0
Answered

Identity Broker and Password Reset

Bob Bradley 7 years ago • updated by anonymous 3 years ago 12

The "enable password management" checkbox is disabled and unselected in the attached screenshot. Does this mean that password sync is not supported with a standard IdB implementation? @VicEd there will be a need to establish a connector with an external directory purely for password sync (no normal attribute flows ... just a connector for each object), and in this special case the "placeholder" connector would be perfect at providing the necessary anchor (cs object) to implement a change/set password extension for this directory.


IdB.FIMMA.ConfigureExtensions.png
Affected Versions:
Fixed by Version:

Hey Bob,

The packaged MA is missing the necessary config by default in v3 - you'll need to update the XML file in the XMLs directory like https://unifysolutions.jira.com/browse/IDB-125?focusedCommentId=27868&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-27868. If you want to point to an external password extension, just point the extension at a different DLL. After updating the XML, you will need to open Synchronization Service Manager again and create the management agent (it doesn't update existing MAs).

Thanks for the explanation Matt - can you please assign permissions for me to be able to read the item you linked to?

Has the need to support both standard (whatever that is!!!) AND custom (would have thought it would always be this) password extensions been considered as an IdB 4 requirement?

I'll just get you the relevant excerpt from the issue:

<password-extension-config>
<password-extension-enabled>1</password-extension-enabled>
<dll data-owner="ISV">Unify.Framework.ILM2007FP1Adapter.dll</dll>
<password-set-enabled>1</password-set-enabled>
<password-change-enabled>1</password-change-enabled>
<connection-info>
<connect-to>
http://localhost:59990/IdentityBroker/RemoteXmlAdapter.svc,56C7E551-5BDE-43A9-8D86-7A8EEE916CCA,EndpointConfigurationName</connect-to>
<user />
</connection-info>
<timeout />
</password-extension-config>

You'll also need to update an element at the top of the XML to look like the following:

<password-sync-allowed>1</password-sync-allowed>

That need has never come up so we haven't catered for the need directly. There are some limitations with how FIM interprets the password settings in the XML, so the created MA will either be enabled completely as a password sync target, or not at all (and the XML would need to be updated). IdB 4 will currently set the XML correctly if the base connector supports password synchronization, otherwise users would always need to disable the password settings during management agent creation.

Note that you can leave your connect-to element empty for your custom target.

That need has never come up so we haven't catered for the need directly.

So you're saying that an IdB3 feature (custom dll) won't be carried forward to IdB4 Matt?

From what I understand from today's demo, a custom DLL option is still supported for IdB 4.0???

Bob, you should just be able to change the password extension dll in the management agent. What I meant was that the xMA generator in Identity Broker hasn't been configured to let you specify a custom DLL before exporting. Is this an option you see as beneficial?

Matt - with a FIM "packaged MA" the main DLL selection for the ECMA itself is read-only (from the FIM MA wizard). It is a LONG time since I implemented a password extension for such an ECMA, and I am only assuming that this DLL is also read-only, in which case we will need to ensure that it can be specified as part of the packaging process. If I am wrong, and the DLL CAN be changed post deployment and/or implementation (i.e either when either CREATING a new or MODIFYING an existing INSTANCE of the IdB ECMA), then this item can be closed.
Thanks.

Bob,

Sorry for the late followup on this. Yes, the password sync setting can be updated after the packaged MA has been exported by following the above process. For v4.0.0, if the base connector supports password sync, the xMA will export containing a reference to our FIM adapter with password sync enabled. Custom password extensions will still need to be configured by updating the XML. However, I have created IDB-645 as a feature request for a future version of Identity Broker to avoid doing this via the XML. IDBFIM-23 has been created in order to document the current mechanism for setting up a packaged MA this way.

I have marked this issue as resolved, please close if appropriate.

Please review this issue and close if it has been confirmed as fixed, or if no further action can be taken.