Differences

This shows you the differences between two versions of the page.

tutorial:adm:czechidm_installation_finalize [2019/10/31 14:19]
kopro add information about password reset
tutorial:adm:czechidm_installation_finalize [2020/03/02 09:26] (current)
apeterova password and auth
Line 21: Line 21:
 ===== Password policy ===== ===== Password policy =====
  
-Go to Settings -> Password policies and set the [[devel:​documentation:​adm:pwd|password policy]] according to your security standards.+Go to Settings -> Password policies and set the [[devel:​documentation:​password_policies|password policy]] according to your security standards
 + 
 +It's recommended to set [[tutorial:​adm:​block_user_unsuccessful_login_attemps|temporary blocking login after unsuccessful login attempts]].
  
 If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[devel:​documentation:​application_configuration:​dev:​scheduled_tasks:​task-scheduler#​passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[devel:​documentation:​application_configuration:​dev:​scheduled_tasks:​task-scheduler#​passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired). If you want to use **Maximum password age**, you will probably want to notify users when their passwords are going to expire. To do so, schedule the tasks [[devel:​documentation:​application_configuration:​dev:​scheduled_tasks:​task-scheduler#​passwordexpirationwarningtaskexecutor|PasswordExpirationWarningTaskExecutor]] (notify users before the password expiration) and [[devel:​documentation:​application_configuration:​dev:​scheduled_tasks:​task-scheduler#​passwordexpiredtaskexecutor|PasswordExpiredTaskExecutor]] (notify users when their password expired).
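Review bot: The reworded first line of this hunk loses the full stop after "security standards", and the added recommendation links to a page id spelled "block_user_unsuccessful_login_attemps". Restore the full stop, and confirm that the id matches the existing target page exactly, because the spelling differs from "attempts" in the link text and a mismatch would leave a dead link. The link text itself would read better as "temporary login blocking after unsuccessful login attempts".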
Line 32: Line 34:
 Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[tutorial:​adm:​new_role|Create the role]] and [[tutorial:​adm:​add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[devel:​documentation:​security:​dev:​authorization#​default_settings_of_permissions_for_an_identity_profile|userRole]]. Typically, you want to enable the users to see their profile, request for roles or change their password. This is done by a special role called **userRole**. [[tutorial:​adm:​new_role|Create the role]] and [[tutorial:​adm:​add_permissions|add Permissions]] to it. Recommended settings is written in the example permissions for [[devel:​documentation:​security:​dev:​authorization#​default_settings_of_permissions_for_an_identity_profile|userRole]].
  
 +Users may authenticate by their local CzechIdM password, or you may configure authentication against some of the connected systems - typically AD or LDAP ([[devel:​documentation:​security:​dev:​authentication#​defaultaccauthenticator|Authentication against end system]]). Or you may configure [[tutorial:​adm:​sso_ad_domain|SSO]].
  
 ===== Configure the approval process ===== ===== Configure the approval process =====
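Review bot: The added authentication paragraph sits directly after the userRole permissions text with no heading of its own, and it does not say whether the local CzechIdM password remains usable once authentication against AD or LDAP is configured. Because the Password policy section earlier on the page tells the reader to set a policy and login blocking, state here which password those settings still govern when an end system or SSO handles the login. The trailing fragment "Or you may configure SSO." should also be folded into the preceding sentence.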