Hi Nicola, I agree with you. Indeed Syncope already permits 2-way encryption.
Fabio Martelli

Nicola Scendoni <[email protected]> wrote:

On 23 March 2012 17:17, Denis Signoretto <[email protected]> wrote:
>
> > -----Original message-----
> > From: Fabio Martelli [mailto:[email protected]]
> > Sent: Friday 23 March 2012 16.42
> > To: [email protected]
> > Subject: Re: new password issue
> >
> > On 23/Mar/2012, at 16.17, Nicola Scendoni wrote:
> >
> > > On 23 March 2012 15:32, Fabio Martelli <[email protected]> wrote:
> > >
> > >> Hi Syncopers,
> > >> we have a password issue to be discussed and managed asap.
> > >>
> > >> Currently, every time a user's resource set is updated a new user password
> > >> specification is required.
> > >> From my point of view this couldn't be acceptable: a new password should
> > >> be required just in case of adding a new resource requiring a password.
> > >> Do you have any idea about how we can do this?
> > >>
> > >> The same behavior is applied in case of a user update coming from a
> > >> synchronization.
> > >> If during synchronization a user must be updated by adding a new resource
> > >> to its external resource set (may be implied by a user template) a new
> > >> password specification is always required. Currently we'll get a failure in
> > >> this scenario ....
> > >> Do you have any idea about how we can generate a new password just for new
> > >> external resources requiring it?
> > >>
> > >> Guys, I ask you your opinions in order to open a new issue to tune these
> > >> behaviors.
> > >>
> > >
> > > Hi Fabio,
> > >
> > > Why is a password required during the update? I agree with you this is not
> > > acceptable.
> > > About new resources: I think a good approach could be to store the
> > > encrypted user password and use this password for all the new resources. At
> > > least this behaviour should be allowed.
> >
> > Hi Nicola,
> > "unfortunately" the password could be encrypted one-way. The trick you
> > suggest is feasible just in case of reversible encryption.
> > I think that when adding a new external resource (with password attribute
> > mapped) by a self-update or by user administration, a manual password change
> > should be required.
> >
> > In case of synchronization I can suggest generating a random password. What
> > do you think?
> > Of course, in case of a reversible password, automatic password retrieving
> > could be preferred to a manual change or to a random generation.
> >
> > F.
> >
> Hi Fabio,
>
> I agree with you. Password should be required only if a new resource is
> added and only if Syncope is storing the password with a one-way algorithm.
> (there is an open issue on the old Google issue tracking about avoiding the
> password requirement using the AES algorithm).
>
> In case of a one-way algorithm I agree with you. One possible solution is a
> random password generation compliant with the password policy.
>
> With some IDMs the user password can be encrypted with a 2-way algorithm, so
> the user can have a unique password for all the resources. I think that
> giving this option to the users can be good. Do you agree?
>
> Bye,
> Denis.
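The rule the thread converges on, written out as an added example (this is not Syncope's code; the resource-to-password mapping table, the policy values and all function names are constructed assumptions): a password is needed only when a newly added resource maps the password attribute; a reversibly stored password can simply be reused, while a one-way stored one requires a manual change on self-update/admin changes or a policy-compliant random password during synchronization.

```python
import secrets
import string

# Constructed sample: which external resources map the user's password attribute.
RESOURCE_MAPS_PASSWORD = {"ldap": True, "db-crm": True, "csv-export": False}

# Constructed password policy, in the spirit of the "compliant with the password
# policy" requirement in the thread.
SPECIALS = "!@#$%^&*"
PASSWORD_POLICY = {"min_length": 12, "need_digit": True,
                   "need_upper": True, "need_special": True}


def resources_needing_password(old, new):
    """Resources newly added to the user's set that map the password attribute."""
    return sorted(r for r in set(new) - set(old) if RESOURCE_MAPS_PASSWORD.get(r, False))


def password_action(old, new, cipher, origin):
    """Decide what to do with the password when the resource set changes.

    cipher: "ONE_WAY" (hashed) or "TWO_WAY" (reversible, e.g. AES).
    origin: "SYNC" (synchronization) or "MANUAL" (self-update / administration).
    Returns NONE, REUSE_STORED, REQUIRE_MANUAL or GENERATE_RANDOM.
    """
    if not resources_needing_password(old, new):
        return "NONE"  # removal, or a new resource that does not map the password
    if cipher == "TWO_WAY":
        return "REUSE_STORED"  # decrypt and propagate the same password
    return "GENERATE_RANDOM" if origin == "SYNC" else "REQUIRE_MANUAL"


def complies(pwd, policy=PASSWORD_POLICY):
    """Check a candidate password against the constructed policy."""
    return (len(pwd) >= policy["min_length"]
            and (not policy["need_digit"] or any(c.isdigit() for c in pwd))
            and (not policy["need_upper"] or any(c.isupper() for c in pwd))
            and (not policy["need_special"] or any(c in SPECIALS for c in pwd)))


def generate_policy_password(policy=PASSWORD_POLICY):
    """Random password from the CSPRNG, resampled until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(policy["min_length"]))
        if complies(pwd, policy):
            return pwd
```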
