Differences

This shows you the differences between two versions of the page.

--- devel:documentation:uniform_password:password_filter_idm [2020/09/03 09:58]
kopro temp save
+++ devel:documentation:uniform_password:password_filter_idm [2021/06/28 16:16] (current)
kopro [Find correct identity by username from system]
@@ Line 2: / Line 2: @@
 {{tag>synchronization password filter passwordfilter echo echos uniform password system systems change passwords CTRL+ALT+DELETE CTRL ALT DELETE}}
-{{ :devel:documentation:uniform_password:pf001.png|}}
+<note tip>Password synchronization allows users **very simply** change password to **all connected system** just from theirs workstations -> **only one password trough all system**.</note>
-<note tip>Password synchronization allow **simply** change password to **all connected system** from users **workstations**.</note>
+{{ :devel:documentation:uniform_password:pf001.png?700|}}
-CzechIdM provides fueature **synchronize password from system**. After sucessfull password synchronization sends the password on next connected systems via classic password change behavior in IdM. After administrator activates the feature **password synchronization** users can initialized password change form on his own workstation. For example Windows stations has standard shortcut ''CTRL+ALT+DELETE''. Password change form sends request for password change into IdM. IdM process the request and distributes password to all connected system. <wrap hi>The result is that user just change the password via his local workstation and **password is same trough all connected systems**. User uses on password.</wrap>
+CzechIdM provides feature **synchronize passwords from system**. IdM receives request for password synchronization from external system (for example [[https://en.wikipedia.org/wiki/Active_Directory|Active Directory]], [[https://www.openldap.org/|Open Ldap]]).  After IdM successful validates request for password synchronization. Password will be distributes into connected systems via classic password change behavior.
-Users don't need change password via some special form or change password on every system that they use separately. Just one simple change trough own local workstation is enough.
+Setup the password synchronization is easy - administrator musts just activate the feature **password synchronization** in IdM and  setup external system for sending password change requests to IdM. Then users can simply initialized password change form on his own workstation and start changing the passwords by standard behavior. For example Windows stations has standard shortcut ''CTRL+ALT+DELETE'' for initialize password change form. External system sends request for password change into IdM and IdM will take care of the rest of the password change process.
+IdM process the password change request and **distributes password to all next connected system**. <wrap hi>The result is that user just change the password once via his local workstation and **password is same trough all connected systems**. User uses only **ONE password**.</wrap>
+Users also don't need change password via some special form or change password on every system that they use separately. Just one simple change trough own local workstation is enough.
 Workstation based on [[https://en.wikipedia.org/wiki/Active_Directory|Active Directory]] uses password synchronization via [[https://docs.microsoft.com/en-us/windows/win32/secmgmt/password-filters|password filter]] more about this component [[devel:documentation:uniform_password:password_filter_dll|can be found there]].
-Password synchronization works in two phases. First phase is password validation and the second is password change in IdM and distribution password to next system. IdM receives password trough HTTPS protocol and REST calling.
+Password synchronization works in two phases. First phase is password **validation** and the second is **password change** in IdM and distribution password to next system. IdM receives password trough **HTTPS** protocol and REST calling.
-<note tip>Password is **never saved in plain text** in IdM.</note>
+<note tip>Passwords are **never saved in plain text** in IdM.</note>
 ===== Phases in password synchronization =====
@@ Line 41: / Line 45: @@
 ===== Step by step password synchronization from Active Directory =====
-User wants change password on his own workstation and press CTRL+ALT+DELETE for initialize password change process
+User wants change password on his own workstation and press CTRL+ALT+DELETE for initialize password change process:
 {{ :devel:documentation:uniform_password:pf1.png?600 |}}
-After user press CTRL+ALT+DELETE Windows shows context menu that allow change password by option "Change a password"
+After user press CTRL+ALT+DELETE Windows shows context menu that allow change password by option "Change a password":
 {{ :devel:documentation:uniform_password:pf2.png |}}
-On password change form fill old password and new password and then confirm the password change by enter.
+On password change form fill old password and new password and then confirm the password change by enter:
 {{ :devel:documentation:uniform_password:pf5.png |}}
-After user press enter starts whole process described in above. Validation phase and then change phase. User doesn't about anything on background and some phases.
+After user press enter starts whole process described in above. Validation phase and then change phase. User doesn't about anything on background and some phases:
 {{ :devel:documentation:uniform_password:pf3.png |}}
-If new password doesn't meet with policies Windows show to users standard info message about not valid password:
+If new password doesn't meet with policies defined in AD or inIdM Windows show to users standard info message about not valid password:
 <code>
@@ Line 63: / Line 67: @@
 </code>
+{{ :devel:documentation:uniform_password:pf7.png |}}
+After successful password change Windows shows success result:
+{{ :devel:documentation:uniform_password:pf4.png |}}
@@ Line 89: / Line 98: @@
 Parameters ''logIdentifier'' and ''version'' is part for **every log record** written into application log. Both these parameter is not required. Parameters ''password'', ''username'' and ''resource'' is **required**.
+<note important>
+Both REST endpoints has new permissions ''SYSTEM\_PASSWORDFILTERVALIDATE'' for validation and for change ''SYSTEM\_PASSWORDFILTERCHANGE''. Identity that password filter used for calling these REST endpoint must have both these permissions. For authentization can be used standard **basic** authentization or **CIDMST** token. Recommended is use **CIDMST** token with long expiration date. It's recommend create new identity with these permissions. </note>
-Both REST endpoints has new permissions ''SYSTEM\_PASSWORDFILTERVALIDATE'' for validation and for change ''SYSTEM\_PASSWORDFILTERCHANGE''. Identity that password filter used for calling these REST endpoint must have both these permissions. For authentization can be used standard **basic** authentization or **CIDMST** token. Recommended is use **CIDMST** token with long expiration date.
+=== Permission settings for password filter ===
+{{:devel:documentation:uniform_password:pf_permissions_setting.png?500|}}
 ==== Why we want check echos? ====
 {{:devel:documentation:uniform_password:100.png |}}
@@ Line 148: / Line 161: @@
       - if attribute cannot be found or has bad configuration **exception will be throw** (404 - PASSWORD\_FILTER\_DEFINITION\_NOT\_FOUND),
   - **find identity** for given parameter ''username'',
-      - if identity cannot be found **exception will be throw** (404 - PASSWORD\_FILTER\_IDENTITY\_NOT\_FOUND),
+      - if identity for whom the password is being validated cannot be found in IdM **exception will be throw** (404 - PASSWORD\_FILTER\_IDENTITY\_NOT\_FOUND),
       - for more information about find specific identity see this section
   - **check if exists uniform password definition**
@@ Line 209: / Line 222: @@
 ==== Find correct identity by username from system ====
-==== Password filter attribute ====
+<note tip>The script used to transform the username** must be of type** ''Transform from a system''!</note>
+From external system IdM receives **user identifier** - ''username'' parameter. If for the identifier exists equal account (UID) the owner of the account will be used as owner of the password change request. If doesn't exists equal account, IdM checks if exists identity (username) with the given **user identifier**.
+But some external system has own system identifier. For these cases exists **transformation script** that allows to find correct owner of password change request. It is required returned identity otherwise exception will be thrown. The **script has to be** of the ''Transformation from a system'' type, **another script types will not work**!