Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
The TOTP Shared Secret SCIM Sub Resource Type Handler may be used to manage the end user's TOTP (time-based one-time password, as described in RFC 6238) shared secret using the UnboundID Password Policy State Extended LDAP operation.
The TOTP Shared Secret SCIM Sub Resource Type Handler may be used to determine whether the end user has a registered shared secret, to remove the registered shared secret, and to generate and register a new shared secret.
The TOTP Shared Secret SCIM Sub Resource Type Handler component inherits from the SCIM Sub Resource Type Handler.
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties:
---|---
description | None
enabled |
endpoint |
otpauth-uri-issuer-name |
otpauth-uri-account-attribute-path |
time-interval-duration |
adjacent-intervals-to-check |
description
Description | A description for this SCIM Sub Resource Type Handler |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
enabled
Description | Indicates whether the handler is enabled. If a handler is not enabled, operations that use this handler will not be processed. |
Default Value | None |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
endpoint
Description | The HTTP addressable endpoint of this SCIM Sub Resource Type Handler relative to the base resource URL (e.g. '/scim/v2/users/1234'). Do not include a leading '/'. |
Default Value | None |
Allowed Values | An HTTP addressable endpoint consisting only of letters, digits, '_' and '-' characters. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
otpauth-uri-issuer-name
Description | Specifies the issuer that will be displayed in the TOTP device when a QR code encoded from the generated shared secret URI is scanned. The value of this property is inserted into the generated shared secret URI, which can be encoded into a QR code that may be scanned by the TOTP device. It is useful for identifying the provider or service managing the account the shared secret is associated with. It must not contain a colon character. |
Default Value | No issuer will be included. |
Allowed Values | The issuer name |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
otpauth-uri-account-attribute-path
Description | Specifies the attribute path whose value will be used as the account name that will be displayed in the TOTP device when a QR code encoded from the generated shared secret URI is scanned. The value of this property is inserted into the generated shared secret URI, which can be encoded into a QR code that may be scanned by the TOTP device. It is useful for identifying the account the shared secret is associated with. |
Default Value | No account name will be included. |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
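The issuer and account name properties above are carried in an otpauth:// key URI, the format TOTP apps decode from a QR code. The following is an added example, not code from the product or its documentation, showing how such a URI is assembled and why the issuer cannot contain a colon (it separates issuer and account in the label); the function names and the period parameter are illustrative assumptions.

```python
# Added example (not UnboundID/PingDirectory code): build the otpauth:// key URI
# that a TOTP device decodes from a QR code, inserting issuer and account name
# the way the otpauth-uri-* properties describe.
import base64
import secrets
from typing import Optional
from urllib.parse import quote, urlencode


def generate_shared_secret(num_bytes: int = 20) -> str:
    """Fresh random shared secret as unpadded base32 (20 bytes = 160 bits)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def build_otpauth_uri(secret_b32: str, issuer: Optional[str], account: Optional[str],
                      period_seconds: int = 30) -> str:
    """Build an otpauth://totp/ URI in the de-facto Key URI format.

    The label is '<issuer>:<account>' when both are present. Because the colon
    separates the two parts, an issuer containing a colon would make the label
    ambiguous, which is why the issuer-name property forbids it.
    """
    if issuer is not None and ":" in issuer:
        raise ValueError("issuer must not contain a colon character")
    if period_seconds < 1:
        raise ValueError("period must be at least 1 second")
    if issuer and account:
        label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    else:
        label = quote(issuer or account or "", safe="")
    params = {"secret": secret_b32, "period": period_seconds}
    if issuer:
        # Repeated as a query parameter for apps that do not parse the label prefix.
        params["issuer"] = issuer
    return f"otpauth://totp/{label}?{urlencode(params)}"
```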
time-interval-duration
Description | The duration of the time interval used to validate the TOTP before registering the generated shared secret. In order for clients to authenticate successfully, they must be configured to use the same time interval as the server. The time interval should be large enough to allow a user to enter the generated one-time password within the interval, but small enough to minimize the length of time during which that one-time password could be re-used. Most implementations use a default interval duration of 30 seconds, and deviating from that may limit the set of tools which may be used to generate one-time password values. |
Default Value | 30 seconds |
Allowed Values | A duration. Lower limit is 1 second. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
adjacent-intervals-to-check
Description | The number of adjacent time intervals (both before and after the current time) that should be checked to validate the TOTP before registering the generated shared secret. It is recommended that a small number of adjacent intervals be supported to allow for clients whose clocks may be slightly skewed from that of the server, and also for cases in which the time interval changes between the time the client sent the request and the server was able to process it. However, checking too many adjacent intervals can adversely impact performance because the server will have to check up to one more than twice the configured number of adjacent intervals (one for the current interval, one for each adjacent interval before the current interval, and one for each adjacent interval after the current interval). |
Default Value | 2 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured SCIM Sub Resource Type Handlers:
dsconfig list-scim-sub-resource-type-handlers [--property {propertyName}] ...
To view the configuration for an existing SCIM Sub Resource Type Handler:
dsconfig get-scim-sub-resource-type-handler-prop --handler-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing SCIM Sub Resource Type Handler:
dsconfig set-scim-sub-resource-type-handler-prop --handler-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new TOTP Shared Secret SCIM Sub Resource Type Handler:
dsconfig create-scim-sub-resource-type-handler --handler-name {name} --type totp-shared-secret --set enabled:{propertyValue} --set endpoint:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing SCIM Sub Resource Type Handler:
dsconfig delete-scim-sub-resource-type-handler --handler-name {name}