Schema Extensions

This section details the expected schemas extensions (HID JSON base objects).

Note: The API version supported by ActivID AS 8.6 is 3.0.

To use the version-specific parameters/attributes, you must add api-version=N to the query parameter.

Previous versions of the API are also supported with the corresponding functionality.

urn:hid:scim:api:idp:2.0:Attribute

name - name of the attribute (String)
value - value of the attribute (String)
type - TYPE enumeration from set (STRING, DATE, INT, LONG, BOOLEAN)
readOnly - Boolean

urn:hid:scim:api:idp:2.0:EntityStatus

status - status of the entity (String)
active - boolean
startDate - start date for the entity (Date)
expiryDate - expiry date for the entity (Date)

urn:hid:scim:api:idp:2.0:EntityBase

<Extends SCIM Core Resource> where:

type - type of the entity (String)
status: status of the entity (EntityStatus)
attributes - attributes of the entity (Attribute[])
owner - owner of the entity (MemberRef)

urn:hid:scim:api:idp:2.0:Authenticator

This entity represents an authenticator binding a user to an authentication policy and credential/device.

<Extends EntityBase> where:
- id - the internal ID for the resource
- externalid – user alias for authentication [optional]
- meta – lifecycle information
- status - status of the entity (EntityStatus)
- owner – the user that owns the authenticator

Attributes:

Attribute	Description
statistics	The authentication statistics. Can contain: maximumNumberOfUsages consecutiveFailed consecutiveSuccess totalFailed totalSuccess lastSuccessfulDate lastUnsuccessfulDate lastSuccessfulChannel lastUnsuccessfulChannel challengeCount
policy	Details of the authenticator policy for the authenticator (immutable)
lastSuccessfulDevice	Details of the last device used in a successful authentication by the user, contains: type - type of the last successfully used device value - ID of the last successfully used device

Attribute

Description

statistics

The authentication statistics. Can contain:

maximumNumberOfUsages
consecutiveFailed
consecutiveSuccess
totalFailed
totalSuccess
lastSuccessfulDate
lastUnsuccessfulDate
lastSuccessfulChannel
lastUnsuccessfulChannel
challengeCount

policy

Details of the authenticator policy for the authenticator (immutable)

lastSuccessfulDevice

Details of the last device used in a successful authentication by the user, contains:

type - type of the last successfully used device
value - ID of the last successfully used device

The authenticator has the following mutually exclusive extensions:

urn:hid:scim:api:idp:2.0:Password – password extension
- username (immutable)
- password (write-only, never returned)
urn:hid:scim:api:idp:2.0:SecurityQuestion – security question extension
- prompts – array of prompts:
  - prompt:
    - display – the actual question (read-only)
    - value – the ID of the question (read/write)
  - answer – the answer to the question (write-only)
  - policy - the constraints (such as case-sensitive and length) with which the answe must comply
- promptsRequiredForCreation -
- seedingType -

urn:hid:scim:api:idp:2.0:Action – action extension

action – action to proceed on given authenticator. Can be:

RESET
DELIVER-CHALLENGE
DEVICE-CHALLENGE
USER-CHALLENGE
REGISTER-OOB
UNREGISTER-OOB

attributes – array of attributes where each attribute is a name/value pair containing:

Copy

{
    "name": "<static value>",
    "value": "<value of attribute such as the code or id>"
}

Action	Attributes
DELIVER-CHALLENGE	USER.EXTERNALID – user external ID DEVICETYPE – device type DEVICE.EXTERNALID – device serial number DEVICE.ID – the internal device ID (long) CHANNEL – channel code
DEVICE-CHALLENGE	DEVICETYPE – device type DEVICE.EXTERNALID – device serial number DEVICE.ID – the internal device ID (long) CHANNEL – channel code
USER-CHALLENGE	USER.EXTERNALID – user external ID CHANNEL – channel code
REGISTER-OOB	OOB_DEVICETYPE_CODE - code of device type that is compatible with credential type bound to the authentication type
UNREGISTER-OOB	USER.EXTERNALID – user external ID

urn:hid:scim:api:idp:2.0:Credential

This entity represents a credential:

<Extends EntityBase> where:
- owner – is the device that owns the credentials
- type – credential type
- externalid – credential serial number [optional]
- id – the internal credential ID to lookup the credential
- meta – lifecycle information
- status – status of the credential (see urn:hid:scim:api:idp:2.0:EntityStatus urn:hid:scim:api:idp:2.0:EntityStatus)
attributes: Attributes[] – generic attribute the credentials can hold

urn:hid:scim:api:idp:2.0:Device

This entity represents a device and linked credentials.

<Extends EntityBase> where:
- owner – the user that owns the device
- type – device type
- externalid – device serial number [optional]
- id – the internal device ID to look up the device
- meta – lifecycle information
- friendlyName – device friendly name [optional]
children : MemberRef[] – these are the linked credentials
urn:hid:scim:api:idp:2.0:Action – action extension:
- action – action to proceed on given device. Can be SYNCH-COUNTER: to resynchronize a device with a new counter value.
- attributes – array of attributes:
  - COUNTER: new counter value

urn:hid:scim:api:idp:2.0:policy:Authenticator

Important: This API is deprecated. Use the updated /configuration/authenticator API instead.

This entity represents an authenticator policy. The policy has three mutually exclusive extensions:

urn:hid:scim:api:idp:2.0:policy:authenticator:Password
urn:hid:scim:api:idp:2.0:policy:authenticator:SecurityQuestion
urn:hid:scim:api:idp:2.0:policy:authenticator:Credential

The policy provides configuration information and constraints necessary to create an authenticator for a user through the Authenticator endpoint.

