Posted to commits@syncope.apache.org by il...@apache.org on 2017/11/18 10:46:11 UTC

[2/2] syncope git commit: Clarifying how password propagation works in practice

Clarifying how password propagation works in practice


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/51606376
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/51606376
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/51606376

Branch: refs/heads/master
Commit: 5160637693339b554499e383921845f158b316fe
Parents: a6cf810
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Sat Nov 18 11:45:44 2017 +0100
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Sat Nov 18 11:45:59 2017 +0100

----------------------------------------------------------------------
 .../concepts/provisioning/propagation.adoc         | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/51606376/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
index afba13f..c0d3b25 100644
--- a/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
@@ -120,3 +120,20 @@ endif::[]
 | Required for setup of an External Resource based on the https://connid.atlassian.net/wiki/display/BASE/Google+Apps#GoogleApps-Configuration[ConnId GoogleApps connector bundle^].
 
 |===
+
+[[propagation-password]]
+[TIP]
+.Propagate password values
+====
+Password values are kept in the internal storage according to the `password.cipher.algorithm` <<configuration-parameters, configuration parameter>>, whose value is `SHA1` by default.
+`SHA1` is a hash algorithm: this means that, once stored, the cleartext value cannot be reverted any more.
+
+During propagation, Syncope fetches all data of the given User, then prepares the attributes to propagate, according to the provided mapping; password has a special treatment:
+
+* if cleartext value is available (this cannot happen during <<provisioning-push>>), it is sent to the External Resource
+* if `password.cipher.algorithm` is `AES` (the only supported reversible algorithm), then the ciphered password value is made cleartext again, and sent to the External Resource
+* if the <<external-resource-details,generate random password flag>> is set, a random password value is generated according to the defined password policies, and sent to the External Resource
+* otherwise, a `null` value is sent to the External Resource
+
+Password values are always sent to External Resources wrapped as ConnId http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/common/security/GuardedString.html[GuardedString^] objects.
+====
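Review bot: the `AES` bullet in this TIP should carry an explicit warning about what choosing a reversible `password.cipher.algorithm` means, since the text only presents it as the way to get cleartext back during propagation. With `AES`, every password in the internal storage becomes recoverable by anyone holding the cipher key together with database access, so the trade-off against the one-way `SHA1` default (and the need to protect that key) deserves a sentence here, for example: "Note that with `AES` the stored password values can be decrypted by whoever has access to both the internal storage and the cipher key; prefer the default hashing unless password propagation is strictly required." The last bullet ("otherwise, a `null` value is sent to the External Resource") would also benefit from stating the practical consequence, i.e. whether the remote account is created or updated without a password or whether the connector may reject the operation, because a reader deciding between the AES and the random-password options needs to know what the fallback actually does.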