Schema Extensions

urn:hid:scim:api:idp:2.0:policy:Authenticator

This entity represents an authenticator policy.

The policy provides configuration information and constraints necessary to create an authenticator for a user through the Authenticator Policy endpoint.

• It is a SCIM resource where:

  • id – the policy ID (that is, the authentication type code)

  • externalId – not configurable

  • meta – lifecycle information

  • deliveryGateways – to add delivery gateways bindings. It is an array of object with:

    • display – the adapter name

    • value – the adapter ID (mandatory when updating bindings)

• Common attributes for authenticator policy extensions:

  Attribute	Type
  adapterCode	string
  allowExpiredReset	int
  baseAuthenticatorPolicy	MemberRef (string)
  challengeDisableThreshold	int
  challengeTimeoutPeriod	int
  defaultExpiryThreshold	int
  defaultValidDaysAdd	int
  defaultValidDaysEdit	int
  directAuthenticatorPolicy	MemberRef
  disableThreshold	int
  disabledTimeReset	int
  levelOfAssurance	string
  managerAdapterCode	string
  name	string
  notes	string
  sessionTimeout	int long
  sessionValidPeriod	int long
  validChannelCodes	string[]

The policy also has the mutually exclusive extensions per authenticator type. For example:

• urn:hid:scim:api:idp:2.0:policy:authenticator:Password

  • passwordpolicy – constraints with which a password must comply:

    Constraint	Possible values	Description
    onlyNum	"true" or "false"	Must contain only numeric characters
    onlyAlpha	"true" or "false"	Must contain only alpha characters
    numOrAlpha	"true" or "false"	Must contain only numeric or alpha characters
    numAndAlpha	"true" or "false"	Must contain only numeric and alpha characters
    maxLength	Integer as String	Maximum length
    minLength	Integer as String	Minimum length
    notSequence	"true" or "false"	Must not be a sequence
    atLeastOneNum	"true" or "false"	Must contain at least one numeric character
    atLeastOneLow	"true" or "false"	Must contain at least one lowercase character
    atLeastOneUp	"true" or "false"	Must contain at least one uppercase character
    atLeastOneSpecial	"true" or "false"	Must contain at least one special character
    notOldPassword	"true" or "false"	Must not be an old password
    notUserAttribute	"true" or "false"	Must not contain a user attribute
    minDiffChars	"true" or "false"	Minimum numbers of different characters in password
    caseInsensitive	"true" or "false"	Case insensitive (not recommended)
    notBlackListed	"true" or "false"	Must not contain black listed words

  • usernamepolicy - constraints with which a username must comply:

    Constraint	Description
    onlyNum	Contain only numeric characters
    onlyAlpha	Contain only alpha characters
    numOrAlpha	Contain either numeric or alpha characters
    numAndAlpha	Contain both numeric and alpha characters
    maxLength	Maximum length
    minLength	Minimum length
    minDiffChars	Minimum number of different characters

  • seedingType – "FULL", "PARTIAL" or "BOTH" (string)

  • disableThreshold - number of failed attempts after which the password of the user will be disabled (integer)
  • allowExpiredReset - number of times an expired authenticator can request reset (integer)

• urn:hid:scim:api:idp:2.0:policy:authenticator:SecurityQuestion

  • promptsRequiredForCreation – number of questions to answer in order to create an authenticator

  • prompts – array of possible questions:

    • prompt:
      - display – the actual question
      - value – the identifier of the prompt

    • policy – constraints with which the answer to this question must comply:

      Constraint	Description
      onlyNum	Contain only numeric characters
      onlyAlpha	Contain only alpha characters
      numOrAlpha	Contain either numeric or alpha characters
      numAlpha	Contain both numeric and alpha characters
      caseInsensitive	Case-insensitive
      maxLength	Maximum length
      minLength	Minimum length
      notUserAttribute	Not contain username and is not a user attribute
      dateFormat	Date format

  • seedingType:string (enum)

• urn:hid:scim:api:idp:2.0:policy:authenticator:Credential

  Attribute	Type
  validCredentialPolicies	string
  challengeType	string
  disableThreshold	int

urn:hid:scim:api:idp:2.0:device:Type

The entity represents a Device Type.

• It is a SCIM resource where:

  • id – the device type ID (that is, the device type code)

  • meta – lifecycle information

• Attributes:

  Attribute	Description
  name	Device type name (String)
  notes	Device type notes (String)
  manufacturer	Name of the device manufacturer (String)
  maximumDevicesPerUser	(Optional) The maximum number of this type of device that can be assigned to a user (Integer) If set to -1 (the default) or not present, the attribute is not used. Otherwise, the defined value is used. The limit is only verified when the user attempts to activate a new device of this type and an error message is displayed if they have already reached the maximum. If you set a maximum, it will not affect users who already have more devices than the limit (that is, it will not block authentication nor delete or modify existing devices). However, these users will only be able to activate a new device if they discard existing devices to meet the new limit. For example, if you set the limit to 2 devices, a user with 3 existing devices will need to discard 2 to activate a new device.
  copyFrom	Code of the device type to clone when creating a new device type Only available for POST requests.
  readOnly	Indicates if the resource is safeguarded. This attribute cannot be modified.

Compatible device types (that is, the ones with the “TDS provisioning V4” adapter) have the following extension:

urn:hid:scim:api:idp:2.0:User:Repository

This entity represents a user repository (LDAP or SCIM federated datasource).

