[midPoint] SSO, passwords, and end users

Radovan Semancik radovan.semancik at evolveum.com
Mon Jul 18 09:53:04 CEST 2016


Hi,

On 07/15/2016 09:03 PM, Florin. Stingaciu wrote:
> *Users changing their password*
> When using SSO, users no longer have a password associated with their 
> midPoint account. However, we'd still like to allow users to change 
> their passwords for their accounts on a resource. Unfortunately we 
> can't utilize the Credentials page as the page will request for your 
> old password -- which doesn't exist. Right now, I had to resort to 
> using the authorization rules to allow end users to modify their 
> password directly on the Projection. This process is not very 
> intuitive, especially when the user doesn't have a password set up on 
> the account at all (they have to click the "show empty fields")
>
> Ideally, the fact that SSO is enabled should generate a different 
> credentials page that lets you change your password on an account of 
> your choosing without asking for the old password.

We already have a setting for that:

https://github.com/Evolveum/midpoint/blob/master/samples/objects/security-policy-password.xml

See passwordChangeSecurity.

Unfortunately, it is currently documented only in the schema 
(common-core-3.xsd).

> *End Users *
> Another issue we found was that when a user tries to access midPoint 
> and doesn't have the End User role while SSO is in place, the server 
> spits back a 500 error. Ideally, an error message should be generated 
> letting the user know that he lacks authorization to access the 
> midPoint GUI.

Yes, it should be 401 and not 500. Please file a bug report for that.

-- 
Radovan Semancik
Software Architect
evolveum.com
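For readers following the thread, this is an added illustration of where the passwordChangeSecurity setting lives in a midPoint security policy; it is not the content of the linked sample file. The oid and name are placeholders, and the element nesting, namespace URI and the enumerated values (none, oldPassword, oldPasswordIfExists) are assumed to match common-core-3.xsd for midPoint 3.x.

```xml
<!-- Added illustration, not the linked sample file.
     oid and name are placeholders; nesting and namespace assumed per common-core-3.xsd. -->
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                oid="PLACEHOLDER-OID">
    <name>SSO-friendly password policy (placeholder name)</name>
    <credentials>
        <password>
            <!-- oldPasswordIfExists: the Credentials page asks for the old password
                 only when the user actually has one stored in midPoint. SSO users
                 with no midPoint password can therefore change a resource account
                 password without being prompted, while users who do have a midPoint
                 password keep the old-password check.
                 'none' would drop the check for everyone and is the weaker choice;
                 'oldPassword' always demands it (the behaviour described in the
                 original question). -->
            <passwordChangeSecurity>oldPasswordIfExists</passwordChangeSecurity>
        </password>
    </credentials>
</securityPolicy>
```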
