Differences

devel:documentation:uniform_password:password_filter_idm [2020/09/03 12:46]
kopro add script information
devel:documentation:uniform_password:password_filter_idm [2021/06/28 16:16] (current)
kopro [Find correct identity by username from system]
Line 1: Line 1:
 ====== Password synchronization ====== ====== Password synchronization ======
 {{tag>synchronization password filter passwordfilter echo echos uniform password system systems change passwords CTRL+ALT+DELETE CTRL ALT DELETE}} {{tag>synchronization password filter passwordfilter echo echos uniform password system systems change passwords CTRL+ALT+DELETE CTRL ALT DELETE}}
- 
-{{ :devel:documentation:uniform_password:pf001.png?700|}} 
  
 <note tip>Password synchronization allows users **very simply** change password to **all connected system** just from theirs workstations -> **only one password trough all system**.</note> <note tip>Password synchronization allows users **very simply** change password to **all connected system** just from theirs workstations -> **only one password trough all system**.</note>
 +
 +{{ :devel:documentation:uniform_password:pf001.png?700|}}
  
  
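Review bot: moving the screenshot after the tip note reads better than having it float above the heading, but the note text this hunk re-emits unchanged still has the grammar errors ("allows users very simply change password to all connected system just from theirs workstations"); while the block is being touched, suggest "Password synchronization allows users to change their password on all connected systems very simply, straight from their workstations: only one password across all systems."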
Line 98: Line 98:
  
 Parameters ''logIdentifier'' and ''version'' is part for **every log record** written into application log. Both these parameter is not required. Parameters ''password'', ''username'' and ''resource'' is **required**. Parameters ''logIdentifier'' and ''version'' is part for **every log record** written into application log. Both these parameter is not required. Parameters ''password'', ''username'' and ''resource'' is **required**.
 +<note important>
 +Both REST endpoints has new permissions ''SYSTEM\_PASSWORDFILTERVALIDATE'' for validation and for change ''SYSTEM\_PASSWORDFILTERCHANGE''. Identity that password filter used for calling these REST endpoint must have both these permissions. For authentization can be used standard **basic** authentization or **CIDMST** token. Recommended is use **CIDMST** token with long expiration date. It's recommend create new identity with these permissions. </note>
  
-Both REST endpoints has new permissions ''SYSTEM\_PASSWORDFILTERVALIDATE'' for validation and for change ''SYSTEM\_PASSWORDFILTERCHANGE''. Identity that password filter used for calling these REST endpoint must have both these permissions. For authentization can be used standard **basic** authentization or **CIDMST** token. Recommended is use **CIDMST** token with long expiration date.+=== Permission settings for password filter ===
  
 +{{:devel:documentation:uniform_password:pf_permissions_setting.png?500|}}
 +  
 ==== Why we want check echos? ==== ==== Why we want check echos? ====
 {{:devel:documentation:uniform_password:100.png |}} {{:devel:documentation:uniform_password:100.png |}}
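Review bot: the new note recommends creating a separate identity for the password filter, so it should say explicitly that this identity gets only SYSTEM_PASSWORDFILTERVALIDATE and SYSTEM_PASSWORDFILTERCHANGE and no other permissions, and that the long-expiration CIDMST token it recommends is a standing credential stored on the host running the password filter, to be protected there and revoked and regenerated if that host is compromised. Grammar in the same block: "Both REST endpoints has new permissions" should be "Both REST endpoints have new permissions", "authentization" should be "authentication" (four times), and "It's recommend create new identity with these permissions." should be "It is recommended to create a new identity with just these permissions." The new "=== Permission settings for password filter ===" heading with the screenshot is fine as a subsection of the current section.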
Line 157: Line 161:
       - if attribute cannot be found or has bad configuration **exception will be throw** (404 - PASSWORD\_FILTER\_DEFINITION\_NOT\_FOUND),       - if attribute cannot be found or has bad configuration **exception will be throw** (404 - PASSWORD\_FILTER\_DEFINITION\_NOT\_FOUND),
   - **find identity** for given parameter ''username'',   - **find identity** for given parameter ''username'',
-      - if identity cannot be found **exception will be throw** (404 - PASSWORD\_FILTER\_IDENTITY\_NOT\_FOUND),+      - if identity for whom the password is being validated cannot be found in IdM **exception will be throw** (404 - PASSWORD\_FILTER\_IDENTITY\_NOT\_FOUND),
       - for more information about find specific identity see this section       - for more information about find specific identity see this section
   - **check if exists uniform password definition**   - **check if exists uniform password definition**
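Review bot: the reworded bullet is clearer about which identity is meant, but it keeps "exception will be throw"; it should read "an exception will be thrown" (the preceding bullet has the same error). The next bullet, "for more information about find specific identity see this section", still carries no link target, so it should point at the "Find correct identity by username from system" heading it refers to.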
Line 217: Line 221:
  
 ==== Find correct identity by username from system ==== ==== Find correct identity by username from system ====
 +
 +<note tip>The script used to transform the username** must be of type** ''Transform from a system''!</note>
  
 From external system IdM receives **user identifier** - ''username'' parameter. If for the identifier exists equal account (UID) the owner of the account will be used as owner of the password change request. If doesn't exists equal account, IdM checks if exists identity (username) with the given **user identifier**. From external system IdM receives **user identifier** - ''username'' parameter. If for the identifier exists equal account (UID) the owner of the account will be used as owner of the password change request. If doesn't exists equal account, IdM checks if exists identity (username) with the given **user identifier**.
  
-But some external system has own system identifier. For these cases exists **transformation script** that allow find correct owner of password change request. It is required returned identity otherwise exception will be thrown.+But some external system has own system identifier. For these cases exists **transformation script** that allows to find correct owner of password change request. It is required returned identity otherwise exception will be thrown. The **script has to be** of the ''Transformation from a system'' type, **another script types will not work**!
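Review bot: the new tip and the new sentence name the script type differently, ''Transform from a system'' in the tip and ''Transformation from a system'' in the paragraph; use the label the IdM UI actually shows, and use it in both places. The bold markup in the tip is also off by one word ("username** must be of type**" opens the bold after the space); it should read "username **must be of type** ''Transform from a system''". In the paragraph, "It is required returned identity otherwise exception will be thrown." should become "The script must return an identity, otherwise an exception is thrown." Finally, since the script decides who owns the password change request, the paragraph should state whether its result takes precedence over the account (UID) and username lookups described just above: a script that resolves to the wrong identity would set another user's password, so readers need to know which lookup wins.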
  • by kopro