devel:documentation:uniform_password:password_filter_idm [2020/09/03 10:58] kopro
devel:documentation:uniform_password:password_filter_idm [2021/06/28 16:16] (current) kopro [Find correct identity by username from system]
Line 2: | Line 2: | ||
{{tag> | {{tag> | ||
- | {{ : | + | <note tip> |
- | <note tip> | + | {{ : |
- | CzechIdM provides feature **synchronize | + | CzechIdM provides feature **synchronize |
- | Users don't need change password via some special form or change password on every system that they use separately. Just one simple change trough own local workstation is enough. | + | Setup the password synchronization is easy - administrator musts just activate the feature **password synchronization** in IdM and setup external system for sending password change requests to IdM. Then users can simply initialized password change form on his own workstation and start changing the passwords by standard behavior. For example Windows stations has standard shortcut '' |
+ | |||
+ | IdM process the password change request and **distributes password to all next connected system**. <wrap hi>The result is that user just change the password once via his local workstation and **password is same trough all connected systems**. User uses only **ONE password**.</ | ||
+ | |||
+ | Users also don't need change password via some special form or change password on every system that they use separately. Just one simple change trough own local workstation is enough. | ||
Workstation based on [[https:// | Workstation based on [[https:// | ||
- | Password synchronization works in two phases. First phase is password validation and the second is password change in IdM and distribution password to next system. IdM receives password trough HTTPS protocol and REST calling. | + | Password synchronization works in two phases. First phase is password |
- | <note tip>Password is **never saved in plain text** in IdM.</ | + | <note tip>Passwords are **never saved in plain text** in IdM.</ |
===== Phases in password synchronization ===== | ===== Phases in password synchronization ===== | ||
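Review bot: the new setup paragraph on the right side of the Line 2 hunk needs a grammar pass before it is published: "administrator musts just activate" should read "the administrator only has to activate", "users can simply initialized password change form" should read "users can simply open the password change form", "Windows stations has standard shortcut" should read "Windows workstations have the standard shortcut", and "distributes password to all next connected system" should read "distributes the password to all other connected systems". Separately, the left side of the phases sentence stated that IdM receives the password over HTTPS via a REST call; the rewritten sentence is cut off in this view, so confirm that statement survives, because this is the one hop where the new password leaves the workstation and readers need to know the transport is HTTPS.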
Line 41: | Line 45: | ||
===== Step by step password synchronization from Active Directory ===== | ===== Step by step password synchronization from Active Directory ===== | ||
- | User wants change password on his own workstation and press CTRL+ALT+DELETE for initialize password change process | + | User wants change password on his own workstation and press CTRL+ALT+DELETE for initialize password change process: |
{{ : | {{ : | ||
- | After user press CTRL+ALT+DELETE Windows shows context menu that allow change password by option " | + | After user press CTRL+ALT+DELETE Windows shows context menu that allow change password by option " |
{{ : | {{ : | ||
- | On password change form fill old password and new password and then confirm the password change by enter. | + | On password change form fill old password and new password and then confirm the password change by enter: |
{{ : | {{ : | ||
- | After user press enter starts whole process described in above. Validation phase and then change phase. User doesn' | + | After user press enter starts whole process described in above. Validation phase and then change phase. User doesn' |
{{ : | {{ : | ||
- | If new password doesn' | + | If new password doesn' |
< | < | ||
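Review bot: the step-by-step lines in the Line 41 hunk only gained trailing colons, so the existing grammar slips are carried over; suggest fixing them in the same edit: "User wants change password on his own workstation and press CTRL+ALT+DELETE for initialize password change process" should read "The user wants to change the password on their own workstation and presses CTRL+ALT+DELETE to initiate the password change process", "After user press CTRL+ALT+DELETE Windows shows context menu that allow change password" should read "After the user presses CTRL+ALT+DELETE, Windows shows a menu that allows changing the password", and "On password change form fill old password and new password" should read "On the password change form, fill in the old and the new password".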
Line 63: | Line 67: | ||
</ | </ | ||
+ | {{ : | ||
+ | |||
+ | After successful password change Windows shows success result: | ||
+ | |||
+ | {{ : | ||
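Review bot: the added sentence "After successful password change Windows shows success result:" should read "After a successful password change, Windows shows a success message:"; otherwise the two new screenshots are a welcome addition to the walkthrough.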
Line 89: | Line 98: | ||
Parameters '' | Parameters '' | ||
+ | <note important> | ||
+ | Both REST endpoints has new permissions '' | ||
- | Both REST endpoints has new permissions '' | + | === Permission settings |
+ | {{: | ||
+ | | ||
==== Why we want check echos? ==== | ==== Why we want check echos? ==== | ||
{{: | {{: | ||
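Review bot: "Both REST endpoints has new permissions" should read "Both REST endpoints have new permissions". Since this sentence is now wrapped in a note marked important and gets its own "Permission settings" subsection, it is worth adding one sentence stating that the account the external system authenticates with should be granted exactly these permissions and nothing else, so the password filter runs with the least privilege needed for the validation and change calls.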
Line 148: | Line 161: | ||
- if attribute cannot be found or has bad configuration **exception will be throw** (404 - PASSWORD\_FILTER\_DEFINITION\_NOT\_FOUND), | - if attribute cannot be found or has bad configuration **exception will be throw** (404 - PASSWORD\_FILTER\_DEFINITION\_NOT\_FOUND), | ||
- **find identity** for given parameter '' | - **find identity** for given parameter '' | ||
- | - if identity cannot be found **exception will be throw** (404 - PASSWORD\_FILTER\_IDENTITY\_NOT\_FOUND), | + | - if identity |
- for more information about find specific identity see this section | - for more information about find specific identity see this section | ||
- **check if exists uniform password definition** | - **check if exists uniform password definition** | ||
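Review bot: "exception will be throw" in the unchanged context line should read "exception will be thrown", and the right side of the identity-not-found line is cut off in this view, so check that the same wording is fixed there. One caveat worth a sentence in the text: the two distinct 404 reasons (PASSWORD_FILTER_DEFINITION_NOT_FOUND versus PASSWORD_FILTER_IDENTITY_NOT_FOUND) tell the caller whether a given username maps to an identity in IdM; that is acceptable only because the endpoints are restricted by the permissions described above, and the text should say so.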
Line 209: | Line 222: | ||
==== Find correct identity by username from system ==== | ==== Find correct identity by username from system ==== | ||
- | ==== Password filter attribute ==== | + | <note tip>The script used to transform the username** must be of type** '' |
+ | |||
+ | From external system IdM receives **user identifier** - '' | ||
+ | But some external system has own system identifier. For these cases exists **transformation script** that allows to find correct owner of password change request. It is required returned identity otherwise exception will be thrown. The **script has to be** of the '' |
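Review bot: the script type requirement is now stated twice in the Line 209 hunk, once in the tip ("The script used to transform the username must be of type") and again at the end of the paragraph ("The script has to be of the"); keep one of them. "It is required returned identity otherwise exception will be thrown" should read "The script must return an identity, otherwise an exception is thrown", and "some external system has own system identifier" should read "some external systems have their own identifier". This hunk also removes the "Password filter attribute" heading; make sure no other page or anchor still links to that section.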