[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00

Network Working Group                                       P. Hunt, Ed.
Internet-Draft                                                 G. Wilson
Intended status: Standards Track                                  Oracle
Expires: September 30, 2015                               March 29, 2015


                   SCIM Password Management Extension
                    draft-hunt-scim-password-mgmt-00

Abstract

   The System for Cross-Domain Identity Management (SCIM) specification
   is an HTTP based protocol that makes managing identities in multi-
   domain scenarios easier to support through a standardized services.
   SCIM provides extension points that enable new ResourceTypes and
   Schema Extensions to be defined.  This specification defines a set of
   password and account status extensions for managing passwords and
   password usage (e.g. failures) and other related session data.  The
   specification defines new ResourceTypes that enable management of
   passwords and account recovery functions.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 30, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect



Hunt & Wilson          Expires September 30, 2015               [Page 1]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction and Overview . . . . . . . . . . . . . . . . . .   2
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . .   3
     1.2.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Schema Extensions . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  Password Schema Extension . . . . . . . . . . . . . . . .   4
     2.2.  Password Policy . . . . . . . . . . . . . . . . . . . . .   6
     2.3.  Management Requests . . . . . . . . . . . . . . . . . . .  10
     2.4.  PasswordResetRequest  . . . . . . . . . . . . . . . . . .  10
       2.4.1.  Password Reset With Challenges  . . . . . . . . . . .  11
       2.4.2.  Reset With Email Confirmation . . . . . . . . . . . .  12
     2.5.  PasswordValidateRequest . . . . . . . . . . . . . . . . .  13
     2.6.  UsernameValidateRequest . . . . . . . . . . . . . . . . .  14
     2.7.  UsernameGenerateRequest . . . . . . . . . . . . . . . . .  15
     2.8.  UsernameRecoverRequest  . . . . . . . . . . . . . . . . .  17
   3.  Schemas Representation  . . . . . . . . . . . . . . . . . . .  18
     3.1.  Password Extension  . . . . . . . . . . . . . . . . . . .  18
     3.2.  Password Policy Schema  . . . . . . . . . . . . . . . . .  23
     3.3.  Request Schemas . . . . . . . . . . . . . . . . . . . . .  32
   4.  Password Management ResourceTypes . . . . . . . . . . . . . .  38
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  40
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  40
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  41
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  41
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  41
   Appendix A.  Contributors . . . . . . . . . . . . . . . . . . . .  41
   Appendix B.  Acknowledgments  . . . . . . . . . . . . . . . . . .  41
   Appendix C.  Change Log . . . . . . . . . . . . . . . . . . . . .  41
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  41

1.  Introduction and Overview

   The System for Cross-Domain Identity Management (SCIM) specification
   is an HTTP based protocol that makes managing identities in multi-
   domain scenarios easier to support through a standardized services.
   SCIM provides extension points that enable new ResourceTypes and
   Schema Extensions to be defined.  This specification defines a set of
   password and account status extensions for managing passwords and
   tracking password usage (e.g. failures) and other related session
   data.  The specification defines new resource types that enable
   management of passwords and account recovery functions.




Hunt & Wilson          Expires September 30, 2015               [Page 2]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


   A set of SCIM schema extensions that define:

   o  Password Schema Extension - Providing account password state (e.g.
      login attempts, successful login date, create date), policy,
      account locking, as well as challenge questions.

   o  Password Policy Schema - A new resource type that defines password
      policies that may be applied to resources that use passwords such
      as complexity requirements, expiry, lockout, and usage
      constraints.

   A set of resource types are defined that enable password and password
   policy management:

   o  Password Policy

   o  Password Reset Request

   o  Password Validation Request

   o  Username Recovery Request

   In the above list, the last 3 resource types are temporary resources
   that are used to convey requests that may update an identified target
   resource URI (e.g. a User).  While these requests have a simple state
   transfer request/response relationship with a SCIM client, they may
   cause secondary effects by changing multiple attribute states in the
   target of the request.  For example, setting a resource's password
   attribute involves validating password policy as well as checking and
   revising password history.  There may be further service provider
   actions such as email confirmation that occur asynchronously from the
   SCIM client's perspective.

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].  These
   keywords are capitalized when used to unambiguously specify
   requirements of the protocol or application features and behavior
   that affect the interoperability and security of implementations.
   When these words are not capitalized, they are meant in their
   natural-language sense.

   For purposes of readability examples are not URL encoded.
   Implementers MUST percent encode URLs as described in Section 2.1 of
   [RFC3986].




Hunt & Wilson          Expires September 30, 2015               [Page 3]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


   Throughout this documents all figures MAY contain spaces and extra
   line-wrapping for readability and space limitations.  Similarly, some
   URI's contained within examples, have been shortened for space and
   readability reasons.

1.2.  Definitions

   [TBD]

2.  Schema Extensions

2.1.  Password Schema Extension

   The following SCIM extension defines attributes used to manage
   account passwords within a service provider.  The extension is
   applied to a "User" resource, but MAY be applied to other resources
   that use passwords.  The password extension is identified using the
   following schema URI:
   "urn:ietf:params:scim:schemas:extension:account:2.0:Password".

   The following Singular Attributes are defined:

   passwordState
      A Complex attribute that describes server provided attributes
      regarding the state of the resource's password.

      createDate
         A DateTime which specifies the date and time the current
         password was set.

      cantChange
         A Boolean indicating that the current password MAY NOT be
         changed and all other password expiry settings SHALL be
         ignored.

      noExpiry
         A Boolean indicating that password expiry policy will not be
         applied for the current resource.

      lastSuccessfulLoginDate
         A DateTime value indicating the last successful login date.

      lastFailedLoginDate
         A DateTime value indicating the last failed login date.

      loginAttempts
         An Integer value indicating the number of failed login
         attempts.  The value is reset to 0 after a successful login.



