A little synchronization can pay big dividends! End-to-end password synchronization
According to Gartner, 20% to 50% of tickets opened with the helpdesk concern password problems. The estimated cost of handling one is 15 euros (META Group resp. Gartner IT Key Metrics Data, summary report, 2011).
This blog, co-authored with Benjamin GOURDON, is based on the experiences of several customers who are looking for an alternative to single sign-on.
The purpose of this blog is to present an easy-to-implement solution designed to greatly reduce the number of calls to support. This method, proven at many customers, reaches its return on investment in less than 3 months.
Password management challenges
You want to synchronize the passwords of all your users throughout your IT landscape with a simple solution that is able to provision SAP and non-SAP applications. SAP NetWeaver Identity Management can easily help you with this.
Illustration of the password synchronization challenge
Of course it is possible to simply reset SAP passwords directly from the SAP IDM web interface, but this blog deals with password synchronization from the user's Windows session (Active Directory domain password) to SAP and non-SAP applications. This means that we have to be able to detect the password change in your Active Directory and then provision it as a productive password to the applications (the user is not prompted to change it at the first logon).
So this blog suggests an easy solution to implement a complete password synchronization using SAP NetWeaver Identity Management in 4 steps:
- Catch the password change on the Active Directory side
- Send this password to your Identity Center
- Handle the new password and write it to the IdStore
- Trigger the provisioning of the password to applications
Illustration of the 4 steps methodology
Steps 1 & 2: Catching the user password change and sending it to your Identity Center
SAP NetWeaver Identity Management provides a tool which catches password changes in Active Directory: Password Hook. It has to be installed on each domain controller to ensure complete monitoring of password change flows.
For installation prerequisites and procedure please have a look at the SAP documentation here:
Find below an example of Password Hook configuration (not enabled on this screen):
When Password Hook detects a password change it automatically executes a job configured in your Identity Center and exported as a .dse file. For the job definition you can do the following:
The new password is then sent to your SAP NetWeaver Identity Management database, into a temporary table. I recommend the following columns for the table:
- Automatic incremental key
- User unique ID
- User encrypted password
- Date of modification
- Name of the domain controller which sent the password
To encrypt the password you should use the same keys.ini file as your Identity Center, so that the password is encrypted before being sent to IDM (Triple DES encryption).
The first column plays a very important role in our workflow: it allows us to know which passwords have already been treated by the runtime, by comparison with another internal counter kept at repository level.
The last column is additional information about which domain controller sent the password. It can be useful if you want to know whether a domain controller or its Password Hook is down.
Step 3: Handling the new password in the Identity Center
To process a new password entered in the temporary table you should use an Event Agent which keeps watching the automatic incremental key of the table, as described below:
So when a new row appears the Event Agent executes a defined job composed of 4 passes that execute actions (including scripts):
- Update a customized MX_PERSON attribute such as Z_ENCRYPTED_PASSWORD_FROM_AD
- Write a log entry into a log table
- Delete the entry from the temporary table
- Increment a counter on the repository (as a variable) to ensure that the temporary table's key = repository variable
Maintaining a counter at repository level ensures that there is no lag between the entries treated in the temporary table and the entries treated in the Identity Store. In case of problems (Event Agent down) it makes it easy to identify how many passwords are waiting for treatment.
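As an added illustration of steps 2 and 3 (not code from the original post nor from SAP), here is a small JavaScript model of the temporary table, of the Event Agent job with its 4 passes, and of the repository counter; the column, variable and function names are assumed.

```javascript
// Added example: in-memory model of the temporary table filled by Password Hook
// and of the Event Agent job that drains it. Column and variable names are assumed.
const tempTable = [];            // rows inserted by the Password Hook job (step 2)
const logTable = [];             // filled by the "write log" pass
const idStore = {};              // MX_PERSON entries keyed by user unique ID
const repository = { Z_LAST_TREATED_KEY: 0 }; // repository variable compared with the key
let nextKey = 0;                 // automatic incremental key of the temporary table

// Step 2: what the job exported as a .dse file does when Password Hook fires.
// encryptedPassword is assumed to be already encrypted with the keys.ini of the IC.
function receiveFromPasswordHook(userId, encryptedPassword, controller) {
  nextKey += 1;
  tempTable.push({ key: nextKey, userId, encryptedPassword,
                   modifiedAt: new Date().toISOString(), controller });
  return nextKey;
}

// Step 3: the 4 passes executed by the Event Agent for every new row.
// Rows are treated in key order; a key <= the counter was already treated,
// so re-running the job after a crash does not process a row twice.
function eventAgentJob() {
  const pending = tempTable
    .filter(r => r.key > repository.Z_LAST_TREATED_KEY)
    .sort((a, b) => a.key - b.key);
  for (const row of pending) {
    // Pass 1: update the customized MX_PERSON attribute
    idStore[row.userId] = Object.assign({}, idStore[row.userId],
      { Z_ENCRYPTED_PASSWORD_FROM_AD: row.encryptedPassword });
    // Pass 2: write log (the controller name tells which DC sent the password)
    logTable.push({ key: row.key, userId: row.userId, controller: row.controller });
    // Pass 3: delete the entry from the temporary table
    tempTable.splice(tempTable.indexOf(row), 1);
    // Pass 4: increment the repository counter so that it equals the key just treated
    repository.Z_LAST_TREATED_KEY = row.key;
  }
  return pending.length;
}

// Monitoring: number of passwords waiting for treatment (e.g. Event Agent down).
function passwordsWaiting() {
  return nextKey - repository.Z_LAST_TREATED_KEY;
}
```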
Step 4: Provisioning the new password to applications
If SAP IDM is designed to provision the Active Directory password, Password Hook will be started automatically every time a password is modified, whatever its origin. So the challenge is to synchronize to other applications only the good password, the one that comes from the user himself. Here is a simple and pragmatic method to address this issue.
Because it is not possible to perform any check or workflow on the Password Hook side, you have to perform your checks in your Identity Center before definitively writing the new value of the password.
So triggers (Add and Modify event tasks) on the attribute Z_ENCRYPTED_PASSWORD_FROM_AD are needed to start a customized workflow that uses the following values:
- Attribute Z_ENCRYPTED_PASSWORD_FROM_AD, corresponding to the new encrypted password received from AD through Password Hook
- Attribute MX_ENCRYPTED_PASSWORD, corresponding to the current encrypted password in the IdStore
- Global constant Z_DEFAULT_PASSWORD, corresponding to the default value defined for password resets by administrators (example of value: Welcome123)
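Here is an added example (neither the post's own configuration nor SAP code) of the decision the two Conditional tasks can take, written as a JavaScript function over the attribute names given above; the encryption stand-in, the outcome names and the rule that an administrator reset is not propagated as the productive password are assumptions.

```javascript
// Added example: decision logic of the step 4 workflow, modelled in JavaScript.
// Stand-in for the keys.ini based encryption of the Identity Center: deterministic,
// as needed to compare encrypted values, but NOT a cipher (assumption).
function encryptLikeIdm(clearText) {
  return "ENC:" + Buffer.from(clearText, "utf8").toString("base64");
}

const Z_DEFAULT_PASSWORD = "Welcome123";   // global constant as in the post

// Possible outcomes of the workflow; the names are assumed.
const Outcome = {
  NO_CHANGE: "NO_CHANGE",          // AD value already equals the IdStore value
  ADMIN_RESET: "ADMIN_RESET",      // reset to the default value: not synchronized
  USER_PASSWORD: "USER_PASSWORD",  // the user's own password: write and provision
};

// entry: the MX_PERSON entry as updated by the Event Agent job (step 3).
function decidePasswordSync(entry) {
  const fromAd = entry.Z_ENCRYPTED_PASSWORD_FROM_AD;
  const current = entry.MX_ENCRYPTED_PASSWORD;
  if (!fromAd) {
    throw new Error("trigger fired without a value from AD");
  }
  // Conditional task 1: is it the value already stored? This is the case when
  // IDM itself provisioned the password to AD and Password Hook caught it again.
  if (fromAd === current) {
    return Outcome.NO_CHANGE;
  }
  // Conditional task 2: is it the administrators' default reset value?
  if (fromAd === encryptLikeIdm(Z_DEFAULT_PASSWORD)) {
    return Outcome.ADMIN_RESET;
  }
  return Outcome.USER_PASSWORD;
}

// Applies the decision: only a user-chosen password becomes the productive one.
function applyDecision(entry) {
  const outcome = decidePasswordSync(entry);
  if (outcome === Outcome.USER_PASSWORD) {
    entry.MX_ENCRYPTED_PASSWORD = entry.Z_ENCRYPTED_PASSWORD_FROM_AD;
    entry.provisionToApplications = true;   // assumed flag that starts provisioning
  }
  return outcome;
}
```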
Illustration of the workflow used to check password in IdStore
Remark: Instead of using a customized attribute in the productive IdStore, another option is to add a Staging Area IdStore in which to execute these checks.
The corresponding configuration in the Identity Center is shown below (including the queries for the two Conditional tasks):
You are now able to ensure the coherence and synchronization of your users' passwords.
Think about the wellness gain for your end users and enjoy the time you will save in the future on user support workload!