Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-10-04 Thread Dimuthu Leelarathne
On Tue, Oct 4, 2016 at 2:49 PM, Ishara Karunarathna 
wrote:

> Hi Dimuthu,
>
> On Tue, Oct 4, 2016 at 10:54 AM, Dimuthu Leelarathne 
> wrote:
>
>> Hi Johann,
>>
>> Lets take the read-only case. Our current or future (C5) architecture
>> does not support claims coming from two user stores. And that is ok. But
>> ... we have this habbit of adding a claim whenever we want to do a new
>> feature, is it a good idea to store system claim values in the internal DB?
>> That would make things much simpler. Thinking aloud, we can make it generic
>> and enable half the stuff to come from internal store, but I think it is a
>> over engineering task. IMO, if we can implement such that system claim
>> values are coming from internal DB that would be great.
>>
> With C5 we have this model where we can get user claims from different
> identity stores and build a single user.
> In that case we can put all system claims into an internal store.
>
> But until we go for that I think it's ok to keep it as a user claim.
> WDYT?
>
>
+1. Thanks Ishara and Johann.

-Dimuthu


> -Ishara
>
>>
>> thanks,
>> Dimuthu
>>
>>
>> On Mon, Oct 3, 2016 at 10:51 PM, Johann Nallathamby 
>> wrote:
>>
>>>
>>>
>>> On Mon, Oct 3, 2016 at 1:00 PM, Manjula Rathnayake 
>>> wrote:
>>>
 Hi Ayesha,

 On Fri, Sep 30, 2016 at 3:17 PM, Ayesha Dissanayaka 
 wrote:

> Hi all,
>
> Based on the discussions with Johann, Darshana, Isura and myself, we
> identified the following use cases and design concerns.
>
> There are three cases of Admin Forced Password Reset action:
>
>    - Admin Forced Password Reset Off-line
>       - Admin knows the password and gives it to the user offline (ex: via
>       phone)
>    - Admin Forced Password Reset via OTP
>       - OTP is sent to the user as a notification (email/SMS). Admin may
>       not be able to see the OTP
>    - Admin Forced Password Reset via Recovery Email
>       - Email with a link which directs to the password recovery portal
>       is sent to the user
>
> For each case above, the Admin Forced Password Reset action trigger is
> identified as a claim update.
>
> When the special claim
> "http://wso2.org/claims/identity/adminForcedPasswordReset" is updated, an
> EventHandler will handle the update to this particular claim.
>
 Do we know claims/attributes used in LDAP schemas for similar purposes?
 I assume we ask the user to map the above claim to any LDAP attribute.

>>>
>>> We make it a point to use existing attributes wherever possible. I think
>>> there is an attribute in AD called "ChangePasswordAtLogon" for this purpose.
>>> However we didn't plan to use this attribute to store this value as a claim
>>> because it's a temporary value for a particular user. Also, not all LDAPs
>>> may support this attribute. Plus we need to support it when the user store
>>> is connected in read-only mode also. However we will reconsider this.
>>>
> A new governance connector will be implemented and the above three cases
> can be enabled/disabled based on system requirements.
>
 Is there any document or code which discusses the governance connector?

 thank you.

> Within the EventHandler, a RecoveryScenario is set to identify the
> admin forced password reset activity. And the user account will be locked
> until the password is reset by the user.
>
> At login, inside the Login Authenticator it will look at the RecoveryScenario
> along with the OTP provided in order to prompt the password reset option to
> the user. Once the password is reset by the user, the account will be unlocked
> and the RecoveryScenario entry will be cleaned up.
>
> For MVP1, I am implementing handling of the *Admin Forced Password Reset*
> trigger with the claim update and a Handler to send an email with a password
> reset link to the user.
>
> Thanks!
> -Ayesha
>
>
> On Wed, Sep 28, 2016 at 12:19 PM, Ayesha Dissanayaka 
> wrote:
>
>> Hi Ishara,
>>
>> Thank you for the input. Having had a similar discussion with Darshana and
>> Isura, I have started extending the askPassword implementation with an email
>> verification flow in order to trigger a password reset by capturing the
>> "update credential" event. Still, we need a mechanism to distinguish admin
>> password reset vs. user password reset.
>>
>> Thanks!
>> -Ayesha
>>
>>
>> On Wed, Sep 28, 2016 at 12:06 PM, Ishara Karunarathna <
>> isha...@wso2.com> wrote:
>>
>>> Hi Ayesha,
>>>
>>> On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne 
>>> wrote:
>>>
 Hi Ayesha,

 We can extend the Ask Password feature we developed in IS 5.3.0 to
 support this feature. So, we can send a confirmation email rather than an
 OTP.

Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-10-04 Thread Ishara Karunarathna
Hi Dimuthu,

On Tue, Oct 4, 2016 at 10:54 AM, Dimuthu Leelarathne 
wrote:

> Hi Johann,
>
> Let's take the read-only case. Our current or future (C5) architecture does
> not support claims coming from two user stores. And that is ok. But ... we
> have this habit of adding a claim whenever we want to do a new feature; is
> it a good idea to store system claim values in the internal DB? That would
> make things much simpler. Thinking aloud, we can make it generic and enable
> half the stuff to come from the internal store, but I think it is an
> over-engineering task. IMO, if we can implement it such that system claim
> values come from the internal DB, that would be great.
>
With C5 we have this model where we can get user claims from different
identity stores and build a single user.
In that case we can put all system claims into an internal store.

But until we go for that I think it's ok to keep it as a user claim.
WDYT?

-Ishara

>
> thanks,
> Dimuthu

Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-10-04 Thread Johann Nallathamby
On Tue, Oct 4, 2016 at 11:25 AM, Manjula Rathnayake 
wrote:

> Hi all,
>
> It is not clear to me how the password reset operation is valid for
> read-only user stores. Is it a valid use case?
>

Yes. We must support it even for read only user stores. User stores are
plugged in read-only mode just to populate the initial set of users and
groups. From that point onwards we must be able to support any identity
server features for all those users regardless of whether we can write to
the user store or not.


>
> thank you.

Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-10-04 Thread Johann Nallathamby
On Tue, Oct 4, 2016 at 10:54 AM, Dimuthu Leelarathne 
wrote:

> Hi Johann,
>
> Let's take the read-only case. Our current or future (C5) architecture does
> not support claims coming from two user stores.
>

In C5 we have this. So yes, it can go as an internal DB based user store that
we maintain.


> And that is ok. But ... we have this habit of adding a claim whenever we
> want to do a new feature; is it a good idea to store system claim values in
> the internal DB?
>

System claims in the sense that it's still user-specific data, is that what you
mean? Meaning the value is attached to a particular user in the system.
It's not a value for the entire system.

There are two kinds of user-specific data.
1. User attributes - generally long-lived values, audited, governed, etc.
2. User-specific operational data - generally per transaction, short-lived.

Attributes such as account lock, account deactivated, etc. clearly fall into
the first category. For this category in C4 we have two options to store them:
either in the user store or in the internal DB. These claims are designated
as identity claims.

Attributes such as OTP, PendingForEmailVerification and
ChangePasswordOnNextLogin come under the second category. Active Directory kind
of considers some of these as part of the user schema itself. That doesn't mean
we also have to follow the same thing. We try to follow wherever possible.
What's important is to make the categorization as per my above explanation.

We must support both these categories even for read-only user stores.

Hope this clarifies some things.

Regards,
Johann.


> That would make things much simpler. Thinking aloud, we can make it
> generic and enable half the stuff to come from the internal store, but I think
> it is an over-engineering task. IMO, if we can implement it such that system
> claim values come from the internal DB, that would be great.
>
> thanks,
> Dimuthu
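The flow Ayesha describes earlier in the thread (a claim update caught by an EventHandler, a RecoveryScenario plus account lock, a reset prompted at login, unlock and cleanup once the password is changed) and Johann's split of per-user data into long-lived identity claims and short-lived operational data, modelled together as an added example. This is not code from the thread or from WSO2 Identity Server: the class names, the layout of the internal store, the scenario name, the 15-minute code validity and the sample user are all assumptions made for the illustration. It shows the points a reviewer would check: the one-time code is kept only as a digest, it expires, it is single use, self-service recovery cannot complete an admin-forced reset, and nothing is written to the user store.

```python
"""Model of the admin-forced password reset flow discussed in this thread.
Illustrative only, not WSO2 IS code: class names, store layout, scenario
name, code lifetime and sample data are assumptions made for this example."""
import hashlib
import hmac
import secrets

ADMIN_FORCED_RESET_CLAIM = "http://wso2.org/claims/identity/adminForcedPasswordReset"
SCENARIO_ADMIN_FORCED = "ADMIN_FORCED_PASSWORD_RESET"  # hypothetical scenario name
CODE_TTL_SECONDS = 15 * 60                             # assumed validity of the OTP / link code


class InternalIdentityStore:
    """The IdP's own DB. The long-lived 'account locked' identity claim (Johann's
    category 1) and the short-lived pending-reset data (category 2) both live
    here, so a user store plugged in read-only is never written to."""

    def __init__(self):
        self.locked = {}        # username -> bool
        self.scenario = {}      # username -> recovery scenario
        self.pending_code = {}  # username -> (sha256 hex of the code, expiry timestamp)
        self.credential = {}    # username -> (salt, pbkdf2 digest); assumed IdP-managed


def _code_digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


def _pw_digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AdminForcedResetHandler:
    """Event handler for the special claim: lock the account, set the scenario, issue a code."""

    def __init__(self, internal):
        self.internal = internal

    def on_claim_update(self, username, claim_uri, value, now):
        if claim_uri != ADMIN_FORCED_RESET_CLAIM or value != "true":
            return None                   # every other claim update is ignored
        code = secrets.token_urlsafe(16)  # goes to the user by email/SMS; the admin never sees it
        self.internal.locked[username] = True
        self.internal.scenario[username] = SCENARIO_ADMIN_FORCED
        self.internal.pending_code[username] = (_code_digest(code), now + CODE_TTL_SECONDS)
        return code                       # only its digest is kept at rest


class LoginAuthenticator:
    """Checks the recovery scenario before any password is compared."""

    def __init__(self, internal):
        self.internal = internal

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self.internal.credential[username] = (salt, _pw_digest(password, salt))

    def login(self, username, password):
        if self.internal.locked.get(username):
            if self.internal.scenario.get(username) == SCENARIO_ADMIN_FORCED:
                return "RESET_REQUIRED"   # offer the reset instead of a normal login
            return "ACCOUNT_LOCKED"
        cred = self.internal.credential.get(username)
        if cred is None or not hmac.compare_digest(cred[1], _pw_digest(password, cred[0])):
            return "INVALID_CREDENTIALS"
        return "OK"

    def complete_reset(self, username, code, new_password, now):
        if self.internal.scenario.get(username) != SCENARIO_ADMIN_FORCED:
            return "NO_PENDING_RESET"     # keeps self-service recovery on its own path
        stored_digest, expires_at = self.internal.pending_code[username]
        if now > expires_at:
            self._cleanup(username)       # stale code is discarded; the account stays locked
            return "CODE_EXPIRED"
        if not hmac.compare_digest(stored_digest, _code_digest(code)):
            return "INVALID_CODE"
        self.set_password(username, new_password)
        self._cleanup(username)           # the code is single use
        self.internal.locked[username] = False
        return "RESET_OK"

    def _cleanup(self, username):
        self.internal.scenario.pop(username, None)
        self.internal.pending_code.pop(username, None)


def demo():
    """Runs the flow once on a constructed sample user and returns the outcomes in order."""
    internal = InternalIdentityStore()
    auth = LoginAuthenticator(internal)
    handler = AdminForcedResetHandler(internal)
    auth.set_password("alice", "old-password")  # constructed sample user
    t = 1_700_000_000                           # fixed clock, for reproducibility
    code = handler.on_claim_update("alice", ADMIN_FORCED_RESET_CLAIM, "true", now=t)
    return [
        auth.login("alice", "old-password"),                                    # RESET_REQUIRED
        auth.complete_reset("alice", "wrong-code", "new-password", now=t + 1),  # INVALID_CODE
        auth.complete_reset("alice", code, "new-password", now=t + 2),          # RESET_OK
        auth.login("alice", "new-password"),                                    # OK
        auth.complete_reset("alice", code, "again", now=t + 3),                 # NO_PENDING_RESET
    ]
```

In the real product the code would be delivered by the notification handler and the account lock would be the existing identity claim; the point of the model is that every piece of state the flow needs sits in the IdP's own store, which is what makes the read-only user store case work. An expired code leaves the account locked on purpose, so the admin has to trigger the claim update again rather than the user being able to mint a new code.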

Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-10-04 Thread Dimuthu Leelarathne
On Tue, Oct 4, 2016 at 11:25 AM, Manjula Rathnayake 
wrote:

> Hi all,
>
> It is not clear to me how the password reset operation is valid for
> read-only user stores. Is it a valid use case?
>
>
Just took an example. But the generic idea is that we take user claims to store
stuff. So we can consider these as system-specific things and store them in the
internal user store.


> thank you.

Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-10-03 Thread Manjula Rathnayake
Hi all,

It is not clear to me how the password reset operation is valid for
read-only user stores. Is it a valid use case?

thank you.

On Tue, Oct 4, 2016 at 10:54 AM, Dimuthu Leelarathne 
wrote:

> Hi Johann,
>
> Let's take the read-only case. Our current or future (C5) architecture does
> not support claims coming from two user stores. And that is ok. But ... we
> have this habit of adding a claim whenever we want to do a new feature; is
> it a good idea to store system claim values in the internal DB? That would
> make things much simpler. Thinking aloud, we can make it generic and enable
> half the stuff to come from the internal store, but I think it is an
> over-engineering task. IMO, if we can implement it such that system claim
> values come from the internal DB, that would be great.
>
> thanks,
> Dimuthu

Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-10-03 Thread Dimuthu Leelarathne
Hi Johann,

Let's take the read-only case. Our current or future (C5) architecture does
not support claims coming from two user stores. And that is ok. But ... we
have this habit of adding a claim whenever we want to do a new feature; is
it a good idea to store system claim values in the internal DB? That would
make things much simpler. Thinking aloud, we can make it generic and enable
half the stuff to come from the internal store, but I think it is an
over-engineering task. IMO, if we can implement it such that system claim
values come from the internal DB, that would be great.

thanks,
Dimuthu


 On Wed, Sep 28, 2016 at 12:06 PM, Ishara Karunarathna  wrote:

> Hi Ayesha,
>
> On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne 
> wrote:
>
>> Hi Ayesha,
>>
>> We can extend Ask Password feature we developed in IS 5.3.0 to
>> support this feature. So, we can send a confirmation email rather than an
>> OTP.
>>
> There can be different use cases.
> If we think about a call center scenario, then the customer will call the
> support center and ask to reset the password, and they will communicate that
> to the client at that time; then the user can log in and on the 1st attempt
> he needs to reset the password.
> Then we can set an additional flag in a user attribute that indicates
> that this password was reset by admin.
> And then this can be checked in the Password Policy Authenticator.
>
> A secure way to handle this is extending the Ask Password implementation
> and sending an email and resetting the password, or sending an OTP to the
> customer and enforcing a reset on 1st login.
> I think it's better to implement the 1st scenario and extend to these cases.
>
> Thanks,
>

Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-10-03 Thread Johann Nallathamby
On Mon, Oct 3, 2016 at 1:00 PM, Manjula Rathnayake 
wrote:

> Hi Ayesha,
>
> On Fri, Sep 30, 2016 at 3:17 PM, Ayesha Dissanayaka 
> wrote:
>
>> Hi all,
>>
>> Based on the discussions with Johann, Darshana, Isura and myself, we
>> identified following use cases and design concerns.
>>
>> There are three cases of Admin Forced Password Reset action,
>>
>>- Admin Forced Password Reset Off-line
>>   - Admin knows the password and gives it to the user offline (ex: via phone)
>>- Admin Forced Password Reset via OTP
>>   - OTP is sent to the user as a notification (email/SMS). Admin may not be
>>   able to see the OTP
>>- Admin Forced Password Reset via Recovery Email
>>   - An email with a link which directs to the password recovery portal is
>>   sent to the user
>>
>> For each case above, the Admin Forced Password Reset action trigger is
>> identified as a claim update.
>>
>> When a special claim "http://wso2.org/claims/identity/adminForcedPasswordReset"
>> is updated, an EventHandler will handle the update to this particular claim.
>>
> Do we know claims/attributes used in LDAP schemas for similar purposes? I
> assume we ask the user to map the above claim to any LDAP attribute.
>

We make it a point to use existing attributes wherever possible. I think
there is an attribute in AD called "ChangePasswordAtLogon" for this purpose.
However we didn't plan to use this attribute to store this value as a claim
because it's a temporary value for a particular user. Also, all LDAPs may not
support this attribute. Plus we need to support it when the user store is
connected in read-only mode also. However, we will reconsider this.

>> New governance Connector will be implemented and above three cases can be
>> enabled/disabled based on system requirements.
>>
> Is there any document, code which discusses the governance connector?
>
> thank you.
>
>> Within the EventHandler, a RecoveryScenario is set to identify the admin
>> forced password reset activity. And the user account will be locked until
>> the password is reset by the user.
>>
>> At login, inside the Login Authenticator it will look at the RecoveryScenario
>> along with the OTP provided in order to prompt the password reset option to the
>> user. Once the password is reset by the user, the account will be unlocked and
>> the RecoveryScenario entry will be cleaned up.
>>
>> For the MVP1, I am implementing handling *Admin Forced Password Reset*
>> trigger with claim update and Handler to send an email with password reset
>> link to user.
>>
>> Thanks!
>> -Ayesha
>>
>>
>> On Wed, Sep 28, 2016 at 12:19 PM, Ayesha Dissanayaka 
>> wrote:
>>
>>> Hi Ishara,
>>>
>>> Thank you for the input. Having had a similar discussion with Darshana and
>>> Isura, I have started extending askPassword implementation with email
>>> verification flow in order to trigger a password reset by capturing "update
>>> credential" event. Still, we need a mechanism to distinguish admin password
>>> reset vs. user password reset.
>>>
>>> Thanks!
>>> -Ayesha
>>>
>>>
>>> On Wed, Sep 28, 2016 at 12:06 PM, Ishara Karunarathna 
>>> wrote:
>>>
>>>> Hi Ayesha,
>>>>
>>>> On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne 
>>>> wrote:
>>>>
> Hi Ayesha,
>
> We can extend Ask Password feature we developed in IS 5.3.0 to support
> this feature. So, we can send a confirmation email rather than an OTP.
>
>>>> There can be different use cases.
>>>> If we think about a call center scenario, then the customer will call the
>>>> support center and ask to reset the password, and will communicate that to
>>>> the client at that time; then the user can log in and at the 1st attempt he
>>>> needs to reset the password.
>>>> Then we can set an additional flag in a user attribute that indicates that
>>>> this password was reset by the admin.
>>>> And then this can be checked in the Password Policy Authenticator.
>>>>
>>>> A more secure way to handle this is extending the Ask Password implementation
>>>> and sending an email to reset the password, or sending an OTP to the customer
>>>> and enforcing a reset at the 1st login.
>>>> I think it is better to implement the 1st scenario and extend to these cases.
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>
> Thanks
> Isura
>
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>
> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka 
> wrote:
>
>> Hi,
>>
>> I have created public jira IDENTITY-5166 to track this implementation.
>>
>> Thanks!
>> -Ayesha
>>
>>
>>
>> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka 
>> wrote:
>>
>>> Hi,
>>>
>>> I have started working on [1], which forces password reset for a
>>> user after an administrative password recovery action.

Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-10-03 Thread Manjula Rathnayake
Hi Ayesha,

On Fri, Sep 30, 2016 at 3:17 PM, Ayesha Dissanayaka  wrote:

> Hi all,
>
> Based on the discussions with Johann, Darshana, Isura and myself, we
> identified following use cases and design concerns.
>
> There are three cases of Admin Forced Password Reset action,
>
>- Admin Forced Password Reset Off-line
>   - Admin knows the password and gives it to the user offline (ex: via phone)
>- Admin Forced Password Reset via OTP
>   - OTP is sent to the user as a notification (email/SMS). Admin may not be
>   able to see the OTP
>- Admin Forced Password Reset via Recovery Email
>   - An email with a link which directs to the password recovery portal is
>   sent to the user
>
> For each case above, the Admin Forced Password Reset action trigger is
> identified as a claim update.
>
> When a special claim "http://wso2.org/claims/identity/adminForcedPasswordReset"
> is updated, an EventHandler will handle the update to this particular claim.
>
Do we know claims/attributes used in LDAP schemas for similar purposes? I
assume we ask the user to map the above claim to any LDAP attribute.

> New governance Connector will be implemented and above three cases can be
> enable/disable based on system requirements.
>
Is there any document, code which discusses the governance connector?

thank you.

> Within the EventHandler, a RecoveryScenario is set to identify the admin
> forced password reset activity. And the user account will be locked until
> the password is reset by the user.
>
> At login, inside the Login Authenticator it will look at the RecoveryScenario
> along with the OTP provided in order to prompt the password reset option to the
> user. Once the password is reset by the user, the account will be unlocked and
> the RecoveryScenario entry will be cleaned up.
>
> For the MVP1, I am implementing handling *Admin Forced Password Reset*
> trigger with claim update and Handler to send an email with password reset
> link to user.
>
> Thanks!
> -Ayesha
>
>
> On Wed, Sep 28, 2016 at 12:19 PM, Ayesha Dissanayaka 
> wrote:
>
>> Hi Ishara,
>>
>> Thank you for the input. Having had a similar discussion with Darshana and
>> Isura, I have started extending askPassword implementation with email
>> verification flow in order to trigger a password reset by capturing "update
>> credential" event. Still, we need a mechanism to distinguish admin password
>> reset vs. user password reset.
>>
>> Thanks!
>> -Ayesha
>>
>>
>> On Wed, Sep 28, 2016 at 12:06 PM, Ishara Karunarathna 
>> wrote:
>>
>>> Hi Ayesha,
>>>
>>> On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne 
>>> wrote:
>>>
>>>> Hi Ayesha,
>>>>
>>>> We can extend Ask Password feature we developed in IS 5.3.0 to support
>>>> this feature. So, we can send a confirmation email rather than an OTP.
>>>>
>>> There can be different use cases.
>>> If we think about a call center scenario, then the customer will call the
>>> support center and ask to reset the password, and will communicate that to
>>> the client at that time; then the user can log in and at the 1st attempt he
>>> needs to reset the password.
>>> Then we can set an additional flag in a user attribute that indicates that
>>> this password was reset by the admin.
>>> And then this can be checked in the Password Policy Authenticator.
>>>
>>> A more secure way to handle this is extending the Ask Password implementation
>>> and sending an email to reset the password, or sending an OTP to the customer
>>> and enforcing a reset at the 1st login.
>>> I think it is better to implement the 1st scenario and extend to these cases.
>>>
>>> Thanks,
>>> Ishara
>>>

>>>> Thanks
>>>> Isura
>>>>
>>>>
>>>> *Isura Dilhara Karunaratne*
>>>> Senior Software Engineer | WSO2
>>>> Email: is...@wso2.com
>>>> Mob : +94 772 254 810
>>>> Blog : http://isurad.blogspot.com/
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka 
>>>> wrote:
>>>>
> Hi,
>
> I have created public jira IDENTITY-5166 to track this implementation.
>
> Thanks!
> -Ayesha
>
>
>
> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka 
> wrote:
>
>> Hi,
>>
>> I have started working on [1], which forces password reset for a user
>> after an administrative password recovery action.
>>
>> Based on the off-line discussion with Darshana, this flow can be as
>> follows.
>>
>>1. User '*Bob*' forgets the password and requests the administrative
>>person for a password reset action
>>2. The admin person resets the password and provides the new password to
>>*Bob* off-line
>>3. This can be performed using the management console
>>4. When *Bob* tries to log in with the newly provided password, the login
>>page should prompt the password reset UI to *Bob*
>>5. And without changing the password Bob cannot log in to the
>>system
>>6. There should be a way to distinguish *user password 

Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-09-28 Thread Ayesha Dissanayaka
Hi Ishara,

Thank you for the input. Having had a similar discussion with Darshana and Isura,
I have started extending askPassword implementation with email verification
flow in order to trigger a password reset by capturing "update credential"
event. Still, we need a mechanism to distinguish admin password reset vs.
user password reset.

Thanks!
-Ayesha


On Wed, Sep 28, 2016 at 12:06 PM, Ishara Karunarathna 
wrote:

> Hi Ayesha,
>
> On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne 
> wrote:
>
>> Hi Ayesha,
>>
>> We can extend Ask Password feature we developed in IS 5.3.0 to support
>> this feature. So, we can send a confirmation email rather than an OTP.
>>
> There can be different use cases.
> If we think about a call center scenario, then the customer will call the
> support center and ask to reset the password, and will communicate that to
> the client at that time; then the user can log in and at the 1st attempt he
> needs to reset the password.
> Then we can set an additional flag in a user attribute that indicates that
> this password was reset by the admin.
> And then this can be checked in the Password Policy Authenticator.
>
> A more secure way to handle this is extending the Ask Password implementation
> and sending an email to reset the password, or sending an OTP to the customer
> and enforcing a reset at the 1st login.
> I think it is better to implement the 1st scenario and extend to these cases.
>
> Thanks,
> Ishara
>
>>
>> Thanks
>> Isura
>>
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka 
>> wrote:
>>
>>> Hi,
>>>
>>> I have created public jira IDENTITY-5166 to track this implementation.
>>>
>>> Thanks!
>>> -Ayesha
>>>
>>>
>>>
>>> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka 
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have started working on [1], which forces password reset for a user
>>>> after an administrative password recovery action.
>>>>
>>>> Based on the off-line discussion with Darshana, this flow can be as
>>>> follows.
>>>>
>>>>    1. User '*Bob*' forgets the password and requests the administrative person
>>>>    for a password reset action
>>>>    2. The admin person resets the password and provides the new password to
>>>>    *Bob* off-line
>>>>    3. This can be performed using the management console
>>>>    4. When *Bob* tries to log in with the newly provided password, the login
>>>>    page should prompt the password reset UI to *Bob*
>>>>    5. And without changing the password Bob cannot log in to the system
>>>>    6. There should be a way to distinguish *user password reset* vs. *admin
>>>>    password reset*.
>>>>
>>>> But additionally, there can be enhancements to this flow by sending an
>>>> OTP in an email to the user, 'Bob' and enforcing password reset by
>>>> directing to a provided link.
>>>>
>>>> What are your thoughts on this?
>>>>
>>>> [1] https://redmine.wso2.com/issues/5417
>>>>
>>>> Thanks!
>>>> -Ayesha
>>>>
>>>> --
>>>> *Ayesha Dissanayaka*
>>>> Software Engineer,
>>>> WSO2, Inc : http://wso2.com
>>>> 
>>>> 20, Palmgrove Avenue, Colombo 3
>>>> E-Mail: aye...@wso2.com 
>>>>
>>>
>>>
>>>
>>> --
>>> *Ayesha Dissanayaka*
>>> Software Engineer,
>>> WSO2, Inc : http://wso2.com
>>> 
>>> 20, Palmgrove Avenue, Colombo 3
>>> E-Mail: aye...@wso2.com 
>>>
>>> ___
>>> Architecture mailing list
>>> Architecture@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
>>
>>
>
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>
> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
> +94717996791
>
>
>
>
>


-- 
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com

20, Palmgrove Avenue, Colombo 3
E-Mail: aye...@wso2.com 


Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-09-28 Thread Ishara Karunarathna
Hi Ayesha,

On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne  wrote:

> Hi Ayesha,
>
> We can extend Ask Password feature we developed in IS 5.3.0 to support
> this feature. So, we can send a confirmation email rather than an OTP.
>
There can be different use cases.
If we think about a call center scenario, then the customer will call the support
center and ask to reset the password, and will communicate that to the
client at that time; then the user can log in and at the 1st attempt he needs to
reset the password.
Then we can set an additional flag in a user attribute that indicates that
this password was reset by the admin.
And then this can be checked in the Password Policy Authenticator.

A more secure way to handle this is extending the Ask Password implementation and
sending an email to reset the password, or sending an OTP to the customer and
enforcing a reset at the 1st login.
I think it is better to implement the 1st scenario and extend to these cases.

Thanks,
Ishara

>
> Thanks
> Isura
>
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>
> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka 
> wrote:
>
>> Hi,
>>
>> I have created public jira IDENTITY-5166 to track this implementation.
>>
>> Thanks!
>> -Ayesha
>>
>>
>>
>> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka 
>> wrote:
>>
>>> Hi,
>>>
>>> I have started working on [1], which forces password reset for a user
>>> after an administrative password recovery action.
>>>
>>> Based on the off-line discussion with Darshana, this flow can be as
>>> follows.
>>>
>>>1. User '*Bob*' forgets the password and requests the administrative person
>>>for a password reset action
>>>2. The admin person resets the password and provides the new password to
>>>*Bob* off-line
>>>3. This can be performed using the management console
>>>4. When *Bob* tries to log in with the newly provided password, the login
>>>page should prompt the password reset UI to *Bob*
>>>5. And without changing the password Bob cannot log in to the system
>>>6. There should be a way to distinguish *user password reset* vs. *admin
>>>password reset*.
>>>
>>> But additionally, there can be enhancements to this flow by sending an
>>> OTP in an email to the user, 'Bob' and enforcing password reset by
>>> directing to a provided link.
>>>
>>> What are your thoughts on this?
>>>
>>> [1] https://redmine.wso2.com/issues/5417
>>>
>>> Thanks!
>>> -Ayesha
>>>
>>> --
>>> *Ayesha Dissanayaka*
>>> Software Engineer,
>>> WSO2, Inc : http://wso2.com
>>> 
>>> 20, Palmgrove Avenue, Colombo 3
>>> E-Mail: aye...@wso2.com 
>>>
>>
>>
>>
>> --
>> *Ayesha Dissanayaka*
>> Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 
>> 20, Palmgrove Avenue, Colombo 3
>> E-Mail: aye...@wso2.com 
>>
>>
>>
>
>
>


-- 
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791


Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-09-27 Thread Kathees Rajendram
Hi Ayesha,

A similar implementation is done in the authentication flow. It enforces a
password reset for the user when the last password change time exceeds a number
of days compared with the current day.

[1] -
https://github.com/wso2-extensions/identity-outbound-auth-passwordPolicy
[2] -
https://docs.wso2.com/display/ISCONNECTORS/Configuring+Password+Policy+Authenticator

Thanks,
Kathees

On Tue, Sep 27, 2016 at 11:00 AM, Isura Karunaratne  wrote:

> Hi Ayesha,
>
> We can extend Ask Password feature we developed in IS 5.3.0 to support
> this feature. So, we can send a confirmation email rather than an OTP.
>
> Thanks
> Isura
>
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>
> On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka 
> wrote:
>
>> Hi,
>>
>> I have created public jira IDENTITY-5166 to track this implementation.
>>
>> Thanks!
>> -Ayesha
>>
>>
>>
>> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka 
>> wrote:
>>
>>> Hi,
>>>
>>> I have started working on [1], which forces password reset for a user
>>> after an administrative password recovery action.
>>>
>>> Based on the off-line discussion with Darshana, this flow can be as
>>> follows.
>>>
>>>1. User '*Bob*' forgets the password and requests the administrative person
>>>for a password reset action
>>>2. The admin person resets the password and provides the new password to
>>>*Bob* off-line
>>>3. This can be performed using the management console
>>>4. When *Bob* tries to log in with the newly provided password, the login
>>>page should prompt the password reset UI to *Bob*
>>>5. And without changing the password Bob cannot log in to the system
>>>6. There should be a way to distinguish *user password reset* vs. *admin
>>>password reset*.
>>>
>>> But additionally, there can be enhancements to this flow by sending an
>>> OTP in an email to the user, 'Bob' and enforcing password reset by
>>> directing to a provided link.
>>>
>>> What are your thoughts on this?
>>>
>>> [1] https://redmine.wso2.com/issues/5417
>>>
>>> Thanks!
>>> -Ayesha
>>>
>>> --
>>> *Ayesha Dissanayaka*
>>> Software Engineer,
>>> WSO2, Inc : http://wso2.com
>>> 
>>> 20, Palmgrove Avenue, Colombo 3
>>> E-Mail: aye...@wso2.com 
>>>
>>
>>
>>
>> --
>> *Ayesha Dissanayaka*
>> Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 
>> 20, Palmgrove Avenue, Colombo 3
>> E-Mail: aye...@wso2.com 
>>
>>
>>
>
>
>


-- 
Kathees
Software Engineer,
email: kath...@wso2.com
mobile: +94772596173

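The flow the thread converges on (an admin triggers the reset through a claim update, a handler records a RecoveryScenario and locks the account, the login authenticator demands the OTP plus a new password before unlocking, and a self-service password change stays distinguishable because it sets no scenario), together with the password-expiry check Kathees describes, written out as an added simulation. This is example code, not WSO2 Identity Server code: the scenario tag SCENARIO_ADMIN_FORCED, the PASSWORD_EXPIRY_DAYS value, the Account fields and the 'bob'/'alice' walk-throughs are assumptions constructed for the example; only the claim URI comes from the thread.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hmac
import secrets

# Claim named in the thread; the handler reacts when it is updated to "true".
ADMIN_FORCED_RESET_CLAIM = "http://wso2.org/claims/identity/adminForcedPasswordReset"
# RecoveryScenario tag kept on the account while the forced reset is pending
# (assumed name; the thread only says a RecoveryScenario is set).
SCENARIO_ADMIN_FORCED = "ADMIN_FORCED_PASSWORD_RESET_VIA_OTP"
# Expiry policy for the password-policy style check (assumed value).
PASSWORD_EXPIRY_DAYS = 90


@dataclass
class Account:
    username: str
    password: str                       # plaintext only because this is a simulation
    last_password_change: datetime
    claims: dict = field(default_factory=dict)
    locked: bool = False
    recovery_scenario: Optional[str] = None
    confirmation_code: Optional[str] = None


def update_claim(acct: Account, claim: str, value: str) -> Optional[str]:
    """Claim-update entry point standing in for the EventHandler: when the
    admin-forced-reset claim becomes "true", set the RecoveryScenario, lock the
    account and issue a one-time confirmation code. The code is returned only so
    the simulation can hand it to the user; a real handler would deliver it as
    an email/SMS notification that the admin never sees."""
    acct.claims[claim] = value
    if claim == ADMIN_FORCED_RESET_CLAIM and value == "true":
        acct.recovery_scenario = SCENARIO_ADMIN_FORCED
        acct.locked = True
        acct.confirmation_code = secrets.token_urlsafe(16)
        return acct.confirmation_code
    return None


def user_change_password(acct: Account, old: str, new: str, now: datetime) -> bool:
    """User-initiated change: sets no scenario and no lock, which is what lets
    the authenticator tell a user reset apart from an admin-forced one."""
    if not hmac.compare_digest(old, acct.password) or new == old:
        return False
    acct.password, acct.last_password_change = new, now
    return True


def _complete_reset(acct: Account, new_password: str, now: datetime) -> None:
    """Unlock and clean up the RecoveryScenario entry once the reset is done."""
    acct.password, acct.last_password_change = new_password, now
    acct.locked = False
    acct.recovery_scenario = None
    acct.confirmation_code = None
    acct.claims.pop(ADMIN_FORCED_RESET_CLAIM, None)


def login(acct: Account, password: str, now: datetime,
          otp: Optional[str] = None, new_password: Optional[str] = None) -> str:
    """Authenticator step. Returns "OK", "RESET_REQUIRED" or "DENIED"."""
    if not hmac.compare_digest(password, acct.password):
        return "DENIED"
    if acct.recovery_scenario == SCENARIO_ADMIN_FORCED:
        # Locked until the user proves possession of the OTP and supplies a new
        # password; knowing the admin-chosen password alone is not enough.
        if otp is None or new_password is None:
            return "RESET_REQUIRED"
        if not hmac.compare_digest(otp, acct.confirmation_code) or new_password == password:
            return "DENIED"
        _complete_reset(acct, new_password, now)
        return "OK"
    if acct.locked:
        return "DENIED"  # locked for some other reason, no pending scenario
    if now - acct.last_password_change > timedelta(days=PASSWORD_EXPIRY_DAYS):
        # Expiry check: the user knows the old password, so only a new one is
        # required and no OTP is involved.
        if new_password is None or new_password == password:
            return "RESET_REQUIRED"
        _complete_reset(acct, new_password, now)
        return "OK"
    return "OK"


def simulate_admin_forced_reset() -> list:
    """Walk the constructed account 'bob' through the flow; returns the outcomes."""
    t0 = datetime(2016, 9, 30, 12, 0)
    bob = Account("bob", "admin-chosen", last_password_change=t0)
    code = update_claim(bob, ADMIN_FORCED_RESET_CLAIM, "true")  # admin triggers
    return [
        login(bob, "admin-chosen", t0),                                    # RESET_REQUIRED
        login(bob, "admin-chosen", t0, otp="guess", new_password="n3w!"),  # DENIED
        login(bob, "admin-chosen", t0, otp=code, new_password="n3w!"),     # OK, unlocked
        login(bob, "n3w!", t0 + timedelta(days=1)),                        # OK
        login(bob, "n3w!", t0 + timedelta(days=PASSWORD_EXPIRY_DAYS + 1)), # RESET_REQUIRED
    ]


def simulate_user_change() -> tuple:
    """A self-service change leaves no scenario behind and needs no OTP."""
    t0 = datetime(2016, 9, 30, 12, 0)
    alice = Account("alice", "pw-1", last_password_change=t0)
    changed = user_change_password(alice, "pw-1", "pw-2", t0)
    return changed, alice.recovery_scenario, alice.locked, login(alice, "pw-2", t0)


if __name__ == "__main__":
    print(simulate_admin_forced_reset())
    print(simulate_user_change())
```

The point of keeping the scenario on the account rather than only the claim is visible in `login`: the admin-chosen password alone never yields "OK", and the scenario is cleared in the same step that unlocks, so there is no window where the account is usable without the user-chosen password.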

Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-09-26 Thread Isura Karunaratne
Hi Ayesha,

We can extend Ask Password feature we developed in IS 5.3.0 to support this
feature. So, we can send a confirmation email rather than an OTP.

Thanks
Isura


*Isura Dilhara Karunaratne*
Senior Software Engineer | WSO2
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/




On Mon, Sep 26, 2016 at 10:03 PM, Ayesha Dissanayaka 
wrote:

> Hi,
>
> I have created public jira IDENTITY-5166 to track this implementation.
>
> Thanks!
> -Ayesha
>
>
>
> On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka 
> wrote:
>
>> Hi,
>>
>> I have started working on [1], which forces password reset for a user
>> after an administrative password recovery action.
>>
>> Based on the off-line discussion with Darshana, this flow can be as
>> follows.
>>
>>1. User '*Bob*' forgets the password and requests the administrative person
>>for a password reset action
>>2. The admin person resets the password and provides the new password to *Bob*
>>off-line
>>3. This can be performed using the management console
>>4. When *Bob* tries to log in with the newly provided password, the login
>>page should prompt the password reset UI to *Bob*
>>5. And without changing the password Bob cannot log in to the system
>>6. There should be a way to distinguish *user password reset* vs. *admin
>>password reset*.
>>
>> But additionally, there can be enhancements to this flow by sending an
>> OTP in an email to the user, 'Bob' and enforcing password reset by
>> directing to a provided link.
>>
>> What are your thoughts on this?
>>
>> [1] https://redmine.wso2.com/issues/5417
>>
>> Thanks!
>> -Ayesha
>>
>> --
>> *Ayesha Dissanayaka*
>> Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 
>> 20, Palmgrove Avenue, Colombo 3
>> E-Mail: aye...@wso2.com 
>>
>
>
>
> --
> *Ayesha Dissanayaka*
> Software Engineer,
> WSO2, Inc : http://wso2.com
> 
> 20, Palmgrove Avenue, Colombo 3
> E-Mail: aye...@wso2.com 
>
>
>


Re: [Architecture] [architecture ] [IS-5.3.0] Admin forces password reset for user

2016-09-26 Thread Ayesha Dissanayaka
Hi,

I have created public jira IDENTITY-5166 to track this implementation.

Thanks!
-Ayesha



On Mon, Sep 26, 2016 at 5:14 PM, Ayesha Dissanayaka  wrote:

> Hi,
>
> I have started working on [1], which forces password reset for a user
> after an administrative password recovery action.
>
> Based on the off-line discussion with Darshana, this flow can be as
> follows.
>
>1. User '*Bob*' forgets the password and requests the administrative person
>for a password reset action
>2. The admin person resets the password and provides the new password to *Bob*
>off-line
>3. This can be performed using the management console
>4. When *Bob* tries to log in with the newly provided password, the login page
>should prompt the password reset UI to *Bob*
>5. And without changing the password Bob cannot log in to the system
>6. There should be a way to distinguish *user password reset* vs. *admin
>password reset*.
>
> But additionally, there can be enhancements to this flow by sending an OTP
> in an email to the user, 'Bob' and enforcing password reset by directing to
> a provided link.
>
> What are your thoughts on this?
>
> [1] https://redmine.wso2.com/issues/5417
>
> Thanks!
> -Ayesha
>
> --
> *Ayesha Dissanayaka*
> Software Engineer,
> WSO2, Inc : http://wso2.com
> 
> 20, Palmgrove Avenue, Colombo 3
> E-Mail: aye...@wso2.com 
>



-- 
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com

20, Palmgrove Avenue, Colombo 3
E-Mail: aye...@wso2.com 