Repository: syncope
Updated Branches:
  refs/heads/2_0_X 31a7d92c8 -> a6c1798b8
  refs/heads/master a6cf81094 -> 516063769

Clarifying how password propagation works in practice

Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a6c1798b
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a6c1798b
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a6c1798b

Branch: refs/heads/2_0_X
Commit: a6c1798b872ad42fa9800c7addc8a7427a0ad63f
Parents: 31a7d92
Author: Francesco Chicchiriccò <ilgro...@apache.org>
Authored: Sat Nov 18 11:45:44 2017 +0100
Committer: Francesco Chicchiriccò <ilgro...@apache.org>
Committed: Sat Nov 18 11:45:44 2017 +0100

----------------------------------------------------------------------
 .../concepts/provisioning/propagation.adoc | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/syncope/blob/a6c1798b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc index 7c62b8d..062c41e 100644 --- a/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc +++ b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
@@ -120,3 +120,20 @@ endif::[] | Required for setup of an External Resource based on the https://connid.atlassian.net/wiki/display/BASE/Google+Apps#GoogleApps-Configuration[ConnId GoogleApps connector bundle^]. |=== + +[[propagation-password]] +[TIP] +.Propagate password values +==== +Password values are kept in the internal storage according to the `password.cipher.algorithm` <<configuration-parameters, configuration parameter>>, whose value is `SHA1` by default. +`SHA1` is a hash algorithm: this means that, once stored, the cleartext value cannot be reverted any more. + +During propagation, Syncope fetches all data of the given User, then prepares the attributes to propagate, according to the provided mapping; password has a special treatment: + +* if cleartext value is available (this cannot happen during <<provisioning-push>>), it is sent to the External Resource +* if `password.cipher.algorithm` is `AES` (the only supported reversible algorithm), then the ciphered password value is made cleartext again, and sent to the External Resource +* if the <<external-resource-details,generate random password flag>> is set, a random password value is generated according to the defined password policies, and sent to the External Resource +* otherwise, a `null` value is sent to the External Resource + +Password values are always sent to External Resources wrapped as ConnId http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/common/security/GuardedString.html[GuardedString^] objects. +====
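
Review bot: The last bullet of the new tip ("otherwise, a `null` value is sent to the External Resource") does not say what a `null` password means for the account on the target. With the default `SHA1` setting and no cleartext available, this is the branch a push will take unless the generate random password flag is set. Suggest adding a sentence on the resulting behaviour, so readers do not have to guess whether the existing password on the resource is left alone. Two smaller points: the four bullets read as an order of precedence ending in "otherwise", so a sentence stating that they are evaluated in the listed order (or a numbered list) would make that explicit; and in the `SHA1` sentence, "the cleartext value cannot be reverted any more" would read better as "the cleartext value cannot be recovered from the stored hash". Since the `AES` bullet is the only path that propagates an already stored password, it may also be worth noting there that choosing a reversible cipher makes stored passwords recoverable by whoever holds the key.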