Hunt & Wilson          Expires September 30, 2015               [Page 4]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


      resetAttempts
         An Integer value indicating the number of password reset
         attempts.

      passwordMustChange
         A Boolean value that indicates that the subject password value
         MUST change at the next login.  If not changed, typically the
         account is locked The value may be set indirectly when the
         subject's current password expires, or directly set by an
         administrator.

   passwordPolicyUri
      A URI reference value that indicates the address of a password
      policy that is used in relation to the current resource.

   locked
      A Complex attribute that indicates an account is locked (blocking
      new sessions).  The following sub-attributes are defined:

      reason
         A number value indicating the reason for locking.  Valid values
         are:

            0 - locked due to failed login attempts.

            1 - locked by an administrator.

            2 - locked due to failed forgot password reset attempts

      on
         A Boolean value indicating the account is locked.

      lockDate  A DateTime indicating when the resource was locked.

      duration  An optional Integer indicating length of lockout in
         seconds.

   The following Multi-valued Attributes are defined:

   challenges
      A Complex attribute describing challenge questions that may be
      used as a supplementary factor during login or during password
      management requests.

      question
         A String that represents a challenge question for which the
         corresponding response is defined.




Hunt & Wilson          Expires September 30, 2015               [Page 5]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


      response
         A String that represents the subjects specified correct
         response to the corresponding challenge.  The response MAY be
         compared case-sensitive or case-insensitive based on service
         provider policy.

   passwordHistory
      A writeOnly attribute that contains hashes of previous passwords
      associated with the SCIM resource.  The number of passwords stored
      in this attribute is set by: "policy.passwordHistorySize".
      Persisted values MUST be securely hashed such that the clients may
      test if a clear-text value was previously used by looking for a
      matching hash within the array of values.

2.2.  Password Policy

   The following SCIM extension defines a new SCIM resource type known
   as "PasswordPolicy" and usually has an endpoint of
   "/PasswordPolicies".  The password policy is identified using the
   following core schema URI:
   "urn:ietf:params:scim:schemas:core:2.0:policy:Password".

   The following Single-value attributes are defined:

   name
      A String that is the name of the policy.  Typically used for
      informational purposes (e.g. to display to the user).

   description
      A String that describes the current policy.  Typically used for
      informational purposes (e.g. to display to a user).

   maxLength
      An Integer indicating the maximum password length (in characters).
      A value of 0 or no value SHALL indicate no maximum length
      restriction.

   minLength
      An Integer indicating the minimum password length (in characters).
      A value of 0 or no value SHALL indicate no minimum length
      restriction.

   minAlphas
      An Integer indicating the minimum number of alphabetic characters
      in a password.  A value of 0 or no value SHALL indicate no minimum
      length restriction.

   minNumerals



Hunt & Wilson          Expires September 30, 2015               [Page 6]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


      An Integer indicating the minimum number of numeric characters in
      a password.  A value of 0 or no value SHALL indicate no minimum
      length restriction.

   minAlphaNumerals
      An Integer indicating the minimum number of alphabetic or numeric
      characters in a password.  A value of 0 or no value SHALL indicate
      no minimum length restriction.

   minSpecialChars
      An Integer indicating the minimum number of special characters in
      a password.  A value of 0 or no value SHALL indicate no minimum
      length restriction.

   maxSpecialChars
      An Integer indicating the maximum number of special characters in
      a password.  A value of 0 or no value SHALL indicate no maximum
      length restriction.

   minUpperCase
      An Integer indicating the minimum number of upper-case alphabetic
      characters in a password.  A value of 0 or no value SHALL indicate
      no minimum length restriction.

   minLowerCase
      An Integer indicating the minimum number of lower-case alphabetic
      characters in a password.  A value of 0 or no value SHALL indicate
      no minimum length restriction.

   minUniqueChars
      An Integer indicating the minimum number of unique characters in a
      password.  A value of 0 or no value SHALL indicate no minimum
      restriction.

   maxRepeatedChars
      An Integer indicating the maximum number of repeated characters in
      a password.  A value of 0 or no value SHALL indicate no
      restriction.

   startsWithAlpha
      A Boolean indicating that the password MUST being with an
      alphabetic character.

   minUnicodeChars
      [...not sure this makes sense.  There are strict limitations on
      password values (must be Unicode UTF-8 processed by PRECIS)]

   firstNameDisallowed



Hunt & Wilson          Expires September 30, 2015               [Page 7]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


      A Boolean indicating a sequence of characters matching the
      resource's "name.givenName" SHALL NOT be included in the password.

   lastNameDisallowed
      A Boolean indicating a sequence of characters matching the
      resource's "name.familyName" SHALL NOT be included in the
      password.

   userNameDisallowed
      A Boolean indicating a sequence of characters matching the
      resource's "userName" SHALL NOT be included in the password.

   minPasswordAgeInDays
      An Integer indicating the minimum age in days before the password
      MAY be changed.

   warningAfterDays
      An Integer indicating the number of days after which a password
      reset warning will be issued.

   expiresAfterDays
      An Integer indicating the numbers of days after which a password
      reset is required.

   requiredChars
      A String value whose contents indicates a set of characters that
      MUST appear, in any sequence, in a password value.

   disallowedChars
      A String value whose contents indicates a set of characters that
      SHALL NOT appear, in any sequence, in a password value.

   disallowedSubStrings
      A Multi-valued String indicating a set of Strings that SHALL NOT
      appear within a password value.

   dictionaryLocation
      A Reference value containing the URI of a dictionary of words not
      allowed to appear within a password value.

   passwordHistorySize
      An Integer indicating the number of passwords that will be kept in
      history that may not be used as a password.

   maxIncorrectAttempts
      An Integer representing the maximum number of failed logins before
      an account is locked.




Hunt & Wilson          Expires September 30, 2015               [Page 8]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


   lockOutDuration
      An Integer indicating the number of minutes an account will be
      locked after "maxIncorrectAttempts" exceeded.

   challengesEnabled
      A Boolean value indicating challenges MAY be used during
      authentication.

   challengePolicy
      A complex attribute that defines policy around challenges.  It
      contains the following sub-attributes:

      source  An Integer indicating one of the following:

         +  0 - User Defined.

