On Tue, Oct 4, 2016 at 11:25 AM, Manjula Rathnayake <[email protected]>
wrote:

> Hi all,
>
> It is not clear to me how the password reset operation is valid for
> read-only user stores. Is it a valid use case?
>
>
Just took an example. But the generic idea is that we take user claims to store
stuff. So we can consider these as system-specific things and store them in the
internal user store.


> Thank you.
>
> On Tue, Oct 4, 2016 at 10:54 AM, Dimuthu Leelarathne <[email protected]>
> wrote:
>
>> Hi Johann,
>>
>> Let's take the read-only case. Our current or future (C5) architecture
>> does not support claims coming from two user stores. And that is OK. But
>> ... we have this habit of adding a claim whenever we want to do a new
>> feature; is it a good idea to store system claim values in the internal DB?
>> That would make things much simpler. Thinking aloud, we can make it generic
>> and enable half the stuff to come from the internal store, but I think it is an
>> over-engineering task. IMO, if we can implement it such that system claim
>> values come from the internal DB, that would be great.
>>
>> thanks,
>> Dimuthu
>>
>>
>> On Mon, Oct 3, 2016 at 10:51 PM, Johann Nallathamby <[email protected]>
>> wrote:
>>
>>>
>>>
>>> On Mon, Oct 3, 2016 at 1:00 PM, Manjula Rathnayake <[email protected]>
>>> wrote:
>>>
>>>> Hi Ayesha,
>>>>
>>>> On Fri, Sep 30, 2016 at 3:17 PM, Ayesha Dissanayaka <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Based on the discussions with Johann, Darshana, Isura and myself, we
>>>>> identified the following use cases and design concerns.
>>>>>
>>>>> There are three cases of Admin Forced Password Reset action:
>>>>>
>>>>>    - Admin Forced Password Reset Off-line
>>>>>       - Admin knows the password and gives it to the user offline (ex: via
>>>>>       phone)
>>>>>    - Admin Forced Password Reset via OTP
>>>>>       - OTP is sent to the user as a notification (email/SMS). Admin may
>>>>>       not be able to see the OTP
>>>>>    - Admin Forced Password Reset via Recovery Email
>>>>>       - Email with a link which directs to the password recovery portal
>>>>>       is sent to the user
>>>>>
>>>>> For each case above, the Admin Forced Password Reset action trigger is
>>>>> identified as a claim update.
>>>>>
>>>>> When a special claim
>>>>> "http://wso2.org/claims/identity/adminForcedPasswordReset" is updated,
>>>>> an EventHandler will handle the update to this particular claim.
>>>>>
>>>> Do we know claims/attributes used in LDAP schemas for similar purposes?
>>>> I assume we ask the user to map the above claim to any LDAP attribute.
>>>>
>>>
>>> We make it a point to use existing attributes wherever possible. I think
>>> there is an attribute in AD called "ChangePasswordAtLogon" for this purpose.
>>> However, we didn't plan to use this attribute to store this value as a claim
>>> because it's a temporary value for a particular user. Also, all LDAPs may not
>>> support this attribute. Plus we need to support it when the user store is
>>> connected in read-only mode also. However, we will reconsider this.
>>>
>>>>> A new governance Connector will be implemented and the above three cases can
>>>>> be enabled/disabled based on system requirements.
>>>>>
>>>> Is there any document or code which discusses the governance connector?
>>>>
>>>> Thank you.
>>>>
>>>>> Within the EventHandler, a RecoveryScenario is set to identify the
>>>>> admin forced password reset activity. And the user account will be locked
>>>>> until the password is reset by the user.
>>>>>
>>>>> At login, inside the Login Authenticator it will look at the RecoveryScenario
>>>>> along with the OTP provided in order to prompt the password reset option to
>>>>> the user. Once the password is reset by the user, the account will be
>>>>> unlocked and the RecoveryScenario entry will be cleaned up.
>>>>>
>>>>> For the MVP1, I am implementing handling of the *Admin Forced Password Reset*
>>>>> trigger with a claim update and a Handler to send an email with a password
>>>>> reset link to the user.
>>>>>
>>>>> Thanks!
>>>>> -Ayesha
>>>>>
>>>>>
>>>>> On Wed, Sep 28, 2016 at 12:19 PM, Ayesha Dissanayaka <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi Ishara,
>>>>>>
>>>>>> Thank you for the input. Having had a similar discussion with Darshana and
>>>>>> Isura, I have started extending the askPassword implementation with an email
>>>>>> verification flow in order to trigger a password reset by capturing the
>>>>>> "update credential" event. Still, we need a mechanism to distinguish admin
>>>>>> password reset vs. user password reset.
>>>>>>
>>>>>> Thanks!
>>>>>> -Ayesha
>>>>>>
>>>>>>
>>>>>> On Wed, Sep 28, 2016 at 12:06 PM, Ishara Karunarathna <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi Ayesha,
>>>>>>>
>>>>>>> On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Ayesha,
>>>>>>>>
>>>>>>>> We can extend the Ask Password feature we developed in IS 5.3.0 to
>>>>>>>> support this feature. So, we can send a confirmation email rather than
>>>>>>>> an OTP.
>>>>>>>>
>>>>>>> There can be different use cases.
>>>>>>> If we think about a call center scenario, then the customer will call the
>>>>>>> support center and ask to reset the password, and the support center will
>>>>>>> communicate that to the client at that time; then the user can log in and
>>>>>>> on the 1st attempt he needs to reset the password.
>>>>>>> Then we can set an additional flag in a user attribute that indicates
>>>>>>> that this password was reset by the admin.
>>>>>>> And then this can be checked in the Password Policy Authenticator.
>>>>>>>
>>>>>>> And a secure way to handle this is extending the Ask Password implementation
>>>>>>> and sending an email to reset the password, or sending an OTP to the customer
>>>>>>> and enforcing a reset on the 1st login.
>>>>>>> I think it is better to implement the 1st scenario and extend to these
>>>>>>> cases.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Ishara
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Isura
>>>>>>>>
>>>>>>>>
>>>>>>>> *Isura Dilhara Karunaratne*
>>>>>>>> Senior Software Engineer | WSO2
>>>>>>>> Email: [email protected]
>>>>>>>> Mob : +94 772 254 810
>>>>>>>> Blog : http://isurad.blogspot.com/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have created public jira IDENTITY-5166
>>>>>>>>> <https://wso2.org/jira/browse/IDENTITY-5166> to track this
>>>>>>>>> implementation.
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>> -Ayesha
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka <
>>>>>>>>> [email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have started working on [1], which forces a password reset for a
>>>>>>>>>> user after an administrative password recovery action.
>>>>>>>>>>
>>>>>>>>>> Based on the off-line discussion with Darshana, this flow can be
>>>>>>>>>> as follows.
>>>>>>>>>>
>>>>>>>>>>    1. User '*Bob*' forgets his password and requests an administrative
>>>>>>>>>>    person for a password reset action
>>>>>>>>>>    2. Admin person resets the password and provides a new password
>>>>>>>>>>    to *Bob* off-line
>>>>>>>>>>    3. This can be performed using the management console
>>>>>>>>>>    4. When *Bob* tries to log in with the newly provided password,
>>>>>>>>>>    the login page should prompt the password reset UI to *Bob*
>>>>>>>>>>    5. And without changing the password Bob cannot log in to the
>>>>>>>>>>    system
>>>>>>>>>>    6. There should be a way to distinguish *user password reset*
>>>>>>>>>>    vs. *admin password reset*.
>>>>>>>>>>
>>>>>>>>>> But additionally, there can be enhancements to this flow by
>>>>>>>>>> sending an OTP in an email to the user 'Bob' and enforcing a password
>>>>>>>>>> reset by directing to a provided link.
>>>>>>>>>>
>>>>>>>>>> What are your thoughts on this?
>>>>>>>>>>
>>>>>>>>>> [1] https://redmine.wso2.com/issues/5417
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>> -Ayesha
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *Ayesha Dissanayaka*
>>>>>>>>>> Software Engineer,
>>>>>>>>>> WSO2, Inc : http://wso2.com
>>>>>>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>>>>>>> E-Mail: [email protected]
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Architecture mailing list
>>>>>>>>> [email protected]
>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Ishara Karunarathna
>>>>>>> Associate Technical Lead
>>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>>
>>>>>>> email: [email protected],   blog: isharaaruna.blogspot.com,
>>>>>>> mobile: +94717996791
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Manjula Rathnayaka
>>>> Technical Lead
>>>> WSO2, Inc.
>>>> Mobile:+94 77 743 1987
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+94777776950*
>>> Blog - http://nallaa.wordpress.com
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>


-- 
Dimuthu Leelarathne
Director, Solutions Architecture

WSO2, Inc. (http://wso2.com)
email: [email protected]
Mobile: +94773661935
Blog: http://muthulee.blogspot.com

Lean . Enterprise . Middleware
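The admin-forced reset flow Ayesha describes above (a special claim update handled by an EventHandler that locks the account and sets a RecoveryScenario, a login check that needs the out-of-band OTP before prompting the reset, then unlock and clean-up), with the system claims kept in an internal store as Dimuthu suggests, as an added Python model. This is not WSO2 Identity Server code; the RecoveryScenario label, the store layout, the `digest` helper and all sample values are assumptions.

```python
import hashlib
import secrets

# Constructed model of the flow discussed in this thread; not WSO2 Identity Server code.
FORCED_RESET_CLAIM = "http://wso2.org/claims/identity/adminForcedPasswordReset"
ADMIN_FORCED_RESET = "ADMIN_FORCED_PASSWORD_RESET"  # RecoveryScenario label (assumed name)


def digest(secret: str) -> str:
    # Stand-in for the user store's credential hashing; enough for the model.
    return hashlib.sha256(secret.encode()).hexdigest()


class ForcedResetModel:
    def __init__(self, credentials: dict):
        self.credentials = credentials  # username -> password digest (the user store)
        # System claims (lock, scenario, OTP) live in an internal store, so the flow
        # needs no LDAP attribute and works when the user store is read-only.
        self.internal = {}

    def update_claim(self, user: str, claim: str, value: str):
        """Claim-update entry point; the EventHandler reacts only to the special claim."""
        if claim == FORCED_RESET_CLAIM and value == "true":
            otp = secrets.token_urlsafe(16)  # delivered out of band; the admin never sees it
            self.internal[user] = {"locked": True, "scenario": ADMIN_FORCED_RESET,
                                   "otp": digest(otp)}
            return otp  # returned only so the model can simulate delivery to the user
        return None

    def login(self, user: str, password: str, otp: str = None) -> str:
        """What the Login Authenticator decides: OK, RESET_REQUIRED or DENIED."""
        if self.credentials.get(user) != digest(password):
            return "DENIED"
        state = self.internal.get(user)
        if state is None:
            return "OK"
        if (state["scenario"] == ADMIN_FORCED_RESET and otp is not None
                and secrets.compare_digest(digest(otp), state["otp"])):
            return "RESET_REQUIRED"  # prompt the reset UI; the password alone is not enough
        return "DENIED"  # account stays locked until the user completes the reset

    def reset_password(self, user: str, old_password: str, otp: str, new_password: str) -> bool:
        """Completes the scenario: store the new password, unlock, drop the entry."""
        if self.login(user, old_password, otp) != "RESET_REQUIRED":
            return False
        if new_password == old_password:
            return False  # the admin-provided password must actually be replaced
        self.credentials[user] = digest(new_password)
        del self.internal[user]  # unlock and clean up the RecoveryScenario entry
        return True
```

The OTP digest rather than the OTP itself is what the internal store keeps, so a read of that store does not reveal the one-time value.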