| Both sides previous revision Previous revision | |
| tutorial:adm:password_provisioning [2019/11/08 07:59] – doischert | tutorial:adm:password_provisioning [2025/10/03 10:46] (current) – fiserp |
|---|
| ====== Password provisioning ====== | ====== Password provisioning ====== |
| |
| {{ :tutorial:adm:mapping_detail.png?nolink&800|}} | {{ :tutorial:adm:mapping_detail.png?nolink&800|}} |
| | Connectors that support changing a user's password (e.g., table, AD, LDAP, etc.) allow password provisioning. Each connector has specific settings for the password attribute. |
| |
| Connects which support changing user's password (table, ad, ldap, ...) it is possible to provision passwords. Each of these connectors has special settings for password attribute. Eq.: | For example: |
| | After selecting the password attribute and generating the system schema, it is possible to **create a mapping for the password**. The main password attribute can be mapped as the ''%%__PASSWORD__%%'' attribute. |
| |
| After you choose the password attribute and generate the schema for the system, it is possible to **create** mapping for password. Main password attribute can be mapped as the **\_\_PASSWORD\_\_** attribute. | The main password attribute (''%%__PASSWORD__%%'') is sent to the end system only with the user ID (''uid''). All attributes, including other attributes marked as password, are sent in separate provisioning operations. If the application property ''idm.sec.acc.provisioning.sendPasswordAttributesTogether'' is set to ''true'', only one provisioning operation will be created. This behavior is specific to password changes. When CzechIdM creates a new account on the end system, the password is sent together with other attributes (some connectors may reimplement this behavior, e.g., AD). |
| | |
| Main password attribute (\_\_PASSWORD\_\_) is sent to end system only with uid, all attributes including another attributes marked as password will be sent in a separate provisioning operation. If application property (//idm.sec.acc.provisioning.sendPasswordAttributesTogether//) is set to true, only one provisioning operation will be created. This behavior is only active when changing the password. When CzechIdM creates a new account on the end system, the password is sent together with other attributes (some connectors may reimplement the behavior with their own - AD). | |
| | |
| All password attributes will be transformed using transformation scripts before provisioning to the end system. The transformation scripts must return **GuardedString** or **null**, all another object throw exception. All transformation scripts obtain password in **attributeValue**. For transformation script, the classic rules for check security etc. will be applied . | |
| | |
| <note tip>Remeber all password attributes must have checked 'Password attribute'. Including main password attribute \_\_PASSWORD\_\_</note> | |
| | |
| <note important>In older versions (before 9.3.0) there is an attribute \_\_PASSWORD\_\_. The attribute still exists but for proper functioning the attribute must have the checkbox 'Password attribute' checked, otherwise the password change will not work correctly. In existing mappings, the password attribute is checked for all \_\_PASSWORD\_\_ attributes by the flyway script.</note> | |
| |
| | All password attributes will be transformed using transformation scripts before provisioning to the end system. The transformation scripts must return a **GuardedString** or **null**; any other object will throw an exception. All transformation scripts receive the password in the ''attributeValue'' parameter. Classic security rules (e.g., checks for sensitive data) apply to these scripts. |
| | <note tip>Ensure all password attributes have the **Password attribute** checkbox enabled. This includes the main password attribute ''%%__PASSWORD__%%''.</note> |
| | <note important>In older versions (before 9.3.0), the ''%%__PASSWORD__%%'' attribute still exists. For proper functionality, this attribute must have the **Password attribute** checkbox enabled, otherwise password changes will not work correctly. Existing mappings automatically have this checkbox enabled for all ''%%__PASSWORD__%%'' attributes via a flyway script.</note> |
| ===== Passwords and transformation ===== | ===== Passwords and transformation ===== |
| The transformations of password will be applied in these situations: | Password transformations are applied in these scenarios: |
| ==== Password change ==== | ==== Password change ==== |
| User changes his password for accounts (doesn't matter if the account includes his CzechIdM account) - classic password change form. After that, the password will be checked by the password policy and provisioning operation to system with \_\_PASSWORD\_\_ will be started. | When a user changes their password for an account (regardless of whether it's their CzechIdM account), the password is first validated against the password policy, then a provisioning operation is triggered for the system using ''%%__PASSWORD__%%''. |
| | If any transformation script contains errors, it will throw an exception that **is not stored** in the provisioning operation queue. |
| If the script for transforming password/s contains errors it will throw an exception which **is not stored** in the provisioning operation queue. | ==== Creating a new account and generating a password ==== |
| | When an administrator or automated process assigns a role with a mapped system to a user, and the system's mapping includes password attributes, a new password is generated. This password is transformed by each script in the password attributes. The same password is passed to all scripts. |
| ==== Creating a new account and generating password ==== | <note tip>Review all password transformation scripts and remove any debug, info, or error logs. The password is sensitive, so it should never be logged.</note> |
| | The password is generated using the password policy configured for the system. If no password policy is defined, the CzechIdM default password policy is used. If even the default policy is missing, **no password will be generated**. A ''null'' value will be passed to the script. **Always check for ''null'' in the ''attributeValue'' parameter** in your scripts. |
| When the administrator or an automated process adds a role with a mapped system to the user and the mapping for the system contains password attributes, new password will be generated and this password will be transformed by each script in password attributes. The same password will be sent to all scripts. | |
| | |
| <note tip>Please check all the transformation script for password and remove all debug, info, error logs that the script contains. The user password and will be sent into the script and the password is very sensitive so we should never log it.</note> | |
| | |
| The password is generated by a password policy for generating password that is selected for the system. If system contains no password policy for generating passwords, the password will be generated by the CzechIdM default password policy. If even default password policy doesn't exist **no password will be generated**. Null value will be sent into the script. **Please check attributeValue in script for null!** | |
| ===== Attribute Password in schema (__PASSWORD__) ===== | ===== Attribute Password in schema (__PASSWORD__) ===== |
| | <note tip>If the ''%%__PASSWORD__%%'' attribute is missing, you must create it manually.</note> |
| <note tip>If the attribute __PASSWORD__ is missing, you must create this attribute manually.</note> | |
| {{:schemapass.png|}} | {{:schemapass.png|}} |
| | * **Name:** ''%%__PASSWORD__%%'' |
| * **Name:** \_\_PASSWORD\_\_ | * **Data type:** ''eu.bcvsolutions.idm.core.security.api.domain.GuardedString'' |
| * **Data type:** eu.bcvsolutions.idm.core.security.api.domain.GuardedString | |
| * **Able to create:** true | * **Able to create:** true |
| * **Able to edit:** true | * **Able to edit:** true |
| * **Able to read:** true | * **Able to read:** true |
| |