         +  1 - Admin Defined.

         +  2 - User and Admin Defined.

      defaultQuestions  A Multi-valued String attribute that contains
         one or more default question a subject may use when setting
         their challenge questions.

      minQuestionCount  An Integer indicating the minimum number of
         challenge questions a subject MUST answer when setting
         challenge question answers.  A value of 0 or no value indicates
         no minimum.

      minAnswerCount  An Integer indicating the minimum number of
         challenge answers a subject MUST answer when attempting to
         reset their password via forgot password request.

      allAtOnce  A Boolean value.  When true, the client UI will present
         all challengers in random order each time displayed.  When
         false, the client UI will present one challenge question at a
         time where the subject MUST respond before the next is
         displayed.

      minResponseLength  An Integer indicating the minimum number of
         characters in a challenge response.  No value or a value of 0
         indicates no minimum length (effectively 1).

      maxIncorrectAttempts  An Integer indicates the maximum number of
         failed reset password attempts using challenges.  If any
         challenges are wrong in a reset attempt, the user's
         "resetAttempts" counter will be incremented by 1.  If
         "resetAttempts" is greater than "maxIncorrectAttempts", the



Hunt & Wilson          Expires September 30, 2015               [Page 9]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


         subject's account will be locked with a "locked.reason" value
         of 2 see Paragraph 3.

2.3.  Management Requests

   This extension defines a series of password and username management
   requests that are modeled as SCIM resource types.  Each request acts
   as a "function" that MAY result in multiple changes to a designated
   resource (e.g.  User).  For example, setting a password involves the
   service provider validating the new password, updating the password,
   revising password history and resetting appropriate password state
   values.

   A management request is performed by doing a SCIM creation request
   for the associated management function resource type.  Each request
   resource type has its own schema and resource type endpoint.  The
   normal SCIM API rules apply to these requests.  When a request is
   completed, a SCIM service provider MAY return the final state in the
   HTTP response, or it MAY return the location of the created request
   resource object that MAY be used for further processing.  [TO BE
   CLARIFIED]

   The following requests are supported and defined in the following
   sections:

   o  PasswordResetRequest

   o  PasswordValidateRequest

   o  UsernameValidateRequest

   o  GenerateUsernameRequest

   o  RecoverUsernameRequest

2.4.  PasswordResetRequest

   A password reset request is performed by performing a SCIM Create
   operation using HTTP POST to the endpoint for resource type
   "PasswordResetRequest" which is typically "/PasswordResetRequests".
   Upon receiving the request, the service provider, based on its own
   logic, validates the request, and based on its own internal logic
   subsequently resets the password of the resource identified by
   "userName".  This request MAY be made anonymously (since the user is
   unable to authenticate) or through an authenticated web application
   component, who in turn may be unable to authenticate the user).  [Add
   security considerations for this request]




Hunt & Wilson          Expires September 30, 2015              [Page 10]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


   Upon validating a request, the service provider may return either
   HTTP Status 200 (Ok), or it may return the request as a temporary
   resource that exists for a period of time (e.g. awaiting secondary
   approval or e-mail confirmation).

   The core schema for a "PasswordResetRequest" is "urn:ietf:params:scim
   :schemas:core:2.0:password:PasswordResetRequest".  The above schema
   can be used in several reset forms as described in the following two
   sections.  This schema includes the following attributes:

   userName
      A string value that matches the service provider unique identifier
      for the user.

   challenges
      A Complex attribute describing challenge questions and responses
      that match the values found in the resource matched by the
      "userName" attribute.

      question
         A String that represents a challenge question for which the
         corresponding response is defined.

      response
         A String that represents the subjects specified correct
         response to the corresponding challenge.  The response MAY be
         compared case-sensitive or case-insensitive based on service
         provider policy.

2.4.1.  Password Reset With Challenges

   An anonymous (or authenticated web application) by providing a
   "userName" and the correct set of challenges and a new password
   value, MAY request that a service provider accept a requested
   "password" and set the "password" directly.  The service provider
   might perform other secondary checks to confirm the requestors
   identity (email confirmation.














Hunt & Wilson          Expires September 30, 2015              [Page 11]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


POST /PasswordResetRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
    "schemas":
        ["urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"],
    "userName":
        "happyAlice",
    "challenges": [
    {
        "challenge":"what is your favorite color",
        "response":"red"
    },
    {
        "challenge":"what is name of your pet",
        "response":"pet"
    },
    {
        "challenge":"what is city of your birth",
        "response":"city"
    }],
    "password": "<new password>"
}

   Upon processing a successful request, the SCIM service provider would
   respond with:

   HTTP/1.1 200 OK

   In the above example, the request is considered complete when
   response is returned.  In this case, no permanent request object is
   created and so no HTTP Location value is returned.  In some cases,
   the service provider MAY keep the request until workflow completes.
   If it wishes to allow clients to "poll" for status, it MAY create a
   resource and returns an HTTP Location in the response.  [Is this
   needed?]

2.4.2.  Reset With Email Confirmation

   By providing only a "userName" value, an email conformation flow MAY
   be initiated that requires the subject to click on the link (to prove
   ownership of the known email) upon which the user is confirmed and
   the request is processed.






Hunt & Wilson          Expires September 30, 2015              [Page 12]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


POST /PasswordResetRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
    "schemas":
        ["urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest"],
    "userName":
        "happyAlice"
}

   Upon processing a successful request, the SCIM service provider SHALL
   respond with:

   HTTP/1.1 200 OK

   In the above example, it is expected that the User will be given a
   link to click on out-of-band.  As such the current request completes
   with no further response.  As with the Challenges variant, a service
   provider MAY provide an HTTP Location if the service provider intends
   to keep the request active until it is completed.  [Is a persisted
   request needed?]

