IBM Verify

  • 1.  SCIM Support for operational attributes

    Posted Wed September 25, 2019 08:20 PM
    Hello,

    I use ISAM 9.0.7. Release notes of 9.0.6 state that SCIM will support LDAP operational attributes.

    I would like to read password attributes like pwdChangedTime, pwdReset of the LDAP user. We use basic users.

    Is this possible at all? If yes, how can I add this to the attribute mappings?

    Best regards,
    Juergen

    ------------------------------
    Jürgen Hitt
    ------------------------------


  • 2.  RE: SCIM Support for operational attributes

    Posted Thu October 10, 2019 09:20 AM

    Hello Juergen,

    This is possible, yes. To make these attributes appear in the drop-down options in attribute mappings, you first need to add them to the objectclass for the user.

    I have, in the past, achieved this on SDS, but I am not sure of your external LDAP, so I cannot recommend a method for adding these attributes. I personally added operational attributes to the 'inetOrgPerson' objectclass - this resulted in them being available to the SCIM attribute mapping.

    I hope that's helpful, otherwise feel free to reach out and we can continue to work on this to get it working for you.


    Regards,
    Matthew Britt



    ------------------------------
    Matthew Britt
    ------------------------------



  • 3.  RE: SCIM Support for operational attributes

    Posted Mon May 11, 2020 01:26 PM
    Is it also possible to write operational attributes like secPwdLastChanged?

    Changing the password using the SCIM REST interface does not update the secPwdLastChanged attribute, and if the Max Password Age policy is set I cannot log in with my brand new password because the account still shows as locked.


    Best Regards,
    Patrizio Spadavecchia

    ------------------------------
    Patrizio Spadavecchia
    ------------------------------



  • 4.  RE: SCIM Support for operational attributes

    Posted Wed May 13, 2020 12:46 PM
    Edited by Patrizio Wed May 13, 2020 12:47 PM
    An update on the topic:
    Initially I used the call described in the documentation, "Partially update to SCIM user", by changing the content of the password attribute, but as I said in the previous post, this is not a real password change.

    To get an effective password change you need to use this JSON payload:

    {
        "Operations": [
            {
                "op": "replace",
                "path": "urn:ietf:params:scim:schemas:extension:isam:1.0:User:password",
                "value": "NewPassword"
            }
        ],
        "schemas": [
            "urn:ietf:params:scim:schemas:extension:isam:1.0:PatchOp"
        ]
    }

    source: IBM Support

    regards

    ------------------------------
    Patrizio Spadavecchia
    ------------------------------