Custom policies with Apache Syncope

About About
- Excellence
- Open Source
- Team
- Case History
- Partners
Solutions Solutions
- Education
  A complete and tested solution for the world of Education
- Healthcare
  A complete and tested solution for the world of Healthcare
- PA
  A complete and tested solution for the world of Public Administration
- Financial
  A complete and proven solution for the word of Finance
- Tailored
  A completely customized and proven solution for your needs
Develop Develop
Blog
Support
Contacts Contacts
Certifications

Written by

Need to comply with cumbersome account or password policies?

In its journey towards 2.0.0, Apache Syncope has recently introduced the support for completely customizable account and password policies.

An account policy defines how usernames should look like: minimum / maximum length, forbidden values and so on.

A password policy does a similar job, but with password values.

Up to Apache Syncope 1.2 there are several predefined options for both policy types, which can be also configured from admin console, as shown by project's wiki.

But we know that customers' fantasy is endless, especially when it comes to deal with internal organization, workflows and security aspects.

I have prepared a sample project which contains:

a custom account policy checking that username values contains a given substring
a custom password policy checking that password values are different from same user's answer to security question

Preparation

$ git clone git@github.com:ilgrosso/SyncopeCustomPolicyRules.git
$ cd SyncopeCustomPolicyRules
$ mvn clean install
$ cd console
$ mvn -P embedded

At this point Apache Syncope is up and running; you can verify by pointing your browser to http://localhost:9080/syncope/doc/.

Run

I have also setup some quite self-explanatory client code which essentially:

configure the custom account rule and create an account policy using it
create a password policy using a custom password rule with no configuration options
set the account and password policies above for root realm
obtain sample user: should fail both account and password policy verification
attempt to create user -> password policy fails because it has the same value as security answer
change security answer to comply with password policy
attempt to create user -> account policy fails because username doesn't contain the required substring
change username to comply with account policy
finally succeed

With reference to the SyncopeCustomPolicyRules directory created from above:

$ cd sample
$ mvn

Sample output of this application can be found here.

Conclusions

The ability to write your own custom account and password policies increases the already wide range of extension points provided by Apache Syncope in an area which is particularly sensible to security aspects.

2 VOTI

Yes, Excellent!

Ti è stato utile questo articolo?

From Tirasa's Blog

The place where we share what we do, learn and discover day by day.

28/05/2024

Custom policies with Apache Syncope

Apache Syncope Identity Management

Preparation

Run

Conclusions

Apache Syncope
Identity Management