2.5.  PasswordValidateRequest

   A password validation request MAY be used to confirm that a proposed
   password value conforms to service provider policy and associated
   user policy and password state criteria (e.g. such as password
   history).  A request is performed by performing a SCIM Create
   operation using HTTP POST to the endpoint for resource type
   "PasswordValidateRequest" which is typically
   "/PasswordValidateRequests".  Upon receiving the request, the service
   provider, based on its own logic and any associated password policy
   for the resource, validates the provided password. [can this be made
   anonymously?]

   Upon validating a request, the service provider may returns either
   HTTP Status 200 (Ok), or it may return HTTP Status 400 indicating the
   password is unacceptable.  [NOTE: should there be a scimType and/or
   description describing a standardized reason for failure such as:
   history, tooShort, tooLong, missingSpecialChar, etc etc.

   The core schema for a "PasswordValidateRequest" is "urn:ietf:params:s
   cim:schemas:core:2.0:password:PasswordValidateRequest".  This schema
   includes the following attributes:

   $ref



Hunt & Wilson          Expires September 30, 2015              [Page 13]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


      A reference value that contains a URI that points to the resource
      (e.g.  User) against which the proposed password is to be
      validated as an acceptable password.

   password
      A string value containing the requested password value for which
      validation is requested.

   The following is a non-normative example validation request.  The
   example has been altered for clarity:

POST /PasswordValidateRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
    "schemas":
        ["urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest"],
    "$ref": "/Users/2819c223-7f76-453a-919d-413861904646",
    "password":"someG00Didea!"
}

   A successful response looks similar to the following non-normative
   example:

   HTTP/1.1 200 OK

2.6.  UsernameValidateRequest

   A username validation request MAY be used to confirm that a proposed
   username value conforms to service provider policy and associated
   user policy as well as uniqueness.  A request is performed by
   performing a SCIM Create operation using HTTP POST to the endpoint
   for resource type "UsernameValidateRequest" which is typically
   "/UsernameValidateRequests".  Upon receiving the request, the service
   provider, tests for uniqueness and any associated formatting policy
   and validates the provided username.

   Upon validating a request, the service provider may returns either
   HTTP Status 200 (Ok), or it may return HTTP Status 400 indicating the
   password is unacceptable.  [NOTE: should there be a scimType and/or
   description describing a standardized reason for failure such as:
   history, tooShort, tooLong, missingSpecialChar, etc etc.

   The core schema for a "UsernameValidateRequest" is "urn:ietf:params:s
   cim:schemas:core:2.0:password:UsernameValidateRequest".  This schema
   includes the following attributes:



Hunt & Wilson          Expires September 30, 2015              [Page 14]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


   $ref
      A reference value that contains a URI that points to the resource
      (e.g.  User) against which the proposed userName value is to be
      validated as an acceptable.

   userName
      A string value containing the requested userName value for which
      validation is requested.

   The following is a non-normative example validation request.  The
   example has been altered for clarity:

POST /UsernameValidaeRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
    "schemas":
        ["urn:ietf:params:scim:schemas:core:2.0:password:UsernameValidateRequest"],
    "$ref": "/Users/2819c223-7f76-453a-919d-413861904646",
    "userName":"susieQ"
}

   A successful response looks similar to the following non-normative
   example:

   HTTP/1.1 200 OK

2.7.  UsernameGenerateRequest

   A username generation request MAY be used to request an automatically
   generated userName that conforms to service provider policy and
   uniqueness requirements.  A request is performed by performing a SCIM
   Create operation using HTTP POST to the endpoint for resource type
   "UsernameGenerateRequest" which is typically
   "/UsernameGenerateRequests".  Upon receiving the request, the service
   provider, generates a unique userName and returns it in a response.

   The core schema for a "UsernameGenerateRequest" is "urn:ietf:params:s
   cim:schemas:core:2.0:password:UsernameGenerateRequest".  This schema
   includes the following attributes:

   $ref
      An operational reference value that contains a URI that points to
      the resource (e.g.  User) against which existing resource's "name"
      attribute MAY be used to generate a userName value.  When the $ref
      attribute is used, the generate request MUST be authenticated.



Hunt & Wilson          Expires September 30, 2015              [Page 15]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


   userName
      A string value that is returned in the server's response that
      contains a generated userName value.  The generated userName is
      not reserved and is guaranteed on first-come-first-served basis by
      a subsequent SCIM creation or modify request.

   name
      An optional complex attribute containing the components of the
      user's name against which a userName value is to be generated.
      This attribute MAY be typically used as part of an anonymous
      userName generation request during a user registration dialog.

      formatted  The full name, including all middle names, titles, and
         suffixes as appropriate, formatted for display (e.g.  "Ms.
         Barbara Jane Jensen, III." ).

      familyName  The family name of the User, or last name in most
         Western languages (e.g.  "Jensen" given the full name "Ms.
         Barbara Jane Jensen, III." ).

      givenName  The given name of the User, or first name in most
         Western languages (e.g.  "Barbara" given the full name "Ms.
         Barbara Jane Jensen, III." ).

      middleName  The middle name(s) of the User (e.g.  "Jane" given the
         full name "Ms.  Barbara Jane Jensen, III." ).

      honorificPrefix  The honorific prefix(es) of the User, or title in
         most Western languages (e.g.  "Ms." given the full name "Ms.
         Barbara Jane Jensen, III." ).

      honorificSuffix  The honorific suffix(es) of the User, or suffix
         in most Western languages (e.g.  "III." given the full name
         "Ms.  Barbara Jane Jensen, III." ).

















