Schema Extensions
This section details the expected schemas extensions (HID JSON base objects).
To use the version-specific parameters/attributes, you must add api-version=N to the query parameter.
Previous versions of the API are also supported with the corresponding functionality.
urn:hid:scim:api:idp:2.0:Attribute
-
name - name of the attribute (String)
-
value - value of the attribute (String)
-
type - TYPE enumeration from set (STRING, DATE, INT, LONG, BOOLEAN)
-
readOnly - Boolean
urn:hid:scim:api:idp:2.0:EntityStatus
-
status - status of the entity (String)
-
active - boolean
-
startDate - start date for the entity (Date)
-
expiryDate - expiry date for the entity (Date)
urn:hid:scim:api:idp:2.0:EntityBase
<Extends SCIM Core Resource> where:
-
type - type of the entity (String)
-
status: status of the entity (EntityStatus)
-
attributes - attributes of the entity (Attribute[])
-
owner - owner of the entity (MemberRef)
urn:hid:scim:api:idp:2.0:Authenticator
This entity represents an authenticator binding a user to an authentication policy and credential/device.
-
<Extends EntityBase> where:
-
id - the internal ID for the resource
-
externalid – user alias for authentication [optional]
-
meta – lifecycle information
-
status - status of the entity (EntityStatus)
- owner – the user that owns the authenticator
-
Attributes:
Attribute | Description |
---|---|
statistics |
The authentication statistics. Can contain:
|
policy |
Details of the authenticator policy for the authenticator (immutable) |
lastSuccessfulDevice |
Details of the last device used in a successful authentication by the user, contains:
|
The authenticator has the following mutually exclusive extensions:
-
urn:hid:scim:api:idp:2.0:Password – password extension
-
username (immutable)
- password (write-only, never returned)
-
-
urn:hid:scim:api:idp:2.0:SecurityQuestion – security question extension
-
prompts – array of prompts:
- prompt:
- display – the actual question (read-only)
- value – the ID of the question (read/write)
- answer – the answer to the question (write-only)
- policy - the constraints (such as case-sensitive and length) with which the answe must comply
- prompt:
-
promptsRequiredForCreation -
-
seedingType -
-
-
urn:hid:scim:api:idp:2.0:Action – action extension
-
action – action to proceed on given authenticator. Can be:
-
RESET
-
DELIVER-CHALLENGE
-
DEVICE-CHALLENGE
-
USER-CHALLENGE
-
REGISTER-OOB
- UNREGISTER-OOB
-
attributes – array of attributes where each attribute is a name/value pair containing:
Copy{
"name": "<static value>",
"value": "<value of attribute such as the code or id>"
}Action Attributes DELIVER-CHALLENGE - USER.EXTERNALID – user external ID
- DEVICETYPE – device type
- DEVICE.EXTERNALID – device serial number
- DEVICE.ID – the internal device ID (long)
- CHANNEL – channel code
DEVICE-CHALLENGE - DEVICETYPE – device type
- DEVICE.EXTERNALID – device serial number
- DEVICE.ID – the internal device ID (long)
- CHANNEL – channel code
USER-CHALLENGE - USER.EXTERNALID – user external ID
- CHANNEL – channel code
REGISTER-OOB OOB_DEVICETYPE_CODE - code of device type that is compatible with credential type bound to the authentication type UNREGISTER-OOB USER.EXTERNALID – user external ID - USER.EXTERNALID – user external ID
-
-
urn:hid:scim:api:idp:2.0:Credential
This entity represents a credential:
-
<Extends EntityBase> where:
-
owner – is the device that owns the credentials
-
type – credential type
-
externalid – credential serial number [optional]
-
id – the internal credential ID to lookup the credential
-
meta – lifecycle information
- status – status of the credential (see urn:hid:scim:api:idp:2.0:EntityStatusurn:hid:scim:api:idp:2.0:EntityStatus)
-
-
attributes: Attributes[] – generic attribute the credentials can hold
urn:hid:scim:api:idp:2.0:Device
This entity represents a device and linked credentials.
-
<Extends EntityBase> where:
-
owner – the user that owns the device
-
type – device type
-
externalid – device serial number [optional]
-
id – the internal device ID to look up the device
-
meta – lifecycle information
- friendlyName – device friendly name [optional]
-
-
children : MemberRef[] – these are the linked credentials
-
urn:hid:scim:api:idp:2.0:Action – action extension:
-
action – action to proceed on given device. Can be SYNCH-COUNTER: to resynchronize a device with a new counter value.
-
attributes – array of attributes:
-
COUNTER: new counter value
-
-
urn:hid:scim:api:idp:2.0:policy:Authenticator
This entity represents an authenticator policy. The policy has three mutually exclusive extensions:
-
urn:hid:scim:api:idp:2.0:policy:authenticator:Password
-
urn:hid:scim:api:idp:2.0:policy:authenticator:SecurityQuestion
-
urn:hid:scim:api:idp:2.0:policy:authenticator:Credential
The policy provides configuration information and constraints necessary to create an authenticator for a user through the Authenticator endpoint.
