Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
devel:documentation:uniform_password:password_filter_idm [2020/08/27 14:34] kopro update documentation |
devel:documentation:uniform_password:password_filter_idm [2021/06/28 16:16] (current) kopro [Find correct identity by username from system] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Password | + | ====== Password |
- | {{ : | + | {{tag> |
+ | <note tip> | ||
- | [[https://docs.microsoft.com/en-us/windows/win32/secmgmt/password-filters|Password filter]] is feature | + | {{ : |
+ | |||
+ | |||
+ | CzechIdM provides feature **synchronize passwords from system**. IdM receives request for password synchronization from external system (for example | ||
+ | |||
+ | Setup the password synchronization | ||
+ | |||
+ | IdM process the password change request and **distributes password to all next connected system**. <wrap hi>The result is that user just change the password once via his local workstation and **password is same trough all connected systems**. User uses only **ONE password**.</ | ||
+ | |||
+ | Users also don't need change password via some special form or change password on every system that they use separately. Just one simple change trough own local workstation is enough. | ||
+ | |||
+ | Workstation based on [[https:// | ||
+ | |||
+ | Password synchronization works in two phases. First phase is password **validation** and the second is **password change** in IdM and distribution password to next system. IdM receives password trough **HTTPS** protocol and REST calling. | ||
+ | |||
+ | <note tip> | ||
+ | |||
+ | ===== Phases in password synchronization ===== | ||
+ | |||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | |||
+ | In first phase is synchronized password validated trough defined password policies in IdM. In IdM has every connected system specific | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | After success password validation continues password synchronization with password change. Password will be for first changed in IdM and all another connected systems. Basically the password | ||
+ | |||
+ | Each phase has own log format and it is very easy for check and control password synchronization | ||
+ | |||
+ | <code log> | ||
+ | INFO validate : Validation request pass! For identity [john.doe] and system code [AD users]. Log identifier: [1454118233]. Password filter version: [1.0.0]. | ||
+ | INFO change : Change request from resource [AD users] for identity identifier [john.doe] starting. Log identifier: [3621046325]. Password filter version: [1.0.0]. | ||
+ | INFO change : Password change | ||
+ | |||
+ | </ | ||
+ | |||
+ | ===== Step by step password | ||
+ | |||
+ | User wants change | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | After user press CTRL+ALT+DELETE | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | On password change form fill old password and new password and then confirm | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | After user press enter starts whole process described in above. Validation phase and then change phase. User doesn' | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | If new password doesn' | ||
+ | |||
+ | < | ||
+ | Unable to update the password. The value provided for the new password | ||
+ | </ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | After successful | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | ====== How it works in detail? ====== | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Password synchronization can be setup **only for system that has provisioning mapping** for identities and mapped **password** (standard attribute name: '' | ||
+ | |||
+ | Password synchronization has two phase as we said above. Each phase has own REST endpoint. These REST endpoints must be called | ||
- | System CzechIdM provides REST endpoints for AD password filter functionality. Password filter configurations will be available only if exists provisioning mapping for identities and mapped **password** ('' | ||
CzechIdM has two REST endpoints that is called by password filter implementation. The first endpoint **validate** **must be called** before the second endpoint **change**. Call directly **change** REST endpoint isn't allowed and **error will be thrown**. | CzechIdM has two REST endpoints that is called by password filter implementation. The first endpoint **validate** **must be called** before the second endpoint **change**. Call directly **change** REST endpoint isn't allowed and **error will be thrown**. | ||
+ | |||
<note tip>The **change** REST endpoint doesn' | <note tip>The **change** REST endpoint doesn' | ||
Line 21: | Line 98: | ||
Parameters '' | Parameters '' | ||
+ | <note important> | ||
+ | Both REST endpoints has new permissions '' | ||
- | Both REST endpoints has new permissions '' | + | === Permission settings |
- | ===== Why we want check echos? | + | {{: |
+ | |||
+ | ==== Why we want check echos? ==== | ||
{{: | {{: | ||
Without checking echos is very likely that password filter call IdM, IdM will process password and provisioning to all another system, **but including** the system from which was password change executed. The password filter on the system again catch this second password change and whole password change process is executed repeatably. | Without checking echos is very likely that password filter call IdM, IdM will process password and provisioning to all another system, **but including** the system from which was password change executed. The password filter on the system again catch this second password change and whole password change process is executed repeatably. | ||
