

Password filter in IdM

A password filter is a feature of Active Directory (hereinafter AD) that lets you implement your own password policy and password change handling for AD. When a user logged in with an AD account changes their password through the OS password change form (standard shortcut CTRL+ALT+DELETE), AD passes the new password to the password filter. The password filter is called twice: first for validation and second for the password change itself.

CzechIdM provides REST endpoints for the AD password filter functionality. The password filter configuration is available only if a mapped password attribute (__PASSWORD__) exists in the system attribute mapping. The configuration becomes available after the checkbox Attribute with password is checked.

CzechIdM has two REST endpoints that are called by the password filter implementation. The first endpoint that must be called is validate; calling change directly is not allowed and an error is thrown.

The VALIDATE endpoint (e.g. http://localhost/idm/api/v1/systems/password-filter/validate/ ) processes a request step by step as follows:

Validation must pass through all password policies! Only one failed validation will set
  1. find the correct system (SysSystemDto) in IdM by the parameter resource. If the system cannot be found, an exception is thrown (404 - PASSWORD_FILTER_SYSTEM_NOT_FOUND),
  2. find the mapped attribute that contains the configuration for the password filter. If the attribute cannot be found or has a bad configuration, an exception is thrown (404 - PASSWORD_FILTER_DEFINITION_NOT_FOUND),
  3. find the identity for the given parameter username (for more information about finding a specific identity see this section). If the identity cannot be found, an exception is thrown (404 - PASSWORD_FILTER_IDENTITY_NOT_FOUND),
  4. check whether a uniform password definition exists - a uniform password definition unites all other systems. The password will also be changed on those systems, and for systems with a password filter an echo record will also be set,
  5. check the echo record - echo checking for validation has the following steps, evaluated for every managed account with a password filter:
    1. the echo does not exist ✔️ - the password will be processed
    2. the password in the echo record is not the same ✔️ - the password will be processed
    3. the echo record has already expired ✔️ - the password will be processed
    4. the echo record is already changed and valid ✖️ - all further processing is skipped and "password is valid" is returned to the password filter,
    5. the echo record was only checked so far and someone calls a second validation ✔️ - the password will be processed
  6. check whether a uniform password definition exists and change in IdM is checked,
  7. create the final password policy set, which may include the default password policy,
  8. process the validation,
  9. when even one item failed - set/create echos for all managed accounts with the failed check flag,
  10. when the password successfully passes all password policies - set/create echos for all managed accounts with the valid check flag.
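The following Python model walks through the VALIDATE flow above (system, definition and identity lookups with the page's 404 error codes, the five echo-record cases of step 5, and the echo flags written in steps 9 and 10) together with the rule that CHANGE must be preceded by a successful VALIDATE. It is an added illustration written for this page, not CzechIdM code: the in-memory store, the echo time-to-live, the salted-hash echo format, the minimum-length policy standing in for the real policy set, and the error code returned for a direct CHANGE call are all assumptions.

```python
"""Model of the VALIDATE / CHANGE password-filter flow described on this page.
Added example, not CzechIdM code. Assumptions: in-memory store, ECHO_TTL_SECONDS,
the echo storage format, the minimum-length policy and the CHANGE error code."""
import hashlib
import hmac
import os
from dataclasses import dataclass


class PasswordFilterError(Exception):
    """HTTP-style error returned to the password filter (status + error code)."""
    def __init__(self, status, code):
        super().__init__(f"{status} - {code}")
        self.status, self.code = status, code


ECHO_TTL_SECONDS = 300.0   # assumed validity window of an echo record


@dataclass
class Echo:
    """Echo record for one managed account. The last password seen is kept only as a
    salted PBKDF2 hash (assumption: the page does not describe the storage format)."""
    salt: bytes
    digest: bytes
    created: float     # epoch seconds
    valid: bool        # result of the last validation (steps 9/10)
    changed: bool      # True once CHANGE has been processed for this password

    @staticmethod
    def digest_of(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @classmethod
    def create(cls, password, now, valid, changed=False):
        salt = os.urandom(16)
        return cls(salt, cls.digest_of(password, salt), now, valid, changed)

    def same_password(self, password):
        return hmac.compare_digest(self.digest, self.digest_of(password, self.salt))


def echo_needs_processing(echo, password, now, ttl=ECHO_TTL_SECONDS):
    """Step 5. True -> run the password policies; False -> report 'valid' immediately."""
    if echo is None:                          # 5.1 no echo record
        return True
    if not echo.same_password(password):      # 5.2 different password in the echo
        return True
    if now - echo.created > ttl:              # 5.3 echo already expired
        return True
    if echo.changed and echo.valid:           # 5.4 changed and valid -> skip everything
        return False
    return True                               # 5.5 only checked so far, second validation


@dataclass
class IdmStore:
    """Constructed in-memory stand-in for the IdM database."""
    systems: dict            # resource name -> {"filter_configured": bool}
    identities: dict         # username -> list of managed account ids
    echos: dict              # account id -> Echo
    min_length: int = 8      # assumed stand-in for the final password policy set


def lookup_accounts(store, resource, username):
    """Steps 1-3: system, password-filter definition, identity (404 codes from the page)."""
    system = store.systems.get(resource)
    if system is None:
        raise PasswordFilterError(404, "PASSWORD_FILTER_SYSTEM_NOT_FOUND")
    if not system.get("filter_configured"):
        raise PasswordFilterError(404, "PASSWORD_FILTER_DEFINITION_NOT_FOUND")
    accounts = store.identities.get(username)
    if accounts is None:
        raise PasswordFilterError(404, "PASSWORD_FILTER_IDENTITY_NOT_FOUND")
    return accounts


def validate(store, resource, username, password, now):
    """VALIDATE endpoint. Returns True when the filter should accept the password."""
    accounts = lookup_accounts(store, resource, username)
    # Step 5: when no managed account needs processing (all echos changed+valid), report valid.
    if not any(echo_needs_processing(store.echos.get(a), password, now) for a in accounts):
        return True
    ok = len(password) >= store.min_length                   # steps 7-8 (assumed policy)
    for account in accounts:                                 # steps 9-10: echo for every account
        store.echos[account] = Echo.create(password, now, valid=ok)
    return ok


def change(store, resource, username, password, now):
    """CHANGE endpoint. The page states a direct CHANGE call throws; this model enforces it
    by requiring a fresh, valid echo for the same password on every managed account."""
    accounts = lookup_accounts(store, resource, username)
    for account in accounts:
        echo = store.echos.get(account)
        if (echo is None or not echo.valid or not echo.same_password(password)
                or now - echo.created > ECHO_TTL_SECONDS):
            raise PasswordFilterError(400, "VALIDATE_REQUIRED_BEFORE_CHANGE")  # assumed code
    for account in accounts:
        store.echos[account] = Echo.create(password, now, valid=True, changed=True)
    return True
```

The echo keeps only a salted hash of the password, so a leaked echo table does not expose clear-text passwords, and `same_password` uses a constant-time comparison. The `any(...)` in `validate` is one reading of "for every managed account": processing runs as soon as at least one account's echo does not short-circuit.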


Second endpoint CHANGE

  • by kopro