nevisIDM SCIM REST API (v1)
Introduction
The nevisIDM SCIM REST API enables you to query and manipulate the identity objects managed in nevisIDM using CRUD operations. CRUD stands for Creating, Reading, Updating and Deleting resources.
Relationships between two resources are mostly defined by containment.
The nevisIDM SCIM API also provides access to the properties of the different objects. Properties are dynamic parameters that contain additional, customer-specific information about an object.
Tags
New calls are annotated with the nevisIDM version from which they are available.
Calls that can no longer be used are marked with the DEPRECATED tag.
Common errors
HTTP response codes
The following common error codes are available:
- 401 - The caller user is unauthorized (not logged in).
- 403 - The caller user has no right to access the target data room or entity type.
- 404 - There is no entity with the external ID set in the request URI, that is, the requested entity could not be found.
- 409 - The request could not be completed due to a conflict with the current state of the target resource. For example, the target resource may have been modified concurrently.
- 422 - The request format is valid, but the values violate business rules. For example, a mandatory value is missing, a read-only value is changed, or a value represents an invalid state. This error code always refers to business errors.
- 500 - A technical, non-business-related error occurred on the server side.
Important notes
- The nevisIDM SCIM API is an individual API. Its versioning is independent from other APIs.
- You have to be logged in to nevisIDM to use the nevisIDM REST API, except for the specified meta endpoints.
- The data room concept is valid for this API (see the nevisIDM reference guide, chapter “Authorization in nevisIDM”). This means that you might receive different result sets and might be able to create or modify different resources than another caller, depending on the nevisIDM roles assigned to you.
- All data that goes through the REST API is validated on the server side before processing. It is important, however, that you validate the data on the client side as well.
SCIM REST Service
SCIM Error DTO
In addition to returning an HTTP response code, the SCIM server must return the errors in the response body in JSON format. The SCIM Error DTO has the following parameters:
- schemas - An array of strings containing URIs that indicate the namespaces of the SCIM schemas defining the attributes present in the current JSON structure (list, string).
- status - The HTTP status code (number).
- scimType - A SCIM detail error keyword (string). Available values: INVALID_FILTER, TOO_MANY, UNIQUENESS, MUTABILITY, INVALID_SYNTAX, INVALID_PATH, NO_TARGET, INVALID_VALUE, INVALID_VERS, SENSITIVE.
- detail - A detailed human-readable message (string).
Scim ScimListResponse DTO
SCIM defined list response. The SCIM ListResponse DTO has the following parameters:
- schemas - An array of strings containing URIs that indicate the namespaces of the SCIM schemas defining the attributes present in the current JSON structure (list, string).
- totalResults - Number of total results (number).
- itemsPerPage - Number of results in a single response. By default 10. Controlled by the ‘count’ request parameter (number).
- startIndex - Start index of the current result. By default 1. Controlled by the ‘startIndex’ request parameter (number).
- resources - Array of SCIM resources, for example an array of users (list).
Scim ScimBulkResponse DTO
SCIM defined complex to hold the SCIM bulk operations response. The ScimBulkResponse DTO has the following parameters:
- operations - List of operations performed (list).
  - method - HTTP method that indicates the operation that was performed (string, enum). Available values: POST, GET, DELETE
  - bulkId - Identifier of the single operation in the response (string, optional).
  - version - The current resource version, to support entity tags (ETags) (string, optional).
  - location - Resource URI to get the single SCIM resource (string, optional).
  - response - The HTTP response body for the specified request operation. Included with a response with an HTTP status other than a 200-series response (string, optional).
  - status - HTTP status that indicates the result status of the performed operation (number).
- meta - Meta information of the resource (object).
  - resourceType - The name of the resource type of the resource (string, optional).
  - created - The date and time that the resource was added to the service provider (string, optional).
  - lastModified - The most recent date and time that the details of this resource were updated at the service provider (string, optional).
  - location - The URI of the resource being returned (string, optional).
  - version - The version of the resource being returned (string, optional).
Scim ScimBulkRequest DTO
SCIM defined complex to hold the SCIM bulk operations request. The ScimBulkRequest DTO has the following parameters:
- schemas - An array of strings containing URIs that indicate the namespaces of the SCIM schemas defining the attributes present in the current JSON structure (list, string).
- failOnErrors - An integer specifying the number of errors that the service provider will accept before the operation is terminated and an error response is returned (number, optional).
- operations - List of operations to be performed (list).
  - method - HTTP method that indicates the operation to be performed (string, enum). Available values: POST, DELETE, GET
  - bulkId - Identifier used to identify the single operation in the response (string, optional).
  - version - The current resource version, to support entity tags (ETags) (string, optional).
  - path - SCIM resource path. Currently only one path is supported: /Users (string).
  - data - Resource data for the operation, for example in case of a POST operation the SCIM User instance to be created. Currently only the User resource is supported as input data (object, optional).
- meta - Meta information of the resource (object).
  - resourceType - The name of the resource type of the resource (string, optional).
  - created - The date and time that the resource was added to the service provider (string, optional).
  - lastModified - The most recent date and time that the details of this resource were updated at the service provider (string, optional).
  - location - The URI of the resource being returned (string, optional).
  - version - The version of the resource being returned (string, optional).
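The following Python is an added example, not code from the nevisIDM project: it assembles a ScimBulkRequest body that respects the constraints stated above (only the /Users path, only POST/DELETE/GET, data only for POST) and correlates each entry of a ScimBulkResponse with its request by bulkId, lifting scimType and detail from the SCIM Error DTO carried in `response` for failed operations. The schema URNs are the standard SCIM 2.0 ones (not shown on this page), and the sample response, its location URL and its error text are constructed.

```python
import json

# Constraints documented for ScimBulkRequest on this page: only the /Users path,
# only POST/DELETE/GET operations, and only the User resource as input data.
SUPPORTED_PATHS = {"/Users"}
SUPPORTED_METHODS = {"POST", "DELETE", "GET"}
# Standard SCIM 2.0 message URNs (RFC 7644); the page itself does not list them.
BULK_REQUEST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
BULK_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def build_bulk_request(operations, fail_on_errors=1):
    """Assemble a ScimBulkRequest body and reject operations the page marks unsupported.

    `operations` is a list of dicts with method, path, optional data, optional
    version and optional bulkId; a bulkId is generated when missing so every
    entry of the ScimBulkResponse can be tied back to its request.
    """
    ops = []
    for i, op in enumerate(operations):
        method, path = op["method"], op["path"]
        if method not in SUPPORTED_METHODS:
            raise ValueError(f"unsupported bulk method {method!r}")
        if path not in SUPPORTED_PATHS:
            raise ValueError(f"unsupported bulk path {path!r}")
        entry = {"method": method, "path": path, "bulkId": op.get("bulkId", f"op-{i}")}
        if method == "POST":
            entry["data"] = op["data"]        # the SCIM User instance to create
        if "version" in op:
            entry["version"] = op["version"]  # ETag for a conditional operation
        ops.append(entry)
    return {"schemas": [BULK_REQUEST_SCHEMA],
            "failOnErrors": fail_on_errors,
            "operations": ops}


def summarize_bulk_response(body):
    """Map each bulkId of a ScimBulkResponse to its outcome.

    A 2xx entry carries the location (and possibly version) of the resource; a
    non-2xx entry carries the SCIM Error DTO in `response`, typed as a string on
    this page, so it is decoded before scimType and detail are read.
    """
    outcome = {}
    for op in body["operations"]:
        status = int(op["status"])
        key = op.get("bulkId") or op.get("location")
        if 200 <= status < 300:
            outcome[key] = {"ok": True, "status": status,
                            "location": op.get("location"),
                            "version": op.get("version")}
        else:
            err = op.get("response") or {}
            if isinstance(err, str):
                err = json.loads(err)
            outcome[key] = {"ok": False, "status": status,
                            "scimType": err.get("scimType"),
                            "detail": err.get("detail")}
    return outcome


# Constructed sample response (not captured from a real nevisIDM): one user was
# created, the second was rejected because of a uniqueness conflict.
SAMPLE_BULK_RESPONSE = {
    "schemas": [BULK_RESPONSE_SCHEMA],
    "operations": [
        {"method": "POST", "bulkId": "op-0", "status": 201,
         "location": "https://idm.example.test/scim/v1/Users/USER-EXTID-PLACEHOLDER",
         "version": "W/\"1\""},
        {"method": "POST", "bulkId": "op-1", "status": 409,
         "response": json.dumps({"schemas": [ERROR_SCHEMA], "status": 409,
                                 "scimType": "UNIQUENESS",
                                 "detail": "a user with this external ID already exists"})},
    ],
}
```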
Scim ScimCredentialGeneric DTO
SCIM defined complex to hold IDM generic credentials. Defined for ScimUserExtension. The SCIM CredentialGeneric DTO has the following parameters:
- type - Type of the credential (string, enum). Value: GENERIC
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- properties - Name-value map of the credential’s custom properties (map<string, string>, optional).
- generic - Value of the generic credential (string).
Scim ScimCredentialPassword DTO
SCIM defined complex to hold IDM password credentials. Defined for ScimUserExtension. The SCIM CredentialPassword DTO has the following parameters:
- type - Type of the credential (string, enum). Value: PASSWORD
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- password - Hashed password value with a message digest algorithm prefix. The prefix must be a valid message digest algorithm and the content must be a base64-encoded byte array, where the extra bytes following the number of bytes required by the algorithm are used as salt. Without an algorithm prefix, the value is treated as plain text and is hashed with the default password hashing algorithm (SSHA256). SSHA is an alias for SHA and SSHA256 is an alias for SHA-256 (string).
Scim ScimCredentialOTP DTO
SCIM defined complex to hold IDM OTP credentials. Defined for ScimUserExtension. The SCIM CredentialOTP DTO has the following parameters:
- type - Type of the credential (string, enum). Value: OTP
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- otp - Indexed table of small passwords (string).
Scim ScimCredentialContextPassword DTO
SCIM defined complex to hold IDM context password credentials. Defined for ScimUserExtension. The SCIM CredentialContextPassword DTO has the following parameters:
- type - Type of the credential (string, enum). Value: CONTEXTPASSWORD
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- password - Hashed password value with a message digest algorithm prefix. The prefix must be a valid message digest algorithm and the content must be a base64-encoded byte array, where the extra bytes following the number of bytes required by the algorithm are used as salt. Without an algorithm prefix, the value is treated as plain text and is hashed with the default password hashing algorithm (SSHA256). SSHA is an alias for SHA and SSHA256 is an alias for SHA-256 (string).
- context - To log in with a context password, the user must supply the context, which uniquely determines the context password to use.
Scim ScimCredentialTicket DTO
SCIM defined complex to hold IDM ticket credentials. Defined for ScimUserExtension. The SCIM CredentialTicket DTO has the following parameters:
- type - Type of the credential (string, enum). Value: TICKET
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- ticket - Hashed ticket value with a message digest algorithm prefix (string).
Scim ScimCredentialMTan DTO
SCIM defined complex to hold IDM mTAN credentials. Defined for ScimUserExtension. The SCIM CredentialMTan DTO has the following parameters:
- type - Type of the credential (string, enum). Value: MTAN
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- context - Mobile number in raw or E164 format (string). Example: raw 06401234567, E164 +41401234567
Scim ScimCredentialRecoveryCode DTO
SCIM defined complex to hold IDM recovery code credentials. Defined for ScimUserExtension. The SCIM CredentialRecoveryCode DTO has the following parameters:
- type - Type of the credential (string, enum). Value: RECOVERY_CODE
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- codes - Array of recovery codes, each with a date of use (list).
  - usageDate - Date of use. The value is null if the code has not been used (string).
  - code - Recovery code: a random string of 16 upper- or lower-case ASCII letters or digits, separated by dashes (string). Example: Az09-Az09-Az09-Az09
Scim ScimCredentialTempStrongPassword DTO
SCIM defined complex to hold IDM temporary strong password credentials. Defined for ScimUserExtension. The SCIM CredentialTempStrongPassword DTO has the following parameters:
- type - Type of the credential (string, enum). Value: TEMPSTRONGPASSWORD
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- tempStrongPassword - Hashed password value with a message digest algorithm prefix. The prefix must be a valid message digest algorithm and the content must be a base64-encoded byte array, where the extra bytes following the number of bytes required by the algorithm are used as salt. Without an algorithm prefix, the value is treated as plain text and is hashed with the default password hashing algorithm (SSHA256). SSHA is an alias for SHA and SSHA256 is an alias for SHA-256. This password is only valid for a single login operation. It could therefore also be described as a one-time password credential, which is considered an exceptionally strong authentication method (string).
Scim ScimCredentialSafeWordUser DTO
SCIM defined complex to hold IDM safe word user credentials. Defined for ScimUserExtension. The SCIM CredentialSafeWordUser DTO has the following parameters:
- type - Type of the credential (string, enum). Value: SAFEWORDUSER
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- username - The content of the safe word credential (string).
Scim ScimCredentialSecurId DTO
SCIM defined complex to hold IDM SecurID credentials. Defined for ScimUserExtension. The SCIM CredentialSecurId DTO has the following parameters:
- type - Type of the credential (string, enum). Value: SECURID
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- username - The SecurID username (string).
Scim ScimCredentialPuk DTO
SCIM defined complex to hold IDM PUK credentials. Defined for ScimUserExtension. The SCIM CredentialPuk DTO has the following parameters:
- type - Type of the credential (string, enum). Value: PUK
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- puk - Hashed ticket value with a message digest algorithm prefix. Without an algorithm prefix, the value is treated as plain text and is hashed with the default hashing algorithm (SSHA256). SSHA is an alias for SHA and SSHA256 is an alias for SHA-256 (string).
Scim ScimCredentialCertInfo DTO
SCIM defined complex to hold IDM certificate credentials. Defined for ScimUserExtension. The SCIM CredentialCertInfo DTO has the following parameters:
- type - Type of the credential (string, enum). Value: CERTIFICATE
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- properties - Name-value map of the credential’s custom properties (map<string, string>, optional).
- certificate - The certificate value of the credential (string). Example: -----BEGIN CERTIFICATE----- MIIFSDCCBDCg........................................ -----END CERTIFICATE-----
- subjectDN - DN of the subject (string, optional). Example: CN=www.getCertificateSUBJECT_DN.com
- issuerDN - DN of the issuer (string, optional). Example: CN=www.getCertificateISSUER_DN.com
- fingerprint - Fingerprint of the certificate in hex-byte colon notation (string, optional). Example: 42:2D:4D:16:47:C5:FC:46:8F:1D:97:3E:DB:8B:4B:60:56:F1:D7:A7
- serial - Serial number (string, optional). Example: 12944643904094573006
- subjectKeyIdentifier - The subject key identifier extension stored in the certificate credential (string, optional). Example: 1178e0b26a1f4df8c706c51437157cce56f80316
Scim ScimCredentialFido2 DTO
SCIM defined complex to hold IDM FIDO2 credentials. Defined for ScimUserExtension. The SCIM CredentialFido2 DTO has the following parameters:
- type - Type of the credential (string, enum). Value: FIDO2
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- aaguid - A 128-bit identifier indicating the type (e.g. make and model) of the authenticator (string).
- attestationConveyancePreference - The server’s preference on how it would like to verify the attestations of the authenticators (string).
- authenticator - CBOR-serialized authenticator object (string).
- authenticatorAttachment - Defines how the authenticator is accessed by the WebAuthn client, i.e. where the authenticator is located (string, optional).
- hashedFido2CredentialId - The hashed credential ID generated by the authenticator. It may contain the encrypted private key of the client (string).
- rpId - Domain name of the Relying Party (string).
- residentKeyRequirement - Whether the server is willing to accept resident keys (i.e. whether storing the WebAuthn private key encrypted on the server side is acceptable or not) (string).
- userAgent - User agent used by the AuthCloud team, no FIDO2 relation (string).
- userFriendlyName - The technical process by which an authenticator locally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations (i.e. grants access for the user to proceed with the WebAuthn flows) (string).
- userVerificationRequirement - The technical process by which an authenticator locally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations (i.e. grants access for the user to proceed with the WebAuthn flows) (string).
Scim ScimCredentialFidoUaf DTO
SCIM defined complex to hold IDM FIDO UAF credentials. Defined for ScimUserExtension. The SCIM CredentialFidoUaf DTO has the following parameters:
- type - Type of the credential (string, enum). Value: FIDO_UAF
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- aaid - The authenticator attestation identifier. The aaid is a unique identifier assigned to a model, class or batch of FIDO authenticators that all share the same characteristics. Has to match the regex ^[0-9a-fA-F]{4}#[0-9a-fA-F]{4}$ (string). Example: aaaa#a26c
- keyId - The key identifier of the authenticator’s registered key (string).
- deviceId - The device identifier obtained from a push service, which sends push messages to this specific device (string, optional).
- signCounter - Indicates how many times this authenticator has performed signatures in the past (integer, optional).
- authenticatorVersion - The version of the authenticator (integer).
- appId - OS-specific ID of the application that uses the FIDO credential (string).
- publicKeyAlgorithm - Public key algorithm used for the public key in the authenticator record. You need this information in order to know how to decode the key later on (string).
- publicKey - The user authentication public key generated by the FIDO authenticator during the registration process. The key is stored in the credential attribute value (string).
Scim ScimCredentialKerberos DTO
SCIM defined complex to hold IDM Kerberos credentials. Defined for ScimUserExtension. The SCIM CredentialKerberos DTO has the following parameters:
- type - Type of the credential (string, enum). Value: KERBEROS
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- kerberosId - Identifier of the credential (string).
Scim ScimCredentialVasco DTO
SCIM defined complex to hold IDM Vasco credentials. Defined for ScimUserExtension. The SCIM CredentialVasco DTO has the following parameters:
- type - Type of the credential (string, enum). Value: VASCO
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- tokens - Array of Vasco Digipass tokens, each with its authentication mode (list).
  - authMode - The authentication use case the data block is used for (string).
  - data - The Vasco Digipass data block (string).
Scim ScimCredentialSAMLFederation DTO
SCIM defined complex to hold IDM SAML federation credentials. Defined for ScimUserExtension. The SCIM SamlFederation DTO has the following parameters:
- type - Type of the credential (string, enum). Value: SAMLFEDERATION
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- subjectNameId - Identifies the subject of the SAML assertion (generally the user to be authenticated).
- subjectNameIdFormat - Aligns the expectations between the identity provider and the service provider on the user identity that is communicated.
- issuerNameId - Identifies the issuer of the SAML assertion.
- issuerNameIdFormat - Aligns the expectations between the identity provider and the service provider on the user identity that is communicated.
- properties - Name-value map of the credential’s custom properties (map<string, string>, optional).
- credentialValue - Hashed identification value with an optional message digest algorithm prefix. Without an algorithm prefix, the value is used as plain text input for the default password hashing algorithm. SSHA is an alias for SHA-1 and SSHA256 is an alias for SHA-256 (string).
Scim ScimCredentialUrlTicket DTO
SCIM defined complex to hold IDM URL ticket credentials. Defined for ScimUserExtension. The SCIM CredentialUrlTicket DTO has the following parameters:
- type - Type of the credential (string, enum). Value: URLTICKET
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- identification - Hashed identification value with a message digest algorithm prefix. The prefix must be a valid message digest algorithm and the content must be a base64-encoded byte array, where the extra bytes following the number of bytes required by the algorithm are used as salt. Without an algorithm prefix, the value is treated as plain text and is hashed with the default password hashing algorithm (SSHA256). SSHA is an alias for SHA and SSHA256 is an alias for SHA-256 (string).
Scim ScimCredentialMobileSignature DTO
SCIM defined complex to hold IDM mobile signature credentials. Defined for ScimUserExtension. The SCIM CredentialMobileSignature DTO has the following parameters:
- type - Type of the credential (string, enum). Value: MOBILESIGNATURE
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- properties - Name-value map of the credential’s custom properties (map<string, string>, optional).
- identificator - MSSP-specific identifier of the mobile signature credential (string).
- msspIdentifier - URI-based identifier of the MSSP (string).
- signerCert - X.509 signer certificate in PEM format (string, optional).
- msisdn - Calling number of the mobile device according to the ETSI standard (string).
Scim ScimCredentialDevicePassword DTO
SCIM defined complex to hold IDM device password credentials. Defined for ScimUserExtension. The SCIM CredentialDevicePassword DTO has the following parameters:
- type - Type of the credential (string, enum). Value: DEVICEPASSWORD
- extId - External identifier for the credential. Must be unique (string).
- name - Name attribute of the credential (string, optional).
- state - An enum value indicating the credential’s administrative status (enum). Available values: INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
- validFrom - Validity starting timestamp for the credential (string).
- validTo - Validity ending timestamp for the credential (string).
- policyExtId - The external ID of the used policy. The default policy is set if it is null (string, optional).
- devicepassword - Hashed password value with a message digest algorithm prefix. The prefix must be a valid message digest algorithm and the content must be a base64-encoded byte array, where the extra bytes following the number of bytes required by the algorithm are used as salt. Without an algorithm prefix, the value is treated as plain text and is hashed with the default password hashing algorithm (SSHA256). SSHA is an alias for SHA and SSHA256 is an alias for SHA-256 (string).
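The salted-hash value format described for password, tempStrongPassword, puk, identification, devicepassword and credentialValue above, as an added Python example that is not part of the nevisIDM documentation or product. It writes the algorithm prefix in braces ({SSHA256}), appends the salt to the secret before hashing and stores base64(digest || salt), the way LDAP salted hashes do; the brace syntax and the position of the salt in the hash input are assumptions, since the page states only that the bytes following the digest are the salt.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Prefixes named on this page: SSHA is an alias for SHA (SHA-1), SSHA256 for SHA-256.
ALGORITHMS = {"SSHA": "sha1", "SHA": "sha1", "SSHA256": "sha256", "SHA-256": "sha256"}
DEFAULT_ALGORITHM = "SSHA256"  # applied by the server when a value carries no prefix


def hash_credential(plain: str, algorithm: str = DEFAULT_ALGORITHM,
                    salt: Optional[bytes] = None) -> str:
    """Return "{ALG}" + base64(digest || salt) for a plain-text secret.

    Assumptions (not stated on the page): the prefix is written in braces, and
    the salt is appended to the secret before hashing, as in LDAP salted hashes.
    """
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown message digest algorithm prefix: {algorithm}")
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(ALGORITHMS[algorithm], plain.encode("utf-8") + salt).digest()
    return "{%s}%s" % (algorithm, base64.b64encode(digest + salt).decode("ascii"))


def parse_credential(value: str) -> Tuple[Optional[str], Optional[bytes], Optional[bytes]]:
    """Split a prefixed value into (algorithm, digest, salt).

    The digest occupies exactly the number of bytes the algorithm produces;
    whatever follows is the salt. A value without a prefix is plain text and
    yields (None, None, None).
    """
    if not value.startswith("{") or "}" not in value:
        return None, None, None
    end = value.index("}")
    algorithm = value[1:end]
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown message digest algorithm prefix: {algorithm}")
    raw = base64.b64decode(value[end + 1:], validate=True)
    size = hashlib.new(ALGORITHMS[algorithm]).digest_size
    if len(raw) < size:
        raise ValueError("encoded value is shorter than the digest size")
    return algorithm, raw[:size], raw[size:]


def normalize_credential(value: str) -> str:
    """Mirror the server rule: an unprefixed value is plain text and gets hashed
    with the default algorithm, a prefixed value is kept as it is."""
    return value if parse_credential(value)[0] else hash_credential(value)


def verify_credential(plain: str, value: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, digest, salt = parse_credential(value)
    if algorithm is None:
        raise ValueError("value carries no algorithm prefix; normalize it first")
    expected = hashlib.new(ALGORITHMS[algorithm], plain.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)
```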
Scim ScimCredentialOath DTO
SCIM defined complex to hold IDM oath credentials. Defined for ScimUserExtension. The SCIM CredentialOath DTO has the following parameters:
-
type - Type of the credential (string, enum).
OATH
-
extId - External identifier for the credential. Must be unique (string).
-
name - Name attribute of the credential (string, optional).
-
state - An Enum value indicating the Credential’s administrative status (enum). Available values:
INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
-
validFrom - Validity starting timestamp for the credential (string).
-
validTo - Validity ending timestamp for the credential (string).
-
policyExtId - The external ID of the used policy. The default policy will be set if it is null (string, optional).
-
hashingAlgorithmId - The ID of the OATH hashing algorithm to use. Possible options: 1 (SHA1), 2 (SHA256), 3 (SHA512) (long).
-
digits - The length of the generated token. Possible options: 6, 7, 8 (integer).
-
authenticationMethodId - The ID of the OATH authentication method to use. Possible options: 1 (HOTP), 2 (TOTP) (long).
-
period - The time window in seconds for which a TOTP token is valid (long).
-
counter - The counter for HOTP tokens. It is increased on each successful authentication (long).
-
timeDrift - Detected clock drift for the token in terms of the number of time steps. (long, optional).
-
isShared - Flag to make sure the credential is only shared once. (boolean).
-
secret - The secret that is required to initialize the mobile application. (string).
-
context - Context of the credential. This is used as a label for the credential. (string).
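To make the OATH fields concrete, here is an added example (not nevisIDM code) that evaluates a ScimCredentialOath-shaped record the way a verifier would: hashingAlgorithmId and digits select the HMAC and truncation of RFC 4226, authenticationMethodId chooses between the stored counter (HOTP) and the current time step divided by period (TOTP), timeDrift shifts the expected step, and a successful check advances counter or records the newly observed drift, so the same code cannot be replayed. The secret is passed as raw key bytes; the page does not say how the secret string is encoded (base32 is common), so that decoding step is left to the caller.

```python
import hashlib
import hmac
import struct
import time

# Enumerations exactly as the ScimCredentialOath DTO encodes them.
HASHING_ALGORITHMS = {1: "sha1", 2: "sha256", 3: "sha512"}   # hashingAlgorithmId
HOTP, TOTP = 1, 2                                            # authenticationMethodId


def hotp(secret, counter, digits=6, alg="sha1"):
    """RFC 4226 HOTP; RFC 6238 TOTP reuses it with the time step as counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), alg).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def expected_counter(cred, now=None):
    """Counter the server expects next: the stored counter for HOTP, or the
    current time step corrected by the stored timeDrift for TOTP."""
    if cred["authenticationMethodId"] == HOTP:
        return cred["counter"]
    now = time.time() if now is None else now
    return int(now // cred["period"]) + (cred.get("timeDrift") or 0)


def otp_for_credential(cred, secret, now=None):
    """The single code the credential currently expects."""
    alg = HASHING_ALGORITHMS[cred["hashingAlgorithmId"]]
    return hotp(secret, expected_counter(cred, now), cred["digits"], alg)


def verify_oath(cred, secret, code, now=None, window=1):
    """Check a submitted code; return the updated credential dict or None.

    HOTP: accept counter..counter+window (look-ahead for skipped codes) and
    move the stored counter past the matched value.
    TOTP: accept the expected step +/- window and fold the matched offset
    into timeDrift, as the DTO describes that field.
    """
    alg = HASHING_ALGORITHMS[cred["hashingAlgorithmId"]]
    digits = cred["digits"]
    base = expected_counter(cred, now)
    low = base if cred["authenticationMethodId"] == HOTP else base - window
    for candidate in range(low, base + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits, alg), code):
            updated = dict(cred)
            if cred["authenticationMethodId"] == HOTP:
                updated["counter"] = candidate + 1
            else:
                updated["timeDrift"] = (cred.get("timeDrift") or 0) + (candidate - base)
            return updated
    return None


if __name__ == "__main__":
    # Constructed credential using the RFC 4226 test key, not a real secret.
    secret = b"12345678901234567890"
    cred = {"hashingAlgorithmId": 1, "digits": 6, "authenticationMethodId": HOTP,
            "period": 30, "counter": 0}
    code = otp_for_credential(cred, secret)
    cred = verify_oath(cred, secret, code)
    print("accepted, counter now", cred["counter"])
    print("replay accepted:", verify_oath(cred, secret, code) is not None)
```

The look-ahead window is the usual trade-off: too small and a user who generated a few unused codes is locked out, too large and an attacker gets proportionally more valid codes per guess. Whatever window you choose, the stored counter must only ever move forward.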
Scim ScimCredentialSecurityQuestion DTO
SCIM defined complex to hold IDM SecurityQuestion credentials. Defined for ScimUserExtension. The SCIM CredentialSecurityQuestion DTO has the following parameters:
-
type - Type of the credential (string, enum).
SECURITYQUESTIONS
-
extId - External identifier for the credential. Must be unique (string).
-
name - Name attribute of the credential (string, optional).
-
state - An Enum value indicating the Credential’s administrative status (enum). Available values:
INITIAL, ACTIVE, TMP_LOCKED, FAIL_LOCKED, RESET_CODE, ADMIN_CHANGED, DISABLED, ARCHIVED
-
validFrom - Validity starting timestamp for the credential (string).
-
validTo - Validity ending timestamp for the credential (string).
-
policyExtId - The external ID of the used policy. The default policy will be set if it is null (string, optional).
-
properties - Name value pairs map of Credential’s custom properties (map<string, string>, optional).
-
personalAnswers - Array of personal answers (list).
- personalAnswer:
- content - Symmetrically encrypted answer of the user (string).
- revealCount - Number of times the answer has been revealed to an admin. It gets a default value of ‘0’ during credential creation (readonly integer, optional).
- successCount - Number of times the answer has been verified. It gets a default value of ‘0’ during credential creation (readonly integer, optional).
- failureCount - Number of times the security question was answered incorrectly. It gets a default value of ‘0’ during credential creation (readonly integer, optional).
- personalQuestionExtId - External identifier of the answer’s question (string).
Scim ScimUser DTO with IDM extension
SCIM provides a resource type for “User” resources. The SCIM User DTO with IDM’s UserExtension has the following parameters:
-
schemas - An array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure (list, string).
-
userName - Unique identifier for the User for the actual customer. This is mapped to the loginId property of User (string).
-
name - The components of the user’s name complex type. This is mapped to name, firstName, remarks… properties of User (object).
- formatted - The full name, including all middle names, titles, and suffixes. This is not mapped for input, just generated for output. (string, optional).
- familyName - The family name of the User, or Last Name in most Western languages. This is mapped to name property of User (string, optional).
- givenName - The given name of the User, or First Name in most Western languages. This is mapped to firstName attribute of User (string, optional).
- middleName - The middle name(s) of the User. This is not mapped to any property of User, yet (string, optional).
- honorificPrefix - The honorific prefix(es) of the User, or Title in most Western languages. This is mapped to title property of User (string, optional).
-
displayName - The name of the User, suitable for display to end-users. This is generated like name.formatted. If empty the userName will be returned (string, optional).
-
preferredLanguage - Indicates the User’s preferred written or spoken language. This is mapped to languageId property of User (string, optional)
-
locale - Used to indicate the User’s default location for purposes of localizing items such as currency, date time format, numerical representations, etc. This is mapped to locality property of User (string, optional).
-
active - A Boolean value indicating the User’s administrative status. This is mapped to the status property of User (boolean).
-
emails - E-mail addresses for the user. The IDM can accept only one email address. By default the email address is mandatory and must be unique. This is mapped to the email and uniqueEmail properties of User (list).
-
phoneNumbers - Phone numbers for the User. The IDM can accept three kinds of phone numbers. Indicate the type as ‘telephone’, ‘telefax’ or ‘mobile’. The values are mapped to the User properties named by the type attribute (list, optional).
-
addresses - Physical mailing addresses for this User. The IDM can accept only one address. This is mapped to the country, city, postalcode, addressline2 and addressline1 properties of User (list).
- formatted - The full mailing address, formatted for display or for a label. This is not mapped for input, just generated for output (string, optional).
- streetAddress - The full street address component. This part is mapped to the addressline1 and addressline2 properties of User, separated by a new line character (only one supported) (string, optional).
- locality - The city or locality component. This part is mapped to the city property of User (string, optional).
- region - The state or region component. This part is not mapped to any property of User, yet (string, optional).
- postalCode - The zipcode or postal code component. This part is mapped to the postalcode property of User (string, optional).
- country - The country name component. This part is mapped to the country property of User (string, optional).
- type - A label indicating the attribute’s function, e.g. work or home. This part is not mapped to any property of User, yet (string, optional).
- primary - A Boolean value indicating the ‘primary’ or preferred address. This part is not mapped to any property of User, yet (boolean, optional).
-
urn:nevis:idm:scim:schemas:v1:extension:User - SCIM User IDM extension for properties in IDM “User” that has not been covered by the ScimUser (object).
- remarks - Description for the user (string, optional).
- sex - Gender of the user (string, optional).
- birthDate - Birthdate of the user (string, optional).
- validFrom - Validity starting timestamp can be defined for the user (string, optional).
- validTo - Validity ending timestamp can be defined for the user (string, optional).
- technical - Indicates if it the user is technical or not (boolean).
- street - Street name of user’s address (string, optional).
- houseNumber - House number of user’s address (string, optional).
- dwellingNumber - Property unit number of user’s address (string, optional).
- postOfficeBoxText - Post office box text of user’s address (string, optional).
- postOfficeBoxNumber - Post office box number of user’s address (string, optional).
- templateCollectionName - Name of template collection assigned to the user (string, optional).
- properties - Name value pairs map of User’s custom properties (map<string, string>, optional).
- loginInfo - Login information about the user (object, optional).
- lastLogin - Timestamp of last login of user (string, optional).
- lastFailure - Timestamp of last login failure of user (string, optional).
- credentials - List of credentials assigned to the user (list).
- profiles - List of assigned profiles to the user. At least one is mandatory (list).
- state - An Enum value indicating the Profile’s administrative status (enum).
ACTIVE
,DISABLED
,ARCHIVED
- name - Name of the profile (string).
- remarks - Description for the profile (string, optional).
- extId - External identifier for the profile. Must be unique (string).
- defaultProfile - Indicates whether this is the default profile of the user. Exactly one profile must be true (boolean).
- validFrom - Validity starting timestamp can be defined for the profile (string, optional).
- validTo - Validity ending timestamp can be defined for the profile (string, optional).
- deputedProfileExtId - External identifier of deputed profile if exists (string, optional).
- unitExtId - External identifier of the unit, belonging to the client, that the profile refers to. By default the configured default unit of the client is used (string, optional).
- properties - Name value pairs map of Profile’s custom properties (map<string, string>, optional).
- idmAuthorizations - IDM role assignments for the profile (list).
- authorizedForAllUnits - The user is authorized to manage all units in the system (boolean).
- authorizedForAllApplications - The user is authorized to manage all applications in the system (boolean).
- authorizedForAllEnterpriseRoles - The user is authorized to manage all enterprise roles in the system (boolean).
- authorizedClientExtIds - The user is authorized to manage the selected clients in case the all-clients flag is false (list<string>, optional).
- authorizedApplicationExtIds - The user is authorized to manage the selected applications in case the all-applications flag is false (list<string>, optional).
- authorizedUnitExtIdSetForClients - The user is authorized to manage the selected client:units associations in case the all-units flag is false (map<string, list<string>>, optional).
- authorizedEnterpriseRoleExtIdSetForClients - The user is authorized to manage the selected client:enterprise-roles associations in case the all-roles flag is false (map<string, list<string>>, optional).
- appAuthorizations - Application role assignments for the profile (list).
- authorizedForAllUnits - The user is authorized to manage all units in the system (boolean).
- authorizedForAllApplications - The user is authorized to manage all applications in the system (boolean).
- authorizedForAllEnterpriseRoles - The user is authorized to manage all enterprise roles in the system (boolean).
- authorizedClientExtIds - The user is authorized to manage the selected clients in case the all-clients flag is false (list<string>, optional).
- authorizedApplicationExtIds - The user is authorized to manage the selected applications in case the all-applications flag is false (list<string>, optional).
- authorizedUnitExtIdSetForClients - The user is authorized to manage the selected client:units associations in case the all-units flag is false (map<string, list<string>>, optional).
- authorizedEnterpriseRoleExtIdSetForClients - The user is authorized to manage the selected client:enterprise-roles associations in case the all-roles flag is false (map<string, list<string>>, optional).
- enterpriseAuthorizations - Enterprise role assignments for the profile (list).
- authorizedForAllUnits - The user is authorized to manage all units in the system (boolean).
- authorizedForAllApplications - The user is authorized to manage all applications in the system (boolean).
- authorizedForAllEnterpriseRoles - The user is authorized to manage all enterprise roles in the system (boolean).
- authorizedClientExtIds - The user is authorized to manage the selected clients in case the all-clients flag is false (list<string>, optional).
- authorizedApplicationExtIds - The user is authorized to manage the selected applications in case the all-applications flag is false (list<string>, optional).
- authorizedUnitExtIdSetForClients - The user is authorized to manage the selected client:units associations in case the all-units flag is false (map<string, list<string>>, optional).
- authorizedEnterpriseRoleExtIdSetForClients - The user is authorized to manage the selected client:enterprise-roles associations in case the all-roles flag is false (map<string, list<string>>, optional).
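The all-* flags on an authorization are the widest grants the model has: an active profile carrying authorizedForAllClients, authorizedForAllUnits, authorizedForAllApplications or authorizedForAllEnterpriseRoles is not limited by any ExtId list at all. Reviewing them is a natural least-privilege check to run over the user list this API returns. The following is an added example, not part of the nevisIDM documentation or product, that walks a ListResponse and reports every authorization on an active profile that sets one of those flags; the embedded sample is constructed by trimming the bootstrap and tesla responses shown further down this page.

```python
import json

EXT = "urn:nevis:idm:scim:schemas:v1:extension:User"
AUTH_KINDS = ("idmAuthorizations", "appAuthorizations", "enterpriseAuthorizations")
BROAD_FLAGS = ("authorizedForAllClients", "authorizedForAllUnits",
               "authorizedForAllApplications", "authorizedForAllEnterpriseRoles")


def profile_is_active(profile):
    # Responses on this page carry either "active": true or "state": "ACTIVE".
    return profile.get("state") == "ACTIVE" or profile.get("active") is True


def broad_authorizations(user):
    """One finding per authorization on an active profile that sets any all-* flag."""
    findings = []
    for profile in user.get(EXT, {}).get("profiles", []):
        if not profile_is_active(profile):
            continue  # disabled or archived profiles grant nothing
        for kind in AUTH_KINDS:
            for auth in profile.get(kind, []):
                flags = [f for f in BROAD_FLAGS if auth.get(f) is True]
                if flags:
                    findings.append({
                        "userName": user.get("userName"),
                        "profileExtId": profile.get("extId"),
                        "kind": kind,
                        "roleExtId": auth.get("roleExtId"),
                        "flags": flags,
                    })
    return findings


def audit_list_response(list_response):
    """Run broad_authorizations over every resource of a ListResponse.

    The page spells the array "resources"; RFC 7644 spells it "Resources",
    so both are accepted."""
    resources = list_response.get("resources") or list_response.get("Resources") or []
    findings = []
    for user in resources:
        findings.extend(broad_authorizations(user))
    return findings


# Constructed sample, trimmed from the bootstrap and tesla responses on this page.
SAMPLE_LIST_RESPONSE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 2, "itemsPerPage": 10, "startIndex": 1,
  "resources": [
    {"userName": "bootstrap", "active": true,
     "urn:nevis:idm:scim:schemas:v1:extension:User": {"technical": false, "profiles": [
       {"state": "ACTIVE", "extId": "100", "defaultProfile": true, "idmAuthorizations": [
         {"extId": "100", "roleExtId": "1", "authorizedForAllClients": true, "authorizedForAllUnits": true,
          "authorizedForAllApplications": true, "authorizedForAllEnterpriseRoles": true},
         {"extId": "105", "roleExtId": "30", "authorizedForAllClients": true, "authorizedForAllUnits": true,
          "authorizedForAllApplications": true, "authorizedForAllEnterpriseRoles": true}]}]}},
    {"userName": "tesla", "active": true,
     "urn:nevis:idm:scim:schemas:v1:extension:User": {"technical": false, "profiles": [
       {"active": true, "extId": "2000001376", "defaultProfile": true, "idmAuthorizations": [
         {"extId": "260002344", "roleExtId": "1", "authorizedForAllClients": false, "authorizedForAllUnits": false,
          "authorizedForAllApplications": false, "authorizedForAllEnterpriseRoles": false}]}]}}
  ]
}
""")


if __name__ == "__main__":
    for f in audit_list_response(SAMPLE_LIST_RESPONSE):
        print("%s: profile %s %s role %s sets %s" % (
            f["userName"], f["profileExtId"], f["kind"], f["roleExtId"], ", ".join(f["flags"])))
```

Run it against each page of GET /{clientExtId}/Users (paging with startIndex and count) and the output is the list of accounts whose authorizations should be justified explicitly. In the sample, only the bootstrap user is reported, on both of its role assignments; the generated profile of tesla has every flag false and is therefore scoped by ExtId lists only.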
Scim Search Post DTO with IDM extension
Complex data structure used to invoke an HTTP POST search request. The SCIM SearchRequest DTO has the following parameters:
-
attributes - A multi-valued list of strings indicating the names of resource attributes to return in the response, overriding the set of attributes that would be returned by default (list, optional).
-
excludedAttributes - A multi-valued list of strings indicating the names of resource attributes to be removed from the default set of attributes to return (list, optional).
-
filter - The filter string used to request a subset of resources (string, optional).
-
sortBy - A string indicating the attribute whose value be used to order the returned responses (string, optional).
-
sortOrder - Sort order of the attribute selected in the sortBy parameter. An empty value means the default ascending sort order (string, optional). Available values:
ascending, descending
-
startIndex - An integer indicating the 1-based index of the first query result (number, optional).
-
count - An integer indicating the desired maximum number of query results per page (number, optional).
-
bulkImportFormat - If true, the output is a ScimBulkRequest with create operations instead of the ScimListResponse the standard defines. This optional parameter defaults to false (boolean, optional).
Scim User
Retrieve User
GET /{clientExtId}/Users/{userId}
Retrieves the user with the specified ID from the client with the given external ID.
Required permissions
AccessControl.UserView, AccessControl.PropertyView, AccessControl.PropertyValueView, AccessControl.PropertyAllowedValueView, AccessControl.CredentialView, AccessControl.ProfileView
Example URI
- clientExtId (string, required) - ExtID of the client. Example: 1000
- userId (string, required) - ID of the user. Example: 1234
Headers
Content-Type: application/json or application/scim+json
200
Headers
Content-Type: application/json or application/scim+json
Body
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:nevis:idm:scim:schemas:v1:extension:User"
],
"id": "100",
"externalId": "100",
"meta": {
"resourceType": "User",
"created": "2022-05-03T11:17:07.000",
"lastModified": "2022-05-03T11:17:07.000",
"location": "http://localhost:8080/nevisidm/api/scim/v1/100/Users/100",
"version": "v1"
},
"userName": "bootstrap",
"name": {
"formatted": "Boot Strap",
"familyName": "Strap",
"givenName": "Boot",
"honorificPrefix": "Mr."
},
"displayName": "Boot Strap",
"preferredLanguage": "en",
"active": true,
"emails": [
{
"value": "bootstrap@adnovum.ch",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "0444444444",
"type": "telephone",
"primary": true
}
],
"urn:nevis:idm:scim:schemas:v1:extension:User": {
"remarks": "Initial user for bootstrapping",
"technical": false,
"templateCollectionName": "Default",
"credentials": [
{
"extId": "100",
"type": "PASSWORD",
"active": true,
"validFrom": "2022-05-03T11:17:07.000Z",
"validTo": "2029-12-31T23:00:00.000Z",
"password": "{SSHA}OfA52lp84tj5nS6+awPTTgcuY1FF6PdtbxNo/Mry"
}
],
"profiles": [
{
"active": true,
"name": "BootstrapProfile",
"remarks": "Initial profile for bootstrapping",
"extId": "100",
"defaultProfile": true,
"unitExtId": "100",
"idmAuthorizations": [
{
"extId": "100",
"roleExtId": "1",
"authorizedForAllClients": true,
"authorizedForAllUnits": true,
"authorizedForAllApplications": true,
"authorizedForAllEnterpriseRoles": true
},
{
"extId": "105",
"roleExtId": "30",
"authorizedForAllClients": true,
"authorizedForAllUnits": true,
"authorizedForAllApplications": true,
"authorizedForAllEnterpriseRoles": true
}
]
}
],
"loginInfo": {
"lastLogin": "1999-12-31T23:00:00.000Z"
}
}
}
Delete User
DELETE /{clientExtId}/Users/{userId}
Deletes the user with the specified ID from the client with the given external ID.
Required permissions
AccessControl.UserDelete, AccessControl.UserDeleteTechUser (for deleting technical users only)
Example URI
- clientExtId (string, required) - ExtID of the client. Example: 1000
- userId (string, required) - ID of the user. Example: 1234
Headers
Content-Type: application/json or application/scim+json
204
Scim Users
List all Users
GET /{clientExtId}/Users
Retrieves all users from the client with the given external ID.
The returned result is pageable with the startIndex and count query parameters.
The list is filterable with the following query parameters, which work like the fields of the Scim Search Post DTO:
-
attributes
-
excludedAttributes
-
filter
-
sortBy
-
sortOrder
-
startIndex
-
count
-
bulkImportFormat
Note
Use + or %20 in place of the space character when filtering on properties with spaces in their names (RFC 1738).
Use %2B in place of the + character when filtering on attributes that hold mobile numbers, because an unencoded + in a query string is decoded as a space (RFC 3986).
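The encoding rules in the note are easy to get wrong by hand, and the filter string is also the one place on this API where caller-supplied data is spliced into an expression the server parses. The following is an added example, not code from nevisIDM, of building a filter clause and the GET /{clientExtId}/Users URL so that a space becomes %20 and a literal + becomes %2B, while a value containing a quote is refused rather than spliced in (the page documents no escape syntax for quotes inside a literal, so refusing is the conservative choice). The operator spelling follows the page’s uppercase style; the phone number and property name in the tests are constructed.

```python
import re
from urllib.parse import quote, urlencode

# Attribute paths as they appear in filters: plain names, dotted sub-attributes,
# URN-prefixed extension attributes and, per the note above, names with spaces.
ATTRIBUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.:\- ]*$")
OPERATORS = {"EQ", "NE", "CO", "SW", "EW", "GT", "GE", "LT", "LE", "PR"}


def scim_comparison(attribute, operator, value=None):
    """Build one 'attribute OP value' clause with the value treated as data.

    A value carrying a quote, backslash or newline is rejected: with no
    documented escape syntax it could only be spliced in raw, which would let
    the caller terminate the literal and append operators of their own.
    """
    if not ATTRIBUTE_RE.match(attribute):
        raise ValueError("not a SCIM attribute path: %r" % attribute)
    op = operator.upper()
    if op not in OPERATORS:
        raise ValueError("unknown operator: %r" % operator)
    if op == "PR":
        return "%s PR" % attribute
    if isinstance(value, bool):
        literal = "true" if value else "false"
    elif isinstance(value, (int, float)):
        literal = str(value)
    elif isinstance(value, str):
        if any(ch in value for ch in "'\"\\\n\r"):
            raise ValueError("quote or control character in filter value")
        literal = "'" + value + "'"
    else:
        raise TypeError("unsupported value type")
    return "%s %s %s" % (attribute, op, literal)


def users_url(base_url, client_ext_id, filter_expr, start_index=1, count=10, attributes=None):
    """URL for GET /{clientExtId}/Users with every query value percent-encoded.

    quote_via=quote encodes a space as %20 and a literal + as %2B, so a mobile
    number such as +41... survives the server's decoding of the query string.
    """
    params = [("filter", filter_expr), ("startIndex", start_index), ("count", count)]
    if attributes:
        params.append(("attributes", ",".join(attributes)))
    path = "%s/%s/Users" % (base_url.rstrip("/"), quote(str(client_ext_id), safe=""))
    return path + "?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    base = "http://localhost:8080/nevisidm/api/scim/v1"   # host from the page's examples
    clause = scim_comparison("phoneNumbers.value", "eq", "+41 44 444 44 44")  # constructed number
    print(users_url(base, "100", clause, count=50, attributes=["userName", "phoneNumbers"]))
```

Send the resulting URL with the session cookie or header your deployment uses; the encoding is independent of the authentication mechanism. The same scim_comparison output can be placed in the filter field of the POST /{clientExtId}/Users/.search body, where no percent-encoding is needed because the expression travels in JSON.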
Required permissions
AccessControl.UserView, AccessControl.PropertyView, AccessControl.PropertyValueView, AccessControl.PropertyAllowedValueView, AccessControl.CredentialView, AccessControl.ProfileView
Example URI
- clientExtId (string, required) - ExtID of the client. Example: 1000
Headers
Content-Type: application/json or application/scim+json
200
Headers
Content-Type: application/json
Body
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 1,
"itemsPerPage": 10,
"startIndex": 1,
"resources": [
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:nevis:idm:scim:schemas:v1:extension:User"
],
"id": "3000000003",
"externalId": "3000000003",
"meta": {
"resourceType": "User",
"created": "2021-12-03T14:59:47.000Z",
"lastModified": "2021-12-03T14:59:47.000Z",
"location": "http://localhost:8080/nevisidm/api/scim/v1/100/Users/3000000003",
"version": "v1"
},
"userName": "User4321",
"name": {
"formatted": "Tested User",
"familyName": "Tested",
"givenName": "User"
},
"displayName": "User4321",
"preferredLanguage": "en",
"active": true,
"emails": [
{
"value": "user4321@siven.ch",
"type": "work",
"primary": true
}
],
"urn:nevis:idm:scim:schemas:v1:extension:User": {
"technical": false,
"templateCollectionName": "Default",
"credentials": [
{
"extId": "3000000003",
"type": "PASSWORD",
"active": true,
"validFrom": "2021-12-03T15:03:46.000Z",
"validTo": "2031-12-01T15:03:46.000Z",
"password": "{SSHA256}b6HBFxmLGRnW90atPGY9Ap+wpfpbYsgeDl5JsSTIDGlYN0bxa5jRAsi8"
}
],
"properties": {
"User_Import_Property1": "0"
}
}
}
]
}
Create new User
POST /{clientExtId}/Users
Creates a new user with the given settings, including credentials, profiles and authorizations.
Note
In the case of Security Question credentials, user creation is only allowed if the policy parameter restrictModifyToOwner is set to false.
Required permissions
AccessControl.UserCreate, AccessControl.ProfileCreate, AccessControl.AuthorizationCreate (for creating non-technical users only)
Example URI
- clientExtId (string, required) - ExtID of the client. Example: 1000
Headers
Content-Type: application/json or application/scim+json
Body
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:nevis:idm:scim:schemas:v1:extension:User"
],
"externalId": "3690000001",
"userName": "tesla",
"name": {
"familyName": "Tesla",
"givenName": "Nikola"
},
"emails": [
{
"value": "nikola@tesla.ch"
}
],
"urn:nevis:idm:scim:schemas:v1:extension:User": {
"templateCollectionName": "Default",
"properties": {
"user_global_encrypted": "122"
}
}
}
200
Headers
Content-Type: application/json or application/scim+json
Body
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:nevis:idm:scim:schemas:v1:extension:User"
],
"id": "9999999343",
"externalId": "3690000001",
"meta": {
"resourceType": "User",
"created": "2022-05-03T13:01:31.000Z",
"lastModified": "2022-05-03T13:01:31.000Z",
"location": "http://localhost:8080/nevisidm/api/scim/v1/100/Users/9999999343",
"version": "v1"
},
"userName": "tesla",
"name": {
"formatted": "Nikola Tesla",
"familyName": "Tesla",
"givenName": "Nikola"
},
"displayName": "Nikola Tesla",
"preferredLanguage": "en",
"active": true,
"emails": [
{
"value": "nikola@tesla.ch",
"type": "work",
"primary": true
}
],
"urn:nevis:idm:scim:schemas:v1:extension:User": {
"technical": false,
"templateCollectionName": "Default",
"profiles": [
{
"active": true,
"name": "Profile-tesla",
"remarks": "Automatically generated profile for tesla",
"extId": "2000001376",
"defaultProfile": true,
"unitExtId": "100",
"idmAuthorizations": [
{
"extId": "260002344",
"roleExtId": "1",
"authorizedForAllClients": false,
"authorizedForAllUnits": false,
"authorizedForAllApplications": false,
"authorizedForAllEnterpriseRoles": false
}
]
}
],
"properties": {
"user_global_encrypted": "122"
}
}
}
Scim Bulk Request
Scim Bulk Request
POST /{clientExtId}/bulk
Executes the specified operations on the client given by its extId. The request body is a SCIM BulkRequest (urn:ietf:params:scim:api:messages:2.0:BulkRequest) whose operations each carry the method, path and data of one individual call; a bulkId labels an operation so later operations and the response can refer to it. As with the individual calls, every operation is subject to the caller’s permissions and data room.
Example URI
- clientExtId (string, required) - ExtID of the client. Example: 1000
Headers
Content-Type: application/json or application/scim+json
Body
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:BulkRequest"
],
"failOnErrors": 0,
"operations": [
{
"method": "POST",
"bulkId": "create",
"path": "Users",
"data": {
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:nevis:idm:scim:schemas:v1:extension:User"
],
"externalId": "3690000001",
"userName": "tesla",
"name": {
"familyName": "Tesla",
"givenName": "Nikola"
},
"emails": [
{
"value": "nikola@tesla.ch"
}
],
"urn:nevis:idm:scim:schemas:v1:extension:User": {
"templateCollectionName": "Default",
"properties": {
"user_global_encrypted": "122"
}
}
}
},
{
"method": "GET",
"bulkId": "get",
"path": "Users/99991010"
}
]
}
Scim Search
Search User
POST /{clientExtId}/Users/.search
Searches for users matching the attributes specified in the request body (a Scim Search Post DTO) within the given client.
Example URI
- clientExtId (string, required) - ExtID of the client. Example: 1000
Headers
Content-Type: application/json or application/scim+json
Body
{
"filter": "userName EQ 'bootstrap'"
}
200
Headers
Content-Type: application/json or application/scim+json
Body
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 1,
"itemsPerPage": 10,
"startIndex": 1,
"resources": [
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:nevis:idm:scim:schemas:v1:extension:User"
],
"id": "100",
"externalId": "100",
"meta": {
"resourceType": "User",
"created": "2022-05-03T14:19:25.000Z",
"lastModified": "2022-05-03T14:19:25.000Z",
"location": "http://localhost:8080/nevisidm/api/scim/v1/100/Users/100",
"version": "v1"
},
"userName": "bootstrap",
"name": {
"formatted": "Boot Strap",
"familyName": "Strap",
"givenName": "Boot",
"honorificPrefix": "Mr."
},
"displayName": "Boot Strap",
"preferredLanguage": "en",
"active": true,
"emails": [
{
"value": "bootstrap@adnovum.ch",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "0444444444",
"type": "telephone",
"primary": true
}
],
"urn:nevis:idm:scim:schemas:v1:extension:User": {
"remarks": "Initial user for bootstrapping",
"technical": false,
"templateCollectionName": "Default",
"credentials": [
{
"extId": "100",
"type": "PASSWORD",
"state": "ACTIVE",
"validFrom": "2022-05-03T14:19:25.000Z",
"validTo": "2029-12-31T23:00:00.000Z",
"credentialLoginInfo": {
"lastLogin": "2022-05-03T14:19:27.000Z",
"loginSuccessCount": 1,
"lastFailure": "2022-05-03T14:19:27.000Z",
"loginFailureCount": 2
},
"password": "{SSHA}OfA52lp84tj5nS6+awPTTgcuY1FF6PdtbxNo/Mry"
}
],
"profiles": [
{
"state": "ACTIVE",
"name": "BootstrapProfile",
"remarks": "Initial profile for bootstrapping",
"extId": "100",
"defaultProfile": true,
"unitExtId": "100",
"idmAuthorizations": [
{
"extId": "100",
"roleExtId": "1",
"authorizedForAllClients": true,
"authorizedForAllUnits": true,
"authorizedForAllApplications": true,
"authorizedForAllEnterpriseRoles": true
},
{
"extId": "105",
"roleExtId": "30",
"authorizedForAllClients": true,
"authorizedForAllUnits": true,
"authorizedForAllApplications": true,
"authorizedForAllEnterpriseRoles": true
}
]
}
],
"loginInfo": {
"lastLogin": "1999-12-31T23:00:00.000Z"
}
}
}
]
}
SCIM Meta REST Service
These endpoints do not require authorization.
SCIM Error DTO
In addition to returning an HTTP response code, the SCIM server must return the error details in the body as JSON. The SCIM Error DTO has the following parameters:
-
schemas - An array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure (list, string).
-
status - The HTTP status code (number)
-
scimType - A SCIM detail error keyword (string). Available values:
INVALID_FILTER, TOO_MANY, UNIQUENESS, MUTABILITY, INVALID_SYNTAX, INVALID_PATH, NO_TARGET, INVALID_VALUE, INVALID_VERS, SENSITIVE
-
detail - A detailed human-readable message (string).
Scim ResourceType DTO
Specifies the schema that describes a SCIM resource type. The SCIM ResourceType DTO has the following parameters:
-
schemas - An array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure (list, string).
-
id - The resource type’s server unique ID. May be the same as the ‘name’ attribute (string).
-
name - The resource type name. When applicable, service providers MUST specify the name, e.g., User (string).
-
schema - The resource type’s primary/base schema URI (string).
-
description - The resource type’s human-readable description. When applicable, service providers MUST specify the description (string).
-
endpoint - The resource type’s HTTP-addressable endpoint relative to the Base URL, e.g., /Users (string).
-
schemaExtensions - A list of the resource type’s schema extensions (list).
- schema - The unique URI of the schema (string).
- required - Indicates whether the schema extension is required for the extended resource (boolean).
-
meta - Meta information of the Resource (object).
- resourceType - The name of the resource type of the resource (string, optional).
- created - The date and time that the resource was added to the service provider (string, optional).
- lastModified - The most recent date and time that the details of this resource were updated at the service provider (string, optional ).
- location - The URI of the resource being returned (string, optional).
- version - The version of the resource being returned (string, optional).
Scim Schema DTO
Specifies a SCIM schema, i.e. the attributes that make up a resource type. The SCIM Schema DTO has the following parameters:
-
schemas - An array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure (list, string).
-
id - The unique URI of the schema (string).
-
name - The schema’s human-readable name (string).
-
schema - The resource type’s primary/base schema URI (string).
-
description - The schema’s human-readable description (string).
-
attributes - List of attributes of the resource described by the schema (list).
- type - The attribute’s data type (string, enum).
STRING
BOOLEAN
DECIMAL
INTEGER
DATE_TIME
REFERENCE
COMPLEX
- mutability - A single keyword indicating the circumstances under which the value of the attribute can be defined (string, enum).
READ_ONLY
READ_WRITE
IMMUTABLE
WRITE_ONLY
- returned - A single keyword that indicates when an attribute and associated values are returned in response to a GET request or in response to a PUT, POST, or PATCH request (string, enum).
ALWAYS
NEVER
DEFAULT
REQUEST
- uniqueness - A single keyword value that specifies how the service provider enforces uniqueness of attribute values (string, enum).
NONE
SERVER
GLOBAL
-
meta - Meta information of the Resource (object).
- resourceType - The name of the resource type of the resource (string, optional).
- created - The date and time that the resource was added to the service provider (string, optional).
- lastModified - The most recent date and time that the details of this resource were updated at the service provider (string, optional ).
- location - The URI of the resource being returned (string, optional).
- version - The version of the resource being returned (string, optional).
Scim ServiceProviderConfig DTO
Schema for representing the service provider’s configuration. The SCIM ServiceProviderConfig DTO has the following parameters:
-
schemas - An array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure (list, string).
-
documentationUri - An HTTP-addressable URL pointing to the service provider’s human-consumable help documentation (string).
-
patch - A complex type that specifies whether the PATCH operation is supported (object).
- supported - A Boolean value specifying whether or not the operation is supported (boolean).
-
bulk - A complex type that specifies bulk configuration options (object).
- maxOperations - An integer value specifying the maximum number of operations (number)
- supported - A Boolean value specifying whether or not the operation is supported (boolean).
-
filter - A complex type that specifies FILTER configuration options (object).
- maxResult - An integer value specifying the maximum number of resources returned in a response (number).
- maxPayload - An integer value specifying the maximum payload size in bytes (number).
- supported - A Boolean value specifying whether or not the operation is supported (boolean).
-
etag - A complex type that specifies ETag configuration options. (object).
- supported - A Boolean value specifying whether or not the operation is supported (boolean).
-
changePassword - A complex type that specifies configuration options related to changing a password (object).
- supported - A Boolean value specifying whether or not the operation is supported (boolean).
-
authenticationSchemes - A complex type that specifies supported authentication scheme properties (list, optional).
- type - The authentication scheme. The SCIM specification defines the values oauth, oauth2, oauthbearertoken, httpbasic and httpdigest (string).
- name - The common authentication scheme name, e.g., HTTP Basic (string).
- description - A description of the authentication scheme (string, optional).
- specUri - An HTTP-addressable URL pointing to the authentication scheme’s specification (string, optional).
- documentationUri - An HTTP-addressable URL pointing to the service provider’s human-consumable help documentation (string, optional).
-
meta - Meta information of the Resource (object).
- resourceType - The name of the resource type of the resource (string, optional).
- created - The date and time that the resource was added to the service provider (string, optional).
- lastModified - The most recent date and time that the details of this resource were updated at the service provider (string, optional ).
- location - The URI of the resource being returned (string, optional).
- version - The version of the resource being returned (string, optional).
Scim ScimListResponse DTO
SCIM defined list response. The SCIM ListResponse DTO has the following parameters:
-
schemas - An array of Strings containing URIs that are used to indicate the namespaces of the SCIM schemas that define the attributes present in the current JSON structure (list, string).
-
totalResults - Total number of results matching the request, across all pages (number).
-
itemsPerPage - Number of results in this response. Defaults to 10; controlled by the count request parameter (number).
-
startIndex - 1-based index of the first result in this response. Defaults to 1; controlled by the startIndex request parameter (number).
-
resources - Array of SCIM resources, for example an array of users (list).
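The ListResponse fields above are what a client has to drive paging with. The following is an added example (not code from the nevisIDM project) of a client that walks all pages of a listing. The fake_server below is a constructed stand-in for a list endpoint such as GET /Users?startIndex=..&count=.. (the query parameter names come from the DTO description above; the server-side cap on page size is an assumption used to show why a client must advance by the number of resources actually returned, not by the count it requested).

```python
"""Paging through SCIM ListResponse documents (added example, not nevisIDM code)."""

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def fake_server(total=23, max_page=10):
    """Return a fetch(startIndex, count) callable standing in for a SCIM list
    endpoint. Constructed for this example: startIndex is 1-based and the
    server caps itemsPerPage at max_page regardless of the requested count."""
    users = [{"id": f"user-{i}", "userName": f"user{i}"} for i in range(1, total + 1)]

    def fetch(start_index, count):
        fetch.calls.append((start_index, count))  # recorded so the paging can be inspected
        page = users[start_index - 1:start_index - 1 + min(count, max_page)]
        return {"schemas": [LIST_RESPONSE], "totalResults": total,
                "itemsPerPage": len(page), "startIndex": start_index,
                "resources": page}

    fetch.calls = []
    return fetch


def iterate_list_response(fetch, count=50):
    """Yield every resource across all pages of a ListResponse.

    Advances startIndex by the number of resources actually returned (the
    server may hand back fewer than count) and stops on an empty page, so a
    server that ignores startIndex or reports a wrong totalResults cannot
    keep the client looping forever."""
    start = 1
    while True:
        resp = fetch(start, count)
        if LIST_RESPONSE not in resp.get("schemas", []):
            raise ValueError("response is not a SCIM ListResponse")
        page = resp.get("resources", [])
        if not page:
            return
        yield from page
        start += len(page)
        if start > resp["totalResults"]:
            return


def collect_all(fetch, count=50):
    """Materialise the whole listing as a list of resources."""
    return list(iterate_list_response(fetch, count))
```

With 23 resources and a server-side cap of 10, collect_all issues three requests with startIndex 1, 11 and 21 and returns all 23 resources exactly once; a listing with totalResults 0 yields an empty list after a single request.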
Scim Schemas
List all Schemas: GET /Schemas
This is a meta endpoint; it can be called without being logged in. Anyone who can reach the API can therefore read the attribute model returned below, including which attributes are writable.
Retrieves all SCIM schemas implemented on this server.
Example URI
Headers
Content-Type: application/json or application/scim+json
200
Headers
Content-Type: application/json or application/scim+json
Body
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 7,
"itemsPerPage": 10,
"startIndex": 1,
"resources": [
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Schema"
],
"id": "urn:ietf:params:scim:schemas:core:2.0:User",
"name": "User",
"description": "SCIM provides a resource type for \"User\" resources. The core schema for \"User\" is identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:User.",
"attributes": [
{
"name": "userName",
"type": "string",
"multiValued": false,
"description": "Unique identifier for the User for the actual customer. This is mapped to the loginId property of User.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "name",
"type": "complex",
"subAttributes": [
{
"name": "formatted",
"type": "string",
"multiValued": false,
"description": "The full name, including all middle names, titles, and suffixes. This is not mapped for input, just generated for output.",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "familyName",
"type": "string",
"multiValued": false,
"description": "The family name of the User, or Last Name in most Western languages. This is mapped to name property of User.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "givenName",
"type": "string",
"multiValued": false,
"description": "The given name of the User, or First Name in most Western languages. This is mapped to firstName attribute of User.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "middleName",
"type": "string",
"multiValued": false,
"description": "The middle name(s) of the User. This is not mapped to any property of User, yet.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "honorificPrefix",
"type": "string",
"multiValued": false,
"description": "The honorific prefix(es) of the User, or Title in most Western languages. This is mapped to title property of User.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": false,
"description": "The components of the user’s name complex type. This is mapped to name, firstName, remarks... properties of User.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "displayName",
"type": "string",
"multiValued": false,
"description": "The name of the User, suitable for display to end-users. This is generated like name.formatted. If empty the userName will be returned.",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "preferredLanguage",
"type": "string",
"multiValued": false,
"description": "Indicates the User's preferred written or spoken language. This is mapped to languageId property of User.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "locale",
"type": "string",
"multiValued": false,
"description": "Used to indicate the User's default location for purposes of localizing items such as currency, date time format, numerical representations, etc. This is mapped to locality property of User.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "active",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the User's administrative status. This it mapped to status property of User. 'true' => ACTIVE, 'false' => DISABLED; ACTIVE => 'true', otherwise 'false'.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "emails",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "Attribute value (eg. email address, prhone number. This part is mapped to the referred property of User.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes. This part is not mapped, for output the value is repeated here.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g. 'work', 'home', etc. For email this part is not mapped. For phone the following values are accepted and required: 'telephone', 'telefax' or 'mobile'. Other types are not supported, yet.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred. This part is not mapped, the first one always true the rest always false.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "E-mail addresses for the user. The IDM can accept only one email address. By default the email address is mandatory and must be unique. This is mapped to email and uniqueEmail properties of User.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "phoneNumbers",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "Attribute value (eg. email address, prhone number. This part is mapped to the referred property of User.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes. This part is not mapped, for output the value is repeated here.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g. 'work', 'home', etc. For email this part is not mapped. For phone the following values are accepted and required: 'telephone', 'telefax' or 'mobile'. Other types are not supported, yet.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred. This part is not mapped, the first one always true the rest always false.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "Phone numbers for the User. The IDM can accept three kind of phone numbers. Indicate the type as 'telephone', 'telefax' or 'mobile'. These values are mapped to properties indicated in type attribute.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "addresses",
"type": "complex",
"subAttributes": [
{
"name": "formatted",
"type": "string",
"multiValued": false,
"description": "The full mailing address, formatted for display or for label. This is not mapped for input, just generated for output.",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "streetAddress",
"type": "string",
"multiValued": false,
"description": "The full street address component. This part is mapped to addressline1 and addressline2 properties of User with separating new line character (only one supported).",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "locality",
"type": "string",
"multiValued": false,
"description": "The city or locality component. This part is mapped to city property of User.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "region",
"type": "string",
"multiValued": false,
"description": "The state or region component. This part is not mapped to any property of User, yet.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "postalCode",
"type": "string",
"multiValued": false,
"description": "The zipcode or postal code component. This part is mapped to postalcode property of User.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "country",
"type": "string",
"multiValued": false,
"description": "The country name component. This part is mapped to country property of User.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g. 'work' or 'home'. This part is not mapped to any property of User, yet.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred. This part is not mapped to any property of User, yet.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "Physical mailing addresses for this User. The IDM can accept only one address.This is mapped to country, city, postalcode, addressline2 and addressline1 properties of User.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
]
},
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Schema"
],
"id": "urn:nevis:idm:scim:schemas:v1:extension:User",
"name": "UserExtension",
"description": "SCIM User IDM extension for properties in IDM \"User\" that has not been covered by the ScimUser. Schema: \"urn:nevis:idm:scim:schemas:v1:extension:User\".",
"attributes": [
{
"name": "remarks",
"type": "string",
"multiValued": false,
"description": "Description for the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "sex",
"type": "string",
"multiValued": false,
"description": "Gender of the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "birthDate",
"type": "dateTime",
"multiValued": false,
"description": "Birthdate of the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validFrom",
"type": "dateTime",
"multiValued": false,
"description": "Validity starting timestamp can be defined for the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validTo",
"type": "dateTime",
"multiValued": false,
"description": "Validity ending timestamp can be defined for the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "technical",
"type": "boolean",
"multiValued": false,
"description": "Indicates if it the user is technical or not.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "street",
"type": "string",
"multiValued": false,
"description": "Street name of user's address.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "houseNumber",
"type": "string",
"multiValued": false,
"description": "House number of user's address.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "dwellingNumber",
"type": "string",
"multiValued": false,
"description": "Property unit number of user's address.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "postOfficeBoxText",
"type": "string",
"multiValued": false,
"description": "Post office box text of user's address.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "postOfficeBoxNumber",
"type": "integer",
"multiValued": false,
"description": "Post office box number of user's address.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "templateCollectionName",
"type": "string",
"multiValued": false,
"description": "Name of template collection assigned to the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "credentials",
"type": "complex",
"subAttributes": [
{
"name": "extId",
"type": "string",
"multiValued": false,
"description": "External identifier for the credential. Must be unique.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "Type of the credential.",
"required": true,
"canonicalValues": [
"PASSWORD",
"GENERIC",
"TICKET"
],
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "name",
"type": "string",
"multiValued": false,
"description": "Name attribute for the credential.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "active",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the Credential's administrative status. 'true' => ACTIVE, 'false' => DISABLED; INITIAL, ACTIVE, RESET_CODE, ADMIN_CHANGED => 'true', otherwise 'false'.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validFrom",
"type": "dateTime",
"multiValued": false,
"description": "Validity starting timestamp for the credential.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validTo",
"type": "dateTime",
"multiValued": false,
"description": "Validity ending timestamp for the credential.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "List of credential a assigned to the user.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "profiles",
"type": "complex",
"subAttributes": [
{
"name": "active",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the Profile's administrative status. 'true' => ACTIVE, 'false' => DISABLED; ACTIVE => 'true', otherwise 'false'.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "name",
"type": "string",
"multiValued": false,
"description": "Name of the profile.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "remarks",
"type": "string",
"multiValued": false,
"description": "Description for the profile.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "extId",
"type": "string",
"multiValued": false,
"description": "External identifier for the profile. Must be unique.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "defaultProfile",
"type": "boolean",
"multiValued": false,
"description": "Indicates it is the default profile of user or not. One and only one must true.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validFrom",
"type": "dateTime",
"multiValued": false,
"description": "Validity starting timestamp can be defined for the profile.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validTo",
"type": "dateTime",
"multiValued": false,
"description": "Validity ending timestamp can be defined for the profile.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "deputedProfileExtId",
"type": "string",
"multiValued": false,
"description": "External identifier of deputed profile if exists.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "unitExtId",
"type": "string",
"multiValued": false,
"description": "Unit external identifier belonging to the client that the profile refers. By default the configured default unit for the client is used to.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "idmAuthorizations",
"type": "complex",
"subAttributes": [
{
"name": "authorizedForAllClients",
"type": "boolean",
"multiValued": false,
"description": "The user is authorized to manage all clients in the system.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "authorizedForAllUnits",
"type": "boolean",
"multiValued": false,
"description": "The user is authorized to manage all units in the system.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "authorizedForAllApplications",
"type": "boolean",
"multiValued": false,
"description": "The user is authorized to manage all applications in the system.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "authorizedForAllEnterpriseRoles",
"type": "boolean",
"multiValued": false,
"description": "The user is authorized to manage all enterprise roles in the system.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "authorizedClientExtIds",
"type": "string",
"multiValued": true,
"description": "The user is authorized to manage the selected clients in case all clients flag is false.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "authorizedApplicationExtIds",
"type": "string",
"multiValued": true,
"description": "The user is authorized to manage the selected applications in case all applications flag is false.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "IDM role assignments for the profile.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "appAuthorizations",
"type": "complex",
"multiValued": true,
"description": "Application role assignments for the profile.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "enterpriseAuthorizations",
"type": "complex",
"multiValued": true,
"description": "Enterprise role assignments for the profile.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "List of assigned profiles to the user. At least one is mandatory.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "loginInfo",
"type": "complex",
"subAttributes": [
{
"name": "lastLogin",
"type": "dateTime",
"multiValued": false,
"description": "Timestamp of last login of user.",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "lastFailure",
"type": "dateTime",
"multiValued": false,
"description": "Timestamp of last login failure of user.",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": false,
"description": "Login information about the user.",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
}
]
}
]
}
Scim Schema
Retrieve a Schema: GET /Schemas/{schema}
This is a meta endpoint; it can be called without being logged in.
Retrieves the SCIM schema with the given schema URN, if it is implemented on this server.
Example URI
- schema (string, required): the schema URN of the requested schema. Example: urn:nevis:idm:scim:schemas:v1:extension:User
Headers
Content-Type: application/json or application/scim+json
200
Headers
Content-Type: application/json or application/scim+json
Body
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Schema"
],
"id": "urn:nevis:idm:scim:schemas:v1:extension:User",
"name": "UserExtension",
"description": "SCIM User IDM extension for properties in IDM \"User\" that has not been covered by the ScimUser. Schema: \"urn:nevis:idm:scim:schemas:v1:extension:User\".",
"attributes": [
{
"name": "remarks",
"type": "string",
"multiValued": false,
"description": "Description for the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "sex",
"type": "string",
"multiValued": false,
"description": "Gender of the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "birthDate",
"type": "dateTime",
"multiValued": false,
"description": "Birthdate of the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validFrom",
"type": "dateTime",
"multiValued": false,
"description": "Validity starting timestamp can be defined for the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validTo",
"type": "dateTime",
"multiValued": false,
"description": "Validity ending timestamp can be defined for the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "technical",
"type": "boolean",
"multiValued": false,
"description": "Indicates if it the user is technical or not.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "street",
"type": "string",
"multiValued": false,
"description": "Street name of user's address.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "houseNumber",
"type": "string",
"multiValued": false,
"description": "House number of user's address.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "dwellingNumber",
"type": "string",
"multiValued": false,
"description": "Property unit number of user's address.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "postOfficeBoxText",
"type": "string",
"multiValued": false,
"description": "Post office box text of user's address.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "postOfficeBoxNumber",
"type": "integer",
"multiValued": false,
"description": "Post office box number of user's address.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "templateCollectionName",
"type": "string",
"multiValued": false,
"description": "Name of template collection assigned to the user.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "credentials",
"type": "complex",
"subAttributes": [
{
"name": "extId",
"type": "string",
"multiValued": false,
"description": "External identifier for the credential. Must be unique.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "Type of the credential.",
"required": true,
"canonicalValues": [
"PASSWORD",
"GENERIC",
"TICKET"
],
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "name",
"type": "string",
"multiValued": false,
"description": "Name attribute for the credential.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "active",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the Credential's administrative status. 'true' => ACTIVE, 'false' => DISABLED; INITIAL, ACTIVE, RESET_CODE, ADMIN_CHANGED => 'true', otherwise 'false'.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validFrom",
"type": "dateTime",
"multiValued": false,
"description": "Validity starting timestamp for the credential.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validTo",
"type": "dateTime",
"multiValued": false,
"description": "Validity ending timestamp for the credential.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "List of credential a assigned to the user.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "profiles",
"type": "complex",
"subAttributes": [
{
"name": "active",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the Profile's administrative status. 'true' => ACTIVE, 'false' => DISABLED; ACTIVE => 'true', otherwise 'false'.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "name",
"type": "string",
"multiValued": false,
"description": "Name of the profile.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "remarks",
"type": "string",
"multiValued": false,
"description": "Description for the profile.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "extId",
"type": "string",
"multiValued": false,
"description": "External identifier for the profile. Must be unique.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "defaultProfile",
"type": "boolean",
"multiValued": false,
"description": "Indicates it is the default profile of user or not. One and only one must true.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validFrom",
"type": "dateTime",
"multiValued": false,
"description": "Validity starting timestamp can be defined for the profile.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "validTo",
"type": "dateTime",
"multiValued": false,
"description": "Validity ending timestamp can be defined for the profile.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "deputedProfileExtId",
"type": "string",
"multiValued": false,
"description": "External identifier of deputed profile if exists.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "unitExtId",
"type": "string",
"multiValued": false,
"description": "Unit external identifier belonging to the client that the profile refers. By default the configured default unit for the client is used to.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "idmAuthorizations",
"type": "complex",
"subAttributes": [
{
"name": "authorizedForAllClients",
"type": "boolean",
"multiValued": false,
"description": "The user is authorized to manage all clients in the system.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "authorizedForAllUnits",
"type": "boolean",
"multiValued": false,
"description": "The user is authorized to manage all units in the system.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "authorizedForAllApplications",
"type": "boolean",
"multiValued": false,
"description": "The user is authorized to manage all applications in the system.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "authorizedForAllEnterpriseRoles",
"type": "boolean",
"multiValued": false,
"description": "The user is authorized to manage all enterprise roles in the system.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "authorizedClientExtIds",
"type": "string",
"multiValued": true,
"description": "The user is authorized to manage the selected clients in case all clients flag is false.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "authorizedApplicationExtIds",
"type": "string",
"multiValued": true,
"description": "The user is authorized to manage the selected applications in case all applications flag is false.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "IDM role assignments for the profile.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "appAuthorizations",
"type": "complex",
"multiValued": true,
"description": "Application role assignments for the profile.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "enterpriseAuthorizations",
"type": "complex",
"multiValued": true,
"description": "Enterprise role assignments for the profile.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "List of assigned profiles to the user. At least one is mandatory.",
"required": true,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "loginInfo",
"type": "complex",
"subAttributes": [
{
"name": "lastLogin",
"type": "dateTime",
"multiValued": false,
"description": "Timestamp of last login of user.",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "lastFailure",
"type": "dateTime",
"multiValued": false,
"description": "Timestamp of last login failure of user.",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": false,
"description": "Login information about the user.",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
}
]
}
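The attribute definitions above come with two properties a client can act on before it sends anything: `mutability` (read-only attributes such as `loginInfo` must not be written, otherwise the API answers 422) and `required` (a missing mandatory value is also a 422). The following is an added example, not nevisIDM's own code: it walks a constructed subset of the User extension schema copied from this excerpt and preflights a request body. The names `profiles`, `idmAuthorizations` and `authorizedForAllApplications` are assumed, because their name lines fall outside the excerpt and only their descriptions are visible; `appAuthorizations` and `enterpriseAuthorizations` are left out because their sub-attributes are not shown.

```python
"""Preflight a nevisIDM SCIM User payload against the attribute definitions
published by the /Schemas endpoint (added example, not nevisIDM code).

Reports the two 422 conditions that can be caught client-side: a read-only
attribute present in the body and a required attribute missing. Separately
lists every "authorizedForAll*" flag set to true, since those grants give a
profile authority over every application or enterprise role in the system.
"""

# Constructed subset of urn:nevis:idm:scim:schemas:v1:extension:User taken
# from this page's schema excerpt. "profiles", "idmAuthorizations" and
# "authorizedForAllApplications" are assumed names (only their descriptions
# are visible in the excerpt).
USER_EXTENSION_ATTRIBUTES = [
    {"name": "profiles", "type": "complex", "multiValued": True,
     "required": True, "mutability": "readWrite", "subAttributes": [
         {"name": "idmAuthorizations", "type": "complex", "multiValued": True,
          "required": True, "mutability": "readWrite", "subAttributes": [
              {"name": "authorizedForAllApplications", "type": "boolean",
               "multiValued": False, "required": True, "mutability": "readWrite"},
              {"name": "authorizedForAllEnterpriseRoles", "type": "boolean",
               "multiValued": False, "required": True, "mutability": "readWrite"},
              {"name": "authorizedClientExtIds", "type": "string",
               "multiValued": True, "required": False, "mutability": "readWrite"},
              {"name": "authorizedApplicationExtIds", "type": "string",
               "multiValued": True, "required": False, "mutability": "readWrite"},
          ]},
     ]},
    {"name": "loginInfo", "type": "complex", "multiValued": False,
     "required": False, "mutability": "readOnly", "subAttributes": [
         {"name": "lastLogin", "type": "dateTime", "multiValued": False,
          "required": False, "mutability": "readOnly"},
         {"name": "lastFailure", "type": "dateTime", "multiValued": False,
          "required": False, "mutability": "readOnly"},
     ]},
]


def _missing(value):
    # "At least one is mandatory" for multi-valued attributes: an empty
    # list or object counts as absent.
    return value is None or value == [] or value == {}


def preflight(attributes, body, path=""):
    """Return the violations of `body` against `attributes` (empty = OK)."""
    problems = []
    for attr in attributes:
        name = attr["name"]
        full = f"{path}.{name}" if path else name
        present = name in body and not _missing(body[name])
        # Conservative: flag any read-only attribute in the body, even if
        # the value happens to equal the stored one.
        if attr.get("mutability") == "readOnly" and name in body:
            problems.append(f"read-only attribute must not be sent: {full}")
            continue
        if attr.get("required") and not present:
            problems.append(f"required attribute missing: {full}")
            continue
        if not present or attr.get("type") != "complex":
            continue
        subs = attr.get("subAttributes", [])
        multi = attr.get("multiValued", False)
        values = body[name] if multi else [body[name]]
        for i, item in enumerate(values):
            sub_path = f"{full}[{i}]" if multi else full
            if not isinstance(item, dict):
                problems.append(f"complex attribute must be an object: {sub_path}")
                continue
            problems.extend(preflight(subs, item, sub_path))
    return problems


def global_grants(body, path="", prefix="authorizedForAll"):
    """Paths of every boolean flag named authorizedForAll* that is true.
    Walks any structure, so it also works on a server response."""
    found = []
    if isinstance(body, dict):
        for key, value in body.items():
            full = f"{path}.{key}" if path else key
            if key.startswith(prefix) and value is True:
                found.append(full)
            else:
                found.extend(global_grants(value, full, prefix))
    elif isinstance(body, list):
        for i, item in enumerate(body):
            found.extend(global_grants(item, f"{path}[{i}]", prefix))
    return found


# Constructed request bodies (the extension's attribute object only).
OK_BODY = {"profiles": [{"idmAuthorizations": [{
    "authorizedForAllApplications": False,
    "authorizedForAllEnterpriseRoles": False,
    "authorizedClientExtIds": ["client-ops"],
    "authorizedApplicationExtIds": ["app-portal"]}]}]}

BAD_BODY = {"profiles": [{"idmAuthorizations": [{
    "authorizedForAllApplications": True,       # global grant, no list needed
    "authorizedClientExtIds": []}]}],           # required flag left out
    "loginInfo": {"lastLogin": "2024-01-01T00:00:00Z"}}  # read-only

if __name__ == "__main__":
    for label, body in (("ok", OK_BODY), ("bad", BAD_BODY)):
        print(label, preflight(USER_EXTENSION_ATTRIBUTES, body), global_grants(body))
```

Run it against the extension object of a request before PUT/POST; anything `preflight` returns would otherwise come back as a 422, and anything `global_grants` returns is a system-wide administrative grant worth a second approval.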
Scim Resource Types
List all Resource Types
GET /ResourceTypes
This is a meta endpoint; it does not require the caller to be logged in.
Retrieves the SCIM standard resource types implemented on this server. Currently only User is implemented.
Example URI
Headers
Content-Type: application/json or application/scim+json
200
Headers
Content-Type: application/json or application/scim+json
Body
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 1,
"itemsPerPage": 10,
"startIndex": 1,
"resources": [
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id": "User",
"name": "User",
"description": "SCIM provides a resource type for \"User\" resources. The core schema for \"User\" is identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:User.",
"meta": {
"resourceType": "ResourceType",
"location": "http://localhost:8080/nevisidm/api/scim/v1/ResourceTypes/User"
},
"endpoint": "/Users",
"schemaExtensions": [
{
"required": true,
"schema": "urn:nevis:idm:scim:schemas:v1:extension:User"
}
],
"schema": "urn:ietf:params:scim:schemas:core:2.0:User"
}
]
}
Scim Resource Type
Retrieve a Resource Type
GET /ResourceTypes/{id}
This is a meta endpoint; it does not require the caller to be logged in.
Retrieves the SCIM standard resource type with the given id, if it is implemented on this server. Currently only User is implemented.
Example URI
- id
string
(required) Example: User. The name of the resource type.
Headers
Content-Type: application/json or application/scim+json
200
Headers
Content-Type: application/json or application/scim+json
Body
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"id": "User",
"name": "User",
"description": "SCIM provides a resource type for \"User\" resources. The core schema for \"User\" is identified using the following schema URI: urn:ietf:params:scim:schemas:core:2.0:User.",
"meta": {
"resourceType": "ResourceType",
"location": "http://localhost:8080/nevisidm/api/scim/v1/ResourceTypes/User"
},
"endpoint": "/Users",
"schemaExtensions": [
{
"required": true,
"schema": "urn:nevis:idm:scim:schemas:v1:extension:User"
}
],
"schema": "urn:ietf:params:scim:schemas:core:2.0:User"
}
Scim ServiceProvider Configuration
Retrieve ServiceProvider Configuration
GET /ServiceProviderConfiguration
This is a meta endpoint; it does not require the caller to be logged in.
Retrieves the service provider configuration, which describes the SCIM capabilities of this server: the supported operations (patch, bulk, filter, change password, sort, ETag), their limits, and the accepted authentication schemes. The example body below carries placeholder values (example.com URIs and dates); a client should read the live values from this endpoint rather than copy them.
Example URI
Headers
Content-Type: application/json or application/scim+json
200
Headers
Content-Type: application/json or application/scim+json
Body
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
],
"documentationUri": "http://example.com/help/scim.html",
"patch": {
"supported": true
},
"bulk": {
"supported": true,
"maxOperations": 1000,
"maxPayloadSize": 1048576
},
"filter": {
"supported": true,
"maxResults": 200
},
"changePassword": {
"supported": true
},
"sort": {
"supported": true
},
"etag": {
"supported": true
},
"authenticationSchemes": [
{
"name": "OAuth Bearer Token",
"description": "Authentication scheme using the OAuth Bearer Token Standard",
"specUri": "http://www.rfc-editor.org/info/rfc6750",
"documentationUri": "http://example.com/help/oauth.html",
"type": "oauthbearertoken",
"primary": true
},
{
"name": "HTTP Basic",
"description": "Authentication scheme using the HTTP Basic Standard",
"specUri": "http://www.rfc-editor.org/info/rfc2617",
"documentationUri": "http://example.com/help/httpBasic.html",
"type": "httpbasic"
}
],
"meta": {
"location": "https://example.com/v2/ServiceProviderConfig",
"resourceType": "ServiceProviderConfig",
"created": "2010-01-23T04:56:22Z",
"lastModified": "2011-05-13T04:42:34Z",
"version": "W/\"3694e05e9dff594\""
}
}
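Because neither `/ResourceTypes` nor `/ServiceProviderConfiguration` requires a login, they are the natural first calls of a client: they say which schema URNs a User must carry and which operations and limits the server honours. The following is an added example, not nevisIDM's own code. It turns the two sample bodies from this page (constructed copies embedded inline so it runs offline) into concrete client decisions: the `schemas` list for a create request, the page size cap, bulk batch size, and whether to modify with PATCH or PUT and with an `If-Match` ETag.

```python
"""Derive client-side limits from the SCIM meta endpoints.

Added example, not nevisIDM code. SERVICE_PROVIDER_CONFIG and RESOURCE_TYPES
are constructed copies of the sample bodies on this page; a real client
fetches them with GET /ServiceProviderConfiguration and GET /ResourceTypes
(no login required) before its first authenticated request.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVICE_PROVIDER_CONFIG = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
    "patch": {"supported": True},
    "bulk": {"supported": True, "maxOperations": 1000, "maxPayloadSize": 1048576},
    "filter": {"supported": True, "maxResults": 200},
    "changePassword": {"supported": True},
    "sort": {"supported": True},
    "etag": {"supported": True},
    "authenticationSchemes": [
        {"name": "OAuth Bearer Token", "type": "oauthbearertoken", "primary": True},
        {"name": "HTTP Basic", "type": "httpbasic"},
    ],
}

RESOURCE_TYPES = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "resources": [{
        "id": "User", "name": "User", "endpoint": "/Users",
        "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
        "schemaExtensions": [
            {"required": True, "schema": "urn:nevis:idm:scim:schemas:v1:extension:User"},
        ],
    }],
}


@dataclass(frozen=True)
class Capabilities:
    patch: bool
    bulk: bool
    bulk_max_operations: Optional[int]
    filter: bool
    filter_max_results: Optional[int]
    etag: bool
    primary_auth: Optional[str]


def parse_capabilities(config: dict) -> Capabilities:
    """Read ServiceProviderConfig; a missing section means "not supported"."""
    def section(name: str) -> dict:
        return config.get(name) or {}
    schemes = config.get("authenticationSchemes") or []
    primary = next((s.get("type") for s in schemes if s.get("primary")), None)
    if primary is None and schemes:
        primary = schemes[0].get("type")
    return Capabilities(
        patch=bool(section("patch").get("supported")),
        bulk=bool(section("bulk").get("supported")),
        bulk_max_operations=section("bulk").get("maxOperations"),
        filter=bool(section("filter").get("supported")),
        filter_max_results=section("filter").get("maxResults"),
        etag=bool(section("etag").get("supported")),
        primary_auth=primary,
    )


def page_size(caps: Capabilities, requested: int) -> int:
    """Clamp a list request's count to the advertised filter.maxResults."""
    if caps.filter_max_results is None:
        return max(1, requested)
    return max(1, min(requested, caps.filter_max_results))


def bulk_batches(caps: Capabilities, operations: List[dict]) -> List[List[dict]]:
    """Split operations into batches no larger than bulk.maxOperations."""
    if not caps.bulk:
        raise ValueError("server does not advertise bulk support")
    size = caps.bulk_max_operations or len(operations) or 1
    return [operations[i:i + size] for i in range(0, len(operations), size)]


def resource_type(doc: dict, endpoint: str = "/Users") -> dict:
    """Find a resource type by endpoint. The page's sample spells the list
    key "resources"; the SCIM spec spells it "Resources"; accept both."""
    for rt in doc.get("Resources") or doc.get("resources") or []:
        if rt.get("endpoint") == endpoint:
            return rt
    raise LookupError(f"no resource type served at {endpoint}")


def user_schemas(doc: dict) -> List[str]:
    """The "schemas" list a create request must carry: the core schema plus
    every extension the server marks required (nevisIDM requires its own)."""
    rt = resource_type(doc, "/Users")
    required = [e["schema"] for e in rt.get("schemaExtensions", []) if e.get("required")]
    return [rt["schema"]] + required


def modify_request(caps: Capabilities, etag: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """PATCH when advertised (PUT otherwise), plus If-Match with the ETag from
    the last read when ETags are supported, so a concurrent change to the
    same user is rejected instead of silently overwritten."""
    headers = {"Content-Type": "application/scim+json"}
    if caps.etag and etag:
        headers["If-Match"] = etag
    return ("PATCH" if caps.patch else "PUT"), headers


if __name__ == "__main__":
    caps = parse_capabilities(SERVICE_PROVIDER_CONFIG)
    print(caps)
    print("create with schemas:", user_schemas(RESOURCE_TYPES))
    print("page size for 500:", page_size(caps, 500))
    print("bulk batches for 2500 ops:", len(bulk_batches(caps, [{}] * 2500)))
    print(modify_request(caps, 'W/"3694e05e9dff594"'))
```

Re-read the configuration whenever the server is upgraded; a client that hard-codes `maxResults` or assumes PATCH support will break, or worse, fall back to PUT without `If-Match` and lose concurrent updates.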