Details
-
Type:
New Feature
-
Status: Closed (View Workflow)
-
Priority:
P2
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: Q4 2018
-
Labels:
-
Epic Link:
-
Analysis Estimate:Medium < 5 days
-
Front End Estimate:XL < 15 days
-
Back End Estimate:Large < 10 days
-
Estimation Notes and Assumptions:KG: 5/30/2018 Updated what feature covers. Probably need to re-estimate Frontend and Backend.
-
Development Team:Vega
-
Rank: Chalmers:go-live
-
Rank: Chicago:NOT NEEDED
-
Rank: Cornell:can wait - up to 1 year
-
Rank: 5Colleges:can wait - up to a quarter after go-live
-
Rank: Lehigh:go-live
-
Rank: TAMU:can wait - up to 1 year
-
Rank: U of AL:go-live
-
Rank: Bremen:go-live
Description
Feature requirement: Define and implement Folio local username/password management policies and workflows.
Assumption
Assumption from UM SIG has been that only FOLIO operators need passwords.
Feature covers the following
- Valid Password requirements
- Validate password against bad password list(s) / dictionary(ies)
- Log/Audit password (failed)
- Support locking out a user who failed to login after successive attempts
- Password strength meter
- Workflow: Create Password
- Workflow: Reset Password
- Workflow: Change Password
- Workflow: Locate my username
- Ensure a user with SSO enable cannot have a local username/password
Mockups
Kimie mockups: https://drive.google.com/drive/folders/0By8ccf5VV4EWNnppQkRGSHZuSjg
Attachments
Issue Links
- relates to
-
MODLOGIN-30
Update Status Field to also control access to Folio with local username/password
-
- Closed
-
-
MODLOGIN-33
Prevent Local Password Re-Use (at least the last 10 passwords)
-
- Closed
-
-
MODLOGIN-34
Implement a bad password list(s)
-
- Draft
-
-
MODLOGIN-35
Select a bad password list(s)
-
- Closed
-
-
MODLOGIN-36
Security: Logging to support local password management (Technical design)
-
- Closed
-
-
MODLOGIN-41
Backend - Security: Handling: Failed login attempts - Lock Account
-
- Closed
-
-
MODLOGIN-42
Security: Counting Failed login attempts
-
- Closed
-
-
MODLOGSAML-32
Update Status Field to also control access to Folio via SSO
-
- Closed
-
-
MODTEMPENG-5
Reset a Password Email Template
-
- Closed
-
-
MODTEMPENG-8
Create a password email template
-
- Closed
-
-
STCOR-275
Folio Login: Forgot password page
-
- Closed
-
-
STCOR-276
Folio Login: Forgot username page
-
- Closed
-
-
UIMPROF-2
Create My profile landing page
-
- Closed
-
-
UIMPROF-3
Create Change Password page
-
- Closed
-
-
UIMPROF-13
Change Password: Prevent Local Password Re-Use (at least the last 10 passwords)
-
- Closed
-
-
UIP-1 Figure out UX for settings vs. preferences
-
- Closed
-
-
UIU-344 Can't Create a New User Unless You Specify a Password
-
- Closed
-
-
UIU-508
Data Feed: Add a flag to indicate if the user record can have a local password
-
- Draft
-
-
UIU-513
Update Status Field to also control access to Folio
-
- Closed
-
-
UIU-514
All passwords stored must be encrypted (Change Password verification)
-
- Closed
-
-
UIU-515
All passwords must be encrypted on transit
-
- Closed
-
-
UIU-519
Technical Design: Generate a Create/Reset Password link
-
- Closed
-
-
UIU-521
Forgot Username email
-
- Draft
-
-
UIU-522
Edit User Detail Record: Display a Reset Password Email link
-
- Closed
-
-
UIU-564
Security: Logging Change Password Updates
-
- Draft
-
-
UIU-589
Edit User Detail Record: Display Send a create password email link (Frontend + Backend)
-
- Closed
-
-
UIU-590
Frontend: Security: Handling Failed login attempts via Folio Login Screen - Lock Account
-
- Blocked
-
-
UIU-591
Frontend: Indicate on User Detail record that the User is inactive due to failed login attempts
-
- Closed
-
-
UIU-595
Create/Reset Confirmation Modal : Copy link functionality
-
- Closed
-
-
UIU-596
Folio Login Page: Display a Forgot username link
-
- Closed
-
-
UIU-751
Edit User Detail Record: Display a Reset Password Email link (wire backend to frontend)
-
- Closed
-
-
-
- In Progress
-
-
FOLIO-1359
Ensure that password and PII are secured while in transit
-
- Draft
-
-
FOLIO-1371
API Design: A Folio module to send and format emails.
-
- Closed
-
-
MODLOGIN-38
Technical Design: Local Password Rules Parameters/Configuration
-
- Closed
-
-
MODLOGIN-86
Create/Extend password storage to support retaining last 10 changed passwords a user has saved
-
- Closed
-
-
MODNOTIFY-33
Extend mod-notify to support sending password creation/reset/changed password emails
-
- Closed
-
-
MODTEMPENG-1
Generate a Change Password email
-
- Closed
-
-
MODUSERBL-40
Create/Reset Password link validation
-
- Closed
-
-
MODUSERBL-41
Create/Reset password submission
-
- Closed
-
-
STCOR-273
Local Password Management: Create/Reset a Password Screen
-
- Closed
-
-
STRIPES-541
Create ui-myprofile module
-
- Closed
-
-
UIMPROF-4
Access Change my password from Folio Top Toolbar
-
- Closed
-
-
UIMPROF-5
If change password is successful then keep Folio session and do not force user to log out
-
- Closed
-
-
UIMPROF-20
Implement a Password Strength Meter
-
- Closed
-
-
UIU-516
Spike: Select a Password Strength Meter
-
- Closed
-
-
UIU-748
Successfully changed password confirmation page
-
- Closed
-
Expenses
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions
Will create a feature to capture Small Q1 2019 updates.
mod-login in its current form does two things:
Things like password reset could be managed by any service that has the appropriate permissions to write to the credentials store. Things like contact email and the like could be referenced from the user module. What we don't currently implement is any kind of "security question" information associated with credentials.
We're also not currently implementing anything to track password re-use. This would require an additional field to store past salt/hash pairs to check against new input.
As to whether SSO could completely replace username/password auth, I think theoretically yes. The main job of the login process is to return a usable token based on some kind of auth challenge. Whether that be password or SSO, it really should not matter.