on 08-27-2015 7:56 AM
Hello Experts,
The password hook is not available for IDM 8.0 yet, and I got to know a few months back that it's not reliable and has security implications.
So if not for the password hook, how do we read passwords from AD into IDM? The initial load doesn't bring in the password. We get a NULL value for the AD attribute userPassword when using the standard initial load job.
How have you covered this scenario?
Kind regards,
Jai
The password hook can only read password changes; it could never read existing passwords, and if you could simply read the password from AD via LDAP or ADSI you'd have a major security issue. Even if you could get the hashed password value, it would be useless for other systems.
I'm not sure I understand your scenario, are you looking for SSO functionality or just catching password changes in ADS?
Hello Chris,
Thanks for looking into this.
The scenario is implementing SAP IDM in an existing AD and SAP systems landscape where SSO is not enabled. We want to load users with their passwords into IDM so that we can provision users to SAP systems with the same password.
What is the way forward for this scenario? Thanks.
Kind regards,
Jai
Hi Jai,
To follow up on what Chris was saying...
If you want to use the password hook for "Simplified Sign-on", you will need to set up Self Service Password Reset.
Unfortunately, as Chris mentioned, there is no "Big Bang" solution. As users change their passwords via IDM, the passwords can be distributed to systems via the Framework (including AD).
Of course one could "induce" this by changing their password expiry dates, but that can cause more issues than it hopes to solve.
BTW, as far as I know there is no issue between the PW Hook and version 8. However, if there is, you should open a note on it ASAP.
Regards,
Matt
Hi Jai,
As Chris & Matt said, there is not an easy solution, but my suggestion is to set up the IdM authorization to be against AD, so to log in to IdM the users should use their AD credentials. Then, if the users want, they can reset their password by using the standard Password Reset workflow (the password will be reset in all of the systems). In order to reset the password partially, you should do some custom extension of the standard workflow.
BR,
Simona
Thank you all for your prompt responses.
So I will let them know there is no standard configuration to read the passwords of existing users into IDM.
The SSO option will cover the initial phase, where passwords will be different between AD and the SAP systems.
Then, for new users and password resets of existing users, IDM will maintain the master password and there will be a single source of truth.
Kind regards,
Jaisuryan
I recently worked on a scenario where IdM was integrated with a custom-built .Net password utility that was used to reset AD passwords. This .Net utility passed the password value to VDS via an LDAP update call, applying the value to the MX_PASSWORD attribute. This was then provisioned to all SAP systems where the user had an ID. We used productive password provisioning (which requires Secure Network Communication defined between IdM and the ABAP NetWeaver stack). This set the AD password and the SAP password to the same value. (Note: contradicting minds suggested that setting the AD password and SAP password the same was a security risk, something to consider.)
With that said, the .Net utility could be replaced with the delivered Password Self-Service feature within IdM. The key is activation of SNC, modifying the update ABAP Password pass to set a productive password, and setting the PSS component to allow the user to set their own password (versus allowing IdM to generate one).
Hope this gives you some ideas...
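The post above describes a utility that pushes a newly set password into VDS with an LDAP update on the MX_PASSWORD attribute. The following is an added illustration, not code from the original thread or from any SAP component, of what that one update looks like as a standard RFC 2849 LDIF modify record, with the password value base64-encoded (so spaces, colons or non-ASCII characters cannot break the record) and a guard that refuses to prepare the update unless the VDS endpoint is an ldaps:// URL, since the cleartext password travels in that request. The DN, host name and sample password are constructed placeholders; the attribute name MX_PASSWORD is the one the post mentions.

```python
import base64
from urllib.parse import urlparse


def build_password_modify_ldif(dn: str, new_password: str,
                               attribute: str = "MX_PASSWORD") -> str:
    """Return an RFC 2849 LDIF 'changetype: modify' record that replaces
    a single attribute value on the given entry.

    The value is emitted base64-encoded ('::' separator). LDIF allows this
    for any value, and it sidesteps the SAFE-STRING rules that would
    otherwise reject passwords starting with a space or containing ':'.
    """
    if not new_password:
        raise ValueError("refusing to build an update with an empty password")
    encoded = base64.b64encode(new_password.encode("utf-8")).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        f"replace: {attribute}",
        f"{attribute}:: {encoded}",
        "-",          # terminates the modify operation list
        "",           # trailing newline ends the record
    ])


def is_ldaps_url(url: str) -> bool:
    """True only for ldaps:// endpoints; a plain ldap:// URL would carry the
    cleartext password over the wire (assumption: StartTLS is not used)."""
    return urlparse(url).scheme.lower() == "ldaps"


def prepare_vds_update(vds_url: str, dn: str, new_password: str) -> str:
    """Validate the transport, then produce the LDIF the caller would feed
    to the LDAP client. Raises ValueError rather than silently downgrading."""
    if not is_ldaps_url(vds_url):
        raise ValueError(f"VDS endpoint must be ldaps://, got: {vds_url}")
    return build_password_modify_ldif(dn, new_password)


if __name__ == "__main__":
    # Constructed sample values; no real VDS is contacted here.
    vds = "ldaps://vds.example.invalid:636"
    user_dn = "cn=jdoe,ou=users,o=vds-example"
    print(prepare_vds_update(vds, user_dn, "S3cret pass:word"))
```

The LDIF string is only the payload; in practice it would be handed to an LDAP client bound with the service account that VDS authorizes to write MX_PASSWORD, and the bind itself must use the same TLS channel the guard insists on.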