On Sun, Mar 12, 2017 at 7:44 AM, Gayan Gunawardana <[email protected]> wrote:

> Hi All,
>
> We are in the process of implementing the password history validation
> feature for IS 6.0.0. The architecture of this feature was previously
> discussed in [1] by Isura for IS 5.3.0. We plan to follow the same
> architecture with minor changes.
>
> Previously, history validation was done by checking only the last 'n'
> attempts, e.g. you cannot use a password which is inside the last 5
> attempts. This time we additionally validate the time factor as well,
> e.g. you cannot use a password if there is a similar password with a
> created date inside the last 7 days.
>

Can I assume the following?

- As Identity Admin (IA) I don't want to make any restriction on new
passwords.

- As Identity Admin (IA) I can restrict users from using the same password
again during the next 'N' password change attempts.

- As IA I can restrict users from using the same password again during a 'T'
time duration in the future regardless of the number of attempts (check only
the time duration).

- As IA I can restrict users from using the same password again during the
next 'N' password change attempts within a 'T' time duration.

- As IA I can configure the values for the above "N" and "T" using the
deployment.yaml file.


Also, some different questions about password management:

- As IA, can I force "all the users" in the system to change their password
after a "T" duration? After this "T" duration, when they log in again with the
current password they will be redirected to the update password page of the
user portal; without completing this step the user can't perform any other
actions. Additionally, I should be able to apply one of the above rules when
changing the password.

- IA should be able to configure the above "T" value using the deployment.yaml file.

- IA should be able to apply the above rule only to a selected set of users of
the system, say one or more groups.

- IA should be able to configure different values for the above "T" on a
per-group basis.


Thanks !


>
> The table structure will be changed as below since we have a unique user ID
> in C5.
>
> *Previous*
>
> CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
>   ID INTEGER NOT NULL AUTO_INCREMENT,
>   USER_NAME   VARCHAR(255) NOT NULL,
>   USER_DOMAIN VARCHAR(127) NOT NULL,
>   TENANT_ID   INTEGER DEFAULT -1,
>   SALT_VALUE  VARCHAR(255),
>   HASH        VARCHAR(255) NOT NULL,
>   TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>   PRIMARY KEY(ID),
>   UNIQUE (USER_NAME,USER_DOMAIN,TENANT_ID,SALT_VALUE,HASH)
> )ENGINE INNODB;
>
>
> *New*
> CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
>   ID INTEGER NOT NULL AUTO_INCREMENT,
>   USER_UNIQUE_ID   VARCHAR(255) NOT NULL,
>   SALT_VALUE  VARCHAR(255),
>   HASH        VARCHAR(255) NOT NULL,
>   TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>   PRIMARY KEY(ID),
>   -- USER_NAME, USER_DOMAIN and TENANT_ID no longer exist in this table;
>   -- the uniqueness key is the unique user ID plus the salted hash.
>   UNIQUE (USER_UNIQUE_ID,SALT_VALUE,HASH)
> )ENGINE INNODB;
>
> The password hashing algorithm will be a configurable property.
>
> [1] [Architecture] Force Password Reset and Password History validation
>
> Thanks,
> Gayan
>
> --
> Gayan Gunawardana
> Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: [email protected]
> Mobile: +94 (71) 8020933
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Sagara Gunathunga

Associate Director / Architect; WSO2, Inc.;  http://wso2.com
V.P Apache Web Services;    http://ws.apache.org/
Linkedin; http://www.linkedin.com/in/ssagara
Blog ;  http://ssagara.blogspot.com
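The count window ('N') and time window ('T') described in the quoted proposal and in the assumptions listed above, as an added model in Python. This is not WSO2 Identity Server code: the in-memory store stands in for IDN_PASSWORD_HISTORY_DATA keyed by USER_UNIQUE_ID, PBKDF2-HMAC-SHA256 stands in for whatever hashing algorithm is configured, the combined "N attempts within T duration" rule is taken to be the intersection of the two windows (an assumption; the thread does not settle it), and the user's history is constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HistoryEntry:
    """One row of the history table: per-row salt, hash and creation time."""
    salt: bytes
    digest: bytes
    time_created: datetime


@dataclass(frozen=True)
class HistoryPolicy:
    """N and T as an admin would set them; None disables that dimension."""
    count: Optional[int] = None   # N: last N password-change attempts
    days: Optional[int] = None    # T: time window, in days


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the configurable algorithm.
    # The iteration count is kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class PasswordHistoryStore:
    """In-memory stand-in for IDN_PASSWORD_HISTORY_DATA, keyed by USER_UNIQUE_ID."""

    def __init__(self) -> None:
        self._rows: Dict[str, List[HistoryEntry]] = {}

    def record(self, user_id: str, password: str, when: datetime) -> None:
        salt = os.urandom(16)  # fresh salt per history row, as in the schema
        self._rows.setdefault(user_id, []).append(
            HistoryEntry(salt, hash_password(password, salt), when))

    def newest_first(self, user_id: str) -> List[HistoryEntry]:
        return sorted(self._rows.get(user_id, []),
                      key=lambda e: e.time_created, reverse=True)


def entries_in_scope(entries: List[HistoryEntry], policy: HistoryPolicy,
                     now: datetime) -> List[HistoryEntry]:
    """Select the history rows a new password must not match.

    No N and no T: no restriction at all.  N only: the last N rows.
    T only: every row created within the last T days.  Both: the last N
    rows, restricted to those created within T days (assumed intersection).
    """
    if policy.count is None and policy.days is None:
        return []
    scoped = entries  # newest first
    if policy.count is not None:
        scoped = scoped[: policy.count]
    if policy.days is not None:
        cutoff = now - timedelta(days=policy.days)
        scoped = [e for e in scoped if e.time_created >= cutoff]
    return scoped


def is_reused(store: PasswordHistoryStore, user_id: str, new_password: str,
              policy: HistoryPolicy, now: datetime) -> bool:
    """True if new_password equals a password inside the policy's window.

    Every row carries its own salt, so the candidate is re-hashed once per
    row in scope: the cost of the check grows linearly with N.
    """
    for entry in entries_in_scope(store.newest_first(user_id), policy, now):
        if hmac.compare_digest(hash_password(new_password, entry.salt), entry.digest):
            return True
    return False


def demo() -> Dict[str, bool]:
    """Constructed history for one user; returns the verdict of each policy mode."""
    store = PasswordHistoryStore()
    now = datetime(2017, 3, 12, 8, 0, 0)
    store.record("u-1", "winter2016", now - timedelta(days=40))  # oldest
    store.record("u-1", "spring2017", now - timedelta(days=20))
    store.record("u-1", "march2017", now - timedelta(days=2))    # newest
    return {
        "no_policy": is_reused(store, "u-1", "march2017", HistoryPolicy(), now),
        "last_2_old": is_reused(store, "u-1", "winter2016", HistoryPolicy(count=2), now),
        "last_2_recent": is_reused(store, "u-1", "spring2017", HistoryPolicy(count=2), now),
        "7_days_old": is_reused(store, "u-1", "spring2017", HistoryPolicy(days=7), now),
        "7_days_recent": is_reused(store, "u-1", "march2017", HistoryPolicy(days=7), now),
        "last_3_within_7_days": is_reused(store, "u-1", "spring2017",
                                          HistoryPolicy(count=3, days=7), now),
        "last_2_within_30_days": is_reused(store, "u-1", "spring2017",
                                           HistoryPolicy(count=2, days=30), now),
    }


if __name__ == "__main__":
    for mode, rejected in demo().items():
        print(f"{mode}: {'reject' if rejected else 'accept'}")
```

Two practical points the model makes visible: because each history row has its own SALT_VALUE, a history check costs N hash computations of the configured algorithm, so a large 'N' combined with a slow hash adds measurable latency to every password change; and the UNIQUE (USER_UNIQUE_ID, SALT_VALUE, HASH) constraint only de-duplicates rows when the salt repeats, so with a fresh random salt per row the same password can legitimately appear in several rows and the count/time logic above, not the constraint, is what enforces the policy.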