1.2 Password Synchronization Flow

Identity Manager supports the following levels of password synchronization:

  • Bidirectional: Identity Manager accepts passwords from a connected system and distributes passwords to the connected system. Users can change their passwords in the connected system or in the Identity Vault.

    Some connected systems can’t provide the user’s actual password, which means they don’t support full bidirectional password synchronization. However, they can provide data (first name, last name, and so forth) that the connected system’s driver policies use to create an initial password. After the initial password is created from connected system data, no more password information is sent from the connected system. Passwords flow only from the Identity Vault to the connected system.

  • To the connected system: Identity Manager distributes passwords from the Identity Vault to the connected system only.

  • To the Identity Vault: Identity Manager distributes passwords from the connected system to the Identity Vault only.

The connected system determines the level of support for password synchronization. Some systems, such as Microsoft Active Directory and NetIQ eDirectory, support bidirectional synchronization. Other systems support synchronization in one direction only. See Section 3.0, Connected System Support for Password Synchronization, for details.