“Self-service password synchronization”: an elegant combination of two concepts

The terms “self-service” and “password synchronization” are heard frequently today in IT departments around the world. Most find themselves challenged with a growing user base and an ever-increasing number of applications in use per user. In this context “self-service” usually refers to resetting passwords, but it applies to many other areas as well. Some of those are beyond the scope of this blog entry; Tracy Major of Computerworld does a great job of exploring the particulars further.

Disparate self-service solutions get the job done but are severely lacking in terms of efficiency. As such, many IT leaders look to password synchronization for a quick win: a single self-service reset propagates a new password to many systems almost instantaneously. There are, however, a few challenges to implementing this type of solution quickly. Password synchronization must address the lowest common denominator: the new password entered by the end user has to satisfy the strictest rule of every system it is being pushed to (minimum length, required character classes, and any maximum length or forbidden characters), so the combined policy can be tighter than that of any single system. Not every user uses every system; each has some mix of them. And usernames often differ across systems, which makes locating reset targets reliably difficult.

One recent enterprise customer faced exactly this type of problem. By using two concepts that are usually considered individually in tandem, an elegant solution was provided, now known colloquially as Self Service Password Synchronization.

The focus was SAP: this company has 8 instances in place and no reliable method for determining which users currently have, or will need, access to any individual one. Some users have access to all of them, others to the majority, and many connect to only one or two. Additionally, the password policies and username conventions differ across the instances.

This problem was resolved by deploying three different solutions in concert as a unified solution: Password Complexity Manager, Self Service Password Reset Manager, and Password Synchronization Manager. The role played by each is explored further in what follows.

Password Complexity Manager

This type of solution augments the native AD password policy with finely tuned complexity requirements. Every user is forced to choose an AD password that meets the complexity requirements of every SAP instance, so that the same password can later be pushed to any of them without being rejected.
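As an added example (not code from the original post or from a Tools4ever product), the following Python derives the combined policy from a set of per-instance policies by taking the strictest value of each field, and checks a candidate password against it. The instance names and policy values are hypothetical. It also handles the case the text hints at with "lowest common denominator": when one target demands more than another allows, the combination is unsatisfiable and must be detected before an AD policy is derived from it.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    max_length: int             # some targets cap length; the composite takes the smallest
    min_classes: int            # how many of upper/lower/digit/special must appear
    allowed_specials: str       # special characters this target accepts
    case_sensitive: bool = True # False: target folds case, so upper and lower are one class


# Constructed, hypothetical per-instance policies (not real SAP settings).
INSTANCES = [
    Policy("SAP-ERP-PRD", 8, 40, 3, string.punctuation),
    Policy("SAP-HR-PRD", 10, 40, 3, "!#$%&*+-./:?@_"),
    Policy("SAP-BW-LEGACY", 6, 8, 2, "!#$%&_", case_sensitive=False),
]


def composite(policies):
    """Strictest-of every field: this is what the AD policy must enforce."""
    specials = set(policies[0].allowed_specials)
    for p in policies[1:]:
        specials &= set(p.allowed_specials)       # only characters every target accepts
    return Policy(
        name="composite",
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        min_classes=max(p.min_classes for p in policies),
        allowed_specials="".join(sorted(specials)),
        case_sensitive=all(p.case_sensitive for p in policies),
    )


def is_satisfiable(policy):
    """A composite can be impossible: one target wants 10 characters, another caps at 8,
    or it demands more character classes than a case-folding target can distinguish."""
    distinct_classes = 4 if policy.case_sensitive else 3
    return policy.min_length <= policy.max_length and policy.min_classes <= distinct_classes


def violations(password, policy):
    """Return the list of rules the candidate breaks (empty list means accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    specials = {c for c in password if not c.isalnum()}
    rejected = sorted(specials - set(policy.allowed_specials))
    if rejected:
        problems.append("characters rejected by a target: " + "".join(rejected))
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if policy.case_sensitive:
        classes = has_upper + has_lower + has_digit + bool(specials)
    else:
        classes = (has_upper or has_lower) + has_digit + bool(specials)
    if classes < policy.min_classes:
        problems.append(f"only {classes} of {policy.min_classes} character classes")
    return problems


if __name__ == "__main__":
    print("all three instances satisfiable:", is_satisfiable(composite(INSTANCES)))
    current = composite(INSTANCES[:2])
    for candidate in ("Correct-Horse7", "Summer;2024", "short7!"):
        print(candidate, "->", violations(candidate, current) or "ok")
```

With the legacy instance in the mix the composite requires at least 10 characters but allows at most 8, so no AD password can satisfy it; that instance has to be excluded from synchronization (or its policy changed) before the rest can share one password.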

Self-Service Password Reset

A self-service password reset solution lets end users reset their own password from the Windows GINA/credential provider and/or via a web interface. In the customer scenario, the product was further customized to manage information regarding SAP instances. After a user authenticates with their AD username and password, they choose which SAP instances they have access to and what their username is in each; should access shift in the future, they simply make the requisite adjustments in the self-service portal. Because these mappings are self-asserted and later used as reset targets, each claimed SAP username should be checked against the existing mappings before it is accepted, so that no two AD accounts end up pointing at the same SAP account.

Password Synchronization Manager

With this solution in place, every time an AD password is reset a lookup is executed against the self-service roles database. It returns the list of SAP instances the user has access to, along with their username in each one. PSM then pushes the new password into each instance under that username.
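The lookup-and-push flow described here and the self-service mapping step above, as an added example that is not part of the original post or of the products named. The roles database, instance names, usernames and connectors are all constructed stand-ins: the connector only stores a salted hash so the example can verify what was pushed, where a real one would call the target system. Two behaviours a practitioner would want are shown: a claimed SAP username is refused if another AD account already holds it, and an unreachable instance is reported for retry instead of aborting the other pushes or being silently skipped.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    instance: str
    sap_username: str


def fresh_roles_db():
    """Constructed self-service roles database: AD account -> SAP instances and the
    username the person holds in each (usernames deliberately differ per instance)."""
    return {
        "jdoe": [Mapping("ERP-PRD", "JDOE"), Mapping("HR-PRD", "DOEJ01"), Mapping("BW-PRD", "J.DOE")],
        "asmith": [Mapping("ERP-PRD", "ASMITH")],
    }


def claim_mapping(ad_username, instance, sap_username, roles_db):
    """Self-service step: the user asserts 'I am <sap_username> on <instance>'.
    Refuse if another AD account already holds that SAP account; otherwise a user
    could point their own resets at someone else's SAP login. Idempotent for the owner."""
    wanted = Mapping(instance, sap_username)
    for owner, mappings in roles_db.items():
        if owner != ad_username and wanted in mappings:
            return False
    owned = roles_db.setdefault(ad_username, [])
    if wanted not in owned:
        owned.append(wanted)
    return True


class InstanceConnector:
    """Stand-in for a real SAP connector. Keeps only a salted PBKDF2 hash, so the
    example never retains the plaintext after the push."""

    def __init__(self, name, reachable=True):
        self.name = name
        self.reachable = reachable
        self._store = {}

    def set_password(self, sap_username, new_password):
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self._store[sap_username] = (salt, digest)

    def verify(self, sap_username, password):
        if sap_username not in self._store:
            return False
        salt, digest = self._store[sap_username]
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(probe, digest)


def build_connectors(unreachable=()):
    """One connector per hypothetical instance; names in `unreachable` simulate an outage."""
    return {n: InstanceConnector(n, reachable=n not in unreachable)
            for n in ("ERP-PRD", "HR-PRD", "BW-PRD")}


def synchronize(ad_username, new_password, connectors, roles_db):
    """Run on every AD password change: look up the user's instances, push the new
    password under the per-instance username, and report the outcome per instance.
    A failed push is returned as 'retry: ...' so it can be queued rather than lost."""
    outcome = {}
    for m in roles_db.get(ad_username, []):
        conn = connectors.get(m.instance)
        if conn is None:
            outcome[m.instance] = "retry: no connector configured"
            continue
        try:
            conn.set_password(m.sap_username, new_password)
            outcome[m.instance] = "ok"
        except ConnectionError as exc:
            outcome[m.instance] = f"retry: {exc}"
    return outcome


if __name__ == "__main__":
    db = fresh_roles_db()
    conns = build_connectors(unreachable=("HR-PRD",))
    print(synchronize("jdoe", "Correct-Horse7", conns, db))
    print("mallory claims JDOE:", claim_mapping("mallory", "ERP-PRD", "JDOE", db))
```

The outcome dictionary is the important part of the design: the agent that performs the push holds administrative credentials for every instance, so it should record per-instance results and retry the failures rather than treat the whole reset as done the moment AD accepts it.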

The end result is that regardless of how a password is reset, whether through self-service or by an administrator directly in ADUC, synchronization is achieved and users experience a notable boost in daily productivity. One consequence to keep in mind: the AD reset path now gates every synchronized instance, so the identity verification in front of it must be at least as strong as the most sensitive instance would require on its own.

Tools4ever excels in implementing the aforementioned solutions, along with many others. We’re ready for you to challenge us with your company’s specific self-service and password synchronization needs.