Resource schemas

Security Access Manager supports the following resource schemas defined in RFC 7643 (the SCIM core schema):

“User” Resource Schema 
urn:ietf:params:scim:schemas:core:2.0:User

Enterprise User Schema Extension 
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

“Group” Resource Schema 
urn:ietf:params:scim:schemas:core:2.0:Group

Security Access Manager also provides the following extension schemas of its own. All of them extend the “User” Resource Schema except ISAM Group, which extends the “Group” Resource Schema:

MMFA Authenticators
urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator

MMFA Transactions
urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction

MMFA EAS
urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:EAS

User Knowledge Questions
urn:ietf:params:scim:schemas:extension:isam:1.0:UserKnowledgeQuestions

ISAM User
urn:ietf:params:scim:schemas:extension:isam:1.0:User

ISAM Group
urn:ietf:params:scim:schemas:extension:isam:1.0:Group

FIDO U2F
urn:ietf:params:scim:schemas:extension:isam:1.0:U2F

EULA
urn:ietf:params:scim:schemas:extension:isam:1.0:EULA

OTP
urn:ietf:params:scim:schemas:extension:isam:1.0:OTP

FIDO2 Authenticators
urn:ietf:params:scim:schemas:extension:isam:1.0:FIDO2Authenticators

Data in the Security Access Manager extension schemas can be managed for users that do not exist in the LDAP user registry at all, for example a user who logged in with an identity issued by another identity provider.

Consider a user who logs in with an identity from social.ibm.com. Their AZN_CRED_PRINCIPAL_NAME is https://social.ibm.com/myTestUser. The SCIM interface can be used to manage data in the Security Access Manager extension schemas for that user, provided the correct SCIM user ID is supplied in the request.

The SCIM user ID expected by the SCIM application is the username Base64 encoded and then URL encoded. For this principal name that is “aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy”; the 33-byte name encodes to 44 Base64 characters with no “=” padding, so URL encoding leaves the string unchanged (a name whose Base64 form ends in “=” is sent with the padding encoded as %3D). Even though the user does not exist in the LDAP user registry and has no attributes in the “User” Resource Schema, it is still possible to manage their data in the Security Access Manager specific schemas.

In the following example, the user is not in the user registry but still has MMFA Authenticators data. Note that the id in the response is the same SCIM user ID that was requested in the path, and that only the extension schema is listed under schemas because the user has no core “User” attributes.

GET https://scim.ibm.com/scim/Users/aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy

{
  "meta": {
    "location": "https://scim.ibm.com/scim/Users/aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy",
    "resourceType": "User"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator"
  ],
  "id": "aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy",
  "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator": {
    "userPresenceMethods": [],
    "authenticators": [
      {
        "osVersion": "2.b",
        "id": "uuid1c689142-be74-4262-9e33-8813b532599b",
        "oauthGrant": "uuid9d06ddc1-0157-16e7-87b9-e593c7ab6dfc",
        "deviceName": "IBM Phone",
        "enabled": true
      }
    ],
    "fingerprintMethods": [
      {
        "id": "uuid4e6e91fe-0956-41be-a933-c01ed4466c05",
        "keyHandle": "SVNBTSBTQ0lNIEVhc3RlciBFZ2cu",
        "authenticator": "uuid1c689142-be74-4262-9e33-8813b532599b",
        "enabled": true,
        "algorithm": "SHA512withRSA"
      }
    ]
  }
}
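The following Python example is added here to make the ID derivation and the response handling concrete; it is not part of the original page and is not IBM's code. It derives the SCIM user ID from a principal name exactly as described above (Base64, then URL encoding, which only makes a visible difference once padding or reserved characters appear), builds the /Users URL, and extracts the enabled MMFA authenticators from a response body. The host scim.ibm.com and the response body are taken from the page's example, with one constructed disabled device added. Two details are this example's own choices rather than documented behaviour: it percent-encodes '/' and '+' in the Base64 output so the ID is always a single path segment, and it refuses a response whose id does not equal the id that was requested.

```python
import base64
import json
import urllib.parse

# Host taken from the page's example; substitute your own SCIM endpoint.
SCIM_BASE = "https://scim.ibm.com/scim"
MMFA_AUTH_SCHEMA = "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator"


def scim_user_id(principal_name: str) -> str:
    """SCIM user ID for a principal name: standard Base64, then URL-encoded.

    safe="" is an assumption of this example: it also percent-encodes '/' and
    '+', which standard Base64 can emit, so the ID is always one path segment.
    Any '=' padding becomes %3D.
    """
    b64 = base64.b64encode(principal_name.encode("utf-8")).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def principal_from_scim_id(scim_id: str) -> str:
    """Inverse of scim_user_id; useful when reading principal names out of
    SCIM access logs. validate=True rejects IDs that are not clean Base64."""
    b64 = urllib.parse.unquote(scim_id)
    return base64.b64decode(b64, validate=True).decode("utf-8")


def user_url(principal_name: str) -> str:
    """URL of the /Users resource for the given principal name."""
    return f"{SCIM_BASE}/Users/{scim_user_id(principal_name)}"


def enabled_authenticators(response_body: str, requested_id: str) -> list:
    """Device names of the enabled MMFA authenticators in a GET /Users/{id} body.

    Refuses the body if its "id" is not the ID that was requested, and reads
    the extension only when its URN is declared in "schemas".
    """
    doc = json.loads(response_body)
    if doc.get("id") != requested_id:
        raise ValueError(
            f"response id {doc.get('id')!r} does not match requested id {requested_id!r}"
        )
    if MMFA_AUTH_SCHEMA not in doc.get("schemas", []):
        return []
    ext = doc.get(MMFA_AUTH_SCHEMA, {})
    return [a["deviceName"] for a in ext.get("authenticators", []) if a.get("enabled")]


# Constructed sample response, reduced from the page's example; the second
# (disabled) device is invented for the example.
SAMPLE_RESPONSE = json.dumps({
    "meta": {
        "location": "https://scim.ibm.com/scim/Users/aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy",
        "resourceType": "User",
    },
    "schemas": [MMFA_AUTH_SCHEMA],
    "id": "aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy",
    MMFA_AUTH_SCHEMA: {
        "userPresenceMethods": [],
        "authenticators": [
            {"id": "uuid1c689142-be74-4262-9e33-8813b532599b",
             "deviceName": "IBM Phone", "osVersion": "2.b", "enabled": True},
            {"id": "uuid00000000-0000-0000-0000-000000000000",
             "deviceName": "Old Tablet", "osVersion": "1.0", "enabled": False},
        ],
    },
})


if __name__ == "__main__":
    principal = "https://social.ibm.com/myTestUser"
    uid = scim_user_id(principal)
    print(uid)                                           # aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy
    print(scim_user_id("alice"))                         # YWxpY2U%3D (padding is URL-encoded)
    print(user_url(principal))
    print(enabled_authenticators(SAMPLE_RESPONSE, uid))  # ['IBM Phone']
```

The id check matters because the SCIM client, not the caller, decides which extension data it writes back after a read; acting on a body for a different user than the one requested is exactly the kind of confusion that turns a management script into a privilege-escalation path.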