Clarifying how password propagation works in practice

Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/51606376
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/51606376
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/51606376

Branch: refs/heads/master
Commit: 5160637693339b554499e383921845f158b316fe
Parents: a6cf810
Author: Francesco Chicchiriccò <[email protected]>
Authored: Sat Nov 18 11:45:44 2017 +0100
Committer: Francesco Chicchiriccò <[email protected]>
Committed: Sat Nov 18 11:45:59 2017 +0100

----------------------------------------------------------------------
 .../concepts/provisioning/propagation.adoc         | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/51606376/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
----------------------------------------------------------------------
diff --git 
a/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc 
b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
index afba13f..c0d3b25 100644
--- a/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
@@ -120,3 +120,20 @@ endif::[]
 | Required for setup of an External Resource based on the 
https://connid.atlassian.net/wiki/display/BASE/Google+Apps#GoogleApps-Configuration[ConnId
 GoogleApps connector bundle^].
 
 |===
+
+[[propagation-password]]
+[TIP]
+.Propagate password values
+====
+Password values are kept in the internal storage according to the 
`password.cipher.algorithm` <<configuration-parameters, configuration 
parameter>>, whose value is `SHA1` by default.
+`SHA1` is a hash algorithm: this means that, once stored, the cleartext value 
cannot be reverted any more.
+
+During propagation, Syncope fetches all data of the given User, then prepares 
the attributes to propagate, according to the provided mapping; password has a 
special treatment:
+
+* if cleartext value is available (this cannot happen during 
<<provisioning-push>>), it is sent to the External Resource
+* if `password.cipher.algorithm` is `AES` (the only supported reversible 
algorithm), then the ciphered password value is made cleartext again, and sent 
to the External Resource
+* if the <<external-resource-details,generate random password flag>> is set, a 
random password value is generated according to the defined password policies, 
and sent to the External Resource
+* otherwise, a `null` value is sent to the External Resource
+
+Password values are always sent to External Resources wrapped as ConnId 
http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/common/security/GuardedString.html[GuardedString^]
 objects.
+====
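Review bot: the four bullets read as a precedence chain (cleartext, then AES-decrypted, then random, then `null`) but the text never says that the first matching rule wins, and the `null` case leaves the reader guessing whether the External Resource keeps its current password or has it cleared. Suggest stating the order explicitly, saying what a `null` password means for the target, and saying when a cleartext value *is* available (create/update requests that carry the password) rather than only where it is not. The `AES` bullet also deserves a warning rather than a passing mention: picking `AES` for `password.cipher.algorithm` so that stored passwords can be propagated means the internal storage holds reversibly encrypted passwords, whose secrecy then depends entirely on the protection of that key, which is a different risk profile from the `SHA1` default the same paragraph describes as irreversible.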
