IBM Security Verify


Force user to change AD password upon first ISIM login

  • 1.  Force user to change AD password upon first ISIM login

    Posted Thu November 18, 2021 07:26 AM
    If I have authentication on ISIM externalized to an AD, can I force user to change AD password upon first login to ISIM?
    Password sync is disabled.

    Thanks,

    m.


  • 2.  RE: Force user to change AD password upon first ISIM login

    Posted Thu November 18, 2021 08:10 AM
    That is what I would call "a good question"....

    Let me elaborate on this - I would say this very much depends on the underlying integration pattern and the infrastructure ability.

    If this was done using IBM Security Verify Access (ISVA) or a similar SSO product, this is normally handled in their error handling during authentication - in the ISVA case I believe it works on the IdP authentication and can redirect to a web page where this is handled.

    Now - as you mention "externalized to AD" I would assume that you are either using WAS TAI with AD as the integration mechanism or have developed a custom ISIM authentication wrapper that uses AD as the authentication instead of the ISIM ldap.

    In the first case I do not know what the TAI (really, what WAS functionality is available there - normally this is used as an SSO setup - not userid/pw) can do - but I suppose this could work similar to ISVA.

    When using a custom authentication wrapper I should imagine that this is as simple as being able to detect the AD situation when performing the authentication and ensure that the correct return code is sent to ISIM upon exiting, and then ensure that the ITIM account workflow will also update the AD password (this should not be necessary if you have password synchronization enabled - but I will encourage anybody to use this nowadays).

    As you probably can sense I am not very willing to give a straight answer - but raising a case to IBM Support based on some more accurate/detailed/partly tested usecase should give you a formal answer...

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Force user to change AD password upon first ISIM login

    Posted Thu November 18, 2021 08:24 AM
    Hi Franz,

    Thanks for the answer.
    Actually, this is Identity Manager VA, and authentication is "externalized" through its LMI, Configure Identity Manager -> Identity External User Registry Configuration.

    In that setup, when you log on to ISIM (UI or console), you are authenticated with your AD username / password. But, if you set "User must change password at next logon" on the AD account, you can't access ISIM before changing the password in AD.

    I wonder if there is some workaround in ISIM, to set up the AD account without "User must change password at next logon", but to force the user to do a password reset once they access the ISIM UI.

    Mita
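
    As an added illustration, not part of the original thread, here is the AD-side mechanism behind the behaviour described above. AD stores the "User must change password at next logon" checkbox by setting the user's pwdLastSet attribute to 0, and when such a user attempts an LDAP simple bind, AD refuses it with result 49 (invalidCredentials) and the sub-code "data 773" in the diagnostic message (0x532 is the related "password expired" case). Any system that authenticates users by binding to AD on their behalf therefore cannot log that user in until the password has been changed in AD. The Python below (stdlib only) decodes those sub-codes and finds flagged users in directory data; the function names and all bind messages and directory entries are constructed for this example, not ISIM or AD APIs or real data.

```python
"""
Added example (not from the thread): why a user flagged "User must change
password at next logon" in AD cannot get through a system that authenticates
by binding to AD, and how to find such users in directory data.

Stdlib only. Bind messages and directory entries below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# When an LDAP simple bind against AD fails with result 49 (invalidCredentials),
# AD appends an AcceptSecurityContext sub-code to the diagnostic message as
# "data <hex>". 0x773 is the "must change password" case that blocks login.
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must change password at next logon",
    0x775: "account locked out",
}

# Sub-codes where the credentials were right but AD demands a new password
# before it will complete a bind.
PASSWORD_CHANGE_SUBCODES = frozenset({0x532, 0x773})

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


@dataclass(frozen=True)
class BindDiagnosis:
    result_code: int
    subcode: Optional[int]
    reason: str
    password_change_required: bool


def diagnose_bind(result_code: int, diagnostic_message: str = "") -> BindDiagnosis:
    """Map an LDAP bind result code plus AD's diagnostic text to a reason."""
    if result_code == 0:
        return BindDiagnosis(0, None, "bind succeeded", False)
    if result_code != 49:
        return BindDiagnosis(result_code, None, f"LDAP result code {result_code}", False)
    match = _DATA_RE.search(diagnostic_message)
    if match is None:
        return BindDiagnosis(49, None, "invalid credentials (no AD sub-code present)", False)
    subcode = int(match.group(1), 16)  # AD prints the sub-code in hex
    reason = AD_BIND_SUBCODES.get(subcode, f"unknown AD sub-code 0x{subcode:x}")
    return BindDiagnosis(49, subcode, reason, subcode in PASSWORD_CHANGE_SUBCODES)


def must_change_at_next_logon(pwd_last_set) -> bool:
    """AD represents the checkbox by storing 0 in pwdLastSet.

    Accepts the int, str or bytes form an LDAP client may hand back.
    """
    if isinstance(pwd_last_set, bytes):
        pwd_last_set = pwd_last_set.decode("ascii")
    return int(pwd_last_set) == 0


def users_blocked_by_reset_flag(entries: Iterable[dict]) -> list:
    """Return sAMAccountNames whose next bind AD would refuse with data 773."""
    return [
        entry["sAMAccountName"]
        for entry in entries
        if must_change_at_next_logon(entry["pwdLastSet"])
    ]


# Constructed samples: what a bind-based login would see for each user.
SAMPLE_BIND_RESULTS = {
    "alice": (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v2580"),
    "bob":   (0, ""),
    "carol": (49, "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v2580"),
}

# Constructed directory entries as an LDAP search might return them.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "pwdLastSet": "0"},
    {"sAMAccountName": "bob", "pwdLastSet": "133119470000000000"},
    {"sAMAccountName": "carol", "pwdLastSet": b"133120330000000000"},
]

if __name__ == "__main__":
    for user, (code, msg) in SAMPLE_BIND_RESULTS.items():
        d = diagnose_bind(code, msg)
        print(f"{user:6} -> {d.reason} (needs password change first: {d.password_change_required})")
    print("flagged for reset:", users_blocked_by_reset_flag(SAMPLE_ENTRIES))
```

    The DSID and the trailing "v…" value in the diagnostic text vary by AD build; the "data <hex>" sub-code is the stable part to key on. Clearing the checkbox in AD (pwdLastSet set to -1) removes the bind refusal, but then nothing on the AD side forces the reset, which is exactly the gap the thread is discussing.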


  • 4.  RE: Force user to change AD password upon first ISIM login

    Posted Thu November 18, 2021 08:33 AM
    As you may know I am not a big fan of the VA, so I have not used it for many years personally. And "quirks" like this are one of the reasons....

    Did you raise a case - else I would do it - it looks like an oversight in the design - if this is not possible technically due to some obscure limitation of either AD or the VA I would think it should be documented as a "permanent restriction" - else it should be either fixed ("APARed") or deemed "working as designed" and hence require a Request for Enhancement - the latter is what is normally called "broken as designed" ;-)

    I believe OIDC is now enabled in the VA - that may be a better option if OIDC supports an expired password in the flow (which probably depends on the setup - I am not an expert here).

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 5.  RE: Force user to change AD password upon first ISIM login

    Posted Thu November 18, 2021 08:42 AM
    Hi Franz,

    Thanks.
    I will open the case with IBM, and come back here if I got any solution, to leave it here, for the reference.

    Mita


  • 6.  RE: Force user to change AD password upon first ISIM login

    Posted Thu November 18, 2021 08:51 AM
    Hi Mita...

    Probably a couple of ways to do this, but the first thing I could think of would be to set some attribute on the ISIM User when you first create them, to indicate they are "new".   Then in the ITIM Account > changePassword Operation, you can put a Script node to check for that attribute/value...and if the User is "new" and changing their password upon first login, then get the password (Account.getAndDecryptPassword()), find the User's AD Account, and pass the new password/AD Account to a changePassword as well...then unset that "new" attribute on the User.

    ------------------------------
    Grey Thrasher
    IBM
    ------------------------------



  • 7.  RE: Force user to change AD password upon first ISIM login

    Posted Thu November 18, 2021 09:19 AM
    Hi Grey,

    Yes, I was thinking about that, but here is a problem:
    These are already existing users. They have their AD passwords set, that they can get from their superior, and they have ITIM account passwords already created, that no one knows.
    They use their AD password to log in to ISIM, but if I set their ISIM accounts to require a password change, it will ask for the old password, which is different from the AD password.
    Also,
    there is a parameter on ITIM service form, "WebSphere account repository", that should, according to documentation (at least for software installations) be cleared out (or you can change it to AD, it does not make any difference) when you set authentication to an external directory.
    So, if you set it like documented (clear it out), you can't set "change password on next logon" on ISIM account any more.
    As you said "couple of ways to do it", what else you were thinking of?

    Thanks,

    Mita


  • 8.  RE: Force user to change AD password upon first ISIM login

    Posted Thu November 18, 2021 09:35 AM
    Ah..my apologies, I thought you meant the AD Account was set to have its password changed as well.
    Yes, you should remove the ITIM Service from the WebSphere Account Repository field on the ITIM Service form.  You should also configure ISIM so it doesn't require a password change on first login (for your ISIM Accounts).  You can configure this in the Account Defaults (on the Service Type or Service Instance) or override the default in the Provisioning Policy.

    ------------------------------
    Grey Thrasher
    IBM
    ------------------------------



  • 9.  RE: Force user to change AD password upon first ISIM login

    Posted Thu November 18, 2021 09:45 AM
    Hi Grey,

    Thanks for the answer.
    Well, do you have an idea how to set up the desired behavior? To force users to change their AD password upon first logon to ISIM?

    Mita


  • 10.  RE: Force user to change AD password upon first ISIM login

    Posted Fri June 17, 2022 01:47 PM
    You can set erChangePswdRequired to "true" in SDS for these users sitting under ou=systemUser,ou=itim,<tenant>, and when any such user logs in to ISIM, they will land on the Change password screen.

    ------------------------------
    Deepak Singla
    ------------------------------



  • 11.  RE: Force user to change AD password upon first ISIM login

    Posted Mon June 20, 2022 02:12 AM
    Two things here :
    1.
    You should not use the ldap operations directly to the ISIM ldap - use provisioning policies instead when the ISIM account is created.
    There is a lot of caching going on and hence you get some nasty surprises that your changes are not reflected...
    2.
    If you log in with ISIM and you are requested to change the password, the result depends on whether password synchronization is enabled or not. IMHO it should NOT be enabled - that may have looked like a good idea 20 years ago - but this is actually a very bad thing today - and if you are using modern Access Management tools (think ISVA or ISV SaaS) it is also not necessary. Work to remove the dependency on passwords for real users (and for non-personal users - but that is in the PAM domain normally).

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------