[midPoint] SSO, passwords, and end users

Florin. Stingaciu fstingaciu at mirantis.com
Mon Jul 18 18:54:10 CEST 2016


Hey Radovan,

So I managed to resolve the "Old Password" input field on the credentials
page, however the password propagation for the midPoint repository resource
is enabled by default. Is there any way to specify one particular resource
to be enabled by default? We want to avoid storing any passwords on the
midPoint DB at all costs.

In total we have three repositories. One for the midPoint repository, an
LDAP server (which is where we want to change passwords by default) and
lastly there's a read-only Active Directory. Is there any way (either via
security policies, or the authorization model) to only show and allow
password changes on the LDAP server?

Thanks,
-F

On Mon, Jul 18, 2016 at 12:53 AM, Radovan Semancik <radovan.semancik at evolveum.com> wrote:

> Hi,
>
> On 07/15/2016 09:03 PM, Florin. Stingaciu wrote:
>
> *Users changing their password*
> When using SSO, users no longer have a password associated with their
> midPoint account. However, we'd still like to allow users to change their
> passwords for their accounts on a resource. Unfortunately we can't utilize
> the Credentials page as the page will request for your old password --
> which doesn't exist. Right now, I had to resort to using the authorization
> rules to allow end users to modify their password directly on the
> Projection. This process is not very intuitive, especially when the user
> doesn't have a password set up on the account at all (they have to click
> the "show empty fields")
>
> Ideally, the fact that SSO is enabled should generate a different
> credentials page that lets you change your password on an account of your
> choosing without asking for the old password.
>
>
> We already have setting for that:
>
>
> https://github.com/Evolveum/midpoint/blob/master/samples/objects/security-policy-password.xml
>
> see passwordChangeSecurity
>
> Unfortunately, it is currently documented only in the schema
> (common-core-3.xsd).
>
> *End Users *
> Another issue we found was that when a user tries to access midPoint and
> doesn't have the End User role while SSO is in place, the server spits back
> a 500 error. Ideally, an error message should be generated letting the user
> know that he lacks authorization to access the midPoint GUI.
>
>
> Yes, it should be 401 and not 500. Please file a bug report for that.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
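As an added illustration (not code from the thread, nor the linked sample file), this is the shape of a security policy that switches off the old-password check Radovan points to; the element names and the two values come from common-core-3.xsd, the policy name is an assumed placeholder, and the other credentials settings a real policy carries are left out:

```xml
<!-- Added example, not taken from the thread or from samples/objects/security-policy-password.xml.
     Element names: SecurityPolicyType / credentials / password / passwordChangeSecurity
     as defined in common-core-3.xsd. The policy name is a placeholder. -->
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>SSO security policy (placeholder name)</name>
    <credentials>
        <password>
            <!-- Default: the credentials page asks for the old password
                 before it accepts a new one (value oldPassword). -->
            <!-- <passwordChangeSecurity>oldPassword</passwordChangeSecurity> -->

            <!-- SSO users have no midPoint password to type in, so the
                 old-password check is turned off. The authenticated session
                 is then the only proof of who is changing the password, which
                 is acceptable only because the SSO layer performed the login. -->
            <passwordChangeSecurity>none</passwordChangeSecurity>
        </password>
    </credentials>
</securityPolicy>
```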