Hi Ayesha,

On Fri, Sep 30, 2016 at 3:17 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:

> Hi all,
>
> Based on the discussions with Johann, Darshana, Isura and myself, we
> identified the following use cases and design concerns.
>
> There are three cases of Admin Forced Password Reset action:
>
>    - Admin Forced Password Reset Off-line
>       - Admin knows the password and gives it to the user offline (ex: via phone)
>    - Admin Forced Password Reset via OTP
>       - OTP is sent to the user as a notification (email/SMS). Admin may not be
>       able to see the OTP
>    - Admin Forced Password Reset via Recovery Email
>       - Email with a link which directs to the password recovery portal is
>       sent to the user
>
> For each case above, the Admin Forced Password Reset action trigger is
> identified as a claim update.
>
> When a special claim "http://wso2.org/claims/identity/adminForcedPasswordReset"
> is updated, an EventHandler will handle the update to this particular claim.
>
Do we know the claims/attributes used in LDAP schemas for similar purposes? I
assume we ask the user to map the above claim to any LDAP attribute.

> A new governance Connector will be implemented and the above three cases can be
> enabled/disabled based on system requirements.
>
Is there any document or code which discusses the governance connector?

Thank you.

> Within the EventHandler, a RecoveryScenario is set to identify the admin
> forced password reset activity, and the user account will be locked until the
> password is reset by the user.
>
> At login, the Login Authenticator will look at the RecoveryScenario along
> with the OTP provided in order to prompt the password reset option to the
> user. Once the password is reset by the user, the account will be unlocked and
> the RecoveryScenario entry will be cleaned up.
>
> For MVP1, I am implementing handling of the *Admin Forced Password Reset*
> trigger with a claim update, and a Handler to send an email with a password
> reset link to the user.
>
> Thanks!
> -Ayesha
>
>
> On Wed, Sep 28, 2016 at 12:19 PM, Ayesha Dissanayaka <aye...@wso2.com>
> wrote:
>
>> Hi Ishara,
>>
>> Thank you for the input. Having had a similar discussion with Darshana and
>> Isura, I have started extending the askPassword implementation with the email
>> verification flow in order to trigger a password reset by capturing the "update
>> credential" event. Still, we need a mechanism to distinguish admin password
>> reset vs. user password reset.
>>
>> Thanks!
>> -Ayesha
>>
>>
>> On Wed, Sep 28, 2016 at 12:06 PM, Ishara Karunarathna <isha...@wso2.com>
>> wrote:
>>
>>> Hi Ayesha,
>>>
>>> On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne <is...@wso2.com>
>>> wrote:
>>>
>>>> Hi Ayesha,
>>>>
>>>> We can extend the Ask Password feature we developed in IS 5.3.0 to support
>>>> this feature. So, we can send a confirmation email rather than an OTP.
>>>>
>>> There can be different use cases.
>>> If we think about a call center scenario, then the customer will call the
>>> support center and ask to reset the password, and it will be communicated to
>>> the client at that time; then the user can log in, and on the 1st attempt he
>>> needs to reset the password.
>>> Then we can set an additional flag in a user attribute that indicates that
>>> this password was reset by the admin.
>>> And then this can be checked in the Password Policy Authenticator.
>>>
>>> And a secure way to handle this is extending the Ask Password implementation
>>> and sending an email to reset the password, or sending an OTP to the customer
>>> and enforcing a reset on 1st login.
>>> I think it is better to implement the 1st scenario and extend to these cases.
>>>
>>> Thanks,
>>> Ishara
>>>
>>>>
>>>> Thanks
>>>> Isura
>>>>
>>>>
>>>> *Isura Dilhara Karunaratne*
>>>> Senior Software Engineer | WSO2
>>>> Email: is...@wso2.com
>>>> Mob : +94 772 254 810
>>>> Blog : http://isurad.blogspot.com/
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka <aye...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have created public jira IDENTITY-5166
>>>>> <https://wso2.org/jira/browse/IDENTITY-5166> to track this
>>>>> implementation.
>>>>>
>>>>> Thanks!
>>>>> -Ayesha
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka <aye...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have started working on [1], which forces a password reset for a user
>>>>>> after an administrative password recovery action.
>>>>>>
>>>>>> Based on the off-line discussion with Darshana, this flow can be as
>>>>>> follows.
>>>>>>
>>>>>>    1. User '*Bob*' forgets his password and requests the administrative
>>>>>>    person for a password reset action
>>>>>>    2. Admin person resets the password and provides a new password to
>>>>>>    *Bob* off-line
>>>>>>    3. This can be performed using the management console
>>>>>>    4. When *Bob* tries to log in with the newly provided password, the
>>>>>>    login page should prompt a password reset UI to *Bob*
>>>>>>    5. And without changing the password, Bob cannot log in to the
>>>>>>    system
>>>>>>    6. There should be a way to distinguish *user password reset* vs.
>>>>>>    *admin password reset*.
>>>>>>
>>>>>> But additionally, there can be enhancements to this flow by sending
>>>>>> an OTP in an email to the user, 'Bob', and enforcing a password reset by
>>>>>> directing him to a provided link.
>>>>>>
>>>>>> What are your thoughts on this?
>>>>>>
>>>>>> [1] https://redmine.wso2.com/issues/5417
>>>>>>
>>>>>> Thanks!
>>>>>> -Ayesha
>>>>>>
>>>>>> --
>>>>>> *Ayesha Dissanayaka*
>>>>>> Software Engineer,
>>>>>> WSO2, Inc : http://wso2.com
>>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>>> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> Architecture@wso2.org
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Ishara Karunarathna
>>> Associate Technical Lead
>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>
>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>>> +94717996791
>>>
>>>
>>>
>>
>
>


-- 
Manjula Rathnayaka
Technical Lead
WSO2, Inc.
Mobile:+94 77 743 1987
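As an added illustration of the flow Ayesha describes (not code from this thread or from WSO2 Identity Server), the following Python model covers the OTP case: updating the special claim fires the handler, which sets the RecoveryScenario, locks the account and sends an OTP out of band; the login authenticator only ever answers with a reset prompt until the user resets with that OTP, after which the account is unlocked and the scenario cleaned up. The claim URI and the scenario idea are the thread's; the User record, the function names, the OUTBOX stand-in and the return codes are assumptions made for this example.

```python
import hashlib, hmac, secrets

# The claim URI and the recovery-scenario idea come from the thread; the user
# record, field names and return codes below are constructed for this example.
ADMIN_FORCED_RESET_CLAIM = "http://wso2.org/claims/identity/adminForcedPasswordReset"
SCENARIO_ADMIN_FORCED_RESET = "ADMIN_FORCED_PASSWORD_RESET"
OUTBOX = []   # stands in for the email/SMS notification channel

def _digest(secret, salt):
    return hashlib.sha256((salt + secret).encode()).hexdigest()

class User:
    def __init__(self, name, password):
        self.name, self.salt = name, secrets.token_hex(8)
        self.pw_hash = _digest(password, self.salt)
        self.claims, self.locked, self.recovery_scenario = {}, False, ""
        self.otp_hash = ""   # only a digest is kept, so an admin cannot read the OTP back

def update_claim(u, claim, value):
    """Claim update is the trigger: the special claim fires the event handler."""
    u.claims[claim] = value
    if claim == ADMIN_FORCED_RESET_CLAIM and value == "true":
        on_admin_forced_reset(u)

def on_admin_forced_reset(u):
    u.recovery_scenario = SCENARIO_ADMIN_FORCED_RESET
    u.locked = True                      # account stays locked until the user resets
    otp = secrets.token_urlsafe(8)
    u.otp_hash = _digest(otp, u.salt)
    OUTBOX.append((u.name, otp))         # delivered out of band to the user

def _otp_ok(u, otp):
    return bool(otp and u.otp_hash) and hmac.compare_digest(u.otp_hash, _digest(otp, u.salt))

def authenticate(u, password, otp=None):
    """Login authenticator: checks the scenario together with the OTP provided."""
    if not hmac.compare_digest(u.pw_hash, _digest(password, u.salt)):
        return "DENIED"
    if u.recovery_scenario == SCENARIO_ADMIN_FORCED_RESET:
        return "PASSWORD_RESET_REQUIRED" if _otp_ok(u, otp) else "DENIED"
    return "DENIED" if u.locked else "OK"

def reset_password(u, otp, new_password):
    if u.recovery_scenario != SCENARIO_ADMIN_FORCED_RESET or not _otp_ok(u, otp):
        return False
    u.pw_hash = _digest(new_password, u.salt)
    u.locked, u.recovery_scenario, u.otp_hash = False, "", ""   # unlock and clean up
    u.claims[ADMIN_FORCED_RESET_CLAIM] = "false"
    return True
```

The point to check when implementing this for real is the middle state: a correct password alone must never yield a session while the scenario is set, and the OTP must stop working once the reset has cleared it.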