Differences

This shows you the differences between two versions of the page.

tutorial:adm:czechidm_installation_finalize [2019/10/31 14:19]
kopro add information about password reset
tutorial:adm:czechidm_installation_finalize [2020/03/02 09:26]
apeterova password and auth
Line 21: Line 21:
 ===== Password policy ===== ===== Password policy =====
  
-Go to Settings -> Password policies and set the [[devel:documentation:adm:pwd|password policy]] according to your security standards.+Go to Settings -> Password policies and set the [[devel:documentation:password_policies|password policy]] according to your security standards
 + 
 +It's recommended to set [[tutorial:adm:block_user_unsuccessful_login_attemps|temporary blocking login after unsuccessful login attempts]].
  
 If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired). If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired).
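Review bot: The link target in the added recommendation line is spelled `block_user_unsuccessful_login_attemps` ("attemps"), so please confirm that a page really exists under that id, otherwise the link is dead. The sentence itself would read better as "It is recommended to enable temporary blocking of login after unsuccessful login attempts." Also, the rewritten "Go to Settings -> Password policies" line appears to have lost its closing period.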
Line 32: Line 34:
 Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[tutorial:adm:new_role|Create the role]] and [[tutorial:adm:add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]]. Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[tutorial:adm:new_role|Create the role]] and [[tutorial:adm:add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[devel:documentation:security:dev:authorization#default_settings_of_permissions_for_an_identity_profile|userRole]].
  
 +Users may authenticate by their local CzechIdM password, or you may configure authentication against some of the connected systems - typically AD or LDAP ([[devel:documentation:security:dev:authentication#defaultaccauthenticator|Authentication against end system]]). Or you may configure [[tutorial:adm:sso_ad_domain|SSO]].
  
 ===== Configure the approval process ===== ===== Configure the approval process =====
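Review bot: The added authentication paragraph sits at the end of the userRole permissions text although it concerns login rather than permissions; it would fit better next to the Password policy section or under its own heading. It also does not say whether the local CzechIdM password still works once authentication against AD or LDAP is configured, or whether the password policy and login blocking recommended earlier on the page apply to such logins; one sentence on that would help administrators. Minor: "some of the connected systems" should be "one of the connected systems", and "Or you may configure SSO." reads better merged into the previous sentence.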
  • by apeterova