On Sun, Mar 19, 2017 at 11:28 AM, Gayan Gunawardana <[email protected]> wrote:
> On Thu, Mar 16, 2017 at 8:44 PM, Sagara Gunathunga <[email protected]> wrote:
>
>> On Sun, Mar 12, 2017 at 7:44 AM, Gayan Gunawardana <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> We are in the process of implementing the password history validation
>>> feature for IS 6.0.0. The architecture of this feature was previously
>>> discussed in [1] by Isura for IS 5.3.0. We plan to follow the same
>>> architecture with minor changes.
>>>
>>> Previously, history validation has been done by checking only the last
>>> 'n' attempts. Ex. you cannot use a password which is inside the last 5
>>> attempts. This time we additionally validate the time factor as well.
>>> Ex. you cannot use a password if there is a similar password with a
>>> created date inside the last 7 days.
>>
>> Can I assume the following?
>>
>> - As Identity Admin (IA) I don't want to make any restriction on new
>> passwords.
>
> Yes
>
>> - As Identity Admin (IA) I can restrict not to use the same password again
>> during the next 'N' password change attempts.
>
> Yes
>
>> - As IA I can restrict not to use the same password again during 'T' time
>> duration in future regardless of the number of attempts (check only time
>> duration).
>
> Yes
>
>> - As IA I can restrict not to use the same password again during the next
>> 'N' password change attempts within 'T' time duration.
>
> This is something we need to think about, where both restrictions (time
> and attempts) need to be satisfied in order to restrict.
>
>> - As IA I can configure values for the above "N" and "T" using the
>> deployment.yaml file.
>
> Yes
>
>> Also, different questions about password management:
>>
>> - As IA can I force "all the users" in the system to change their
>> password after "T" duration? After this "T" duration, when they log in
>> back with the current password they will be redirected to the update
>> password page of the user portal; without completing this step the user
>> can't perform any other actions. Additionally I should be able to apply
>> one of the above rules when changing the password.
>>
>> - IA should be able to configure the above "T" value using the
>> deployment.yaml file.
>>
>> - IA should be able to apply the above rule only for a selected set of
>> users of the system, say one or more groups.
>>
>> - IA should be able to configure different values for the above "T" on a
>> per-group basis.
>
> I think this is about the password expiry feature; we may need to discuss
> it separately.

According to the way we break down features this can belong to another
epic/feature, but from the users' point of view this is an expectation of
password management as a whole. Can you please validate whether we have
already tracked this story in Redmine? If not, please add a new entry for
tracking purposes. Thanks!

>> Thanks !
>>
>>> Table structure will be changed as below since we have a unique user ID
>>> in C5.
>>>
>>> *Previous*
>>>
>>> CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
>>>     ID INTEGER NOT NULL AUTO_INCREMENT,
>>>     USER_NAME VARCHAR(255) NOT NULL,
>>>     USER_DOMAIN VARCHAR(127) NOT NULL,
>>>     TENANT_ID INTEGER DEFAULT -1,
>>>     SALT_VALUE VARCHAR(255),
>>>     HASH VARCHAR(255) NOT NULL,
>>>     TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>>>     PRIMARY KEY(ID),
>>>     UNIQUE (USER_NAME, USER_DOMAIN, TENANT_ID, SALT_VALUE, HASH)
>>> ) ENGINE INNODB;
>>>
>>> *New*
>>>
>>> CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
>>>     ID INTEGER NOT NULL AUTO_INCREMENT,
>>>     USER_UNIQUE_ID VARCHAR(255) NOT NULL,
>>>     SALT_VALUE VARCHAR(255),
>>>     HASH VARCHAR(255) NOT NULL,
>>>     TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
>>>     PRIMARY KEY(ID),
>>>     -- the unique key now uses the columns that exist in this table
>>>     UNIQUE (USER_UNIQUE_ID, SALT_VALUE, HASH)
>>> ) ENGINE INNODB;
>>>
>>> The password hashing algorithm will be a configurable property.
>>>
>>> [1] [Architecture] Force Password Reset and Password History validation
>>>
>>> Thanks,
>>> Gayan
>>>
>>> --
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: [email protected]
>>> Mobile: +94 (71) 8020933

--
Sagara Gunathunga

Associate Director / Architect; WSO2, Inc.; http://wso2.com
V.P Apache Web Services; http://ws.apache.org/
Linkedin; http://www.linkedin.com/in/ssagara
Blog ; http://ssagara.blogspot.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
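The thread leaves open how the three policy shapes (last 'N' attempts, last 'T' time window, and the combined case Gayan raised where both must hold before a reuse is rejected) behave against one history table. The following is an added worked example, not WSO2 code and not the implementation discussed in the thread: it builds a SQLite rendering of the "New" IDN_PASSWORD_HISTORY_DATA table, records a constructed change history for one user, and evaluates a candidate password under each mode. PBKDF2-HMAC-SHA256 with a per-row salt stands in for the "configurable hashing algorithm"; the `POLICY` keys, the user ID, the passwords and the dates are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-ins for the 'N' and 'T' settings the thread would read
# from deployment.yaml (hypothetical keys, not the project's configuration).
# mode: "count" (last N changes), "time" (last T), "both" (must be inside N and T)
POLICY = {"count": 5, "time": timedelta(days=7), "mode": "both"}

# Hashing is a configurable property in the thread; PBKDF2 is an assumption here.
# Iterations kept low so the demo runs quickly; production uses a higher work factor.
HASH_ALGORITHM = "sha256"
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2 digest, hex encoded so it fits the HASH VARCHAR column."""
    digest = hashlib.pbkdf2_hmac(HASH_ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return digest.hex()


def create_schema(conn: sqlite3.Connection) -> None:
    # SQLite rendering of the 'New' table; AUTO_INCREMENT / ENGINE INNODB are MySQL-only.
    conn.execute(
        """
        CREATE TABLE IF NOT EXISTS IDN_PASSWORD_HISTORY_DATA (
            ID INTEGER PRIMARY KEY AUTOINCREMENT,
            USER_UNIQUE_ID VARCHAR(255) NOT NULL,
            SALT_VALUE VARCHAR(255),
            HASH VARCHAR(255) NOT NULL,
            TIME_CREATED TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
            UNIQUE (USER_UNIQUE_ID, SALT_VALUE, HASH)
        )
        """
    )


def record_password(conn: sqlite3.Connection, user_id: str, password: str, created: datetime) -> None:
    """Store a fresh salt + hash for a completed password change."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO IDN_PASSWORD_HISTORY_DATA (USER_UNIQUE_ID, SALT_VALUE, HASH, TIME_CREATED) "
        "VALUES (?, ?, ?, ?)",
        (user_id, salt.hex(), hash_password(password, salt), created.isoformat(sep=" ")),
    )


def is_password_allowed(conn: sqlite3.Connection, user_id: str, candidate: str,
                        policy: dict, now: datetime) -> bool:
    """True when the candidate does not collide with any history row the policy covers."""
    rows = conn.execute(
        "SELECT SALT_VALUE, HASH, TIME_CREATED FROM IDN_PASSWORD_HISTORY_DATA "
        "WHERE USER_UNIQUE_ID = ? ORDER BY TIME_CREATED DESC, ID DESC",
        (user_id,),
    ).fetchall()
    cutoff = now - policy["time"]
    for index, (salt_hex, stored_hash, created) in enumerate(rows):
        within_count = index < policy["count"]            # among the last N changes
        within_time = datetime.fromisoformat(created) >= cutoff  # changed inside T
        if policy["mode"] == "count":
            relevant = within_count
        elif policy["mode"] == "time":
            relevant = within_time
        else:  # "both": only rows that satisfy the count AND the time rule block reuse
            relevant = within_count and within_time
        if not relevant:
            continue
        # Re-hash with the row's own salt; constant-time compare on the stored digest.
        if hmac.compare_digest(hash_password(candidate, bytes.fromhex(salt_hex)), stored_hash):
            return False
    return True


def demo() -> dict:
    """Run the same candidates through all three modes; returns {mode: {candidate: allowed}}."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    now = datetime(2017, 3, 19, 11, 28)
    user = "user-0001"  # constructed unique user ID
    # Constructed history: six changes inside the last 7 days, two much older.
    history = [("pw-1", 30), ("pw-2", 20), ("pw-3", 6), ("pw-4", 5),
               ("pw-5", 4), ("pw-6", 3), ("pw-7", 2), ("pw-8", 1)]
    for password, days_ago in history:
        record_password(conn, user, password, now - timedelta(days=days_ago))
    candidates = ("pw-8", "pw-4", "pw-3", "pw-2", "fresh-password")
    results = {}
    for mode in ("count", "time", "both"):
        policy = dict(POLICY, mode=mode)
        results[mode] = {c: is_password_allowed(conn, user, c, policy, now) for c in candidates}
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

With this history the last five changes (pw-4 to pw-8) fall inside the 7-day window, so pw-3 (six days old, sixth most recent) is the row that separates the modes: "time" rejects it, "count" accepts it, and "both" accepts it because it fails the count rule. The ORDER BY on TIME_CREATED is what makes the count rule meaningful; the UNIQUE key on (USER_UNIQUE_ID, SALT_VALUE, HASH) only prevents duplicate rows, not reuse of a password under a different salt, which is why the check re-hashes the candidate against every covered row.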
