Password Propagation Plug-ins
About the Password Propagation Callout Handler
The Password Propagation Callout provides an extension point to the Password Change authentication method. The DirX Access native login module is responsible for determining if a password change is necessary during the authentication process. It manages the logic that decides when users should be prompted to enter a new password, ensuring that password policies and security requirements are met. The callout mechanism, on the other hand, provides flexibility by enabling the propagation of the new password through various external channels, such as LDAP or SCIM. The second application of the callout mechanism involves externalizing the configuration of password policies.
Developing a Password Propagation Callout Handler
This section describes the tasks necessary for developing a custom Password Propagation callout handler.
Externalizing Password Propagation flow from the DirX Access Server
The DirX Access Server allows the Password Propagation flow to be externalized through a plug-in interface.
This method requires creating a Password Propagation callout handler that implements the PasswordPropagationCallout interface (net.atos.dirx.access.authn.api.callout.PasswordPropagationCallout).
The interface is based on the general Callback interface, which gives access to the internal DXA server services, such as the authentication service and the application repository service (configuration, policy, and user credentials).
The implementing class must be contained within an exported package of an OSGi bundle.
Employing a Password Propagation Callout Handler
The steps needed to employ the custom callout handler are outlined in the section Employing External Plug-in Modules.
Using a Password Propagation Callout Handler
This section describes the tasks that need to be performed to use a Password Propagation callout handler. Before starting to configure the DirX Access Server, make sure to run through all the steps in the section Employing External Plug-in Modules.
Prerequisites
To successfully employ the custom Password Propagation callout handler, the OSGi bundle exporting the package containing the callout implementation must be installed on the DirX Access Server. To accomplish this task, make sure you have performed all of the steps described in the section Employing External Plug-in Modules.
Configuring the Custom Password Propagation Callout Handler at the DirX Access Server
To configure the custom Password Propagation callout handler at the DirX Access Server:
- In DirX Access Manager, go to Configuration | Extension modules.
- Create the callout handler <CalloutIdentifier>:
  - Go to Callout handlers and click the “add” icon to create a new callout handler.
  - Identifier: <CalloutIdentifier>.
  - Description: arbitrary.
  - Type: select PasswordPropagationEvents.
  - Class name: enter the fully-qualified Java class name of the callout implementation.
  - Click Save.
- In DirX Access Manager, go to Authentication | Methods | Password Change:
  - Select an Authentication method to which the custom handler should be assigned.
  - In the Callout handler identifier drop-down box, select the desired <CalloutIdentifier>.
  - Click Save.
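A pre-installation check for the bundle requirement stated under Prerequisites and the Class name field above, given as an added example that is not part of the DirX Access product or its documentation. It confirms that the configured class exists in the bundle JAR and that its package appears in the manifest's `Export-Package` header; the function names, the `com.example.pwprop` package and the `LdapPropagationCallout` class are hypothetical.

```python
import io
import re
import zipfile


def exported_packages(manifest_text):
    """Package names listed in the bundle's Export-Package header."""
    # Manifest lines wrap at 72 bytes; a continuation line starts with one space.
    unfolded = re.sub(r"\r?\n ", "", manifest_text)
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "export-package":
            continue
        # Drop quoted values (they may contain commas); parts without '=' are packages.
        value = re.sub(r'"[^"]*"', "", value)
        parts = (p.strip() for clause in value.split(",") for p in clause.split(";"))
        return {p for p in parts if p and "=" not in p}
    return set()


def check_callout_bundle(jar_bytes, class_name):
    """Return a list of problems; an empty list means both checks passed."""
    package = class_name.rpartition(".")[0]
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF in archive"]
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        if class_name.replace(".", "/") + ".class" not in names:
            problems.append("class %s not found in bundle" % class_name)
        if package not in exported_packages(manifest):
            problems.append("package %s is not in Export-Package" % package)
    return problems


def build_sample_jar(export_header):
    """Constructed sample bundle with hypothetical names, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n"
                     "Bundle-SymbolicName: com.example.pwprop\n" + export_header + "\n")
        jar.writestr("com/example/pwprop/LdapPropagationCallout.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar("Export-Package: com.example.other")
    print(check_callout_bundle(jar, "com.example.pwprop.LdapPropagationCallout"))
```

To check a real bundle, pass the JAR file's bytes and the exact value entered in the Class name field.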