-
It is a SCIM resource where:
-
id – the policy ID (that is, the authentication type code)
-
externalId – not configurable
- meta – lifecycle information
-
-
Attributes:
Attribute Type allowExpiredReset
int
baseAuthenticatorPolicy
MemberRef challengeDisableThreshold
int defaultExpiryThreshold
int challengeTimeoutPeriod
int defaultValidDaysAdd
int defaultValidDaysEdit
int directAuthenticatorPolicy
MemberRef failureDisplay
string name
string notes
string requiredAuthentication
string sessionTimeout
long sessionValidPeriod
long validChannelCodes
string[] onlyIndirect
boolean
The policy has the following mutually exclusive extensions:
-
urn:hid:scim:api:idp:2.0:policy:authenticator:Password
-
passwordpolicy – constraints with which a password must comply:
Constraint Possible values Description onlyNum
"true" or "false"
Must contain only numeric characters
onlyAlpha
"true" or "false"
Must contain only alpha characters
numOrAlpha
"true" or "false"
Must contain only numeric or alpha characters
numAlpha
"true" or "false"
Must contain only numeric and alpha characters
maxLength
Integer as String
Maximum length
minLength
Integer as String
Minimum length
notSequence
"true" or "false"
Must not be a sequence
notEnglish "true" or "false" Must not be an English word minNum
"true" or "false"
Must contain at least one numeric character
minLow
"true" or "false"
Must contain at least one lowercase character
minUp
"true" or "false"
Must contain at least one uppercase character
minSpecial
"true" or "false"
Must contain at least one special character
notOldPassword
"true" or "false"
Must not be an old password
notUserAttribute
"true" or "false"
Must not contain a user attribute
minDiffChars
"true" or "false"
Minimum numbers of different characters in password
caseInsensitive
"true" or "false"
Case insensitive (not recommended)
blacklist
"true" or "false"
Must not contain black listed words
-
usernamepolicy - constraints with which a username must comply:
Constraint Description onlyNum
Contain only numeric characters onlyAlpha
Contain only alpha characters numOrAlpha
Contain either numeric or alpha characters numAlpha
Contain both numeric and alpha characters maxLength
Maximum length minLength
Minimum length minDiffChars
Minimum number of different characters -
seedingType – "FULL", "PARTIAL" or "BOTH" (string)
- disableThreshold - number of failed attempts after which the password of the user will be disabled (integer)
-
-
urn:hid:scim:api:idp:2.0:policy:authenticator:SecurityQuestion
-
promptsRequiredForCreation – number of questions to answer in order to create an authenticator
-
prompts – array of possible questions:
-
prompt:
-
display – the actual question
-
value – the identifier of the prompt
-
-
policy – constraints with which the answer to this question must comply:
Constraint Description onlyNum
Contain only numeric characters onlyAlpha
Contain only alpha characters numOrAlpha
Contain either numeric or alpha characters numAlpha
Contain both numeric and alpha characters caseInsensitive
Case-insensitive maxLength
Maximum length minLength
Minimum length notUserAttribute
Not contain username and is not a user attribute dateFormat
Date format
-
- seedingType:string (enum)
-
-
urn:hid:scim:api:idp:2.0:policy:authenticator:Credential
Attribute Type validCredentialPolicies
string challengeType
string disableThreshold
int
urn:hid:scim:api:idp:2.0:Organization
This entity represents an organization.
<Extends SCIM Core Resource> where:
-
id – the internal organization ID to lookup the organization
-
externalid – the external organization ID
-
type – organization type (dataset)
-
initialPassword – used to manage the organization
-
organizationDelegation – the organization to which delegation is given
-
organizationBranding – the organization branding for HID Approve™ and the Authentication Portal
urn:hid:scim:api:idp:2.0:OrganizationDelegation
This entity represents an organization delegation of a restricted subset of roles.
<Extends SCIM Core Resource> where:
-
id – the internal organization ID to look up the organization
-
externalid – the external organization ID
-
idProof – the certificate of the organization to which delegation is given
-
delegatedRoles – list of roles that are delegated to the proxy organization
urn:hid:scim:api:idp:2.0:OrganizationBranding
This entity represents an organization branding.
-
hidApproveCustoFiles – array of OrganizationCustomizationFile for HID Approve
-
authPortalCustoFile – an OrganizationCustomizationFile for the Authentication Portal
An OrganizationCustomizationFile has the following parameters:
-
filename – filename of the customization file
-
fileAsBase64 – base64 encoded file
urn:hid:scim:api:idp:2.0:PermissionSet
This entity represents a permission set.
-
<Extends SCIM Core Resource> where:
-
id – the internal ID to lookup the permission set
-
meta – lifecycle information
-
name – name of the permission set
- resourceType – can be “GROUP” or “ASSET”
-
-
urn:hid:scim:api:idp:2.0:PermissionSetItem[]– list of permissions:
-
id – ID of the permission
-
parameter – can be used to define roles for relevant permissions.
-
urn:hid:scim:api:idp:2.0:Provision
This entity represents a device issuance request.
<Extends EntityBase> where:
-
owner – is the user that owns the device provision
-
deviceType – device type
-
id – the internal device provision ID to look up the device provision
-
status – status of the device provision, can have the following values:
-
IN_ISSUANCE
-
PROCESSED
-
REG_PROCESS
- UNPROCESSED
-
-
meta – lifecycle information
urn:hid:scim:api:idp:2.0:PseudonymizationToken
This entity represents pseudonymization tokens in exported audit logs.
<Extends SCIM Core Resource> where:
-
token – the pseudonymization token
-
value – the clear value
-
ownerId – owner ID of this token
-
ownerExtId – owner external ID of this token
urn:hid:scim:api:idp:2.0:Role
This entity represents a list of roles:
-
<Extends SCIM Core Resource> where:
-
id – the internal role ID to lookup the role
-
meta – lifecycle information
-
name – name of the role
-
description – a short summary of the role
-
-
Attributes:
-
name:string
-