LDAPWiki: SCIM Password Management Extension

Overview#

SCIM Password Management Extension is an EXPIRED Internet Draft SCIM Password Management Extension

The System for Cross-domain Identity Management (SCIM) specification is an HTTP based protocol that makes managing identities in multi-domain scenarios easier to support through a standardized services. SCIM provides extension points that enable new ResourceTypes and Schema Extensions to be defined. the SCIM Password Management Extension specification defines a set of password and account status extensions for managing passwords and tracking password usage (e.g. failures) and other related session data. The specification defines new resource types that enable management of passwords and account recovery functions.

A set of SCIM schema extensions that define:

Password Schema Extension - Providing account password state (e.g.login attempts, successful login date, create date), policy, account locking, as well as challenge questions.
Password Policy Schema - A new resource type that defines password policies that may be applied to resources that use passwords such as complexity requirements, expiry, lockout, and usage constraints.

A set of resource types are defined that enable password and password policy management:

Password Policy
Password Reset Request - (temporary resource)
Password Validation Request - (temporary resource)
Username Recovery Request - (temporary resource)

In the above list, the last 3 resource types are temporary resources that are used to convey requests that may update an identified target resource URI (e.g. a User). While these requests have a simple state transfer request/response relationship with a SCIM Client, they may cause secondary effects by changing multiple attribute states in the target of the request. For example, setting a resource's password attribute involves validating password policy as well as checking and revising Password History. There may be further service provider actions such as email confirmation that occur asynchronously from the SCIM Client's perspective.SCIM Password Management Extension defines The following Singular Attributes are defined:

passwordState - A Complex Attribute that describes server provided attributes regarding the state of the resource's password.
- createDate - A DateTime which specifies the date and time the current password was set.
- cantChange - A Boolean indicating that the current password MAY NOT be changed and all other password expiry settings SHALL be ignored. (reflects PASSWD_CANT_CHANGE Dirxml-uACPasswordCantChange)
- noExpiry - A Boolean indicating that password expiry policy will not be applied for the current resource.
- lastSuccessfulLoginDate - A DateTime value indicating the last successful login date.
- lastFailedLoginDate - A DateTime value indicating the last failed login date.
- loginAttempts - An Integer value indicating the number of failed login attempts. The value is reset to 0 after a successful login.
- resetAttempts - An Integer value indicating the number of password reset attempts.
- passwordMustChange - A Boolean value that indicates that the subject password value MUST change at the next login. If not changed, typically the account is locked The value may be set indirectly when the subject's current password expires, or directly set by an administrator.
passwordPolicyUri - A URI reference value that indicates the address of a Password Policy that is used in relation to the current resource. (nspmPasswordPolicyDN)
locked - A Complex Attribute that indicates an account is locked (blocking new sessions). The following sub-attributes are defined:
- reason - A number value indicating the reason for locking. Valid values are:
  - 0 - locked due to failed login attempts.
  - 1 - locked by an administrator.
  - 2 - locked due to failed forgot password reset attempts
- on - A Boolean value indicating the account is locked. (pwdLockout)
- lockDate A DateTime indicating when the resource was locked. (pwdAccountLockedTime)
- duration An optional Integer indicating length of lockout in seconds. (pwdLockoutDuration)

The following MULTI-VALUE Attributes are defined:#

challenges - A Complex Attribute describing challenge questions that may be used as a supplementary factor during login or during password management requests.
- question - A String that represents a challenge question for which the corresponding response is defined.
- response - A String that represents the subjects specified correct response to the corresponding challenge. The response MAY be compared case-sensitive or case-insensitive based on service provider policy.
passwordHistory - A writeOnly attribute that contains hashes of previous passwords associated with the SCIM resource. The number of passwords stored in this attribute is set by: "policy.passwordHistorySize". Persisted values MUST be securely hashed such that the clients may test if a clear-text value was previously used by looking for a matching hash within the array of values. (pwdHistory. pwdInHistory)! Password Policy

