04 Sep 2015

Custom policies with Apache Syncope

Written by ilgrosso

In its journey towards 2.0.0, Apache Syncope has recently introduced the support for completely customizable account and password policies.

An account policy defines how usernames should look like: minimum / maximum length, forbidden values and so on.

A password policy does a similar job, but with password values.

Up to Apache Syncope 1.2 there are several predefined options for both policy types, which can be also configured from admin console, as shown by project's wiki.

But we know that customers' fantasy is endless, especially when it comes to deal with internal organization, workflows and security aspects.

I have prepared a sample project which contains:

  • a custom account policy checking that username values contains a given substring
  • a custom password policy checking that password values are different from same user's answer to security question


$ git clone git@github.com:ilgrosso/SyncopeCustomPolicyRules.git
$ cd SyncopeCustomPolicyRules
$ mvn clean install
$ cd console
$ mvn -P embedded

At this point Apache Syncope is up and running; you can verify by pointing your browser to http://localhost:9080/syncope/doc/.


I have also setup some quite self-explanatory client code which essentially:

  1. configure the custom account rule and create an account policy using it
  2. create a password policy using a custom password rule with no configuration options
  3. set the account and password policies above for root realm
  4. obtain sample user: should fail both account and password policy verification
  5. attempt to create user -> password policy fails because it has the same value as security answer
  6. change security answer to comply with password policy
  7. attempt to create user -> account policy fails because username doesn't contain the required substring
  8. change username to comply with account policy
  9. finally succeed

With reference to the SyncopeCustomPolicyRules directory created from above:

$ cd sample
$ mvn

Sample output of this application can be found here.


The ability to write your own custom account and password policies increases the already wide range of extension points provided by Apache Syncope in an area which is particularly sensible to security aspects.


« Return