Hi Asela,

On Tue, Jan 16, 2018 at 12:14 PM, Asela Pathberiya <[email protected]> wrote:

> On Tue, Jan 16, 2018 at 11:16 AM, Nadun De Silva <[email protected]> wrote:
>
>> Hi,
>>
>> At the moment the authenticator only has the *"password expiration time period"* in the password expiration policy.
>>
>> So I can start off by altering the authenticator to publish the following to analytics
>
> Do we need to deploy an analytic instance to use this authenticator... Is it something mandatory?

If we use the current approach mentioned before, the analytics instance is *not required to use the authenticator*. However, the analytics instance would be *required to use the password expiration notifications*. If the user does not use the analytics instance, only the notifications will be disabled.

> Can we simply store & implement a task inside WSO2 IS to achieve this?

We did consider spawning a task to achieve this. But there were several issues pointed out in our discussions.

- If the task is inside the Identity Server instance, it will have a periodic workload of going through all the users and finding the users whose passwords had expired.
- This is especially a concern when the number of users is really high.
- Siddhi or a Spark query will be able to handle this more efficiently.
- By using the analytics instance and only emitting the password changed events from the Identity Server, we can decouple the notifications.
- This gives the admin more freedom over the notifications.
- We can do further analytics to identify anomalies and threats.

> Thanks,
> Asela.
>
>> - The password expiration time period config change
>> - The password changed event
>>
>> Also, the high-level architecture would be as follows.
>>
>> [architecture diagram not included in the archived message]
>>
>> Any comments or improvements are highly appreciated.
>>
>> Thank you!
>>
>> Regards,
>> NadunD
>>
>> On Tue, Jan 16, 2018 at 6:39 AM, Ruwan Abeykoon <[email protected]> wrote:
>>
>>> Hi Dimuthu,
>>> I would suggest storing the expiration policy on the IS side. How and where this can be stored is yet to be discussed. For the time being, we can play around with the registry for a quick start (but the registry will go away soon).
>>> IS needs to emit an event towards analytics upon any change in the policy. This change will then be stored on the analytics side too, and used as parameters in Siddhi (preferable) or Spark queries.
>>>
>>> This will decouple the policy from the code. Hence the "Identity Admin" is given the chance to implement most of the things that can be imagined.
>>>
>>> We provide a default policy + default query. But the "Identity Admin" can modify them without a code change, and the change will be immediately live.
>>>
>>> Cheers,
>>> Ruwan
>>>
>>> On Tue, Jan 16, 2018 at 3:03 AM, Dimuthu Leelarathne <[email protected]> wrote:
>>>
>>>> Hi Nadun,
>>>>
>>>> On Mon, Jan 15, 2018 at 9:01 PM, Nadun De Silva <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I have started working on a Password Rotation Policy Authenticator for the Identity Server.
>>>>>
>>>>> Currently, there is an authenticator [1] which can be used to force the user to change the password.
>>>>>
>>>>> However, it does not support the following requirements on its own.
>>>>>
>>>>> - Force the user to change the password to a *previously unused password*
>>>>> - *Notify the user* when the password had expired
>>>>>
>>>>> According to my research, I found out that the *user can be forced to change the password to a previously unused password using the Password History Validation Policy* [2] and the authenticator [1]. However, the authenticator does not show a proper message to the user. I am planning to fix this.
>>>>>
>>>>> I have also started working on the *password expiry notifications*. The planned approach that will be used is as follows,
>>>>>
>>>>> - Emit the password change event to analytics
>>>>> - Use an analytic query to identify the users whose passwords had expired
>>>>
>>>> Where do we hope to maintain the password expiration policy? It is at the identity server side. Can the analytics query invoke a REST API on the identity server side to retrieve it?
>>>>
>>>> thanks,
>>>> Dimuthu
>>>>
>>>>> This approach was selected as this will have a minimal load on the identity server instance, as well as it will also open up the path to do further analytics to identify anomalous user behaviors.
>>>>>
>>>>> Any suggestions or improvements are highly appreciated.
>>>>>
>>>>> [1] https://store.wso2.com/store/assets/isconnector/details/502efeb1-cc59-4b62-a197-8c612797933c
>>>>> [2] https://docs.wso2.com/display/IS530/Password+History+Validation
>>>>>
>>>>> Thank you!
>>>>>
>>>>> Regards,
>>>>> NadunD
>>>>>
>>>>> --
>>>>> *Nadun De Silva*
>>>>> Software Engineer | WSO2
>>>>>
>>>>> Email: [email protected]
>>>>> Mobile: +94778222607
>>>>> Web: http://wso2.com
>>>>
>>>> --
>>>> Dimuthu Leelarathne
>>>> Director, Solutions Architecture
>>>>
>>>> WSO2, Inc. (http://wso2.com)
>>>> email: [email protected]
>>>> Mobile: +94773661935
>>>> Blog: http://muthulee.blogspot.com
>>>>
>>>> Lean . Enterprise . Middleware
>>>
>>> --
>>> *Ruwan Abeykoon*
>>> *Associate Director/Architect,*
>>> *WSO2, Inc. http://wso2.com*
>>> *lean.enterprise.middleware.*
>>
>> --
>> *Nadun De Silva*
>> Software Engineer | WSO2
>>
>> Email: [email protected]
>> Mobile: +94778222607
>> Web: http://wso2.com
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
> +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/

--
*Nadun De Silva*
Software Engineer | WSO2

Email: [email protected]
Mobile: +94778222607
Web: http://wso2.com
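The thread settles on an event-driven design: the Identity Server emits password-changed events (and policy-change events, per Ruwan's suggestion) and the analytics side, rather than a periodic scan over every user, keeps the latest policy plus each user's last change time and derives the expired set from that. The following Python simulation is an added illustration of that analytics-side logic, not WSO2 or Identity Server code; the `PolicyChanged`/`PasswordChanged` event types, the `ExpiryDetector` class and the sample events are constructed assumptions standing in for the Siddhi or Spark query the thread proposes.

```python
"""Event-driven password-expiry detection (constructed illustration).

State held on the analytics side is O(users) and is updated per event; an
expiry check never has to query the identity server's user store.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set, Union


@dataclass(frozen=True)
class PolicyChanged:
    """Emitted by the identity server when the admin changes the policy."""
    at: datetime
    expiration_days: int


@dataclass(frozen=True)
class PasswordChanged:
    """Emitted by the identity server whenever a user's password changes."""
    at: datetime
    username: str


Event = Union[PolicyChanged, PasswordChanged]


class ExpiryDetector:
    """Analytics-side state: the current policy and each user's last change."""

    def __init__(self, default_expiration_days: int = 90) -> None:
        self.expiration_days = default_expiration_days
        self.last_change: Dict[str, datetime] = {}
        self.notified: Set[str] = set()

    def ingest(self, event: Event) -> None:
        if isinstance(event, PolicyChanged):
            # A policy change applies retroactively to every stored timestamp,
            # so tightening the period can expire users on the next check.
            self.expiration_days = event.expiration_days
        else:
            self.last_change[event.username] = event.at
            # A fresh password resets the user's notification state.
            self.notified.discard(event.username)

    def expired_users(self, now: datetime) -> Set[str]:
        limit = timedelta(days=self.expiration_days)
        return {u for u, t in self.last_change.items() if now - t >= limit}

    def pending_notifications(self, now: datetime) -> List[str]:
        """Users to notify now; each user is notified once per password."""
        due = sorted(self.expired_users(now) - self.notified)
        self.notified.update(due)
        return due


# Constructed sample timeline (hypothetical users and dates).
T0 = datetime(2018, 1, 1, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    return T0 + timedelta(days=n)


SAMPLE_EVENTS: List[Event] = [
    PolicyChanged(day(0), 90),
    PasswordChanged(day(1), "alice"),
    PasswordChanged(day(5), "bob"),
    PasswordChanged(day(60), "alice"),   # alice rotates again
    PolicyChanged(day(70), 30),          # admin tightens the period to 30 days
]


def detect(events: Iterable[Event], now: datetime) -> Set[str]:
    """Replay all events up to `now` and return the users expired at `now`."""
    det = ExpiryDetector()
    for ev in sorted(events, key=lambda e: e.at):
        if ev.at <= now:
            det.ingest(ev)
    return det.expired_users(now)


def notify_at_checkpoints(events: Iterable[Event],
                          checkpoints: List[datetime]) -> List[List[str]]:
    """Feed events incrementally and collect notifications per checkpoint."""
    det = ExpiryDetector()
    ordered = sorted(events, key=lambda e: e.at)
    idx, out = 0, []
    for now in checkpoints:
        while idx < len(ordered) and ordered[idx].at <= now:
            det.ingest(ordered[idx])
            idx += 1
        out.append(det.pending_notifications(now))
    return out


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS, day(80)))
    print(notify_at_checkpoints(SAMPLE_EVENTS, [day(80), day(100)]))
```

Two points the simulation makes concrete: a policy-change event lets the admin tighten the period without any code change, and users already past the new limit surface on the next check; and because the detector only ever touches state it already holds, the identity server's only cost is emitting one event per password or policy change.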
