diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointHostBasedSamlServiceProviderProvisioning.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointHostBasedSamlServiceProviderProvisioning.java
new file mode 100644
index 00000000000..2ddad547aa5
--- /dev/null
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidpointHostBasedSamlServiceProviderProvisioning.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.security;
+
+import org.springframework.security.saml.SamlMetadataCache;
+import org.springframework.security.saml.SamlTransformer;
+import org.springframework.security.saml.SamlValidator;
+import org.springframework.security.saml.key.KeyType;
+import org.springframework.security.saml.key.SimpleKey;
+import org.springframework.security.saml.provider.config.SamlConfigurationRepository;
+import org.springframework.security.saml.provider.provisioning.HostBasedSamlServiceProviderProvisioning;
+import org.springframework.security.saml.provider.service.AuthenticationRequestEnhancer;
+import org.springframework.security.saml.provider.service.HostedServiceProviderService;
+import org.springframework.security.saml.provider.service.ServiceProviderService;
+import org.springframework.security.saml.provider.service.config.LocalServiceProviderConfiguration;
+import org.springframework.security.saml.saml2.metadata.ServiceProviderMetadata;
+
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+
+import static org.springframework.util.StringUtils.hasText;
+
+/**
+ * @author skublik
+ */
+
+public class MidpointHostBasedSamlServiceProviderProvisioning extends HostBasedSamlServiceProviderProvisioning {
+
+ private final AuthenticationRequestEnhancer authnRequestEnhancer;
+
+ public MidpointHostBasedSamlServiceProviderProvisioning(SamlConfigurationRepository configuration, SamlTransformer transformer, SamlValidator validator, SamlMetadataCache cache, AuthenticationRequestEnhancer authnRequestEnhancer) {
+ super(configuration, transformer, validator, cache, authnRequestEnhancer);
+ this.authnRequestEnhancer = authnRequestEnhancer;
+ }
+
+ protected ServiceProviderService getHostedServiceProvider(LocalServiceProviderConfiguration spConfig) {
+ String basePath = spConfig.getBasePath();
+
+ List keys = new LinkedList<>();
+ SimpleKey signingKey = null;
+ if (spConfig.getKeys() != null) {
+ SimpleKey activeKey = spConfig.getKeys().getActive();
+ if (activeKey != null) {
+ keys.add(activeKey);
+ keys.add(activeKey.clone(activeKey.getName() + "-encryption", KeyType.ENCRYPTION));
+ }
+ keys.addAll(spConfig.getKeys().getStandBy());
+ signingKey = spConfig.isSignMetadata() ? spConfig.getKeys().getActive() : null;
+ }
+
+ String prefix = hasText(spConfig.getPrefix()) ? spConfig.getPrefix() : "saml/sp/";
+ String aliasPath = getAliasPath(spConfig);
+ ServiceProviderMetadata metadata =
+ serviceProviderMetadata(
+ basePath,
+ signingKey,
+ keys,
+ prefix,
+ aliasPath,
+ spConfig.getDefaultSigningAlgorithm(),
+ spConfig.getDefaultDigest()
+ );
+ if (!spConfig.getNameIds().isEmpty()) {
+ metadata.getServiceProvider().setNameIds(spConfig.getNameIds());
+ }
+
+ if (!spConfig.isSingleLogoutEnabled()) {
+ metadata.getServiceProvider().setSingleLogoutService(Collections.emptyList());
+ }
+ if (hasText(spConfig.getEntityId())) {
+ metadata.setEntityId(spConfig.getEntityId());
+ }
+ if (hasText(spConfig.getAlias())) {
+ metadata.setEntityAlias(spConfig.getAlias());
+ }
+ metadata.getServiceProvider().setWantAssertionsSigned(spConfig.isWantAssertionsSigned());
+ metadata.getServiceProvider().setAuthnRequestsSigned(spConfig.isSignRequests());
+
+ return new HostedServiceProviderService(
+ spConfig,
+ metadata,
+ getTransformer(),
+ getValidator(),
+ getCache(),
+ authnRequestEnhancer
+ );
+ }
+}
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/SamlModuleWebSecurityConfig.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/SamlModuleWebSecurityConfig.java
index 843c256ac2e..fa1edf4216f 100644
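Review bot: The null guards around `spConfig.getKeys()` and `getActive()` let the SP come up with no key material at all, but the two signing flags are still copied into the metadata unconditionally on the `setWantAssertionsSigned`/`setAuthnRequestsSigned` lines: with no active key and `isSignRequests()` true the SP advertises `AuthnRequestsSigned="true"` while unable to sign anything, and with `isSignMetadata()` true `signingKey` silently stays null and unsigned metadata is published. A configuration that asks for signatures but supplies no key should fail at startup rather than degrade quietly, which the sketch below does before building the key list. The `KeyType.ENCRYPTION` clone also deserves a comment, since it is not obvious that the active signing key is republished as the SP's encryption key: `// the active signing key is also published as the SP encryption key (same key pair, ENCRYPTION use)`. The method presumably overrides the parent's `getHostedServiceProvider` and could carry `@Override` so a signature drift is caught by the compiler.
```java
SimpleKey activeKey = spConfig.getKeys() == null ? null : spConfig.getKeys().getActive();
if (activeKey == null && (spConfig.isSignRequests() || spConfig.isSignMetadata())) {
    throw new IllegalStateException(
            "SAML SP is configured to sign requests or metadata but has no active key");
}
List<SimpleKey> keys = new LinkedList<>();
if (activeKey != null) {
    keys.add(activeKey);
    // the active signing key is also published as the SP encryption key (same key pair, ENCRYPTION use)
    keys.add(activeKey.clone(activeKey.getName() + "-encryption", KeyType.ENCRYPTION));
}
if (spConfig.getKeys() != null) {
    keys.addAll(spConfig.getKeys().getStandBy());
}
SimpleKey signingKey = spConfig.isSignMetadata() ? activeKey : null;
// … unchanged: metadata construction and HostedServiceProviderService …
```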
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/SamlModuleWebSecurityConfig.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/SamlModuleWebSecurityConfig.java
@@ -1,174 +1,177 @@ -/* - * Copyright (c) 2010-2017 Evolveum and contributors - * - * This work is dual-licensed under the Apache License 2.0 - * and European Union Public License. See LICENSE file for details. - */ - -package com.evolveum.midpoint.web.security.module; - -import com.evolveum.midpoint.model.api.authentication.UserProfileService; -import com.evolveum.midpoint.security.api.MidPointPrincipal; -import com.evolveum.midpoint.util.logging.Trace; -import com.evolveum.midpoint.util.logging.TraceManager; -import com.evolveum.midpoint.web.security.*; -import com.evolveum.midpoint.web.security.filter.MidpointSamlAuthenticationRequestFilter; -import com.evolveum.midpoint.web.security.filter.MidpointSamlAuthenticationResponseFilter; -import com.evolveum.midpoint.web.security.filter.configurers.MidpointExceptionHandlingConfigurer; -import com.evolveum.midpoint.web.security.module.configuration.SamlModuleWebSecurityConfiguration; -import com.evolveum.midpoint.web.security.SamlAuthenticationEntryPoint; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.security.authentication.AuthenticationManager; -import org.springframework.security.authentication.ProviderManager; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.AuthenticationException; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.core.session.SessionRegistry; -import org.springframework.security.saml.provider.SamlProviderLogoutFilter; -import org.springframework.security.saml.provider.SamlServerConfiguration; -import org.springframework.security.saml.provider.service.config.SamlServiceProviderServerBeanConfiguration; -import org.springframework.security.web.authentication.logout.CompositeLogoutHandler; -import 
org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler; -import org.springframework.security.web.authentication.logout.LogoutHandler; -import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler; -import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; - -import javax.servlet.Filter; - -import java.util.ArrayList; -import java.util.Collections; -import java.util.List; - -import static org.springframework.security.saml.util.StringUtils.stripEndingSlases; - - -/** - * @author skublik - */ - -public class SamlModuleWebSecurityConfig extends ModuleWebSecurityConfig { - - private static final Trace LOGGER = TraceManager.getTrace(SamlModuleWebSecurityConfig.class); - - @Autowired - private SessionRegistry sessionRegistry; - - @Autowired - private MidPointGuiAuthorizationEvaluator accessDecisionManager; - - private SamlServerConfiguration saml2Configuration; - - private MidpointSamlProviderServerBeanConfiguration beanConfiguration; - - public SamlModuleWebSecurityConfig(C configuration) { - super(configuration); - this.saml2Configuration = configuration.getSamlConfiguration(); - this.beanConfiguration = new MidpointSamlProviderServerBeanConfiguration(configuration); - } - - @Override - protected void configure(HttpSecurity http) throws Exception { - getObjectPostProcessor().postProcess(getBeanConfiguration()); - super.configure(http); - String prefix = getPrefix(); - - http.antMatcher(stripEndingSlases(getPrefix()) + "/**"); - http.csrf().disable(); - - getOrApply(http, new MidpointExceptionHandlingConfigurer()) - .authenticationEntryPoint(new SamlAuthenticationEntryPoint("/saml2/select")); - - http.addFilterAfter( - getBeanConfiguration().samlConfigurationFilter(), - BasicAuthenticationFilter.class - ) - .addFilterAfter( - getBeanConfiguration().spMetadataFilter(), - getBeanConfiguration().samlConfigurationFilter().getClass() - ) - .addFilterAfter( - 
getBeanConfiguration().spAuthenticationRequestFilter(), - getBeanConfiguration().spMetadataFilter().getClass() - ) - .addFilterAfter( - getBeanConfiguration().spAuthenticationResponseFilter(), - getBeanConfiguration().spAuthenticationRequestFilter().getClass() - ) - .addFilterAfter( - getBeanConfiguration().spSamlLogoutFilter(), - getBeanConfiguration().spAuthenticationResponseFilter().getClass() - ); - } - - public SamlServiceProviderServerBeanConfiguration getBeanConfiguration() { - return beanConfiguration; - } - - private class MidpointSamlProviderServerBeanConfiguration extends SamlServiceProviderServerBeanConfiguration { - - @Autowired - private UserProfileService userProfileService; - -// @Autowired -// private AuditedLogoutHandler auditedLogoutHandler; - - private final SamlModuleWebSecurityConfiguration configuration; - - private final SamlServerConfiguration saml2Config; - - public MidpointSamlProviderServerBeanConfiguration(SamlModuleWebSecurityConfiguration configuration) { - this.configuration = configuration; - this.saml2Config = configuration.getSamlConfiguration(); - } - - @Override - protected SamlServerConfiguration getDefaultHostSamlServerConfiguration() { - return saml2Config; - } - - @Override - public Filter spAuthenticationRequestFilter() { - return new MidpointSamlAuthenticationRequestFilter(getSamlProvisioning()); - } - - @Override - public Filter spAuthenticationResponseFilter() { - MidpointSamlAuthenticationResponseFilter authenticationFilter = - new MidpointSamlAuthenticationResponseFilter(getSamlProvisioning()); - try { - authenticationFilter.setAuthenticationManager(new ProviderManager(Collections.emptyList(), authenticationManager())); - } catch (Exception e) { - LOGGER.error("Couldn't initialize authentication manager for saml2 module"); - } - authenticationFilter.setAuthenticationSuccessHandler(getObjectPostProcessor().postProcess( - new MidPointAuthenticationSuccessHandler().setPrefix(configuration.getPrefix()))); - 
authenticationFilter.setAuthenticationFailureHandler(new MidpointAuthenticationFauileHandler()); - return authenticationFilter; - } - - @Override - public Filter spSamlLogoutFilter() { - List handlers = new ArrayList(); - handlers.add(new SecurityContextLogoutHandler()); - handlers.add(new CookieClearingLogoutHandler("JSESSIONID")); - handlers.add(new MidpointServiceProviderLogoutHandler(getSamlProvisioning())); - return new SamlProviderLogoutFilter( - getSamlProvisioning(), - new CompositeLogoutHandler(handlers), - createLogoutHandler() - ); - } - - private class MidpointSimpleAuthenticationManager implements AuthenticationManager { - @Override - public Authentication authenticate(Authentication authentication) throws AuthenticationException { - - if (authentication.isAuthenticated() && authentication.getPrincipal() instanceof MidPointPrincipal) { - SecurityContextHolder.getContext().setAuthentication(authentication); - } - return authentication; - } - } - } -} +/* + * Copyright (c) 2010-2017 Evolveum and contributors + * + * This work is dual-licensed under the Apache License 2.0 + * and European Union Public License. See LICENSE file for details. 
+ */ + +package com.evolveum.midpoint.web.security.module; + +import com.evolveum.midpoint.model.api.authentication.UserProfileService; +import com.evolveum.midpoint.security.api.MidPointPrincipal; +import com.evolveum.midpoint.util.logging.Trace; +import com.evolveum.midpoint.util.logging.TraceManager; +import com.evolveum.midpoint.web.security.*; +import com.evolveum.midpoint.web.security.filter.MidpointSamlAuthenticationRequestFilter; +import com.evolveum.midpoint.web.security.filter.MidpointSamlAuthenticationResponseFilter; +import com.evolveum.midpoint.web.security.filter.configurers.MidpointExceptionHandlingConfigurer; +import com.evolveum.midpoint.web.security.module.configuration.SamlModuleWebSecurityConfiguration; +import com.evolveum.midpoint.web.security.SamlAuthenticationEntryPoint; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; +import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.authentication.ProviderManager; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.session.SessionRegistry; +import org.springframework.security.saml.provider.SamlProviderLogoutFilter; +import org.springframework.security.saml.provider.SamlServerConfiguration; +import org.springframework.security.saml.provider.provisioning.HostBasedSamlServiceProviderProvisioning; +import org.springframework.security.saml.provider.provisioning.SamlProviderProvisioning; +import org.springframework.security.saml.provider.service.ServiceProviderService; +import org.springframework.security.saml.provider.service.config.SamlServiceProviderServerBeanConfiguration; +import 
org.springframework.security.web.authentication.logout.CompositeLogoutHandler; +import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler; +import org.springframework.security.web.authentication.logout.LogoutHandler; +import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler; +import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; + +import javax.servlet.Filter; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import static org.springframework.security.saml.util.StringUtils.stripEndingSlases; + + +/** + * @author skublik + */ + +public class SamlModuleWebSecurityConfig extends ModuleWebSecurityConfig { + + private static final Trace LOGGER = TraceManager.getTrace(SamlModuleWebSecurityConfig.class); + + private MidpointSamlProviderServerBeanConfiguration beanConfiguration; + + public SamlModuleWebSecurityConfig(C configuration) { + super(configuration); + this.beanConfiguration = new MidpointSamlProviderServerBeanConfiguration(configuration); + } + + @Override + protected void configure(HttpSecurity http) throws Exception { + getObjectPostProcessor().postProcess(getBeanConfiguration()); + super.configure(http); + + http.antMatcher(stripEndingSlases(getPrefix()) + "/**"); + http.csrf().disable(); + + getOrApply(http, new MidpointExceptionHandlingConfigurer()) + .authenticationEntryPoint(new SamlAuthenticationEntryPoint("/saml2/select")); + + http.addFilterAfter( + getBeanConfiguration().samlConfigurationFilter(), + BasicAuthenticationFilter.class + ) + .addFilterAfter( + getBeanConfiguration().spMetadataFilter(), + getBeanConfiguration().samlConfigurationFilter().getClass() + ) + .addFilterAfter( + getBeanConfiguration().spAuthenticationRequestFilter(), + getBeanConfiguration().spMetadataFilter().getClass() + ) + .addFilterAfter( + getBeanConfiguration().spAuthenticationResponseFilter(), + 
getBeanConfiguration().spAuthenticationRequestFilter().getClass() + ) + .addFilterAfter( + getBeanConfiguration().spSamlLogoutFilter(), + getBeanConfiguration().spAuthenticationResponseFilter().getClass() + ); + } + + public SamlServiceProviderServerBeanConfiguration getBeanConfiguration() { + return beanConfiguration; + } + + private class MidpointSamlProviderServerBeanConfiguration extends SamlServiceProviderServerBeanConfiguration { + +// @Autowired +// private AuditedLogoutHandler auditedLogoutHandler; + + private final SamlModuleWebSecurityConfiguration configuration; + + private final SamlServerConfiguration saml2Config; + + public MidpointSamlProviderServerBeanConfiguration(SamlModuleWebSecurityConfiguration configuration) { + this.configuration = configuration; + this.saml2Config = configuration.getSamlConfiguration(); + } + + @Override + @Bean(name = "samlServiceProviderProvisioning") + public SamlProviderProvisioning getSamlProvisioning() { + return new MidpointHostBasedSamlServiceProviderProvisioning( + samlConfigurationRepository(), + samlTransformer(), + samlValidator(), + samlMetadataCache(), + authenticationRequestEnhancer() + ); + } + + @Override + protected SamlServerConfiguration getDefaultHostSamlServerConfiguration() { + return saml2Config; + } + + @Override + public Filter spAuthenticationRequestFilter() { + return new MidpointSamlAuthenticationRequestFilter(getSamlProvisioning()); + } + + @Override + public Filter spAuthenticationResponseFilter() { + MidpointSamlAuthenticationResponseFilter authenticationFilter = + new MidpointSamlAuthenticationResponseFilter(getSamlProvisioning()); + try { + authenticationFilter.setAuthenticationManager(new ProviderManager(Collections.emptyList(), authenticationManager())); + } catch (Exception e) { + LOGGER.error("Couldn't initialize authentication manager for saml2 module"); + } + authenticationFilter.setAuthenticationSuccessHandler(getObjectPostProcessor().postProcess( + new 
MidPointAuthenticationSuccessHandler().setPrefix(configuration.getPrefix()))); + authenticationFilter.setAuthenticationFailureHandler(new MidpointAuthenticationFauileHandler()); + return authenticationFilter; + } + + @Override + public Filter spSamlLogoutFilter() { + List handlers = new ArrayList(); + handlers.add(new SecurityContextLogoutHandler()); + handlers.add(new CookieClearingLogoutHandler("JSESSIONID")); + handlers.add(new MidpointServiceProviderLogoutHandler(getSamlProvisioning())); + return new SamlProviderLogoutFilter( + getSamlProvisioning(), + new CompositeLogoutHandler(handlers), + createLogoutHandler() + ); + } + + private class MidpointSimpleAuthenticationManager implements AuthenticationManager { + @Override + public Authentication authenticate(Authentication authentication) throws AuthenticationException { + + if (authentication.isAuthenticated() && authentication.getPrincipal() instanceof MidPointPrincipal) { + SecurityContextHolder.getContext().setAuthentication(authentication); + } + return authentication; + } + } + } +} diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/configuration/SamlModuleWebSecurityConfiguration.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/configuration/SamlModuleWebSecurityConfiguration.java index 96296d9598b..117c8c7f343 100644 --- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/configuration/SamlModuleWebSecurityConfiguration.java +++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/configuration/SamlModuleWebSecurityConfiguration.java 
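Review bot: The new `@Bean(name = "samlServiceProviderProvisioning")` on `getSamlProvisioning()` appears to have no effect here, because `MidpointSamlProviderServerBeanConfiguration` is created with `new` in the outer constructor and only handed to `getObjectPostProcessor().postProcess(...)`, which initialises that one object but does not register its `@Bean` methods as a configuration class. The method is then called as a plain Java method from `spAuthenticationRequestFilter()`, `spAuthenticationResponseFilter()` and twice in `spSamlLogoutFilter()`, so unless the parent class memoises, each filter ends up with its own `MidpointHostBasedSamlServiceProviderProvisioning` and its own `samlMetadataCache()`, and IdP metadata is resolved and cached once per filter rather than once per module; I would create it lazily once and hand the same instance to every filter, as sketched below. Separately, the `catch (Exception e)` in `spAuthenticationResponseFilter()` drops the cause and leaves the filter without an authentication manager, so at minimum log it: `LOGGER.error("Couldn't initialize authentication manager for saml2 module", e);`. `MidpointSimpleAuthenticationManager` is not referenced anywhere in this hunk and looks like dead code carried over by the rewrite.
```java
private SamlProviderProvisioning<ServiceProviderService> samlProvisioning;

@Override
public SamlProviderProvisioning<ServiceProviderService> getSamlProvisioning() {
    // built once and shared by every SP filter of this module
    if (samlProvisioning == null) {
        samlProvisioning = new MidpointHostBasedSamlServiceProviderProvisioning(
                samlConfigurationRepository(),
                samlTransformer(),
                samlValidator(),
                samlMetadataCache(),
                authenticationRequestEnhancer()
        );
    }
    return samlProvisioning;
}
// … unchanged: getDefaultHostSamlServerConfiguration(), filter factory methods …
```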
@@ -1,253 +1,253 @@ -/* - * Copyright (c) 2010-2019 Evolveum and contributors - * - * This work is dual-licensed under the Apache License 2.0 - * and European Union Public License. See LICENSE file for details. - */ -package com.evolveum.midpoint.web.security.module.configuration; - -import com.evolveum.midpoint.prism.crypto.EncryptionException; -import com.evolveum.midpoint.prism.crypto.Protector; -import com.evolveum.midpoint.util.logging.Trace; -import com.evolveum.midpoint.util.logging.TraceManager; -import com.evolveum.midpoint.xml.ns._public.common.common_3.*; -import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType; -import org.apache.commons.lang3.StringUtils; -import org.apache.commons.lang3.Validate; -import org.springframework.security.saml.key.KeyType; -import org.springframework.security.saml.key.SimpleKey; -import org.springframework.security.saml.provider.SamlServerConfiguration; -import org.springframework.security.saml.provider.config.NetworkConfiguration; -import org.springframework.security.saml.provider.config.RotatingKeys; -import org.springframework.security.saml.provider.service.config.ExternalIdentityProviderConfiguration; -import org.springframework.security.saml.provider.service.config.LocalServiceProviderConfiguration; -import org.springframework.security.saml.saml2.signature.AlgorithmMethod; -import org.springframework.security.saml.saml2.signature.DigestMethod; - -import javax.servlet.ServletRequest; -import javax.servlet.http.HttpServletRequest; -import java.io.IOException; -import java.net.URI; -import java.nio.file.Files; -import java.nio.file.Paths; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.List; -import java.util.Map; - -import static org.springframework.security.saml.util.StringUtils.stripSlashes; - -/** - * @author skublik - */ - -public class SamlModuleWebSecurityConfiguration extends ModuleWebSecurityConfigurationImpl { - - private static final transient Trace LOGGER = 
TraceManager.getTrace(SamlModuleWebSecurityConfiguration.class); - private static Protector protector; - - private SamlServerConfiguration samlConfiguration; - private Map namesOfUsernameAttributes = new HashMap(); - - private SamlModuleWebSecurityConfiguration() { - } - - public static void setProtector(Protector protector) { - SamlModuleWebSecurityConfiguration.protector = protector; - } - - public static SamlModuleWebSecurityConfiguration build(AuthenticationModuleSaml2Type modelType, String prefixOfSequence, ServletRequest request){ - Validate.notNull(request); - SamlModuleWebSecurityConfiguration configuration = buildInternal((AuthenticationModuleSaml2Type)modelType, prefixOfSequence, request); - configuration.validate(); - return configuration; - } - - private static SamlModuleWebSecurityConfiguration buildInternal(AuthenticationModuleSaml2Type modelType, String prefixOfSequence, ServletRequest request){ - SamlModuleWebSecurityConfiguration configuration = new SamlModuleWebSecurityConfiguration(); - build(configuration, modelType, prefixOfSequence); - SamlServerConfiguration samlConfiguration = new SamlServerConfiguration(); - AuthenticationModuleSaml2NetworkType networkType = modelType.getNetwork(); - if (networkType != null) { - NetworkConfiguration network = new NetworkConfiguration(); - if (networkType.getConnectTimeout() != 0) { - network.setConnectTimeout(networkType.getConnectTimeout()); - } - if (networkType.getReadTimeout() != 0) { - network.setReadTimeout(networkType.getReadTimeout()); - } - samlConfiguration.setNetwork(network); - } - AuthenticationModuleSaml2ServiceProviderType serviceProviderType = modelType.getServiceProvider(); - LocalServiceProviderConfiguration serviceProvider = new LocalServiceProviderConfiguration(); - serviceProvider.setEntityId(serviceProviderType.getEntityId()) - .setSignMetadata(Boolean.TRUE.equals(serviceProviderType.isSignRequests())) - .setSignRequests(Boolean.TRUE.equals(serviceProviderType.isSignRequests())) - 
.setWantAssertionsSigned(Boolean.TRUE.equals(serviceProviderType.isWantAssertionsSigned())) - .setSingleLogoutEnabled(Boolean.TRUE.equals(serviceProviderType.isSingleLogoutEnabled())) - .setBasePath(getBasePath(((HttpServletRequest) request))); - List objectList = new ArrayList(); - for (AuthenticationModuleSaml2NameIdType nameIdType : serviceProviderType.getNameId()) { - objectList.add(nameIdType.value()); - } - serviceProvider.setNameIds(objectList); - if (serviceProviderType.getDefaultDigest() != null) { - serviceProvider.setDefaultDigest(DigestMethod.fromUrn(serviceProviderType.getDefaultDigest().value())); - } - if (serviceProviderType.getDefaultSigningAlgorithm() != null) { - serviceProvider.setDefaultSigningAlgorithm(AlgorithmMethod.fromUrn(serviceProviderType.getDefaultSigningAlgorithm().value())); - } - AuthenticationModuleSaml2KeyType keysType = serviceProviderType.getKeys(); -// if (keysType != null) { - RotatingKeys key = new RotatingKeys(); - AuthenticationModuleSaml2SimpleKeyType activeKeyType = keysType.getActive(); -// if (activeKeyType != null) { - try { - key.setActive(createSimpleKey(activeKeyType)); - } catch (EncryptionException e) { - LOGGER.error("Couldn't obtain clear string for configuration of SimpleKey from " + activeKeyType); - } -// } - -// if (keysType.getStandBy() != null && !keysType.getStandBy().isEmpty()) { - for (AuthenticationModuleSaml2SimpleKeyType standByKey : keysType.getStandBy()) { - try { - key.getStandBy().add(createSimpleKey(standByKey)); - } catch (EncryptionException e) { - LOGGER.error("Couldn't obtain clear string for configuration of SimpleKey from " + standByKey); - } - } -// } - serviceProvider.setKeys(key); -// } - - List providers = new ArrayList(); - List providersType = serviceProviderType.getProvider(); - for (AuthenticationModuleSaml2ProviderType providerType : providersType) { - ExternalIdentityProviderConfiguration provider = new ExternalIdentityProviderConfiguration(); - 
provider.setAlias(providerType.getAlias()) - .setSkipSslValidation(Boolean.TRUE.equals(providerType.isSkipSslValidation())) - .setMetadataTrustCheck(Boolean.TRUE.equals(providerType.isMetadataTrustCheck())) - .setAuthenticationRequestBinding(URI.create(providerType.getAuthenticationRequestBinding())); - if (StringUtils.isNotBlank(providerType.getLinkText())) { - provider.setLinktext(providerType.getLinkText()); - } - List verificationKeys = new ArrayList(); - for (ProtectedStringType verificationKeyProtected : providerType.getVerificationKeys()) { - try { - String verificationKey = protector.decryptString(verificationKeyProtected); - } catch (EncryptionException e) { - LOGGER.error("Couldn't obtain clear string for provider verification key"); - } - } - if (verificationKeys != null && !verificationKeys.isEmpty()) { - provider.setVerificationKeys(verificationKeys); - } - try { - provider.setMetadata(createMetadata(providerType.getMetadata(), true)); - } catch (Exception e) { - LOGGER.error("Couldn't obtain metadata as string from " + providerType.getMetadata()); - } - providers.add(provider); - configuration.addNameOfUsernameAttributeOfIP(providerType.getEntityId(), providerType.getNameOfUsernameAttribute()); - } - serviceProvider.setProviders(providers); - try { - serviceProvider.setMetadata(createMetadata(serviceProviderType.getMetadata(), false)); - } catch (Exception e) { - LOGGER.error("Couldn't obtain metadata as string from " + serviceProviderType.getMetadata()); - } - serviceProvider.setPrefix(configuration.getPrefix()); - samlConfiguration.setServiceProvider(serviceProvider); - configuration.setSamlConfiguration(samlConfiguration); - return configuration; - } - - private static String createMetadata(AuthenticationModuleSaml2ProviderMetadataType metadata, boolean required) throws IOException { - if (metadata != null) { - String metadataUrl = metadata.getMetadataUrl(); - if (StringUtils.isNotBlank(metadataUrl)) { - return metadataUrl; - } - String pathToFile 
= metadata.getPathToFile(); - if (StringUtils.isNotBlank(pathToFile)) { - return readFile(pathToFile); - } - byte[] xml = metadata.getXml(); - if (xml != null && xml.length != 0) { - return new String(xml); - } - } - if (required) { - throw new IllegalArgumentException("Metadata is not present"); - } - return null; - } - - private static String readFile(String path) throws IOException { - byte[] encoded = Files.readAllBytes(Paths.get(path)); - return new String(encoded); - } - - private static SimpleKey createSimpleKey(AuthenticationModuleSaml2SimpleKeyType simpleKeyType) throws EncryptionException { - SimpleKey key = new SimpleKey(); - key.setName(simpleKeyType.getName()); -// Protector protector = ((MidPointApplication) Application.get()).getProtector(); - String privateKey = protector.decryptString(simpleKeyType.getPrivateKey()); - key.setPrivateKey(privateKey); - String passphrase = protector.decryptString(simpleKeyType.getPassphrase()); - key.setPassphrase(passphrase); - String certificate = protector.decryptString(simpleKeyType.getCertificate()); - key.setCertificate(certificate); - if (simpleKeyType.getType() != null) { - key.setType(KeyType.fromTypeName(simpleKeyType.getType().name())); - } - return key; - } - - private static String getBasePath(HttpServletRequest request) { - boolean includePort = true; - if (443 == request.getServerPort() && "https".equals(request.getScheme())) { - includePort = false; - } - else if (80 == request.getServerPort() && "http".equals(request.getScheme())) { - includePort = false; - } - return request.getScheme() + - "://" + - request.getServerName() + - (includePort ? 
(":" + request.getServerPort()) : "") +
- request.getContextPath();
- }
-
- public SamlServerConfiguration getSamlConfiguration() {
- return samlConfiguration;
- }
-
- public void setSamlConfiguration(SamlServerConfiguration samlConfiguration) {
- this.samlConfiguration = samlConfiguration;
- }
-
- public Map getNamesOfUsernameAttributes() {
- return namesOfUsernameAttributes;
- }
-
- public void addNameOfUsernameAttributeOfIP(String aliasOfIP, String nameOfAttribute){
- if (StringUtils.isBlank(aliasOfIP) || StringUtils.isBlank(nameOfAttribute)) {
- throw new IllegalArgumentException("Couldn't use attribute name '" + nameOfAttribute +"'" + " for alias '" + aliasOfIP +"'");
- }
- getNamesOfUsernameAttributes().put(aliasOfIP, nameOfAttribute);
- }
-
- public void setNamesOfUsernameAttributes(Map namesOfUsernameAttributes) {
- this.namesOfUsernameAttributes = namesOfUsernameAttributes;
- }
-
- @Override
- protected void validate() {
- super.validate();
- if (getSamlConfiguration() == null) {
- throw new IllegalArgumentException("Saml configuration is null");
- }
- }
-}
+/*
+ * Copyright (c) 2010-2019 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.security.module.configuration;
+
+import com.evolveum.midpoint.prism.crypto.EncryptionException;
+import com.evolveum.midpoint.prism.crypto.Protector;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Validate;
+import org.springframework.security.saml.key.KeyType;
+import org.springframework.security.saml.key.SimpleKey;
+import org.springframework.security.saml.provider.SamlServerConfiguration;
+import org.springframework.security.saml.provider.config.NetworkConfiguration;
+import org.springframework.security.saml.provider.config.RotatingKeys;
+import org.springframework.security.saml.provider.service.config.ExternalIdentityProviderConfiguration;
+import org.springframework.security.saml.provider.service.config.LocalServiceProviderConfiguration;
+import org.springframework.security.saml.saml2.signature.AlgorithmMethod;
+import org.springframework.security.saml.saml2.signature.DigestMethod;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.net.URI;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.springframework.security.saml.util.StringUtils.stripSlashes;
+
+/**
+ * @author skublik
+ */
+
+public class SamlModuleWebSecurityConfiguration extends ModuleWebSecurityConfigurationImpl {
+
+ private static final transient Trace LOGGER = TraceManager.getTrace(SamlModuleWebSecurityConfiguration.class);
+ private static Protector protector;
+
+ private SamlServerConfiguration samlConfiguration;
+ private Map namesOfUsernameAttributes = new HashMap();
+
+ private SamlModuleWebSecurityConfiguration() {
+ }
+
+ public static void setProtector(Protector protector) {
+ SamlModuleWebSecurityConfiguration.protector = protector;
+ }
+
+ public static SamlModuleWebSecurityConfiguration build(AuthenticationModuleSaml2Type modelType, String prefixOfSequence, ServletRequest request){
+ Validate.notNull(request);
+ SamlModuleWebSecurityConfiguration configuration = buildInternal((AuthenticationModuleSaml2Type)modelType, prefixOfSequence, request);
+ configuration.validate();
+ return configuration;
+ }
+
+ private static SamlModuleWebSecurityConfiguration buildInternal(AuthenticationModuleSaml2Type modelType, String prefixOfSequence, ServletRequest request){
+ SamlModuleWebSecurityConfiguration configuration = new SamlModuleWebSecurityConfiguration();
+ build(configuration, modelType, prefixOfSequence);
+ SamlServerConfiguration samlConfiguration = new SamlServerConfiguration();
+ AuthenticationModuleSaml2NetworkType networkType = modelType.getNetwork();
+ if (networkType != null) {
+ NetworkConfiguration network = new NetworkConfiguration();
+ if (networkType.getConnectTimeout() != 0) {
+ network.setConnectTimeout(networkType.getConnectTimeout());
+ }
+ if (networkType.getReadTimeout() != 0) {
+ network.setReadTimeout(networkType.getReadTimeout());
+ }
+ samlConfiguration.setNetwork(network);
+ }
+ AuthenticationModuleSaml2ServiceProviderType serviceProviderType = modelType.getServiceProvider();
+ LocalServiceProviderConfiguration serviceProvider = new LocalServiceProviderConfiguration();
+ serviceProvider.setEntityId(serviceProviderType.getEntityId())
+ .setSignMetadata(Boolean.TRUE.equals(serviceProviderType.isSignRequests()))
+ .setSignRequests(Boolean.TRUE.equals(serviceProviderType.isSignRequests()))
+ .setWantAssertionsSigned(Boolean.TRUE.equals(serviceProviderType.isWantAssertionsSigned()))
+ .setSingleLogoutEnabled(Boolean.TRUE.equals(serviceProviderType.isSingleLogoutEnabled()))
+ .setBasePath(getBasePath(((HttpServletRequest) request)));
+ List objectList = new ArrayList();
+ for (AuthenticationModuleSaml2NameIdType nameIdType : serviceProviderType.getNameId()) {
+ objectList.add(nameIdType.value());
+ }
+ serviceProvider.setNameIds(objectList);
+ if (serviceProviderType.getDefaultDigest() != null) {
+ serviceProvider.setDefaultDigest(DigestMethod.fromUrn(serviceProviderType.getDefaultDigest().value()));
+ }
+ if (serviceProviderType.getDefaultSigningAlgorithm() != null) {
+ serviceProvider.setDefaultSigningAlgorithm(AlgorithmMethod.fromUrn(serviceProviderType.getDefaultSigningAlgorithm().value()));
+ }
+ AuthenticationModuleSaml2KeyType keysType = serviceProviderType.getKeys();
+ RotatingKeys key = new RotatingKeys();
+ if (keysType != null) {
+ AuthenticationModuleSaml2SimpleKeyType activeKeyType = keysType.getActive();
+ if (activeKeyType != null) {
+ try {
+ key.setActive(createSimpleKey(activeKeyType));
+ } catch (EncryptionException e) {
+ LOGGER.error("Couldn't obtain clear string for configuration of SimpleKey from " + activeKeyType);
+ }
+ }
+
+ if (keysType.getStandBy() != null && !keysType.getStandBy().isEmpty()) {
+ for (AuthenticationModuleSaml2SimpleKeyType standByKey : keysType.getStandBy()) {
+ try {
+ key.getStandBy().add(createSimpleKey(standByKey));
+ } catch (EncryptionException e) {
+ LOGGER.error("Couldn't obtain clear string for configuration of SimpleKey from " + standByKey);
+ }
+ }
+ }
+ }
+ serviceProvider.setKeys(key);
+
+ List providers = new ArrayList();
+ List providersType = serviceProviderType.getProvider();
+ for (AuthenticationModuleSaml2ProviderType providerType : providersType) {
+ ExternalIdentityProviderConfiguration provider = new ExternalIdentityProviderConfiguration();
+ provider.setAlias(providerType.getAlias())
+ .setSkipSslValidation(Boolean.TRUE.equals(providerType.isSkipSslValidation()))
+ .setMetadataTrustCheck(Boolean.TRUE.equals(providerType.isMetadataTrustCheck()))
+ .setAuthenticationRequestBinding(URI.create(providerType.getAuthenticationRequestBinding()));
+ if (StringUtils.isNotBlank(providerType.getLinkText())) {
+ provider.setLinktext(providerType.getLinkText());
+ }
+ List verificationKeys = new ArrayList();
+ for (ProtectedStringType verificationKeyProtected : providerType.getVerificationKeys()) {
+ try {
+ String verificationKey = protector.decryptString(verificationKeyProtected);
+ } catch (EncryptionException e) {
+ LOGGER.error("Couldn't obtain clear string for provider verification key");
+ }
+ }
+ if (verificationKeys != null && !verificationKeys.isEmpty()) {
+ provider.setVerificationKeys(verificationKeys);
+ }
+ try {
+ provider.setMetadata(createMetadata(providerType.getMetadata(), true));
+ } catch (Exception e) {
+ LOGGER.error("Couldn't obtain metadata as string from " + providerType.getMetadata());
+ }
+ providers.add(provider);
+ configuration.addNameOfUsernameAttributeOfIP(providerType.getEntityId(), providerType.getNameOfUsernameAttribute());
+ }
+ serviceProvider.setProviders(providers);
+ try {
+ serviceProvider.setMetadata(createMetadata(serviceProviderType.getMetadata(), false));
+ } catch (Exception e) {
+ LOGGER.error("Couldn't obtain metadata as string from " + serviceProviderType.getMetadata());
+ }
+ serviceProvider.setPrefix(configuration.getPrefix());
+ samlConfiguration.setServiceProvider(serviceProvider);
+ configuration.setSamlConfiguration(samlConfiguration);
+ return configuration;
+ }
+
+ private static String createMetadata(AuthenticationModuleSaml2ProviderMetadataType metadata, boolean required) throws IOException {
+ if (metadata != null) {
+ String metadataUrl = metadata.getMetadataUrl();
+ if (StringUtils.isNotBlank(metadataUrl)) {
+ return metadataUrl;
+ }
+ String pathToFile = metadata.getPathToFile();
+ if (StringUtils.isNotBlank(pathToFile)) {
+ return readFile(pathToFile);
+ }
+ byte[] xml = metadata.getXml();
+ if (xml != null && xml.length != 0) {
+ return new String(xml);
+ }
+ }
+ if (required) {
+ throw new IllegalArgumentException("Metadata is not present");
+ }
+ return null;
+ }
+
+ private static String readFile(String path) throws IOException {
+ byte[] encoded = Files.readAllBytes(Paths.get(path));
+ return new String(encoded);
+ }
+
+ private static SimpleKey createSimpleKey(AuthenticationModuleSaml2SimpleKeyType simpleKeyType) throws EncryptionException {
+ SimpleKey key = new SimpleKey();
+ key.setName(simpleKeyType.getName());
+// Protector protector = ((MidPointApplication) Application.get()).getProtector();
+ String privateKey = protector.decryptString(simpleKeyType.getPrivateKey());
+ key.setPrivateKey(privateKey);
+ String passphrase = protector.decryptString(simpleKeyType.getPassphrase());
+ key.setPassphrase(passphrase);
+ String certificate = protector.decryptString(simpleKeyType.getCertificate());
+ key.setCertificate(certificate);
+ if (simpleKeyType.getType() != null) {
+ key.setType(KeyType.fromTypeName(simpleKeyType.getType().name()));
+ }
+ return key;
+ }
+
+ private static String getBasePath(HttpServletRequest request) {
+ boolean includePort = true;
+ if (443 == request.getServerPort() && "https".equals(request.getScheme())) {
+ includePort = false;
+ }
+ else if (80 == request.getServerPort() && "http".equals(request.getScheme())) {
+ includePort = false;
+ }
+ return request.getScheme() +
+ "://" +
+ request.getServerName() +
+ (includePort ?
(":" + request.getServerPort()) : "") + + request.getContextPath(); + } + + public SamlServerConfiguration getSamlConfiguration() { + return samlConfiguration; + } + + public void setSamlConfiguration(SamlServerConfiguration samlConfiguration) { + this.samlConfiguration = samlConfiguration; + } + + public Map getNamesOfUsernameAttributes() { + return namesOfUsernameAttributes; + } + + public void addNameOfUsernameAttributeOfIP(String aliasOfIP, String nameOfAttribute){ + if (StringUtils.isBlank(aliasOfIP) || StringUtils.isBlank(nameOfAttribute)) { + throw new IllegalArgumentException("Couldn't use attribute name '" + nameOfAttribute +"'" + " for alias '" + aliasOfIP +"'"); + } + getNamesOfUsernameAttributes().put(aliasOfIP, nameOfAttribute); + } + + public void setNamesOfUsernameAttributes(Map namesOfUsernameAttributes) { + this.namesOfUsernameAttributes = namesOfUsernameAttributes; + } + + @Override + protected void validate() { + super.validate(); + if (getSamlConfiguration() == null) { + throw new IllegalArgumentException("Saml configuration is null"); + } + } +} diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-security-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-security-3.xsd index b33565a1b86..09b7d51fe08 100644 --- a/infra/schema/src/main/resources/xml/ns/public/common/common-security-3.xsd +++ b/infra/schema/src/main/resources/xml/ns/public/common/common-security-3.xsd @@ -1,2108 +1,2108 @@ - - - - - - - - - Security parts of common schema. - - - - - - - - - - - - - - - Object that contains definitions of overall security policy. - It contains configuration of authentication mechanisms, credentials management - (such as password resets) and so on. - Please note that this NOT contain authorization and auditing. Authorization is - defined in roles (see RoleType) and auditing has a separate configuration. - - - - - - - - - - - - - true - - - - - - - 3.8 - - - - - - - - - - - - - - -

- Definition of the use of authentication mechanisms. This part specifies how midPoint - uses the credentials to authenticate users. This is also the place where SSO system - integrations are specified. -

-

- This is in fact practically applicable only in default security policy - (the policy that is referenced from system configuration). -

-
- - - -
- - - - - 4.1 - - - - - - - 4.1 - - - - - - - - true - 4.1 - - - - - - - true - 4.1 - - - - -
- - - - - Definition of authentication modules that midPoint is aware about. - Each element has a configuration of a particular authentication element instance. - Each modules specified in the container must have unique name. - - - - 4.1 - - - - - - - - - - - - - - - - - - - Common supertype for all authentication module definitions. - - - - 4.1 - - - - - - - Unique name of the authentication module. This name is fact a short identifier. - It is supposed to give some idea about nature of the module to system administrator. - But it is not supposed to be used as a user-friendly label for the module. - Module name must be unique. - - - - - - - Free form description of the module (administrator comment). - - - - - - - - - -

- Common definition for all authentication modules that use password. -

-

- This is an authentication module setting. It controls how credentials are used - for authentication. It does not control how credentials are set (stored), e.g. it does NOT - control password policy. Credential policy setting is supposed to do that. - E.g. acceptEmptyPassword setting in this data type controls whether empty password can - be used for authentication. It does not control whether empty password can be set or whether - existing password can be removed. -

-
- - - 4.1 - -
- - - - - - - Name of credential definition that should be used when validating password. - This must point to a valid credential definition - in the "credential" section of a security policy. - If not specified then default password definition is used. - - - - - - - -
- - - - - Common definition for all authentication modules that use password. - - - - 4.1 - - - - - - - - - If set to true than an empty (all blank) password will be accepted as valid password. - Password is still compared with user's password. Therefore for the password to be accepted - an empty password must still be set as a credential for a user. - - - - - - - - - - - - Definition of "login form" module. The module is used for interactive log-in of a user by using - HTML forms. - - - - 4.1 - - - - - - - - - - - - - - - Definition of HTTP BASIC authentication module (RFC 7617). - - - - 4.1 - - - - - - - - - - - - - - - Pseudo-authentication for pre-authenticated users. Based on HTTP header values. - - - - 4.1 - - - - - - - - - Name of HTTP header that contains username. - - - - - - - Url for redirect after logout. Default is '/'. - - - - - - - - - - - - - SAML2 authentication module support authentication via Identity provider with SAML2. - - - - 4.1 - - - - - - - - - - - - - - - - - SAML2 authentication module, network configuration. - - - - 4.1 - - - - - - - - - - - - SAML2 authentication module, service provider configuration. - - - - 4.1 - - - - - - - Unique identifier of the service provider. - - - - - - - Unique alias used to identify the selected local service provider based on used URL. - - - - - - - Default signing algorithm. Default is RSA_SHA256. - - - - - - - Default digest method. Default is SHA256; - - - - - - - - - - - - - - Flag indicating whether this service signs authentication requests. - - - - - - - Flag indicating whether this service requires signed assertions. - - - - - - - Flag indicating whether this service enable single logout. - - - - - - - Name identifiers to be included in the metadata. Supported values are: - EMAIL, TRANSIENT, PERSISTENT, UNSPECIFIED and X509_SUBJECT. - Order of NameIDs in the property determines order of NameIDs - in the generated metadata. - - - - - - - Key used by service provider. 
- - - - - - - Possible identity providers for this service provider. - - - - - - - Service provider can use prepared metadata. - - - - - - - - - - Possible NameId. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Possible digest method. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Possible signing algorithm. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SAML2 key. - - - - 4.1 - - - - - - - Active key. - - - - - - - Stand-by keys. - - - - - - - - - - SAML2 active key. - - - - 4.1 - - - - - - - - - - - - - - - - Possible types of key. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - SAML2 provider. - - - - 4.1 - - - - - - - Unique identifier of the identity provider. - - - - - - - Unique alias used to identify the selected local service provider based on used URL. - - - - - - - Metadata of Identity provider. - - - - - - - - Flag indicating disabled signature verification. - - - - - - - User friendly name of provider. - - - - - - - SAML2 binding used for authentication request. - - - - - - - - Name of attribute in response, which value define name of user in Midpoint. For example 'uid'. - - - - - - - - - - SAML2 provider metadata. - - - - 4.1 - - - - - - - - URL, which show metadata. - - - - - - - Xml of metadata encrypted by base64. - - - - - - - Path to xml file, which contains metadata. - - - - - - - - - - - OpenId Connect authentication module. - PLACEHOLDER. NOT SUPPORTED YET. - - - - 4.1 - - - - - - - - - - - - - - - Mail nonce authentication module. - Module that sends randomly generated nonce in URL in mail message. - - - - 4.1 - - - - - - - - - - - - - - - SMS (mobile text message) nonce authentication module. - Module that sends randomly generated nonce in mobile text message (SMS). - - - - 4.1 - - - - - - - - - Path of a user property that will be the source of a mobile telephone number. 
- This number will be the target of SMS message. - - - - - - - - - - - - Common definition for all authentication modules that use security questions. - - - - 4.1 - - - - - - - - - - - - - - - Definition of "security questions form" module. The module is used for interactive log-in of a user by - answering a set of security questions. - - - - 4.1 - - - - - - - - - - - - - - - Definition of HTTP SecQ module. The module is used for quasi-interative log-in of a user by - answering a set of security questions. The HTTP SecQ mechanism is similar to HTTP BASIC mechanism, - but it is using security questions instead of password. - - - - 4.1 - - - - - - - - - - - - - - - Authentication sequence. It is a sequence of authentication modules. The modules could be invoked - in order, or they may be invoked in parallel if the specific implementation allows such approach. - The purpose of the sequence is to guide user through a complete authentication process. - - - - 4.1 - - - - - - - Unique name of the authentication sequence. This name is fact a short identifier. - It is supposed to give some idea about purpose of the sequence to system administrator. - But it is not supposed to be used as a user-friendly label. - Sequence name must be unique. - - - - - - - Free form description of the sequence (administrator comment). - - - - - - - Specification of channel for authentication sequence. - - - - - - - Required assignment target. This authentication sequence is applicable only to users that - have active assignment with this target (and relation). If the sequence is attempted on a user - that does not have this assignment then the authentication will fail. - - - - - - - - - Specification of authentication module in the sequence. - - - - - - - - - - Channel specification for authentication sequence. It specifies whether this sequence is usable for - a specific channel (user/GUI, REST, etc.) - - - - 4.1 - - - - - - - Name (URI) of the channel. 
- - - - - - - Free form description (administrator comment). - - - - - - - Specifies whether this sequence is the default sequence for a specified channel. - The default sequence will be chosen in case that specific sequence was not requested, e.g. by using URL suffix. - If this element is not present and only a single sequence is defined for a channel, - then such sequence is considered to be the default. If more than one sequence is specified then - none of them is considered to be default. In that case this element must be used explicitly. - - - - - - - URL suffix that can be used to select this authentication sequence specifically. URL suffix can't contains slash '/'. - - - - - - - - - - -

- Specification of authentication module in the sequence. -

-

- The authentication modules are evaluated in sequence (or in parallel if possible). - At least one authentication module must succeed for authentication to be successful. - If there are required or requisite modules in the sequence then all of them must succeed - for the sequence to be successful. -

-
- - - 4.1 - -
- - - - - Reference to the authentication module name. Value of this element must match name of - existing authentication module. - - - - - - - Free form description (administrator comment). - - - - - - - Ordering number for the module. The modules are sorted according to those numbers. - Modules that have the same value of "order" can be evaluated in parallel in case that - actual use of authentication mechanism allows that. - - - - - - - Necessity, i.e. the level of requirement, whether the module is mandatory or optional. - - - - - -
- - - - - Necessity, i.e. the level of requirement, whether the module is mandatory or optional. - - - 4.1 - - - - - - - - The module is sufficient for authentication to succeed. It is NOT required to succeed. - If this module succeeds, the evaluation stops. The result is a success. Other modules are NOT evaluated. - (Except for the case when "required" module that was evaluated before has failed.) - If this module fails, the evaluation continues. Other modules are evaluated. - - - - - - - - - - - - - -

- Credentials management policy. It specifies the management details for each supported - credentials type. It defines parameters such as credential lifetime. It may define even - a very complex schemes for some credential types. E.g. it may define a complete security - questions. -

-

- This section is a definition of user credentials that midPoint can MANAGE. - Which mostly means writing/changing the credentials. This section is not directly concerned - with authentication or credential reset - at least not directly. - But there may be dependencies. E.g. password reset may use password policy to generate/validate new password. - Also, resource-side passwords need to be defined here to be used by authentication modules. -

-
- - - -
- - - - - Common setting applied to all other credentials type. Any of this - setting can be overridden in the individual credentials setting. - - - - - - - - - - Nonce settings used to generate one-time random values. - Used in self-registration, e-mail-based password reset and possibly also - other scenarios. - - - - - -
- - - - - TODO - - - - - - - - - - - - 3.8 - - - - - - - - - - - -

- Credentials reset management policy. It specifies the management details for each supported - credentials reset type. It defines parameters such as reset method. -

-

- The idea is that all the password reset mechanisms have the same parts: - request, authentication, credential source, delivery. - This data structure is meant to configure those steps. -

-
- - - -
- - - - - Name of the password reset scheme. This is a short name that acts both as an - identifier of the scheme and also as a short name used for diagnostics. - - - 3.7.1 - - - - - - - Free form description of the credential reset method (administrator comment). - - - 4.1 - - - - - - - Defined authentication sequence, which will be use for reset credential. - - - 4.1 - - - - - - - - Source of a new credential value. This setting specifies whether the new credential - value should be provided by the user, randomly generated, derived by a key-exchange - protocol and so on. - - - 3.7.1 - - - - - - - If set to true then the new credential will have the forceChange flag set. - Which usually means that the user will have to change the credential on next logon. - - - 3.7.1 - - - - - - - - - - - - - - -
- - - - - Source of a new credential value. This setting specifies whether the new credential - value should be provided by the user, randomly generated, derived by a key-exchange - protocol and so on. - - - - 3.7.1 - - - - - - - New credential value is entered by the user. - - - - - - - - - - - Specifies the details of a new credential entered manually by a user. - - - - 3.7.1 - - - - - - - - - - - - - - - - - - - - - Authentication management policy. It specifies configurations for different authentication methods - - - - - - - - - - A configuration for user notifications. In future, it might be overridden e.g. at a level - of a user. - - - - - - - - - - - - - - - Authentication management policy. It specifies configurations for different authentication methods - - - - - - - - - - - - - - - - Reference to form which is displayed for registration - - - tns:FormType - - - - - - - - - - - Structure that specifies policy for password management. It is in fact only a simple reference - to a password policy. - - - - - - - - - - - - - - - - - - Structure that specifies policy for password management. It is in fact only a simple reference - to a password policy. - - - - - - - - - - - - - - - - - - Structure that specifies policy for password management. It is in fact only a simple reference - to a password policy. - - - - - - - - - - - - - - - - - - Structure that specifies policy for password management. It is in fact only a simple reference - to a password policy. - - - - - - - - - - - - - - - - - - - Structure that specifies policy for password management. It is in fact only a simple reference - to a password policy. - - - - - - - - - - - - - - - - - - - - TODO - - - - - - - - - - - - - - - - - - - - Reference to the default roles which will be assigned to the user automatically after registration - - - tns:AbstractRoleType - - - - - - - - - - - Structure that specifies policy for password management. It is in fact only a simple reference - to a password policy. 
- - - - - - - - - - - - Reference to form which is displayed for registration - - - tns:FormType - - - - - - - - - - - - - Structure that specifies common elements to all the credential policies. - - - - - - - - - -

- Unique name of the credential. This name is fact a short identifier. - It is supposed to give some idea about purpose of the credential to system administrator. - It is also used for referencing the credential when needed (e.g. from authentication modules, credential reset specs, etc.) - The name may be stored in the user object together with the credential. - But it is not supposed to be used as a user-friendly label for credential. - Credential name must be unique. -

-

- Credential name is optional, mostly due to historical/compatibility reasons. -

-

- This is a credential policy. Which means that it controls how credentials are set (stored). - It does not control how credentials are used for authentication. That is controlled by the - authentication module setting - and in fact this may even be out of our control completely, - e.g. in case that external authentication is used (SSO). -

-
- - 4.1 - -
-
- - - - Free form description of the credential (administrator comment). - - - 4.1 - - - - - - - - - Method used to store the values of this credential (encrypted, hashed, ...) - If storage method is not specified it defaults to encryption - (due to compatibility and convenience reasons). - - - 3.6 - - - - - - - - - - Constraints that define how propagation of the credentials can be controlled by the - user. E.g. if user can choose where the password change will be propagated. - - - - - - - Minimal number of value occurrences. minOccurs set to zero means that the value - is optional. - E.g. when applied to passwords the minOccurs=0 means that the policy will - accept no password at all. But it will still validate the password using - stringPolicy if a password is present. - - - - - - - Maximal number of value occurrences. - If not specified then the default schema limitation is imposed. - - - - - - - Maximum age of the credential, counted from the last credential value update. - The credential must not be used after the age is exceeded (it is expired). - Any authentication with such credential must fail. - - - - - - - Minimum age of the credential, counted from the last credential value update. - The credential cannot be changed before its minimal age is reached. - - - - - - - The time interval before credential expiration (exceeded maxAge) that the user will be - warned that the credential is about to expire. - - - - - - - Maximum number of failed authentication attempts that can be tried before the credential - is locked-out. - - - - - - - The duration in which the failed attempts must happen for the credential to be locked-out. - The failed attempt counter is re-set after this duration (counted from the last failed attempt). - The credential is NOT locked-out during this duration. - - - - - - - The duration for which the credential remains locked-out. The credential is automatically - unlocked after this duration. 
- - - - - - - Reference to the value policy for the credential. - - - tns:ValuePolicyType - - - - - - - The number of entries to keep in the credential history. Also specifies the - number of past credential values that will be checked before accepting a new - credential change. - - - - - - - Method used to store historical values of the credential (encrypted, hashed, ...) - If storage type is not specified then it defaults to hashing. - - - 3.6 - - - - -
-
- - - - - Constraints that define how propagation of credentials can be controlled by the - user. E.g. if user can choose where the password change will be propagated. - - - - - - - - - - Credentials propagation will be determined by the mappings. - User cannot choose where the credentials will be propagated. - The credentials propagation dialog will not be shown. - - - - - - - - - - The user can choose where the credentials will be propagated. - The propagation dialog will be shown. - - - - - - - - - - - - - Specifies the method of resetting the credential. This usually applies to a - self-service credential reset. - - - - - - - - - - The type of credential reset. - - - - - - - - - - - - - - - - - Credential reset is disabled. - - - - - - - - - - Use security questions to reset the credential. - - - - - - - - - - Use security questions to reset the credential. - - - - - - - - - - Use security questions to reset the credential. - - - - - - - - - - Use security questions to reset the credential. - - - - - - - - - - - - - Specifies the method of storing the credential in midPoint. - - - - - - - - - - The type of credential storage. - - - - - - - - - - - - - - - - - - Credential will be stored in an encrypted form. - This is a symmetric (reversible) encryption. - MidPoint will be able to get a cleartext form of - the credential if needed. - - - - - - - - - - Credential will be stored in a hashed form. - One-way (irreversible) cryptographic hash or key derivation function - will be used to transform the credential before storage. - MidPoint will NOT be able to get a cleartext form of - the credential, but it can still compare credential values. - - - - - - - - - - MidPoint will not store the credential at all. - MidPoint will only work with credential in the memory - while it is needed to complete current operation. - The credential will be discarded after the operation. 
- - THIS IS ONLY PARTIALLY SUPPORTED - - MidPoint should be able not to store the credentials when - this setting is used. But there may be side effects - that are not completely addressed yet. - This is not entirely tested and not supported. - Use at your own risk. - - - - - - - - - - - - -

- Structure that specifies policy for password management. It is in fact only a simple reference - to a password policy. -

-

- This is a credential policy. Which means that it controls how credentials are set (stored). - It does not control how credentials are used for authentication. That is controlled by the - authentication module setting - and in fact this may even be out of our control completely, - e.g. in case that external authentication is used (SSO). -

-
- - - - tns:passwordPolicyRef - 4.0 - removed - - - tns:passwordHistoryLength - 4.0 - removed - - -
- - - - - - - Additional security applied when changing a password. - This applies when user is changing his own password. It does NOT apply - when administrator changes password of other user. - - - - - - -
- - - - - Additional security applied when changing a password. - - - - - - - - - - No additional security. Password can be changed by supplying new value. - - - - - - - - - - User must supply old password to change the password. - - - - - - - - - - - - - Structure that specifies policy for security questions. It actually contains text for the - questions (or rather a reference to localization catalog file). But it also contains a policy - how the questions can be used, e.g. how many questions to display to a user. - - - - - - - - - - - - Number of Questions in order to change the passwords - - - - - - - The set of all the security questions in this policy. - - - - - - - - - - - - Definition of a single security question. - - - - - - - - - - Unique identified of a security question. This can be used in the answer to refer to this - definition (see SecurityQuestionAnswerType). - - It is expected that midPoint will come with a pre-configured set of frequently used security - questions (such as "what is your mother's maiden name?"). Therefore URI is a good mechanism for - this identifier. URI has a natural namespacing. Which means that the identifiers of built-in - questions will not clash with identifiers of questions configured by midPoint administrators. - - - - - - - Simple flag that could be used to disable a use of a specific question without actually - deleting it. This may be used to select only some questions, e.g. to disable the low-security - built-in questions such as "what is your mother's maiden name?". - If not present at all then the question is assumed to be enabled. - - - - - - - The question itself, or the localization identifier to it. - - - - - - - - - - - - Structure that specifies policy for nonce management. - - - - - - - - - - - - - - - -
+ + + + + + + + + Security parts of common schema. + + + + + + + + + + + + + + + Object that contains definitions of overall security policy. + It contains configuration of authentication mechanisms, credentials management + (such as password resets) and so on. + Please note that this NOT contain authorization and auditing. Authorization is + defined in roles (see RoleType) and auditing has a separate configuration. + + + + + + + + + + + + + true + + + + + + + 3.8 + + + + + + + + + + + + + + +

+ Definition of the use of authentication mechanisms. This part specifies how midPoint + uses the credentials to authenticate users. This is also the place where SSO system + integrations are specified. +

+

+ This is in fact practically applicable only in default security policy + (the policy that is referenced from system configuration). +

+
+ + + +
+ + + + + 4.1 + + + + + + + 4.1 + + + + + + + + true + 4.1 + + + + + + + true + 4.1 + + + + +
+ + + + + Definition of authentication modules that midPoint is aware about. + Each element has a configuration of a particular authentication element instance. + Each modules specified in the container must have unique name. + + + + 4.1 + + + + + + + + + + + + + + + + + + + Common supertype for all authentication module definitions. + + + + 4.1 + + + + + + + Unique name of the authentication module. This name is fact a short identifier. + It is supposed to give some idea about nature of the module to system administrator. + But it is not supposed to be used as a user-friendly label for the module. + Module name must be unique. + + + + + + + Free form description of the module (administrator comment). + + + + + + + + + +

+ Common definition for all authentication modules that use password. +

+

+ This is an authentication module setting. It controls how credentials are used + for authentication. It does not control how credentials are set (stored), e.g. it does NOT + control password policy. Credential policy setting is supposed to do that. + E.g. acceptEmptyPassword setting in this data type controls whether empty password can + be used for authentication. It does not control whether empty password can be set or whether + existing password can be removed. +

+
+ + + 4.1 + +
+ + + + + + + Name of credential definition that should be used when validating password. + This must point to a valid credential definition + in the "credential" section of a security policy. + If not specified then default password definition is used. + + + + + + + +
+ + + + + Common definition for all authentication modules that use password. + + + + 4.1 + + + + + + + + + If set to true than an empty (all blank) password will be accepted as valid password. + Password is still compared with user's password. Therefore for the password to be accepted + an empty password must still be set as a credential for a user. + + + + + + + + + + + + Definition of "login form" module. The module is used for interactive log-in of a user by using + HTML forms. + + + + 4.1 + + + + + + + + + + + + + + + Definition of HTTP BASIC authentication module (RFC 7617). + + + + 4.1 + + + + + + + + + + + + + + + Pseudo-authentication for pre-authenticated users. Based on HTTP header values. + + + + 4.1 + + + + + + + + + Name of HTTP header that contains username. + + + + + + + Url for redirect after logout. Default is '/'. + + + + + + + + + + + + + SAML2 authentication module support authentication via Identity provider with SAML2. + + + + 4.1 + + + + + + + + + + + + + + + + + SAML2 authentication module, network configuration. + + + + 4.1 + + + + + + + + + + + + SAML2 authentication module, service provider configuration. + + + + 4.1 + + + + + + + Unique identifier of the service provider. + + + + + + + Unique alias used to identify the selected local service provider based on used URL. + + + + + + + Default signing algorithm. Default is RSA_SHA256. + + + + + + + Default digest method. Default is SHA256; + + + + + + + + + + + + + + Flag indicating whether this service signs authentication requests. + + + + + + + Flag indicating whether this service requires signed assertions. + + + + + + + Flag indicating whether this service enable single logout. + + + + + + + Name identifiers to be included in the metadata. Supported values are: + EMAIL, TRANSIENT, PERSISTENT, UNSPECIFIED and X509_SUBJECT. + Order of NameIDs in the property determines order of NameIDs + in the generated metadata. + + + + + + + Key used by service provider. 
+ + + + + + + Possible identity providers for this service provider. + + + + + + + Service provider can use prepared metadata. + + + + + + + + + + Possible NameId. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Possible digest method. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Possible signing algorithm. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SAML2 key. + + + + 4.1 + + + + + + + Active key. + + + + + + + Stand-by keys. + + + + + + + + + + SAML2 active key. + + + + 4.1 + + + + + + + + + + + + + + + + Possible types of key. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SAML2 provider. + + + + 4.1 + + + + + + + Unique identifier of the identity provider. + + + + + + + Unique alias used to identify the selected local service provider based on used URL. + + + + + + + Metadata of Identity provider. + + + + + + + + Flag indicating disabled signature verification. + + + + + + + User friendly name of provider. + + + + + + + SAML2 binding used for authentication request. + + + + + + + + Name of attribute in response, which value define name of user in Midpoint. For example 'uid'. + + + + + + + + + + SAML2 provider metadata. + + + + 4.1 + + + + + + + + URL, which show metadata. + + + + + + + Xml of metadata encrypted by base64. + + + + + + + Path to xml file, which contains metadata. + + + + + + + + + + + OpenId Connect authentication module. + PLACEHOLDER. NOT SUPPORTED YET. + + + + 4.1 + + + + + + + + + + + + + + + Mail nonce authentication module. + Module that sends randomly generated nonce in URL in mail message. + + + + 4.1 + + + + + + + + + + + + + + + SMS (mobile text message) nonce authentication module. + Module that sends randomly generated nonce in mobile text message (SMS). + + + + 4.1 + + + + + + + + + Path of a user property that will be the source of a mobile telephone number. 
+ This number will be the target of SMS message. + + + + + + + + + + + + Common definition for all authentication modules that use security questions. + + + + 4.1 + + + + + + + + + + + + + + + Definition of "security questions form" module. The module is used for interactive log-in of a user by + answering a set of security questions. + + + + 4.1 + + + + + + + + + + + + + + + Definition of HTTP SecQ module. The module is used for quasi-interative log-in of a user by + answering a set of security questions. The HTTP SecQ mechanism is similar to HTTP BASIC mechanism, + but it is using security questions instead of password. + + + + 4.1 + + + + + + + + + + + + + + + Authentication sequence. It is a sequence of authentication modules. The modules could be invoked + in order, or they may be invoked in parallel if the specific implementation allows such approach. + The purpose of the sequence is to guide user through a complete authentication process. + + + + 4.1 + + + + + + + Unique name of the authentication sequence. This name is fact a short identifier. + It is supposed to give some idea about purpose of the sequence to system administrator. + But it is not supposed to be used as a user-friendly label. + Sequence name must be unique. + + + + + + + Free form description of the sequence (administrator comment). + + + + + + + Specification of channel for authentication sequence. + + + + + + + Required assignment target. This authentication sequence is applicable only to users that + have active assignment with this target (and relation). If the sequence is attempted on a user + that does not have this assignment then the authentication will fail. + + + + + + + + + Specification of authentication module in the sequence. + + + + + + + + + + Channel specification for authentication sequence. It specifies whether this sequence is usable for + a specific channel (user/GUI, REST, etc.) + + + + 4.1 + + + + + + + Name (URI) of the channel. 
+ + + + + + + Free form description (administrator comment). + + + + + + + Specifies whether this sequence is the default sequence for a specified channel. + The default sequence will be chosen in case that specific sequence was not requested, e.g. by using URL suffix. + If this element is not present and only a single sequence is defined for a channel, + then such sequence is considered to be the default. If more than one sequence is specified then + none of them is considered to be default. In that case this element must be used explicitly. + + + + + + + URL suffix that can be used to select this authentication sequence specifically. URL suffix can't contains slash '/'. + + + + + + + + + + +

+ Specification of authentication module in the sequence. +

+

+ The authentication modules are evaluated in sequence (or in parallel if possible). + At least one authentication module must succeed for authentication to be successful. + If there are required or requisite modules in the sequence then all of them must succeed + for the sequence to be successful. +

+
+ + + 4.1 + +
+ + + + + Reference to the authentication module name. Value of this element must match name of + existing authentication module. + + + + + + + Free form description (administrator comment). + + + + + + + Ordering number for the module. The modules are sorted according to those numbers. + Modules that have the same value of "order" can be evaluated in parallel in case that + actual use of authentication mechanism allows that. + + + + + + + Necessity, i.e. the level of requirement, whether the module is mandatory or optional. + + + + + +
+ + + + + Necessity, i.e. the level of requirement, whether the module is mandatory or optional. + + + 4.1 + + + + + + + + The module is sufficient for authentication to succeed. It is NOT required to succeed. + If this module succeeds, the evaluation stops. The result is a success. Other modules are NOT evaluated. + (Except for the case when "required" module that was evaluated before has failed.) + If this module fails, the evaluation continues. Other modules are evaluated. + + + + + + + + + + + + + +

+ Credentials management policy. It specifies the management details for each supported + credentials type. It defines parameters such as credential lifetime. It may define even + a very complex schemes for some credential types. E.g. it may define a complete security + questions. +

+

+ This section is a definition of user credentials that midPoint can MANAGE. + Which mostly means writing/changing the credentials. This section is not directly concerned + with authentication or credential reset - at least not directly. + But there may be dependencies. E.g. password reset may use password policy to generate/validate new password. + Also, resource-side passwords need to be defined here to be used by authentication modules. +

+
+ + + +
+ + + + + Common setting applied to all other credentials type. Any of this + setting can be overridden in the individual credentials setting. + + + + + + + + + + Nonce settings used to generate one-time random values. + Used in self-registration, e-mail-based password reset and possibly also + other scenarios. + + + + + +
+ + + + + TODO + + + + + + + + + + + + 3.8 + + + + + + + + + + + +

+ Credentials reset management policy. It specifies the management details for each supported + credentials reset type. It defines parameters such as reset method. +

+

+ The idea is that all the password reset mechanisms have the same parts: + request, authentication, credential source, delivery. + This data structure is meant to configure those steps. +

+
+ + + +
+ + + + + Name of the password reset scheme. This is a short name that acts both as an + identifier of the scheme and also as a short name used for diagnostics. + + + 3.7.1 + + + + + + + Free form description of the credential reset method (administrator comment). + + + 4.1 + + + + + + + Defined authentication sequence, which will be use for reset credential. + + + 4.1 + + + + + + + + Source of a new credential value. This setting specifies whether the new credential + value should be provided by the user, randomly generated, derived by a key-exchange + protocol and so on. + + + 3.7.1 + + + + + + + If set to true then the new credential will have the forceChange flag set. + Which usually means that the user will have to change the credential on next logon. + + + 3.7.1 + + + + + + + + + + + + + + +
+ + + + + Source of a new credential value. This setting specifies whether the new credential + value should be provided by the user, randomly generated, derived by a key-exchange + protocol and so on. + + + + 3.7.1 + + + + + + + New credential value is entered by the user. + + + + + + + + + + + Specifies the details of a new credential entered manually by a user. + + + + 3.7.1 + + + + + + + + + + + + + + + + + + + + + Authentication management policy. It specifies configurations for different authentication methods + + + + + + + + + + A configuration for user notifications. In future, it might be overridden e.g. at a level + of a user. + + + + + + + + + + + + + + + Authentication management policy. It specifies configurations for different authentication methods + + + + + + + + + + + + + + + + Reference to form which is displayed for registration + + + tns:FormType + + + + + + + + + + + Structure that specifies policy for password management. It is in fact only a simple reference + to a password policy. + + + + + + + + + + + + + + + + + + Structure that specifies policy for password management. It is in fact only a simple reference + to a password policy. + + + + + + + + + + + + + + + + + + Structure that specifies policy for password management. It is in fact only a simple reference + to a password policy. + + + + + + + + + + + + + + + + + + Structure that specifies policy for password management. It is in fact only a simple reference + to a password policy. + + + + + + + + + + + + + + + + + + + Structure that specifies policy for password management. It is in fact only a simple reference + to a password policy. + + + + + + + + + + + + + + + + + + + + TODO + + + + + + + + + + + + + + + + + + + + Reference to the default roles which will be assigned to the user automatically after registration + + + tns:AbstractRoleType + + + + + + + + + + + Structure that specifies policy for password management. It is in fact only a simple reference + to a password policy. 
+ + + + + + + + + + + + Reference to form which is displayed for registration + + + tns:FormType + + + + + + + + + + + + + Structure that specifies common elements to all the credential policies. + + + + + + + + + +

+ Unique name of the credential. This name is fact a short identifier. + It is supposed to give some idea about purpose of the credential to system administrator. + It is also used for referencing the credential when needed (e.g. from authentication modules, credential reset specs, etc.) + The name may be stored in the user object together with the credential. + But it is not supposed to be used as a user-friendly label for credential. + Credential name must be unique. +

+

+ Credential name is optional, mostly due to historical/compatibility reasons. +

+

+ This is a credential policy. Which means that it controls how credentials are set (stored). + It does not control how credentials are used for authentication. That is controlled by the + authentication module setting - and in fact this may even be out of our control completely, + e.g. in case that external authentication is used (SSO). +

+
+ + 4.1 + +
+
+ + + + Free form description of the credential (administrator comment). + + + 4.1 + + + + + + + + + Method used to store the values of this credential (encrypted, hashed, ...) + If storage method is not specified it defaults to encryption + (due to compatibility and convenience reasons). + + + 3.6 + + + + + + + + + + Constraints that define how propagation of the credentials can be controlled by the + user. E.g. if user can choose where the password change will be propagated. + + + + + + + Minimal number of value occurrences. minOccurs set to zero means that the value + is optional. + E.g. when applied to passwords the minOccurs=0 means that the policy will + accept no password at all. But it will still validate the password using + stringPolicy if a password is present. + + + + + + + Maximal number of value occurrences. + If not specified then the default schema limitation is imposed. + + + + + + + Maximum age of the credential, counted from the last credential value update. + The credential must not be used after the age is exceeded (it is expired). + Any authentication with such credential must fail. + + + + + + + Minimum age of the credential, counted from the last credential value update. + The credential cannot be changed before its minimal age is reached. + + + + + + + The time interval before credential expiration (exceeded maxAge) that the user will be + warned that the credential is about to expire. + + + + + + + Maximum number of failed authentication attempts that can be tried before the credential + is locked-out. + + + + + + + The duration in which the failed attempts must happen for the credential to be locked-out. + The failed attempt counter is re-set after this duration (counted from the last failed attempt). + The credential is NOT locked-out during this duration. + + + + + + + The duration for which the credential remains locked-out. The credential is automatically + unlocked after this duration. 
+ + + + + + + Reference to the value policy for the credential. + + + tns:ValuePolicyType + + + + + + + The number of entries to keep in the credential history. Also specifies the + number of past credential values that will be checked before accepting a new + credential change. + + + + + + + Method used to store historical values of the credential (encrypted, hashed, ...) + If storage type is not specified then it defaults to hashing. + + + 3.6 + + + + +
+
+ + + + + Constraints that define how propagation of credentials can be controlled by the + user. E.g. if user can choose where the password change will be propagated. + + + + + + + + + + Credentials propagation will be determined by the mappings. + User cannot choose where the credentials will be propagated. + The credentials propagation dialog will not be shown. + + + + + + + + + + The user can choose where the credentials will be propagated. + The propagation dialog will be shown. + + + + + + + + + + + + + Specifies the method of resetting the credential. This usually applies to a + self-service credential reset. + + + + + + + + + + The type of credential reset. + + + + + + + + + + + + + + + + + Credential reset is disabled. + + + + + + + + + + Use security questions to reset the credential. + + + + + + + + + + Use security questions to reset the credential. + + + + + + + + + + Use security questions to reset the credential. + + + + + + + + + + Use security questions to reset the credential. + + + + + + + + + + + + + Specifies the method of storing the credential in midPoint. + + + + + + + + + + The type of credential storage. + + + + + + + + + + + + + + + + + + Credential will be stored in an encrypted form. + This is a symmetric (reversible) encryption. + MidPoint will be able to get a cleartext form of + the credential if needed. + + + + + + + + + + Credential will be stored in a hashed form. + One-way (irreversible) cryptographic hash or key derivation function + will be used to transform the credential before storage. + MidPoint will NOT be able to get a cleartext form of + the credential, but it can still compare credential values. + + + + + + + + + + MidPoint will not store the credential at all. + MidPoint will only work with credential in the memory + while it is needed to complete current operation. + The credential will be discarded after the operation. 
+ + THIS IS ONLY PARTIALLY SUPPORTED + + MidPoint should be able not to store the credentials when + this setting is used. But there may be side effects + that are not completely addressed yet. + This is not entirely tested and not supported. + Use at your own risk. + + + + + + + + + + + + +

+ Structure that specifies policy for password management. It is in fact only a simple reference + to a password policy. +

+

+ This is a credential policy. Which means that it controls how credentials are set (stored). + It does not control how credentials are used for authentication. That is controlled by the + authentication module setting - and in fact this may even be out of our control completely, + e.g. in case that external authentication is used (SSO). +

+
+ + + + tns:passwordPolicyRef + 4.0 + removed + + + tns:passwordHistoryLength + 4.0 + removed + + +
+ + + + + + + Additional security applied when changing a password. + This applies when user is changing his own password. It does NOT apply + when administrator changes password of other user. + + + + + + +
+ + + + + Additional security applied when changing a password. + + + + + + + + + + No additional security. Password can be changed by supplying new value. + + + + + + + + + + User must supply old password to change the password. + + + + + + + + + + + + + Structure that specifies policy for security questions. It actually contains text for the + questions (or rather a reference to localization catalog file). But it also contains a policy + how the questions can be used, e.g. how many questions to display to a user. + + + + + + + + + + + + Number of Questions in order to change the passwords + + + + + + + The set of all the security questions in this policy. + + + + + + + + + + + + Definition of a single security question. + + + + + + + + + + Unique identified of a security question. This can be used in the answer to refer to this + definition (see SecurityQuestionAnswerType). + + It is expected that midPoint will come with a pre-configured set of frequently used security + questions (such as "what is your mother's maiden name?"). Therefore URI is a good mechanism for + this identifier. URI has a natural namespacing. Which means that the identifiers of built-in + questions will not clash with identifiers of questions configured by midPoint administrators. + + + + + + + Simple flag that could be used to disable a use of a specific question without actually + deleting it. This may be used to select only some questions, e.g. to disable the low-security + built-in questions such as "what is your mother's maiden name?". + If not present at all then the question is assumed to be enabled. + + + + + + + The question itself, or the localization identifier to it. + + + + + + + + + + + + Structure that specifies policy for nonce management. + + + + + + + + + + + + + + + +