On Tue, Oct 4, 2016 at 2:49 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
> Hi Dimuthu,
>
> On Tue, Oct 4, 2016 at 10:54 AM, Dimuthu Leelarathne <dimut...@wso2.com> wrote:
>> Hi Johann,
>>
>> Let's take the read-only case. Our current or future (C5) architecture
>> does not support claims coming from two user stores. And that is ok. But
>> ... we have this habit of adding a claim whenever we want to do a new
>> feature; is it a good idea to store system claim values in the internal DB?
>> That would make things much simpler. Thinking aloud, we can make it generic
>> and enable half the stuff to come from the internal store, but I think it is
>> an over-engineering task. IMO, if we can implement it such that system claim
>> values are coming from the internal DB, that would be great.
>
> With C5 we have this model where we can get user claims from different
> identity stores and build a single user.
> In that case we can put all system claims into an internal store.
>
> But until we go for that I think it's ok to keep it as a user claim.
> WDYT?

+1. Thanks Ishara and Johann.

-Dimuthu

> -Ishara
>
>> thanks,
>> Dimuthu
>>
>> On Mon, Oct 3, 2016 at 10:51 PM, Johann Nallathamby <joh...@wso2.com> wrote:
>>> On Mon, Oct 3, 2016 at 1:00 PM, Manjula Rathnayake <manju...@wso2.com> wrote:
>>>> Hi Ayesha,
>>>>
>>>> On Fri, Sep 30, 2016 at 3:17 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>>>>> Hi all,
>>>>>
>>>>> Based on the discussions with Johann, Darshana, Isura and myself, we
>>>>> identified the following use cases and design concerns.
>>>>>
>>>>> There are three cases of Admin Forced Password Reset action:
>>>>>
>>>>> - Admin Forced Password Reset Off-line
>>>>>   - Admin knows the password and gives it to the user offline (ex: via phone)
>>>>> - Admin Forced Password Reset via OTP
>>>>>   - OTP is sent to the user as a notification (email/sms). Admin may
>>>>>     not be able to see the OTP
>>>>> - Admin Forced Password Reset via Recovery Email
>>>>>   - Email with a link which directs to the password recovery portal
>>>>>     is sent to the user
>>>>>
>>>>> For each case above, the Admin Forced Password Reset action trigger is
>>>>> identified as a claim update.
>>>>>
>>>>> When a special claim "http://wso2.org/claims/identity/adminForcedPasswordReset"
>>>>> is updated, an EventHandler will handle the update to this particular claim.
>>>>
>>>> Do we know claims/attributes used in LDAP schemas for similar purposes?
>>>> I assume we ask the user to map the above claim to any LDAP attribute.
>>>
>>> We make it a point to use existing attributes wherever possible. I think
>>> there is an attribute in AD called "ChangePasswordAtLogon" for this purpose.
>>> However we didn't plan to use this attribute to store this value as a claim
>>> because it's a temporary value for a particular user. Also all LDAPs may not
>>> support this attribute. Plus we need to support it when the user store is
>>> connected in read-only mode also. However we will reconsider this.
>>>
>>>>> A new governance Connector will be implemented and the above three cases can
>>>>> be enabled/disabled based on system requirements.
>>>>
>>>> Is there any document or code which discusses the governance connector?
>>>>
>>>> thank you.
>>>>
>>>>> Within the EventHandler, a RecoveryScenario is set to identify the
>>>>> admin forced password reset activity. And the user account will be locked
>>>>> until the password is reset by the user.
>>>>>
>>>>> At login, inside the Login Authenticator it will look at the RecoveryScenario
>>>>> along with the OTP provided in order to prompt the password reset option to the
>>>>> user. Once the password is reset by the user, the account will be unlocked and
>>>>> the RecoveryScenario entry will be cleaned up.
>>>>>
>>>>> For the MVP1, I am implementing handling of the *Admin Forced Password Reset*
>>>>> trigger with claim update and a Handler to send an email with a password reset
>>>>> link to the user.
>>>>>
>>>>> Thanks!
>>>>> -Ayesha
>>>>>
>>>>> On Wed, Sep 28, 2016 at 12:19 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>>>>>> Hi Ishara,
>>>>>>
>>>>>> Thank you for the input. Having a similar discussion with Darshana and
>>>>>> Isura, I have started extending the askPassword implementation with the email
>>>>>> verification flow in order to trigger a password reset by capturing the "update
>>>>>> credential" event. Still, we need a mechanism to distinguish admin password
>>>>>> reset vs. user password reset.
>>>>>>
>>>>>> Thanks!
>>>>>> -Ayesha
>>>>>>
>>>>>> On Wed, Sep 28, 2016 at 12:06 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>>>> Hi Ayesha,
>>>>>>>
>>>>>>> On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne <is...@wso2.com> wrote:
>>>>>>>> Hi Ayesha,
>>>>>>>>
>>>>>>>> We can extend the Ask Password feature we developed in IS 5.3.0 to
>>>>>>>> support this feature. So, we can send a confirmation email rather than an
>>>>>>>> OTP.
>>>>>>>
>>>>>>> There can be different use cases.
>>>>>>> If we think about a call center scenario, then the customer will call the
>>>>>>> support center and ask to reset the password, and it will be communicated to
>>>>>>> the client at that time; then the user can log in and at the 1st attempt he
>>>>>>> needs to reset the password.
>>>>>>> Then we can set an additional flag in a user attribute that indicates
>>>>>>> that this password was reset by admin.
>>>>>>> And then this can be checked in the Password Policy Authenticator.
>>>>>>>
>>>>>>> And a secure way to handle this is extending the Ask Password implementation
>>>>>>> and sending an email to reset the password, or sending an OTP to the customer
>>>>>>> and enforcing a reset at 1st login.
>>>>>>> I think it is better to implement the 1st scenario and extend to these
>>>>>>> cases.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Ishara
>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Isura
>>>>>>>>
>>>>>>>> *Isura Dilhara Karunaratne*
>>>>>>>> Senior Software Engineer | WSO2
>>>>>>>> Email: is...@wso2.com
>>>>>>>> Mob : +94 772 254 810
>>>>>>>> Blog : http://isurad.blogspot.com/
>>>>>>>>
>>>>>>>> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have created public jira IDENTITY-5166
>>>>>>>>> <https://wso2.org/jira/browse/IDENTITY-5166> to track this
>>>>>>>>> implementation.
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>> -Ayesha
>>>>>>>>>
>>>>>>>>> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have started working on [1], which forces a password reset for a
>>>>>>>>>> user after an administrative password recovery action.
>>>>>>>>>>
>>>>>>>>>> Based on the off-line discussion with Darshana, this flow can be
>>>>>>>>>> as follows.
>>>>>>>>>>
>>>>>>>>>> 1. User '*Bob*' forgets his password and requests an administrative
>>>>>>>>>>    person for a password reset action
>>>>>>>>>> 2. Admin person resets the password and provides the new password
>>>>>>>>>>    to *Bob* off-line
>>>>>>>>>> 3. This can be performed using the management console
>>>>>>>>>> 4. When *Bob* tries to log in with the newly provided password,
>>>>>>>>>>    the login page should prompt the password reset UI to *Bob*
>>>>>>>>>> 5. And without changing the password Bob cannot log in to the
>>>>>>>>>>    system
>>>>>>>>>> 6. There should be a way to distinguish *user password reset*
>>>>>>>>>>    vs. *admin password reset*.
>>>>>>>>>>
>>>>>>>>>> But additionally, there can be enhancements to this flow by
>>>>>>>>>> sending an OTP in an email to the user, 'Bob', and enforcing password
>>>>>>>>>> reset by directing to a provided link.
>>>>>>>>>>
>>>>>>>>>> What are your thoughts on this?
>>>>>>>>>>
>>>>>>>>>> [1] https://redmine.wso2.com/issues/5417
>>>>>>>>>>
>>>>>>>>>> Thanks!
>>>>>>>>>> -Ayesha
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *Ayesha Dissanayaka*
>>>>>>>>>> Software Engineer,
>>>>>>>>>> WSO2, Inc : http://wso2.com
>>>>>>>>>> 20, Palmgrove Avenue, Colombo 3
>>>>>>>>>> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>>>>>>>
>>>>>>> --
>>>>>>> Ishara Karunarathna
>>>>>>> Associate Technical Lead
>>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>>
>>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com,
>>>>>>> mobile: +94717996791
>>>>
>>>> --
>>>> Manjula Rathnayaka
>>>> Technical Lead
>>>> WSO2, Inc.
>>>> Mobile:+94 77 743 1987
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+94777776950*
>>> Blog - *http://nallaa.wordpress.com*
>>
>> --
>> Dimuthu Leelarathne
>> Director, Solutions Architecture
>>
>> WSO2, Inc. (http://wso2.com)
>> email: dimut...@wso2.com
>> Mobile: +94773661935
>> Blog: http://muthulee.blogspot.com
>>
>> Lean . Enterprise . Middleware

_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
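The flow Ayesha lays out in her Sep 30 message (a claim update triggers an EventHandler, the handler locks the account and records a RecoveryScenario, the login authenticator sees the scenario and forces a reset, and a successful reset unlocks the account and cleans the scenario up), modelled end to end as an added example. This is not WSO2 Identity Server code and none of it is from the thread: `Store`, `admin_forced_reset_handler`, `login`, `complete_reset`, the 15-minute OTP lifetime and the five-attempt limit are all assumptions, and the users in the test are constructed. It models the OTP variant only; in the off-line variant the admin would also set the temporary password.

```python
# Added example, not WSO2 Identity Server code. Models the admin-forced password
# reset flow from the thread (OTP variant). All names here are hypothetical.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Claim name quoted in the thread; updating it is what triggers the handler.
ADMIN_FORCED_RESET_CLAIM = "http://wso2.org/claims/identity/adminForcedPasswordReset"
ADMIN_FORCED_SCENARIO = "ADMIN_FORCED_PASSWORD_RESET_VIA_OTP"  # distinguishes admin reset from user reset
OTP_TTL_SECONDS = 15 * 60   # assumption: OTP valid for 15 minutes
MAX_OTP_ATTEMPTS = 5        # assumption: invalidate the OTP after 5 wrong guesses


def _hash(secret: str, salt: str) -> str:
    """Salted PBKDF2 so neither passwords nor OTPs are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 50_000).hex()


@dataclass
class User:
    username: str
    salt: str
    password_hash: str
    locked: bool = False
    recovery_scenario: Optional[str] = None
    otp_hash: Optional[str] = None
    otp_expires_at: float = 0.0
    otp_attempts: int = 0
    claims: Dict[str, str] = field(default_factory=dict)


class Store:
    """Stand-in for the user store plus the claim-update event dispatch."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[username] = User(username, salt, _hash(password, salt))

    def update_claim(self, username: str, claim: str, value: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Returns the OTP when the admin-forced-reset claim is set, else None."""
        user = self.users[username]
        user.claims[claim] = value
        if claim == ADMIN_FORCED_RESET_CLAIM and value.lower() == "true":
            return admin_forced_reset_handler(user, now)
        return None


def admin_forced_reset_handler(user: User, now: Optional[float] = None) -> str:
    """EventHandler: lock the account, record the scenario, issue a one-time OTP.
    The OTP is returned so the caller can deliver it by email/SMS; only its hash is kept,
    so an admin reading the store cannot learn it."""
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    user.locked = True
    user.recovery_scenario = ADMIN_FORCED_SCENARIO
    user.otp_hash = _hash(otp, user.salt)
    user.otp_expires_at = (now if now is not None else time.time()) + OTP_TTL_SECONDS
    user.otp_attempts = 0
    return otp


def login(store: Store, username: str, password: str) -> str:
    """Login authenticator: a correct password on an account locked by the admin-forced
    scenario leads to the reset prompt, never to a session."""
    user = store.users.get(username)
    if user is None or not hmac.compare_digest(_hash(password, user.salt), user.password_hash):
        return "DENIED"
    if user.locked:
        return "RESET_REQUIRED" if user.recovery_scenario == ADMIN_FORCED_SCENARIO else "LOCKED"
    return "OK"


def complete_reset(store: Store, username: str, otp: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consume the OTP, set the new password, unlock, and clean up the scenario."""
    user = store.users.get(username)
    if user is None or user.recovery_scenario != ADMIN_FORCED_SCENARIO or user.otp_hash is None:
        return False
    now = now if now is not None else time.time()
    if now > user.otp_expires_at:
        user.otp_hash = None       # expired: account stays locked, admin must trigger again
        return False
    if not hmac.compare_digest(_hash(otp, user.salt), user.otp_hash):
        user.otp_attempts += 1
        if user.otp_attempts >= MAX_OTP_ATTEMPTS:
            user.otp_hash = None   # too many guesses: OTP invalidated, account stays locked
        return False
    user.salt = secrets.token_hex(8)                 # fresh salt for the new password
    user.password_hash = _hash(new_password, user.salt)
    user.locked = False
    user.recovery_scenario = None                    # RecoveryScenario entry cleaned up
    user.otp_hash = None                             # OTP is single use
    user.otp_expires_at = 0.0
    user.otp_attempts = 0
    user.claims.pop(ADMIN_FORCED_RESET_CLAIM, None)  # trigger claim cleared as well
    return True
```

The points the thread's design hinges on are visible in the state handling: the old or admin-provided password never yields a session while the scenario is set, the OTP is hashed, time-bounded, single use and attempt-limited, and the scenario value (rather than the bare lock flag) is what tells an admin-forced reset apart from any other lock.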