Service Tokens Using the Password Authenticator Plugin

As of Registry v3.3.0, Service Tokens can be implemented via Authenticator Plugins. As a result, Service Tokens need not be Passwords. To use Service Tokens, first set up an appropriate Authenticator. (In particular, the Password Authenticator Plugin may be useful.) Then edit (or create) the desired Registry Service and select the Authenticator in the configuration.

The LDAP Provisioner supports using PasswordAuthenticators to populate the voPersonApplicationPassword attribute.

Service Tokens in Registry v3.2.x and Earlier

Warning

As of Registry v3.3.0, Service Tokens as described in this documentation have been removed. Similar functionality is available via the Password Authenticator Plugin as described above. This documentation applies to Registry v2.0.0 through v3.2.x.

Experimental

Service Tokens are an experimental feature, and may be significantly changed or even removed completely in a future release. 


Note

Service Tokens are currently implemented as an optional plugin, and must be enabled. Once enabled, Service Tokens will be available for all COs on the platform that have CO Services defined.

...

  1. Only plaintext tokens of 8 or 15 characters are supported.
  2. Once set, a token cannot be revoked completely, though it can be changed.
  3. Although provisioning is initiated when a Service Token is set, provisioners do not currently have access to the Service Token records via the normal mechanism for accessing provisioning data. In other words, there is no out-of-the-box mechanism for accessing Service Tokens. A custom provisioner must be written.
    1. An experimental Provisioner Plugin, LdapServiceTokenProvisioner, is available to write a service token to the userPassword attribute. It is an optional plugin, and must be enabled. Once enabled, it is configured by associating it with an existing LDAP Provisioning Target and a single CO Service, for which it will write associated service tokens to the CO Person LDAP record. Be sure to order the Service Token Provisioner to run after the primary LDAP provisioner. This Plugin is likely to be replaced or removed in a future release.
  4. Although administrators can technically assign tokens on behalf of a user, there is no link from the CO Person canvas page to do so.
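
A directory-side check for the limitations above, as an added example that is not part of the COmanage documentation or code: it scans an LDIF export for userPassword values that carry no `{SCHEME}` hash prefix and notes whether their length is one of the two token lengths listed. It assumes the token reaches the directory as the same plaintext string, which this page does not state; the sample LDIF and all entry names are constructed.

```python
import base64
import re

TOKEN_LENGTHS = {8, 15}  # the two token lengths this page lists
SCHEME_RE = re.compile(rb"^\{[A-Za-z0-9._-]+\}")  # e.g. {SSHA}, {CRYPT}

# Constructed sample export; entries and values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,o=example
userPassword: x7Kq2mPz

dn: uid=bob,ou=people,o=example
userPassword: {SSHA}Zm9vYmFyc2FsdGVkaGFzaA==

dn: uid=carol,ou=people,o=example
userPassword:: YWJjZGVmZ2hp
 amtsbW5v

dn: uid=dave,ou=people,o=example
userPassword: correcthorse
"""

def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_unhashed(ldif_text):
    """Return (dn, value_length, matches_token_length) for each userPassword
    value with no {SCHEME} prefix. Values themselves are never returned."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank line, comment, or not an attribute line
        if rest.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.lstrip(" ").encode()
        if attr.lower() == "dn":
            dn = value.decode(errors="replace")
        elif attr.lower() == "userpassword" and not SCHEME_RE.match(value):
            findings.append((dn, len(value), len(value) in TOKEN_LENGTHS))
    return findings
```

Run it over an export of the provisioned branch; the third field separates values with a token-like length from other unhashed passwords.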

...


See Also