- | As you see on picture at left side. The user initialize password change on his own computer. The computer process the password change | + | As you see on picture at left side. The **user initialize** password change on his **own computer**. The computer process the password |
- | When IdM check echo the process marked as red line will never happen. | + | <wrap hi>When IdM check echo the process marked as red line will never happen.</ |
---- | ---- | ||
Line 38: | Line 119: | ||
{{ : | {{ : | ||
- | The second image (right image) present password change executed by user from IdM. Password change can be executed by public change form, classic form change on user detail, password reset, password generation even create user with password. For all these cases IdM create | + | The second image (right image) present password change |
- | After user executed password change. IdM will create and process provisioning operation with password to all systems that has mapped password. For systems with password filter will be also create echo records and then will be processed classic provisioning with password. AD and other system with password (eq: LDAP, card system, ...) receives request with password change and process. AD process the password change request via password filer. AD's password filter doesn' | + | After user executed password change. IdM will **create** and process |
- | If IdM does not check the echo. The process marked as red line will be processed and the cycle occurs. | + | <wrap hi>If IdM does not check the echo. The process marked as red line will be processed and the cycle occurs.</ |
- | ===== Echo and flags ===== | + | ==== Echo and flags ==== |
- | All echo records are stored in distributed cache in IdM. | + | All echo records are stored in distributed cache in IdM. Echo record **can be evicted** by application configuration (Settings-> |
- | <note tip>Echo record are persisted in cache</ | + | {{ : |
- | ===== Password validation request | + | <note tip>Echo record are persisted in cache - with application restart may be all echos deleted - it depend on cache configuration.</ |
+ | |||
+ | {{ : | ||
+ | |||
+ | **Global agenda for all echo doesn' | ||
+ | |||
+ | Echo column will be shown only when logged user has permission for '' | ||
+ | |||
+ | In modal windows with echo detail are show 4 rows with these information: | ||
+ | * **Password changed** (boolean) - flag/check if password was **successfully** changed, | ||
+ | * **Changed date** (date) - date when was password **successfully** changed, | ||
+ | * **Performed successful password validation** (boolean) - flag if password validation was success or not, | ||
+ | * **Validation date** (date) - validation date. | ||
+ | |||
+ | <wrap hi>Echo record will be created after password filter call first validation REST endpoint</ | ||
+ | |||
+ | |||
+ | |||
+ | ==== Password validation request ==== | ||
There is step by step behavior processed by endpoint **VALIDATE** (//eq: http:// | There is step by step behavior processed by endpoint **VALIDATE** (//eq: http:// | ||
Line 62: | Line 161: | ||
- if attribute cannot be found or has bad configuration **exception will be throw** (404 - PASSWORD\_FILTER\_DEFINITION\_NOT\_FOUND), | - if attribute cannot be found or has bad configuration **exception will be throw** (404 - PASSWORD\_FILTER\_DEFINITION\_NOT\_FOUND), | ||
- **find identity** for given parameter '' | - **find identity** for given parameter '' | ||
- | - if identity cannot be found **exception will be throw** (404 - PASSWORD\_FILTER\_IDENTITY\_NOT\_FOUND), | + | - if identity |
- for more information about find specific identity see this section | - for more information about find specific identity see this section | ||
- **check if exists uniform password definition** | - **check if exists uniform password definition** | ||
Line 81: | Line 180: | ||
- **successfully** validate password trough password policies - **set/ | - **successfully** validate password trough password policies - **set/ | ||
- | ===== Password change request | + | ==== Password change request ==== |
Second endpoint **CHANGE** has following behavior (//eq: http:// | Second endpoint **CHANGE** has following behavior (//eq: http:// | ||
Line 109: | Line 208: | ||
- | ===== PASSWORD event ===== | + | ==== PASSWORD event ==== |
Endpoint change publish after all check new event **PASSWORD** for entity IdmIdentityDto. **The whole event including provisioning is synchronous now**. Classic **PASSWORD** event provides password validation, but event published by password filter has all validations skipped by property '' | Endpoint change publish after all check new event **PASSWORD** for entity IdmIdentityDto. **The whole event including provisioning is synchronous now**. Classic **PASSWORD** event provides password validation, but event published by password filter has all validations skipped by property '' | ||
Line 121: | Line 220: | ||
- | ===== Find correct identity by username from system ===== | + | ==== Find correct identity by username from system ==== |
+ | |||
+ | <note tip>The script used to transform the username** must be of type** '' | ||
- | ===== Password filter attribute ===== | + | From external system IdM receives **user identifier** - '' |
+ | But some external system has own system identifier. For these cases exists **transformation script** that allows to find correct owner of password change request. It is required returned identity otherwise exception will be thrown. The **script has to be** of the '' |