...

        i. Describe the password policies you support with regard to complexity, length, and any dictionary checks. Include character classes supported in complexity checks. (Call nist) midPoint supports a wide variety of checks, including character classes and length restrictions. Character classes are conveyed in regex-like lists of characters, so sub-members of classes can be excluded. https://wiki.evolveum.com/display/midPoint/Password+Policy

        ii. Does your product support flexible password policy based on password length? For example support pass phrases but requiring additional character sets for shorter passwords. Not clear if midPoint supports a notion of "OR" on limits; documentation states that "AND" is implied on multiple limits. midPoint does support scripted limits, so this could be done via scripting rather than configuration.
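A length-tiered policy check in which satisfying any one tier's AND-ed limits is enough, i.e. the "OR on limits" behaviour asked about above, with character classes written as regex-like character lists so sub-members can be excluded. This is an added illustration, not midPoint configuration or code; the tier values, character lists and the word list are constructed for the example.

```python
import re

# Character classes as regex-like lists of characters, so sub-members of a
# class can be left out (here the symbol class excludes quotes, backslash and space).
CLASSES = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[!@#$%^&*()\-_=+\[\]{};:,.<>/?~]",
}

# Each tier is one set of AND-ed limits; the password is accepted if ANY tier
# is satisfied. Longer passphrases need fewer classes, short passwords need more.
TIERS = [
    {"name": "passphrase", "min_length": 20, "min_classes": 1},
    {"name": "standard",   "min_length": 12, "min_classes": 3},
    {"name": "short",      "min_length": 8,  "min_classes": 4},
]

# Constructed sample word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "midpoint"}


def classes_present(pw: str) -> set:
    """Names of the character classes that occur at least once in pw."""
    return {name for name, pattern in CLASSES.items() if re.search(pattern, pw)}


def dictionary_hit(pw: str) -> bool:
    """True if any dictionary word appears as a case-insensitive substring."""
    low = pw.lower()
    return any(word in low for word in DICTIONARY)


def check_password(pw: str):
    """Return (accepted, tier name or rejection reason).

    The dictionary check applies regardless of tier; tiers are tried in order
    and the first one whose length and class-count limits both hold wins.
    """
    if dictionary_hit(pw):
        return False, "contains dictionary word"
    n_classes = len(classes_present(pw))
    for tier in TIERS:
        if len(pw) >= tier["min_length"] and n_classes >= tier["min_classes"]:
            return True, tier["name"]
    return False, "no tier satisfied"
```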

        iii. Describe your support for passwords in multiple languages. I was not able to locate documentation for this, but don't see any reason character classes could not include non-English characters.

        iv. Describe your product's support for password expiration, including any support for flexible expiration based on grouping, assurance, or other factors such as password quality. Password expiration is a function of the maximum age stanza of the security policy. Security policies can be for organizational units, which are group structures, so flexible expiration could be handled there, or via scripting.

        v. Describe how your product conveys password quality to end users. I do not see a configurable way to convey password quality to end users.

        vi. Describe how your product meets accessibility guidelines. Surprisingly I was not able to find information on accessibility.

    b. Initial password setting (credential activation?, initial login?)

        i. Describe how your product assures initial password setting is being done by the appropriate authority, such as invitations, one time and/or short lived tokens etc. midPoint supports invitations via email and SMS with support for expiring invitations, and custom forms can be created to validate demographics.

        ii. Describe your product's support for terms of use and informed consent when getting a credential. Support for consent in the current version would require a custom form. midPoint is proposing consent for GDPR compliance in future versions https://wiki.evolveum.com/pages/viewpage.action?pageId=24675082

        iii. What platforms are supported for end user devices setting initial and subsequent passwords, including any required technologies. End user interface is simple html/js/css and should be broadly supported.

        iv. Describe any features your product has to deter attacks on unclaimed credentials. Invitation expiration.

        v. Describe how your product handles multiple credential stores. As long as passwords are stored in an encrypted rather than hashed format, passwords can be synced via a resource connector.

    c. Assignment of additional authentication factors

        i. Describe your support for certificate based authentication. midPoint is Spring Security based, so a wide range of authentication methods are supported including certificates.

        ii. Describe your support for multifactor enrollment, specifying supported technologies and products, explicitly address U2F support. I don't find any explicit support.

        iii. Describe any support you have for challenge response questions. Password reset documentation mentions support for security questions, but I haven't found further documentation.

        iv. Describe any unlisted additional authentication factors, and any features that help user recognition such as image validation. Possible via custom forms.

        v. How do you handle loss of a (perhaps only) two factor device, such as one time tokens? Support for time based token expiration and re-issue.

    d. Deprovisioning of credentials

...