According to Gartner, 20% to 50% of the tickets opened with the Helpdesk concern password problems, and the estimated cost of handling each one is 15 euros (META Group, resp. Gartner IT Key Metrics Data, summary report, 2011).
This blog, co-authored with benjamin.gourdon, is based on the experience of several customers looking for an alternative to single sign-on.
Its purpose is to present an easy-to-implement solution designed to greatly reduce the number of calls to the support desk. This method, proven at many customers, delivers a return on investment in less than 3 months.
You want to synchronize the passwords of all your users across your IT landscape with a simple solution that can provision both SAP and non-SAP applications. SAP NetWeaver Identity Management can easily help you with this.
Illustration of the password synchronization challenge
Of course it is possible to simply reset SAP passwords directly from the SAP IDM web interface, but this blog deals with synchronizing the password from the user's Windows session (the Active Directory domain password) to SAP and non-SAP applications. This means we have to detect the password change in Active Directory and then provision it to the applications as a productive password (the user is not prompted to change it at first logon).
So this blog suggests an easy way to implement complete password synchronization using SAP NetWeaver Identity Management in 4 steps:
Illustration of the 4 steps methodology
SAP NetWeaver Identity Management provides a tool that captures password changes in Active Directory: the Password Hook. It has to be installed on every domain controller, since a change can be processed by any of them, to ensure complete monitoring of password changes.
For installation prerequisites and procedure, please have a look at the SAP documentation here:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0bce8df-02e8-2d10-11a3-b61f8df4e...
Below is an example of the Password Hook configuration (not enabled in this screenshot):
When Password Hook detects a password change, it automatically executes a job that you configure in your Identity Center and export as a .dse file. To define the job, do the following:
The new password is then sent to a temporary table in your SAP NetWeaver Identity Management database. I recommend the following columns for the table:
Encrypt the password before sending it to IDM, using the same keys.ini file as your Identity Center (DES3 encryption), so that the Identity Center is able to decrypt it.
The first column (the automatically incremented key) plays a very important role in our workflow: by comparing it with an internal counter kept at repository level, we know which passwords the runtime has already treated.
The last column records which domain controller sent the password. It is useful for finding out whether a domain controller, or the Password Hook on it, is down.
To pick up new passwords entered in the temporary table, use an Event Agent that keeps watching the automatic incremental key of the table, as described below:
So when a new line appears, the Event Agent executes a defined job composed of 4 passes that execute the actions (including scripts):
Maintaining a counter at repository level ensures that there is no gap between the entries treated in the temporary table and the entries treated in the Identity Store. In case of problems (Event Agent down) it also makes it easy to see how many passwords are waiting for treatment.
If SAP IDM is itself configured to provision the Active Directory password, Password Hook will fire every time a password is modified, including when IDM writes one. So the challenge is to synchronize to the other applications only the right password, the one chosen by the user himself, and not an echo of IDM's own provisioning. Here is a simple and pragmatic method to address this issue.
Because no check or workflow can be performed on the Password Hook side, you have to perform your checks in the Identity Center before definitively writing the new value of the password.
So triggers (Add and Modify event tasks) on the attribute Z_ENCRYPTED_PASSWORD_FROM_AD are needed to start a customized workflow that assumes the following values:
Illustration of the workflow used to check password in IdStore
Remark: instead of using a customized attribute in the productive IdStore, another option is to add a Staging Area IdStore in which to execute these checks.
The corresponding configuration in the Identity Center is shown below (including the queries for the two Conditional tasks):
You are now able to ensure the coherence and synchronization of your users' passwords.
Think about the gain in your end users' well-being, and enjoy the time you will save in the future on the user support workload!
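To make the temporary table, the repository-level counter and the loop check concrete, here is an added simulation in Python on an in-memory SQLite database; it is not SAP IDM code and not the Identity Center configuration referred to above. The column names (ID, USERNAME, ENC_PWD, SOURCE_DC), the counter table, the constructed sample values and the rule that a row equal to the value IDM itself last provisioned to AD is an echo to be skipped are all assumptions.

```python
import sqlite3

def create_schema(conn):
    # Temporary table fed by Password Hook plus the repository-level counter (assumed names).
    conn.executescript("""
        CREATE TABLE AD_PASSWORD_QUEUE (ID INTEGER PRIMARY KEY AUTOINCREMENT,
            USERNAME TEXT NOT NULL, ENC_PWD TEXT NOT NULL, SOURCE_DC TEXT NOT NULL);
        CREATE TABLE REPO_COUNTER (NAME TEXT PRIMARY KEY, LAST_ID INTEGER NOT NULL);
        INSERT INTO REPO_COUNTER VALUES ('AD_PASSWORD_QUEUE', 0);""")

def hook_insert(conn, username, enc_pwd, source_dc):
    # What the job exported as .dse does on the domain controller: append one row per change.
    conn.execute("INSERT INTO AD_PASSWORD_QUEUE (USERNAME, ENC_PWD, SOURCE_DC) VALUES (?, ?, ?)", (username, enc_pwd, source_dc))
    conn.commit()

def last_treated(conn):
    return conn.execute("SELECT LAST_ID FROM REPO_COUNTER WHERE NAME = 'AD_PASSWORD_QUEUE'").fetchone()[0]

def backlog(conn):
    # Passwords still waiting for treatment: highest key in the table minus the counter.
    max_id = conn.execute("SELECT COALESCE(MAX(ID), 0) FROM AD_PASSWORD_QUEUE").fetchone()[0]
    return max_id - last_treated(conn)

def rows_per_dc(conn):
    # Which domain controllers delivered rows; a DC that never appears may have a dead hook.
    return dict(conn.execute("SELECT SOURCE_DC, COUNT(*) FROM AD_PASSWORD_QUEUE GROUP BY SOURCE_DC"))

def event_agent_run(conn, provisioned_by_idm):
    # One Event Agent cycle: treat every row above the counter, in key order. provisioned_by_idm maps
    # username -> value IDM itself last wrote to AD (assumed check; done after decryption in a real setup).
    last = last_treated(conn)
    rows = conn.execute("SELECT ID, USERNAME, ENC_PWD, SOURCE_DC FROM AD_PASSWORD_QUEUE "
                        "WHERE ID > ? ORDER BY ID", (last,)).fetchall()
    to_sync, skipped = [], []
    for row_id, user, enc, dc in rows:
        (skipped if provisioned_by_idm.get(user) == enc else to_sync).append((user, enc, dc))
        last = row_id
    conn.execute("UPDATE REPO_COUNTER SET LAST_ID = ? WHERE NAME = 'AD_PASSWORD_QUEUE'", (last,))
    conn.commit()
    return to_sync, skipped

def demo():
    # Constructed scenario: one genuine user change and one echo of a reset IDM provisioned to AD.
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    hook_insert(conn, "jdoe", "ENC(user-chosen-1)", "DC01")
    hook_insert(conn, "asmith", "ENC(idm-reset-9)", "DC02")
    waiting = backlog(conn)
    to_sync, skipped = event_agent_run(conn, {"asmith": "ENC(idm-reset-9)"})
    return waiting, backlog(conn), to_sync, skipped, rows_per_dc(conn)
```

If the Event Agent is stopped, `backlog` keeps growing while `last_treated` stays put, which is exactly the lag the repository counter is there to expose.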