[midPoint] SSO, passwords, and end users

Florin. Stingaciu fstingaciu at mirantis.com
Fri Jul 15 21:03:42 CEST 2016


Hello,

In our instance of midPoint, we're using SSO to authenticate users. There
are some issues that we've experienced in this setup and I wanted to let
you guys know.

*Users changing their password*
When using SSO, users no longer have a password associated with their
midPoint account. However, we'd still like to allow users to change their
passwords for their accounts on a resource. Unfortunately we can't utilize
the Credentials page, as the page will request your old password --
which doesn't exist. Right now, I had to resort to using the authorization
rules to allow end users to modify their password directly on the
Projection. This process is not very intuitive, especially when the user
doesn't have a password set up on the account at all (they have to click
the "show empty fields").

Ideally, the fact that SSO is enabled should generate a different
credentials page that lets you change your password on an account of your
choosing without asking for the old password.

*End Users*
Another issue we found was that when a user tries to access midPoint and
doesn't have the End User role while SSO is in place, the server spits back
a 500 error. Ideally, an error message should be generated letting the user
know that he lacks authorization to access the midPoint GUI.

Thanks,
-F