Plain text passwords displaying in SCIM call

Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP
Deployment model:
  • Cloud
  • Hybrid
  • On Premises
Version Affected: 22.12+

Description:

When inspecting the SCIM POST call that provisions a user, the user's password is visible in plain text in the request payload.

Cause:

This is by design. RFC 7643 (System for Cross-domain Identity Management: Core Schema) defines the password attribute as a value sent in the user resource itself, and the SCIM provider may require it to be supplied in this form.

Resolution:

    An option to exclude the password has been implemented in IdP 24.4.7:

    Option to exclude password in SCIM payload:
    You can now use a new option in SCIM to exclude the user password from the payload sent to the SCIM provider. By default, the IdP includes the password field when creating users, as defined in RFC 7643 (SCIM Core Schema). If you select this option, the password is not sent during provisioning. Some SCIM providers require a password for account creation, so user creation may fail if you choose to exclude it.


Please reach out to Support for assistance with applying release update 24.4.7 in your environment(s).

Special Considerations:

If you are on a release update prior to IdP 24.4.7, you can define a static attribute named “password” and leave its value empty. The static attribute overwrites the user's real password in the SCIM payload, so the provider receives a blank value instead of the plain-text password.
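The following is an added illustration, not SecureAuth code, of the three payload states this article describes (password included per RFC 7643, excluded via the 24.4.7 option, and blanked by the pre-24.4.7 static-attribute workaround), plus a helper for checking and redacting a captured SCIM body before it is pasted into logs or a support ticket. The user values and the function names are constructed for the example.

```python
import copy
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def build_scim_user(user_name, password=None, *, exclude_password=False,
                    static_attributes=None, **extra):
    """Assemble the SCIM User resource body for the provisioning POST.

    exclude_password models the 24.4.7 "exclude password" option: the
    attribute is dropped entirely. static_attributes models the pre-24.4.7
    workaround: a static attribute named "password" (set to "") overwrites
    the real value after the resource is assembled.
    """
    resource = {"schemas": [SCIM_USER_SCHEMA], "userName": user_name}
    resource.update(extra)  # e.g. displayName, emails
    if password is not None and not exclude_password:
        resource["password"] = password
    # Static attributes are applied last, so a static "password" wins.
    for name, value in (static_attributes or {}).items():
        resource[name] = value
    return resource


def exposes_cleartext_password(resource):
    """True when the body still carries a non-empty password value."""
    value = resource.get("password")
    return isinstance(value, str) and value != ""


def redact_for_logging(resource):
    """Return a JSON string safe to write to logs or tickets: the password
    value is replaced, and the caller's dict is left unmodified."""
    scrubbed = copy.deepcopy(resource)
    if "password" in scrubbed:
        scrubbed["password"] = "[REDACTED]"
    return json.dumps(scrubbed, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample user, not real credentials.
    body = build_scim_user("jdoe", "S3cret!", displayName="Jane Doe")
    print(exposes_cleartext_password(body))   # True: default behaviour
    print(redact_for_logging(body))           # password shown as [REDACTED]
```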

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
