Update site/content/posts/2022-01-18-idp-refresh-tls-ciphers-for-compliance.md
Co-authored-by: Ryan Richard <rrichard@pivotal.io>
parent 4f61b6c6e2
commit d4c014ec07
@ -75,7 +75,7 @@ If your access tokens have a lifetime shorter than 3 hours, Pinniped will issue
### What about LDAP / Active Directory IDP changes?
LDAP does not have a concept of sessions or refresh tokens. Hence we run LDAP queries against the LDAP or AD IDP to simulate the refresh. For LDAP, we validate if the LDAP entry exists with no changes to Pinniped *UID and Username* fields. For AD, we validate all the LDAP checks mentioned earlier and we also validate the user's password and account status if locked or disabled. If any of the LDAP or AD checks fail, the user will be able to use the existing Pinniped session until it expires in about 5 minutes.
LDAP does not have a concept of sessions or refresh tokens. Hence we run LDAP queries against the LDAP or AD IDP to approximate a refresh. For LDAP, we validate if the LDAP entry still exists with no changes to Pinniped UID and username fields. For AD, we validate the same LDAP checks and we also validate the user's password has not changed since the original login and their account is not locked or disabled.
## Secure TLS ciphers
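Review bot: the rewritten paragraph (the line replacing the old LDAP/AD sentence) drops the statement of what happens when a refresh-time check fails; the removed text said the user keeps the existing Pinniped session until it expires in about 5 minutes, and that bound on how long a disabled, locked or password-changed account stays usable is exactly what a reader of a compliance-oriented post needs. Suggest keeping a closing sentence along the lines of: `If any of these checks fail, the user can continue to use the existing Pinniped session only until it expires, in about 5 minutes.` Minor style point in the same line: "validate if the LDAP entry still exists" and "validate the user's password has not changed" read better as "validate that the LDAP entry still exists" and "validate that the user's password has not changed", so both clauses use the same construction.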