Resource schemas
Security Access Manager supports the following resource schemas from RFC 7643.
“User” Resource Schema
    urn:ietf:params:scim:schemas:core:2.0:User
Enterprise User Schema Extension
    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
“Group” Resource Schema
    urn:ietf:params:scim:schemas:core:2.0:Group
Security Access Manager also provides the following extensions to the “User” Resource Schema:
MMFA Authenticators
    urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator
MMFA Transactions
    urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction
MMFA EAS
    urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:EAS
User Knowledge Questions
    urn:ietf:params:scim:schemas:extension:isam:1.0:UserKnowledgeQuestions
ISAM User
    urn:ietf:params:scim:schemas:extension:isam:1.0:User
ISAM Group
    urn:ietf:params:scim:schemas:extension:isam:1.0:Group
FIDO U2F
    urn:ietf:params:scim:schemas:extension:isam:1.0:U2F
EULA
    urn:ietf:params:scim:schemas:extension:isam:1.0:EULA
OTP
    urn:ietf:params:scim:schemas:extension:isam:1.0:OTP
FIDO2 Authenticators
    urn:ietf:params:scim:schemas:extension:isam:1.0:FIDO2Authenticators
Data in the Security Access Manager schemas can be managed for users that do not necessarily exist in the LDAP user registry, for example when a user has logged in with an identity from another identity provider.
Consider a user logging in with an identity from social.ibm.com. Their AZN_CRED_PRINCIPAL_NAME is https://social.ibm.com/myTestUser. The SCIM interface can be used to manage data on the Security Access Manager extension schemas if the correct SCIM user ID is provided.
The SCIM user ID expected by the SCIM application is the Base64 and URL encoded version of the username, which in this case is “aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy”. Even though the user does not exist in the LDAP user registry and has no attributes in the defined User Resource Schema, it is still possible to manage their data in the Security Access Manager specific schemas.
In the following example, a user is not in the user registry but still has MMFA Authenticators data.
GET https://scim.ibm.com/scim/Users/aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy

{
    "meta": {
        "location": "https://scim.ibm.com/scim/Users/aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy",
        "resourceType": "User"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator"
    ],
    "id": "dGVzdHVzZXI1NTU",
    "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator": {
        "userPresenceMethods": [],
        "authenticators": [
            {
                "osVersion": "2.b",
                "id": "uuid1c689142-be74-4262-9e33-8813b532599b",
                "oauthGrant": "uuid9d06ddc1-0157-16e7-87b9-e593c7ab6dfc",
                "deviceName": "IBM Phone",
                "enabled": true
            }
        ],
        "fingerprintMethods": [
            {
                "id": "uuid4e6e91fe-0956-41be-a933-c01ed4466c05",
                "keyHandle": "SVNBTSBTQ0lNIEVhc3RlciBFZ2cu",
                "authenticator": "uuid1c689142-be74-4262-9e33-8813b532599b",
                "enabled": true,
                "algorithm": "SHA512withRSA"
            }
        ]
    }
}
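The following Python is an added example, not code from the product documentation or from Security Access Manager itself. It derives the SCIM user ID for a principal name as the text above describes (Base64 of the username, then URL-encoded), reverses that derivation, builds the Users resource URL, and then reads the MMFA Authenticator extension out of the sample response shown above to list enabled authenticators and to check that every fingerprint method refers to an authenticator that is actually present. It assumes standard Base64 (RFC 4648 section 4) followed by percent-encoding of the result, so that `+`, `/` and `=` padding survive inside a URL path segment; the function names are the example's own, and the embedded response is the page's sample, reproduced here as constructed test input.

```python
import base64
import json
from urllib.parse import quote, unquote

MMFA_AUTHENTICATOR_SCHEMA = (
    "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator"
)

# Constructed sample: the GET response from the page, embedded so the
# example runs offline.
SAMPLE_RESPONSE = """{
  "meta": {
    "location": "https://scim.ibm.com/scim/Users/aHR0cHM6Ly9zb2NpYWwuaWJtLmNvbS9teVRlc3RVc2Vy",
    "resourceType": "User"
  },
  "schemas": ["urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator"],
  "id": "dGVzdHVzZXI1NTU",
  "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator": {
    "userPresenceMethods": [],
    "authenticators": [
      {
        "osVersion": "2.b",
        "id": "uuid1c689142-be74-4262-9e33-8813b532599b",
        "oauthGrant": "uuid9d06ddc1-0157-16e7-87b9-e593c7ab6dfc",
        "deviceName": "IBM Phone",
        "enabled": true
      }
    ],
    "fingerprintMethods": [
      {
        "id": "uuid4e6e91fe-0956-41be-a933-c01ed4466c05",
        "keyHandle": "SVNBTSBTQ0lNIEVhc3RlciBFZ2cu",
        "authenticator": "uuid1c689142-be74-4262-9e33-8813b532599b",
        "enabled": true,
        "algorithm": "SHA512withRSA"
      }
    ]
  }
}"""


def scim_user_id(principal_name: str) -> str:
    """Derive the SCIM user ID from a principal name (AZN_CRED_PRINCIPAL_NAME).

    Assumption: standard Base64, then percent-encoding with no characters
    left unescaped, so '+', '/' and '=' cannot be misread as URL syntax.
    """
    b64 = base64.b64encode(principal_name.encode("utf-8")).decode("ascii")
    return quote(b64, safe="")


def principal_from_scim_id(scim_id: str) -> str:
    """Reverse scim_user_id; rejects input that is not valid Base64."""
    raw = base64.b64decode(unquote(scim_id), validate=True)
    return raw.decode("utf-8")


def user_resource_url(base_url: str, principal_name: str) -> str:
    """Build the /Users/{id} URL for a principal against a SCIM base URL."""
    return f"{base_url.rstrip('/')}/Users/{scim_user_id(principal_name)}"


def enabled_authenticators(response_body: str) -> list:
    """Return deviceName of each enabled MMFA authenticator in a User response.

    The extension is only read when its URN is declared in "schemas".
    """
    doc = json.loads(response_body)
    if MMFA_AUTHENTICATOR_SCHEMA not in doc.get("schemas", []):
        return []
    ext = doc.get(MMFA_AUTHENTICATOR_SCHEMA, {})
    return [a["deviceName"] for a in ext.get("authenticators", []) if a.get("enabled")]


def dangling_fingerprint_refs(response_body: str) -> list:
    """Return ids of fingerprint methods whose "authenticator" is not present.

    A non-empty result means a registered method points at an authenticator
    that no longer exists in the extension, which is worth flagging.
    """
    doc = json.loads(response_body)
    ext = doc.get(MMFA_AUTHENTICATOR_SCHEMA, {})
    known = {a["id"] for a in ext.get("authenticators", [])}
    return [m["id"] for m in ext.get("fingerprintMethods", [])
            if m.get("authenticator") not in known]


if __name__ == "__main__":
    principal = "https://social.ibm.com/myTestUser"
    print(user_resource_url("https://scim.ibm.com/scim", principal))
    print(enabled_authenticators(SAMPLE_RESPONSE))
    print(dangling_fingerprint_refs(SAMPLE_RESPONSE))
```

For the page's principal the derived ID contains no `+`, `/` or `=`, so percent-encoding changes nothing; a short name such as `alice` produces `YWxpY2U=`, which the URL-encoding step turns into `YWxpY2U%3D`, and that is exactly the case the reverse function has to undo before decoding.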