Password & Login Metadata


Neil Chambers

May 25, 2012, 7:23:12 AM
to Cloud Directory
I'm considering using SCIM within our Enterprise. We have over 150
different identity stores (that we know of) grouped into realms of
ownership that fit nicely into a cloud concept.

The specification, as is, deals well with basic provisioning requests
and I really like the idea of a REST approach.

We also have a need to discover certain metadata about password and
login status for a given identity:

Password Last Reset Date
Password Expiry Date
Last Login Date

This will help us from a compliance angle as well as build preemptive
measures to ensure continuity of service (notifying employees that
their access is about to expire/will require a password reset and so
on).

Is this something that could be considered for the next revision or
does it go against the philosophy of what this group is trying to
achieve?

I guess I could just define a schema extension for us to use
internally but I like the idea of using a widely known spec.

Lastly - thanks to all of the authors for putting this spec together.
I was about to jump on the SPML bandwagon and (probably) would have
pushed for it (and failed) if not for this.

Cheers!
Neil.
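
An added example, not part of Neil's post or of any SCIM specification: a hypothetical schema extension carrying the three attributes he lists, with the preemptive checks he describes (upcoming expiry or forced reset, dormant login) run over a constructed SCIM User resource. The extension URN, attribute names, sample values and the 14-day/30-day windows are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical extension URN (assumption); SCIM 1.x core attributes live under
# urn:scim:schemas:core:1.0, and extensions are listed beside it in "schemas".
EXT = "urn:scim:schemas:extension:example:passwordmeta:1.0"

# Constructed sample SCIM User resource with the extension applied
SAMPLE_USER = {
    "schemas": ["urn:scim:schemas:core:1.0", EXT],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "nchambers",
    EXT: {
        "passwordLastResetDate": "2012-03-01T09:00:00Z",
        "passwordExpiryDate": "2012-05-30T09:00:00Z",
        "lastLoginDate": "2012-04-10T17:45:00Z",
    },
}

def _parse(ts):
    """Parse the ISO 8601 'Z' timestamps SCIM uses into aware UTC datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def password_meta(user):
    """Return the extension attributes; refuse resources that don't declare the schema."""
    if EXT not in user.get("schemas", []) or EXT not in user:
        raise ValueError("resource does not carry the password metadata extension")
    return {name: _parse(value) for name, value in user[EXT].items()}

def access_warnings(user, now, expiry_window=timedelta(days=14),
                    dormant_after=timedelta(days=30)):
    """Compliance-style checks: the notifications an employee should get at `now`."""
    meta = password_meta(user)
    warnings = []
    remaining = meta["passwordExpiryDate"] - now
    if remaining <= timedelta(0):
        warnings.append("password expired; reset required")
    elif remaining <= expiry_window:
        warnings.append("password expires in %d days" % remaining.days)
    idle = now - meta["lastLoginDate"]
    if idle >= dormant_after:
        warnings.append("no login for %d days" % idle.days)
    return warnings

if __name__ == "__main__":
    print(access_warnings(SAMPLE_USER, datetime(2012, 5, 25, 12, 0, tzinfo=timezone.utc)))
```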

Erik Wahlström

May 25, 2012, 7:41:19 AM
to cloud-d...@googlegroups.com
Hi Neil,

This is something that we put out of scope for 1.0, but I think this could definitely be 2.0 material. Keep us posted about that; for now, a schema extension.

Best Regards
Erik

Neil Chambers

May 25, 2012, 8:41:03 AM
to cloud-d...@googlegroups.com
Hi Erik,

Thanks for the quick reply.

If I can get all parties to agree on the approach we'll no doubt be
adding one or two (idiosyncratic) extensions - maybe even within the
next 1-2 months.

If we do settle on an approach I'll certainly come back with our
findings. I would imagine some of our compliance rules (SOX, PCI and so
on) in addition to a more implementation specific approach to access
renewal are probably a good fit with most large enterprises.

Cheers!
n

Trey Drake

May 25, 2012, 2:14:40 PM
to cloud-d...@googlegroups.com
Hi Neil,

Please do share. Aside from meta-data about login status and password state are you considering using SCIM as the protocol for password resets too? SCIM can handle simple reset cases now, but is very light on the subject.

Thanks,
Trey

Neil Chambers

May 28, 2012, 9:27:57 AM
to cloud-d...@googlegroups.com
Hello Trey,

Yes, I'm considering SCIM for password changes too as our needs are,
well, simple.

Saying that, it might be useful if a provider resource could express its
password policy (well, format rules). I'm not sure how much mileage you
could get trying to achieve that with attributes alone (max/minLength,
mustContain...etc.). A regular expression would be great, parsing issues
notwithstanding.

Maybe that is starting to creep into the NotSoSimpleCIM. If you provide
value validations for that attribute then where do you stop?

Cheers,
n

Kelly Grizzle

May 29, 2012, 2:13:19 PM
to cloud-d...@googlegroups.com
Hi Neil,

I have also seen the need for more options around password changes (e.g. pre-expiring). I would definitely like to see this discussed in SCIM 2.0. I opened issue 96 (http://code.google.com/p/scim/issues/detail?id=96) to track this.

Please update this issue with your findings as you begin to implement.

--Kelly