Resource schemas
Verify Identity Access supports the following resource schemas from RFC 7643:

    “User” Resource Schema: urn:ietf:params:scim:schemas:core:2.0:User
    Enterprise User Schema Extension: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
    “Group” Resource Schema: urn:ietf:params:scim:schemas:core:2.0:Group

Verify Identity Access also provides the following extensions to the “User” Resource Schema:

    MMFA Authenticators: urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator
    MMFA Transactions: urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction
    MMFA EAS: urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:EAS
    User Knowledge Questions: urn:ietf:params:scim:schemas:extension:isam:1.0:UserKnowledgeQuestions
    ISVA User: urn:ietf:params:scim:schemas:extension:isam:1.0:User
    ISVA Group: urn:ietf:params:scim:schemas:extension:isam:1.0:Group
    FIDO U2F: urn:ietf:params:scim:schemas:extension:isam:1.0:U2F
    EULA: urn:ietf:params:scim:schemas:extension:isam:1.0:EULA
    OTP: urn:ietf:params:scim:schemas:extension:isam:1.0:OTP
    FIDO2 Authenticators: urn:ietf:params:scim:schemas:extension:isam:1.0:FIDO2Authenticators
    Password: urn:ietf:params:scim:schemas:extension:isam:1.0:Password
Data in the Verify Identity Access schemas can be managed for users that do not necessarily exist in the LDAP user registry, for instance a user who logged in with an identity issued by another identity provider.
Consider a user logging in with an identity from social.ibm.com. Their AZN_CRED_PRINCIPAL_NAME is https://social.ibm.com/myTestUser. The SCIM interface can be used to manage data on the Verify Identity Access extension schemas if the correct SCIM user ID is provided.
The SCIM user ID expected by the SCIM application is the Base64 and URL encoded version of the username, which in this case is “aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy”. Even though the user does not exist in the LDAP user registry and has no attributes in the defined User Resource Schema, it is still possible to manage their data in the Verify Identity Access specific schemas.
In the following example, a user is not in the user registry but still has MMFA Authenticators data.
GET https://scim.ibm.com/scim/Users/aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy

{
  "meta": {
    "location": "https://scim.ibm.com/scim/Users/aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy",
    "resourceType": "User"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator"
  ],
  "id": "dGVzdHVzZXI1NTU",
  "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator": {
    "userPresenceMethods": [],
    "authenticators": [
      {
        "osVersion": "2.b",
        "id": "uuid1c689142-be74-4262-9e33-8813b532599b",
        "oauthGrant": "uuid9d06ddc1-0157-16e7-87b9-e593c7ab6dfc",
        "deviceName": "IBM Phone",
        "enabled": true
      }
    ],
    "fingerprintMethods": [
      {
        "id": "uuid4e6e91fe-0956-41be-a933-c01ed4466c05",
        "keyHandle": "SVNBTSBTQ0lNIEVhc3RlciBFZ2cu",
        "authenticator": "uuid1c689142-be74-4262-9e33-8813b532599b",
        "enabled": true,
        "algorithm": "SHA512withRSA"
      }
    ]
  }
}
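The following Python is an added example, not code from IBM or from the Verify Identity Access product. It derives the SCIM user ID from a federated principal name the way the text above describes (Base64, then URL-encoded), builds the corresponding Users URL, and audits the MMFA Authenticator extension of a response such as the one shown, flagging fingerprint methods that reference a disabled or unknown authenticator. Two assumptions: the "=" Base64 padding is dropped, which matches the unpadded ids shown on this page, and the base URL is a placeholder; no request is actually sent, and the sample response is constructed from the example above.

```python
"""Added example (not IBM's code): SCIM user IDs for federated principals and a
review of the MMFA Authenticator extension returned for such a user."""
import base64
import copy
import urllib.parse

MMFA_AUTH_SCHEMA = "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator"


def scim_user_id(principal_name: str) -> str:
    """Base64-encode the principal name, then URL-encode the result.
    Assumption: '=' padding is dropped, as in the ids shown on the page."""
    b64 = base64.b64encode(principal_name.encode("utf-8")).decode("ascii").rstrip("=")
    # safe="" also percent-encodes '/' and '+', which plain Base64 can produce
    return urllib.parse.quote(b64, safe="")


def principal_from_scim_id(scim_id: str) -> str:
    """Inverse of scim_user_id: URL-decode, restore padding, Base64-decode."""
    b64 = urllib.parse.unquote(scim_id)
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8")


def user_url(base_url: str, principal_name: str) -> str:
    """URL of the SCIM User resource for a principal (base_url is a placeholder)."""
    return f"{base_url.rstrip('/')}/Users/{scim_user_id(principal_name)}"


def audit_mmfa_authenticators(resource: dict) -> dict:
    """Summarise the MMFA Authenticator extension of a SCIM User resource.

    Returns the ids of enabled authenticators and the ids of fingerprint methods
    whose 'authenticator' reference points at a disabled or unknown device, which
    is the registration state a reviewer would want to look at first."""
    ext = resource.get(MMFA_AUTH_SCHEMA, {})
    authenticators = {a["id"]: a for a in ext.get("authenticators", [])}
    enabled = [aid for aid, a in authenticators.items() if a.get("enabled")]
    dangling = []
    for method in ext.get("fingerprintMethods", []):
        owner = authenticators.get(method.get("authenticator"))
        if owner is None or not owner.get("enabled"):
            dangling.append(method["id"])
    return {"enabled_authenticators": enabled, "dangling_fingerprint_methods": dangling}


# Constructed sample response, taken from the example on the page.
SAMPLE_RESPONSE = {
    "meta": {"location": "https://scim.ibm.com/scim/Users/aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy",
             "resourceType": "User"},
    "schemas": [MMFA_AUTH_SCHEMA],
    "id": "dGVzdHVzZXI1NTU",
    MMFA_AUTH_SCHEMA: {
        "userPresenceMethods": [],
        "authenticators": [
            {"osVersion": "2.b", "id": "uuid1c689142-be74-4262-9e33-8813b532599b",
             "oauthGrant": "uuid9d06ddc1-0157-16e7-87b9-e593c7ab6dfc",
             "deviceName": "IBM Phone", "enabled": True}
        ],
        "fingerprintMethods": [
            {"id": "uuid4e6e91fe-0956-41be-a933-c01ed4466c05",
             "keyHandle": "SVNBTSBTQ0lNIEVhc3RlciBFZ2cu",
             "authenticator": "uuid1c689142-be74-4262-9e33-8813b532599b",
             "enabled": True, "algorithm": "SHA512withRSA"}
        ],
    },
}


def sample_with_disabled_authenticator() -> dict:
    """Copy of the sample where the only authenticator has been disabled."""
    changed = copy.deepcopy(SAMPLE_RESPONSE)
    changed[MMFA_AUTH_SCHEMA]["authenticators"][0]["enabled"] = False
    return changed


if __name__ == "__main__":
    principal = "https://social.ibm.com/myTestUser"
    print("GET", user_url("https://scim.ibm.com/scim", principal))
    print("round trip:", principal_from_scim_id(scim_user_id(principal)))
    print("audit:", audit_mmfa_authenticators(SAMPLE_RESPONSE))
    print("audit after disabling the device:",
          audit_mmfa_authenticators(sample_with_disabled_authenticator()))
```

For this principal name the Base64 output contains no "+", "/" or "=", so the URL-encoding step changes nothing; for a principal whose Base64 form does contain those characters the percent-encoding is what keeps the id usable as a single path segment.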