AnsweredAssumed Answered

Bulk load Active Directory user passwords

Question asked by Chris_Ryan_Thomas on Feb 28, 2017
Latest reply on Oct 1, 2017 by jose.rosario

Background:

 

Bulk user on-boarding from Active Directory into CA directory already completed, but now challenged to ensure that the end-user's first login into CA Identity manager is simple and synchronized. 

 

Question Detail:

 

Searching for Best Practice to implement CA Technologies Identity Manager authentication, without Siteminder, using customer's existing Microsoft Active directory passwords and policies. 

 

More specifically, what would be the best practice to setup first login for thousands of users, into CA IdM within and infrastructure devoid of Siteminder(SSO)?

 

More Technical Details:

 

Client predominantly uses Active Directory (as their authentication directory) within their enterprise, but CA IdM uses CA Directory user store for authentication, how best to unify these credentials? 

 

Limitations:

 

Meaning, Siteminder for whatever reason can't be utilized to authenticate users into IdM against Microsoft Active Directory, which would likely be the best approach, but nonetheless, thousands of users need to login to CA IdM (for the first time) and have no password set up in CA IdM user store.

 

Bottom Line:

 

How best can we unify these disparate authentication directories (CA Directory, Microsoft Active Directory) so that CA Identity Manager UI can make the best possible first impression to its user base when they login for the first time? 

 

Possible Solutions:

 

Have considered the following possible solutions: 

( 1 and 2 would require setting a new password, 3 and 4 wouldn't)

 

1- should forgotten password reset task be used? but does the user need to login to set security questions or can this be bypassed in the roles and tasks settings?

2- Can password sync / credential provider be used to catch AD password changes and synchronize them back up to CA IdM or would it just go to the provisioning server / store, and not make it to the corporate store? If password sync was feasible then couldn't all ad accounts require the user to reset password at next login, which would then update the same password to allow them to login to CA IdM? 

3- customize the CA IdM login authentication JSP to authenticate against AD instead of CA directory user store? 

4- make a secure LDAP bind from IDMGR to AD when AD is the user store and Siteminder is not in use. but this is an old approach, is there anything more updated? Also wouldn't this require creating a new directory and environment within the management console?

5- ..

 

*Please note, any hyperlinks above were just compiled while I was researching this on the communities and aren't directly related to this question. Above communities hyperlinks aren't directly related to this problem I'm trying to solve or solution being sought after, just simply that they further explain sections of these proposed solutions, which may many times be trivial, but sometimes help describe details in a different way, which I hope will help those reading it to better understand the bigger picture of the problem we're trying to solve. 

 

Thanks, appreciate the help.

Chris. 

Outcomes