Differences

tutorial:adm:password_provisioning [2019/06/12 05:12]
kopro [Attribute Password in schema (__PASSWORD__)]
tutorial:adm:password_provisioning [2019/11/08 07:59] (current)
doischert
Line 3: Line 3:
 {{ :​tutorial:​adm:​mapping_detail.png?​nolink&​800|}} {{ :​tutorial:​adm:​mapping_detail.png?​nolink&​800|}}
  
-For connector that allow password ​change ​(table, ad, ldap, ...) is possible ​provisioning passwordEvery of these connectors has special settings for password attribute. Eq.:+Connects which support changing user'​s ​password (table, ad, ldap, ...) it is possible ​to provision passwordsEach of these connectors has special settings for password attribute. Eq.:
  
-After you choose the password attribute and generate schema for system. It is possible **create** mapping for password. Main password attribute can be mapped as **\_\_PASSWORD\_\_** attribute. ​+After you choose the password attribute and generate ​the schema for the system, it is possible ​to **create** mapping for password. Main password attribute can be mapped as the **\_\_PASSWORD\_\_** attribute. ​
  
-Main password attribute (\_\_PASSWORD\_\_) is sent to end system only with uid, all attributes including another attributes marked as password will be sent in second ​provisioning operation. If application property (//​idm.sec.acc.provisioning.sendPasswordAttributesTogether//​) is set to true, only one provisioning operation will be created. This beahvior ​is only for password ​change. When CzechIdM creates new one account ​in end system. Is password sent together with another ​attributes (some connectors may reimplement the behavior with own - AD).+Main password attribute (\_\_PASSWORD\_\_) is sent to end system only with uid, all attributes including another attributes marked as password will be sent in a separate ​provisioning operation. If application property (//​idm.sec.acc.provisioning.sendPasswordAttributesTogether//​) is set to true, only one provisioning operation will be created. This behavior ​is only active when changing the password. When CzechIdM creates ​new account ​on the end system, the password ​is sent together with other attributes (some connectors may reimplement the behavior with their own - AD).
  
-All password attributes will be transformed ​before will be transformed via transformation scripts to end system. The transformation scripts must return **GuardedString** or **null**, all another object throw exception. All transformation obtain password in **attributeValue**. For transformation script ​will be applied ​classic rules for check security ​and etc.+All password attributes will be transformed ​using transformation scripts ​before provisioning ​to the end system. The transformation scripts must return **GuardedString** or **null**, all another object throw exception. All transformation ​scripts ​obtain password in **attributeValue**. For transformation script, the classic rules for check security etc. will be applied ​.
  
-<note tip>​Remeber all password attributes must has checked '​Password attribute'​. Including main password attribute \_\_PASSWORD\_\_</​note>​+<note tip>​Remeber all password attributes must have checked '​Password attribute'​. Including main password attribute \_\_PASSWORD\_\_</​note>​
  
-<note important>​In older  versions (<9.3.0) ​exists ​attribute \_\_PASSWORD\_\_ ​the attribute still exists but for proper functioning ​must the attribute ​has checked ​checkbox '​Password attribute',​ otherwise ​behavior with password change ​trough system ​will not work correctly. In existing ​mapping is password attribute checked for all \_\_PASSWORD\_\_ attributes by flyway script.</​note>​+<note important>​In older  versions (before ​9.3.0) ​there is an attribute \_\_PASSWORD\_\_. The attribute still exists but for proper functioning the attribute ​must have the checkbox '​Password attribute' ​checked, otherwise ​the password change will not work correctly. In existing ​mappings, the password attribute ​is checked for all \_\_PASSWORD\_\_ attributes by the flyway script.</​note>​
  
 ===== Passwords and transformation ===== ===== Passwords and transformation =====
-Transformations on password will be applied in these situations:+The transformations of password will be applied in these situations:
  
 ==== Password change ==== ==== Password change ====
-User change ​his password for accounts (doesn'​t matter if account ​include ​CzechIdM account) - classic password change form. After will be password check by password policy ​it will be started ​provisioning operation to system with \_\_PASSWORD\_\_, all another attributes marked as password and all another password that must be included in password change.+User changes ​his password for accounts (doesn'​t matter if the account ​includes his CzechIdM account) - classic password change form. After that, the password ​will be checked ​by the password policy ​and provisioning operation to system with \_\_PASSWORD\_\_ ​will be started.
  
-If script for transformation ​password/s contains errors it will be throw exception:+If the script for transforming ​password/s contains errors it will throw an exception ​which **is not stored** in the provisioning operation queue.
  
-the exception **is not stored** in provisioning operation queue.+==== Creating a new account and generating password ====
  
 +When the administrator or an automated process adds a role with a mapped system to the user and the mapping for the system contains password attributes, new password will be generated and this password will be transformed by each script in password attributes. The same password will be sent to all scripts.
  
-==== Create new account ​and password ​generate ====+<note tip>​Please check all the transformation script for password and remove all debug, info, error logs that the script contains. The user password and will be sent into the script ​and the password ​is very sensitive so we should never log it.</​note>​
  
-When administrator/​automatic process add to user role with mapped system (mapping for system must contains ​password ​attributes. At least one attribute must be marked as password attribute) will be generated ​new password and this password will be transformed ​by each script in password ​attributes. To all script will be sent same password. +The password ​is generated by password ​policy ​for generating ​password that is selected ​for the system. If system contains ​no password policy for generating passwords, the password will be generated by the CzechIdM default password policy. If even default password policy doesn'​t exist **no password will be generated**. ​Null value will be sent into the script. **Please check attributeValue in script for null!**
- +
-<note tip>​Please check all transformation script ​for password ​and remove all debug, info, error logs that the script contains. Into script will be sent user password and password ​is very sensitive information.</​note>​ +
- +
-Password is generated by password policy ​for generating that has assigned ​system. If system ​doesn'​t ​contains password policy for generate ​password will be generated by CzechIdM default password policy. If even default password policy doesn'​t exist **no password will be generated**. ​Into script ​will be sent null. **Please check attributeValue in script for null!**+
  
 ===== Attribute Password in schema (__PASSWORD__) ===== ===== Attribute Password in schema (__PASSWORD__) =====
  
-<note tip>If the attribute __PASSWORD__ missing, you must create this attribute manually.</​note>​+<note tip>If the attribute __PASSWORD__ ​is missing, you must create this attribute manually.</​note>​
  
 {{:​schemapass.png|}} {{:​schemapass.png|}}
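Review bot: The rewritten "Password change" paragraph loses content: the old text said the provisioning operation is started "with \_\_PASSWORD\_\_, all another attributes marked as password and all another password that must be included in password change", while the new text ends at "with \_\_PASSWORD\_\_ will be started", so the reader no longer learns that the other attributes flagged as password travel with the change. Suggest restoring that, e.g. "... provisioning operation to the system with \_\_PASSWORD\_\_ and all other attributes marked as password will be started." Several wording defects also survive the revision and should be fixed in the new side: "Eq.:" at the end of the first paragraph should be "E.g.:", "Remeber" in the first tip should be "Remember", "all another object throw exception" should read "any other object throws an exception", the second tip has a stray "and" in "The user password and will be sent into the script", and "will be applied ." has a space before the full stop. Finally, the important note says "In older  versions" with a double space.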