Hunt & Wilson          Expires September 30, 2015              [Page 16]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


   The following is a non-normative example userName generation request.
   The example has been altered for clarity:

POST /UsernameGenerateRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
    "schemas":
        ["urn:ietf:params:scim:schemas:core:2.0:password:UsernameGenerateRequest"],
    "name": {
        "formatted": "Ms. Barbara J Doe III",
        "familyName": "Doe",
        "givenName": "Barbara",
        "middleName": "Jane",
        "honorificSuffix": "III"
    }
}

   A successful response looks similar to the following non-normative
   example:

   HTTP/1.1 200 OK
   {
       "userName": "barbara.doe",
   }

2.8.  UsernameRecoverRequest

   A userName recovery request MAY be used to look up a userName based
   on a provided email address.  The provided email address may be
   matched against any value of an existing resource's "emails"
   attribute.  A request is performed by performing a SCIM Create
   operation using HTTP POST to the endpoint for resource type
   "UsernameRecoverRequest" which is typically
   "/UsernameRecoverRequests".  Upon receiving the request, the service
   provider, generates a unique userName and returns it in a response.

   The core schema for a "UsernameRecoverRequest" is "urn:ietf:params:sc
   im:schemas:core:2.0:password:UsernameRecoverRequest".  This schema
   includes the following attributes:

   email
      A string value containing an email address that is to be matched
      against an existing resource's "emails" attribute.





Hunt & Wilson          Expires September 30, 2015              [Page 17]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


   userName  A string value provided in response to a request which is
      the unique userName that corresponds to the recovery request.

   The following is a non-normative example userName recovery request.
   The example has been altered for clarity:

POST /UsernameRecoverRequests  HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json
Content-Length: ...
{
  "schemas":
    ["urn:ietf:params:scim:schemas:core:2.0:password:UsernameRecoverRequest"],
   "email": "bdoe@example.com"
}

   A successful response looks similar to the following non-normative
   example:

   HTTP/1.1 200 OK
   {
       "userName": "barbara.doe",
   }

   [Note: it would be more secure not to return the userName in the
   response and instead the service provider should send an email
   confirmation]

3.  Schemas Representation

   This section provides a JSON representation of the schema extensions
   in this draft.  [TODO follow format of Sec 8.7 of core schema draft]

3.1.  Password Extension

   The following is a representation of the password state extension
   "urn:ietf:params:scim:schemas:extension:account:2.0:Password" that is
   used to extend a User resource.

    {
     "id" :
       "urn:ietf:params:scim:schemas:extension:account:2.0:Password",
     "name" : "Password Management Schema Extension",
     "description" : "This extension defines attributes used to manage
       account passwords within a service provider.  The extension is
       typically applied to a User resource, but MAY be applied to
       other resources that use passwords.",



Hunt & Wilson          Expires September 30, 2015              [Page 18]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


     "attributes" : [
       {
         "name" : "passwordState",
         "type" : "complex",
         "multiValued" : false,
         "description" : "A Complex attribute that describes server
           provided attributes regarding the state of the resource's
           password.",
         "required" : true,
         "returned" : "default",
         "mutability" : "readWrite",
         "subAttributes" : [
           {
             "name" : "createDate",
             "type" : "dateTime",
             "multiValued" : false,
             "description" : "A DateTime which specifies the date and
               time the current password was set.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "cantChange",
             "type" : "boolean",
             "multiValued" : false,
             "description" : "A Boolean indicating that the current
               password MAY NOT be changed and all other password expiry
               settings SHALL be ignored",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "noExpiry",
             "type" : "boolean",
             "multiValued" : false,
             "description" : "A Boolean indicating that password expiry
               policy will not be applied for the current resource.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "lastSuccessfulLoginDate",
             "type" : "dateTime",
             "multiValued" : false,
             "description" : "A DateTime value indicating the last



Hunt & Wilson          Expires September 30, 2015              [Page 19]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


               successful login date.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "lastFailedLoginDate",
             "type" : "dateTime",
             "multiValued" : false,
             "description" : "A DateTime value indicating the last
               failed login date.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "loginAttempts",
             "type" : "integer",
             "multiValued" : false,
             "description" : "An Integer value indicating the number of
               failed login attempts. The value is reset to 0 after a
               successfull login.",
             "required" : false,
             "mutability" : "readOnly",
             "returned" : "default"
           },
           {
             "name" : "resetAttempts",
             "type" : "integer",
             "multiValued" : false,
             "description" : "An Integer value indicating the number of
               password reset attempts. The value is reset to 0 after
               successful reset.",
             "required" : false,
             "mutability" : "readOnly",
             "returned" : "default"
           },
           {
             "name" : "passwordMustChange",
             "type" : "boolean",
             "multiValued" : false,
             "description" : "A Boolean value that indicates that the
               subject password value MUST change at the next login. If
               not changed, typically the account is locked The value
               may be set indirectly when the subject's current password
               expires, or directly set by an administrator.",
             "required" : false,
             "mutability" : "readWrite",



Hunt & Wilson          Expires September 30, 2015              [Page 20]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


             "returned" : "default"
           }
         ]
       },
       {
         "name" : "passwordPolicyUrl",
         "type" : "reference",
         "referenceTypes" : ["PasswordPolicy"],
         "multiValued" : false,
         "description" : "A URI reference value that indicates the
           address of a password policy that is used in relation to the
           current resource.",
         "required" : false,
         "caseExact" : false,
         "mutability" : "readWrite",
         "returned" : "default",
         "uniqueness" : "none"
       },
       {
         "name" : "locked",
         "type" : "complex",
         "multiValued" : false,
         "description" : "A Complex attribute that indicates an account
           is locked (blocking new sessions).",
         "required" : false,
         "returned" : "default",
         "mutability" : "readWrite",
         "subAttributes" : [
           {
             "name" : "reason",
             "type" : "integer",
             "multiValued" : false,
             "description" : "A number value indicating the reason for
               locking. Valid values are: 0 - failed attempts. 1 - admin
               lock. 2 - reset attempts",
             "required" : true,
             "mutability" : "readWrite",
             "returned" : "default"
           },
           {
             "name" : "on",
             "type" : "boolean",
             "multiValued" : false,
             "description" :
               "A Boolean value indicating the account is locked.",
             "required" : true,
             "mutability" : "readWrite",
             "returned" : "default"



