[midPoint] SSO, passwords, and end users
Radovan Semancik
radovan.semancik at evolveum.com
Mon Jul 18 19:35:37 CEST 2016
Hi,
On 07/18/2016 06:54 PM, Florin. Stingaciu wrote:
> So I managed to resolve the "Old Password" input field on the
> credentials page, however the password propagation for the midPoint
> repository resource is enabled by default. Is there any way to specify
> one particular resource to be enabled by default? We want to avoid
> storing any passwords on the midPoint DB at all costs.
I think there is a way to hide the password propagation dialog. Use the
propagationUserControl setting (see the XSD schema or maybe one of my
colleagues can provide an example).
Then simply use password outbound mappings to propagate the password
just to one resource.
However, currently it is not easy to avoid storing the password in the
midPoint database. MidPoint philosophy is to always synchronize between
focus (user) and projection (account) and never between projections
directly. So, the password needs to be present in the midPoint user. And
for now the complete user is stored in the database.
There was some discussion about the setting to store passwords in hashed
form (as opposed to encrypted form as it is now). Or even to handle
password only in memory and not to store it at all. I would really like
to implement that - and I was expecting this flexibility during midPoint
design, so the implementation should not be that difficult. But
obviously this feature hasn't attracted the attention of any midPoint
subscriber or sponsor. Therefore it is not implemented.
If you want to avoid storing the password you can do some magic with a
scripting hook and remove the password from the user and user deltas at
the right moment in the request processing "clockwork": just after it
was propagated to projection context but before the user is stored. I
believe that this is possible, but it will require very clever
manipulation of model context.
... or you can get a subscription or sponsor this feature.
> In total we have three repositories. One for the midPoint repository,
> an LDAP server (which is where we want to change passwords by default)
> and lastly there's a read-only Active Directory. Is there any way
> (either via security policies, or the authorization model) to only
> show and allow password changes on the LDAP server?
Yes. If you set up authorizations in a proper way then the GUI should
adapt. But an easier way would be to set up fixed (strong) mappings for
password propagation and completely disallow account changes.
However, currently the GUI is designed to conveniently change only the
user password. And we have no plans to extend that to account passwords
as the common use case is to change user password and propagate the
change to the resources. We do not want to confuse the end user too much
... and in fact many users find the password propagation dialog too
confusing, hence the option to disable it. So just one entry for the
password should be enough. The way forward is to control how the user
password is stored in the midPoint repository. I'm sorry that we do not
have that yet. But anyone can help with funding of this feature.
It could work like this:
User changes his password in midPoint (already implemented)
MidPoint will propagate the password to the resources using the mappings
(already implemented)
MidPoint consults the password storage policy and forgets the password
(not implemented)
So, just a little piece is missing.
--
Radovan Semancik
Software Architect
evolveum.com
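An added configuration sketch, not from the original thread, of the setup Radovan outlines above: a security policy that hides the propagation dialog, a strong outbound password mapping on the LDAP resource only, and no password mapping on the read-only AD resource, so the password is only ever pushed to LDAP. Element paths follow the midPoint schema as I understand it; the `mapping` value for propagationUserControl and the resource names are assumptions to verify against the XSD the reply refers to.

```xml
<!-- Security policy fragment. Assumed element path: credentials/password.
     Hides the per-account propagation choice in the GUI; the outbound
     mappings below decide where the password goes instead. The value
     "mapping" is an assumption; check CredentialsPropagationUserControlType
     in the XSD before relying on it. -->
<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>default-security-policy</name>
  <credentials>
    <password>
      <propagationUserControl>mapping</propagationUserControl>
    </password>
  </credentials>
</securityPolicy>

<!-- LDAP resource (constructed name): the only place the password is
     propagated. The strong mapping means the user password always wins
     over whatever is on the account, so no per-account edit is needed. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>ldap-example</name>
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <default>true</default>
      <credentials>
        <password>
          <outbound>
            <strength>strong</strength>
            <expression><asIs/></expression>
          </outbound>
        </password>
      </credentials>
    </objectType>
  </schemaHandling>
</resource>

<!-- Read-only AD resource (constructed name): no credentials section at
     all, so midPoint has no mapping through which to push a password. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>ad-readonly-example</name>
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <default>true</default>
    </objectType>
  </schemaHandling>
</resource>
```

Note that, as the reply explains, this only controls propagation; the password is still stored (encrypted) in the midPoint user object until the storage policy described at the end of the message exists.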