A User Repository object is a SCIM resource with the following parameters:

• id – id of the user repository (String)

• name – name of the user repository (String)

• type - User Repository Type (String):

  • LDAP_MS_AD – Microsoft Active Directory (AD)

  • LDAP – LDAP repository

  • SCIM_FED_AD – federated repository such as Microsoft Azure Active Directory (AAD)

Attributes for compatible repositories are:

• LDAP:

  Attribute	Description
  host	Object describing the host configuration and has the following parameters: address – hostname or IP of the server (String) port – port to connect to the server (String) backupAddress – hostname or IP of the backup server (String) backupPort – port to connect to the backup server (String) baseNodeDn – Base DN (String) ldapsRootCaCertificate – certificate in base64 (only for LDAPs) (String) loginCredentials – object describing credentials to connect to the server and has the following parameters: userDn – User DN (String) userPassword – password (can be set in CREATE and REPLACE but is NOT returned in any response) (String) Note: All the above parameters are mandatory for CREATE except backupAddress, backupPort and ldapsRootCaCertificate.
  mappingConfiguration	(Not mandatory) Object describing the configuration of the LDAP and has the following parameters: userClass – User Class (default value is "Person") (String) ldapGroupClass – LDAP Group Class (default value is "group") (String) userIdAttribute – User ID Attribute (default value is " sAMAccountName")(String) groupMemberAttribute – Group Member Attribute (default value is "memberOf")(String) accountStatusAttribute – Account Status Attribute (default value is "UserAccountControl") (String) guidAttributeName – GUID Attribute Name (default value is "objectguid") (String)
  userTypeAssignments	(Not mandatory) Array of objects describing a mapping between ActivID AS User Types and root nodes DN: groupId – User Type ID in ActivID AS (String) rootNodeDn – root node DN in the LDAP (String)
  userGroupAssignments	(Not mandatory) Array of objects describing a mapping between ActivID AS User Groups and root node DN: groupId – User Group ID in ActivID AS (String) rootNodeDn – root node DN in the LDAP (String)
  roleAssignments	(Not mandatory) Array of objects to assign ActivID AS Roles to users in LDAP Groups or in LDAP OU: roleId – Role ID in ActivID AS to assign to the users in the LDAP Group or LDAP OU (String) mappingType – "OU" or "GROUP" (String) groupDnOrOu – DN of the OU or the Group in the LDAP (String)
  referralStrategy	(Not mandatory) Can be "followAll", "followNone" (the default value) or "followListed" (String)
  referrals	(Not mandatory) Array of objects describing a LDAP referral configuration: address – hostname or IP of the server (String) port – port to connect to the server (String) loginCredentials – object describing credentials to connect to the server

• SCIM Federated: AD

  Attribute	Description
  id	Datasource code
  name	Name for the datasource
  adminGroupAssignment.value	Reference to the user group code where users will be created
  provisioningAgentCredential.value	Reference to the agent id (this is the user id of the user for whom the bearer token is configured in Microsoft Azure)
  federatedAttributes.value	Reference to an attribute type code that is provisioned by Microsoft Azure. This attribute is protected and cannot be overwritten (only the provisioning agent is able to modify it)
  roleAssignments	(Not mandatory) Array of objects to assign ActivID AS roles to users in Microsoft Azure Groups or OU: roleId – Role ID in ActivID AS to assign to the users in the Microsoft Azure Group or OU (String) mappingCriteria – ID of the Microsoft Azure "OU" or "GROUP" (String)
  userAuthenticationEndpoint	Configuration for the authentication endpoint of the Microsoft Azure AD: issuerUri – hostname or IP of the Microsoft Azure AD or ADFS OAuth 2.0 provider (String) clientId – ID of the client to connect to the directory host

urn:hid:scim:api:idp:2.0:userattribute:Type

This entity represents a User Attribute Type.

Verb usage: GET(read), PUT(replace), POST(create), DELETE(delete)

<Extends SCIM Core Resource> where:

• id – the internal id to lookup the user attribute type

• meta – lifecycle information

• name – name of the user attribute type

• notes – description of the user attribute type

• encrypted – defines if the user attribute type is encrypted. Possible values are true or false (boolean). Can be used with PUT(replace) and POST(create)

Example:

{
    "schemas": ["urn:hid:scim:api:idp:2.0:userattribute:Type"],
    "id": "CITY",
    "meta":    {
        "resourceType": "UserAttributeType", 
        "location": "https://[base-server-url]/scim/tenant/v2/User/AttributeType/CITY", "version": "1" 
    },
    "name": "City",
    "encrypted": true,
}

PUT /User/AttributeType/CITY
 
{ "encrypted": false }

urn:hid:scim:api:idp:2.0:DeliveryGateway:Push

This entity represents a Push Delivery Gateway.

Verb usage: GET(read), PUT(replace), POST(create), DELETE(delete)

<Extends SCIM Core Resource> where:

• id – identifier of the adapter

• name – name of the adapter

• type – code of the delivery provider (AZURE_WNS_PUSH, AZURE_APNS_PUSH and AZURE_GCM_PUSH are supported)

• notes – description of the delivery gateway

Attributes:

"credential":       {
    "title": "Activation",
    "msg": "Touch to activate"
},
"challenge":       {
    "title": "New Transaction",
    "msg": "Validate transaction"
}

For further information about these parameters, see Configure the Push Delivery Gateway and Adapters .

urn:hid:scim:api:idp:2.0:Application/Generic

This entity represents a Generic Application.

Verb usage: GET(read), PUT(replace), POST(create), DELETE(delete)

<Extends SCIM Core Resource> where:

• id – ID of the generic application (String)

• name – name of the generic application (String)

• notes – notes of the generic application (optional)

• type – only “Generic” is supported

Attributes for compatible applications are: