User password change and recovery
The SCIM service provides an API that allows a user to update their own password.
Three separate methods can be used to update a user password by using the SCIM API.
- Update the password with no password policy validation. This update is done by using either a PUT or PATCH operation while the new password is passed by way of the passwordNoPolicy SCIM attribute.
- Update the password as the actual user without providing the current password. This update is done by using either a PUT or PATCH operation while the new password is passed by way of the password SCIM attribute. It updates the password in two phases.
  - Sets the user’s password as a randomly generated password while binding as the LDAP administrator.
  - Binds as the actual user by using the new random password and sets the password as the passed value.

  Note: This method does the following actions.
  - If the SCIM configuration has enable password policy set to true, it enforces the LDAP password policy validation.
  - Creates two separate password updates that add two new passwords to the LDAP password history.
  - If the new password does not meet password requirements, it sets the random password without validating the actual new password against the password policy. This action might result in setting the password to an unknown value.
- Update the password as the actual user by providing the current password with the password schema.
Process to update the password as the actual user
- Update the password by using PATCH.
  - This method provides the current and new passwords as PATCH data by using the PATCH with no path API. For example,

        PATCH https://runtime/scim/Me
        {
          "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
          "Operations": [
            {
              "op": "replace",
              "value": {
                "urn:ietf:params:scim:schemas:extension:isam:1.0:Password": {
                  "newPassword": "password1",
                  "currentPassword": "password"
                }
              }
            }
          ]
        }

    Note:
    - The PATCH operation can be set as either add or replace. Both values result in the same update process.
    - The PATCH with path API is not supported for this password update.
- Update the password by using PUT.
  - This method provides the current and new password as PUT data by using the update API. For example,

        PUT https://runtime/scim/Users/dGVzdHVzZXI
        {
          "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User",
            "urn:ietf:params:scim:schemas:extension:isam:1.0:Password"
          ],
          "urn:ietf:params:scim:schemas:extension:isam:1.0:Password": {
            "currentPassword": "password",
            "newPassword": "password1"
          },
          "userName": "testuser",
          "registrySuffix": "dc=test,dc=org",
          "name": {
            "familyName": "User",
            "givenName": "Test"
          }
        }

    Note: The update operation is a full replace operation. Ensure that all the user data is provided or else the existing data that is not specified is erased.
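
The following is an added example, not code from the product documentation. It builds the PATCH and PUT bodies described above and checks which top-level attributes a PUT body would erase. The helper names, the sample user and its emails attribute are constructed for illustration, and the stored resource is assumed to have been retrieved beforehand.

```python
import copy

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
PASSWORD_EXT = "urn:ietf:params:scim:schemas:extension:isam:1.0:Password"

# Constructed sample: the stored user as a prior retrieval might return it.
SAMPLE_STORED_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "dGVzdHVzZXI",
    "userName": "testuser",
    "registrySuffix": "dc=test,dc=org",
    "name": {"familyName": "User", "givenName": "Test"},
    "emails": [{"value": "testuser@example.org", "type": "work"}],
}

def password_ext(current_password, new_password):
    return {"currentPassword": current_password, "newPassword": new_password}

def build_patch_body(current_password, new_password, op="replace"):
    """PATCH-with-no-path body; it touches only the password extension."""
    if op not in ("add", "replace"):
        raise ValueError("op must be 'add' or 'replace'")
    value = {PASSWORD_EXT: password_ext(current_password, new_password)}
    return {"schemas": [PATCH_OP], "Operations": [{"op": op, "value": value}]}

def build_put_body(stored_user, current_password, new_password):
    """Full-replace PUT body built from the stored resource, so nothing is dropped."""
    body = copy.deepcopy(stored_user)  # never mutate the caller's copy
    if PASSWORD_EXT not in body.setdefault("schemas", []):
        body["schemas"].append(PASSWORD_EXT)
    body[PASSWORD_EXT] = password_ext(current_password, new_password)
    return body

def erased_attributes(stored_user, put_body, server_managed=("id", "meta")):
    """Top-level attributes the PUT would erase because the body omits them."""
    return sorted(k for k in stored_user
                  if k not in put_body and k not in server_managed)

if __name__ == "__main__":
    # Hand-written body modelled on the PUT example above: it omits "emails".
    hand_written = {k: v for k, v in SAMPLE_STORED_USER.items() if k != "emails"}
    hand_written[PASSWORD_EXT] = password_ext("password", "password1")
    print("hand-written PUT would erase:",
          erased_attributes(SAMPLE_STORED_USER, hand_written))
    merged = build_put_body(SAMPLE_STORED_USER, "password", "password1")
    print("merged PUT would erase:", erased_attributes(SAMPLE_STORED_USER, merged))
```

Both bodies carry cleartext passwords, so keep them out of request logs and debug output.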