Read password into IDM from AD

jaisuryan
Active Contributor

Hello Experts,

The password hook is not available for IDM 8.0 yet, and I got to know a few months back that it's not reliable and has security implications.

So if not the password hook, how do we read the password from AD into IDM? The initial load doesn't bring in the password. We get a NULL value for the AD attribute userPassword when using the standard initial load job.

How have you covered this scenario?

Kind regards,

Jai

Accepted Solutions (1)


Former Member

The password hook can only read password changes; it could never read existing passwords, and if you could simply read the password from AD via LDAP or ADSI you'd have a major security issue. Even if you could get the hashed password value, it would be useless for other systems.

I'm not sure I understand your scenario, are you looking for SSO functionality or just catching password changes in ADS?

jaisuryan
Active Contributor

Hello Chris,

Thanks for looking into this.

The scenario is implementing SAP IDM in an existing AD and SAP systems landscape where SSO is not enabled. We want to load users with their passwords into IDM so that we can provision users to SAP systems with the same password.

What is the way forward for this scenario? Thanks.

Kind regards,

Jai

former_member2987
Active Contributor

Hi Jai,

To follow up on what Chris was saying...

If you want to use the Password Hook for "Simplified Sign-on", you will need to set up Self Service Password Reset.

Unfortunately, as Chris mentioned, there is no "Big Bang" solution. As users change their passwords via IDM, the passwords can be distributed to systems via the Framework (including AD).

Of course one could "induce" this by changing their password expiry dates, but that can cause more issues than it hopes to solve.

BTW, as far as I know there is no issue between the PW Hook and Version 8. However, if there is, you should open a note on it ASAP.

Regards,

Matt

Former Member

Hi Jai,

As Chris & Matt said, there is not an easy solution, but my suggestion is to set up the IdM authorization to be against AD, so to log in to IdM the users should use their AD credentials. Then, if the users want, they can reset their password by using the standard Password Reset workflow (the password will be reset in all of the systems). In order to reset the password partially, you should do some custom extension of the standard workflow.

BR,

Simona

Answers (2)


jaisuryan
Active Contributor

Thank you all for your prompt responses.

So I will let them know there is no standard configuration to read the passwords of existing users into IDM.

The SSO option will cover the initial phase, where passwords will be different between AD and SAP systems.

Then, for new users and password resets of existing users, IDM will maintain the master password and there will be a single source of truth.

Kind regards,

Jaisuryan

Former Member

I recently worked on a scenario where IdM was integrated with a custom-built .Net password utility that was used to reset AD passwords. This .Net utility passed the password value to VDS via an LDAP update call, applying the value to the MX_PASSWORD attribute. This was then provisioned to all SAP systems where the user had an ID. We used productive password provisioning (which requires Secure Network Communication defined between IdM and the ABAP NetWeaver stack). This set the AD password and the SAP password to the same value. (Note that contradicting minds suggested that setting the AD password and SAP password to the same value was a security risk; something to consider.)

With that said, the .Net utility could be replaced with the delivered Password Self-service feature within IdM. The key is activation of SNC, modifying the update ABAP Password pass to set a productive password, and setting the PSS component to allow the user to set their own password (versus allowing IdM to generate one).

Hope this gives you some ideas...
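The LDAP update described in the last answer (a client pushing a new value into MX_PASSWORD through VDS) can be reproduced without any custom .Net code by generating an LDIF modify request and feeding it to a standard LDAP client. The following is an added example, not code from the original post or from SAP. It assumes a hypothetical VDS DN layout (mskeyvalue=...,ou=users,o=idm); the real DN form depends on how the VDS tree is configured. MX_PASSWORD is the attribute named in the post. The policy thresholds in meets_both_policies are placeholders, loosely modelled on the AD complexity rule, standing in for the real AD domain policy and the ABAP login/* profile parameters: because the post sets the AD and SAP passwords to the same value, a password that fails either policy will leave the two systems out of step.

```python
"""Build an LDIF 'changetype: modify' request that replaces MX_PASSWORD on an
IdM entry exposed through VDS, and pre-check the password against a combined
policy before sending it anywhere.

Added example, not from the original post. DN layout and policy thresholds are
assumptions (see the lead-in).
"""
import base64
import re

# LDIF (RFC 2849): a value may be written in the clear only if every byte is a
# SAFE-CHAR and the first byte is a SAFE-INIT-CHAR. That excludes non-ASCII,
# NUL/CR/LF anywhere, and a leading space, ':' or '<'. Anything else goes in
# base64 after a double colon ("attr:: ...").
_SAFE_INIT = re.compile(rb"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]")
_SAFE_BODY = re.compile(rb"^[\x01-\x09\x0b\x0c\x0e-\x7f]*$")


def ldif_value(attr: str, value: str) -> str:
    """Render one 'attr: value' LDIF line, base64-encoding when required.

    A trailing space is legal in the grammar but is stripped by some tools,
    so it is base64-encoded here too (conservative choice, not an RFC rule)."""
    raw = value.encode("utf-8")
    safe = (
        bool(raw)
        and _SAFE_INIT.match(raw) is not None
        and _SAFE_BODY.match(raw) is not None
        and not raw.endswith(b" ")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def build_password_modify(dn: str, password: str) -> str:
    """Return the LDIF text for a replace of MX_PASSWORD on `dn`.

    The entry's other attributes are untouched; only the password attribute
    is replaced, which is what the VDS update in the post did."""
    return "\n".join(
        [
            ldif_value("dn", dn),
            "changetype: modify",
            "replace: MX_PASSWORD",
            ldif_value("MX_PASSWORD", password),
            "-",
            "",
        ]
    )


def meets_both_policies(password: str, min_len: int = 8, max_len: int = 40) -> bool:
    """Placeholder combined policy: length window plus 3 of 4 character classes.

    Take min_len/max_len and the class rule from the AD domain policy and from
    the login/* parameters of every ABAP target, then keep the strictest
    combination; the values here are example numbers only."""
    if not (min_len <= len(password) <= max_len):
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def prepare_request(dn: str, password: str) -> str:
    """Policy-check the password, then build the LDIF; raise on a reject so a
    non-compliant value is never pushed to VDS and fanned out to SAP."""
    if not meets_both_policies(password):
        raise ValueError("password fails the combined AD/ABAP policy")
    return build_password_modify(dn, password)


if __name__ == "__main__":
    # Constructed sample: hypothetical DN and a password with a non-ASCII
    # character, which forces the base64 form on the wire.
    print(prepare_request("mskeyvalue=jsmith,ou=users,o=idm", "Frühling2024!"))
```

The generated text can be piped to a standard client, for example `ldapmodify -H ldaps://vds.example:636 -D "<admin DN>" -W -f request.ldif`, bound as a service account that VDS maps to the IdM password-update right; use LDAPS (or StartTLS) only, since the cleartext password travels in the request. The base64 form is LDIF transport encoding, not protection: the directory sees the plain value either way.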