On Thu, Mar 16, 2017 at 8:44 PM, Sagara Gunathunga <[email protected]> wrote:
> On Sun, Mar 12, 2017 at 7:44 AM, Gayan Gunawardana <[email protected]> wrote:
>
>> Hi All,
>>
>> We are in the process of implementing the password history validation
>> feature for IS 6.0.0. The architecture of this feature was previously
>> discussed in [1] by Isura for IS 5.3.0. We plan to follow the same
>> architecture with minor changes.
>>
>> Previously, history validation has been done by checking only the last 'n'
>> number of attempts. Ex. you cannot use a password which is within the last
>> 5 attempts. This time we additionally validate a time factor as well. Ex.
>> you cannot use a password if there is a similar password with a created
>> date within the last 7 days.
>>
>
> Can I assume the following?
>
> - As Identity Admin (IA) I don't want to make any restriction on new
> passwords.
>
Yes

> - As Identity Admin (IA) I can restrict not to use the same password again
> during the next 'N' number of password change attempts.
>
Yes

> - As IA I can restrict not to use the same password again during 'T' time
> duration in future regardless of the number of attempts (check only time
> duration).
>
Yes

> - As IA I can restrict not to use the same password again during the next
> 'N' number of password change attempts within 'T' time duration.
>
This is somewhat we need to think about, where both restrictions (time and
attempts) need to be satisfied in order to restrict.

> - As IA I can configure values for the above "N" and "T" using the
> deployment.yaml file.
>
Yes

>
> Also, different questions about password management:
>
> - As IA can I force "all the users" in the system to change their password
> after "T" duration? After this "T" duration, when they log in back with the
> current password they will be redirected to the update password page of the
> user portal; without completing this step the user can't perform any other
> actions. Additionally I should be able to apply one of the above rules when
> changing the password.
>
> - IA should be able to configure the above "T" value using the
> deployment.yaml file.
>
> - IA should be able to apply the above rule only for a selected set of
> users of the system, say one or more groups.
>
> - IA should be able to configure different values for the above "T" on a
> per group basis.
>
I think this is about the password expiry feature; we may need to discuss it
separately.

>
> Thanks!
>
>
>> Table structure will be changed as below since we have a unique user ID
>> in C5.
>>
>> *Previous*
>>
>> CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
>>   ID INTEGER NOT NULL AUTO_INCREMENT,
>>   USER_NAME VARCHAR(255) NOT NULL,
>>   USER_DOMAIN VARCHAR(127) NOT NULL,
>>   TENANT_ID INTEGER DEFAULT -1,
>>   SALT_VALUE VARCHAR(255),
>>   HASH VARCHAR(255) NOT NULL,
>>   TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>>   PRIMARY KEY(ID),
>>   UNIQUE (USER_NAME, USER_DOMAIN, TENANT_ID, SALT_VALUE, HASH)
>> ) ENGINE=INNODB;
>>
>>
>> *New*
>>
>> CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
>>   ID INTEGER NOT NULL AUTO_INCREMENT,
>>   USER_UNIQUE_ID VARCHAR(255) NOT NULL,
>>   SALT_VALUE VARCHAR(255),
>>   HASH VARCHAR(255) NOT NULL,
>>   TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>>   PRIMARY KEY(ID),
>>   UNIQUE (USER_UNIQUE_ID, SALT_VALUE, HASH)
>> ) ENGINE=INNODB;
>>
>> The password hashing algorithm will be a configurable property.
>>
>> [1] [Architecture] Force Password Reset and Password History validation
>>
>> Thanks,
>> Gayan
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: [email protected]
>> Mobile: +94 (71) 8020933
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> Sagara Gunathunga
>
> Associate Director / Architect; WSO2, Inc.; http://wso2.com
> V.P Apache Web Services; http://ws.apache.org/
> Linkedin; http://www.linkedin.com/in/ssagara
> Blog ; http://ssagara.blogspot.com
>
>

--
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: [email protected]
Mobile: +94 (71) 8020933
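The three validation modes discussed in the thread (last 'N' attempts only, last 'T' duration only, and both together) as an added, self-contained example; this is not WSO2 Identity Server code and not the implementation Gayan describes. It assumes an SQLite rendering of the proposed IDN_PASSWORD_HISTORY_DATA table, PBKDF2-HMAC-SHA256 as a stand-in for the configurable hashing algorithm, and interprets the combined mode as the intersection of both restrictions (a password is rejected only if it is among the last N changes and was created within T). The user id, passwords and timestamps are constructed sample data. The practical points it shows: a per-row salt means the candidate password must be re-hashed against every row in scope, the comparison is done in constant time, and the time window is applied to TIME_CREATED rather than to row position.

```python
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: the MySQL DDL proposed in the thread, translated to SQLite
# types so the example runs offline with an in-memory database.
SCHEMA = """
CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    USER_UNIQUE_ID TEXT NOT NULL,
    SALT_VALUE TEXT,
    HASH TEXT NOT NULL,
    TIME_CREATED TEXT NOT NULL,
    UNIQUE (USER_UNIQUE_ID, SALT_VALUE, HASH)
);
"""


def hash_password(password, salt_hex, iterations=100_000):
    """PBKDF2-HMAC-SHA256 stands in here for the 'configurable hashing algorithm'."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), iterations
    ).hex()


class PasswordHistoryStore:
    """Records password hashes and answers 'was this password used recently?'."""

    def __init__(self, conn):
        self.conn = conn
        self.conn.executescript(SCHEMA)

    def record(self, user_id, password, created_at):
        # A fresh random salt per history row, so equal passwords never share a hash.
        salt_hex = os.urandom(16).hex()
        self.conn.execute(
            "INSERT INTO IDN_PASSWORD_HISTORY_DATA "
            "(USER_UNIQUE_ID, SALT_VALUE, HASH, TIME_CREATED) VALUES (?, ?, ?, ?)",
            (user_id, salt_hex, hash_password(password, salt_hex), created_at.isoformat()),
        )
        self.conn.commit()

    def is_reused(self, user_id, candidate, now, count=None, duration=None):
        """True if `candidate` matches a history row selected by the active rule.

        count=None, duration=None : no restriction (never reused)
        count=N                   : the last N passwords are off limits
        duration=T                : passwords created within the last T are off limits
        both                      : a row must be among the last N AND created within T
        """
        if count is None and duration is None:
            return False
        rows = self.conn.execute(
            "SELECT SALT_VALUE, HASH, TIME_CREATED FROM IDN_PASSWORD_HISTORY_DATA "
            "WHERE USER_UNIQUE_ID = ? ORDER BY TIME_CREATED DESC, ID DESC",
            (user_id,),
        ).fetchall()
        if count is not None:
            rows = rows[:count]  # newest N rows
        if duration is not None:
            cutoff = now - duration
            rows = [r for r in rows if datetime.fromisoformat(r[2]) >= cutoff]
        # Each row has its own salt, so the candidate is re-hashed per row and
        # compared in constant time.
        return any(
            hmac.compare_digest(hash_password(candidate, salt_hex), stored)
            for salt_hex, stored, _ in rows
        )


def demo():
    """Constructed sample history: six changes for one user over ten days."""
    now = datetime(2017, 3, 16, tzinfo=timezone.utc)
    store = PasswordHistoryStore(sqlite3.connect(":memory:"))
    user = "user-uuid-1234"  # constructed placeholder for a C5 unique user id
    for pw, days_ago in [("pw1", 10), ("pw2", 9), ("pw3", 8), ("pw4", 6), ("pw5", 3), ("pw6", 1)]:
        store.record(user, pw, now - timedelta(days=days_ago))

    def check(pw, **rule):
        return store.is_reused(user, pw, now, **rule)

    week = timedelta(days=7)
    return {
        "unrestricted_pw6": check("pw6"),                   # no rule configured
        "last5_pw1": check("pw1", count=5),                 # 6th most recent
        "last5_pw2": check("pw2", count=5),                 # 5th most recent
        "within7d_pw3": check("pw3", duration=week),        # 8 days old
        "within7d_pw4": check("pw4", duration=week),        # 6 days old
        "both_pw2": check("pw2", count=5, duration=week),   # in last 5, but 9 days old
        "both_pw4": check("pw4", count=5, duration=week),   # in last 5 and within 7 days
        "fresh": check("brand-new-password", count=5, duration=week),
    }


if __name__ == "__main__":
    for rule, reused in demo().items():
        print(f"{rule}: {reused}")
```

Because every stored row carries its own salt, the cost of a check grows with the number of rows in scope, which is one reason to bound the history by N or T in the query rather than scanning a user's entire history.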
