30.2 Verifying Password Synchronization Settings

Password Synchronization lets you synchronize passwords across connected systems using Identity Manager. To view your Password Synchronization settings for connected systems, select the appropriate driver set from the drop-down.

By using Password Synchronization, you can set up connected systems to do the following:

  • Publish passwords to Identity Manager.

  • Subscribe to passwords from Identity Manager or other connected systems.

  • Enforce Password Policies on connected systems.

  • Send notification emails.

Perform the following steps to check the password synchronization settings:

  1. In Identity Console, select Password Synchronization > Password Synchronization from the main page.

  2. Select the driver set that contains the driver whose settings you want to check.

  3. Click the name of the driver from the list.

    NOTE: The settings that are enabled and disabled vary depending on the driver. Only those settings for features supported by the driver are available.

  4. Verify that the settings are configured properly.

    Identity Manager accepts passwords (Publisher Channel): If this option is enabled, Identity Manager allows passwords to flow from the connected system into the Identity Vault. Disabling this option means that no <password> elements are allowed to flow to Identity Manager. They are stripped out of the XML by a password synchronization policy on the Publisher channel.

    This setting applies to user passwords that are provided by the connected system itself, and password values that are created by a policy on the Publisher channel.

    If this option is enabled but the Distribution Password option below it is disabled, a <password> value coming from the connected system is written directly to the Universal password in the Identity Vault. If the user’s password policy does not enable Universal Password, the password is written to the NDS password.

    Use Distribution Password for password synchronization: This setting is available only if the Identity Manager accepts passwords (Publisher Channel) setting is enabled.

    If this option is enabled, a password value coming from the connected system is written to the Distribution password. The Distribution password is reversible, which means that it can be retrieved from the Identity Vault data store for password synchronization. It is used by Identity Manager for bidirectional password synchronization with connected systems. For Identity Manager to distribute passwords from this system to other systems, this option must be enabled.

    Accept password only if it complies with user’s Password Policy: This setting is available only if the Use Distribution Password for password synchronization setting is enabled.

    If this option is selected, Identity Manager does not write a password from this connected system to the Distribution password in the Identity Vault or publish it to connected systems unless the password complies with the user’s password policy.

    If a password does not comply, enable the Reset the user’s password to the Distribution Password setting to reset the user’s password on the connected system. This allows you to enforce the password policy on the connected system as well as in your Identity Vault. If you do not select this option, user passwords can become out-of-sync on connected systems. However, you need to consider the connected system’s password policies when deciding whether to use this option. Some connected systems might not allow the reset because they don't allow you to repeat passwords.

    By using the Notify the user of password synchronization failure via email setting, you can inform users when a password fails to be set or reset. Notification is especially helpful for this option. If the user changes to a password that is allowed by the connected system but rejected by Identity Manager because of the password policy, the user won't know that the password has been reset until the user receives a notification or tries to log in to the connected system with the old password.

    Always accept password; ignore Password Policies: This setting is available only if the Use Distribution Password for password synchronization setting is enabled.

    If you select this option, Identity Manager does not enforce the user’s password policy for this connected system. Identity Manager writes the password from this connected system to the Distribution password in the Identity Vault and distributes it to other connected systems regardless of password policy compliance.

    Application accepts passwords (Subscriber Channel): If you enable this option, the driver sends passwords from the Identity Vault to this connected system. This also means that if a user changes the password on a different connected system that is publishing passwords to the Distribution password in the Identity Vault, the password is changed on this connected system.

    By default, the Distribution password is the same as the Universal password in the Identity Vault, so changes to the Universal password made in the Identity Vault are also sent to the connected system.

    Notify the user of password synchronization failure via email: If you enable this option, email is sent to the user if a password is not synchronized, set, or reset. The email that is sent to the user is based on an email template. This template is provided by the Password Synchronization application. However, for the template to work, you must customize it and specify an email server to send the notification messages. For instructions, see Configuring E-Mail Notification in the NetIQ Identity Manager Password Management Guide.

  5. When you are finished, click Save to save your changes. The settings are saved as Global Configuration Values.
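The Publisher-channel settings described in step 4 form a decision tree: whether a published password is stripped, written to the Universal or NDS password, written to the Distribution password, or rejected. The following added example (not part of this guide or of Identity Manager itself) models that documented flow so you can check what a given combination of settings will do; the setting names, the action strings and the stand-in password policy (minimum length plus one digit) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class PubSyncSettings:
    """One driver's Publisher-channel settings from the Password Synchronization page.
    Field names are hypothetical; each maps to the setting quoted in the comment."""
    accepts_passwords: bool          # "Identity Manager accepts passwords (Publisher Channel)"
    use_distribution_password: bool  # "Use Distribution Password for password synchronization"
    enforce_policy: bool             # True: "Accept password only if it complies..."; False: "Always accept"
    reset_on_noncompliance: bool     # "Reset the user's password to the Distribution Password"
    notify_by_email: bool            # "Notify the user of password synchronization failure via email"


def complies_with_policy(password: str, min_length: int = 8) -> bool:
    # Constructed stand-in for the user's Password Policy (not a real IDM policy):
    # minimum length and at least one digit.
    return len(password) >= min_length and any(c.isdigit() for c in password)


def publish_password(settings: PubSyncSettings, password: str,
                     universal_password_enabled: bool) -> List[str]:
    """Return the actions the documented settings imply for one <password> published
    by a connected system. universal_password_enabled reflects the user's password policy."""
    if not settings.accepts_passwords:
        # A Publisher-channel policy strips <password> elements; nothing reaches the Vault.
        return ["strip-password-element"]
    if not settings.use_distribution_password:
        # Written directly to the Universal password, or to the NDS password when the
        # user's password policy does not enable Universal Password.
        return ["write-universal-password" if universal_password_enabled else "write-nds-password"]
    if settings.enforce_policy and not complies_with_policy(password):
        # Non-compliant: not written to the Distribution password and not published onward.
        actions = ["reject-noncompliant-password"]
        if settings.reset_on_noncompliance:
            actions.append("reset-connected-system-password")
        if settings.notify_by_email:
            actions.append("send-failure-email")
        return actions
    # Compliant, or "Always accept password; ignore Password Policies" selected.
    return ["write-distribution-password", "distribute-to-subscribers"]
```

Running the same password through two configurations side by side is the quickest way to see why a driver with "Always accept" selected can leave other connected systems holding a password that violates the Vault's policy.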

Figure 30-1 Managing Password Synchronization