[midPoint] Midpoint Security Question

Stefano Belluomini | EI stefano at everythinginfo.cloud
Fri Sep 30 22:14:13 CEST 2022


We have integrated our midpoint with Azure AD for Single Sign On, which also enforces MFA. Once they are logged in, they are assigned a role that gives them the ability to update certain details and request roles and resources through a self service functionality. We don’t encourage the use of midpoint for password resets though - we use SSPR in Azure AD for that.

-Stefano
________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Matthew Mize via midPoint <midpoint at lists.evolveum.com>
Sent: Saturday, October 1, 2022 3:27:45 AM
To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
Cc: Matthew Mize <mmize1 at udayton.edu>
Subject: [midPoint] Midpoint Security Question

Hello everyone,

As we are working through our Midpoint rollout, we've started discussing how best to allow our end users to self-manage their passwords. One of our options is to allow end users login access to Midpoint itself, where they would use the UI to keep their passwords up to date. However, we try to be a very security conscious organization and, because of the sensitive data that could be exposed if a malicious actor were to gain access to the admin side of Midpoint, would typically want to place the Midpoint administrator UI in a protected zone in our network.

We're wondering what, if anything, other institutions have done. Do you allow your end users login access directly to Midpoint? If so, what steps do you take to keep end-user access and administrator access separate? If you do not have end users manage their passwords in Midpoint, what product(s) do you recommend?

Thanks much!

--
------------------------------------------------------------------------
Matt Mize, (he, him, his)
Director, Software Engineering & Web Engineering
mmize1 at udayton.edu<mailto:mmize1 at udayton.edu>
IT Service Center, (937) 229-3888, itservicecenter at udayton.edu<mailto:itservicecenter at udayton.edu>

University of Dayton
300 College Park, Dayton, OH, 45469-2230