Authenticate a user name and password.

Entitlement required: manageUserGroups (Manage users and groups), or manageAllUserGroups (Synchronize users and groups), or manageUserStandardGroups (Manage users and standard groups), or authn (Authenticate yourself), or authnAnyUser (Authenticate any user), or manageUsers (Manage all users), or manageUsersInStandardGroups (Manage users in standard groups).
Note: You only need one entitlement, but you can have more than one.


The email template for branding is at "notifications/user_management/login/{locale}/user_account_locked_email.xml". Pass in the themeId query parameter to brand the email template for notifications.

* Versions of this API before September 2021 returned a scimType of LOCKED_PWD_FAILURES when a user was locked out because of invalid credentials. The API now returns a scimType of INVALID_CREDS and a notification is sent to the user, stating that the account was locked. Use the urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification element in the POST body to determine the type of notification.

If custom password intelligence warning is enabled and a password is provided that is listed in it, the 200 response includes the header 'isv-dictionary-policy' with the value: 'WARNLOCAL'.
If X-Force password intelligence warning is enabled and a password is provided that is listed in it, the 200 response includes the header 'isv-dictionary-policy' with the value: 'WARNGLOBAL'.
If custom password intelligence prevention is enabled and a password is provided that is listed in it, the 400 response can include the header 'isv-dictionary-policy' with the value: 'ENFORCELOCAL'. The corresponding error status is 'PWD_IN_DICTIONARY'.
If X-Force password intelligence prevention is enabled and a password is provided that is listed in it, the 400 response can include the header 'isv-dictionary-policy' with the value: 'ENFORCEGLOBAL'. The corresponding error status is 'PWD_IN_GLOBAL_DICTIONARY'.