Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
devel:documentation:uniform_password:password_filter_idm [2020/09/02 11:10] kopro |
devel:documentation:uniform_password:password_filter_idm [2021/06/28 16:16] (current) kopro [Find correct identity by username from system] |
||
---|---|---|---|
Line 2: | Line 2: | ||
{{tag> | {{tag> | ||
- | {{ : | + | <note tip> |
- | <note tip> | + | {{ : |
- | CzechIdM provides | + | CzechIdM provides |
- | Users don't need change password via some special form or change password on every system that they use separately. Just one simple change trough own local workstation is enough. | + | Setup the password synchronization is easy - administrator musts just activate the feature **password synchronization** in IdM and setup external system for sending password change requests to IdM. Then users can simply initialized password change form on his own workstation and start changing the passwords by standard behavior. For example Windows stations has standard shortcut '' |
+ | |||
+ | IdM process the password change request and **distributes password to all next connected system**. <wrap hi>The result is that user just change the password once via his local workstation and **password is same trough all connected systems**. User uses only **ONE password**.</ | ||
+ | |||
+ | Users also don't need change password via some special form or change password on every system that they use separately. Just one simple change trough own local workstation is enough. | ||
Workstation based on [[https:// | Workstation based on [[https:// | ||
- | Password synchronization works in two phases. First phase is password validation and the second is password change in IdM and distribution password to next system. IdM receives password trough HTTPS protocol and REST calling. | + | Password synchronization works in two phases. First phase is password |
+ | |||
+ | <note tip> | ||
+ | |||
+ | ===== Phases in password synchronization ===== | ||
- | <note tip> | ||
{{ : | {{ : | ||
+ | |||
+ | |||
In first phase is synchronized password validated trough defined password policies in IdM. In IdM has every connected system specific password policy including IdM application. Through these policies will be password validated and the result will be send back to user. When password doesn' | In first phase is synchronized password validated trough defined password policies in IdM. In IdM has every connected system specific password policy including IdM application. Through these policies will be password validated and the result will be send back to user. When password doesn' | ||
Line 23: | Line 32: | ||
{{ : | {{ : | ||
+ | After success password validation continues password synchronization with password change. Password will be for first changed in IdM and all another connected systems. Basically the password change has same process as standard password changed that can be done in IdM by basic password change form. Before this phase must be password successfully validated, otherwise isn't possible change the password. | ||
+ | |||
+ | Each phase has own log format and it is very easy for check and control password synchronization with own log control mechanism, or just simple via log agenda in IdM. Simple example of parsed logs: | ||
+ | |||
+ | <code log> | ||
+ | INFO validate : Validation request pass! For identity [john.doe] and system code [AD users]. Log identifier: [1454118233]. Password filter version: [1.0.0]. | ||
+ | INFO change : Change request from resource [AD users] for identity identifier [john.doe] starting. Log identifier: [3621046325]. Password filter version: [1.0.0]. | ||
+ | INFO change : Password change will be processed. For identity [john.doe] and system [AD users] was found these accounts for change [john.doe, | ||
+ | |||
+ | </ | ||
+ | |||
+ | ===== Step by step password synchronization from Active Directory ===== | ||
+ | |||
+ | User wants change password on his own workstation and press CTRL+ALT+DELETE for initialize password change process: | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | After user press CTRL+ALT+DELETE Windows shows context menu that allow change password by option " | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | On password change form fill old password and new password and then confirm the password change by enter: | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | After user press enter starts whole process described in above. Validation phase and then change phase. User doesn' | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | If new password doesn' | ||
+ | |||
+ | < | ||
+ | Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain | ||
+ | </ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | After successful password change Windows shows success result: | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | ====== How it works in detail? ====== | ||
+ | |||
+ | {{: | ||
- | After success password validation is password | + | Password synchronization can be setup **only for system that has provisioning mapping** for identities and mapped **password** (standard attribute name: '' |
+ | Password synchronization has two phase as we said above. Each phase has own REST endpoint. These REST endpoints must be called with **POST** method and each endpoint has **own permission**. First endpoint provides validation and the second provides password change. | ||
- | System CzechIdM provides REST endpoints for AD password filter functionality. Password filter configurations will be available only if exists provisioning mapping for identities and mapped **password** ('' | ||
Line 44: | Line 98: | ||
Parameters '' | Parameters '' | ||
+ | <note important> | ||
+ | Both REST endpoints has new permissions '' | ||
- | Both REST endpoints has new permissions '' | + | === Permission settings |
- | ===== Why we want check echos? | + | {{: |
+ | |||
+ | ==== Why we want check echos? ==== | ||
{{: | {{: | ||
Line 68: | Line 126: | ||
- | ===== Echo and flags ===== | + | ==== Echo and flags ==== |
All echo records are stored in distributed cache in IdM. Echo record **can be evicted** by application configuration (Settings-> | All echo records are stored in distributed cache in IdM. Echo record **can be evicted** by application configuration (Settings-> | ||
Line 92: | Line 150: | ||
- | ===== Password validation request | + | ==== Password validation request ==== |
There is step by step behavior processed by endpoint **VALIDATE** (//eq: http:// | There is step by step behavior processed by endpoint **VALIDATE** (//eq: http:// | ||
Line 103: | Line 161: | ||
- if attribute cannot be found or has bad configuration **exception will be throw** (404 - PASSWORD\_FILTER\_DEFINITION\_NOT\_FOUND), | - if attribute cannot be found or has bad configuration **exception will be throw** (404 - PASSWORD\_FILTER\_DEFINITION\_NOT\_FOUND), | ||
- **find identity** for given parameter '' | - **find identity** for given parameter '' | ||
- | - if identity cannot be found **exception will be throw** (404 - PASSWORD\_FILTER\_IDENTITY\_NOT\_FOUND), | + | - if identity |
- for more information about find specific identity see this section | - for more information about find specific identity see this section | ||
- **check if exists uniform password definition** | - **check if exists uniform password definition** | ||
Line 122: | Line 180: | ||
- **successfully** validate password trough password policies - **set/ | - **successfully** validate password trough password policies - **set/ | ||
- | ===== Password change request | + | ==== Password change request ==== |
Second endpoint **CHANGE** has following behavior (//eq: http:// | Second endpoint **CHANGE** has following behavior (//eq: http:// | ||
Line 150: | Line 208: | ||
- | ===== PASSWORD event ===== | + | ==== PASSWORD event ==== |
Endpoint change publish after all check new event **PASSWORD** for entity IdmIdentityDto. **The whole event including provisioning is synchronous now**. Classic **PASSWORD** event provides password validation, but event published by password filter has all validations skipped by property '' | Endpoint change publish after all check new event **PASSWORD** for entity IdmIdentityDto. **The whole event including provisioning is synchronous now**. Classic **PASSWORD** event provides password validation, but event published by password filter has all validations skipped by property '' | ||
Line 162: | Line 220: | ||
- | ===== Find correct identity by username from system ===== | + | ==== Find correct identity by username from system ==== |
+ | |||
+ | <note tip>The script used to transform the username** must be of type** '' | ||
- | ===== Password filter attribute ===== | + | From external system IdM receives **user identifier** - '' |
+ | But some external system has own system identifier. For these cases exists **transformation script** that allows to find correct owner of password change request. It is required returned identity otherwise exception will be thrown. The **script has to be** of the '' |