812 "schemas" : [ 1813 "urn:ietf:params:scim:schemas:core:2.0:ResourceType" 1814 ], 1815 "id" : "PasswordResetRequest", 1816 "name" : "Password Reset Request type", 1817 "endpoint" : "/PasswordResetRequest", 1818 "description" : "Resource type for processing password reset 1819 requests", 1820 "schema" : 1821 "urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest", 1822 "schemaExtensions" : [ 1824 ] 1825 }, 1826 { 1827 "schemas" : [ 1828 "urn:ietf:params:scim:schemas:core:2.0:ResourceType" 1829 ], 1830 "id" : "PasswordValidateRequest", 1831 "name" : "Password Validate Request type", 1832 "endpoint" : "/PasswordValidateRequest", 1833 "description" : "Resource type for processing password validation 1834 requests", 1835 "schema" : 1836 "urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest", 1837 "schemaExtensions" : [ 1839 ] 1840 }, 1841 { 1842 "schemas" : [ 1843 "urn:ietf:params:scim:schemas:core:2.0:ResourceType" 1844 ], 1845 "id" : "UserNameValidateRequest", 1846 "name" : "Username Validate Request type", 1847 "endpoint" : "/UserNameValidateRequest", 1848 "description" : "Resource type for processing username validation 1849 requests", 1850 "schema" : 1851 "urn:ietf:params:scim:schemas:core:2.0:password:UserNameValidateRequest", 1852 "schemaExtensions" : [ 1853 ] 1854 }, 1855 { 1856 "schemas" : [ 1857 "urn:ietf:params:scim:schemas:core:2.0:ResourceType" 1858 ], 1859 "id" : "UserNameGenerateRequest", 1860 "name" : "Username Generation Request type", 1861 "endpoint" : "/UserNameGenerateRequest", 1862 "description" : "Resource type for processing username generation 
1863 requests", 1864 "schema" : 1865 "urn:ietf:params:scim:schemas:core:2.0:password:UserNameGenerateRequest", 1866 "schemaExtensions" : [ 1868 ] 1869 }, 1870 { 1871 "schemas" : [ 1872 "urn:ietf:params:scim:schemas:core:2.0:ResourceType" 1873 ], 1874 "id" : "UserNameRecoverRequest", 1875 "name" : "Username Recovery Request type", 1876 "endpoint" : "/UserNameRecoverRequest", 1877 "description" : "Resource type for recovering usernames.", 1878 "schema" : 1879 "urn:ietf:params:scim:schemas:core:2.0:password:UserNameRecoveryRequest", 1880 "schemaExtensions" : [ 1882 ] 1883 } 1884 ] 1886 Password Management Resource Types 1888 5. Security Considerations 1890 This specification builds on those of the SCIM API and Core-Schema 1891 specifications and as such the security considerations of both of 1892 these drafts apply to this specification. 1894 [other considerations TBD] 1896 6. IANA Considerations 1898 TODO: Registration for Password management schema 1900 TODO: Registration of password management resource types 1902 7. References 1904 7.1. Normative References 1906 [I-D.ietf-scim-api] 1907 Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C. 1908 Mortimore, "System for Cross-Domain Identity Management: 1909 Protocol", draft-ietf-scim-api-14 (work in progress), 1910 December 2014. 1912 [I-D.ietf-scim-core-schema] 1913 Hunt, P., Grizzle, K., Wahlstroem, E., and C. Mortimore, 1914 "System for Cross-Domain Identity Management: Core 1915 Schema", draft-ietf-scim-core-schema-14 (work in 1916 progress), December 2014. 1918 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1919 Requirement Levels", BCP 14, RFC 2119, March 1997. 1921 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 1922 Resource Identifier (URI): Generic Syntax", STD 66, RFC 1923 3986, January 2005. 1925 7.2. Informative References 1927 [I-D.ietf-precis-framework] 1928 Saint-Andre, P. and M. 
Blanchet, "PRECIS Framework: 1929 Preparation, Enforcement, and Comparison of 1930 Internationalized Strings in Application Protocols", 1931 draft-ietf-precis-framework-21 (work in progress), 1932 December 2014. 1934 Appendix A. Contributors 1936 Appendix B. Acknowledgments 1938 The editor would like to thank the participants in the SCIM working 1939 group for their support of this specification. 1941 Appendix C. Change Log 1943 Draft 00 - PH - First Draft 1945 Authors' Addresses 1946 Phil Hunt (editor) 1947 Oracle Corporation 1949 Email: phil.hunt@yahoo.com 1951 Gregg Wilson 1952 Oracle Corporation 1954 Email: gregg.wilson@oracle.com
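   The following is an added worked example and is not part of this
   draft or of any SCIM implementation.  It shows how a service provider
   could enforce the challengePolicy sub-attributes of the Password
   Policy Schema (minAnswerCount, minResponseLength,
   maxIncorrectAttempts) when it receives a PasswordResetRequest body as
   defined in Section 3.3, including the resetAttempts increment and
   locked.reason behaviour the maxIncorrectAttempts description
   specifies.  The ChallengePolicy and UserRecord classes, the
   evaluate_reset_request function and the sample user data are
   constructed for the example; only the attribute names come from the
   schemas above.

```python
import hmac
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ChallengePolicy:
    """Subset of the challengePolicy sub-attributes (Password Policy
    Schema).  Class name and defaults are this example's own."""
    minAnswerCount: int = 1
    minResponseLength: int = 0       # 0 or no value: no minimum (effectively 1)
    maxIncorrectAttempts: int = 3


@dataclass
class UserRecord:
    """Constructed server-side user state (hypothetical layout); the draft
    only names resetAttempts and locked.reason on the user."""
    userName: str
    challenges: Dict[str, str]       # enrolled question -> response
    resetAttempts: int = 0
    locked: Optional[Dict[str, str]] = None


def _normalize(text: str) -> bytes:
    # "response" is declared caseExact: false, so fold case; NFKC keeps
    # visually identical Unicode answers from failing the comparison.
    return unicodedata.normalize("NFKC", text).strip().casefold().encode("utf-8")


def _responses_match(given: str, enrolled: str) -> bool:
    # Constant-time comparison so a nearly-right answer is not
    # distinguishable from a wrong one by timing.
    return hmac.compare_digest(_normalize(given), _normalize(enrolled))


def evaluate_reset_request(request: dict, user: UserRecord,
                           policy: ChallengePolicy) -> Tuple[bool, str]:
    """Decide whether a PasswordResetRequest body may proceed to the
    password change.  Returns (allowed, reason) and updates
    user.resetAttempts / user.locked as maxIncorrectAttempts requires."""
    if user.locked is not None:
        return False, "account locked: " + user.locked.get("reason", "")
    if request.get("userName") != user.userName:
        return False, "userName does not match the resource"
    challenges: List[dict] = request.get("challenges") or []
    # Schema rule: a password MUST be accompanied by challenges.
    if "password" in request and not challenges:
        return False, "password supplied without challenges"
    # Policy rules that make the request malformed; these are rejected
    # without counting as a failed attempt (assumption of this example).
    required = max(policy.minAnswerCount or 0, 1)   # assumption: at least one
    if len(challenges) < required:
        return False, f"at least {required} challenge answers required"
    min_len = policy.minResponseLength or 1
    for c in challenges:
        if "question" not in c or len(c.get("response", "")) < min_len:
            return False, "challenge response missing or shorter than minResponseLength"
    # Evaluate every answer (no early exit): the number of wrong answers,
    # not the position of the first one, decides the outcome.
    wrong = 0
    for c in challenges:
        enrolled = user.challenges.get(c["question"])   # question is caseExact: true
        if enrolled is None or not _responses_match(c["response"], enrolled):
            wrong += 1
    if wrong:
        user.resetAttempts += 1
        if user.resetAttempts > policy.maxIncorrectAttempts:
            user.locked = {"reason": "maxIncorrectAttempts exceeded"}
            return False, "account locked: maxIncorrectAttempts exceeded"
        return False, f"{wrong} incorrect challenge response(s)"
    user.resetAttempts = 0
    return True, "challenges verified; password may be reset"


if __name__ == "__main__":
    # Constructed sample data, not taken from the draft.
    policy = ChallengePolicy(minAnswerCount=2, minResponseLength=3,
                             maxIncorrectAttempts=2)
    user = UserRecord("bjensen", {"First pet?": "Fluffy",
                                  "Birth city?": "Bergen"})
    body = {"userName": "bjensen", "password": "new-secret",
            "challenges": [{"question": "First pet?", "response": "fluffy"},
                           {"question": "Birth city?", "response": " BERGEN "}]}
    print(evaluate_reset_request(body, user, policy))
```

   Two design choices are worth noting: malformed requests (too few
   answers, responses below minResponseLength) are rejected before any
   comparison and do not consume a reset attempt, so a client cannot
   burn down a user's attempts with junk; and all supplied answers are
   compared before the attempt counter is touched, so the server does
   not reveal through short-circuiting which question was answered
   wrongly.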