On Mon, Oct 3, 2016 at 1:00 PM, Manjula Rathnayake <[email protected]> wrote:
> Hi Ayesha,
>
> On Fri, Sep 30, 2016 at 3:17 PM, Ayesha Dissanayaka <[email protected]> wrote:
>> Hi all,
>>
>> Based on the discussions with Johann, Darshana, Isura and myself, we identified the following use cases and design concerns.
>>
>> There are three cases of the Admin Forced Password Reset action:
>>
>> - Admin Forced Password Reset Off-line
>>   - Admin knows the password and gives it to the user offline (ex: via phone)
>> - Admin Forced Password Reset via OTP
>>   - OTP is sent to the user as a notification (email/sms). Admin may not be able to see the OTP
>> - Admin Forced Password Reset via Recovery Email
>>   - Email with a link which directs to the password recovery portal is sent to the user
>>
>> For each case above, the Admin Forced Password Reset action trigger is identified as a claim update.
>>
>> When a special claim "http://wso2.org/claims/identity/adminForcedPasswordReset" is updated, an EventHandler will handle the update to this particular claim.
>>
> Do we know claims/attributes used in LDAP schemas for similar purposes? I assume we ask the user to map the above claim to any LDAP attribute.

We make it a point to use existing attributes wherever possible. I think there is an attribute in AD called "ChangePasswordAtLogon" for this purpose. However, we didn't plan to use this attribute to store this value as a claim because it's a temporary value for a particular user. Also, all LDAPs may not support this attribute. Plus we need to support it when the user store is connected in read-only mode also. However, we will reconsider this.

>> A new governance Connector will be implemented and the above three cases can be enabled/disabled based on system requirements.
>>
> Is there any document or code which discusses the governance connector?
>
> thank you.
>
>> Within the EventHandler, a RecoveryScenario is set to identify the admin forced password reset activity. And the user account will be locked until the password is reset by the user.
>>
>> At login, inside the Login Authenticator it will look at the RecoveryScenario along with the OTP provided in order to prompt the password reset option to the user. Once the password is reset by the user, the account will be unlocked and the RecoveryScenario entry will be cleaned up.
>>
>> For the MVP1, I am implementing handling of the *Admin Forced Password Reset* trigger with claim update and a Handler to send an email with a password reset link to the user.
>>
>> Thanks!
>> -Ayesha
>>
>> On Wed, Sep 28, 2016 at 12:19 PM, Ayesha Dissanayaka <[email protected]> wrote:
>>> Hi Ishara,
>>>
>>> Thank you for the input. Having a similar discussion with Darshana and Isura, I have started extending the askPassword implementation with the email verification flow in order to trigger a password reset by capturing the "update credential" event. Still, we need a mechanism to distinguish admin password reset vs. user password reset.
>>>
>>> Thanks!
>>> -Ayesha
>>>
>>> On Wed, Sep 28, 2016 at 12:06 PM, Ishara Karunarathna <[email protected]> wrote:
>>>> Hi Ayesha,
>>>>
>>>> On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne <[email protected]> wrote:
>>>>> Hi Ayesha,
>>>>>
>>>>> We can extend the Ask Password feature we developed in IS 5.3.0 to support this feature. So, we can send a confirmation email rather than an OTP.
>>>>>
>>>> There can be different use cases.
>>>> If we think about a call center scenario, then the customer will call the support center and ask to reset the password, and it will be communicated to the client at that time; then the user can log in and on the 1st attempt he needs to reset the password.
>>>> Then we can set an additional flag in a user attribute that indicates that this password was reset by admin.
>>>> And then this can be checked in the Password Policy Authenticator.
>>>>
>>>> And the secure way to handle this is extending the Ask Password implementation and sending an email and resetting the password, or sending an OTP to the customer and enforcing a reset at 1st login.
>>>> I think it is better to implement the 1st scenario and extend to these cases.
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>>> Thanks
>>>>> Isura
>>>>>
>>>>> *Isura Dilhara Karunaratne*
>>>>> Senior Software Engineer | WSO2
>>>>> Email: [email protected]
>>>>> Mob : +94 772 254 810
>>>>> Blog : http://isurad.blogspot.com/
>>>>>
>>>>> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have created public jira IDENTITY-5166 <https://wso2.org/jira/browse/IDENTITY-5166> to track this implementation.
>>>>>>
>>>>>> Thanks!
>>>>>> -Ayesha
>>>>>>
>>>>>> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka <[email protected]> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have started working on [1], which forces a password reset for a user after an administrative password recovery action.
>>>>>>>
>>>>>>> Based on the off-line discussion with Darshana, this flow can be as follows.
>>>>>>>
>>>>>>> 1. User '*Bob*' forgets the password and requests an administrative person for a password reset action
>>>>>>> 2. Admin person resets the password and provides a new password to *Bob* off-line
>>>>>>> 3. This can be performed using the management console
>>>>>>> 4. When *Bob* tries to log in with the newly provided password, the login page should prompt the password reset UI to *Bob*
>>>>>>> 5. And without changing the password Bob cannot log in to the system
>>>>>>> 6. There should be a way to distinguish *user password reset* vs. *admin password reset*.
>>>>>>>
>>>>>>> But additionally, there can be enhancements to this flow by sending an OTP in an email to the user, 'Bob', and enforcing the password reset by directing to a provided link.
>>>>>>>
>>>>>>> What are your thoughts on this?
>>>>>>>
>>>>>>> [1] https://redmine.wso2.com/issues/5417
>>>>>>>
>>>>>>> Thanks!
>>>>>>> -Ayesha
>>>>>>>
>>>>>>> --
>>>>>>> *Ayesha Dissanayaka*
>>>>>>> Software Engineer,
>>>>>>> WSO2, Inc : http://wso2.com
>>>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>>>> E-Mail: [email protected]
>>>>>>
>>>>>> _______________________________________________
>>>>>> Architecture mailing list
>>>>>> [email protected]
>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Associate Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> --
> Manjula Rathnayaka
> Technical Lead
> WSO2, Inc.
> Mobile:+94 77 743 1987

--
Thanks & Regards,
*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com*
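The claim-driven flow Ayesha lays out in the thread (a write to the adminForcedPasswordReset claim fires an EventHandler, a RecoveryScenario is recorded, the account is locked until the user sets a new password, and the login authenticator checks the scenario and the OTP) as an added Python model. This is illustrative code written for this page, not WSO2 Identity Server's implementation: the class and method names, the accountLocked claim name, the scenario constants, the SHA-256 placeholder hashing and the 15-minute code lifetime are all assumptions. It exercises the points the thread argues over: only a digest of the OTP is stored, so an admin cannot read it; a self-service password change never touches the claim and so creates no scenario, which is what tells a user reset from an admin reset; the locked state clears only when a different password is set; and a disabled scenario in the governance connector refuses the trigger.

```python
"""Toy model of the admin-forced password reset flow discussed in this thread.

Added illustration only, not WSO2 Identity Server code: the class/method names,
the accountLocked claim, the scenario constants, the SHA-256 placeholder hashing
and the 15-minute code lifetime are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ADMIN_FORCED_RESET_CLAIM = "http://wso2.org/claims/identity/adminForcedPasswordReset"
ACCOUNT_LOCKED_CLAIM = "http://wso2.org/claims/identity/accountLocked"  # assumed name

# One RecoveryScenario per case in the thread (constant names assumed).
SCENARIO_OFFLINE = "ADMIN_FORCED_PASSWORD_RESET_OFFLINE"
SCENARIO_OTP = "ADMIN_FORCED_PASSWORD_RESET_VIA_OTP"
SCENARIO_EMAIL_LINK = "ADMIN_FORCED_PASSWORD_RESET_VIA_EMAIL_LINK"
CODE_TTL_SECONDS = 15 * 60  # assumed lifetime of an OTP / recovery link


def _digest(secret: str) -> str:
    """Placeholder hash for the toy; production code uses a salted password KDF."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class User:
    name: str
    password_hash: str
    claims: Dict[str, str] = field(default_factory=dict)


@dataclass
class RecoveryEntry:
    scenario: str
    code_hash: Optional[str]     # None for the offline case: no code is issued
    expires_at: Optional[float]  # None for the offline case: no expiry


class IdentityStore:
    """Users, the RecoveryScenario table and the governance-connector switches."""

    def __init__(self, connector: Dict[str, bool], now: Callable[[], float] = time.time):
        self.users: Dict[str, User] = {}
        self.recovery: Dict[str, RecoveryEntry] = {}
        self.outbox: List[tuple] = []  # (user, code) handed to the notification channel
        self.connector = connector     # scenario -> enabled, as the connector would expose it
        self.now = now

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = User(name, _digest(password))

    def _password_ok(self, user: User, password: Optional[str]) -> bool:
        return password is not None and hmac.compare_digest(user.password_hash, _digest(password))

    # Self-service change: no claim update, so the handler never runs and no
    # RecoveryScenario is created. That is what tells a user reset from an admin reset.
    def change_password(self, name: str, old: str, new: str) -> str:
        user = self.users[name]
        if not self._password_ok(user, old):
            return "INVALID_CREDENTIALS"
        user.password_hash = _digest(new)
        return "OK"

    # Admin action: the management console writes the special claim, which fires the handler.
    def set_claim(self, name: str, claim: str, value: str) -> None:
        user = self.users[name]
        if claim == ADMIN_FORCED_RESET_CLAIM:
            self._on_admin_forced_reset(user, value)  # raises before the claim is stored if disabled
        user.claims[claim] = value

    def admin_reset(self, name: str, scenario: str, temp_password: Optional[str] = None) -> None:
        if temp_password is not None:  # offline case: admin hands this password over by phone
            self.users[name].password_hash = _digest(temp_password)
        self.set_claim(name, ADMIN_FORCED_RESET_CLAIM, scenario)

    def _on_admin_forced_reset(self, user: User, scenario: str) -> None:
        if not self.connector.get(scenario, False):
            raise PermissionError(f"{scenario} is disabled in the governance connector")
        code_hash = expires_at = None
        if scenario in (SCENARIO_OTP, SCENARIO_EMAIL_LINK):
            code = secrets.token_urlsafe(24)
            code_hash = _digest(code)  # only the digest is stored, so the admin cannot read the OTP
            expires_at = self.now() + CODE_TTL_SECONDS
            self.outbox.append((user.name, code))  # email / SMS / recovery-portal link carries it
        self.recovery[user.name] = RecoveryEntry(scenario, code_hash, expires_at)
        user.claims[ACCOUNT_LOCKED_CLAIM] = "true"  # locked until the user sets a new password

    # Login authenticator: the pending scenario decides which proof is accepted.
    def authenticate(self, name: str, password: Optional[str] = None,
                     code: Optional[str] = None, new_password: Optional[str] = None) -> str:
        user = self.users.get(name)
        if user is None:
            return "INVALID_CREDENTIALS"
        entry = self.recovery.get(name)
        if entry is None:  # nothing pending: ordinary login
            return "OK" if self._password_ok(user, password) else "INVALID_CREDENTIALS"
        if entry.code_hash is None:  # offline: the admin-supplied temporary password is the proof
            if not self._password_ok(user, password):
                return "INVALID_CREDENTIALS"
        else:  # OTP / email link: the one-time code is the proof, the forgotten password is not
            if self.now() > entry.expires_at:
                return "CODE_EXPIRED"  # account stays locked; the admin has to trigger again
            if code is None or not hmac.compare_digest(entry.code_hash, _digest(code)):
                return "INVALID_CODE"
        if new_password is None:
            return "PASSWORD_RESET_REQUIRED"  # authenticator shows the reset UI, no session yet
        if entry.code_hash is None and new_password == password:
            return "PASSWORD_UNCHANGED"  # Bob cannot keep the password the admin gave him
        user.password_hash = _digest(new_password)
        del self.recovery[name]                          # RecoveryScenario entry cleaned up ...
        user.claims.pop(ACCOUNT_LOCKED_CLAIM, None)      # ... and the account unlocked
        user.claims.pop(ADMIN_FORCED_RESET_CLAIM, None)
        return "OK"
```

Two design choices worth noting against the thread. The AD "ChangePasswordAtLogon" question is answered by keeping the pending state in a separate recovery table rather than in a user-store attribute, which is what makes the flow work against a read-only LDAP. And expiry of an OTP does not unlock the account: the user stays locked out until an admin triggers the claim update again, which is the safer failure mode for a code that may have been intercepted.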
