Hi all,

It is not clear to me how the password reset operation is valid for read-only user stores. Is it a valid use case?

thank you.

On Tue, Oct 4, 2016 at 10:54 AM, Dimuthu Leelarathne <dimut...@wso2.com> wrote:
> Hi Johann,
>
> Let's take the read-only case. Our current or future (C5) architecture does not support claims coming from two user stores. And that is ok. But ... we have this habit of adding a claim whenever we want to do a new feature; is it a good idea to store system claim values in the internal DB? That would make things much simpler. Thinking aloud, we can make it generic and enable half the stuff to come from the internal store, but I think it is an over-engineering task. IMO, if we can implement it such that system claim values are coming from the internal DB, that would be great.
>
> thanks,
> Dimuthu
>
> On Mon, Oct 3, 2016 at 10:51 PM, Johann Nallathamby <joh...@wso2.com> wrote:
>>
>> On Mon, Oct 3, 2016 at 1:00 PM, Manjula Rathnayake <manju...@wso2.com> wrote:
>>> Hi Ayesha,
>>>
>>> On Fri, Sep 30, 2016 at 3:17 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>>>> Hi all,
>>>>
>>>> Based on the discussions with Johann, Darshana, Isura and myself, we identified the following use cases and design concerns.
>>>>
>>>> There are three cases of the Admin Forced Password Reset action:
>>>>
>>>> - Admin Forced Password Reset Off-line
>>>>   - Admin knows the password and gives it to the user offline (ex: via phone)
>>>> - Admin Forced Password Reset via OTP
>>>>   - OTP is sent to the user as a notification (email/sms). Admin may not be able to see the OTP
>>>> - Admin Forced Password Reset via Recovery Email
>>>>   - Email with a link which directs to the password recovery portal is sent to the user
>>>>
>>>> For each case above, the Admin Forced Password Reset action trigger is identified as a claim update.
>>>>
>>>> When a special claim "http://wso2.org/claims/identity/adminForcedPasswordReset" is updated, an EventHandler will handle the update to this particular claim.
>>>>
>>> Do we know claims/attributes used in LDAP schemas for similar purposes? I assume we ask the user to map the above claim to any LDAP attribute.
>>>
>> We make it a point to use existing attributes wherever possible. I think there is an attribute in AD called "ChangePasswordAtLogon" for this purpose. However we didn't plan to use this attribute to store this value as a claim because it's a temporary value for a particular user. Also, all LDAPs may not support this attribute. Plus we need to support it when the user store is connected in read-only mode also. However we will reconsider this.
>>
>>>> A new governance Connector will be implemented and the above three cases can be enabled/disabled based on system requirements.
>>>>
>>> Is there any document or code which discusses the governance connector?
>>>
>>> thank you.
>>>
>>>> Within the EventHandler, a RecoveryScenario is set to identify the admin forced password reset activity. And the user account will be locked until the password is reset by the user.
>>>>
>>>> At login, inside the Login Authenticator it will look at the RecoveryScenario along with the OTP provided in order to prompt the password reset option to the user. Once the password is reset by the user, the account will be unlocked and the RecoveryScenario entry will be cleaned up.
>>>>
>>>> For the MVP1, I am implementing handling of the *Admin Forced Password Reset* trigger with the claim update, and a Handler to send an email with a password reset link to the user.
>>>>
>>>> Thanks!
>>>> -Ayesha
>>>>
>>>> On Wed, Sep 28, 2016 at 12:19 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>>>>> Hi Ishara,
>>>>>
>>>>> Thank you for the input. Having a similar discussion with Darshana and Isura, I have started extending the askPassword implementation with the email verification flow in order to trigger a password reset by capturing the "update credential" event. Still, we need a mechanism to distinguish admin password reset vs. user password reset.
>>>>>
>>>>> Thanks!
>>>>> -Ayesha
>>>>>
>>>>> On Wed, Sep 28, 2016 at 12:06 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>>> Hi Ayesha,
>>>>>>
>>>>>> On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne <is...@wso2.com> wrote:
>>>>>>> Hi Ayesha,
>>>>>>>
>>>>>>> We can extend the Ask Password feature we developed in IS 5.3.0 to support this feature. So, we can send a confirmation email rather than an OTP.
>>>>>>>
>>>>>> There can be different use cases.
>>>>>> If we think about a call center scenario, then the customer will call the support center and ask to reset the password, and it will be communicated to the client at that time; then the user can log in and on the 1st attempt he needs to reset the password.
>>>>>> Then we can set an additional flag to a user attribute that indicates that this password was reset by admin.
>>>>>> And then this can be checked in the Password Policy Authenticator.
>>>>>>
>>>>>> And a secure way to handle this is extending the Ask Password implementation and sending an email to reset the password, or sending an OTP to the customer and enforcing a reset at 1st login.
>>>>>> I think it is better to implement the 1st scenario and extend to these cases.
>>>>>>
>>>>>> Thanks,
>>>>>> Ishara
>>>>>>
>>>>>>> Thanks
>>>>>>> Isura
>>>>>>>
>>>>>>> *Isura Dilhara Karunaratne*
>>>>>>> Senior Software Engineer | WSO2
>>>>>>> Email: is...@wso2.com
>>>>>>> Mob : +94 772 254 810
>>>>>>> Blog : http://isurad.blogspot.com/
>>>>>>>
>>>>>>> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have created public jira IDENTITY-5166 <https://wso2.org/jira/browse/IDENTITY-5166> to track this implementation.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> -Ayesha
>>>>>>>>
>>>>>>>> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have started working on [1], which forces a password reset for a user after an administrative password recovery action.
>>>>>>>>>
>>>>>>>>> Based on the off-line discussion with Darshana, this flow can be as follows.
>>>>>>>>>
>>>>>>>>> 1. User '*Bob*' forgets his password and requests an administrative person for a password reset action
>>>>>>>>> 2. Admin person resets the password and provides a new password to *Bob* off-line
>>>>>>>>> 3. This can be performed using the management console
>>>>>>>>> 4. When *Bob* tries to log in with the newly provided password, the login page should prompt the password reset UI to *Bob*
>>>>>>>>> 5. And without changing the password, Bob cannot log in to the system
>>>>>>>>> 6. There should be a way to distinguish *user password reset* vs. *admin password reset*.
>>>>>>>>>
>>>>>>>>> But additionally, there can be enhancements to this flow by sending an OTP in an email to the user 'Bob' and enforcing a password reset by directing to a provided link.
>>>>>>>>>
>>>>>>>>> What are your thoughts on this?
>>>>>>>>>
>>>>>>>>> [1] https://redmine.wso2.com/issues/5417
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>> -Ayesha
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Ayesha Dissanayaka*
>>>>>>>>> Software Engineer,
>>>>>>>>> WSO2, Inc : http://wso2.com
>>>>>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>>>>>> E-Mail: aye...@wso2.com
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Architecture mailing list
>>>>>>>> Architecture@wso2.org
>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Associate Technical Lead
>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>
>>> --
>>> Manjula Rathnayaka
>>> Technical Lead
>>> WSO2, Inc.
>>> Mobile:+94 77 743 1987
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - +94777776950
>> Blog - http://nallaa.wordpress.com
>
> --
> Dimuthu Leelarathne
> Director, Solutions Architecture
>
> WSO2, Inc. (http://wso2.com)
> email: dimut...@wso2.com
> Mobile: +94773661935
> Blog: http://muthulee.blogspot.com
>
> Lean . Enterprise . Middleware

--
Manjula Rathnayaka
Technical Lead
WSO2, Inc.
Mobile:+94 77 743 1987
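Added example (not WSO2 code, nor anything from the thread's authors): a Python model of the flow Ayesha describes, with the claim update as the trigger, a handler that sets the RecoveryScenario and locks the account, a login check that yields only the reset prompt, and the unlock and cleanup after the reset; the recovery state is kept in internal tables rather than user-store attributes, in line with Dimuthu's suggestion. The claim URI and scenario name come from the thread; the class and method names, the confirmation code (standing in for the OTP or recovery-link token) and the plain-text password table are assumptions of the model.

```python
import hmac
import secrets

# Claim URI and scenario name come from the thread; the rest is this model's assumption.
ADMIN_FORCED_RESET_CLAIM = "http://wso2.org/claims/identity/adminForcedPasswordReset"
SCENARIO_ADMIN_FORCED = "ADMIN_FORCED_PASSWORD_RESET"


class IdentityStore:
    """Recovery state lives in internal tables, not in the user store, so the
    trigger also works when the user store is read-only (Dimuthu's suggestion)."""
    def __init__(self, passwords):
        self.passwords = dict(passwords)  # user store (plain text for the model only)
        self.claims = {}      # user store claims: (user, claim) -> value
        self.recovery = {}    # internal DB: user -> (RecoveryScenario, confirmation code)
        self.locked = set()   # internal DB: accounts locked until the user resets

    def update_claim(self, user, claim, value):
        """Any claim update is the trigger; the special claim goes to the handler."""
        if claim == ADMIN_FORCED_RESET_CLAIM and value == "true":
            return self._on_admin_forced_reset(user)
        self.claims[(user, claim)] = value

    def _on_admin_forced_reset(self, user):
        """EventHandler: set the RecoveryScenario, lock the account, issue a code."""
        code = secrets.token_urlsafe(16)  # sent by notification; the admin need not see it
        self.recovery[user] = (SCENARIO_ADMIN_FORCED, code)
        self.locked.add(user)
        return code

    def login(self, user, password, code=None):
        """Login authenticator: returns 'OK', 'RESET_REQUIRED' or 'DENIED'."""
        stored = self.passwords.get(user)
        if stored is None or not hmac.compare_digest(stored, password):
            return "DENIED"
        if user not in self.locked or user not in self.recovery:
            return "OK"
        # Locked by the admin-forced scenario: the password alone is not enough, and a
        # valid code only earns the reset prompt, never a session.
        if code is not None and hmac.compare_digest(self.recovery[user][1], code):
            return "RESET_REQUIRED"
        return "DENIED"

    def reset_password(self, user, code, new_password):
        """Completing the reset unlocks the account and clears the scenario entry."""
        if user not in self.recovery or not hmac.compare_digest(self.recovery[user][1], code):
            return False
        self.passwords[user] = new_password
        self.locked.discard(user)
        del self.recovery[user]
        return True
```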