IBM Verify Access: SCIM Password Update

By KERRY GUNN posted Thu December 15, 2022 01:07 AM

  

In this article I am going to discuss the various password update methods that are available in the SCIM component of IBM Security Verify Access (ISVA) and how they can be used.

 

There are three different ways that a user's password can be updated:

  1. Reset the password to a new value as the LDAP administrator, without the LDAP password policy being checked.
  2. Update the password to a user specified value without passing the existing password.
  3. Update the password to a user specified value passing the existing password.

 

Note: For all examples in this article the following assumptions exist:

  • The LDAP user “scimadmin” exists and is a member of the configured SCIM administrative group.
  • The LDAP user “testuser” exists and has a related SCIM ID of “dGVzdHVzZXI”.
  • Examples are shown using curl but the endpoint and payloads are consistent for any tool. The -k flag disables TLS certificate verification; it is tolerable against a test runtime with a self-signed certificate, but it must not be used against production, since each request carries the bind credentials and the new password.


1.0 Password reset as LDAP administrator

    The password reset involves calling the SCIM component to set a user's password to a specified value.

    Bind User | Update Process                           | Password Policy Notes
    Admin     | Single operation bound as administrator. | - The update is made by the LDAP administrator and as such the password policy is not checked.
              |                                          | - The password history is updated with the new password.

    As the LDAP password policy is not checked, it must be ensured that the specified new password conforms to any required policy (length, complexity, history, etc.) before passing it to the SCIM component. A non-compliant value is accepted, so the caller is the only control point for this method.


    1.1 Password reset using HTTP PUT

    The default SCIM attribute modes allow a user to update their own data so this operation can be performed by either testuser or scimadmin.

     
    curl -k --user testuser:Password https://isvaruntime/scim/Users/dGVzdHVzZXI -X PUT --data-binary '<payload>'

     

    Where <payload> is set as:

     

     {
       "passwordNoPolicy":"Passw0rd1",
       "displayName":"testuser",
       "userName":"Test",
       "phoneNumbers":[
          {
             "type":"work",
             "value":"123456789",
             "primary":true
          }
       ],
       "emails":[
          {
             "type":"work",
             "value":"testuser@test.com",
             "primary":true
          }
       ],
       "schemas":[
          "urn:ietf:params:scim:schemas:core:2.0:User"
       ],
       "name":{
          "givenName":"Test",
          "familyName":"User"
       }
    }

     

    This will result in the password for testuser being set as Passw0rd1.

    Note: The PUT operation is a full replace and will result in all the existing user attributes being updated with the new values specified in the payload. Fetch the current representation with GET first and include every attribute that must be preserved; an attribute left out of the payload should be assumed not to be kept.

      

    1.2 Password reset using HTTP PATCH with no SCIM path attribute

     

    The default SCIM attribute mode for passwordNoPolicy only allows an administrator to make an update so this operation can be performed only by scimadmin. This SCIM configuration can be updated if required.

     

    curl -k --user scimadmin:Password https://isvaruntime/scim/Users/dGVzdHVzZXI -X PATCH --data-binary '<payload>'

     

    Where <payload> is set as:

     

    {
       "schemas":[
          "urn:ietf:params:scim:api:messages:2.0:PatchOp"
       ],
       "Operations":[
          {
             "op":"replace",
             "value":{
                "passwordNoPolicy":"Passw0rd1"
             }
          }
       ]
    }

    This will result in the password for testuser being set as Passw0rd1.

    Note: The PATCH operation may be set as either add or replace with the same effect.

      

    1.3 Password reset using HTTP PATCH with SCIM path attribute

     

    The default SCIM attribute mode for passwordNoPolicy only allows an administrator to make an update so this operation can be performed only by scimadmin. This SCIM configuration can be updated if required.

     

    curl -k --user scimadmin:Password https://isvaruntime/scim/Users/dGVzdHVzZXI -X PATCH --data-binary '<payload>'

     

    Where <payload> is set as:

     

    {
       "schemas":[
          "urn:ietf:params:scim:api:messages:2.0:PatchOp"
       ],
       "Operations":[
          {
             "op":"replace",
             "path":"urn:ietf:params:scim:schemas:core:2.0:User:passwordNoPolicy",
             "value":"Passw0rd1"
          }
       ]
    }
     

    This will result in the password for testuser being set as Passw0rd1.

    Note: The PATCH operation may be set as either add or replace with the same effect.
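    As an added example (not code from this article or from IBM), the following Python builds the request forms shown above for method 1, performs the local policy check that the SCIM component does not perform for passwordNoPolicy, and constructs a PUT body from a previously fetched user so that the full-replace semantics of PUT do not strip attributes. The POLICY values, the application/scim+json Content-Type header and the dropping of the read-only id and meta attributes are assumptions; align them with the directory policy and runtime in use.

```python
"""Request builders for the ISVA SCIM passwordNoPolicy reset (method 1).

Added example, not from the article or IBM. Assumes the endpoint shape
https://isvaruntime/scim/Users/<id> shown above and a local approximation
of the LDAP password policy (POLICY), which must mirror the real directory.
"""
import base64
import json
import re
import ssl
import urllib.request

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumed local copy of the directory password policy; not read from ISVA.
POLICY = {"min_length": 8, "require_digit": True, "require_upper": True}


def meets_policy(password: str, policy: dict = POLICY) -> list[str]:
    """Return the violated rules; an empty list means the value is acceptable.

    passwordNoPolicy bypasses the LDAP policy, so this is the only check.
    """
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_digit"] and not re.search(r"\d", password):
        problems.append("no digit")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    return problems


def patch_payload(attribute: str, value: str, with_path: bool, op: str = "replace") -> dict:
    """PATCH body in the form of 1.2 (no path) or 1.3 (path); add or replace."""
    if op not in ("add", "replace"):
        raise ValueError("op must be add or replace")
    operation = {"op": op}
    if with_path:
        operation["path"] = f"{CORE_USER}:{attribute}"
        operation["value"] = value
    else:
        operation["value"] = {attribute: value}
    return {"schemas": [PATCH_OP], "Operations": [operation]}


def put_payload(existing_user: dict, attribute: str, value: str) -> dict:
    """PUT body that preserves every attribute of a previously fetched user.

    PUT is a full replace, so start from the GET representation rather than a
    hand-written subset. The read-only id and meta are dropped (assumption);
    all other attributes, including extension schemas, are carried across.
    """
    body = {k: v for k, v in existing_user.items() if k not in ("id", "meta")}
    body.setdefault("schemas", [CORE_USER])
    body[attribute] = value
    return body


def reset_password_no_policy(base_url: str, user_id: str, new_password: str,
                             admin: str, admin_pw: str, verify_tls: bool = True) -> int:
    """Method 1 via PATCH with path, bound as the SCIM admin, after a local policy check."""
    problems = meets_policy(new_password)
    if problems:
        raise ValueError("new password rejected locally: " + ", ".join(problems))
    body = json.dumps(patch_payload("passwordNoPolicy", new_password, with_path=True)).encode()
    token = base64.b64encode(f"{admin}:{admin_pw}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/scim/Users/{user_id}", data=body, method="PATCH",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/scim+json"})  # header is an assumption
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; lab use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status
```

    The local check in meets_policy is deliberately strict about what it can see; it cannot reproduce directory-side rules such as history or dictionary checks, so a value that passes here may still be one the directory would have refused had it been asked.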

     

     

    2.0 Password update without providing existing password

     

    If the user's password is not known, there is a secondary reset method where the user specifies the new password without supplying the existing one. The update is performed as two separate LDAP password updates:

     

    1. The first update is performed by the LDAP administrator and sets the user's password to a newly generated random password. This random password is generated internally by ISVA and is not known outside of this update process.
    2. The second update is performed as the actual user (binding with the new random password) and sets the password to the specified new value.

      

    Note: The value of the SCIM user profile "Enforce Password Policy" property influences this password update method. If the property is not set to true, the operation reverts to a single LDAP password update performed by the LDAP administrator, as described above in method 1, and the password policy is not checked at all.


    Bind User             | Update Process                                      | Password Policy Notes
    Admin and actual user | Dual phase operation:                               | - The first update is made by the LDAP administrator and as such the password policy is not checked.
                          | 1. Set random password bound as admin.              | - The second update is made by the actual user and as such the password policy is checked.
                          | 2. Set specified password bound as the actual user. | - The password history is updated twice, once with the random password and once with the specified password.

    If the specified new password does not meet the required password policy, the second update fails and the operation may leave the password set to the unknown random value. This may not be a major issue if the user had forgotten their existing password anyway, but a client should treat a failure from this operation as "password now unknown" rather than "password unchanged", and should expect the history to contain the extra random entry.



    To use this password update method use the SCIM user profile attribute “password” in either a PATCH or PUT operation.

     

    2.1 Password update using HTTP PUT

     

    The default SCIM attribute modes allow a user to update their own data so this operation can be performed by either testuser or scimadmin.

     

    curl -k --user testuser:Password https://isvaruntime/scim/Users/dGVzdHVzZXI -X PUT --data-binary '<payload>'

     

    Where <payload> is set as:

     

    {
       "password":"Passw0rd1",
       "displayName":"testuser",
       "userName":"Test",
       "phoneNumbers":[
          {
             "type":"work",
             "value":"123456789",
             "primary":true
          }
       ],
       "emails":[
          {
             "type":"work",
             "value":"testuser@test.com",
             "primary":true
          }
       ],
       "schemas":[
          "urn:ietf:params:scim:schemas:core:2.0:User"
       ],
       "name":{
          "givenName":"Test",
          "familyName":"User"
       }
    }
     

    This will result in the password for testuser being set as Passw0rd1.

    Note: The PUT operation is a full replace and will result in all the existing user attributes being updated with the new values specified in the payload. Fetch the current representation with GET first and include every attribute that must be preserved; an attribute left out of the payload should be assumed not to be kept.

      

    2.2 Password update using HTTP PATCH with no SCIM path attribute

     

    The default SCIM attribute mode for password allows a user to make an update so this operation can be performed by scimadmin or testuser. This SCIM configuration can be updated if required.

     

    curl -k --user testuser:Password https://isvaruntime/scim/Users/dGVzdHVzZXI -X PATCH --data-binary '<payload>'

     

    Where <payload> is set as:

     

    {
       "schemas":[
          "urn:ietf:params:scim:api:messages:2.0:PatchOp"
       ],
       "Operations":[
          {
             "op":"replace",
             "value":{
                "password":"Passw0rd1"
             }
          }
       ]
    }


    This will result in the password for testuser being set as Passw0rd1. 

    Note: The PATCH operation may be set as either add or replace with the same effect.

      

    2.3 Password update using HTTP PATCH with SCIM path attribute

     

    The default SCIM attribute mode for password allows a user to make an update so this operation can be performed by scimadmin or testuser. This SCIM configuration can be updated if required.

     

    curl -k --user testuser:Password https://isvaruntime/scim/Users/dGVzdHVzZXI -X PATCH --data-binary '<payload>'

     

    Where <payload> is set as:

     

    {
       "schemas":[
          "urn:ietf:params:scim:api:messages:2.0:PatchOp"
       ],
       "Operations":[
          {
             "op":"replace",
             "path":"urn:ietf:params:scim:schemas:core:2.0:User:password",
             "value":"Passw0rd1"
          }
       ]
    } 


    This will result in the password for testuser being set as Passw0rd1.
    Note: The PATCH operation may be set as either add or replace with the same effect.
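    As an added example (not ISVA code and not from this article), the following Python models the dual-phase behaviour described in section 2.0 against a constructed in-memory stand-in for the LDAP server: administrator writes skip the policy, writes bound as the user enforce it, and both append to the history. It shows the state the account is left in when the second phase fails, and the client-side check (a bind with the requested value) that tells the two outcomes apart. The policy rules and history handling of FakeDirectory are assumptions chosen to follow the text, not the directory's real configuration.

```python
"""Model of the dual-phase 'password' update (method 2) and its failure mode.

Added example, not ISVA code. FakeDirectory is a constructed stand-in for the
LDAP server following the behaviour described in section 2.0: admin writes
bypass the policy, user writes enforce it, every write appends to history.
"""
import secrets


class PolicyViolation(Exception):
    """Raised when a user-bound write does not satisfy the (assumed) policy."""


class FakeDirectory:
    def __init__(self, users: dict[str, str], admin_pw: str, min_length: int = 8):
        self.passwords = dict(users)                 # uid -> current password
        self.history = {u: [p] for u, p in users.items()}
        self.admin_pw = admin_pw
        self.min_length = min_length

    def bind(self, uid: str, pw: str) -> bool:
        if uid == "admin":
            return pw == self.admin_pw
        return self.passwords.get(uid) == pw

    def set_password(self, bound_as: str, bound_pw: str, uid: str, new_pw: str) -> None:
        if not self.bind(bound_as, bound_pw):
            raise PermissionError("bind failed")
        if bound_as != "admin":
            # Policy is only enforced on writes made by the user themselves.
            if len(new_pw) < self.min_length:
                raise PolicyViolation(f"shorter than {self.min_length}")
            if new_pw in self.history[uid]:
                raise PolicyViolation("password reuse")
        self.passwords[uid] = new_pw
        self.history[uid].append(new_pw)


def two_phase_update(directory: FakeDirectory, uid: str, new_pw: str, admin_pw: str) -> str:
    """Reproduce the two LDAP writes ISVA makes for a 'password' update with
    Enforce Password Policy set to true.

    Returns "set" or "stuck_random". In the latter case the account holds a
    value nobody knows, so the caller must follow up with an admin reset.
    """
    random_pw = secrets.token_urlsafe(24)
    directory.set_password("admin", admin_pw, uid, random_pw)      # phase 1, no policy
    try:
        directory.set_password(uid, random_pw, uid, new_pw)         # phase 2, policy checked
    except PolicyViolation:
        return "stuck_random"
    return "set"


def verify_password(directory: FakeDirectory, uid: str, pw: str) -> bool:
    """Client-side confirmation. Against a real runtime this is a request made
    as the user with the new credentials, e.g. GET /scim/Users/<id>; a failed
    bind after a 'successful' looking update means the random value stuck."""
    return directory.bind(uid, pw)
```

    The point to take from the model is that a client cannot rely on the HTTP outcome alone: after a method 2 update it should confirm with a bind as the user, and on failure go straight to a method 1 reset rather than retrying with the old password, which no longer works either.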

      

     

    3.0 Password update providing the existing password

     

    In ISVA 10.0.5.0 a new password update method was created that allows the user to provide their existing password as part of the update payload.



    Bind User   | Update Process                             | Password Policy Notes
    Actual user | Single operation bound as the actual user. | - The update is made by the actual user and as such the password policy is checked.
                |                                            | - The password history is updated with the new password.

    The existing password must be supplied for this password update method. It is the only one of the three in which a single update both requires knowledge of the existing password and has the password policy enforced, so it is the method to prefer for a self-service password change.



    To use this password update method use the SCIM password attributes “currentPassword” and “newPassword” in either a PATCH or PUT operation.

     

    3.1 Password update using HTTP PUT

     

    The default SCIM attribute modes allow a user to update their own data so this operation can be performed by either testuser or scimadmin.

     

    curl -k --user testuser:Password https://isvaruntime/scim/Users/dGVzdHVzZXI -X PUT --data-binary '<payload>'

     

    Where <payload> is set as:

      

    {
       "urn:ietf:params:scim:schemas:extension:isam:1.0:Password": {
           "currentPassword":"Passw0rd",
           "newPassword":"Passw0rd1"
       },
       "displayName":"testuser",
       "userName":"Test",
       "phoneNumbers":[
          {
             "type":"work",
             "value":"123456789",
             "primary":true
          }
       ],
       "emails":[
          {
             "type":"work",
             "value":"testuser@test.com",
             "primary":true
          }
       ],
       "schemas":[
          "urn:ietf:params:scim:schemas:core:2.0:User",
          "urn:ietf:params:scim:schemas:extension:isam:1.0:Password"
       ],
       "name":{
          "givenName":"Test",
          "familyName":"User"
       }
    }
     

    This will result in the password for testuser being set as Passw0rd1.

    Note: The PUT operation is a full replace and will result in all the existing user attributes being updated with the new values specified in the payload. Fetch the current representation with GET first and include every attribute that must be preserved; an attribute left out of the payload should be assumed not to be kept.

     

    3.2 Password update using HTTP PATCH with no SCIM path attribute

     

    The default SCIM attribute mode for the password schema attributes currentPassword and newPassword only allows a user to make an update so this operation can be performed only by testuser. This SCIM configuration can be updated if required.

     

    curl -k --user testuser:Password https://isvaruntime/scim/Users/dGVzdHVzZXI -X PATCH --data-binary '<payload>'

     

    Where <payload> is set as:

     

    {
       "schemas":[
          "urn:ietf:params:scim:api:messages:2.0:PatchOp"
       ],
       "Operations":[
          {
             "op":"replace",
             "value":{
                "urn:ietf:params:scim:schemas:extension:isam:1.0:Password": {
                    "newPassword": "Passw0rd1",
                    "currentPassword": "Passw0rd"
                }
             }
          }
       ]
    }


    This will result in the password for testuser being set as Passw0rd1. 

    Note: The PATCH operation may be set as either add or replace with the same effect.

      

    3.3 Password update using HTTP PATCH with SCIM path attribute

     

    This password update method does not support the PATCH operation with the SCIM path attribute.
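    As an added example (not from this article or from IBM), the following Python builds the two supported bodies for method 3: the PUT form, which must list the isam Password extension URN in "schemas" alongside the core schema and carry the extension as a top-level object, and the PATCH form without a path. It refuses the path form, which section 3.3 states is not supported, and rejects an unchanged password before any request is made. The GET representation used as PUT input and the dropping of id and meta are assumptions.

```python
"""Payload builders for the ISVA 10.0.5.0 currentPassword/newPassword change (method 3).

Added example, not from the article or IBM. Assumes the extension URN and
attribute names shown in 3.1 and 3.2; the PUT builder takes a previously
fetched user so the full-replace semantics keep every other attribute.
"""
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PASSWORD_EXT = "urn:ietf:params:scim:schemas:extension:isam:1.0:Password"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _check(current_pw: str, new_pw: str) -> None:
    # Local sanity checks; the directory still enforces its own policy on the user bind.
    if not current_pw or not new_pw:
        raise ValueError("both currentPassword and newPassword are required")
    if current_pw == new_pw:
        raise ValueError("newPassword must differ from currentPassword")


def change_password_put(existing_user: dict, current_pw: str, new_pw: str) -> dict:
    """PUT body: the whole user plus the extension object, with the extension
    URN added to "schemas" (a common omission that makes the extension ignored)."""
    _check(current_pw, new_pw)
    body = {k: v for k, v in existing_user.items() if k not in ("id", "meta")}  # assumption
    schemas = list(body.get("schemas", [CORE_USER]))
    if PASSWORD_EXT not in schemas:
        schemas.append(PASSWORD_EXT)
    body["schemas"] = schemas
    body[PASSWORD_EXT] = {"currentPassword": current_pw, "newPassword": new_pw}
    return body


def change_password_patch(current_pw: str, new_pw: str, op: str = "replace",
                          with_path: bool = False) -> dict:
    """PATCH body in the no-path form of 3.2. The path form is not supported
    for this method (3.3), so asking for it is an error rather than a request."""
    _check(current_pw, new_pw)
    if with_path:
        raise ValueError("PATCH with a SCIM path is not supported for currentPassword/newPassword")
    if op not in ("add", "replace"):
        raise ValueError("op must be add or replace")
    return {
        "schemas": [PATCH_OP],
        "Operations": [{
            "op": op,
            "value": {PASSWORD_EXT: {"currentPassword": current_pw, "newPassword": new_pw}},
        }],
    }
```

    Either body is sent exactly as in 3.1 or 3.2, bound as the user whose password is changing; the basic-auth password and currentPassword are normally the same value, and a mismatch between them is one of the first things to check when the update is rejected.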