Hunt & Wilson          Expires September 30, 2015              [Page 21]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


           },
           {
             "name" : "lockDate",
             "type" : "dateTime",
             "multiValued" : false,
             "description" : "A DateTime which specifies the date and
               time the current resource was locked.",
             "required" : false,
             "mutability" : "readWrite",
             "returned" : "default"
           }
         ]
       },
       {
         "name" : "challenges",
         "type" : "complex",
         "multiValued" : true,
         "description" : "A Complex attribute describing challenge
           questions that may be used as a supplementary factor during
           login or during password management requests.",
         "required" : false,
         "returned" : "default",
         "mutability" : "readWrite",
         "subAttributes" : [
           {
             "name" : "question",
             "type" : "string",
             "multiValued" : false,
             "description" : "A String that represents a challenge
               question for which the corresponding response is
               defined.",
             "required" : true,
             "caseExact" : true,
             "mutability" : "readWrite",
             "returned" : "default",
             "uniqueness" : "none"
           },
           {
             "name" : "response",
             "type" : "string",
             "multiValued" : false,
             "description" : "A String that represents the subjects
               specified correct response to the corresponding
               challenge.",
             "required" : true,
             "caseExact" : false,
             "mutability" : "readWrite",
             "returned" : "default",



Hunt & Wilson          Expires September 30, 2015              [Page 22]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


             "uniqueness" : "none"
           }
         ]
       },
       {
         "name" : "passwordHistory",
         "type" : "string",
         "multiValued" : true,
         "description" : "A writeOnly attribute that contains hashes of
           previous passwords associated with the SCIM resource.",
         "required" : false,
         "caseExact" : true,
         "mutability" : "writeOnly",
         "returned" : "never",
         "uniqueness" : "none"
       }
     ]
   }

                       Password Extension for Users

3.2.  Password Policy Schema

   The following is a representation of the password policy resource
   type extension
   "urn:ietf:params:scim:schemas:core:2.0:policy:Password" that is used
   to define a PasswordPolicy resource.

  {
    "id" :
      "urn:ietf:params:scim:schemas:core:2.0:policy:Password",
    "name" : "Password Policy Schema",
    "description" : "This extension defines attributes for a password
      policy.",
    "attributes" : [
      {
        "name" : "name",
        "type" : "string",
        "multiValued" : false,
        "description" : "A String that is the name of the policy.
          Typically used for informational purposes (e.g. to display
          to the user)",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },



Hunt & Wilson          Expires September 30, 2015              [Page 23]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


      {
        "name" : "description",
        "type" : "string",
        "multiValued" : false,
        "description" : "A String that describes the current policy.
          Typically used for informational purposes (e.g. to display
          to a user).",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "maxLength",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Maximum password length in characters.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minLength",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum password length in characters.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minAlphas",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum number of alpha chcars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
       {
        "name" : "minNumerals",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum number of numeric characters.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"



Hunt & Wilson          Expires September 30, 2015              [Page 24]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


      },
       {
        "name" : "maxLength",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Maximum password length in characters.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minAlphaNumerals",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum num of alphas and numeric chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minSpecialChars",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum num of special chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "maxSpecialChars",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Maximum number of special chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minUpperCase",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum num of upper case chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minLowerCase",



Hunt & Wilson          Expires September 30, 2015              [Page 25]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum num of lower case chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minUnique",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Minimum num of unique chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "maxRepeatChars",
        "type" : "integer",
        "multiValued" : false,
        "description" : "Max num of repeated chars.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "startsWithAlphas",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "Indicates password must begin with alpha char",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minUnicodeChars",
        "type" : "integer",
        "multiValued" : false,
        "description" : "[TO BE DISCUSSED]",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "firstNameDisallowed",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "Indicates a sequence of characters matching



Hunt & Wilson          Expires September 30, 2015              [Page 26]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


          the resource's name.givenName SHALL NOT be included in the
          password",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "lastNameDisallowed",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "Indicates a sequence of characters matching
          the resource's name.familyName SHALL NOT be included in the
          password",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "userNameDisallowed",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "Indicates a sequence of characters matching
          the resource's userName SHALL NOT be included in the
          password",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "minPasswordAgeInDays",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An Integer indicating the minimum age in days
          before the password MAY be changed.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "warningAfterDays",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An Integer indicating the number of days after
          which a password reset warning will be issued.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },



Hunt & Wilson          Expires September 30, 2015              [Page 27]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


      {
        "name" : "expiresAfterDays",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An Integer indicating the numbers of days
          after which a password reset is required.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "requiredChars",
        "type" : "string",
        "multiValued" : false,
        "description" : "A String value whose contents indicates a set
          of characters that MUST appear, in any sequence, in a
          password value.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "never",
        "uniqueness" : "none"
      },
      {
        "name" : "disallowedChars",
        "type" : "string",
        "multiValued" : false,
        "description" : "A String value whose contents indicates a set
          of characters that SHALL NOT appear, in a password value.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "never",
        "uniqueness" : "none"
      },
      {
        "name" : "disallowedSubstrings",
        "type" : "string",
        "multiValued" : true,
        "description" : "A set of strings that SHALL not appear in a
          password value.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "never",
        "uniqueness" : "none"
      },
      {



Hunt & Wilson          Expires September 30, 2015              [Page 28]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


        "name" : "disctionaryLocation",
        "type" : "reference",
        "referenceTypes" : ["reference"],
        "multiValued" : false,
        "description" : "A Reference value containing the URI of a
          dictionary of words not allowed to appear within a password
          value.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "passwordHistorySize",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An Integer indicating the number of passwords
          that will be kept in history that may not be used as a
          password.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "maxIncorrectAttempts",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An Integer representing the maximum number of
          failed logins before an account is locked.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "lockOutDuration",
        "type" : "integer",
        "multiValued" : false,
        "description" : "An integer indicating the number of minutes
          an account will be locked after maxIncorrectAttempts
          exceeded.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "challengesEnabled",
        "type" : "boolean",



