[midPoint] Storing passwords in Midpoint
Radovan Semancik
radovan.semancik at evolveum.com
Mon Apr 4 17:50:05 CEST 2016
On 04/04/2016 04:56 PM, Richard Frovarp wrote:
> The other option from an organizational perspective is to do #2 and
> severely limit the number of password stores you have. If everything
> ties back to one (or two) password stores, either through direct
> access (LDAP to AD for instance), or SAML (CAS, Shibboleth, ADFS,
> etc), then there is very little need to actually set real passwords
> upon account creation.
Yes. Agreed. Completely.
But many deployments still have at least one system that needs a
password. That might be a legacy mainframe application, a bloated ERP that
is too expensive to change, several competing directory systems, a custom
database application that hasn't been changed for ages and whose original
author has already retired ... almost always there is something that is
either temporary or legacy and that, despite all efforts, stays around
forever. If there is at least one such application, we need one of these
options. And then there are cloud applications. Many of them will
obviously be OK with distributed authentication (OIDC, SAML). Some of them
might be OK with LDAP bind to a remote server. But I think that there
will always be some of them that insist on setting a password for the
account.
If there are a lot of legacy applications, then option 1 is better. That
is the usual case in a "heavyweight" enterprise environment maintained in
2000s style. That's where IDM technologies originated, and this is still
the place where IDM provides the best value (and makes the best profits). So
I guess that pretty much explains the popularity of option 1.
If there is only a small number of legacy applications, then option 2 is
better. That seems to (finally) be becoming the reality in a sufficient
number of cases to justify the implementation. And as I have already
mentioned: I will be very happy to implement this.
But the list of things that I would love to implement is long, and the
amount of money that we (Evolveum) can re-invest into development is
still quite limited. We will get to that eventually. But if you want to
have it really soon, you will have to fund or co-fund this feature. As
always: https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
--
Radovan Semancik
Software Architect
evolveum.com