[midPoint] Password Aging?

Ivan Noris ivan.noris at evolveum.com
Wed Oct 9 06:37:53 UTC 2019


Hi,

AFAIK there is no flag about the password being expired. The
authentication simply compares the current timestamp with the
last-modified timestamp of the password and uses this according to the
policy.

I'm not aware of any way to propagate this with default midPoint.
Maybe someone else is.


Best regards,

Ivan

On 8. 10. 2019 14:24, JStanczak at vinu.edu wrote:
> Yes. I'm talking about the maxAge. It does expire users from Midpoint
> login... but I'm wanting to map that boolean condition to one of my
> resources. This resource will trigger the user to update their
> password when they attempt a login to CAS. I'm not using Midpoint for
> login... just admin logins. I want both features working. I want to
> expire admins using Midpoint and also expire regular users in another
> system. 
>
> Thanks.
>
>
> -----"midPoint" <midpoint-bounces at lists.evolveum.com
> <mailto:midpoint-bounces at lists.evolveum.com>> wrote: -----
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>>
> From: "Ivan Noris"
> Sent by: "midPoint"
> Date: 10/08/2019 02:15AM
> Subject: Re: [midPoint] Password Aging?
>
> Hi,
> if you are talking about password aging using maxAge in the security
> policy, this works for midPoint authentication.
> Users with passwords out of the maxAge (since the last password
> change) are not allowed to login to midPoint.
>
> Best regards,
> Ivan
>
> ------------------------------------------------------------------------
> *From: *JStanczak at vinu.edu <mailto:JStanczak at vinu.edu>
> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com
> <mailto:midpoint at lists.evolveum.com>>
> *Sent: *Monday, October 7, 2019 2:08:43 PM
> *Subject: *[midPoint] Password Aging?
>
> I'm trying to age passwords that have not been changed in 180 days. I
> can set a "valid to" and the expire works fine. But password aging
> doesn't seem to change it. I'm not sure where I went wrong. 
>
> <maxAge>P180D</maxAge>
>
>
> <attribute id="4">
> <c:ref>ri:expired</c:ref>
> <tolerant>true</tolerant>
> <exclusiveStrong>false</exclusiveStrong>
> <outbound>
>     <authoritative>true</authoritative>
>     <exclusive>false</exclusive>
>     <strength>normal</strength>
>     <source>
>         <c:path>$focus/activation/effectiveStatus</c:path>
>     </source>
>     <expression>
>         <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>             <code>
>                 import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
>                 return effectiveStatus == ActivationStatusType.DISABLED;
>             </code>
>         </script>
>     </expression>
> </outbound>
> </attribute>
>
> Thanks.
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
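
The comparison described in this message (current time against the password's last-modified timestamp, under a `maxAge` such as `P180D`), written out as an added example; it is not code from the thread or from midPoint. All function names and the sample accounts are hypothetical, and two choices are assumptions of the example rather than documented midPoint behaviour: the boundary instant counts as expired, and an account with no recorded timestamp is flagged as expired.

```python
import re
from datetime import datetime, timedelta, timezone

# Day/time subset of xsd:duration, the format of maxAge values such as P180D.
_DURATION = re.compile(
    r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_max_age(text):
    """Turn a maxAge string like 'P180D' or 'P1DT12H' into a timedelta."""
    m = _DURATION.match(text)
    # Reject 'P', 'PT', 'P1DT' and year/month forms, whose length
    # depends on the calendar and needs date arithmetic instead.
    if not m or not any(m.groups()) or text.endswith("T"):
        raise ValueError("unsupported maxAge: %r" % text)
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def password_expired(last_modified, max_age, now, missing_is_expired=True):
    """True once `now` has reached last_modified + max_age."""
    if last_modified is None:
        # Assumption of this example: no recorded change time fails closed.
        return missing_is_expired
    if last_modified.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset")
    return now >= last_modified + max_age

def expired_flags(accounts, max_age_text, now):
    """Map account name -> boolean to write to the target attribute."""
    max_age = parse_max_age(max_age_text)
    return {
        name: password_expired(
            datetime.fromisoformat(ts) if ts else None, max_age, now)
        for name, ts in accounts.items()
    }

# Constructed sample data: account -> password last-modified timestamp.
SAMPLE = {
    "alice": "2019-04-01T08:00:00+00:00",   # older than 180 days
    "bob": "2019-04-12T08:37:54+02:00",     # one second inside the window
    "carol": "2019-10-01T12:00:00+00:00",   # recently changed
    "dave": None,                           # no timestamp recorded
}
NOW = datetime(2019, 10, 9, 6, 37, 53, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, flag in expired_flags(SAMPLE, "P180D", NOW).items():
        print(name, "expired" if flag else "ok")
```
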