Hunt & Wilson          Expires September 30, 2015              [Page 29]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


        "multiValued" : false,
        "description" : "Indicates whether challenges may be used
          during authentication.",
        "required" : false,
        "mutability" : "readWrite",
        "returned" : "default"
      },
      {
        "name" : "challengePolicy",
        "type" : "complex",
        "multiValued" : false,
        "description" : "A complex attribute that defines policy around
          challenges.",
        "required" : true,
        "returned" : "default",
        "mutability" : "readWrite",
        "subAttributes" : [
          {
            "name" : "source",
            "type" : "integer",
            "multiValued" : false,
            "description" : "A number value indicating the source for
              challenges. Valid values are: 0 - user. 1 - admin
              defined. 2 - both",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "defaultQuestions",
            "type" : "string",
            "multiValued" : true,
            "description" : "A Multi-valued String attribute that
              contains one or more default question a subject may use
              when setting their challenge questions",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "minQuestionCount",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An Integer indicating the minimum number
              of challenge questions a subject MUST answer when setting
              challenge question answers.  A value of 0 or no value



Hunt & Wilson          Expires September 30, 2015              [Page 30]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


              indicates no minimum.",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "minAnswerCount",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An Integer indicating the mimimum number
              of challenge answers a subject MUST answer when
              attempting to reset their password via forgot password
              request.",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "allAtOnce",
            "type" : "boolean",
            "multiValued" : false,
            "description" : "When true, the client UI will present
              all challengers in random order each time displayed.
              When false, the client UI will present one challenge
              question at a time where the subject MUST respond before
              the next is displayed.",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "minResponseLength",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An Integer indicating the minimum number
              of chars in a challenge response.  No value or a value
              of 0 indicates no minimum length (effectively 1)",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          },
          {
            "name" : "maxIncorrectAttempts",
            "type" : "integer",
            "multiValued" : false,
            "description" : "An Integer indicates the maximum number of
              failed reset password attempts using challenges. If any
              challenges are wrong in a reset attempt, the user's



Hunt & Wilson          Expires September 30, 2015              [Page 31]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


             resetAttempts counter will be incremented by 1.  If
             resetAttempts is greater than maxIncorrectAttempts, the
             subject's account will be locked with a locked.reason
             value.",
            "required" : true,
            "mutability" : "readWrite",
            "returned" : "default"
          }
        ]
      }
    ]
  }

                          Password Policy Schema

3.3.  Request Schemas

   The following are the schemas for all password request resource types
   returned by the "/Schemas" endpoint:

[
  {
    "id" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest",
    "name" : "Password Reset Request",
    "description" : "Used to submit a password reset request for a
    specific userName. Before resetting a secondary confirmation is
    completed.",
    "attributes" : [
      {
        "name" : "userName",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value that matches the service provider
        unique identifier for the user.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "challenges",
        "type" : "complex",
        "multiValued" : true,
        "description" : "A Complex attribute describing challenge
        questions and responses that match the values found in the
        resource matched by the userName attribute.",



Hunt & Wilson          Expires September 30, 2015              [Page 32]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


        "required" : false,
        "returned" : "default",
        "mutability" : "readWrite",
        "subAttributes" : [
          {
            "name" : "question",
            "type" : "string",
            "multiValued" : false,
            "description" : "A String that represents a challenge
               question for which the corresponding response is
               defined.",
            "required" : true,
            "caseExact" : true,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "response",
            "type" : "string",
            "multiValued" : false,
            "description" : "A String that represents the subjects
              specified correct response to the corresponding
              challenge.",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ]
      },
      {
        "name" : "password",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value for the requested password.
        When specified, the challenges attribute must also be present.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "writeOnly",
        "returned" : "never",
        "uniqueness" : "none"
      }
    ]
  },
  {
    "id" :



Hunt & Wilson          Expires September 30, 2015              [Page 33]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


"urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest",
    "name" : "Password Validate Request",
    "description" : "Used to submit a password for validation.",
    "attributes" : [
      {
        "name" : "password",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value for the requested password.
        When specified, the challenges attribute must also be present.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "writeOnly",
        "returned" : "never",
        "uniqueness" : "none"
      }
    ]
  },
  {
    "id" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameValidateRequest",
    "name" : "UserName Validate Request",
    "description" : "Used to submit a username for validation.",
    "attributes" : [
      {
        "name" : "$ref",
        "type" : "reference",
        "referenceTypes" : [
          "User"
        ],
        "multiValued" : false,
        "description" : "A reference value that contains a URI that
        points to the resource (e.g.  User) against which the proposed
        userName value is to be validated as an acceptable.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "userName",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value containing the requested userName
        value for which validation is requested.",
        "required" : true,
        "caseExact" : false,



Hunt & Wilson          Expires September 30, 2015              [Page 34]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }
    ]
  },
  {
    "id" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameGenerateRequest",
    "name" : "Username Generate Request",
    "description" : "Used to request a new username be generated.",
    "attributes" : [
      {
        "name" : "$ref",
        "type" : "reference",
        "referenceTypes" : [
          "User"
        ],
        "multiValued" : false,
        "description" : "An reference value that contains a URI that
          points to the resource (e.g.  User) against which existing
          resource's name attribute MAY be used to generate a userName
          value.  When the $ref attribute is used, the generate
          request MUST be authenticated.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "userName",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value that is returned in the
          server's reponse that contains a generated userName value.
          The generated userName is not reserved and is guaranteed on
          first-come-first-served basis by a subsequent SCIM creation
          or modify request.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "name",
        "type" : "complex",



Hunt & Wilson          Expires September 30, 2015              [Page 35]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


