4.1 Verifying Password Synchronization Settings in iManager

  1. In iManager, open the properties page for the driver whose password settings you want to check:

    1. Click to display the Identity Manager Administration page.

    2. In the Administration list, click Identity Manager Overview.

    3. On the Driver Sets tab, locate the driver set that contains the driver whose settings you want to check. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    4. Click the driver set to open the Driver Set Overview page.

    5. Click the driver to display the Driver Overview page.

    6. Click the upper right corner of the driver to display the Actions menu, then click Edit properties.

  2. On the properties page, click the Server Variables tab to display the Password Synchronization page.

    The settings that are enabled and disabled vary depending on the driver. Only those settings for features supported by the driver are available (not dimmed).

  3. Verify that the settings are configured properly.

    Identity Manager accepts passwords (Publisher Channel): If this option is enabled, Identity Manager allows passwords to flow from the connected system into the Identity Vault. Disabling this option means that no <password> elements are allowed to flow to Identity Manager. They are stripped out of the XML by a password synchronization policy on the Publisher channel.

    This setting applies to user passwords that are provided by the connected system itself, and password values that are created by a policy on the Publisher channel.

    If this option is enabled but the Distribution Password option below it is disabled, a <password> value coming from the connected system is written directly to the Universal Password in the Identity Vault. If the user’s password policy does not enable Universal Password, the password is written to the NDS password.

    Use Distribution Password for password synchronization: This setting is available only if the Identity Manager accepts passwords (Publisher Channel) setting is enabled.

    If this option is enabled, a password value coming from the connected system is written to the Distribution password. The Distribution password is reversible, which means that it can be retrieved from the Identity Vault data store for password synchronization. It is used by Identity Manager for bidirectional password synchronization with connected systems. For Identity Manager to distribute passwords from this system to other systems, this option must be enabled.

    Accept password only if it complies with user’s Password Policy: This setting is available only if the Use Distribution Password for password synchronization setting is enabled.

    If this option is selected, Identity Manager does not write a password from this connected system to the Distribution password in the Identity Vault or publish it to connected systems unless the password complies with the user’s password policy.

    If a password does not comply, enable the Reset the user’s password to the Distribution Password setting to reset the user’s password on the connected system. This allows you to enforce the password policy on the connected system as well as in your Identity Vault. If you do not select this option, user passwords can become out of sync on connected systems. However, you need to consider the connected system’s password policies when deciding whether to use this option. Some connected systems might not allow the reset because they do not allow a password to be reused.

    By using the Notify the user of password synchronization failure via e-mail setting, you can inform users when a password fails to be set or reset. Notification is especially helpful for this option. If the user changes to a password that is allowed by the connected system but rejected by Identity Manager because of the password policy, the user won't know that the password has been reset until the user receives a notification or tries to log in to the connected system with the old password.

    Always accept password; ignore Password Policies: This setting is available only if the Use Distribution Password for password synchronization setting is enabled.

    If you select this option, Identity Manager does not enforce the user’s password policy for this connected system. Identity Manager writes the password from this connected system to the Distribution password in the Identity Vault and distributes it to other connected systems regardless of password policy compliance.

    Application accepts passwords (Subscriber Channel): If you enable this option, the driver sends passwords from the Identity Vault to this connected system. This also means that if a user changes the password on a different connected system that is publishing passwords to the Distribution password in the Identity Vault, the password is changed on this connected system.

    By default, the Distribution password is the same as the Universal Password in the Identity Vault, so changes to the Universal Password made in the Identity Vault are also sent to the connected system.

    Notify the user of password synchronization failure via e-mail: If you enable this option, e-mail is sent to the user if a password is not synchronized, set, or reset. The e-mail that is sent to the user is based on an e-mail template. This template is provided by the Password Synchronization application. However, for the template to work, you must customize it and specify an e-mail server to send the notification messages. For instructions, see Section 5.0, Configuring E-Mail Notification.

  4. When you are finished, click OK to save your changes.

    The settings are saved as Global Configuration Values. You can view them on the Identity Manager > Global Config Values page.
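    Because the settings above are stored as Global Configuration Values, the checks in step 3 can also be run against the driver's GCV XML rather than by clicking through iManager for every driver. The following is an added example, not code shipped with Identity Manager or taken from the product documentation. It parses a constructed GCV document in the <definition name="..." type="boolean"><value>...</value></definition> form, applies the dependency order the Password Synchronization page enforces (a dependent setting is only in effect when the setting above it is enabled), and reports the combinations that the section warns about. The GCV names (enable-password-publish, publish-password-to-dp, enforce-password-policy, reset-external-password-on-policy-failure, enable-password-subscribe, notify-user-on-password-dist-failure) and the attribute that holds them (DirXML-ConfigValues) are assumptions modelled on shipped driver configurations; confirm them on your driver's Identity Manager > Global Config Values page before relying on the script.

```python
import xml.etree.ElementTree as ET

# Constructed sample of one driver's GCV XML (the DirXML-ConfigValues
# attribute). GCV names are assumptions; verify them against your driver.
SAMPLE_GCV_XML = """<configuration-values>
  <definitions>
    <definition display-name="Identity Manager accepts passwords (Publisher Channel)"
                name="enable-password-publish" type="boolean"><value>true</value></definition>
    <definition display-name="Use Distribution Password for password synchronization"
                name="publish-password-to-dp" type="boolean"><value>true</value></definition>
    <definition display-name="Accept password only if it complies with user's Password Policy"
                name="enforce-password-policy" type="boolean"><value>false</value></definition>
    <definition display-name="Reset the user's password to the Distribution Password"
                name="reset-external-password-on-policy-failure" type="boolean"><value>false</value></definition>
    <definition display-name="Application accepts passwords (Subscriber Channel)"
                name="enable-password-subscribe" type="boolean"><value>true</value></definition>
    <definition display-name="Notify the user of password synchronization failure via e-mail"
                name="notify-user-on-password-dist-failure" type="boolean"><value>false</value></definition>
  </definitions>
</configuration-values>"""

# Assumed GCV names for the six settings on the Password Synchronization page.
PASSWORD_SYNC_GCVS = (
    "enable-password-publish",
    "publish-password-to-dp",
    "enforce-password-policy",
    "reset-external-password-on-policy-failure",
    "enable-password-subscribe",
    "notify-user-on-password-dist-failure",
)


def parse_gcvs(xml_text):
    """Return {gcv-name: bool} for every boolean <definition> in the GCV XML."""
    root = ET.fromstring(xml_text)
    gcvs = {}
    for definition in root.iter("definition"):
        if definition.get("type") != "boolean":
            continue
        value = definition.findtext("value", default="false").strip().lower()
        gcvs[definition.get("name")] = value == "true"
    return gcvs


def missing_gcvs(gcvs):
    """Names not present at all: the driver does not expose that feature
    (the control is dimmed in iManager), so it cannot be relied on."""
    return [name for name in PASSWORD_SYNC_GCVS if name not in gcvs]


def effective_settings(gcvs):
    """Apply the page's dependency chain: Distribution Password only matters if
    the Publisher accepts passwords; policy enforcement only if Distribution
    Password is used; reset-on-failure only if enforcement is on."""
    publish = gcvs.get("enable-password-publish", False)
    to_dp = publish and gcvs.get("publish-password-to-dp", False)
    enforce = to_dp and gcvs.get("enforce-password-policy", False)
    reset = enforce and gcvs.get("reset-external-password-on-policy-failure", False)
    return {
        "publish": publish,
        "use_distribution_password": to_dp,
        "enforce_policy": enforce,
        "reset_on_failure": reset,
        "subscribe": gcvs.get("enable-password-subscribe", False),
        "notify": gcvs.get("notify-user-on-password-dist-failure", False),
    }


def audit(gcvs):
    """Return the findings step 3 of the procedure would raise for these GCVs."""
    s = effective_settings(gcvs)
    findings = []
    if s["publish"] and not s["use_distribution_password"]:
        findings.append("Publisher writes connected-system passwords straight to the "
                        "Universal (or NDS) password; Distribution Password is unused, "
                        "so this system's passwords are not distributed to other systems")
    if s["use_distribution_password"] and not s["enforce_policy"]:
        findings.append("'Always accept password; ignore Password Policies' is in effect: "
                        "the user's password policy is bypassed for this connected system")
    if s["enforce_policy"] and not s["reset_on_failure"]:
        findings.append("non-compliant passwords are rejected but not reset on the "
                        "connected system, so passwords can drift out of sync")
    if s["enforce_policy"] and not s["notify"]:
        findings.append("users are not e-mailed when a password is rejected or reset")
    return findings


if __name__ == "__main__":
    parsed = parse_gcvs(SAMPLE_GCV_XML)
    for name in missing_gcvs(parsed):
        print("not exposed by driver:", name)
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Running it on the constructed sample reports one finding, the policy bypass, because publish-password-to-dp is true while enforce-password-policy is false. To audit a live driver, export the DirXML-ConfigValues attribute of the driver object (for example with an LDAP search) and pass that XML to parse_gcvs instead of the sample; driver-set-level GCVs, which the driver inherits, need the same treatment on the driver set object.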