-
Notifications
You must be signed in to change notification settings - Fork 188
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
identity recovery documentation (not finished)
- Loading branch information
1 parent
81e1223
commit 2871fba
Showing
1 changed file
with
161 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,161 @@ | ||
= Identity recovery | ||
:page-nav-title: Identity recovery | ||
:page-toc: top | ||
|
||
++++ | ||
{% include since.html since="4.8" %} | ||
++++ | ||
|
||
Identity recovery feature brings the possibility to recover user's data in case they were lost | ||
or forgotten. User can recover their login name or other data depending on the configuration. | ||
|
||
With this functionality two authentication modules appear in midPoint. | ||
|
||
The first module is Archetype selection module. It defines a list of archetypes among which the user | ||
can make a choice. This step helps the user to define which role they belong | ||
in midPoint to. If the user cannot choose some definite archetype, the flow still can be continued | ||
with the undefined archetype if this option is configured in the Archetype selection module. | ||
|
||
The second module is Correlation module. Going through this module the user should provide their data. | ||
MidPoint searches for the user's account in midPoint basing on the entered data. The search is | ||
processed with the help of correlation mechanism (link here) and as a result one or multiple users' accounts can | ||
be found.Correlation module defines the list of correlators which are responsible for the search. | ||
The correlators are processed one by one and correlation module can be finished after any of them if | ||
the correlation result has already found a specified user's account (in this case the found account's | ||
data will be displayed on the screen). Otherwise, all correlators are processed and the results are | ||
shown on the screen. Correlation module configuration allows to restrict the number of the accounts | ||
which can be found by the correlators. If the correlation result contains more accounts than it's | ||
allowed, correlation module will end up with an error. If no limitation is set, all found accounts | ||
will be displayed to the user. | ||
|
||
== Identity recovery configuration | ||
To make Identity recovery functionality working 3 basic authentication sections should be configured: | ||
modules, sequence and flow. | ||
|
||
=== Archetype selection and Correlation authentication modules | ||
Archetype selection and Correlation authentication modules are configured in the `modules` part of | ||
the `authentication` section in the security policy object. | ||
|
||
The following Archetype selection module gives the possibility to select among 3 archetypes: Student, | ||
Applicant and Teacher. Undefined archetype option is also allowed. | ||
|
||
.Archetype selection module configuration | ||
[source,xml] | ||
---- | ||
<securityPolicy> | ||
............. | ||
<authentication> | ||
<modules> | ||
............. | ||
<archetypeSelection> | ||
<identifier>archetypeSelection</identifier> | ||
<archetypeSelection> | ||
<archetypeRef oid="612c147c-1ef7-4be9-9085-a1cb6ca8515e"/> <!-- Reference to Applicant archetype --> | ||
<archetypeRef oid="5bd3f6b4-e328-4f6e-976a-7b5b0c48346d"/> <!-- Reference to Student archetype --> | ||
<archetypeRef oid="9e105fbc-38e2-4de9-9b93-58bce2f2995a"/> <!-- Reference to Teacher archetype --> | ||
</archetypeSelection> | ||
<allowUndefinedArchetype>true</allowUndefinedArchetype> | ||
</archetypeSelection> | ||
............. | ||
</modules> | ||
---- | ||
|
||
Correlation module defines correlators identifiers and their order. Correlator identifier refers to | ||
the `name` attribute of the `correlators` element which is defined in `correlation` part of object | ||
template. The maximum number of the users to be found is set within `candidateLimit` element. | ||
|
||
.Correlation module configuration | ||
[source,xml] | ||
---- | ||
<securityPolicy> | ||
............. | ||
<authentication> | ||
<modules> | ||
............. | ||
<correlation> | ||
<identifier>correlationModule</identifier> | ||
<correlator> | ||
<correlatorIdentifier>identity-recovery-1</correlatorIdentifier> | ||
<order>1</order> | ||
</correlator> | ||
<correlator> | ||
<correlatorIdentifier>identity-recovery-2</correlatorIdentifier> | ||
<order>2</order> | ||
</correlator> | ||
<correlator> | ||
<correlatorIdentifier>identity-recovery-3</correlatorIdentifier> | ||
<order>3</order> | ||
</correlator> | ||
<options> | ||
<candidateLimit>3</candidateLimit> | ||
</options> | ||
</correlation> | ||
............. | ||
</modules> | ||
---- | ||
|
||
=== Identity recovery authentication sequence | ||
|
||
Identity recovery authentication sequence is configured within `sequence` element in the `authentication` | ||
section of the security policy object. Sequence specifies the modules which are processed during | ||
Identity recovery flow. | ||
|
||
.Identity recovery sequence | ||
[source,xml] | ||
---- | ||
<securityPolicy> | ||
............. | ||
<authentication> | ||
............. | ||
<sequence> | ||
<identifier>identity-recovery-sequence</identifier> | ||
<channel> | ||
<channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#identityRecovery</channelId> | ||
<default>true</default> | ||
<urlSuffix>identityRecovery</urlSuffix> | ||
</channel> | ||
<module> | ||
<identifier>archetypeSelection</identifier> | ||
<order>1</order> | ||
<necessity>requisite</necessity> | ||
</module> | ||
<module> | ||
<identifier>correlationModule</identifier> | ||
<order>2</order> | ||
<necessity>requisite</necessity> | ||
</module> | ||
</sequence> | ||
............. | ||
---- | ||
|
||
=== Identity recovery flow | ||
Identity recovery flow is configured just straight in the security policy object. | ||
`authenticationSequenceIdentifier` element points to the authentication sequence which should be used | ||
during this flow. The list of items to be displayed to the user on the final screen can be configured | ||
with the help of multivalue `itemToDisplay` element. However, this is not obligatory to configure | ||
`itemToDisplay`. If none is specified, `name` attribute of the recovered identity object will be | ||
displayed on the final screen. | ||
|
||
.Identity recovery flow | ||
[source,xml] | ||
---- | ||
<securityPolicy> | ||
............. | ||
<identityRecovery> | ||
<identifier>identity-recovery</identifier> | ||
<authenticationSequenceIdentifier>identity-recovery-sequence</authenticationSequenceIdentifier> | ||
<itemToDisplay>emailAddress</itemToDisplay> | ||
<itemToDisplay>fullName</itemToDisplay> | ||
</identityRecovery> | ||
............. | ||
---- | ||
|
||
=== Another objects | ||
To build up full configuration of the Identity recovery functionality, some other objects also should | ||
be present in the system. In this section of the document the full chain of the configuration objects | ||
is described. | ||
|
||
To be continued... | ||
|
||
|