
The security policy object contains the definition of the security-related settings for a midPoint instance. It refers to password policies and contains the configuration for the different types of credentials (security questions, nonce, password). It is also used to define password reset, self-service registration and similar flows.

The following is an example of a complex security policy.

Security Policy sample
<securityPolicy oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
	<name>Security Policy</name>
	<authentication>
    	<mailAuthentication>
       		<name>confirmationLink</name>
        	<displayName>Additional mail authentication</displayName>
        	<mailNonce>mailNonce</mailNonce>
    	</mailAuthentication>
	</authentication>
	<credentials>
		<password>
			<maxAge>P180D</maxAge>
			<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
			<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
			<lockoutDuration>PT15M</lockoutDuration>
			<valuePolicyRef oid="6df08ed7-0b13-11e7-8ced-af0e536f33e1" type="ValuePolicyType"/>
		</password>
		<nonce>
			<maxAge>PT10M</maxAge>
			<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
			<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
			<lockoutDuration>PT15M</lockoutDuration>
			<valuePolicyRef oid="6df08ed7-0b13-11e7-8ced-af0e536f33e2" type="ValuePolicyType"/>
		</nonce>
		<securityQuestions>
			<maxAge>P90D</maxAge>
			<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
			<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
			<lockoutDuration>PT15M</lockoutDuration>
			<valuePolicyRef oid="6df08ed7-0b13-11e7-8ced-af0e536f33e3" type="ValuePolicyType"/>
			<questionNumber>1</questionNumber>
			<question>
				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</identifier>
				<enabled>true</enabled>
				<questionText>How much wood would a woodchuck chuck if woodchuck could chuck wood?</questionText>
			</question>
			<question>
				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</identifier>
				<questionText>What is your mother's best friend's uncle's granddaughter's dog's mother maiden name?</questionText>
			</question>
			<question>
				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q003</identifier>
				<enabled>true</enabled>
				<questionText>What's your favorite color?</questionText>
			</question>
			<question>
				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q004</identifier>
				<enabled>false</enabled>
				<questionText>What's your favorite film?</questionText>
			</question>
		</securityQuestions>
	</credentials>
	<registration>
      <selfRegistration>
         <name>selfRegistration</name>
         <initialLifecycleState>proposed</initialLifecycleState>
         <displayName>Self Registration</displayName>
         <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
         <defaultRole xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
                      oid="00000000-0000-0000-0000-000000000008"
                      relation="org:default"
                      type="RoleType"/>
      </selfRegistration>
   </registration>
   <credentialsReset>
      <mailReset>
         <name>Reset password using mail</name>
         <additionalAuthenticationName>confirmationLink</additionalAuthenticationName>
      </mailReset>
   </credentialsReset>
</securityPolicy>

Configuring credentials

midPoint supports different types of credentials: password, nonce and security questions. Nonce and security questions are midPoint-specific credential types, used mainly for password reset, self-registration and similar midPoint use cases. They are stored in the midPoint repository but are not propagated to connected systems. The password is (depending on the configuration) usually stored in the midPoint local repository, and (again depending on the configuration) it is also propagated to the connected resources. For every credential type supported by midPoint it is possible to set validation policies, e.g. whether the nonce generated for a password reset is still valid, whether there are enough security question-answer pairs, whether the password satisfies the password policy, and so on. The following table lists the properties that can be set for all credential types.

Property                  Example                                      Description
maxAge                    P30D                                         Enforces a maximum lifetime of the credential, e.g. the password has to be changed every 30 days.
lockoutMaxFailedAttempts  3                                            Locks the account after n failed login attempts.
lockoutDuration           PT15M                                        Unlocks the account automatically after the given time.
valuePolicyRef            oid="6df08ed7-0b13-11e7-8ced-af0e536f33e1"   Reference to the value policy used to validate the characters used in the password.

Configuring password related policies

Credentials - Password
<securityPolicy oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
	<name>Security Policy</name>
	...
	<credentials>
		<password>
			<maxAge>P180D</maxAge>
			<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
			<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
			<lockoutDuration>PT15M</lockoutDuration>
			<valuePolicyRef oid="6df08ed7-0b13-11e7-8ced-af0e536f33e1" type="ValuePolicyType"/>
		</password>
		...
	</credentials>
	...
</securityPolicy>

Configuring nonce related policies

Credentials - Nonce
<securityPolicy oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
	...
	<credentials>
		...
		<nonce>
			<maxAge>PT10M</maxAge>
			<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
			<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
			<lockoutDuration>PT15M</lockoutDuration>
			<valuePolicyRef oid="6df08ed7-0b13-11e7-8ced-af0e536f33e2" type="ValuePolicyType"/>
		</nonce>
		...
	</credentials>
	...
</securityPolicy>

Configuring security questions related policies

Credentials - Security questions
<securityPolicy oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1" xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
	<name>Security Policy</name>
	...
	<credentials>
		...
		<securityQuestions>
			<maxAge>P90D</maxAge>
			<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
			<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
			<lockoutDuration>PT15M</lockoutDuration>
			<valuePolicyRef oid="6df08ed7-0b13-11e7-8ced-af0e536f33e3" type="ValuePolicyType"/>
			<questionNumber>1</questionNumber>
			<question>
				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001</identifier>
				<enabled>true</enabled>
				<questionText>How much wood would a woodchuck chuck if woodchuck could chuck wood?</questionText>
			</question>
			<question>
				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002</identifier>
				<questionText>What is your mother's best friend's uncle's granddaughter's dog's mother maiden name?</questionText>
			</question>
			<question>
				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q003</identifier>
				<enabled>true</enabled>
				<questionText>What's your favorite color?</questionText>
			</question>
			<question>
				<identifier>http://midpoint.evolveum.com/xml/ns/public/security/question-2#q004</identifier>
				<enabled>false</enabled>
				<questionText>What's your favorite film?</questionText>
			</question>
		</securityQuestions>
	</credentials>
	...
</securityPolicy>
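A checker for the credential settings listed in the table above and in the security questions section, added here as an example and not code from the midPoint project: it parses a securityPolicy with the standard library, verifies that every credential type carries a valuePolicyRef and a lockout limit, that maxAge and lockoutDuration are valid ISO 8601 durations, that a nonce does not outlive a 15 minute ceiling, and that enough questions are enabled to satisfy questionNumber. The ceiling, the PT0S default for an absent duration and the treatment of a question without <enabled> as enabled are this checker's assumptions, and the sample policy it runs on is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
ISO_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(text):
    """Seconds in an ISO 8601 duration such as P180D or PT10M (D/H/M/S parts only)."""
    m = ISO_DUR.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"bad duration {text!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def lint_credentials(policy_xml, max_nonce_age=900):
    """Return one finding (string) per weak or broken setting under <credentials>."""
    findings = []
    for cred in ET.fromstring(policy_xml).find("c:credentials", NS):
        kind = cred.tag.rsplit("}", 1)[-1]  # password, nonce or securityQuestions
        if cred.find("c:valuePolicyRef", NS) is None:
            findings.append(f"{kind}: no valuePolicyRef, values are never validated")
        if cred.findtext("c:lockoutMaxFailedAttempts", None, NS) is None:
            findings.append(f"{kind}: no lockoutMaxFailedAttempts, unlimited guessing")
        ages = {}
        for name in ("maxAge", "lockoutDuration"):  # a missing element counts as PT0S
            try:
                ages[name] = duration_seconds(cred.findtext(f"c:{name}", "PT0S", NS))
            except ValueError as err:
                findings.append(f"{kind}: {name} {err}")
        # A reset nonce is a bearer secret; the 15 minute ceiling is this checker's assumption.
        if kind == "nonce" and ages.get("maxAge", 0) > max_nonce_age:
            findings.append(f"nonce: maxAge {ages['maxAge']}s exceeds {max_nonce_age}s")
        if kind == "securityQuestions":
            # Assumption: a <question> without an <enabled> element counts as enabled.
            enabled = [q for q in cred.findall("c:question", NS)
                       if q.findtext("c:enabled", "true", NS) == "true"]
            needed = int(cred.findtext("c:questionNumber", "0", NS))
            if len(enabled) < needed:
                findings.append(f"securityQuestions: {len(enabled)} enabled, {needed} required")
    return findings

# Constructed sample: password is sound, the nonce lives an hour, questions are misconfigured.
SAMPLE = """<securityPolicy xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
<credentials><password><maxAge>P180D</maxAge><lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
<lockoutDuration>PT15M</lockoutDuration><valuePolicyRef oid="PLACEHOLDER-OID"/></password>
<nonce><maxAge>PT1H</maxAge><lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
<lockoutDuration>PT15M</lockoutDuration><valuePolicyRef oid="PLACEHOLDER-OID"/></nonce>
<securityQuestions><lockoutDuration>15 minutes</lockoutDuration><questionNumber>2</questionNumber>
<question><enabled>true</enabled></question><question><enabled>false</enabled></question>
</securityQuestions></credentials></securityPolicy>"""
```

Running lint_credentials(SAMPLE) reports the over-long nonce and the four problems in the securityQuestions block while the password block passes cleanly.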


Referencing Security Policy

The security policy object is usually referenced from the System Configuration object:

<systemConfiguration>
    ...
    <globalSecurityPolicyRef oid="6df80eb2-0a63-11e7-8ced-af0e536f33e1"/>
    ...
</systemConfiguration>

A security policy referenced in this way is considered the global security policy. It defines the settings for the whole system. Since midPoint 3.6, a security policy may also be specified for each organizational unit.
