[midPoint] Initial credential distribution and password reset

Slavek Licehammer slavek.licehammer at evolveum.com
Thu Apr 16 22:22:20 CEST 2020


Hello Robert. 

Initial credential distribution is always complicated. It is a bit easier if you have some central access management system which is able to force users to change the initial password when they are accessing any service. At least that way it is easier for users. 

For password resets, I suppose students can physically come to the students' office and employees to the HR office. I know that some universities can do password resets using videoconferencing, where they compare the user on the other side with the photo in the database; also the user has to show some ID, answer some questions, etc. It's not a bulletproof solution; it's very dependent on the quality of your data and on the skill of the employee who is interacting with users. If you assess the risks it's usable, at least for some cases.

If you haven't stumbled upon the following wiki page yet, I recommend looking at it. It might provide some additional answers. 
https://wiki.evolveum.com/display/midPoint/Initial+Password+Management+Discussion


Best regards, 

  Slavek Licehammer



On 16/04/2020 16:28, Robert Spellman wrote:
> We are an educational institution looking at replacing our IDM solution.
> Every summer, we need to be able to provision hundreds of user accounts for
> new faculty and students, and provide them the ability to log in the first
> time and set up their credentials.  We assign each user their username and
> email address, which is automatically generated based upon a combination of
> first and last name.
> 
> I have a test implementation of midPoint running, with three resources
> defined.  The first resource pulls in data from a csv file, which mimics
> our Ellucian Banner system, which is the source of a majority of our user
> attributes.  Importing this resource generates username and email address,
> and automatically assigns a role, which begins the process of provisioning
> accounts within the other two resources, Google (for email) and Active
> Directory.
> 
> I have a few questions:
> 
> 
>    1. How do others handle distribution of the credentials to allow new
>    users to login to midPoint to set their password?  In our current IDM, we
>    assign a one-time password which is pre-expired, and can only be used to
>    login to the IDM and allow them to enter a new password.
>    2. How do others handle the situation where a user has forgotten their
>    password?  I've seen the old and new password reset configuration pages
>    within the wiki.  I'm hoping someone has some other thoughts on how to do
>    this.
> 
> For most users, we do have an additional email address for them, which we
> could use as the email accounts which we send their password reset link.
> 
> Robert Spellman
> *Associate Director for Network Services*
> Information and Library Services
> Bates College
> p: 207-786-6422
> a: 110 Russell Street, Lewiston, ME 04240
> w: www.bates.edu  e: rspellman at bates.edu <rspellmann at bates.edu>
> 
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
> 
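The mechanism Robert describes (a pre-expired one-time password that is good only for the IDM's set-password flow) and the reset-link-to-a-secondary-address idea map onto a small, testable credential service. The following is an added example written for this archive page; it is neither code from the thread nor midPoint's own implementation, and every name in it (CredentialService, OneTimeCredential, the jdoe/asmith accounts, the TTL values) is a constructed assumption. It shows the properties a defender wants from such a flow: only a hash of the one-time secret is stored, the secret expires, it is consumed on first successful use, it is compared in constant time, it cannot be used for ordinary service login, and the user-chosen replacement password is salted and stretched before storage.

```python
"""Added example (not from the mailing-list thread or midPoint): a minimal
pre-expired, single-use initial/reset credential flow. All names are
hypothetical and the in-memory store stands in for a real IDM repository."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class OneTimeCredential:
    secret_hash: bytes      # SHA-256 of the token; the plaintext is never stored
    expires_at: float       # unix time after which the token is useless
    used: bool = False      # single use: consumed on first successful redemption


class CredentialService:
    """Constructed, in-memory stand-in for an IDM's credential store."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600, clock=time.time):
        self._one_time = {}   # username -> OneTimeCredential
        self._passwords = {}  # username -> (salt, pbkdf2 hash) of the chosen password
        self._ttl = ttl_seconds
        self._clock = clock   # injectable so expiry can be exercised deterministically

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue_one_time_credential(self, username: str) -> str:
        """Mint a random single-use token for first login or a forgotten-password
        reset. The caller delivers it out of band (e.g. to the secondary e-mail
        address on file); only its hash and expiry are retained here."""
        token = secrets.token_urlsafe(24)
        self._one_time[username] = OneTimeCredential(
            self._digest(token), self._clock() + self._ttl)
        return token

    def redeem(self, username: str, token: str, new_password: str) -> str:
        """Exchange a one-time token for a user-chosen password. Returns a
        status string so callers (and the audit log) can tell failures apart."""
        cred = self._one_time.get(username)
        if cred is None:
            return "no_pending_credential"
        if cred.used:
            return "already_used"
        if self._clock() > cred.expires_at:
            return "expired"
        if not hmac.compare_digest(cred.secret_hash, self._digest(token)):
            return "invalid_token"
        if len(new_password) < 12 or new_password == token:
            return "weak_password"          # token stays unconsumed; user may retry
        cred.used = True                    # consume before storing anything
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self._passwords[username] = (salt, pw_hash)
        return "ok"

    def authenticate(self, username: str, password: str) -> bool:
        """Normal service login. Deliberately never consults the one-time store,
        so an initial token cannot log in to anything but the reset flow."""
        record = self._passwords.get(username)
        if record is None:
            return False
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(expected, candidate)


def demo() -> dict:
    """Walk through issue -> redeem -> reuse/expiry checks; returns the statuses."""
    now = [1_000_000.0]                                    # constructed fake clock
    svc = CredentialService(ttl_seconds=3600, clock=lambda: now[0])
    results = {}
    token = svc.issue_one_time_credential("jdoe")
    results["token_is_not_a_login"] = svc.authenticate("jdoe", token)
    results["weak_password"] = svc.redeem("jdoe", token, "short")
    results["first_redeem"] = svc.redeem("jdoe", token, "correct horse battery staple")
    results["reuse"] = svc.redeem("jdoe", token, "another long password here")
    results["login_new_password"] = svc.authenticate("jdoe", "correct horse battery staple")
    results["login_wrong_password"] = svc.authenticate("jdoe", "not the password")
    token2 = svc.issue_one_time_credential("asmith")
    results["wrong_token"] = svc.redeem("asmith", "bogus-token", "another long password here")
    now[0] += 3601                                         # step past the TTL
    results["expired"] = svc.redeem("asmith", token2, "another long password here")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The status strings are the part worth keeping in a real deployment: logging which branch rejected a redemption (reuse, expiry, wrong token) is what lets an operator notice a token being replayed or guessed, and the constant-time comparison plus hashed-at-rest storage means a leaked store or timing side channel does not hand out usable secrets.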