        "multiValued" : false,
        "description" : "An optional complex attribute containing the
          components of the user's name against which a userName value
          is to be generated. This attribute MAY be typically used as
          part of an anonymous userName generation request during a
          user registration dialog.",
        "required" : false,
        "subAttributes" : [
          {
            "name" : "formatted",
            "type" : "string",
            "multiValued" : false,
            "description" : "The full name, including all middle names,
titles, and suffixes as appropriate, formatted for display (e.g. Ms.
Barbara J Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "familyName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The family name of the User, or Last Name
in most Western languages (e.g. Jensen given the full name Ms. Barbara J
Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "givenName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The given name of the User, or First Name
in most Western languages (e.g. Barbara given the full name Ms. Barbara
J Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {



Hunt & Wilson          Expires September 30, 2015              [Page 36]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


            "name" : "middleName",
            "type" : "string",
            "multiValued" : false,
            "description" : "The middle name(s) of the User (e.g. Robert
given the full name Ms. Barbara J Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "honorificPrefix",
            "type" : "string",
            "multiValued" : false,
            "description" : "The honorific prefix(es) of the User, or
Title in most Western languages (e.g. Ms. given the full name Ms.
Barbara J Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          },
          {
            "name" : "honorificSuffix",
            "type" : "string",
            "multiValued" : false,
            "description" : "The honorific suffix(es) of the User, or
Suffix in most Western languages (e.g. III. given the full name Ms.
Barbara J Jensen, III.).",
            "required" : false,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
          }
        ],
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }
    ]
  },
  {
    "id" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameRecoverRequest",
    "name" : "UserName Recovery Request",



Hunt & Wilson          Expires September 30, 2015              [Page 37]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


    "description" : "Used to look up a username by email address.",
    "attributes" : [
      {
        "name" : "email",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value containing an email address
          that is to be matched against an existing resource's emails
          attribue.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      },
      {
        "name" : "userName",
        "type" : "string",
        "multiValued" : false,
        "description" : "A string value provided in response to a
          request which is the unique userName that corresponds to the
          recovery request.",
        "required" : true,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "always",
        "uniqueness" : "none"
      }
    ]
  }
]

                              Request Schemas

4.  Password Management ResourceTypes

   The following are the resource type definitions for the resource
   types defined in this specification.

[
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "PasswordPolicy",
    "name" : "Password Policy Definition",
    "endpoint" : "/Users",
    "description" : "Password policy definition",



Hunt & Wilson          Expires September 30, 2015              [Page 38]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


    "schema" : "urn:ietf:params:scim:schemas:core:2.0:policy:Password",
    "schemaExtensions" : [

    ]
  },
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "PasswordResetRequest",
    "name" : "Password Reset Request type",
    "endpoint" : "/PasswordResetRequest",
    "description" : "Resource type for processing password reset
      requests",
    "schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordResetRequest",
    "schemaExtensions" : [

    ]
  },
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "PasswordValidateRequest",
    "name" : "Password Validate Request type",
    "endpoint" : "/PasswordValidateRequest",
    "description" : "Resource type for processing password validation
      requests",
    "schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:PasswordValidateRequest",
    "schemaExtensions" : [

    ]
  },
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "UserNameValidateRequest",
    "name" : "Username Validate Request type",
    "endpoint" : "/UserNameValidateRequest",
    "description" : "Resource type for processing username validation
      requests",
    "schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameValidateRequest",
    "schemaExtensions" : [




Hunt & Wilson          Expires September 30, 2015              [Page 39]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


    ]
  },
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "UserNameGenerateRequest",
    "name" : "Username Generation Request type",
    "endpoint" : "/UserNameGenerateRequest",
    "description" : "Resource type for processing username generation
      requests",
    "schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameGenerateRequest",
    "schemaExtensions" : [

    ]
  },
  {
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id" : "UserNameRecoverRequest",
    "name" : "Username Recovery Request type",
    "endpoint" : "/UserNameRecoverRequest",
    "description" : "Resource type for recovering usernames.",
    "schema" :
"urn:ietf:params:scim:schemas:core:2.0:password:UserNameRecoveryRequest",
    "schemaExtensions" : [

    ]
  }
]

                    Password Management Resource Types

5.  Security Considerations

   This specification builds on those of the SCIM API and Core-Schema
   specifications and as such the security considerations of both of
   these drafts apply to this specification.

   [other considerations TBD]

6.  IANA Considerations

   TODO: Registration for Password management schema

   TODO: Registration of password management resource types



Hunt & Wilson          Expires September 30, 2015              [Page 40]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


7.  References

7.1.  Normative References

   [I-D.ietf-scim-api]
              Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E., and C.
              Mortimore, "System for Cross-Domain Identity Management:
              Protocol", draft-ietf-scim-api-14 (work in progress),
              December 2014.

   [I-D.ietf-scim-core-schema]
              Hunt, P., Grizzle, K., Wahlstroem, E., and C. Mortimore,
              "System for Cross-Domain Identity Management: Core
              Schema", draft-ietf-scim-core-schema-14 (work in
              progress), December 2014.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005.

7.2.  Informative References

   [I-D.ietf-precis-framework]
              Saint-Andre, P. and M. Blanchet, "PRECIS Framework:
              Preparation, Enforcement, and Comparison of
              Internationalized Strings in Application Protocols",
              draft-ietf-precis-framework-21 (work in progress),
              December 2014.

Appendix A.  Contributors

Appendix B.  Acknowledgments

   The editor would like to thank the participants in the SCIM working
   group for their support of this specification.

Appendix C.  Change Log

   Draft 00 - PH - First Draft

Authors' Addresses







Hunt & Wilson          Expires September 30, 2015              [Page 41]


Internet-Draft        draft-hunt-scim-password-mgmt           March 2015


   Phil Hunt (editor)
   Oracle Corporation

   Email: phil.hunt@yahoo.com


   Gregg Wilson
   Oracle Corporation

   Email: gregg.wilson@oracle.com









































Hunt & Wilson          Expires September 30, 2015              [Page 42]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/