Friday, July 27, 2012

Password Synch versus Single Sign On

In many implementations of our Self Service Reset Password Manager (SSRPM), a client will request that we send the new password to several other applications. On the surface, this seems like a simple request and a function that our product is certainly capable of providing. Once you delve deeper, there are a number of complicating factors that need to be considered:
  • Are user names the same across all systems? If yes, implementing is easy. If no, a translation table will need to be built to make sure JDOE in system 1 maps to John_Doe in system 2 and DOEJ in system 3, and so on.
  • Are password complexity rules the same in all systems? If yes, implementing is easy. If no, the most complex password requirement now becomes the de facto standard. Special character restrictions can also become an issue.
  • What happens if System B is unavailable when the synch occurs? A password storage vault and error handling need to be implemented to ensure a reset can occur when the system becomes available.
  • While SSRPM addresses forgotten passwords, how do we capture password changes and synch them?
While Tools4ever has the products (PSM and PCM) and expertise to address these issues, there needs to be a determination of feasibility and reliability. This determination directly corresponds to the number of systems that need to be synched. Sending password resets to 2 or 3 systems, in addition to Active Directory, is a complex requirement but entirely feasible.
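As an added illustration (not Tools4ever product code), the sketch below models the three synch concerns listed above in Python: a username translation table, the combined complexity policy that becomes the de facto standard, and a retry queue for a target that is down at reset time. The user, systems, policies and the `push` connector are all constructed for the example.

```python
import re
import secrets

# Constructed data: one AD user and the login each target system knows them by.
USERNAME_MAP = {"jdoe": {"system1": "JDOE", "system2": "John_Doe", "system3": "DOEJ"}}

# Constructed per-system complexity rules (minimum length, character classes, banned characters).
POLICIES = {
    "system1": {"min_length": 8, "classes": 2, "forbidden": ""},
    "system2": {"min_length": 12, "classes": 3, "forbidden": "&<>"},
    "system3": {"min_length": 10, "classes": 3, "forbidden": ""},
}

def effective_policy(policies):
    """The most restrictive rule on each axis: what every synched reset must satisfy."""
    return {
        "min_length": max(p["min_length"] for p in policies.values()),
        "classes": max(p["classes"] for p in policies.values()),
        "forbidden": "".join(sorted({c for p in policies.values() for c in p["forbidden"]})),
    }

def violations(password, policy):
    """Reasons some target would reject the password; an empty list means it passes everywhere."""
    reasons = []
    if len(password) < policy["min_length"]:
        reasons.append("too short")
    classes = sum(bool(re.search(rx, password)) for rx in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < policy["classes"]:
        reasons.append("too few character classes")
    banned = sorted(set(password) & set(policy["forbidden"]))
    if banned:
        reasons.append("forbidden characters: " + "".join(banned))
    return reasons

def sync_password(ad_user, password, push, vault, retry_queue):
    """Push the reset to each mapped system; a system that is down gets a queued retry.
    push(system, login, password) is a hypothetical connector returning True on success.
    Only a vault token, never the password itself, is placed on the retry queue."""
    reasons = violations(password, effective_policy(POLICIES))
    if reasons:
        raise ValueError("password fails the combined policy: " + ", ".join(reasons))
    done, queued = [], []
    for system, login in USERNAME_MAP[ad_user].items():
        if push(system, login, password):
            done.append(system)
        else:
            token = secrets.token_hex(8)
            vault[token] = password  # stand-in for an encrypted password vault
            retry_queue.append((system, login, token))
            queued.append(system)
    return done, queued
```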

When the number of systems expands much beyond that, the recommendation would be to lean towards a Single Sign On (SSO) solution that eliminates all of the issues above. SSO can capture and cache all credentials for any number of systems, making the synch unnecessary. All users need to remember is one set of credentials: their AD username and password. SSO can handle password resets automatically for all systems, and complexity rules are a non-issue as they are addressed at the application level.

For more information, please visit our website.

Friday, July 20, 2012

Workflow and Identity Management

One topic we seem to be running across with increased regularity is employees starting work before they are actually entered into the HR system. When this occurs, completely automating the user account creation breaks down. The employee will need access to the network, email and applications on their first day, but HR can have a lag of a few days to a few weeks before all information is compiled, approved and entered into the HR system.

To resolve this issue, we have several creative methods to ensure the employee has what he or she needs to be productive on Day 1. At one recent customer install, we implemented Web forms to allow a hiring manager to start the user account lifecycle process. Basic information, such as name, department and title, is entered into the web form. From there an automated workflow process takes over and routes system access requests to the appropriate individuals. As approvals are granted, the system automatically creates the accounts in Active Directory, Office 365 and several other systems based on the user requirements. This process ensures the new employee has what they need on their first day of work.

Once the automated process detects the user is added to the HR system, a synching process occurs and adds other relevant information to Active Directory, such as employee number, address, office location and cell number. The automated process also detects changes in employee status, such as departmental transfers, and takes appropriate actions to re-provision access as appropriate. The HR system also feeds termination dates to the User Management application to ensure access is disabled. The HR team and managers also have a web form where they can mark an employee terminated immediately, ensuring that access to the network is revoked instantaneously.
To learn more about utilizing the Tools4ever User Management solution to delegate account creation responsibilities, please visit our website.