Please note that this has to be configured on the resource which is the target of the comparison which is not the resource where the password policy is used. This will also work only if all passwords of all accounts are cached. The passwords are cached only if the account password is changed by using midPoint (e.g. midPoint self-service user interface) because that is the only moment when midPoint is able to see password cleartext. The stored (cached) password are always stored in hashed form.
Current password policy implementation has some limitations:
- Prohibited values are currently supported only to prohibit same passwords between users, personas and projections. It is possible that the prohibited values method will also work with (some) properties and attributes, but this is currently not tested and not supported.
- Prohibited projection values only work when password caching is enabled and all passwords are properly cached.
- Prohibited projection values may not work in case that the user is created together with projections. In that case it is possible to set the same password for the projections even if the policy specifies it as s prohibited value. The policy will work as expected once the user and projections are created and the password is set or changed (including account initialization scenarios when using password hashing).
- The use of prohibited projection values in user password policy is only partially tested. This feature is currently supported only when applied to resource password policy.
- Currently midPoint user interface may limit usefulness of this feature (e.g. limited capability to set account password individually using credentials self-service page).
This is a limited midPoint feature. This feature currently supports only some specific use-cases. We are perfectly capable to finish the feature, just the funding for the work is needed. Please consider the possibility for supporting development of this feature by using midPoint Platform subscription. If you are midPoint Platform subscriber and this feature is within the goals of your deployment you may be able to use your subscription to endorse implementation of this feature.