
There are many password-related configuration items in midPoint:

  • Password Policy is used to enforce password strength (complexity). This is configured in Value Policy objects referenced from Security Policy objects.
  • Password lifetime parameters (e.g. expiration) can be configured in Security Policy object.
  • Password history setting is configured in Security Policy object.
  • Password storage scheme is configured in Security Policy object.

Most password-related settings are located in the Security Policy object, which also holds the policies for other credential types.

Password Policy

See Password Policy page.

Use Security Policy object to reference password policy:

<securityPolicy>
    ...
    <credentials>
        <password>
            <valuePolicyRef oid="fef1df42-0a63-11e7-a916-a384c93fd2d0"/>
        </password>
    </credentials>
</securityPolicy>

Direct password policy references are deprecated since midPoint 3.6.

Password History

When password history is enabled, midPoint remembers the passwords that the user has used in the past and enforces uniqueness of a new password when the user tries to change the password.

<securityPolicy>
    ...
    <credentials>
        <password>
            <historyLength>10</historyLength>
        </password>
    </credentials>
</securityPolicy>

When this setting is applied, midPoint will remember the last 10 passwords.

Since midPoint 3.6 the password history entries are stored in a hashed form. In midPoint 3.5.1 and earlier the history entries were stored in encrypted form. Storing password history in hashed form is more secure. However, it prohibits the application of password policies that depend on approximate likeness between the new password and historical passwords: only exact matches can be detected if the password history is stored in a hashed form. The password history storage scheme can be set in the security policy configuration.

MidPoint 3.5.1 and earlier

Password history is available since midPoint 3.4.1. However, a slightly different setting has to be used to enable it. It was enabled in the password policy (value policy):

<valuePolicy>
    ...
    <lifetime>
        <passwordHistoryLength>10</passwordHistoryLength>
    </lifetime>
    ...
</valuePolicy>

This setting is deprecated since midPoint 3.6.

Password Storage Schemes

MidPoint 3.6 and later

This feature is available in midPoint 3.6 and later.

See Password Storage Configuration page.

Deprecated Configuration

Starting with midPoint 3.6 all password-related configuration should be done by using the Security Policy object. The direct password policy references in system configuration or organizations are now deprecated.

However, there is one exception: the resource password policy in the resource definition should still be referenced directly. This reference points to the resource password policy; there is no security policy defined for resources.

The password lifetime setting in the password policy (value policy) objects is deprecated. It is only partially implemented anyway. Do not use it; use the security policy settings instead.
