IBM Verify


SCIM attribute is not present in the response

  • 1.  SCIM attribute is not present in the response

    Posted Tue November 26, 2019 08:45 AM
    Hi Community,

    When I perform a SCIM user request

    /Users?filter=userName%20eq%20UserName

    in my Lab I get urn:ietf:params:scim:schemas:extension:isam:1.0:OTP.totpEnrolled attribute for a user:

    "urn:ietf:params:scim:schemas:extension:isam:1.0:OTP": {
        "totpEnrolled": true,
        "hotpEnrolled": true
    },

    but in customer environment I don't get this attribute.

    The attribute is configured in Global Settings under Attribute Modes in mode "ReadWrite" with the "Default" setting set to "yes".

    What could be the reason for such behavior, and what should be done to get urn:ietf:params:scim:schemas:extension:isam:1.0:OTP.totpEnrolled in the SCIM answer?

    ------------------------------
    Best Regards
    Ivan Yartsev
    ------------------------------


  • 2.  RE: SCIM attribute is not present in the response

    Posted Wed November 27, 2019 05:52 PM
    Hi Ivan,

    There are a couple of reasons the OTP schema might be missing from the customer's environment.

    First reason is the user might not have TOTP or HOTP enrolled. The OTP schema will only be present in the response if at least one of the OTP methods is enrolled, i.e. at least totpEnrolled or hotpEnrolled must be true. If both are false, the schema will be omitted (this is because of ISAM's SCIM framework. Happy to go into details if so desired).

    Secondly, the OTP schema was only added in ISAM 907. If the customer environment is on an earlier version of ISAM, the schema won't be present.
    You can flick through the ISAM versions here to see which schemas are included in specific versions: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/admin/concept/con_scim_resource_schema.html

    Hope this helps

    ------------------------------
    Jasmine Smith
    ------------------------------



  • 3.  RE: SCIM attribute is not present in the response

    Posted Fri November 29, 2019 04:24 AM
    Hi Jasmine,

    Thank you for your reply. The version of ISAM is 9.0.7 in both environments and I expect
    urn:ietf:params:scim:schemas:extension:isam:1.0:OTP.totpEnrolled
    to be set to true.
    What triggers this attribute, I mean what action causes it to be set to true? I get the code as a picture (/mga/sps/mga/user/mgmt/otp/qr/totp) and a GET is issued to get a secret, so I expect it should be enough, is it?

    ------------------------------
    Ivan Yartsev
    ------------------------------



  • 4.  RE: SCIM attribute is not present in the response

    Posted Sun December 01, 2019 06:26 PM
    Hey Ivan,

    To enroll a user in TOTP/HOTP, they can either view the QR codes through the link you found, or perform a GET to the OTP endpoint. So it sounds like you have enrolled successfully.

    The other reason that the schema may not show up is if the username does not match the SCIM username. A common cause is the user logging in with a different case compared to the SCIM request, for example they enrolled OTPs against the username `userName` but you are searching for users with `UserName`. Can you confirm if this is the case?

    You can check this by doing a generic /scim/Users request, rather than a filtered request, and see if there are extra accounts being returned.

    If you need the username to be treated as case insensitive, you may need to follow the instructions here:
    https://community.ibm.com/community/user/security/blogs/jasmine-smith1/2019/01/08/advanced-access-control-username-case-sensitivity

    The reason this may have worked in the lab is that on ISO installs of ISAM 9.0.4+, username case sensitivity is disabled by default.

    ------------------------------
    Jasmine
    ------------------------------
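Added example (not code from the thread or from IBM): a Python check for the two causes discussed in the replies above, run over a constructed /scim/Users listing instead of a live server. It applies the rule that the OTP extension block is absent when neither TOTP nor HOTP is enrolled, and flags accounts whose userName values differ only in case. The sample data and the reporting layout are assumptions for the example.

```python
import json
from collections import defaultdict

OTP_SCHEMA = "urn:ietf:params:scim:schemas:extension:isam:1.0:OTP"

# Constructed sample, shaped like a SCIM ListResponse from an unfiltered
# /scim/Users call. Accounts 1 and 2 differ only in username case; only
# the lower-case one carries the OTP extension block.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"id": "1", "userName": "userName",
         OTP_SCHEMA: {"totpEnrolled": True, "hotpEnrolled": False}},
        {"id": "2", "userName": "UserName"},
        {"id": "3", "userName": "alice"},
    ],
})


def otp_enrollment(resource):
    """Return (totpEnrolled, hotpEnrolled) for one SCIM user resource.
    The extension block is omitted when neither method is enrolled, so a
    missing block is read as both flags being false."""
    ext = resource.get(OTP_SCHEMA) or {}
    return bool(ext.get("totpEnrolled")), bool(ext.get("hotpEnrolled"))


def find_case_collisions(list_response_json):
    """Map lowercased userName -> list of spellings that occur more than once."""
    groups = defaultdict(list)
    for user in json.loads(list_response_json).get("Resources", []):
        if user.get("userName") is not None:
            groups[user["userName"].lower()].append(user["userName"])
    return {key: names for key, names in groups.items() if len(names) > 1}


def report(list_response_json):
    """One row per account: enrollment flags plus a case-collision marker."""
    collisions = find_case_collisions(list_response_json)
    rows = []
    for user in json.loads(list_response_json).get("Resources", []):
        totp, hotp = otp_enrollment(user)
        rows.append({"userName": user.get("userName"),
                     "totpEnrolled": totp, "hotpEnrolled": hotp,
                     "caseCollision": user.get("userName", "").lower() in collisions})
    return rows
```

Feed the raw body of a real unfiltered /scim/Users response into report() to see which spelling of a username actually holds the enrollment.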



  • 5.  RE: SCIM attribute is not present in the response

    Posted Mon December 09, 2019 07:48 AM
    Hi Jasmine,

    Thank you for your answer. I opened a PMR. I will post the reason for this behavior.

    ------------------------------
    Ivan Yartsev
    ------------------------------



  • 6.  RE: SCIM attribute is not present in the response

    Posted Mon April 13, 2020 01:30 PM
    Hi Jasmine,

    As you said, a user is enrolled for TOTP/HOTP when he views the QR codes through the link or performs a GET to the OTP endpoint. I would like to know whether it is possible to de-enroll a user from this TOTP endpoint?

    There can be scenarios where users open the QRCode page but close it without scanning, or if they scan it in the first place and then for some reason delete the account from the App. In both these scenarios, it would be good to de-enroll the user from this.

    Would appreciate your comments on this.

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 7.  RE: SCIM attribute is not present in the response

    Posted Sun April 19, 2020 06:45 PM
    Edited by Jasmine Smith Sun April 19, 2020 06:46 PM
    Hi Jahanzaib,

    It is possible to remove the enrollment either via SCIM:
    PATCH /scim/Me
    {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{
            "op": "remove",
            "path": "urn:ietf:params:scim:schemas:extension:isam:1.0:OTP:totpEnrolled"
        }]
    }

    Or via the USC endpoint:
    DELETE /mga/sps/mga/user/mgmt/otp/totp


    ------------------------------
    Jasmine
    ------------------------------



  • 8.  RE: SCIM attribute is not present in the response

    Posted Fri April 24, 2020 02:02 PM
    Hi Jasmine,

    Thank you for your response and letting us know about both the possible ways. But I have a confusion here. What I know about the USC endpoint which you mentioned is that it is used to reset the TOTP shared secret and it does not delete its enrollment. Can you please confirm and correct me if I am wrong?

    Best regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 9.  RE: SCIM attribute is not present in the response

    Posted Sun April 26, 2020 06:30 PM
    Hi Jahanzaib,

    I think you are confusing the UI "reset" functionality with the REST "delete" functionality. If you go to the UI and observe the network tools, you'll see that the reset flow performs a DELETE, then a GET. The GET is what regenerates the secret key. If you call the DELETE endpoint without calling the GET afterwards, the enrollment will be fully removed.

    Hope this helps.


    ------------------------------
    Jasmine
    ------------------------------



  • 10.  RE: SCIM attribute is not present in the response

    Posted Thu April 30, 2020 03:25 PM
    Hi Jasmine,

    Thank you very much. It is clear now. I confused it with the UI reset functionality.

    Thanks and best regards,
    Jahanzaib

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 11.  RE: SCIM attribute is not present in the response

    Posted Mon August 10, 2020 12:11 PM
    Hi Jasmine, this example helps me a lot; it is part of what I have to implement. But how could I remove a user's authenticator device via SCIM?
    Thanks in advance. Regards.

    ------------------------------
    David Vicenteño
    ------------------------------



  • 12.  RE: SCIM attribute is not present in the response

    Posted Mon August 10, 2020 06:31 PM

    Hi David,

    To delete an authenticator instead, you just need to modify the path in the SCIM remove request to target the MMFA schema and the specific authenticator ID:

    PATCH /scim/Me
    {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{
            "op": "remove",
            "path": "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:authenticators[id eq <id>]"
        }]
    }

    Hope this helps.



    ------------------------------
    Jasmine
    ------------------------------
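Added example (not code from the thread or from IBM) covering both remove requests shown in this thread, the TOTP enrollment removal from reply 7 and the MMFA authenticator removal from reply 12: it builds the PatchOp bodies for PATCH /scim/Me, refuses authenticator ids that could alter the filter expression, and checks a re-read user resource afterwards. The id character set and the quoting of the id as a SCIM string literal (RFC 7644 filter syntax, where the reply shows a bare <id> placeholder) are assumptions for the example.

```python
import json
import re

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
OTP_SCHEMA = "urn:ietf:params:scim:schemas:extension:isam:1.0:OTP"
OTP_TOTP_PATH = OTP_SCHEMA + ":totpEnrolled"
MMFA_AUTHENTICATORS = ("urn:ietf:params:scim:schemas:extension:isam:1.0:"
                       "MMFA:Authenticator:authenticators")

# The authenticator id is spliced into a SCIM filter expression, so only a
# conservative character set is accepted. This pattern is an assumption for
# the example; the thread does not state the server's id format.
_ID_RE = re.compile(r"^[A-Za-z0-9._:-]{1,128}$")


def patch_remove(path):
    """SCIM 2.0 PatchOp body carrying a single remove operation."""
    return {"schemas": [PATCH_OP_SCHEMA],
            "Operations": [{"op": "remove", "path": path}]}


def remove_totp_enrollment():
    """Body for PATCH /scim/Me that clears the caller's TOTP enrollment."""
    return patch_remove(OTP_TOTP_PATH)


def remove_authenticator(authenticator_id):
    """Body for PATCH /scim/Me that removes one MMFA authenticator by id.
    The id is quoted as a SCIM string literal (RFC 7644 filter syntax);
    the thread shows the value as a bare <id> placeholder."""
    if not _ID_RE.match(authenticator_id):
        raise ValueError("unexpected authenticator id: %r" % authenticator_id)
    return patch_remove('%s[id eq "%s"]' % (MMFA_AUTHENTICATORS, authenticator_id))


def as_json(body):
    """Serialise a request body the way it would be sent on the wire."""
    return json.dumps(body, indent=2)


def totp_enrollment_removed(user_resource):
    """Verify a re-read user resource after the PATCH: the OTP block is
    omitted when nothing is enrolled, so a missing block also counts."""
    ext = user_resource.get(OTP_SCHEMA) or {}
    return not ext.get("totpEnrolled", False)
```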



  • 13.  RE: SCIM attribute is not present in the response

    Posted Tue August 11, 2020 11:36 AM
    Thank you very much Jasmine, it was just what I needed.
    Regards.

    ------------------------------
    David Vicenteño
    ------------------------------



  • 14.  RE: SCIM attribute is not present in the response

    Posted Tue August 11, 2020 06:09 AM
    Hi,

    There are other possible problems:

    • If SCIM answered with 500 Server Error, it could be resolved by installing the 9071_IF5 fixpack.
    • The userName source attribute is set to CN by default, and in this case the user could not be found in the table. Solution: set the userName source attribute in the SCIM configuration under User Profile to UID.


    ------------------------------
    Ivan Yartsev
    ------------------------------