The following SCIM extension defines a new SCIM resource type known as "PasswordPolicy" and usually has an endpoint of "/PasswordPolicies". The password policy is identified using the following core schema URI:

urn:ietf:params:scim:schemas:core:2.0:policy:Password

The following Single-value attributes are defined:

name - A String that is the name of the policy. Typically used for informational purposes (e.g. to display to the user).
description - A String that describes the current policy. Typically used for informational purposes (e.g. to display to a user).
maxLength - An Integer indicating the maximum password length (in characters). A value of 0 or no value SHALL indicate no maximum length restriction.
minLength - An Integer indicating the minimum password length (in characters). A value of 0 or no value SHALL indicate no minimum length restriction.
minAlphas - An Integer indicating the minimum number of alphabetic characters in a password. A value of 0 or no value SHALL minimum number of alphabetic characters in a password.
minNumerals - An Integer indicating the minimum number of numeric characters in a password. A value of 0 or no value SHALL indicate minimum number of numeric characters in a password.
minAlphaNumerals - An Integer indicating the minimum number of alphabetic or numeric characters in a password. A value of 0 or no value SHALL indicate no minimum number of alphabetic or numeric characters in a password.
minSpecialChars - An Integer indicating the minimum number of special characters in a password. A value of 0 or no value SHALL indicate no minimum number of special characters in a password.
maxSpecialChars - An Integer indicating the maximum number of special characters in a password. A value of 0 or no value SHALL indicate no maximum number of special characters in a password.
minUpperCase - An Integer indicating the minimum number of upper-case alphabetic characters in a password. A value of 0 or no value SHALL indicate no minimum number of upper-case alphabetic characters in a password.
minLowerCase - An Integer indicating the minimum number of lower-case alphabetic characters in a password. A value of 0 or no value SHALL indicate no minimum number of lower-case alphabetic characters in a password.
minUniqueChars - An Integer indicating the minimum number of unique characters in a password. A value of 0 or no value SHALL indicate no minimum number of unique characters in a password.
maxRepeatedChars - An Integer indicating the maximum number of repeated characters in a password. A value of 0 or no value SHALL indicate no restriction.
startsWithAlpha - A Boolean indicating that the password MUST being with an alphabetic character.
minUnicodeChars - (...not sure this makes sense. There are strict limitations on password values (must be Unicode UTF-8 processed by PRECIS) )
firstNameDisallowed - A Boolean indicating a sequence of characters matching the resource's "name.givenName" SHALL NOT be included in the password.
lastNameDisallowed - A Boolean indicating a sequence of characters matching the resource's "name.familyName" SHALL NOT be included in the password.
userNameDisallowed - A Boolean indicating a sequence of characters matching the resource's "userName" SHALL NOT be included in the password. ( WHAT IS userName??? )
minPasswordAgeInDays - An Integer indicating the minimum age in days before the password MAY be changed.
warningAfterDays - An Integer indicating the number of days after which a password reset warning will be issued.
expiresAfterDays - An Integer indicating the numbers of days after which a password reset is required.
requiredChars - A String value whose contents indicates a set of characters that MUST appear, in any sequence, in a password value. ( NO WAY! )
disallowedChars - A String value whose contents indicates a set of characters that SHALL NOT appear, in any sequence, in a password value.
disallowedSubStrings - A Multi-valued String indicating a set of Strings that SHALL NOT appear within a password value.
dictionaryLocation - A Reference value containing the URI of a dictionary of words not allowed to appear within a password value.
passwordHistorySize - An Integer indicating the number of passwords that will be kept in history that may not be used as a password.
maxIncorrectAttempts - An Integer representing the maximum number of failed logins before an account is locked.
lockOutDuration - An Integer indicating the number of minutes an account will be locked after "maxIncorrectAttempts" exceeded.
challengesEnabled - A Boolean value indicating challenges MAY be used during authentication.
challengePolicy - A complex attribute that defines policy around challenges. It contains the following sub-attributes:
- source An Integer indicating one of the following:
  - 0 - User Defined.
  - 1 - Admin Defined.
  - 2 - User and Admin Defined.
- defaultQuestions A Multi-valued String attribute that contains one or more default question a subject may use when setting their challenge questions.
- minQuestionCount An Integer indicating the minimum number of challenge questions a subject MUST answer when setting challenge question answers. A value of 0 or no value indicates no minimum.
- minAnswerCount An Integer indicating the minimum number of challenge answers a subject MUST answer when attempting to reset their password via forgot password request.
- allAtOnce - A Boolean value. When true, the client UI will present all challengers in random order each time displayed. When false, the client UI will present one challenge question at a time where the subject MUST respond before the next is displayed.
- minResponseLength An Integer indicating the minimum number of characters in a challenge response. No value or a value of 0 indicates no minimum length (effectively 1).
- maxIncorrectAttempts An Integer indicates the maximum number of failed reset password attempts using challenges. If any challenges are wrong in a reset attempt, the user's "resetAttempts" counter will be incremented by 1. If "resetAttempts" is greater than "maxIncorrectAttempts", the subject's account will be locked with a "locked.reason" value of 2 see Paragraph 3.

More Information#

There might be more information for this subject on one of the following:

SCIM Password Management