SCIM - User attribute overview

For attributes specified by SCIM: Core Schema v1.1, compliance with this specification is indicated in the same way as on the more general SCIM - Core Schema 1.1 compliance page:

  • compliance is indicated:
      • ✅ indicates compliance
      • ✳️ indicates optional features that are supported
      • 🔆 indicates optional features that are not supported
      • ✖️ indicates non-compliance
  • semantics for specific fields are described.

The information below covers both standard SCIM attributes and OneWelcome extensions, giving a complete overview of available attributes. Custom attributes can be configured on request; see SCIM - Custom user schema extension.

User Attributes

SCIM allows for various user attributes and fields to be submitted to OneWelcome. These can be divided into two categories:

  • Fields for which OneWelcome has some kind of semantics (i.e. they have meaning to OneWelcome's logic rather than being 'just data').
  • Fields for which OneWelcome has no semantics at all; OneWelcome only stores and makes those available through interfaces.

Personalia

Attribute | Multiplicity | Subattribute | Semantics | Validations | Schema
name | 1 | ✳️ OneWelcome returns both 'formatted' and other sub-attributes. | SCIM core 1.1
formatted | OneWelcome derives the value from other name sub-attributes. ✅ This enforces consistency between all name sub-attributes. Furthermore it facilitates consistent presentation of a user's name in SCIM client applications and OneWelcome applications like SelfService and ServiceDesk. If the SCIM client does not provide any name sub-attributes, OneWelcome allows a SCIM client to submit a formatted name only. If familyName, givenName or middleName is submitted as well as a formatted name, the formatted name is overwritten with the generated value. The format of the generated formatted name is configurable per 'locale' (e.g. "Smith, John" or "John Smith"). | none | SCIM core 1.1
familyName | none | SCIM core 1.1
givenName | none | SCIM core 1.1
middleName | none | SCIM core 1.1
honorificPrefix | none | SCIM core 1.1
honorificSuffix | none | SCIM core 1.1
nickName | 1 | ✅ nickName is not used as a user's login name; many people may share the same nickName such as 'John'. | none | SCIM core 1.1
profileUrl | 1 | ✖️ A fully qualified URL - not validated. | SCIM core 1.1
title | 1 | none | SCIM core 1.1
photos | *

OneWelcome allows SCIM clients to submit and retrieve any reference to a photo.

OneWelcome does not set or use the values of this field.

✖️ No validations at all.

Canonical values photo, thumbnail are not validated.

SCIM core 1.1
birthdate | 1 | 🔆 Validations on meaningful values (between 1-1-1900 and current date) are not applied. | OneWelcome user extension
gender | 1 | Male or female | OneWelcome user extension
placeOfBirth | 1 | No validations. | OneWelcome user extension

Contact Details

Attribute | Multiplicity | Subattribute | Semantics | Validations | Schema
addresses | * | Canonical Type Values of work, home, and other. In addition to these OneWelcome also supports values 'invoice', 'shipping'. 🔆 Validations on canonical type values are not applied.
formatted | Value is derived from individual address sub-attributes by OneWelcome. The format of the formatted address is configurable per 'locale'. If the SCIM client doesn't submit sub-attributes, the SCIM client may submit a formatted address. If the SCIM client provides one or multiple address sub-attributes, OneWelcome will overwrite the formatted address with the generated value. | SCIM core 1.1
streetAddress

As per SCIM specifications this field can be used for "the full street address component, which may include house number, street name, P.O. box, and multi-line extended street address information. This attribute MAY contain newlines."

In OneWelcome's implementation the value may contain '\n', which is used as a separator between individual data items within the streetAddress. In this case OneWelcome will parse the field using the following logic:

{street}\n{streetnumber}\n{region}\n{postal_code}\n{city}

OneWelcome does not copy the values of region, postal_code and city as a result of such parsing into the sub-attributes listed in this table. The parsed values will be shown as individual fields in the Self Service UI (if configured).

SCIM core 1.1
locality | SCIM core 1.1
region | SCIM core 1.1
postalCode | No validation on real-life existence of the postal code; consistency of postalCode with e.g. streetAddress is also not validated. | SCIM core 1.1
country | ✖️ No validation against ISO 3166-1 alpha 2 'short' code format. | SCIM core 1.1
emails | *

The primary value of this multi-valued attribute is used by OneWelcome to send emails (with authenticating links, OTP, ...).

Primary email addresses (by default) are used as user identifier.

🔆 OneWelcome does not canonicalise the values; i.e. does not convert to lowercase. Email addresses should be submitted in lowercase.

🔆 Canonical Type values of 'work' or 'home' are not validated.

An email address must have a valid value. Informally stated, it should look like "XXX@YYY.ZZZ"; it must contain one '@' and a '.'.

Primary email addresses must be unique over all identities within a segment; they're used as identifier. Email addresses within a single identity must be unique (regardless of their type and whether they're primary or not).

By default, a primary email is configured as a mandatory attribute; with this default OneWelcome configuration no identities can exist without a primary value for the emails attribute.

SCIM core 1.1
phoneNumbers | *

🔆 OneWelcome does not canonicalise values to the format specified by RFC 3966. It is recommended to submit values that are compliant (e.g. start with '+'), which will allow mobile phone numbers to be used in an automated way to send SMS text messages for 2FA purposes.

Phone number is a multi-valued attribute in the SCIM interface. If the type is 'mobile' and it is marked as 'primary', OneWelcome may use the phone number to send an OTP by SMS text message.

Phone numbers can be used as user identifier if their type is 'mobile'.

🔆 Canonical Type values of work, home, mobile, fax, pager are validated. | SCIM core 1.1
ims | * | No validation on type, since canonical values are not specified. | SCIM core 1.1
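
A client-side pre-flight check for the emails rules listed above, as an added example that is not part of the OneWelcome documentation or product code. Function names and the sample payload are hypothetical, and requiring the '.' to sit in the domain part is an interpretation of the informal "XXX@YYY.ZZZ" rule.

```python
# Added example: pre-flight check of the SCIM 'emails' attribute before
# submitting a user. Helper names are hypothetical; sample data is constructed.

def email_shape_ok(value):
    """Informal shape from the page: XXX@YYY.ZZZ, exactly one '@' and a '.'."""
    if value.count("@") != 1:
        return False
    local, domain = value.split("@")
    # Interpretation (assumption): the '.' must separate non-empty domain labels.
    return bool(local) and "." in domain and all(domain.split("."))


def check_emails(user, segment_primaries=frozenset()):
    """Return findings for one SCIM user resource (dict).

    segment_primaries: lowercased primary emails already held by other
    identities in the same segment (supplied by the caller).
    """
    findings = []
    emails = user.get("emails", [])
    seen = set()
    for entry in emails:
        value = entry.get("value", "")
        if not email_shape_ok(value):
            findings.append(f"invalid shape: {value!r}")
        if value != value.lower():
            # Values are stored as submitted, so 'A@x.nl' and 'a@x.nl'
            # would become two different identifiers.
            findings.append(f"not lowercase: {value!r}")
        if value.lower() in seen:
            findings.append(f"case-insensitive duplicate within identity: {value!r}")
        seen.add(value.lower())
    primaries = [e.get("value", "") for e in emails if e.get("primary") is True]
    if len(primaries) != 1:
        findings.append(f"expected exactly one primary email, found {len(primaries)}")
    for value in primaries:
        if value.lower() in segment_primaries:
            findings.append(f"primary already used in segment: {value!r}")
    return findings


# Constructed sample payload (not taken from the OneWelcome documentation).
SAMPLE_USER = {
    "userName": "jsmith",
    "emails": [
        {"value": "John.Smith@example.com", "type": "work", "primary": True},
        {"value": "john.smith@example.com", "type": "home"},
        {"value": "jsmith-at-example.com", "type": "home"},
    ],
}
```

Calling `check_emails(SAMPLE_USER, {"john.smith@example.com"})` reports the mixed-case primary, the case-variant duplicate, the malformed address and the clash with an existing primary in the segment.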
Attribute | Multiplicity | Subattribute | Semantics | Validations | Schema
userName | 1

Username can be used for identification during login (if configured).

Username is case sensitive.

Username value should not contain copied values from other identifying user attributes.

When the username is submitted through SCIM or chosen by the end user during registration or activation, it gets trustLevel 'verified' and may be shown on Self Service screens. In other situations it has the same value as 'id' and does not have the 'verified' trustLevel.

✅ OneWelcome validates the uniqueness and presence of this attribute.

ℹ️ When OneWelcome's segmentation feature is used, uniqueness is validated within the identity's segment.

SCIM core 1.1
id | 1 | -

Value is generated by OneWelcome and typically not known to the end user.

ID can be used for identification during login (if configured).

Value of ID never changes during lifecycle of the user's identity.

none | SCIM core 1.1
externalId | 1 | - | The external system determines what a typical value looks like. So relevance of this example is restricted. | none | SCIM core 1.1
segment | 1 | - | Click here for explanation. | OneWelcome validates a user's segment against the list of configured segments. | OneWelcome user extension
active | 1 | - | ✳️ The value true indicates that the user can log in. The value is derived from the more granular 'state' attribute. It is a read-only attribute. | none, read-only | SCIM core 1.1
state | 1 | - | Click here for explanation. | OneWelcome user extension
password | 1 | -

Password can be provided via SCIM. When a user is created, typically a password will be included, but this is not necessary.

When an identity is updated through SCIM User-PUT without a password-attribute, the password within OneWelcome remains unchanged.

OneWelcome supports the possibility to submit securely hashed passwords. Currently this feature is supported with the bcrypt, md5, and SSHA algorithms. If the value that is submitted starts with "{bcrypt}", "{md5}" or "{ssha}", the remaining part of the value is interpreted as the hash value, which will be used for password validation.

When the Authoritative Source sets the password through SCIM, it may or may not have communicated the password to the user, which can be indicated by setting the Trust level (see here) to 'validated' or not. Passwords that don't have TrustLevel 'validated' could be considered not known to the user and may as well be considered as non-existing, since they will not be used to log in. Usage of this semantics is optional, however.

✳️ Passwords are validated against password complexity rules. An update to a user with a password that does not comply with password complexity rules is rejected. | SCIM core 1.1
x509Certificates | * | - | OneWelcome does not currently use this attribute; it just allows storage and retrieval of values by SCIM clients. | none | SCIM core 1.1
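
How a SCIM client can classify the password values it is about to submit, following the prefix rule described for the password attribute; this is an added example, not OneWelcome code. It assumes the prefixes are matched exactly as written on the page and that the bcrypt value after the prefix uses the standard `$2b$<cost>$...` layout; the sample users and digests are constructed placeholders.

```python
import re

# Prefixes named on the page; exact lowercase matching is an assumption.
HASH_PREFIXES = ("{bcrypt}", "{md5}", "{ssha}")
# Standard bcrypt layout: $2b$<cost>$<22-char salt><31-char hash>.
# That this layout is expected after "{bcrypt}" is an assumption.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def classify_password(user):
    """Describe how the 'password' attribute of a SCIM user dict is handled."""
    if "password" not in user:
        # Per the page: a User-PUT without a password leaves it unchanged.
        return {"kind": "absent", "note": "stored password stays unchanged"}
    value = user["password"]
    for prefix in HASH_PREFIXES:
        if value.startswith(prefix):
            digest = value[len(prefix):]
            result = {"kind": prefix.strip("{}"), "digest": digest}
            if prefix == "{bcrypt}":
                match = BCRYPT_RE.match(digest)
                result["cost"] = int(match.group(1)) if match else None
                result["note"] = "ok" if match else "not a well-formed bcrypt string"
            else:
                # md5 and salted SHA-1 are fast hashes; flag them in an import.
                result["note"] = "legacy fast hash; prefer bcrypt for new imports"
            return result
    # No recognised prefix: the value is a plaintext password, which the
    # page says is validated against the password complexity rules.
    return {"kind": "plaintext", "note": "complexity rules apply"}


# Constructed sample users; the digests are shape-only placeholders.
SAMPLES = [
    {"userName": "u1", "password": "{bcrypt}$2b$12$" + "x" * 53},
    {"userName": "u2", "password": "{md5}" + "0" * 32},
    {"userName": "u3", "password": "Corr3ct-horse-battery"},
    {"userName": "u4"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        info = classify_password(sample)
        print(sample["userName"], info["kind"], "-", info["note"])
```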

User Settings

Attribute | Multiplicity | Subattribute | Semantics | Validations | Schema
displayName | 1 | - | 🔆 OneWelcome does not use this attribute; it just allows storage and retrieval of values by SCIM clients. | 🔆 none | SCIM core v1.1
preferredLanguage | 1 | - | Value may be set by SCIM client, but may also be updated by the end user through Self Service. ✅ If OneWelcome updates the value of this attribute, the value will be compliant with SCIM specification (e.g. 'en_US'). | ✖️ No validations are applied. SCIM clients should submit values in compliance with SCIM specifications. Validations may be applied by future releases of OneWelcome. | SCIM core v1.1
locale | 1 | - | OneWelcome does not interpret or set this field. SCIM clients can set and retrieve values. | ✖️ No validations. SCIM clients should submit values in compliance with SCIM specifications. Validations may be applied by future OneWelcome releases. | SCIM core v1.1
timezone | 1 | - | OneWelcome does not interpret or set this field. SCIM clients can set and retrieve values. | ✖️ No validations. SCIM clients should submit values in compliance with SCIM specifications. Validations may be applied by future OneWelcome releases. | SCIM core v1.1
Attribute | Multiplicity | Subattribute | Semantics | Validations | Schema
groups | * | - | ✖️ This attribute is not supported. Also the Group endpoint is currently not supported. | none
entitlements | * | - | Currently no semantics are applied; SCIM clients can set and retrieve any value. Future versions of OneWelcome may apply semantics. | none | SCIM core v1.1
roles | * | - | Currently no semantics are applied; SCIM clients can set and retrieve any value. Future versions of OneWelcome may apply semantics. | none | SCIM core v1.1
userType | 1 | - | Currently no semantics are applied; SCIM clients can set and retrieve any value. Future versions of OneWelcome may apply semantics. | none | SCIM core v1.1
  Last updated by Stein Welberg