It is a SCIM resource where:
- id – the policy ID (that is, the authentication type code)
- externalId – not configurable
- meta – lifecycle information

Attributes:

Attribute	Type
allowExpiredReset	int
baseAuthenticatorPolicy	MemberRef
challengeDisableThreshold	int
defaultExpiryThreshold	int
challengeTimeoutPeriod	int
defaultValidDaysAdd	int
defaultValidDaysEdit	int
directAuthenticatorPolicy	MemberRef
failureDisplay	string
name	string
notes	string
requiredAuthentication	string
sessionTimeout	long
sessionValidPeriod	long
validChannelCodes	string[]
onlyIndirect	boolean

The policy has the following mutually exclusive extensions:

urn:hid:scim:api:idp:2.0:policy:authenticator:Password

passwordpolicy – constraints with which a password must comply:

Constraint	Possible values	Description
onlyNum	"true" or "false"	Must contain only numeric characters
onlyAlpha	"true" or "false"	Must contain only alpha characters
numOrAlpha	"true" or "false"	Must contain only numeric or alpha characters
numAlpha	"true" or "false"	Must contain only numeric and alpha characters
maxLength	Integer as String	Maximum length
minLength	Integer as String	Minimum length
notSequence	"true" or "false"	Must not be a sequence
notEnglish	"true" or "false"	Must not be an English word
minNum	"true" or "false"	Must contain at least one numeric character
minLow	"true" or "false"	Must contain at least one lowercase character
minUp	"true" or "false"	Must contain at least one uppercase character
minSpecial	"true" or "false"	Must contain at least one special character
notOldPassword	"true" or "false"	Must not be an old password
notUserAttribute	"true" or "false"	Must not contain a user attribute
minDiffChars	"true" or "false"	Minimum numbers of different characters in password
caseInsensitive	"true" or "false"	Case insensitive (not recommended)
blacklist	"true" or "false"	Must not contain black listed words

usernamepolicy - constraints with which a username must comply:

Constraint	Description
onlyNum	Contain only numeric characters
onlyAlpha	Contain only alpha characters
numOrAlpha	Contain either numeric or alpha characters
numAlpha	Contain both numeric and alpha characters
maxLength	Maximum length
minLength	Minimum length
minDiffChars	Minimum number of different characters

seedingType – "FULL", "PARTIAL" or "BOTH" (string)
disableThreshold - number of failed attempts after which the password of the user will be disabled (integer)

urn:hid:scim:api:idp:2.0:policy:authenticator:SecurityQuestion

promptsRequiredForCreation – number of questions to answer in order to create an authenticator

prompts – array of possible questions:

prompt:
- display – the actual question
- value – the identifier of the prompt

policy – constraints with which the answer to this question must comply:

Constraint	Description
onlyNum	Contain only numeric characters
onlyAlpha	Contain only alpha characters
numOrAlpha	Contain either numeric or alpha characters
numAlpha	Contain both numeric and alpha characters
caseInsensitive	Case-insensitive
maxLength	Maximum length
minLength	Minimum length
notUserAttribute	Not contain username and is not a user attribute
dateFormat	Date format

seedingType:string (enum)

urn:hid:scim:api:idp:2.0:policy:authenticator:Credential

Attribute	Type
validCredentialPolicies	string
challengeType	string
disableThreshold	int

urn:hid:scim:api:idp:2.0:Organization

This entity represents an organization.

<Extends SCIM Core Resource> where:

id – the internal organization ID to lookup the organization

externalid – the external organization ID
type – organization type (dataset)
initialPassword – used to manage the organization
organizationDelegation – the organization to which delegation is given
organizationBranding – the organization branding for HID Approve™ and the Authentication Portal

urn:hid:scim:api:idp:2.0:OrganizationDelegation

This entity represents an organization delegation of a restricted subset of roles.

<Extends SCIM Core Resource> where:

id – the internal organization ID to look up the organization
externalid – the external organization ID
idProof – the certificate of the organization to which delegation is given
delegatedRoles – list of roles that are delegated to the proxy organization

urn:hid:scim:api:idp:2.0:OrganizationBranding

This entity represents an organization branding.

hidApproveCustoFiles – array of OrganizationCustomizationFile for HID Approve
authPortalCustoFile – an OrganizationCustomizationFile for the Authentication Portal

An OrganizationCustomizationFile has the following parameters:

filename – filename of the customization file
fileAsBase64 – base64 encoded file

urn:hid:scim:api:idp:2.0:PermissionSet

This entity represents a permission set.

<Extends SCIM Core Resource> where:
- id – the internal ID to lookup the permission set
- meta – lifecycle information
- name – name of the permission set
- resourceType – can be “GROUP” or “ASSET”
urn:hid:scim:api:idp:2.0:PermissionSetItem[]– list of permissions:
- id – ID of the permission
- parameter – can be used to define roles for relevant permissions.

urn:hid:scim:api:idp:2.0:Provision

This entity represents a device issuance request.

<Extends EntityBase> where:

owner – is the user that owns the device provision
deviceType – device type
id – the internal device provision ID to look up the device provision
status – status of the device provision, can have the following values:
- IN_ISSUANCE
- PROCESSED
- REG_PROCESS
- UNPROCESSED
meta – lifecycle information

urn:hid:scim:api:idp:2.0:PseudonymizationToken

This entity represents pseudonymization tokens in exported audit logs.

<Extends SCIM Core Resource> where:

token – the pseudonymization token
value – the clear value
ownerId – owner ID of this token
ownerExtId – owner external ID of this token

urn:hid:scim:api:idp:2.0:Role

This entity represents a list of roles:

<Extends SCIM Core Resource> where:
- id – the internal role ID to lookup the role
- meta – lifecycle information
- name – name of the role
- description – a short summary of the role
- updatePermissionSet – defines if a configured permission set should be updated when creating a role
Attributes:
- name:string